alexlebens/infrastructure
1
0
Fork 0
Code Issues 1 Pull Requests 4 Actions 1 Activity

Compare commits

base: alexlebens:main
Branches Tags
alexlebens:main alexlebens:renovate/major-unified-vault alexlebens:renovate/unified-stalwartlabs alexlebens:renovate/unified-gitea alexlebens:renovate/unified-cilium alexlebens:manifests
..
compare: alexlebens:ef6a2b06b6af59c193e95d10797a1df26a1dc9dc
Branches Tags
alexlebens:renovate/major-unified-vault alexlebens:renovate/unified-stalwartlabs alexlebens:renovate/unified-gitea alexlebens:renovate/unified-cilium alexlebens:manifests alexlebens:main

1 Commits
main ... ef6a2b06b6

Author SHA1 Message Date
Renovate Bot
ef6a2b06b6 chore(deps): update dependency moghtech/komodo to v2
All checks were successful
lint-test-helm / lint-helm (pull_request) Successful in 28s
Details
lint-test-helm / validate-kubeconform (pull_request) Successful in 19s
Details
2026-03-24 14:05:13 +00:00
413 changed files with 5872 additions and 5315 deletions
Expand all files Collapse all files

BIN
.DS_Store vendored
View File

Binary file not shown.

2
.gitea/workflows/lint-test-docker.yaml
View File

@@ -28,7 +28,7 @@ jobs:
- name: Check Branch Exists - name: Check Branch Exists
id: check-branch-exists id: check-branch-exists
if: github.event_name == 'pull_request' if: github.event_name == 'pull_request'
uses: GuillaumeFalourd/branch-exists@650358876c774d6ccbd581b5553eb636dab79a97 # v1.2 uses: GuillaumeFalourd/branch-exists@009290475dc3d75b5d7ec680c0c5b614b0d9855d # v1.1
with: with:
branch: "${{ github.base_ref }}" branch: "${{ github.base_ref }}"

260
.gitea/workflows/lint-test-helm.yaml
View File

@@ -16,8 +16,8 @@ on:
env: env:
CLUSTER: cl01tl CLUSTER: cl01tl
BASE_BRANCH: "origin/${{ github.base_ref }}" BASE_BRANCH: "origin/${{ github.base_ref }}"
# renovate: datasource=github-releases depName=yannh/kubeconform
KUBECONFORM_VERSION: "v0.6.7" KUBECONFORM_VERSION: "v0.6.7"
ARGOCD_VERSION: "v3.3.6"
jobs: jobs:
lint-helm: lint-helm:
@@ -35,7 +35,7 @@ jobs:
- name: Check Branch Exists - name: Check Branch Exists
id: check-branch-exists id: check-branch-exists
if: github.event_name == 'pull_request' if: github.event_name == 'pull_request'
uses: GuillaumeFalourd/branch-exists@650358876c774d6ccbd581b5553eb636dab79a97 # v1.2 uses: GuillaumeFalourd/branch-exists@009290475dc3d75b5d7ec680c0c5b614b0d9855d # v1.1
with: with:
branch: ${{ github.base_ref }} branch: ${{ github.base_ref }}
@@ -102,7 +102,7 @@ jobs:
echo "" echo ""
echo "${CHANGED_CHARTS}" echo "${CHANGED_CHARTS}"
CHANGED_CHARTS_CSV=$(echo "${CHANGED_CHARTS}" | paste -sd ',' -) CHANGED_CHARTS_CSV=$(echo "$CHANGED_CHARTS" | paste -sd ',' -)
echo "" echo ""
echo "----" echo "----"
@@ -236,17 +236,7 @@ jobs:
with: with:
fetch-depth: 0 fetch-depth: 0
- name: Cache Kubeconform
id: cache-kubeconform
uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
with:
path: /usr/local/bin/kubeconform
key: ${{ runner.os }}-kubeconform-${{ env.KUBECONFORM_VERSION }}
restore-keys: |
${{ runner.os }}-kubeconform-
- name: Install Kubeconform - name: Install Kubeconform
if: steps.cache-kubeconform.outputs.cache-hit != 'true'
run: | run: |
echo ">> Downloading Kubeconform ${{ env.KUBECONFORM_VERSION }} ..." echo ">> Downloading Kubeconform ${{ env.KUBECONFORM_VERSION }} ..."
wget -q https://github.com/yannh/kubeconform/releases/download/${{ env.KUBECONFORM_VERSION }}/kubeconform-linux-amd64.tar.gz wget -q https://github.com/yannh/kubeconform/releases/download/${{ env.KUBECONFORM_VERSION }}/kubeconform-linux-amd64.tar.gz
@@ -259,8 +249,6 @@ jobs:
echo ">> Installing Kubeconform ..." echo ">> Installing Kubeconform ..."
sudo mv kubeconform /usr/local/bin/ sudo mv kubeconform /usr/local/bin/
- name: Verify installation
run: |
echo "" echo ""
echo ">> Verifying installation ..." echo ">> Verifying installation ..."
kubeconform -v kubeconform -v
@@ -336,7 +324,7 @@ jobs:
helm dependency build "${CHART_PATH}" --skip-refresh helm dependency build "${CHART_PATH}" --skip-refresh
if ! helm template "${DIR}" "${CHART_PATH}" --include-crds --namespace default --api-versions "gateway.networking.k8s.io/v1/HTTPRoute,monitoring.coreos.com/v1,monitoring.coreos.com/v1/ServiceMonitor" | \ if ! helm template "${DIR}" "${CHART_PATH}" --include-crds --namespace default --api-versions "gateway.networking.k8s.io/v1/HTTPRoute" | \
kubeconform \ kubeconform \
${SCHEMA_LOCATIONS} \ ${SCHEMA_LOCATIONS} \
-ignore-missing-schemas \ -ignore-missing-schemas \
@@ -377,243 +365,3 @@ jobs:
icon: 'https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png' icon: 'https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png'
actions: '[{"action": "view", "label": "View Run", "url": "${{ vars.USER_URL }}/${{ github.repository }}/actions/runs/${{ github.run_id }}", "clear": true}]' actions: '[{"action": "view", "label": "View Run", "url": "${{ vars.USER_URL }}/${{ github.repository }}/actions/runs/${{ github.run_id }}", "clear": true}]'
image: true image: true
# argo-diff:
# needs: lint-helm
# runs-on: ubuntu-js
# if: |
# needs.lint-helm.result == 'success' &&
# needs.lint-helm.outputs.changes-detected == 'true' &&
# github.event_name == 'pull_request'
# steps:
# - name: Checkout
# uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
# with:
# fetch-depth: 0
# - name: Cache ArgoCD CLI
# id: cache-argocd
# uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
# with:
# path: /usr/local/bin/argocd
# key: ${{ runner.os }}-argocd-${{ env.ARGOCD_VERSION }}
# restore-keys: |
# ${{ runner.os }}-argocd-
# - name: Install ArgoCD CLI
# if: steps.cache-argocd.outputs.cache-hit != 'true'
# run: |
# echo ">> Downloading ArgoCD CLI, version: ${{ env.ARGOCD_VERSION }} ..."
# curl -sSL -o argocd-linux-amd64 https://github.com/argoproj/argo-cd/releases/download/${{ env.ARGOCD_VERSION }}/argocd-linux-amd64
# echo ""
# echo ">> Installing ArgoCD CLI ..."
# sudo install -m 555 argocd-linux-amd64 /usr/local/bin/argocd
# echo ""
# echo "----"
# - name: Verify installation
# run: |
# echo ""
# echo ">> Verifying installation ..."
# argocd version --client
# echo ""
# echo "----"
# - name: Set Up Helm
# uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5
# with:
# token: ${{ secrets.GITEA_TOKEN }}
# # renovate: datasource=github-releases depName=helm/helm
# version: v4.1.3
# cache: true
# - name: Cache Helm Dependencies
# uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
# with:
# path: |
# ~/.cache/helm
# ~/.config/helm
# key: helm-cache-${{ runner.os }}-${{ hashFiles('infrastructure/clusters/cl01tl/helm/**/Chart.yaml', 'infrastructure/clusters/cl01tl/helm/**/Chart.lock') }}
# restore-keys: |
# helm-cache-${{ runner.os }}-
# - name: Add Repositories
# env:
# CHANGED_CHARTS: ${{ needs.lint-helm.outputs.chart-dir }}
# run: |
# echo ">> Adding repositories for chart dependencies ..."
# echo ""
# for DIR in ${CHANGED_CHARTS}; do
# helm dependency list --max-col-width 120 clusters/${CLUSTER}/helm/${DIR} 2> /dev/null \
# | tail -n +2 \
# | awk 'NF > 0 { print $1, $3 }' \
# | while read -r REPO_NAME REPO_URL; do
# if [[ "${REPO_URL}" == oci://* ]]; then
# echo ">> Ignoring OCI repo: ${REPO_URL}"
# elif [[ -n "${REPO_NAME}" && -n "${REPO_URL}" ]]; then
# helm repo add "${REPO_NAME}" "${REPO_URL}"
# fi
# done || true
# done
# if helm repo list > /dev/null 2>&1; then
# echo ""
# echo ">> Update repository cache ..."
# helm repo update
# fi
# echo ""
# echo "----"
# - name: Render Templates
# id: render
# env:
# CHANGED_CHARTS: ${{ needs.lint-helm.outputs.chart-dir }}
# run: |
# for APP_NAME in ${CHANGED_CHARTS}; do
# echo ">> Render templates for ${APP_NAME} ..."
# CHART_PATH="clusters/${CLUSTER}/helm/${APP_NAME}"
# OUTPUT_FOLDER="clusters/${CLUSTER}/manifests/${APP_NAME}/"
# mkdir -p "${OUTPUT_FOLDER}"
# helm dependency build "${CHART_PATH}" --skip-refresh
# NAMESPACE="${APP_NAME}"
# case "${APP_NAME}" in
# "stack")
# NAMESPACE="argocd"
# echo ">> Special Rendering into 'argocd' namespace ..."
# ;;
# "cilium" | "coredns" | "metrics-server")
# NAMESPACE="kube-system"
# echo ">> Special Rendering for ${APP_NAME} into 'kube-system' namespace ..."
# ;;
# *)
# echo ">> Standard Rendering ..."
# esac
# TEMPLATE=$(helm template "${APP_NAME}" "${CHART_PATH}" --include-crds --namespace "${NAMESPACE}" --api-versions "gateway.networking.k8s.io/v1/HTTPRoute,monitoring.coreos.com/v1,monitoring.coreos.com/v1/ServiceMonitor")
# # Format and split rendered template
# echo "${TEMPLATE}" | yq '... comments=""' | yq 'select(. != null)' | yq -s '"'"${OUTPUT_FOLDER}"'" + .kind + "-" + .metadata.name + ".yaml"'
# # Strip comments again to ensure formatting correctness
# for file in "$OUTPUT_FOLDER"/*; do
# yq -i '... comments=""' $file
# done
# echo ""
# echo ">> Templates in output folder: ${OUTPUT_FOLDER}"
# ls ${OUTPUT_FOLDER}
# done
# echo "----"
# - name: Run App Diff
# id: diff
# env:
# ARGOCD_SERVER: ${{ secrets.ARGOCD_SERVER }}
# ARGOCD_AUTH_TOKEN: ${{ secrets.ARGOCD_AUTH_TOKEN }}
# CHANGED_CHARTS: ${{ needs.lint-helm.outputs.chart-dir }}
# run: |
# FAILED_CHARTS=""
# DIFF_FOUND="false"
# EXIT_CODE=0
# for APP_NAME in ${CHANGED_CHARTS}; do
# echo ">> Running argocd app diff for ${APP_NAME} ..."
# if ! argocd app diff "${APP_NAME}" \
# --server "${ARGOCD_SERVER}" \
# --auth-token "${ARGOCD_AUTH_TOKEN}" \
# --revision ${{ github.sha }} \
# --local "clusters/${CLUSTER}/manifests/${APP_NAME}" \
# --local-repo-root "." \
# --grpc-web > "diff_output_${APP_NAME}.txt" 2>&1; then
# # ArgoCD diff returns non-zero on diff or error.
# # Let's capture if it actually generated a diff output to post.
# DIFF_FOUND="true"
# # Check if the output contains validation/connection errors
# if grep -iE 'error|failed|connection refused|timeout' "diff_output_${APP_NAME}.txt"; then
# echo ">> ArgoCD encountered an error validating ${APP_NAME}!"
# EXIT_CODE=1
# FAILED_CHARTS="${FAILED_CHARTS} ${APP_NAME}"
# fi
# fi
# if [ -s "diff_output_${APP_NAME}.txt" ]; then
# echo ">> Argo diff or errors:"
# echo ""
# cat diff_output_${APP_NAME}.txt
# echo ""
# else
# echo ">> No Argo diff found for ${APP_NAME}"
# rm "diff_output_${APP_NAME}.txt"
# fi
# done
# echo "----"
# echo "diff-detected=${DIFF_FOUND}" >> "$GITHUB_OUTPUT"
# echo "failed-charts=${FAILED_CHARTS}" >> "$GITHUB_OUTPUT"
# exit $EXIT_CODE
# - name: Post Diff
# if: |
# always() &&
# steps.diff.outputs.diff-detected == 'true' &&
# github.event.pull_request.number != null
# env:
# GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
# run: |
# COMMENT_BODY="### ArgoCD Diff Results
# "
# for f in diff_output_*.txt; do
# APP_NAME=$(echo $f | sed 's/diff_output_//;s/.txt//')
# DIFF_CONTENT=$(cat "$f")
# COMMENT_BODY="${COMMENT_BODY}
# #### App: ${APP_NAME}
# "
# if [ -z "$DIFF_CONTENT" ]; then
# COMMENT_BODY="${COMMENT_BODY} No changes detected."
# else
# COMMENT_BODY="${COMMENT_BODY}
# \`\`\`diff
# ${DIFF_CONTENT}
# \`\`\`"
# fi
# done
# curl -X 'POST' \
# "${{ github.server_url }}/api/v1/repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/comments" \
# -H "Authorization: token ${GITEA_TOKEN}" \
# -H "Content-Type: application/json" \
# -d "$(jq -n --arg body "$COMMENT_BODY" '{body: $body}')"
# - name: ntfy Failed
# uses: niniyas/ntfy-action@96acac57fdc91d4c4f50b78486c1ed6f03f9f61c # master
# if: failure()
# with:
# url: '${{ secrets.NTFY_URL }}'
# topic: '${{ secrets.NTFY_TOPIC }}'
# title: 'ArgoCD Diff Failure'
# priority: 3
# headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
# tags: action,failed
# details: "ArgoCD diff for cluster '${{ env.CLUSTER }}' failed on charts: ${{ steps.diff.outputs.failed-charts }}"
# icon: 'https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png'
# actions: '[{"action": "view", "label": "View Run", "url": "${{ vars.USER_URL }}/${{ github.repository }}/actions/runs/${{ github.run_id }}", "clear": true}]'
# image: true

8
.gitea/workflows/render-manifests.yaml
View File

@@ -50,7 +50,7 @@ jobs:
cache: true cache: true
- name: Configure Kubeconfig - name: Configure Kubeconfig
uses: azure/k8s-set-context@89b837d75b40a7bd2ddafde837473c212db8b313 # v5 uses: azure/k8s-set-context@ae59a723ba9abe7a9655538854a025448dbab4aa # v4
with: with:
method: kubeconfig method: kubeconfig
kubeconfig: ${{ secrets.KUBECONFIG }} kubeconfig: ${{ secrets.KUBECONFIG }}
@@ -273,7 +273,7 @@ jobs:
NAMESPACE="argocd" NAMESPACE="argocd"
echo ">> Special Rendering into 'argocd' namespace ..." echo ">> Special Rendering into 'argocd' namespace ..."
;; ;;
"cilium" | "coredns" | "metrics-server") "cilium" | "coredns" | "metrics-server" | "prometheus-operator-crds")
NAMESPACE="kube-system" NAMESPACE="kube-system"
echo ">> Special Rendering for ${CHART_NAME} into 'kube-system' namespace ..." echo ">> Special Rendering for ${CHART_NAME} into 'kube-system' namespace ..."
;; ;;
@@ -283,7 +283,7 @@ jobs:
echo ">> Formating rendered template ..." echo ">> Formating rendered template ..."
local TEMPLATE local TEMPLATE
TEMPLATE=$(helm template "${CHART_NAME}" ./ --namespace "${NAMESPACE}" --include-crds --dry-run=server --api-versions "gateway.networking.k8s.io/v1/HTTPRoute,monitoring.coreos.com/v1,monitoring.coreos.com/v1/ServiceMonitor") TEMPLATE=$(helm template "${CHART_NAME}" ./ --namespace "${NAMESPACE}" --include-crds --dry-run=server --api-versions "gateway.networking.k8s.io/v1/HTTPRoute")
# Format and split rendered template # Format and split rendered template
echo "${TEMPLATE}" | yq '... comments=""' | yq 'select(. != null)' | yq -s '"'"${OUTPUT_FOLDER}"'" + .kind + "-" + .metadata.name + ".yaml"' echo "${TEMPLATE}" | yq '... comments=""' | yq 'select(. != null)' | yq -s '"'"${OUTPUT_FOLDER}"'" + .kind + "-" + .metadata.name + ".yaml"'
@@ -314,7 +314,7 @@ jobs:
for DIR in ${RENDER_DIR}; do for DIR in ${RENDER_DIR}; do
echo "${DIR}" echo "${DIR}"
done | xargs -P 5 -I {} bash -c 'OUT=$(render_chart "$@" 2>&1); printf "%s\n" "$OUT"' _ {} done | xargs -P 4 -I {} bash -c 'OUT=$(render_chart "$@" 2>&1); printf "%s\n" "$OUT"' _ {}
echo "" echo ""
echo "----" echo "----"

