feat: add more

.gitea/workflows/renovate.yaml

@@ -13,7 +13,7 @@ on:
 jobs:
   renovate:
     runs-on: ubuntu-latest
-    container: ghcr.io/renovatebot/renovate:43.139.6@sha256:2ed9f867ea7a7d2448847ce704f78af09e9b881c63f843a1aa0f590691737c42
+    container: ghcr.io/renovatebot/renovate:43.138.2@sha256:79765b2442117d5c87e17456aa79ae54b4e0e2a4d9212a10508e233706375556
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

clusters/cl01tl/helm/actual/templates/_helpers.tpl

@@ -0,0 +1,14 @@
+{{/*
+Common labels
+*/}}
+{{- define "custom.labels" -}}
+{{ include "custom.selectorLabels" $ }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "custom.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}

clusters/cl01tl/helm/authentik/templates/ingress.yaml

@@ -5,8 +5,8 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: {{ .Release.Name }}-tailscale
-    tailscale.com/proxy-class: no-metrics
     {{- include "custom.labels" . | nindent 4 }}
+    tailscale.com/proxy-class: no-metrics
   annotations:
     tailscale.com/experimental-forward-cluster-traffic-via-ingress: "true"
 spec:
@@ -25,4 +25,4 @@ spec:
               service:
                 name: authentik-server
                 port:
-                  number: 80
+                  name: http

clusters/cl01tl/helm/blocky/templates/_helpers.tpl

@@ -0,0 +1,14 @@
+{{/*
+Common labels
+*/}}
+{{- define "custom.labels" -}}
+{{ include "custom.selectorLabels" $ }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "custom.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}

clusters/cl01tl/helm/cilium/templates/http-route.yaml

@@ -20,8 +20,6 @@ spec:
           type: PathPrefix
           value: /
       backendRefs:
-        - group: ''
+        - kind: Service
-          kind: Service
           name: hubble-ui
           port: 80
-          weight: 100

clusters/cl01tl/helm/cloudnative-pg/templates/_helpers.tpl

@@ -0,0 +1,14 @@
+{{/*
+Common labels
+*/}}
+{{- define "custom.labels" -}}
+{{ include "custom.selectorLabels" $ }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "custom.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}

clusters/cl01tl/helm/coredns/templates/_helpers.tpl

@@ -0,0 +1,14 @@
+{{/*
+Common labels
+*/}}
+{{- define "custom.labels" -}}
+{{ include "custom.selectorLabels" $ }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "custom.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}

clusters/cl01tl/helm/democratic-csi-synology-iscsi/templates/_helpers.tpl

@@ -0,0 +1,14 @@
+{{/*
+Common labels
+*/}}
+{{- define "custom.labels" -}}
+{{ include "custom.selectorLabels" $ }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "custom.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}

clusters/cl01tl/helm/democratic-csi-synology-iscsi/templates/external-secret.yaml

@@ -1,16 +1,15 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: synology-iscsi-config-secret
+  name: synology-iscsi-config
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: synology-iscsi-config-secret
+    app.kubernetes.io/name: synology-iscsi-config
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
   data:
     - secretKey: driver-config-file.yaml
       remoteRef:

clusters/cl01tl/helm/democratic-csi-synology-iscsi/templates/namespace.yaml

@@ -1,11 +1,10 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: democratic-csi-synology-iscsi
+  name: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: democratic-csi-synology-iscsi
+    app.kubernetes.io/name: {{ .Release.Namespace }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
     pod-security.kubernetes.io/audit: privileged
     pod-security.kubernetes.io/enforce: privileged
     pod-security.kubernetes.io/warn: privileged

clusters/cl01tl/helm/democratic-csi-synology-iscsi/values.yaml

@@ -3,7 +3,7 @@ democratic-csi:
     image:
       registry: ghcr.io/democratic-csi/democratic-csi
       tag: v1.9.5@@sha256:fc3b7d7ed3a616714139525075312758e23a5d425ffb539ad12c9bd20fb6001f
-    existingConfigSecret: synology-iscsi-config-secret
+    existingConfigSecret: synology-iscsi-config
     config:
       driver: synology-iscsi
     resources:

clusters/cl01tl/helm/descheduler/templates/_helpers.tpl

@@ -0,0 +1,14 @@
+{{/*
+Common labels
+*/}}
+{{- define "custom.labels" -}}
+{{ include "custom.selectorLabels" $ }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "custom.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}

clusters/cl01tl/helm/directus/Chart.yaml

@@ -5,7 +5,7 @@ description: Directus
 keywords:
   - directus
   - content-management-system
-home: https://docs.alexlebens.dev/applications/descheduler/
+home: https://docs.alexlebens.dev/applications/directus/
 sources:
   - https://github.com/directus/directus
   - https://github.com/directus/directus/pkgs/container/directus

clusters/cl01tl/helm/directus/templates/_helpers.tpl

@@ -0,0 +1,14 @@
+{{/*
+Common labels
+*/}}
+{{- define "custom.labels" -}}
+{{ include "custom.selectorLabels" $ }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "custom.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}

clusters/cl01tl/helm/directus/templates/external-secret.yaml

@@ -5,13 +5,20 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: directus-config
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
   data:
+    - secretKey: key
+      remoteRef:
+        key: /cl01tl/directus/key
+        property: key
+    - secretKey: secret
+      remoteRef:
+        key: /cl01tl/directus/key
+        property: secret
     - secretKey: admin-email
       remoteRef:
         key: /cl01tl/directus/config
@@ -20,38 +27,6 @@ spec:
       remoteRef:
         key: /cl01tl/directus/config
         property: admin-password
-    - secretKey: secret
-      remoteRef:
-        key: /cl01tl/directus/config
-        property: secret
-    - secretKey: key
-      remoteRef:
-        key: /cl01tl/directus/config
-        property: key
-
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: directus-oidc-secret
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: directus-oidc-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  data:
-    - secretKey: OIDC_CLIENT_ID
-      remoteRef:
-        key: /authentik/oidc/directus
-        property: client
-    - secretKey: OIDC_CLIENT_SECRET
-      remoteRef:
-        key: /authentik/oidc/directus
-        property: secret
 
 ---
 apiVersion: external-secrets.io/v1
@@ -61,18 +36,67 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: directus-metric-token
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
   data:
     - secretKey: metric-token
       remoteRef:
         key: /cl01tl/directus/metrics
         property: metric-token
 
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: directus-valkey-config
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: directus-valkey-config
+    {{- include "custom.labels" . | nindent 4 }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: openbao
+  data:
+    - secretKey: user
+      remoteRef:
+        key: /cl01tl/directus/valkey
+        property: user
+    - secretKey: password
+      remoteRef:
+        key: /cl01tl/directus/valkey
+        property: password
+    - secretKey: default
+      remoteRef:
+        key: /cl01tl/directus/valkey
+        property: password
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: directus-oidc-authentik
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: directus-oidc-authentik
+    {{- include "custom.labels" . | nindent 4 }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: openbao
+  data:
+    - secretKey: OIDC_CLIENT_ID
+      remoteRef:
+        key: /cl01tl/authentik/oidc/directus
+        property: client
+    - secretKey: OIDC_CLIENT_SECRET
+      remoteRef:
+        key: /cl01tl/authentik/oidc/directus
+        property: secret
+
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
@@ -81,12 +105,11 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: directus-bucket-garage
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
   data:
     - secretKey: ACCESS_KEY_ID
       remoteRef:
@@ -100,31 +123,3 @@ spec:
       remoteRef:
         key: /garage/home-infra/directus-assets
         property: ACCESS_REGION
-
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: directus-valkey-config
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: directus-valkey-config
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  data:
-    - secretKey: default
-      remoteRef:
-        key: /cl01tl/directus/valkey
-        property: password
-    - secretKey: user
-      remoteRef:
-        key: /cl01tl/directus/valkey
-        property: user
-    - secretKey: password
-      remoteRef:
-        key: /cl01tl/directus/valkey
-        property: password

clusters/cl01tl/helm/directus/values.yaml

@@ -113,12 +113,12 @@ directus:
             - name: AUTH_AUTHENTIK_CLIENT_ID
               valueFrom:
                 secretKeyRef:
-                  name: directus-oidc-secret
+                  name: directus-oidc-authentik
                   key: OIDC_CLIENT_ID
             - name: AUTH_AUTHENTIK_CLIENT_SECRET
               valueFrom:
                 secretKeyRef:
-                  name: directus-oidc-secret
+                  name: directus-oidc-authentik
                   key: OIDC_CLIENT_SECRET
             - name: AUTH_AUTHENTIK_SCOPE
               value: openid profile email

clusters/cl01tl/helm/elastic-operator/templates/_helpers.tpl

@@ -0,0 +1,14 @@
+{{/*
+Common labels
+*/}}
+{{- define "custom.labels" -}}
+{{ include "custom.selectorLabels" $ }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "custom.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}

