alexlebens/infrastructure
1
0
Fork 0
Code Issues 1 Pull Requests 2 Actions Activity

Compare commits

base: alexlebens:dab055843e1f90d97954834acaa95846ec0f0ebc
Branches Tags
alexlebens:main alexlebens:renovate/unified-clideywhodb alexlebens:renovate/cilium-1.x alexlebens:manifests
..
compare: alexlebens:main
Branches Tags
alexlebens:renovate/unified-clideywhodb alexlebens:renovate/cilium-1.x alexlebens:manifests alexlebens:main

7 Commits
dab055843e ... main

Author SHA1 Message Date
Renovate Bot
e1b62113c1 chore(deps): update searxng/searxng:latest docker digest to 2c86f95 (#4250)
All checks were successful
render-manifests-push / render-manifests-push (push) Has been skipped
Details
lint-test-helm / lint-helm (push) Successful in 19s
Details
renovate / renovate (push) Successful in 3m36s
Details
2026-02-26 11:03:37 +00:00
Renovate Bot
4fde64a6a1 chore(deps): update harbor.alexlebens.net/images/site-documentation docker tag to v0.1.6 (#4247)
All checks were successful
render-manifests-push / render-manifests-push (push) Has been skipped
Details
lint-test-helm / lint-helm (push) Successful in 21s
Details
renovate / renovate (push) Successful in 3m41s
Details
2026-02-26 04:14:15 +00:00
Renovate Bot
45159022c9 chore(deps): update harbor.alexlebens.net/images/site-profile docker tag to v2.16.0 (#4246)
Some checks failed
render-manifests-push / render-manifests-push (push) Has been skipped
Details
lint-test-helm / lint-helm (push) Successful in 1m37s
Details
renovate / renovate (push) Has been cancelled
Details 
This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [harbor.alexlebens.net/images/site-profile](https://gitea.alexlebens.dev/alexlebens/site-profile) | minor | `2.15.1` → `2.16.0` |

---

### Release Notes

<details>
<summary>alexlebens/site-profile (harbor.alexlebens.net/images/site-profile)</summary>

### [`v2.16.0`](https://gitea.alexlebens.dev/alexlebens/site-profile/compare/2.15.1...2.16.0)

[Compare Source](https://gitea.alexlebens.dev/alexlebens/site-profile/compare/2.15.1...2.16.0)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yNS43IiwidXBkYXRlZEluVmVyIjoiNDMuMjUuNyIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiaW1hZ2UiXX0=-->

Reviewed-on: #4246
Co-authored-by: Renovate Bot <renovate-bot@alexlebens.net>
Co-committed-by: Renovate Bot <renovate-bot@alexlebens.net>
 2026-02-26 04:12:25 +00:00
Renovate Bot
fbc8b4014f chore(deps): update kube-prometheus-stack docker tag to v82.4.0 (#4232)
All checks were successful
render-manifests-push / render-manifests-push (push) Has been skipped
Details
lint-test-helm / lint-helm (push) Successful in 1m37s
Details
render-manifests-dispatch / render-manifests-dispatch (push) Successful in 43m25s
Details
renovate / renovate (push) Successful in 3m11s
Details 
This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [kube-prometheus-stack](https://github.com/prometheus-operator/kube-prometheus) ([source](https://github.com/prometheus-community/helm-charts)) | minor | `82.3.0` → `82.4.0` |

---

### Release Notes

<details>
<summary>prometheus-community/helm-charts (kube-prometheus-stack)</summary>

### [`v82.4.0`](https://github.com/prometheus-community/helm-charts/releases/tag/kube-prometheus-stack-82.4.0)

[Compare Source](https://github.com/prometheus-community/helm-charts/compare/kube-prometheus-stack-82.3.0...kube-prometheus-stack-82.4.0)

kube-prometheus-stack collects Kubernetes manifests, Grafana dashboards, and Prometheus rules combined with documentation and scripts to provide easy to operate end-to-end Kubernetes cluster monitoring with Prometheus using the Prometheus Operator.

