chore(deps): update docker.io/curlimages/curl docker tag to v8.13.0

2025-05-23 15:00:17 +00:00
12 changed files with 326 additions and 103 deletions
--- a/attic/secret.yaml
+++ b/attic/secret.yaml
@@ -1,4 +1,4 @@
-apiVersion: external-secrets.io/v1
+apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: attic-secret
--- a/authentik/values.yaml
+++ b/authentik/values.yaml
@@ -124,7 +124,7 @@ authentik:
      data:
        tls.crt: ""
        tls.key: ""
-    - apiVersion: external-secrets.io/v1
+    - apiVersion: external-secrets.io/v1beta1
      kind: ExternalSecret
      metadata:
        name: authentik-credentials
--- a/gitea-runner/secret.yaml
+++ b/gitea-runner/secret.yaml
@@ -1,4 +1,4 @@
-apiVersion: external-secrets.io/v1
+apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: gitea-runner-token
--- a/grafana/Chart.yaml
+++ b/grafana/Chart.yaml
@@ -24,5 +24,5 @@ appVersion: "1.0"
 dependencies:
 - name: grafana
-  version: 9.2.1
+  version: 9.0.0
  repository: https://grafana.github.io/helm-charts
--- a/grafana/values.yaml
+++ b/grafana/values.yaml
@@ -3,8 +3,17 @@ grafana:
    existingSecret: grafana-admin
    passwordKey: passwordKey
    userKey: userKey
  affinity: {}
  alerting: {}
  assertNoLeakedSecrets: true
  automountServiceAccountToken: true
  autoscaling:
    behavior: {}
    enabled: false
    maxReplicas: 5
    minReplicas: 1
    targetCPU: "60"
    targetMemory: ""
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
@@ -13,21 +22,52 @@ grafana:
    seccompProfile:
      type: RuntimeDefault
  createConfigmap: true
  dashboardProviders: {}
  dashboards: {}
  dashboardsConfigMaps: {}
  datasources: {}
  defaultCurlOptions: -skf
  deploymentStrategy:
-    type: Recreate
+    type: RollingUpdate
  dnsConfig: {}
  dnsPolicy: null
  downloadDashboards:
    env: {}
    envFromSecret: ""
    envValueFrom: {}
    resources: {}
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
        - ALL
      seccompProfile:
        type: RuntimeDefault
  downloadDashboardsImage:
    pullPolicy: IfNotPresent
    registry: docker.io
    repository: curlimages/curl
    sha: ""
    tag: 8.13.0
  enableKubeBackwardCompatibility: false
  enableServiceLinks: true
  env: {}
  envFromConfigMaps:
  - name: grafana-env
  envFromSecret: ""
  envFromSecrets:
  - name: grafana-secretenv
  envRenderSecret: {}
  envValueFrom: {}
  extraConfigmapMounts: []
  extraContainerVolumes: []
  extraContainers: ""
  extraEmptyDirMounts: []
  extraExposePorts: []
  extraInitContainers: []
  extraLabels: {}
  extraObjects:
-  - apiVersion: external-secrets.io/v1
+  - apiVersion: external-secrets.io/v1beta1
    kind: ExternalSecret
    metadata:
      name: grafana-admin
@@ -55,7 +95,7 @@ grafana:
        creationPolicy: Owner
        deletionPolicy: Retain
        name: grafana-admin
-  - apiVersion: external-secrets.io/v1
+  - apiVersion: external-secrets.io/v1beta1
    kind: ExternalSecret
    metadata:
      name: grafana-secretenv
@@ -108,6 +148,13 @@ grafana:
    data:
      tls.crt: ""
      tls.key: ""
  extraSecretMounts: []
  extraVolumeMounts: []
  extraVolumes: []
  global:
    imagePullSecrets: []
    imageRegistry: null
  gossipPortName: gossip
  grafana.ini:
    analytics:
      check_for_updates: true
@@ -123,14 +170,93 @@ grafana:
    server:
      domain: '{{ if (and .Values.ingress.enabled .Values.ingress.hosts) }}{{ tpl (.Values.ingress.hosts
        | first) . }}{{ else }}''''{{ end }}'
  headlessService: false
  hostAliases: []
  image:
    pullPolicy: IfNotPresent
    pullSecrets: []
    registry: docker.io
    repository: grafana/grafana
-  ingress:
+    sha: ""
    tag: ""