clusters/cl01tl/helm/element-web/templates/_helpers.tpl

@@ -0,0 +1,14 @@
+{{/*
+Common labels
+*/}}
+{{- define "custom.labels" -}}
+{{ include "custom.selectorLabels" $ }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "custom.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}

clusters/cl01tl/helm/eraser/templates/_helpers.tpl

@@ -0,0 +1,14 @@
+{{/*
+Common labels
+*/}}
+{{- define "custom.labels" -}}
+{{ include "custom.selectorLabels" $ }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "custom.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}

clusters/cl01tl/helm/excalidraw/Chart.yaml

@@ -5,7 +5,7 @@ description: Excalidraw
 keywords:
   - excalidraw
   - drawing
-home: https://docs.alexlebens.dev/applications/eraser/
+home: https://docs.alexlebens.dev/applications/excalidraw/
 sources:
   - https://github.com/excalidraw/excalidraw
   - https://hub.docker.com/r/excalidraw/excalidraw

clusters/cl01tl/helm/excalidraw/templates/_helpers.tpl

@@ -0,0 +1,14 @@
+{{/*
+Common labels
+*/}}
+{{- define "custom.labels" -}}
+{{ include "custom.selectorLabels" $ }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "custom.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}

clusters/cl01tl/helm/external-dns/Chart.yaml

@@ -5,7 +5,7 @@ description: External DNS
 keywords:
   - external-dns
   - dns
-home: https://docs.alexlebens.dev/applications/eraser/
+home: https://docs.alexlebens.dev/applications/external-dns/
 sources:
   - https://github.com/kubernetes-sigs/external-dns
   - https://explore.ggcr.dev/?repo=registry.k8s.io%2Fexternal-dns%2Fexternal-dns

clusters/cl01tl/helm/external-dns/templates/_helpers.tpl

@@ -0,0 +1,14 @@
+{{/*
+Common labels
+*/}}
+{{- define "custom.labels" -}}
+{{ include "custom.selectorLabels" $ }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "custom.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}

clusters/cl01tl/helm/external-dns/templates/dns-endpoint.yaml

@@ -5,8 +5,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: external-device-names
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   endpoints:
     # Unifi UDM
@@ -48,8 +47,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: iot-device-names
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   endpoints:
     # Airgradient
@@ -82,6 +80,18 @@ spec:
       recordType: A
       targets:
         - 10.230.0.100
+    # HD Homerun
+    - dnsName: dv01hr.alexlebens.net
+      recordTTL: 180
+      recordType: A
+      targets:
+        - 10.232.1.72
+    # Pi KVM
+    - dnsName: dv02kv.alexlebens.net
+      recordTTL: 180
+      recordType: A
+      targets:
+        - 10.232.1.71
 
 ---
 apiVersion: externaldns.k8s.io/v1alpha1
@@ -91,8 +101,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: server-host-names
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   endpoints:
     # Unifi Gateway
@@ -125,6 +134,18 @@ spec:
       recordType: A
       targets:
         - 10.232.1.52
+    # Desktop
+    - dnsName: pd05wd.alexlebens.net
+      recordTTL: 180
+      recordType: A
+      targets:
+        - 10.230.0.115
+    # Laptop
+    - dnsName: pl02mc.alexlebens.net
+      recordTTL: 180
+      recordType: A
+      targets:
+        - 10.230.0.105
 
 ---
 apiVersion: externaldns.k8s.io/v1alpha1
@@ -134,8 +155,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: cluster-service-names
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   endpoints:
     # Treafik Proxy

clusters/cl01tl/helm/external-dns/templates/external-secret.yaml

@@ -5,12 +5,11 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: external-dns-unifi-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
   data:
     - secretKey: api-key
       remoteRef:

clusters/cl01tl/helm/external-secrets/templates/_helpers.tpl

@@ -0,0 +1,14 @@
+{{/*
+Common labels
+*/}}
+{{- define "custom.labels" -}}
+{{ include "custom.selectorLabels" $ }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "custom.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}

clusters/cl01tl/helm/external-secrets/templates/cluster-role-binding.yaml

@@ -5,13 +5,12 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: external-secrets
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: system:auth-delegator
 subjects:
   - kind: ServiceAccount
-    name: external-secrets
+    name: {{ .Release.Name }}
     namespace: {{ .Release.Namespace }}

clusters/cl01tl/helm/external-secrets/templates/cluster-secret-store.yaml

@@ -5,8 +5,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: vault
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   provider:
     vault:
@@ -26,8 +25,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: openbao
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   provider:
     vault:
@@ -39,7 +37,7 @@ spec:
           mountPath: kubernetes
           role: external-secrets
           serviceAccountRef:
-            name: external-secrets
+            name: {{ .Release.Name }}
-            namespace: {{ .Release.Name }}
+            namespace: {{ .Release.Namespace }}
             audiences:
               - openbao

clusters/cl01tl/helm/foldergram/templates/_helpers.tpl

@@ -0,0 +1,21 @@
+{{/*
+Common labels
+*/}}
+{{- define "custom.labels" -}}
+{{ include "custom.selectorLabels" $ }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "custom.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+NFS names
+*/}}
+{{- define "custom.storageNfsName" -}}
+foldergram-pictures-collections-nfs-storage
+{{- end -}}

clusters/cl01tl/helm/foldergram/templates/persistent-volume-claim.yaml

@@ -1,14 +1,13 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: foldergram-pictures-collections-nfs-storage
+  name: {{ include "custom.storageNfsName" . }}
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: foldergram-pictures-collections-nfs-storage
+    app.kubernetes.io/name: {{ include "custom.storageNfsName" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
-  volumeName: foldergram-pictures-collections-nfs-storage
+  volumeName: {{ include "custom.storageNfsName" . }}
   storageClassName: nfs-client
   accessModes:
     - ReadWriteMany

clusters/cl01tl/helm/foldergram/templates/persistent-volume.yaml

@@ -1,12 +1,11 @@
 apiVersion: v1
 kind: PersistentVolume
 metadata:
-  name: foldergram-pictures-collections-nfs-storage
+  name: {{ include "custom.storageNfsName" . }}
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: foldergram-pictures-collections-nfs-storage
+    app.kubernetes.io/name: {{ include "custom.storageNfsName" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   persistentVolumeReclaimPolicy: Retain
   storageClassName: nfs-client

clusters/cl01tl/helm/freshrss/templates/_helpers.tpl

@@ -0,0 +1,14 @@
+{{/*
+Common labels
+*/}}
+{{- define "custom.labels" -}}
+{{ include "custom.selectorLabels" $ }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "custom.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}

clusters/cl01tl/helm/freshrss/templates/external-secret.yaml

@@ -1,54 +1,52 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: freshrss-install-secret
+  name: freshrss-install-config
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: freshrss-install-secret
+    app.kubernetes.io/name: freshrss-install-config
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
   data:
     - secretKey: ADMIN_EMAIL
       remoteRef:
         key: /cl01tl/freshrss/config
-        property: ADMIN_EMAIL
+        property: admin-email
     - secretKey: ADMIN_PASSWORD
       remoteRef:
         key: /cl01tl/freshrss/config
-        property: ADMIN_PASSWORD
+        property: admin-password
     - secretKey: ADMIN_API_PASSWORD
       remoteRef:
         key: /cl01tl/freshrss/config
-        property: ADMIN_API_PASSWORD
+        property: admin-api-password
 
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: freshrss-oidc-secret
+  name: freshrss-oidc-authentik
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: freshrss-oidc-secret
+    app.kubernetes.io/name: freshrss-oidc-authentik
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
   data:
     - secretKey: OIDC_CLIENT_ID
       remoteRef:
-        key: /authentik/oidc/freshrss
+        key: /cl01tl/authentik/oidc/freshrss
         property: client
     - secretKey: OIDC_CLIENT_SECRET
       remoteRef:
-        key: /authentik/oidc/freshrss
+        key: /cl01tl/authentik/oidc/freshrss
         property: secret
     - secretKey: OIDC_CLIENT_CRYPTO_KEY
       remoteRef:
-        key: /authentik/oidc/freshrss
+        key: /cl01tl/freshrss/key
-        property: crypto-key
+        property: oidc-client-crypto-key

clusters/cl01tl/helm/freshrss/values.yaml

@@ -73,9 +73,9 @@ freshrss:
               value: preferred_username
           envFrom:
             - secretRef:
-                name: freshrss-oidc-secret
+                name: freshrss-oidc-authentik
             - secretRef:
-                name: freshrss-install-secret
+                name: freshrss-install-config
           resources:
             requests:
               cpu: 1m

clusters/cl01tl/helm/garage/templates/_helpers.tpl

@@ -0,0 +1,14 @@
+{{/*
+Common labels
+*/}}
+{{- define "custom.labels" -}}
+{{ include "custom.selectorLabels" $ }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "custom.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}

