Update harbor.alexlebens.net/images/site-documentation Docker tag to v0.17.0

.gitea/workflows/lint-test-helm.yaml

@@ -16,8 +16,8 @@ on:
 env:
   CLUSTER: cl01tl
   BASE_BRANCH: "origin/${{ github.base_ref }}"
+  # renovate: datasource=github-releases depName=yannh/kubeconform
   KUBECONFORM_VERSION: "v0.6.7"
-  ARGOCD_VERSION: "v3.3.6"
 
 jobs:
   lint-helm:
@@ -102,7 +102,7 @@ jobs:
             echo ""
             echo "${CHANGED_CHARTS}"
 
-            CHANGED_CHARTS_CSV=$(echo "${CHANGED_CHARTS}" | paste -sd ',' -)
+            CHANGED_CHARTS_CSV=$(echo "$CHANGED_CHARTS" | paste -sd ',' -)
 
             echo ""
             echo "----"
@@ -169,10 +169,9 @@ jobs:
 
           echo ">> Running linting on changed charts ..."
 
-          lint_chart() {
-            local DIR="$1"
-            local CHART_PATH="clusters/${CLUSTER}/helm/${DIR}"
-            local CHART_NAME=$(basename "${CHART_PATH}")
+          for DIR in ${CHANGED_CHARTS}; do
+            CHART_PATH="clusters/${CLUSTER}/helm/${DIR}"
+            CHART_NAME=$(basename "${CHART_PATH}")
 
             if [ -f "${CHART_PATH}/Chart.yaml" ]; then
               echo ""
@@ -183,8 +182,15 @@ jobs:
               echo ">> Linting helm chart ${CHART_NAME} ..."
 
               if ! helm lint "${CHART_PATH}" --namespace "default"; then
-                echo "${DIR}" > ".failed_chart_${CHART_NAME}"
-                return 1
+                EXIT_CODE=1
+
+                if [ -z "${FAILED_CHARTS}" ]; then
+                  FAILED_CHARTS="${DIR}"
+
+                else
+                  FAILED_CHARTS="${FAILED_CHARTS}, ${DIR}"
+
+                fi
               fi
 
             else
@@ -192,20 +198,8 @@ jobs:
               echo ">> Directory ${CHART_PATH} does not contain a Chart.yaml. Skipping ..."
 
             fi
-          }
 
-          export -f lint_chart
-          export CLUSTER
-
-          for DIR in ${CHANGED_CHARTS}; do
-            echo "${DIR}"
-          done | xargs -P 4 -I {} bash -c 'OUT=$(lint_chart "$@" 2>&1); printf "%s\n" "$OUT"' _ {}
-
-          if ls .failed_chart_* 1> /dev/null 2>&1; then
-            EXIT_CODE=1
-            FAILED_CHARTS=$(cat .failed_chart_* | paste -sd ',' - | sed 's/,/, /g')
-            rm -f .failed_chart_*
-          fi
+          done
 
           echo ""
           echo "----"
@@ -242,17 +236,7 @@ jobs:
         with:
           fetch-depth: 0
 
-      - name: Cache Kubeconform
-        id: cache-kubeconform
-        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
-        with:
-          path: /usr/local/bin/kubeconform
-          key: ${{ runner.os }}-kubeconform-${{ env.KUBECONFORM_VERSION }}
-          restore-keys: |
-            ${{ runner.os }}-kubeconform-
-
       - name: Install Kubeconform
-        if: steps.cache-kubeconform.outputs.cache-hit != 'true'
         run: |
           echo ">> Downloading Kubeconform ${{ env.KUBECONFORM_VERSION }} ..."
           wget -q https://github.com/yannh/kubeconform/releases/download/${{ env.KUBECONFORM_VERSION }}/kubeconform-linux-amd64.tar.gz
@@ -265,8 +249,6 @@ jobs:
           echo ">> Installing Kubeconform ..."
           sudo mv kubeconform /usr/local/bin/
 
-      - name: Verify installation
-        run: |
           echo ""
           echo ">> Verifying installation ..."
           kubeconform -v
@@ -335,38 +317,32 @@ jobs:
           EXIT_CODE=0
           FAILED_CHARTS=""
 
-          validate_chart() {
-            local DIR="$1"
-            local CHART_PATH="clusters/${CLUSTER}/helm/${DIR}"
+          for DIR in ${CHANGED_CHARTS}; do
+            CHART_PATH="clusters/${CLUSTER}/helm/${DIR}"
             echo ""
             echo ">> Validating: ${DIR}"
 
             helm dependency build "${CHART_PATH}" --skip-refresh
 
-            if ! helm template "${DIR}" "${CHART_PATH}" --include-crds --namespace default --api-versions "gateway.networking.k8s.io/v1/HTTPRoute,monitoring.coreos.com/v1,monitoring.coreos.com/v1/ServiceMonitor" | \
+            if ! helm template "${DIR}" "${CHART_PATH}" --include-crds --namespace default --api-versions "gateway.networking.k8s.io/v1/HTTPRoute" | \
               kubeconform \
                 ${SCHEMA_LOCATIONS} \
                 -ignore-missing-schemas \
                 -strict \
                 -summary; then
 
-              echo "${DIR}" > ".failed_chart_${DIR}"
-              return 1
+              EXIT_CODE=1
+
+              if [ -z "${FAILED_CHARTS}" ]; then
+                FAILED_CHARTS="${DIR}"
+
+              else
+                FAILED_CHARTS="${FAILED_CHARTS}, ${DIR}"
+
+              fi
             fi
-          }
 
-          export -f validate_chart
-          export CLUSTER SCHEMA_LOCATIONS
-
-          for DIR in ${CHANGED_CHARTS}; do
-            echo "${DIR}"
-          done | xargs -P 4 -I {} bash -c 'OUT=$(validate_chart "$@" 2>&1); printf "%s\n" "$OUT"' _ {}
-
-          if ls .failed_chart_* 1> /dev/null 2>&1; then
-            EXIT_CODE=1
-            FAILED_CHARTS=$(cat .failed_chart_* | paste -sd ',' - | sed 's/,/, /g')
-            rm -f .failed_chart_*
-          fi
+          done
 
           echo ""
           echo "----"
@@ -389,243 +365,3 @@ jobs:
           icon: 'https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png'
           actions: '[{"action": "view", "label": "View Run", "url": "${{ vars.USER_URL }}/${{ github.repository }}/actions/runs/${{ github.run_id }}", "clear": true}]'
           image: true
-
-  # argo-diff:
-  #   needs: lint-helm
-  #   runs-on: ubuntu-js
-  #   if: |
-  #     needs.lint-helm.result == 'success' &&
-  #     needs.lint-helm.outputs.changes-detected == 'true' &&
-  #     github.event_name == 'pull_request'
-  #   steps:
-  #     - name: Checkout
-  #       uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-  #       with:
-  #         fetch-depth: 0
-
-  #     - name: Cache ArgoCD CLI
-  #       id: cache-argocd
-  #       uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
-  #       with:
-  #         path: /usr/local/bin/argocd
-  #         key: ${{ runner.os }}-argocd-${{ env.ARGOCD_VERSION }}
-  #         restore-keys: |
-  #           ${{ runner.os }}-argocd-
-
-  #     - name: Install ArgoCD CLI
-  #       if: steps.cache-argocd.outputs.cache-hit != 'true'
-  #       run: |
-  #         echo ">> Downloading ArgoCD CLI, version: ${{ env.ARGOCD_VERSION }} ..."
-  #         curl -sSL -o argocd-linux-amd64 https://github.com/argoproj/argo-cd/releases/download/${{ env.ARGOCD_VERSION }}/argocd-linux-amd64
-
-  #         echo ""
-  #         echo ">> Installing ArgoCD CLI ..."
-  #         sudo install -m 555 argocd-linux-amd64 /usr/local/bin/argocd
-
-  #         echo ""
-  #         echo "----"
-
-  #     - name: Verify installation
-  #       run: |
-  #         echo ""
-  #         echo ">> Verifying installation ..."
-  #         argocd version --client
-
-  #         echo ""
-  #         echo "----"
-
-  #     - name: Set Up Helm
-  #       uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5
-  #       with:
-  #         token: ${{ secrets.GITEA_TOKEN }}
-  #         # renovate: datasource=github-releases depName=helm/helm
-  #         version: v4.1.3
-  #         cache: true
-
-  #     - name: Cache Helm Dependencies
-  #       uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
-  #       with:
-  #         path: |
-  #           ~/.cache/helm
-  #           ~/.config/helm
-  #         key: helm-cache-${{ runner.os }}-${{ hashFiles('infrastructure/clusters/cl01tl/helm/**/Chart.yaml', 'infrastructure/clusters/cl01tl/helm/**/Chart.lock') }}
-  #         restore-keys: |
-  #           helm-cache-${{ runner.os }}-
-
-  #     - name: Add Repositories
-  #       env:
-  #         CHANGED_CHARTS: ${{ needs.lint-helm.outputs.chart-dir }}
-  #       run: |
-  #         echo ">> Adding repositories for chart dependencies ..."
-  #         echo ""
-
-  #         for DIR in ${CHANGED_CHARTS}; do
-  #           helm dependency list --max-col-width 120 clusters/${CLUSTER}/helm/${DIR} 2> /dev/null \
-  #             | tail -n +2 \
-  #             | awk 'NF > 0 { print $1, $3 }' \
-  #             | while read -r REPO_NAME REPO_URL; do
-  #               if [[ "${REPO_URL}" == oci://* ]]; then
-  #                 echo ">> Ignoring OCI repo: ${REPO_URL}"
-
-  #               elif [[ -n "${REPO_NAME}" && -n "${REPO_URL}" ]]; then
-  #                 helm repo add "${REPO_NAME}" "${REPO_URL}"
-
-  #               fi
-
-  #             done || true
-  #         done
-
-  #         if helm repo list > /dev/null 2>&1; then
-  #           echo ""
-  #           echo ">> Update repository cache ..."
-  #           helm repo update
-
-  #         fi
-
-  #         echo ""
-  #         echo "----"
-
-  #     - name: Render Templates
-  #       id: render
-  #       env:
-  #         CHANGED_CHARTS: ${{ needs.lint-helm.outputs.chart-dir }}
-  #       run: |
-  #         for APP_NAME in ${CHANGED_CHARTS}; do
-  #           echo ">> Render templates for ${APP_NAME} ..."
-  #           CHART_PATH="clusters/${CLUSTER}/helm/${APP_NAME}"
-  #           OUTPUT_FOLDER="clusters/${CLUSTER}/manifests/${APP_NAME}/"
-  #           mkdir -p "${OUTPUT_FOLDER}"
-
-  #           helm dependency build "${CHART_PATH}" --skip-refresh
-
-  #           NAMESPACE="${APP_NAME}"
-  #           case "${APP_NAME}" in
-  #             "stack")
-  #               NAMESPACE="argocd"
-  #               echo ">> Special Rendering into 'argocd' namespace ..."
-  #               ;;
-  #             "cilium" | "coredns" | "metrics-server")
-  #               NAMESPACE="kube-system"
-  #               echo ">> Special Rendering for ${APP_NAME} into 'kube-system' namespace ..."
-  #               ;;
-  #             *)
-  #               echo ">> Standard Rendering ..."
-  #           esac
-
-  #           TEMPLATE=$(helm template "${APP_NAME}" "${CHART_PATH}" --include-crds --namespace "${NAMESPACE}" --api-versions "gateway.networking.k8s.io/v1/HTTPRoute,monitoring.coreos.com/v1,monitoring.coreos.com/v1/ServiceMonitor")
-
-  #           # Format and split rendered template
-  #           echo "${TEMPLATE}" | yq '... comments=""' | yq 'select(. != null)' | yq -s '"'"${OUTPUT_FOLDER}"'" + .kind + "-" + .metadata.name + ".yaml"'
-
-  #           # Strip comments again to ensure formatting correctness
-  #           for file in "$OUTPUT_FOLDER"/*; do
-  #             yq -i '... comments=""' $file
-
-  #           done
-
-  #           echo ""
-  #           echo ">> Templates in output folder: ${OUTPUT_FOLDER}"
-  #           ls ${OUTPUT_FOLDER}
-  #         done
-
-  #         echo "----"
-
-  #     - name: Run App Diff
-  #       id: diff
-  #       env:
-  #         ARGOCD_SERVER: ${{ secrets.ARGOCD_SERVER }}
-  #         ARGOCD_AUTH_TOKEN: ${{ secrets.ARGOCD_AUTH_TOKEN }}
-  #         CHANGED_CHARTS: ${{ needs.lint-helm.outputs.chart-dir }}
-  #       run: |
-  #         FAILED_CHARTS=""
-  #         DIFF_FOUND="false"
-  #         EXIT_CODE=0
-
-  #         for APP_NAME in ${CHANGED_CHARTS}; do
-  #           echo ">> Running argocd app diff for ${APP_NAME} ..."
-  #           if ! argocd app diff "${APP_NAME}" \
-  #             --server "${ARGOCD_SERVER}" \
-  #             --auth-token "${ARGOCD_AUTH_TOKEN}" \
-  #             --revision ${{ github.sha }} \
-  #             --local "clusters/${CLUSTER}/manifests/${APP_NAME}" \
-  #             --local-repo-root "." \
-  #             --grpc-web > "diff_output_${APP_NAME}.txt" 2>&1; then
-
-  #             # ArgoCD diff returns non-zero on diff or error.
-  #             # Let's capture if it actually generated a diff output to post.
-  #             DIFF_FOUND="true"
-
-  #             # Check if the output contains validation/connection errors
-  #             if grep -iE 'error|failed|connection refused|timeout' "diff_output_${APP_NAME}.txt"; then
-  #                echo ">> ArgoCD encountered an error validating ${APP_NAME}!"
-  #                EXIT_CODE=1
-  #                FAILED_CHARTS="${FAILED_CHARTS} ${APP_NAME}"
-  #             fi
-  #           fi
-
-  #           if [ -s "diff_output_${APP_NAME}.txt" ]; then
-  #             echo ">> Argo diff or errors:"
-  #             echo ""
-  #             cat diff_output_${APP_NAME}.txt
-  #             echo ""
-  #           else
-  #             echo ">> No Argo diff found for ${APP_NAME}"
-  #             rm "diff_output_${APP_NAME}.txt"
-  #           fi
-  #         done
-
-  #         echo "----"
-  #         echo "diff-detected=${DIFF_FOUND}" >> "$GITHUB_OUTPUT"
-  #         echo "failed-charts=${FAILED_CHARTS}" >> "$GITHUB_OUTPUT"
-
-  #         exit $EXIT_CODE
-
-  #     - name: Post Diff
-  #       if: |
-  #         always() &&
-  #         steps.diff.outputs.diff-detected == 'true' &&
-  #         github.event.pull_request.number != null
-  #       env:
-  #         GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
-  #       run: |
-  #         COMMENT_BODY="### ArgoCD Diff Results
-  #         "
-
-  #         for f in diff_output_*.txt; do
-  #           APP_NAME=$(echo $f | sed 's/diff_output_//;s/.txt//')
-  #           DIFF_CONTENT=$(cat "$f")
-
-  #           COMMENT_BODY="${COMMENT_BODY}
-  #         #### App: ${APP_NAME}
-  #         "
-
-  #           if [ -z "$DIFF_CONTENT" ]; then
-  #             COMMENT_BODY="${COMMENT_BODY} No changes detected."
-  #           else
-  #             COMMENT_BODY="${COMMENT_BODY}
-  #         \`\`\`diff
-  #         ${DIFF_CONTENT}
-  #         \`\`\`"
-  #           fi
-  #         done
-
-  #         curl -X 'POST' \
-  #           "${{ github.server_url }}/api/v1/repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/comments" \
-  #           -H "Authorization: token ${GITEA_TOKEN}" \
-  #           -H "Content-Type: application/json" \
-  #           -d "$(jq -n --arg body "$COMMENT_BODY" '{body: $body}')"
-
-  #     - name: ntfy Failed
-  #       uses: niniyas/ntfy-action@96acac57fdc91d4c4f50b78486c1ed6f03f9f61c # master
-  #       if: failure()
-  #       with:
-  #         url: '${{ secrets.NTFY_URL }}'
-  #         topic: '${{ secrets.NTFY_TOPIC }}'
-  #         title: 'ArgoCD Diff Failure'
-  #         priority: 3
-  #         headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
-  #         tags: action,failed
-  #         details: "ArgoCD diff for cluster '${{ env.CLUSTER }}' failed on charts: ${{ steps.diff.outputs.failed-charts }}"
-  #         icon: 'https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png'
-  #         actions: '[{"action": "view", "label": "View Run", "url": "${{ vars.USER_URL }}/${{ github.repository }}/actions/runs/${{ github.run_id }}", "clear": true}]'
-  #         image: true