  imageRenderer:
    affinity: {}
    automountServiceAccountToken: false
    autoscaling:
      behavior: {}
      enabled: false
      maxReplicas: 5
      minReplicas: 1
      targetCPU: "60"
      targetMemory: ""
    containerSecurityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
        - ALL
      readOnlyRootFilesystem: true
      seccompProfile:
        type: RuntimeDefault
    deploymentStrategy: {}
    enabled: false
    env:
      HTTP_HOST: 0.0.0.0
      XDG_CACHE_HOME: /tmp/.chromium
      XDG_CONFIG_HOME: /tmp/.chromium
    envValueFrom: {}
    extraConfigmapMounts: []
    extraSecretMounts: []
    extraVolumeMounts: []
    extraVolumes: []
    grafanaProtocol: http
    grafanaSubPath: ""
    hostAliases: []
    image:
      pullPolicy: Always
      pullSecrets: []
      registry: docker.io
      repository: grafana/grafana-image-renderer
      sha: ""
      tag: latest
    networkPolicy:
      extraIngressSelectors: []
      limitEgress: false
      limitIngress: true
    nodeSelector: {}
    podAnnotations: {}
    podPortName: http
    priorityClassName: ""
    renderingCallbackURL: ""
    replicas: 1
    resources: {}
    revisionHistoryLimit: 10
    securityContext: {}
    serverURL: ""
    service:
      appProtocol: ""
      enabled: true
      port: 8081
      portName: http
      targetPort: 8081
    serviceAccountName: ""
    serviceMonitor:
      enabled: false
      interval: 1m
      labels: {}
      path: /metrics
      relabelings: []
      scheme: http
      scrapeTimeout: 30s
      targetLabels: []
      tlsConfig: {}
    tolerations: []
  ingress:
    annotations: {}
    enabled: true
    extraPaths: []
    hosts:
    - grafana.infra.dubyatp.xyz
    labels: {}
    path: /
    pathType: Prefix
    tls:
@@ -143,7 +269,9 @@ grafana:
      pullPolicy: IfNotPresent
      registry: docker.io
      repository: library/busybox
      sha: ""
      tag: 1.31.1
    resources: {}
    securityContext:
      capabilities:
        add:
@@ -155,6 +283,11 @@ grafana:
      runAsUser: 0
      seccompProfile:
        type: RuntimeDefault
  ldap:
    config: ""
    enabled: false
    existingSecret: ""
  lifecycleHooks: {}
  livenessProbe:
    failureThreshold: 10
    httpGet:
@@ -162,45 +295,227 @@ grafana:
      port: 3000
    initialDelaySeconds: 60
    timeoutSeconds: 30
  namespaceOverride: ""
  networkPolicy:
    allowExternal: true
    egress:
      blockDNSResolution: false
      enabled: false
      ports: []
      to: []
    enabled: false
    explicitNamespacesSelector: {}
    ingress: true
  nodeSelector: {}
  notifiers: {}
  persistence:
    accessModes:
    - ReadWriteOnce
    disableWarning: false
    enabled: true
    extraPvcLabels: {}
    finalizers:
    - kubernetes.io/pvc-protection
    inMemory:
      enabled: false
    lookupVolumeName: true
    size: 10Gi
    type: pvc
    volumeName: ""
  plugins: []
  podDisruptionBudget: {}
  podPortName: grafana
  podAnnotations:
    backup.velero.io/backup-volumes: "storage"
  rbac:
    create: true
    extraClusterRoleRules: []
    extraRoleRules: []
    namespaced: false
    pspEnabled: false
    pspUseAppArmor: false
  readinessProbe:
    httpGet:
      path: /api/health
      port: 3000
  replicas: 1
  resources: {}
  revisionHistoryLimit: 10
  route:
    main:
      additionalRules: []
      annotations: {}
      apiVersion: gateway.networking.k8s.io/v1
      enabled: false
      filters: []
      hostnames: []
      kind: HTTPRoute
      labels: {}
      matches:
      - path:
          type: PathPrefix
          value: /
      parentRefs: []
  securityContext:
    fsGroup: 472
    runAsGroup: 472
