chore(deps): update docker.io/curlimages/curl docker tag to v8.13.0

2025-05-23 15:00:17 +00:00
12 changed files with 326 additions and 103 deletions
--- a/attic/secret.yaml
+++ b/attic/secret.yaml
@@ -1,4 +1,4 @@
-apiVersion: external-secrets.io/v1
+apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: attic-secret
--- a/authentik/values.yaml
+++ b/authentik/values.yaml
@@ -124,7 +124,7 @@ authentik:
      data:
        tls.crt: ""
        tls.key: ""
-    - apiVersion: external-secrets.io/v1
+    - apiVersion: external-secrets.io/v1beta1
      kind: ExternalSecret
      metadata:
        name: authentik-credentials
--- a/gitea-runner/secret.yaml
+++ b/gitea-runner/secret.yaml
@@ -1,4 +1,4 @@
-apiVersion: external-secrets.io/v1
+apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: gitea-runner-token
--- a/grafana/Chart.yaml
+++ b/grafana/Chart.yaml
@@ -24,5 +24,5 @@ appVersion: "1.0"

 dependencies:
 - name: grafana
-  version: 9.2.1
+  version: 9.0.0
  repository: https://grafana.github.io/helm-charts
--- a/grafana/values.yaml
+++ b/grafana/values.yaml
@@ -3,8 +3,17 @@ grafana:
    existingSecret: grafana-admin
    passwordKey: passwordKey
    userKey: userKey
+  affinity: {}
+  alerting: {}
  assertNoLeakedSecrets: true
  automountServiceAccountToken: true
+  autoscaling:
+    behavior: {}
+    enabled: false
+    maxReplicas: 5
+    minReplicas: 1
+    targetCPU: "60"
+    targetMemory: ""
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
@@ -13,21 +22,52 @@ grafana:
    seccompProfile:
      type: RuntimeDefault
  createConfigmap: true
+  dashboardProviders: {}
+  dashboards: {}
+  dashboardsConfigMaps: {}
+  datasources: {}
  defaultCurlOptions: -skf
  deploymentStrategy:
-    type: Recreate
+    type: RollingUpdate
+  dnsConfig: {}
+  dnsPolicy: null
+  downloadDashboards:
+    env: {}
+    envFromSecret: ""
+    envValueFrom: {}
+    resources: {}
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+      seccompProfile:
+        type: RuntimeDefault
  downloadDashboardsImage:
    pullPolicy: IfNotPresent
    registry: docker.io
    repository: curlimages/curl
+    sha: ""
    tag: 8.13.0
+  enableKubeBackwardCompatibility: false
  enableServiceLinks: true
+  env: {}
  envFromConfigMaps:
  - name: grafana-env
+  envFromSecret: ""
  envFromSecrets:
  - name: grafana-secretenv
+  envRenderSecret: {}
+  envValueFrom: {}
+  extraConfigmapMounts: []
+  extraContainerVolumes: []
+  extraContainers: ""
+  extraEmptyDirMounts: []
+  extraExposePorts: []
+  extraInitContainers: []
+  extraLabels: {}
  extraObjects:
-  - apiVersion: external-secrets.io/v1
+  - apiVersion: external-secrets.io/v1beta1
    kind: ExternalSecret
    metadata:
      name: grafana-admin
@@ -55,7 +95,7 @@ grafana:
        creationPolicy: Owner
        deletionPolicy: Retain
        name: grafana-admin
-  - apiVersion: external-secrets.io/v1
+  - apiVersion: external-secrets.io/v1beta1
    kind: ExternalSecret
    metadata:
      name: grafana-secretenv
@@ -108,6 +148,13 @@ grafana:
    data:
      tls.crt: ""
      tls.key: ""
+  extraSecretMounts: []
+  extraVolumeMounts: []
+  extraVolumes: []
+  global:
+    imagePullSecrets: []
+    imageRegistry: null
+  gossipPortName: gossip
  grafana.ini:
    analytics:
      check_for_updates: true
@@ -123,14 +170,93 @@ grafana:
    server:
      domain: '{{ if (and .Values.ingress.enabled .Values.ingress.hosts) }}{{ tpl (.Values.ingress.hosts
        | first) . }}{{ else }}''''{{ end }}'
+  headlessService: false
+  hostAliases: []
  image:
    pullPolicy: IfNotPresent
+    pullSecrets: []
    registry: docker.io
    repository: grafana/grafana
+    sha: ""
+    tag: ""
+  imageRenderer:
+    affinity: {}
+    automountServiceAccountToken: false