2
.gitea/workflows/renovate.yaml
View File

@@ -13,7 +13,7 @@ on:
jobs: jobs:
renovate: renovate:
runs-on: ubuntu-latest runs-on: ubuntu-latest
container: ghcr.io/renovatebot/renovate:43.136.0@sha256:b8dd2bc412bcabfe641377548863d46d13ac36adaf12103ecb0420c4a1e23261 container: ghcr.io/renovatebot/renovate:43.84.2@sha256:92285747b3aac062a4f567762c272a12dce037843a20177a02c95b7c420e20cb
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

7
clusters/cl01tl/helm/actual/Chart.lock
View File

@@ -2,5 +2,8 @@ dependencies:
- name: app-template - name: app-template
repository: https://bjw-s-labs.github.io/helm-charts/ repository: https://bjw-s-labs.github.io/helm-charts/
version: 4.6.2 version: 4.6.2
digest: sha256:1c04c187e6cf768117f7f91f3a3b082937ad5854c1cf6a681ad7c02687cd543d - name: volsync-target
generated: "2026-04-18T20:15:22.778699-05:00" repository: oci://harbor.alexlebens.net/helm-charts
version: 0.8.0
digest: sha256:ff81b3d8fc831e4b8048f646fffcf597aa7410e52ecf27690eab8104047dbe6f
generated: "2026-03-06T01:04:41.514235218Z"

10
clusters/cl01tl/helm/actual/Chart.yaml
View File

@@ -18,10 +18,10 @@ dependencies:
alias: actual alias: actual
repository: https://bjw-s-labs.github.io/helm-charts/ repository: https://bjw-s-labs.github.io/helm-charts/
version: 4.6.2 version: 4.6.2
# - name: volsync-target - name: volsync-target
# alias: volsync-target-data alias: volsync-target-data
# version: 0.8.0 version: 0.8.0
# repository: oci://harbor.alexlebens.net/helm-charts repository: oci://harbor.alexlebens.net/helm-charts
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/actual-budget.png icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/actual-budget.png
# renovate: datasource=github-releases depName=actualbudget/actual # renovate: datasource=github-releases depName=actualbudget/actual
appVersion: 26.4.0 appVersion: 26.3.0

7
clusters/cl01tl/helm/actual/values.yaml
View File

@@ -8,14 +8,14 @@ actual:
main: main:
image: image:
repository: ghcr.io/actualbudget/actual repository: ghcr.io/actualbudget/actual
tag: 26.4.0@sha256:b0e732e2c41b3dc468a71548e88ef76d3f0c157fc43d15fa05d14ec1c5747e1e tag: 26.3.0@sha256:eb8bc26f53025e07e464594c12d77c52c4b95840c8dadd9b95c4f0c4660f8ad2
env: env:
- name: ACTUAL_PORT - name: ACTUAL_PORT
value: 5006 value: 5006
resources: resources:
requests: requests:
cpu: 10m cpu: 25m
memory: 50Mi memory: 64Mi
probes: probes:
liveness: liveness:
enabled: true enabled: true
@@ -39,6 +39,7 @@ actual:
http: http:
port: 80 port: 80
targetPort: 5006 targetPort: 5006
protocol: HTTP
route: route:
main: main:
kind: HTTPRoute kind: HTTPRoute

12
clusters/cl01tl/helm/argo-workflows/Chart.lock Normal file
View File

@@ -0,0 +1,12 @@
dependencies:
- name: argo-workflows
repository: https://argoproj.github.io/argo-helm
version: 1.0.5
- name: argo-events
repository: https://argoproj.github.io/argo-helm
version: 2.4.21
- name: postgres-cluster
repository: oci://harbor.alexlebens.net/helm-charts
version: 7.10.0
digest: sha256:d0d7ebf1c0013d001aa2f17d04a6d3f3d7a1fa7d5c62792eef856b87c24eb26e
generated: "2026-03-20T20:48:30.830922259Z"

32
clusters/cl01tl/helm/argo-workflows/Chart.yaml Normal file
View File

@@ -0,0 +1,32 @@
apiVersion: v2
name: argo-workflows
version: 1.0.0
description: Argo Workflows
keywords:
- argo-workflows
- argo-events
- workflows
- events
home: https://docs.alexlebens.dev/applications/argo-workflows/
sources:
- https://github.com/argoproj/argo-workflows
- https://github.com/argoproj/argo-events
- https://github.com/argoproj/argo-helm/tree/main/charts/argo-workflows
- https://github.com/argoproj/argo-helm/tree/main/charts/argo-events
- https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/postgres-cluster
maintainers:
- name: alexlebens
dependencies:
- name: argo-workflows
version: 1.0.5
repository: https://argoproj.github.io/argo-helm
- name: argo-events
version: 2.4.21
repository: https://argoproj.github.io/argo-helm
- name: postgres-cluster
alias: postgres-18-cluster
version: 7.10.0
repository: oci://harbor.alexlebens.net/helm-charts
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/argo-cd.png
# renovate: datasource=github-releases depName=argoproj/argo-workflows
appVersion: v4.0.3

14
clusters/cl01tl/helm/prowlarr/templates/external-secret.yaml → clusters/cl01tl/helm/argo-workflows/templates/external-secret.yaml
View File

@@ -1,10 +1,10 @@
apiVersion: external-secrets.io/v1 apiVersion: external-secrets.io/v1
kind: ExternalSecret kind: ExternalSecret
metadata: metadata:
name: prowlarr-key-secret name: argo-workflows-oidc-secret
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
labels: labels:
app.kubernetes.io/name: prowlarr-key-secret app.kubernetes.io/name: argo-workflows-oidc-secret
app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }} app.kubernetes.io/part-of: {{ .Release.Name }}
spec: spec:
@@ -12,7 +12,11 @@ spec:
kind: ClusterSecretStore kind: ClusterSecretStore
name: vault name: vault
data: data:
- secretKey: key - secretKey: secret
remoteRef: remoteRef:
key: /cl01tl/prowlarr/key key: /authentik/oidc/argo-workflows
property: key property: secret
- secretKey: client
remoteRef:
key: /authentik/oidc/argo-workflows
property: client

109
clusters/cl01tl/helm/argo-workflows/values.yaml Normal file
View File

@@ -0,0 +1,109 @@
argo-workflows:
crds:
install: true
keep: true
full: true
upgradeJob:
image:
repository: registry.k8s.io/kubectl
tag: v1.35.3
controller:
metricsConfig:
enabled: true
persistence:
postgresql:
host: argo-workflows-postgresql-18-cluster-rw
port: 5432
database: app
tableName: app
userNameSecret:
name: argo-workflows-postgresql-18-cluster-app
key: username
passwordSecret:
name: argo-workflows-postgresql-18-cluster-app
key: password
ssl: false
sslMode: disable
workflowWorkers: 2
workflowTTLWorkers: 2
podCleanupWorkers: 2
cronWorkflowWorkers: 2
resources:
requests:
cpu: 10m
memory: 32Mi
serviceMonitor:
enabled: true
workflowNamespaces:
- argo-workflows
server:
authModes:
- sso
httproute:
enabled: true
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: traefik-gateway
namespace: traefik
hostnames:
- argo-workflows.alexlebens.net
rules:
- matches:
- path:
type: PathPrefix
value: /
sso:
enabled: true
issuer: https://authentik.alexlebens.net/application/o/argo-workflows/
clientId:
name: argo-workflows-oidc-secret
key: client
clientSecret:
name: argo-workflows-oidc-secret
key: secret
redirectUrl: https://argo-workflows.alexlebens.net/oauth2/callback
rbac:
enabled: false
scopes:
- openid
- email
- profile
argo-events:
crds:
install: true
keep: true
controller:
resources:
requests:
cpu: 10m
memory: 32Mi
metrics:
enabled: true
serviceMonitor:
enabled: true
webhook:
enabled: true
resources:
requests:
cpu: 10m
memory: 32Mi
postgres-18-cluster:
mode: recovery
recovery:
method: objectStore
objectStore:
index: 1
backup:
objectStore:
- name: garage-local
index: 1
destinationBucket: postgres-backups
externalSecretCredentialPath: /garage/home-infra/postgres-backups
isWALArchiver: true
scheduledBackups:
- name: live-backup
suspend: false
immediate: true
schedule: "0 0 14 * * *"
backupName: garage-local

6
clusters/cl01tl/helm/argocd/Chart.lock
View File

@@ -1,6 +1,6 @@
dependencies: dependencies:
- name: argo-cd - name: argo-cd
repository: https://argoproj.github.io/argo-helm repository: https://argoproj.github.io/argo-helm
version: 9.5.2 version: 9.4.15
digest: sha256:5d9e6405ee944bf94df6af247164ebb9b8899144853b9a7eafabe8606affe84e digest: sha256:a0eed2e174bb6b13d04653c755a359025b050d479a92180039a1990dd8ee7caa
generated: "2026-04-19T19:53:40.43789-05:00" generated: "2026-03-20T01:09:07.547016465Z"

4
clusters/cl01tl/helm/argocd/Chart.yaml
View File

@@ -13,8 +13,8 @@ maintainers:
- name: alexlebens - name: alexlebens
dependencies: dependencies:
- name: argo-cd - name: argo-cd
version: 9.5.2 version: 9.4.15
repository: https://argoproj.github.io/argo-helm repository: https://argoproj.github.io/argo-helm
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/argo-cd.png icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/argo-cd.png
# renovate: datasource=github-releases depName=argoproj/argo-cd # renovate: datasource=github-releases depName=argoproj/argo-cd
appVersion: v3.3.7 appVersion: v3.3.4

14
clusters/cl01tl/helm/argocd/templates/_helpers.tpl
View File

@@ -1,14 +0,0 @@
{{/*
Common labels
*/}}
{{- define "custom.labels" -}}
{{ include "custom.selectorLabels" $ }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "custom.selectorLabels" -}}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- end }}

52
clusters/cl01tl/helm/argocd/templates/external-secret.yaml
View File

@@ -1,40 +1,70 @@
apiVersion: external-secrets.io/v1 apiVersion: external-secrets.io/v1
kind: ExternalSecret kind: ExternalSecret
metadata: metadata:
name: argocd-oidc-authentik name: argocd-oidc-secret
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
labels: labels:
app.kubernetes.io/name: argocd-oidc-authentik app.kubernetes.io/name: argocd-oidc-secret
{{- include "custom.labels" . | nindent 4 }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec: spec:
secretStoreRef: secretStoreRef:
kind: ClusterSecretStore kind: ClusterSecretStore
name: openbao name: vault
data: data:
- secretKey: secret - secretKey: secret
remoteRef: remoteRef:
key: /cl01tl/authentik/oidc/argocd key: /authentik/oidc/argocd
property: secret property: secret
- secretKey: client - secretKey: client
remoteRef: remoteRef:
key: /cl01tl/authentik/oidc/argocd key: /authentik/oidc/argocd
property: client property: client
--- ---
apiVersion: external-secrets.io/v1 apiVersion: external-secrets.io/v1
kind: ExternalSecret kind: ExternalSecret
metadata: metadata:
name: argocd-notifications-ntfy name: argocd-notifications-secret
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
labels: labels:
app.kubernetes.io/name: argocd-notifications-ntfy app.kubernetes.io/name: argocd-notifications-secret
{{- include "custom.labels" . | nindent 4 }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec: spec:
secretStoreRef: secretStoreRef:
kind: ClusterSecretStore kind: ClusterSecretStore
name: openbao name: vault
data: data:
- secretKey: ntfy-token - secretKey: ntfy-token
remoteRef: remoteRef:
key: /cl01tl/ntfy/users/cl01tl key: /ntfy/user/cl01tl
property: token property: token
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: argocd-gitea-repo-infrastructure-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: argocd-gitea-repo-infrastructure-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: type
remoteRef:
key: /cl01tl/argocd/credentials/repo/infrastructure
property: type
- secretKey: url
remoteRef:
key: /cl01tl/argocd/credentials/repo/infrastructure
property: url
- secretKey: sshPrivateKey
remoteRef:
key: /cl01tl/argocd/credentials/repo/infrastructure
property: sshPrivateKey

32
clusters/cl01tl/helm/argocd/values.yaml
View File

@@ -13,8 +13,8 @@ argo-cd:
connectors: connectors:
- config: - config:
issuer: https://authentik.alexlebens.net/application/o/argocd/ issuer: https://authentik.alexlebens.net/application/o/argocd/
clientID: $argocd-oidc-authentik:client clientID: $argocd-oidc-secret:client
clientSecret: $argocd-oidc-authentik:secret clientSecret: $argocd-oidc-secret:secret
insecureEnableGroups: true insecureEnableGroups: true
scopes: scopes:
- openid - openid
@@ -34,7 +34,7 @@ argo-cd:
replicas: 1 replicas: 1
resources: resources:
requests: requests:
cpu: 100m cpu: 15m
memory: 1Gi memory: 1Gi
readinessProbe: readinessProbe:
failureThreshold: 3 failureThreshold: 3
@@ -77,7 +77,7 @@ argo-cd:
enabled: true enabled: true
resources: resources:
requests: requests:
cpu: 1m cpu: 10m
memory: 64Mi memory: 64Mi
metrics: metrics:
enabled: true enabled: true
@@ -91,14 +91,14 @@ argo-cd:
enabled: true enabled: true
image: image:
repository: redis repository: redis
tag: 8.6.2-alpine@sha256:81b6f81d6a6c5b9019231a2e8eb10085e3a139a34f833dcc965a8a959b040b72 tag: 8.6.1-alpine@sha256:315270d166080f537bbdf1b489b603aaaa213cb55a544acfa51feb7481abb1c0
persistentVolume: persistentVolume:
enabled: true enabled: true
redis: redis:
resources: resources:
requests: requests:
cpu: 1000m cpu: 1000m
memory: 50Mi memory: 64Mi
haproxy: haproxy:
enabled: true enabled: true
image: image:
@@ -106,8 +106,8 @@ argo-cd:
tag: 3.3.6-alpine@sha256:744be2dca649a44d490a4c565d36968d19482dd387f1bdd44c168f4322bc6b1e tag: 3.3.6-alpine@sha256:744be2dca649a44d490a4c565d36968d19482dd387f1bdd44c168f4322bc6b1e
resources: resources:
requests: requests:
cpu: 5m cpu: 10m
memory: 90Mi memory: 128Mi
metrics: metrics:
enabled: true enabled: true
serviceMonitor: serviceMonitor:
@@ -138,8 +138,8 @@ argo-cd:
replicas: 2 replicas: 2
resources: resources:
requests: requests:
cpu: 20m cpu: 10m
memory: 80Mi memory: 64Mi
metrics: metrics:
enabled: true enabled: true
serviceMonitor: serviceMonitor:
@@ -157,8 +157,8 @@ argo-cd:
replicas: 2 replicas: 2
resources: resources:
requests: requests:
cpu: 1m cpu: 10m
memory: 50Mi memory: 64Mi
readinessProbe: readinessProbe:
enabled: true enabled: true
failureThreshold: 3 failureThreshold: 3
@@ -182,7 +182,7 @@ argo-cd:
resources: resources:
requests: requests:
cpu: 10m cpu: 10m
memory: 50Mi memory: 64Mi
metrics: metrics:
enabled: true enabled: true
serviceMonitor: serviceMonitor:
@@ -205,7 +205,7 @@ argo-cd:
argocdUrl: https://argocd.alexlebens.net argocdUrl: https://argocd.alexlebens.net
secret: secret:
create: false create: false
name: argocd-notifications-ntfy name: argocd-notifications-secret
metrics: metrics:
enabled: true enabled: true
serviceMonitor: serviceMonitor:
@@ -218,8 +218,8 @@ argo-cd:
value: Bearer $ntfy-token value: Bearer $ntfy-token
resources: resources:
requests: requests:
cpu: 2m cpu: 10m
memory: 50Mi memory: 64Mi
livenessProbe: livenessProbe:
enabled: true enabled: true
readinessProbe: readinessProbe:

2
clusters/cl01tl/helm/audiobookshelf/Chart.yaml
View File

@@ -32,4 +32,4 @@ dependencies:
repository: oci://harbor.alexlebens.net/helm-charts repository: oci://harbor.alexlebens.net/helm-charts
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/audiobookshelf.png icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/audiobookshelf.png
# renovate: datasource=github-releases depName=advplyr/audiobookshelf # renovate: datasource=github-releases depName=advplyr/audiobookshelf
appVersion: 2.33.2 appVersion: 2.33.1

