chore(deps): update helm release cilium to v1.19.2

2026-03-23 11:01:46 +00:00
18 changed files with 12 additions and 440 deletions
--- a/k8s-peterg/argo-workflows/kustomization.yaml
+++ b/k8s-peterg/argo-workflows/kustomization.yaml
@ -1,15 +0,0 @@
 ---
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - namespace.yaml
  - secrets.yaml
 helmCharts:
  - name: argo-workflows
    repo: https://argoproj.github.io/argo-helm
    namespace: argo-workflows
    releaseName: argo-workflows
    version: 1.0.7
    valuesFile: values.yaml
--- a/k8s-peterg/argo-workflows/namespace.yaml
+++ b/k8s-peterg/argo-workflows/namespace.yaml
@ -1,5 +0,0 @@
 ---
 apiVersion: v1
 kind: Namespace
 metadata:
  name: argo-workflows
--- a/k8s-peterg/argo-workflows/secrets.yaml
+++ b/k8s-peterg/argo-workflows/secrets.yaml
@ -1,31 +0,0 @@
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: argo-workflows-sso
  namespace: argo-workflows
 spec:
  secretStoreRef:
    name: vault-wheatley
    kind: ClusterSecretStore
  target:
    name: argo-workflows-sso
    template:
      metadata:
        labels:
          app.kubernetes.io/part-of: argo-workflows
  data:
    - secretKey: client-id
      remoteRef:
        key: secrets/managed/argo-workflows/authentik-sso
        property: client-id
        conversionStrategy: Default
        decodingStrategy: None
        metadataPolicy: None
    - secretKey: client-secret
      remoteRef:
        key: secrets/managed/argo-workflows/authentik-sso
        property: client-secret
        conversionStrategy: Default
        decodingStrategy: None
        metadataPolicy: None
--- a/k8s-peterg/argo-workflows/values.yaml
+++ b/k8s-peterg/argo-workflows/values.yaml
@ -1,313 +0,0 @@
 ## Custom resource configuration
 crds:
  # -- Install and upgrade CRDs
  install: true
  # -- Keep CRDs on chart uninstall
  keep: true
  # -- Use full CRDs with complete OpenAPI schemas. When false, uses minified CRDs with x-kubernetes-preserve-unknown-fields.
  # Full CRDs are very large and are installed via a pre-install/pre-upgrade hook Job that uses server-side apply.
  full: true
 # -- Create ClusterRoles that extend existing ClusterRoles to interact with Argo Workflows CRDs.
 ## Ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles
 createAggregateRoles: true
 # -- Restrict Argo to operate only in a single namespace (the namespace of the
 # Helm release) by apply Roles and RoleBindings instead of the Cluster
 # equivalents, and start workflow-controller with the --namespaced flag. Use it
 # in clusters with strict access policy.
 singleNamespace: false
 workflow:
  serviceAccount:
    # -- Specifies whether a service account should be created
    create: false
    # -- Labels applied to created service account
    labels: {}
    # -- Annotations applied to created service account
    annotations: {}
    # -- Service account which is used to run workflows
    name: "argo-workflow"
    # -- Secrets with credentials to pull images from a private registry. Same format as `.Values.images.pullSecrets`
    pullSecrets: []
  rbac:
    # -- Adds Role and RoleBinding for the above specified service account to be able to run workflows.
    # A Role and Rolebinding pair is also created for each namespace in controller.workflowNamespaces (see below)
    create: true
    # -- Allows permissions for the Argo Agent. Only required if using http/plugin templates
    agentPermissions: false
    # -- Allows permissions for the Argo Artifact GC pod. Only required if using artifact gc
    artifactGC: false
    # -- Extra service accounts to be added to the RoleBinding
    serviceAccounts: []
      # - name: my-service-account
      #   namespace: my-namespace
    # -- Additional rules for the service account that runs the workflows.
    rules: []
 controller:
  rbac:
    # -- Adds Role and RoleBinding for the controller.
    create: true
    # -- Allows controller to get, list, and watch certain k8s secrets
    secretWhitelist: []
    # -- Allows controller to get, list and watch all k8s secrets. Can only be used if secretWhitelist is empty.
    accessAllSecrets: false
    # -- Allows controller to create and update ConfigMaps. Enables memoization feature
    writeConfigMaps: false
  configMap:
    # -- Create a ConfigMap for the controller
    create: true
    # -- ConfigMap name
    name: ""