    runAsNonRoot: true
    runAsUser: 472
  service:
    annotations: {}
    appProtocol: ""
    enabled: true
    ipFamilies: []
    ipFamilyPolicy: ""
    labels: {}
    loadBalancerClass: ""
    loadBalancerIP: ""
    loadBalancerSourceRanges: []
    port: 80
    portName: service
    sessionAffinity: ""
    targetPort: 3000
    type: ClusterIP
  serviceAccount:
    automountServiceAccountToken: false
    create: true
    labels: {}
    name: null
    nameTest: null
  serviceMonitor:
    basicAuth: {}
    enabled: false
    interval: 30s
    labels: {}
    metricRelabelings: []
    path: /metrics
    relabelings: []
    scheme: http
    scrapeTimeout: 30s
    targetLabels: []
    tlsConfig: {}
  shareProcessNamespace: false
  sidecar:
    alerts:
      enabled: false
      env: {}
      extraMounts: []
      initAlerts: false
      label: grafana_alert
      labelValue: ""
      reloadURL: http://localhost:3000/api/admin/provisioning/alerting/reload
      resource: both
      resourceName: ""
      script: null
      searchNamespace: null
      sizeLimit: {}
      skipReload: false
      watchMethod: WATCH
    dashboards:
      SCProvider: true
      defaultFolderName: null
      enabled: false
      env: {}
      envValueFrom: {}
      extraMounts: []
      folder: /tmp/dashboards
      folderAnnotation: null
      label: grafana_dashboard
      labelValue: ""
      provider:
        allowUiUpdates: false
        disableDelete: false
        folder: ""
        folderUid: ""
        foldersFromFilesStructure: false
        name: sidecarProvider
        orgid: 1
        type: file
      reloadURL: http://localhost:3000/api/admin/provisioning/dashboards/reload
      resource: both
      resourceName: ""
      script: null
      searchNamespace: null
      sizeLimit: {}
      skipReload: false
      watchMethod: WATCH
    datasources:
      enabled: false
      env: {}
      envValueFrom: {}
      extraMounts: []
      initDatasources: false
      label: grafana_datasource
      labelValue: ""
      reloadURL: http://localhost:3000/api/admin/provisioning/datasources/reload
      resource: both
      resourceName: ""
      script: null
      searchNamespace: null
      sizeLimit: {}
      skipReload: false
      watchMethod: WATCH
    enableUniqueFilenames: false
    image:
      registry: quay.io
      repository: kiwigrid/k8s-sidecar
      sha: ""
      tag: 1.30.3
    imagePullPolicy: IfNotPresent
    livenessProbe: {}
    notifiers:
      enabled: false
      env: {}
      extraMounts: []
      initNotifiers: false
      label: grafana_notifier
      labelValue: ""
      reloadURL: http://localhost:3000/api/admin/provisioning/notifications/reload
      resource: both
      resourceName: ""
      script: null
      searchNamespace: null
      sizeLimit: {}
      skipReload: false
      watchMethod: WATCH
    plugins:
      enabled: false
      env: {}
      extraMounts: []
      initPlugins: false
      label: grafana_plugin
      labelValue: ""
      reloadURL: http://localhost:3000/api/admin/provisioning/plugins/reload
      resource: both
      resourceName: ""
      script: null
      searchNamespace: null
      sizeLimit: {}
      skipReload: false
      watchMethod: WATCH
    readinessProbe: {}
    resources: {}
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
        - ALL
      seccompProfile:
        type: RuntimeDefault
  smtp:
    existingSecret: ""
    passwordKey: password
    userKey: user
  testFramework:
    containerSecurityContext: {}
    enabled: true
    image:
      registry: docker.io
      repository: bats/bats
      tag: 1.12.0
    imagePullPolicy: IfNotPresent