27
clusters/cl01tl/helm/audiobookshelf/templates/_helpers.tpl
View File

@@ -1,27 +0,0 @@
{{/*
Common labels
*/}}
{{- define "custom.labels" -}}
{{ include "custom.selectorLabels" $ }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "custom.selectorLabels" -}}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- end }}
{{/*
NFS names
*/}}
{{- define "custom.booksNfsName" -}}
audiobookshelf-books-nfs-storage
{{- end -}}
{{- define "custom.audiobooksNfsName" -}}
audiobookshelf-audiobooks-nfs-storage
{{- end -}}
{{- define "custom.podcastsNfsName" -}}
audiobookshelf-podcasts-nfs-storage
{{- end -}}

21
clusters/cl01tl/helm/audiobookshelf/templates/external-secret.yaml
View File

@@ -1,23 +1,18 @@
apiVersion: external-secrets.io/v1 apiVersion: external-secrets.io/v1
kind: ExternalSecret kind: ExternalSecret
metadata: metadata:
name: audiobookshelf-config-apprise name: audiobookshelf-apprise-config
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
labels: labels:
app.kubernetes.io/name: audiobookshelf-config-apprise app.kubernetes.io/name: audiobookshelf-apprise-config
{{- include "custom.labels" . | nindent 4 }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec: spec:
secretStoreRef: secretStoreRef:
kind: ClusterSecretStore kind: ClusterSecretStore
name: openbao name: vault
target:
template:
mergePolicy: Merge
engineVersion: v2
data: data:
ntfy-url: "{{ `{{ .endpoint }}` }}/audiobookshelf" - secretKey: ntfy-url
data:
- secretKey: endpoint
remoteRef: remoteRef:
key: /cl01tl/ntfy/users/cl01tl key: /cl01tl/audiobookshelf/apprise
property: internal-endpoint-credential property: ntfy-url

27
clusters/cl01tl/helm/audiobookshelf/templates/persistent-volume-claim.yaml
View File

@@ -1,13 +1,14 @@
apiVersion: v1 apiVersion: v1
kind: PersistentVolumeClaim kind: PersistentVolumeClaim
metadata: metadata:
name: {{ include "custom.booksNfsName" . }} name: audiobookshelf-books-nfs-storage
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
labels: labels:
app.kubernetes.io/name: {{ include "custom.booksNfsName" . }} app.kubernetes.io/name: audiobookshelf-books-nfs-storage
{{ include "custom.labels" . | nindent 4 }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec: spec:
volumeName: {{ include "custom.booksNfsName" . }} volumeName: audiobookshelf-books-nfs-storage
storageClassName: nfs-client storageClassName: nfs-client
accessModes: accessModes:
- ReadWriteMany - ReadWriteMany
@@ -19,13 +20,14 @@ spec:
apiVersion: v1 apiVersion: v1
kind: PersistentVolumeClaim kind: PersistentVolumeClaim
metadata: metadata:
name: {{ include "custom.audiobooksNfsName" . }} name: audiobookshelf-audiobooks-nfs-storage
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
labels: labels:
app.kubernetes.io/name: {{ include "custom.audiobooksNfsName" . }} app.kubernetes.io/name: audiobookshelf-audiobooks-nfs-storage
{{- include "custom.labels" . | nindent 4 }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec: spec:
volumeName: {{ include "custom.audiobooksNfsName" . }} volumeName: audiobookshelf-audiobooks-nfs-storage
storageClassName: nfs-client storageClassName: nfs-client
accessModes: accessModes:
- ReadWriteMany - ReadWriteMany
@@ -37,13 +39,14 @@ spec:
apiVersion: v1 apiVersion: v1
kind: PersistentVolumeClaim kind: PersistentVolumeClaim
metadata: metadata:
name: {{ include "custom.podcastsNfsName" . }} name: audiobookshelf-podcasts-nfs-storage
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
labels: labels:
app.kubernetes.io/name: {{ include "custom.podcastsNfsName" . }} app.kubernetes.io/name: audiobookshelf-podcasts-nfs-storage
{{- include "custom.labels" . | nindent 4 }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec: spec:
volumeName: {{ include "custom.podcastsNfsName" . }} volumeName: audiobookshelf-podcasts-nfs-storage
storageClassName: nfs-client storageClassName: nfs-client
accessModes: accessModes:
- ReadWriteMany - ReadWriteMany

21
clusters/cl01tl/helm/audiobookshelf/templates/persistent-volume.yaml
View File

@@ -1,11 +1,12 @@
apiVersion: v1 apiVersion: v1
kind: PersistentVolume kind: PersistentVolume
metadata: metadata:
name: {{ include "custom.booksNfsName" . }} name: audiobookshelf-books-nfs-storage
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
labels: labels:
app.kubernetes.io/name: {{ include "custom.booksNfsName" . }} app.kubernetes.io/name: audiobookshelf-books-nfs-storage
{{- include "custom.labels" . | nindent 4 }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec: spec:
persistentVolumeReclaimPolicy: Retain persistentVolumeReclaimPolicy: Retain
storageClassName: nfs-client storageClassName: nfs-client
@@ -25,11 +26,12 @@ spec:
apiVersion: v1 apiVersion: v1
kind: PersistentVolume kind: PersistentVolume
metadata: metadata:
name: {{ include "custom.audiobooksNfsName" . }} name: audiobookshelf-audiobooks-nfs-storage
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
labels: labels:
app.kubernetes.io/name: {{ include "custom.audiobooksNfsName" . }} app.kubernetes.io/name: audiobookshelf-audiobooks-nfs-storage
{{- include "custom.labels" . | nindent 4 }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec: spec:
persistentVolumeReclaimPolicy: Retain persistentVolumeReclaimPolicy: Retain
storageClassName: nfs-client storageClassName: nfs-client
@@ -49,11 +51,12 @@ spec:
apiVersion: v1 apiVersion: v1
kind: PersistentVolume kind: PersistentVolume
metadata: metadata:
name: {{ include "custom.podcastsNfsName" . }} name: audiobookshelf-podcasts-nfs-storage
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
labels: labels:
app.kubernetes.io/name: {{ include "custom.podcastsNfsName" . }} app.kubernetes.io/name: audiobookshelf-podcasts-nfs-storage
{{- include "custom.labels" . | nindent 4 }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec: spec:
persistentVolumeReclaimPolicy: Retain persistentVolumeReclaimPolicy: Retain
storageClassName: nfs-client storageClassName: nfs-client

10
clusters/cl01tl/helm/audiobookshelf/values.yaml
View File

@@ -12,18 +12,18 @@ audiobookshelf:
main: main:
image: image:
repository: ghcr.io/advplyr/audiobookshelf repository: ghcr.io/advplyr/audiobookshelf
tag: 2.33.2@sha256:a44ed89b3e845faa1f7d353f2cc89b2fcd8011737dd14075fa963cf9468da3a5 tag: 2.33.1@sha256:a4a5841bba093d81e5f4ad1eaedb4da3fda6dbb2528c552349da50ad1f7ae708
env: env:
- name: TZ - name: TZ
value: America/Chicago value: America/Chicago
resources: resources:
requests: requests:
cpu: 1m cpu: 10m
memory: 200Mi memory: 200Mi
apprise-api: apprise-api:
image: image:
repository: ghcr.io/caronc/apprise repository: ghcr.io/caronc/apprise
tag: v1.3.3@sha256:4bfeac268ba87b8e08e308c9aa0182fe99e9501ec464027afc333d1634e65977 tag: v1.3.2@sha256:1aafc2118b6eae5d70d17831d9a8a52adee7104fd6f2bb018e6421664699c903
env: env:
- name: TZ - name: TZ
value: America/Chicago value: America/Chicago
@@ -40,7 +40,7 @@ audiobookshelf:
- name: APPRISE_STATELESS_URLS - name: APPRISE_STATELESS_URLS
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: audiobookshelf-config-apprise name: audiobookshelf-apprise-config
key: ntfy-url key: ntfy-url
service: service:
main: main:
@@ -49,9 +49,11 @@ audiobookshelf:
http: http:
port: 80 port: 80
targetPort: 80 targetPort: 80
protocol: HTTP
apprise: apprise:
port: 8000 port: 8000
targetPort: 8000 targetPort: 8000
protocol: HTTP
serviceMonitor: serviceMonitor:
main: main:
selector: selector:

12
clusters/cl01tl/helm/authentik/Chart.lock
View File

@@ -1,15 +1,15 @@
dependencies: dependencies:
- name: authentik - name: authentik
repository: https://charts.goauthentik.io/ repository: https://charts.goauthentik.io/
version: 2026.2.2 version: 2026.2.1
- name: cloudflared - name: cloudflared
repository: oci://harbor.alexlebens.net/helm-charts repository: oci://harbor.alexlebens.net/helm-charts
version: 2.5.0 version: 2.4.0
- name: postgres-cluster - name: postgres-cluster
repository: oci://harbor.alexlebens.net/helm-charts repository: oci://harbor.alexlebens.net/helm-charts
version: 7.11.2 version: 7.10.0
- name: valkey - name: valkey
repository: oci://harbor.alexlebens.net/helm-charts repository: oci://harbor.alexlebens.net/helm-charts
version: 0.6.1 version: 0.4.0
digest: sha256:22fe4d9ec592aa74cbff5596e8d900f607bd68ea14c7df70a94b4ef76727614d digest: sha256:8c353c5dad4c3d04d518c1445497f0d1cb64261a4201ae17a2c0874454b807a7
generated: "2026-04-13T20:32:12.748342469Z" generated: "2026-03-15T20:04:35.99407071Z"

8
clusters/cl01tl/helm/authentik/Chart.yaml
View File

@@ -18,18 +18,18 @@ maintainers:
- name: alexlebens - name: alexlebens
dependencies: dependencies:
- name: authentik - name: authentik
version: 2026.2.2 version: 2026.2.1
repository: https://charts.goauthentik.io/ repository: https://charts.goauthentik.io/
- name: cloudflared - name: cloudflared
repository: oci://harbor.alexlebens.net/helm-charts repository: oci://harbor.alexlebens.net/helm-charts
version: 2.5.0 version: 2.4.0
- name: postgres-cluster - name: postgres-cluster
alias: postgres-18-cluster alias: postgres-18-cluster
version: 7.11.2 version: 7.10.0
repository: oci://harbor.alexlebens.net/helm-charts repository: oci://harbor.alexlebens.net/helm-charts
- name: valkey - name: valkey
alias: valkey alias: valkey
version: 0.6.1 version: 0.4.0
repository: oci://harbor.alexlebens.net/helm-charts repository: oci://harbor.alexlebens.net/helm-charts
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/authentik.png icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/authentik.png
# renovate: datasource=github-releases depName=goauthentik/authentik # renovate: datasource=github-releases depName=goauthentik/authentik

14
clusters/cl01tl/helm/authentik/templates/_helpers.tpl
View File

@@ -1,14 +0,0 @@
{{/*
Common labels
*/}}
{{- define "custom.labels" -}}
{{ include "custom.selectorLabels" $ }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "custom.selectorLabels" -}}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- end }}

9
clusters/cl01tl/helm/authentik/templates/external-secret.yaml
View File

@@ -1,15 +1,16 @@
apiVersion: external-secrets.io/v1 apiVersion: external-secrets.io/v1
kind: ExternalSecret kind: ExternalSecret
metadata: metadata:
name: authentik-key name: authentik-key-secret
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
labels: labels:
app.kubernetes.io/name: authentik-key app.kubernetes.io/name: authentik-key-secret
{{- include "custom.labels" . | nindent 4 }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec: spec:
secretStoreRef: secretStoreRef:
kind: ClusterSecretStore kind: ClusterSecretStore
name: openbao name: vault
data: data:
- secretKey: key - secretKey: key
remoteRef: remoteRef:

7
clusters/cl01tl/helm/authentik/templates/ingress.yaml
View File

@@ -1,12 +1,13 @@
apiVersion: networking.k8s.io/v1 apiVersion: networking.k8s.io/v1
kind: Ingress kind: Ingress
metadata: metadata:
name: {{ .Release.Name }}-tailscale name: authentik-tailscale
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
labels: labels:
app.kubernetes.io/name: {{ .Release.Name }}-tailscale app.kubernetes.io/name: authentik-tailscale
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
tailscale.com/proxy-class: no-metrics tailscale.com/proxy-class: no-metrics
{{- include "custom.labels" . | nindent 4 }}
annotations: annotations:
tailscale.com/experimental-forward-cluster-traffic-via-ingress: "true" tailscale.com/experimental-forward-cluster-traffic-via-ingress: "true"
spec: spec:

3
clusters/cl01tl/helm/authentik/templates/reference-grant.yaml
View File

@@ -5,7 +5,8 @@ metadata:
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
labels: labels:
app.kubernetes.io/name: allow-outpost-cross-namespace-access app.kubernetes.io/name: allow-outpost-cross-namespace-access
{{- include "custom.labels" . | nindent 4 }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec: spec:
from: from:
- group: gateway.networking.k8s.io - group: gateway.networking.k8s.io

12
clusters/cl01tl/helm/authentik/values.yaml
View File

@@ -4,7 +4,7 @@ authentik:
- name: AUTHENTIK_SECRET_KEY - name: AUTHENTIK_SECRET_KEY
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: authentik-key name: authentik-key-secret
key: key key: key
- name: AUTHENTIK_POSTGRESQL__HOST - name: AUTHENTIK_POSTGRESQL__HOST
valueFrom: valueFrom:
@@ -33,7 +33,7 @@ authentik:
replicas: 2 replicas: 2
resources: resources:
requests: requests:
cpu: 20m cpu: 100m
memory: 700Mi memory: 700Mi
livenessProbe: livenessProbe:
failureThreshold: 3 failureThreshold: 3
@@ -66,8 +66,8 @@ authentik:
replicas: 2 replicas: 2
resources: resources:
requests: requests:
cpu: 80m cpu: 100m
memory: 650Mi memory: 512Mi
metrics: metrics:
enabled: true enabled: true
serviceMonitor: serviceMonitor:
@@ -77,10 +77,6 @@ authentik:
enabled: true enabled: true
postgres-18-cluster: postgres-18-cluster:
mode: recovery mode: recovery
cluster:
resources:
requests:
memory: 150Mi
recovery: recovery:
method: objectStore method: objectStore
objectStore: objectStore:

24
clusters/cl01tl/helm/backrest/templates/_helpers.tpl
View File

@@ -1,24 +0,0 @@
{{/*
Common labels
*/}}
{{- define "custom.labels" -}}
{{ include "custom.selectorLabels" $ }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "custom.selectorLabels" -}}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- end }}
{{/*
NFS names
*/}}
{{- define "custom.storageNfsName" -}}
backrest-nfs-storage
{{- end -}}
{{- define "custom.shareNfsName" -}}
backrest-nfs-share
{{- end -}}

18
clusters/cl01tl/helm/backrest/templates/persistent-volume-claim.yaml
View File

@@ -1,13 +1,14 @@
apiVersion: v1 apiVersion: v1
kind: PersistentVolumeClaim kind: PersistentVolumeClaim
metadata: metadata:
name: {{ include "custom.storageNfsName" . }} name: backrest-nfs-storage
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
labels: labels:
app.kubernetes.io/name: {{ include "custom.storageNfsName" . }} app.kubernetes.io/name: backrest-nfs-storage
{{- include "custom.labels" . | nindent 4 }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec: spec:
volumeName: {{ include "custom.storageNfsName" . }} volumeName: backrest-nfs-storage
storageClassName: nfs-client storageClassName: nfs-client
accessModes: accessModes:
- ReadWriteMany - ReadWriteMany
@@ -19,13 +20,14 @@ spec:
apiVersion: v1 apiVersion: v1
kind: PersistentVolumeClaim kind: PersistentVolumeClaim
metadata: metadata:
name: {{ include "custom.shareNfsName" . }} name: backrest-nfs-share
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
labels: labels:
app.kubernetes.io/name: {{ include "custom.shareNfsName" . }} app.kubernetes.io/name: backrest-nfs-share
{{- include "custom.labels" . | nindent 4 }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec: spec:
volumeName: {{ include "custom.shareNfsName" . }} volumeName: backrest-nfs-share
storageClassName: nfs-client storageClassName: nfs-client
accessModes: accessModes:
- ReadWriteMany - ReadWriteMany

14
clusters/cl01tl/helm/backrest/templates/persistent-volume.yaml
View File

@@ -1,11 +1,12 @@
apiVersion: v1 apiVersion: v1
kind: PersistentVolume kind: PersistentVolume
metadata: metadata:
name: {{ include "custom.storageNfsName" . }} name: backrest-nfs-storage
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
labels: labels:
app.kubernetes.io/name: {{ include "custom.storageNfsName" . }} app.kubernetes.io/name: backrest-nfs-storage
{{- include "custom.labels" . | nindent 4 }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec: spec:
persistentVolumeReclaimPolicy: Retain persistentVolumeReclaimPolicy: Retain
storageClassName: nfs-client storageClassName: nfs-client
@@ -25,11 +26,12 @@ spec:
apiVersion: v1 apiVersion: v1
kind: PersistentVolume kind: PersistentVolume
metadata: metadata:
name: {{ include "custom.shareNfsName" . }} name: backrest-nfs-share
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
labels: labels:
app.kubernetes.io/name: {{ include "custom.shareNfsName" . }} app.kubernetes.io/name: backrest-nfs-share
{{- include "custom.labels" . | nindent 4 }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec: spec:
persistentVolumeReclaimPolicy: Retain persistentVolumeReclaimPolicy: Retain
storageClassName: nfs-client storageClassName: nfs-client

