chore(deps): update all-minor-patch-updates

Merge pull request 'chore(deps): update all-minor-patch-updates' (#296 ) from renovate/all-minor-patch-updates into main
Reviewed-on: #296
2026-04-22 15:00:49 +00:00 · 2026-04-17 18:42:13 +00:00 · 2026-04-17 15:00:31 +00:00 · 2026-04-15 10:53:59 -04:00 · 2026-04-15 10:52:17 -04:00 · 2026-04-15 14:40:42 +00:00
76 changed files with 11290 additions and 1562 deletions
@@ -1 +1,2 @@
+.vscode/
 test/
@@ -0,0 +1,37 @@
+# Main Infrastructure: weyma-talos
+
+**Production Kubernetes infrastructure with disaster recovery capabilities**
+
+This repository contains the foundational infrastructure for my Kubernetes homelab, designed with reliability and rapid recovery as core principles.
+
+## Architecture
+
+My infrastructure follows a layered "black start" approach - essential services run outside the Kubernetes cluster to enable cluster bootstrapping and recovery from total failures.
+
+### Black Start Layer
+Static services (Docker Compose on TrueNAS/Proxmox) that provide cluster dependencies:
+- Image cache for faster deployments and offline capability
+- Talos discovery server for node bootstrapping  
+- HashiCorp Vault for secrets management (external to cluster)
+- Future: Self-hosted Sidero Omni server (migrating from SaaS)
+
+### System Apps Layer
+Applications running within Kubernetes that provide core cluster functionality, managed via ArgoCD with GitOps principles.
+
+## Repository Structure
+
+- **`black-start/`** - Docker Compose services for cluster dependencies
+- **`config-patches/`** - Talos Linux configuration patches for cluster and individual machines
+- **`omni/`** - Sidero Omni [cluster template](https://docs.siderolabs.com/omni/reference/cluster-templates)
+- **`system-apps/`** - System applications (ArgoCD projects) - monitoring, ingress, certificates, storage
+
+## Tech Stack
+
+**OS:** Talos Linux | **Orchestration:** Kubernetes | **GitOps:** ArgoCD | **Secrets:** Vault | **Storage:** Rook-Ceph
+
+## Recovery Process
+
+The "black start" architecture enables ~15-20 minute automated recovery from complete infrastructure failure:
+1. Start black-start services → 2. Bootstrap Talos → 3. Deploy system apps → 4. Deploy core apps
+
+For application deployments, see [core-apps](https://git.dubyatp.xyz/core-apps).
@@ -1,15 +0,0 @@
-services:
-  prometheus:
-    image: prom/prometheus:v3.5.0
-    command:
-      - '--config.file=/etc/prometheus/prometheus.yaml'
-      - '--web.config.file=/etc/prometheus/web-config.yaml'
-      - '--web.enable-remote-write-receiver'
-      - '--storage.tsdb.retention.size=35GB'
-    ports:
-      - 9090:9090
-    volumes:
-      - ./.basicauthpass:/etc/prometheus/.basicauthpass
-      - ./prometheus.yaml:/etc/prometheus/prometheus.yaml
-      - ./web-config.yaml:/etc/prometheus/web-config.yaml
-      - /mnt/prometheus-data:/prometheus
@@ -1,32 +0,0 @@
-# my global config
-global:
-  scrape_interval: 15s # Set the scrape interval to every 15 seconds. Default is every 1 minute.
-  evaluation_interval: 15s # Evaluate rules every 15 seconds. The default is every 1 minute.
-  # scrape_timeout is set to the global default (10s).
-
-# Alertmanager configuration
-alerting:
-  alertmanagers:
-    - static_configs:
-        - targets:
-          # - alertmanager:9093
-
-# Load rules once and periodically evaluate them according to the global 'evaluation_interval'.
-rule_files:
-  # - "first_rules.yml"
-  # - "second_rules.yml"
-
-# A scrape configuration containing exactly one endpoint to scrape:
-# Here it's Prometheus itself.
-scrape_configs:
-  # The job name is added as a label `job=<job_name>` to any timeseries scraped from this config.
-  - job_name: "prometheus"
-
-    # metrics_path defaults to '/metrics'
-    # scheme defaults to 'http'.
-
-    static_configs:
-      - targets: ["localhost:9090"]
-    basic_auth:
-      username: prometheus
-      password_file: /etc/prometheus/.basicauthpass
@@ -1,2 +0,0 @@
-basic_auth_users:
-  prometheus: <redacted>
@@ -2,7 +2,7 @@ version: "3.8"
 services:
  discovery:
    restart: unless-stopped
-    image: ghcr.io/siderolabs/discovery-service:v1.0.11
+    image: ghcr.io/siderolabs/discovery-service:v1.0.17
    ports:
      - 10.105.6.215:3000:3000
      - 10.105.6.215:3001:3001
@@ -5,7 +5,7 @@ services:
    command: tunnel run weyma-vault
    env_file: ".env"
  vault:
-    image: hashicorp/vault:1.20
+    image: hashicorp/vault:2.0
    env_file: ".env.vault"
    environment:
      VAULT_ADDR: "https://weyma-vault.infra.dubyatp.xyz:8200"
@@ -0,0 +1,10 @@
+cluster:
+  controllerManager:
+    extraArgs:
+      bind-address: "0.0.0.0"
+  proxy:
+    extraArgs:
+      metrics-bind-address: "0.0.0.0:10249"
+  scheduler:
+    extraArgs:
+      bind-address: "0.0.0.0"
@@ -1,8 +1,213 @@
 cluster:
  extraManifests:
    - https://raw.githubusercontent.com/alex1989hu/kubelet-serving-cert-approver/main/deploy/standalone-install.yaml
-    - https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml
  inlineManifests:
+    - name: metrics-server
+      contents: |-
+        apiVersion: v1
+        kind: ServiceAccount
+        metadata:
+          labels:
+            k8s-app: metrics-server
+          name: metrics-server
+          namespace: kube-system
+        ---
+        apiVersion: rbac.authorization.k8s.io/v1
+        kind: ClusterRole
+        metadata:
+          labels:
+            k8s-app: metrics-server
+            rbac.authorization.k8s.io/aggregate-to-admin: "true"
+            rbac.authorization.k8s.io/aggregate-to-edit: "true"
+            rbac.authorization.k8s.io/aggregate-to-view: "true"
+          name: system:aggregated-metrics-reader
+        rules:
+        - apiGroups:
+          - metrics.k8s.io
+          resources:
+          - pods
+          - nodes
+          verbs:
+          - get
+          - list
+          - watch
+        ---
+        apiVersion: rbac.authorization.k8s.io/v1
+        kind: ClusterRole
+        metadata:
+          labels:
+            k8s-app: metrics-server
+          name: system:metrics-server
+        rules:
+        - apiGroups:
+          - ""
+          resources:
+          - nodes/metrics
+          verbs:
+          - get
+        - apiGroups:
+          - ""
+          resources:
+          - pods
+          - nodes
+          verbs:
+          - get
+          - list
+          - watch
+        ---
+        apiVersion: rbac.authorization.k8s.io/v1
+        kind: RoleBinding
+        metadata:
+          labels:
+            k8s-app: metrics-server
+          name: metrics-server-auth-reader
+          namespace: kube-system
+        roleRef:
+          apiGroup: rbac.authorization.k8s.io
+          kind: Role
+          name: extension-apiserver-authentication-reader
+        subjects:
+        - kind: ServiceAccount
+          name: metrics-server
+          namespace: kube-system
+        ---
+        apiVersion: rbac.authorization.k8s.io/v1
+        kind: ClusterRoleBinding
+        metadata:
+          labels:
+            k8s-app: metrics-server
+          name: metrics-server:system:auth-delegator
+        roleRef:
+          apiGroup: rbac.authorization.k8s.io
+          kind: ClusterRole
+          name: system:auth-delegator
+        subjects:
+        - kind: ServiceAccount
+          name: metrics-server
+          namespace: kube-system
+        ---
+        apiVersion: rbac.authorization.k8s.io/v1
+        kind: ClusterRoleBinding
+        metadata:
+          labels:
+            k8s-app: metrics-server
+          name: system:metrics-server
+        roleRef:
+          apiGroup: rbac.authorization.k8s.io
+          kind: ClusterRole
+          name: system:metrics-server
+        subjects:
+        - kind: ServiceAccount
+          name: metrics-server
+          namespace: kube-system
+        ---
+        apiVersion: v1
+        kind: Service
+        metadata:
+          labels:
+            k8s-app: metrics-server
+          name: metrics-server
+          namespace: kube-system
+        spec:
+          ports:
+          - appProtocol: https
+            name: https
+            port: 443
+            protocol: TCP
+            targetPort: https
+          selector:
+            k8s-app: metrics-server
+        ---
+        apiVersion: apps/v1
+        kind: Deployment
+        metadata:
+          labels:
+            k8s-app: metrics-server
+          name: metrics-server
+          namespace: kube-system
+        spec:
+          selector:
+            matchLabels:
+              k8s-app: metrics-server
+          strategy:
+            rollingUpdate:
+              maxUnavailable: 0
+          template:
+            metadata:
+              labels:
+                k8s-app: metrics-server
+            spec:
+              containers:
+              - args:
+                - --cert-dir=/tmp
+                - --secure-port=10250
+                - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
+                - --kubelet-use-node-status-port
+                - --metric-resolution=15s
+                - --kubelet-insecure-tls
+                image: registry.k8s.io/metrics-server/metrics-server:v0.8.0
+                imagePullPolicy: IfNotPresent
+                livenessProbe:
+                  failureThreshold: 3
+                  httpGet:
+                    path: /livez
+                    port: https
+                    scheme: HTTPS
+                  periodSeconds: 10
+                name: metrics-server
+                ports:
+                - containerPort: 10250
+                  name: https
+                  protocol: TCP
+                readinessProbe:
+                  failureThreshold: 3
+                  httpGet:
+                    path: /readyz
+                    port: https
+                    scheme: HTTPS
+                  initialDelaySeconds: 20
+                  periodSeconds: 10
+                resources:
+                  requests:
+                    cpu: 100m
+                    memory: 200Mi
+                securityContext:
+                  allowPrivilegeEscalation: false
+                  capabilities:
+                    drop:
+                    - ALL
+                  readOnlyRootFilesystem: true
+                  runAsNonRoot: true
+                  runAsUser: 1000
+                  seccompProfile:
+                    type: RuntimeDefault