.gitea/workflows/render-manifests.yaml

@@ -50,7 +50,7 @@ jobs:
           cache: true
 
       - name: Configure Kubeconfig
-        uses: azure/k8s-set-context@89b837d75b40a7bd2ddafde837473c212db8b313 # v5
+        uses: azure/k8s-set-context@ae59a723ba9abe7a9655538854a025448dbab4aa # v4
         with:
           method: kubeconfig
           kubeconfig: ${{ secrets.KUBECONFIG }}
@@ -273,7 +273,7 @@ jobs:
                   NAMESPACE="argocd"
                   echo ">> Special Rendering into 'argocd' namespace ..."
                   ;;
-                "cilium" | "coredns" | "metrics-server")
+                "cilium" | "coredns" | "metrics-server" | "prometheus-operator-crds")
                   NAMESPACE="kube-system"
                   echo ">> Special Rendering for ${CHART_NAME} into 'kube-system' namespace ..."
                   ;;
@@ -283,7 +283,7 @@ jobs:
 
               echo ">> Formating rendered template ..."
               local TEMPLATE
-              TEMPLATE=$(helm template "${CHART_NAME}" ./ --namespace "${NAMESPACE}" --include-crds --dry-run=server --api-versions "gateway.networking.k8s.io/v1/HTTPRoute,monitoring.coreos.com/v1,monitoring.coreos.com/v1/ServiceMonitor")
+              TEMPLATE=$(helm template "${CHART_NAME}" ./ --namespace "${NAMESPACE}" --include-crds --dry-run=server --api-versions "gateway.networking.k8s.io/v1/HTTPRoute")
 
               # Format and split rendered template
               echo "${TEMPLATE}" | yq '... comments=""' | yq 'select(. != null)' | yq -s '"'"${OUTPUT_FOLDER}"'" + .kind + "-" + .metadata.name + ".yaml"'
@@ -314,7 +314,7 @@ jobs:
           for DIR in ${RENDER_DIR}; do
             echo "${DIR}"
 
-          done | xargs -P 5 -I {} bash -c 'OUT=$(render_chart "$@" 2>&1); printf "%s\n" "$OUT"' _ {}
+          done | xargs -P 4 -I {} bash -c 'OUT=$(render_chart "$@" 2>&1); printf "%s\n" "$OUT"' _ {}
 
           echo ""
           echo "----"

.gitea/workflows/renovate.yaml

@@ -12,8 +12,8 @@ on:
 
 jobs:
   renovate:
-    runs-on: ubuntu-js
-    container: ghcr.io/renovatebot/renovate:43.150.0@sha256:f2d4c467a8eb4b885630a8ca7d068173db69a5a1156ba41480c0a3a2e011d759
+    runs-on: ubuntu-latest
+    container: ghcr.io/renovatebot/renovate:43.104.3@sha256:8248aad190150ce3f1016f9e93b45185679f075c428bca093e724a59f1fd426e
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

clusters/cl01tl/helm/actual/Chart.lock

@@ -4,6 +4,6 @@ dependencies:
   version: 4.6.2
 - name: volsync-target
   repository: oci://harbor.alexlebens.net/helm-charts
-  version: 1.0.0
-digest: sha256:ee1ff98af82f76ddf0b672abf9f4973ae41faff3cd61d81849f496c089cfdbd3
-generated: "2026-04-26T14:57:34.863614-05:00"
+  version: 0.8.0
+digest: sha256:ff81b3d8fc831e4b8048f646fffcf597aa7410e52ecf27690eab8104047dbe6f
+generated: "2026-03-06T01:04:41.514235218Z"

clusters/cl01tl/helm/actual/Chart.yaml

@@ -20,8 +20,8 @@ dependencies:
     version: 4.6.2
   - name: volsync-target
     alias: volsync-target-data
-    version: 1.0.0
+    version: 0.8.0
     repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/actual-budget.png
 # renovate: datasource=github-releases depName=actualbudget/actual
-appVersion: 26.4.0
+appVersion: 26.3.0

clusters/cl01tl/helm/actual/templates/_helpers.tpl

@@ -1,14 +0,0 @@
-{{/*
-Common labels
-*/}}
-{{- define "custom.labels" -}}
-{{ include "custom.selectorLabels" $ }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "custom.selectorLabels" -}}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/part-of: {{ .Release.Name }}
-{{- end }}

clusters/cl01tl/helm/actual/values.yaml

@@ -8,7 +8,7 @@ actual:
         main:
           image:
             repository: ghcr.io/actualbudget/actual
-            tag: 26.4.0@sha256:b0e732e2c41b3dc468a71548e88ef76d3f0c157fc43d15fa05d14ec1c5747e1e
+            tag: 26.3.0@sha256:eb8bc26f53025e07e464594c12d77c52c4b95840c8dadd9b95c4f0c4660f8ad2
           env:
             - name: ACTUAL_PORT
               value: 5006

clusters/cl01tl/helm/argocd/Chart.lock

@@ -1,6 +1,6 @@
 dependencies:
 - name: argo-cd
   repository: https://argoproj.github.io/argo-helm
-  version: 9.5.4
-digest: sha256:3d21f3de99812af73615ef0e75f835d41d49b81a840107194b44e06057d7311f
-generated: "2026-04-24T18:07:49.106452954Z"
+  version: 9.4.17
+digest: sha256:17752dbf03861cf70ee31c9a17373a5175656a2edd00ba5fcd3988a195147da8
+generated: "2026-03-28T01:51:34.832601868Z"

clusters/cl01tl/helm/argocd/Chart.yaml

@@ -13,8 +13,8 @@ maintainers:
   - name: alexlebens
 dependencies:
   - name: argo-cd
-    version: 9.5.4
+    version: 9.4.17
     repository: https://argoproj.github.io/argo-helm
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/argo-cd.png
 # renovate: datasource=github-releases depName=argoproj/argo-cd
-appVersion: v3.3.8
+appVersion: v3.3.6

clusters/cl01tl/helm/argocd/templates/_helpers.tpl

@@ -1,14 +0,0 @@
-{{/*
-Common labels
-*/}}
-{{- define "custom.labels" -}}
-{{ include "custom.selectorLabels" $ }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "custom.selectorLabels" -}}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/part-of: {{ .Release.Name }}
-{{- end }}

clusters/cl01tl/helm/argocd/templates/external-secret.yaml

@@ -1,40 +1,70 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: argocd-oidc-authentik
+  name: argocd-oidc-secret
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: argocd-oidc-authentik
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/name: argocd-oidc-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: openbao
+    name: vault
   data:
     - secretKey: secret
       remoteRef:
-        key: /cl01tl/authentik/oidc/argocd
+        key: /authentik/oidc/argocd
         property: secret
     - secretKey: client
       remoteRef:
-        key: /cl01tl/authentik/oidc/argocd
+        key: /authentik/oidc/argocd
         property: client
 
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: argocd-notifications-ntfy
+  name: argocd-notifications-secret
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: argocd-notifications-ntfy
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/name: argocd-notifications-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: openbao
+    name: vault
   data:
     - secretKey: ntfy-token
       remoteRef:
-        key: /cl01tl/ntfy/users/cl01tl
+        key: /ntfy/user/cl01tl
         property: token
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: argocd-gitea-repo-infrastructure-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: argocd-gitea-repo-infrastructure-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: type
+      remoteRef:
+        key: /cl01tl/argocd/credentials/repo/infrastructure
+        property: type
+    - secretKey: url
+      remoteRef:
+        key: /cl01tl/argocd/credentials/repo/infrastructure
+        property: url
+    - secretKey: sshPrivateKey
+      remoteRef:
+        key: /cl01tl/argocd/credentials/repo/infrastructure
+        property: sshPrivateKey