    # -- ConfigMap annotations
    annotations: {}
  # -- enable Workflow Archive to store the status of workflows. Postgres and MySQL (>= 5.7.8) are available.
  ## Ref: https://argo-workflows.readthedocs.io/en/stable/workflow-archive/
  persistence: {}
  # connectionPool:
  #   maxIdleConns: 100
  #   maxOpenConns: 0
  # # save the entire workflow into etcd and DB
  # nodeStatusOffLoad: false
  # # enable archiving of old workflows
  # archive: false
  # postgresql:
  #   host: localhost
  #   port: 5432
  #   database: postgres
  #   tableName: argo_workflows
  #   # the database secrets must be in the same namespace of the controller
  #   userNameSecret:
  #     name: argo-postgres-config
  #     key: username
  #   passwordSecret:
  #     name: argo-postgres-config
  #     key: password
  #   ssl: true
  #   # sslMode must be one of: disable, require, verify-ca, verify-full
  #   # you can find more information about those ssl options here: https://godoc.org/github.com/lib/pq
  #   sslMode: require
  # mysql:
  #   host: localhost
  #   port: 3306
  #   database: argo
  #   tableName: argo_workflows
  #   userNameSecret:
  #     name: argo-mysql-config
  #     key: username
  #   passwordSecret:
  #     name: argo-mysql-config
  #     key: password
  # -- Default values that will apply to all Workflows from this controller, unless overridden on the Workflow-level.
  # Only valid for 2.7+
  ## See more: https://argo-workflows.readthedocs.io/en/stable/default-workflow-specs/
  workflowDefaults: {}
  #   spec:
  #     ttlStrategy:
  #       secondsAfterCompletion: 86400
  #     # Ref: https://argo-workflows.readthedocs.io/en/stable/artifact-repository-ref/
  #     artifactRepositoryRef:
  #       configMap: my-artifact-repository # default is "artifact-repositories"
  #       key: v2-s3-artifact-repository # default can be set by the `workflows.argoproj.io/default-artifact-repository` annotation in config map.
  serviceAccount:
    # -- Create a service account for the controller
    create: true
    # -- Service account name
    name: ""
    # -- Labels applied to created service account
    labels: {}
    # -- Annotations applied to created service account
    annotations: {}
  # -- Workflow controller name string
  name: workflow-controller
  # -- Specify all namespaces where this workflow controller instance will manage
  # workflows. This controls where the service account and RBAC resources will
  # be created. Only valid when singleNamespace is false.
  workflowNamespaces:
    - default
  logging:
    # -- Set the logging level (one of: `debug`, `info`, `warn`, `error`)
    level: info
    # -- Set the glog logging level
    globallevel: "0"
    # -- Set the logging format (one of: `text`, `json`)
    format: "text"
 server:
  # -- Deploy the Argo Server
  enabled: true
  # -- Value for base href in index.html. Used if the server is running behind reverse proxy under subpath different from /.
  ## only updates base url of resources on client side,
  ## it's expected that a proxy server rewrites the request URL and gets rid of this prefix
  ## https://github.com/argoproj/argo-workflows/issues/716#issuecomment-433213190
  baseHref: /
  image:
    # -- Registry to use for the server
    registry: quay.io
    # -- Repository to use for the server
    repository: argoproj/argocli
    # -- Image tag for the Argo Workflows server. Defaults to `.Values.images.tag`.
    tag: ""
  rbac:
    # -- Adds Role and RoleBinding for the server.
    create: true
  # -- Servers container-level security context
  serviceAccount:
    # -- Create a service account for the server
    create: true
    # -- Service account name
    name: ""
    # -- Labels applied to created service account
    labels: {}
    # -- Annotations applied to created service account
    annotations: {}
  # -- A list of supported authentication modes. Available values are `server`, `client`, or `sso`. If you provide sso, please configure `.Values.server.sso` as well.