+                volumeMounts:
+                - mountPath: /tmp
+                  name: tmp-dir
+              nodeSelector:
+                kubernetes.io/os: linux
+              priorityClassName: system-cluster-critical
+              serviceAccountName: metrics-server
+              volumes:
+              - emptyDir: {}
+                name: tmp-dir
+        ---
+        apiVersion: apiregistration.k8s.io/v1
+        kind: APIService
+        metadata:
+          labels:
+            k8s-app: metrics-server
+          name: v1beta1.metrics.k8s.io
+        spec:
+          group: metrics.k8s.io
+          groupPriorityMinimum: 100
+          insecureSkipTLSVerify: true
+          service:
+            name: metrics-server
+            namespace: kube-system
+          version: v1beta1
+          versionPriority: 100
+
    - name: metrics-lb
      contents: |-
        apiVersion: v1
@@ -10,6 +215,8 @@ cluster:
        metadata:
          name: metrics-lb
          namespace: kube-system
+          annotations:
+            metallb.io/ip-allocated-from-pool: test-pool
        spec:
          type: LoadBalancer
          ports:
@@ -19,4 +226,3 @@ cluster:
            targetPort: https
          selector:
            k8s-app: metrics-server
-        
@@ -3,8 +3,17 @@ machine:
    interfaces:
      - deviceSelector:
          hardwareAddr: "e8:ff:1e:d5:f8:22"
+          driver: "igc"
        dhcp: true
+        vlans:
+          - vlanId: 50
+            dhcp: false
      - deviceSelector:
          hardwareAddr: "e8:ff:1e:d5:f8:21"
        mtu: 9000
        dhcp: true
+      - interface: br0
+        dhcp: false
+        bridge:
+          interfaces:
+            - enp2s0.50
@@ -3,8 +3,17 @@ machine:
    interfaces:
      - deviceSelector:
          hardwareAddr: "f4:52:14:60:5e:30"
+          driver: "mlx4_core"
        dhcp: true
+        vlans:
+          - vlanId: 50
+            dhcp: false
      - deviceSelector:
          hardwareAddr: "f4:52:14:60:5e:31"
        dhcp: true
        mtu: 9000
+      - interface: br0
+        dhcp: false
+        bridge:
+          interfaces:
+            - eno1.50
@@ -8,3 +8,11 @@ machine:
          hardwareAddr: "00:16:3e:e5:79:0a"
        dhcp: true
        mtu: 9000
+      - deviceSelector:
+          hardwareAddr: "00:16:3e:6b:1c:1d"
+        dhcp: false
+      - interface: br0
+        dhcp: false
+        bridge:
+          interfaces:
+            - enx00163e6b1c1d
@@ -3,8 +3,17 @@ machine:
    interfaces:
      - deviceSelector:
          hardwareAddr: "e8:ff:1e:d4:b8:89"
+          driver: "igc"
        dhcp: true
+        vlans:
+          - vlanId: 50
+            dhcp: false
      - deviceSelector:
          hardwareAddr: "e8:ff:1e:d4:b8:8a"
        mtu: 9000
        dhcp: true
+      - interface: br0
+        dhcp: false
+        bridge:
+          interfaces:
+            - enp1s0.50
@@ -8,5 +8,14 @@ machine:
      - deviceSelector:
          hardwareAddr: "bc:24:11:f8:4a:92"
          driver: "virtio*"
-        dhcp: true
        mtu: 8996
+        dhcp: true
+      - deviceSelector:
+          hardwareAddr: "bc:24:11:93:02:0e"
+          driver: "virtio*"
+        dhcp: false
+      - interface: br0
+        dhcp: false
+        bridge:
+          interfaces:
+            - enxbc241193020e
@@ -0,0 +1,532 @@
+kind: Cluster
+name: weyma-talos
+kubernetes:
+  version: v1.34.2
+talos:
+  version: v1.11.5
+features:
+  backupConfiguration:
+    interval: 6h0m0s
+patches:
+  - idOverride: 500-5100c0c3-f72e-45f5-8cde-4a1c3b6f72a8
+    annotations:
+      description: pod-svc-subnets
+      name: User defined patch
+    inline:
+      cluster:
+        network:
+          podSubnets:
+            - 10.244.0.0/16
+          serviceSubnets:
+            - 10.112.0.0/12
+  - idOverride: 500-7c228773-8b44-40b0-8b4c-30f617668af0
+    annotations:
+      description: weyma-image-cache
+      name: User defined patch
+    inline:
+      machine:
+        registries:
+          mirrors:
+            docker.io:
+              endpoints:
+                - http://10.105.6.215:6000
+            factory.talos.dev:
+              endpoints:
+                - http://10.105.6.215:6004
+            gcr.io:
+              endpoints:
+                - http://10.105.6.215:6002
+            ghcr.io:
+              endpoints:
+                - http://10.105.6.215:6003
+            registry.k8s.io:
+              endpoints:
+                - http://10.105.6.215:6001
+  - idOverride: 500-f198cacc-280b-4874-a410-252c160621a7
+    annotations:
+      name: weyma-bind-addr
+    inline:
+      cluster:
+        controllerManager:
+          extraArgs:
+            bind-address: 0.0.0.0
+        proxy:
+          extraArgs:
+            proxy-mode: ipvs
+            metrics-bind-address: 0.0.0.0:10249
+        scheduler:
+          extraArgs:
+            bind-address: 0.0.0.0
+  - idOverride: 500-fc113705-0777-4b52-8df0-7cee67fcc68e
+    annotations:
+      name: weyma-bootstrap-metrics
+    inline:
+      cluster:
+        extraManifests:
+          - https://raw.githubusercontent.com/alex1989hu/kubelet-serving-cert-approver/main/deploy/standalone-install.yaml
+        inlineManifests:
+          - contents: |-
+              apiVersion: v1
+              kind: ServiceAccount
+              metadata:
+                labels:
+                  k8s-app: metrics-server
+                name: metrics-server
+                namespace: kube-system
+              ---
+              apiVersion: rbac.authorization.k8s.io/v1
+              kind: ClusterRole
+              metadata:
+                labels:
+                  k8s-app: metrics-server
+                  rbac.authorization.k8s.io/aggregate-to-admin: "true"
+                  rbac.authorization.k8s.io/aggregate-to-edit: "true"
+                  rbac.authorization.k8s.io/aggregate-to-view: "true"
+                name: system:aggregated-metrics-reader
+              rules:
+              - apiGroups:
+                - metrics.k8s.io
+                resources:
+                - pods
+                - nodes
+                verbs:
+                - get
+                - list
+                - watch
+              ---
+              apiVersion: rbac.authorization.k8s.io/v1
+              kind: ClusterRole
+              metadata:
+                labels:
+                  k8s-app: metrics-server
+                name: system:metrics-server
+              rules:
+              - apiGroups:
+                - ""
+                resources:
+                - nodes/metrics
+                verbs:
+                - get
+              - apiGroups:
+                - ""
+                resources:
+                - pods
+                - nodes
+                verbs:
+                - get
+                - list
+                - watch
+              ---
+              apiVersion: rbac.authorization.k8s.io/v1
+              kind: RoleBinding
+              metadata:
+                labels:
+                  k8s-app: metrics-server
+                name: metrics-server-auth-reader
+                namespace: kube-system
+              roleRef:
+                apiGroup: rbac.authorization.k8s.io
+                kind: Role
+                name: extension-apiserver-authentication-reader
+              subjects:
+              - kind: ServiceAccount
+                name: metrics-server
+                namespace: kube-system
+              ---
+              apiVersion: rbac.authorization.k8s.io/v1
+              kind: ClusterRoleBinding
+              metadata:
+                labels:
+                  k8s-app: metrics-server
+                name: metrics-server:system:auth-delegator
+              roleRef:
+                apiGroup: rbac.authorization.k8s.io
+                kind: ClusterRole
+                name: system:auth-delegator
+              subjects:
+              - kind: ServiceAccount
+                name: metrics-server
+                namespace: kube-system
+              ---
+              apiVersion: rbac.authorization.k8s.io/v1
+              kind: ClusterRoleBinding
+              metadata:
+                labels:
+                  k8s-app: metrics-server
+                name: system:metrics-server
+              roleRef:
+                apiGroup: rbac.authorization.k8s.io
+                kind: ClusterRole
+                name: system:metrics-server
+              subjects:
+              - kind: ServiceAccount
+                name: metrics-server
+                namespace: kube-system
+              ---
+              apiVersion: v1
+              kind: Service
+              metadata:
+                labels:
+                  k8s-app: metrics-server
+                name: metrics-server
+                namespace: kube-system
+              spec:
+                ports:
+                - appProtocol: https
+                  name: https
+                  port: 443
+                  protocol: TCP
+                  targetPort: https
+                selector:
+                  k8s-app: metrics-server
+              ---
+              apiVersion: apps/v1
+              kind: Deployment
+              metadata:
+                labels:
+                  k8s-app: metrics-server
+                name: metrics-server
+                namespace: kube-system
+              spec:
+                selector:
+                  matchLabels:
+                    k8s-app: metrics-server
+                strategy:
+                  rollingUpdate:
+                    maxUnavailable: 0
+                template:
+                  metadata:
+                    labels:
+                      k8s-app: metrics-server
+                  spec:
+                    containers:
+                    - args:
+                      - --cert-dir=/tmp
+                      - --secure-port=10250
+                      - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
+                      - --kubelet-use-node-status-port
+                      - --metric-resolution=15s
+                      - --kubelet-insecure-tls
+                      image: registry.k8s.io/metrics-server/metrics-server:v0.8.0
+                      imagePullPolicy: IfNotPresent
+                      livenessProbe:
+                        failureThreshold: 3
+                        httpGet:
+                          path: /livez
+                          port: https
+                          scheme: HTTPS
+                        periodSeconds: 10
+                      name: metrics-server
+                      ports:
+                      - containerPort: 10250
+                        name: https
+                        protocol: TCP
+                      readinessProbe:
+                        failureThreshold: 3
+                        httpGet:
+                          path: /readyz
+                          port: https
+                          scheme: HTTPS
+                        initialDelaySeconds: 20
+                        periodSeconds: 10
+                      resources:
+                        requests:
+                          cpu: 100m
+                          memory: 200Mi
+                      securityContext:
+                        allowPrivilegeEscalation: false
+                        capabilities:
+                          drop:
+                          - ALL
+                        readOnlyRootFilesystem: true
+                        runAsNonRoot: true
+                        runAsUser: 1000
+                        seccompProfile:
+                          type: RuntimeDefault
+                      volumeMounts:
+                      - mountPath: /tmp
+                        name: tmp-dir
+                    nodeSelector:
+                      kubernetes.io/os: linux
+                    priorityClassName: system-cluster-critical
+                    serviceAccountName: metrics-server
+                    volumes:
+                    - emptyDir: {}
+                      name: tmp-dir
+              ---
+              apiVersion: apiregistration.k8s.io/v1
+              kind: APIService
+              metadata:
+                labels:
+                  k8s-app: metrics-server
+                name: v1beta1.metrics.k8s.io
+              spec:
+                group: metrics.k8s.io
+                groupPriorityMinimum: 100
+                insecureSkipTLSVerify: true
+                service:
+                  name: metrics-server
+                  namespace: kube-system
+                version: v1beta1
+                versionPriority: 100
+            name: metrics-server
+          - contents: |-
+              apiVersion: v1
+              kind: Service
+              metadata:
+                name: metrics-lb
+                namespace: kube-system
+                annotations:
+                  metallb.io/ip-allocated-from-pool: test-pool
+              spec:
+                type: LoadBalancer
+                ports:
+                - name: https
+                  port: 443
+                  protocol: TCP
+                  targetPort: https
+                selector:
+                  k8s-app: metrics-server
+            name: metrics-lb
+          - contents: |-
+              apiVersion: v1
+              data:
+                  Corefile: |
+                      .:53 {
+                          errors
+                          health {
+                              lameduck 5s
+                          }
+                          ready
+                          log . {
+                              class error
+                          }
+                          prometheus :9153
+
+                          kubernetes cluster.local in-addr.arpa ip6.arpa {
+                              pods insecure
+                              fallthrough in-addr.arpa ip6.arpa
+                              ttl 30
+                          }
+
+                          rewrite name git.dubyatp.xyz traefik-local.traefik.svc.cluster.local
+                          
+                          forward . /etc/resolv.conf {
+                            max_concurrent 1000
+                          }
+                          cache 30 {
+                            disable success cluster.local
+                            disable denial cluster.local
+                          }
+                          loop
+                          reload
+                          loadbalance
+                      }
+              kind: ConfigMap
+              metadata:
+                  name: coredns
+                  namespace: kube-system
+            name: coredns-config
+---
+kind: ControlPlane
+machines:
+  - 20b4c826-e699-43b3-826d-73eb5173680b
+  - 5fdea709-56ad-45f2-966d-5e344dbe4fdf
+  - 30303031-3030-3030-6335-303731636665
+---
+kind: Workers
+machines:
+  - 02c02200-f403-11ef-9372-70f446672600
+  - 03000200-0400-0500-0006-000700080009
+  - 1006b91a-ecbf-11ea-aed4-046ba1ee3700
+  - 5f0cd701-0784-4fcc-8e52-3b3304049972
+  - da507021-8912-4337-86a3-94a05bd1cf05
+---
+kind: Machine
+name: 02c02200-f403-11ef-9372-70f446672600
+patches:
+  - idOverride: 400-cm-02c02200-f403-11ef-9372-70f446672600
+    annotations:
+      name: ""
+    inline:
+      machine:
+        network:
+          hostname: weyma-talos-w02
+          interfaces:
+            - deviceSelector:
+                driver: igc
+                hardwareAddr: e8:ff:1e:d4:b8:89
+              dhcp: true
+              vlans:
+                - dhcp: false
+                  vlanId: 50
+            - deviceSelector:
+                hardwareAddr: e8:ff:1e:d4:b8:8a
+              dhcp: true
+              mtu: 9000
+            - bridge:
+                interfaces:
+                  - enp1s0.50
+              dhcp: false
+              interface: br0
+---
+kind: Machine
+name: 03000200-0400-0500-0006-000700080009
+patches:
+  - idOverride: 400-cm-03000200-0400-0500-0006-000700080009
+    annotations:
+      name: ""
+    inline:
+      machine:
+        network:
+          hostname: weyma-talos-testw01
+          interfaces:
+            - deviceSelector:
+                driver: igc
+                hardwareAddr: e8:ff:1e:d5:f8:22
+              dhcp: true
+              vlans:
+                - dhcp: false
+                  vlanId: 50
+            - deviceSelector:
+                hardwareAddr: e8:ff:1e:d5:f8:21
+              dhcp: true
+              mtu: 9000
+            - bridge:
+                interfaces:
+                  - enp2s0.50
+              dhcp: false
+              interface: br0
+---
+kind: Machine
+name: 1006b91a-ecbf-11ea-aed4-046ba1ee3700
+patches:
+  - idOverride: 400-cm-1006b91a-ecbf-11ea-aed4-046ba1ee3700
+    annotations:
+      name: ""
+    inline:
+      machine:
+        network:
+          hostname: weyma-talos-testw04
+          interfaces:
+            - deviceSelector:
+                driver: mlx4_core
+                hardwareAddr: f4:52:14:60:5e:30
+              dhcp: true
+              vlans:
+                - dhcp: false
+                  vlanId: 50
+            - deviceSelector:
+                hardwareAddr: f4:52:14:60:5e:31
+              dhcp: true
+              mtu: 9000
+            - bridge:
+                interfaces:
+                  - eno1.50
+              dhcp: false
+              interface: br0
+---
+kind: Machine
+name: 30303031-3030-3030-6335-303731636665
+patches:
+  - idOverride: 400-cm-30303031-3030-3030-6335-303731636665
+    inline:
+      machine:
+        network:
+          hostname: weyma-talos-cp04
+          interfaces:
+            - deviceSelector:
+                hardwareAddr: dc:a6:32:95:0f:cb
+              dhcp: true
+---
+kind: Machine
+name: 20b4c826-e699-43b3-826d-73eb5173680b
+patches:
+  - idOverride: 400-cm-20b4c826-e699-43b3-826d-73eb5173680b
+    annotations:
+      name: ""
+    inline:
+      machine:
+        network:
+          hostname: weyma-talos-cp02
+          interfaces:
+            - deviceSelector:
+                driver: virtio*
+                hardwareAddr: 00:16:3e:9c:01:27
+              dhcp: true
+---
+kind: Machine
+name: 5f0cd701-0784-4fcc-8e52-3b3304049972
+patches:
+  - idOverride: 400-cm-5f0cd701-0784-4fcc-8e52-3b3304049972
+    annotations:
+      name: ""
+    inline:
+      machine:
+        network:
+          hostname: weyma-talos-testw05
+          interfaces:
+            - deviceSelector:
+                hardwareAddr: 00:16:3e:b3:dd:f8
+              dhcp: true
+            - deviceSelector:
+                hardwareAddr: 00:16:3e:e5:79:0a
+              dhcp: true
+              mtu: 9000
+            - deviceSelector:
+                hardwareAddr: 00:16:3e:6b:1c:1d
+              dhcp: false
+            - bridge:
+                interfaces:
+                  - enx00163e6b1c1d
+              dhcp: false
+              interface: br0
+---
+kind: Machine
+systemExtensions:
+  - siderolabs/nut-client
+  - siderolabs/qemu-guest-agent
+name: 5fdea709-56ad-45f2-966d-5e344dbe4fdf
+patches:
+  - idOverride: 400-cm-5fdea709-56ad-45f2-966d-5e344dbe4fdf
+    annotations:
+      name: ""
+    inline:
+      machine:
+        network:
+          hostname: weyma-talos-cp01
+          interfaces:
+            - deviceSelector:
+                driver: virtio*
+                hardwareAddr: bc:24:11:e6:ff:7b
+              dhcp: true
+---
+kind: Machine
+name: da507021-8912-4337-86a3-94a05bd1cf05
+patches:
+  - idOverride: 400-cm-da507021-8912-4337-86a3-94a05bd1cf05
+    annotations:
+      name: ""
+    inline:
+      machine:
+        network:
+          hostname: weyma-talos-w03
+          interfaces:
+            - deviceSelector:
+                driver: virtio*
+                hardwareAddr: bc:24:11:be:6c:08
+              dhcp: true
+            - deviceSelector:
+                driver: virtio*
+                hardwareAddr: bc:24:11:f8:4a:92
+              dhcp: true
+              mtu: 8996
+            - deviceSelector:
+                driver: virtio*
+                hardwareAddr: bc:24:11:93:02:0e
+              dhcp: false
+            - bridge:
+                interfaces:
+                  - enxbc241193020e
+              dhcp: false
+              interface: br0
@@ -1,3 +1,37 @@
 {
-  "$schema": "https://docs.renovatebot.com/renovate-schema.json"
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "customManagers": [
+    {
+      "customType": "regex",
+      "description": "Update Ceph version in Rook CephCluster spec",
+      "managerFilePatterns": ["/(^|/)rook-ceph-cluster\\.ya?ml$/"],
+      "matchStrings": [
+        "image:\\s*[\"']?(?<depName>quay\\.io/ceph/ceph):v(?<currentValue>\\d+\\.\\d+\\.\\d+)(?:-\\d+)?[\"']?"
