chore(deps): update helm release cilium to v1.19.3

Reviewed-on: #54

k8s-peterg/argo-workflows/kustomization.yaml

@@ -0,0 +1,15 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - namespace.yaml
+  - secrets.yaml
+
+helmCharts:
+  - name: argo-workflows
+    repo: https://argoproj.github.io/argo-helm
+    namespace: argo-workflows
+    releaseName: argo-workflows
+    version: 1.0.7
+    valuesFile: values.yaml

k8s-peterg/argo-workflows/namespace.yaml

@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: argo-workflows

k8s-peterg/argo-workflows/secrets.yaml

@@ -0,0 +1,31 @@
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: argo-workflows-sso
+  namespace: argo-workflows
+spec:
+  secretStoreRef:
+    name: vault-wheatley
+    kind: ClusterSecretStore
+  target:
+    name: argo-workflows-sso
+    template:
+      metadata:
+        labels:
+          app.kubernetes.io/part-of: argo-workflows
+  data:
+    - secretKey: client-id
+      remoteRef:
+        key: secrets/managed/argo-workflows/authentik-sso
+        property: client-id
+        conversionStrategy: Default
+        decodingStrategy: None
+        metadataPolicy: None
+    - secretKey: client-secret
+      remoteRef:
+        key: secrets/managed/argo-workflows/authentik-sso
+        property: client-secret
+        conversionStrategy: Default
+        decodingStrategy: None
+        metadataPolicy: None