clusters/cl01tl/helm/argocd/templates/prometheus-rule.yaml

@@ -1,108 +0,0 @@
-apiVersion: monitoring.coreos.com/v1
-kind: PrometheusRule
-metadata:
-  name: haproxy
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: haproxy
-    {{- include "custom.labels" . | nindent 4 }}
-spec:
-  groups:
-    - name: EmbeddedExporter
-      rules:
-        - alert: HAProxyHighHTTP4xxErrorRateBackend
-          expr: ((sum by (proxy) (rate(haproxy_server_http_responses_total{code="4xx"}[1m])) / sum by (proxy) (rate(haproxy_server_http_responses_total[1m]))) * 100) > 5 and sum by (proxy) (rate(haproxy_server_http_responses_total[1m])) > 0
-          for: 1m
-          labels:
-            severity: critical
-          annotations:
-            summary: HAProxy high HTTP 4xx error rate backend (instance {{ `{{ $labels.instance }}` }})
-            description: "Too many HTTP requests with status 4xx (> 5%) on backend {{ `{{ $labels.proxy }}` }}\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
-        - alert: HAProxyHighHTTP5xxErrorRateBackend
-          expr: ((sum by (proxy) (rate(haproxy_server_http_responses_total{code="5xx"}[1m])) / sum by (proxy) (rate(haproxy_server_http_responses_total[1m]))) * 100) > 5 and sum by (proxy) (rate(haproxy_server_http_responses_total[1m])) > 0
-          for: 1m
-          labels:
-            severity: critical
-          annotations:
-            summary: HAProxy high HTTP 5xx error rate backend (instance {{ `{{ $labels.instance }}` }})
-            description: "Too many HTTP requests with status 5xx (> 5%) on backend {{ `{{ $labels.proxy }}` }}\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
-        - alert: HAProxyHighHTTP4xxErrorRateServer
-          expr: ((sum by (server) (rate(haproxy_server_http_responses_total{code="4xx"}[1m])) / sum by (server) (rate(haproxy_server_http_responses_total[1m]))) * 100) > 5 and sum by (server) (rate(haproxy_server_http_responses_total[1m])) > 0
-          for: 1m
-          labels:
-            severity: critical
-          annotations:
-            summary: HAProxy high HTTP 4xx error rate server (instance {{ `{{ $labels.instance }}` }})
-            description: "Too many HTTP requests with status 4xx (> 5%) on server {{ `{{ $labels.server }}` }}\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
-        - alert: HAProxyHighHTTP5xxErrorRateServer
-          expr: ((sum by (server) (rate(haproxy_server_http_responses_total{code="5xx"}[1m])) / sum by (server) (rate(haproxy_server_http_responses_total[1m]))) * 100) > 5 and sum by (server) (rate(haproxy_server_http_responses_total[1m])) > 0
-          for: 1m
-          labels:
-            severity: critical
-          annotations:
-            summary: HAProxy high HTTP 5xx error rate server (instance {{ `{{ $labels.instance }}` }})
-            description: "Too many HTTP requests with status 5xx (> 5%) on server {{ `{{ $labels.server }}` }}\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
-        - alert: HAProxyServerResponseErrors
-          expr: (sum by (server) (rate(haproxy_server_response_errors_total[1m])) / sum by (server) (rate(haproxy_server_http_responses_total[1m]))) * 100 > 5 and sum by (server) (rate(haproxy_server_http_responses_total[1m])) > 0
-          for: 1m
-          labels:
-            severity: critical
-          annotations:
-            summary: HAProxy server response errors (instance {{ `{{ $labels.instance }}` }})
-            description: "Too many response errors to {{ `{{ $labels.server }}` }} server (> 5%).\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
-        - alert: HAProxyBackendConnectionErrors
-          expr: (sum by (proxy) (rate(haproxy_backend_connection_errors_total[1m]))) > 100
-          for: 1m
-          labels:
-            severity: critical
-          annotations:
-            summary: HAProxy backend connection errors (instance {{ `{{ $labels.instance }}` }})
-            description: "Too many connection errors to {{ `{{ $labels.proxy }}` }} backend (> 100 req/s). Request throughput may be too high.\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
-        - alert: HAProxyServerConnectionErrors
-          expr: (sum by (proxy) (rate(haproxy_server_connection_errors_total[1m]))) > 100
-          for: 0m
-          labels:
-            severity: critical
-          annotations:
-            summary: HAProxy server connection errors (instance {{ `{{ $labels.instance }}` }})
-            description: "Too many connection errors to {{ `{{ $labels.proxy }}` }} (> 100 req/s). Request throughput may be too high.\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
-        - alert: HAProxyBackendMaxActiveSession>80%
-          expr: (haproxy_backend_current_sessions / haproxy_backend_limit_sessions * 100) > 80 and haproxy_backend_limit_sessions > 0
-          for: 2m
-          labels:
-            severity: warning
-          annotations:
-            summary: HAProxy backend max active session > 80% (instance {{ `{{ $labels.instance }}` }})
-            description: "Session limit from backend {{ `{{ $labels.proxy }}` }} reached 80% of limit - {{ `{{ $value | printf \"%.2f\"}}` }}%\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
-        - alert: HAProxyPendingRequests
-          expr: sum by (proxy) (haproxy_backend_current_queue) > 0
-          for: 2m
-          labels:
-            severity: warning
-          annotations:
-            summary: HAProxy pending requests (instance {{ `{{ $labels.instance }}` }})
-            description: "Some HAProxy requests are pending on {{ `{{ $labels.proxy }}` }} - {{ `{{ $value | printf \"%.2f\"}}` }}\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
-        - alert: HAProxyRetryHigh
-          expr: sum by (proxy) (rate(haproxy_backend_retry_warnings_total[1m])) > 10
-          for: 2m
-          labels:
-            severity: warning
-          annotations:
-            summary: HAProxy retry high (instance {{ `{{ $labels.instance }}` }})
-            description: "High rate of retry on {{ `{{ $labels.proxy }}` }} - {{ `{{ $value | printf \"%.2f\"}}` }}\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
-        - alert: HAProxyFrontendSecurityBlockedRequests
-          expr: sum by (proxy) (rate(haproxy_frontend_denied_connections_total[2m])) > 10
-          for: 2m
-          labels:
-            severity: warning
-          annotations:
-            summary: HAProxy frontend security blocked requests (instance {{ `{{ $labels.instance }}` }})
-            description: "HAProxy is blocking requests for security reason\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
-        - alert: HAProxyServerHealthcheckFailure
-          expr: increase(haproxy_server_check_failures_total[1m]) > 2
-          for: 0m
-          labels:
-            severity: warning
-          annotations:
-            summary: HAProxy server healthcheck failure (instance {{ `{{ $labels.instance }}` }})
-            description: "Some server healthcheck are failing on {{ `{{ $labels.server }}` }} ({{ `{{ $value }}` }} in the last 1m)\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"

clusters/cl01tl/helm/argocd/values.yaml

@@ -13,8 +13,8 @@ argo-cd:
         connectors:
         - config:
             issuer: https://authentik.alexlebens.net/application/o/argocd/
-            clientID: $argocd-oidc-authentik:client
-            clientSecret: $argocd-oidc-authentik:secret
+            clientID: $argocd-oidc-secret:client
+            clientSecret: $argocd-oidc-secret:secret
             insecureEnableGroups: true
             scopes:
               - openid
@@ -48,31 +48,31 @@ argo-cd:
         enabled: true
       rules:
         enabled: true
-        spec:
-          - alert: ArgoAppMissing
-            expr: |
-              absent(argocd_app_info) == 1
-            for: 15m
-            labels:
-              severity: critical
-            annotations:
-              summary: "[Argo CD] No reported applications"
-              description: >
-                Argo CD has not reported any applications data for the past 15 minutes which
-                means that it must be down or not functioning properly.  This needs to be
-                resolved for this cloud to continue to maintain state.
-          - alert: ArgoAppNotSynced
-            expr: |
-              argocd_app_info{sync_status!="Synced"} == 1
-            for: 12h
-            labels:
-              severity: warning
-            annotations:
-              summary: "[{{`{{$labels.name}}`}}] Application not synchronized"
-              description: >
-                The application [{{`{{$labels.name}}`}} has not been synchronized for over
-                12 hours which means that the state of this cloud has drifted away from the
-                state inside Git.
+      spec:
+        - alert: ArgoAppMissing
+          expr: |
+            absent(argocd_app_info) == 1
+          for: 15m
+          labels:
+            severity: critical
+          annotations:
+            summary: "[Argo CD] No reported applications"
+            description: >
+              Argo CD has not reported any applications data for the past 15 minutes which
+              means that it must be down or not functioning properly.  This needs to be
+              resolved for this cloud to continue to maintain state.
+        - alert: ArgoAppNotSynced
+          expr: |
+            argocd_app_info{sync_status!="Synced"} == 1
+          for: 12h
+          labels:
+            severity: warning
+          annotations:
+            summary: "[{{`{{$labels.name}}`}}] Application not synchronized"
+            description: >
+              The application [{{`{{$labels.name}}`}} has not been synchronized for over
+              12 hours which means that the state of this cloud has drifted away from the
+              state inside Git.
   dex:
     enabled: true
     resources:
@@ -103,7 +103,7 @@ argo-cd:
       enabled: true
       image:
         repository: haproxy
-        tag: 3.3.7-alpine@sha256:2afa53c856e4e9fcc7dfb35b807fcb189896d7e62b38d363f9bedea92bce7f9a
+        tag: 3.3.6-alpine@sha256:744be2dca649a44d490a4c565d36968d19482dd387f1bdd44c168f4322bc6b1e
       resources:
         requests:
           cpu: 5m
@@ -205,7 +205,7 @@ argo-cd:
     argocdUrl: https://argocd.alexlebens.net
     secret:
       create: false
-      name: argocd-notifications-ntfy
+      name: argocd-notifications-secret
     metrics:
       enabled: true
       serviceMonitor:

clusters/cl01tl/helm/audiobookshelf/Chart.lock

@@ -4,9 +4,9 @@ dependencies:
   version: 4.6.2
 - name: volsync-target
   repository: oci://harbor.alexlebens.net/helm-charts
-  version: 1.0.0
+  version: 0.8.0
 - name: volsync-target
   repository: oci://harbor.alexlebens.net/helm-charts
-  version: 1.0.0
-digest: sha256:c6af4b1dd96410281d53ff8f63235bc79bd9a1d493d6da097d9e4ff088e09538
-generated: "2026-04-26T14:57:40.219612-05:00"
+  version: 0.8.0
+digest: sha256:7ee4cfdf7f908401c39b3cda0cf8783b25dcb9cf93e7c911609bab9e303ec5bf
+generated: "2026-03-06T01:05:03.534042627Z"

clusters/cl01tl/helm/audiobookshelf/Chart.yaml

@@ -24,12 +24,12 @@ dependencies:
     version: 4.6.2
   - name: volsync-target
     alias: volsync-target-config
-    version: 1.0.0
+    version: 0.8.0
     repository: oci://harbor.alexlebens.net/helm-charts
   - name: volsync-target
     alias: volsync-target-metadata
-    version: 1.0.0
+    version: 0.8.0
     repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/audiobookshelf.png
 # renovate: datasource=github-releases depName=advplyr/audiobookshelf
-appVersion: 2.34.0
+appVersion: 2.33.1

clusters/cl01tl/helm/audiobookshelf/templates/_helpers.tpl

@@ -1,27 +0,0 @@
-{{/*
-Common labels
-*/}}
-{{- define "custom.labels" -}}
-{{ include "custom.selectorLabels" $ }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "custom.selectorLabels" -}}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/part-of: {{ .Release.Name }}
-{{- end }}
-
-{{/*
-NFS names
-*/}}
-{{- define "custom.booksNfsName" -}}
-audiobookshelf-books-nfs-storage
-{{- end -}}
-{{- define "custom.audiobooksNfsName" -}}
-audiobookshelf-audiobooks-nfs-storage
-{{- end -}}
-{{- define "custom.podcastsNfsName" -}}
-audiobookshelf-podcasts-nfs-storage
-{{- end -}}

clusters/cl01tl/helm/audiobookshelf/templates/external-secret.yaml

@@ -1,27 +1,18 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: audiobookshelf-config-apprise
+  name: audiobookshelf-apprise-config
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: audiobookshelf-config-apprise
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/name: audiobookshelf-apprise-config
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: openbao
-  target:
-    template:
-      mergePolicy: Merge
-      engineVersion: v2
-      data:
-        ntfy-url: "{{ `{{ .endpoint }}` }}/{{ `{{ .topic }}` }}"
+    name: vault
   data:
-    - secretKey: endpoint
+    - secretKey: ntfy-url
       remoteRef:
-        key: /cl01tl/ntfy/users/cl01tl
-        property: internal-endpoint-credential
-    - secretKey: topic
-      remoteRef:
-        key: /cl01tl/ntfy/topics
-        property: audiobookshelf
+        key: /cl01tl/audiobookshelf/apprise
+        property: ntfy-url

clusters/cl01tl/helm/audiobookshelf/templates/persistent-volume-claim.yaml

@@ -1,13 +1,14 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: {{ include "custom.booksNfsName" . }}
+  name: audiobookshelf-books-nfs-storage
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: {{ include "custom.booksNfsName" . }}
-    {{ include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/name: audiobookshelf-books-nfs-storage
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
-  volumeName: {{ include "custom.booksNfsName" . }}
+  volumeName: audiobookshelf-books-nfs-storage
   storageClassName: nfs-client
   accessModes:
     - ReadWriteMany
@@ -19,13 +20,14 @@ spec:
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: {{ include "custom.audiobooksNfsName" . }}
+  name: audiobookshelf-audiobooks-nfs-storage
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: {{ include "custom.audiobooksNfsName" . }}
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/name: audiobookshelf-audiobooks-nfs-storage
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
-  volumeName: {{ include "custom.audiobooksNfsName" . }}
+  volumeName: audiobookshelf-audiobooks-nfs-storage
   storageClassName: nfs-client
   accessModes:
     - ReadWriteMany
@@ -37,13 +39,14 @@ spec:
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: {{ include "custom.podcastsNfsName" . }}
+  name: audiobookshelf-podcasts-nfs-storage
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: {{ include "custom.podcastsNfsName" . }}
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/name: audiobookshelf-podcasts-nfs-storage
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
-  volumeName: {{ include "custom.podcastsNfsName" . }}
+  volumeName: audiobookshelf-podcasts-nfs-storage
   storageClassName: nfs-client
   accessModes:
     - ReadWriteMany

