From 184049745ff498e1c1a7a41d43275a9d3bf8e4e4 Mon Sep 17 00:00:00 2001 From: pgijsbertsen <117165507+pgijsbertsen@users.noreply.github.com> Date: Thu, 16 Apr 2026 09:03:05 +0200 Subject: [PATCH 01/40] chore: Remove unused secrets --- k8s-peterg/argocd/oidc.yaml | 25 ------------------------- k8s-peterg/vault-wheatley-approle.yaml | 9 --------- 2 files changed, 34 deletions(-) delete mode 100644 k8s-peterg/vault-wheatley-approle.yaml diff --git a/k8s-peterg/argocd/oidc.yaml b/k8s-peterg/argocd/oidc.yaml index c587b7e..b45056e 100644 --- a/k8s-peterg/argocd/oidc.yaml +++ b/k8s-peterg/argocd/oidc.yaml @@ -27,28 +27,3 @@ spec: remoteRef: key: secrets/managed/argocd/authentik-oidc-credentials property: clientSecret ---- -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: argo-workflows-sso - namespace: argocd -spec: - secretStoreRef: - name: vault-wheatley - kind: ClusterSecretStore - target: - name: argo-workflows-sso - template: - metadata: - labels: - app.kubernetes.io/part-of: argo-workflows - data: - - secretKey: client-id - remoteRef: - key: secrets/managed/argo-workflows/dex-sso - property: client-id - - secretKey: client-secret - remoteRef: - key: secrets/managed/argo-workflows/dex-sso - property: client-secret diff --git a/k8s-peterg/vault-wheatley-approle.yaml b/k8s-peterg/vault-wheatley-approle.yaml deleted file mode 100644 index f116d9d..0000000 --- a/k8s-peterg/vault-wheatley-approle.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: v1 -data: - approle_id: MDE5YTdjOWQtMTYxOC0yZjg0LWE2NzUtOWQ5NmVkZWFiNzEyCg== - approle_secret: ZDZkOWU0MmUtZmVhNi05MGIzLWNlODktYzJlY2E2YWIxMjc3Cg== -kind: Secret -metadata: - name: vault-wheatley-approle - namespace: external-secrets -type: Opaque From bd7d2794d4f592ac317fe364581a8ce913c67fdc Mon Sep 17 00:00:00 2001 
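Review bot: The deleted `vault-wheatley-approle.yaml` held an AppRole id/secret pair as a plain Kubernetes Secret manifest (base64 is encoding, not encryption), and removing the file leaves both values readable in git history for anyone with access to the repository. If that AppRole still exists in Vault, its SecretID should be rotated or revoked rather than assumed retired by this deletion, and any future copy of this credential should enter the cluster through an ExternalSecret or an encrypted manifest instead of a committed Secret. The oidc.yaml hunk is a plain removal of an unused ExternalSecret and needs nothing further.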
From: pgijsbertsen <117165507+pgijsbertsen@users.noreply.github.com> Date: Fri, 17 Apr 2026 21:09:51 +0200 Subject: [PATCH 02/40] chore: Update gluetun config --- k8s-wheatley/qbittorrent/configmap.yaml | 2 -- 1 file changed, 2 deletions(-) diff --git a/k8s-wheatley/qbittorrent/configmap.yaml b/k8s-wheatley/qbittorrent/configmap.yaml index de1c6cf..484d4d6 100644 --- a/k8s-wheatley/qbittorrent/configmap.yaml +++ b/k8s-wheatley/qbittorrent/configmap.yaml @@ -23,8 +23,6 @@ data: ' FIREWALL_OUTBOUND_SUBNETS: 10.244.0.0/16,10.96.0.0/12 FIREWALL_INPUT_PORTS: "8112" - DNS_KEEP_NAMESERVER: on - DOT: off --- apiVersion: v1 kind: ConfigMap From 5c1a74db0e0ac36915b33adaa3aece99c313f72f Mon Sep 17 00:00:00 2001 From: pgijsbertsen <117165507+pgijsbertsen@users.noreply.github.com> Date: Fri, 17 Apr 2026 21:15:46 +0200 Subject: [PATCH 03/40] chore: Refactor nfs PVC resource --- k8s-wheatley/plex/kustomization.yaml | 23 +++++++++++ k8s-wheatley/plex/pvc.yaml | 33 ---------------- k8s-wheatley/qbittorrent/kustomization.yaml | 20 ++++++++++ k8s-wheatley/qbittorrent/pvc.yaml | 33 ---------------- k8s-wheatley/radarr/kustomization.yaml | 17 +++++++++ k8s-wheatley/radarr/pvc.yaml | 33 ---------------- k8s-wheatley/sonarr/kustomization.yaml | 17 +++++++++ k8s-wheatley/sonarr/pvc.yaml | 33 ---------------- kustomize-bases/nfs-media/kustomization.yaml | 6 +++ kustomize-bases/nfs-media/pvc.yaml | 40 ++++++++++++++++++++ 10 files changed, 123 insertions(+), 132 deletions(-) create mode 100644 kustomize-bases/nfs-media/kustomization.yaml create mode 100644 kustomize-bases/nfs-media/pvc.yaml diff --git a/k8s-wheatley/plex/kustomization.yaml b/k8s-wheatley/plex/kustomization.yaml index 7676da5..3bd4023 100644 --- a/k8s-wheatley/plex/kustomization.yaml +++ b/k8s-wheatley/plex/kustomization.yaml @@ -4,6 +4,7 @@ kind: Kustomization namespace: plex resources: + - ../../kustomize-bases/nfs-media - configmap.yaml - deployments.yaml - ingress.yaml 
@@ -12,6 +13,28 @@ resources: - services.yaml - namespace.yaml +patches: + - target: + kind: PersistentVolume + name: nfs-media + patch: | + - op: replace + path: /metadata/name + value: nfs-media-plex + - op: replace + path: /spec/accessModes/0 + value: ReadOnlyMany + - target: + kind: PersistentVolumeClaim + name: nfs-media + patch: | + - op: replace + path: /spec/volumeName + value: nfs-media-plex + - op: replace + path: /spec/accessModes/0 + value: ReadOnlyMany + images: - name: plexinc/pms-docker newTag: 1.43.1.10611-1e34174b1@sha256:8b5bcdf7b506fe051aa1a0a0d464efdb3ad8c0fb1f8a4dfb27a8c489b609920c diff --git a/k8s-wheatley/plex/pvc.yaml b/k8s-wheatley/plex/pvc.yaml index 7943bab..69e27fe 100644 --- a/k8s-wheatley/plex/pvc.yaml +++ b/k8s-wheatley/plex/pvc.yaml @@ -10,36 +10,3 @@ spec: resources: requests: storage: 20Gi ---- -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: nfs-media -spec: - accessModes: - - ReadOnlyMany - resources: - requests: - storage: 40Ti - volumeName: nfs-media-plex ---- -apiVersion: v1 -kind: PersistentVolume -metadata: - name: nfs-media-plex -spec: - capacity: - storage: 40Ti - accessModes: - - ReadOnlyMany - nfs: - server: 10.0.69.10 - path: /tank/media - mountOptions: - - vers=4.1 - - rsize=1048576 - - wsize=1048576 - - hard - - timeo=600 - - noatime - persistentVolumeReclaimPolicy: Retain diff --git a/k8s-wheatley/qbittorrent/kustomization.yaml b/k8s-wheatley/qbittorrent/kustomization.yaml index 3e94bd5..68bd0ef 100644 --- a/k8s-wheatley/qbittorrent/kustomization.yaml +++ b/k8s-wheatley/qbittorrent/kustomization.yaml @@ -4,6 +4,7 @@ kind: Kustomization namespace: qbittorrent resources: + - ../../kustomize-bases/nfs-media - configmap.yaml - deployments.yaml - ingress.yaml 
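Review bot: Patching `accessModes` to `ReadOnlyMany` on the PV and the PVC does not give plex a read-only mount; access modes only influence binding and are not enforced on the NFS mount itself, so plex still gets a writable view of `/tank/media`. The enforcement belongs on the volume source: add a third operation to the PersistentVolume patch, `- op: add`, `path: /spec/nfs/readOnly`, `value: true` (or set `readOnly: true` on plex's volumeMount in deployments.yaml, which is outside this commit). The qbittorrent, radarr and sonarr kustomizations below use the same patch structure but intend read-write, so only this hunk needs it.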
@@ -12,6 +13,25 @@ resources: - services.yaml - namespace.yaml +patches: + - target: + kind: PersistentVolume + name: nfs-media + patch: | + - op: replace + path: /metadata/name + value: nfs-media-qbittorrent + - op: replace + path: /spec/nfs/path + value: /tank/media/downloads + - target: + kind: PersistentVolumeClaim + name: nfs-media + patch: | + - op: replace + path: /spec/volumeName + value: nfs-media-qbittorrent + images: - name: ghcr.io/qdm12/gluetun newTag: v3.41.1@sha256:1a5bf4b4820a879cdf8d93d7ef0d2d963af56670c9ebff8981860b6804ebc8ab diff --git a/k8s-wheatley/qbittorrent/pvc.yaml b/k8s-wheatley/qbittorrent/pvc.yaml index aa566ea..c352b02 100644 --- a/k8s-wheatley/qbittorrent/pvc.yaml +++ b/k8s-wheatley/qbittorrent/pvc.yaml @@ -10,36 +10,3 @@ spec: resources: requests: storage: 5Gi ---- -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: nfs-media -spec: - accessModes: - - ReadWriteMany - resources: - requests: - storage: 40Ti - volumeName: nfs-media-qbittorrent ---- -apiVersion: v1 -kind: PersistentVolume -metadata: - name: nfs-media-qbittorrent -spec: - capacity: - storage: 40Ti - accessModes: - - ReadWriteMany - nfs: - server: 10.0.69.10 - path: /tank/media/downloads - mountOptions: - - vers=4.1 - - rsize=1048576 - - wsize=1048576 - - hard - - timeo=600 - - noatime - persistentVolumeReclaimPolicy: Retain diff --git a/k8s-wheatley/radarr/kustomization.yaml b/k8s-wheatley/radarr/kustomization.yaml index dcb0205..d121a97 100644 --- a/k8s-wheatley/radarr/kustomization.yaml +++ b/k8s-wheatley/radarr/kustomization.yaml @@ -4,6 +4,7 @@ kind: Kustomization namespace: radarr resources: + - ../../kustomize-bases/nfs-media - configmap.yaml - deployments.yaml - ingress.yaml 
@@ -12,6 +13,22 @@ resources: - services.yaml - namespace.yaml +patches: + - target: + kind: PersistentVolume + name: nfs-media + patch: | + - op: replace + path: /metadata/name + value: nfs-media-radarr + - target: + kind: PersistentVolumeClaim + name: nfs-media + patch: | + - op: replace + path: /spec/volumeName + value: nfs-media-radarr + images: - name: linuxserver/radarr newTag: 6.1.1@sha256:6f1dda18354ea7f28cead8f6d099fc8222498c3ae165f567d504ed04d70980d7 diff --git a/k8s-wheatley/radarr/pvc.yaml b/k8s-wheatley/radarr/pvc.yaml index fe76bfc..d188698 100644 --- a/k8s-wheatley/radarr/pvc.yaml +++ b/k8s-wheatley/radarr/pvc.yaml @@ -10,36 +10,3 @@ spec: resources: requests: storage: 5Gi ---- -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: nfs-media -spec: - accessModes: - - ReadWriteMany - resources: - requests: - storage: 40Ti - volumeName: nfs-media-radarr ---- -apiVersion: v1 -kind: PersistentVolume -metadata: - name: nfs-media-radarr -spec: - capacity: - storage: 40Ti - accessModes: - - ReadWriteMany - nfs: - server: 10.0.69.10 - path: /tank/media - mountOptions: - - vers=4.1 - - rsize=1048576 - - wsize=1048576 - - hard - - timeo=600 - - noatime - persistentVolumeReclaimPolicy: Retain diff --git a/k8s-wheatley/sonarr/kustomization.yaml b/k8s-wheatley/sonarr/kustomization.yaml index eed76a3..a1c0b98 100644 --- a/k8s-wheatley/sonarr/kustomization.yaml +++ b/k8s-wheatley/sonarr/kustomization.yaml @@ -4,6 +4,7 @@ kind: Kustomization namespace: sonarr resources: + - ../../kustomize-bases/nfs-media - configmap.yaml - deployments.yaml - ingress.yaml 
@@ -12,6 +13,22 @@ resources: - services.yaml - namespace.yaml +patches: + - target: + kind: PersistentVolume + name: nfs-media + patch: | + - op: replace + path: /metadata/name + value: nfs-media-sonarr + - target: + kind: PersistentVolumeClaim + name: nfs-media + patch: | + - op: replace + path: /spec/volumeName + value: nfs-media-sonarr + images: - name: linuxserver/sonarr newTag: 4.0.17@sha256:6854df9de20b8c82e1982604f39473d64dbb4c4584b1013f18f9ade1ee92af13 diff --git a/k8s-wheatley/sonarr/pvc.yaml b/k8s-wheatley/sonarr/pvc.yaml index d431b58..14d30b8 100644 --- a/k8s-wheatley/sonarr/pvc.yaml +++ b/k8s-wheatley/sonarr/pvc.yaml @@ -10,36 +10,3 @@ spec: resources: requests: storage: 5Gi ---- -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: nfs-media -spec: - accessModes: - - ReadWriteMany - resources: - requests: - storage: 40Ti - volumeName: nfs-media-sonarr ---- -apiVersion: v1 -kind: PersistentVolume -metadata: - name: nfs-media-sonarr -spec: - capacity: - storage: 40Ti - accessModes: - - ReadWriteMany - nfs: - server: 10.0.69.10 - path: /tank/media - mountOptions: - - vers=4.1 - - rsize=1048576 - - wsize=1048576 - - hard - - timeo=600 - - noatime - persistentVolumeReclaimPolicy: Retain diff --git a/kustomize-bases/nfs-media/kustomization.yaml b/kustomize-bases/nfs-media/kustomization.yaml new file mode 100644 index 0000000..482f897 --- /dev/null +++ b/kustomize-bases/nfs-media/kustomization.yaml @@ -0,0 +1,6 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: + - pvc.yaml diff --git a/kustomize-bases/nfs-media/pvc.yaml b/kustomize-bases/nfs-media/pvc.yaml new file mode 100644 index 0000000..94091c9 --- /dev/null +++ b/kustomize-bases/nfs-media/pvc.yaml 
@@ -0,0 +1,40 @@ +# Shared NFS media storage template — used by plex, sonarr, radarr, and qbittorrent. +# All apps on k8s-wheatley mount the same NFS server: 10.0.69.10 +# +# Each app overlays this base with JSON patches in its kustomization.yaml: +# - Always: rename PV (metadata.name) and update PVC volumeName to match +# - plex only: patch accessModes to ReadOnlyMany on both PV and PVC +# - qbittorrent only: patch nfs.path to /tank/media/downloads +--- +apiVersion: v1 +kind: PersistentVolume +metadata: + name: nfs-media # renamed per-app via JSON patch +spec: + capacity: + storage: 40Ti + accessModes: + - ReadWriteMany + nfs: + server: 10.0.69.10 + path: /tank/media + mountOptions: + - vers=4.1 + - rsize=1048576 + - wsize=1048576 + - hard + - timeo=600 + - noatime + persistentVolumeReclaimPolicy: Retain +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: nfs-media +spec: + accessModes: + - ReadWriteMany + resources: + requests: + storage: 40Ti + volumeName: nfs-media # patched per-app to match PV name From 9d55315f4b69c14ed4a0068d4c9681f9cd9ac6ac Mon Sep 17 00:00:00 2001 From: pgijsbertsen <117165507+pgijsbertsen@users.noreply.github.com> Date: Fri, 17 Apr 2026 21:46:49 +0200 Subject: [PATCH 04/40] chore: Add nullBytePolicy property --- k8s-peterg/argo-workflows/secrets.yaml | 2 ++ k8s-peterg/external-secrets-operator/clustersecrets.yaml | 2 ++ k8s-wheatley/external-secrets-operator/clustersecrets.yaml | 2 ++ 3 files changed, 6 insertions(+) diff --git a/k8s-peterg/argo-workflows/secrets.yaml b/k8s-peterg/argo-workflows/secrets.yaml index 7838756..a32f76d 100644 --- a/k8s-peterg/argo-workflows/secrets.yaml +++ b/k8s-peterg/argo-workflows/secrets.yaml @@ -22,6 +22,7 @@ spec: conversionStrategy: Default decodingStrategy: None metadataPolicy: None + nullBytePolicy: Ignore - secretKey: client-secret remoteRef: key: secrets/managed/argo-workflows/authentik-sso 
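Review bot: The PersistentVolume in this new base has no `spec.claimRef`, so only the claim side is pinned (`volumeName: nfs-media`); until the intended PVC binds, the controller may bind the PV to any other unbound PVC in the cluster whose request fits it (empty `storageClassName`, `ReadWriteMany`, at most 40Ti), which would hand that namespace the whole `/tank/media` export. Pinning both sides is one extra operation in each app's existing PersistentVolume patch, e.g. for plex `- op: add`, `path: /spec/claimRef`, `value: {namespace: plex, name: nfs-media}`; the qbittorrent, radarr and sonarr kustomization hunks above need the same with their own namespace. The header comment's "Always:" bullet could then list the claimRef patch next to the rename so the two stay in step.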
@@ -29,3 +30,4 @@ spec: conversionStrategy: Default decodingStrategy: None metadataPolicy: None + nullBytePolicy: Ignore diff --git a/k8s-peterg/external-secrets-operator/clustersecrets.yaml b/k8s-peterg/external-secrets-operator/clustersecrets.yaml index db674e7..87bfcef 100644 --- a/k8s-peterg/external-secrets-operator/clustersecrets.yaml +++ b/k8s-peterg/external-secrets-operator/clustersecrets.yaml @@ -27,6 +27,7 @@ spec: conversionStrategy: Default decodingStrategy: None metadataPolicy: None + nullBytePolicy: Ignore - secretKey: key remoteRef: key: secrets/provisioned/tls-wildcard-peterg-nl @@ -34,3 +35,4 @@ spec: conversionStrategy: Default decodingStrategy: None metadataPolicy: None + nullBytePolicy: Ignore diff --git a/k8s-wheatley/external-secrets-operator/clustersecrets.yaml b/k8s-wheatley/external-secrets-operator/clustersecrets.yaml index ea424ae..16840b4 100644 --- a/k8s-wheatley/external-secrets-operator/clustersecrets.yaml +++ b/k8s-wheatley/external-secrets-operator/clustersecrets.yaml @@ -27,6 +27,7 @@ spec: conversionStrategy: Default decodingStrategy: None metadataPolicy: None + nullBytePolicy: Ignore - secretKey: key remoteRef: key: secrets/provisioned/tls-wildcard-wheatley-in @@ -34,3 +35,4 @@ spec: conversionStrategy: Default decodingStrategy: None metadataPolicy: None + nullBytePolicy: Ignore From 8c75b869f19ac7854577499f6717f79d9adc5069 Mon Sep 17 00:00:00 2001 From: pgijsbertsen <117165507+pgijsbertsen@users.noreply.github.com> Date: Fri, 24 Apr 2026 15:03:34 +0200 Subject: [PATCH 05/40] chore: Improve parsed metrics --- k8s-peterg/alloy/configmap.yaml | 27 ++++++++++++++++++++++++++- k8s-wheatley/alloy/configmap.yaml | 30 ++++++++++++++++++++++++++++-- 2 files changed, 54 insertions(+), 3 deletions(-) diff --git a/k8s-peterg/alloy/configmap.yaml b/k8s-peterg/alloy/configmap.yaml index 18b2843..052ec28 100644 --- a/k8s-peterg/alloy/configmap.yaml +++ b/k8s-peterg/alloy/configmap.yaml 
@@ -6,6 +6,11 @@ metadata: data: config.alloy: |- prometheus.exporter.unix "node" { + set_collectors = [ + "cpu", "diskstats", "filesystem", "loadavg", + "meminfo", "netdev", "netstat", "os", + "pressure", "processes", "stat", "uname", "vmstat", + ] } discovery.kubernetes "kubernetes_apiservers" { @@ -141,6 +146,11 @@ data: source_labels = ["__meta_kubernetes_pod_node_name"] target_label = "node" } + + rule { + regex = "pod_template_hash|controller_revision_hash|deployment_kubernetes_io_revision" + action = "labeldrop" + } } discovery.relabel "kubernetes_services" { @@ -249,6 +259,11 @@ data: source_labels = ["__meta_kubernetes_pod_node_name"] target_label = "node" } + + rule { + regex = "pod_template_hash|controller_revision_hash|deployment_kubernetes_io_revision" + action = "labeldrop" + } } discovery.relabel "pod_logs" { @@ -352,9 +367,19 @@ data: } } + prometheus.relabel "cadvisor" { + forward_to = [prometheus.remote_write.default.receiver] + + rule { + source_labels = ["__name__"] + regex = "container_(cpu_usage_seconds_total|memory_usage_bytes|memory_working_set_bytes|memory_rss|memory_cache|memory_swap|network_receive_bytes_total|network_transmit_bytes_total|network_receive_packets_total|network_transmit_packets_total|fs_reads_bytes_total|fs_writes_bytes_total|spec_cpu_quota|spec_cpu_period|spec_memory_limit_bytes|last_seen)" + action = "keep" + } + } + prometheus.scrape "kubernetes_nodes_cadvisor" { targets = discovery.relabel.kubernetes_nodes_cadvisor.output - forward_to = [prometheus.remote_write.default.receiver] + forward_to = [prometheus.relabel.cadvisor.receiver] job_name = "kubernetes-nodes-cadvisor" scheme = "https" diff --git a/k8s-wheatley/alloy/configmap.yaml b/k8s-wheatley/alloy/configmap.yaml index 991eb51..380a48a 100644 --- a/k8s-wheatley/alloy/configmap.yaml +++ b/k8s-wheatley/alloy/configmap.yaml 
@@ -5,7 +5,13 @@ metadata: name: alloy-config data: config.alloy: |- - prometheus.exporter.unix "node" {} + prometheus.exporter.unix "node" { + set_collectors = [ + "cpu", "diskstats", "filesystem", "loadavg", + "meminfo", "netdev", "netstat", "os", + "pressure", "processes", "stat", "uname", "vmstat", + ] + } discovery.kubernetes "kubernetes_apiservers" { role = "endpoints" @@ -152,6 +158,11 @@ data: source_labels = ["__meta_kubernetes_pod_node_name"] target_label = "node" } + + rule { + regex = "pod_template_hash|controller_revision_hash|deployment_kubernetes_io_revision" + action = "labeldrop" + } } discovery.relabel "kubernetes_services" { @@ -260,6 +271,11 @@ data: source_labels = ["__meta_kubernetes_pod_node_name"] target_label = "node" } + + rule { + regex = "pod_template_hash|controller_revision_hash|deployment_kubernetes_io_revision" + action = "labeldrop" + } } discovery.relabel "pod_logs" { @@ -369,9 +385,19 @@ data: } } + prometheus.relabel "cadvisor" { + forward_to = [prometheus.remote_write.default.receiver] + + rule { + source_labels = ["__name__"] + regex = "container_(cpu_usage_seconds_total|memory_usage_bytes|memory_working_set_bytes|memory_rss|memory_cache|memory_swap|network_receive_bytes_total|network_transmit_bytes_total|network_receive_packets_total|network_transmit_packets_total|fs_reads_bytes_total|fs_writes_bytes_total|spec_cpu_quota|spec_cpu_period|spec_memory_limit_bytes|last_seen)" + action = "keep" + } + } + prometheus.scrape "kubernetes_nodes_cadvisor" { targets = discovery.relabel.kubernetes_nodes_cadvisor.output - forward_to = [prometheus.remote_write.default.receiver] + forward_to = [prometheus.relabel.cadvisor.receiver] job_name = "kubernetes-nodes-cadvisor" scheme = "https" clustering { From bdeec6d81920cd90f84fc7c50d373a86e18d726d Mon Sep 17 00:00:00 2001 
From: pgijsbertsen <117165507+pgijsbertsen@users.noreply.github.com> Date: Fri, 24 Apr 2026 15:06:24 +0200 Subject: [PATCH 06/40] chore: Add labeldrop for Loki --- k8s-peterg/alloy/configmap.yaml | 5 +++++ k8s-wheatley/alloy/configmap.yaml | 5 +++++ 2 files changed, 10 insertions(+) diff --git a/k8s-peterg/alloy/configmap.yaml b/k8s-peterg/alloy/configmap.yaml index 052ec28..01cad1f 100644 --- a/k8s-peterg/alloy/configmap.yaml +++ b/k8s-peterg/alloy/configmap.yaml @@ -313,6 +313,11 @@ data: target_label = "__path__" replacement = "/var/log/pods/*$1/*.log" } + + rule { + regex = "pod_template_hash|controller_revision_hash|deployment_kubernetes_io_revision" + action = "labeldrop" + } } local.file_match "pod_logs" { diff --git a/k8s-wheatley/alloy/configmap.yaml b/k8s-wheatley/alloy/configmap.yaml index 380a48a..819a1c1 100644 --- a/k8s-wheatley/alloy/configmap.yaml +++ b/k8s-wheatley/alloy/configmap.yaml @@ -325,6 +325,11 @@ data: target_label = "__path__" replacement = "/var/log/pods/*$1/*.log" } + + rule { + regex = "pod_template_hash|controller_revision_hash|deployment_kubernetes_io_revision" + action = "labeldrop" + } } local.file_match "pod_logs" { From 2b9630eb0445b9ef1cb85b1ecb9aa5395f10c15d Mon Sep 17 00:00:00 2001 From: pgijsbertsen <117165507+pgijsbertsen@users.noreply.github.com> Date: Mon, 27 Apr 2026 13:20:35 +0200 Subject: [PATCH 07/40] chore(gluetun): Rework port forward --- k8s-wheatley/qbittorrent/configmap.yaml | 22 ++++++++++++++-------- k8s-wheatley/qbittorrent/deployments.yaml | 6 ++++++ 2 files changed, 20 insertions(+), 8 deletions(-) diff --git a/k8s-wheatley/qbittorrent/configmap.yaml b/k8s-wheatley/qbittorrent/configmap.yaml index 484d4d6..61c614d 100644 --- a/k8s-wheatley/qbittorrent/configmap.yaml +++ b/k8s-wheatley/qbittorrent/configmap.yaml 
@@ -9,20 +9,26 @@ data: VPN_TYPE: "wireguard" VPN_PORT_FORWARDING: on VPN_PORT_FORWARDING_PROVIDER: protonvpn - VPN_PORT_FORWARDING_UP_COMMAND: | - /bin/sh -c ' + VPN_PORT_FORWARDING_UP_COMMAND: "/scripts/port-up.sh" + VPN_PORT_FORWARDING_DOWN_COMMAND: "/scripts/port-down.sh" + FIREWALL_OUTBOUND_SUBNETS: 10.244.0.0/16,10.96.0.0/12 + FIREWALL_INPUT_PORTS: "8112" +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: gluetun-scripts +data: + port-up.sh: | + #!/bin/sh wget -O- --retry-connrefused \ --post-data "json={\"listen_port\":{{PORTS}},\"current_network_interface\":\"tun0\",\"random_port\":false,\"upnp\":false}" \ http://127.0.0.1:8112/api/v2/app/setPreferences 2>&1 - ' - VPN_PORT_FORWARDING_DOWN_COMMAND: | - /bin/sh -c ' + port-down.sh: | + #!/bin/sh wget -O- --retry-connrefused \ --post-data "json={\"listen_port\":0,\"current_network_interface\":\"lo\"}" \ http://127.0.0.1:8112/api/v2/app/setPreferences 2>&1 - ' - FIREWALL_OUTBOUND_SUBNETS: 10.244.0.0/16,10.96.0.0/12 - FIREWALL_INPUT_PORTS: "8112" --- apiVersion: v1 kind: ConfigMap diff --git a/k8s-wheatley/qbittorrent/deployments.yaml b/k8s-wheatley/qbittorrent/deployments.yaml index 0e1600b..5dba05a 100644 --- a/k8s-wheatley/qbittorrent/deployments.yaml +++ b/k8s-wheatley/qbittorrent/deployments.yaml @@ -33,6 +33,8 @@ spec: - mountPath: "/gluetun/wireguard" name: gluetun-wgconfig readOnly: true + - name: gluetun-scripts + mountPath: /scripts - name: gluetun-tmp mountPath: /tmp/gluetun restartPolicy: Always @@ -128,6 +130,10 @@ spec: - name: gluetun-wgconfig secret: secretName: gluetun-wgconfig + - name: gluetun-scripts + configMap: + name: gluetun-scripts + defaultMode: 0755 - name: gluetun-tmp emptyDir: {} - name: nfs-media From 69a5ecb317db8a3857174ecd6ac1567f9c7ff336 Mon Sep 17 00:00:00 2001 
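Review bot: `VPN_PORT_FORWARDING: on`, two lines above the new `VPN_PORT_FORWARDING_UP_COMMAND`, is still a plain scalar while every value this hunk adds is quoted; `on` is a YAML 1.1 boolean, so whether it reaches gluetun as the string `on` or is rejected as a `true` in a ConfigMap `data` field depends on which loader renders the manifest. `VPN_PORT_FORWARDING: "on"` matches the quoting the hunk already uses for `FIREWALL_INPUT_PORTS: "8112"`. The two scripts in `gluetun-scripts` send no credentials, so they presumably rely on qBittorrent's localhost authentication bypass for 127.0.0.1:8112; a one-line comment above `port-up.sh:` stating that dependency would save the next reader from wondering why the calls are unauthenticated.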
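Review bot: `defaultMode: 0755` on the new `gluetun-scripts` volume relies on leading-zero octal, a YAML 1.1 form; a 1.2 core-schema loader reads it as decimal 755 (mode 1363), and since the field is an integer it cannot be quoted to pin the type. The loader-independent spelling is `defaultMode: 493  # 0755`, which every parser reads the same way. The rest of the hunk is fine: a ConfigMap volume is mounted read-only regardless, so the `/scripts` mount needs no extra `readOnly`.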
From: Renovate Date: Tue, 28 Apr 2026 00:05:32 +0000 Subject: [PATCH 08/40] chore(deps): update linuxserver/prowlarr:2.3.5 docker digest to c5de2a8 --- k8s-wheatley/prowlarr/kustomization.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/k8s-wheatley/prowlarr/kustomization.yaml b/k8s-wheatley/prowlarr/kustomization.yaml index c9a7a47..788fdab 100644 --- a/k8s-wheatley/prowlarr/kustomization.yaml +++ b/k8s-wheatley/prowlarr/kustomization.yaml @@ -16,4 +16,4 @@ images: - name: flaresolverr/flaresolverr newTag: v3.4.6@sha256:7962759d99d7e125e108e0f5e7f3cdbcd36161776d058d1d9b7153b92ef1af9e - name: linuxserver/prowlarr - newTag: 2.3.5@sha256:35f48abb3e976fcf077fae756866c582e4a90f8b24810ae4067b3558f7cdbbdf + newTag: 2.3.5@sha256:c5de2a8758a05594319263e7691c1dce56899442ed1720d6eca216c0958f4caf From e1c2e09a98c95bbd7d8cbc38ccea4dfa68936a3b Mon Sep 17 00:00:00 2001 From: Renovate Date: Tue, 28 Apr 2026 00:05:35 +0000 Subject: [PATCH 09/40] chore(deps): update linuxserver/radarr:6.1.1 docker digest to b01097a --- k8s-wheatley/radarr/kustomization.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/k8s-wheatley/radarr/kustomization.yaml b/k8s-wheatley/radarr/kustomization.yaml index d121a97..445d2f3 100644 --- a/k8s-wheatley/radarr/kustomization.yaml +++ b/k8s-wheatley/radarr/kustomization.yaml @@ -31,4 +31,4 @@ patches: images: - name: linuxserver/radarr - newTag: 6.1.1@sha256:6f1dda18354ea7f28cead8f6d099fc8222498c3ae165f567d504ed04d70980d7 + newTag: 6.1.1@sha256:b01097ad2d948c9f5eca39eb60bb529e2e55b0738c4bf7db09383bef0abab59d From aac5c5e182bbaa0405b94d72cd7e1b81e8218d5e Mon Sep 17 00:00:00 2001 From: Renovate Date: Tue, 28 Apr 2026 00:05:38 +0000 Subject: [PATCH 10/40] chore(deps): update linuxserver/sonarr:4.0.17 docker digest to 3580aec --- k8s-wheatley/sonarr/kustomization.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/k8s-wheatley/sonarr/kustomization.yaml b/k8s-wheatley/sonarr/kustomization.yaml index a1c0b98..51ba92b 100644 --- a/k8s-wheatley/sonarr/kustomization.yaml +++ b/k8s-wheatley/sonarr/kustomization.yaml @@ -31,4 +31,4 @@ patches: images: - name: linuxserver/sonarr - newTag: 4.0.17@sha256:6854df9de20b8c82e1982604f39473d64dbb4c4584b1013f18f9ade1ee92af13 + newTag: 4.0.17@sha256:3580aec3802c915f0f819a88d5099abce61734b925732b8393d176b5dc561020 From 5f258cd68a9d2fc13a1cd91d6639979c3bf7c340 Mon Sep 17 00:00:00 2001 From: Renovate Date: Tue, 28 Apr 2026 00:05:40 +0000 Subject: [PATCH 11/40] chore(deps): update helm release argo-workflows to v1.0.13 --- k8s-peterg/argo-workflows/kustomization.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/k8s-peterg/argo-workflows/kustomization.yaml b/k8s-peterg/argo-workflows/kustomization.yaml index 7451e9a..76e6aa5 100644 --- a/k8s-peterg/argo-workflows/kustomization.yaml +++ b/k8s-peterg/argo-workflows/kustomization.yaml @@ -11,5 +11,5 @@ helmCharts: repo: https://argoproj.github.io/argo-helm namespace: argo-workflows releaseName: argo-workflows - version: 1.0.7 + version: 1.0.13 valuesFile: values.yaml From ae87765c4bfe9fe9dd333d06a7fcb521bd19e9c3 Mon Sep 17 00:00:00 2001 From: Renovate Date: Tue, 28 Apr 2026 00:06:00 +0000 Subject: [PATCH 12/40] chore(deps): update helm release alloy to v1.8.0 --- kustomize-bases/alloy/kustomization.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kustomize-bases/alloy/kustomization.yaml b/kustomize-bases/alloy/kustomization.yaml index 69e9687..1bd4d01 100644 --- a/kustomize-bases/alloy/kustomization.yaml +++ b/kustomize-bases/alloy/kustomization.yaml @@ -9,7 +9,7 @@ resources: helmCharts: - name: alloy repo: https://grafana.github.io/helm-charts - version: "1.7.0" + version: "1.8.0" releaseName: alloy valuesFile: values.yaml - name: kube-state-metrics From 22db0e5f5b8960537b9b8e46d402b5c4722e395f Mon Sep 17 00:00:00 2001 
From: Renovate Date: Tue, 28 Apr 2026 00:06:57 +0000 Subject: [PATCH 13/40] chore(deps): update helm release external-secrets to v2.4.0 --- k8s-peterg/external-secrets-operator/kustomization.yaml | 2 +- k8s-wheatley/external-secrets-operator/kustomization.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/k8s-peterg/external-secrets-operator/kustomization.yaml b/k8s-peterg/external-secrets-operator/kustomization.yaml index 91ef006..27bd976 100644 --- a/k8s-peterg/external-secrets-operator/kustomization.yaml +++ b/k8s-peterg/external-secrets-operator/kustomization.yaml @@ -12,4 +12,4 @@ helmCharts: repo: https://charts.external-secrets.io namespace: external-secrets releaseName: external-secrets - version: 2.3.0 + version: 2.4.0 diff --git a/k8s-wheatley/external-secrets-operator/kustomization.yaml b/k8s-wheatley/external-secrets-operator/kustomization.yaml index 91ef006..27bd976 100644 --- a/k8s-wheatley/external-secrets-operator/kustomization.yaml +++ b/k8s-wheatley/external-secrets-operator/kustomization.yaml @@ -12,4 +12,4 @@ helmCharts: repo: https://charts.external-secrets.io namespace: external-secrets releaseName: external-secrets - version: 2.3.0 + version: 2.4.0 From bd306516edd273b4c5a949926d62bee518f6a21f Mon Sep 17 00:00:00 2001 From: Renovate Date: Tue, 28 Apr 2026 00:07:05 +0000 Subject: [PATCH 14/40] chore(deps): update helm release kube-state-metrics to v7.3.0 --- kustomize-bases/alloy/kustomization.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kustomize-bases/alloy/kustomization.yaml b/kustomize-bases/alloy/kustomization.yaml index 69e9687..5901411 100644 --- a/kustomize-bases/alloy/kustomization.yaml +++ b/kustomize-bases/alloy/kustomization.yaml 
@@ -14,7 +14,7 @@ helmCharts: valuesFile: values.yaml - name: kube-state-metrics repo: https://prometheus-community.github.io/helm-charts - version: "7.2.2" + version: "7.3.0" releaseName: kube-state-metrics - name: prometheus-operator-crds repo: https://prometheus-community.github.io/helm-charts From 775a28e4bbeb471c1a3d6d3f114740cccc47305f Mon Sep 17 00:00:00 2001 From: pgijsbertsen <117165507+pgijsbertsen@users.noreply.github.com> Date: Wed, 6 May 2026 12:47:14 +0200 Subject: [PATCH 15/40] chore: Move pvc to datastore as this is cluster-specific --- .../nfs-media => k8s-wheatley/datastore}/pvc.yaml | 4 ++-- k8s-wheatley/plex/kustomization.yaml | 6 +++--- k8s-wheatley/qbittorrent/kustomization.yaml | 2 +- k8s-wheatley/radarr/kustomization.yaml | 2 +- k8s-wheatley/sonarr/kustomization.yaml | 2 +- kustomize-bases/nfs-media/kustomization.yaml | 6 ------ 6 files changed, 8 insertions(+), 14 deletions(-) rename {kustomize-bases/nfs-media => k8s-wheatley/datastore}/pvc.yaml (89%) delete mode 100644 kustomize-bases/nfs-media/kustomization.yaml diff --git a/kustomize-bases/nfs-media/pvc.yaml b/k8s-wheatley/datastore/pvc.yaml similarity index 89% rename from kustomize-bases/nfs-media/pvc.yaml rename to k8s-wheatley/datastore/pvc.yaml index 94091c9..7d43e93 100644 --- a/kustomize-bases/nfs-media/pvc.yaml +++ b/k8s-wheatley/datastore/pvc.yaml @@ -9,7 +9,7 @@ apiVersion: v1 kind: PersistentVolume metadata: - name: nfs-media # renamed per-app via JSON patch + name: nfs-media spec: capacity: storage: 40Ti @@ -37,4 +37,4 @@ spec: resources: requests: storage: 40Ti - volumeName: nfs-media # patched per-app to match PV name + volumeName: nfs-media diff --git a/k8s-wheatley/plex/kustomization.yaml b/k8s-wheatley/plex/kustomization.yaml index 3bd4023..ac6f6a4 100644 --- a/k8s-wheatley/plex/kustomization.yaml +++ b/k8s-wheatley/plex/kustomization.yaml 
@@ -4,7 +4,7 @@ kind: Kustomization namespace: plex resources: - - ../../kustomize-bases/nfs-media + - ../datastore/pvc.yaml - configmap.yaml - deployments.yaml - ingress.yaml @@ -36,5 +36,5 @@ patches: value: ReadOnlyMany images: -- name: plexinc/pms-docker - newTag: 1.43.1.10611-1e34174b1@sha256:8b5bcdf7b506fe051aa1a0a0d464efdb3ad8c0fb1f8a4dfb27a8c489b609920c + - name: plexinc/pms-docker + newTag: 1.43.1.10611-1e34174b1@sha256:8b5bcdf7b506fe051aa1a0a0d464efdb3ad8c0fb1f8a4dfb27a8c489b609920c diff --git a/k8s-wheatley/qbittorrent/kustomization.yaml b/k8s-wheatley/qbittorrent/kustomization.yaml index 68bd0ef..9582f02 100644 --- a/k8s-wheatley/qbittorrent/kustomization.yaml +++ b/k8s-wheatley/qbittorrent/kustomization.yaml @@ -4,7 +4,7 @@ kind: Kustomization namespace: qbittorrent resources: - - ../../kustomize-bases/nfs-media + - ../datastore/pvc.yaml - configmap.yaml - deployments.yaml - ingress.yaml diff --git a/k8s-wheatley/radarr/kustomization.yaml b/k8s-wheatley/radarr/kustomization.yaml index 445d2f3..e938840 100644 --- a/k8s-wheatley/radarr/kustomization.yaml +++ b/k8s-wheatley/radarr/kustomization.yaml @@ -4,7 +4,7 @@ kind: Kustomization namespace: radarr resources: - - ../../kustomize-bases/nfs-media + - ../datastore/pvc.yaml - configmap.yaml - deployments.yaml - ingress.yaml diff --git a/k8s-wheatley/sonarr/kustomization.yaml b/k8s-wheatley/sonarr/kustomization.yaml index 51ba92b..ad5d4f6 100644 --- a/k8s-wheatley/sonarr/kustomization.yaml +++ b/k8s-wheatley/sonarr/kustomization.yaml @@ -4,7 +4,7 @@ kind: Kustomization namespace: sonarr resources: - - ../../kustomize-bases/nfs-media + - ../datastore/pvc.yaml - configmap.yaml - deployments.yaml - ingress.yaml diff --git a/kustomize-bases/nfs-media/kustomization.yaml b/kustomize-bases/nfs-media/kustomization.yaml deleted file mode 100644 index 482f897..0000000 --- a/kustomize-bases/nfs-media/kustomization.yaml +++ /dev/null 
@@ -1,6 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization - -resources: - - pvc.yaml From cd0c3724c68544dadf5924982ddd4dc482fe782f Mon Sep 17 00:00:00 2001 From: pgijsbertsen <117165507+pgijsbertsen@users.noreply.github.com> Date: Wed, 6 May 2026 12:50:43 +0200 Subject: [PATCH 16/40] Revert "chore: Move pvc to datastore as this is cluster-specific" This reverts commit 775a28e4bbeb471c1a3d6d3f114740cccc47305f. --- k8s-wheatley/plex/kustomization.yaml | 6 +++--- k8s-wheatley/qbittorrent/kustomization.yaml | 2 +- k8s-wheatley/radarr/kustomization.yaml | 2 +- k8s-wheatley/sonarr/kustomization.yaml | 2 +- kustomize-bases/nfs-media/kustomization.yaml | 6 ++++++ .../datastore => kustomize-bases/nfs-media}/pvc.yaml | 4 ++-- 6 files changed, 14 insertions(+), 8 deletions(-) create mode 100644 kustomize-bases/nfs-media/kustomization.yaml rename {k8s-wheatley/datastore => kustomize-bases/nfs-media}/pvc.yaml (89%) diff --git a/k8s-wheatley/plex/kustomization.yaml b/k8s-wheatley/plex/kustomization.yaml index ac6f6a4..3bd4023 100644 --- a/k8s-wheatley/plex/kustomization.yaml +++ b/k8s-wheatley/plex/kustomization.yaml @@ -4,7 +4,7 @@ kind: Kustomization namespace: plex resources: - - ../datastore/pvc.yaml + - ../../kustomize-bases/nfs-media - configmap.yaml - deployments.yaml - ingress.yaml @@ -36,5 +36,5 @@ patches: value: ReadOnlyMany images: - - name: plexinc/pms-docker - newTag: 1.43.1.10611-1e34174b1@sha256:8b5bcdf7b506fe051aa1a0a0d464efdb3ad8c0fb1f8a4dfb27a8c489b609920c +- name: plexinc/pms-docker + newTag: 1.43.1.10611-1e34174b1@sha256:8b5bcdf7b506fe051aa1a0a0d464efdb3ad8c0fb1f8a4dfb27a8c489b609920c diff --git a/k8s-wheatley/qbittorrent/kustomization.yaml b/k8s-wheatley/qbittorrent/kustomization.yaml index 9582f02..68bd0ef 100644 --- a/k8s-wheatley/qbittorrent/kustomization.yaml +++ b/k8s-wheatley/qbittorrent/kustomization.yaml 
@@ -4,7 +4,7 @@ kind: Kustomization namespace: qbittorrent resources: - - ../datastore/pvc.yaml + - ../../kustomize-bases/nfs-media - configmap.yaml - deployments.yaml - ingress.yaml diff --git a/k8s-wheatley/radarr/kustomization.yaml b/k8s-wheatley/radarr/kustomization.yaml index e938840..445d2f3 100644 --- a/k8s-wheatley/radarr/kustomization.yaml +++ b/k8s-wheatley/radarr/kustomization.yaml @@ -4,7 +4,7 @@ kind: Kustomization namespace: radarr resources: - - ../datastore/pvc.yaml + - ../../kustomize-bases/nfs-media - configmap.yaml - deployments.yaml - ingress.yaml diff --git a/k8s-wheatley/sonarr/kustomization.yaml b/k8s-wheatley/sonarr/kustomization.yaml index ad5d4f6..51ba92b 100644 --- a/k8s-wheatley/sonarr/kustomization.yaml +++ b/k8s-wheatley/sonarr/kustomization.yaml @@ -4,7 +4,7 @@ kind: Kustomization namespace: sonarr resources: - - ../datastore/pvc.yaml + - ../../kustomize-bases/nfs-media - configmap.yaml - deployments.yaml - ingress.yaml diff --git a/kustomize-bases/nfs-media/kustomization.yaml b/kustomize-bases/nfs-media/kustomization.yaml new file mode 100644 index 0000000..482f897 --- /dev/null +++ b/kustomize-bases/nfs-media/kustomization.yaml @@ -0,0 +1,6 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: + - pvc.yaml diff --git a/k8s-wheatley/datastore/pvc.yaml b/kustomize-bases/nfs-media/pvc.yaml similarity index 89% rename from k8s-wheatley/datastore/pvc.yaml rename to kustomize-bases/nfs-media/pvc.yaml index 7d43e93..94091c9 100644 --- a/k8s-wheatley/datastore/pvc.yaml +++ b/kustomize-bases/nfs-media/pvc.yaml @@ -9,7 +9,7 @@ apiVersion: v1 kind: PersistentVolume metadata: - name: nfs-media + name: nfs-media # renamed per-app via JSON patch spec: capacity: storage: 40Ti @@ -37,4 +37,4 @@ spec: resources: requests: storage: 40Ti - volumeName: nfs-media + volumeName: nfs-media # patched per-app to match PV name From 0633deb9838668b3724a59936aac1d35b1d21957 Mon Sep 17 00:00:00 2001 
From: pgijsbertsen <117165507+pgijsbertsen@users.noreply.github.com> Date: Wed, 6 May 2026 13:01:40 +0200 Subject: [PATCH 17/40] feat: Add Lidarr --- k8s-peterg/argocd/applications-wheatley.yaml | 19 ++++++++ k8s-wheatley/lidarr/configmap.yaml | 9 ++++ k8s-wheatley/lidarr/deployments.yaml | 50 ++++++++++++++++++++ k8s-wheatley/lidarr/ingress.yaml | 16 +++++++ k8s-wheatley/lidarr/kustomization.yaml | 33 +++++++++++++ k8s-wheatley/lidarr/namespace.yaml | 5 ++ k8s-wheatley/lidarr/pvc.yaml | 12 +++++ k8s-wheatley/lidarr/services.yaml | 12 +++++ 8 files changed, 156 insertions(+) create mode 100644 k8s-wheatley/lidarr/configmap.yaml create mode 100644 k8s-wheatley/lidarr/deployments.yaml create mode 100644 k8s-wheatley/lidarr/ingress.yaml create mode 100644 k8s-wheatley/lidarr/kustomization.yaml create mode 100644 k8s-wheatley/lidarr/namespace.yaml create mode 100644 k8s-wheatley/lidarr/pvc.yaml create mode 100644 k8s-wheatley/lidarr/services.yaml diff --git a/k8s-peterg/argocd/applications-wheatley.yaml b/k8s-peterg/argocd/applications-wheatley.yaml index 2f86524..eae54ce 100644 --- a/k8s-peterg/argocd/applications-wheatley.yaml +++ b/k8s-peterg/argocd/applications-wheatley.yaml @@ -143,6 +143,25 @@ spec: --- apiVersion: argoproj.io/v1alpha1 kind: Application +metadata: + name: lidarr + namespace: argocd +spec: + project: default + source: + repoURL: https://code.peterg.nl/wheatley/kubernetes.git + path: k8s-wheatley/lidarr + targetRevision: HEAD + destination: + server: https://10.13.37.10:6443 + namespace: lidarr + syncPolicy: + automated: + prune: true + selfHeal: true +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application metadata: name: prowlarr namespace: argocd diff --git a/k8s-wheatley/lidarr/configmap.yaml b/k8s-wheatley/lidarr/configmap.yaml new file mode 100644 index 0000000..188b4e6 --- /dev/null +++ b/k8s-wheatley/lidarr/configmap.yaml 
@@ -0,0 +1,9 @@ +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: lidarr-envs +data: + PUID: "1000" + PGID: "1000" + TZ: Europe/Amsterdam diff --git a/k8s-wheatley/lidarr/deployments.yaml b/k8s-wheatley/lidarr/deployments.yaml new file mode 100644 index 0000000..de9c4c5 --- /dev/null +++ b/k8s-wheatley/lidarr/deployments.yaml @@ -0,0 +1,50 @@ +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: lidarr + labels: + app: lidarr +spec: + replicas: 1 + serviceName: lidarr + selector: + matchLabels: + app: lidarr + template: + metadata: + labels: + app: lidarr + spec: + containers: + - name: lidarr + image: linuxserver/lidarr + imagePullPolicy: IfNotPresent + ports: + - containerPort: 8686 + envFrom: + - configMapRef: + name: lidarr-envs + volumeMounts: + - mountPath: /config + name: lidarr-config + - mountPath: /shared/media + name: nfs-media + securityContext: + seccompProfile: + type: RuntimeDefault + allowPrivilegeEscalation: false + capabilities: + drop: + - "ALL" + add: + - "CHOWN" + - "SETUID" + - "SETGID" + volumes: + - name: lidarr-config + persistentVolumeClaim: + claimName: lidarr-storage + - name: nfs-media + persistentVolumeClaim: + claimName: nfs-media diff --git a/k8s-wheatley/lidarr/ingress.yaml b/k8s-wheatley/lidarr/ingress.yaml new file mode 100644 index 0000000..727dfc4 --- /dev/null +++ b/k8s-wheatley/lidarr/ingress.yaml @@ -0,0 +1,16 @@ +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: lidarr-route +spec: + parentRefs: + - name: internal + namespace: kube-system + sectionName: https + hostnames: + - "lidarr.wheatley.in" + rules: + - backendRefs: + - name: lidarr + port: 80 diff --git a/k8s-wheatley/lidarr/kustomization.yaml b/k8s-wheatley/lidarr/kustomization.yaml new file mode 100644 index 0000000..018f13b --- /dev/null +++ b/k8s-wheatley/lidarr/kustomization.yaml 
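Review bot: The lidarr container in deployments.yaml has no `resources` requests/limits and no readiness or liveness probe, so a misbehaving pod can consume node resources without bound and the Service routes traffic to it before anything listens on 8686. The capability set (drop ALL, add CHOWN/SETUID/SETGID with `allowPrivilegeEscalation: false`) looks like the minimum a linuxserver-style image needs to switch to PUID/PGID at startup, which is presumably why there is no `runAsNonRoot`; a one-line comment above `capabilities:` saying so would stop a later hardening pass from removing them and breaking the pod. The values below are constructed starting points, not measured; size them from observed usage.
```yaml
        - name: lidarr
          # … unchanged: image, ports, envFrom, volumeMounts, securityContext …
          resources:  # constructed starting values; adjust from observed usage
            requests:
              cpu: 100m
              memory: 256Mi
            limits:
              memory: 1Gi
          readinessProbe:
            tcpSocket:
              port: 8686
            initialDelaySeconds: 10
            periodSeconds: 10
```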
@@ -0,0 +1,33 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: lidarr + +resources: + - ../../kustomize-bases/nfs-media + - configmap.yaml + - deployments.yaml + - ingress.yaml + - pvc.yaml + - services.yaml + - namespace.yaml + +patches: + - target: + kind: PersistentVolume + name: nfs-media + patch: | + - op: replace + path: /metadata/name + value: nfs-media-lidarr + - target: + kind: PersistentVolumeClaim + name: nfs-media + patch: | + - op: replace + path: /spec/volumeName + value: nfs-media-lidarr + +images: + - name: linuxserver/lidarr + newTag: 3.1.0@sha256:d2f944115de2ca6754ad142ee92f9db481b1574c7bc030974d624584106b78d7 diff --git a/k8s-wheatley/lidarr/namespace.yaml b/k8s-wheatley/lidarr/namespace.yaml new file mode 100644 index 0000000..54f155f --- /dev/null +++ b/k8s-wheatley/lidarr/namespace.yaml @@ -0,0 +1,5 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: lidarr diff --git a/k8s-wheatley/lidarr/pvc.yaml b/k8s-wheatley/lidarr/pvc.yaml new file mode 100644 index 0000000..e06965e --- /dev/null +++ b/k8s-wheatley/lidarr/pvc.yaml @@ -0,0 +1,12 @@ +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: lidarr-storage +spec: + storageClassName: piraeus-lvmthin + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 5Gi diff --git a/k8s-wheatley/lidarr/services.yaml b/k8s-wheatley/lidarr/services.yaml new file mode 100644 index 0000000..d1a3deb --- /dev/null +++ b/k8s-wheatley/lidarr/services.yaml @@ -0,0 +1,12 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: lidarr +spec: + selector: + app: lidarr + ports: + - port: 80 + protocol: TCP + targetPort: 8686 From 631143f9f86a3bb5ea4aa3783ff61b85faa9c619 Mon Sep 17 00:00:00 2001 
From: pgijsbertsen <117165507+pgijsbertsen@users.noreply.github.com> Date: Wed, 6 May 2026 17:12:49 +0200 Subject: [PATCH 18/40] feat: Add renovate-operator --- k8s-peterg/argocd/applications-peterg.yaml | 19 +++++++++++++++ .../renovate-operator/kustomization.yaml | 18 +++++++++++++++ k8s-peterg/renovate-operator/namespace.yaml | 5 ++++ k8s-peterg/renovate-operator/policies.yaml | 17 ++++++++++++++ .../renovate-operator/renovate-job.yaml | 23 +++++++++++++++++++ k8s-peterg/renovate-operator/secrets.yaml | 22 ++++++++++++++++++ k8s-peterg/renovate-operator/values.yaml | 4 ++++ 7 files changed, 108 insertions(+) create mode 100644 k8s-peterg/renovate-operator/kustomization.yaml create mode 100644 k8s-peterg/renovate-operator/namespace.yaml create mode 100644 k8s-peterg/renovate-operator/policies.yaml create mode 100644 k8s-peterg/renovate-operator/renovate-job.yaml create mode 100644 k8s-peterg/renovate-operator/secrets.yaml create mode 100644 k8s-peterg/renovate-operator/values.yaml diff --git a/k8s-peterg/argocd/applications-peterg.yaml b/k8s-peterg/argocd/applications-peterg.yaml index 26d36ff..9822d88 100644 --- a/k8s-peterg/argocd/applications-peterg.yaml +++ b/k8s-peterg/argocd/applications-peterg.yaml @@ -99,3 +99,22 @@ spec: selfHeal: true syncOptions: - ServerSideApply=true +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: renovate-operator + namespace: argocd +spec: + project: default + source: + repoURL: https://code.peterg.nl/wheatley/kubernetes.git + path: k8s-peterg/renovate-operator + targetRevision: HEAD + destination: + server: https://kubernetes.default.svc + namespace: renovate-operator + syncPolicy: + automated: + prune: true + selfHeal: true diff --git a/k8s-peterg/renovate-operator/kustomization.yaml b/k8s-peterg/renovate-operator/kustomization.yaml new file mode 100644 index 0000000..1f91397 --- /dev/null +++ b/k8s-peterg/renovate-operator/kustomization.yaml 
@@ -0,0 +1,18 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: renovate-operator + +resources: + - namespace.yaml + - policies.yaml + - renovate-job.yaml + - secrets.yaml + +helmCharts: + - name: renovate-operator + repo: https://helm.mogenius.com/public + namespace: renovate-operator + releaseName: renovate-operator + version: "4.7.0" + valuesFile: values.yaml diff --git a/k8s-peterg/renovate-operator/namespace.yaml b/k8s-peterg/renovate-operator/namespace.yaml new file mode 100644 index 0000000..981aeee --- /dev/null +++ b/k8s-peterg/renovate-operator/namespace.yaml @@ -0,0 +1,5 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: renovate-operator diff --git a/k8s-peterg/renovate-operator/policies.yaml b/k8s-peterg/renovate-operator/policies.yaml new file mode 100644 index 0000000..2516fa9 --- /dev/null +++ b/k8s-peterg/renovate-operator/policies.yaml @@ -0,0 +1,17 @@ +--- +kind: NetworkPolicy +apiVersion: networking.k8s.io/v1 +metadata: + name: allow-internet-only +spec: + podSelector: {} + policyTypes: + - Egress + egress: + - to: + - ipBlock: + cidr: 0.0.0.0/0 + except: + - 10.0.0.0/8 + - 192.168.0.0/16 + - 172.16.0.0/12 diff --git a/k8s-peterg/renovate-operator/renovate-job.yaml b/k8s-peterg/renovate-operator/renovate-job.yaml new file mode 100644 index 0000000..6916f07 --- /dev/null +++ b/k8s-peterg/renovate-operator/renovate-job.yaml @@ -0,0 +1,23 @@ +--- +apiVersion: renovate-operator.mogenius.com/v1alpha1 +kind: RenovateJob +metadata: + name: renovate + namespace: renovate-operator +spec: + schedule: "*/15 * * * *" + provider: + name: forgejo + endpoint: https://code.peterg.nl/api/v1/ + secretRef: renovate-operator-secrets + parallelism: 1 + skipForks: true + extraEnv: + - name: LOG_LEVEL + value: debug + - name: RENOVATE_ONBOARDING + value: "true" + - name: RENOVATE_AUTODISCOVER + value: "true" + - name: RENOVATE_GIT_AUTHOR + value: "Renovate " 
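Review bot: The `allow-internet-only` policy in policies.yaml selects every pod in the namespace (`podSelector: {}`) and, with Egress as the only policy type, permits traffic solely to non-RFC1918 addresses, so the pods lose cluster DNS and the Kubernetes API — both normally sit inside 10.0.0.0/8 on a kubeadm-style cluster — and the operator itself, which needs the API to create jobs, is caught by the same selector. Add explicit egress rules for DNS and the API endpoint instead of relying on the except-list alone. The DNS pod label and the API server address are cluster-specific, so confirm both before applying.
```yaml
  egress:
    # … unchanged: allow-internet-only ipBlock rule …
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns  # confirm: label of this cluster's DNS pods
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    - to:
        - ipBlock:
            cidr: <api-server-ip>/32  # placeholder: this cluster's API endpoint
      ports:
        - protocol: TCP
          port: 6443
```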
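Review bot: `LOG_LEVEL: debug` in renovate-job.yaml ships a scheduled job that holds the Forgejo token with verbose logging on and nothing marking it as temporary (the same line is re-added in the later "set loglevel" commit). Renovate redacts the secrets it knows about, but debug output includes request metadata and host-rule resolution, and it lands in whatever log pipeline scrapes this namespace; either use `info` or annotate it, `- name: LOG_LEVEL  # TODO: back to info once onboarding is verified`. Separately, `RENOVATE_GIT_AUTHOR` reads `"Renovate "` here — if that is the real value rather than an email part lost in rendering, Renovate expects the `Name <email>` form and will likely reject it.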
diff --git a/k8s-peterg/renovate-operator/secrets.yaml b/k8s-peterg/renovate-operator/secrets.yaml new file mode 100644 index 0000000..b8fc2f6 --- /dev/null +++ b/k8s-peterg/renovate-operator/secrets.yaml @@ -0,0 +1,22 @@ +--- +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: renovate-operator-secrets + namespace: renovate-operator +spec: + refreshInterval: "15s" + secretStoreRef: + name: vault-wheatley + kind: ClusterSecretStore + target: + name: renovate-operator-secrets + data: + - secretKey: RENOVATE_TOKEN + remoteRef: + key: /secrets/managed/renovate/token + property: RENOVATE_TOKEN + - secretKey: GITHUB_COM_TOKEN + remoteRef: + key: /secrets/managed/renovate/token + property: GITHUB_COM_TOKEN diff --git a/k8s-peterg/renovate-operator/values.yaml b/k8s-peterg/renovate-operator/values.yaml new file mode 100644 index 0000000..c55a4d1 --- /dev/null +++ b/k8s-peterg/renovate-operator/values.yaml @@ -0,0 +1,4 @@ +metrics: + enabled: true + serviceMonitor: + enabled: false From 2a4805b349a6add470dc86375cf4ad0da6289bb1 Mon Sep 17 00:00:00 2001 From: pgijsbertsen <117165507+pgijsbertsen@users.noreply.github.com> Date: Wed, 6 May 2026 17:15:21 +0200 Subject: [PATCH 19/40] chore: temp disable renovatejob --- k8s-peterg/renovate-operator/kustomization.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/k8s-peterg/renovate-operator/kustomization.yaml b/k8s-peterg/renovate-operator/kustomization.yaml index 1f91397..aa05ec1 100644 --- a/k8s-peterg/renovate-operator/kustomization.yaml +++ b/k8s-peterg/renovate-operator/kustomization.yaml @@ -6,7 +6,7 @@ namespace: renovate-operator resources: - namespace.yaml - policies.yaml - - renovate-job.yaml + # - renovate-job.yaml - secrets.yaml helmCharts: From 00ff2937597697ac804a1fc170f4d7a704f79dda Mon Sep 17 00:00:00 2001 
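Review bot: `refreshInterval: "15s"` in secrets.yaml makes ESO read `/secrets/managed/renovate/token` from Vault every 15 seconds for a token that only changes on rotation; that is needless load and audit-log noise on the `vault-wheatley` ClusterSecretStore, and a rotated token is only picked up by the next scheduled job run anyway. `refreshInterval: 1h` is ample here, with a comment noting that rotation takes effect on the next job.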
From: pgijsbertsen <117165507+pgijsbertsen@users.noreply.github.com> Date: Wed, 6 May 2026 17:16:20 +0200 Subject: [PATCH 20/40] fix: use correct api version for externalsecrets --- k8s-peterg/renovate-operator/secrets.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/k8s-peterg/renovate-operator/secrets.yaml b/k8s-peterg/renovate-operator/secrets.yaml index b8fc2f6..543f6f2 100644 --- a/k8s-peterg/renovate-operator/secrets.yaml +++ b/k8s-peterg/renovate-operator/secrets.yaml @@ -1,5 +1,5 @@ --- -apiVersion: external-secrets.io/v1beta1 +apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: name: renovate-operator-secrets From 35b2c83865dd03b6f9512d2f36ec0341007e69f8 Mon Sep 17 00:00:00 2001 From: pgijsbertsen <117165507+pgijsbertsen@users.noreply.github.com> Date: Wed, 6 May 2026 17:19:30 +0200 Subject: [PATCH 21/40] chore: re-enable renovate-job --- k8s-peterg/renovate-operator/kustomization.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/k8s-peterg/renovate-operator/kustomization.yaml b/k8s-peterg/renovate-operator/kustomization.yaml index aa05ec1..62d9440 100644 --- a/k8s-peterg/renovate-operator/kustomization.yaml +++ b/k8s-peterg/renovate-operator/kustomization.yaml @@ -5,8 +5,8 @@ namespace: renovate-operator resources: - namespace.yaml - - policies.yaml - # - renovate-job.yaml + # - policies.yaml + - renovate-job.yaml - secrets.yaml helmCharts: From d863b7e339207d9100174ff3430e2cfc7b576cec Mon Sep 17 00:00:00 2001 From: pgijsbertsen <117165507+pgijsbertsen@users.noreply.github.com> Date: Wed, 6 May 2026 17:27:36 +0200 Subject: [PATCH 22/40] fix: define image --- k8s-peterg/renovate-operator/renovate-job.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/k8s-peterg/renovate-operator/renovate-job.yaml b/k8s-peterg/renovate-operator/renovate-job.yaml index 6916f07..db3add4 100644 --- a/k8s-peterg/renovate-operator/renovate-job.yaml +++ b/k8s-peterg/renovate-operator/renovate-job.yaml 
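Review bot: Commenting out `- policies.yaml` in kustomization.yaml drops the namespace's only egress restriction in the same commit that puts `renovate-job.yaml` live with the Vault-sourced Forgejo token, so the job now has unrestricted egress into the cluster-internal ranges. If the policy was disabled because it blocked DNS or API-server traffic, the fix is to add those two egress rules to the policy and keep it applied. If it has to stay off for now, leave the reason and a date next to it, `# - policies.yaml  # TODO(<date>): re-enable once DNS/API egress rules are added`, so it is not forgotten.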
@@ -9,6 +9,7 @@ spec: provider: name: forgejo endpoint: https://code.peterg.nl/api/v1/ + image: ghcr.io/renovatebot/renovate:43.161.0 secretRef: renovate-operator-secrets parallelism: 1 skipForks: true From df5c58690ee710810e3f14c603b1e801375117c4 Mon Sep 17 00:00:00 2001 From: pgijsbertsen <117165507+pgijsbertsen@users.noreply.github.com> Date: Thu, 7 May 2026 09:22:59 +0200 Subject: [PATCH 23/40] feat(renovate-operator): Add httproute --- k8s-peterg/renovate-operator/values.yaml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/k8s-peterg/renovate-operator/values.yaml b/k8s-peterg/renovate-operator/values.yaml index c55a4d1..b7f5f52 100644 --- a/k8s-peterg/renovate-operator/values.yaml +++ b/k8s-peterg/renovate-operator/values.yaml @@ -1,4 +1,14 @@ +fullnameOverride: "renovate-operator" metrics: enabled: true serviceMonitor: enabled: false + +route: + enabled: true + hostnames: + # -- parentRefs to place on the HTTPRoute + parentRefs: + - name: internal + namespace: kube-system + sectionName: https From 029c916c92fd9639008c2b6dd30ede9f3ddf1c75 Mon Sep 17 00:00:00 2001 From: pgijsbertsen <117165507+pgijsbertsen@users.noreply.github.com> Date: Thu, 7 May 2026 10:05:25 +0200 Subject: [PATCH 24/40] chore(renovate-operator): decrease interval --- k8s-peterg/renovate-operator/renovate-job.yaml | 2 +- k8s-peterg/renovate-operator/values.yaml | 1 - 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/k8s-peterg/renovate-operator/renovate-job.yaml b/k8s-peterg/renovate-operator/renovate-job.yaml index db3add4..899630d 100644 --- a/k8s-peterg/renovate-operator/renovate-job.yaml +++ b/k8s-peterg/renovate-operator/renovate-job.yaml @@ -5,7 +5,7 @@ metadata: name: renovate namespace: renovate-operator spec: - schedule: "*/15 * * * *" + schedule: "*/30 * * * *" provider: name: forgejo endpoint: https://code.peterg.nl/api/v1/ diff --git a/k8s-peterg/renovate-operator/values.yaml b/k8s-peterg/renovate-operator/values.yaml index b7f5f52..979c844 100644 
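Review bot: `image: ghcr.io/renovatebot/renovate:43.161.0` in renovate-job.yaml is pinned by tag only, whereas every other image in this repo is pinned by digest (the plex and lidarr `newTag` entries carry `@sha256:…`); a tag can be re-pushed, and this image runs with a write-capable Forgejo token. Pin it the same way, `image: ghcr.io/renovatebot/renovate:43.161.0@sha256:<digest>`, with the digest taken from the registry, so Renovate itself can keep it updated.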
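Review bot: `hostnames:` in the added `route` block of values.yaml has no value, which YAML parses as null rather than an empty list; whether the chart's HTTPRoute template tolerates a null `hostnames` depends on the chart, and an HTTPRoute with no hostnames matches every host on the `internal` listener. Either give it the intended host, `hostnames: ["<renovate-hostname>"]`, or write `hostnames: []` explicitly if matching all hosts is really intended.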
--- a/k8s-peterg/renovate-operator/values.yaml +++ b/k8s-peterg/renovate-operator/values.yaml @@ -7,7 +7,6 @@ metrics: route: enabled: true hostnames: - # -- parentRefs to place on the HTTPRoute parentRefs: - name: internal namespace: kube-system From 26d989fc03b51c20b037fa1b1815f28f02ed42a3 Mon Sep 17 00:00:00 2001 From: pgijsbertsen <117165507+pgijsbertsen@users.noreply.github.com> Date: Thu, 7 May 2026 14:51:51 +0200 Subject: [PATCH 25/40] chore(renovate-operator): Decrease interval to 1h --- k8s-peterg/renovate-operator/renovate-job.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/k8s-peterg/renovate-operator/renovate-job.yaml b/k8s-peterg/renovate-operator/renovate-job.yaml index 899630d..3ef991c 100644 --- a/k8s-peterg/renovate-operator/renovate-job.yaml +++ b/k8s-peterg/renovate-operator/renovate-job.yaml @@ -5,7 +5,7 @@ metadata: name: renovate namespace: renovate-operator spec: - schedule: "*/30 * * * *" + schedule: "0 * * * *" provider: name: forgejo endpoint: https://code.peterg.nl/api/v1/ From 3d7580dc3a25f8965da3a6e3c0533ce38e4c020c Mon Sep 17 00:00:00 2001 From: pgijsbertsen <117165507+pgijsbertsen@users.noreply.github.com> Date: Thu, 7 May 2026 15:15:54 +0200 Subject: [PATCH 26/40] feat(renovate-operator): Fix ratelimits --- k8s-peterg/renovate-operator/configmap.yaml | 22 +++++++++++++++++++ .../renovate-operator/kustomization.yaml | 1 + .../renovate-operator/renovate-job.yaml | 9 ++++++++ k8s-peterg/renovate-operator/secrets.yaml | 22 +++++++++++++++++++ k8s-peterg/renovate-operator/values.yaml | 4 ++++ 5 files changed, 58 insertions(+) create mode 100644 k8s-peterg/renovate-operator/configmap.yaml diff --git a/k8s-peterg/renovate-operator/configmap.yaml b/k8s-peterg/renovate-operator/configmap.yaml new file mode 100644 index 0000000..5a6053c --- /dev/null +++ b/k8s-peterg/renovate-operator/configmap.yaml 
@@ -0,0 +1,22 @@ +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: renovate-config + namespace: renovate-operator +data: + config.json: |- + { + "hostRules": [ + { + "matchHost": "docker.io", + "username": "{{ env.DOCKER_USERNAME}}", + "password": "{{ env.DOCKER_TOKEN }}" + }, + { + "matchHost": "registry-1.docker.io", + "username": "{{ env.DOCKER_USERNAME}}", + "password": "{{ env.DOCKER_TOKEN }}" + } + ] + } diff --git a/k8s-peterg/renovate-operator/kustomization.yaml b/k8s-peterg/renovate-operator/kustomization.yaml index 62d9440..17e99a5 100644 --- a/k8s-peterg/renovate-operator/kustomization.yaml +++ b/k8s-peterg/renovate-operator/kustomization.yaml @@ -4,6 +4,7 @@ kind: Kustomization namespace: renovate-operator resources: + - configmap.yaml - namespace.yaml # - policies.yaml - renovate-job.yaml diff --git a/k8s-peterg/renovate-operator/renovate-job.yaml b/k8s-peterg/renovate-operator/renovate-job.yaml index 3ef991c..1fdcfc7 100644 --- a/k8s-peterg/renovate-operator/renovate-job.yaml +++ b/k8s-peterg/renovate-operator/renovate-job.yaml @@ -13,6 +13,13 @@ spec: secretRef: renovate-operator-secrets parallelism: 1 skipForks: true + extraVolumes: + - name: renovate-config + configMap: + name: renovate-config + extraVolumeMounts: + - name: renovate-config + mountPath: /opt/renovate extraEnv: - name: LOG_LEVEL value: debug @@ -22,3 +29,5 @@ spec: value: "true" - name: RENOVATE_GIT_AUTHOR value: "Renovate " + - name: RENOVATE_CONFIG_FILE + value: /opt/renovate/config.json diff --git a/k8s-peterg/renovate-operator/secrets.yaml b/k8s-peterg/renovate-operator/secrets.yaml index 543f6f2..8dba422 100644 --- a/k8s-peterg/renovate-operator/secrets.yaml +++ b/k8s-peterg/renovate-operator/secrets.yaml 
@@ -20,3 +20,25 @@ spec: remoteRef: key: /secrets/managed/renovate/token property: GITHUB_COM_TOKEN +--- +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: renovate-operator-docker-login + namespace: renovate-operator +spec: + refreshInterval: "15s" + secretStoreRef: + name: vault-wheatley + kind: ClusterSecretStore + target: + name: renovate-operator-docker-login + data: + - secretKey: DOCKER_USERNAME + remoteRef: + key: /secrets/managed/renovate/docker + property: DOCKER_USERNAME + - secretKey: DOCKER_TOKEN + remoteRef: + key: /secrets/managed/renovate/docker + property: DOCKER_PASSWORD diff --git a/k8s-peterg/renovate-operator/values.yaml b/k8s-peterg/renovate-operator/values.yaml index 979c844..88eaa44 100644 --- a/k8s-peterg/renovate-operator/values.yaml +++ b/k8s-peterg/renovate-operator/values.yaml @@ -4,6 +4,10 @@ metrics: serviceMonitor: enabled: false +image: + imagePullSecrets: + - name: renovate-operator-docker-login + route: enabled: true hostnames: From e7fe39a55c3d7481271c531b83388aa127f6bc3b Mon Sep 17 00:00:00 2001 From: pgijsbertsen <117165507+pgijsbertsen@users.noreply.github.com> Date: Thu, 7 May 2026 17:00:07 +0200 Subject: [PATCH 27/40] fix(renovate-operator): Parse secrets correctly --- k8s-peterg/renovate-operator/renovate-job.yaml | 7 +++++-- k8s-peterg/renovate-operator/values.yaml | 9 ++++++--- 2 files changed, 11 insertions(+), 5 deletions(-) diff --git a/k8s-peterg/renovate-operator/renovate-job.yaml b/k8s-peterg/renovate-operator/renovate-job.yaml index 1fdcfc7..3707624 100644 --- a/k8s-peterg/renovate-operator/renovate-job.yaml +++ b/k8s-peterg/renovate-operator/renovate-job.yaml @@ -19,7 +19,10 @@ spec: name: renovate-config extraVolumeMounts: - name: renovate-config - mountPath: /opt/renovate + mountPath: /config + extraEnvFrom: + - secretRef: + name: renovate-operator-docker-login extraEnv: - name: LOG_LEVEL value: debug 
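Review bot: In the new `renovate-operator-docker-login` ExternalSecret in secrets.yaml, the Vault property `DOCKER_PASSWORD` is exposed under the Kubernetes key `DOCKER_TOKEN`, so the same credential carries two names across the secret and its consumers. Keep one name end to end, `- secretKey: DOCKER_PASSWORD`, so a later reference cannot pick the wrong key.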
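Review bot: `image.imagePullSecrets` in values.yaml points at `renovate-operator-docker-login`, but the secret created by the ExternalSecret in this same commit is an Opaque secret with `DOCKER_USERNAME`/`DOCKER_TOKEN` keys, not a `kubernetes.io/dockerconfigjson` secret, and as far as I know kubelet does not use a non-dockerconfig secret for pulls (whether the chart even wires this key to the pod also needs checking). If the goal is to authenticate Renovate's own Docker Hub lookups, the hostRules in configmap.yaml are the right place and this value is unnecessary; if pulling the operator image itself needs credentials, render a dockerconfigjson through the ExternalSecret's `target.template` with `type: kubernetes.io/dockerconfigjson`.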
@@ -30,4 +33,4 @@ spec: - name: RENOVATE_GIT_AUTHOR value: "Renovate " - name: RENOVATE_CONFIG_FILE - value: /opt/renovate/config.json + value: /config/config.json diff --git a/k8s-peterg/renovate-operator/values.yaml b/k8s-peterg/renovate-operator/values.yaml index 88eaa44..d93c1d9 100644 --- a/k8s-peterg/renovate-operator/values.yaml +++ b/k8s-peterg/renovate-operator/values.yaml @@ -4,9 +4,12 @@ metrics: serviceMonitor: enabled: false -image: - imagePullSecrets: - - name: renovate-operator-docker-login +crd: + install: true + mode: template + +rbac: + ownNamespaceOnly: true route: enabled: true From 47a110d56480d88a2e9ed2fd8313a5047cd2d8b8 Mon Sep 17 00:00:00 2001 From: pgijsbertsen <117165507+pgijsbertsen@users.noreply.github.com> Date: Fri, 8 May 2026 09:24:12 +0200 Subject: [PATCH 28/40] fix(renovate-operator): Fix inclusion of docker login --- k8s-peterg/renovate-operator/configmap.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/k8s-peterg/renovate-operator/configmap.yaml b/k8s-peterg/renovate-operator/configmap.yaml index 5a6053c..a9f3eee 100644 --- a/k8s-peterg/renovate-operator/configmap.yaml +++ b/k8s-peterg/renovate-operator/configmap.yaml @@ -10,13 +10,13 @@ data: "hostRules": [ { "matchHost": "docker.io", - "username": "{{ env.DOCKER_USERNAME}}", - "password": "{{ env.DOCKER_TOKEN }}" + "username": "{{ process.env.DOCKER_USERNAME }}", + "password": "{{ process.env.DOCKER_TOKEN }}" }, { "matchHost": "registry-1.docker.io", - "username": "{{ env.DOCKER_USERNAME}}", - "password": "{{ env.DOCKER_TOKEN }}" + "username": "{{ process.env.DOCKER_USERNAME }}", + "password": "{{ process.env.DOCKER_TOKEN }}" } ] } From 486542e783b77b0913c8ab046fb96ea3b3e76f2d Mon Sep 17 00:00:00 2001 
From: pgijsbertsen <117165507+pgijsbertsen@users.noreply.github.com> Date: Fri, 8 May 2026 09:37:30 +0200 Subject: [PATCH 29/40] chore(renovate-operator): use config.js --- k8s-peterg/renovate-operator/configmap.yaml | 35 ++++++++++++------- .../renovate-operator/renovate-job.yaml | 10 +----- k8s-peterg/renovate-operator/secrets.yaml | 2 +- 3 files changed, 25 insertions(+), 22 deletions(-) diff --git a/k8s-peterg/renovate-operator/configmap.yaml b/k8s-peterg/renovate-operator/configmap.yaml index a9f3eee..370ac73 100644 --- a/k8s-peterg/renovate-operator/configmap.yaml +++ b/k8s-peterg/renovate-operator/configmap.yaml @@ -5,18 +5,29 @@ metadata: name: renovate-config namespace: renovate-operator data: - config.json: |- - { - "hostRules": [ + config.js: |- + module.exports = { + platform: 'forgejo', + endpoint: 'https://code.peterg.nl/api/v1/', + gitAuthor: 'Renovate ', + username: 'renovate', + autodiscover: true, + onboardingConfig: { + $schema: 'https://docs.renovatebot.com/renovate-schema.json', + extends: ['config:recommended'], + }, + optimizeForDisabled: true, + persistRepoData: true, + hostRules: [ { - "matchHost": "docker.io", - "username": "{{ process.env.DOCKER_USERNAME }}", - "password": "{{ process.env.DOCKER_TOKEN }}" + matchHost: 'docker.io', + username: process.env.DOCKER_USERNAME, + password: process.env.DOCKER_TOKEN, }, { - "matchHost": "registry-1.docker.io", - "username": "{{ process.env.DOCKER_USERNAME }}", - "password": "{{ process.env.DOCKER_TOKEN }}" - } - ] - } + matchHost: 'registry-1.docker.io', + username: process.env.DOCKER_USERNAME, + password: process.env.DOCKER_TOKEN, + }, + ], + }; diff --git a/k8s-peterg/renovate-operator/renovate-job.yaml b/k8s-peterg/renovate-operator/renovate-job.yaml index 3707624..d4db44b 100644 --- a/k8s-peterg/renovate-operator/renovate-job.yaml +++ b/k8s-peterg/renovate-operator/renovate-job.yaml 
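Review bot: config.js in configmap.yaml reads `process.env.DOCKER_USERNAME` and `process.env.DOCKER_TOKEN` with nothing saying where they come from; a comment above `hostRules`, `// DOCKER_* are injected from the renovate-operator-docker-login secret via extraEnvFrom in renovate-job.yaml`, ties the two files together for the next reader. Two smaller points: `gitAuthor: 'Renovate '` shows here without an email part — if that is the real value and not lost in rendering, Renovate expects the `Name <email>` form and will likely refuse it; and the `registry-1.docker.io` rule may be redundant, since Renovate's `matchHost` on a bare hostname also matches its subdomains — worth confirming against the Renovate docs before keeping both.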
@@ -24,13 +24,5 @@ spec: - secretRef: name: renovate-operator-docker-login extraEnv: - - name: LOG_LEVEL - value: debug - - name: RENOVATE_ONBOARDING - value: "true" - - name: RENOVATE_AUTODISCOVER - value: "true" - - name: RENOVATE_GIT_AUTHOR - value: "Renovate " - name: RENOVATE_CONFIG_FILE - value: /config/config.json + value: /config/config.js diff --git a/k8s-peterg/renovate-operator/secrets.yaml b/k8s-peterg/renovate-operator/secrets.yaml index 8dba422..90c1e4c 100644 --- a/k8s-peterg/renovate-operator/secrets.yaml +++ b/k8s-peterg/renovate-operator/secrets.yaml @@ -16,7 +16,7 @@ spec: remoteRef: key: /secrets/managed/renovate/token property: RENOVATE_TOKEN - - secretKey: GITHUB_COM_TOKEN + - secretKey: RENOVATE_GITHUB_TOKEN remoteRef: key: /secrets/managed/renovate/token property: GITHUB_COM_TOKEN From 856e86fd5184ae45b4b86dc944e8573660b131c3 Mon Sep 17 00:00:00 2001 From: pgijsbertsen <117165507+pgijsbertsen@users.noreply.github.com> Date: Fri, 8 May 2026 09:49:27 +0200 Subject: [PATCH 30/40] fix secretref --- k8s-peterg/renovate-operator/renovate-job.yaml | 13 ++++++++++--- k8s-peterg/renovate-operator/secrets.yaml | 2 +- 2 files changed, 11 insertions(+), 4 deletions(-) diff --git a/k8s-peterg/renovate-operator/renovate-job.yaml b/k8s-peterg/renovate-operator/renovate-job.yaml index d4db44b..30a2375 100644 --- a/k8s-peterg/renovate-operator/renovate-job.yaml +++ b/k8s-peterg/renovate-operator/renovate-job.yaml @@ -20,9 +20,16 @@ spec: extraVolumeMounts: - name: renovate-config mountPath: /config - extraEnvFrom: - - secretRef: - name: renovate-operator-docker-login extraEnv: - name: RENOVATE_CONFIG_FILE value: /config/config.js + - name: DOCKER_USERNAME + valueFrom: + secretKeyRef: + name: renovate-operator-docker-login + key: DOCKER_USERNAME + - name: DOCKER_TOKEN + valueFrom: + secretKeyRef: + name: renovate-operator-docker-login + key: DOCKER_TOKEN 
diff --git a/k8s-peterg/renovate-operator/secrets.yaml b/k8s-peterg/renovate-operator/secrets.yaml index 90c1e4c..538fc3e 100644 --- a/k8s-peterg/renovate-operator/secrets.yaml +++ b/k8s-peterg/renovate-operator/secrets.yaml @@ -16,7 +16,7 @@ spec: remoteRef: key: /secrets/managed/renovate/token property: RENOVATE_TOKEN - - secretKey: RENOVATE_GITHUB_TOKEN + - secretKey: GITHUB_TOKEN remoteRef: key: /secrets/managed/renovate/token property: GITHUB_COM_TOKEN From e8df03cd18272813d45696eb17bb3c79073c276b Mon Sep 17 00:00:00 2001 From: pgijsbertsen <117165507+pgijsbertsen@users.noreply.github.com> Date: Fri, 8 May 2026 11:47:53 +0200 Subject: [PATCH 31/40] add policies --- .../renovate-operator/kustomization.yaml | 2 +- k8s-peterg/renovate-operator/policies.yaml | 20 +++++++++++++++++++ k8s-peterg/renovate-operator/secrets.yaml | 2 +- 3 files changed, 22 insertions(+), 2 deletions(-) diff --git a/k8s-peterg/renovate-operator/kustomization.yaml b/k8s-peterg/renovate-operator/kustomization.yaml index 17e99a5..ad54284 100644 --- a/k8s-peterg/renovate-operator/kustomization.yaml +++ b/k8s-peterg/renovate-operator/kustomization.yaml @@ -6,7 +6,7 @@ namespace: renovate-operator resources: - configmap.yaml - namespace.yaml - # - policies.yaml + - policies.yaml - renovate-job.yaml - secrets.yaml diff --git a/k8s-peterg/renovate-operator/policies.yaml b/k8s-peterg/renovate-operator/policies.yaml index 2516fa9..fde5a8e 100644 --- a/k8s-peterg/renovate-operator/policies.yaml +++ b/k8s-peterg/renovate-operator/policies.yaml @@ -15,3 +15,23 @@ spec: - 10.0.0.0/8 - 192.168.0.0/16 - 172.16.0.0/12 +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: api-server-egress +spec: + podSelector: {} + policyTypes: + - Egress + egress: + - to: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: kube-system + - podSelector: + matchLabels: + k8s-app: kube-apiserver + - ports: + - protocol: TCP + port: 6443 
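Review bot: The `api-server-egress` policy in policies.yaml does not express what its name says: `podSelector` is a separate item under `to`, so it is OR'd with the namespaceSelector and on its own matches pods in the renovate-operator namespace labelled `k8s-app=kube-apiserver`, and `- ports:` starts a second egress rule with no `to`, which allows TCP 6443 to any destination. Put both selectors in one `to` item and attach `ports` to that rule; on many distributions the API server is not a selectable pod at all (static pods on the host network, or an external control plane), in which case an `ipBlock` for the API endpoint is needed instead — confirm for this cluster. The same structure is re-added as `kubernetes-egress` in the later "add policy" commit and has the same issue.
```yaml
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-apiserver  # confirm: API server runs as a selectable pod here
      ports:
        - protocol: TCP
          port: 6443
```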
diff --git a/k8s-peterg/renovate-operator/secrets.yaml b/k8s-peterg/renovate-operator/secrets.yaml index 538fc3e..8dba422 100644 --- a/k8s-peterg/renovate-operator/secrets.yaml +++ b/k8s-peterg/renovate-operator/secrets.yaml @@ -16,7 +16,7 @@ spec: remoteRef: key: /secrets/managed/renovate/token property: RENOVATE_TOKEN - - secretKey: GITHUB_TOKEN + - secretKey: GITHUB_COM_TOKEN remoteRef: key: /secrets/managed/renovate/token property: GITHUB_COM_TOKEN From 36f4bbc98a6fe6dd6b7dc90bc25b7e125d4f27f6 Mon Sep 17 00:00:00 2001 From: pgijsbertsen <117165507+pgijsbertsen@users.noreply.github.com> Date: Fri, 8 May 2026 11:50:31 +0200 Subject: [PATCH 32/40] set loglevel --- k8s-peterg/renovate-operator/policies.yaml | 20 ------------------- .../renovate-operator/renovate-job.yaml | 2 ++ 2 files changed, 2 insertions(+), 20 deletions(-) diff --git a/k8s-peterg/renovate-operator/policies.yaml b/k8s-peterg/renovate-operator/policies.yaml index fde5a8e..2516fa9 100644 --- a/k8s-peterg/renovate-operator/policies.yaml +++ b/k8s-peterg/renovate-operator/policies.yaml @@ -15,23 +15,3 @@ spec: - 10.0.0.0/8 - 192.168.0.0/16 - 172.16.0.0/12 ---- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: api-server-egress -spec: - podSelector: {} - policyTypes: - - Egress - egress: - - to: - - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: kube-system - - podSelector: - matchLabels: - k8s-app: kube-apiserver - - ports: - - protocol: TCP - port: 6443 diff --git a/k8s-peterg/renovate-operator/renovate-job.yaml b/k8s-peterg/renovate-operator/renovate-job.yaml index 30a2375..31379a8 100644 --- a/k8s-peterg/renovate-operator/renovate-job.yaml +++ b/k8s-peterg/renovate-operator/renovate-job.yaml @@ -21,6 +21,8 @@ spec: - name: renovate-config mountPath: /config extraEnv: + - name: LOG_LEVEL + value: debug - name: RENOVATE_CONFIG_FILE value: /config/config.js - name: DOCKER_USERNAME From b1a30eaf1d0a21a095cb720444de4e04b39c892d Mon Sep 17 00:00:00 2001 
From: pgijsbertsen <117165507+pgijsbertsen@users.noreply.github.com> Date: Fri, 8 May 2026 11:54:39 +0200 Subject: [PATCH 33/40] add policy --- k8s-peterg/renovate-operator/policies.yaml | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/k8s-peterg/renovate-operator/policies.yaml b/k8s-peterg/renovate-operator/policies.yaml index 2516fa9..e7c6c9a 100644 --- a/k8s-peterg/renovate-operator/policies.yaml +++ b/k8s-peterg/renovate-operator/policies.yaml @@ -15,3 +15,23 @@ spec: - 10.0.0.0/8 - 192.168.0.0/16 - 172.16.0.0/12 +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: kubernetes-egress +spec: + podSelector: {} + policyTypes: + - Egress + egress: + - to: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: kube-system + - podSelector: + matchLabels: + k8s-app: kube-apiserver + - ports: + - protocol: TCP + port: 6443 From c40ccabcbba3b90922581985dc1fe915f6419e37 Mon Sep 17 00:00:00 2001 From: pgijsbertsen <117165507+pgijsbertsen@users.noreply.github.com> Date: Fri, 8 May 2026 13:02:56 +0200 Subject: [PATCH 34/40] chore: add hostType --- k8s-peterg/renovate-operator/configmap.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/k8s-peterg/renovate-operator/configmap.yaml b/k8s-peterg/renovate-operator/configmap.yaml index 370ac73..2666cb1 100644 --- a/k8s-peterg/renovate-operator/configmap.yaml +++ b/k8s-peterg/renovate-operator/configmap.yaml @@ -20,11 +20,13 @@ data: persistRepoData: true, hostRules: [ { + hostType: 'docker', matchHost: 'docker.io', username: process.env.DOCKER_USERNAME, password: process.env.DOCKER_TOKEN, }, { + hostType: 'docker', matchHost: 'registry-1.docker.io', username: process.env.DOCKER_USERNAME, password: process.env.DOCKER_TOKEN, From b01b6a8987daa76e00b4573badd1c2d911ab4ed0 Mon Sep 17 00:00:00 2001 
From: pgijsbertsen <117165507+pgijsbertsen@users.noreply.github.com> Date: Fri, 8 May 2026 13:58:53 +0200 Subject: [PATCH 35/40] feat: Detect host rules from env --- k8s-peterg/renovate-operator/configmap.yaml | 14 -------------- k8s-peterg/renovate-operator/renovate-job.yaml | 2 ++ 2 files changed, 2 insertions(+), 14 deletions(-) diff --git a/k8s-peterg/renovate-operator/configmap.yaml b/k8s-peterg/renovate-operator/configmap.yaml index 2666cb1..472822c 100644 --- a/k8s-peterg/renovate-operator/configmap.yaml +++ b/k8s-peterg/renovate-operator/configmap.yaml @@ -18,18 +18,4 @@ data: }, optimizeForDisabled: true, persistRepoData: true, - hostRules: [ - { - hostType: 'docker', - matchHost: 'docker.io', - username: process.env.DOCKER_USERNAME, - password: process.env.DOCKER_TOKEN, - }, - { - hostType: 'docker', - matchHost: 'registry-1.docker.io', - username: process.env.DOCKER_USERNAME, - password: process.env.DOCKER_TOKEN, - }, - ], }; diff --git a/k8s-peterg/renovate-operator/renovate-job.yaml b/k8s-peterg/renovate-operator/renovate-job.yaml index 31379a8..025e6f3 100644 --- a/k8s-peterg/renovate-operator/renovate-job.yaml +++ b/k8s-peterg/renovate-operator/renovate-job.yaml @@ -25,6 +25,8 @@ spec: value: debug - name: RENOVATE_CONFIG_FILE value: /config/config.js + - name: RENOVATE_DETECT_HOST_RULES_FROM_ENV + value: "true" - name: DOCKER_USERNAME valueFrom: secretKeyRef: From a5a63ee4cd52beb93f19fb4d0db29ae262de466a Mon Sep 17 00:00:00 2001 From: pgijsbertsen <117165507+pgijsbertsen@users.noreply.github.com> Date: Fri, 8 May 2026 14:01:09 +0200 Subject: [PATCH 36/40] fix: password intead of token --- k8s-peterg/renovate-operator/renovate-job.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/k8s-peterg/renovate-operator/renovate-job.yaml b/k8s-peterg/renovate-operator/renovate-job.yaml index 025e6f3..83b205e 100644 --- a/k8s-peterg/renovate-operator/renovate-job.yaml +++ b/k8s-peterg/renovate-operator/renovate-job.yaml 
@@ -32,7 +32,7 @@ spec: secretKeyRef: name: renovate-operator-docker-login key: DOCKER_USERNAME - - name: DOCKER_TOKEN + - name: DOCKER_PASSWORD valueFrom: secretKeyRef: name: renovate-operator-docker-login From a97783ed0be2d20a6dcb46c880f5a797bd26e8b2 Mon Sep 17 00:00:00 2001 From: pgijsbertsen <117165507+pgijsbertsen@users.noreply.github.com> Date: Fri, 8 May 2026 14:25:38 +0200 Subject: [PATCH 37/40] fix: Don't autodiscover --- k8s-peterg/renovate-operator/configmap.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/k8s-peterg/renovate-operator/configmap.yaml b/k8s-peterg/renovate-operator/configmap.yaml index 472822c..1edf30b 100644 --- a/k8s-peterg/renovate-operator/configmap.yaml +++ b/k8s-peterg/renovate-operator/configmap.yaml @@ -11,7 +11,6 @@ data: endpoint: 'https://code.peterg.nl/api/v1/', gitAuthor: 'Renovate ', username: 'renovate', - autodiscover: true, onboardingConfig: { $schema: 'https://docs.renovatebot.com/renovate-schema.json', extends: ['config:recommended'], From bf6098e6765434c821c4baa58d9ed9c37028f5f1 Mon Sep 17 00:00:00 2001 From: pgijsbertsen <117165507+pgijsbertsen@users.noreply.github.com> Date: Fri, 8 May 2026 14:32:50 +0200 Subject: [PATCH 38/40] chore: Remove auth --- k8s-peterg/renovate-operator/renovate-job.yaml | 10 ---------- k8s-peterg/renovate-operator/secrets.yaml | 4 ---- 2 files changed, 14 deletions(-) diff --git a/k8s-peterg/renovate-operator/renovate-job.yaml b/k8s-peterg/renovate-operator/renovate-job.yaml index 83b205e..22558e9 100644 --- a/k8s-peterg/renovate-operator/renovate-job.yaml +++ b/k8s-peterg/renovate-operator/renovate-job.yaml @@ -27,13 +27,3 @@ spec: value: /config/config.js - name: RENOVATE_DETECT_HOST_RULES_FROM_ENV value: "true" - - name: DOCKER_USERNAME - valueFrom: - secretKeyRef: - name: renovate-operator-docker-login - key: DOCKER_USERNAME - - name: DOCKER_PASSWORD - valueFrom: - secretKeyRef: - name: renovate-operator-docker-login - key: DOCKER_TOKEN 
diff --git a/k8s-peterg/renovate-operator/secrets.yaml b/k8s-peterg/renovate-operator/secrets.yaml index 8dba422..3d3581b 100644 --- a/k8s-peterg/renovate-operator/secrets.yaml +++ b/k8s-peterg/renovate-operator/secrets.yaml @@ -16,10 +16,6 @@ spec: remoteRef: key: /secrets/managed/renovate/token property: RENOVATE_TOKEN - - secretKey: GITHUB_COM_TOKEN - remoteRef: - key: /secrets/managed/renovate/token - property: GITHUB_COM_TOKEN --- apiVersion: external-secrets.io/v1 kind: ExternalSecret From 845aea8b13f5562d006b1ca828c460065e7125f3 Mon Sep 17 00:00:00 2001 From: pgijsbertsen <117165507+pgijsbertsen@users.noreply.github.com> Date: Fri, 8 May 2026 14:35:36 +0200 Subject: [PATCH 39/40] chore: dont detect host rules from env --- .../renovate-operator/renovate-job.yaml | 2 -- k8s-peterg/renovate-operator/secrets.yaml | 24 +++---------------- 2 files changed, 3 insertions(+), 23 deletions(-) diff --git a/k8s-peterg/renovate-operator/renovate-job.yaml b/k8s-peterg/renovate-operator/renovate-job.yaml index 22558e9..7f161da 100644 --- a/k8s-peterg/renovate-operator/renovate-job.yaml +++ b/k8s-peterg/renovate-operator/renovate-job.yaml @@ -25,5 +25,3 @@ spec: value: debug - name: RENOVATE_CONFIG_FILE value: /config/config.js - - name: RENOVATE_DETECT_HOST_RULES_FROM_ENV - value: "true" diff --git a/k8s-peterg/renovate-operator/secrets.yaml b/k8s-peterg/renovate-operator/secrets.yaml index 3d3581b..543f6f2 100644 --- a/k8s-peterg/renovate-operator/secrets.yaml +++ b/k8s-peterg/renovate-operator/secrets.yaml 
@@ -16,25 +16,7 @@ spec: remoteRef: key: /secrets/managed/renovate/token property: RENOVATE_TOKEN ---- -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: renovate-operator-docker-login - namespace: renovate-operator -spec: - refreshInterval: "15s" - secretStoreRef: - name: vault-wheatley - kind: ClusterSecretStore - target: - name: renovate-operator-docker-login - data: - - secretKey: DOCKER_USERNAME + - secretKey: GITHUB_COM_TOKEN remoteRef: - key: /secrets/managed/renovate/docker - property: DOCKER_USERNAME - - secretKey: DOCKER_TOKEN - remoteRef: - key: /secrets/managed/renovate/docker - property: DOCKER_PASSWORD + key: /secrets/managed/renovate/token + property: GITHUB_COM_TOKEN From 7d863973b8242d9b6851c10377e8f23b129584d6 Mon Sep 17 00:00:00 2001 From: Renovate Date: Fri, 8 May 2026 12:49:53 +0000 Subject: [PATCH 40/40] chore(deps): update helm release cilium to v1.19.3 --- kustomize-bases/cilium/kustomization.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kustomize-bases/cilium/kustomization.yaml b/kustomize-bases/cilium/kustomization.yaml index 4cccdf0..37b61c4 100644 --- a/kustomize-bases/cilium/kustomization.yaml +++ b/kustomize-bases/cilium/kustomization.yaml @@ -13,5 +13,5 @@ helmCharts: repo: https://helm.cilium.io namespace: kube-system releaseName: cilium - version: 1.18.6 + version: 1.19.3 valuesFile: values.yaml
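Review bot: The `GITHUB_COM_TOKEN` data entry added here at `key: /secrets/managed/renovate/token` is the same entry that PATCH 38/40 removed from this ExternalSecret; squashing the two would avoid the churn. Nothing visible in this series wires the resulting Secret key into the Renovate Job's environment, and Renovate reads `GITHUB_COM_TOKEN` from its process environment, so unless that is done elsewhere (an `envFrom` or `env` entry on the Job) the token will not be used; the Job hunk in this patch only removes a variable. The ExternalSecret that receives this entry starts outside the hunk.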