clusters/cl01tl/helm/garage/templates/external-secret.yaml

@@ -1,26 +1,25 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: garage-token-secret
+  name: garage-token
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: garage-token-secret
+    app.kubernetes.io/name: garage-token
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
   data:
     - secretKey: GARAGE_RPC_SECRET
       remoteRef:
-        key: /cl01tl/garage/token
+        key: /cl01tl/garage/config
-        property: rpc
+        property: rpc-secret
     - secretKey: GARAGE_ADMIN_TOKEN
       remoteRef:
-        key: /cl01tl/garage/token
+        key: /cl01tl/garage/config
-        property: admin
+        property: admin-token
     - secretKey: GARAGE_METRICS_TOKEN
       remoteRef:
-        key: /cl01tl/garage/token
+        key: /cl01tl/garage/config
-        property: metric
+        property: metrics-token

clusters/cl01tl/helm/garage/templates/service.yaml

@@ -6,8 +6,7 @@ metadata:
   labels:
     app.kubernetes.io/name: garage-main
     app.kubernetes.io/service: garage-main
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   ports:
     - name: admin
@@ -27,6 +26,6 @@ spec:
       protocol: TCP
       targetPort: 3902
   selector:
-    app.kubernetes.io/instance: garage
     app.kubernetes.io/name: garage
+    app.kubernetes.io/instance: garage
     garage-type: server

clusters/cl01tl/helm/garage/values.yaml

@@ -24,7 +24,7 @@ garage:
             tag: v2.3.0@sha256:866bd13ed2038ba7e7190e840482bc27234c4afaf77be8cfa439ae088c1e4690
           envFrom:
             - secretRef:
-                name: garage-token-secret
+                name: garage-token
           resources:
             requests:
               cpu: 10m
@@ -53,7 +53,7 @@ garage:
             tag: v2.3.0@sha256:866bd13ed2038ba7e7190e840482bc27234c4afaf77be8cfa439ae088c1e4690
           envFrom:
             - secretRef:
-                name: garage-token-secret
+                name: garage-token
           resources:
             requests:
               cpu: 10m
@@ -82,7 +82,7 @@ garage:
             tag: v2.3.0@sha256:866bd13ed2038ba7e7190e840482bc27234c4afaf77be8cfa439ae088c1e4690
           envFrom:
             - secretRef:
-                name: garage-token-secret
+                name: garage-token
           resources:
             requests:
               cpu: 10m
@@ -104,7 +104,7 @@ garage:
             - name: API_ADMIN_KEY
               valueFrom:
                 secretKeyRef:
-                  name: garage-token-secret
+                  name: garage-token
                   key: GARAGE_ADMIN_TOKEN
           resources:
             requests:
@@ -273,7 +273,7 @@ garage:
           scrapeTimeout: 2m
           path: /metrics
           bearerTokenSecret:
-            name: garage-token-secret
+            name: garage-token
             key: GARAGE_METRICS_TOKEN
   route:
     webui:

clusters/cl01tl/helm/gatus/templates/_helpers.tpl

@@ -0,0 +1,14 @@
+{{/*
+Common labels
+*/}}
+{{- define "custom.labels" -}}
+{{ include "custom.selectorLabels" $ }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "custom.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}

clusters/cl01tl/helm/gatus/templates/external-secret.yaml

@@ -1,42 +1,40 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: gatus-config-secret
+  name: gatus-config
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: gatus-config-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
   data:
     - secretKey: NTFY_TOKEN
       remoteRef:
-        key: /ntfy/user/cl01tl
+        key: /cl01tl/ntfy/users/cl01tl
         property: token
 
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: gatus-oidc-secret
+  name: gatus-oidc-authentik
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: gatus-oidc-secret
+    app.kubernetes.io/name: gatus-oidc-authentik
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
   data:
     - secretKey: OIDC_CLIENT_ID
       remoteRef:
-        key: /authentik/oidc/gatus
+        key: /cl01tl/authentik/oidc/gatus
         property: client
     - secretKey: OIDC_CLIENT_SECRET
       remoteRef:
-        key: /authentik/oidc/gatus
+        key: /cl01tl/authentik/oidc/gatus
         property: secret

clusters/cl01tl/helm/gatus/values.yaml

@@ -20,17 +20,17 @@ gatus:
     NTFY_TOKEN:
       valueFrom:
         secretKeyRef:
-          name: gatus-config-secret
+          name: gatus-config
           key: NTFY_TOKEN
     OIDC_CLIENT_ID:
       valueFrom:
         secretKeyRef:
-          name: gatus-oidc-secret
+          name: gatus-oidc-authentik
           key: OIDC_CLIENT_ID
     OIDC_CLIENT_SECRET:
       valueFrom:
         secretKeyRef:
-          name: gatus-oidc-secret
+          name: gatus-oidc-authentik
           key: OIDC_CLIENT_SECRET
     POSTGRES_USER:
       valueFrom:

clusters/cl01tl/helm/generic-device-plugin/templates/_helpers.tpl

@@ -0,0 +1,14 @@
+{{/*
+Common labels
+*/}}
+{{- define "custom.labels" -}}
+{{ include "custom.selectorLabels" $ }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "custom.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}

clusters/cl01tl/helm/generic-device-plugin/templates/namespace.yaml

@@ -1,11 +1,10 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: generic-device-plugin
+  name: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: generic-device-plugin
+    app.kubernetes.io/name: {{ .Release.Namespace }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
     pod-security.kubernetes.io/audit: privileged
     pod-security.kubernetes.io/enforce: privileged
     pod-security.kubernetes.io/warn: privileged

clusters/cl01tl/helm/gitea/templates/_helpers.tpl

@@ -0,0 +1,14 @@
+{{/*
+Common labels
+*/}}
+{{- define "custom.labels" -}}
+{{ include "custom.selectorLabels" $ }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "custom.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}

clusters/cl01tl/helm/gitea/templates/config-map.yaml

@@ -5,8 +5,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: gitea-custom-templates
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 data:
   header.tmpl: |
     <script defer src="https://rybbit.alexlebens.dev/api/script.js" data-site-id="b515c34a6dcc"></script>

clusters/cl01tl/helm/gitea/templates/external-secret.yaml

@@ -1,64 +1,15 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
-metadata:
-  name: gitea-admin-secret
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: gitea-admin-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  data:
-    - secretKey: username
-      remoteRef:
-        key: /cl01tl/gitea/auth/admin
-        property: username
-    - secretKey: password
-      remoteRef:
-        key: /cl01tl/gitea/auth/admin
-        property: password
-
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: gitea-oidc-secret
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: gitea-oidc-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  data:
-    - secretKey: secret
-      remoteRef:
-        key: /authentik/oidc/gitea
-        property: secret
-    - secretKey: key
-      remoteRef:
-        key: /authentik/oidc/gitea
-        property: client
-
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
 metadata:
   name: gitea-runner-secret
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: gitea-runner-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
   data:
     - secretKey: token
       remoteRef:
@@ -69,80 +20,15 @@ spec:
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: gitea-renovate-secret
+  name: gitea-meilisearch-key
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: gitea-renovate-secret
+    app.kubernetes.io/name: gitea-meilisearch-key
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
-  data:
-    - secretKey: RENOVATE_ENDPOINT
-      remoteRef:
-        key: /cl01tl/gitea/renovate
-        property: RENOVATE_ENDPOINT
-    - secretKey: RENOVATE_GIT_AUTHOR
-      remoteRef:
-        key: /cl01tl/gitea/renovate
-        property: RENOVATE_GIT_AUTHOR
-    - secretKey: RENOVATE_TOKEN
-      remoteRef:
-        key: /cl01tl/gitea/renovate
-        property: RENOVATE_TOKEN
-    - secretKey: RENOVATE_GIT_PRIVATE_KEY
-      remoteRef:
-        key: /cl01tl/gitea/renovate
-        property: id_rsa
-    - secretKey: RENOVATE_GITHUB_COM_TOKEN
-      remoteRef:
-        key: /github/gitea-cl01tl
-        property: token
-
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: gitea-renovate-ssh-secret
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: gitea-renovate-ssh-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  data:
-    - secretKey: config
-      remoteRef:
-        key: /cl01tl/gitea/renovate
-        property: ssh_config
-    - secretKey: id_rsa
-      remoteRef:
-        key: /cl01tl/gitea/renovate
-        property: id_rsa
-    - secretKey: id_rsa.pub
-      remoteRef:
-        key: /cl01tl/gitea/renovate
-        property: id_rsa.pub
-
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: gitea-meilisearch-master-key-secret
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: gitea-meilisearch-master-key-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
   target:
     template:
       mergePolicy: Merge
@@ -153,4 +39,27 @@ spec:
     - secretKey: MEILI_MASTER_KEY
       remoteRef:
         key: /cl01tl/gitea/meilisearch
-        property: MEILI_MASTER_KEY
+        property: master-key
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: gitea-oidc-authentik
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: gitea-oidc-authentik
+    {{- include "custom.labels" . | nindent 4 }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: openbao
+  data:
+    - secretKey: secret
+      remoteRef:
+        key: /cl01tl/authentik/oidc/gitea
+        property: secret
+    - secretKey: key
+      remoteRef:
+        key: /cl01tl/authentik/oidc/gitea
+        property: client

