From 9606bd1b270b00f12c8b3730bb0ae4b14ce812e9 Mon Sep 17 00:00:00 2001 From: gitea-bot Date: Fri, 27 Mar 2026 00:22:35 +0000 Subject: [PATCH] chore: Update manifests after change --- .../ConfigMap-eraser-manager-config.yaml | 22 +++++++------- .../Deployment-eraser-controller-manager.yaml | 9 +++--- .../excalidraw/Deployment-excalidraw.yaml | 5 ++-- .../excalidraw/HTTPRoute-excalidraw.yaml | 2 +- .../ClusterRole-external-dns-unifi.yaml | 3 -- .../Deployment-external-dns-unifi.yaml | 16 ++++++---- ...ernalSecret-external-dns-unifi-secret.yaml | 3 -- ...ment-external-secrets-cert-controller.yaml | 7 ++++- .../Deployment-external-secrets-webhook.yaml | 6 +++- .../Deployment-external-secrets.yaml | 30 ++++++++++++++++++- ...DisruptionBudget-external-secrets-pdb.yaml | 17 +++++++++++ 11 files changed, 84 insertions(+), 36 deletions(-) create mode 100644 clusters/cl01tl/manifests/external-secrets/PodDisruptionBudget-external-secrets-pdb.yaml diff --git a/clusters/cl01tl/manifests/eraser/ConfigMap-eraser-manager-config.yaml b/clusters/cl01tl/manifests/eraser/ConfigMap-eraser-manager-config.yaml index 4d6be92aa..3a36bbeb9 100644 --- a/clusters/cl01tl/manifests/eraser/ConfigMap-eraser-manager-config.yaml +++ b/clusters/cl01tl/manifests/eraser/ConfigMap-eraser-manager-config.yaml @@ -10,27 +10,27 @@ data: collector: enabled: true image: - tag: v1.4.1 + repo: ghcr.io/eraser-dev/collector + tag: v1.4.1@sha256:827588ff826c3558bf2c50b1fc94f20122b054dfcf3480c3ffe6f0bae25c3dad limit: {} request: - cpu: 10m - memory: 128Mi + cpu: 1m + memory: 20Mi remover: image: - tag: v1.4.1 + repo: ghcr.io/eraser-dev/remover + tag: v1.4.1@sha256:e57592157d717588f69c011cd0b6ab783a19a53b447a5350b27e7e66aae67525 limit: {} request: - cpu: 10m - memory: 128Mi + cpu: 1m + memory: 20Mi scanner: config: "" enabled: false image: tag: v1.4.1 limit: {} - request: - cpu: 100m - memory: 128Mi + request: {} health: {} kind: EraserConfig leaderElection: {} 
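Review bot: The `scanner` image in ConfigMap-eraser-manager-config.yaml is still referenced by tag alone (`tag: v1.4.1`, no `repo`, no digest), while the same hunk pins `collector` and `remover` to a digest. The scanner is disabled here, but if it is switched on later it would be pulled by a mutable tag and run next to the pinned images against the runtime socket configured in this ConfigMap. Give it the same treatment in the values that render this file: a `repo:` line and `tag: v1.4.1@sha256:<scanner-digest>`. It is also worth confirming that the deployed Eraser version accepts a digest suffix inside `tag`, since the field is named for a tag only.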
@@ -49,9 +49,7 @@ data: type: exclude otlpEndpoint: "" priorityClassName: "" - profile: - enabled: false - port: 6060 + profile: {} pullSecrets: [] runtime: address: unix:///run/containerd/containerd.sock diff --git a/clusters/cl01tl/manifests/eraser/Deployment-eraser-controller-manager.yaml b/clusters/cl01tl/manifests/eraser/Deployment-eraser-controller-manager.yaml index 37eb04f80..222054b6c 100644 --- a/clusters/cl01tl/manifests/eraser/Deployment-eraser-controller-manager.yaml +++ b/clusters/cl01tl/manifests/eraser/Deployment-eraser-controller-manager.yaml @@ -41,7 +41,7 @@ spec: fieldPath: metadata.namespace - name: OTEL_SERVICE_NAME value: eraser-manager - image: 'ghcr.io/eraser-dev/eraser-manager:v1.4.1' + image: 'ghcr.io/eraser-dev/eraser-manager:v1.4.1@sha256:5f18fb7da4ccad93a8643ece496681f1489b0d7b0ce45e18a94774cf8b6a717d' imagePullPolicy: 'IfNotPresent' livenessProbe: httpGet: @@ -57,11 +57,10 @@ spec: initialDelaySeconds: 5 periodSeconds: 10 resources: - limits: - memory: 30Mi + limits: {} requests: - cpu: 10m - memory: 30Mi + cpu: 1m + memory: 20Mi securityContext: allowPrivilegeEscalation: false capabilities: diff --git a/clusters/cl01tl/manifests/excalidraw/Deployment-excalidraw.yaml b/clusters/cl01tl/manifests/excalidraw/Deployment-excalidraw.yaml index 9006425d3..ab0a26f91 100644 --- a/clusters/cl01tl/manifests/excalidraw/Deployment-excalidraw.yaml +++ b/clusters/cl01tl/manifests/excalidraw/Deployment-excalidraw.yaml @@ -40,9 +40,8 @@ spec: - name: TZ value: America/Chicago image: excalidraw/excalidraw:latest@sha256:3c2513e830bb6e195147c05b34ecf8393d0ba2b1cc86e93b407a5777d6135c6c - imagePullPolicy: IfNotPresent name: main resources: requests: - cpu: 10m - memory: 128Mi + cpu: 1m + memory: 10Mi diff --git a/clusters/cl01tl/manifests/excalidraw/HTTPRoute-excalidraw.yaml b/clusters/cl01tl/manifests/excalidraw/HTTPRoute-excalidraw.yaml index 0335c2e14..b6597643c 100644 --- a/clusters/cl01tl/manifests/excalidraw/HTTPRoute-excalidraw.yaml 
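Review bot: In the second ConfigMap-eraser-manager-config.yaml hunk, `profile: {}` replaces the explicit `enabled: false` and `port: 6060`, so whether the profiling listener is off now depends on the Eraser default rather than on this manifest. A profiling endpoint exposes runtime internals of the manager, so it is safer to keep the setting explicit in the values that render this file, `profile:` with `enabled: false`, unless the default has been checked for the deployed version.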
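Review bot: The `resources` hunk of Deployment-eraser-controller-manager.yaml drops the 30Mi memory limit (`limits: {}`) and lowers the request to `cpu: 1m` / `memory: 20Mi`, which leaves the container with no memory ceiling. Without a limit, a leak or runaway allocation is bounded only by node memory pressure, and a request this far below real usage makes the pod an early eviction candidate. The same request-only pattern appears in the `resources` blocks added for external-dns, external-secrets-cert-controller, external-secrets-webhook and external-secrets, and in the collector/remover settings of the eraser ConfigMap. If this is deliberate, a namespace LimitRange would keep a ceiling in place; otherwise restore a limit in the chart values, for example `limits:` with `memory: 30Mi`.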
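Review bot: Dropping `imagePullPolicy: IfNotPresent` in Deployment-excalidraw.yaml leaves the policy to Kubernetes defaulting, and because the image reference still carries the `latest` tag next to its digest the default may resolve to `Always`. The digest keeps the content fixed either way, but `Always` makes every pod start depend on the registry being reachable. Keep `imagePullPolicy: IfNotPresent` explicit in the values, or drop the `latest` tag from the reference.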
+++ b/clusters/cl01tl/manifests/excalidraw/HTTPRoute-excalidraw.yaml @@ -23,7 +23,7 @@ spec: name: excalidraw namespace: excalidraw port: 80 - weight: 100 + weight: 1 matches: - path: type: PathPrefix diff --git a/clusters/cl01tl/manifests/external-dns/ClusterRole-external-dns-unifi.yaml b/clusters/cl01tl/manifests/external-dns/ClusterRole-external-dns-unifi.yaml index ae429bf7d..b611c420a 100644 --- a/clusters/cl01tl/manifests/external-dns/ClusterRole-external-dns-unifi.yaml +++ b/clusters/cl01tl/manifests/external-dns/ClusterRole-external-dns-unifi.yaml @@ -9,9 +9,6 @@ metadata: app.kubernetes.io/version: "0.20.0" app.kubernetes.io/managed-by: Helm rules: - - apiGroups: ["extensions", "networking.k8s.io"] - resources: ["ingresses"] - verbs: ["get", "watch", "list"] - apiGroups: ["externaldns.k8s.io"] resources: ["dnsendpoints"] verbs: ["get", "watch", "list"] diff --git a/clusters/cl01tl/manifests/external-dns/Deployment-external-dns-unifi.yaml b/clusters/cl01tl/manifests/external-dns/Deployment-external-dns-unifi.yaml index 44b87eaf1..e88f99bda 100644 --- a/clusters/cl01tl/manifests/external-dns/Deployment-external-dns-unifi.yaml +++ b/clusters/cl01tl/manifests/external-dns/Deployment-external-dns-unifi.yaml @@ -47,8 +47,7 @@ spec: args: - --log-level=info - --log-format=text - - --interval=1m - - --source=ingress + - --interval=360m - --source=crd - --source=gateway-httproute - --source=gateway-tlsroute @@ -57,6 +56,7 @@ spec: - --txt-owner-id=default - --txt-prefix=k8s. - --domain-filter=alexlebens.net + - --exclude-domains=alexlebens.dev - --provider=webhook - --ignore-ingress-tls-spec ports: 
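Review bot: `--interval=360m` in the first Deployment-external-dns-unifi.yaml hunk stretches the full reconcile to six hours, so unless event-triggered reconciliation (`--events`) is set in args outside this hunk, a record for a removed route can keep resolving to its old address for that long. Stale records of that kind are a common source of dangling-DNS exposure, so either confirm the event trigger is enabled or choose a shorter interval in the chart values. The `--source=ingress` removal is consistent with the ingress rule dropped from the ClusterRole, which leaves `--ignore-ingress-tls-spec` in the next hunk looking like a leftover.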
@@ -81,8 +81,12 @@ spec: periodSeconds: 10 successThreshold: 1 timeoutSeconds: 5 + resources: + requests: + cpu: 1m + memory: 80Mi - name: webhook - image: ghcr.io/kashalls/external-dns-unifi-webhook:v0.8.2 + image: ghcr.io/kashalls/external-dns-unifi-webhook:v0.8.2@sha256:7f0ddbbc83a36a2a9d762e25eef9cafcb3adf0493068a27d72ae71087eafe6f0 imagePullPolicy: IfNotPresent env: - name: UNIFI_HOST @@ -93,7 +97,7 @@ spec: key: api-key name: external-dns-unifi-secret - name: LOG_LEVEL - value: debug + value: info ports: - name: http-webhook protocol: TCP @@ -110,9 +114,9 @@ spec: readinessProbe: failureThreshold: 6 httpGet: - path: /readyz + path: /healthz port: http-webhook - initialDelaySeconds: 10 + initialDelaySeconds: 5 periodSeconds: 10 successThreshold: 1 timeoutSeconds: 5 diff --git a/clusters/cl01tl/manifests/external-dns/ExternalSecret-external-dns-unifi-secret.yaml b/clusters/cl01tl/manifests/external-dns/ExternalSecret-external-dns-unifi-secret.yaml index d9a9dc34b..2cdc54984 100644 --- a/clusters/cl01tl/manifests/external-dns/ExternalSecret-external-dns-unifi-secret.yaml +++ b/clusters/cl01tl/manifests/external-dns/ExternalSecret-external-dns-unifi-secret.yaml @@ -14,8 +14,5 @@ spec: data: - secretKey: api-key remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /unifi/auth/cl01tl - metadataPolicy: None property: api-key diff --git a/clusters/cl01tl/manifests/external-secrets/Deployment-external-secrets-cert-controller.yaml b/clusters/cl01tl/manifests/external-secrets/Deployment-external-secrets-cert-controller.yaml index 204afb07d..7c8da3a62 100644 --- a/clusters/cl01tl/manifests/external-secrets/Deployment-external-secrets-cert-controller.yaml +++ b/clusters/cl01tl/manifests/external-secrets/Deployment-external-secrets-cert-controller.yaml 
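Review bot: The webhook container's `readinessProbe` in Deployment-external-dns-unifi.yaml now targets `/healthz` instead of `/readyz`, which presumably makes readiness report the same thing as liveness (the liveness probe is outside the hunk). If `/readyz` reflects whether the webhook can actually serve the provider API, the pod will now be marked ready before that holds, and external-dns will call it too early. Keep `path: /readyz` unless that endpoint no longer exists in v0.8.2.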
@@ -40,7 +40,7 @@ spec: runAsUser: 1000 seccompProfile: type: RuntimeDefault - image: ghcr.io/external-secrets/external-secrets:v2.2.0 + image: ghcr.io/external-secrets/external-secrets:v2.2.0@sha256:876e627dbee5b0edd12da49b035469d12418cd6c3c4be5e383ae6a82e8bd4565 imagePullPolicy: IfNotPresent args: - certcontroller @@ -54,6 +54,7 @@ spec: - --loglevel=info - --zap-time-encoding=epoch - --enable-partial-cache=true + - --enable-leader-election=true ports: - containerPort: 8080 protocol: TCP @@ -67,3 +68,7 @@ spec: path: /readyz initialDelaySeconds: 20 periodSeconds: 5 + resources: + requests: + cpu: 1m + memory: 60Mi diff --git a/clusters/cl01tl/manifests/external-secrets/Deployment-external-secrets-webhook.yaml b/clusters/cl01tl/manifests/external-secrets/Deployment-external-secrets-webhook.yaml index d0a006a61..18a8827a0 100644 --- a/clusters/cl01tl/manifests/external-secrets/Deployment-external-secrets-webhook.yaml +++ b/clusters/cl01tl/manifests/external-secrets/Deployment-external-secrets-webhook.yaml @@ -40,7 +40,7 @@ spec: runAsUser: 1000 seccompProfile: type: RuntimeDefault - image: ghcr.io/external-secrets/external-secrets:v2.2.0 + image: ghcr.io/external-secrets/external-secrets:v2.2.0@sha256:876e627dbee5b0edd12da49b035469d12418cd6c3c4be5e383ae6a82e8bd4565 imagePullPolicy: IfNotPresent args: - webhook @@ -68,6 +68,10 @@ spec: path: /readyz initialDelaySeconds: 20 periodSeconds: 5 + resources: + requests: + cpu: 1m + memory: 30Mi volumeMounts: - name: certs mountPath: /tmp/certs diff --git a/clusters/cl01tl/manifests/external-secrets/Deployment-external-secrets.yaml b/clusters/cl01tl/manifests/external-secrets/Deployment-external-secrets.yaml index b4e96b35f..af763273a 100644 --- a/clusters/cl01tl/manifests/external-secrets/Deployment-external-secrets.yaml +++ b/clusters/cl01tl/manifests/external-secrets/Deployment-external-secrets.yaml 
@@ -40,15 +40,43 @@ spec: runAsUser: 1000 seccompProfile: type: RuntimeDefault - image: ghcr.io/external-secrets/external-secrets:v2.2.0 + image: ghcr.io/external-secrets/external-secrets:v2.2.0@sha256:876e627dbee5b0edd12da49b035469d12418cd6c3c4be5e383ae6a82e8bd4565 imagePullPolicy: IfNotPresent args: + - --enable-leader-election=true + - --enable-extended-metric-labels=true - --concurrent=1 - --metrics-addr=:8080 - --loglevel=info - --zap-time-encoding=epoch + - --live-addr=:8082 ports: - containerPort: 8080 protocol: TCP name: metrics + - name: live + protocol: TCP + containerPort: 8082 + livenessProbe: + failureThreshold: 5 + httpGet: + path: /healthz + port: live + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + readinessProbe: + failureThreshold: 3 + httpGet: + path: /readyz + port: live + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + resources: + requests: + cpu: 5m + memory: 50Mi dnsPolicy: ClusterFirst diff --git a/clusters/cl01tl/manifests/external-secrets/PodDisruptionBudget-external-secrets-pdb.yaml b/clusters/cl01tl/manifests/external-secrets/PodDisruptionBudget-external-secrets-pdb.yaml new file mode 100644 index 000000000..3a37a5c7c --- /dev/null +++ b/clusters/cl01tl/manifests/external-secrets/PodDisruptionBudget-external-secrets-pdb.yaml @@ -0,0 +1,17 @@ +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: "external-secrets-pdb" + namespace: external-secrets + labels: + helm.sh/chart: external-secrets-2.2.0 + app.kubernetes.io/name: external-secrets + app.kubernetes.io/instance: external-secrets + app.kubernetes.io/version: "v2.2.0" + app.kubernetes.io/managed-by: Helm +spec: + minAvailable: 1 + selector: + matchLabels: + app.kubernetes.io/name: external-secrets + app.kubernetes.io/instance: external-secrets
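Review bot: `minAvailable: 1` in the new PodDisruptionBudget-external-secrets-pdb.yaml blocks every voluntary eviction if the external-secrets Deployment runs a single replica, which stalls node drains and upgrades; the replica count is not visible in this commit. If there is only one replica, raise it (leader election is enabled in the same commit, so a second replica would stand by) or express the budget as `maxUnavailable: 1`. Otherwise the drain of the node hosting the controller has to be forced, which tends to get done by deleting the budget.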