5
clusters/cl01tl/helm/backrest/values.yaml
View File

@@ -22,8 +22,8 @@ backrest:
value: /tmp value: /tmp
resources: resources:
requests: requests:
cpu: 1m cpu: 10m
memory: 30Mi memory: 80Mi
service: service:
main: main:
controller: main controller: main
@@ -31,6 +31,7 @@ backrest:
http: http:
port: 80 port: 80
targetPort: 9898 targetPort: 9898
protocol: TCP
serviceMonitor: serviceMonitor:
main: main:
selector: selector:

7
clusters/cl01tl/helm/bazarr/Chart.yaml
View File

@@ -5,14 +5,11 @@ description: Bazarr
keywords: keywords:
- bazarr - bazarr
- subtitles - subtitles
- servarr
home: https://docs.alexlebens.dev/applications/bazarr/ home: https://docs.alexlebens.dev/applications/bazarr/
sources: sources:
- https://github.com/morpheus65535/bazarr - https://github.com/morpheus65535/bazarr
- https://github.com/linuxserver/docker-bazarr - https://github.com/linuxserver/docker-bazarr
- https://github.com/onedr0p/exportarr
- https://github.com/linuxserver/docker-bazarr/pkgs/container/bazarr - https://github.com/linuxserver/docker-bazarr/pkgs/container/bazarr
- https://github.com/onedr0p/exportarr/pkgs/container/exportarr
- https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
- https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/volsync-target - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/volsync-target
maintainers: maintainers:
@@ -27,5 +24,5 @@ dependencies:
version: 0.8.0 version: 0.8.0
repository: oci://harbor.alexlebens.net/helm-charts repository: oci://harbor.alexlebens.net/helm-charts
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/bazarr.png icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/bazarr.png
# renovate: datasource=github-releases depName=linuxserver/docker-bazarr # renovate: datasource=github-releases depName=morpheus65535/bazarr
appVersion: v1.5.6-ls342 appVersion: 1.5.6

21
clusters/cl01tl/helm/bazarr/templates/_helpers.tpl
View File

@@ -1,21 +0,0 @@
{{/*
Common labels
*/}}
{{- define "custom.labels" -}}
{{ include "custom.selectorLabels" $ }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "custom.selectorLabels" -}}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- end }}
{{/*
NFS names
*/}}
{{- define "custom.storageNfsName" -}}
bazarr-nfs-storage
{{- end -}}

17
clusters/cl01tl/helm/bazarr/templates/external-secret.yaml
View File

@@ -1,17 +0,0 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: bazarr-key
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: bazarr-key
{{- include "custom.labels" . | nindent 4 }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: openbao
data:
- secretKey: key
remoteRef:
key: /cl01tl/bazarr/key
property: key

9
clusters/cl01tl/helm/bazarr/templates/persistent-volume-claim.yaml
View File

@@ -1,13 +1,14 @@
apiVersion: v1 apiVersion: v1
kind: PersistentVolumeClaim kind: PersistentVolumeClaim
metadata: metadata:
name: {{ include "custom.storageNfsName" . }} name: bazarr-nfs-storage
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
labels: labels:
app.kubernetes.io/name: {{ include "custom.storageNfsName" . }} app.kubernetes.io/name: bazarr-nfs-storage
{{- include "custom.labels" . | nindent 4 }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec: spec:
volumeName: {{ include "custom.storageNfsName" . }} volumeName: bazarr-nfs-storage
storageClassName: nfs-client storageClassName: nfs-client
accessModes: accessModes:
- ReadWriteMany - ReadWriteMany

7
clusters/cl01tl/helm/bazarr/templates/persistent-volume.yaml
View File

@@ -1,11 +1,12 @@
apiVersion: v1 apiVersion: v1
kind: PersistentVolume kind: PersistentVolume
metadata: metadata:
name: {{ include "custom.storageNfsName" . }} name: bazarr-nfs-storage
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
labels: labels:
app.kubernetes.io/name: {{ include "custom.storageNfsName" . }} app.kubernetes.io/name: bazarr-nfs-storage
{{- include "custom.labels" . | nindent 4 }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec: spec:
persistentVolumeReclaimPolicy: Retain persistentVolumeReclaimPolicy: Retain
storageClassName: nfs-client storageClassName: nfs-client

39
clusters/cl01tl/helm/bazarr/values.yaml
View File

@@ -14,7 +14,7 @@ bazarr:
main: main:
image: image:
repository: ghcr.io/linuxserver/bazarr repository: ghcr.io/linuxserver/bazarr
tag: v1.5.6-ls342@sha256:9a631194c0dee21c85b5bff59e23610e1ae2f54594e922973949d271102e585e tag: 1.5.6@sha256:05f9d5b24884f37120453dc1a008a47be244eebec32099ae1bd29032e75b67aa
env: env:
- name: TZ - name: TZ
value: America/Chicago value: America/Chicago
@@ -25,26 +25,7 @@ bazarr:
resources: resources:
requests: requests:
cpu: 10m cpu: 10m
memory: 250Mi memory: 256Mi
metrics:
image:
repository: ghcr.io/onedr0p/exportarr
tag: v2.3.0@sha256:af535d94061cf97a52e1661945ffba78c03f9443eae7c0da1a80a5a4be56b520
args: ["bazarr"]
env:
- name: URL
value: http://localhost:6767
- name: PORT
value: 9792
- name: APIKEY
valueFrom:
secretKeyRef:
name: bazarr-key
key: key
- name: ENABLE_ADDITIONAL_METRICS
value: false
- name: ENABLE_UNKNOWN_QUEUE_ITEMS
value: false
service: service:
main: main:
controller: main controller: main
@@ -52,21 +33,7 @@ bazarr:
http: http:
port: 80 port: 80
targetPort: 6767 targetPort: 6767
metrics: protocol: HTTP
port: 9792
targetPort: 9792
serviceMonitor:
main:
selector:
matchLabels:
app.kubernetes.io/name: bazarr
app.kubernetes.io/instance: bazarr
serviceName: '{{ include "bjw-s.common.lib.chart.names.fullname" $ }}'
endpoints:
- port: metrics
interval: 3m
scrapeTimeout: 1m
path: /metrics
route: route:
main: main:
kind: HTTPRoute kind: HTTPRoute

6
clusters/cl01tl/helm/blocky/Chart.lock
View File

@@ -4,6 +4,6 @@ dependencies:
version: 4.6.2 version: 4.6.2
- name: valkey - name: valkey
repository: oci://harbor.alexlebens.net/helm-charts repository: oci://harbor.alexlebens.net/helm-charts
version: 0.6.1 version: 0.4.0
digest: sha256:6ed3a7587906fbda581d0091ff2c29a1816b8b0b8ae40add9885e6a68b2b82ae digest: sha256:a5b0099261d772b24a302a106d106cfa82ac07fa14564141e00cf107d708e859
generated: "2026-04-13T20:32:34.844998902Z" generated: "2026-03-09T23:06:16.853255429Z"

2
clusters/cl01tl/helm/blocky/Chart.yaml
View File

@@ -20,7 +20,7 @@ dependencies:
version: 4.6.2 version: 4.6.2
- name: valkey - name: valkey
alias: valkey alias: valkey
version: 0.6.1 version: 0.4.0
repository: oci://harbor.alexlebens.net/helm-charts repository: oci://harbor.alexlebens.net/helm-charts
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/blocky.png icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/blocky.png
# renovate: datasource=github-releases depName=0xerr0r/blocky # renovate: datasource=github-releases depName=0xerr0r/blocky

12
clusters/cl01tl/helm/blocky/values.yaml
View File

@@ -15,7 +15,7 @@ blocky:
resources: resources:
requests: requests:
cpu: 10m cpu: 10m
memory: 100Mi memory: 90Mi
configMaps: configMaps:
config: config:
enabled: true enabled: true
@@ -102,13 +102,14 @@ blocky:
;; Application Names ;; Application Names
actual IN CNAME traefik-cl01tl actual IN CNAME traefik-cl01tl
alertmanager IN CNAME traefik-cl01tl alertmanager IN CNAME traefik-cl01tl
argo-workflows IN CNAME traefik-cl01tl
argocd IN CNAME traefik-cl01tl argocd IN CNAME traefik-cl01tl
audiobookshelf IN CNAME traefik-cl01tl audiobookshelf IN CNAME traefik-cl01tl
authentik IN CNAME traefik-cl01tl authentik IN CNAME traefik-cl01tl
backrest IN CNAME traefik-cl01tl backrest IN CNAME traefik-cl01tl
bao IN CNAME traefik-cl01tl
bazarr IN CNAME traefik-cl01tl bazarr IN CNAME traefik-cl01tl
ceph IN CNAME traefik-cl01tl ceph IN CNAME traefik-cl01tl
code-server IN CNAME traefik-cl01tl
dawarich IN CNAME traefik-cl01tl dawarich IN CNAME traefik-cl01tl
directus IN CNAME traefik-cl01tl directus IN CNAME traefik-cl01tl
excalidraw IN CNAME traefik-cl01tl excalidraw IN CNAME traefik-cl01tl
@@ -136,16 +137,16 @@ blocky:
lidarr IN CNAME traefik-cl01tl lidarr IN CNAME traefik-cl01tl
mail IN CNAME traefik-cl01tl mail IN CNAME traefik-cl01tl
medialyze IN CNAME traefik-cl01tl medialyze IN CNAME traefik-cl01tl
movie-roulette IN CNAME traefik-cl01tl
music-grabber IN CNAME traefik-cl01tl music-grabber IN CNAME traefik-cl01tl
navidrome IN CNAME traefik-cl01tl navidrome IN CNAME traefik-cl01tl
ntfy IN CNAME traefik-cl01tl ntfy IN CNAME traefik-cl01tl
objects IN CNAME traefik-cl01tl objects IN CNAME traefik-cl01tl
ollama IN CNAME traefik-cl01tl ollama IN CNAME traefik-cl01tl
omni-tools IN CNAME traefik-cl01tl omni-tools IN CNAME traefik-cl01tl
paperless-ngx IN CNAME traefik-cl01tl photoview IN CNAME traefik-cl01tl
plex IN CNAME traefik-cl01tl plex IN CNAME traefik-cl01tl
postiz-spotlight IN CNAME traefik-cl01tl postiz IN CNAME traefik-cl01tl
postiz-temporal IN CNAME traefik-cl01tl
prometheus IN CNAME traefik-cl01tl prometheus IN CNAME traefik-cl01tl
prowlarr IN CNAME traefik-cl01tl prowlarr IN CNAME traefik-cl01tl
qbittorrent IN CNAME traefik-cl01tl qbittorrent IN CNAME traefik-cl01tl
@@ -161,7 +162,6 @@ blocky:
sonarr IN CNAME traefik-cl01tl sonarr IN CNAME traefik-cl01tl
sonarr-4k IN CNAME traefik-cl01tl sonarr-4k IN CNAME traefik-cl01tl
sonarr-anime IN CNAME traefik-cl01tl sonarr-anime IN CNAME traefik-cl01tl
sparkyfitness IN CNAME traefik-cl01tl
stalwart IN CNAME traefik-cl01tl stalwart IN CNAME traefik-cl01tl
tdarr IN CNAME traefik-cl01tl tdarr IN CNAME traefik-cl01tl
tubearchivist IN CNAME traefik-cl01tl tubearchivist IN CNAME traefik-cl01tl

6
clusters/cl01tl/helm/cert-manager/Chart.lock
View File

@@ -1,6 +1,6 @@
dependencies: dependencies:
- name: cert-manager - name: cert-manager
repository: https://charts.jetstack.io repository: https://charts.jetstack.io
version: v1.20.2 version: v1.20.0
digest: sha256:f218239b4538c64d57e098a56c69dcbc4e076ffcc3d320c5a5fef1e6309e38cf digest: sha256:1543bd17649cb32982de3cce017fcbed1b44c41d50b76c6471b266f33e261c29
generated: "2026-04-13T23:02:59.380767677Z" generated: "2026-03-10T16:06:49.332999536Z"

9
clusters/cl01tl/helm/cert-manager/Chart.yaml
View File

@@ -5,7 +5,8 @@ description: Cert Manager
keywords: keywords:
- cert-manager - cert-manager
- certificates - certificates
home: https://docs.alexlebens.dev/applications/cert-manager/ - kubernetes
home: https://wiki.alexlebens.dev/s/368fe718-eedb-40e0-a5a7-fad03cdc6b09
sources: sources:
- https://github.com/cert-manager/cert-manager - https://github.com/cert-manager/cert-manager
- https://github.com/cert-manager/cert-manager/tree/master/deploy/charts/cert-manager - https://github.com/cert-manager/cert-manager/tree/master/deploy/charts/cert-manager
@@ -13,8 +14,8 @@ maintainers:
- name: alexlebens - name: alexlebens
dependencies: dependencies:
- name: cert-manager - name: cert-manager
version: v1.20.2 version: v1.20.0
repository: https://charts.jetstack.io repository: https://charts.jetstack.io
icon: https://raw.githubusercontent.com/cert-manager/cert-manager/refs/heads/master/logo/logo.png icon: https://raw.githubusercontent.com/walkxcode/dashboard-icons/main/png/cert-manager.png
# renovate: datasource=github-releases depName=cert-manager/cert-manager # renovate: datasource=github-releases depName=cert-manager/cert-manager
appVersion: v1.20.2 appVersion: v1.20.0

24
clusters/cl01tl/helm/cert-manager/templates/_helpers.tpl
View File

@@ -1,24 +0,0 @@
{{/*
Common labels
*/}}
{{- define "custom.labels" -}}
{{ include "custom.selectorLabels" $ }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "custom.selectorLabels" -}}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- end }}
{{/*
NFS names
*/}}
{{- define "custom.cloudflareSecretName" -}}
cert-manager-cloudflare-api-token
{{- end -}}
{{- define "custom.cloudflareSecretKey" -}}
api-token
{{- end -}}

8
clusters/cl01tl/helm/cert-manager/templates/cluster-issuer.yaml
View File

@@ -2,10 +2,6 @@ apiVersion: cert-manager.io/v1
kind: ClusterIssuer kind: ClusterIssuer
metadata: metadata:
name: letsencrypt-issuer name: letsencrypt-issuer
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: letsencrypt-issuer
{{- include "custom.labels" . | nindent 4 }}
spec: spec:
acme: acme:
email: alexanderlebens@gmail.com email: alexanderlebens@gmail.com
@@ -21,5 +17,5 @@ spec:
cloudflare: cloudflare:
email: alexanderlebens@gmail.com email: alexanderlebens@gmail.com
apiTokenSecretRef: apiTokenSecretRef:
name: {{ include "custom.cloudflareSecretName" . }} name: cloudflare-api-token
key: {{ include "custom.cloudflareSecretKey" . }} key: api-token

16
clusters/cl01tl/helm/cert-manager/templates/external-secret.yaml
View File

@@ -1,17 +1,21 @@
apiVersion: external-secrets.io/v1 apiVersion: external-secrets.io/v1
kind: ExternalSecret kind: ExternalSecret
metadata: metadata:
name: {{ include "custom.cloudflareSecretName" . }} name: cloudflare-api-token
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
labels: labels:
app.kubernetes.io/name: {{ include "custom.cloudflareSecretName" . }} app.kubernetes.io/name: cloudflare-api-token
{{- include "custom.labels" . | nindent 4 }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec: spec:
secretStoreRef: secretStoreRef:
kind: ClusterSecretStore kind: ClusterSecretStore
name: openbao name: vault
data: data:
- secretKey: {{ include "custom.cloudflareSecretKey" . }} - secretKey: api-token
remoteRef: remoteRef:
key: /cloudflare/alexlebens.net/cl01tl-issuer-certificate conversionStrategy: Default
decodingStrategy: None
key: /cloudflare/alexlebens.net/clusterissuer
metadataPolicy: None
property: token property: token

8
clusters/cl01tl/helm/cert-manager/values.yaml
View File

@@ -3,16 +3,10 @@ cert-manager:
enabled: true enabled: true
keep: true keep: true
replicaCount: 2 replicaCount: 2
podDisruptionBudget:
enabled: true
minAvailable: 1
extraArgs: extraArgs:
- --enable-gateway-api - --enable-gateway-api
resources:
requests:
cpu: 10m
memory: 64Mi
prometheus: prometheus:
enabled: true
servicemonitor: servicemonitor:
enabled: true enabled: true
honorLabels: true honorLabels: true