clusters/cl01tl/helm/gitea/templates/http-route.yaml

@@ -5,8 +5,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: gitea
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   parentRefs:
     - group: gateway.networking.k8s.io
@@ -21,8 +20,6 @@ spec:
           type: PathPrefix
           value: /
       backendRefs:
-        - group: ''
+        - kind: Service
-          kind: Service
           name: gitea-http
           port: 3000
-          weight: 100

clusters/cl01tl/helm/gitea/templates/ingress.yaml

@@ -1,12 +1,11 @@
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
-  name: gitea-tailscale
+  name: {{ .Release.Name }}-tailscale
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: gitea-tailscale
+    app.kubernetes.io/name: {{ .Release.Name }}-tailscale
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
     tailscale.com/proxy-class: no-metrics
   annotations:
     tailscale.com/experimental-forward-cluster-traffic-via-ingress: "true"
@@ -21,7 +20,7 @@ spec:
       http:
         paths:
           - path: /
-            pathType: ImplementationSpecific
+            pathType: Prefix
             backend:
               service:
                 name: gitea-http

clusters/cl01tl/helm/gitea/templates/namespace.yaml

@@ -1,11 +1,10 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: gitea
+  name: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: gitea
+    app.kubernetes.io/name: {{ .Release.Namespace }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
     pod-security.kubernetes.io/audit: privileged
     pod-security.kubernetes.io/enforce: privileged
     pod-security.kubernetes.io/warn: privileged

clusters/cl01tl/helm/gitea/templates/persistent-volume-claim.yaml

@@ -5,8 +5,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: gitea-themes-storage
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   volumeMode: Filesystem
   storageClassName: ceph-filesystem

clusters/cl01tl/helm/gitea/templates/service-monitor.yaml

@@ -5,8 +5,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: gitea
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   selector:
     matchLabels:

clusters/cl01tl/helm/gitea/templates/tcp-route.yaml

@@ -5,8 +5,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: gitea-ssh
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   parentRefs:
     - group: gateway.networking.k8s.io
@@ -16,8 +15,6 @@ spec:
       sectionName: ssh
   rules:
     - backendRefs:
-        - group: ''
+        - kind: Service
-          kind: Service
           name: gitea-ssh
           port: 22
-          weight: 100

clusters/cl01tl/helm/gitea/values.yaml

@@ -59,7 +59,7 @@ gitea:
     oauth:
       - name: Authentik
         provider: openidConnect
-        existingSecret: gitea-oidc-secret
+        existingSecret: gitea-oidc-authentik
         autoDiscoverUrl: https://auth.alexlebens.dev/application/o/gitea/.well-known/openid-configuration
         iconUrl: https://goauthentik.io/img/icon.png
         scopes: "email profile"
@@ -137,7 +137,7 @@ gitea:
       - name: GITEA__INDEXER__ISSUE_INDEXER_CONN_STR
         valueFrom:
           secretKeyRef:
-            name: gitea-meilisearch-master-key-secret
+            name: gitea-meilisearch-key
             key: ISSUE_INDEXER_CONN_STR
   valkey-cluster:
     enabled: false
@@ -235,7 +235,7 @@ meilisearch:
     MEILI_ENV: production
     MEILI_EXPERIMENTAL_DUMPLESS_UPGRADE: true
   auth:
-    existingMasterKeySecret: gitea-meilisearch-master-key-secret
+    existingMasterKeySecret: gitea-meilisearch-key
   persistence:
     enabled: true
     storageClass: ceph-block

clusters/cl01tl/helm/grafana-operator/templates/_helpers.tpl

@@ -0,0 +1,14 @@
+{{/*
+Common labels
+*/}}
+{{- define "custom.labels" -}}
+{{ include "custom.selectorLabels" $ }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "custom.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}

clusters/cl01tl/helm/grafana-operator/templates/external-secret.yaml

@@ -1,98 +1,44 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: grafana-auth-secret
+  name: grafana-config
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: grafana-auth-secret
+    app.kubernetes.io/name: grafana-config
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
   data:
     - secretKey: admin-user
       remoteRef:
-        key: /cl01tl/grafana/auth
+        key: /cl01tl/grafana/config
         property: admin-user
     - secretKey: admin-password
       remoteRef:
-        key: /cl01tl/grafana/auth
+        key: /cl01tl/grafana/config
         property: admin-password
 
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: grafana-oauth-secret
+  name: grafana-oidc-authentik
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: grafana-oauth-secret
+    app.kubernetes.io/name: grafana-oidc-authentik
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
   data:
     - secretKey: AUTH_CLIENT_ID
       remoteRef:
-        key: /authentik/oidc/grafana
+        key: /cl01tl/authentik/oidc/grafana
         property: client
     - secretKey: AUTH_CLIENT_SECRET
       remoteRef:
-        key: /authentik/oidc/grafana
+        key: /cl01tl/authentik/oidc/grafana
         property: secret
-
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: grafana-operator-postgresql-18-cluster-backup-secret
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: grafana-operator-postgresql-18-cluster-backup-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  data:
-    - secretKey: ACCESS_KEY_ID
-      remoteRef:
-        key: /digital-ocean/home-infra/postgres-backups
-        property: access
-    - secretKey: ACCESS_SECRET_KEY
-      remoteRef:
-        key: /digital-ocean/home-infra/postgres-backups
-        property: secret
-
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: grafana-operator-postgresql-18-cluster-backup-secret-garage
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: grafana-operator-postgresql-18-cluster-backup-secret-garage
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  data:
-    - secretKey: ACCESS_KEY_ID
-      remoteRef:
-        key: /garage/home-infra/postgres-backups
-        property: ACCESS_KEY_ID
-    - secretKey: ACCESS_SECRET_KEY
-      remoteRef:
-        key: /garage/home-infra/postgres-backups
-        property: ACCESS_SECRET_KEY
-    - secretKey: ACCESS_REGION
-      remoteRef:
-        key: /garage/home-infra/postgres-backups
-        property: ACCESS_REGION

clusters/cl01tl/helm/grafana-operator/templates/grafana-dashboard.yaml

@@ -5,8 +5,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grafana-dashboard-ceph
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   instanceSelector:
     matchLabels:
@@ -24,8 +23,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grafana-dashboard-coredns
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   instanceSelector:
     matchLabels:
@@ -43,8 +41,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grafana-dashboard-etcd
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   instanceSelector:
     matchLabels:
@@ -62,8 +59,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grafana-dashboard-garage
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   instanceSelector:
     matchLabels:
@@ -81,8 +77,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grafana-dashboard-loki
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   instanceSelector:
     matchLabels:
@@ -100,8 +95,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grafana-dashboard-node-full
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   instanceSelector:
     matchLabels:
@@ -119,8 +113,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grafana-dashboard-node-short
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   instanceSelector:
     matchLabels:
@@ -138,8 +131,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grafana-dashboard-pods
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   instanceSelector:
     matchLabels:
@@ -157,8 +149,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grafana-dashboard-argocd
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   instanceSelector:
     matchLabels:
@@ -176,8 +167,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grafana-dashboard-blocky
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   instanceSelector:
     matchLabels:
@@ -195,8 +185,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grafana-dashboard-cert-manager
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   instanceSelector:
     matchLabels:
@@ -214,8 +203,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grafana-dashboard-cloudnative-pg
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   instanceSelector:
     matchLabels:
@@ -233,8 +221,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grafana-dashboard-descheduler
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   instanceSelector:
     matchLabels:
@@ -252,8 +239,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grafana-dashboard-external-dns
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   instanceSelector:
     matchLabels:
@@ -271,8 +257,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grafana-dashboard-external-secrets
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   instanceSelector:
     matchLabels:
@@ -290,8 +275,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grafana-dashboard-gatus
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   instanceSelector:
     matchLabels:
@@ -309,8 +293,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grafana-dashboard-operator
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   instanceSelector:
     matchLabels:
@@ -328,8 +311,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grafana-dashboard-harbor
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   instanceSelector:
     matchLabels:
@@ -347,8 +329,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grafana-dashboard-speedtest-exporter
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   instanceSelector:
     matchLabels:
@@ -366,8 +347,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grafana-dashboard-spegel
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   instanceSelector:
     matchLabels:
@@ -385,8 +365,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grafana-dashboard-traefik
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   instanceSelector:
     matchLabels:
@@ -404,8 +383,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grafana-dashboard-tdarr
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   instanceSelector:
     matchLabels:
@@ -423,8 +401,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grafana-dashboard-unpoller
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   instanceSelector:
     matchLabels:
@@ -442,8 +419,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grafana-dashboard-version-checker-internal
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   instanceSelector:
     matchLabels:
@@ -461,8 +437,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grafana-dashboard-version-checker
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   instanceSelector:
     matchLabels:
@@ -480,8 +455,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grafana-dashboard-volsync
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   instanceSelector:
     matchLabels:
@@ -499,8 +473,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grafana-dashboard-s3
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   instanceSelector:
     matchLabels:
@@ -518,8 +491,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grafana-dashboard-authentik
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   instanceSelector:
     matchLabels:
@@ -537,8 +509,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grafana-dashboard-gitea
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   instanceSelector:
     matchLabels:
@@ -556,8 +527,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grafana-dashboard-ntfy
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   instanceSelector:
     matchLabels:
@@ -575,8 +545,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grafana-dashboard-openbao
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   instanceSelector:
     matchLabels:
@@ -594,8 +563,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grafana-dashboard-qbittorrent
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   instanceSelector:
     matchLabels:
@@ -613,8 +581,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grafana-dashboard-vault
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   instanceSelector:
     matchLabels:
@@ -632,8 +599,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grafana-dashboard-unpackerr
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   instanceSelector:
     matchLabels:
@@ -651,8 +617,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grafana-dashboard-airgradient
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   instanceSelector:
     matchLabels:
@@ -670,8 +635,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grafana-dashboard-server-power-consumption
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   instanceSelector:
     matchLabels:
@@ -689,8 +653,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grafana-dashboard-immich
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   instanceSelector:
     matchLabels:
@@ -708,8 +671,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grafana-dashboard-jellyfin
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   instanceSelector:
     matchLabels:
@@ -727,8 +689,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grafana-dashboard-navidrome
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   instanceSelector:
     matchLabels:
@@ -746,8 +707,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grafana-dashboard-radarr
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   instanceSelector:
     matchLabels:
@@ -765,8 +725,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grafana-dashboard-servarr
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   instanceSelector:
     matchLabels:
@@ -784,8 +743,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grafana-dashboard-sonarr
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   instanceSelector:
     matchLabels:

clusters/cl01tl/helm/grafana-operator/templates/grafana-datasource.yaml

@@ -5,8 +5,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grafana-datasource-prometheus
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   datasource:
     name: Prometheus
@@ -33,8 +32,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grafana-datasource-loki
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   datasource:
     name: Loki

clusters/cl01tl/helm/grafana-operator/templates/grafana-folder.yaml

@@ -5,8 +5,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grafana-folder-application
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   instanceSelector:
     matchLabels:
@@ -40,8 +39,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grafana-folder-iot
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   instanceSelector:
     matchLabels:
@@ -75,8 +73,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grafana-folder-platform
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   instanceSelector:
     matchLabels:
@@ -110,8 +107,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grafana-folder-service
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   instanceSelector:
     matchLabels:
@@ -145,8 +141,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grafana-folder-system
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   instanceSelector:
     matchLabels:

clusters/cl01tl/helm/grafana-operator/templates/grafana.yaml

@@ -5,8 +5,7 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grafana-main
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
     app: grafana-main
 spec:
   config:
@@ -66,22 +65,22 @@ spec:
                 - name: AUTH_CLIENT_ID
                   valueFrom:
                     secretKeyRef:
-                      name: grafana-oauth-secret
+                      name: grafana-oidc-authentik
                       key: AUTH_CLIENT_ID
                 - name: AUTH_CLIENT_SECRET
                   valueFrom:
                     secretKeyRef:
-                      name: grafana-oauth-secret
+                      name: grafana-oidc-authentik
                       key: AUTH_CLIENT_SECRET
                 - name: ADMIN_USER
                   valueFrom:
                     secretKeyRef:
-                      name: grafana-auth-secret
+                      name: grafana-config
                       key: admin-user
                 - name: ADMIN_PASSWORD
                   valueFrom:
                     secretKeyRef:
-                      name: grafana-auth-secret
+                      name: grafana-config
                       key: admin-password
                 - name: DB_HOST
                   valueFrom:

clusters/cl01tl/helm/grimmory/templates/_helpers.tpl

@@ -0,0 +1,24 @@
+{{/*
+Common labels
+*/}}
+{{- define "custom.labels" -}}
+{{ include "custom.selectorLabels" $ }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "custom.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+NFS names
+*/}}
+{{- define "custom.booksNfsName" -}}
+grimmory-books-nfs-storage
+{{- end -}}
+{{- define "custom.booksImportNfsName" -}}
+grimmory-books-import-nfs-storage
+{{- end -}}

clusters/cl01tl/helm/grimmory/templates/external-secret.yaml

@@ -1,42 +1,21 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: grimmory-database-secret
+  name: grimmory-database-config
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: grimmory-database-secret
+    app.kubernetes.io/name: grimmory-database-config
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
   data:
     - secretKey: password
       remoteRef:
         key: /cl01tl/grimmory/database
         property: password
 
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: grimmory-data-replication-secret
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: grimmory-data-replication-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  data:
-    - secretKey: psk.txt
-      remoteRef:
-        key: /cl01tl/grimmory/replication
-        property: psk.txt
-
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
@@ -45,12 +24,11 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grimmory-mariadb-cluster-backup-secret-external
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
   data:
     - secretKey: access
       remoteRef:
@@ -69,18 +47,17 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: grimmory-mariadb-cluster-backup-secret-garage
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
   data:
     - secretKey: access
       remoteRef:
         key: /garage/home-infra/mariadb-backups
-        property: access
+        property: ACCESS_KEY_ID
     - secretKey: secret
       remoteRef:
         key: /garage/home-infra/mariadb-backups
-        property: secret
+        property: ACCESS_SECRET_KEY

clusters/cl01tl/helm/grimmory/templates/namespace.yaml

@@ -1,13 +1,7 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: grimmory
+  name: {{ .Release.Namespace }}
-  annotations:
-    volsync.backube/privileged-movers: "true"
   labels:
-    app.kubernetes.io/name: grimmory
+    app.kubernetes.io/name: {{ .Release.Namespace }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-    pod-security.kubernetes.io/audit: privileged
-    pod-security.kubernetes.io/enforce: privileged
-    pod-security.kubernetes.io/warn: privileged

clusters/cl01tl/helm/grimmory/templates/persistent-volume-claim.yaml

@@ -1,14 +1,13 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: grimmory-books-nfs-storage
+  name: {{ include "custom.booksNfsName" . }}
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: grimmory-books-nfs-storage
+    app.kubernetes.io/name: {{ include "custom.booksNfsName" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
-  volumeName: grimmory-books-nfs-storage
+  volumeName: {{ include "custom.booksNfsName" . }}
   storageClassName: nfs-client
   accessModes:
     - ReadWriteMany
@@ -20,14 +19,13 @@ spec:
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: grimmory-books-import-nfs-storage
+  name: {{ include "custom.booksImportNfsName" . }}
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: grimmory-books-import-nfs-storage
+    app.kubernetes.io/name: {{ include "custom.booksImportNfsName" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
-  volumeName: grimmory-books-import-nfs-storage
+  volumeName: {{ include "custom.booksImportNfsName" . }}
   storageClassName: nfs-client
   accessModes:
     - ReadWriteMany

clusters/cl01tl/helm/grimmory/templates/persistent-volume.yaml

@@ -1,12 +1,11 @@
 apiVersion: v1
 kind: PersistentVolume
 metadata:
-  name: grimmory-books-nfs-storage
+  name: {{ include "custom.booksNfsName" . }}
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: grimmory-books-nfs-storage
+    app.kubernetes.io/name: {{ include "custom.booksNfsName" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   persistentVolumeReclaimPolicy: Retain
   storageClassName: nfs-client
@@ -26,12 +25,11 @@ spec:
 apiVersion: v1
 kind: PersistentVolume
 metadata:
-  name: grimmory-books-import-nfs-storage
+  name: {{ include "custom.booksImportNfsName" . }}
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: grimmory-books-import-nfs-storage
+    app.kubernetes.io/name: {{ include "custom.booksImportNfsName" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   persistentVolumeReclaimPolicy: Retain
   storageClassName: nfs-client
@@ -40,7 +38,7 @@ spec:
   accessModes:
     - ReadWriteMany
   nfs:
-    path: /volume2/Storage/Books Import
+    path: '/volume2/Storage/Books Import'
     server: synologybond.alexlebens.net
   mountOptions:
     - vers=4

clusters/cl01tl/helm/grimmory/values.yaml

@@ -27,7 +27,7 @@ grimmory:
             - name: DATABASE_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: grimmory-database-secret
+                  name: grimmory-database-config
                   key: password
             - name: GRIMMORY_PORT
               value: 6060
@@ -98,7 +98,7 @@ mariadb-cluster:
   mariadb:
     rootPasswordSecretKeyRef:
       generate: false
-      name: grimmory-database-secret
+      name: grimmory-database-config
       key: password
     storage:
       size: 5Gi

clusters/cl01tl/helm/harbor/templates/_helpers.tpl

@@ -0,0 +1,14 @@
+{{/*
+Common labels
+*/}}
+{{- define "custom.labels" -}}
+{{ include "custom.selectorLabels" $ }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "custom.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}

