chore(deps): update helm release cilium to v1.19.2

2026-03-23 11:01:46 +00:00
18 changed files with 12 additions and 440 deletions
--- a/k8s-peterg/argo-workflows/kustomization.yaml
+++ b/k8s-peterg/argo-workflows/kustomization.yaml
@ -1,15 +0,0 @@
---
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-resources:
-  - namespace.yaml
-  - secrets.yaml
-
-helmCharts:
-  - name: argo-workflows
-    repo: https://argoproj.github.io/argo-helm
-    namespace: argo-workflows
-    releaseName: argo-workflows
-    version: 1.0.7
-    valuesFile: values.yaml
--- a/k8s-peterg/argo-workflows/namespace.yaml
+++ b/k8s-peterg/argo-workflows/namespace.yaml
@ -1,5 +0,0 @@
---
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: argo-workflows
--- a/k8s-peterg/argo-workflows/secrets.yaml
+++ b/k8s-peterg/argo-workflows/secrets.yaml
@ -1,31 +0,0 @@
---
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: argo-workflows-sso
-  namespace: argo-workflows
-spec:
-  secretStoreRef:
-    name: vault-wheatley
-    kind: ClusterSecretStore
-  target:
-    name: argo-workflows-sso
-    template:
-      metadata:
-        labels:
-          app.kubernetes.io/part-of: argo-workflows
-  data:
-    - secretKey: client-id
-      remoteRef:
-        key: secrets/managed/argo-workflows/authentik-sso
-        property: client-id
-        conversionStrategy: Default
-        decodingStrategy: None
-        metadataPolicy: None
-    - secretKey: client-secret
-      remoteRef:
-        key: secrets/managed/argo-workflows/authentik-sso
-        property: client-secret
-        conversionStrategy: Default
-        decodingStrategy: None
-        metadataPolicy: None
--- a/k8s-peterg/argo-workflows/values.yaml
+++ b/k8s-peterg/argo-workflows/values.yaml
@ -1,313 +0,0 @@
-## Custom resource configuration
-crds:
-  # -- Install and upgrade CRDs
-  install: true
-  # -- Keep CRDs on chart uninstall
-  keep: true
-  # -- Use full CRDs with complete OpenAPI schemas. When false, uses minified CRDs with x-kubernetes-preserve-unknown-fields.
-  # Full CRDs are very large and are installed via a pre-install/pre-upgrade hook Job that uses server-side apply.
-  full: true
-
-# -- Create ClusterRoles that extend existing ClusterRoles to interact with Argo Workflows CRDs.
-## Ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles
-createAggregateRoles: true
-
-# -- Restrict Argo to operate only in a single namespace (the namespace of the
-# Helm release) by apply Roles and RoleBindings instead of the Cluster
-# equivalents, and start workflow-controller with the --namespaced flag. Use it
-# in clusters with strict access policy.
-singleNamespace: false
-
-workflow:
-  serviceAccount:
-    # -- Specifies whether a service account should be created
-    create: false
-    # -- Labels applied to created service account
-    labels: {}
-    # -- Annotations applied to created service account
-    annotations: {}
-    # -- Service account which is used to run workflows
-    name: "argo-workflow"
-    # -- Secrets with credentials to pull images from a private registry. Same format as `.Values.images.pullSecrets`
-    pullSecrets: []
-  rbac:
-    # -- Adds Role and RoleBinding for the above specified service account to be able to run workflows.
-    # A Role and Rolebinding pair is also created for each namespace in controller.workflowNamespaces (see below)
-    create: true
-    # -- Allows permissions for the Argo Agent. Only required if using http/plugin templates
-    agentPermissions: false
-    # -- Allows permissions for the Argo Artifact GC pod. Only required if using artifact gc
-    artifactGC: false
-    # -- Extra service accounts to be added to the RoleBinding
-    serviceAccounts: []
-      # - name: my-service-account
-      #   namespace: my-namespace
-    # -- Additional rules for the service account that runs the workflows.
-    rules: []
-
-controller:
-  rbac:
-    # -- Adds Role and RoleBinding for the controller.
-    create: true
-    # -- Allows controller to get, list, and watch certain k8s secrets
-    secretWhitelist: []
-    # -- Allows controller to get, list and watch all k8s secrets. Can only be used if secretWhitelist is empty.
