

10 Commits

12 changed files with 104 additions and 327 deletions


@@ -1,4 +1,4 @@
apiVersion: external-secrets.io/v1beta1 apiVersion: external-secrets.io/v1
kind: ExternalSecret kind: ExternalSecret
metadata: metadata:
name: attic-secret name: attic-secret


@@ -124,7 +124,7 @@ authentik:
data: data:
tls.crt: "" tls.crt: ""
tls.key: "" tls.key: ""
- apiVersion: external-secrets.io/v1beta1 - apiVersion: external-secrets.io/v1
kind: ExternalSecret kind: ExternalSecret
metadata: metadata:
name: authentik-credentials name: authentik-credentials


@@ -1,4 +1,4 @@
apiVersion: external-secrets.io/v1beta1 apiVersion: external-secrets.io/v1
kind: ExternalSecret kind: ExternalSecret
metadata: metadata:
name: gitea-runner-token name: gitea-runner-token


@@ -24,5 +24,5 @@ appVersion: "1.0"
dependencies: dependencies:
- name: grafana - name: grafana
version: 9.0.0 version: 9.2.1
repository: https://grafana.github.io/helm-charts repository: https://grafana.github.io/helm-charts


@@ -3,17 +3,8 @@ grafana:
existingSecret: grafana-admin existingSecret: grafana-admin
passwordKey: passwordKey passwordKey: passwordKey
userKey: userKey userKey: userKey
affinity: {}
alerting: {}
assertNoLeakedSecrets: true assertNoLeakedSecrets: true
automountServiceAccountToken: true automountServiceAccountToken: true
autoscaling:
behavior: {}
enabled: false
maxReplicas: 5
minReplicas: 1
targetCPU: "60"
targetMemory: ""
containerSecurityContext: containerSecurityContext:
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
capabilities: capabilities:
@@ -22,52 +13,21 @@ grafana:
seccompProfile: seccompProfile:
type: RuntimeDefault type: RuntimeDefault
createConfigmap: true createConfigmap: true
dashboardProviders: {}
dashboards: {}
dashboardsConfigMaps: {}
datasources: {}
defaultCurlOptions: -skf defaultCurlOptions: -skf
deploymentStrategy: deploymentStrategy:
type: RollingUpdate type: Recreate
dnsConfig: {}
dnsPolicy: null
downloadDashboards:
env: {}
envFromSecret: ""
envValueFrom: {}
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
downloadDashboardsImage: downloadDashboardsImage:
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
registry: docker.io registry: docker.io
repository: curlimages/curl repository: curlimages/curl
sha: ""
tag: 8.9.1 tag: 8.9.1
enableKubeBackwardCompatibility: false
enableServiceLinks: true enableServiceLinks: true
env: {}
envFromConfigMaps: envFromConfigMaps:
- name: grafana-env - name: grafana-env
envFromSecret: ""
envFromSecrets: envFromSecrets:
- name: grafana-secretenv - name: grafana-secretenv
envRenderSecret: {}
envValueFrom: {}
extraConfigmapMounts: []
extraContainerVolumes: []
extraContainers: ""
extraEmptyDirMounts: []
extraExposePorts: []
extraInitContainers: []
extraLabels: {}
extraObjects: extraObjects:
- apiVersion: external-secrets.io/v1beta1 - apiVersion: external-secrets.io/v1
kind: ExternalSecret kind: ExternalSecret
metadata: metadata:
name: grafana-admin name: grafana-admin
@@ -95,7 +55,7 @@ grafana:
creationPolicy: Owner creationPolicy: Owner
deletionPolicy: Retain deletionPolicy: Retain
name: grafana-admin name: grafana-admin
- apiVersion: external-secrets.io/v1beta1 - apiVersion: external-secrets.io/v1
kind: ExternalSecret kind: ExternalSecret
metadata: metadata:
name: grafana-secretenv name: grafana-secretenv
@@ -148,13 +108,6 @@ grafana:
data: data:
tls.crt: "" tls.crt: ""
tls.key: "" tls.key: ""
extraSecretMounts: []
extraVolumeMounts: []
extraVolumes: []
global:
imagePullSecrets: []
imageRegistry: null
gossipPortName: gossip
grafana.ini: grafana.ini:
analytics: analytics:
check_for_updates: true check_for_updates: true
@@ -170,93 +123,14 @@ grafana:
server: server:
domain: '{{ if (and .Values.ingress.enabled .Values.ingress.hosts) }}{{ tpl (.Values.ingress.hosts domain: '{{ if (and .Values.ingress.enabled .Values.ingress.hosts) }}{{ tpl (.Values.ingress.hosts
| first) . }}{{ else }}''''{{ end }}' | first) . }}{{ else }}''''{{ end }}'
headlessService: false
hostAliases: []
image: image:
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
pullSecrets: []
registry: docker.io registry: docker.io
repository: grafana/grafana repository: grafana/grafana
sha: ""
tag: ""
imageRenderer:
affinity: {}
automountServiceAccountToken: false
autoscaling:
behavior: {}
enabled: false
maxReplicas: 5
minReplicas: 1
targetCPU: "60"
targetMemory: ""
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
seccompProfile:
type: RuntimeDefault
deploymentStrategy: {}
enabled: false
env:
HTTP_HOST: 0.0.0.0
XDG_CACHE_HOME: /tmp/.chromium
XDG_CONFIG_HOME: /tmp/.chromium
envValueFrom: {}
extraConfigmapMounts: []
extraSecretMounts: []
extraVolumeMounts: []
extraVolumes: []
grafanaProtocol: http
grafanaSubPath: ""
hostAliases: []
image:
pullPolicy: Always
pullSecrets: []
registry: docker.io
repository: grafana/grafana-image-renderer
sha: ""
tag: latest
networkPolicy:
extraIngressSelectors: []
limitEgress: false
limitIngress: true
nodeSelector: {}
podAnnotations: {}
podPortName: http
priorityClassName: ""
renderingCallbackURL: ""
replicas: 1
resources: {}
revisionHistoryLimit: 10
securityContext: {}
serverURL: ""
service:
appProtocol: ""
enabled: true
port: 8081
portName: http
targetPort: 8081
serviceAccountName: ""
serviceMonitor:
enabled: false
interval: 1m
labels: {}
path: /metrics
relabelings: []
scheme: http
scrapeTimeout: 30s
targetLabels: []
tlsConfig: {}
tolerations: []
ingress: ingress:
annotations: {}
enabled: true enabled: true
extraPaths: []
hosts: hosts:
- grafana.infra.dubyatp.xyz - grafana.infra.dubyatp.xyz
labels: {}
path: / path: /
pathType: Prefix pathType: Prefix
tls: tls:
@@ -269,9 +143,7 @@ grafana:
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
registry: docker.io registry: docker.io
repository: library/busybox repository: library/busybox
sha: "" tag: 1.37.0
tag: 1.31.1
resources: {}
securityContext: securityContext:
capabilities: capabilities:
add: add:
@@ -283,11 +155,6 @@ grafana:
runAsUser: 0 runAsUser: 0
seccompProfile: seccompProfile:
type: RuntimeDefault type: RuntimeDefault
ldap:
config: ""
enabled: false
existingSecret: ""
lifecycleHooks: {}
livenessProbe: livenessProbe:
failureThreshold: 10 failureThreshold: 10
httpGet: httpGet:
@@ -295,227 +162,45 @@ grafana:
port: 3000 port: 3000
initialDelaySeconds: 60 initialDelaySeconds: 60
timeoutSeconds: 30 timeoutSeconds: 30
namespaceOverride: ""
networkPolicy:
allowExternal: true
egress:
blockDNSResolution: false
enabled: false
ports: []
to: []
enabled: false
explicitNamespacesSelector: {}
ingress: true
nodeSelector: {}
notifiers: {}
persistence: persistence:
accessModes: accessModes:
- ReadWriteOnce - ReadWriteOnce
disableWarning: false
enabled: true enabled: true
extraPvcLabels: {}
finalizers: finalizers:
- kubernetes.io/pvc-protection - kubernetes.io/pvc-protection
inMemory:
enabled: false
lookupVolumeName: true
size: 10Gi size: 10Gi
type: pvc type: pvc
volumeName: ""
plugins: []
podDisruptionBudget: {}
podPortName: grafana podPortName: grafana
podAnnotations: podAnnotations:
backup.velero.io/backup-volumes: "storage" backup.velero.io/backup-volumes: "storage"
rbac: rbac:
create: true create: true
extraClusterRoleRules: []
extraRoleRules: []
namespaced: false namespaced: false
pspEnabled: false
pspUseAppArmor: false
readinessProbe: readinessProbe:
httpGet: httpGet:
path: /api/health path: /api/health
port: 3000 port: 3000
replicas: 1 replicas: 1
resources: {}
revisionHistoryLimit: 10 revisionHistoryLimit: 10
route:
main:
additionalRules: []
annotations: {}
apiVersion: gateway.networking.k8s.io/v1
enabled: false
filters: []
hostnames: []
kind: HTTPRoute
labels: {}
matches:
- path:
type: PathPrefix
value: /
parentRefs: []
securityContext: securityContext:
fsGroup: 472 fsGroup: 472
runAsGroup: 472 runAsGroup: 472
runAsNonRoot: true runAsNonRoot: true
runAsUser: 472 runAsUser: 472
service: service:
annotations: {}
appProtocol: ""
enabled: true enabled: true
ipFamilies: []
ipFamilyPolicy: ""
labels: {}
loadBalancerClass: ""
loadBalancerIP: ""
loadBalancerSourceRanges: []
port: 80 port: 80
portName: service portName: service
sessionAffinity: ""
targetPort: 3000 targetPort: 3000
type: ClusterIP type: ClusterIP
serviceAccount: serviceAccount:
automountServiceAccountToken: false automountServiceAccountToken: false
create: true create: true
labels: {}
name: null
nameTest: null
serviceMonitor:
basicAuth: {}
enabled: false
interval: 30s
labels: {}
metricRelabelings: []
path: /metrics
relabelings: []
scheme: http
scrapeTimeout: 30s
targetLabels: []
tlsConfig: {}
shareProcessNamespace: false
sidecar:
alerts:
enabled: false
env: {}
extraMounts: []
initAlerts: false
label: grafana_alert
labelValue: ""
reloadURL: http://localhost:3000/api/admin/provisioning/alerting/reload
resource: both
resourceName: ""
script: null
searchNamespace: null
sizeLimit: {}
skipReload: false
watchMethod: WATCH
dashboards:
SCProvider: true
defaultFolderName: null
enabled: false
env: {}
envValueFrom: {}
extraMounts: []
folder: /tmp/dashboards
folderAnnotation: null
label: grafana_dashboard
labelValue: ""
provider:
allowUiUpdates: false
disableDelete: false
folder: ""
folderUid: ""
foldersFromFilesStructure: false
name: sidecarProvider
orgid: 1
type: file
reloadURL: http://localhost:3000/api/admin/provisioning/dashboards/reload
resource: both
resourceName: ""
script: null
searchNamespace: null
sizeLimit: {}
skipReload: false
watchMethod: WATCH
datasources:
enabled: false
env: {}
envValueFrom: {}
extraMounts: []
initDatasources: false
label: grafana_datasource
labelValue: ""
reloadURL: http://localhost:3000/api/admin/provisioning/datasources/reload
resource: both
resourceName: ""
script: null
searchNamespace: null
sizeLimit: {}
skipReload: false
watchMethod: WATCH
enableUniqueFilenames: false
image:
registry: quay.io
repository: kiwigrid/k8s-sidecar
sha: ""
tag: 1.30.3
imagePullPolicy: IfNotPresent
livenessProbe: {}
notifiers:
enabled: false
env: {}
extraMounts: []
initNotifiers: false
label: grafana_notifier
labelValue: ""
reloadURL: http://localhost:3000/api/admin/provisioning/notifications/reload
resource: both
resourceName: ""
script: null
searchNamespace: null
sizeLimit: {}
skipReload: false
watchMethod: WATCH
plugins:
enabled: false
env: {}
extraMounts: []
initPlugins: false
label: grafana_plugin
labelValue: ""
reloadURL: http://localhost:3000/api/admin/provisioning/plugins/reload
resource: both
resourceName: ""
script: null
searchNamespace: null
sizeLimit: {}
skipReload: false
watchMethod: WATCH
readinessProbe: {}
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
smtp:
existingSecret: ""
passwordKey: password
userKey: user
testFramework: testFramework:
containerSecurityContext: {}
enabled: true enabled: true
image: image:
registry: docker.io registry: docker.io
repository: bats/bats repository: bats/bats
tag: 1.12.0 tag: 1.12.0
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
resources: {} useStatefulSet: false
securityContext: {}
tolerations: []
topologySpreadConstraints: []
useStatefulSet: false
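Review bot: Removing the explicit `securityContext` blocks for `downloadDashboards` (`allowPrivilegeEscalation: false`, `drop: [ALL]`, `seccompProfile: RuntimeDefault`), the `imageRenderer` container and the `sidecar` in the `@@ -22,52 +13,21 @@` and `@@ -295,227 +162,45 @@` hunks leaves those hardening settings to the subchart's own defaults at the 9.2.1 pin. The deleted values look like a dump of the upstream defaults, so the rendered manifests are presumably unchanged today, but that now silently depends on every future chart bump keeping the same defaults, and the Renovate bot added in this same compare will be proposing those bumps. Either keep the three short blocks as explicit overrides, or record the decision next to `containerSecurityContext:` with a comment such as `# init/sidecar/renderer security contexts intentionally left to chart defaults (checked against grafana 9.2.1)` so the next reviewer of a chart bump knows to re-check them. The `grafana:` mapping continues outside the hunks shown.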


@@ -1,4 +1,4 @@
apiVersion: external-secrets.io/v1beta1 apiVersion: external-secrets.io/v1
kind: ExternalSecret kind: ExternalSecret
metadata: metadata:
name: postgres-credentials name: postgres-credentials


@@ -1,4 +1,4 @@
apiVersion: external-secrets.io/v1beta1 apiVersion: external-secrets.io/v1
kind: ExternalSecret kind: ExternalSecret
metadata: metadata:
name: nextcloud-secret name: nextcloud-secret


@@ -0,0 +1,9 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: renovate-config
data:
config.json: |-
{
"repositories": ["infrastructure/core-apps","infrastructure/db-operators","infrastructure/weyma-talos"]
}
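Review bot: The `repositories` array in `config.json` is packed onto one line without spaces after the commas; listing one repository per line makes every future addition a one-line diff, and adding `"$schema": "https://docs.renovatebot.com/renovate-schema.json"` as the first key lets editors validate option names, which matters because Renovate ignores unknown or misspelled keys without complaint. The explicit repository list together with `RENOVATE_AUTODISCOVER: 'false'` in the CronJob is the right shape: the bot can only act on the repositories it was given here, so this ConfigMap is the place to document that allow-list role with a short comment above `config.json:`.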


@@ -0,0 +1,49 @@
apiVersion: batch/v1
kind: CronJob
metadata:
name: renovate-bot
spec:
schedule: '@hourly'
concurrencyPolicy: Forbid
jobTemplate:
spec:
template:
spec:
containers:
- image: renovate/renovate:40.14.6
name: renovate-bot
env: # For illustration purposes, please use secrets.
- name: RENOVATE_PLATFORM
value: 'gitea'
- name: RENOVATE_ENDPOINT
value: 'https://git.dubyatp.xyz/api/v1'
- name: RENOVATE_TOKEN
valueFrom:
secretKeyRef:
key: gitea-pat
name: renovate-gitea-token
- name: RENOVATE_GITHUB_COM_TOKEN
valueFrom:
secretKeyRef:
key: github-com-pat
name: renovate-github-com-token
- name: RENOVATE_AUTODISCOVER
value: 'false'
- name: RENOVATE_BASE_DIR
value: '/tmp/renovate/'
- name: RENOVATE_CONFIG_FILE
value: '/opt/renovate/config.json'
- name: LOG_LEVEL
value: debug
volumeMounts:
- name: config-volume
mountPath: /opt/renovate/
- name: work-volume
mountPath: /tmp/renovate/
restartPolicy: Never
volumes:
- name: config-volume
configMap:
name: renovate-config
- name: work-volume
emptyDir: {}
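Review bot: The inline comment on the `env:` line, `# For illustration purposes, please use secrets.`, is carried over from the upstream example and no longer applies — both tokens already arrive via `secretKeyRef`, so the comment should be dropped rather than suggest plaintext credentials are present. The job also sets no `activeDeadlineSeconds` or `backoffLimit`: with `concurrencyPolicy: Forbid` a single hung run blocks every later hourly run, and `restartPolicy: Never` leaves the default of six pod retries per job. Unlike the other workloads in this compare the container has no `securityContext` and no `resources`; the renovate image runs as a non-root user upstream as far as I know (verify before adding `runAsNonRoot: true`), and Renovate runs are memory-heavy enough that requests/limits are worth setting (values left to the cluster owner below). `LOG_LEVEL: debug` is fine for bring-up but is very verbose; `info` is the usual steady state.
```yaml
  jobTemplate:
    spec:
      activeDeadlineSeconds: 3600  # constructed value: cap a stuck run so Forbid cannot block the next hour
      backoffLimit: 1              # constructed value: one retry, not the default six
      template:
        spec:
          containers:
            - image: renovate/renovate:40.14.6
              name: renovate-bot
              securityContext:
                allowPrivilegeEscalation: false
                runAsNonRoot: true
                capabilities:
                  drop:
                    - ALL
                seccompProfile:
                  type: RuntimeDefault
              env:
              # … unchanged: RENOVATE_* and LOG_LEVEL entries, volumeMounts …
```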


@@ -0,0 +1,17 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: renovate-gitea-token
spec:
refreshInterval: 1h
secretStoreRef:
name: weyma-vault
kind: ClusterSecretStore
target:
name: renovate-gitea-token
creationPolicy: Owner
data:
- secretKey: gitea-pat
remoteRef:
key: renovate
property: gitea-pat
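Review bot: Nothing in this ExternalSecret says what the PAT stored at `renovate/gitea-pat` is allowed to do, and since this is the token the bot pushes branches and opens pull requests with, a comment above `data:` such as `# Gitea PAT for the renovate bot user: repository scope only, limited to the repositories listed in renovate-config` records the least-privilege expectation for whoever rotates it. The existing ExternalSecrets in this compare pair `creationPolicy: Owner` with `deletionPolicy: Retain` (see the grafana-admin target in the grafana values); if that is the repository convention, the same `deletionPolicy` belongs here and in renovate-github-com-token.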


@@ -0,0 +1,17 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: renovate-github-com-token
spec:
refreshInterval: 1h
secretStoreRef:
name: weyma-vault
kind: ClusterSecretStore
target:
name: renovate-github-com-token
creationPolicy: Owner
data:
- secretKey: github-com-pat
remoteRef:
key: renovate
property: github-com-pat
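Review bot: The secret produced here is consumed by the CronJob only as `RENOVATE_GITHUB_COM_TOKEN`, which Renovate uses to fetch release notes and changelogs from github.com; as far as the Renovate docs describe, a token with no scopes at all is sufficient for that. A comment on `property: github-com-pat` recording this — `# github.com PAT used for changelog lookups only; no scopes required` — keeps a broader-scoped token from being rotated in later without anyone noticing.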


@@ -1,4 +1,4 @@
apiVersion: external-secrets.io/v1beta1 apiVersion: external-secrets.io/v1
kind: ExternalSecret kind: ExternalSecret
metadata: metadata:
name: vaultwarden-secrets name: vaultwarden-secrets