clusters/cl01tl/helm/harbor/templates/external-secret.yaml

@@ -5,12 +5,11 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: harbor-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
   data:
     - secretKey: HARBOR_ADMIN_PASSWORD
       remoteRef:
@@ -18,12 +17,12 @@ spec:
         property: admin-password
     - secretKey: secretKey
       remoteRef:
-        key: /cl01tl/harbor/config
+        key: /cl01tl/harbor/key
-        property: secretKey
+        property: secret-key
     - secretKey: CSRF_KEY
       remoteRef:
-        key: /cl01tl/harbor/core
+        key: /cl01tl/harbor/key
-        property: CSRF_KEY
+        property: csrf-key
     - secretKey: secret
       remoteRef:
         key: /cl01tl/harbor/core
@@ -39,24 +38,20 @@ spec:
     - secretKey: JOBSERVICE_SECRET
       remoteRef:
         key: /cl01tl/harbor/jobservice
-        property: JOBSERVICE_SECRET
+        property: secret
     - secretKey: REGISTRY_HTTP_SECRET
       remoteRef:
         key: /cl01tl/harbor/registry
-        property: REGISTRY_HTTP_SECRET
+        property: http-secret
-    - secretKey: REGISTRY_REDIS_PASSWORD
-      remoteRef:
-        key: /cl01tl/harbor/registry
-        property: REGISTRY_REDIS_PASSWORD
     - secretKey: REGISTRY_HTPASSWD
       remoteRef:
         key: /cl01tl/harbor/registry
-        property: REGISTRY_HTPASSWD
+        property: ht-passwd
     - secretKey: REGISTRY_CREDENTIAL_PASSWORD
       remoteRef:
         key: /cl01tl/harbor/registry
-        property: REGISTRY_CREDENTIAL_PASSWORD
+        property: credential-password
     - secretKey: REGISTRY_PASSWD
       remoteRef:
         key: /cl01tl/harbor/registry
-        property: REGISTRY_CREDENTIAL_PASSWORD
+        property: credential-password

clusters/cl01tl/helm/headlamp/templates/_helpers.tpl

@@ -0,0 +1,21 @@
+{{/*
+Common labels
+*/}}
+{{- define "custom.labels" -}}
+{{ include "custom.selectorLabels" $ }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "custom.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+ServiceAccount name
+*/}}
+{{- define "custom.serviceAccountName" -}}
+headlamp-admin
+{{- end -}}

clusters/cl01tl/helm/headlamp/templates/cluster-role-binding.yaml

@@ -5,16 +5,15 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: cluster-admin-oidc
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 roleRef:
+  apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: cluster-admin
-  apiGroup: rbac.authorization.k8s.io
 subjects:
-  - kind: User
+  - apiGroup: rbac.authorization.k8s.io
+    kind: User
     name: https://authentik.alexlebens.net/application/o/headlamp/#alexanderlebens@gmail.com
-    apiGroup: rbac.authorization.k8s.io
   - kind: ServiceAccount
-    name: headlamp-admin
+    name: {{ include "custom.serviceAccountName" . }}
-    namespace: headlamp
+    namespace: {{ .Release.Namespace }}

clusters/cl01tl/helm/headlamp/templates/external-secret.yaml

@@ -1,38 +1,37 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: headlamp-oidc-secret
+  name: headlamp-oidc-authentik
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: headlamp-oidc-secret
+    app.kubernetes.io/name: headlamp-oidc-authentik
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
   data:
     - secretKey: OIDC_CLIENT_ID
       remoteRef:
-        key: /authentik/oidc/headlamp
+        key: /cl01tl/authentik/oidc/headlamp
         property: client
     - secretKey: OIDC_CLIENT_SECRET
       remoteRef:
-        key: /authentik/oidc/headlamp
+        key: /cl01tl/authentik/oidc/headlamp
         property: secret
     - secretKey: OIDC_ISSUER_URL
       remoteRef:
-        key: /authentik/oidc/headlamp
+        key: /cl01tl/authentik/oidc/headlamp
         property: issuer
     - secretKey: OIDC_SCOPES
       remoteRef:
-        key: /authentik/oidc/headlamp
+        key: /cl01tl/authentik/oidc/headlamp
         property: scopes
     - secretKey: HEADLAMP_CONFIG_OIDC_VALIDATOR_IDP_ISSUER_URL
       remoteRef:
-        key: /authentik/oidc/headlamp
+        key: /cl01tl/authentik/oidc/headlamp
-        property: validator-issuer-url
+        property: issuer
     - secretKey: HEADLAMP_CONFIG_OIDC_VALIDATOR_CLIENT_ID
       remoteRef:
-        key: /authentik/oidc/headlamp
+        key: /cl01tl/authentik/oidc/headlamp
-        property: validator-client-id
+        property: client

clusters/cl01tl/helm/headlamp/templates/service-account.yaml

@@ -1,9 +1,8 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: headlamp-admin
+  name: {{ include "custom.serviceAccountName" . }}
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: headlamp-admin
+    app.kubernetes.io/name: {{ include "custom.serviceAccountName" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}

clusters/cl01tl/helm/headlamp/values.yaml

@@ -10,7 +10,7 @@ headlamp:
         create: false
       externalSecret:
         enabled: true
-        name: headlamp-oidc-secret
+        name: headlamp-oidc-authentik
     watchPlugins: true
   httpRoute:
     enabled: true
@@ -27,11 +27,9 @@ headlamp:
             type: PathPrefix
             value: /
         backendRefs:
-          - group: ''
+          - kind: Service
-            kind: Service
             name: headlamp
             port: 80
-            weight: 100
   resources:
     requests:
       cpu: 1m

clusters/cl01tl/helm/home-assistant/templates/_helpers.tpl

@@ -0,0 +1,14 @@
+{{/*
+Common labels
+*/}}
+{{- define "custom.labels" -}}
+{{ include "custom.selectorLabels" $ }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "custom.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}

clusters/cl01tl/helm/home-assistant/templates/external-secret.yaml

@@ -1,42 +1,40 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: home-assistant-code-server-password-secret
+  name: home-assistant-code-server-password
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: home-assistant-code-server-password-secret
+    app.kubernetes.io/name: home-assistant-code-server-password
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
   data:
     - secretKey: PASSWORD
       remoteRef:
-        key: /cl01tl/home-assistant/code-server/auth
+        key: /cl01tl/home-assistant/code-server
-        property: PASSWORD
+        property: password
     - secretKey: SUDO_PASSWORD
       remoteRef:
-        key: /cl01tl/home-assistant/code-server/auth
+        key: /cl01tl/home-assistant/code-server
-        property: SUDO_PASSWORD
+        property: sudo-password
 
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: home-assistant-token-secret
+  name: home-assistant-metric-token
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: home-assistant-token-secret
+    app.kubernetes.io/name: home-assistant-metric-token
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
   data:
     - secretKey: bearer-token
       remoteRef:
-        key: /cl01tl/home-assistant/auth
+        key: /cl01tl/home-assistant/config
         property: bearer-token

clusters/cl01tl/helm/home-assistant/values.yaml

@@ -35,7 +35,7 @@ home-assistant:
               value: /config
           envFrom:
             - secretRef:
-                name: home-assistant-code-server-password-secret
+                name: home-assistant-code-server-password
   service:
     main:
       controller: main
@@ -63,7 +63,7 @@ home-assistant:
           scrapeTimeout: 1m
           path: /api/prometheus
           bearerTokenSecret:
-            name: home-assistant-token-secret
+            name: home-assistant-metric-token
             key: bearer-token
   route:
     main:

clusters/cl01tl/helm/homepage/templates/_helpers.tpl

@@ -0,0 +1,21 @@
+{{/*
+Common labels
+*/}}
+{{- define "custom.labels" -}}
+{{ include "custom.selectorLabels" $ }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "custom.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+CluserRole Name
+*/}}
+{{- define "custom.clusterRoleName" -}}
+homepage
+{{- end -}}

clusters/cl01tl/helm/homepage/templates/cluster-role-binding.yaml

@@ -1,16 +1,15 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: homepage
+  name: {{ include "custom.clusterRoleName" . }}
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: homepage
+    app.kubernetes.io/name: {{ include "custom.clusterRoleName" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: homepage
+  name: {{ include "custom.clusterRoleName" . }}
 subjects:
   - kind: ServiceAccount
     name: homepage

clusters/cl01tl/helm/homepage/templates/cluster-role.yaml

@@ -1,12 +1,11 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: homepage
+  name: {{ include "custom.clusterRoleName" . }}
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: homepage
+    app.kubernetes.io/name: {{ include "custom.clusterRoleName" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 rules:
   - apiGroups:
       - ""