k8s-peterg/argo-workflows/values.yaml

@@ -0,0 +1,313 @@
+## Custom resource configuration
+crds:
+  # -- Install and upgrade CRDs
+  install: true
+  # -- Keep CRDs on chart uninstall
+  keep: true
+  # -- Use full CRDs with complete OpenAPI schemas. When false, uses minified CRDs with x-kubernetes-preserve-unknown-fields.
+  # Full CRDs are very large and are installed via a pre-install/pre-upgrade hook Job that uses server-side apply.
+  full: true
+
+# -- Create ClusterRoles that extend existing ClusterRoles to interact with Argo Workflows CRDs.
+## Ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles
+createAggregateRoles: true
+
+# -- Restrict Argo to operate only in a single namespace (the namespace of the
+# Helm release) by apply Roles and RoleBindings instead of the Cluster
+# equivalents, and start workflow-controller with the --namespaced flag. Use it
+# in clusters with strict access policy.
+singleNamespace: false
+
+workflow:
+  serviceAccount:
+    # -- Specifies whether a service account should be created
+    create: false
+    # -- Labels applied to created service account
+    labels: {}
+    # -- Annotations applied to created service account
+    annotations: {}
+    # -- Service account which is used to run workflows
+    name: "argo-workflow"
+    # -- Secrets with credentials to pull images from a private registry. Same format as `.Values.images.pullSecrets`
+    pullSecrets: []
+  rbac:
+    # -- Adds Role and RoleBinding for the above specified service account to be able to run workflows.
+    # A Role and Rolebinding pair is also created for each namespace in controller.workflowNamespaces (see below)
+    create: true
+    # -- Allows permissions for the Argo Agent. Only required if using http/plugin templates
+    agentPermissions: false
+    # -- Allows permissions for the Argo Artifact GC pod. Only required if using artifact gc
+    artifactGC: false
+    # -- Extra service accounts to be added to the RoleBinding
+    serviceAccounts: []
+      # - name: my-service-account
+      #   namespace: my-namespace
+    # -- Additional rules for the service account that runs the workflows.
+    rules: []
+
+controller:
+  rbac:
+    # -- Adds Role and RoleBinding for the controller.
+    create: true
+    # -- Allows controller to get, list, and watch certain k8s secrets
+    secretWhitelist: []
+    # -- Allows controller to get, list and watch all k8s secrets. Can only be used if secretWhitelist is empty.
+    accessAllSecrets: false
+    # -- Allows controller to create and update ConfigMaps. Enables memoization feature
+    writeConfigMaps: false
+
+  configMap:
+    # -- Create a ConfigMap for the controller
+    create: true
+    # -- ConfigMap name
+    name: ""
+    # -- ConfigMap annotations
+    annotations: {}
+
+  # -- enable Workflow Archive to store the status of workflows. Postgres and MySQL (>= 5.7.8) are available.
+  ## Ref: https://argo-workflows.readthedocs.io/en/stable/workflow-archive/
+  persistence: {}
+  # connectionPool:
+  #   maxIdleConns: 100
+  #   maxOpenConns: 0
+  # # save the entire workflow into etcd and DB
+  # nodeStatusOffLoad: false
+  # # enable archiving of old workflows
+  # archive: false
+  # postgresql:
+  #   host: localhost
+  #   port: 5432
+  #   database: postgres
+  #   tableName: argo_workflows
+  #   # the database secrets must be in the same namespace of the controller
+  #   userNameSecret:
+  #     name: argo-postgres-config
+  #     key: username
+  #   passwordSecret:
+  #     name: argo-postgres-config
+  #     key: password
+  #   ssl: true
+  #   # sslMode must be one of: disable, require, verify-ca, verify-full
+  #   # you can find more information about those ssl options here: https://godoc.org/github.com/lib/pq
+  #   sslMode: require
+  # mysql:
+  #   host: localhost
+  #   port: 3306
+  #   database: argo
+  #   tableName: argo_workflows
+  #   userNameSecret:
+  #     name: argo-mysql-config
+  #     key: username
+  #   passwordSecret:
+  #     name: argo-mysql-config
+  #     key: password
+
+  # -- Default values that will apply to all Workflows from this controller, unless overridden on the Workflow-level.
+  # Only valid for 2.7+
+  ## See more: https://argo-workflows.readthedocs.io/en/stable/default-workflow-specs/
+  workflowDefaults: {}
+  #   spec:
+  #     ttlStrategy:
+  #       secondsAfterCompletion: 86400
+  #     # Ref: https://argo-workflows.readthedocs.io/en/stable/artifact-repository-ref/
+  #     artifactRepositoryRef:
+  #       configMap: my-artifact-repository # default is "artifact-repositories"
+  #       key: v2-s3-artifact-repository # default can be set by the `workflows.argoproj.io/default-artifact-repository` annotation in config map.
+
+  serviceAccount:
+    # -- Create a service account for the controller
+    create: true
+    # -- Service account name
+    name: ""
+    # -- Labels applied to created service account
+    labels: {}
+    # -- Annotations applied to created service account
+    annotations: {}
+
+  # -- Workflow controller name string
+  name: workflow-controller
+
+  # -- Specify all namespaces where this workflow controller instance will manage
+  # workflows. This controls where the service account and RBAC resources will
+  # be created. Only valid when singleNamespace is false.
+  workflowNamespaces:
+    - default
+
+  logging:
+    # -- Set the logging level (one of: `debug`, `info`, `warn`, `error`)
+    level: info
+    # -- Set the glog logging level
+    globallevel: "0"
+    # -- Set the logging format (one of: `text`, `json`)
+    format: "text"
+
+server:
+  # -- Deploy the Argo Server
+  enabled: true
+  # -- Value for base href in index.html. Used if the server is running behind reverse proxy under subpath different from /.