-    accessAllSecrets: false
-    # -- Allows controller to create and update ConfigMaps. Enables memoization feature
-    writeConfigMaps: false
-
-  configMap:
-    # -- Create a ConfigMap for the controller
-    create: true
-    # -- ConfigMap name
-    name: ""
-    # -- ConfigMap annotations
-    annotations: {}
-
-  # -- enable Workflow Archive to store the status of workflows. Postgres and MySQL (>= 5.7.8) are available.
-  ## Ref: https://argo-workflows.readthedocs.io/en/stable/workflow-archive/
-  persistence: {}
-  # connectionPool:
-  #   maxIdleConns: 100
-  #   maxOpenConns: 0
-  # # save the entire workflow into etcd and DB
-  # nodeStatusOffLoad: false
-  # # enable archiving of old workflows
-  # archive: false
-  # postgresql:
-  #   host: localhost
-  #   port: 5432
-  #   database: postgres
-  #   tableName: argo_workflows
-  #   # the database secrets must be in the same namespace of the controller
-  #   userNameSecret:
-  #     name: argo-postgres-config
-  #     key: username
-  #   passwordSecret:
-  #     name: argo-postgres-config
-  #     key: password
-  #   ssl: true
-  #   # sslMode must be one of: disable, require, verify-ca, verify-full
-  #   # you can find more information about those ssl options here: https://godoc.org/github.com/lib/pq
-  #   sslMode: require
-  # mysql:
-  #   host: localhost
-  #   port: 3306
-  #   database: argo
-  #   tableName: argo_workflows
-  #   userNameSecret:
-  #     name: argo-mysql-config
-  #     key: username
-  #   passwordSecret:
-  #     name: argo-mysql-config
-  #     key: password
-
-  # -- Default values that will apply to all Workflows from this controller, unless overridden on the Workflow-level.
-  # Only valid for 2.7+
-  ## See more: https://argo-workflows.readthedocs.io/en/stable/default-workflow-specs/
-  workflowDefaults: {}
-  #   spec:
-  #     ttlStrategy:
-  #       secondsAfterCompletion: 86400
-  #     # Ref: https://argo-workflows.readthedocs.io/en/stable/artifact-repository-ref/
-  #     artifactRepositoryRef:
-  #       configMap: my-artifact-repository # default is "artifact-repositories"
-  #       key: v2-s3-artifact-repository # default can be set by the `workflows.argoproj.io/default-artifact-repository` annotation in config map.
-
-  serviceAccount:
-    # -- Create a service account for the controller
-    create: true
-    # -- Service account name
-    name: ""
-    # -- Labels applied to created service account
-    labels: {}
-    # -- Annotations applied to created service account
-    annotations: {}
-
-  # -- Workflow controller name string
-  name: workflow-controller
-
-  # -- Specify all namespaces where this workflow controller instance will manage
-  # workflows. This controls where the service account and RBAC resources will
-  # be created. Only valid when singleNamespace is false.
-  workflowNamespaces:
-    - default
-
-  logging:
-    # -- Set the logging level (one of: `debug`, `info`, `warn`, `error`)
-    level: info
-    # -- Set the glog logging level
-    globallevel: "0"
-    # -- Set the logging format (one of: `text`, `json`)
-    format: "text"
-
-server:
-  # -- Deploy the Argo Server
-  enabled: true
-  # -- Value for base href in index.html. Used if the server is running behind reverse proxy under subpath different from /.
-  ## only updates base url of resources on client side,
-  ## it's expected that a proxy server rewrites the request URL and gets rid of this prefix
-  ## https://github.com/argoproj/argo-workflows/issues/716#issuecomment-433213190
-  baseHref: /
-  image:
-    # -- Registry to use for the server
-    registry: quay.io
-    # -- Repository to use for the server
-    repository: argoproj/argocli
-    # -- Image tag for the Argo Workflows server. Defaults to `.Values.images.tag`.
-    tag: ""
-  rbac:
-    # -- Adds Role and RoleBinding for the server.
-    create: true
-  # -- Servers container-level security context
-  serviceAccount:
-    # -- Create a service account for the server
-    create: true
-    # -- Service account name
-    name: ""
-    # -- Labels applied to created service account
-    labels: {}
-    # -- Annotations applied to created service account
-    annotations: {}
-
-  # -- A list of supported authentication modes. Available values are `server`, `client`, or `sso`. If you provide sso, please configure `.Values.server.sso` as well.
-  ## Ref: https://argo-workflows.readthedocs.io/en/stable/argo-server-auth-mode/
-  authModes:
-    - sso
-
-  ## Ingress configuration.