+      ],
+      "datasourceTemplate": "docker",
+      "versioningTemplate": "loose",
+      "extractVersionTemplate": "^v?(?<version>\\d+\\.\\d+\\.\\d+)"
+    }
+  ],
+  "packageRules": [
+    {
+      "description": "Consolidate patch and minor updates to one PR",
+      "matchUpdateTypes": ["minor", "patch"],
+      "groupName": "all-minor-patch-updates"
+    },
+    {
+      "description": "Rook Ceph - auto-update minor and patch versions only",
+      "matchDatasources": ["docker"],
+      "matchPackageNames": ["quay.io/ceph/ceph"],
+      "matchUpdateTypes": ["minor", "patch"],
+      "enabled": true
+    },
+    {
+      "description": "Rook Ceph - block major version upgrades",
+      "matchDatasources": ["docker"],
+      "matchPackageNames": ["quay.io/ceph/ceph"],
+      "matchUpdateTypes": ["major"],
+      "enabled": false
+    }
+  ]
 }
@@ -0,0 +1,28 @@
+apiVersion: v2
+name: argocd
+description: A Helm chart for Kubernetes
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+appVersion: "1.0"
+
+dependencies:
+- name: argo-cd
+  version: 9.5.4
+  repository: https://argoproj.github.io/argo-helm
@@ -0,0 +1,318 @@
+argo-cd:
+  global:
+    domain: argocd.infra.dubyatp.xyz
+  configs:
+    cm:
+      admin.enabled: false
+      dex.config: |
+        connectors:
+        - config:
+            issuer: https://auth.dubyatp.xyz/application/o/argocd/
+            clientID: ZZ4Rt3ZixVu9ote8yzryHFrEhlbY85C24Hh9Uo98
+            clientSecret: $weyma-argocd-secrets:dex.authentik.clientSecret
+            insecureEnableGroups: true
+            scopes:
+              - openid
+              - profile
+              - email
+          name: authentik
+          type: oidc
+          id: authentik
+      resource.customizations.ignoreDifferences.admissionregistration.k8s.io_MutatingWebhookConfiguration: |
+        jsonPointers:
+          - /webhooks/0/clientConfig/caBundle
+      resource.customizations.ignoreDifferences.admissionregistration.k8s.io_ValidatingWebhookConfiguration: |
+        jsonPointers:
+          - /webhooks/0/clientConfig/caBundle
+      resource.customizations.ignoreDifferences.Secret: |
+        jsonPointers:
+          - /data
+    params:
+      server.insecure: true
+    ssh:
+      extraHosts: |
+        git.dubyatp.xyz ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC/9ygk32Ibk6/ZqIhwh0ZyTTDpdXxP/BUgtJI4FVLKVWIEFnB+fOCTsSXM/mt8R0Xld/AJ+muywNhZc60nEAg+Pj4yxc0u75t1Ea+C8JjEh2xW7rH+oZLv+JabcLk5Ze7rpaETkq2ILxNmBKemgDut8mXt9BYBo5mk72ClWBsijFWw8Vj8LnWfzw/VsFFlQ4CJvnLuTqw+bgI5VlodwR20wcEHuSuUKY9IA2hyDZLWJ2vZzIlI8TuY21Qc8vFmEVB7M1mgqLJKksdi/ZLHk5UN9HTRz0Q6SaNyvPfjWCeHX8Tb3WnsAnHvnXc0C3A2EWVFqHIpJwVRTC2ef6LCUmZmPv1NqnFWftv192n+oOJqT+537fNesK7tQJfX4Osi5RDCL788GjJHLOarzEIKegpunCjq/9yp/Oi6M/v+/eN7rdd/UY80mcmoOC1HOVPfjxmCfcFFpqKX3NYlx/czF+gpf0mRBaHEpkGk3oPrqGiZbSAShsLDvptZANmBoBSDFwFwJpHxdMzMOLM8NyQNewKs1pYbjklbuC5W33qjgHdVk56jnGVPwCVak/TQgoOI9NtxnfvfV6sB5mQWEkiNsUzEVK3hgu5Wa93vN/DZ75KoS95Ldj4pCfJV92eeeYWvrRPAIdnzxjH2rdfhysHW2NYFdl7PlAqcca+CaO4WOHOMJw==
+        git-ssh.dubyatp.xyz ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC/9ygk32Ibk6/ZqIhwh0ZyTTDpdXxP/BUgtJI4FVLKVWIEFnB+fOCTsSXM/mt8R0Xld/AJ+muywNhZc60nEAg+Pj4yxc0u75t1Ea+C8JjEh2xW7rH+oZLv+JabcLk5Ze7rpaETkq2ILxNmBKemgDut8mXt9BYBo5mk72ClWBsijFWw8Vj8LnWfzw/VsFFlQ4CJvnLuTqw+bgI5VlodwR20wcEHuSuUKY9IA2hyDZLWJ2vZzIlI8TuY21Qc8vFmEVB7M1mgqLJKksdi/ZLHk5UN9HTRz0Q6SaNyvPfjWCeHX8Tb3WnsAnHvnXc0C3A2EWVFqHIpJwVRTC2ef6LCUmZmPv1NqnFWftv192n+oOJqT+537fNesK7tQJfX4Osi5RDCL788GjJHLOarzEIKegpunCjq/9yp/Oi6M/v+/eN7rdd/UY80mcmoOC1HOVPfjxmCfcFFpqKX3NYlx/czF+gpf0mRBaHEpkGk3oPrqGiZbSAShsLDvptZANmBoBSDFwFwJpHxdMzMOLM8NyQNewKs1pYbjklbuC5W33qjgHdVk56jnGVPwCVak/TQgoOI9NtxnfvfV6sB5mQWEkiNsUzEVK3hgu5Wa93vN/DZ75KoS95Ldj4pCfJV92eeeYWvrRPAIdnzxjH2rdfhysHW2NYFdl7PlAqcca+CaO4WOHOMJw==
+    rbac:
+      policy.csv: |
+        g, ArgoCD Admins, role:admin
+  controller:
+    metrics:
+      enabled: true
+      serviceMonitor:
+        enabled: true
+      rules:
+        enabled: true
+        spec:
+         - alert: ArgoAppMissing
+           expr: |
+             absent(argocd_app_info) == 1
+           for: 15m
+           labels:
+             severity: critical
+           annotations:
+             summary: "[Argo CD] No reported applications"
+             description: >
+               Argo CD has not reported any applications data for the past 15 minutes which
+               means that it must be down or not functioning properly.  This needs to be
+               resolved for this cloud to continue to maintain state.