+  ## only updates base url of resources on client side,
+  ## it's expected that a proxy server rewrites the request URL and gets rid of this prefix
+  ## https://github.com/argoproj/argo-workflows/issues/716#issuecomment-433213190
+  baseHref: /
+  image:
+    # -- Registry to use for the server
+    registry: quay.io
+    # -- Repository to use for the server
+    repository: argoproj/argocli
+    # -- Image tag for the Argo Workflows server. Defaults to `.Values.images.tag`.
+    tag: ""
+  rbac:
+    # -- Adds Role and RoleBinding for the server.
+    create: true
+  # -- Servers container-level security context
+  serviceAccount:
+    # -- Create a service account for the server
+    create: true
+    # -- Service account name
+    name: ""
+    # -- Labels applied to created service account
+    labels: {}
+    # -- Annotations applied to created service account
+    annotations: {}
+
+  # -- A list of supported authentication modes. Available values are `server`, `client`, or `sso`. If you provide sso, please configure `.Values.server.sso` as well.
+  ## Ref: https://argo-workflows.readthedocs.io/en/stable/argo-server-auth-mode/
+  authModes:
+    - sso
+
+  ## Ingress configuration.
+  # ref: https://kubernetes.io/docs/concepts/services-networking/ingress/
+  ingress:
+    # -- Enable an ingress resource
+    enabled: false
+
+  # Gateway API HTTPRoute configuration
+  # NOTE: Gateway API support is in EXPERIMENTAL status
+  # Support depends on your Gateway controller implementation
+  # Some controllers may require additional configuration (e.g., BackendTLSPolicy for HTTPS backends)
+  # Refer to https://gateway-api.sigs.k8s.io/implementations/ for controller-specific details
+  httproute:
+    # -- Enable HTTPRoute resource for Argo Workflows server (Gateway API)
+    enabled: true
+    # -- Additional HTTPRoute labels
+    labels: {}
+    # -- Additional HTTPRoute annotations
+    annotations: {}
+    # -- Gateway API parentRefs for the HTTPRoute
+    ## Must reference an existing Gateway
+    # @default -- `[]` (See [values.yaml])
+    parentRefs:
+      - group: gateway.networking.k8s.io
+        kind: Gateway
+        name: internal
+        namespace: kube-system
+        sectionName: https
+    # -- List of hostnames for the HTTPRoute
+    # @default -- `[]` (See [values.yaml])
+    hostnames:
+      - "workflows.peterg.nl"
+      # @default -- `[]` (See [values.yaml])
+    rules:
+      - matches:
+          - path:
+              type: PathPrefix
+              value: /
+        # filters: []
+        #   - type: RequestHeaderModifier
+        #     requestHeaderModifier:
+        #       add:
+        #         - name: X-Custom-Header
+        #           value: custom-value
+
+  # Gateway API BackendTLSPolicy configuration
+  # NOTE: BackendTLSPolicy support is in EXPERIMENTAL status
+  # Required for HTTPS backends when using Gateway API
+  # Not all Gateway controllers support this resource (e.g., Cilium does not support it yet)
+  backendTLSPolicy:
+    # -- Enable BackendTLSPolicy resource for Argo Workflows server (Gateway API)
+    enabled: false
+    # -- Additional BackendTLSPolicy labels
+    labels: {}
+    # -- Additional BackendTLSPolicy annotations
+    annotations: {}
+    # -- Target references for the BackendTLSPolicy
+    # @default -- `[]` (See [values.yaml])
+    targetRefs: []
+      # - group: ""
+      #   kind: Service
+      #   name: argo-workflows-server
+      #   sectionName: https
+    # -- TLS validation configuration
+    # @default -- `{}` (See [values.yaml])
+    validation: {}
+      # hostname: argo-workflows-server.argo.svc.cluster.local
+      # caCertificateRefs:
+      #   - name: example-ca-cert
+      #     group: ""
+      #     kind: ConfigMap
+      # wellKnownCACertificates: System
+
+  clusterWorkflowTemplates:
+    # -- Create a ClusterRole and CRB for the server to access ClusterWorkflowTemplates.
+    enabled: true
+    # -- Give the server permissions to edit ClusterWorkflowTemplates.
+    enableEditing: true
+
+  # SSO configuration when SSO is specified as a server auth mode.
+  sso:
+    enabled: true
+    issuer: https://auth.peterg.nl/application/o/argo-workflows/
+    clientId:
+      name: argo-workflows-sso
+      key: client-id
+    clientSecret:
+      name: argo-workflows-sso
+      key: client-secret
+    redirectUrl: https://workflows.peterg.nl/oauth2/callback
+    scopes:
+      - groups
+    rbac:
+      enabled: true
+
+# -- Array of extra K8s manifests to deploy
+extraObjects:
+  - apiVersion: v1
+    kind: ServiceAccount
+    metadata:
+      name: admin-user
+      namespace: argo-workflows
+      annotations:
+        workflows.argoproj.io/rbac-rule: "'ArgoCD Admins' in groups"
+        workflows.argoproj.io/rbac-rule-precedence: "1"
+  - apiVersion: v1
+    kind: ServiceAccount
+    metadata:
+      name: read-only
+      namespace: argo-workflows
+      annotations:
+        workflows.argoproj.io/rbac-rule: "true"
+        workflows.argoproj.io/rbac-rule-precedence: "0"
+  - apiVersion: rbac.authorization.k8s.io/v1
+    kind: ClusterRoleBinding
+    metadata:
+      name: argo-workflows-admin-user
+    subjects:
+      - kind: ServiceAccount
+        name: admin-user
+        namespace: argo-workflows
+    roleRef:
+      kind: ClusterRole
+      name: argo-workflows-admin
+      apiGroup: rbac.authorization.k8s.io
+  - apiVersion: rbac.authorization.k8s.io/v1
+    kind: ClusterRoleBinding
+    metadata:
+      name: argo-workflows-read-only
+    subjects:
+      - kind: ServiceAccount
+        name: read-only
+        namespace: argo-workflows
+    roleRef:
+      kind: ClusterRole
+      name: argo-workflows-view
+      apiGroup: rbac.authorization.k8s.io