#### What's Changed

- \[kube-prometheus-stack] unify PodDisruptionBudget configuration by [@&#8203;mkmet](https://github.com/mkmet) in [#&#8203;6669](https://github.com/prometheus-community/helm-charts/pull/6669)

#### New Contributors

- [@&#8203;mkmet](https://github.com/mkmet) made their first contribution in [#&#8203;6669](https://github.com/prometheus-community/helm-charts/pull/6669)

**Full Changelog**: <https://github.com/prometheus-community/helm-charts/compare/prometheus-nginx-exporter-1.19.1...kube-prometheus-stack-82.4.0>

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yNS43IiwidXBkYXRlZEluVmVyIjoiNDMuMjUuNyIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiaW1hZ2UiXX0=-->

Reviewed-on: #4232
Co-authored-by: Renovate Bot <renovate-bot@alexlebens.net>
Co-committed-by: Renovate Bot <renovate-bot@alexlebens.net>
 2026-02-26 00:02:47 +00:00
Alex Lebens
7411f391e8 feat: add proxy auth
All checks were successful
lint-test-helm / lint-helm (push) Successful in 1m21s
Details
render-manifests-push / render-manifests-push (push) Successful in 4m17s
Details
renovate / renovate (push) Successful in 5m3s
Details
2026-02-25 17:42:52 -06:00
Alex Lebens
536e164b03 fix: change headers
All checks were successful
lint-test-helm / lint-helm (push) Successful in 40s
Details
render-manifests-push / render-manifests-push (push) Successful in 2m26s
Details
renovate / renovate (push) Successful in 3m3s
Details
2026-02-25 17:25:18 -06:00
Alex Lebens
ade761cc85 feat: add reference grant
All checks were successful
lint-test-helm / lint-helm (push) Successful in 47s
Details
render-manifests-push / render-manifests-push (push) Successful in 2m2s
Details
renovate / renovate (push) Successful in 3m24s
Details
2026-02-25 17:08:38 -06:00
21 changed files with 340 additions and 8 deletions
Expand all files Collapse all files

39
clusters/cl01tl/helm/authentik/templates/reference-grant.yaml Normal file
View File

@@ -0,0 +1,39 @@
apiVersion: gateway.networking.k8s.io/v1beta1
kind: ReferenceGrant
metadata:
name: allow-outpost-cross-namespace-access
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: allow-outpost-cross-namespace-access
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
from:
- group: gateway.networking.k8s.io
kind: HTTPRoute
namespace: lidarr
- group: gateway.networking.k8s.io
kind: HTTPRoute
namespace: radarr
- group: gateway.networking.k8s.io
kind: HTTPRoute
namespace: radarr-4k
- group: gateway.networking.k8s.io
kind: HTTPRoute
namespace: radarr-anime
- group: gateway.networking.k8s.io
kind: HTTPRoute
namespace: radarr-standup
- group: gateway.networking.k8s.io
kind: HTTPRoute
namespace: sonarr
- group: gateway.networking.k8s.io
kind: HTTPRoute
namespace: sonarr-4k
- group: gateway.networking.k8s.io
kind: HTTPRoute
namespace: sonarr-anime
to:
- group: ""
kind: Service
name: ak-outpost-traefik-proxy-auth

2
clusters/cl01tl/helm/kube-prometheus-stack/Chart.lock
View File

@@ -9,4 +9,4 @@ dependencies:
repository: oci://harbor.alexlebens.net/helm-charts
version: 1.0.4
digest: sha256:24214c0bc1e6aed9954385aa61b403a7fa4b4e92bac09777504635cba98735ba
generated: "2026-02-25T23:06:53.839916136Z"
generated: "2026-02-25T23:46:14.059155578Z"