clusters/cl01tl/helm/homepage/templates/external-secret.yaml

@@ -1,20 +1,19 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: homepage-keys-secret
+  name: homepage-secrets
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: homepage-keys-secret
+    app.kubernetes.io/name: homepage-secrets
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
   data:
     - secretKey: HOMEPAGE_VAR_GITEA_API_TOKEN
       remoteRef:
-        key: /cl01tl/gitea/auth/homepage
+        key: /cl01tl/gitea/users/bot
         property: token
     - secretKey: HOMEPAGE_VAR_ARGOCD_API_TOKEN
       remoteRef:
@@ -34,47 +33,47 @@ spec:
         property: key
     - secretKey: HOMEPAGE_VAR_SYNOLOGY_USER
       remoteRef:
-        key: /synology/auth/cl01tl
+        key: /synology/users/remote_stats
         property: user
     - secretKey: HOMEPAGE_VAR_SYNOLOGY_PASSWORD
       remoteRef:
-        key: /synology/auth/cl01tl
+        key: /synology/users/remote_stats
         property: password
     - secretKey: HOMEPAGE_VAR_UNIFI_API_KEY
       remoteRef:
-        key: /unifi/auth/cl01tl
+        key: /unifi/users/cl01tl
         property: api-key
     - secretKey: HOMEPAGE_VAR_SONARR_KEY
       remoteRef:
-        key: /cl01tl/sonarr4/key
+        key: /cl01tl/sonarr/key
         property: key
     - secretKey: HOMEPAGE_VAR_SONARR4K_KEY
       remoteRef:
-        key: /cl01tl/sonarr4-4k/key
+        key: /cl01tl/sonarr-4k/key
         property: key
     - secretKey: HOMEPAGE_VAR_SONARRANIME_KEY
       remoteRef:
-        key: /cl01tl/sonarr4-anime/key
+        key: /cl01tl/sonarr-anime/key
         property: key
     - secretKey: HOMEPAGE_VAR_RADARR_KEY
       remoteRef:
-        key: /cl01tl/radarr5/key
+        key: /cl01tl/radarr/key
         property: key
     - secretKey: HOMEPAGE_VAR_RADARR4K_KEY
       remoteRef:
-        key: /cl01tl/radarr5-4k/key
+        key: /cl01tl/radarr-4k/key
         property: key
     - secretKey: HOMEPAGE_VAR_RADARRANIME_KEY
       remoteRef:
-        key: /cl01tl/radarr5-anime/key
+        key: /cl01tl/radarr-anime/key
         property: key
     - secretKey: HOMEPAGE_VAR_RADARRSTANDUP_KEY
       remoteRef:
-        key: /cl01tl/radarr5-standup/key
+        key: /cl01tl/radarr-standup/key
         property: key
     - secretKey: HOMEPAGE_VAR_LIDARR_KEY
       remoteRef:
-        key: /cl01tl/lidarr2/key
+        key: /cl01tl/lidarr/key
         property: key
     - secretKey: HOMEPAGE_VAR_PROWLARR_KEY
       remoteRef:

clusters/cl01tl/helm/homepage/values.yaml

@@ -22,7 +22,7 @@ homepage:
               value: home.alexlebens.net
           envFrom:
             - secretRef:
-                name: homepage-keys-secret
+                name: homepage-secrets
           resources:
             requests:
               cpu: 1m

clusters/cl01tl/helm/houndarr/templates/_helpers.tpl

@@ -0,0 +1,14 @@
+{{/*
+Common labels
+*/}}
+{{- define "custom.labels" -}}
+{{ include "custom.selectorLabels" $ }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "custom.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}

clusters/cl01tl/helm/immich/templates/_helpers.tpl

@@ -0,0 +1,14 @@
+{{/*
+Common labels
+*/}}
+{{- define "custom.labels" -}}
+{{ include "custom.selectorLabels" $ }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "custom.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}

clusters/cl01tl/helm/immich/templates/external-secrets.yaml

@@ -1,18 +0,0 @@
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: immich-config-secret
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: immich-config-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  data:
-    - secretKey: immich.json
-      remoteRef:
-        key: /cl01tl/immich/config
-        property: immich.json

clusters/cl01tl/helm/immich/templates/secret-provider-class.yaml

@@ -0,0 +1,18 @@
+apiVersion: secrets-store.csi.x-k8s.io/v1
+kind: SecretProviderClass
+metadata:
+  name: immich-config
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: immich-config
+    {{- include "custom.labels" . | nindent 4 }}
+spec:
+  provider: openbao
+  parameters:
+    baoAddress: "http://openbao-internal.openbao:8200"
+    roleName: immich
+    objects: |
+      - objectName: immich.json
+        fileName: immich.json
+        secretPath: secret/data/cl01tl/immich/config
+        secretKey: immich.json

clusters/cl01tl/helm/immich/values.yaml

@@ -4,6 +4,8 @@ immich:
       type: deployment
       replicas: 1
       strategy: Recreate
+      serviceAccount:
+        name: immich
       containers:
         main:
           image:
@@ -86,6 +88,10 @@ immich:
               gpu.intel.com/i915: 1
               cpu: 10m
               memory: 500Mi
+  serviceAccount:
+    immich:
+      enabled: true
+      staticToken: true
   service:
     main:
       controller: main
@@ -135,9 +141,13 @@ immich:
                 value: /
   persistence:
     config:
-      enabled: true
+      type: custom
-      type: secret
+      volumeSpec:
-      name: immich-config-secret
+        csi:
+          driver: secrets-store.csi.k8s.io
+          readOnly: true
+          volumeAttributes:
+            secretProviderClass: immich-config
       advancedMounts:
         main:
           main:

clusters/cl01tl/helm/intel-device-plugin/templates/_helpers.tpl

@@ -0,0 +1,14 @@
+{{/*
+Common labels
+*/}}
+{{- define "custom.labels" -}}
+{{ include "custom.selectorLabels" $ }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "custom.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}

clusters/cl01tl/helm/intel-device-plugin/templates/namespace.yaml

@@ -1,11 +1,10 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: intel-device-plugin
+  name: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: intel-device-plugin
+    app.kubernetes.io/name: {{ .Release.Namespace }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
     pod-security.kubernetes.io/audit: privileged
     pod-security.kubernetes.io/enforce: privileged
     pod-security.kubernetes.io/warn: privileged

clusters/cl01tl/helm/jellyfin/templates/_helpers.tpl

@@ -0,0 +1,24 @@
+{{/*
+Common labels
+*/}}
+{{- define "custom.labels" -}}
+{{ include "custom.selectorLabels" $ }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "custom.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+NFS names
+*/}}
+{{- define "custom.storageNfsName" -}}
+jellyfin-nfs-storage
+{{- end -}}
+{{- define "custom.storageYoutubeNfsName" -}}
+jellyfin-youtube-nfs-storage
+{{- end -}}

clusters/cl01tl/helm/jellyfin/templates/external-secret.yaml

@@ -1,38 +1,36 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: jellyfin-exporter-secret
+  name: jellyfin-metric-token
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: jellyfin-exporter-secret
+    app.kubernetes.io/name: jellyfin-metric-token
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
   data:
     - secretKey: token
       remoteRef:
-        key: /cl01tl/jellyfin/exporter
+        key: /cl01tl/jellyfin/metrics
         property: token
 
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: jellyfin-meilisearch-master-key-secret
+  name: jellyfin-meilisearch-key
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: jellyfin-meilisearch-master-key-secret
+    app.kubernetes.io/name: jellyfin-meilisearch-key
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
   data:
     - secretKey: MEILI_MASTER_KEY
       remoteRef:
         key: /cl01tl/jellyfin/meilisearch
-        property: MEILI_MASTER_KEY
+        property: master-key

clusters/cl01tl/helm/jellyfin/templates/persistent-volume-claim.yaml

@@ -1,14 +1,13 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: jellyfin-nfs-storage
+  name: {{ include "custom.storageNfsName" . }}
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: jellyfin-nfs-storage
+    app.kubernetes.io/name: {{ include "custom.storageNfsName" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
-  volumeName: jellyfin-nfs-storage
+  volumeName: {{ include "custom.storageNfsName" . }}
   storageClassName: nfs-client
   accessModes:
     - ReadWriteMany
@@ -20,14 +19,13 @@ spec:
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: jellyfin-youtube-nfs-storage
+  name: {{ include "custom.storageYoutubeNfsName" . }}
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: jellyfin-youtube-nfs-storage
+    app.kubernetes.io/name: {{ include "custom.storageYoutubeNfsName" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
-  volumeName: jellyfin-youtube-nfs-storage
+  volumeName: {{ include "custom.storageYoutubeNfsName" . }}
   storageClassName: nfs-client
   accessModes:
     - ReadOnlyMany

clusters/cl01tl/helm/jellyfin/templates/persistent-volume.yaml

@@ -1,12 +1,11 @@
 apiVersion: v1
 kind: PersistentVolume
 metadata:
-  name: jellyfin-nfs-storage
+  name: {{ include "custom.storageNfsName" . }}
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: jellyfin-nfs-storage
+    app.kubernetes.io/name: {{ include "custom.storageNfsName" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   persistentVolumeReclaimPolicy: Retain
   storageClassName: nfs-client
@@ -26,12 +25,11 @@ spec:
 apiVersion: v1
 kind: PersistentVolume
 metadata:
-  name: jellyfin-youtube-nfs-storage
+  name: {{ include "custom.storageYoutubeNfsName" . }}
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: jellyfin-youtube-nfs-storage
+    app.kubernetes.io/name: {{ include "custom.storageYoutubeNfsName" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   persistentVolumeReclaimPolicy: Retain
   storageClassName: nfs-client