  ## Ref: https://argo-workflows.readthedocs.io/en/stable/argo-server-auth-mode/
  authModes:
    - sso
  ## Ingress configuration.
  # ref: https://kubernetes.io/docs/concepts/services-networking/ingress/
  ingress:
    # -- Enable an ingress resource
    enabled: false
  # Gateway API HTTPRoute configuration
  # NOTE: Gateway API support is in EXPERIMENTAL status
  # Support depends on your Gateway controller implementation
  # Some controllers may require additional configuration (e.g., BackendTLSPolicy for HTTPS backends)
  # Refer to https://gateway-api.sigs.k8s.io/implementations/ for controller-specific details
  httproute:
    # -- Enable HTTPRoute resource for Argo Workflows server (Gateway API)
    enabled: true
    # -- Additional HTTPRoute labels
    labels: {}
    # -- Additional HTTPRoute annotations
    annotations: {}
    # -- Gateway API parentRefs for the HTTPRoute
    ## Must reference an existing Gateway
    # @default -- `[]` (See [values.yaml])
    parentRefs:
      - group: gateway.networking.k8s.io
        kind: Gateway
        name: internal
        namespace: kube-system
        sectionName: https
    # -- List of hostnames for the HTTPRoute
    # @default -- `[]` (See [values.yaml])
    hostnames:
      - "workflows.peterg.nl"
      # @default -- `[]` (See [values.yaml])
    rules:
      - matches:
          - path:
              type: PathPrefix
              value: /
        # filters: []
        #   - type: RequestHeaderModifier
        #     requestHeaderModifier:
        #       add:
        #         - name: X-Custom-Header
        #           value: custom-value
  # Gateway API BackendTLSPolicy configuration
  # NOTE: BackendTLSPolicy support is in EXPERIMENTAL status
  # Required for HTTPS backends when using Gateway API
  # Not all Gateway controllers support this resource (e.g., Cilium does not support it yet)
  backendTLSPolicy:
    # -- Enable BackendTLSPolicy resource for Argo Workflows server (Gateway API)
    enabled: false
    # -- Additional BackendTLSPolicy labels
    labels: {}
    # -- Additional BackendTLSPolicy annotations
    annotations: {}
    # -- Target references for the BackendTLSPolicy
    # @default -- `[]` (See [values.yaml])
    targetRefs: []
      # - group: ""
      #   kind: Service
      #   name: argo-workflows-server
      #   sectionName: https
    # -- TLS validation configuration
    # @default -- `{}` (See [values.yaml])
    validation: {}
      # hostname: argo-workflows-server.argo.svc.cluster.local
      # caCertificateRefs:
      #   - name: example-ca-cert
      #     group: ""
      #     kind: ConfigMap
      # wellKnownCACertificates: System
  clusterWorkflowTemplates:
    # -- Create a ClusterRole and CRB for the server to access ClusterWorkflowTemplates.
    enabled: true
    # -- Give the server permissions to edit ClusterWorkflowTemplates.
    enableEditing: true
  # SSO configuration when SSO is specified as a server auth mode.
  sso:
    enabled: true
    issuer: https://auth.peterg.nl/application/o/argo-workflows/
    clientId:
      name: argo-workflows-sso
      key: client-id
    clientSecret:
      name: argo-workflows-sso
      key: client-secret
    redirectUrl: https://workflows.peterg.nl/oauth2/callback
    scopes:
      - groups
    rbac:
      enabled: true
 # -- Array of extra K8s manifests to deploy
 extraObjects:
  - apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: admin-user
      namespace: argo-workflows
      annotations:
        workflows.argoproj.io/rbac-rule: "'ArgoCD Admins' in groups"
        workflows.argoproj.io/rbac-rule-precedence: "1"
  - apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: read-only
      namespace: argo-workflows
      annotations:
        workflows.argoproj.io/rbac-rule: "true"
        workflows.argoproj.io/rbac-rule-precedence: "0"
  - apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: argo-workflows-admin-user
    subjects:
      - kind: ServiceAccount
        name: admin-user
        namespace: argo-workflows
    roleRef:
      kind: ClusterRole
      name: argo-workflows-admin
      apiGroup: rbac.authorization.k8s.io
  - apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: argo-workflows-read-only
    subjects:
      - kind: ServiceAccount
        name: read-only
        namespace: argo-workflows
    roleRef:
      kind: ClusterRole
      name: argo-workflows-view
      apiGroup: rbac.authorization.k8s.io
--- a/k8s-peterg/argocd/applications-peterg.yaml
+++ b/k8s-peterg/argocd/applications-peterg.yaml
@ -78,24 +78,3 @@ spec:
      selfHeal: true
    syncOptions:
      - ServerSideApply=true
 ---
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: argo-workflows
  namespace: argocd
 spec:
  project: default
  source:
    repoURL: https://code.peterg.nl/wheatley/kubernetes.git
    path: k8s-peterg/argo-workflows
    targetRevision: HEAD
  destination:
    server: https://kubernetes.default.svc
    namespace: argo-workflows
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - ServerSideApply=true
--- a/k8s-peterg/argocd/oidc.yaml
+++ b/k8s-peterg/argocd/oidc.yaml
@ -27,28 +27,3 @@ spec:
      remoteRef:
        key: secrets/managed/argocd/authentik-oidc-credentials
        property: clientSecret
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: argo-workflows-sso
  namespace: argocd
 spec:
  secretStoreRef:
    name: vault-wheatley
    kind: ClusterSecretStore
  target:
    name: argo-workflows-sso
    template:
      metadata:
        labels:
          app.kubernetes.io/part-of: argo-workflows
  data:
    - secretKey: client-id
      remoteRef:
        key: secrets/managed/argo-workflows/dex-sso
        property: client-id
    - secretKey: client-secret
      remoteRef:
        key: secrets/managed/argo-workflows/dex-sso
        property: client-secret
--- a/k8s-peterg/external-secrets-operator/kustomization.yaml
+++ b/k8s-peterg/external-secrets-operator/kustomization.yaml
@ -12,4 +12,4 @@ helmCharts:
    repo: https://charts.external-secrets.io
    namespace: external-secrets
    releaseName: external-secrets
-    version: 2.3.0
+    version: 2.1.0
--- a/k8s-peterg/vault-wheatley-approle.yaml
+++ b/k8s-peterg/vault-wheatley-approle.yaml
@ -1,9 +0,0 @@
 apiVersion: v1
 data:
  approle_id: MDE5YTdjOWQtMTYxOC0yZjg0LWE2NzUtOWQ5NmVkZWFiNzEyCg==
  approle_secret: ZDZkOWU0MmUtZmVhNi05MGIzLWNlODktYzJlY2E2YWIxMjc3Cg==
 kind: Secret
 metadata:
  name: vault-wheatley-approle
  namespace: external-secrets
 type: Opaque
--- a/k8s-wheatley/cloudnative-pg/kustomization.yaml
+++ b/k8s-wheatley/cloudnative-pg/kustomization.yaml
@ -11,5 +11,5 @@ helmCharts:
    repo: https://cloudnative-pg.github.io/charts
    namespace: cnpg-system
    releaseName: cloudnative-pg