9
clusters/cl01tl/helm/cilium/Chart.yaml
View File

@@ -4,12 +4,13 @@ version: 1.0.0
description: Cilium description: Cilium
keywords: keywords:
- cilium - cilium
- operator - cni
- network - network
home: https://docs.alexlebens.dev/applications/cilium/ - kubernetes
home: https://wiki.alexlebens.dev/s/9e6f5b17-e186-4af0-81cd-af647b162d3d
sources: sources:
- https://github.com/cilium/cilium - https://github.com/cilium/cilium
- https://github.com/cilium/cilium/tree/main/install/kubernetes/cilium - https://github.com/cilium/charts
maintainers: maintainers:
- name: alexlebens - name: alexlebens
dependencies: dependencies:
@@ -18,4 +19,4 @@ dependencies:
repository: https://helm.cilium.io/ repository: https://helm.cilium.io/
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/cilium.png icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/cilium.png
# renovate: datasource=github-releases depName=cilium/cilium # renovate: datasource=github-releases depName=cilium/cilium
appVersion: 1.18.6 appVersion: 1.19.2

14
clusters/cl01tl/helm/cilium/templates/_helpers.tpl
View File

@@ -1,14 +0,0 @@
{{/*
Common labels
*/}}
{{- define "custom.labels" -}}
{{ include "custom.selectorLabels" $ }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "custom.selectorLabels" -}}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- end }}

19
clusters/cl01tl/helm/cilium/templates/cilium-bgp-advertisement.yaml Normal file
View File

@@ -0,0 +1,19 @@
# apiVersion: cilium.io/v2
# kind: CiliumBGPAdvertisement
# metadata:
# name: cilium-bgp-advertisements
# namespace: {{ .Release.Namespace }}
# labels:
# app.kubernetes.io/name: cilium-bgp-advertisements
# app.kubernetes.io/instance: {{ .Release.Name }}
# app.kubernetes.io/part-of: {{ .Release.Name }}
# spec:
# advertisements:
# - advertisementType: "Service"
# service:
# addresses:
# - ExternalIP
# - LoadBalancerIP
# selector:
# matchExpressions:
# - {key: somekey, operator: NotIn, values: ['never-used-value']}

22
clusters/cl01tl/helm/cilium/templates/cilium-bgp-cluster-config.yaml Normal file
View File

@@ -0,0 +1,22 @@
# apiVersion: cilium.io/v2
# kind: CiliumBGPClusterConfig
# metadata:
# name: cilium-bgp
# namespace: {{ .Release.Namespace }}
# labels:
# app.kubernetes.io/name: cilium-bgp
# app.kubernetes.io/instance: {{ .Release.Name }}
# app.kubernetes.io/part-of: {{ .Release.Name }}
# spec:
# nodeSelector:
# matchLabels:
# node-role.kubernetes.io/bgp: "65020"
# bgpInstances:
# - name: "65020"
# localASN: 65020
# peers:
# - name: "udm-65000"
# peerASN: 65000
# peerAddress: 192.168.1.1
# peerConfigRef:
# name: "cilium-peer"

23
clusters/cl01tl/helm/cilium/templates/cilium-bgp-peer-config.yaml Normal file
View File

@@ -0,0 +1,23 @@
# apiVersion: cilium.io/v2
# kind: CiliumBGPPeerConfig
# metadata:
# name: cilium-peer
# namespace: {{ .Release.Namespace }}
# labels:
# app.kubernetes.io/name: cilium-peer
# app.kubernetes.io/instance: {{ .Release.Name }}
# app.kubernetes.io/part-of: {{ .Release.Name }}
# spec:
# timers:
# holdTimeSeconds: 9
# keepAliveTimeSeconds: 3
# ebgpMultihop: 4
# gracefulRestart:
# enabled: true
# restartTimeSeconds: 15
# families:
# - afi: ipv4
# safi: unicast
# advertisements:
# matchLabels:
# app.kubernetes.io/name: cilium-bgp-advertisements

6
clusters/cl01tl/helm/cilium/templates/cilium-load-balancer-ip-pool.yaml
View File

@@ -5,7 +5,8 @@ metadata:
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
labels: labels:
app.kubernetes.io/name: default-ip-pool app.kubernetes.io/name: default-ip-pool
{{- include "custom.labels" . | nindent 4 }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec: spec:
blocks: blocks:
- start: "10.232.1.21" - start: "10.232.1.21"
@@ -19,7 +20,8 @@ metadata:
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
labels: labels:
app.kubernetes.io/name: bgp-ip-pool app.kubernetes.io/name: bgp-ip-pool
{{- include "custom.labels" . | nindent 4 }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec: spec:
blocks: blocks:
- start: "10.232.2.100" - start: "10.232.2.100"

45
clusters/cl01tl/helm/cilium/templates/gateway.yaml Normal file
View File

@@ -0,0 +1,45 @@
# apiVersion: gateway.networking.k8s.io/v1
# kind: Gateway
# metadata:
# name: cilium-tls-gateway
# namespace: {{ .Release.Namespace }}
# labels:
# app.kubernetes.io/name: cilium-tls-gateway
# app.kubernetes.io/instance: {{ .Release.Name }}
# app.kubernetes.io/part-of: {{ .Release.Name }}
# annotations:
# cert-manager.io/cluster-issuer: letsencrypt-issuer
# spec:
# addresses:
# - type: IPAddress
# value: 10.232.1.23
# gatewayClassName: cilium
# listeners:
# - allowedRoutes:
# namespaces:
# from: All
# hostname: '*.alexlebens.net'
# name: https
# port: 443
# protocol: HTTPS
# tls:
# certificateRefs:
# - group: ''
# kind: Secret
# name: https-gateway-cert
# namespace: kube-system
# mode: Terminate
# - allowedRoutes:
# namespaces:
# from: All
# hostname: 'alexlebens.net'
# name: https-domain
# port: 443
# protocol: HTTPS
# tls:
# certificateRefs:
# - group: ''
# kind: Secret
# name: https-gateway-cert
# namespace: kube-system
# mode: Terminate

3
clusters/cl01tl/helm/cilium/templates/http-route.yaml
View File

@@ -5,7 +5,8 @@ metadata:
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
labels: labels:
app.kubernetes.io/name: hubble app.kubernetes.io/name: hubble
{{- include "custom.labels" . | nindent 4 }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec: spec:
parentRefs: parentRefs:
- group: gateway.networking.k8s.io - group: gateway.networking.k8s.io

28
clusters/cl01tl/helm/cilium/values.yaml
View File

@@ -25,24 +25,36 @@ cilium:
- NET_ADMIN - NET_ADMIN
- SYS_ADMIN - SYS_ADMIN
- SYS_RESOURCE - SYS_RESOURCE
l2announcements:
enabled: false
bgpControlPlane: bgpControlPlane:
enabled: false enabled: false
secretsNamespace:
name: kube-system
statusReport:
enabled: true
routerIDAllocation:
mode: "default"
bpf: bpf:
hostLegacyRouting: true hostLegacyRouting: true
devices: end0 enp6s0 devices: end0 enp6s0
ciliumEndpointSlice: ciliumEndpointSlice:
enabled: true enabled: true
ingressController:
enabled: false
gatewayAPI: gatewayAPI:
enabled: true enabled: true
enableAppProtocol: true
enableAlpn: true enableAlpn: true
secretsNamespace: enableAppProtocol: true
create: false gatewayClass:
name: kube-system create: auto
externalIPs:
enabled: true
socketLB: socketLB:
enabled: true enabled: true
hostNamespaceOnly: true hostNamespaceOnly: true
hubble: hubble:
enabled: true
metrics: metrics:
serviceMonitor: serviceMonitor:
enabled: true enabled: true
@@ -56,6 +68,8 @@ cilium:
enabled: true enabled: true
ui: ui:
enabled: true enabled: true
ingress:
enabled: false
ipam: ipam:
mode: "kubernetes" mode: "kubernetes"
ipv4: ipv4:
@@ -63,11 +77,12 @@ cilium:
ipv6: ipv6:
enabled: false enabled: false
kubeProxyReplacement: true kubeProxyReplacement: true
l7Proxy: true
prometheus: prometheus:
enabled: true enabled: true
serviceMonitor: serviceMonitor:
enabled: true
trustCRDsExist: true trustCRDsExist: true
enabled: true
envoy: envoy:
enabled: true enabled: true
securityContext: securityContext:
@@ -79,11 +94,14 @@ cilium:
- PERFMON - PERFMON
- BPF - BPF
prometheus: prometheus:
enabled: true
serviceMonitor: serviceMonitor:
enabled: true enabled: true
operator: operator:
enabled: true
rollOutPods: true rollOutPods: true
prometheus: prometheus:
enabled: true
serviceMonitor: serviceMonitor:
enabled: true enabled: true
cgroup: cgroup:

8
clusters/cl01tl/helm/cloudnative-pg/Chart.lock
View File

@@ -1,9 +1,9 @@
dependencies: dependencies:
- name: cloudnative-pg - name: cloudnative-pg
repository: https://cloudnative-pg.io/charts/ repository: https://cloudnative-pg.io/charts/
version: 0.28.0 version: 0.27.1
- name: plugin-barman-cloud - name: plugin-barman-cloud
repository: https://cloudnative-pg.io/charts/ repository: https://cloudnative-pg.io/charts/
version: 0.6.0 version: 0.5.0
digest: sha256:48241acb753e635a01b306b90cfbce13ed3c0105a33ec7d36f159e3a7fe607f3 digest: sha256:e7089ffd089cae87529e28f0e71302b9fc4a869b389cbb6628f1c559644a3a10
generated: "2026-04-14T09:03:10.332065288Z" generated: "2026-02-05T19:36:19.473447121Z"

13
clusters/cl01tl/helm/cloudnative-pg/Chart.yaml
View File

@@ -6,22 +6,21 @@ keywords:
- cloudnative-pg - cloudnative-pg
- operator - operator
- postgresql - postgresql
home: https://docs.alexlebens.dev/applications/cloudnative-pg/ - kubernetes
home: https://wiki.alexlebens.dev/s/9fb10833-0278-4e64-a34c-d348d833839f
sources: sources:
- https://github.com/cloudnative-pg/cloudnative-pg - https://github.com/cloudnative-pg/cloudnative-pg
- https://github.com/cloudnative-pg/plugin-barman-cloud
- https://github.com/cloudnative-pg/postgres-containers/pkgs/container/postgresql
- https://github.com/cloudnative-pg/charts/tree/main/charts/cloudnative-pg - https://github.com/cloudnative-pg/charts/tree/main/charts/cloudnative-pg
- https://github.com/cloudnative-pg/charts/tree/main/charts/plugin-barman-cloud - https://github.com/cloudnative-pg/charts/tree/main/charts/plugin-barman-cloud
maintainers: maintainers:
- name: alexlebens - name: alexlebens
dependencies: dependencies:
- name: cloudnative-pg - name: cloudnative-pg
version: 0.28.0 version: 0.27.1
repository: https://cloudnative-pg.io/charts/ repository: https://cloudnative-pg.io/charts/
- name: plugin-barman-cloud - name: plugin-barman-cloud
version: 0.6.0 version: 0.5.0
repository: https://cloudnative-pg.io/charts/ repository: https://cloudnative-pg.io/charts/
icon: https://raw.githubusercontent.com/cloudnative-pg/cloudnative-pg.github.io/refs/heads/main/assets/images/hero_image.png icon: https://avatars.githubusercontent.com/u/100373852?s=200&v=4
# renovate: datasource=github-releases depName=cloudnative-pg/cloudnative-pg # renovate: datasource=github-releases depName=cloudnative-pg/cloudnative-pg
appVersion: 1.29.0 appVersion: 1.28.1

16
clusters/cl01tl/helm/cloudnative-pg/values.yaml
View File

@@ -1,16 +1,16 @@
cloudnative-pg: cloudnative-pg:
replicaCount: 2 replicaCount: 2
resources:
requests:
cpu: 10m
memory: 100Mi
monitoring: monitoring:
podMonitorEnabled: true podMonitorEnabled: true
plugin-barman-cloud: plugin-barman-cloud:
replicaCount: 1 replicaCount: 1
image:
registry: ghcr.io
repository: cloudnative-pg/plugin-barman-cloud
tag: v0.11.0
sidecarImage:
registry: ghcr.io
repository: cloudnative-pg/plugin-barman-cloud-sidecar
tag: v0.11.0
crds: crds:
create: true create: true
resources:
requests:
cpu: 1m
memory: 20Mi

12
clusters/cl01tl/helm/code-server/Chart.lock Normal file
View File

@@ -0,0 +1,12 @@
dependencies:
- name: app-template
repository: https://bjw-s-labs.github.io/helm-charts/
version: 4.6.2
- name: cloudflared
repository: oci://harbor.alexlebens.net/helm-charts
version: 2.4.0
- name: volsync-target
repository: oci://harbor.alexlebens.net/helm-charts
version: 0.8.0
digest: sha256:dee0f52096efc543f4db3a5dc2732fd37ae9b7950b264e399a6e74c2f3e7cee6
generated: "2026-03-09T22:04:00.58415637Z"

32
clusters/cl01tl/helm/code-server/Chart.yaml Normal file
View File

@@ -0,0 +1,32 @@
apiVersion: v2
name: code-server
version: 1.0.0
description: Code Server
keywords:
- code-server
- code
- ide
home: https://wiki.alexlebens.dev/s/233f96bb-db70-47e4-8b22-a8efcbb0f93d
sources:
- https://github.com/coder/code-server
- https://github.com/cloudflare/cloudflared
- https://hub.docker.com/r/linuxserver/code-server
- https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
- https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/cloudflared
maintainers:
- name: alexlebens
dependencies:
- name: app-template
alias: code-server
repository: https://bjw-s-labs.github.io/helm-charts/
version: 4.6.2
- name: cloudflared
repository: oci://harbor.alexlebens.net/helm-charts
version: 2.4.0
- name: volsync-target
alias: volsync-target-config
version: 0.8.0
repository: oci://harbor.alexlebens.net/helm-charts
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/visual-studio-code.png
# renovate: datasource=github-releases depName=linuxserver/docker-code-server
appVersion: 4.108.1

28
clusters/cl01tl/helm/code-server/templates/external-secret.yaml Normal file
View File

@@ -0,0 +1,28 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: codeserver-password-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: codeserver-password-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: PASSWORD
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/code-server/auth
metadataPolicy: None
property: PASSWORD
- secretKey: SUDO_PASSWORD
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/code-server/auth
metadataPolicy: None
property: SUDO_PASSWORD

86
clusters/cl01tl/helm/code-server/values.yaml Normal file
View File

@@ -0,0 +1,86 @@
code-server:
controllers:
main:
type: deployment
replicas: 1
strategy: Recreate
revisionHistoryLimit: 3
containers:
main:
image:
repository: ghcr.io/linuxserver/code-server
tag: 4.112.0@sha256:4bb5b8ad22268001687c047f0f04933799fb03df1eb0e1e266ba15ed2d9f4e8b
pullPolicy: IfNotPresent
env:
- name: TZ
value: US/Central
- name: PUID
value: 1000
- name: PGID
value: 1000
- name: DEFAULT_WORKSPACE
value: /config
envFrom:
- secretRef:
name: codeserver-password-secret
resources:
requests:
cpu: 10m
memory: 128Mi
service:
main:
controller: main
ports:
http:
port: 8443
targetPort: 8443
protocol: HTTP
route:
main:
kind: HTTPRoute
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: traefik-gateway
namespace: traefik
hostnames:
- code-server.alexlebens.net
rules:
- backendRefs:
- group: ''
kind: Service
name: code-server
port: 8443
weight: 100
matches:
- path:
type: PathPrefix
value: /
persistence:
config:
forceRename: code-server-config
storageClass: ceph-block
accessMode: ReadWriteOnce
size: 2Gi
retain: true
advancedMounts:
main:
main:
- path: /config
readOnly: false
volsync-target-config:
pvcTarget: code-server-config
moverSecurityContext:
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch
local:
enabled: true
schedule: 16 8 * * *
remote:
enabled: true
schedule: 16 9 * * *
external:
enabled: true
schedule: 16 10 * * *

6
clusters/cl01tl/helm/coredns/Chart.yaml
View File

@@ -5,7 +5,9 @@ description: CoreDNS
keywords: keywords:
- coredns - coredns
- dns - dns
home: https://docs.alexlebens.dev/applications/coredns/ - network
- kubernetes
home: https://wiki.alexlebens.dev/s/
sources: sources:
- https://github.com/coredns/coredns - https://github.com/coredns/coredns
- https://github.com/coredns/helm - https://github.com/coredns/helm
@@ -15,6 +17,6 @@ dependencies:
- name: coredns - name: coredns
version: 1.45.2 version: 1.45.2
repository: https://coredns.github.io/helm repository: https://coredns.github.io/helm
icon: https://raw.githubusercontent.com/coredns/coredns.io/refs/heads/master/static/images/favicon.png icon: https://raw.githubusercontent.com/walkxcode/dashboard-icons/main/png/coredns.png
# renovate: datasource=github-releases depName=coredns/coredns # renovate: datasource=github-releases depName=coredns/coredns
appVersion: v1.14.2 appVersion: v1.14.2