k8s-peterg/argocd/applications-peterg.yaml

@@ -78,3 +78,24 @@ spec:
       selfHeal: true
     syncOptions:
       - ServerSideApply=true
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: argo-workflows
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://code.peterg.nl/wheatley/kubernetes.git
+    path: k8s-peterg/argo-workflows
+    targetRevision: HEAD
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: argo-workflows
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - ServerSideApply=true

k8s-peterg/argocd/oidc.yaml

@@ -27,3 +27,28 @@ spec:
       remoteRef:
         key: secrets/managed/argocd/authentik-oidc-credentials
         property: clientSecret
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: argo-workflows-sso
+  namespace: argocd
+spec:
+  secretStoreRef:
+    name: vault-wheatley
+    kind: ClusterSecretStore
+  target:
+    name: argo-workflows-sso
+    template:
+      metadata:
+        labels:
+          app.kubernetes.io/part-of: argo-workflows
+  data:
+    - secretKey: client-id
+      remoteRef:
+        key: secrets/managed/argo-workflows/dex-sso
+        property: client-id
+    - secretKey: client-secret
+      remoteRef:
+        key: secrets/managed/argo-workflows/dex-sso
+        property: client-secret

k8s-peterg/external-secrets-operator/kustomization.yaml

@@ -12,4 +12,4 @@ helmCharts:
     repo: https://charts.external-secrets.io
     namespace: external-secrets
     releaseName: external-secrets
-    version: 2.1.0
+    version: 2.3.0

k8s-peterg/vault-wheatley-approle.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+data:
+  approle_id: MDE5YTdjOWQtMTYxOC0yZjg0LWE2NzUtOWQ5NmVkZWFiNzEyCg==
+  approle_secret: ZDZkOWU0MmUtZmVhNi05MGIzLWNlODktYzJlY2E2YWIxMjc3Cg==
+kind: Secret
+metadata:
+  name: vault-wheatley-approle
+  namespace: external-secrets
+type: Opaque

k8s-wheatley/cloudnative-pg/kustomization.yaml

@@ -11,5 +11,5 @@ helmCharts:
     repo: https://cloudnative-pg.github.io/charts
     namespace: cnpg-system
     releaseName: cloudnative-pg
-    version: 0.27.1
+    version: 0.28.0
     valuesFile: values.yaml

k8s-wheatley/external-secrets-operator/kustomization.yaml

@@ -12,4 +12,4 @@ helmCharts:
     repo: https://charts.external-secrets.io
     namespace: external-secrets
     releaseName: external-secrets
-    version: 2.1.0
+    version: 2.3.0

k8s-wheatley/plex/kustomization.yaml

@@ -14,4 +14,4 @@ resources:
 