+  server:
+    ingress:
+      enabled: true
+    livenessProbe:
+      enabled: true
+    readinessProbe:
+      enabled: true
+    metrics:
+      enabled: true
+      serviceMonitor:
+        enabled: true
+  repoServer:
+    livenessProbe:
+      enabled: true
+    readinessProbe:
+      enabled: true
+    metrics:
+      enabled: true
+      serviceMonitor:
+        enabled: true
+  applicationSet:
+    livenessProbe:
+      enabled: true
+    readinessProbe:
+      enabled: true 
+    metrics:
+      enabled: true
+      serviceMonitor:
+        enabled: true
+  redis:
+    livenessProbe:
+      enabled: true
+    readinessProbe:
+      enabled: true
+    metrics:
+      enabled: true
+      serviceMonitor:
+        enabled: true
+  dex:
+    livenessProbe:
+      enabled: true
+    readinessProbe:
+      enabled: true
+    metrics:
+      enabled: true
+      serviceMonitor:
+        enabled: true
+  notifications:
+    metrics:
+      enabled: true
+      serviceMonitor:
+        enabled: true
+  extraObjects:
+    - apiVersion: external-secrets.io/v1
+      kind: ExternalSecret
+      metadata:
+        name: weyma-argocd-secrets
+        labels:
+          app.kubernetes.io/part-of: argocd
+      spec:
+        refreshInterval: 1h
+        secretStoreRef:
+          name: weyma-vault
+          kind: ClusterSecretStore
+        target:
+          name: weyma-argocd-secrets
+          creationPolicy: Owner
+        data:
+        - secretKey: webhook.gitea.secret
+          remoteRef:
+            key: argo-cd
+            property: webhook.gitea.secret
+            conversionStrategy: Default
+            decodingStrategy: None
+            metadataPolicy: None
+            nullBytePolicy: Ignore
+        - secretKey: admin.password
+          remoteRef:
+            key: argo-cd
+            property: admin.password
+            conversionStrategy: Default
+            decodingStrategy: None
+            metadataPolicy: None
+            nullBytePolicy: Ignore
+        - secretKey: admin.passwordMtime
+          remoteRef:
+            key: argo-cd
+            property: admin.passwordMtime
+            conversionStrategy: Default
+            decodingStrategy: None
+            metadataPolicy: None
+            nullBytePolicy: Ignore
+        - secretKey: dex.authentik.clientSecret
+          remoteRef:
+            key: argo-cd
+            property: dex.authentik.clientSecret
+            conversionStrategy: Default
+            decodingStrategy: None
+            metadataPolicy: None
+            nullBytePolicy: Ignore
+    - apiVersion: external-secrets.io/v1
+      kind: ExternalSecret
+      metadata:
+        name: git-core-apps
+        labels:
+          app.kubernetes.io/part-of: argocd
+          argocd.argoproj.io/secret-type: repository
+      spec:
+        refreshInterval: 1h
+        secretStoreRef:
+          name: weyma-vault
+          kind: ClusterSecretStore
+        target:
+          name: git-core-apps
+          creationPolicy: Owner
+        data:
+        - secretKey: sshPrivateKey
+          remoteRef:
+            key: argo-cd-git
+            property: sshPrivateKey
+            conversionStrategy: Default
+            decodingStrategy: None
+            metadataPolicy: None
+            nullBytePolicy: Ignore
+        - secretKey: type
+          remoteRef:
+            key: argo-cd-git
+            property: type
+            conversionStrategy: Default
+            decodingStrategy: None
+            metadataPolicy: None
+            nullBytePolicy: Ignore
+        - secretKey: url
+          remoteRef:
+            key: argo-cd-git
+            property: url.core-apps
+            conversionStrategy: Default
+            decodingStrategy: None
+            metadataPolicy: None
+            nullBytePolicy: Ignore
+    - apiVersion: external-secrets.io/v1
+      kind: ExternalSecret
+      metadata:
+        name: git-weyma-talos
+        labels:
+          app.kubernetes.io/part-of: argocd
+          argocd.argoproj.io/secret-type: repository
+      spec:
+        refreshInterval: 1h
+        secretStoreRef:
+          name: weyma-vault
+          kind: ClusterSecretStore
+        target:
+          name: git-weyma-talos
+          creationPolicy: Owner
+        data:
+        - secretKey: sshPrivateKey
+          remoteRef:
+            key: argo-cd-git
+            property: sshPrivateKey
+            conversionStrategy: Default
+            decodingStrategy: None
+            metadataPolicy: None
+            nullBytePolicy: Ignore
+        - secretKey: type
+          remoteRef:
+            key: argo-cd-git
+            property: type
+            conversionStrategy: Default
+            decodingStrategy: None
+            metadataPolicy: None
+            nullBytePolicy: Ignore
+        - secretKey: url
+          remoteRef:
+            key: argo-cd-git
+            property: url.weyma-talos
+            conversionStrategy: Default
+            decodingStrategy: None
+            metadataPolicy: None
+            nullBytePolicy: Ignore
+    - apiVersion: external-secrets.io/v1
+      kind: ExternalSecret
+      metadata:
+        name: git-williamp-sites
+        labels:
+          app.kubernetes.io/part-of: argocd
+          argocd.argoproj.io/secret-type: repository
+      spec:
+        refreshInterval: 1h
+        secretStoreRef:
+          name: weyma-vault
+          kind: ClusterSecretStore
+        target:
+          name: git-williamp-sites
+          creationPolicy: Owner
+        data:
+        - secretKey: sshPrivateKey
+          remoteRef:
+            key: argo-cd-git
+            property: sshPrivateKey
+            conversionStrategy: Default
+            decodingStrategy: None
+            metadataPolicy: None
+            nullBytePolicy: Ignore
+        - secretKey: type
+          remoteRef:
+            key: argo-cd-git
+            property: type
+            conversionStrategy: Default
+            decodingStrategy: None
+            metadataPolicy: None
+            nullBytePolicy: Ignore
+        - secretKey: url
+          remoteRef:
+            key: argo-cd-git
+            property: url.williamp-sites
+            conversionStrategy: Default
+            decodingStrategy: None
+            metadataPolicy: None
+            nullBytePolicy: Ignore
+    - apiVersion: external-secrets.io/v1
+      kind: ExternalSecret
+      metadata:
+        name: git-db-operators
+        labels:
+          app.kubernetes.io/part-of: argocd
+          argocd.argoproj.io/secret-type: repository
+      spec:
+        refreshInterval: 1h
+        secretStoreRef:
+          name: weyma-vault
+          kind: ClusterSecretStore
+        target:
+          name: git-db-operators
+          creationPolicy: Owner
+        data:
+        - secretKey: sshPrivateKey
+          remoteRef:
+            key: argo-cd-git
+            property: sshPrivateKey
+            conversionStrategy: Default
+            decodingStrategy: None
+            metadataPolicy: None
+            nullBytePolicy: Ignore
+        - secretKey: type
+          remoteRef:
+            key: argo-cd-git
+            property: type
+            conversionStrategy: Default
+            decodingStrategy: None
+            metadataPolicy: None
+            nullBytePolicy: Ignore
+        - secretKey: url
+          remoteRef:
+            key: argo-cd-git
+            property: url.db-operators
+            conversionStrategy: Default
+            decodingStrategy: None
+            metadataPolicy: None
+            nullBytePolicy: Ignore
@@ -24,5 +24,5 @@ appVersion: "1.0"

 dependencies:
 - name: cert-manager
-  version: v1.18.2
+  version: v1.20.2
  repository: https://charts.jetstack.io
@@ -9,6 +9,7 @@ spec:
  - dubyatp.xyz
  - '*.dubyatp.xyz'
  - '*.infra.dubyatp.xyz'
+  - "*.weyma-s3.infra.dubyatp.xyz"
  issuerRef:
    kind: ClusterIssuer
    name: letsencrypt-dubyatp-xyz
@@ -9,3 +9,7 @@ cert-manager:
  cainjector:
    serviceLabels:
      metrics_enabled: "true"
+  prometheus:
+    enabled: true
+    servicemonitor:
+      enabled: true
@@ -24,5 +24,5 @@ appVersion: "1.0"

 dependencies:
 - name: external-secrets
-  version: 0.19.2
+  version: 2.3.0
  repository: https://charts.external-secrets.io
@@ -171,7 +171,7 @@ resources: {}

 serviceMonitor:
  # -- Specifies whether to create a ServiceMonitor resource for collecting Prometheus metrics
-  enabled: false
+  enabled: true

  # -- namespace where you want to install ServiceMonitors
  namespace: ""
@@ -1,21 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: guestbook-ui
-  namespace: guestbook-ui
-spec:
-  replicas: 1
-  revisionHistoryLimit: 3
-  selector:
-    matchLabels:
-      app: guestbook-ui
-  template:
-    metadata:
-      labels:
-        app: guestbook-ui
-    spec:
-      containers:
-      - image: gcr.io/heptio-images/ks-guestbook-demo:0.2
-        name: guestbook-ui
-        ports:
-        - containerPort: 80
@@ -1,4 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name:  guestbook-ui
@@ -1,11 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: guestbook-ui
-  namespace: guestbook-ui
-spec:
-  ports:
-  - port: 80
-    targetPort: 80
-  selector:
-    app: guestbook-ui
@@ -0,0 +1,28 @@
+apiVersion: v2
+name: kite
+description: A Helm chart for Kubernetes
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+appVersion: "1.0"
+
+dependencies:
+- name: kite
+  version: 0.10.0
+  repository: https://zxh326.github.io/kite
@@ -0,0 +1,30 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: kite-secret
+  namespace: {{ .Release.Namespace }}
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    name: weyma-vault
+    kind: ClusterSecretStore
+  target:
+    name: kite-secret
+    creationPolicy: Owner
+  data:
+  - secretKey: JWT_SECRET
+    remoteRef:
+      key: kite
+      property: JWT_SECRET
+  - secretKey: KITE_ENCRYPT_KEY
+    remoteRef:
+      key: kite
+      property: KITE_ENCRYPT_KEY
+  - secretKey: KITE_PASSWORD
+    remoteRef:
+      key: kite
+      property: KITE_PASSWORD
+  - secretKey: KITE_USERNAME
+    remoteRef:
+      key: kite
+      property: KITE_USERNAME
@@ -0,0 +1,22 @@
+kite:
+  host: "https://weyma-kite.infra.dubyatp.xyz"
+  deploymentStrategy:
+    type: Recreate
+  secret:
+    create: false
+    existingSecret: kite-secret
+  db:
+    sqlite:
+      persistence:
+        pvc:
+          enabled: true
+  ingress:
+    enabled: true
+    className: "traefik"
+    hosts:
+      - host: weyma-kite.infra.dubyatp.xyz
+        paths:
+          - path: /
+            pathType: ImplementationSpecific
+  podAnnotations:
+    backup.velero.io/backup-volumes: kite-storage
@@ -24,5 +24,5 @@ appVersion: "1.0"

 dependencies:
 - name: kubernetes-replicator
-  version: 2.12.0
+  version: 2.12.3
  repository: https://helm.mittwald.de
@@ -0,0 +1,14 @@
+apiVersion: kubevirt.io/v1
+kind: KubeVirt
+metadata:
+  annotations:
+    kubevirt.io/latest-observed-api-version: v1
+    kubevirt.io/storage-observed-api-version: v1
+  name: kubevirt
+  namespace: kubevirt
+spec:
+  configuration:
+    developerConfiguration:
+      featureGates:
+      - MultiArchitecture
+  imagePullPolicy: IfNotPresent
@@ -24,5 +24,5 @@ appVersion: "1.0"

 dependencies:
 - name: metallb
-  version: 0.15.2
+  version: 0.15.3
  repository: https://metallb.github.io/metallb
@@ -1,365 +1,7 @@
-# Default values for metallb.