clusters/cl01tl/helm/audiobookshelf/templates/persistent-volume.yaml

@@ -1,11 +1,12 @@
 apiVersion: v1
 kind: PersistentVolume
 metadata:
-  name: {{ include "custom.booksNfsName" . }}
+  name: audiobookshelf-books-nfs-storage
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: {{ include "custom.booksNfsName" . }}
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/name: audiobookshelf-books-nfs-storage
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   persistentVolumeReclaimPolicy: Retain
   storageClassName: nfs-client
@@ -25,11 +26,12 @@ spec:
 apiVersion: v1
 kind: PersistentVolume
 metadata:
-  name: {{ include "custom.audiobooksNfsName" . }}
+  name: audiobookshelf-audiobooks-nfs-storage
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: {{ include "custom.audiobooksNfsName" . }}
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/name: audiobookshelf-audiobooks-nfs-storage
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   persistentVolumeReclaimPolicy: Retain
   storageClassName: nfs-client
@@ -49,11 +51,12 @@ spec:
 apiVersion: v1
 kind: PersistentVolume
 metadata:
-  name: {{ include "custom.podcastsNfsName" . }}
+  name: audiobookshelf-podcasts-nfs-storage
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: {{ include "custom.podcastsNfsName" . }}
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/name: audiobookshelf-podcasts-nfs-storage
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   persistentVolumeReclaimPolicy: Retain
   storageClassName: nfs-client

clusters/cl01tl/helm/audiobookshelf/values.yaml

@@ -12,7 +12,7 @@ audiobookshelf:
         main:
           image:
             repository: ghcr.io/advplyr/audiobookshelf
-            tag: 2.34.0@sha256:4143292c530f6ac6700afd13360c04f477e4f1a81c1c97c4224b1c7e4330c5c4
+            tag: 2.33.1@sha256:a4a5841bba093d81e5f4ad1eaedb4da3fda6dbb2528c552349da50ad1f7ae708
           env:
             - name: TZ
               value: America/Chicago
@@ -23,7 +23,7 @@ audiobookshelf:
         apprise-api:
           image:
             repository: ghcr.io/caronc/apprise
-            tag: v1.4.0@sha256:9d97a6b9b42cf6afdf3b5466dbed2a59cd42a4bb777ec6aa57b5f2ee623569eb
+            tag: v1.3.3@sha256:4bfeac268ba87b8e08e308c9aa0182fe99e9501ec464027afc333d1634e65977
           env:
             - name: TZ
               value: America/Chicago
@@ -40,7 +40,7 @@ audiobookshelf:
             - name: APPRISE_STATELESS_URLS
               valueFrom:
                 secretKeyRef:
-                  name: audiobookshelf-config-apprise
+                  name: audiobookshelf-apprise-config
                   key: ntfy-url
   service:
     main:

clusters/cl01tl/helm/authentik/Chart.lock

@@ -1,15 +1,15 @@
 dependencies:
 - name: authentik
   repository: https://charts.goauthentik.io/
-  version: 2026.2.2
+  version: 2026.2.1
 - name: cloudflared
   repository: oci://harbor.alexlebens.net/helm-charts
-  version: 2.6.0
+  version: 2.4.0
 - name: postgres-cluster
   repository: oci://harbor.alexlebens.net/helm-charts
-  version: 7.12.1
+  version: 7.11.1
 - name: valkey
   repository: oci://harbor.alexlebens.net/helm-charts
-  version: 0.6.1
-digest: sha256:d1dbca83e5b63a58a9bf9f2903d1b45bbadca3e8599541367bc61ef2ce938cdb
-generated: "2026-04-24T21:50:21.398658595Z"
+  version: 0.5.0
+digest: sha256:4b90c5af4cc7f37b04284aafd75ddda1241c71acb726932e7e21520b5bf98543
+generated: "2026-03-31T18:36:26.87524-05:00"

clusters/cl01tl/helm/authentik/Chart.yaml

@@ -18,18 +18,18 @@ maintainers:
   - name: alexlebens
 dependencies:
   - name: authentik
-    version: 2026.2.2
+    version: 2026.2.1
     repository: https://charts.goauthentik.io/
   - name: cloudflared
     repository: oci://harbor.alexlebens.net/helm-charts
-    version: 2.6.0
+    version: 2.4.0
   - name: postgres-cluster
     alias: postgres-18-cluster
-    version: 7.12.1
+    version: 7.11.1
     repository: oci://harbor.alexlebens.net/helm-charts
   - name: valkey
     alias: valkey
-    version: 0.6.1
+    version: 0.5.0
     repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/authentik.png
 # renovate: datasource=github-releases depName=goauthentik/authentik

clusters/cl01tl/helm/authentik/templates/_helpers.tpl

@@ -1,14 +0,0 @@
-{{/*
-Common labels
-*/}}
-{{- define "custom.labels" -}}
-{{ include "custom.selectorLabels" $ }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "custom.selectorLabels" -}}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/part-of: {{ .Release.Name }}
-{{- end }}

clusters/cl01tl/helm/authentik/templates/external-secret.yaml

@@ -1,15 +1,16 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: authentik-key
+  name: authentik-key-secret
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: authentik-key
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/name: authentik-key-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: openbao
+    name: vault
   data:
     - secretKey: key
       remoteRef:

clusters/cl01tl/helm/authentik/templates/ingress.yaml

@@ -1,11 +1,12 @@
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
-  name: {{ .Release.Name }}-tailscale
+  name: authentik-tailscale
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: {{ .Release.Name }}-tailscale
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/name: authentik-tailscale
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
     tailscale.com/proxy-class: no-metrics
   annotations:
     tailscale.com/experimental-forward-cluster-traffic-via-ingress: "true"
@@ -25,4 +26,4 @@ spec:
               service:
                 name: authentik-server
                 port:
-                  name: http
+                  number: 80

clusters/cl01tl/helm/authentik/templates/reference-grant.yaml

@@ -5,7 +5,8 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: allow-outpost-cross-namespace-access
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   from:
     - group: gateway.networking.k8s.io

clusters/cl01tl/helm/authentik/values.yaml

@@ -4,7 +4,7 @@ authentik:
       - name: AUTHENTIK_SECRET_KEY
         valueFrom:
           secretKeyRef:
-            name: authentik-key
+            name: authentik-key-secret
             key: key
       - name: AUTHENTIK_POSTGRESQL__HOST
         valueFrom:

clusters/cl01tl/helm/backrest/Chart.lock

@@ -4,9 +4,9 @@ dependencies:
   version: 4.6.2
 - name: volsync-target
   repository: oci://harbor.alexlebens.net/helm-charts
-  version: 1.0.0
+  version: 0.8.0
 - name: volsync-target
   repository: oci://harbor.alexlebens.net/helm-charts
-  version: 1.0.0
-digest: sha256:4c3010c4ef30f7baaad7564d1fda9bdfe18184fab0e3f47a8a1f4c74e340e557
-generated: "2026-04-24T22:50:23.056323614Z"
+  version: 0.8.0
+digest: sha256:f203538010828e77336f3cf39451a1072c90aeb8ece7c173a3476c49883b46d1
+generated: "2026-03-06T01:05:24.935421139Z"

clusters/cl01tl/helm/backrest/Chart.yaml

@@ -20,11 +20,11 @@ dependencies:
     version: 4.6.2
   - name: volsync-target
     alias: volsync-target-config
-    version: 1.0.0
+    version: 0.8.0
     repository: oci://harbor.alexlebens.net/helm-charts
   - name: volsync-target
     alias: volsync-target-data
-    version: 1.0.0
+    version: 0.8.0
     repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/backrest.png
 # renovate: datasource=github-releases depName=garethgeorge/backrest

clusters/cl01tl/helm/backrest/templates/_helpers.tpl

@@ -1,24 +0,0 @@
-{{/*
-Common labels
-*/}}
-{{- define "custom.labels" -}}
-{{ include "custom.selectorLabels" $ }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "custom.selectorLabels" -}}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/part-of: {{ .Release.Name }}
-{{- end }}
-
-{{/*
-NFS names
-*/}}
-{{- define "custom.storageNfsName" -}}
-backrest-nfs-storage
-{{- end -}}
-{{- define "custom.shareNfsName" -}}
-backrest-nfs-share
-{{- end -}}

clusters/cl01tl/helm/backrest/templates/persistent-volume-claim.yaml

@@ -1,13 +1,14 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: {{ include "custom.storageNfsName" . }}
+  name: backrest-nfs-storage
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: {{ include "custom.storageNfsName" . }}
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/name: backrest-nfs-storage
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
-  volumeName: {{ include "custom.storageNfsName" . }}
+  volumeName: backrest-nfs-storage
   storageClassName: nfs-client
   accessModes:
     - ReadWriteMany
@@ -19,13 +20,14 @@ spec:
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: {{ include "custom.shareNfsName" . }}
+  name: backrest-nfs-share
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: {{ include "custom.shareNfsName" . }}
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/name: backrest-nfs-share
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
-  volumeName: {{ include "custom.shareNfsName" . }}
+  volumeName: backrest-nfs-share
   storageClassName: nfs-client
   accessModes:
     - ReadWriteMany

clusters/cl01tl/helm/backrest/templates/persistent-volume.yaml

@@ -1,11 +1,12 @@
 apiVersion: v1
 kind: PersistentVolume
 metadata:
-  name: {{ include "custom.storageNfsName" . }}
+  name: backrest-nfs-storage
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: {{ include "custom.storageNfsName" . }}
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/name: backrest-nfs-storage
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   persistentVolumeReclaimPolicy: Retain
   storageClassName: nfs-client
@@ -25,11 +26,12 @@ spec:
 apiVersion: v1
 kind: PersistentVolume
 metadata:
-  name: {{ include "custom.shareNfsName" . }}
+  name: backrest-nfs-share
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: {{ include "custom.shareNfsName" . }}
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/name: backrest-nfs-share
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   persistentVolumeReclaimPolicy: Retain
   storageClassName: nfs-client

clusters/cl01tl/helm/bazarr/Chart.lock

@@ -4,6 +4,6 @@ dependencies:
   version: 4.6.2
 - name: volsync-target
   repository: oci://harbor.alexlebens.net/helm-charts
-  version: 1.0.0
-digest: sha256:ee94a588fa517303597c8a6159befdbac00b651afc5c1d7c779b3cb28d3ba8c6
-generated: "2026-04-24T22:50:33.529825344Z"
+  version: 0.8.0
+digest: sha256:ce88e4cd451613c9dbc25d285700970789ff678452ef277f3c8465dbf6157f1f
+generated: "2026-03-06T01:05:44.405374459Z"

clusters/cl01tl/helm/bazarr/Chart.yaml

@@ -10,9 +10,7 @@ home: https://docs.alexlebens.dev/applications/bazarr/
 sources:
   - https://github.com/morpheus65535/bazarr
   - https://github.com/linuxserver/docker-bazarr
-  - https://github.com/onedr0p/exportarr
   - https://github.com/linuxserver/docker-bazarr/pkgs/container/bazarr
-  - https://github.com/onedr0p/exportarr/pkgs/container/exportarr
   - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
   - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/volsync-target
 maintainers:
@@ -24,8 +22,8 @@ dependencies:
     version: 4.6.2
   - name: volsync-target
     alias: volsync-target-config
-    version: 1.0.0
+    version: 0.8.0
     repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/bazarr.png
 # renovate: datasource=github-releases depName=linuxserver/docker-bazarr
-appVersion: v1.5.6-ls342
+appVersion: 1.5.6

clusters/cl01tl/helm/bazarr/templates/_helpers.tpl

@@ -1,21 +0,0 @@
-{{/*
-Common labels
-*/}}
-{{- define "custom.labels" -}}
-{{ include "custom.selectorLabels" $ }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "custom.selectorLabels" -}}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/part-of: {{ .Release.Name }}
-{{- end }}
-
-{{/*
-NFS names
-*/}}
-{{- define "custom.storageNfsName" -}}
-bazarr-nfs-storage
-{{- end -}}

clusters/cl01tl/helm/bazarr/templates/external-secret.yaml

@@ -1,17 +0,0 @@
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: bazarr-key
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: bazarr-key
-    {{- include "custom.labels" . | nindent 4 }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: openbao
-  data:
-    - secretKey: key
-      remoteRef:
-        key: /cl01tl/bazarr/key
-        property: key

clusters/cl01tl/helm/bazarr/templates/persistent-volume-claim.yaml

@@ -1,13 +1,14 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: {{ include "custom.storageNfsName" . }}
+  name: bazarr-nfs-storage
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: {{ include "custom.storageNfsName" . }}
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/name: bazarr-nfs-storage
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
-  volumeName: {{ include "custom.storageNfsName" . }}
+  volumeName: bazarr-nfs-storage
   storageClassName: nfs-client
   accessModes:
     - ReadWriteMany

clusters/cl01tl/helm/bazarr/templates/persistent-volume.yaml

@@ -1,11 +1,12 @@
 apiVersion: v1
 kind: PersistentVolume
 metadata:
-  name: {{ include "custom.storageNfsName" . }}
+  name: bazarr-nfs-storage
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: {{ include "custom.storageNfsName" . }}
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/name: bazarr-nfs-storage
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   persistentVolumeReclaimPolicy: Retain
   storageClassName: nfs-client