26
clusters/cl01tl/helm/lidarr/templates/middleware.yaml Normal file
View File

@@ -0,0 +1,26 @@
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: oidc-forward-auth
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: oidc-forward-auth
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
forwardAuth:
address: http://ak-outpost-traefik-proxy-auth.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik
trustForwardHeader: true
authResponseHeaders:
- X-authentik-username
- X-authentik-groups
- X-authentik-entitlements
- X-authentik-email
- X-authentik-name
- X-authentik-uid
- X-authentik-jwt
- X-authentik-meta-jwks
- X-authentik-meta-outpost
- X-authentik-meta-provider
- X-authentik-meta-app
- X-authentik-meta-version

16
clusters/cl01tl/helm/lidarr/values.yaml
View File

@@ -84,12 +84,28 @@ lidarr:
hostnames:
- lidarr.alexlebens.net
rules:
- backendRefs:
- name: ak-outpost-traefik-proxy-auth
namespace: authentik
port: 9000
weight: 100
filters: []
matches:
- path:
type: PathPrefix
value: /outpost.goauthentik.io
- backendRefs:
- group: ''
kind: Service
name: lidarr
port: 80
weight: 100
filters:
- type: ExtensionRef
extensionRef:
group: traefik.io
kind: Middleware
name: oidc-forward-auth
matches:
- path:
type: PathPrefix

26
clusters/cl01tl/helm/radarr-4k/templates/middleware.yaml Normal file
View File

@@ -0,0 +1,26 @@
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: oidc-forward-auth
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: oidc-forward-auth
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
forwardAuth:
address: http://ak-outpost-traefik-proxy-auth.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik
trustForwardHeader: true
authResponseHeaders:
- X-authentik-username
- X-authentik-groups
- X-authentik-entitlements
- X-authentik-email
- X-authentik-name
- X-authentik-uid
- X-authentik-jwt
- X-authentik-meta-jwks
- X-authentik-meta-outpost
- X-authentik-meta-provider
- X-authentik-meta-app
- X-authentik-meta-version

16
clusters/cl01tl/helm/radarr-4k/values.yaml
View File

@@ -84,12 +84,28 @@ radarr-4k:
hostnames:
- radarr-4k.alexlebens.net
rules:
- backendRefs:
- name: ak-outpost-traefik-proxy-auth
namespace: authentik
port: 9000
weight: 100
filters: []
matches:
- path:
type: PathPrefix
value: /outpost.goauthentik.io
- backendRefs:
- group: ''
kind: Service
name: radarr-4k
port: 80
weight: 100
filters:
- type: ExtensionRef
extensionRef:
group: traefik.io
kind: Middleware
name: oidc-forward-auth
matches:
- path:
type: PathPrefix

26
clusters/cl01tl/helm/radarr-anime/templates/middleware.yaml Normal file
View File

@@ -0,0 +1,26 @@
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: oidc-forward-auth
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: oidc-forward-auth
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
forwardAuth:
address: http://ak-outpost-traefik-proxy-auth.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik
trustForwardHeader: true
authResponseHeaders:
- X-authentik-username
- X-authentik-groups
- X-authentik-entitlements
- X-authentik-email
- X-authentik-name
- X-authentik-uid
- X-authentik-jwt
- X-authentik-meta-jwks
- X-authentik-meta-outpost
- X-authentik-meta-provider
- X-authentik-meta-app
- X-authentik-meta-version

16
clusters/cl01tl/helm/radarr-anime/values.yaml
View File

@@ -82,12 +82,28 @@ radarr-anime:
hostnames:
- radarr-anime.alexlebens.net
rules:
- backendRefs:
- name: ak-outpost-traefik-proxy-auth
namespace: authentik
port: 9000
weight: 100
filters: []
matches:
- path:
type: PathPrefix
value: /outpost.goauthentik.io
- backendRefs:
- group: ''
kind: Service
name: radarr-anime
port: 80
weight: 100
filters:
- type: ExtensionRef
extensionRef:
group: traefik.io
kind: Middleware
name: oidc-forward-auth
matches:
- path:
type: PathPrefix