-# This is a YAML-formatted file.
-# Declare variables to be passed into your templates.
-
-imagePullSecrets: []
-nameOverride: ""
-fullnameOverride: ""
-loadBalancerClass: ""
-
-# To configure MetalLB, you must specify ONE of the following two
-# options.
-
-rbac:
-  # create specifies whether to install and use RBAC rules.
-  create: true
-
+metallb:
  prometheus:
-  # scrape annotations specifies whether to add Prometheus metric
-  # auto-collection annotations to pods. See
-  # https://github.com/prometheus/prometheus/blob/release-2.1/documentation/examples/prometheus-kubernetes.yml
-  # for a corresponding Prometheus configuration. Alternatively, you
-  # may want to use the Prometheus Operator
-  # (https://github.com/coreos/prometheus-operator) for more powerful
-  # monitoring configuration. If you use the Prometheus operator, this
-  # can be left at false.
-  scrapeAnnotations: false
-
-  # port both controller and speaker will listen on for metrics
-  metricsPort: 7472
-
-  # if set, enables rbac proxy on the controller and speaker to expose
-  # the metrics via tls.
-  # secureMetricsPort: 9120
-
-  # the name of the secret to be mounted in the speaker pod
-  # to expose the metrics securely. If not present, a self signed
-  # certificate to be used.
-  speakerMetricsTLSSecret: ""
-
-  # the name of the secret to be mounted in the controller pod
-  # to expose the metrics securely. If not present, a self signed
-  # certificate to be used.
-  controllerMetricsTLSSecret: ""
-
-  # prometheus doesn't have the permission to scrape all namespaces so we give it permission to scrape metallb's one
-  rbacPrometheus: true
-
-  # the service account used by prometheus
-  # required when " .Values.prometheus.rbacPrometheus == true " and " .Values.prometheus.podMonitor.enabled=true or prometheus.serviceMonitor.enabled=true "
-  serviceAccount: ""
-
-  # the namespace where prometheus is deployed
-  # required when " .Values.prometheus.rbacPrometheus == true " and " .Values.prometheus.podMonitor.enabled=true or prometheus.serviceMonitor.enabled=true "
-  namespace: ""
-
-  # the image to be used for the kuberbacproxy container
-  rbacProxy:
-    repository: gcr.io/kubebuilder/kube-rbac-proxy
-    tag: v0.12.0
-    pullPolicy:
-
-  # Prometheus Operator PodMonitors
+    rbacPrometheus: false
    podMonitor:
-    # enable support for Prometheus Operator
-    enabled: false
-
-    # optional additional labels for podMonitors
-    additionalLabels: {}
-
-    # optional annotations for podMonitors
-    annotations: {}
-
-    # Job label for scrape target
-    jobLabel: "app.kubernetes.io/name"
-
-    # Scrape interval. If not set, the Prometheus default scrape interval is used.
-    interval:
-
-    # 	metric relabel configs to apply to samples before ingestion.
-    metricRelabelings: []
-    # - action: keep
-    #   regex: 'kube_(daemonset|deployment|pod|namespace|node|statefulset).+'
-    #   sourceLabels: [__name__]
-
-    # 	relabel configs to apply to samples before ingestion.
-    relabelings: []
-    # - sourceLabels: [__meta_kubernetes_pod_node_name]
-    #   separator: ;
-    #   regex: ^(.*)$
-    #   target_label: nodename
-    #   replacement: $1
-    #   action: replace
-
-  # Prometheus Operator ServiceMonitors. To be used as an alternative
-  # to podMonitor, supports secure metrics.
-  serviceMonitor:
-    # enable support for Prometheus Operator
-    enabled: false
-
-    speaker:
-      # optional additional labels for the speaker serviceMonitor
-      additionalLabels: {}
-      # optional additional annotations for the speaker serviceMonitor
-      annotations: {}
-      # optional tls configuration for the speaker serviceMonitor, in case
-      # secure metrics are enabled.
-      tlsConfig:
-        insecureSkipVerify: true
-
-    controller:
-      # optional additional labels for the controller serviceMonitor
-      additionalLabels: {}
-      # optional additional annotations for the controller serviceMonitor
-      annotations: {}
-      # optional tls configuration for the controller serviceMonitor, in case
-      # secure metrics are enabled.
-      tlsConfig:
-        insecureSkipVerify: true
-
-    # Job label for scrape target
-    jobLabel: "app.kubernetes.io/name"
-
-    # Scrape interval. If not set, the Prometheus default scrape interval is used.
-    interval:
-
-    # 	metric relabel configs to apply to samples before ingestion.
-    metricRelabelings: []
-    # - action: keep
-    #   regex: 'kube_(daemonset|deployment|pod|namespace|node|statefulset).+'
-    #   sourceLabels: [__name__]
-
-    # 	relabel configs to apply to samples before ingestion.
-    relabelings: []
-    # - sourceLabels: [__meta_kubernetes_pod_node_name]
-    #   separator: ;
-    #   regex: ^(.*)$
-    #   target_label: nodename
-    #   replacement: $1
-    #   action: replace
-
-  # Prometheus Operator alertmanager alerts
+      enabled: true
    prometheusRule:
-    # enable alertmanager alerts
-    enabled: false
-
-    # optional additional labels for prometheusRules
-    additionalLabels: {}
-
-    # optional annotations for prometheusRules
-    annotations: {}
-
-    # MetalLBStaleConfig
-    staleConfig:
      enabled: true
-      labels:
-        severity: warning
-
-    # MetalLBConfigNotLoaded
-    configNotLoaded:
-      enabled: true
-      labels:
-        severity: warning
-
-    # MetalLBAddressPoolExhausted
-    addressPoolExhausted:
-      enabled: true
-      labels:
-        severity: critical
-
-    addressPoolUsage:
-      enabled: true
-      thresholds:
-        - percent: 75
-          labels:
-            severity: warning
-        - percent: 85
-          labels:
-            severity: warning
-        - percent: 95
-          labels:
-            severity: critical
-
-    # MetalLBBGPSessionDown
-    bgpSessionDown:
-      enabled: true
-      labels:
-        severity: critical
-
-    extraAlerts: []
-
-# controller contains configuration specific to the MetalLB cluster
-# controller.
-controller:
-  enabled: true
-  # -- Controller log level. Must be one of: `all`, `debug`, `info`, `warn`, `error` or `none`
-  logLevel: info
-  # command: /controller
-  # webhookMode: enabled
-  image:
-    repository: quay.io/metallb/controller
-    tag: v0.15.2
-    pullPolicy:
-  ## @param controller.updateStrategy.type Metallb controller deployment strategy type.