-  # ref: https://kubernetes.io/docs/concepts/services-networking/ingress/
-  ingress:
-    # -- Enable an ingress resource
-    enabled: false
-
-  # Gateway API HTTPRoute configuration
-  # NOTE: Gateway API support is in EXPERIMENTAL status
-  # Support depends on your Gateway controller implementation
-  # Some controllers may require additional configuration (e.g., BackendTLSPolicy for HTTPS backends)
-  # Refer to https://gateway-api.sigs.k8s.io/implementations/ for controller-specific details
-  httproute:
-    # -- Enable HTTPRoute resource for Argo Workflows server (Gateway API)
-    enabled: true
-    # -- Additional HTTPRoute labels
-    labels: {}
-    # -- Additional HTTPRoute annotations
-    annotations: {}
-    # -- Gateway API parentRefs for the HTTPRoute
-    ## Must reference an existing Gateway
-    # @default -- `[]` (See [values.yaml])
-    parentRefs:
-      - group: gateway.networking.k8s.io
-        kind: Gateway
-        name: internal
-        namespace: kube-system
-        sectionName: https
-    # -- List of hostnames for the HTTPRoute
-    # @default -- `[]` (See [values.yaml])
-    hostnames:
-      - "workflows.peterg.nl"
-      # @default -- `[]` (See [values.yaml])
-    rules:
-      - matches:
-          - path:
-              type: PathPrefix
-              value: /
-        # filters: []
-        #   - type: RequestHeaderModifier
-        #     requestHeaderModifier:
-        #       add:
-        #         - name: X-Custom-Header
-        #           value: custom-value
-
-  # Gateway API BackendTLSPolicy configuration
-  # NOTE: BackendTLSPolicy support is in EXPERIMENTAL status
-  # Required for HTTPS backends when using Gateway API
-  # Not all Gateway controllers support this resource (e.g., Cilium does not support it yet)
-  backendTLSPolicy:
-    # -- Enable BackendTLSPolicy resource for Argo Workflows server (Gateway API)
-    enabled: false
-    # -- Additional BackendTLSPolicy labels
-    labels: {}
-    # -- Additional BackendTLSPolicy annotations
-    annotations: {}
-    # -- Target references for the BackendTLSPolicy
-    # @default -- `[]` (See [values.yaml])
-    targetRefs: []
-      # - group: ""
-      #   kind: Service
-      #   name: argo-workflows-server
-      #   sectionName: https
-    # -- TLS validation configuration
-    # @default -- `{}` (See [values.yaml])
-    validation: {}
-      # hostname: argo-workflows-server.argo.svc.cluster.local
-      # caCertificateRefs:
-      #   - name: example-ca-cert
-      #     group: ""
-      #     kind: ConfigMap
-      # wellKnownCACertificates: System
-
-  clusterWorkflowTemplates:
-    # -- Create a ClusterRole and CRB for the server to access ClusterWorkflowTemplates.
-    enabled: true
-    # -- Give the server permissions to edit ClusterWorkflowTemplates.
-    enableEditing: true
-
-  # SSO configuration when SSO is specified as a server auth mode.