+    autoscaling:
+      behavior: {}
+      enabled: false
+      maxReplicas: 5
+      minReplicas: 1
+      targetCPU: "60"
+      targetMemory: ""
+    containerSecurityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+      readOnlyRootFilesystem: true
+      seccompProfile:
+        type: RuntimeDefault
+    deploymentStrategy: {}
+    enabled: false
+    env:
+      HTTP_HOST: 0.0.0.0
+      XDG_CACHE_HOME: /tmp/.chromium
+      XDG_CONFIG_HOME: /tmp/.chromium
+    envValueFrom: {}
+    extraConfigmapMounts: []
+    extraSecretMounts: []
+    extraVolumeMounts: []
+    extraVolumes: []
+    grafanaProtocol: http
+    grafanaSubPath: ""
+    hostAliases: []
+    image:
+      pullPolicy: Always
+      pullSecrets: []
+      registry: docker.io
+      repository: grafana/grafana-image-renderer
+      sha: ""
+      tag: latest
+    networkPolicy:
+      extraIngressSelectors: []
+      limitEgress: false
+      limitIngress: true
+    nodeSelector: {}
+    podAnnotations: {}
+    podPortName: http
+    priorityClassName: ""
+    renderingCallbackURL: ""
+    replicas: 1
+    resources: {}
+    revisionHistoryLimit: 10
+    securityContext: {}
+    serverURL: ""
+    service:
+      appProtocol: ""
+      enabled: true
+      port: 8081
+      portName: http
+      targetPort: 8081
+    serviceAccountName: ""
+    serviceMonitor:
+      enabled: false
+      interval: 1m
+      labels: {}
+      path: /metrics
+      relabelings: []
+      scheme: http
+      scrapeTimeout: 30s
+      targetLabels: []
+      tlsConfig: {}
+    tolerations: []
  ingress:
+    annotations: {}
    enabled: true
+    extraPaths: []
    hosts:
    - grafana.infra.dubyatp.xyz
+    labels: {}
    path: /
    pathType: Prefix
    tls:
@@ -143,7 +269,9 @@ grafana:
      pullPolicy: IfNotPresent
      registry: docker.io
      repository: library/busybox
+      sha: ""
      tag: 1.31.1
+    resources: {}
    securityContext:
      capabilities:
        add:
@@ -155,6 +283,11 @@ grafana:
      runAsUser: 0
      seccompProfile:
        type: RuntimeDefault
+  ldap:
+    config: ""
+    enabled: false
+    existingSecret: ""
+  lifecycleHooks: {}
  livenessProbe:
    failureThreshold: 10
    httpGet:
@@ -162,45 +295,227 @@ grafana:
      port: 3000
    initialDelaySeconds: 60
    timeoutSeconds: 30
+  namespaceOverride: ""
+  networkPolicy:
+    allowExternal: true
+    egress:
+      blockDNSResolution: false
+      enabled: false
+      ports: []
+      to: []
+    enabled: false
+    explicitNamespacesSelector: {}
+    ingress: true
+  nodeSelector: {}
+  notifiers: {}
  persistence:
    accessModes:
    - ReadWriteOnce
+    disableWarning: false
    enabled: true
+    extraPvcLabels: {}
    finalizers:
    - kubernetes.io/pvc-protection
+    inMemory:
+      enabled: false
+    lookupVolumeName: true
    size: 10Gi
    type: pvc
+    volumeName: ""
+  plugins: []
+  podDisruptionBudget: {}
  podPortName: grafana
  podAnnotations:
    backup.velero.io/backup-volumes: "storage"
  rbac:
    create: true
+    extraClusterRoleRules: []
+    extraRoleRules: []
    namespaced: false
+    pspEnabled: false
+    pspUseAppArmor: false
  readinessProbe:
    httpGet:
      path: /api/health
      port: 3000
  replicas: 1
+  resources: {}
  revisionHistoryLimit: 10
+  route:
+    main:
+      additionalRules: []
+      annotations: {}
+      apiVersion: gateway.networking.k8s.io/v1
+      enabled: false
+      filters: []
+      hostnames: []
+      kind: HTTPRoute
+      labels: {}
+      matches:
+      - path:
+          type: PathPrefix
+          value: /
+      parentRefs: []
  securityContext:
    fsGroup: 472
    runAsGroup: 472
    runAsNonRoot: true
    runAsUser: 472
  service:
+    annotations: {}
+    appProtocol: ""
    enabled: true
+    ipFamilies: []
+    ipFamilyPolicy: ""
+    labels: {}
+    loadBalancerClass: ""
+    loadBalancerIP: ""
+    loadBalancerSourceRanges: []
    port: 80
    portName: service
+    sessionAffinity: ""
    targetPort: 3000
    type: ClusterIP
  serviceAccount:
    automountServiceAccountToken: false
    create: true
+    labels: {}
+    name: null
+    nameTest: null
+  serviceMonitor:
+    basicAuth: {}
+    enabled: false
+    interval: 30s
+    labels: {}
+    metricRelabelings: []
+    path: /metrics
+    relabelings: []
+    scheme: http
+    scrapeTimeout: 30s
+    targetLabels: []
+    tlsConfig: {}
+  shareProcessNamespace: false
+  sidecar:
+    alerts:
+      enabled: false
+      env: {}
+      extraMounts: []
+      initAlerts: false
+      label: grafana_alert
+      labelValue: ""
+      reloadURL: http://localhost:3000/api/admin/provisioning/alerting/reload
+      resource: both
+      resourceName: ""
+      script: null
+      searchNamespace: null
+      sizeLimit: {}
+      skipReload: false
+      watchMethod: WATCH
+    dashboards:
+      SCProvider: true
+      defaultFolderName: null
+      enabled: false
+      env: {}
+      envValueFrom: {}
+      extraMounts: []
+      folder: /tmp/dashboards
+      folderAnnotation: null
+      label: grafana_dashboard
+      labelValue: ""
+      provider:
+        allowUiUpdates: false
+        disableDelete: false
+        folder: ""
+        folderUid: ""
+        foldersFromFilesStructure: false
+        name: sidecarProvider
+        orgid: 1
+        type: file
+      reloadURL: http://localhost:3000/api/admin/provisioning/dashboards/reload
+      resource: both
+      resourceName: ""
+      script: null
+      searchNamespace: null
+      sizeLimit: {}
+      skipReload: false
+      watchMethod: WATCH
+    datasources:
+      enabled: false
+      env: {}
+      envValueFrom: {}
+      extraMounts: []
+      initDatasources: false
+      label: grafana_datasource
+      labelValue: ""
+      reloadURL: http://localhost:3000/api/admin/provisioning/datasources/reload
+      resource: both
+      resourceName: ""
+      script: null
+      searchNamespace: null
+      sizeLimit: {}
+      skipReload: false
+      watchMethod: WATCH
+    enableUniqueFilenames: false
+    image:
+      registry: quay.io
+      repository: kiwigrid/k8s-sidecar
+      sha: ""
+      tag: 1.30.3
+    imagePullPolicy: IfNotPresent
+    livenessProbe: {}
+    notifiers:
+      enabled: false
+      env: {}
+      extraMounts: []
+      initNotifiers: false
+      label: grafana_notifier
+      labelValue: ""
+      reloadURL: http://localhost:3000/api/admin/provisioning/notifications/reload
+      resource: both
+      resourceName: ""
+      script: null
+      searchNamespace: null
+      sizeLimit: {}
+      skipReload: false
+      watchMethod: WATCH
+    plugins:
+      enabled: false
+      env: {}
+      extraMounts: []
+      initPlugins: false
+      label: grafana_plugin
+      labelValue: ""
+      reloadURL: http://localhost:3000/api/admin/provisioning/plugins/reload
+      resource: both
+      resourceName: ""
+      script: null
+      searchNamespace: null
+      sizeLimit: {}
+      skipReload: false
+      watchMethod: WATCH
+    readinessProbe: {}
+    resources: {}
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+      seccompProfile:
+        type: RuntimeDefault
+  smtp:
+    existingSecret: ""
+    passwordKey: password
+    userKey: user
  testFramework:
+    containerSecurityContext: {}
    enabled: true
    image:
      registry: docker.io
      repository: bats/bats
      tag: 1.12.0
    imagePullPolicy: IfNotPresent
-  useStatefulSet: false