-    version: 0.28.0
+    version: 0.27.1
    valuesFile: values.yaml
--- a/k8s-wheatley/external-secrets-operator/kustomization.yaml
+++ b/k8s-wheatley/external-secrets-operator/kustomization.yaml
@ -12,4 +12,4 @@ helmCharts:
    repo: https://charts.external-secrets.io
    namespace: external-secrets
    releaseName: external-secrets
-    version: 2.3.0
+    version: 2.1.0
--- a/k8s-wheatley/plex/kustomization.yaml
+++ b/k8s-wheatley/plex/kustomization.yaml
@ -14,4 +14,4 @@ resources:
 images:
 - name: plexinc/pms-docker
-  newTag: 1.43.1.10611-1e34174b1@sha256:8b5bcdf7b506fe051aa1a0a0d464efdb3ad8c0fb1f8a4dfb27a8c489b609920c
+  newTag: 1.43.0.10492-121068a07@sha256:1131c4cd21fa22f8196f749f1dbb69af306776c3c83c7f5b061e51dc49bcff7f
--- a/k8s-wheatley/prowlarr/kustomization.yaml
+++ b/k8s-wheatley/prowlarr/kustomization.yaml
@ -16,4 +16,4 @@ images:
  - name: flaresolverr/flaresolverr
    newTag: v3.4.6@sha256:7962759d99d7e125e108e0f5e7f3cdbcd36161776d058d1d9b7153b92ef1af9e
  - name: linuxserver/prowlarr
-    newTag: 2.3.5@sha256:35f48abb3e976fcf077fae756866c582e4a90f8b24810ae4067b3558f7cdbbdf
+    newTag: 2.3.0@sha256:9ef5d8bf832edcacb6082f9262cb36087854e78eb7b1c3e1d4375056055b2d82
--- a/k8s-wheatley/qbittorrent/deployments.yaml
+++ b/k8s-wheatley/qbittorrent/deployments.yaml
@ -36,15 +36,6 @@ spec:
            - name: gluetun-tmp
              mountPath: /tmp/gluetun
          restartPolicy: Always
          lifecycle:
            postStart:
              exec:
                command:
                  [
                    "/bin/sh",
                    "-c",
                    "(ip rule del table 51820; ip -6 rule del table 51820) || true",
                  ]
          readinessProbe:
            exec:
              command:
--- a/k8s-wheatley/radarr/kustomization.yaml
+++ b/k8s-wheatley/radarr/kustomization.yaml
@ -14,4 +14,4 @@ resources:
 images:
  - name: linuxserver/radarr
-    newTag: 6.1.1@sha256:6f1dda18354ea7f28cead8f6d099fc8222498c3ae165f567d504ed04d70980d7
+    newTag: 6.0.4@sha256:ca43905eaf2dd11425efdcfe184892e43806b1ae0a830440c825cecbc2629cfb
--- a/k8s-wheatley/sonarr/kustomization.yaml
+++ b/k8s-wheatley/sonarr/kustomization.yaml
@ -14,4 +14,4 @@ resources:
 images:
  - name: linuxserver/sonarr
-    newTag: 4.0.17@sha256:6854df9de20b8c82e1982604f39473d64dbb4c4584b1013f18f9ade1ee92af13
+    newTag: 4.0.16@sha256:21c1c3d52248589bb064f5adafec18cad45812d7a01d317472955eef051e619b
--- a/kustomize-bases/alloy/kustomization.yaml
+++ b/kustomize-bases/alloy/kustomization.yaml
@ -9,14 +9,14 @@ resources:
 helmCharts:
  - name: alloy
    repo: https://grafana.github.io/helm-charts
-    version: "1.7.0"
+    version: "1.6.2"
    releaseName: alloy
    valuesFile: values.yaml
  - name: kube-state-metrics
    repo: https://prometheus-community.github.io/helm-charts
-    version: "7.2.2"
+    version: "7.2.1"
    releaseName: kube-state-metrics
  - name: prometheus-operator-crds
    repo: https://prometheus-community.github.io/helm-charts
-    version: "28.0.1"
+    version: "27.0.0"
    releaseName: prometheus-operator-crds
--- a/kustomize-bases/alloy/values.yaml
+++ b/kustomize-bases/alloy/values.yaml
@ -127,7 +127,7 @@ configReloader:
    # -- Repository to get config reloader image from.
    repository: prometheus-operator/prometheus-config-reloader
    # -- Tag of image to use for config reloading.
-    tag: v0.90.1@sha256:693faa0b87243cddca2cffb13586e4e2778b0cdf319cb2e601ba7af3fd19ef7d
+    tag: v0.89.0@sha256:cb4ac6a56555bef0e202bec11e367dfe07ffb241cf4d30566b12b864692607a8
    # -- SHA256 digest of image to use for config reloading (either in format "sha256:XYZ" or "XYZ"). When set, will override `configReloader.image.tag`
    digest: ""
  # -- Override the args passed to the container.
--- a/kustomize-bases/cilium/kustomization.yaml
+++ b/kustomize-bases/cilium/kustomization.yaml
@ -13,5 +13,5 @@ helmCharts:
    repo: https://helm.cilium.io
    namespace: kube-system
    releaseName: cilium
-    version: 1.19.3
+    version: 1.19.2
    valuesFile: values.yaml