-  ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
-  ## e.g:
-  ## strategy:
-  ##  type: RollingUpdate
-  ##  rollingUpdate:
-  ##    maxSurge: 25%
-  ##    maxUnavailable: 25%
-  ##
-  strategy:
-    type: RollingUpdate
-  serviceAccount:
-    # Specifies whether a ServiceAccount should be created
-    create: true
-    # The name of the ServiceAccount to use. If not set and create is
-    # true, a name is generated using the fullname template
-    name: ""
-    annotations: {}
-  securityContext:
-    runAsNonRoot: true
-    # nobody
-    runAsUser: 65534
-    fsGroup: 65534
-  resources: {}
-    # limits:
-      # cpu: 100m
-      # memory: 100Mi
-  nodeSelector: {}
-  tolerations: []
-  priorityClassName: ""
-  runtimeClassName: ""
-  affinity: {}
-  podAnnotations: {}
-  labels: {}
-  livenessProbe:
-    enabled: true
-    failureThreshold: 3
-    initialDelaySeconds: 10
-    periodSeconds: 10
-    successThreshold: 1
-    timeoutSeconds: 1
-  readinessProbe:
-    enabled: true
-    failureThreshold: 3
-    initialDelaySeconds: 10
-    periodSeconds: 10
-    successThreshold: 1
-    timeoutSeconds: 1
-  tlsMinVersion: "VersionTLS12"
-  tlsCipherSuites: ""
-
-  extraContainers: []
-
-# speaker contains configuration specific to the MetalLB speaker
-# daemonset.
-speaker:
-  enabled: true
-  # command: /speaker
-  # -- Speaker log level. Must be one of: `all`, `debug`, `info`, `warn`, `error` or `none`
-  logLevel: info
-  tolerateMaster: true
-  memberlist:
-    enabled: true
-    mlBindPort: 7946
-    mlBindAddrOverride: ""
-    mlSecretKeyPath: "/etc/ml_secret_key"
-  excludeInterfaces:
-    enabled: true
-  # ignore the exclude-from-external-loadbalancer label
-  ignoreExcludeLB: false
-
-  image:
-    repository: quay.io/metallb/speaker
-    tag: v0.15.2
-    pullPolicy:
-  ## @param speaker.updateStrategy.type Speaker daemonset strategy type
-  ## ref: https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/
-  ##
-  updateStrategy:
-    ## StrategyType
-    ## Can be set to RollingUpdate or OnDelete
-    ##
-    type: RollingUpdate
-  serviceAccount:
-    # Specifies whether a ServiceAccount should be created
-    create: true
-    # The name of the ServiceAccount to use. If not set and create is
-    # true, a name is generated using the fullname template
-    name: ""
-    annotations: {}
-  securityContext: {}
-  ## Defines a secret name for the controller to generate a memberlist encryption secret
-  ## By default secretName: {{ "metallb.fullname" }}-memberlist
-  ##
-  # secretName:
-  resources: {}
-    # limits:
-      # cpu: 100m
-      # memory: 100Mi
-  nodeSelector: {}
-  tolerations: []
-  priorityClassName: ""
-  affinity: {}
-  ## Selects which runtime class will be used by the pod.
-  runtimeClassName: ""
-  podAnnotations: {}
-  labels: {}
-  livenessProbe:
-    enabled: true
-    failureThreshold: 3
-    initialDelaySeconds: 10
-    periodSeconds: 10
-    successThreshold: 1
-    timeoutSeconds: 1
-  readinessProbe:
-    enabled: true
-    failureThreshold: 3
-    initialDelaySeconds: 10
-    periodSeconds: 10
-    successThreshold: 1
-    timeoutSeconds: 1
-  startupProbe:
-    enabled: true
-    failureThreshold: 30
-    periodSeconds: 5
-  # frr contains configuration specific to the MetalLB FRR container,
-  # for speaker running alongside FRR.
-  frr:
-    enabled: false
-    image:
-      repository: quay.io/frrouting/frr
-      tag: 10.4.1
-      pullPolicy:
-    metricsPort: 7473
-    resources: {}
-
-    # if set, enables a rbac proxy sidecar container on the speaker to
-    # expose the frr metrics via tls.
-    # secureMetricsPort: 9121
-
-
-  reloader:
-    resources: {}
-
-  frrMetrics:
-    resources: {}
-
-  extraContainers: []
-
-crds:
-  enabled: true
-  validationFailurePolicy: Fail
-
-# frrk8s contains the configuration related to using an frrk8s instance
-# (github.com/metallb/frr-k8s) as the backend for the BGP implementation.
-# This allows configuring additional frr parameters in combination to those
-# applied by MetalLB.
-frrk8s:
-  # if set, enables frrk8s as a backend. This is mutually exclusive to frr
-  # mode.
-  enabled: false
-  external: false
-  namespace: ""
@@ -0,0 +1,28 @@
+apiVersion: v2
+name: kube-prometheus-stack
+description: A Helm chart for Kubernetes
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+appVersion: "1.0"
+
+dependencies:
+- name: kube-prometheus-stack
+  version: 83.7.0
+  repository: https://prometheus-community.github.io/helm-charts
@@ -1,21 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: prometheus-agent
-rules:
-  - apiGroups: [""]
-    resources:
-      - nodes
-      - nodes/proxy
-      - nodes/metrics
-      - services
-      - endpoints
-      - pods
-    verbs: ["get", "list", "watch"]
-
-  - apiGroups: ["extensions"]
-    resources: ["ingresses"]
-    verbs: ["get", "list", "watch"]
-
-  - nonResourceURLs: ["/metrics"]
-    verbs: ["get"]
@@ -1,108 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: prom-agent-config
-  namespace: monitoring
-data:
-  prometheus.yml: |
-    global:
-      scrape_interval: 15s
-    scrape_configs:
-      - job_name: 'weyma-talos-nodes-kubelet'
-        kubernetes_sd_configs:
-          - role: node
-        scheme: https
-        tls_config:
-          insecure_skip_verify: true
-        authorization:
-          credentials_file: /var/run/secrets/kubernetes.io/serviceaccount/token
-        relabel_configs:
-          - action: labelmap
-            regex: __meta_kubernetes_node_label_(.+)
-          - action: labeldrop
-            regex: cpu_feature_node_kubevirt_io_.+
-          - action: labeldrop
-            regex: cpu_model_migration_node_kubevirt_io_.+
-          - action: labeldrop
-            regex: cpu_model_node_kubevirt_io_.+
-          - action: labeldrop
-            regex: cpu_timer_node_kubevirt_io_.+
-          - action: labeldrop
-            regex: cpu_vendor_node_kubevirt_io_.+
-          - action: labeldrop
-            regex: host_model_cpu_node_kubevirt_io_.+
-          - action: labeldrop
-            regex: host_model_required_features_node_kubevirt_io_.+
-          - action: labeldrop
-            regex: hyperv_node_kubevirt_io_.+
-      - job_name: 'weyma-talos-nodes-metrics'
-        kubernetes_sd_configs:
-          - role: node
-        scheme: https
-        tls_config:
-          insecure_skip_verify: true
-        authorization:
-          credentials_file: /var/run/secrets/kubernetes.io/serviceaccount/token
-        relabel_configs:
-          - source_labels: [__address__]
-            regex: (.+):\d+
-            target_label: __address__
-            replacement: ${1}:9100
-          - action: labelmap
-            regex: __meta_kubernetes_node_label_(.+)
-          - action: labeldrop
-            regex: cpu_feature_node_kubevirt_io_.+
-          - action: labeldrop
-            regex: cpu_model_migration_node_kubevirt_io_.+
-          - action: labeldrop
-            regex: cpu_model_node_kubevirt_io_.+
-          - action: labeldrop
-            regex: cpu_timer_node_kubevirt_io_.+
-          - action: labeldrop
-            regex: cpu_vendor_node_kubevirt_io_.+
-          - action: labeldrop
-            regex: host_model_cpu_node_kubevirt_io_.+
-          - action: labeldrop
-            regex: host_model_required_features_node_kubevirt_io_.+
-          - action: labeldrop
-            regex: hyperv_node_kubevirt_io_.+
-      - job_name: 'weyma-talos-service-endpoints'
-        kubernetes_sd_configs:
-          - role: endpoints
-        relabel_configs:
-          - source_labels: [__meta_kubernetes_service_label_metrics_enabled]
-            regex: true
-            action: keep
-          - action: labelmap
-            regex: __meta_kubernetes_service_label_(.+)
-          - source_labels: [__meta_kubernetes_namespace]
-            action: replace
-            target_label: namespace
-          - source_labels: [__meta_kubernetes_service_name]
-            action: replace
-            target_label: service
-      - job_name: 'weyma-talos-rook'
-        kubernetes_sd_configs:
-          - role: endpoints
-        relabel_configs:
-          - source_labels: [__meta_kubernetes_service_name]
-            regex: ^rook-ceph-(exporter|mgr)$
-            action: keep
-          - source_labels: [__address__]
-            regex: ^[^:]+:(9283|9926)$
-            action: keep
-          - action: labelmap
-            regex: __meta_kubernetes_service_label_(.+)
-          - source_labels: [__meta_kubernetes_namespace]
-            action: replace
-            target_label: namespace
-          - source_labels: [__meta_kubernetes_service_name]
-            action: replace
-            target_label: service