34
clusters/cl01tl/helm/coredns/values.yaml
View File

@@ -1,18 +1,23 @@
coredns: coredns:
image: image:
repository: registry.k8s.io/coredns/coredns repository: registry.k8s.io/coredns/coredns
tag: v1.14.2@sha256:e7e6440cfd1e919280958f5b5a6ab2b184d385bba774c12ad2a9e1e4183f90d9 tag: v1.14.2
replicaCount: 3 replicaCount: 3
resources: resources:
limits:
cpu: null
memory: null
requests: requests:
cpu: 30m cpu: 50m
memory: 30Mi memory: 128Mi
rollingUpdate:
maxUnavailable: 1
maxSurge: 25%
terminationGracePeriodSeconds: 30
serviceType: "ClusterIP"
prometheus: prometheus:
service: service:
enabled: true enabled: true
annotations:
prometheus.io/scrape: "true"
prometheus.io/port: "9153"
monitor: monitor:
enabled: true enabled: true
namespace: kube-system namespace: kube-system
@@ -24,7 +29,18 @@ coredns:
serviceAccount: serviceAccount:
create: true create: true
name: coredns name: coredns
rbac:
create: true
isClusterService: true
priorityClassName: system-cluster-critical priorityClassName: system-cluster-critical
securityContext:
capabilities:
add:
- NET_BIND_SERVICE
drop:
- ALL
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
servers: servers:
- zones: - zones:
- zone: . - zone: .
@@ -61,8 +77,6 @@ coredns:
- name: errors - name: errors
- name: cache - name: cache
parameters: 30 parameters: 30
- name: prometheus
parameters: :9153
- name: forward - name: forward
parameters: . 10.111.232.172 parameters: . 10.111.232.172
- zones: - zones:
@@ -74,8 +88,6 @@ coredns:
- name: errors - name: errors
- name: cache - name: cache
parameters: 30 parameters: 30
- name: prometheus
parameters: :9153
- name: forward - name: forward
parameters: . 10.97.20.219 parameters: . 10.97.20.219
nodeSelector: nodeSelector:
@@ -88,4 +100,6 @@ coredns:
operator: Exists operator: Exists
effect: NoSchedule effect: NoSchedule
deployment: deployment:
skipConfig: false
enabled: true
name: coredns name: coredns

17
clusters/cl01tl/helm/dawarich/Chart.lock
View File

@@ -4,18 +4,9 @@ dependencies:
version: 4.6.2 version: 4.6.2
- name: postgres-cluster - name: postgres-cluster
repository: oci://harbor.alexlebens.net/helm-charts repository: oci://harbor.alexlebens.net/helm-charts
version: 7.11.2 version: 7.10.0
- name: valkey - name: valkey
repository: oci://harbor.alexlebens.net/helm-charts repository: oci://harbor.alexlebens.net/helm-charts
version: 0.6.1 version: 0.4.0
- name: volsync-target digest: sha256:7584c2a1613454bbd83b66df46170fd0157df5186842844d483e2dd131398574
repository: oci://harbor.alexlebens.net/helm-charts generated: "2026-03-15T20:04:49.68456485Z"
version: 0.8.0
- name: volsync-target
repository: oci://harbor.alexlebens.net/helm-charts
version: 0.8.0
- name: volsync-target
repository: oci://harbor.alexlebens.net/helm-charts
version: 0.8.0
digest: sha256:6ece439d5549b7d7ccd75053846bb9b2e8f9798a2e2163eac6f62bf5cf222587
generated: "2026-04-13T20:32:54.380897459Z"

24
clusters/cl01tl/helm/dawarich/Chart.yaml
View File

@@ -5,14 +5,10 @@ description: Dawarich
keywords: keywords:
- dawarich - dawarich
- location - location
home: https://docs.alexlebens.dev/applications/dawarich/ home: https://wiki.alexlebens.dev/s/
sources: sources:
- https://github.com/Freika/dawarich - https://github.com/Freika/dawarich
- https://hub.docker.com/r/freikin/dawarich
- https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
- https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/postgres-cluster
- https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/valkey
- https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/volsync-target
maintainers: maintainers:
- name: alexlebens - name: alexlebens
dependencies: dependencies:
@@ -22,24 +18,12 @@ dependencies:
version: 4.6.2 version: 4.6.2
- name: postgres-cluster - name: postgres-cluster
alias: postgres-18-cluster alias: postgres-18-cluster
version: 7.11.2 version: 7.10.0
repository: oci://harbor.alexlebens.net/helm-charts repository: oci://harbor.alexlebens.net/helm-charts
- name: valkey - name: valkey
alias: valkey alias: valkey
version: 0.6.1 version: 0.4.0
repository: oci://harbor.alexlebens.net/helm-charts
- name: volsync-target
alias: volsync-target-storage
version: 0.8.0
repository: oci://harbor.alexlebens.net/helm-charts
- name: volsync-target
alias: volsync-target-public
version: 0.8.0
repository: oci://harbor.alexlebens.net/helm-charts
- name: volsync-target
alias: volsync-target-watched
version: 0.8.0
repository: oci://harbor.alexlebens.net/helm-charts repository: oci://harbor.alexlebens.net/helm-charts
icon: https://cdn.jsdelivr.net/gh/selfhst/icons@main/png/dawarich.png icon: https://cdn.jsdelivr.net/gh/selfhst/icons@main/png/dawarich.png
# renovate: datasource=github-releases depName=Freika/dawarich # renovate: datasource=github-releases depName=Freika/dawarich
appVersion: 1.6.1 appVersion: 1.4.0

14
clusters/cl01tl/helm/dawarich/templates/_helpers.tpl
View File

@@ -1,14 +0,0 @@
{{/*
Common labels
*/}}
{{- define "custom.labels" -}}
{{ include "custom.selectorLabels" $ }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "custom.selectorLabels" -}}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
{{- end }}

31
clusters/cl01tl/helm/dawarich/templates/external-secret.yaml
View File

@@ -1,40 +1,51 @@
apiVersion: external-secrets.io/v1 apiVersion: external-secrets.io/v1
kind: ExternalSecret kind: ExternalSecret
metadata: metadata:
name: dawarich-key name: dawarich-key-secret
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
labels: labels:
app.kubernetes.io/name: dawarich-key app.kubernetes.io/name: dawarich-key-secret
{{- include "custom.labels" . | nindent 4 }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec: spec:
secretStoreRef: secretStoreRef:
kind: ClusterSecretStore kind: ClusterSecretStore
name: openbao name: vault
data: data:
- secretKey: key - secretKey: key
remoteRef: remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/dawarich/key key: /cl01tl/dawarich/key
metadataPolicy: None
property: key property: key
--- ---
apiVersion: external-secrets.io/v1 apiVersion: external-secrets.io/v1
kind: ExternalSecret kind: ExternalSecret
metadata: metadata:
name: dawarich-oidc-authentik name: dawarich-oidc-secret
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
labels: labels:
app.kubernetes.io/name: dawarich-oidc-authentik app.kubernetes.io/name: dawarich-oidc-secret
{{- include "custom.labels" . | nindent 4 }} app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec: spec:
secretStoreRef: secretStoreRef:
kind: ClusterSecretStore kind: ClusterSecretStore
name: openbao name: vault
data: data:
- secretKey: client - secretKey: client
remoteRef: remoteRef:
key: /cl01tl/authentik/oidc/dawarich conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/dawarich
metadataPolicy: None
property: client property: client
- secretKey: secret - secretKey: secret
remoteRef: remoteRef:
key: /cl01tl/authentik/oidc/dawarich conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/dawarich
metadataPolicy: None
property: secret property: secret

116
clusters/cl01tl/helm/dawarich/values.yaml
View File

@@ -4,20 +4,15 @@ dawarich:
type: deployment type: deployment
replicas: 1 replicas: 1
strategy: Recreate strategy: Recreate
revisionHistoryLimit: 3
containers: containers:
main: main:
image: image:
repository: freikin/dawarich repository: freikin/dawarich
tag: 1.6.1@sha256:a884f69f19ce0f66992f3872d24544d1e587e133b8a003e072711aafc1e02429 tag: 1.4.0
command: pullPolicy: IfNotPresent
- "web-entrypoint.sh" command: ["web-entrypoint.sh"]
args: args: ["bin/rails", "server", "-p", "3000", "-b", "::"]
- "bin/rails"
- "server"
- "-p"
- "3000"
- "-b"
- "::"
env: env:
- name: RAILS_ENV - name: RAILS_ENV
value: production value: production
@@ -61,12 +56,12 @@ dawarich:
- name: OIDC_CLIENT_ID - name: OIDC_CLIENT_ID
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: dawarich-oidc-authentik name: dawarich-oidc-secret
key: client key: client
- name: OIDC_CLIENT_SECRET - name: OIDC_CLIENT_SECRET
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: dawarich-oidc-authentik name: dawarich-oidc-secret
key: secret key: secret
- name: OIDC_PROVIDER_NAME - name: OIDC_PROVIDER_NAME
value: Authentik value: Authentik
@@ -81,7 +76,7 @@ dawarich:
- name: SECRET_KEY_BASE - name: SECRET_KEY_BASE
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: dawarich-key name: dawarich-key-secret
key: key key: key
- name: RAILS_LOG_TO_STDOUT - name: RAILS_LOG_TO_STDOUT
value: true value: true
@@ -91,14 +86,14 @@ dawarich:
value: true value: true
probes: probes:
liveness: liveness:
enabled: true enabled: false
custom: true custom: true
spec: spec:
exec: exec:
command: command:
- /bin/sh - /bin/sh
- -c - -c
- "wget -qO - http://127.0.0.1:3000/api/v1/health | grep -q '\"status\"\\s*:\\s*\"ok\"'" - wget -qO - http://127.0.0.1:3000/api/v1/health | grep -Eq '\"status\"\\s*:\\s*\"ok\"'
failureThreshold: 5 failureThreshold: 5
initialDelaySeconds: 60 initialDelaySeconds: 60
periodSeconds: 10 periodSeconds: 10
@@ -106,16 +101,15 @@ dawarich:
timeoutSeconds: 10 timeoutSeconds: 10
resources: resources:
requests: requests:
cpu: 20m cpu: 10m
memory: 750Mi memory: 128Mi
sidekiq: sidekiq:
image: image:
repository: freikin/dawarich repository: freikin/dawarich
tag: 1.6.1@sha256:a884f69f19ce0f66992f3872d24544d1e587e133b8a003e072711aafc1e02429 tag: 1.4.0
command: pullPolicy: IfNotPresent
- "sidekiq-entrypoint.sh" command: ["sidekiq-entrypoint.sh"]
args: args: ["sidekiq"]
- "sidekiq"
env: env:
- name: RAILS_ENV - name: RAILS_ENV
value: production value: production
@@ -191,19 +185,23 @@ dawarich:
value: true value: true
probes: probes:
liveness: liveness:
enabled: true enabled: false
custom: true custom: true
spec: spec:
exec: exec:
command: command:
- pgrep - /bin/sh
- -f - -c
- sidekiq - pgrep -f sidekiq
failureThreshold: 5 failureThreshold: 5
initialDelaySeconds: 60 initialDelaySeconds: 60
periodSeconds: 10 periodSeconds: 10
successThreshold: 1 successThreshold: 1
timeoutSeconds: 10 timeoutSeconds: 10
resources:
requests:
cpu: 10m
memory: 128Mi
service: service:
main: main:
controller: main controller: main
@@ -211,9 +209,11 @@ dawarich:
http: http:
port: 80 port: 80
targetPort: 3000 targetPort: 3000
protocol: TCP
metrics: metrics:
port: 9394 port: 9394
targetPort: 9394 targetPort: 9394
protocol: TCP
serviceMonitor: serviceMonitor:
main: main:
selector: selector:
@@ -238,8 +238,11 @@ dawarich:
- dawarich.alexlebens.net - dawarich.alexlebens.net
rules: rules:
- backendRefs: - backendRefs:
- name: dawarich - group: ""
kind: Service
name: dawarich
port: 80 port: 80
weight: 100
matches: matches:
- path: - path:
type: PathPrefix type: PathPrefix
@@ -250,6 +253,7 @@ dawarich:
storageClass: ceph-block storageClass: ceph-block
accessMode: ReadWriteOnce accessMode: ReadWriteOnce
size: 5Gi size: 5Gi
retain: true
advancedMounts: advancedMounts:
main: main:
main: main:
@@ -263,6 +267,7 @@ dawarich:
storageClass: ceph-block storageClass: ceph-block
accessMode: ReadWriteOnce accessMode: ReadWriteOnce
size: 5Gi size: 5Gi
retain: true
advancedMounts: advancedMounts:
main: main:
main: main:
@@ -276,6 +281,7 @@ dawarich:
storageClass: ceph-block storageClass: ceph-block
accessMode: ReadWriteOnce accessMode: ReadWriteOnce
size: 1Gi size: 1Gi
retain: true
advancedMounts: advancedMounts:
main: main:
main: main:
@@ -307,42 +313,32 @@ postgres-18-cluster:
destinationBucket: postgres-backups destinationBucket: postgres-backups
externalSecretCredentialPath: /garage/home-infra/postgres-backups externalSecretCredentialPath: /garage/home-infra/postgres-backups
isWALArchiver: true isWALArchiver: true
# - name: garage-remote
# index: 1
# destinationBucket: postgres-backups
# externalSecretCredentialPath: /garage/home-infra/postgres-backups
# retentionPolicy: "90d"
# data:
# compression: bzip2
# - name: external
# index: 1
# endpointURL: https://nyc3.digitaloceanspaces.com
# destinationBucket: postgres-backups-ce540ddf106d186bbddca68a
# externalSecretCredentialPath: /garage/home-infra/postgres-backups
# isWALArchiver: false
scheduledBackups: scheduledBackups:
- name: live-backup - name: live-backup
suspend: false suspend: false
immediate: true immediate: true
schedule: "0 10 14 * * *" schedule: "0 10 14 * * *"
backupName: garage-local backupName: garage-local
volsync-target-storage: # - name: weekly-backup
pvcTarget: dawarich-storage # suspend: true
local: # immediate: true
enabled: true # schedule: "0 0 4 * * SAT"
schedule: 6 8 * * * # backupName: garage-remote
remote: # - name: daily-backup
enabled: true # suspend: true
schedule: 6 9 * * * # immediate: true
external: # schedule: "0 0 0 * * *"
enabled: true # backupName: external
schedule: 6 10 * * *
volsync-target-public:
pvcTarget: dawarich-public
local:
enabled: true
schedule: 8 8 * * *
remote:
enabled: true
schedule: 8 9 * * *
external:
enabled: true
schedule: 8 10 * * *
volsync-target-watched:
pvcTarget: dawarich-watched
local:
enabled: true
schedule: 8 8 * * *
remote:
enabled: true
schedule: 8 9 * * *
external:
enabled: true
schedule: 8 10 * * *

3
clusters/cl01tl/helm/democratic-csi-synology-iscsi/Chart.yaml
View File

@@ -5,7 +5,8 @@ description: Democratic CSI
keywords: keywords:
- democratic-csi-synology-iscsi - democratic-csi-synology-iscsi
- iscsi - iscsi
home: https://docs.alexlebens.dev/applications/democratic-csi-synology-iscsi/ - kubernetes
home: https://wiki.alexlebens.dev/s/0cc6ba65-024b-4489-952a-fc0f647fd099
sources: sources:
- https://github.com/democratic-csi/democratic-csi - https://github.com/democratic-csi/democratic-csi
- https://github.com/democratic-csi/charts/tree/master/stable/democratic-csi - https://github.com/democratic-csi/charts/tree/master/stable/democratic-csi

3
clusters/cl01tl/helm/democratic-csi-synology-iscsi/templates/external-secret.yaml
View File

@@ -14,5 +14,8 @@ spec:
data: data:
- secretKey: driver-config-file.yaml - secretKey: driver-config-file.yaml
remoteRef: remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/democratic-csi-synology-iscsi/config key: /cl01tl/democratic-csi-synology-iscsi/config
metadataPolicy: None
property: driver-config-file.yaml property: driver-config-file.yaml

32
clusters/cl01tl/helm/democratic-csi-synology-iscsi/values.yaml
View File

@@ -1,35 +1,15 @@
democratic-csi: democratic-csi:
driver: driver:
image:
registry: ghcr.io/democratic-csi/democratic-csi
tag: v1.9.5@@sha256:fc3b7d7ed3a616714139525075312758e23a5d425ffb539ad12c9bd20fb6001f
existingConfigSecret: synology-iscsi-config-secret existingConfigSecret: synology-iscsi-config-secret
config: config:
driver: synology-iscsi driver: synology-iscsi
resources:
requests:
cpu: 1m
memory: 128Mi
csiDriver: csiDriver:
name: "org.democratic-csi.iscsi-synology" name: "org.democratic-csi.iscsi-synology"
controller: controller:
replicaCount: 3 enabled: true
externalAttacher: rbac:
image: enabled: true
registry: registry.k8s.io/sig-storage/csi-attacher replicaCount: 2
tag: v4.11.0@sha256:b74b05b39501565022883fc128002b4cb857a7bb6c858606bcb3fdedba0b0b80
externalProvisioner:
image:
registry: registry.k8s.io/sig-storage/csi-provisioner
tag: v3.6.4@sha256:e7ad666f1d9b0caa077c7f0c157c9f87d1e73858390732496f66dcc716ff10c5
externalResizer:
image:
registry: registry.k8s.io/sig-storage/csi-resizer
tag: v1.9.4@sha256:522911ef68bd2c5c17d90fb2a6d2b2fb72ae790f2c1463a466b4262a07fdbf5a
externalSnapshotter:
image:
registry: registry.k8s.io/sig-storage/csi-snapshotter
tag: v8.5.0@sha256:da081c27e8a6d91f36042c1942362d0515ced8d06e18c11b8f893e58c4d6d797
storageClasses: storageClasses:
- name: synology-iscsi-delete - name: synology-iscsi-delete
defaultClass: false defaultClass: false
@@ -55,7 +35,3 @@ democratic-csi:
value: /usr/local/sbin/iscsiadm value: /usr/local/sbin/iscsiadm
iscsiDirHostPath: /var/iscsi iscsiDirHostPath: /var/iscsi
iscsiDirHostPathType: "" iscsiDirHostPathType: ""
driverRegistrar:
image:
registry: registry.k8s.io/sig-storage/csi-node-driver-registrar
tag: v2.16.0@sha256:ab482308a4921e28a6df09a16ab99a457e9af9641ff44fb1be1a690d07ce8b70