clusters/cl01tl/helm/bazarr/values.yaml

@@ -23,28 +23,11 @@ bazarr:
             - name: PGID
               value: 1000
           resources:
+            limits:
+              cpu: 100m
             requests:
-              cpu: 10m
+              cpu: 1m
               memory: 250Mi
-        metrics:
-          image:
-            repository: ghcr.io/onedr0p/exportarr
-            tag: v2.3.0@sha256:af535d94061cf97a52e1661945ffba78c03f9443eae7c0da1a80a5a4be56b520
-          args: ["bazarr"]
-          env:
-            - name: URL
-              value: http://localhost:6767
-            - name: PORT
-              value: 9792
-            - name: APIKEY
-              valueFrom:
-                secretKeyRef:
-                  name: bazarr-key
-                  key: key
-            - name: ENABLE_ADDITIONAL_METRICS
-              value: false
-            - name: ENABLE_UNKNOWN_QUEUE_ITEMS
-              value: false
   service:
     main:
       controller: main
@@ -52,21 +35,6 @@ bazarr:
         http:
           port: 80
           targetPort: 6767
-        metrics:
-          port: 9792
-          targetPort: 9792
-  serviceMonitor:
-    main:
-      selector:
-        matchLabels:
-          app.kubernetes.io/name: bazarr
-          app.kubernetes.io/instance: bazarr
-      serviceName: '{{ include "bjw-s.common.lib.chart.names.fullname" $ }}'
-      endpoints:
-        - port: metrics
-          interval: 3m
-          scrapeTimeout: 1m
-          path: /metrics
   route:
     main:
       kind: HTTPRoute

clusters/cl01tl/helm/blocky/Chart.lock

@@ -4,6 +4,6 @@ dependencies:
   version: 4.6.2
 - name: valkey
   repository: oci://harbor.alexlebens.net/helm-charts
-  version: 0.6.1
-digest: sha256:6ed3a7587906fbda581d0091ff2c29a1816b8b0b8ae40add9885e6a68b2b82ae
-generated: "2026-04-13T20:32:34.844998902Z"
+  version: 0.5.0
+digest: sha256:49b0e666059bad492ebaa4a20119ce5bbd1959a1ee6b22b271a9ca9529122697
+generated: "2026-03-31T18:37:20.549898-05:00"

clusters/cl01tl/helm/blocky/Chart.yaml

@@ -20,7 +20,7 @@ dependencies:
     version: 4.6.2
   - name: valkey
     alias: valkey
-    version: 0.6.1
+    version: 0.5.0
     repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/blocky.png
 # renovate: datasource=github-releases depName=0xerr0r/blocky

clusters/cl01tl/helm/blocky/templates/_helpers.tpl

@@ -1,14 +0,0 @@
-{{/*
-Common labels
-*/}}
-{{- define "custom.labels" -}}
-{{ include "custom.selectorLabels" $ }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "custom.selectorLabels" -}}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/part-of: {{ .Release.Name }}
-{{- end }}

clusters/cl01tl/helm/blocky/values.yaml

@@ -106,7 +106,6 @@ blocky:
               audiobookshelf                  IN      CNAME   traefik-cl01tl
               authentik                       IN      CNAME   traefik-cl01tl
               backrest                        IN      CNAME   traefik-cl01tl
-              bao                             IN      CNAME   traefik-cl01tl
               bazarr                          IN      CNAME   traefik-cl01tl
               ceph                            IN      CNAME   traefik-cl01tl
               dawarich                        IN      CNAME   traefik-cl01tl
@@ -143,9 +142,9 @@ blocky:
               ollama                          IN      CNAME   traefik-cl01tl
               omni-tools                      IN      CNAME   traefik-cl01tl
               paperless-ngx                   IN      CNAME   traefik-cl01tl
+              photoview                       IN      CNAME   traefik-cl01tl
               plex                            IN      CNAME   traefik-cl01tl
-              postiz-spotlight                IN      CNAME   traefik-cl01tl
-              postiz-temporal                 IN      CNAME   traefik-cl01tl
+              postiz                          IN      CNAME   traefik-cl01tl
               prometheus                      IN      CNAME   traefik-cl01tl
               prowlarr                        IN      CNAME   traefik-cl01tl
               qbittorrent                     IN      CNAME   traefik-cl01tl
@@ -161,7 +160,6 @@ blocky:
               sonarr                          IN      CNAME   traefik-cl01tl
               sonarr-4k                       IN      CNAME   traefik-cl01tl
               sonarr-anime                    IN      CNAME   traefik-cl01tl
-              sparkyfitness                   IN      CNAME   traefik-cl01tl
               stalwart                        IN      CNAME   traefik-cl01tl
               tdarr                           IN      CNAME   traefik-cl01tl
               tubearchivist                   IN      CNAME   traefik-cl01tl

clusters/cl01tl/helm/cert-manager/Chart.lock

@@ -1,6 +1,6 @@
 dependencies:
 - name: cert-manager
   repository: https://charts.jetstack.io
-  version: v1.20.2
-digest: sha256:f218239b4538c64d57e098a56c69dcbc4e076ffcc3d320c5a5fef1e6309e38cf
-generated: "2026-04-13T23:02:59.380767677Z"
+  version: v1.20.1
+digest: sha256:1bf36eba44cf096b40355a697b8cffb302f07f9135374222aabdf686f017b7a9
+generated: "2026-03-28T01:35:24.542754563Z"

clusters/cl01tl/helm/cert-manager/Chart.yaml

@@ -13,8 +13,8 @@ maintainers:
   - name: alexlebens
 dependencies:
   - name: cert-manager
-    version: v1.20.2
+    version: v1.20.1
     repository: https://charts.jetstack.io
 icon: https://raw.githubusercontent.com/cert-manager/cert-manager/refs/heads/master/logo/logo.png
 # renovate: datasource=github-releases depName=cert-manager/cert-manager
-appVersion: v1.20.2
+appVersion: v1.20.1

clusters/cl01tl/helm/cert-manager/templates/_helpers.tpl

@@ -1,24 +0,0 @@
-{{/*
-Common labels
-*/}}
-{{- define "custom.labels" -}}
-{{ include "custom.selectorLabels" $ }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "custom.selectorLabels" -}}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/part-of: {{ .Release.Name }}
-{{- end }}
-
-{{/*
-NFS names
-*/}}
-{{- define "custom.cloudflareSecretName" -}}
-cert-manager-cloudflare-api-token
-{{- end -}}
-{{- define "custom.cloudflareSecretKey" -}}
-api-token
-{{- end -}}

clusters/cl01tl/helm/cert-manager/templates/cluster-issuer.yaml

@@ -5,7 +5,8 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: letsencrypt-issuer
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   acme:
     email: alexanderlebens@gmail.com
@@ -21,5 +22,5 @@ spec:
           cloudflare:
             email: alexanderlebens@gmail.com
             apiTokenSecretRef:
-              name: {{ include "custom.cloudflareSecretName" . }}
-              key: {{ include "custom.cloudflareSecretKey" . }}
+              name: cloudflare-api-token
+              key: api-token

clusters/cl01tl/helm/cert-manager/templates/external-secret.yaml

@@ -1,17 +1,18 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: {{ include "custom.cloudflareSecretName" . }}
+  name: cloudflare-api-token
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: {{ include "custom.cloudflareSecretName" . }}
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/name: cloudflare-api-token
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: openbao
+    name: vault
   data:
-    - secretKey: {{ include "custom.cloudflareSecretKey" . }}
+    - secretKey: api-token
       remoteRef:
-        key: /cloudflare/alexlebens.net/cl01tl-issuer-certificate
+        key: /cloudflare/alexlebens.net/clusterissuer
         property: token

clusters/cl01tl/helm/cert-manager/templates/prometheus-rule.yaml

@@ -1,44 +0,0 @@
-apiVersion: monitoring.coreos.com/v1
-kind: PrometheusRule
-metadata:
-  name: cert-manager
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: cert-manager
-    {{- include "custom.labels" . | nindent 4 }}
-spec:
-  groups:
-    - name: EmbeddedExporter
-      rules:
-        - alert: Cert-ManagerAbsent
-          expr: absent(up{job="cert-manager"})
-          for: 10m
-          labels:
-            severity: critical
-          annotations:
-            summary: Cert-Manager absent (instance {{ `{{ $labels.instance }}` }})
-            description: "Cert-Manager has disappeared from Prometheus service discovery. New certificates will not be able to be minted, and existing ones can't be renewed until cert-manager is back.\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
-        - alert: Cert-ManagerCertificateExpiringSoon
-          expr: avg by (exported_namespace, namespace, name) (certmanager_certificate_expiration_timestamp_seconds - time()) < (21 * 24 * 3600)
-          for: 1h
-          labels:
-            severity: warning
-          annotations:
-            summary: Cert-Manager certificate expiring soon (instance {{ `{{ $labels.instance }}` }})
-            description: "The certificate {{ `{{ $labels.name }}` }} is expiring in less than 21 days.\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
-        - alert: Cert-ManagerCertificateNotReady
-          expr: max by (name, exported_namespace, namespace, condition) (certmanager_certificate_ready_status{condition!="True"} == 1)
-          for: 10m
-          labels:
-            severity: critical
-          annotations:
-            summary: Cert-Manager certificate not ready (instance {{ `{{ $labels.instance }}` }})
-            description: "The certificate {{ `{{ $labels.name }}` }} in namespace {{ `{{ $labels.exported_namespace }}` }} is not ready to serve traffic.\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"
-        - alert: Cert-ManagerHittingACMERateLimits
-          expr: sum by (host) (rate(certmanager_acme_client_request_count{status="429"}[5m])) > 0
-          for: 5m
-          labels:
-            severity: critical
-          annotations:
-            summary: Cert-Manager hitting ACME rate limits (instance {{ `{{ $labels.instance }}` }})
-            description: "Cert-Manager is being rate-limited by the ACME provider. Certificate issuance and renewal may be blocked for up to a week.\n  VALUE = {{ `{{ $value }}` }}\n  LABELS = {{ `{{ $labels }}` }}"

clusters/cl01tl/helm/cilium/templates/_helpers.tpl

@@ -1,14 +0,0 @@
-{{/*
-Common labels
-*/}}
-{{- define "custom.labels" -}}
-{{ include "custom.selectorLabels" $ }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "custom.selectorLabels" -}}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/part-of: {{ .Release.Name }}
-{{- end }}

clusters/cl01tl/helm/cilium/templates/cilium-bgp-advertisement.yaml

@@ -0,0 +1,19 @@
+# apiVersion: cilium.io/v2
+# kind: CiliumBGPAdvertisement
+# metadata:
+#   name: cilium-bgp-advertisements
+#   namespace: {{ .Release.Namespace }}
+#   labels:
+#     app.kubernetes.io/name: cilium-bgp-advertisements
+#     app.kubernetes.io/instance: {{ .Release.Name }}
+#     app.kubernetes.io/part-of: {{ .Release.Name }}
+# spec:
+#   advertisements:
+#     - advertisementType: "Service"
+#       service:
+#         addresses:
+#           - ExternalIP
+#           - LoadBalancerIP
+#       selector:
+#         matchExpressions:
+#          - {key: somekey, operator: NotIn, values: ['never-used-value']}

clusters/cl01tl/helm/cilium/templates/cilium-bgp-cluster-config.yaml

@@ -0,0 +1,22 @@
+# apiVersion: cilium.io/v2
+# kind: CiliumBGPClusterConfig
+# metadata:
+#   name: cilium-bgp
+#   namespace: {{ .Release.Namespace }}
+#   labels:
+#     app.kubernetes.io/name: cilium-bgp
+#     app.kubernetes.io/instance: {{ .Release.Name }}
+#     app.kubernetes.io/part-of: {{ .Release.Name }}
+# spec:
+#   nodeSelector:
+#     matchLabels:
+#       node-role.kubernetes.io/bgp: "65020"
+#   bgpInstances:
+#     - name: "65020"
+#       localASN: 65020
+#       peers:
+#         - name: "udm-65000"
+#           peerASN: 65000
+#           peerAddress: 192.168.1.1
+#           peerConfigRef:
+#             name: "cilium-peer"

clusters/cl01tl/helm/cilium/templates/cilium-bgp-peer-config.yaml

@@ -0,0 +1,23 @@
+# apiVersion: cilium.io/v2
+# kind: CiliumBGPPeerConfig
+# metadata:
+#   name: cilium-peer
+#   namespace: {{ .Release.Namespace }}
+#   labels:
+#     app.kubernetes.io/name: cilium-peer
+#     app.kubernetes.io/instance: {{ .Release.Name }}
+#     app.kubernetes.io/part-of: {{ .Release.Name }}
+# spec:
+#   timers:
+#     holdTimeSeconds: 9
+#     keepAliveTimeSeconds: 3
+#   ebgpMultihop: 4
+#   gracefulRestart:
+#     enabled: true
+#     restartTimeSeconds: 15
+#   families:
+#     - afi: ipv4
+#       safi: unicast
+#       advertisements:
+#         matchLabels:
+#           app.kubernetes.io/name: cilium-bgp-advertisements

clusters/cl01tl/helm/cilium/templates/cilium-load-balancer-ip-pool.yaml

@@ -5,7 +5,8 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: default-ip-pool
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   blocks:
     - start: "10.232.1.21"
@@ -19,7 +20,8 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: bgp-ip-pool
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   blocks:
     - start: "10.232.2.100"

