From f2f79060d128f005ed7babb10f8662220e005af1 Mon Sep 17 00:00:00 2001 From: gitea-bot Date: Mon, 30 Mar 2026 01:46:32 +0000 Subject: [PATCH] Automated Manifest Update (#5276) This PR contains newly rendered Kubernetes manifests automatically generated by the CI workflow. ### Details - **Trigger**: `workflow_dispatch` by `@alexlebens` - **Commit**: `361db06` (on `main`) - **Charts Updated**: `postiz` ### Update Details (2026-03-30 01:44 UTC) - **Trigger**: `pull_request` by `@alexlebens` - **Commit**: `4130942` (on `4130942c8720bd14bc99b776da2f28c23f3619c8`) - **Charts Updated**: `harbor,headlamp,home-assistant` Reviewed-on: https://gitea.alexlebens.dev/alexlebens/infrastructure/pulls/5276 Co-authored-by: gitea-bot Co-committed-by: gitea-bot --- .../harbor/ExternalSecret-harbor-secret.yaml | 36 ------------------- .../harbor/StatefulSet-harbor-trivy.yaml | 2 +- .../headlamp/Deployment-headlamp.yaml | 6 ++-- .../ExternalSecret-headlamp-oidc-secret.yaml | 18 ---------- .../headlamp/HTTPRoute-headlamp.yaml | 16 +++++---- .../Deployment-home-assistant.yaml | 19 +++++----- ...assistant-code-server-password-secret.yaml | 6 ---- ...nalSecret-home-assistant-token-secret.yaml | 3 -- .../HTTPRoute-home-assistant-code-server.yaml | 2 +- .../HTTPRoute-home-assistant-main.yaml | 2 +- 10 files changed, 23 insertions(+), 87 deletions(-) diff --git a/clusters/cl01tl/manifests/harbor/ExternalSecret-harbor-secret.yaml b/clusters/cl01tl/manifests/harbor/ExternalSecret-harbor-secret.yaml index 64e5f06ca..703db1b17 100644 --- a/clusters/cl01tl/manifests/harbor/ExternalSecret-harbor-secret.yaml +++ b/clusters/cl01tl/manifests/harbor/ExternalSecret-harbor-secret.yaml 
@@ -14,85 +14,49 @@ spec: data: - secretKey: HARBOR_ADMIN_PASSWORD remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /cl01tl/harbor/config - metadataPolicy: None property: admin-password - secretKey: secretKey remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /cl01tl/harbor/config - metadataPolicy: None property: secretKey - secretKey: CSRF_KEY remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /cl01tl/harbor/core - metadataPolicy: None property: CSRF_KEY - secretKey: secret remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /cl01tl/harbor/core - metadataPolicy: None property: secret - secretKey: tls.crt remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /cl01tl/harbor/core - metadataPolicy: None property: tls.crt - secretKey: tls.key remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /cl01tl/harbor/core - metadataPolicy: None property: tls.key - secretKey: JOBSERVICE_SECRET remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /cl01tl/harbor/jobservice - metadataPolicy: None property: JOBSERVICE_SECRET - secretKey: REGISTRY_HTTP_SECRET remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /cl01tl/harbor/registry - metadataPolicy: None property: REGISTRY_HTTP_SECRET - secretKey: REGISTRY_REDIS_PASSWORD remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /cl01tl/harbor/registry - metadataPolicy: None property: REGISTRY_REDIS_PASSWORD - secretKey: REGISTRY_HTPASSWD remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /cl01tl/harbor/registry - metadataPolicy: None property: REGISTRY_HTPASSWD - secretKey: REGISTRY_CREDENTIAL_PASSWORD remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /cl01tl/harbor/registry - metadataPolicy: None property: REGISTRY_CREDENTIAL_PASSWORD - secretKey: REGISTRY_PASSWD remoteRef: - conversionStrategy: Default - decodingStrategy: 
None key: /cl01tl/harbor/registry - metadataPolicy: None property: REGISTRY_CREDENTIAL_PASSWORD diff --git a/clusters/cl01tl/manifests/harbor/StatefulSet-harbor-trivy.yaml b/clusters/cl01tl/manifests/harbor/StatefulSet-harbor-trivy.yaml index 9e3fdbc22..ee38794ee 100644 --- a/clusters/cl01tl/manifests/harbor/StatefulSet-harbor-trivy.yaml +++ b/clusters/cl01tl/manifests/harbor/StatefulSet-harbor-trivy.yaml @@ -46,7 +46,7 @@ spec: automountServiceAccountToken: false containers: - name: trivy - image: goharbor/trivy-adapter-photon:v2.14.3 + image: ghcr.io/goharbor/trivy-adapter-photon:v2.15.0@sha256:6fd6de9cfbbb04cb1d94722cfa01cf71b8994d3f9e7891d3b03a89a7536480ba imagePullPolicy: IfNotPresent securityContext: allowPrivilegeEscalation: false diff --git a/clusters/cl01tl/manifests/headlamp/Deployment-headlamp.yaml b/clusters/cl01tl/manifests/headlamp/Deployment-headlamp.yaml index cef67a8ac..845fe59c0 100644 --- a/clusters/cl01tl/manifests/headlamp/Deployment-headlamp.yaml +++ b/clusters/cl01tl/manifests/headlamp/Deployment-headlamp.yaml @@ -32,7 +32,7 @@ spec: runAsGroup: 101 runAsNonRoot: true runAsUser: 100 - image: "ghcr.io/headlamp-k8s/headlamp:v0.41.0" + image: "ghcr.io/headlamp-k8s/headlamp:v0.41.0@sha256:89c6c65810bfde61796483c93c70d659104355593792bf55cab680d685da8eeb" imagePullPolicy: IfNotPresent envFrom: - secretRef: @@ -60,8 +60,8 @@ spec: port: http resources: requests: - cpu: 10m - memory: 128Mi + cpu: 1m + memory: 80Mi volumeMounts: - name: plugins-dir mountPath: /headlamp/plugins diff --git a/clusters/cl01tl/manifests/headlamp/ExternalSecret-headlamp-oidc-secret.yaml b/clusters/cl01tl/manifests/headlamp/ExternalSecret-headlamp-oidc-secret.yaml index 5e7deeb84..1a1c1ad77 100644 --- a/clusters/cl01tl/manifests/headlamp/ExternalSecret-headlamp-oidc-secret.yaml +++ b/clusters/cl01tl/manifests/headlamp/ExternalSecret-headlamp-oidc-secret.yaml 
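Review bot: In Deployment-headlamp.yaml the second hunk lowers `requests` to `cpu: 1m` and `memory: 80Mi`, and the `resources` block shown there still has no `limits`, so the scheduling guarantee shrinks while the container keeps no memory ceiling. Without `limits.memory`, a leak or an unusually heavy session in this Kubernetes web UI is bounded only by node memory pressure and eviction, which also affects neighbouring pods. Consider adding a limit sized from observed usage next to the new requests, for example `limits: {memory: <observed-peak-plus-headroom>}`. These manifests are rendered by CI, so the change belongs in the chart values rather than in this file.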
@@ -14,43 +14,25 @@ spec: data: - secretKey: OIDC_CLIENT_ID remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /authentik/oidc/headlamp - metadataPolicy: None property: client - secretKey: OIDC_CLIENT_SECRET remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /authentik/oidc/headlamp - metadataPolicy: None property: secret - secretKey: OIDC_ISSUER_URL remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /authentik/oidc/headlamp - metadataPolicy: None property: issuer - secretKey: OIDC_SCOPES remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /authentik/oidc/headlamp - metadataPolicy: None property: scopes - secretKey: HEADLAMP_CONFIG_OIDC_VALIDATOR_IDP_ISSUER_URL remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /authentik/oidc/headlamp - metadataPolicy: None property: validator-issuer-url - secretKey: HEADLAMP_CONFIG_OIDC_VALIDATOR_CLIENT_ID remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /authentik/oidc/headlamp - metadataPolicy: None property: validator-client-id diff --git a/clusters/cl01tl/manifests/headlamp/HTTPRoute-headlamp.yaml b/clusters/cl01tl/manifests/headlamp/HTTPRoute-headlamp.yaml index 3444365bb..50c9d6e02 100644 --- a/clusters/cl01tl/manifests/headlamp/HTTPRoute-headlamp.yaml +++ b/clusters/cl01tl/manifests/headlamp/HTTPRoute-headlamp.yaml @@ -4,9 +4,11 @@ metadata: name: headlamp namespace: headlamp labels: + helm.sh/chart: headlamp-0.41.0 app.kubernetes.io/name: headlamp app.kubernetes.io/instance: headlamp - app.kubernetes.io/part-of: headlamp + app.kubernetes.io/version: "0.41.0" + app.kubernetes.io/managed-by: Helm spec: parentRefs: - group: gateway.networking.k8s.io 
@@ -16,13 +18,13 @@ spec: hostnames: - headlamp.alexlebens.net rules: - - matches: - - path: - type: PathPrefix - value: / - backendRefs: - - group: '' + - backendRefs: + - group: "" kind: Service name: headlamp port: 80 weight: 100 + matches: + - path: + type: PathPrefix + value: / diff --git a/clusters/cl01tl/manifests/home-assistant/Deployment-home-assistant.yaml b/clusters/cl01tl/manifests/home-assistant/Deployment-home-assistant.yaml index e1fb15e65..34572692e 100644 --- a/clusters/cl01tl/manifests/home-assistant/Deployment-home-assistant.yaml +++ b/clusters/cl01tl/manifests/home-assistant/Deployment-home-assistant.yaml @@ -29,6 +29,9 @@ spec: enableServiceLinks: false serviceAccountName: default automountServiceAccountToken: true + securityContext: + fsGroup: 1000 + fsGroupChangePolicy: OnRootMismatch hostIPC: false hostNetwork: false hostPID: false @@ -36,7 +39,7 @@ spec: containers: - env: - name: TZ - value: US/Central + value: America/Chicago - name: PUID value: "1000" - name: PGID @@ -47,25 +50,19 @@ spec: - secretRef: name: home-assistant-code-server-password-secret image: ghcr.io/linuxserver/code-server:4.112.0@sha256:4bb5b8ad22268001687c047f0f04933799fb03df1eb0e1e266ba15ed2d9f4e8b - imagePullPolicy: IfNotPresent name: code-server - resources: - requests: - cpu: 10m - memory: 128Mi volumeMounts: - mountPath: /config/home-assistant name: config - env: - name: TZ - value: US/Central - image: ghcr.io/home-assistant/home-assistant:2026.3.4 - imagePullPolicy: IfNotPresent + value: America/Chicago + image: ghcr.io/home-assistant/home-assistant:2026.3.4@sha256:916682086154a7390114a9788782b8efb199852d4f7d47066722c2bc5d1829e6 name: main resources: requests: - cpu: 50m - memory: 512Mi + cpu: 1m + memory: 400Mi volumeMounts: - mountPath: /config name: config 
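Review bot: The pod-level `securityContext` added in the first hunk of Deployment-home-assistant.yaml sets only `fsGroup` and `fsGroupChangePolicy`, while the context line directly above it keeps `automountServiceAccountToken: true` with `serviceAccountName: default`. The pod includes a code-server container that takes its credentials from `home-assistant-code-server-password-secret`, so a terminal session in that IDE can read the mounted API token. Nothing visible in this section shows either container calling the Kubernetes API. If that holds, set `automountServiceAccountToken: false`, as the harbor-trivy StatefulSet in this same commit already does, and consider adding `seccompProfile: {type: RuntimeDefault}` to the new block. The pod spec starts and ends outside the hunk, and because the manifest is rendered the change belongs in the chart values.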
diff --git a/clusters/cl01tl/manifests/home-assistant/ExternalSecret-home-assistant-code-server-password-secret.yaml b/clusters/cl01tl/manifests/home-assistant/ExternalSecret-home-assistant-code-server-password-secret.yaml index a04a9b60a..3743e9254 100644 --- a/clusters/cl01tl/manifests/home-assistant/ExternalSecret-home-assistant-code-server-password-secret.yaml +++ b/clusters/cl01tl/manifests/home-assistant/ExternalSecret-home-assistant-code-server-password-secret.yaml @@ -14,15 +14,9 @@ spec: data: - secretKey: PASSWORD remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /cl01tl/home-assistant/code-server/auth - metadataPolicy: None property: PASSWORD - secretKey: SUDO_PASSWORD remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /cl01tl/home-assistant/code-server/auth - metadataPolicy: None property: SUDO_PASSWORD diff --git a/clusters/cl01tl/manifests/home-assistant/ExternalSecret-home-assistant-token-secret.yaml b/clusters/cl01tl/manifests/home-assistant/ExternalSecret-home-assistant-token-secret.yaml index 4de3c5179..36f920d97 100644 --- a/clusters/cl01tl/manifests/home-assistant/ExternalSecret-home-assistant-token-secret.yaml +++ b/clusters/cl01tl/manifests/home-assistant/ExternalSecret-home-assistant-token-secret.yaml @@ -14,8 +14,5 @@ spec: data: - secretKey: bearer-token remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /cl01tl/home-assistant/auth - metadataPolicy: None property: bearer-token diff --git a/clusters/cl01tl/manifests/home-assistant/HTTPRoute-home-assistant-code-server.yaml b/clusters/cl01tl/manifests/home-assistant/HTTPRoute-home-assistant-code-server.yaml index 638c09d9b..1428ac4c4 100644 --- a/clusters/cl01tl/manifests/home-assistant/HTTPRoute-home-assistant-code-server.yaml +++ b/clusters/cl01tl/manifests/home-assistant/HTTPRoute-home-assistant-code-server.yaml 
@@ -23,7 +23,7 @@ spec: name: home-assistant-code-server namespace: home-assistant port: 8443 - weight: 100 + weight: 1 matches: - path: type: PathPrefix diff --git a/clusters/cl01tl/manifests/home-assistant/HTTPRoute-home-assistant-main.yaml b/clusters/cl01tl/manifests/home-assistant/HTTPRoute-home-assistant-main.yaml index f6a28be24..426946033 100644 --- a/clusters/cl01tl/manifests/home-assistant/HTTPRoute-home-assistant-main.yaml +++ b/clusters/cl01tl/manifests/home-assistant/HTTPRoute-home-assistant-main.yaml @@ -23,7 +23,7 @@ spec: name: home-assistant-main namespace: home-assistant port: 80 - weight: 100 + weight: 1 matches: - path: type: PathPrefix