 images:
 - name: plexinc/pms-docker
-  newTag: 1.43.0.10492-121068a07@sha256:1131c4cd21fa22f8196f749f1dbb69af306776c3c83c7f5b061e51dc49bcff7f
+  newTag: 1.43.1.10611-1e34174b1@sha256:8b5bcdf7b506fe051aa1a0a0d464efdb3ad8c0fb1f8a4dfb27a8c489b609920c

k8s-wheatley/prowlarr/kustomization.yaml

@@ -16,4 +16,4 @@ images:
   - name: flaresolverr/flaresolverr
     newTag: v3.4.6@sha256:7962759d99d7e125e108e0f5e7f3cdbcd36161776d058d1d9b7153b92ef1af9e
   - name: linuxserver/prowlarr
-    newTag: 2.3.0@sha256:9ef5d8bf832edcacb6082f9262cb36087854e78eb7b1c3e1d4375056055b2d82
+    newTag: 2.3.5@sha256:35f48abb3e976fcf077fae756866c582e4a90f8b24810ae4067b3558f7cdbbdf

k8s-wheatley/qbittorrent/deployments.yaml

@@ -36,6 +36,15 @@ spec:
             - name: gluetun-tmp
               mountPath: /tmp/gluetun
           restartPolicy: Always
+          lifecycle:
+            postStart:
+              exec:
+                command:
+                  [
+                    "/bin/sh",
+                    "-c",
+                    "(ip rule del table 51820; ip -6 rule del table 51820) || true",
+                  ]
           readinessProbe:
             exec:
               command:

k8s-wheatley/radarr/kustomization.yaml

@@ -14,4 +14,4 @@ resources:
 
 images:
   - name: linuxserver/radarr
-    newTag: 6.0.4@sha256:ca43905eaf2dd11425efdcfe184892e43806b1ae0a830440c825cecbc2629cfb
+    newTag: 6.1.1@sha256:6f1dda18354ea7f28cead8f6d099fc8222498c3ae165f567d504ed04d70980d7

k8s-wheatley/sonarr/kustomization.yaml

@@ -14,4 +14,4 @@ resources:
 
 images:
   - name: linuxserver/sonarr
-    newTag: 4.0.16@sha256:21c1c3d52248589bb064f5adafec18cad45812d7a01d317472955eef051e619b
+    newTag: 4.0.17@sha256:6854df9de20b8c82e1982604f39473d64dbb4c4584b1013f18f9ade1ee92af13

kustomize-bases/alloy/kustomization.yaml

@@ -9,14 +9,14 @@ resources:
 helmCharts:
   - name: alloy
     repo: https://grafana.github.io/helm-charts
-    version: "1.6.2"
+    version: "1.7.0"
     releaseName: alloy
     valuesFile: values.yaml
   - name: kube-state-metrics
     repo: https://prometheus-community.github.io/helm-charts
-    version: "7.2.1"
+    version: "7.2.2"
     releaseName: kube-state-metrics
   - name: prometheus-operator-crds
     repo: https://prometheus-community.github.io/helm-charts
-    version: "27.0.0"
+    version: "28.0.1"
     releaseName: prometheus-operator-crds

kustomize-bases/alloy/values.yaml

@@ -127,7 +127,7 @@ configReloader:
     # -- Repository to get config reloader image from.
     repository: prometheus-operator/prometheus-config-reloader
     # -- Tag of image to use for config reloading.
-    tag: v0.89.0@sha256:cb4ac6a56555bef0e202bec11e367dfe07ffb241cf4d30566b12b864692607a8
+    tag: v0.90.1@sha256:693faa0b87243cddca2cffb13586e4e2778b0cdf319cb2e601ba7af3fd19ef7d
     # -- SHA256 digest of image to use for config reloading (either in format "sha256:XYZ" or "XYZ"). When set, will override `configReloader.image.tag`
     digest: ""
   # -- Override the args passed to the container.

kustomize-bases/cilium/kustomization.yaml

@@ -13,5 +13,5 @@ helmCharts:
     repo: https://helm.cilium.io
     namespace: kube-system
     releaseName: cilium
-    version: 1.19.2
+    version: 1.19.3
     valuesFile: values.yaml