clusters/cl01tl/helm/cilium/templates/gateway.yaml

@@ -0,0 +1,45 @@
+# apiVersion: gateway.networking.k8s.io/v1
+# kind: Gateway
+# metadata:
+#   name: cilium-tls-gateway
+#   namespace: {{ .Release.Namespace }}
+#   labels:
+#     app.kubernetes.io/name: cilium-tls-gateway
+#     app.kubernetes.io/instance: {{ .Release.Name }}
+#     app.kubernetes.io/part-of: {{ .Release.Name }}
+#   annotations:
+#     cert-manager.io/cluster-issuer: letsencrypt-issuer
+# spec:
+#   addresses:
+#     - type: IPAddress
+#       value: 10.232.1.23
+#   gatewayClassName: cilium
+#   listeners:
+#     - allowedRoutes:
+#         namespaces:
+#           from: All
+#       hostname: '*.alexlebens.net'
+#       name: https
+#       port: 443
+#       protocol: HTTPS
+#       tls:
+#         certificateRefs:
+#           - group: ''
+#             kind: Secret
+#             name: https-gateway-cert
+#             namespace: kube-system
+#         mode: Terminate
+#     - allowedRoutes:
+#         namespaces:
+#           from: All
+#       hostname: 'alexlebens.net'
+#       name: https-domain
+#       port: 443
+#       protocol: HTTPS
+#       tls:
+#         certificateRefs:
+#           - group: ''
+#             kind: Secret
+#             name: https-gateway-cert
+#             namespace: kube-system
+#         mode: Terminate

clusters/cl01tl/helm/cilium/templates/http-route.yaml

@@ -5,7 +5,8 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: hubble
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   parentRefs:
     - group: gateway.networking.k8s.io
@@ -20,6 +21,8 @@ spec:
           type: PathPrefix
           value: /
       backendRefs:
-        - kind: Service
+        - group: ''
+          kind: Service
           name: hubble-ui
           port: 80
+          weight: 100

clusters/cl01tl/helm/cloudnative-pg/Chart.lock

@@ -4,12 +4,6 @@ dependencies:
   version: 0.28.0
 - name: plugin-barman-cloud
   repository: https://cloudnative-pg.io/charts/
-  version: 0.6.0
-- name: rclone-bucket
-  repository: oci://harbor.alexlebens.net/helm-charts
-  version: 0.4.3
-- name: rclone-bucket
-  repository: oci://harbor.alexlebens.net/helm-charts
-  version: 0.4.3
-digest: sha256:75d7078b7009082521a1bb8b49141e20b442343dabe7f76f5e7a16a352cfe205
-generated: "2026-04-26T15:36:31.678086-05:00"
+  version: 0.5.0
+digest: sha256:3e9b26d00fdb61af60f003bcb327e05d02799eb6088e30aaabd01c49c6021aac
+generated: "2026-04-01T20:05:40.198140255Z"

clusters/cl01tl/helm/cloudnative-pg/Chart.yaml

@@ -13,7 +13,6 @@ sources:
   - https://github.com/cloudnative-pg/postgres-containers/pkgs/container/postgresql
   - https://github.com/cloudnative-pg/charts/tree/main/charts/cloudnative-pg
   - https://github.com/cloudnative-pg/charts/tree/main/charts/plugin-barman-cloud
-  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/rclone-bucket
 maintainers:
   - name: alexlebens
 dependencies:
@@ -21,16 +20,8 @@ dependencies:
     version: 0.28.0
     repository: https://cloudnative-pg.io/charts/
   - name: plugin-barman-cloud
-    version: 0.6.0
+    version: 0.5.0
     repository: https://cloudnative-pg.io/charts/
-  - name: rclone-bucket
-    alias: rclone-postgres-backups-remote
-    repository: oci://harbor.alexlebens.net/helm-charts
-    version: 0.4.3
-  - name: rclone-bucket
-    alias: rclone-postgres-backups-external
-    repository: oci://harbor.alexlebens.net/helm-charts
-    version: 0.4.3
 icon: https://raw.githubusercontent.com/cloudnative-pg/cloudnative-pg.github.io/refs/heads/main/assets/images/hero_image.png
 # renovate: datasource=github-releases depName=cloudnative-pg/cloudnative-pg
 appVersion: 1.29.0

clusters/cl01tl/helm/cloudnative-pg/templates/_helpers.tpl

@@ -1,14 +0,0 @@
-{{/*
-Common labels
-*/}}
-{{- define "custom.labels" -}}
-{{ include "custom.selectorLabels" $ }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "custom.selectorLabels" -}}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/part-of: {{ .Release.Name }}
-{{- end }}

clusters/cl01tl/helm/cloudnative-pg/values.yaml

@@ -14,62 +14,3 @@ plugin-barman-cloud:
     requests:
       cpu: 1m
       memory: 20Mi
-rclone-postgres-backups-remote:
-  nameOverride: postgres-backups-remote-rclone
-  cronJob:
-    suspend: false
-    schedule: 0 6 * * 6
-  rclone:
-    source:
-      bucketName: postgres-backups
-    destination:
-      bucketName: postgres-backups
-  prune:
-    enabled: true
-    ageToPrune: 45d
-    include: "/cl01tl/*/*/*/base/**"
-    exclude: "**/walls/**"
-  secret:
-    externalSecret:
-      source:
-        credentials:
-          path: /garage/home-infra/postgres-backups
-        config:
-          path: /garage/config
-      destination:
-        credentials:
-          path: /garage/home-infra/postgres-backups
-        config:
-          path: /garage/config
-rclone-postgres-backups-external:
-  nameOverride: postgres-backups-external-rclone
-  cronJob:
-    suspend: true
-    schedule: 0 6 * * 6
-  rclone:
-    source:
-      bucketName: openbao-backups
-    destination:
-      bucketName: postgres-backups-ecc1010276b61716
-      providerType: DigitalOcean
-  prune:
-    enabled: true
-    ageToPrune: 45d
-    include: "/cl01tl/*/*/*/base/**"
-    exclude: "**/walls/**"
-  secret:
-    externalSecret:
-      source:
-        credentials:
-          path: /garage/home-infra/postgres-backups
-        config:
-          path: /garage/config
-      destination:
-        credentials:
-          path: /digital-ocean/home-infra/postgres-backups
-          keyIdProperty: AWS_ACCESS_KEY_ID
-          secretKeyProperty: AWS_SECRET_ACCESS_KEY
-          regionProperty: AWS_REGION
-        config:
-          path: /digital-ocean/config
-          endpointProperty: ENDPOINT

clusters/cl01tl/helm/coredns/Chart.yaml

@@ -17,4 +17,4 @@ dependencies:
     repository: https://coredns.github.io/helm
 icon: https://raw.githubusercontent.com/coredns/coredns.io/refs/heads/master/static/images/favicon.png
 # renovate: datasource=github-releases depName=coredns/coredns
-appVersion: v1.14.3
+appVersion: v1.14.2

clusters/cl01tl/helm/coredns/templates/_helpers.tpl

@@ -1,14 +0,0 @@
-{{/*
-Common labels
-*/}}
-{{- define "custom.labels" -}}
-{{ include "custom.selectorLabels" $ }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "custom.selectorLabels" -}}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/part-of: {{ .Release.Name }}
-{{- end }}

clusters/cl01tl/helm/dawarich/Chart.lock

@@ -4,18 +4,9 @@ dependencies:
   version: 4.6.2
 - name: postgres-cluster
   repository: oci://harbor.alexlebens.net/helm-charts
-  version: 7.12.1
+  version: 7.11.1
 - name: valkey
   repository: oci://harbor.alexlebens.net/helm-charts
-  version: 0.6.1
-- name: volsync-target
-  repository: oci://harbor.alexlebens.net/helm-charts
-  version: 1.0.0
-- name: volsync-target
-  repository: oci://harbor.alexlebens.net/helm-charts
-  version: 1.0.0
-- name: volsync-target
-  repository: oci://harbor.alexlebens.net/helm-charts
-  version: 1.0.0
-digest: sha256:675bca89787669fd5b23eb2d4b49a44acee2556044982bb634f678a39cec7db4
-generated: "2026-04-24T22:50:43.987901153Z"
+  version: 0.5.0
+digest: sha256:1f513bd53430dd0fbba301ab5577aca85e984394dfdca9f615aae944a09c6bc0
+generated: "2026-03-31T18:37:35.858603-05:00"

clusters/cl01tl/helm/dawarich/Chart.yaml

@@ -12,7 +12,6 @@ sources:
   - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
   - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/postgres-cluster
   - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/valkey
-  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/volsync-target
 maintainers:
   - name: alexlebens
 dependencies:
@@ -22,24 +21,12 @@ dependencies:
     version: 4.6.2
   - name: postgres-cluster
     alias: postgres-18-cluster
-    version: 7.12.1
+    version: 7.11.1
     repository: oci://harbor.alexlebens.net/helm-charts
   - name: valkey
     alias: valkey
-    version: 0.6.1
-    repository: oci://harbor.alexlebens.net/helm-charts
-  - name: volsync-target
-    alias: volsync-target-storage
-    version: 1.0.0
-    repository: oci://harbor.alexlebens.net/helm-charts
-  - name: volsync-target
-    alias: volsync-target-public
-    version: 1.0.0
-    repository: oci://harbor.alexlebens.net/helm-charts
-  - name: volsync-target
-    alias: volsync-target-watched
-    version: 1.0.0
+    version: 0.5.0
     repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons@main/png/dawarich.png
 # renovate: datasource=github-releases depName=Freika/dawarich
-appVersion: 1.7.0
+appVersion: 1.6.1

clusters/cl01tl/helm/dawarich/templates/_helpers.tpl

@@ -1,14 +0,0 @@
-{{/*
-Common labels
-*/}}
-{{- define "custom.labels" -}}
-{{ include "custom.selectorLabels" $ }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "custom.selectorLabels" -}}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/part-of: {{ .Release.Name }}
-{{- end }}

clusters/cl01tl/helm/dawarich/templates/external-secret.yaml

@@ -1,52 +1,42 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: dawarich-key
+  name: dawarich-key-secret
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: dawarich-key
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/name: dawarich-key-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: openbao
+    name: vault
   data:
     - secretKey: key
       remoteRef:
         key: /cl01tl/dawarich/key
         property: key
-    - secretKey: otp-primary-key
-      remoteRef:
-        key: /cl01tl/dawarich/key
-        property: otp-primary-key
-    - secretKey: otp-deterministic-key
-      remoteRef:
-        key: /cl01tl/dawarich/key
-        property: otp-deterministic-key
-    - secretKey: otp-derivation-salt
-      remoteRef:
-        key: /cl01tl/dawarich/key
-        property: otp-derivation-salt
 
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: dawarich-oidc-authentik
+  name: dawarich-oidc-secret
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: dawarich-oidc-authentik
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/name: dawarich-oidc-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: openbao
+    name: vault
   data:
     - secretKey: client
       remoteRef:
-        key: /cl01tl/authentik/oidc/dawarich
+        key: /authentik/oidc/dawarich
         property: client
     - secretKey: secret
       remoteRef:
-        key: /cl01tl/authentik/oidc/dawarich
+        key: /authentik/oidc/dawarich
         property: secret