-  sso:
-    enabled: true
-    issuer: https://auth.peterg.nl/application/o/argo-workflows/
-    clientId:
-      name: argo-workflows-sso
-      key: client-id
-    clientSecret:
-      name: argo-workflows-sso
-      key: client-secret
-    redirectUrl: https://workflows.peterg.nl/oauth2/callback
-    scopes:
-      - groups
-    rbac:
-      enabled: true
-
-# -- Array of extra K8s manifests to deploy
-extraObjects:
-  - apiVersion: v1
-    kind: ServiceAccount
-    metadata:
-      name: admin-user
-      namespace: argo-workflows
-      annotations:
-        workflows.argoproj.io/rbac-rule: "'ArgoCD Admins' in groups"
-        workflows.argoproj.io/rbac-rule-precedence: "1"
-  - apiVersion: v1
-    kind: ServiceAccount
-    metadata:
-      name: read-only
-      namespace: argo-workflows
-      annotations:
-        workflows.argoproj.io/rbac-rule: "true"
-        workflows.argoproj.io/rbac-rule-precedence: "0"
-  - apiVersion: rbac.authorization.k8s.io/v1
-    kind: ClusterRoleBinding
-    metadata:
-      name: argo-workflows-admin-user
-    subjects:
-      - kind: ServiceAccount
-        name: admin-user
-        namespace: argo-workflows
-    roleRef:
-      kind: ClusterRole
-      name: argo-workflows-admin
-      apiGroup: rbac.authorization.k8s.io
-  - apiVersion: rbac.authorization.k8s.io/v1
-    kind: ClusterRoleBinding
-    metadata:
-      name: argo-workflows-read-only
-    subjects:
-      - kind: ServiceAccount
-        name: read-only
-        namespace: argo-workflows
-    roleRef:
-      kind: ClusterRole
-      name: argo-workflows-view
-      apiGroup: rbac.authorization.k8s.io
--- a/k8s-peterg/argocd/applications-peterg.yaml
+++ b/k8s-peterg/argocd/applications-peterg.yaml
@ -78,24 +78,3 @@ spec:
      selfHeal: true
    syncOptions:
      - ServerSideApply=true
---
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: argo-workflows
-  namespace: argocd
-spec:
-  project: default
-  source:
-    repoURL: https://code.peterg.nl/wheatley/kubernetes.git
-    path: k8s-peterg/argo-workflows
-    targetRevision: HEAD
-  destination:
-    server: https://kubernetes.default.svc
-    namespace: argo-workflows
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true
-    syncOptions:
-      - ServerSideApply=true
--- a/k8s-peterg/argocd/oidc.yaml
+++ b/k8s-peterg/argocd/oidc.yaml
@ -27,28 +27,3 @@ spec:
      remoteRef:
        key: secrets/managed/argocd/authentik-oidc-credentials
        property: clientSecret
---
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: argo-workflows-sso
-  namespace: argocd
-spec:
-  secretStoreRef:
-    name: vault-wheatley
-    kind: ClusterSecretStore
-  target:
-    name: argo-workflows-sso
-    template:
-      metadata:
-        labels:
-          app.kubernetes.io/part-of: argo-workflows
-  data:
-    - secretKey: client-id
-      remoteRef:
-        key: secrets/managed/argo-workflows/dex-sso
-        property: client-id
-    - secretKey: client-secret
-      remoteRef:
-        key: secrets/managed/argo-workflows/dex-sso
-        property: client-secret
--- a/k8s-peterg/external-secrets-operator/kustomization.yaml
+++ b/k8s-peterg/external-secrets-operator/kustomization.yaml
@ -12,4 +12,4 @@ helmCharts:
    repo: https://charts.external-secrets.io
    namespace: external-secrets
    releaseName: external-secrets
-    version: 2.3.0
+    version: 2.1.0
--- a/k8s-peterg/vault-wheatley-approle.yaml
+++ b/k8s-peterg/vault-wheatley-approle.yaml
@ -1,9 +0,0 @@
-apiVersion: v1
-data:
-  approle_id: MDE5YTdjOWQtMTYxOC0yZjg0LWE2NzUtOWQ5NmVkZWFiNzEyCg==
-  approle_secret: ZDZkOWU0MmUtZmVhNi05MGIzLWNlODktYzJlY2E2YWIxMjc3Cg==
-kind: Secret
-metadata:
-  name: vault-wheatley-approle
-  namespace: external-secrets
-type: Opaque
--- a/k8s-wheatley/cloudnative-pg/kustomization.yaml
+++ b/k8s-wheatley/cloudnative-pg/kustomization.yaml
@ -11,5 +11,5 @@ helmCharts:
    repo: https://cloudnative-pg.github.io/charts
    namespace: cnpg-system
    releaseName: cloudnative-pg
-    version: 0.28.0
+    version: 0.27.1
