From 8527962c0ceb6dfaa822399184e18a91ce5ed1fe Mon Sep 17 00:00:00 2001
From: gitea-bot
Date: Sat, 14 Mar 2026 18:23:05 +0000
Subject: [PATCH 01/11] chore: Update manifests after change
---
 .../manifests/loki/ClusterRole-loki-clusterrole.yaml | 4 ++--
 .../ClusterRoleBinding-loki-clusterrolebinding.yaml | 4 ++--
 .../cl01tl/manifests/loki/ConfigMap-loki-gateway.yaml | 4 ++--
 .../cl01tl/manifests/loki/ConfigMap-loki-runtime.yaml | 4 ++--
 clusters/cl01tl/manifests/loki/ConfigMap-loki.yaml | 4 ++--
 .../cl01tl/manifests/loki/DaemonSet-loki-canary.yaml | 6 +++---
 .../cl01tl/manifests/loki/Deployment-loki-gateway.yaml | 4 ++--
 clusters/cl01tl/manifests/loki/Pod-loki-helm-test.yaml | 4 ++--
 .../cl01tl/manifests/loki/Service-loki-canary.yaml | 4 ++--
 .../manifests/loki/Service-loki-chunks-cache.yaml | 4 ++--
 .../cl01tl/manifests/loki/Service-loki-gateway.yaml | 4 ++--
 .../cl01tl/manifests/loki/Service-loki-headless.yaml | 4 ++--
 .../cl01tl/manifests/loki/Service-loki-memberlist.yaml | 4 ++--
 .../manifests/loki/Service-loki-results-cache.yaml | 4 ++--
 clusters/cl01tl/manifests/loki/Service-loki.yaml | 4 ++--
 .../manifests/loki/ServiceAccount-loki-canary.yaml | 4 ++--
 .../cl01tl/manifests/loki/ServiceAccount-loki.yaml | 4 ++--
 .../manifests/loki/StatefulSet-loki-chunks-cache.yaml | 4 ++--
 .../manifests/loki/StatefulSet-loki-results-cache.yaml | 4 ++--
 clusters/cl01tl/manifests/loki/StatefulSet-loki.yaml | 10 ++++++----
 20 files changed, 45 insertions(+), 43 deletions(-)
diff --git a/clusters/cl01tl/manifests/loki/ClusterRole-loki-clusterrole.yaml b/clusters/cl01tl/manifests/loki/ClusterRole-loki-clusterrole.yaml
index 144d5d38f..3555cc833 100644
--- a/clusters/cl01tl/manifests/loki/ClusterRole-loki-clusterrole.yaml
+++ b/clusters/cl01tl/manifests/loki/ClusterRole-loki-clusterrole.yaml
@@ -2,10 +2,10 @@ kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: labels: - helm.sh/chart: loki-6.53.0 + helm.sh/chart: loki-6.55.0 app.kubernetes.io/name: loki app.kubernetes.io/instance: loki - app.kubernetes.io/version: "3.6.5" + app.kubernetes.io/version: "3.6.7" name: loki-clusterrole rules: - apiGroups: [""] diff --git a/clusters/cl01tl/manifests/loki/ClusterRoleBinding-loki-clusterrolebinding.yaml b/clusters/cl01tl/manifests/loki/ClusterRoleBinding-loki-clusterrolebinding.yaml index e18fed921..915ce6ad7 100644 --- a/clusters/cl01tl/manifests/loki/ClusterRoleBinding-loki-clusterrolebinding.yaml +++ b/clusters/cl01tl/manifests/loki/ClusterRoleBinding-loki-clusterrolebinding.yaml @@ -3,10 +3,10 @@ apiVersion: rbac.authorization.k8s.io/v1 metadata: name: loki-clusterrolebinding labels: - helm.sh/chart: loki-6.53.0 + helm.sh/chart: loki-6.55.0 app.kubernetes.io/name: loki app.kubernetes.io/instance: loki - app.kubernetes.io/version: "3.6.5" + app.kubernetes.io/version: "3.6.7" subjects: - kind: ServiceAccount name: loki diff --git a/clusters/cl01tl/manifests/loki/ConfigMap-loki-gateway.yaml b/clusters/cl01tl/manifests/loki/ConfigMap-loki-gateway.yaml index 65d4fa809..5c9fd27ee 100644 --- a/clusters/cl01tl/manifests/loki/ConfigMap-loki-gateway.yaml +++ b/clusters/cl01tl/manifests/loki/ConfigMap-loki-gateway.yaml 
@@ -4,10 +4,10 @@ metadata: name: loki-gateway namespace: loki labels: - helm.sh/chart: loki-6.53.0 + helm.sh/chart: loki-6.55.0 app.kubernetes.io/name: loki app.kubernetes.io/instance: loki - app.kubernetes.io/version: "3.6.5" + app.kubernetes.io/version: "3.6.7" app.kubernetes.io/component: gateway data: nginx.conf: "worker_processes 5; ## Default: 1\nerror_log /dev/stderr;\npid /tmp/nginx.pid;\nworker_rlimit_nofile 8192;\n\nevents {\n worker_connections 4096; ## Default: 1024\n}\n\nhttp {\n client_body_temp_path /tmp/client_temp;\n proxy_temp_path /tmp/proxy_temp_path;\n fastcgi_temp_path /tmp/fastcgi_temp;\n uwsgi_temp_path /tmp/uwsgi_temp;\n scgi_temp_path /tmp/scgi_temp;\n\n client_max_body_size 4M;\n\n proxy_read_timeout 600; ## 10 minutes\n proxy_send_timeout 600;\n proxy_connect_timeout 600;\n\n proxy_http_version 1.1;\n\n default_type application/octet-stream;\n log_format main '$remote_addr - $remote_user [$time_local] $status '\n '\"$request\" $body_bytes_sent \"$http_referer\" '\n '\"$http_user_agent\" \"$http_x_forwarded_for\"';\n access_log /dev/stderr main;\n\n sendfile on;\n tcp_nopush on;\n resolver kube-dns.kube-system.svc.cluster.local.;\n\n # if the X-Query-Tags header is empty, set a noop= without a value as empty values are not logged\n map $http_x_query_tags $query_tags {\n \"\" \"noop=\"; # When header is empty, set noop=\n default $http_x_query_tags; # Otherwise, preserve the original value\n }\n\n server {\n listen 8080;\n listen [::]:8080;\n\n location = / {\n \n return 200 'OK';\n auth_basic off;\n }\n\n ########################################################\n # Configure backend targets\n location ^~ /ui {\n \n proxy_pass http://loki.loki.svc.cluster.local:3100$request_uri;\n }\n\n # Distributor\n location = /api/prom/push {\n \n proxy_pass http://loki.loki.svc.cluster.local:3100$request_uri;\n }\n location = /loki/api/v1/push {\n \n proxy_pass http://loki.loki.svc.cluster.local:3100$request_uri;\n }\n location = /distributor/ring 
{\n \n proxy_pass http://loki.loki.svc.cluster.local:3100$request_uri;\n }\n location = /otlp/v1/logs {\n \n proxy_pass http://loki.loki.svc.cluster.local:3100$request_uri;\n }\n\n # Ingester\n location = /flush {\n \n proxy_pass http://loki.loki.svc.cluster.local:3100$request_uri;\n }\n location ^~ /ingester/ {\n \n proxy_pass http://loki.loki.svc.cluster.local:3100$request_uri;\n }\n location = /ingester {\n \n internal; # to suppress 301\n }\n\n # Ring\n location = /ring {\n \n proxy_pass http://loki.loki.svc.cluster.local:3100$request_uri;\n }\n\n # MemberListKV\n location = /memberlist {\n \n proxy_pass http://loki.loki.svc.cluster.local:3100$request_uri;\n }\n\n # Ruler\n location = /ruler/ring {\n \n proxy_pass http://loki.loki.svc.cluster.local:3100$request_uri;\n }\n location = /api/prom/rules {\n \n proxy_pass http://loki.loki.svc.cluster.local:3100$request_uri;\n }\n location ^~ /api/prom/rules/ {\n \n proxy_pass http://loki.loki.svc.cluster.local:3100$request_uri;\n }\n location = /loki/api/v1/rules {\n \n proxy_pass http://loki.loki.svc.cluster.local:3100$request_uri;\n }\n location ^~ /loki/api/v1/rules/ {\n \n proxy_pass http://loki.loki.svc.cluster.local:3100$request_uri;\n }\n location = /prometheus/api/v1/alerts {\n \n proxy_pass http://loki.loki.svc.cluster.local:3100$request_uri;\n }\n location = /prometheus/api/v1/rules {\n \n proxy_pass http://loki.loki.svc.cluster.local:3100$request_uri;\n }\n\n # Compactor\n location = /compactor/ring {\n \n proxy_pass http://loki.loki.svc.cluster.local:3100$request_uri;\n }\n location = /loki/api/v1/delete {\n \n proxy_pass http://loki.loki.svc.cluster.local:3100$request_uri;\n }\n location = /loki/api/v1/cache/generation_numbers {\n \n proxy_pass http://loki.loki.svc.cluster.local:3100$request_uri;\n }\n\n # IndexGateway\n location = /indexgateway/ring {\n \n proxy_pass http://loki.loki.svc.cluster.local:3100$request_uri;\n }\n\n # QueryScheduler\n location = /scheduler/ring {\n \n proxy_pass 
http://loki.loki.svc.cluster.local:3100$request_uri;\n }\n\n # Config\n location = /config {\n \n proxy_pass http://loki.loki.svc.cluster.local:3100$request_uri;\n }\n\n\n # QueryFrontend, Querier\n location = /api/prom/tail {\n proxy_set_header Upgrade $http_upgrade;\n proxy_set_header Connection \"upgrade\";\n \n proxy_pass http://loki.loki.svc.cluster.local:3100$request_uri;\n }\n location = /loki/api/v1/tail {\n proxy_set_header Upgrade $http_upgrade;\n proxy_set_header Connection \"upgrade\";\n \n proxy_pass http://loki.loki.svc.cluster.local:3100$request_uri;\n }\n location ^~ /api/prom/ {\n \n proxy_pass http://loki.loki.svc.cluster.local:3100$request_uri;\n }\n location = /api/prom {\n \n internal; # to suppress 301\n }\n location ^~ /loki/api/v1/ {\n # pass custom headers set by Grafana as X-Query-Tags which are logged as key/value pairs in metrics.go log messages\n proxy_set_header X-Query-Tags \"${query_tags},user=${http_x_grafana_user},dashboard_id=${http_x_dashboard_uid},dashboard_title=${http_x_dashboard_title},panel_id=${http_x_panel_id},panel_title=${http_x_panel_title},source_rule_uid=${http_x_rule_uid},rule_name=${http_x_rule_name},rule_folder=${http_x_rule_folder},rule_version=${http_x_rule_version},rule_source=${http_x_rule_source},rule_type=${http_x_rule_type}\";\n \n proxy_pass http://loki.loki.svc.cluster.local:3100$request_uri;\n }\n location = /loki/api/v1 {\n \n internal; # to suppress 301\n }\n }\n}\n" diff --git a/clusters/cl01tl/manifests/loki/ConfigMap-loki-runtime.yaml b/clusters/cl01tl/manifests/loki/ConfigMap-loki-runtime.yaml index 0f441bc5b..01b22c4f6 100644 --- a/clusters/cl01tl/manifests/loki/ConfigMap-loki-runtime.yaml +++ b/clusters/cl01tl/manifests/loki/ConfigMap-loki-runtime.yaml 
@@ -4,10 +4,10 @@ metadata: name: loki-runtime namespace: loki labels: - helm.sh/chart: loki-6.53.0 + helm.sh/chart: loki-6.55.0 app.kubernetes.io/name: loki app.kubernetes.io/instance: loki - app.kubernetes.io/version: "3.6.5" + app.kubernetes.io/version: "3.6.7" data: runtime-config.yaml: | {} diff --git a/clusters/cl01tl/manifests/loki/ConfigMap-loki.yaml b/clusters/cl01tl/manifests/loki/ConfigMap-loki.yaml index f2b89870c..e12f58d9a 100644 --- a/clusters/cl01tl/manifests/loki/ConfigMap-loki.yaml +++ b/clusters/cl01tl/manifests/loki/ConfigMap-loki.yaml @@ -4,10 +4,10 @@ metadata: name: loki namespace: loki labels: - helm.sh/chart: loki-6.53.0 + helm.sh/chart: loki-6.55.0 app.kubernetes.io/name: loki app.kubernetes.io/instance: loki - app.kubernetes.io/version: "3.6.5" + app.kubernetes.io/version: "3.6.7" data: config.yaml: |2 diff --git a/clusters/cl01tl/manifests/loki/DaemonSet-loki-canary.yaml b/clusters/cl01tl/manifests/loki/DaemonSet-loki-canary.yaml index 14090d13d..605c7aef8 100644 --- a/clusters/cl01tl/manifests/loki/DaemonSet-loki-canary.yaml +++ b/clusters/cl01tl/manifests/loki/DaemonSet-loki-canary.yaml @@ -4,10 +4,10 @@ metadata: name: loki-canary namespace: loki labels: - helm.sh/chart: loki-6.53.0 + helm.sh/chart: loki-6.55.0 app.kubernetes.io/name: loki app.kubernetes.io/instance: loki - app.kubernetes.io/version: "3.6.5" + app.kubernetes.io/version: "3.6.7" app.kubernetes.io/component: canary spec: selector: @@ -35,7 +35,7 @@ spec: runAsUser: 10001 containers: - name: loki-canary - image: docker.io/grafana/loki-canary:3.6.5 + image: docker.io/grafana/loki-canary:3.6.7 imagePullPolicy: IfNotPresent args: - -addr=loki-gateway.loki.svc.cluster.local.:80 diff --git a/clusters/cl01tl/manifests/loki/Deployment-loki-gateway.yaml b/clusters/cl01tl/manifests/loki/Deployment-loki-gateway.yaml index 5a23ef994..cdf48fe26 100644 --- a/clusters/cl01tl/manifests/loki/Deployment-loki-gateway.yaml +++ b/clusters/cl01tl/manifests/loki/Deployment-loki-gateway.yaml 
@@ -4,10 +4,10 @@ metadata: name: loki-gateway namespace: loki labels: - helm.sh/chart: loki-6.53.0 + helm.sh/chart: loki-6.55.0 app.kubernetes.io/name: loki app.kubernetes.io/instance: loki - app.kubernetes.io/version: "3.6.5" + app.kubernetes.io/version: "3.6.7" app.kubernetes.io/component: gateway spec: replicas: 1 diff --git a/clusters/cl01tl/manifests/loki/Pod-loki-helm-test.yaml b/clusters/cl01tl/manifests/loki/Pod-loki-helm-test.yaml index 36058726b..fb905727d 100644 --- a/clusters/cl01tl/manifests/loki/Pod-loki-helm-test.yaml +++ b/clusters/cl01tl/manifests/loki/Pod-loki-helm-test.yaml @@ -4,10 +4,10 @@ metadata: name: "loki-helm-test" namespace: loki labels: - helm.sh/chart: loki-6.53.0 + helm.sh/chart: loki-6.55.0 app.kubernetes.io/name: loki app.kubernetes.io/instance: loki - app.kubernetes.io/version: "3.6.5" + app.kubernetes.io/version: "3.6.7" app.kubernetes.io/component: helm-test annotations: "helm.sh/hook": test diff --git a/clusters/cl01tl/manifests/loki/Service-loki-canary.yaml b/clusters/cl01tl/manifests/loki/Service-loki-canary.yaml index 638f5c40f..05c108e0e 100644 --- a/clusters/cl01tl/manifests/loki/Service-loki-canary.yaml +++ b/clusters/cl01tl/manifests/loki/Service-loki-canary.yaml @@ -4,10 +4,10 @@ metadata: name: loki-canary namespace: loki labels: - helm.sh/chart: loki-6.53.0 + helm.sh/chart: loki-6.55.0 app.kubernetes.io/name: loki app.kubernetes.io/instance: loki - app.kubernetes.io/version: "3.6.5" + app.kubernetes.io/version: "3.6.7" app.kubernetes.io/component: canary annotations: spec: diff --git a/clusters/cl01tl/manifests/loki/Service-loki-chunks-cache.yaml b/clusters/cl01tl/manifests/loki/Service-loki-chunks-cache.yaml index a54eb6b73..e11e77cde 100644 --- a/clusters/cl01tl/manifests/loki/Service-loki-chunks-cache.yaml +++ b/clusters/cl01tl/manifests/loki/Service-loki-chunks-cache.yaml 
@@ -3,10 +3,10 @@ kind: Service metadata: name: loki-chunks-cache labels: - helm.sh/chart: loki-6.53.0 + helm.sh/chart: loki-6.55.0 app.kubernetes.io/name: loki app.kubernetes.io/instance: loki - app.kubernetes.io/version: "3.6.5" + app.kubernetes.io/version: "3.6.7" app.kubernetes.io/component: "memcached-chunks-cache" annotations: {} namespace: "loki" diff --git a/clusters/cl01tl/manifests/loki/Service-loki-gateway.yaml b/clusters/cl01tl/manifests/loki/Service-loki-gateway.yaml index 1a60809f5..e76a1c56a 100644 --- a/clusters/cl01tl/manifests/loki/Service-loki-gateway.yaml +++ b/clusters/cl01tl/manifests/loki/Service-loki-gateway.yaml @@ -4,10 +4,10 @@ metadata: name: loki-gateway namespace: loki labels: - helm.sh/chart: loki-6.53.0 + helm.sh/chart: loki-6.55.0 app.kubernetes.io/name: loki app.kubernetes.io/instance: loki - app.kubernetes.io/version: "3.6.5" + app.kubernetes.io/version: "3.6.7" app.kubernetes.io/component: gateway prometheus.io/service-monitor: "false" annotations: diff --git a/clusters/cl01tl/manifests/loki/Service-loki-headless.yaml b/clusters/cl01tl/manifests/loki/Service-loki-headless.yaml index c100c2b87..ff58b51dd 100644 --- a/clusters/cl01tl/manifests/loki/Service-loki-headless.yaml +++ b/clusters/cl01tl/manifests/loki/Service-loki-headless.yaml @@ -4,10 +4,10 @@ metadata: name: loki-headless namespace: loki labels: - helm.sh/chart: loki-6.53.0 + helm.sh/chart: loki-6.55.0 app.kubernetes.io/name: loki app.kubernetes.io/instance: loki - app.kubernetes.io/version: "3.6.5" + app.kubernetes.io/version: "3.6.7" variant: headless prometheus.io/service-monitor: "false" annotations: diff --git a/clusters/cl01tl/manifests/loki/Service-loki-memberlist.yaml b/clusters/cl01tl/manifests/loki/Service-loki-memberlist.yaml index 2e53c9a44..7dfa8e78d 100644 --- a/clusters/cl01tl/manifests/loki/Service-loki-memberlist.yaml +++ b/clusters/cl01tl/manifests/loki/Service-loki-memberlist.yaml 
@@ -4,10 +4,10 @@ metadata: name: loki-memberlist namespace: loki labels: - helm.sh/chart: loki-6.53.0 + helm.sh/chart: loki-6.55.0 app.kubernetes.io/name: loki app.kubernetes.io/instance: loki - app.kubernetes.io/version: "3.6.5" + app.kubernetes.io/version: "3.6.7" annotations: spec: type: ClusterIP diff --git a/clusters/cl01tl/manifests/loki/Service-loki-results-cache.yaml b/clusters/cl01tl/manifests/loki/Service-loki-results-cache.yaml index 34eda366b..1e09f93bd 100644 --- a/clusters/cl01tl/manifests/loki/Service-loki-results-cache.yaml +++ b/clusters/cl01tl/manifests/loki/Service-loki-results-cache.yaml @@ -3,10 +3,10 @@ kind: Service metadata: name: loki-results-cache labels: - helm.sh/chart: loki-6.53.0 + helm.sh/chart: loki-6.55.0 app.kubernetes.io/name: loki app.kubernetes.io/instance: loki - app.kubernetes.io/version: "3.6.5" + app.kubernetes.io/version: "3.6.7" app.kubernetes.io/component: "memcached-results-cache" annotations: {} namespace: "loki" diff --git a/clusters/cl01tl/manifests/loki/Service-loki.yaml b/clusters/cl01tl/manifests/loki/Service-loki.yaml index 13fdfe3c9..7932bd841 100644 --- a/clusters/cl01tl/manifests/loki/Service-loki.yaml +++ b/clusters/cl01tl/manifests/loki/Service-loki.yaml @@ -4,10 +4,10 @@ metadata: name: loki namespace: loki labels: - helm.sh/chart: loki-6.53.0 + helm.sh/chart: loki-6.55.0 app.kubernetes.io/name: loki app.kubernetes.io/instance: loki - app.kubernetes.io/version: "3.6.5" + app.kubernetes.io/version: "3.6.7" annotations: spec: type: ClusterIP diff --git a/clusters/cl01tl/manifests/loki/ServiceAccount-loki-canary.yaml b/clusters/cl01tl/manifests/loki/ServiceAccount-loki-canary.yaml index 83a25dbd6..8ac5ed1d1 100644 --- a/clusters/cl01tl/manifests/loki/ServiceAccount-loki-canary.yaml +++ b/clusters/cl01tl/manifests/loki/ServiceAccount-loki-canary.yaml 
@@ -4,9 +4,9 @@ metadata: name: loki-canary namespace: loki labels: - helm.sh/chart: loki-6.53.0 + helm.sh/chart: loki-6.55.0 app.kubernetes.io/name: loki app.kubernetes.io/instance: loki - app.kubernetes.io/version: "3.6.5" + app.kubernetes.io/version: "3.6.7" app.kubernetes.io/component: canary automountServiceAccountToken: true diff --git a/clusters/cl01tl/manifests/loki/ServiceAccount-loki.yaml b/clusters/cl01tl/manifests/loki/ServiceAccount-loki.yaml index 779fe396a..e1a8c4fa2 100644 --- a/clusters/cl01tl/manifests/loki/ServiceAccount-loki.yaml +++ b/clusters/cl01tl/manifests/loki/ServiceAccount-loki.yaml @@ -4,8 +4,8 @@ metadata: name: loki namespace: loki labels: - helm.sh/chart: loki-6.53.0 + helm.sh/chart: loki-6.55.0 app.kubernetes.io/name: loki app.kubernetes.io/instance: loki - app.kubernetes.io/version: "3.6.5" + app.kubernetes.io/version: "3.6.7" automountServiceAccountToken: true diff --git a/clusters/cl01tl/manifests/loki/StatefulSet-loki-chunks-cache.yaml b/clusters/cl01tl/manifests/loki/StatefulSet-loki-chunks-cache.yaml index f61b4f0ad..a2b35d6b9 100644 --- a/clusters/cl01tl/manifests/loki/StatefulSet-loki-chunks-cache.yaml +++ b/clusters/cl01tl/manifests/loki/StatefulSet-loki-chunks-cache.yaml @@ -3,10 +3,10 @@ kind: StatefulSet metadata: name: loki-chunks-cache labels: - helm.sh/chart: loki-6.53.0 + helm.sh/chart: loki-6.55.0 app.kubernetes.io/name: loki app.kubernetes.io/instance: loki - app.kubernetes.io/version: "3.6.5" + app.kubernetes.io/version: "3.6.7" app.kubernetes.io/component: "memcached-chunks-cache" name: "memcached-chunks-cache" annotations: {} diff --git a/clusters/cl01tl/manifests/loki/StatefulSet-loki-results-cache.yaml b/clusters/cl01tl/manifests/loki/StatefulSet-loki-results-cache.yaml index 97971c1b6..2d8c9a8e7 100644 --- a/clusters/cl01tl/manifests/loki/StatefulSet-loki-results-cache.yaml +++ b/clusters/cl01tl/manifests/loki/StatefulSet-loki-results-cache.yaml 
@@ -3,10 +3,10 @@ kind: StatefulSet metadata: name: loki-results-cache labels: - helm.sh/chart: loki-6.53.0 + helm.sh/chart: loki-6.55.0 app.kubernetes.io/name: loki app.kubernetes.io/instance: loki - app.kubernetes.io/version: "3.6.5" + app.kubernetes.io/version: "3.6.7" app.kubernetes.io/component: "memcached-results-cache" name: "memcached-results-cache" annotations: {} diff --git a/clusters/cl01tl/manifests/loki/StatefulSet-loki.yaml b/clusters/cl01tl/manifests/loki/StatefulSet-loki.yaml index d83ff6bae..c58929f25 100644 --- a/clusters/cl01tl/manifests/loki/StatefulSet-loki.yaml +++ b/clusters/cl01tl/manifests/loki/StatefulSet-loki.yaml @@ -4,10 +4,10 @@ metadata: name: loki namespace: loki labels: - helm.sh/chart: loki-6.53.0 + helm.sh/chart: loki-6.55.0 app.kubernetes.io/name: loki app.kubernetes.io/instance: loki - app.kubernetes.io/version: "3.6.5" + app.kubernetes.io/version: "3.6.7" app.kubernetes.io/component: single-binary app.kubernetes.io/part-of: memberlist spec: @@ -50,7 +50,7 @@ spec: terminationGracePeriodSeconds: 30 containers: - name: loki - image: docker.io/grafana/loki:3.6.5 + image: docker.io/grafana/loki:3.6.7 imagePullPolicy: IfNotPresent args: - -config.file=/etc/loki/config/config.yaml @@ -93,7 +93,7 @@ spec: mountPath: "/rules" resources: {} - name: loki-sc-rules - image: docker.io/kiwigrid/k8s-sidecar:1.30.9 + image: docker.io/kiwigrid/k8s-sidecar:2.5.0 imagePullPolicy: IfNotPresent env: - name: METHOD @@ -117,6 +117,8 @@ spec: - ALL readOnlyRootFilesystem: true volumeMounts: + - name: tmp + mountPath: /tmp - name: sc-rules-volume mountPath: "/rules" affinity: -- 2.49.1 From 78e2b2bfb03d50a82c24984c68d157949edb34d6 Mon Sep 17 00:00:00 2001 From: gitea-bot Date: Sat, 14 Mar 2026 18:35:13 +0000 Subject: [PATCH 02/11] chore: Update manifests after change --- .../cl01tl/manifests/code-server/Deployment-code-server.yaml | 2 +- .../manifests/home-assistant/Deployment-home-assistant.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
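Review bot: The new `tmp` volumeMount at `/tmp` on the `loki-sc-rules` sidecar (last hunk of StatefulSet-loki.yaml) names a volume this hunk does not declare; the pod's `volumes:` list lies outside the hunk, so confirm the rendered StatefulSet also gained an `emptyDir` named `tmp`, because API validation rejects a pod whose volumeMount references an undeclared volume. Since the sidecar runs with `readOnlyRootFilesystem: true`, that emptyDir should carry a `sizeLimit` (e.g. `emptyDir: { sizeLimit: 64Mi }`) so a misbehaving sidecar writing under /tmp cannot exhaust node ephemeral storage. The same file bumps `docker.io/kiwigrid/k8s-sidecar` from `1.30.9` to `2.5.0`, a major-version jump with no `@sha256` digest, whereas the code-server images in the next commit are digest-pinned; pinning the sidecar in the loki chart values (`image: docker.io/kiwigrid/k8s-sidecar:2.5.0@sha256:<digest>`) would give it the same supply-chain guarantee. As this is a Helm-rendered manifest, both fixes belong in the chart values rather than in this generated file.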
diff --git a/clusters/cl01tl/manifests/code-server/Deployment-code-server.yaml b/clusters/cl01tl/manifests/code-server/Deployment-code-server.yaml index cd2d8b01f..c3dd56ca3 100644 --- a/clusters/cl01tl/manifests/code-server/Deployment-code-server.yaml +++ b/clusters/cl01tl/manifests/code-server/Deployment-code-server.yaml @@ -46,7 +46,7 @@ spec: envFrom: - secretRef: name: codeserver-password-secret - image: ghcr.io/linuxserver/code-server:4.110.0@sha256:8473aa16fba93fccc3ca772173d095bccd2e44d4d3104467fee923df10d57cd2 + image: ghcr.io/linuxserver/code-server:4.111.0@sha256:04107645b21f33215d1087773e2c889dfed823434f5dc4c7e9ae20df218a8ef3 imagePullPolicy: IfNotPresent name: main resources: diff --git a/clusters/cl01tl/manifests/home-assistant/Deployment-home-assistant.yaml b/clusters/cl01tl/manifests/home-assistant/Deployment-home-assistant.yaml index 8a6c01726..3f13e34aa 100644 --- a/clusters/cl01tl/manifests/home-assistant/Deployment-home-assistant.yaml +++ b/clusters/cl01tl/manifests/home-assistant/Deployment-home-assistant.yaml @@ -46,7 +46,7 @@ spec: envFrom: - secretRef: name: home-assistant-code-server-password-secret - image: ghcr.io/linuxserver/code-server:4.110.0@sha256:8473aa16fba93fccc3ca772173d095bccd2e44d4d3104467fee923df10d57cd2 + image: ghcr.io/linuxserver/code-server:4.111.0@sha256:04107645b21f33215d1087773e2c889dfed823434f5dc4c7e9ae20df218a8ef3 imagePullPolicy: IfNotPresent name: code-server resources: -- 2.49.1 From 3cbdfeb8b1b49fa48652ec5126056834f01ef838 Mon Sep 17 00:00:00 2001 From: gitea-bot Date: Sat, 14 Mar 2026 19:44:58 +0000 Subject: [PATCH 03/11] chore: Update manifests after change --- clusters/cl01tl/manifests/libation/CronJob-libation-main.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/clusters/cl01tl/manifests/libation/CronJob-libation-main.yaml b/clusters/cl01tl/manifests/libation/CronJob-libation-main.yaml index 0fd454324..411e5b43f 100644 --- a/clusters/cl01tl/manifests/libation/CronJob-libation-main.yaml 
+++ b/clusters/cl01tl/manifests/libation/CronJob-libation-main.yaml @@ -42,7 +42,7 @@ spec: value: "-1" - name: LIBATION_BOOKS_DIR value: /data - image: rmcrackan/libation:13.2.1 + image: rmcrackan/libation:13.3.0 imagePullPolicy: IfNotPresent name: main resources: -- 2.49.1 From e978f9ce9032befe171152b16e93a003fb16477f Mon Sep 17 00:00:00 2001 From: gitea-bot Date: Sat, 14 Mar 2026 19:46:29 +0000 Subject: [PATCH 04/11] chore: Update manifests after change --- .../manifests/music-grabber/Deployment-music-grabber.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/clusters/cl01tl/manifests/music-grabber/Deployment-music-grabber.yaml b/clusters/cl01tl/manifests/music-grabber/Deployment-music-grabber.yaml index 35478b185..9ac6ef007 100644 --- a/clusters/cl01tl/manifests/music-grabber/Deployment-music-grabber.yaml +++ b/clusters/cl01tl/manifests/music-grabber/Deployment-music-grabber.yaml @@ -130,7 +130,7 @@ spec: name: music-grabber-config-secret - name: SLSKD_DOWNLOADS_PATH value: /mnt/store/slskd/Downloads - image: g33kphr33k/musicgrabber:2.3.5 + image: g33kphr33k/musicgrabber:2.4.3 imagePullPolicy: IfNotPresent name: main resources: -- 2.49.1 From f14bb488cb5a02314ee1e174047693c6818805db Mon Sep 17 00:00:00 2001 From: gitea-bot Date: Sat, 14 Mar 2026 19:53:16 +0000 Subject: [PATCH 05/11] chore: Update manifests after change --- .../manifests/audiobookshelf/Deployment-audiobookshelf.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/clusters/cl01tl/manifests/audiobookshelf/Deployment-audiobookshelf.yaml b/clusters/cl01tl/manifests/audiobookshelf/Deployment-audiobookshelf.yaml index 2826b5339..46aa02b4f 100644 --- a/clusters/cl01tl/manifests/audiobookshelf/Deployment-audiobookshelf.yaml +++ b/clusters/cl01tl/manifests/audiobookshelf/Deployment-audiobookshelf.yaml 
@@ -62,7 +62,7 @@ spec: - env: - name: TZ value: US/Central - image: ghcr.io/advplyr/audiobookshelf:2.32.1 + image: ghcr.io/advplyr/audiobookshelf:2.33.0 imagePullPolicy: IfNotPresent name: main resources: -- 2.49.1 From 798bc54e41d0a0c79fc12e549554049148009c4e Mon Sep 17 00:00:00 2001 From: gitea-bot Date: Sat, 14 Mar 2026 19:55:50 +0000 Subject: [PATCH 06/11] chore: Update manifests after change --- clusters/cl01tl/manifests/whodb/Deployment-whodb.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/clusters/cl01tl/manifests/whodb/Deployment-whodb.yaml b/clusters/cl01tl/manifests/whodb/Deployment-whodb.yaml index f15be6c59..5d022228c 100644 --- a/clusters/cl01tl/manifests/whodb/Deployment-whodb.yaml +++ b/clusters/cl01tl/manifests/whodb/Deployment-whodb.yaml @@ -39,7 +39,7 @@ spec: value: ollama-server-2.ollama - name: WHODB_OLLAMA_PORT value: "11434" - image: clidey/whodb:0.98.0 + image: clidey/whodb:0.99.0 imagePullPolicy: IfNotPresent name: main resources: -- 2.49.1 From 45d2a9728f63b2ee10ad27336a550edf9ddb8f58 Mon Sep 17 00:00:00 2001 From: gitea-bot Date: Sat, 14 Mar 2026 19:57:07 +0000 Subject: [PATCH 07/11] chore: Update manifests after change --- ...tion-externalmariadbs.k8s.mariadb.com.yaml | 20 +- ...ceDefinition-mariadbs.k8s.mariadb.com.yaml | 258 +++++++++++++++++- ...eDefinition-maxscales.k8s.mariadb.com.yaml | 32 ++- ...ition-physicalbackups.k8s.mariadb.com.yaml | 60 ++++ ...pointintimerecoveries.k8s.mariadb.com.yaml | 255 +++++++++++++++++ 5 files changed, 604 insertions(+), 21 deletions(-) create mode 100644 clusters/cl01tl/manifests/mariadb-operator/CustomResourceDefinition-pointintimerecoveries.k8s.mariadb.com.yaml diff --git a/clusters/cl01tl/manifests/mariadb-operator/CustomResourceDefinition-externalmariadbs.k8s.mariadb.com.yaml b/clusters/cl01tl/manifests/mariadb-operator/CustomResourceDefinition-externalmariadbs.k8s.mariadb.com.yaml index a40482d8a..f0f4f856d 100644 
--- a/clusters/cl01tl/manifests/mariadb-operator/CustomResourceDefinition-externalmariadbs.k8s.mariadb.com.yaml +++ b/clusters/cl01tl/manifests/mariadb-operator/CustomResourceDefinition-externalmariadbs.k8s.mariadb.com.yaml @@ -197,13 +197,17 @@ spec: By default, the Secret field 'ca.crt' provisioned by cert-manager will be added to the trust chain. A custom trust bundle may be specified via clientCASecretRef. properties: group: - description: Group of the resource being referred to. + description: |- + Group of the issuer being referred to. + Defaults to 'cert-manager.io'. type: string kind: - description: Kind of the resource being referred to. + description: |- + Kind of the issuer being referred to. + Defaults to 'Issuer'. type: string name: - description: Name of the resource being referred to. + description: Name of the issuer being referred to. type: string required: - name @@ -258,13 +262,17 @@ spec: By default, the Secret field 'ca.crt' provisioned by cert-manager will be added to the trust chain. A custom trust bundle may be specified via serverCASecretRef. properties: group: - description: Group of the resource being referred to. + description: |- + Group of the issuer being referred to. + Defaults to 'cert-manager.io'. type: string kind: - description: Kind of the resource being referred to. + description: |- + Kind of the issuer being referred to. + Defaults to 'Issuer'. type: string name: - description: Name of the resource being referred to. + description: Name of the issuer being referred to. type: string required: - name diff --git a/clusters/cl01tl/manifests/mariadb-operator/CustomResourceDefinition-mariadbs.k8s.mariadb.com.yaml b/clusters/cl01tl/manifests/mariadb-operator/CustomResourceDefinition-mariadbs.k8s.mariadb.com.yaml index d0c0f202a..4be939dcb 100644 --- a/clusters/cl01tl/manifests/mariadb-operator/CustomResourceDefinition-mariadbs.k8s.mariadb.com.yaml 
+++ b/clusters/cl01tl/manifests/mariadb-operator/CustomResourceDefinition-mariadbs.k8s.mariadb.com.yaml 
@@ -287,6 +287,60 @@ spec: bootstrapFrom: description: BootstrapFrom defines a source to bootstrap from. properties: + azureBlob: + description: |- + AzureBlob defines the configuration to restore from Azure Blob compatible storage. + This field takes precedence over the Volume source. + properties: + containerName: + description: ContainerName is the name of the storage container. + type: string + prefix: + description: 'Prefix indicates a folder/subfolder in the container. For example: mariadb/ or mariadb/backups. A trailing slash ''/'' is added if not provided.' + type: string + serviceURL: + description: 'ServiceURL is the full URL for connecting to Azure, usually in the form: http(s)://.blob.core.windows.net/.' + type: string + storageAccountKey: + description: StorageAccountKey is a reference to a Secret key containing the Azure Blob Storage Storage account Key. Pairs with StorageAccountKey for static credential authentication + properties: + key: + type: string + name: + default: "" + type: string + required: + - key + type: object + x-kubernetes-map-type: atomic + storageAccountName: + description: StorageAccountName is the name of the storage account. Pairs with StorageAccountKey for static credential authentication + type: string + tls: + description: TLS provides the configuration required to establish TLS connections with Azure Blob Storage. + properties: + caSecretKeyRef: + description: |- + CASecretKeyRef is a reference to a Secret key containing a CA bundle in PEM format used to establish TLS connections with S3. + By default, the system trust chain will be used, but you can use this field to add more CAs to the bundle. + properties: + key: + type: string + name: + default: "" + type: string + required: + - key + type: object + x-kubernetes-map-type: atomic + enabled: + description: Enabled is a flag to enable TLS. 
+ type: boolean + type: object + required: + - containerName + - serviceURL + type: object backupContentType: description: |- BackupContentType is the backup content type available in the source to bootstrap from. @@ -308,8 +362,30 @@ spec: description: Name of the referent. type: string type: object + logLevel: + default: info + description: LogLevel to be used in the mariadb-operator container of the restoration Job. It defaults to 'info'. + enum: + - debug + - info + - warn + - error + - dpanic + - panic + - fatal + type: string + pointInTimeRecoveryRef: + description: |- + PointInTimeRecoveryRef is a reference to a PointInTimeRecovery object. + Providing this field implies restoring the PhysicalBackup referenced in the PointInTimeRecovery object and replaying the + archived binary logs up to the point-in-time restoration target, defined by the targetRecoveryTime field. + properties: + name: + default: "" + type: string + type: object restoreJob: - description: RestoreJob defines additional properties for the Job used to perform the restoration. + description: RestoreJob defines additional properties for the restoration Job. properties: affinity: description: Affinity to be used in the Pod. @@ -724,7 +800,7 @@ spec: type: object stagingStorage: description: |- - StagingStorage defines the temporary storage used to keep external backups (i.e. S3) while they are being processed. + StagingStorage defines the temporary storage used to keep external backups and binary logs (i.e. S3) while they are being processed. It defaults to an emptyDir volume, meaning that the backups will be temporarily stored in the node where the Job is scheduled. properties: persistentVolumeClaim: 
@@ -1061,6 +1137,12 @@ spec: database: description: Database is the name of the initial Database. type: string + enableServiceLinks: + description: |- + EnableServiceLinks indicates whether information about services should be injected into pod's + environment variables, matching the syntax of Docker links. Defaults to true if not specified. + Set to false to disable injection of service link environment variables. + type: boolean env: description: Env represents the environment variables to be injected in a container. items: @@ -2408,7 +2490,7 @@ spec: maxScaleRef: description: |- MaxScaleRef is a reference to a MaxScale resource to be used with the current MariaDB. - Providing this field implies delegating high availability tasks such as primary failover to MaxScale. + Providing this reference implies delegating high availability tasks such as primary failover to MaxScale. properties: name: type: string @@ -3130,6 +3212,15 @@ spec: type: array x-kubernetes-list-type: atomic type: object + pointInTimeRecoveryRef: + description: |- + PointInTimeRecoveryRef is a reference to a PointInTimeRecovery resource to be used with the current MariaDB. + Providing this reference implies configuring binary logs in the MariaDB instance and binary log archival in the sidecar agent. + properties: + name: + default: "" + type: string + type: object port: default: 3306 description: Port where the instances will be listening for connections. @@ -3217,6 +3308,9 @@ spec: externalTrafficPolicy: description: ExternalTrafficPolicy Service field. type: string + loadBalancerClass: + description: LoadBalancerClass Service field. + type: string loadBalancerIP: description: LoadBalancerIP Service field. type: string @@ -4674,6 +4768,9 @@ spec: externalTrafficPolicy: description: ExternalTrafficPolicy Service field. type: string + loadBalancerClass: + description: LoadBalancerClass Service field. + type: string loadBalancerIP: description: LoadBalancerIP Service field. type: string 
@@ -4755,6 +4852,9 @@ spec: externalTrafficPolicy: description: ExternalTrafficPolicy Service field. type: string + loadBalancerClass: + description: LoadBalancerClass Service field. + type: string loadBalancerIP: description: LoadBalancerIP Service field. type: string @@ -5170,13 +5270,17 @@ spec: By default, the Secret field 'ca.crt' provisioned by cert-manager will be added to the trust chain. A custom trust bundle may be specified via clientCASecretRef. properties: group: - description: Group of the resource being referred to. + description: |- + Group of the issuer being referred to. + Defaults to 'cert-manager.io'. type: string kind: - description: Kind of the resource being referred to. + description: |- + Kind of the issuer being referred to. + Defaults to 'Issuer'. type: string name: - description: Name of the resource being referred to. + description: Name of the issuer being referred to. type: string required: - name @@ -5225,13 +5329,17 @@ spec: By default, the Secret field 'ca.crt' provisioned by cert-manager will be added to the trust chain. A custom trust bundle may be specified via serverCASecretRef. properties: group: - description: Group of the resource being referred to. + description: |- + Group of the issuer being referred to. + Defaults to 'cert-manager.io'. type: string kind: - description: Kind of the resource being referred to. + description: |- + Kind of the issuer being referred to. + Defaults to 'Issuer'. type: string name: - description: Name of the resource being referred to. + description: Name of the issuer being referred to. type: string required: - name 
@@ -5482,6 +5590,110 @@ spec: pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object + ephemeral: + description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.35/#ephemeralvolumesource-v1-core.' + properties: + volumeClaimTemplate: + description: VolumeClaimTemplate defines a template to customize PVC objects. + properties: + accessModes: + items: + type: string + type: array + x-kubernetes-list-type: atomic + metadata: + description: Metadata to be added to the PVC metadata. + properties: + annotations: + additionalProperties: + type: string + description: Annotations to be added to children resources. + type: object + labels: + additionalProperties: + type: string + description: Labels to be added to children resources. + type: object + type: object + resources: + description: VolumeResourceRequirements describes the storage resource requirements for a volume. + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. 
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + selector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + storageClassName: + type: string + type: object + type: object hostPath: description: 'Refer to the Kubernetes docs: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.35/#hostpathvolumesource-v1-core' properties: 
@@ -5657,6 +5869,34 @@ spec: description: State is a per Pod representation of the Galera state file (grastate.dat). type: object type: object + pointInTimeRecovery: + description: PointInTimeRecovery is the status of the point-in-time-recovery process. + properties: + gtidStrictModePaused: + description: GtidStrictModePaused indicates that gtid_strict_mode has been temporarily paused to replay binlogs. + type: boolean + lastArchivedBinaryLog: + description: LastArchivedBinaryLog is name of the last archived binary log. + type: string + lastArchivedGtid: + description: LastArchivedGtid is the last archived GTID. + type: string + lastArchivedPosition: + description: LastArchivedPosition is the position of last archived binary log event. + format: int32 + type: integer + lastArchivedTime: + description: LastArchivedTime is the time of the last archived binary log event. + format: date-time + type: string + serverId: + description: ServerId identifies the server whose binary logs are being archived. + format: int32 + type: integer + storageReadyForArchival: + description: StorageReadyForArchival indicates that the storage is ready for archival, meaning that the sidecar agent can start archiving the binary logs. + type: boolean + type: object replicas: description: Replicas indicates the number of current instances. format: int32 diff --git a/clusters/cl01tl/manifests/mariadb-operator/CustomResourceDefinition-maxscales.k8s.mariadb.com.yaml b/clusters/cl01tl/manifests/mariadb-operator/CustomResourceDefinition-maxscales.k8s.mariadb.com.yaml index d0f551a6c..17cbdf2eb 100644 --- a/clusters/cl01tl/manifests/mariadb-operator/CustomResourceDefinition-maxscales.k8s.mariadb.com.yaml +++ b/clusters/cl01tl/manifests/mariadb-operator/CustomResourceDefinition-maxscales.k8s.mariadb.com.yaml 
@@ -652,6 +652,12 @@ spec: description: ServiceName to be used in the Connection. type: string type: object + enableServiceLinks: + description: |- + EnableServiceLinks indicates whether information about services should be injected into pod's + environment variables, matching the syntax of Docker links. Defaults to true if not specified. + Set to false to disable injection of service link environment variables. + type: boolean env: description: Env represents the environment variables to be injected in a container. items: @@ -737,6 +743,9 @@ spec: externalTrafficPolicy: description: ExternalTrafficPolicy Service field. type: string + loadBalancerClass: + description: LoadBalancerClass Service field. + type: string loadBalancerIP: description: LoadBalancerIP Service field. type: string @@ -816,6 +825,9 @@ spec: externalTrafficPolicy: description: ExternalTrafficPolicy Service field. type: string + loadBalancerClass: + description: LoadBalancerClass Service field. + type: string loadBalancerIP: description: LoadBalancerIP Service field. type: string @@ -1894,13 +1906,17 @@ spec: By default, the Secret field 'ca.crt' provisioned by cert-manager will be added to the trust chain. A custom trust bundle may be specified via adminCASecretRef. properties: group: - description: Group of the resource being referred to. + description: |- + Group of the issuer being referred to. + Defaults to 'cert-manager.io'. type: string kind: - description: Kind of the resource being referred to. + description: |- + Kind of the issuer being referred to. + Defaults to 'Issuer'. type: string name: - description: Name of the resource being referred to. + description: Name of the issuer being referred to. type: string required: - name 
@@ -1936,13 +1952,17 @@ spec: By default, the Secret field 'ca.crt' provisioned by cert-manager will be added to the trust chain. A custom trust bundle may be specified via listenerCASecretRef. properties: group: - description: Group of the resource being referred to. + description: |- + Group of the issuer being referred to. + Defaults to 'cert-manager.io'. type: string kind: - description: Kind of the resource being referred to. + description: |- + Kind of the issuer being referred to. + Defaults to 'Issuer'. type: string name: - description: Name of the resource being referred to. + description: Name of the issuer being referred to. type: string required: - name diff --git a/clusters/cl01tl/manifests/mariadb-operator/CustomResourceDefinition-physicalbackups.k8s.mariadb.com.yaml b/clusters/cl01tl/manifests/mariadb-operator/CustomResourceDefinition-physicalbackups.k8s.mariadb.com.yaml index ce77d17fb..8ac73bfc9 100644 --- a/clusters/cl01tl/manifests/mariadb-operator/CustomResourceDefinition-physicalbackups.k8s.mariadb.com.yaml +++ b/clusters/cl01tl/manifests/mariadb-operator/CustomResourceDefinition-physicalbackups.k8s.mariadb.com.yaml @@ -276,6 +276,11 @@ spec: immediate: description: Immediate indicates whether the first backup should be taken immediately after creating the PhysicalBackup. type: boolean + onDemand: + description: |- + OnDemand is an identifier used to trigger an on-demand backup. + If the identifier is different than the one tracked under status.lastScheduleOnDemand, a new physical backup will be triggered. + type: string suspend: default: false description: Suspend defines whether the schedule is active or not. 
@@ -489,6 +494,58 @@ spec: storage: description: Storage defines the final storage for backups. properties: + azureBlob: + description: AzureBlob defines the configuration to store backups in a AzureBlob compatible storage. + properties: + containerName: + description: ContainerName is the name of the storage container. + type: string + prefix: + description: 'Prefix indicates a folder/subfolder in the container. For example: mariadb/ or mariadb/backups. A trailing slash ''/'' is added if not provided.' + type: string + serviceURL: + description: 'ServiceURL is the full URL for connecting to Azure, usually in the form: http(s)://.blob.core.windows.net/.' + type: string + storageAccountKey: + description: StorageAccountKey is a reference to a Secret key containing the Azure Blob Storage Storage account Key. Pairs with StorageAccountKey for static credential authentication + properties: + key: + type: string + name: + default: "" + type: string + required: + - key + type: object + x-kubernetes-map-type: atomic + storageAccountName: + description: StorageAccountName is the name of the storage account. Pairs with StorageAccountKey for static credential authentication + type: string + tls: + description: TLS provides the configuration required to establish TLS connections with Azure Blob Storage. + properties: + caSecretKeyRef: + description: |- + CASecretKeyRef is a reference to a Secret key containing a CA bundle in PEM format used to establish TLS connections with S3. + By default, the system trust chain will be used, but you can use this field to add more CAs to the bundle. + properties: + key: + type: string + name: + default: "" + type: string + required: + - key + type: object + x-kubernetes-map-type: atomic + enabled: + description: Enabled is a flag to enable TLS. + type: boolean + type: object + required: + - containerName + - serviceURL + type: object persistentVolumeClaim: description: PersistentVolumeClaim is a Kubernetes PVC specification. properties: 
@@ -896,6 +953,9 @@ spec: description: LastScheduleCheckTime is the last time that the schedule was checked. format: date-time type: string + lastScheduleOnDemand: + description: LastScheduleOnDemand is the last on-demand schedule identifier. + type: string lastScheduleTime: description: LastScheduleTime is the last time that a backup was scheduled. format: date-time diff --git a/clusters/cl01tl/manifests/mariadb-operator/CustomResourceDefinition-pointintimerecoveries.k8s.mariadb.com.yaml b/clusters/cl01tl/manifests/mariadb-operator/CustomResourceDefinition-pointintimerecoveries.k8s.mariadb.com.yaml new file mode 100644 index 000000000..fd881185e --- /dev/null +++ b/clusters/cl01tl/manifests/mariadb-operator/CustomResourceDefinition-pointintimerecoveries.k8s.mariadb.com.yaml 
@@ -0,0 +1,255 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.20.0 + name: pointintimerecoveries.k8s.mariadb.com +spec: + group: k8s.mariadb.com + names: + kind: PointInTimeRecovery + listKind: PointInTimeRecoveryList + plural: pointintimerecoveries + shortNames: + - pitr + singular: pointintimerecovery + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.physicalBackupRef.name + name: Physical Backup + type: string + - jsonPath: .status.lastRecoverableTime + name: Last Recoverable Time + type: string + - jsonPath: .spec.strictMode + name: Strict Mode + type: boolean + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: PointInTimeRecovery is the Schema for the pointintimerecoveries API. It contains binlog archival and point-in-time restoration settings. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: PointInTimeRecoverySpec defines the desired state of PointInTimeRecovery. It contains binlog archive and point-in-time restoration settings. + properties: + archiveTimeout: + default: 1h + description: |- + ArchiveTimeout defines the maximum duration for the binary log archival. 
+ If this duration is exceeded, the sidecar agent will log an error and it will be retried in the next archive cycle. + It defaults to 1 hour. + type: string + compression: + description: |- + Compression algorithm to be used for compressing the binary logs. + This field is immutable, it cannot be updated after creation. + enum: + - none + - bzip2 + - gzip + type: string + physicalBackupRef: + description: PhysicalBackupRef is a reference to a PhysicalBackup object that will be used as base backup. + properties: + name: + default: "" + type: string + type: object + storage: + description: PointInTimeRecoveryStorage is the storage where the point in time recovery data will be stored + properties: + azureBlob: + description: AzureBlob is the Azure Blob Storage where the binary logs will be kept. + properties: + containerName: + description: ContainerName is the name of the storage container. + type: string + prefix: + description: 'Prefix indicates a folder/subfolder in the container. For example: mariadb/ or mariadb/backups. A trailing slash ''/'' is added if not provided.' + type: string + serviceURL: + description: 'ServiceURL is the full URL for connecting to Azure, usually in the form: http(s)://.blob.core.windows.net/.' + type: string + storageAccountKey: + description: StorageAccountKey is a reference to a Secret key containing the Azure Blob Storage Storage account Key. Pairs with StorageAccountKey for static credential authentication + properties: + key: + type: string + name: + default: "" + type: string + required: + - key + type: object + x-kubernetes-map-type: atomic + storageAccountName: + description: StorageAccountName is the name of the storage account. Pairs with StorageAccountKey for static credential authentication + type: string + tls: + description: TLS provides the configuration required to establish TLS connections with Azure Blob Storage. 
+ properties: + caSecretKeyRef: + description: |- + CASecretKeyRef is a reference to a Secret key containing a CA bundle in PEM format used to establish TLS connections with S3. + By default, the system trust chain will be used, but you can use this field to add more CAs to the bundle. + properties: + key: + type: string + name: + default: "" + type: string + required: + - key + type: object + x-kubernetes-map-type: atomic + enabled: + description: Enabled is a flag to enable TLS. + type: boolean + type: object + required: + - containerName + - serviceURL + type: object + s3: + description: S3 is the S3-compatible storage where the binary logs will be kept. + properties: + accessKeyIdSecretKeyRef: + description: AccessKeyIdSecretKeyRef is a reference to a Secret key containing the S3 access key id. + properties: + key: + type: string + name: + default: "" + type: string + required: + - key + type: object + x-kubernetes-map-type: atomic + bucket: + description: Bucket is the name Name of the bucket to store backups. + type: string + endpoint: + description: Endpoint is the S3 API endpoint without scheme. + type: string + prefix: + description: 'Prefix indicates a folder/subfolder in the bucket. For example: mariadb/ or mariadb/backups. A trailing slash ''/'' is added if not provided.' + type: string + region: + description: Region is the S3 region name to use. + type: string + secretAccessKeySecretKeyRef: + description: AccessKeyIdSecretKeyRef is a reference to a Secret key containing the S3 secret key. + properties: + key: + type: string + name: + default: "" + type: string + required: + - key + type: object + x-kubernetes-map-type: atomic + sessionTokenSecretKeyRef: + description: SessionTokenSecretKeyRef is a reference to a Secret key containing the S3 session token. 
+ properties: + key: + type: string + name: + default: "" + type: string + required: + - key + type: object + x-kubernetes-map-type: atomic + ssec: + description: |- + SSEC is a reference to a Secret containing the SSE-C (Server-Side Encryption with Customer-Provided Keys) key. + The secret must contain a 32-byte key (256 bits) in the specified key. + This enables server-side encryption where you provide and manage the encryption key. + properties: + customerKeySecretKeyRef: + description: |- + CustomerKeySecretKeyRef is a reference to a Secret key containing the SSE-C customer-provided encryption key. + The key must be a 32-byte (256-bit) key encoded in base64. + properties: + key: + type: string + name: + default: "" + type: string + required: + - key + type: object + x-kubernetes-map-type: atomic + required: + - customerKeySecretKeyRef + type: object + tls: + description: TLS provides the configuration required to establish TLS connections with S3. + properties: + caSecretKeyRef: + description: |- + CASecretKeyRef is a reference to a Secret key containing a CA bundle in PEM format used to establish TLS connections with S3. + By default, the system trust chain will be used, but you can use this field to add more CAs to the bundle. + properties: + key: + type: string + name: + default: "" + type: string + required: + - key + type: object + x-kubernetes-map-type: atomic + enabled: + description: Enabled is a flag to enable TLS. + type: boolean + type: object + required: + - bucket + - endpoint + type: object + type: object + strictMode: + description: |- + StrictMode controls the behavior when a point-in-time restoration cannot reach the exact target time: + When enabled: Returns an error and avoids replaying binary logs if target time is not reached. + When disabled (default): Replays available binary logs until the last recoverable time. It logs logs an error if target time is not reached. 
+ type: boolean + required: + - physicalBackupRef + - storage + type: object + status: + description: PointInTimeRecoveryStatus represents the current status of the point-in-time-recovery. + properties: + lastRecoverableTime: + description: LastRecoverableTime is the most recent recoverable time based on the current state of physical backups and archived binary logs. + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} -- 2.49.1 From 23bd173a71bcf12e2f82968d473d8531569741a4 Mon Sep 17 00:00:00 2001 From: gitea-bot Date: Sat, 14 Mar 2026 20:04:36 +0000 Subject: [PATCH 08/11] chore: Update manifests after change --- .../cl01tl/manifests/ollama/Deployment-ollama-server-1.yaml | 2 +- .../cl01tl/manifests/ollama/Deployment-ollama-server-2.yaml | 2 +- .../cl01tl/manifests/ollama/Deployment-ollama-server-3.yaml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/clusters/cl01tl/manifests/ollama/Deployment-ollama-server-1.yaml b/clusters/cl01tl/manifests/ollama/Deployment-ollama-server-1.yaml index a06422bc0..062df8f35 100644 --- a/clusters/cl01tl/manifests/ollama/Deployment-ollama-server-1.yaml +++ b/clusters/cl01tl/manifests/ollama/Deployment-ollama-server-1.yaml @@ -50,7 +50,7 @@ spec: value: 24h - name: OLLAMA_HOST value: 0.0.0.0 - image: ollama/ollama:0.17.7 + image: ollama/ollama:0.18.0 imagePullPolicy: IfNotPresent name: main resources: diff --git a/clusters/cl01tl/manifests/ollama/Deployment-ollama-server-2.yaml b/clusters/cl01tl/manifests/ollama/Deployment-ollama-server-2.yaml index 83aa8608d..304b93d8b 100644 --- a/clusters/cl01tl/manifests/ollama/Deployment-ollama-server-2.yaml +++ b/clusters/cl01tl/manifests/ollama/Deployment-ollama-server-2.yaml @@ -50,7 +50,7 @@ spec: value: 24h - name: OLLAMA_HOST value: 0.0.0.0 - image: ollama/ollama:0.17.7 + image: ollama/ollama:0.18.0 imagePullPolicy: IfNotPresent name: main resources: 
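Review bot: Several description strings in the new pointintimerecoveries CRD carry copy-paste errors that will surface verbatim in `kubectl explain`: under `storage.azureBlob`, `storageAccountKey` says it "Pairs with StorageAccountKey" (it pairs with `storageAccountName`), the azureBlob `tls.caSecretKeyRef` text refers to "TLS connections with S3", `s3.secretAccessKeySecretKeyRef` is described as `AccessKeyIdSecretKeyRef`, and `s3.bucket` reads "the name Name of the bucket"; `strictMode` also has "It logs logs an error". This file is rendered from the upstream mariadb-operator chart, so the wording should be corrected upstream rather than hand-edited here, or the next regeneration will reintroduce it. The same azureBlob text is also added to the physicalbackups CRD in the earlier hunk of this patch.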
diff --git a/clusters/cl01tl/manifests/ollama/Deployment-ollama-server-3.yaml b/clusters/cl01tl/manifests/ollama/Deployment-ollama-server-3.yaml index 366fc2d79..81701cf86 100644 --- a/clusters/cl01tl/manifests/ollama/Deployment-ollama-server-3.yaml +++ b/clusters/cl01tl/manifests/ollama/Deployment-ollama-server-3.yaml @@ -50,7 +50,7 @@ spec: value: 24h - name: OLLAMA_HOST value: 0.0.0.0 - image: ollama/ollama:0.17.7 + image: ollama/ollama:0.18.0 imagePullPolicy: IfNotPresent name: main resources: -- 2.49.1 From e3b8d82655a92a45912776507c7738687fbefc58 Mon Sep 17 00:00:00 2001 From: gitea-bot Date: Sat, 14 Mar 2026 20:12:27 +0000 Subject: [PATCH 09/11] chore: Update manifests after change --- clusters/cl01tl/manifests/homepage/Deployment-homepage.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/clusters/cl01tl/manifests/homepage/Deployment-homepage.yaml b/clusters/cl01tl/manifests/homepage/Deployment-homepage.yaml index 651b3c5d0..630e3c9b2 100644 --- a/clusters/cl01tl/manifests/homepage/Deployment-homepage.yaml +++ b/clusters/cl01tl/manifests/homepage/Deployment-homepage.yaml @@ -45,7 +45,7 @@ spec: envFrom: - secretRef: name: homepage-keys-secret - image: ghcr.io/gethomepage/homepage:v1.10.1 + image: ghcr.io/gethomepage/homepage:v1.11.0 imagePullPolicy: IfNotPresent name: main resources: -- 2.49.1 From b8120ec017a6c998074f35129611bf2a5308e480 Mon Sep 17 00:00:00 2001 
From: gitea-bot Date: Sat, 14 Mar 2026 21:26:25 +0000 Subject: [PATCH 10/11] chore: Update manifests after change --- .../ClusterRole-grafana-operator.yaml | 19 +- .../ClusterRoleBinding-grafana-operator.yaml | 4 +- ...tion-grafanas.grafana.integreatly.org.yaml | 817 ++++++++++++++++-- .../Deployment-grafana-operator.yaml | 10 +- .../Role-grafana-operator-leases.yaml | 4 +- .../RoleBinding-grafana-operator-leases.yaml | 4 +- ...vice-grafana-operator-metrics-service.yaml | 4 +- .../ServiceAccount-grafana-operator.yaml | 4 +- .../ServiceMonitor-grafana-operator.yaml | 4 +- 9 files changed, 754 insertions(+), 116 deletions(-) diff --git a/clusters/cl01tl/manifests/grafana-operator/ClusterRole-grafana-operator.yaml b/clusters/cl01tl/manifests/grafana-operator/ClusterRole-grafana-operator.yaml index 2eafe778e..9edffa8d4 100644 --- a/clusters/cl01tl/manifests/grafana-operator/ClusterRole-grafana-operator.yaml +++ b/clusters/cl01tl/manifests/grafana-operator/ClusterRole-grafana-operator.yaml @@ -3,10 +3,10 @@ kind: ClusterRole metadata: name: grafana-operator labels: - helm.sh/chart: grafana-operator-5.22.0 + helm.sh/chart: grafana-operator-5.22.1 app.kubernetes.io/name: grafana-operator app.kubernetes.io/instance: grafana-operator - app.kubernetes.io/version: "v5.22.0" + app.kubernetes.io/version: "v5.22.1" app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: grafana-operator app.kubernetes.io/component: operator @@ -27,6 +27,14 @@ rules: - patch - update - watch + - apiGroups: + - "" + - events.k8s.io + resources: + - events + verbs: + - create + - patch - apiGroups: - apps resources: @@ -39,13 +47,6 @@ rules: - patch - update - watch - - apiGroups: - - events.k8s.io - resources: - - events - verbs: - - create - - patch - apiGroups: - gateway.networking.k8s.io resources: 
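Review bot: The rendered grafana-operator ClusterRole now grants `create`/`patch` on `events` in the core (`""`) API group as well as `events.k8s.io`, whereas the removed rule covered only `events.k8s.io`; the chart bump from 5.22.0 to 5.22.1 therefore widens cluster-scoped RBAC, not just labels. Event creation is low-risk, but a permission change hidden inside a "chore: Update manifests" bot commit is easy to miss, so it is worth confirming the widening is intentional in the upstream 5.22.1 template before accepting it. If the narrower scope is preferred, the adjustment belongs in the chart values rather than in this generated file.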
diff --git a/clusters/cl01tl/manifests/grafana-operator/ClusterRoleBinding-grafana-operator.yaml b/clusters/cl01tl/manifests/grafana-operator/ClusterRoleBinding-grafana-operator.yaml index fd0cdfd6b..ff3a24304 100644 --- a/clusters/cl01tl/manifests/grafana-operator/ClusterRoleBinding-grafana-operator.yaml +++ b/clusters/cl01tl/manifests/grafana-operator/ClusterRoleBinding-grafana-operator.yaml @@ -3,10 +3,10 @@ kind: ClusterRoleBinding metadata: name: grafana-operator labels: - helm.sh/chart: grafana-operator-5.22.0 + helm.sh/chart: grafana-operator-5.22.1 app.kubernetes.io/name: grafana-operator app.kubernetes.io/instance: grafana-operator - app.kubernetes.io/version: "v5.22.0" + app.kubernetes.io/version: "v5.22.1" app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: grafana-operator app.kubernetes.io/component: operator diff --git a/clusters/cl01tl/manifests/grafana-operator/CustomResourceDefinition-grafanas.grafana.integreatly.org.yaml b/clusters/cl01tl/manifests/grafana-operator/CustomResourceDefinition-grafanas.grafana.integreatly.org.yaml index b06ce20bc..bafcef524 100644 --- a/clusters/cl01tl/manifests/grafana-operator/CustomResourceDefinition-grafanas.grafana.integreatly.org.yaml +++ b/clusters/cl01tl/manifests/grafana-operator/CustomResourceDefinition-grafanas.grafana.integreatly.org.yaml @@ -4094,6 +4094,7 @@ spec: type: string maxItems: 16 type: array + x-kubernetes-list-type: atomic parentRefs: description: |- ParentRefs references the resources (usually Gateways) that a Route wants @@ -4312,6 +4313,7 @@ spec: type: object maxItems: 32 type: array + x-kubernetes-list-type: atomic rules: description: |- Rules are a list of HTTP matchers, filters and actions. @@ -4403,8 +4405,8 @@ spec: authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter. - - + + properties: cors: description: |- 
@@ -4412,31 +4414,27 @@ spec: cross-origin request based on HTTP response header. Support: Extended - - properties: allowCredentials: description: |- AllowCredentials indicates whether the actual cross-origin request allows to include credentials. - The only valid value for the `Access-Control-Allow-Credentials` response - header is true (case-sensitive). + When set to true, the gateway will include the `Access-Control-Allow-Credentials` + response header with value true (case-sensitive). - If the credentials are not allowed in cross-origin requests, the gateway - will omit the header `Access-Control-Allow-Credentials` entirely rather - than setting its value to false. + When set to false or omitted the gateway will omit the header + `Access-Control-Allow-Credentials` entirely (this is the standard CORS + behavior). Support: Extended - enum: - - true type: boolean allowHeaders: description: |- AllowHeaders indicates which HTTP request headers are supported for accessing the requested resource. - Header names are not case sensitive. + Header names are not case-sensitive. Multiple header names in the value of the `Access-Control-Allow-Headers` response header are separated by a comma (","). 
@@ -4455,18 +4453,21 @@ spec: client side. A wildcard indicates that the requests with all HTTP headers are allowed. - The `Access-Control-Allow-Headers` response header can only use `*` - wildcard as value when the `AllowCredentials` field is unspecified. + If config contains the wildcard "*" in allowHeaders and the request is + not credentialed, the `Access-Control-Allow-Headers` response header + can either use the `*` wildcard or the value of + Access-Control-Request-Headers from the request. - When the `AllowCredentials` field is specified and `AllowHeaders` field - specified with the `*` wildcard, the gateway must specify one or more + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Headers` response header. When + also the `AllowCredentials` field is true and `AllowHeaders` field + is specified with the `*` wildcard, the gateway must specify one or more HTTP headers in the value of the `Access-Control-Allow-Headers` response header. The value of the header `Access-Control-Allow-Headers` is same as the `Access-Control-Request-Headers` header provided by the client. If the header `Access-Control-Request-Headers` is not included in the request, the gateway will omit the `Access-Control-Allow-Headers` - response header, instead of specifying the `*` wildcard. A Gateway - implementation may choose to add implementation-specific default headers. + response header, instead of specifying the `*` wildcard. Support: Extended items: @@ -4490,6 +4491,9 @@ spec: maxItems: 64 type: array x-kubernetes-list-type: set + x-kubernetes-validations: + - message: AllowHeaders cannot contain '*' alongside other methods + rule: '!(''*'' in self && self.size() > 1)' allowMethods: description: |- AllowMethods indicates which HTTP methods are supported for accessing the 
@@ -4498,7 +4502,7 @@ spec: Valid values are any method defined by RFC9110, along with the special value `*`, which represents all HTTP methods are allowed. - Method names are case sensitive, so these values are also case-sensitive. + Method names are case-sensitive, so these values are also case-sensitive. (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1) Multiple method names in the value of the `Access-Control-Allow-Methods` @@ -4518,18 +4522,21 @@ spec: `Access-Control-Allow-Methods`, it will present an error on the client side. - The `Access-Control-Allow-Methods` response header can only use `*` - wildcard as value when the `AllowCredentials` field is unspecified. + If config contains the wildcard "*" in allowMethods and the request is + not credentialed, the `Access-Control-Allow-Methods` response header + can either use the `*` wildcard or the value of + Access-Control-Request-Method from the request. - When the `AllowCredentials` field is specified and `AllowMethods` field + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Methods` response header. When + also the `AllowCredentials` field is true and `AllowMethods` field specified with the `*` wildcard, the gateway must specify one HTTP method in the value of the Access-Control-Allow-Methods response header. The value of the header `Access-Control-Allow-Methods` is same as the `Access-Control-Request-Method` header provided by the client. If the header `Access-Control-Request-Method` is not included in the request, the gateway will omit the `Access-Control-Allow-Methods` response header, - instead of specifying the `*` wildcard. A Gateway implementation may - choose to add implementation-specific default methods. + instead of specifying the `*` wildcard. Support: Extended items: 
@@ -4595,10 +4602,19 @@ spec: the CORS headers. The cross-origin request fails on the client side. Therefore, the client doesn't attempt the actual cross-origin request. - The `Access-Control-Allow-Origin` response header can only use `*` - wildcard as value when the `AllowCredentials` field is unspecified. + Conversely, if the request `Origin` matches one of the configured + allowed origins, the gateway sets the response header + `Access-Control-Allow-Origin` to the same value as the `Origin` + header provided by the client. - When the `AllowCredentials` field is specified and `AllowOrigins` field + When config has the wildcard ("*") in allowOrigins, and the request + is not credentialed (e.g., it is a preflight request), the + `Access-Control-Allow-Origin` response header either contains the + wildcard as well or the Origin from the request. + + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Origin` response header. When + also the `AllowCredentials` field is true and `AllowOrigins` field specified with the `*` wildcard, the gateway must return a single origin in the value of the `Access-Control-Allow-Origin` response header, instead of specifying the `*` wildcard. The value of the header 
@@ -4608,19 +4624,21 @@ spec: Support: Extended items: description: |- - The AbsoluteURI MUST NOT be a relative URI, and it MUST follow the URI syntax and - encoding rules specified in RFC3986. The AbsoluteURI MUST include both a - scheme (e.g., "http" or "spiffe") and a scheme-specific-part. URIs that - include an authority MUST include a fully qualified domain name or + The CORSOrigin MUST NOT be a relative URI, and it MUST follow the URI syntax and + encoding rules specified in RFC3986. The CORSOrigin MUST include both a + scheme ("http" or "https") and a scheme-specific-part, or it should be a single '*' character. + URIs that include an authority MUST include a fully qualified domain name or IP address as the host. - The below regex is taken from the regex section in RFC 3986 with a slight modification to enforce a full URI and not relative. maxLength: 253 minLength: 1 - pattern: ^(([^:/?#]+):)(//([^/?#]*))([^?#]*)(\?([^#]*))?(#(.*))? + pattern: (^\*$)|(^(http(s)?):\/\/(((\*\.)?([a-zA-Z0-9\-]+\.)*[a-zA-Z0-9-]+|\*)(:([0-9]{1,5}))?)$) type: string maxItems: 64 type: array x-kubernetes-list-type: set + x-kubernetes-validations: + - message: AllowOrigins cannot contain '*' alongside other origins + rule: '!(''*'' in self && self.size() > 1)' exposeHeaders: description: |- ExposeHeaders indicates which HTTP response headers can be exposed 
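Review bot: The new `pattern` for allowOrigins items accepts more wildcard forms than the rewritten description states: besides a bare `*`, the host alternatives `(\*\.)?` and `|\*` admit values such as `https://*.example.com`, `https://*` and `https://*:8080`, while the text says an entry is a scheme plus scheme-specific-part "or it should be a single '*' character". The accompanying CEL rule only tests `'*' in self`, so a scheme-prefixed wildcard origin can sit next to concrete origins, and next to `allowCredentials: true`, without the schema objecting. Either narrow the host alternatives to what the description promises, or extend the description to state that subdomain-wildcard and scheme-wildcard origins are accepted and that a credentialed request must still be answered with a single concrete origin. The same pattern and rule are repeated in the hunk on L53.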
@@ -4643,15 +4661,18 @@ spec: this additional header will be exposed as part of the response to the client. - Header names are not case sensitive. + Header names are not case-sensitive. Multiple header names in the value of the `Access-Control-Expose-Headers` response header are separated by a comma (","). A wildcard indicates that the responses with all HTTP headers are exposed to clients. The `Access-Control-Expose-Headers` response header can only - use `*` wildcard as value when the `AllowCredentials` field is - unspecified. + use `*` wildcard as value when the request is not credentialed. + + When the `exposeHeaders` config field contains the "*" wildcard and + the request is credentialed, the gateway cannot use the `*` wildcard in + the `Access-Control-Expose-Headers` response header. Support: Extended items: @@ -4687,6 +4708,9 @@ spec: The default value of `Access-Control-Max-Age` response header is 5 (seconds). + + When the `MaxAge` field is unspecified, the gateway sets the response + header "Access-Control-Max-Age: 5" by default. format: int32 minimum: 1 type: integer 
@@ -4725,6 +4749,249 @@ spec: - kind - name type: object + externalAuth: + description: |- + ExternalAuth configures settings related to sending request details + to an external auth service. The external service MUST authenticate + the request, and MAY authorize the request as well. + + If there is any problem communicating with the external service, + this filter MUST fail closed. + + Support: Extended + + + properties: + backendRef: + description: |- + BackendRef is a reference to a backend to send authorization + requests to. + + The backend must speak the selected protocol (GRPC or HTTP) on the + referenced port. + + If the backend service requires TLS, use BackendTLSPolicy to tell the + implementation to supply the TLS details to be used to connect to that + backend. + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". + + Defaults to "Service" when not specified. + + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. + + Support: Core (Services with a type other than ExternalName) + + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. 
When unspecified, the local + namespace is inferred. + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. + Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. + For other resources, destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind == ''Service'') ? has(self.port) : true' + forwardBody: + description: |- + ForwardBody controls if requests to the authorization server should include + the body of the client request; and if so, how big that body is allowed + to be. + + It is expected that implementations will buffer the request body up to + `forwardBody.maxSize` bytes. Bodies over that size must be rejected with a + 4xx series error (413 or 403 are common examples), and fail processing + of the filter. + + If unset, or `forwardBody.maxSize` is set to `0`, then the body will not + be forwarded. + + Feature Name: HTTPRouteExternalAuthForwardBody + properties: + maxSize: + description: |- + MaxSize specifies how large in bytes the largest body that will be buffered + and sent to the authorization server. If the body size is larger than + `maxSize`, then the body sent to the authorization server must be + truncated to `maxSize` bytes. 
+ + Experimental note: This behavior needs to be checked against + various dataplanes; it may need to be changed. + See https://github.com/kubernetes-sigs/gateway-api/pull/4001#discussion_r2291405746 + for more. + + If 0, the body will not be sent to the authorization server. + type: integer + type: object + grpc: + description: |- + GRPCAuthConfig contains configuration for communication with ext_authz + protocol-speaking backends. + + If unset, implementations must assume the default behavior for each + included field is intended. + properties: + allowedHeaders: + description: |- + AllowedRequestHeaders specifies what headers from the client request + will be sent to the authorization server. + + If this list is empty, then all headers must be sent. + + If the list has entries, only those entries must be sent. + items: + type: string + maxItems: 64 + type: array + x-kubernetes-list-type: set + type: object + http: + description: |- + HTTPAuthConfig contains configuration for communication with HTTP-speaking + backends. + + If unset, implementations must assume the default behavior for each + included field is intended. + properties: + allowedHeaders: + description: |- + AllowedRequestHeaders specifies what additional headers from the client request + will be sent to the authorization server. + + The following headers must always be sent to the authorization server, + regardless of this setting: + + * `Host` + * `Method` + * `Path` + * `Content-Length` + * `Authorization` + + If this list is empty, then only those headers must be sent. + + Note that `Content-Length` has a special behavior, in that the length + sent must be correct for the actual request to the external authorization + server - that is, it must reflect the actual number of bytes sent in the + body of the request to the authorization server. + + So if the `forwardBody` stanza is unset, or `forwardBody.maxSize` is set + to `0`, then `Content-Length` must be `0`. 
If `forwardBody.maxSize` is set + to anything other than `0`, then the `Content-Length` of the authorization + request must be set to the actual number of bytes forwarded. + items: + type: string + maxItems: 64 + type: array + x-kubernetes-list-type: set + allowedResponseHeaders: + description: |- + AllowedResponseHeaders specifies what headers from the authorization response + will be copied into the request to the backend. + + If this list is empty, then all headers from the authorization server + except Authority or Host must be copied. + items: + type: string + maxItems: 64 + type: array + x-kubernetes-list-type: set + path: + description: |- + Path sets the prefix that paths from the client request will have added + when forwarded to the authorization server. + + When empty or unspecified, no prefix is added. + + Valid values are the same as the "value" regex for path values in the `match` + stanza, and the validation regex will screen out invalid paths in the same way. + Even with the validation, implementations MUST sanitize this input before using it + directly. + maxLength: 1024 + pattern: ^(?:[-A-Za-z0-9/._~!$&'()*+,;=:@]|[%][0-9a-fA-F]{2})+$ + type: string + type: object + protocol: + description: |- + ExternalAuthProtocol describes which protocol to use when communicating with an + ext_authz authorization server. + + When this is set to GRPC, each backend must use the Envoy ext_authz protocol + on the port specified in `backendRefs`. Requests and responses are defined + in the protobufs explained at: + https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto + + When this is set to HTTP, each backend must respond with a `200` status + code in on a successful authorization. Any other code is considered + an authorization failure. 
+ + Feature Names: + GRPC Support - HTTPRouteExternalAuthGRPC + HTTP Support - HTTPRouteExternalAuthHTTP + enum: + - HTTP + - GRPC + type: string + required: + - backendRef + - protocol + type: object + x-kubernetes-validations: + - message: grpc must be specified when protocol is set to 'GRPC' + rule: 'self.protocol == ''GRPC'' ? has(self.grpc) : true' + - message: protocol must be 'GRPC' when grpc is set + rule: 'has(self.grpc) ? self.protocol == ''GRPC'' : true' + - message: http must be specified when protocol is set to 'HTTP' + rule: 'self.protocol == ''HTTP'' ? has(self.http) : true' + - message: protocol must be 'HTTP' when http is set + rule: 'has(self.http) ? self.protocol == ''HTTP'' : true' requestHeaderModifier: description: |- RequestHeaderModifier defines a schema for a filter that modifies request @@ -4768,7 +5035,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 + + + maxLength: 4096 minLength: 1 type: string @@ -4840,7 +5114,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 + + + maxLength: 4096 minLength: 1 type: string @@ -5142,6 +5423,9 @@ spec: enum: - 301 - 302 + - 303 + - 307 + - 308 type: integer type: object responseHeaderModifier: 
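Review bot: `forwardBody.maxSize` is declared as a bare `type: integer` with no lower bound, so a negative value passes admission even though the description only defines `0` (body not forwarded) and positive sizes; adding `minimum: 0` beside `type: integer` rejects that misconfiguration at apply time instead of leaving it to each implementation. Separately, the documented default for `http.allowedResponseHeaders` (an empty list means every header from the authorization server except Authority or Host is copied onto the backend request) means an operator who wants to bound what the auth service can add to upstream requests has to set an explicit list, and the description would be clearer if it said so. The whole externalAuth block is added a second time in the hunk spanning L55–L59. The enclosing `filters` schema continues outside this hunk.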
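Review bot: The rewritten `value` description promises that header values "must consist of printable US-ASCII characters, optionally separated by single tabs or spaces", but the schema on the following lines still enforces only `maxLength: 4096` and `minLength: 1`, so nothing in the CRD rejects CR, LF or other control characters and header-injection protection rests entirely on each implementation. If the schema is meant to match the text, add a `pattern` next to those limits, e.g. `pattern: ^[!-~]+([ \t][!-~]+)*$` (a constructed suggestion; verify it against the consumer's regex dialect), otherwise adjust the description to say the constraint is enforced by implementations rather than by validation. The same description-only change is repeated in the remaining `value` hunks on L46, L47, L59, L60 and L61.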
@@ -5187,7 +5471,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 + + + maxLength: 4096 minLength: 1 type: string @@ -5259,7 +5550,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 + + + maxLength: 4096 minLength: 1 type: string @@ -5308,7 +5606,7 @@ spec: Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. - + enum: - RequestHeaderModifier - ResponseHeaderModifier @@ -5316,6 +5614,7 @@ spec: - RequestRedirect - URLRewrite - ExtensionRef + - CORS type: string urlRewrite: description: |- @@ -5397,6 +5696,10 @@ spec: - type type: object x-kubernetes-validations: + - message: filter.cors must be nil if the filter.type is not CORS + rule: '!(has(self.cors) && self.type != ''CORS'')' + - message: filter.cors must be specified for CORS filter.type + rule: '!(!has(self.cors) && self.type == ''CORS'')' - message: filter.requestHeaderModifier must be nil if the filter.type is not RequestHeaderModifier rule: '!(has(self.requestHeaderModifier) && self.type != ''RequestHeaderModifier'')' - message: filter.requestHeaderModifier must be specified for RequestHeaderModifier filter.type 
@@ -5423,9 +5726,8 @@ spec: rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')' maxItems: 16 type: array + x-kubernetes-list-type: atomic x-kubernetes-validations: - - message: May specify either httpRouteFilterRequestRedirect or httpRouteFilterRequestRewrite, but not both - rule: '!(self.exists(f, f.type == ''RequestRedirect'') && self.exists(f, f.type == ''URLRewrite''))' - message: May specify either httpRouteFilterRequestRedirect or httpRouteFilterRequestRewrite, but not both rule: '!(self.exists(f, f.type == ''RequestRedirect'') && self.exists(f, f.type == ''URLRewrite''))' - message: RequestHeaderModifier filter cannot be repeated @@ -5524,6 +5826,7 @@ spec: rule: '(size(self.group) == 0 && self.kind == ''Service'') ? has(self.port) : true' maxItems: 16 type: array + x-kubernetes-list-type: atomic filters: description: |- Filters define the filters that are applied to requests that match @@ -5571,8 +5874,8 @@ spec: authentication strategies, rate-limiting, and traffic shaping. API guarantee/conformance is defined based on the type of the filter. - - + + properties: cors: description: |- 
@@ -5580,31 +5883,27 @@ spec: cross-origin request based on HTTP response header. Support: Extended - - properties: allowCredentials: description: |- AllowCredentials indicates whether the actual cross-origin request allows to include credentials. - The only valid value for the `Access-Control-Allow-Credentials` response - header is true (case-sensitive). + When set to true, the gateway will include the `Access-Control-Allow-Credentials` + response header with value true (case-sensitive). - If the credentials are not allowed in cross-origin requests, the gateway - will omit the header `Access-Control-Allow-Credentials` entirely rather - than setting its value to false. + When set to false or omitted the gateway will omit the header + `Access-Control-Allow-Credentials` entirely (this is the standard CORS + behavior). Support: Extended - enum: - - true type: boolean allowHeaders: description: |- AllowHeaders indicates which HTTP request headers are supported for accessing the requested resource. - Header names are not case sensitive. + Header names are not case-sensitive. Multiple header names in the value of the `Access-Control-Allow-Headers` response header are separated by a comma (","). 
@@ -5623,18 +5922,21 @@ spec: client side. A wildcard indicates that the requests with all HTTP headers are allowed. - The `Access-Control-Allow-Headers` response header can only use `*` - wildcard as value when the `AllowCredentials` field is unspecified. + If config contains the wildcard "*" in allowHeaders and the request is + not credentialed, the `Access-Control-Allow-Headers` response header + can either use the `*` wildcard or the value of + Access-Control-Request-Headers from the request. - When the `AllowCredentials` field is specified and `AllowHeaders` field - specified with the `*` wildcard, the gateway must specify one or more + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Headers` response header. When + also the `AllowCredentials` field is true and `AllowHeaders` field + is specified with the `*` wildcard, the gateway must specify one or more HTTP headers in the value of the `Access-Control-Allow-Headers` response header. The value of the header `Access-Control-Allow-Headers` is same as the `Access-Control-Request-Headers` header provided by the client. If the header `Access-Control-Request-Headers` is not included in the request, the gateway will omit the `Access-Control-Allow-Headers` - response header, instead of specifying the `*` wildcard. A Gateway - implementation may choose to add implementation-specific default headers. + response header, instead of specifying the `*` wildcard. Support: Extended items: @@ -5658,6 +5960,9 @@ spec: maxItems: 64 type: array x-kubernetes-list-type: set + x-kubernetes-validations: + - message: AllowHeaders cannot contain '*' alongside other methods + rule: '!(''*'' in self && self.size() > 1)' allowMethods: description: |- AllowMethods indicates which HTTP methods are supported for accessing the 
@@ -5666,7 +5971,7 @@ spec: Valid values are any method defined by RFC9110, along with the special value `*`, which represents all HTTP methods are allowed. - Method names are case sensitive, so these values are also case-sensitive. + Method names are case-sensitive, so these values are also case-sensitive. (See https://www.rfc-editor.org/rfc/rfc2616#section-5.1.1) Multiple method names in the value of the `Access-Control-Allow-Methods` @@ -5686,18 +5991,21 @@ spec: `Access-Control-Allow-Methods`, it will present an error on the client side. - The `Access-Control-Allow-Methods` response header can only use `*` - wildcard as value when the `AllowCredentials` field is unspecified. + If config contains the wildcard "*" in allowMethods and the request is + not credentialed, the `Access-Control-Allow-Methods` response header + can either use the `*` wildcard or the value of + Access-Control-Request-Method from the request. - When the `AllowCredentials` field is specified and `AllowMethods` field + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Methods` response header. When + also the `AllowCredentials` field is true and `AllowMethods` field specified with the `*` wildcard, the gateway must specify one HTTP method in the value of the Access-Control-Allow-Methods response header. The value of the header `Access-Control-Allow-Methods` is same as the `Access-Control-Request-Method` header provided by the client. If the header `Access-Control-Request-Method` is not included in the request, the gateway will omit the `Access-Control-Allow-Methods` response header, - instead of specifying the `*` wildcard. A Gateway implementation may - choose to add implementation-specific default methods. + instead of specifying the `*` wildcard. Support: Extended items: 
@@ -5763,10 +6071,19 @@ spec: the CORS headers. The cross-origin request fails on the client side. Therefore, the client doesn't attempt the actual cross-origin request. - The `Access-Control-Allow-Origin` response header can only use `*` - wildcard as value when the `AllowCredentials` field is unspecified. + Conversely, if the request `Origin` matches one of the configured + allowed origins, the gateway sets the response header + `Access-Control-Allow-Origin` to the same value as the `Origin` + header provided by the client. - When the `AllowCredentials` field is specified and `AllowOrigins` field + When config has the wildcard ("*") in allowOrigins, and the request + is not credentialed (e.g., it is a preflight request), the + `Access-Control-Allow-Origin` response header either contains the + wildcard as well or the Origin from the request. + + When the request is credentialed, the gateway must not specify the `*` + wildcard in the `Access-Control-Allow-Origin` response header. When + also the `AllowCredentials` field is true and `AllowOrigins` field specified with the `*` wildcard, the gateway must return a single origin in the value of the `Access-Control-Allow-Origin` response header, instead of specifying the `*` wildcard. The value of the header 
@@ -5776,19 +6093,21 @@ spec: Support: Extended items: description: |- - The AbsoluteURI MUST NOT be a relative URI, and it MUST follow the URI syntax and - encoding rules specified in RFC3986. The AbsoluteURI MUST include both a - scheme (e.g., "http" or "spiffe") and a scheme-specific-part. URIs that - include an authority MUST include a fully qualified domain name or + The CORSOrigin MUST NOT be a relative URI, and it MUST follow the URI syntax and + encoding rules specified in RFC3986. The CORSOrigin MUST include both a + scheme ("http" or "https") and a scheme-specific-part, or it should be a single '*' character. + URIs that include an authority MUST include a fully qualified domain name or IP address as the host. - The below regex is taken from the regex section in RFC 3986 with a slight modification to enforce a full URI and not relative. maxLength: 253 minLength: 1 - pattern: ^(([^:/?#]+):)(//([^/?#]*))([^?#]*)(\?([^#]*))?(#(.*))? + pattern: (^\*$)|(^(http(s)?):\/\/(((\*\.)?([a-zA-Z0-9\-]+\.)*[a-zA-Z0-9-]+|\*)(:([0-9]{1,5}))?)$) type: string maxItems: 64 type: array x-kubernetes-list-type: set + x-kubernetes-validations: + - message: AllowOrigins cannot contain '*' alongside other origins + rule: '!(''*'' in self && self.size() > 1)' exposeHeaders: description: |- ExposeHeaders indicates which HTTP response headers can be exposed 
@@ -5811,15 +6130,18 @@ spec: this additional header will be exposed as part of the response to the client. - Header names are not case sensitive. + Header names are not case-sensitive. Multiple header names in the value of the `Access-Control-Expose-Headers` response header are separated by a comma (","). A wildcard indicates that the responses with all HTTP headers are exposed to clients. The `Access-Control-Expose-Headers` response header can only - use `*` wildcard as value when the `AllowCredentials` field is - unspecified. + use `*` wildcard as value when the request is not credentialed. + + When the `exposeHeaders` config field contains the "*" wildcard and + the request is credentialed, the gateway cannot use the `*` wildcard in + the `Access-Control-Expose-Headers` response header. Support: Extended items: @@ -5855,6 +6177,9 @@ spec: The default value of `Access-Control-Max-Age` response header is 5 (seconds). + + When the `MaxAge` field is unspecified, the gateway sets the response + header "Access-Control-Max-Age: 5" by default. format: int32 minimum: 1 type: integer 
@@ -5893,6 +6218,249 @@ spec: - kind - name type: object + externalAuth: + description: |- + ExternalAuth configures settings related to sending request details + to an external auth service. The external service MUST authenticate + the request, and MAY authorize the request as well. + + If there is any problem communicating with the external service, + this filter MUST fail closed. + + Support: Extended + + + properties: + backendRef: + description: |- + BackendRef is a reference to a backend to send authorization + requests to. + + The backend must speak the selected protocol (GRPC or HTTP) on the + referenced port. + + If the backend service requires TLS, use BackendTLSPolicy to tell the + implementation to supply the TLS details to be used to connect to that + backend. + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". + + Defaults to "Service" when not specified. + + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. + + Support: Core (Services with a type other than ExternalName) + + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. 
When unspecified, the local + namespace is inferred. + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. + Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. + For other resources, destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind == ''Service'') ? has(self.port) : true' + forwardBody: + description: |- + ForwardBody controls if requests to the authorization server should include + the body of the client request; and if so, how big that body is allowed + to be. + + It is expected that implementations will buffer the request body up to + `forwardBody.maxSize` bytes. Bodies over that size must be rejected with a + 4xx series error (413 or 403 are common examples), and fail processing + of the filter. + + If unset, or `forwardBody.maxSize` is set to `0`, then the body will not + be forwarded. + + Feature Name: HTTPRouteExternalAuthForwardBody + properties: + maxSize: + description: |- + MaxSize specifies how large in bytes the largest body that will be buffered + and sent to the authorization server. If the body size is larger than + `maxSize`, then the body sent to the authorization server must be + truncated to `maxSize` bytes. 
+ + Experimental note: This behavior needs to be checked against + various dataplanes; it may need to be changed. + See https://github.com/kubernetes-sigs/gateway-api/pull/4001#discussion_r2291405746 + for more. + + If 0, the body will not be sent to the authorization server. + type: integer + type: object + grpc: + description: |- + GRPCAuthConfig contains configuration for communication with ext_authz + protocol-speaking backends. + + If unset, implementations must assume the default behavior for each + included field is intended. + properties: + allowedHeaders: + description: |- + AllowedRequestHeaders specifies what headers from the client request + will be sent to the authorization server. + + If this list is empty, then all headers must be sent. + + If the list has entries, only those entries must be sent. + items: + type: string + maxItems: 64 + type: array + x-kubernetes-list-type: set + type: object + http: + description: |- + HTTPAuthConfig contains configuration for communication with HTTP-speaking + backends. + + If unset, implementations must assume the default behavior for each + included field is intended. + properties: + allowedHeaders: + description: |- + AllowedRequestHeaders specifies what additional headers from the client request + will be sent to the authorization server. + + The following headers must always be sent to the authorization server, + regardless of this setting: + + * `Host` + * `Method` + * `Path` + * `Content-Length` + * `Authorization` + + If this list is empty, then only those headers must be sent. + + Note that `Content-Length` has a special behavior, in that the length + sent must be correct for the actual request to the external authorization + server - that is, it must reflect the actual number of bytes sent in the + body of the request to the authorization server. + + So if the `forwardBody` stanza is unset, or `forwardBody.maxSize` is set + to `0`, then `Content-Length` must be `0`. 
If `forwardBody.maxSize` is set + to anything other than `0`, then the `Content-Length` of the authorization + request must be set to the actual number of bytes forwarded. + items: + type: string + maxItems: 64 + type: array + x-kubernetes-list-type: set + allowedResponseHeaders: + description: |- + AllowedResponseHeaders specifies what headers from the authorization response + will be copied into the request to the backend. + + If this list is empty, then all headers from the authorization server + except Authority or Host must be copied. + items: + type: string + maxItems: 64 + type: array + x-kubernetes-list-type: set + path: + description: |- + Path sets the prefix that paths from the client request will have added + when forwarded to the authorization server. + + When empty or unspecified, no prefix is added. + + Valid values are the same as the "value" regex for path values in the `match` + stanza, and the validation regex will screen out invalid paths in the same way. + Even with the validation, implementations MUST sanitize this input before using it + directly. + maxLength: 1024 + pattern: ^(?:[-A-Za-z0-9/._~!$&'()*+,;=:@]|[%][0-9a-fA-F]{2})+$ + type: string + type: object + protocol: + description: |- + ExternalAuthProtocol describes which protocol to use when communicating with an + ext_authz authorization server. + + When this is set to GRPC, each backend must use the Envoy ext_authz protocol + on the port specified in `backendRefs`. Requests and responses are defined + in the protobufs explained at: + https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/external_auth.proto + + When this is set to HTTP, each backend must respond with a `200` status + code in on a successful authorization. Any other code is considered + an authorization failure. 
+ + Feature Names: + GRPC Support - HTTPRouteExternalAuthGRPC + HTTP Support - HTTPRouteExternalAuthHTTP + enum: + - HTTP + - GRPC + type: string + required: + - backendRef + - protocol + type: object + x-kubernetes-validations: + - message: grpc must be specified when protocol is set to 'GRPC' + rule: 'self.protocol == ''GRPC'' ? has(self.grpc) : true' + - message: protocol must be 'GRPC' when grpc is set + rule: 'has(self.grpc) ? self.protocol == ''GRPC'' : true' + - message: http must be specified when protocol is set to 'HTTP' + rule: 'self.protocol == ''HTTP'' ? has(self.http) : true' + - message: protocol must be 'HTTP' when http is set + rule: 'has(self.http) ? self.protocol == ''HTTP'' : true' requestHeaderModifier: description: |- RequestHeaderModifier defines a schema for a filter that modifies request @@ -5936,7 +6504,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 + + + maxLength: 4096 minLength: 1 type: string @@ -6008,7 +6583,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 + + + maxLength: 4096 minLength: 1 type: string @@ -6310,6 +6892,9 @@ spec: enum: - 301 - 302 + - 303 + - 307 + - 308 type: integer type: object responseHeaderModifier: 
@@ -6355,7 +6940,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 + + + maxLength: 4096 minLength: 1 type: string @@ -6427,7 +7019,14 @@ spec: pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string value: - description: Value is the value of HTTP Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 + + + maxLength: 4096 minLength: 1 type: string @@ -6476,7 +7075,7 @@ spec: Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. - + enum: - RequestHeaderModifier - ResponseHeaderModifier @@ -6484,6 +7083,7 @@ spec: - RequestRedirect - URLRewrite - ExtensionRef + - CORS type: string urlRewrite: description: |- @@ -6565,6 +7165,10 @@ spec: - type type: object x-kubernetes-validations: + - message: filter.cors must be nil if the filter.type is not CORS + rule: '!(has(self.cors) && self.type != ''CORS'')' + - message: filter.cors must be specified for CORS filter.type + rule: '!(!has(self.cors) && self.type == ''CORS'')' - message: filter.requestHeaderModifier must be nil if the filter.type is not RequestHeaderModifier rule: '!(has(self.requestHeaderModifier) && self.type != ''RequestHeaderModifier'')' - message: filter.requestHeaderModifier must be specified for RequestHeaderModifier filter.type 
@@ -6591,6 +7195,7 @@ spec: rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')' maxItems: 16 type: array + x-kubernetes-list-type: atomic x-kubernetes-validations: - message: May specify either httpRouteFilterRequestRedirect or httpRouteFilterRequestRewrite, but not both rule: '!(self.exists(f, f.type == ''RequestRedirect'') && self.exists(f, f.type == ''URLRewrite''))' @@ -6715,7 +7320,14 @@ spec: - RegularExpression type: string value: - description: Value is the value of HTTP Header to be matched. + description: |- + Value is the value of HTTP Header to be matched. + + Must consist of printable US-ASCII characters, optionally separated + by single tabs or spaces. See: https://tools.ietf.org/html/rfc7230#section-3.2 + + + maxLength: 4096 minLength: 1 type: string @@ -6865,12 +7477,12 @@ spec: type: object maxItems: 64 type: array + x-kubernetes-list-type: atomic name: description: |- Name is the name of the route rule. This name MUST be unique within a Route if it is set. Support: Extended - maxLength: 253 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ @@ -6904,7 +7516,7 @@ spec: For example, setting the `rules[].retry.backoff` field to the value `100ms` will cause a backend request to first be retried approximately 100 milliseconds after timing out or receiving a response code configured - to be retryable. + to be retriable. An implementation MAY use an exponential or alternative backoff strategy for subsequent retry attempts, MAY cap the maximum backoff duration to @@ -6947,7 +7559,7 @@ spec: HTTPRouteRetryStatusCode defines an HTTP response status code for which a backend request should be retried. - Implementations MUST support the following status codes as retryable: + Implementations MUST support the following status codes as retriable: * 500 * 502 @@ -6965,6 +7577,7 @@ spec: minimum: 400 type: integer type: array + x-kubernetes-list-type: atomic type: object sessionPersistence: description: |- 
@@ -7041,7 +7654,7 @@ spec: default: Cookie description: |- Type defines the type of session persistence such as through - the use a header or cookie. Defaults to cookie based session + the use of a header or cookie. Defaults to cookie based session persistence. Support: Core for "Cookie" type @@ -7055,6 +7668,8 @@ spec: x-kubernetes-validations: - message: AbsoluteTimeout must be specified when cookie lifetimeType is Permanent rule: '!has(self.cookieConfig) || !has(self.cookieConfig.lifetimeType) || self.cookieConfig.lifetimeType != ''Permanent'' || has(self.absoluteTimeout)' + - message: cookieConfig can only be set with type Cookie + rule: '!has(self.cookieConfig) || self.type == ''Cookie''' timeouts: description: |- Timeouts defines the timeouts that can be configured for an HTTP request. 
@@ -7127,10 +7742,32 @@ spec: - message: Within backendRefs, When using URLRewrite filter with path.replacePrefixMatch, exactly one PathPrefix match must be specified rule: '(has(self.backendRefs) && self.backendRefs.exists_one(b, (has(b.filters) && b.filters.exists_one(f, has(f.urlRewrite) && has(f.urlRewrite.path) && f.urlRewrite.path.type == ''ReplacePrefixMatch'' && has(f.urlRewrite.path.replacePrefixMatch))) )) ? ((size(self.matches) != 1 || !has(self.matches[0].path) || self.matches[0].path.type != ''PathPrefix'') ? false : true) : true' maxItems: 16 + minItems: 1 type: array + x-kubernetes-list-type: atomic x-kubernetes-validations: - message: While 16 rules and 64 matches per rule are allowed, the total number of matches across all rules in a route must be less than 128 rule: '(self.size() > 0 ? self[0].matches.size() : 0) + (self.size() > 1 ? self[1].matches.size() : 0) + (self.size() > 2 ? self[2].matches.size() : 0) + (self.size() > 3 ? self[3].matches.size() : 0) + (self.size() > 4 ? self[4].matches.size() : 0) + (self.size() > 5 ? self[5].matches.size() : 0) + (self.size() > 6 ? self[6].matches.size() : 0) + (self.size() > 7 ? self[7].matches.size() : 0) + (self.size() > 8 ? self[8].matches.size() : 0) + (self.size() > 9 ? self[9].matches.size() : 0) + (self.size() > 10 ? self[10].matches.size() : 0) + (self.size() > 11 ? self[11].matches.size() : 0) + (self.size() > 12 ? self[12].matches.size() : 0) + (self.size() > 13 ? self[13].matches.size() : 0) + (self.size() > 14 ? self[14].matches.size() : 0) + (self.size() > 15 ? self[15].matches.size() : 0) <= 128' + useDefaultGateways: + description: |- + UseDefaultGateways indicates the default Gateway scope to use for this + Route. If unset (the default) or set to None, the Route will not be + attached to any default Gateway; if set, it will be attached to any + default Gateway supporting the named scope, subject to the usual rules + about which Routes a Gateway is allowed to claim. 
+
+ Think carefully before using this functionality! The set of default
+ Gateways supporting the requested scope can change over time without
+ any notice to the Route author, and in many situations it will not be
+ appropriate to request a default Gateway for a given Route -- for
+ example, a Route with specific security requirements should almost
+ certainly not use a default Gateway.
+
+
+ enum:
+ - All
+ - None
+ type: string
 type: object
 type: object
 ingress:
@@ -8245,7 +8882,7 @@ spec:
 description: |-
 Version sets the tag of the default image: docker.io/grafana/grafana.
 Allows full image refs with/without sha256checksum: "registry/repo/image:tag@sha"
- default: 12.3.3
+ default: 12.4.1
 type: string
 type: object
 status:
diff --git a/clusters/cl01tl/manifests/grafana-operator/Deployment-grafana-operator.yaml b/clusters/cl01tl/manifests/grafana-operator/Deployment-grafana-operator.yaml
index c1c5fe588..248ad6a57 100644
--- a/clusters/cl01tl/manifests/grafana-operator/Deployment-grafana-operator.yaml
+++ b/clusters/cl01tl/manifests/grafana-operator/Deployment-grafana-operator.yaml
@@ -4,10 +4,10 @@ metadata:
 name: grafana-operator
 namespace: grafana-operator
 labels:
- helm.sh/chart: grafana-operator-5.22.0
+ helm.sh/chart: grafana-operator-5.22.1
 app.kubernetes.io/name: grafana-operator
 app.kubernetes.io/instance: grafana-operator
- app.kubernetes.io/version: "v5.22.0"
+ app.kubernetes.io/version: "v5.22.1"
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/part-of: grafana-operator
 app.kubernetes.io/component: operator
@@ -20,10 +20,10 @@ spec:
 template:
 metadata:
 labels:
- helm.sh/chart: grafana-operator-5.22.0
+ helm.sh/chart: grafana-operator-5.22.1
 app.kubernetes.io/name: grafana-operator
 app.kubernetes.io/instance: grafana-operator
- app.kubernetes.io/version: "v5.22.0"
+ app.kubernetes.io/version: "v5.22.1"
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/part-of: grafana-operator
 app.kubernetes.io/component: operator
@@ -38,7 +38,7 @@ spec:
 - ALL
 readOnlyRootFilesystem: true
 runAsNonRoot: true
- image: "ghcr.io/grafana/grafana-operator:v5.22.0"
+ image: "ghcr.io/grafana/grafana-operator:v5.22.1"
 imagePullPolicy: IfNotPresent
 env:
 - name: WATCH_NAMESPACE
diff --git a/clusters/cl01tl/manifests/grafana-operator/Role-grafana-operator-leases.yaml b/clusters/cl01tl/manifests/grafana-operator/Role-grafana-operator-leases.yaml
index 2a71fbf75..afefca68d 100644
--- a/clusters/cl01tl/manifests/grafana-operator/Role-grafana-operator-leases.yaml
+++ b/clusters/cl01tl/manifests/grafana-operator/Role-grafana-operator-leases.yaml
@@ -4,10 +4,10 @@ metadata:
 namespace: grafana-operator
 name: grafana-operator-leases
 labels:
- helm.sh/chart: grafana-operator-5.22.0
+ helm.sh/chart: grafana-operator-5.22.1
 app.kubernetes.io/name: grafana-operator
 app.kubernetes.io/instance: grafana-operator
- app.kubernetes.io/version: "v5.22.0"
+ app.kubernetes.io/version: "v5.22.1"
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/part-of: grafana-operator
 app.kubernetes.io/component: operator
diff --git a/clusters/cl01tl/manifests/grafana-operator/RoleBinding-grafana-operator-leases.yaml b/clusters/cl01tl/manifests/grafana-operator/RoleBinding-grafana-operator-leases.yaml
index 5c8e150ab..d7d4af92b 100644
--- a/clusters/cl01tl/manifests/grafana-operator/RoleBinding-grafana-operator-leases.yaml
+++ b/clusters/cl01tl/manifests/grafana-operator/RoleBinding-grafana-operator-leases.yaml
@@ -4,10 +4,10 @@ metadata:
 name: grafana-operator-leases
 namespace: grafana-operator
 labels:
- helm.sh/chart: grafana-operator-5.22.0
+ helm.sh/chart: grafana-operator-5.22.1
 app.kubernetes.io/name: grafana-operator
 app.kubernetes.io/instance: grafana-operator
- app.kubernetes.io/version: "v5.22.0"
+ app.kubernetes.io/version: "v5.22.1"
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/part-of: grafana-operator
 app.kubernetes.io/component: operator
diff --git a/clusters/cl01tl/manifests/grafana-operator/Service-grafana-operator-metrics-service.yaml b/clusters/cl01tl/manifests/grafana-operator/Service-grafana-operator-metrics-service.yaml
index b0f7dac48..e733693a6 100644
--- a/clusters/cl01tl/manifests/grafana-operator/Service-grafana-operator-metrics-service.yaml
+++ b/clusters/cl01tl/manifests/grafana-operator/Service-grafana-operator-metrics-service.yaml
@@ -4,10 +4,10 @@ metadata:
 name: grafana-operator-metrics-service
 namespace: grafana-operator
 labels:
- helm.sh/chart: grafana-operator-5.22.0
+ helm.sh/chart: grafana-operator-5.22.1
 app.kubernetes.io/name: grafana-operator
 app.kubernetes.io/instance: grafana-operator
- app.kubernetes.io/version: "v5.22.0"
+ app.kubernetes.io/version: "v5.22.1"
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/part-of: grafana-operator
 app.kubernetes.io/component: operator
diff --git a/clusters/cl01tl/manifests/grafana-operator/ServiceAccount-grafana-operator.yaml b/clusters/cl01tl/manifests/grafana-operator/ServiceAccount-grafana-operator.yaml
index 60ea87ca1..ba8411b5c 100644
--- a/clusters/cl01tl/manifests/grafana-operator/ServiceAccount-grafana-operator.yaml
+++ b/clusters/cl01tl/manifests/grafana-operator/ServiceAccount-grafana-operator.yaml
@@ -4,10 +4,10 @@ metadata:
 name: grafana-operator
 namespace: grafana-operator
 labels:
- helm.sh/chart: grafana-operator-5.22.0
+ helm.sh/chart: grafana-operator-5.22.1
 app.kubernetes.io/name: grafana-operator
 app.kubernetes.io/instance: grafana-operator
- app.kubernetes.io/version: "v5.22.0"
+ app.kubernetes.io/version: "v5.22.1"
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/part-of: grafana-operator
 app.kubernetes.io/component: operator
diff --git a/clusters/cl01tl/manifests/grafana-operator/ServiceMonitor-grafana-operator.yaml b/clusters/cl01tl/manifests/grafana-operator/ServiceMonitor-grafana-operator.yaml
index a374e942d..ec9dda5b0 100644
--- a/clusters/cl01tl/manifests/grafana-operator/ServiceMonitor-grafana-operator.yaml
+++ b/clusters/cl01tl/manifests/grafana-operator/ServiceMonitor-grafana-operator.yaml
@@ -4,10 +4,10 @@ metadata:
 name: grafana-operator
 namespace: grafana-operator
 labels:
- helm.sh/chart: grafana-operator-5.22.0
+ helm.sh/chart: grafana-operator-5.22.1
 app.kubernetes.io/name: grafana-operator
 app.kubernetes.io/instance: grafana-operator
- app.kubernetes.io/version: "v5.22.0"
+ app.kubernetes.io/version: "v5.22.1"
 app.kubernetes.io/managed-by: Helm
 app.kubernetes.io/part-of: grafana-operator
 app.kubernetes.io/component: operator
-- 2.49.1
From 949da8c72c1bfa6f886222a4a8d50ef35020ebad Mon Sep 17 00:00:00 2001
From: gitea-bot
Date: Sat, 14 Mar 2026 22:40:33 +0000
Subject: [PATCH 11/11] chore: Update manifests after change
---
 .../cl01tl/manifests/code-server/Deployment-code-server.yaml | 2 +-
 .../manifests/home-assistant/Deployment-home-assistant.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/clusters/cl01tl/manifests/code-server/Deployment-code-server.yaml b/clusters/cl01tl/manifests/code-server/Deployment-code-server.yaml
index c3dd56ca3..2f34d2479 100644
--- a/clusters/cl01tl/manifests/code-server/Deployment-code-server.yaml
+++ b/clusters/cl01tl/manifests/code-server/Deployment-code-server.yaml
@@ -46,7 +46,7 @@ spec:
 envFrom:
 - secretRef:
 name: codeserver-password-secret
- image: ghcr.io/linuxserver/code-server:4.111.0@sha256:04107645b21f33215d1087773e2c889dfed823434f5dc4c7e9ae20df218a8ef3
+ image: ghcr.io/linuxserver/code-server:4.111.0@sha256:12c04b41f601604795562ece2ac64cade7cfca632415f4bfb1742477e3226272
 imagePullPolicy: IfNotPresent
 name: main
 resources:
diff --git a/clusters/cl01tl/manifests/home-assistant/Deployment-home-assistant.yaml b/clusters/cl01tl/manifests/home-assistant/Deployment-home-assistant.yaml
index 3f13e34aa..7467bade8 100644
--- a/clusters/cl01tl/manifests/home-assistant/Deployment-home-assistant.yaml
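Review bot: The image line replaces the digest of `ghcr.io/linuxserver/code-server:4.111.0` while the tag itself is unchanged, which means the upstream tag was presumably re-pushed with different content; the identical change appears in Deployment-home-assistant.yaml. Pinning by digest is what makes this rotation visible at all, which is good, but a same-tag digest change carries no release note explaining what changed, so the commit message should record where the new digest was taken from (the bot's update source or the publisher's release/attestation) rather than only `chore: Update manifests after change`. If the update bot does not already check the publisher's signature or attestation before bumping a digest, that step would belong here, since a silently re-pushed tag is exactly the case digest pinning is meant to surface.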
+++ b/clusters/cl01tl/manifests/home-assistant/Deployment-home-assistant.yaml
@@ -46,7 +46,7 @@ spec:
 envFrom:
 - secretRef:
 name: home-assistant-code-server-password-secret
- image: ghcr.io/linuxserver/code-server:4.111.0@sha256:04107645b21f33215d1087773e2c889dfed823434f5dc4c7e9ae20df218a8ef3
+ image: ghcr.io/linuxserver/code-server:4.111.0@sha256:12c04b41f601604795562ece2ac64cade7cfca632415f4bfb1742477e3226272
 imagePullPolicy: IfNotPresent
 name: code-server
 resources:
-- 2.49.1