+    resources: {}
+    securityContext: {}
+  tolerations: []
+  topologySpreadConstraints: []
+  useStatefulSet: false
--- a/immich/immich-postgres-credentials.yaml
+++ b/immich/immich-postgres-credentials.yaml
@@ -1,4 +1,4 @@
-apiVersion: external-secrets.io/v1
+apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: postgres-credentials
--- a/nextcloud/secret.yaml
+++ b/nextcloud/secret.yaml
@@ -1,4 +1,4 @@
-apiVersion: external-secrets.io/v1
+apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: nextcloud-secret
--- a/renovate/renovate-config.yaml
+++ b/renovate/renovate-config.yaml
@@ -1,9 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: renovate-config
-data:
-  config.json: |-
-    {
-      "repositories": ["infrastructure/core-apps","infrastructure/db-operators","infrastructure/weyma-talos"]
-    }
--- a/renovate/renovate-cronjob.yaml
+++ b/renovate/renovate-cronjob.yaml
@@ -1,49 +0,0 @@
-apiVersion: batch/v1
-kind: CronJob
-metadata:
-  name: renovate-bot
-spec:
-  schedule: '@hourly'
-  concurrencyPolicy: Forbid
-  jobTemplate:
-    spec:
-      template:
-        spec:
-          containers:
-            - image: renovate/renovate:40.14.6
-              name: renovate-bot
-              env: # For illustration purposes, please use secrets.
-                - name: RENOVATE_PLATFORM
-                  value: 'gitea'
-                - name: RENOVATE_ENDPOINT
-                  value: 'https://git.dubyatp.xyz/api/v1'
-                - name: RENOVATE_TOKEN
-                  valueFrom:
-                    secretKeyRef:
-                      key: gitea-pat
-                      name: renovate-gitea-token
-                - name: RENOVATE_GITHUB_COM_TOKEN
-                  valueFrom:
-                    secretKeyRef:
-                      key: github-com-pat
-                      name: renovate-github-com-token
-                - name: RENOVATE_AUTODISCOVER
-                  value: 'false'
-                - name: RENOVATE_BASE_DIR
-                  value: '/tmp/renovate/'
-                - name: RENOVATE_CONFIG_FILE
-                  value: '/opt/renovate/config.json'
-                - name: LOG_LEVEL
-                  value: debug
-              volumeMounts:
-                - name: config-volume
-                  mountPath: /opt/renovate/
-                - name: work-volume
-                  mountPath: /tmp/renovate/
-          restartPolicy: Never
-          volumes:
-            - name: config-volume
-              configMap:
-                name: renovate-config
-            - name: work-volume
-              emptyDir: {}
--- a/renovate/renovate-gitea-token.yaml
+++ b/renovate/renovate-gitea-token.yaml
@@ -1,17 +0,0 @@
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: renovate-gitea-token
-spec:
-  refreshInterval: 1h
-  secretStoreRef:
-    name: weyma-vault
-    kind: ClusterSecretStore
-  target:
-    name: renovate-gitea-token
-    creationPolicy: Owner
-  data:
-    - secretKey: gitea-pat
-      remoteRef:
-        key: renovate
-        property: gitea-pat
--- a/renovate/renovate-github-token.yaml
+++ b/renovate/renovate-github-token.yaml
@@ -1,17 +0,0 @@
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: renovate-github-com-token
-spec:
-  refreshInterval: 1h
-  secretStoreRef:
-    name: weyma-vault
-    kind: ClusterSecretStore
-  target:
-    name: renovate-github-com-token
-    creationPolicy: Owner
-  data:
-    - secretKey: github-com-pat
-      remoteRef:
-        key: renovate
-        property: github-com-pat
--- a/vaultwarden/secret.yaml
+++ b/vaultwarden/secret.yaml
@@ -1,4 +1,4 @@
-apiVersion: external-secrets.io/v1
+apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: vaultwarden-secrets