    resources: {}
    securityContext: {}
  tolerations: []
  topologySpreadConstraints: []
  useStatefulSet: false
--- a/immich/immich-postgres-credentials.yaml
+++ b/immich/immich-postgres-credentials.yaml
@@ -1,4 +1,4 @@
-apiVersion: external-secrets.io/v1
+apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: postgres-credentials
--- a/nextcloud/secret.yaml
+++ b/nextcloud/secret.yaml
@@ -1,4 +1,4 @@
-apiVersion: external-secrets.io/v1
+apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: nextcloud-secret
--- a/renovate/renovate-config.yaml
+++ b/renovate/renovate-config.yaml
@@ -1,9 +0,0 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: renovate-config
 data:
  config.json: |-
    {
      "repositories": ["infrastructure/core-apps","infrastructure/db-operators","infrastructure/weyma-talos"]
    }
--- a/renovate/renovate-cronjob.yaml
+++ b/renovate/renovate-cronjob.yaml
@@ -1,49 +0,0 @@
 apiVersion: batch/v1
 kind: CronJob
 metadata:
  name: renovate-bot
 spec:
  schedule: '@hourly'
  concurrencyPolicy: Forbid
  jobTemplate:
    spec:
      template:
        spec:
          containers:
            - image: renovate/renovate:40.14.6
              name: renovate-bot
              env: # For illustration purposes, please use secrets.
                - name: RENOVATE_PLATFORM
                  value: 'gitea'
                - name: RENOVATE_ENDPOINT
                  value: 'https://git.dubyatp.xyz/api/v1'
                - name: RENOVATE_TOKEN
                  valueFrom:
                    secretKeyRef:
                      key: gitea-pat
                      name: renovate-gitea-token
                - name: RENOVATE_GITHUB_COM_TOKEN
                  valueFrom:
                    secretKeyRef:
                      key: github-com-pat
                      name: renovate-github-com-token
                - name: RENOVATE_AUTODISCOVER
                  value: 'false'
                - name: RENOVATE_BASE_DIR
                  value: '/tmp/renovate/'
                - name: RENOVATE_CONFIG_FILE
                  value: '/opt/renovate/config.json'
                - name: LOG_LEVEL
                  value: debug
              volumeMounts:
                - name: config-volume
                  mountPath: /opt/renovate/
                - name: work-volume
                  mountPath: /tmp/renovate/
          restartPolicy: Never
          volumes:
            - name: config-volume
              configMap:
                name: renovate-config
            - name: work-volume
              emptyDir: {}
--- a/renovate/renovate-gitea-token.yaml
+++ b/renovate/renovate-gitea-token.yaml
@@ -1,17 +0,0 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: renovate-gitea-token
 spec:
  refreshInterval: 1h
  secretStoreRef:
    name: weyma-vault
    kind: ClusterSecretStore
  target:
    name: renovate-gitea-token
    creationPolicy: Owner
  data:
    - secretKey: gitea-pat
      remoteRef:
        key: renovate
        property: gitea-pat
--- a/renovate/renovate-github-token.yaml
+++ b/renovate/renovate-github-token.yaml
@@ -1,17 +0,0 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: renovate-github-com-token
 spec:
  refreshInterval: 1h
  secretStoreRef:
    name: weyma-vault
    kind: ClusterSecretStore
  target:
    name: renovate-github-com-token
    creationPolicy: Owner
  data:
    - secretKey: github-com-pat
      remoteRef:
        key: renovate
        property: github-com-pat
--- a/vaultwarden/secret.yaml
+++ b/vaultwarden/secret.yaml
@@ -1,4 +1,4 @@
-apiVersion: external-secrets.io/v1
+apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: vaultwarden-secrets