4
clusters/cl01tl/helm/descheduler/Chart.yaml
View File

@@ -5,10 +5,10 @@ description: Descheduler
keywords: keywords:
- descheduler - descheduler
- kube-scheduler - kube-scheduler
home: https://docs.alexlebens.dev/applications/descheduler/ - kubernetes
home: https://wiki.alexlebens.dev/s/0c38b7e4-4573-487c-82b0-4eeeb00e1276
sources: sources:
- https://github.com/kubernetes-sigs/descheduler - https://github.com/kubernetes-sigs/descheduler
- https://explore.ggcr.dev/?repo=registry.k8s.io%2Fdescheduler%2Fdescheduler
- https://github.com/kubernetes-sigs/descheduler/tree/master/charts/descheduler - https://github.com/kubernetes-sigs/descheduler/tree/master/charts/descheduler
maintainers: maintainers:
- name: alexlebens - name: alexlebens

44
clusters/cl01tl/helm/descheduler/values.yaml
View File

@@ -1,25 +1,27 @@
descheduler: descheduler:
image:
repository: registry.k8s.io/descheduler/descheduler
tag: v0.35.1@sha256:871d3b804390b0b8c7cb09d4e9b7856cf30e31f9e9e3d29562b0301a10453bb1
kind: Deployment kind: Deployment
resources: resources:
limits:
cpu: null
memory: null
requests: requests:
cpu: 10m cpu: 10m
memory: 50Mi memory: 64Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
deschedulingInterval: 5m deschedulingInterval: 5m
replicas: 3 replicas: 1
leaderElection: leaderElection:
enabled: true enabled: false
leaseDuration: 15s command:
renewDeadline: 10s - "/bin/descheduler"
retryPeriod: 2s cmdOptions:
resourceLock: "leases" v: 3
resourceName: "descheduler" deschedulerPolicyAPIVersion: "descheduler/v1alpha2"
resourceNamespace: "descheduler"
deschedulerPolicy: deschedulerPolicy:
profiles: profiles:
- name: default - name: default
@@ -51,13 +53,13 @@ descheduler:
- name: LowNodeUtilization - name: LowNodeUtilization
args: args:
thresholds: thresholds:
cpu: 20 cpu: 30
memory: 20 memory: 30
pods: 20 pods: 50
targetThresholds: targetThresholds:
cpu: 50 cpu: 60
memory: 50 memory: 40
pods: 60 pods: 80
plugins: plugins:
balance: balance:
enabled: enabled:

8
clusters/cl01tl/helm/directus/Chart.lock
View File

@@ -4,9 +4,9 @@ dependencies:
version: 4.6.2 version: 4.6.2
- name: postgres-cluster - name: postgres-cluster
repository: oci://harbor.alexlebens.net/helm-charts repository: oci://harbor.alexlebens.net/helm-charts
version: 7.11.2 version: 7.10.0
- name: valkey - name: valkey
repository: oci://harbor.alexlebens.net/helm-charts repository: oci://harbor.alexlebens.net/helm-charts
version: 0.6.1 version: 0.4.0
digest: sha256:78f5065d1125792c88e4d24f5ac1ee3d6310b4997f552020c44d0615335ea329 digest: sha256:dfcb5d35e03ecdc4206227d206d36509319f0dcdaed54363840d71337debb3f7
generated: "2026-04-13T20:33:13.909018545Z" generated: "2026-03-15T20:05:03.156596646Z"

16
clusters/cl01tl/helm/directus/Chart.yaml
View File

@@ -4,14 +4,16 @@ version: 1.0.0
description: Directus description: Directus
keywords: keywords:
- directus - directus
- content-management-system - cms
home: https://docs.alexlebens.dev/applications/descheduler/ home: https://wiki.alexlebens.dev/s/c2d242de-dcaa-4801-86a2-c4761dc8bf9b
sources: sources:
- https://github.com/directus/directus - https://github.com/directus/directus
- https://github.com/directus/directus/pkgs/container/directus - https://github.com/cloudflare/cloudflared
- https://github.com/cloudnative-pg/cloudnative-pg
- https://hub.docker.com/r/directus/directus
- https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
- https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/cloudflared
- https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/postgres-cluster - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/postgres-cluster
- https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/valkey
maintainers: maintainers:
- name: alexlebens - name: alexlebens
dependencies: dependencies:
@@ -21,12 +23,12 @@ dependencies:
version: 4.6.2 version: 4.6.2
- name: postgres-cluster - name: postgres-cluster
alias: postgres-18-cluster alias: postgres-18-cluster
version: 7.11.2 version: 7.10.0
repository: oci://harbor.alexlebens.net/helm-charts repository: oci://harbor.alexlebens.net/helm-charts
- name: valkey - name: valkey
alias: valkey alias: valkey
version: 0.6.1 version: 0.4.0
repository: oci://harbor.alexlebens.net/helm-charts repository: oci://harbor.alexlebens.net/helm-charts
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/directus.png icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/directus.png
# renovate: datasource=github-releases depName=directus/directus # renovate: datasource=github-releases depName=directus/directus
appVersion: 11.17.3 appVersion: 11.16.1

39
clusters/cl01tl/helm/directus/templates/external-secret.yaml
View File

@@ -14,19 +14,31 @@ spec:
data: data:
- secretKey: admin-email - secretKey: admin-email
remoteRef: remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/directus/config key: /cl01tl/directus/config
metadataPolicy: None
property: admin-email property: admin-email
- secretKey: admin-password - secretKey: admin-password
remoteRef: remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/directus/config key: /cl01tl/directus/config
metadataPolicy: None
property: admin-password property: admin-password
- secretKey: secret - secretKey: secret
remoteRef: remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/directus/config key: /cl01tl/directus/config
metadataPolicy: None
property: secret property: secret
- secretKey: key - secretKey: key
remoteRef: remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/directus/config key: /cl01tl/directus/config
metadataPolicy: None
property: key property: key
--- ---
@@ -46,11 +58,17 @@ spec:
data: data:
- secretKey: OIDC_CLIENT_ID - secretKey: OIDC_CLIENT_ID
remoteRef: remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/directus key: /authentik/oidc/directus
metadataPolicy: None
property: client property: client
- secretKey: OIDC_CLIENT_SECRET - secretKey: OIDC_CLIENT_SECRET
remoteRef: remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/directus key: /authentik/oidc/directus
metadataPolicy: None
property: secret property: secret
--- ---
@@ -70,7 +88,10 @@ spec:
data: data:
- secretKey: metric-token - secretKey: metric-token
remoteRef: remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/directus/metrics key: /cl01tl/directus/metrics
metadataPolicy: None
property: metric-token property: metric-token
--- ---
@@ -90,15 +111,24 @@ spec:
data: data:
- secretKey: ACCESS_KEY_ID - secretKey: ACCESS_KEY_ID
remoteRef: remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /garage/home-infra/directus-assets key: /garage/home-infra/directus-assets
metadataPolicy: None
property: ACCESS_KEY_ID property: ACCESS_KEY_ID
- secretKey: ACCESS_SECRET_KEY - secretKey: ACCESS_SECRET_KEY
remoteRef: remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /garage/home-infra/directus-assets key: /garage/home-infra/directus-assets
metadataPolicy: None
property: ACCESS_SECRET_KEY property: ACCESS_SECRET_KEY
- secretKey: ACCESS_REGION - secretKey: ACCESS_REGION
remoteRef: remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /garage/home-infra/directus-assets key: /garage/home-infra/directus-assets
metadataPolicy: None
property: ACCESS_REGION property: ACCESS_REGION
--- ---
@@ -118,13 +148,22 @@ spec:
data: data:
- secretKey: default - secretKey: default
remoteRef: remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/directus/valkey key: /cl01tl/directus/valkey
metadataPolicy: None
property: password property: password
- secretKey: user - secretKey: user
remoteRef: remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/directus/valkey key: /cl01tl/directus/valkey
metadataPolicy: None
property: user property: user
- secretKey: password - secretKey: password
remoteRef: remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cl01tl/directus/valkey key: /cl01tl/directus/valkey
metadataPolicy: None
property: password property: password

39
clusters/cl01tl/helm/directus/values.yaml
View File

@@ -4,11 +4,13 @@ directus:
type: deployment type: deployment
replicas: 1 replicas: 1
strategy: Recreate strategy: Recreate
revisionHistoryLimit: 3
containers: containers:
main: main:
image: image:
repository: ghcr.io/directus/directus repository: directus/directus
tag: 11.17.3@sha256:ae6ab737fd04077d295bbefa545cc4aefccc206e3d0120c83812f9b482a8c9a5 tag: 11.16.1
pullPolicy: IfNotPresent
env: env:
- name: PUBLIC_URL - name: PUBLIC_URL
value: https://directus.alexlebens.net value: https://directus.alexlebens.net
@@ -142,7 +144,7 @@ directus:
resources: resources:
requests: requests:
cpu: 10m cpu: 10m
memory: 300Mi memory: 256Mi
service: service:
main: main:
controller: main controller: main
@@ -150,6 +152,7 @@ directus:
http: http:
port: 80 port: 80
targetPort: 8055 targetPort: 8055
protocol: TCP
serviceMonitor: serviceMonitor:
main: main:
selector: selector:
@@ -177,8 +180,11 @@ directus:
- directus.alexlebens.net - directus.alexlebens.net
rules: rules:
- backendRefs: - backendRefs:
- name: directus - group: ''
kind: Service
name: directus
port: 80 port: 80
weight: 100
matches: matches:
- path: - path:
type: PathPrefix type: PathPrefix
@@ -196,12 +202,35 @@ postgres-18-cluster:
destinationBucket: postgres-backups destinationBucket: postgres-backups
externalSecretCredentialPath: /garage/home-infra/postgres-backups externalSecretCredentialPath: /garage/home-infra/postgres-backups
isWALArchiver: true isWALArchiver: true
# - name: garage-remote
# index: 1
# destinationBucket: postgres-backups
# externalSecretCredentialPath: /garage/home-infra/postgres-backups
# retentionPolicy: "90d"
# data:
# compression: bzip2
# - name: external
# index: 1
# endpointURL: https://nyc3.digitaloceanspaces.com
# destinationBucket: postgres-backups-ce540ddf106d186bbddca68a
# externalSecretCredentialPath: /garage/home-infra/postgres-backups
# isWALArchiver: false
scheduledBackups: scheduledBackups:
- name: live-backup - name: live-backup
suspend: false suspend: false
immediate: true immediate: true
schedule: "0 15 14 * * *" schedule: "0 15 14 * * *"
backupName: garage-local backupName: garage-local
# - name: weekly-backup
# suspend: true
# immediate: true
# schedule: "0 0 4 * * SAT"
# backupName: garage-remote
# - name: daily-backup
# suspend: true
# immediate: true
# schedule: "0 0 0 * * *"
# backupName: external
valkey: valkey:
valkey: valkey:
auth: auth:
@@ -210,7 +239,5 @@ valkey:
aclUsers: aclUsers:
default: default:
permissions: "~* &* +@all" permissions: "~* &* +@all"
# No option to configure metrics when auth is enabled
# https://github.com/valkey-io/valkey-helm/issues/135
metrics: metrics:
enabled: false enabled: false

6
clusters/cl01tl/helm/elastic-operator/Chart.lock
View File

@@ -1,6 +1,6 @@
dependencies: dependencies:
- name: eck-operator - name: eck-operator
repository: https://helm.elastic.co repository: https://helm.elastic.co
version: 3.3.2 version: 3.3.1
digest: sha256:ac7a849a6d8244ef56c11f18438c4c76133f92d245228c5a1c8369d42562c177 digest: sha256:8585f3ea3e4cafc4ff2969ea7e797017b7cfe4becb3385f0b080725908c02f09
generated: "2026-04-01T21:30:02.975920565Z" generated: "2026-02-25T18:48:55.77034549Z"

9
clusters/cl01tl/helm/elastic-operator/Chart.yaml
View File

@@ -6,7 +6,8 @@ keywords:
- elastic-operator - elastic-operator
- operator - operator
- elastic-search - elastic-search
home: https://docs.alexlebens.dev/applications/elastic-operator/ - kubernetes
home: https://wiki.alexlebens.dev/s/
sources: sources:
- https://github.com/elastic/cloud-on-k8s - https://github.com/elastic/cloud-on-k8s
- https://github.com/elastic/cloud-on-k8s/tree/main/deploy/eck-operator - https://github.com/elastic/cloud-on-k8s/tree/main/deploy/eck-operator
@@ -14,8 +15,8 @@ maintainers:
- name: alexlebens - name: alexlebens
dependencies: dependencies:
- name: eck-operator - name: eck-operator
version: 3.3.2 version: 3.3.1
repository: https://helm.elastic.co repository: https://helm.elastic.co
icon: https://cdn.jsdelivr.net/gh/selfhst/icons@main/png/elastic.png icon: https://helm.elastic.co/icons/eck.png
# renovate: datasource=github-releases depName=elastic/cloud-on-k8s # renovate: datasource=github-releases depName=elastic/cloud-on-k8s
appVersion: v3.3.2 appVersion: v3.3.1

9
clusters/cl01tl/helm/elastic-operator/values.yaml
View File

@@ -1,16 +1,9 @@
eck-operator: eck-operator:
managedNamespaces: managedNamespaces:
- stalwart
- tubearchivist - tubearchivist
- stalwart
installCRDs: true installCRDs: true
replicaCount: 2 replicaCount: 2
resources:
limits:
cpu: null
memory: null
requests:
cpu: 2m
memory: 50Mi
telemetry: telemetry:
disabled: true disabled: true
config: config:

8
clusters/cl01tl/helm/element-web/Chart.lock
View File

@@ -1,9 +1,9 @@
dependencies: dependencies:
- name: element-web - name: element-web
repository: https://ananace.gitlab.io/charts repository: https://ananace.gitlab.io/charts
version: 1.4.34 version: 1.4.32
- name: cloudflared - name: cloudflared
repository: oci://harbor.alexlebens.net/helm-charts repository: oci://harbor.alexlebens.net/helm-charts
version: 2.5.0 version: 2.4.0
digest: sha256:8640b8a250bdcd9e7561e3d28538ccf4644a7159a035ee0a5fdbcf71dc5b2bbe digest: sha256:49d9dd45eff7cbbc11644e4a8bd3c9d3bf84716ed034a76f097f0ba1fea4c934
generated: "2026-04-10T01:17:19.932208699Z" generated: "2026-03-11T16:04:17.556777286Z"

14
clusters/cl01tl/helm/element-web/Chart.yaml
View File

@@ -4,22 +4,24 @@ version: 1.0.0
description: Element Web description: Element Web
keywords: keywords:
- element-web - element-web
- matrix-chat - chat
home: https://docs.alexlebens.dev/applications/element-web/ - matrix
home: https://wiki.alexlebens.dev/s/e3b03481-1a1d-4b56-8cd9-e75a8dcc0f6c
sources: sources:
- https://github.com/element-hq/element-web - https://github.com/element-hq/element-web
- https://github.com/element-hq/element-web/pkgs/container/element-web - https://github.com/cloudflare/cloudflared
- https://hub.docker.com/r/vectorim/element-web
- https://gitlab.com/ananace/charts/-/tree/master/charts/element-web - https://gitlab.com/ananace/charts/-/tree/master/charts/element-web
- https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/cloudflared - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/cloudflared
maintainers: maintainers:
- name: alexlebens - name: alexlebens
dependencies: dependencies:
- name: element-web - name: element-web
version: 1.4.34 version: 1.4.32
repository: https://ananace.gitlab.io/charts repository: https://ananace.gitlab.io/charts
- name: cloudflared - name: cloudflared
repository: oci://harbor.alexlebens.net/helm-charts repository: oci://harbor.alexlebens.net/helm-charts
version: 2.5.0 version: 2.4.0
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/element.png icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/element.png
# renovate: datasource=github-releases depName=element-hq/element-web # renovate: datasource=github-releases depName=element-hq/element-web
appVersion: v1.12.15 appVersion: v1.12.12