    valuesFile: values.yaml
--- a/k8s-wheatley/external-secrets-operator/kustomization.yaml
+++ b/k8s-wheatley/external-secrets-operator/kustomization.yaml
@ -12,4 +12,4 @@ helmCharts:
    repo: https://charts.external-secrets.io
    namespace: external-secrets
    releaseName: external-secrets
-    version: 2.3.0
+    version: 2.1.0
--- a/k8s-wheatley/plex/kustomization.yaml
+++ b/k8s-wheatley/plex/kustomization.yaml
@ -14,4 +14,4 @@ resources:

 images:
 - name: plexinc/pms-docker
-  newTag: 1.43.1.10611-1e34174b1@sha256:8b5bcdf7b506fe051aa1a0a0d464efdb3ad8c0fb1f8a4dfb27a8c489b609920c
+  newTag: 1.43.0.10492-121068a07@sha256:1131c4cd21fa22f8196f749f1dbb69af306776c3c83c7f5b061e51dc49bcff7f
--- a/k8s-wheatley/prowlarr/kustomization.yaml
+++ b/k8s-wheatley/prowlarr/kustomization.yaml
@ -16,4 +16,4 @@ images:
  - name: flaresolverr/flaresolverr
    newTag: v3.4.6@sha256:7962759d99d7e125e108e0f5e7f3cdbcd36161776d058d1d9b7153b92ef1af9e
  - name: linuxserver/prowlarr
-    newTag: 2.3.5@sha256:35f48abb3e976fcf077fae756866c582e4a90f8b24810ae4067b3558f7cdbbdf
+    newTag: 2.3.0@sha256:9ef5d8bf832edcacb6082f9262cb36087854e78eb7b1c3e1d4375056055b2d82
--- a/k8s-wheatley/qbittorrent/deployments.yaml
+++ b/k8s-wheatley/qbittorrent/deployments.yaml
@ -36,15 +36,6 @@ spec:
            - name: gluetun-tmp
              mountPath: /tmp/gluetun
          restartPolicy: Always
-          lifecycle:
-            postStart:
-              exec:
-                command:
-                  [
-                    "/bin/sh",
-                    "-c",
-                    "(ip rule del table 51820; ip -6 rule del table 51820) || true",
-                  ]
          readinessProbe:
            exec:
              command:
--- a/k8s-wheatley/radarr/kustomization.yaml
+++ b/k8s-wheatley/radarr/kustomization.yaml
@ -14,4 +14,4 @@ resources:

 images:
  - name: linuxserver/radarr
-    newTag: 6.1.1@sha256:6f1dda18354ea7f28cead8f6d099fc8222498c3ae165f567d504ed04d70980d7
+    newTag: 6.0.4@sha256:ca43905eaf2dd11425efdcfe184892e43806b1ae0a830440c825cecbc2629cfb
--- a/k8s-wheatley/sonarr/kustomization.yaml
+++ b/k8s-wheatley/sonarr/kustomization.yaml
@ -14,4 +14,4 @@ resources:

 images:
  - name: linuxserver/sonarr
-    newTag: 4.0.17@sha256:6854df9de20b8c82e1982604f39473d64dbb4c4584b1013f18f9ade1ee92af13
+    newTag: 4.0.16@sha256:21c1c3d52248589bb064f5adafec18cad45812d7a01d317472955eef051e619b
--- a/kustomize-bases/alloy/kustomization.yaml
+++ b/kustomize-bases/alloy/kustomization.yaml
@ -9,14 +9,14 @@ resources:
 helmCharts:
  - name: alloy
    repo: https://grafana.github.io/helm-charts
-    version: "1.7.0"
+    version: "1.6.2"
    releaseName: alloy
    valuesFile: values.yaml
  - name: kube-state-metrics
    repo: https://prometheus-community.github.io/helm-charts
-    version: "7.2.2"
+    version: "7.2.1"
    releaseName: kube-state-metrics
  - name: prometheus-operator-crds
    repo: https://prometheus-community.github.io/helm-charts
-    version: "28.0.1"
+    version: "27.0.0"
    releaseName: prometheus-operator-crds
--- a/kustomize-bases/alloy/values.yaml
+++ b/kustomize-bases/alloy/values.yaml
@ -127,7 +127,7 @@ configReloader:
    # -- Repository to get config reloader image from.
    repository: prometheus-operator/prometheus-config-reloader
    # -- Tag of image to use for config reloading.
-    tag: v0.90.1@sha256:693faa0b87243cddca2cffb13586e4e2778b0cdf319cb2e601ba7af3fd19ef7d
+    tag: v0.89.0@sha256:cb4ac6a56555bef0e202bec11e367dfe07ffb241cf4d30566b12b864692607a8
    # -- SHA256 digest of image to use for config reloading (either in format "sha256:XYZ" or "XYZ"). When set, will override `configReloader.image.tag`
    digest: ""
  # -- Override the args passed to the container.
--- a/kustomize-bases/cilium/kustomization.yaml
+++ b/kustomize-bases/cilium/kustomization.yaml
@ -13,5 +13,5 @@ helmCharts:
    repo: https://helm.cilium.io
    namespace: kube-system
    releaseName: cilium
-    version: 1.19.3
+    version: 1.19.2
    valuesFile: values.yaml