diff --git a/k8s-peterg/argo-workflows/kustomization.yaml b/k8s-peterg/argo-workflows/kustomization.yaml
deleted file mode 100644
index 7451e9a..0000000
--- a/k8s-peterg/argo-workflows/kustomization.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
----
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-resources:
- - namespace.yaml
- - secrets.yaml
-
-helmCharts:
- - name: argo-workflows
- repo: https://argoproj.github.io/argo-helm
- namespace: argo-workflows
- releaseName: argo-workflows
- version: 1.0.7
- valuesFile: values.yaml
diff --git a/k8s-peterg/argo-workflows/namespace.yaml b/k8s-peterg/argo-workflows/namespace.yaml
deleted file mode 100644
index 67653ed..0000000
--- a/k8s-peterg/argo-workflows/namespace.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-apiVersion: v1
-kind: Namespace
-metadata:
- name: argo-workflows
diff --git a/k8s-peterg/argo-workflows/secrets.yaml b/k8s-peterg/argo-workflows/secrets.yaml
deleted file mode 100644
index 7838756..0000000
--- a/k8s-peterg/argo-workflows/secrets.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
- name: argo-workflows-sso
- namespace: argo-workflows
-spec:
- secretStoreRef:
- name: vault-wheatley
- kind: ClusterSecretStore
- target:
- name: argo-workflows-sso
- template:
- metadata:
- labels:
- app.kubernetes.io/part-of: argo-workflows
- data:
- - secretKey: client-id
- remoteRef:
- key: secrets/managed/argo-workflows/authentik-sso
- property: client-id
- conversionStrategy: Default
- decodingStrategy: None
- metadataPolicy: None
- - secretKey: client-secret
- remoteRef:
- key: secrets/managed/argo-workflows/authentik-sso
- property: client-secret
- conversionStrategy: Default
- decodingStrategy: None
- metadataPolicy: None
diff --git a/k8s-peterg/argo-workflows/values.yaml b/k8s-peterg/argo-workflows/values.yaml
deleted file mode 100644
index 26b8dcf..0000000
--- a/k8s-peterg/argo-workflows/values.yaml
+++ /dev/null
@@ -1,313 +0,0 @@ -## Custom resource configuration -crds: - # -- Install and upgrade CRDs - install: true - # -- Keep CRDs on chart uninstall - keep: true - # -- Use full CRDs with complete OpenAPI schemas. When false, uses minified CRDs with x-kubernetes-preserve-unknown-fields. - # Full CRDs are very large and are installed via a pre-install/pre-upgrade hook Job that uses server-side apply. - full: true - -# -- Create ClusterRoles that extend existing ClusterRoles to interact with Argo Workflows CRDs. -## Ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles -createAggregateRoles: true - -# -- Restrict Argo to operate only in a single namespace (the namespace of the -# Helm release) by apply Roles and RoleBindings instead of the Cluster -# equivalents, and start workflow-controller with the --namespaced flag. Use it -# in clusters with strict access policy. -singleNamespace: false - -workflow: - serviceAccount: - # -- Specifies whether a service account should be created - create: false - # -- Labels applied to created service account - labels: {} - # -- Annotations applied to created service account - annotations: {} - # -- Service account which is used to run workflows - name: "argo-workflow" - # -- Secrets with credentials to pull images from a private registry. Same format as `.Values.images.pullSecrets` - pullSecrets: [] - rbac: - # -- Adds Role and RoleBinding for the above specified service account to be able to run workflows. - # A Role and Rolebinding pair is also created for each namespace in controller.workflowNamespaces (see below) - create: true - # -- Allows permissions for the Argo Agent. Only required if using http/plugin templates - agentPermissions: false - # -- Allows permissions for the Argo Artifact GC pod. 
Only required if using artifact gc - artifactGC: false - # -- Extra service accounts to be added to the RoleBinding - serviceAccounts: [] - # - name: my-service-account - # namespace: my-namespace - # -- Additional rules for the service account that runs the workflows. - rules: [] - -controller: - rbac: - # -- Adds Role and RoleBinding for the controller. - create: true - # -- Allows controller to get, list, and watch certain k8s secrets - secretWhitelist: [] - # -- Allows controller to get, list and watch all k8s secrets. Can only be used if secretWhitelist is empty. - accessAllSecrets: false - # -- Allows controller to create and update ConfigMaps. Enables memoization feature - writeConfigMaps: false - - configMap: - # -- Create a ConfigMap for the controller - create: true - # -- ConfigMap name - name: "" - # -- ConfigMap annotations - annotations: {} - - # -- enable Workflow Archive to store the status of workflows. Postgres and MySQL (>= 5.7.8) are available. - ## Ref: https://argo-workflows.readthedocs.io/en/stable/workflow-archive/ - persistence: {} - # connectionPool: - # maxIdleConns: 100 - # maxOpenConns: 0 - # # save the entire workflow into etcd and DB - # nodeStatusOffLoad: false - # # enable archiving of old workflows - # archive: false - # postgresql: - # host: localhost - # port: 5432 - # database: postgres - # tableName: argo_workflows - # # the database secrets must be in the same namespace of the controller - # userNameSecret: - # name: argo-postgres-config - # key: username - # passwordSecret: - # name: argo-postgres-config - # key: password - # ssl: true - # # sslMode must be one of: disable, require, verify-ca, verify-full - # # you can find more information about those ssl options here: https://godoc.org/github.com/lib/pq - # sslMode: require - # mysql: - # host: localhost - # port: 3306 - # database: argo - # tableName: argo_workflows - # userNameSecret: - # name: argo-mysql-config - # key: username - # passwordSecret: - # name: 
argo-mysql-config - # key: password - - # -- Default values that will apply to all Workflows from this controller, unless overridden on the Workflow-level. - # Only valid for 2.7+ - ## See more: https://argo-workflows.readthedocs.io/en/stable/default-workflow-specs/ - workflowDefaults: {} - # spec: - # ttlStrategy: - # secondsAfterCompletion: 86400 - # # Ref: https://argo-workflows.readthedocs.io/en/stable/artifact-repository-ref/ - # artifactRepositoryRef: - # configMap: my-artifact-repository # default is "artifact-repositories" - # key: v2-s3-artifact-repository # default can be set by the `workflows.argoproj.io/default-artifact-repository` annotation in config map. - - serviceAccount: - # -- Create a service account for the controller - create: true - # -- Service account name - name: "" - # -- Labels applied to created service account - labels: {} - # -- Annotations applied to created service account - annotations: {} - - # -- Workflow controller name string - name: workflow-controller - - # -- Specify all namespaces where this workflow controller instance will manage - # workflows. This controls where the service account and RBAC resources will - # be created. Only valid when singleNamespace is false. - workflowNamespaces: - - default - - logging: - # -- Set the logging level (one of: `debug`, `info`, `warn`, `error`) - level: info - # -- Set the glog logging level - globallevel: "0" - # -- Set the logging format (one of: `text`, `json`) - format: "text" - -server: - # -- Deploy the Argo Server - enabled: true - # -- Value for base href in index.html. Used if the server is running behind reverse proxy under subpath different from /. 
- ## only updates base url of resources on client side, - ## it's expected that a proxy server rewrites the request URL and gets rid of this prefix - ## https://github.com/argoproj/argo-workflows/issues/716#issuecomment-433213190 - baseHref: / - image: - # -- Registry to use for the server - registry: quay.io - # -- Repository to use for the server - repository: argoproj/argocli - # -- Image tag for the Argo Workflows server. Defaults to `.Values.images.tag`. - tag: "" - rbac: - # -- Adds Role and RoleBinding for the server. - create: true - # -- Servers container-level security context - serviceAccount: - # -- Create a service account for the server - create: true - # -- Service account name - name: "" - # -- Labels applied to created service account - labels: {} - # -- Annotations applied to created service account - annotations: {} - - # -- A list of supported authentication modes. Available values are `server`, `client`, or `sso`. If you provide sso, please configure `.Values.server.sso` as well. - ## Ref: https://argo-workflows.readthedocs.io/en/stable/argo-server-auth-mode/ - authModes: - - sso - - ## Ingress configuration. 
- # ref: https://kubernetes.io/docs/concepts/services-networking/ingress/ - ingress: - # -- Enable an ingress resource - enabled: false - - # Gateway API HTTPRoute configuration - # NOTE: Gateway API support is in EXPERIMENTAL status - # Support depends on your Gateway controller implementation - # Some controllers may require additional configuration (e.g., BackendTLSPolicy for HTTPS backends) - # Refer to https://gateway-api.sigs.k8s.io/implementations/ for controller-specific details - httproute: - # -- Enable HTTPRoute resource for Argo Workflows server (Gateway API) - enabled: true - # -- Additional HTTPRoute labels - labels: {} - # -- Additional HTTPRoute annotations - annotations: {} - # -- Gateway API parentRefs for the HTTPRoute - ## Must reference an existing Gateway - # @default -- `[]` (See [values.yaml]) - parentRefs: - - group: gateway.networking.k8s.io - kind: Gateway - name: internal - namespace: kube-system - sectionName: https - # -- List of hostnames for the HTTPRoute - # @default -- `[]` (See [values.yaml]) - hostnames: - - "workflows.peterg.nl" - # @default -- `[]` (See [values.yaml]) - rules: - - matches: - - path: - type: PathPrefix - value: / - # filters: [] - # - type: RequestHeaderModifier - # requestHeaderModifier: - # add: - # - name: X-Custom-Header - # value: custom-value - - # Gateway API BackendTLSPolicy configuration - # NOTE: BackendTLSPolicy support is in EXPERIMENTAL status - # Required for HTTPS backends when using Gateway API - # Not all Gateway controllers support this resource (e.g., Cilium does not support it yet) - backendTLSPolicy: - # -- Enable BackendTLSPolicy resource for Argo Workflows server (Gateway API) - enabled: false - # -- Additional BackendTLSPolicy labels - labels: {} - # -- Additional BackendTLSPolicy annotations - annotations: {} - # -- Target references for the BackendTLSPolicy - # @default -- `[]` (See [values.yaml]) - targetRefs: [] - # - group: "" - # kind: Service - # name: argo-workflows-server - # 
sectionName: https - # -- TLS validation configuration - # @default -- `{}` (See [values.yaml]) - validation: {} - # hostname: argo-workflows-server.argo.svc.cluster.local - # caCertificateRefs: - # - name: example-ca-cert - # group: "" - # kind: ConfigMap - # wellKnownCACertificates: System - - clusterWorkflowTemplates: - # -- Create a ClusterRole and CRB for the server to access ClusterWorkflowTemplates. - enabled: true - # -- Give the server permissions to edit ClusterWorkflowTemplates. - enableEditing: true - - # SSO configuration when SSO is specified as a server auth mode. - sso: - enabled: true - issuer: https://auth.peterg.nl/application/o/argo-workflows/ - clientId: - name: argo-workflows-sso - key: client-id - clientSecret: - name: argo-workflows-sso - key: client-secret - redirectUrl: https://workflows.peterg.nl/oauth2/callback - scopes: - - groups - rbac: - enabled: true - -# -- Array of extra K8s manifests to deploy -extraObjects: - - apiVersion: v1 - kind: ServiceAccount - metadata: - name: admin-user - namespace: argo-workflows - annotations: - workflows.argoproj.io/rbac-rule: "'ArgoCD Admins' in groups" - workflows.argoproj.io/rbac-rule-precedence: "1" - - apiVersion: v1 - kind: ServiceAccount - metadata: - name: read-only - namespace: argo-workflows - annotations: - workflows.argoproj.io/rbac-rule: "true" - workflows.argoproj.io/rbac-rule-precedence: "0" - - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - name: argo-workflows-admin-user - subjects: - - kind: ServiceAccount - name: admin-user - namespace: argo-workflows - roleRef: - kind: ClusterRole - name: argo-workflows-admin - apiGroup: rbac.authorization.k8s.io - - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - name: argo-workflows-read-only - subjects: - - kind: ServiceAccount - name: read-only - namespace: argo-workflows - roleRef: - kind: ClusterRole - name: argo-workflows-view - apiGroup: rbac.authorization.k8s.io 
diff --git a/k8s-peterg/argocd/applications-peterg.yaml b/k8s-peterg/argocd/applications-peterg.yaml
index 26d36ff..915b119 100644
--- a/k8s-peterg/argocd/applications-peterg.yaml
+++ b/k8s-peterg/argocd/applications-peterg.yaml
@@ -78,24 +78,3 @@ spec:
 selfHeal: true
 syncOptions:
 - ServerSideApply=true
----
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
- name: argo-workflows
- namespace: argocd
-spec:
- project: default
- source:
- repoURL: https://code.peterg.nl/wheatley/kubernetes.git
- path: k8s-peterg/argo-workflows
- targetRevision: HEAD
- destination:
- server: https://kubernetes.default.svc
- namespace: argo-workflows
- syncPolicy:
- automated:
- prune: true
- selfHeal: true
- syncOptions:
- - ServerSideApply=true
diff --git a/k8s-peterg/argocd/oidc.yaml b/k8s-peterg/argocd/oidc.yaml
index c587b7e..b45056e 100644
--- a/k8s-peterg/argocd/oidc.yaml
+++ b/k8s-peterg/argocd/oidc.yaml
@@ -27,28 +27,3 @@ spec:
 remoteRef:
 key: secrets/managed/argocd/authentik-oidc-credentials
 property: clientSecret
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
- name: argo-workflows-sso
- namespace: argocd
-spec:
- secretStoreRef:
- name: vault-wheatley
- kind: ClusterSecretStore
- target:
- name: argo-workflows-sso
- template:
- metadata:
- labels:
- app.kubernetes.io/part-of: argo-workflows
- data:
- - secretKey: client-id
- remoteRef:
- key: secrets/managed/argo-workflows/dex-sso
- property: client-id
- - secretKey: client-secret
- remoteRef:
- key: secrets/managed/argo-workflows/dex-sso
- property: client-secret
diff --git a/k8s-peterg/external-secrets-operator/kustomization.yaml b/k8s-peterg/external-secrets-operator/kustomization.yaml
index 91ef006..bf9ffc9 100644
--- a/k8s-peterg/external-secrets-operator/kustomization.yaml
+++ b/k8s-peterg/external-secrets-operator/kustomization.yaml
@@ -12,4 +12,4 @@ helmCharts:
 repo: https://charts.external-secrets.io
 namespace: external-secrets
 releaseName: external-secrets
- version: 2.3.0
+ version: 2.1.0
diff --git a/k8s-peterg/vault-wheatley-approle.yaml b/k8s-peterg/vault-wheatley-approle.yaml
deleted file mode 100644
index f116d9d..0000000
--- a/k8s-peterg/vault-wheatley-approle.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: v1
-data:
- approle_id: MDE5YTdjOWQtMTYxOC0yZjg0LWE2NzUtOWQ5NmVkZWFiNzEyCg==
- approle_secret: ZDZkOWU0MmUtZmVhNi05MGIzLWNlODktYzJlY2E2YWIxMjc3Cg==
-kind: Secret
-metadata:
- name: vault-wheatley-approle
- namespace: external-secrets
-type: Opaque
diff --git a/k8s-wheatley/cloudnative-pg/kustomization.yaml b/k8s-wheatley/cloudnative-pg/kustomization.yaml
index 7f720ec..5d961e4 100644
--- a/k8s-wheatley/cloudnative-pg/kustomization.yaml
+++ b/k8s-wheatley/cloudnative-pg/kustomization.yaml
@@ -11,5 +11,5 @@ helmCharts:
 repo: https://cloudnative-pg.github.io/charts
 namespace: cnpg-system
 releaseName: cloudnative-pg
- version: 0.28.0
+ version: 0.27.1
 valuesFile: values.yaml
diff --git a/k8s-wheatley/external-secrets-operator/kustomization.yaml b/k8s-wheatley/external-secrets-operator/kustomization.yaml
index 91ef006..bf9ffc9 100644
--- a/k8s-wheatley/external-secrets-operator/kustomization.yaml
+++ b/k8s-wheatley/external-secrets-operator/kustomization.yaml
@@ -12,4 +12,4 @@ helmCharts:
 repo: https://charts.external-secrets.io
 namespace: external-secrets
 releaseName: external-secrets
- version: 2.3.0
+ version: 2.1.0
diff --git a/k8s-wheatley/plex/kustomization.yaml b/k8s-wheatley/plex/kustomization.yaml
index 7676da5..eb8b1eb 100644
--- a/k8s-wheatley/plex/kustomization.yaml
+++ b/k8s-wheatley/plex/kustomization.yaml
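Review bot: Deleting `k8s-peterg/vault-wheatley-approle.yaml` removes the manifest but does not retire the credential it carried: the removed `Secret` held `approle_id` and `approle_secret` under `data:`, which is base64 encoding rather than encryption, so both values remain readable in the repository history and in every existing clone. Nothing visible in this commit indicates that the AppRole secret ID was revoked and reissued in Vault; if these were live values, that rotation should be confirmed before the change is treated as complete. The replacement credential should be delivered to the `external-secrets` namespace out of band or in encrypted form rather than as a plain manifest in the repository, and the commit description would benefit from a line stating that rotation was done.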
@@ -14,4 +14,4 @@ resources: images: - name: plexinc/pms-docker - newTag: 1.43.1.10611-1e34174b1@sha256:8b5bcdf7b506fe051aa1a0a0d464efdb3ad8c0fb1f8a4dfb27a8c489b609920c + newTag: 1.43.0.10492-121068a07@sha256:1131c4cd21fa22f8196f749f1dbb69af306776c3c83c7f5b061e51dc49bcff7f diff --git a/k8s-wheatley/prowlarr/kustomization.yaml b/k8s-wheatley/prowlarr/kustomization.yaml index c9a7a47..71d1948 100644 --- a/k8s-wheatley/prowlarr/kustomization.yaml +++ b/k8s-wheatley/prowlarr/kustomization.yaml @@ -16,4 +16,4 @@ images: - name: flaresolverr/flaresolverr newTag: v3.4.6@sha256:7962759d99d7e125e108e0f5e7f3cdbcd36161776d058d1d9b7153b92ef1af9e - name: linuxserver/prowlarr - newTag: 2.3.5@sha256:35f48abb3e976fcf077fae756866c582e4a90f8b24810ae4067b3558f7cdbbdf + newTag: 2.3.0@sha256:9ef5d8bf832edcacb6082f9262cb36087854e78eb7b1c3e1d4375056055b2d82 diff --git a/k8s-wheatley/qbittorrent/deployments.yaml b/k8s-wheatley/qbittorrent/deployments.yaml index 0e1600b..939dd66 100644 --- a/k8s-wheatley/qbittorrent/deployments.yaml +++ b/k8s-wheatley/qbittorrent/deployments.yaml @@ -36,15 +36,6 @@ spec: - name: gluetun-tmp mountPath: /tmp/gluetun restartPolicy: Always - lifecycle: - postStart: - exec: - command: - [ - "/bin/sh", - "-c", - "(ip rule del table 51820; ip -6 rule del table 51820) || true", - ] readinessProbe: exec: command: diff --git a/k8s-wheatley/radarr/kustomization.yaml b/k8s-wheatley/radarr/kustomization.yaml index dcb0205..25417d3 100644 --- a/k8s-wheatley/radarr/kustomization.yaml +++ b/k8s-wheatley/radarr/kustomization.yaml @@ -14,4 +14,4 @@ resources: images: - name: linuxserver/radarr - newTag: 6.1.1@sha256:6f1dda18354ea7f28cead8f6d099fc8222498c3ae165f567d504ed04d70980d7 + newTag: 6.0.4@sha256:ca43905eaf2dd11425efdcfe184892e43806b1ae0a830440c825cecbc2629cfb diff --git a/k8s-wheatley/sonarr/kustomization.yaml b/k8s-wheatley/sonarr/kustomization.yaml index eed76a3..8ea7bb6 100644 --- a/k8s-wheatley/sonarr/kustomization.yaml 
+++ b/k8s-wheatley/sonarr/kustomization.yaml @@ -14,4 +14,4 @@ resources: images: - name: linuxserver/sonarr - newTag: 4.0.17@sha256:6854df9de20b8c82e1982604f39473d64dbb4c4584b1013f18f9ade1ee92af13 + newTag: 4.0.16@sha256:21c1c3d52248589bb064f5adafec18cad45812d7a01d317472955eef051e619b diff --git a/kustomize-bases/alloy/kustomization.yaml b/kustomize-bases/alloy/kustomization.yaml index 69e9687..f186140 100644 --- a/kustomize-bases/alloy/kustomization.yaml +++ b/kustomize-bases/alloy/kustomization.yaml @@ -9,14 +9,14 @@ resources: helmCharts: - name: alloy repo: https://grafana.github.io/helm-charts - version: "1.7.0" + version: "1.6.2" releaseName: alloy valuesFile: values.yaml - name: kube-state-metrics repo: https://prometheus-community.github.io/helm-charts - version: "7.2.2" + version: "7.2.1" releaseName: kube-state-metrics - name: prometheus-operator-crds repo: https://prometheus-community.github.io/helm-charts - version: "28.0.1" + version: "27.0.0" releaseName: prometheus-operator-crds diff --git a/kustomize-bases/alloy/values.yaml b/kustomize-bases/alloy/values.yaml index 8f2540b..fd88ceb 100644 --- a/kustomize-bases/alloy/values.yaml +++ b/kustomize-bases/alloy/values.yaml @@ -127,7 +127,7 @@ configReloader: # -- Repository to get config reloader image from. repository: prometheus-operator/prometheus-config-reloader # -- Tag of image to use for config reloading. - tag: v0.90.1@sha256:693faa0b87243cddca2cffb13586e4e2778b0cdf319cb2e601ba7af3fd19ef7d + tag: v0.89.0@sha256:cb4ac6a56555bef0e202bec11e367dfe07ffb241cf4d30566b12b864692607a8 # -- SHA256 digest of image to use for config reloading (either in format "sha256:XYZ" or "XYZ"). When set, will override `configReloader.image.tag` digest: "" # -- Override the args passed to the container. diff --git a/kustomize-bases/cilium/kustomization.yaml b/kustomize-bases/cilium/kustomization.yaml index 37b61c4..726d152 100644 --- a/kustomize-bases/cilium/kustomization.yaml 
+++ b/kustomize-bases/cilium/kustomization.yaml
@@ -13,5 +13,5 @@ helmCharts:
 repo: https://helm.cilium.io
 namespace: kube-system
 releaseName: cilium
- version: 1.19.3
+ version: 1.19.2
 valuesFile: values.yaml