11
clusters/cl01tl/helm/element-web/values.yaml
View File

@@ -1,8 +1,9 @@
element-web: element-web:
replicaCount: 1 replicaCount: 1
image: image:
repository: ghcr.io/element-hq/element-web repository: vectorim/element-web
tag: v1.12.15@sha256:c7fa40b5ba3891f8af3ce63da0818f457c1802a9ee4d2f5e46a9df36a2388eed tag: v1.12.12
pullPolicy: IfNotPresent
defaultServer: defaultServer:
url: https://matrix.alexlebens.dev url: https://matrix.alexlebens.dev
name: alexlebens.dev name: alexlebens.dev
@@ -17,7 +18,9 @@ element-web:
immediate: true immediate: true
default_theme: dark default_theme: dark
default_country_code: US default_country_code: US
ingress:
enabled: false
resources: resources:
requests: requests:
cpu: 1m cpu: 10m
memory: 10Mi memory: 128Mi

7
clusters/cl01tl/helm/eraser/Chart.lock
View File

@@ -2,8 +2,5 @@ dependencies:
- name: eraser - name: eraser
repository: https://eraser-dev.github.io/eraser/charts repository: https://eraser-dev.github.io/eraser/charts
version: 1.4.1 version: 1.4.1
- name: app-template digest: sha256:da828de684b0cd82e99994586f3db4f55c43c01607c4d8d0e70e204c7bbbbf5b
repository: https://bjw-s-labs.github.io/helm-charts/ generated: "2025-12-03T22:53:20.200917773Z"
version: 4.6.2
digest: sha256:8414813d3d9d195b16ef7ebf814f7095a16413f4b0e579fcb37738000624f68c
generated: "2026-04-08T21:39:05.689756-05:00"

12
clusters/cl01tl/helm/eraser/Chart.yaml
View File

@@ -5,23 +5,17 @@ description: Eraser
keywords: keywords:
- eraser - eraser
- images - images
home: https://docs.alexlebens.dev/applications/eraser/ - kubernetes
home: https://wiki.alexlebens.dev/s/bb53ffae-0eda-4ed6-9fdd-894e672b4377
sources: sources:
- https://github.com/eraser-dev/eraser - https://github.com/eraser-dev/eraser
- https://github.com/eraser-dev/eraser/pkgs/container/eraser-manager
- https://github.com/open-telemetry/opentelemetry-collector-releases/pkgs/container/opentelemetry-collector-releases%2Fopentelemetry-collector
- https://github.com/eraser-dev/eraser/tree/main/charts/eraser - https://github.com/eraser-dev/eraser/tree/main/charts/eraser
- https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
maintainers: maintainers:
- name: alexlebens - name: alexlebens
dependencies: dependencies:
- name: eraser - name: eraser
version: 1.4.1 version: 1.4.1
repository: https://eraser-dev.github.io/eraser/charts repository: https://eraser-dev.github.io/eraser/charts
- name: app-template icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/kubernetes.png
alias: eraser-metrics
repository: https://bjw-s-labs.github.io/helm-charts/
version: 4.6.2
icon: https://raw.githubusercontent.com/eraser-dev/eraser/refs/heads/main/images/eraser-logo-color-1c.png
# renovate: datasource=github-releases depName=eraser-dev/eraser # renovate: datasource=github-releases depName=eraser-dev/eraser
appVersion: v1.4.1 appVersion: v1.4.1

129
clusters/cl01tl/helm/eraser/values.yaml
View File

@@ -1,119 +1,50 @@
eraser: eraser:
runtimeConfig: runtimeConfig:
apiVersion: eraser.sh/v1alpha3
kind: EraserConfig
manager: manager:
runtime:
name: containerd
address: unix:///run/containerd/containerd.sock
logLevel: info
scheduling: scheduling:
repeatInterval: 24h repeatInterval: 24h
beginImmediately: true beginImmediately: true
profile:
enabled: false
port: 6060
imageJob: imageJob:
successRatio: 1.0
cleanup: cleanup:
delayOnSuccess: 0s delayOnSuccess: 0s
delayOnFailure: 24h delayOnFailure: 24h
nodeFilter:
type: exclude
selectors:
- eraser.sh/cleanup.filter
- kubernetes.io/os=windows
components: components:
collector: collector:
image: enabled: true
repo: ghcr.io/eraser-dev/collector
tag: v1.4.1@sha256:827588ff826c3558bf2c50b1fc94f20122b054dfcf3480c3ffe6f0bae25c3dad
request: request:
cpu: 1m cpu: 10m
memory: 20Mi memory: 128Mi
scanner: scanner:
enabled: false enabled: false
remover:
image:
repo: ghcr.io/eraser-dev/remover
tag: v1.4.1@sha256:e57592157d717588f69c011cd0b6ab783a19a53b447a5350b27e7e66aae67525
request: request:
cpu: 1m cpu: 100m
memory: 20Mi memory: 128Mi
config: ""
remover:
request:
cpu: 10m
memory: 128Mi
deploy: deploy:
image: securityContext:
repo: ghcr.io/eraser-dev/eraser-manager allowPrivilegeEscalation: false
tag: v1.4.1@sha256:5f18fb7da4ccad93a8643ece496681f1489b0d7b0ce45e18a94774cf8b6a717d
resources:
limits:
memory: null
requests:
cpu: 1m
memory: 20Mi
eraser-metrics:
global:
nameOverride: eraser-metrics
fullnameOverride: eraser-metrics
controllers:
main:
type: deployment
replicas: 1
strategy: Recreate
containers:
main:
image:
repository: ghcr.io/open-telemetry/opentelemetry-collector-releases/opentelemetry-collector
tag: 0.150.1@sha256:618f7867e49fdb173d9b46d535b01f82254b0b14beac6ab1f6f2eb8cf62c5d42
command:
- /otelcol
- --config=/conf/otel-collector-config.yaml
resources: resources:
requests: requests:
cpu: 10m cpu: 10m
memory: 20Mi memory: 30Mi
configMaps: nodeSelector:
config: kubernetes.io/os: linux
enabled: true
forceRename: eraser-config
data:
otel-collector-config.yaml: |
receivers:
otlp:
protocols:
http:
exporters:
prometheus:
endpoint: "0.0.0.0:8889"
send_timestamps: true
metric_expiration: 180m
service:
telemetry:
logs:
encoding: json
pipelines:
metrics:
receivers:
- otlp
exporters:
- prometheus
service:
main:
controller: main
ports:
http:
port: 4318
targetPort: 4318
metrics:
port: 8889
targetPort: 8889
serviceMonitor:
main:
selector:
matchLabels:
app.kubernetes.io/name: eraser-metrics
app.kubernetes.io/instance: eraser-metrics
serviceName: '{{ include "bjw-s.common.lib.chart.names.fullname" $ }}'
endpoints:
- port: metrics
interval: 30s
scrapeTimeout: 15s
path: /metrics
persistence:
config:
enabled: true
type: configMap
name: eraser-config
advancedMounts:
main:
main:
- path: /conf/otel-collector-config.yaml
readOnly: true
mountPropagation: None
subPath: otel-collector-config.yaml

3
clusters/cl01tl/helm/excalidraw/Chart.yaml
View File

@@ -4,8 +4,7 @@ version: 1.0.0
description: Excalidraw description: Excalidraw
keywords: keywords:
- excalidraw - excalidraw
- drawing home: https://wiki.alexlebens.dev/
home: https://docs.alexlebens.dev/applications/eraser/
sources: sources:
- https://github.com/excalidraw/excalidraw - https://github.com/excalidraw/excalidraw
- https://hub.docker.com/r/excalidraw/excalidraw - https://hub.docker.com/r/excalidraw/excalidraw

14
clusters/cl01tl/helm/excalidraw/values.yaml
View File

@@ -4,11 +4,13 @@ excalidraw:
type: deployment type: deployment
replicas: 1 replicas: 1
strategy: Recreate strategy: Recreate
revisionHistoryLimit: 3
containers: containers:
main: main:
image: image:
repository: excalidraw/excalidraw repository: excalidraw/excalidraw
tag: latest@sha256:20ffa04668e19616bb0c1b3632849e5cd96e0bc7a1336b73d9d072667f2c2854 tag: latest@sha256:3c2513e830bb6e195147c05b34ecf8393d0ba2b1cc86e93b407a5777d6135c6c
pullPolicy: IfNotPresent
env: env:
- name: NODE_ENV - name: NODE_ENV
value: production value: production
@@ -16,8 +18,8 @@ excalidraw:
value: America/Chicago value: America/Chicago
resources: resources:
requests: requests:
cpu: 1m cpu: 10m
memory: 10Mi memory: 128Mi
service: service:
main: main:
controller: main controller: main
@@ -25,6 +27,7 @@ excalidraw:
http: http:
port: 80 port: 80
targetPort: 80 targetPort: 80
protocol: HTTP
route: route:
main: main:
kind: HTTPRoute kind: HTTPRoute
@@ -37,8 +40,11 @@ excalidraw:
- excalidraw.alexlebens.net - excalidraw.alexlebens.net
rules: rules:
- backendRefs: - backendRefs:
- name: excalidraw - group: ''
kind: Service
name: excalidraw
port: 80 port: 80
weight: 100
matches: matches:
- path: - path:
type: PathPrefix type: PathPrefix

8
clusters/cl01tl/helm/external-dns/Chart.yaml
View File

@@ -5,11 +5,11 @@ description: External DNS
keywords: keywords:
- external-dns - external-dns
- dns - dns
home: https://docs.alexlebens.dev/applications/eraser/ - unifi
- kubernetes
home: https://wiki.alexlebens.dev/s/7b50e4da-5dc1-4f62-baf9-14b5fed64552
sources: sources:
- https://github.com/kubernetes-sigs/external-dns - https://github.com/kubernetes-sigs/external-dns
- https://explore.ggcr.dev/?repo=registry.k8s.io%2Fexternal-dns%2Fexternal-dns
- https://github.com/kashalls/external-dns-unifi-webhook
- https://github.com/kubernetes-sigs/external-dns/tree/master/charts/external-dns - https://github.com/kubernetes-sigs/external-dns/tree/master/charts/external-dns
maintainers: maintainers:
- name: alexlebens - name: alexlebens
@@ -20,4 +20,4 @@ dependencies:
repository: https://kubernetes-sigs.github.io/external-dns/ repository: https://kubernetes-sigs.github.io/external-dns/
icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/kubernetes.png icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/kubernetes.png
# renovate: datasource=github-releases depName=kubernetes-sigs/external-dns # renovate: datasource=github-releases depName=kubernetes-sigs/external-dns
appVersion: v0.21.0 appVersion: v0.20.0

3
clusters/cl01tl/helm/external-dns/templates/external-secret.yaml
View File

@@ -14,5 +14,8 @@ spec:
data: data:
- secretKey: api-key - secretKey: api-key
remoteRef: remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /unifi/auth/cl01tl key: /unifi/auth/cl01tl
metadataPolicy: None
property: api-key property: api-key

21
clusters/cl01tl/helm/external-dns/values.yaml
View File

@@ -1,30 +1,25 @@
external-dns-unifi: external-dns-unifi:
image:
repository: registry.k8s.io/external-dns/external-dns
tag: v0.21.0@sha256:f53faaf71cb270d1ca9dce6ea0c94bfebf1a18696263487f0fbc74b9bf2bd7ff
fullnameOverride: external-dns-unifi fullnameOverride: external-dns-unifi
resources:
requests:
cpu: 1m
memory: 80Mi
serviceMonitor: serviceMonitor:
enabled: true enabled: true
interval: 360m interval: 1m
sources: sources:
- ingress
- crd - crd
- gateway-httproute - gateway-httproute
- gateway-tlsroute - gateway-tlsroute
policy: sync policy: sync
registry: txt
txtOwnerId: default txtOwnerId: default
txtPrefix: k8s. txtPrefix: k8s.
domainFilters: ["alexlebens.net"] domainFilters: ["alexlebens.net"]
excludeDomains: ["alexlebens.dev"] excludeDomains: []
provider: provider:
name: webhook name: webhook
webhook: webhook:
image: image:
repository: ghcr.io/kashalls/external-dns-unifi-webhook repository: ghcr.io/kashalls/external-dns-unifi-webhook
tag: v0.8.2@sha256:7f0ddbbc83a36a2a9d762e25eef9cafcb3adf0493068a27d72ae71087eafe6f0 tag: v0.8.2
env: env:
- name: UNIFI_HOST - name: UNIFI_HOST
value: https://192.168.1.1 value: https://192.168.1.1
@@ -34,14 +29,18 @@ external-dns-unifi:
name: external-dns-unifi-secret name: external-dns-unifi-secret
key: api-key key: api-key
- name: LOG_LEVEL - name: LOG_LEVEL
value: info value: debug
livenessProbe: livenessProbe:
httpGet: httpGet:
path: /healthz path: /healthz
port: http-webhook port: http-webhook
initialDelaySeconds: 10
timeoutSeconds: 5
readinessProbe: readinessProbe:
httpGet: httpGet:
path: /readyz path: /readyz
port: http-webhook port: http-webhook
initialDelaySeconds: 10
timeoutSeconds: 5
extraArgs: extraArgs:
- --ignore-ingress-tls-spec - --ignore-ingress-tls-spec

6
clusters/cl01tl/helm/external-secrets/Chart.lock
View File

@@ -1,6 +1,6 @@
dependencies: dependencies:
- name: external-secrets - name: external-secrets
repository: https://charts.external-secrets.io repository: https://charts.external-secrets.io
version: 2.3.0 version: 2.2.0
digest: sha256:fedb79c937be24d4bb72f665122b468b445de95f3f02de419903e3136186e42f digest: sha256:832fc3f8d3728bdea2b696a6044e4c18967cd9ab9c5cc74adbf40aaa270a84b4
generated: "2026-04-10T15:10:52.488487421Z" generated: "2026-03-20T20:53:08.407747649Z"

12
clusters/cl01tl/helm/external-secrets/Chart.yaml
View File

@@ -5,17 +5,15 @@ description: External Secrets
keywords: keywords:
- external-secrets - external-secrets
- secrets - secrets
- operator - vault
home: https://docs.alexlebens.dev/applications/eraser/ home: https://wiki.alexlebens.dev/s/d29044fb-0d63-4500-8853-2971964f356a
sources: sources:
- https://github.com/external-secrets/external-secrets - https://github.com/external-secrets/external-secrets
- https://github.com/external-secrets/external-secrets/pkgs/container/external-secrets
- https://github.com/external-secrets/external-secrets/tree/main/deploy/charts/external-secrets - https://github.com/external-secrets/external-secrets/tree/main/deploy/charts/external-secrets
dependencies: dependencies:
- name: external-secrets - name: external-secrets
alias: external-secrets version: 2.2.0
version: 2.3.0
repository: https://charts.external-secrets.io repository: https://charts.external-secrets.io
icon: https://raw.githubusercontent.com/external-secrets/external-secrets/refs/heads/main/assets/eso-logo-large.png icon: https://avatars.githubusercontent.com/u/68335991?s=48&v=4
# renovate: datasource=github-releases depName=external-secrets/external-secrets # renovate: datasource=github-releases depName=external-secrets/external-secrets
appVersion: v2.3.0 appVersion: v2.2.0

17
clusters/cl01tl/helm/external-secrets/templates/cluster-role-binding.yaml
View File

@@ -1,17 +0,0 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: external-secrets
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: external-secrets
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:auth-delegator
subjects:
- kind: ServiceAccount
name: external-secrets
namespace: {{ .Release.Namespace }}

26
clusters/cl01tl/helm/external-secrets/templates/cluster-secret-store.yaml
View File

@@ -17,29 +17,3 @@ spec:
namespace: vault namespace: vault
name: vault-token name: vault-token
key: token key: token
---
apiVersion: external-secrets.io/v1
kind: ClusterSecretStore
metadata:
name: openbao
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: openbao
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
provider:
vault:
server: http://openbao-internal.openbao:8200
path: secret
version: v2
auth:
kubernetes:
mountPath: kubernetes
role: external-secrets
serviceAccountRef:
name: external-secrets
namespace: {{ .Release.Name }}
audiences:
- openbao

44
clusters/cl01tl/helm/external-secrets/values.yaml
View File

@@ -1,44 +0,0 @@
external-secrets:
replicaCount: 3
image:
repository: ghcr.io/external-secrets/external-secrets
tag: v2.3.0@sha256:c425f51f422506c380550ad32fbf155412c7be84dd1c4b196130dcf04497be80
installCRDs: true
crds:
createClusterExternalSecret: true
createClusterSecretStore: true
createSecretStore: true
createClusterGenerator: true
createClusterPushSecret: true
createPushSecret: true
leaderElect: true
extendedMetricLabels: true
resources:
requests:
cpu: 5m
memory: 50Mi
serviceMonitor:
enabled: true
livenessProbe:
enabled: true
readinessProbe:
enabled: true
podDisruptionBudget:
enabled: true
minAvailable: 1
webhook:
image:
repository: ghcr.io/external-secrets/external-secrets
tag: v2.3.0@sha256:c425f51f422506c380550ad32fbf155412c7be84dd1c4b196130dcf04497be80
resources:
requests:
cpu: 1m
memory: 30Mi
certController:
image:
repository: ghcr.io/external-secrets/external-secrets
tag: v2.3.0@sha256:c425f51f422506c380550ad32fbf155412c7be84dd1c4b196130dcf04497be80
resources:
requests:
cpu: 1m
memory: 60Mi

Some files were not shown because too many files have changed in this diff Show More