clusters/cl01tl/helm/jellyfin/values.yaml

@@ -48,7 +48,7 @@ jellyfin:
             - name: TOKEN
               valueFrom:
                 secretKeyRef:
-                  name: jellyfin-exporter-secret
+                  name: jellyfin-metric-token
                   key: token
   service:
     main:
@@ -133,7 +133,7 @@ meilisearch:
     MEILI_ENV: production
     MEILI_EXPERIMENTAL_DUMPLESS_UPGRADE: true
   auth:
-    existingMasterKeySecret: jellyfin-meilisearch-master-key-secret
+    existingMasterKeySecret: jellyfin-meilisearch-key
   persistence:
     enabled: true
     storageClass: ceph-block

clusters/cl01tl/helm/jellystat/templates/_helpers.tpl

@@ -0,0 +1,14 @@
+{{/*
+Common labels
+*/}}
+{{- define "custom.labels" -}}
+{{ include "custom.selectorLabels" $ }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "custom.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}

clusters/cl01tl/helm/jellystat/templates/external-secret.yaml

@@ -1,26 +1,25 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: jellystat-secret
+  name: jellystat-config
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: jellystat-secret
+    app.kubernetes.io/name: jellystat-config
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
   data:
     - secretKey: secret-key
       remoteRef:
-        key: /cl01tl/jellystat/auth
+        key: /cl01tl/jellystat/key
         property: secret-key
     - secretKey: user
       remoteRef:
-        key: /cl01tl/jellystat/auth
+        key: /cl01tl/jellystat/config
         property: user
     - secretKey: password
       remoteRef:
-        key: /cl01tl/jellystat/auth
+        key: /cl01tl/jellystat/cconfig
         property: password

clusters/cl01tl/helm/jellystat/values.yaml

@@ -15,17 +15,17 @@ jellystat:
             - name: JWT_SECRET
               valueFrom:
                 secretKeyRef:
-                  name: jellystat-secret
+                  name: jellystat-config
                   key: secret-key
             - name: JS_USER
               valueFrom:
                 secretKeyRef:
-                  name: jellystat-secret
+                  name: jellystat-config
                   key: user
             - name: JS_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: jellystat-secret
+                  name: jellystat-config
                   key: password
             - name: POSTGRES_USER
               valueFrom:

clusters/cl01tl/helm/karakeep/templates/_helpers.tpl

@@ -0,0 +1,14 @@
+{{/*
+Common labels
+*/}}
+{{- define "custom.labels" -}}
+{{ include "custom.selectorLabels" $ }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "custom.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}

clusters/cl01tl/helm/karakeep/templates/external-secret.yaml

@@ -1,48 +1,80 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: karakeep-key-secret
+  name: karakeep-key
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: karakeep-key-secret
+    app.kubernetes.io/name: karakeep-key
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
   data:
     - secretKey: key
       remoteRef:
         key: /cl01tl/karakeep/key
         property: key
-    - secretKey: prometheus-token
-      remoteRef:
-        key: /cl01tl/karakeep/key
-        property: prometheus-token
 
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: karakeep-oidc-secret
+  name: karakeep-metric-token
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: karakeep-oidc-secret
+    app.kubernetes.io/name: karakeep-key-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
+  data:
+    - secretKey: prometheus-token
+      remoteRef:
+        key: /cl01tl/karakeep/metrics
+        property: token
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: karakeep-meilisearch-key
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: karakeep-meilisearch-key
+    {{- include "custom.labels" . | nindent 4 }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: openbao
+  data:
+    - secretKey: MEILI_MASTER_KEY
+      remoteRef:
+        key: /cl01tl/karakeep/meilisearch
+        property: master-key
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: karakeep-oidc-authentik
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: karakeep-oidc-authentik
+    {{- include "custom.labels" . | nindent 4 }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: openbao
   data:
     - secretKey: AUTHENTIK_CLIENT_ID
       remoteRef:
-        key: /authentik/oidc/karakeep
+        key: /cl01tl/authentik/oidc/karakeep
         property: client
     - secretKey: AUTHENTIK_CLIENT_SECRET
       remoteRef:
-        key: /authentik/oidc/karakeep
+        key: /cl01tl/authentik/oidc/karakeep
         property: secret
 
 ---
@@ -53,12 +85,11 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: karakeep-bucket-garage
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
   data:
     - secretKey: ACCESS_KEY_ID
       remoteRef:
@@ -72,23 +103,11 @@ spec:
       remoteRef:
         key: /garage/home-infra/karakeep-assets
         property: ACCESS_REGION
-
+    - secretKey: BUCKET
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: karakeep-meilisearch-master-key-secret
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: karakeep-meilisearch-master-key-secret
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: vault
-  data:
-    - secretKey: MEILI_MASTER_KEY
       remoteRef:
-        key: /cl01tl/karakeep/meilisearch
+        key: /garage/home-infra/karakeep-assets
-        property: MEILI_MASTER_KEY
+        property: BUCKET
+    - secretKey: ENDPOINT
+      remoteRef:
+        key: /garage/config
+        property: ENDPOINT_LOCAL

clusters/cl01tl/helm/karakeep/values.yaml

@@ -19,22 +19,28 @@ karakeep:
             - name: NEXTAUTH_SECRET
               valueFrom:
                 secretKeyRef:
-                  name: karakeep-key-secret
+                  name: karakeep-key
                   key: key
             - name: PROMETHEUS_AUTH_TOKEN
               valueFrom:
                 secretKeyRef:
-                  name: karakeep-key-secret
+                  name: karakeep-metric-token
                   key: prometheus-token
             - name: ASSET_STORE_S3_ENDPOINT
-              value: http://garage-main.garage:3900
+              valueFrom:
+                secretKeyRef:
+                  name: karakeep-bucket-garage
+                  key: ENDPOINT
             - name: ASSET_STORE_S3_REGION
               valueFrom:
                 secretKeyRef:
                   name: karakeep-bucket-garage
                   key: ACCESS_REGION
             - name: ASSET_STORE_S3_BUCKET
-              value: karakeep-assets
+              valueFrom:
+                secretKeyRef:
+                  name: karakeep-bucket-garage
+                  key: BUCKET
             - name: ASSET_STORE_S3_ACCESS_KEY_ID
               valueFrom:
                 secretKeyRef:
@@ -52,7 +58,7 @@ karakeep:
             - name: MEILI_MASTER_KEY
               valueFrom:
                 secretKeyRef:
-                  name: karakeep-meilisearch-master-key-secret
+                  name: karakeep-meilisearch-key
                   key: MEILI_MASTER_KEY
             - name: BROWSER_WEB_URL
               value: http://karakeep.karakeep:9222
@@ -67,12 +73,12 @@ karakeep:
             - name: OAUTH_CLIENT_ID
               valueFrom:
                 secretKeyRef:
-                  name: karakeep-oidc-secret
+                  name: karakeep-oidc-authentik
                   key: AUTHENTIK_CLIENT_ID
             - name: OAUTH_CLIENT_SECRET
               valueFrom:
                 secretKeyRef:
-                  name: karakeep-oidc-secret
+                  name: karakeep-oidc-authentik
                   key: AUTHENTIK_CLIENT_SECRET
             - name: OLLAMA_BASE_URL
               value: http://ollama-server-3.ollama:11434
@@ -126,7 +132,7 @@ karakeep:
           authorization:
             credentials:
               key: prometheus-token
-              name: karakeep-key-secret
+              name: karakeep-metric-token
   persistence:
     data:
       forceRename: karakeep
@@ -144,7 +150,7 @@ meilisearch:
     MEILI_ENV: production
     MEILI_EXPERIMENTAL_DUMPLESS_UPGRADE: true
   auth:
-    existingMasterKeySecret: karakeep-meilisearch-master-key-secret
+    existingMasterKeySecret: karakeep-meilisearch-key
   persistence:
     enabled: true
     storageClass: ceph-block

clusters/cl01tl/helm/kiwix/templates/_helpers.tpl

@@ -0,0 +1,21 @@
+{{/*
+Common labels
+*/}}
+{{- define "custom.labels" -}}
+{{ include "custom.selectorLabels" $ }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "custom.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+NFS names
+*/}}
+{{- define "custom.storageNfsName" -}}
+kiwix-nfs-storage
+{{- end -}}

clusters/cl01tl/helm/kiwix/templates/persistent-volume-claim.yaml

@@ -1,14 +1,13 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: kiwix-nfs-storage
+  name: {{ include "custom.storageNfsName" . }}
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: kiwix-nfs-storage
+    app.kubernetes.io/name: {{ include "custom.storageNfsName" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{- include "custom.labels" . | nindent 4 }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
-  volumeName: kiwix-nfs-storage
+  volumeName: {{ include "custom.storageNfsName" . }}
   storageClassName: nfs-client
   accessModes:
     - ReadWriteMany