26
clusters/cl01tl/helm/radarr-standup/templates/middleware.yaml Normal file
View File

@@ -0,0 +1,26 @@
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: oidc-forward-auth
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: oidc-forward-auth
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
forwardAuth:
address: http://ak-outpost-traefik-proxy-auth.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik
trustForwardHeader: true
authResponseHeaders:
- X-authentik-username
- X-authentik-groups
- X-authentik-entitlements
- X-authentik-email
- X-authentik-name
- X-authentik-uid
- X-authentik-jwt
- X-authentik-meta-jwks
- X-authentik-meta-outpost
- X-authentik-meta-provider
- X-authentik-meta-app
- X-authentik-meta-version

16
clusters/cl01tl/helm/radarr-standup/values.yaml
View File

@@ -82,12 +82,28 @@ radarr-standup:
hostnames:
- radarr-standup.alexlebens.net
rules:
- backendRefs:
- name: ak-outpost-traefik-proxy-auth
namespace: authentik
port: 9000
weight: 100
filters: []
matches:
- path:
type: PathPrefix
value: /outpost.goauthentik.io
- backendRefs:
- group: ''
kind: Service
name: radarr-standup
port: 80
weight: 100
filters:
- type: ExtensionRef
extensionRef:
group: traefik.io
kind: Middleware
name: oidc-forward-auth
matches:
- path:
type: PathPrefix

26
clusters/cl01tl/helm/radarr/templates/middleware.yaml Normal file
View File

@@ -0,0 +1,26 @@
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: oidc-forward-auth
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: oidc-forward-auth
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
forwardAuth:
address: http://ak-outpost-traefik-proxy-auth.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik
trustForwardHeader: true
authResponseHeaders:
- X-authentik-username
- X-authentik-groups
- X-authentik-entitlements
- X-authentik-email
- X-authentik-name
- X-authentik-uid
- X-authentik-jwt
- X-authentik-meta-jwks
- X-authentik-meta-outpost
- X-authentik-meta-provider
- X-authentik-meta-app
- X-authentik-meta-version

16
clusters/cl01tl/helm/radarr/values.yaml
View File

@@ -84,12 +84,28 @@ radarr:
hostnames:
- radarr.alexlebens.net
rules:
- backendRefs:
- name: ak-outpost-traefik-proxy-auth
namespace: authentik
port: 9000
weight: 100
filters: []
matches:
- path:
type: PathPrefix
value: /outpost.goauthentik.io
- backendRefs:
- group: ''
kind: Service
name: radarr
port: 80
weight: 100
filters:
- type: ExtensionRef
extensionRef:
group: traefik.io
kind: Middleware
name: oidc-forward-auth
matches:
- path:
type: PathPrefix

4
clusters/cl01tl/helm/searxng/values.yaml
View File

@@ -9,7 +9,7 @@ searxng:
main:
image:
repository: searxng/searxng
tag: latest@sha256:edf110a2816d8963949d03879c72a7e19c221b5f7bfb7952a33ae073f96ccb18
tag: latest@sha256:2c86f95c22dde03f5354a81b027ec882830748c5fe6454f03c7ec8fc384e54ea
pullPolicy: IfNotPresent
env:
- name: SEARXNG_BASE_URL
@@ -39,7 +39,7 @@ searxng:
main:
image:
repository: searxng/searxng
tag: latest@sha256:edf110a2816d8963949d03879c72a7e19c221b5f7bfb7952a33ae073f96ccb18
tag: latest@sha256:2c86f95c22dde03f5354a81b027ec882830748c5fe6454f03c7ec8fc384e54ea
pullPolicy: IfNotPresent
env:
- name: SEARXNG_BASE_URL

2
clusters/cl01tl/helm/site-documentation/values.yaml
View File

@@ -11,7 +11,7 @@ site-documentation:
main:
image:
repository: harbor.alexlebens.net/images/site-documentation
tag: 0.1.5
tag: 0.1.6
pullPolicy: IfNotPresent
resources:
requests:

2
clusters/cl01tl/helm/site-profile/values.yaml
View File

@@ -11,7 +11,7 @@ site-profile:
main:
image:
repository: harbor.alexlebens.net/images/site-profile
tag: 2.15.1
tag: 2.16.0
pullPolicy: IfNotPresent
resources:
requests:

3
clusters/cl01tl/helm/sonarr-4k/templates/middleware.yaml
View File

@@ -11,10 +11,7 @@ spec:
forwardAuth:
address: http://ak-outpost-traefik-proxy-auth.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik
trustForwardHeader: true
authRequestHeaders:
- X-Forwarded-Proto
authResponseHeaders:
- Set-Cookie
- X-authentik-username
- X-authentik-groups
- X-authentik-entitlements

2
clusters/cl01tl/helm/sonarr-4k/values.yaml
View File

@@ -86,6 +86,8 @@ sonarr-4k:
- name: ak-outpost-traefik-proxy-auth
namespace: authentik
port: 9000
weight: 100
filters: []
matches:
- path:
type: PathPrefix

26
clusters/cl01tl/helm/sonarr-anime/templates/middleware.yaml Normal file
View File

@@ -0,0 +1,26 @@
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: oidc-forward-auth
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: oidc-forward-auth
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
forwardAuth:
address: http://ak-outpost-traefik-proxy-auth.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik
trustForwardHeader: true
authResponseHeaders:
- X-authentik-username
- X-authentik-groups
- X-authentik-entitlements
- X-authentik-email
- X-authentik-name
- X-authentik-uid
- X-authentik-jwt
- X-authentik-meta-jwks
- X-authentik-meta-outpost
- X-authentik-meta-provider
- X-authentik-meta-app
- X-authentik-meta-version

16
clusters/cl01tl/helm/sonarr-anime/values.yaml
View File

@@ -82,12 +82,28 @@ sonarr-anime:
hostnames:
- sonarr-anime.alexlebens.net
rules:
- backendRefs:
- name: ak-outpost-traefik-proxy-auth
namespace: authentik
port: 9000
weight: 100
filters: []
matches:
- path:
type: PathPrefix
value: /outpost.goauthentik.io
- backendRefs:
- group: ''
kind: Service
name: sonarr-anime
port: 80
weight: 100
filters:
- type: ExtensionRef
extensionRef:
group: traefik.io
kind: Middleware
name: oidc-forward-auth
matches:
- path:
type: PathPrefix

26
clusters/cl01tl/helm/sonarr/templates/middleware.yaml Normal file
View File

@@ -0,0 +1,26 @@
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: oidc-forward-auth
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: oidc-forward-auth
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
forwardAuth:
address: http://ak-outpost-traefik-proxy-auth.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik
trustForwardHeader: true
authResponseHeaders:
- X-authentik-username
- X-authentik-groups
- X-authentik-entitlements
- X-authentik-email
- X-authentik-name
- X-authentik-uid
- X-authentik-jwt
- X-authentik-meta-jwks
- X-authentik-meta-outpost
- X-authentik-meta-provider
- X-authentik-meta-app
- X-authentik-meta-version

16
clusters/cl01tl/helm/sonarr/values.yaml
View File

@@ -82,12 +82,28 @@ sonarr:
hostnames:
- sonarr.alexlebens.net
rules:
- backendRefs:
- name: ak-outpost-traefik-proxy-auth
namespace: authentik
port: 9000
weight: 100
filters: []
matches:
- path:
type: PathPrefix
value: /outpost.goauthentik.io
- backendRefs:
- group: ''
kind: Service
name: sonarr
port: 80
weight: 100
filters:
- type: ExtensionRef
extensionRef:
group: traefik.io
kind: Middleware
name: oidc-forward-auth
matches:
- path:
type: PathPrefix