clusters/cl01tl/helm/dawarich/values.yaml

@@ -8,7 +8,7 @@ dawarich:
         main:
           image:
             repository: freikin/dawarich
-            tag: 1.7.0@sha256:7d5f99c61121fcfa4cbdd6a153392630d9f059ffb0156759278d3e049085ec62
+            tag: 1.6.1@sha256:a884f69f19ce0f66992f3872d24544d1e587e133b8a003e072711aafc1e02429
           command:
             - "web-entrypoint.sh"
           args:
@@ -61,12 +61,12 @@ dawarich:
             - name: OIDC_CLIENT_ID
               valueFrom:
                 secretKeyRef:
-                  name: dawarich-oidc-authentik
+                  name: dawarich-oidc-secret
                   key: client
             - name: OIDC_CLIENT_SECRET
               valueFrom:
                 secretKeyRef:
-                  name: dawarich-oidc-authentik
+                  name: dawarich-oidc-secret
                   key: secret
             - name: OIDC_PROVIDER_NAME
               value: Authentik
@@ -81,23 +81,8 @@ dawarich:
             - name: SECRET_KEY_BASE
               valueFrom:
                 secretKeyRef:
-                  name: dawarich-key
+                  name: dawarich-key-secret
                   key: key
-            - name: OTP_ENCRYPTION_PRIMARY_KEY
-              valueFrom:
-                secretKeyRef:
-                  name: dawarich-key
-                  key: otp-primary-key
-            - name: OTP_ENCRYPTION_DETERMINISTIC_KEY
-              valueFrom:
-                secretKeyRef:
-                  name: dawarich-key
-                  key: otp-deterministic-key
-            - name: OTP_ENCRYPTION_KEY_DERIVATION_SALT
-              valueFrom:
-                secretKeyRef:
-                  name: dawarich-key
-                  key: otp-derivation-salt
             - name: RAILS_LOG_TO_STDOUT
               value: true
             - name: SELF_HOSTED
@@ -126,7 +111,7 @@ dawarich:
         sidekiq:
           image:
             repository: freikin/dawarich
-            tag: 1.7.0@sha256:7d5f99c61121fcfa4cbdd6a153392630d9f059ffb0156759278d3e049085ec62
+            tag: 1.6.1@sha256:a884f69f19ce0f66992f3872d24544d1e587e133b8a003e072711aafc1e02429
           command:
             - "sidekiq-entrypoint.sh"
           args:
@@ -176,12 +161,12 @@ dawarich:
             - name: OIDC_CLIENT_ID
               valueFrom:
                 secretKeyRef:
-                  name: dawarich-oidc-authentik
+                  name: dawarich-oidc-secret
                   key: client
             - name: OIDC_CLIENT_SECRET
               valueFrom:
                 secretKeyRef:
-                  name: dawarich-oidc-authentik
+                  name: dawarich-oidc-secret
                   key: secret
             - name: OIDC_PROVIDER_NAME
               value: Authentik
@@ -196,23 +181,8 @@ dawarich:
             - name: SECRET_KEY_BASE
               valueFrom:
                 secretKeyRef:
-                  name: dawarich-key
+                  name: dawarich-key-secret
                   key: key
-            - name: OTP_ENCRYPTION_PRIMARY_KEY
-              valueFrom:
-                secretKeyRef:
-                  name: dawarich-key
-                  key: otp-primary-key
-            - name: OTP_ENCRYPTION_DETERMINISTIC_KEY
-              valueFrom:
-                secretKeyRef:
-                  name: dawarich-key
-                  key: otp-deterministic-key
-            - name: OTP_ENCRYPTION_KEY_DERIVATION_SALT
-              valueFrom:
-                secretKeyRef:
-                  name: dawarich-key
-                  key: otp-derivation-salt
             - name: RAILS_LOG_TO_STDOUT
               value: true
             - name: SELF_HOSTED
@@ -343,36 +313,3 @@ postgres-18-cluster:
         immediate: true
         schedule: "0 10 14 * * *"
         backupName: garage-local
-volsync-target-storage:
-  pvcTarget: dawarich-storage
-  local:
-    enabled: true
-    schedule: 6 8 * * *
-  remote:
-    enabled: true
-    schedule: 6 9 * * *
-  external:
-    enabled: true
-    schedule: 6 10 * * *
-volsync-target-public:
-  pvcTarget: dawarich-public
-  local:
-    enabled: true
-    schedule: 8 8 * * *
-  remote:
-    enabled: true
-    schedule: 8 9 * * *
-  external:
-    enabled: true
-    schedule: 8 10 * * *
-volsync-target-watched:
-  pvcTarget: dawarich-watched
-  local:
-    enabled: true
-    schedule: 8 8 * * *
-  remote:
-    enabled: true
-    schedule: 8 9 * * *
-  external:
-    enabled: true
-    schedule: 8 10 * * *

clusters/cl01tl/helm/democratic-csi-synology-iscsi/templates/_helpers.tpl

@@ -1,14 +0,0 @@
-{{/*
-Common labels
-*/}}
-{{- define "custom.labels" -}}
-{{ include "custom.selectorLabels" $ }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "custom.selectorLabels" -}}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/part-of: {{ .Release.Name }}
-{{- end }}

clusters/cl01tl/helm/democratic-csi-synology-iscsi/templates/external-secret.yaml

@@ -1,15 +1,16 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
-  name: synology-iscsi-config
+  name: synology-iscsi-config-secret
   namespace: {{ .Release.Namespace }}
   labels:
-    app.kubernetes.io/name: synology-iscsi-config
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/name: synology-iscsi-config-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: openbao
+    name: vault
   data:
     - secretKey: driver-config-file.yaml
       remoteRef:

clusters/cl01tl/helm/democratic-csi-synology-iscsi/templates/namespace.yaml

@@ -1,10 +1,11 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: {{ .Release.Namespace }}
+  name: democratic-csi-synology-iscsi
   labels:
-    app.kubernetes.io/name: {{ .Release.Namespace }}
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/name: democratic-csi-synology-iscsi
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
     pod-security.kubernetes.io/audit: privileged
     pod-security.kubernetes.io/enforce: privileged
     pod-security.kubernetes.io/warn: privileged

clusters/cl01tl/helm/democratic-csi-synology-iscsi/values.yaml

@@ -3,7 +3,7 @@ democratic-csi:
     image:
       registry: ghcr.io/democratic-csi/democratic-csi
       tag: v1.9.5@@sha256:fc3b7d7ed3a616714139525075312758e23a5d425ffb539ad12c9bd20fb6001f
-    existingConfigSecret: synology-iscsi-config
+    existingConfigSecret: synology-iscsi-config-secret
     config:
       driver: synology-iscsi
     resources:
@@ -47,8 +47,6 @@ democratic-csi:
         fsType: ext4
   node:
     hostPID: true
-    rbac:
-      enabled: true
     driver:
       extraEnv:
         - name: ISCSIADM_HOST_STRATEGY

clusters/cl01tl/helm/descheduler/templates/_helpers.tpl

@@ -1,14 +0,0 @@
-{{/*
-Common labels
-*/}}
-{{- define "custom.labels" -}}
-{{ include "custom.selectorLabels" $ }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "custom.selectorLabels" -}}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/part-of: {{ .Release.Name }}
-{{- end }}

clusters/cl01tl/helm/directus/Chart.lock

@@ -4,12 +4,9 @@ dependencies:
   version: 4.6.2
 - name: postgres-cluster
   repository: oci://harbor.alexlebens.net/helm-charts
-  version: 7.12.1
+  version: 7.11.1
 - name: valkey
   repository: oci://harbor.alexlebens.net/helm-charts
-  version: 0.6.1
-- name: rclone-bucket
-  repository: oci://harbor.alexlebens.net/helm-charts
-  version: 0.4.3
-digest: sha256:df3b79c6b8868d749d98d232741fef4a26b73894bce3bf4588581340c15fc3da
-generated: "2026-04-26T21:06:27.85398357Z"
+  version: 0.5.0
+digest: sha256:116183cdff428293215553b7e60be9aefafbbaaaf64c01f1fc974badd3e0754b
+generated: "2026-03-31T18:37:42.414041-05:00"

clusters/cl01tl/helm/directus/Chart.yaml

@@ -5,14 +5,13 @@ description: Directus
 keywords:
   - directus
   - content-management-system
-home: https://docs.alexlebens.dev/applications/directus/
+home: https://docs.alexlebens.dev/applications/descheduler/
 sources:
   - https://github.com/directus/directus
   - https://github.com/directus/directus/pkgs/container/directus
   - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
   - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/postgres-cluster
   - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/valkey
-  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/rclone-bucket
 maintainers:
   - name: alexlebens
 dependencies:
@@ -22,16 +21,12 @@ dependencies:
     version: 4.6.2
   - name: postgres-cluster
     alias: postgres-18-cluster
-    version: 7.12.1
+    version: 7.11.1
     repository: oci://harbor.alexlebens.net/helm-charts
   - name: valkey
     alias: valkey
-    version: 0.6.1
+    version: 0.5.0
     repository: oci://harbor.alexlebens.net/helm-charts
-  - name: rclone-bucket
-    alias: rclone-directus-assets-remote
-    repository: oci://harbor.alexlebens.net/helm-charts
-    version: 0.4.3
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/directus.png
 # renovate: datasource=github-releases depName=directus/directus
-appVersion: 11.17.3
+appVersion: 11.17.1

clusters/cl01tl/helm/directus/templates/_helpers.tpl

@@ -1,14 +0,0 @@
-{{/*
-Common labels
-*/}}
-{{- define "custom.labels" -}}
-{{ include "custom.selectorLabels" $ }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "custom.selectorLabels" -}}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/part-of: {{ .Release.Name }}
-{{- end }}

clusters/cl01tl/helm/directus/templates/external-secret.yaml

@@ -5,20 +5,13 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: directus-config
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: openbao
+    name: vault
   data:
-    - secretKey: key
-      remoteRef:
-        key: /cl01tl/directus/key
-        property: key
-    - secretKey: secret
-      remoteRef:
-        key: /cl01tl/directus/key
-        property: secret
     - secretKey: admin-email
       remoteRef:
         key: /cl01tl/directus/config
@@ -27,6 +20,38 @@ spec:
       remoteRef:
         key: /cl01tl/directus/config
         property: admin-password
+    - secretKey: secret
+      remoteRef:
+        key: /cl01tl/directus/config
+        property: secret
+    - secretKey: key
+      remoteRef:
+        key: /cl01tl/directus/config
+        property: key
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: directus-oidc-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: directus-oidc-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: OIDC_CLIENT_ID
+      remoteRef:
+        key: /authentik/oidc/directus
+        property: client
+    - secretKey: OIDC_CLIENT_SECRET
+      remoteRef:
+        key: /authentik/oidc/directus
+        property: secret
 
 ---
 apiVersion: external-secrets.io/v1
@@ -36,67 +61,18 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: directus-metric-token
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: openbao
+    name: vault
   data:
     - secretKey: metric-token
       remoteRef:
         key: /cl01tl/directus/metrics
         property: metric-token
 
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: directus-valkey-config
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: directus-valkey-config
-    {{- include "custom.labels" . | nindent 4 }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: openbao
-  data:
-    - secretKey: user
-      remoteRef:
-        key: /cl01tl/directus/valkey
-        property: user
-    - secretKey: password
-      remoteRef:
-        key: /cl01tl/directus/valkey
-        property: password
-    - secretKey: default
-      remoteRef:
-        key: /cl01tl/directus/valkey
-        property: password
-
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: directus-oidc-authentik
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: directus-oidc-authentik
-    {{- include "custom.labels" . | nindent 4 }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: openbao
-  data:
-    - secretKey: OIDC_CLIENT_ID
-      remoteRef:
-        key: /cl01tl/authentik/oidc/directus
-        property: client
-    - secretKey: OIDC_CLIENT_SECRET
-      remoteRef:
-        key: /cl01tl/authentik/oidc/directus
-        property: secret
-
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
@@ -105,11 +81,12 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: directus-bucket-garage
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: openbao
+    name: vault
   data:
     - secretKey: ACCESS_KEY_ID
       remoteRef:
@@ -123,3 +100,31 @@ spec:
       remoteRef:
         key: /garage/home-infra/directus-assets
         property: ACCESS_REGION
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: directus-valkey-config
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: directus-valkey-config
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: default
+      remoteRef:
+        key: /cl01tl/directus/valkey
+        property: password
+    - secretKey: user
+      remoteRef:
+        key: /cl01tl/directus/valkey
+        property: user
+    - secretKey: password
+      remoteRef:
+        key: /cl01tl/directus/valkey
+        property: password

clusters/cl01tl/helm/directus/values.yaml

@@ -8,7 +8,7 @@ directus:
         main:
           image:
             repository: ghcr.io/directus/directus
-            tag: 11.17.3@sha256:ae6ab737fd04077d295bbefa545cc4aefccc206e3d0120c83812f9b482a8c9a5
+            tag: 11.17.1@sha256:1dd2080a50a9f6df2b6f49df15a7734424bbd1a5902983c4b6e447f22027b80b
           env:
             - name: PUBLIC_URL
               value: https://directus.alexlebens.net
@@ -113,12 +113,12 @@ directus:
             - name: AUTH_AUTHENTIK_CLIENT_ID
               valueFrom:
                 secretKeyRef:
-                  name: directus-oidc-authentik
+                  name: directus-oidc-secret
                   key: OIDC_CLIENT_ID
             - name: AUTH_AUTHENTIK_CLIENT_SECRET
               valueFrom:
                 secretKeyRef:
-                  name: directus-oidc-authentik
+                  name: directus-oidc-secret
                   key: OIDC_CLIENT_SECRET
             - name: AUTH_AUTHENTIK_SCOPE
               value: openid profile email
@@ -214,24 +214,3 @@ valkey:
     # https://github.com/valkey-io/valkey-helm/issues/135
     metrics:
       enabled: false
-rclone-directus-assets-remote:
-  cronJob:
-    suspend: false
-    schedule: 0 0 * * *
-  rclone:
-    source:
-      bucketName: directus-assets
-    destination:
-      bucketName: directus-assets
-  secret:
-    externalSecret:
-      source:
-        credentials:
-          path: /garage/home-infra/directus-assets
-        config:
-          path: /garage/config
-      destination:
-        credentials:
-          path: /garage/home-infra/directus-assets
-        config:
-          path: /garage/config

clusters/cl01tl/helm/elastic-operator/templates/_helpers.tpl

@@ -1,14 +0,0 @@
-{{/*
-Common labels
-*/}}
-{{- define "custom.labels" -}}
-{{ include "custom.selectorLabels" $ }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "custom.selectorLabels" -}}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/part-of: {{ .Release.Name }}
-{{- end }}

clusters/cl01tl/helm/elastic-operator/values.yaml

@@ -1,7 +1,7 @@
 eck-operator:
   managedNamespaces:
-    - stalwart
     - tubearchivist
+    - stalwart
   installCRDs: true
   replicaCount: 2
   resources:

clusters/cl01tl/helm/element-web/Chart.lock

@@ -1,9 +1,9 @@
 dependencies:
 - name: element-web
   repository: https://ananace.gitlab.io/charts
-  version: 1.4.34
+  version: 1.4.33
 - name: cloudflared
   repository: oci://harbor.alexlebens.net/helm-charts
-  version: 2.6.0
-digest: sha256:e988be9f997351a8f658bf5151ec4fb04ae7d877389c9bf01b7331e1a58005ef
-generated: "2026-04-24T21:06:15.882448748Z"
+  version: 2.4.0
+digest: sha256:63b0e582d42fb42bcf4d96ba4b299e42c434c42f284208596808288543192fe0
+generated: "2026-03-24T16:11:50.424321433Z"

clusters/cl01tl/helm/element-web/Chart.yaml

@@ -15,11 +15,11 @@ maintainers:
   - name: alexlebens
 dependencies:
   - name: element-web
-    version: 1.4.34
+    version: 1.4.33
     repository: https://ananace.gitlab.io/charts
   - name: cloudflared
     repository: oci://harbor.alexlebens.net/helm-charts
-    version: 2.6.0
+    version: 2.4.0
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/element.png
 # renovate: datasource=github-releases depName=element-hq/element-web
-appVersion: v1.12.15
+appVersion: v1.12.13

clusters/cl01tl/helm/element-web/templates/_helpers.tpl

@@ -1,14 +0,0 @@
-{{/*
-Common labels
-*/}}
-{{- define "custom.labels" -}}
-{{ include "custom.selectorLabels" $ }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "custom.selectorLabels" -}}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/part-of: {{ .Release.Name }}
-{{- end }}

clusters/cl01tl/helm/element-web/values.yaml

@@ -2,7 +2,7 @@ element-web:
   replicaCount: 1
   image:
     repository: ghcr.io/element-hq/element-web
-    tag: v1.12.15@sha256:c7fa40b5ba3891f8af3ce63da0818f457c1802a9ee4d2f5e46a9df36a2388eed
+    tag: v1.12.13@sha256:5107e63026c13ed014f743e485821b7d4b56d275a41e76303859bb14f5f94eb6
   defaultServer:
     url: https://matrix.alexlebens.dev
     name: alexlebens.dev

clusters/cl01tl/helm/eraser/Chart.lock

@@ -2,8 +2,5 @@ dependencies:
 - name: eraser
   repository: https://eraser-dev.github.io/eraser/charts
   version: 1.4.1
-- name: app-template
-  repository: https://bjw-s-labs.github.io/helm-charts/
-  version: 4.6.2
-digest: sha256:8414813d3d9d195b16ef7ebf814f7095a16413f4b0e579fcb37738000624f68c
-generated: "2026-04-08T21:39:05.689756-05:00"
+digest: sha256:da828de684b0cd82e99994586f3db4f55c43c01607c4d8d0e70e204c7bbbbf5b
+generated: "2025-12-03T22:53:20.200917773Z"

clusters/cl01tl/helm/eraser/Chart.yaml

@@ -9,19 +9,13 @@ home: https://docs.alexlebens.dev/applications/eraser/
 sources:
   - https://github.com/eraser-dev/eraser
   - https://github.com/eraser-dev/eraser/pkgs/container/eraser-manager
-  - https://github.com/open-telemetry/opentelemetry-collector-releases/pkgs/container/opentelemetry-collector-releases%2Fopentelemetry-collector
   - https://github.com/eraser-dev/eraser/tree/main/charts/eraser
-  - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
 maintainers:
   - name: alexlebens
 dependencies:
   - name: eraser
     version: 1.4.1
     repository: https://eraser-dev.github.io/eraser/charts
-  - name: app-template
-    alias: eraser-metrics
-    repository: https://bjw-s-labs.github.io/helm-charts/
-    version: 4.6.2
 icon: https://raw.githubusercontent.com/eraser-dev/eraser/refs/heads/main/images/eraser-logo-color-1c.png
 # renovate: datasource=github-releases depName=eraser-dev/eraser
 appVersion: v1.4.1

clusters/cl01tl/helm/eraser/templates/_helpers.tpl

@@ -1,14 +0,0 @@
-{{/*
-Common labels
-*/}}
-{{- define "custom.labels" -}}
-{{ include "custom.selectorLabels" $ }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "custom.selectorLabels" -}}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/part-of: {{ .Release.Name }}
-{{- end }}

clusters/cl01tl/helm/eraser/values.yaml

@@ -35,85 +35,3 @@ eraser:
       requests:
         cpu: 1m
         memory: 20Mi
-eraser-metrics:
-  global:
-    nameOverride: eraser-metrics
-    fullnameOverride: eraser-metrics
-  controllers:
-    main:
-      type: deployment
-      replicas: 1
-      strategy: Recreate
-      containers:
-        main:
-          image:
-            repository: ghcr.io/open-telemetry/opentelemetry-collector-releases/opentelemetry-collector
-            tag: 0.150.1@sha256:618f7867e49fdb173d9b46d535b01f82254b0b14beac6ab1f6f2eb8cf62c5d42
-          command:
-            - /otelcol
-            - --config=/conf/otel-collector-config.yaml
-          resources:
-            requests:
-              cpu: 10m
-              memory: 20Mi
-  configMaps:
-    config:
-      enabled: true
-      forceRename: eraser-config
-      data:
-        otel-collector-config.yaml: |
-          receivers:
-            otlp:
-              protocols:
-                http:
-
-          exporters:
-            prometheus:
-              endpoint: "0.0.0.0:8889"
-              send_timestamps: true
-              metric_expiration: 180m
-
-          service:
-            telemetry:
-              logs:
-                encoding: json
-            pipelines:
-              metrics:
-                receivers:
-                  - otlp
-                exporters:
-                  - prometheus
-  service:
-    main:
-      controller: main
-      ports:
-        http:
-          port: 4318
-          targetPort: 4318
-        metrics:
-          port: 8889
-          targetPort: 8889
-  serviceMonitor:
-    main:
-      selector:
-        matchLabels:
-          app.kubernetes.io/name: eraser-metrics
-          app.kubernetes.io/instance: eraser-metrics
-      serviceName: '{{ include "bjw-s.common.lib.chart.names.fullname" $ }}'
-      endpoints:
-        - port: metrics
-          interval: 30s
-          scrapeTimeout: 15s
-          path: /metrics
-  persistence:
-    config:
-      enabled: true
-      type: configMap
-      name: eraser-config
-      advancedMounts:
-        main:
-          main:
-            - path: /conf/otel-collector-config.yaml
-              readOnly: true
-              mountPropagation: None
-              subPath: otel-collector-config.yaml

clusters/cl01tl/helm/excalidraw/Chart.yaml

@@ -5,7 +5,7 @@ description: Excalidraw
 keywords:
   - excalidraw
   - drawing
-home: https://docs.alexlebens.dev/applications/excalidraw/
+home: https://docs.alexlebens.dev/applications/eraser/
 sources:
   - https://github.com/excalidraw/excalidraw
   - https://hub.docker.com/r/excalidraw/excalidraw
@@ -19,4 +19,4 @@ dependencies:
     version: 4.6.2
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/excalidraw.png
 # renovate: datasource=github-releases depName=excalidraw/excalidraw
-appVersion: v0.18.1
+appVersion: v0.18.0

clusters/cl01tl/helm/excalidraw/templates/_helpers.tpl

@@ -1,14 +0,0 @@
-{{/*
-Common labels
-*/}}
-{{- define "custom.labels" -}}
-{{ include "custom.selectorLabels" $ }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "custom.selectorLabels" -}}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/part-of: {{ .Release.Name }}
-{{- end }}

clusters/cl01tl/helm/excalidraw/values.yaml

@@ -8,7 +8,7 @@ excalidraw:
         main:
           image:
             repository: excalidraw/excalidraw
-            tag: latest@sha256:20ffa04668e19616bb0c1b3632849e5cd96e0bc7a1336b73d9d072667f2c2854
+            tag: latest@sha256:3c2513e830bb6e195147c05b34ecf8393d0ba2b1cc86e93b407a5777d6135c6c
           env:
             - name: NODE_ENV
               value: production

clusters/cl01tl/helm/external-dns/Chart.yaml

@@ -5,7 +5,7 @@ description: External DNS
 keywords:
   - external-dns
   - dns
-home: https://docs.alexlebens.dev/applications/external-dns/
+home: https://docs.alexlebens.dev/applications/eraser/
 sources:
   - https://github.com/kubernetes-sigs/external-dns
   - https://explore.ggcr.dev/?repo=registry.k8s.io%2Fexternal-dns%2Fexternal-dns
@@ -20,4 +20,4 @@ dependencies:
     repository: https://kubernetes-sigs.github.io/external-dns/
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/kubernetes.png
 # renovate: datasource=github-releases depName=kubernetes-sigs/external-dns
-appVersion: v0.21.0
+appVersion: v0.20.0

clusters/cl01tl/helm/external-dns/templates/_helpers.tpl

@@ -1,14 +0,0 @@
-{{/*
-Common labels
-*/}}
-{{- define "custom.labels" -}}
-{{ include "custom.selectorLabels" $ }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "custom.selectorLabels" -}}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/part-of: {{ .Release.Name }}
-{{- end }}

clusters/cl01tl/helm/external-dns/templates/dns-endpoint.yaml

@@ -5,7 +5,8 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: external-device-names
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   endpoints:
     # Unifi UDM
@@ -47,7 +48,8 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: iot-device-names
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   endpoints:
     # Airgradient
@@ -80,18 +82,6 @@ spec:
       recordType: A
       targets:
         - 10.230.0.100
-    # HD Homerun
-    - dnsName: dv01hr.alexlebens.net
-      recordTTL: 180
-      recordType: A
-      targets:
-        - 10.232.1.72
-    # Pi KVM
-    - dnsName: dv02kv.alexlebens.net
-      recordTTL: 180
-      recordType: A
-      targets:
-        - 10.232.1.71
 
 ---
 apiVersion: externaldns.k8s.io/v1alpha1
@@ -101,7 +91,8 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: server-host-names
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   endpoints:
     # Unifi Gateway
@@ -134,18 +125,6 @@ spec:
       recordType: A
       targets:
         - 10.232.1.52
-    # Desktop
-    - dnsName: pd05wd.alexlebens.net
-      recordTTL: 180
-      recordType: A
-      targets:
-        - 10.230.0.115
-    # Laptop
-    - dnsName: pl02mc.alexlebens.net
-      recordTTL: 180
-      recordType: A
-      targets:
-        - 10.230.0.105
 
 ---
 apiVersion: externaldns.k8s.io/v1alpha1
@@ -155,7 +134,8 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: cluster-service-names
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   endpoints:
     # Treafik Proxy

clusters/cl01tl/helm/external-dns/templates/external-secret.yaml

@@ -5,13 +5,14 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: external-dns-unifi-secret
-    {{- include "custom.labels" . | nindent 4 }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: openbao
+    name: vault
   data:
     - secretKey: api-key
       remoteRef:
-        key: /unifi/users/cl01tl
+        key: /unifi/auth/cl01tl
         property: api-key

clusters/cl01tl/helm/external-dns/values.yaml

@@ -1,7 +1,7 @@
 external-dns-unifi:
   image:
     repository: registry.k8s.io/external-dns/external-dns
-    tag: v0.21.0@sha256:f53faaf71cb270d1ca9dce6ea0c94bfebf1a18696263487f0fbc74b9bf2bd7ff
+    tag: v0.20.0@sha256:ddc7f4212ed09a21024deb1f470a05240837712e74e4b9f6d1f2632ff10672e7
   fullnameOverride: external-dns-unifi
   resources:
     requests:

clusters/cl01tl/helm/external-secrets/Chart.lock

@@ -1,6 +1,6 @@
 dependencies:
 - name: external-secrets
   repository: https://charts.external-secrets.io
-  version: 2.4.0
-digest: sha256:a31b4ba5b5ec296036576c8d7d26f8b42061eec7142817f9ca0c256a457a2ea1
-generated: "2026-04-24T19:03:31.856576444Z"
+  version: 2.2.0
+digest: sha256:3894df20e1f3d56bc9789177181a84d8ae1402ef76ec6328e417ce5a568738ae
+generated: "2026-03-26T19:19:15.734454-05:00"

clusters/cl01tl/helm/external-secrets/Chart.yaml

@@ -14,8 +14,8 @@ sources:
 dependencies:
   - name: external-secrets
     alias: external-secrets
-    version: 2.4.0
+    version: 2.2.0
     repository: https://charts.external-secrets.io
 icon: https://raw.githubusercontent.com/external-secrets/external-secrets/refs/heads/main/assets/eso-logo-large.png
 # renovate: datasource=github-releases depName=external-secrets/external-secrets
-appVersion: v2.4.0
+appVersion: v2.2.0

clusters/cl01tl/helm/external-secrets/templates/_helpers.tpl

@@ -1,14 +0,0 @@
-{{/*
-Common labels
-*/}}
-{{- define "custom.labels" -}}
-{{ include "custom.selectorLabels" $ }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "custom.selectorLabels" -}}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/part-of: {{ .Release.Name }}
-{{- end }}

clusters/cl01tl/helm/external-secrets/templates/cluster-role-binding.yaml

@@ -1,16 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: external-secrets
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: external-secrets
-    {{- include "custom.labels" . | nindent 4 }}
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: system:auth-delegator
-subjects:
-  - kind: ServiceAccount
-    name: {{ .Release.Name }}
-    namespace: {{ .Release.Namespace }}