-    remote_write:
-      - url: "https://10.105.15.20:30104/api/v1/write"
-        basic_auth:
-          username: prometheus
-          password_file: /etc/prometheus/secrets/.basicauthpass
-        tls_config:
-          insecure_skip_verify: true
@@ -1,41 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: prometheus-agent
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: prometheus-agent
-  template:
-    metadata:
-      labels:
-        app: prometheus-agent
-    spec:
-      serviceAccountName: prometheus-agent
-      containers:
-        - name: prometheus
-          image: prom/prometheus:v3.2.1
-          args:
-            - "--config.file=/etc/prometheus/prometheus.yml"
-            - "--agent"
-          resources:
-            requests:
-              cpu: 200m
-              memory: 256Mi
-            limits:
-              cpu: 500m
-              memory: 1Gi
-          volumeMounts:
-            - name: config-volume
-              mountPath: /etc/prometheus
-            - name: auth
-              mountPath: /etc/prometheus/secrets
-      volumes:
-        - name: config-volume
-          configMap:
-            name: prom-agent-config
-        - name: auth
-          secret:
-            secretName: prometheus-auth
-            
@@ -1,22 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  labels:
-    app.kubernetes.io/component: exporter
-    app.kubernetes.io/name: node-exporter
-    app.kubernetes.io/part-of: kube-prometheus
-    app.kubernetes.io/version: 1.9.1
-  name: node-exporter
-rules:
- apiGroups:
-  - authentication.k8s.io
-  resources:
-  - tokenreviews
-  verbs:
-  - create
- apiGroups:
-  - authorization.k8s.io
-  resources:
-  - subjectaccessreviews
-  verbs:
-  - create
@@ -1,17 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  labels:
-    app.kubernetes.io/component: exporter
-    app.kubernetes.io/name: node-exporter
-    app.kubernetes.io/part-of: kube-prometheus
-    app.kubernetes.io/version: 1.9.1
-  name: node-exporter
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: node-exporter
-subjects:
- kind: ServiceAccount
-  name: node-exporter
-  namespace: monitoring
@@ -1,121 +0,0 @@
-apiVersion: apps/v1
-kind: DaemonSet
-metadata:
-  labels:
-    app.kubernetes.io/component: exporter
-    app.kubernetes.io/name: node-exporter
-    app.kubernetes.io/part-of: kube-prometheus
-    app.kubernetes.io/version: 1.9.1
-  name: node-exporter
-  namespace: monitoring
-spec:
-  selector:
-    matchLabels:
-      app.kubernetes.io/component: exporter
-      app.kubernetes.io/name: node-exporter
-      app.kubernetes.io/part-of: kube-prometheus
-  template:
-    metadata:
-      annotations:
-        kubectl.kubernetes.io/default-container: node-exporter
-      labels:
-        app.kubernetes.io/component: exporter
-        app.kubernetes.io/name: node-exporter
-        app.kubernetes.io/part-of: kube-prometheus
-        app.kubernetes.io/version: 1.9.1
-    spec:
-      automountServiceAccountToken: true
-      containers:
-      - args:
-        - --web.listen-address=127.0.0.1:9100
-        - --path.sysfs=/host/sys
-        - --path.rootfs=/host/root
-        - --path.udev.data=/host/root/run/udev/data
-        - --no-collector.wifi
-        - --no-collector.hwmon
-        - --no-collector.btrfs
-        - --collector.filesystem.mount-points-exclude=^/(dev|proc|sys|run/k3s/containerd/.+|var/lib/docker/.+|var/lib/kubelet/pods/.+)($|/)
-        - --collector.netclass.ignored-devices=^(veth.*|[a-f0-9]{15})$
-        - --collector.netdev.device-exclude=^(veth.*|[a-f0-9]{15})$
-        image: quay.io/prometheus/node-exporter:v1.9.1
-        name: node-exporter
-        resources:
-          limits:
-            cpu: 250m
-            memory: 180Mi
-          requests:
-            cpu: 102m
-            memory: 180Mi
-        securityContext:
-          allowPrivilegeEscalation: false
-          capabilities:
-            add:
-            - SYS_TIME
-            drop:
-            - ALL
-          readOnlyRootFilesystem: true
-        volumeMounts:
-        - mountPath: /host/sys
-          mountPropagation: HostToContainer
-          name: sys
-          readOnly: true
-        - mountPath: /host/root
-          mountPropagation: HostToContainer
-          name: root
-          readOnly: true
-      - args:
-        - --secure-listen-address=[$(IP)]:9100
-        - --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
-        - --upstream=http://127.0.0.1:9100/
-        env:
-        - name: IP
-          valueFrom:
-            fieldRef:
-              fieldPath: status.podIP
-        image: quay.io/brancz/kube-rbac-proxy:v0.19.1
-        name: kube-rbac-proxy
-        ports:
-        - containerPort: 9100
-          hostPort: 9100
-          name: https
-        resources:
-          limits:
-            cpu: 20m
-            memory: 40Mi
-          requests:
-            cpu: 10m
-            memory: 20Mi
-        securityContext:
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop:
-            - ALL
-          readOnlyRootFilesystem: true
-          runAsGroup: 65532
-          runAsNonRoot: true
-          runAsUser: 65532
-          seccompProfile:
-            type: RuntimeDefault
-      hostNetwork: true
-      hostPID: true
-      nodeSelector:
-        kubernetes.io/os: linux
-      priorityClassName: system-cluster-critical
-      securityContext:
-        runAsGroup: 65534
-        runAsNonRoot: true
-        runAsUser: 65534
-      serviceAccountName: node-exporter
-      tolerations:
-      - operator: Exists
-      volumes:
-      - hostPath:
-          path: /sys
-        name: sys
-      - hostPath:
-          path: /
-        name: root
-  updateStrategy:
-    rollingUpdate:
-      maxUnavailable: 10%
-    type: RollingUpdate
@@ -1,29 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
-  labels:
-    app.kubernetes.io/component: exporter
-    app.kubernetes.io/name: node-exporter
-    app.kubernetes.io/part-of: kube-prometheus
-    app.kubernetes.io/version: 1.9.1
-  name: node-exporter
-  namespace: monitoring
-spec:
-  egress:
-  - {}
-  ingress:
-  - from:
-    - podSelector:
-        matchLabels:
-          app.kubernetes.io/name: prometheus
-    ports:
-    - port: 9100
-      protocol: TCP
-  podSelector:
-    matchLabels:
-      app.kubernetes.io/component: exporter
-      app.kubernetes.io/name: node-exporter
-      app.kubernetes.io/part-of: kube-prometheus
-  policyTypes:
-  - Egress
-  - Ingress
@@ -1,19 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    app.kubernetes.io/component: exporter
-    app.kubernetes.io/name: node-exporter
-    app.kubernetes.io/part-of: kube-prometheus
-    app.kubernetes.io/version: 1.9.1
-  name: node-exporter
-  namespace: monitoring
-spec:
-  ports:
-  - name: https
-    port: 9100
-    targetPort: https
-  selector:
-    app.kubernetes.io/component: exporter
-    app.kubernetes.io/name: node-exporter
-    app.kubernetes.io/part-of: kube-prometheus
@@ -1,11 +0,0 @@
-apiVersion: v1
-automountServiceAccountToken: false
-kind: ServiceAccount
-metadata:
-  labels:
-    app.kubernetes.io/component: exporter
-    app.kubernetes.io/name: node-exporter
-    app.kubernetes.io/part-of: kube-prometheus
-    app.kubernetes.io/version: 1.9.1
-  name: node-exporter
-  namespace: monitoring
@@ -1,17 +0,0 @@
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: prometheus-auth
-spec:
-  refreshInterval: 1h
-  secretStoreRef:
-    name: weyma-vault
-    kind: ClusterSecretStore
-  target:
-    name: prometheus-auth
-    creationPolicy: Owner
-  data:
-  - secretKey: .basicauthpass
-    remoteRef:
-      key: monitoring
-      property: prometheus-password
@@ -1,5 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: prometheus-agent
-  namespace: monitoring
@@ -0,0 +1,22 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: discord-webhook
+  namespace: {{ .Release.Namespace }}
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    name: weyma-vault
+    kind: ClusterSecretStore
+  target:
+    name: discord-webhook
+    creationPolicy: Owner
+  data:
+  - secretKey: webhook
+    remoteRef:
+      conversionStrategy: Default
+      decodingStrategy: None
+      metadataPolicy: None
+      nullBytePolicy: Ignore
+      key: monitoring
+      property: discord_webhook
@@ -0,0 +1,67 @@
+{{- if .Values.discord.enabled }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: alertmanager-discord
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: alertmanager-discord
+    app.kubernetes.io/instance: {{ .Release.Name }}
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: alertmanager-discord
+  template:
+    metadata:
+      labels:
+        app: alertmanager-discord
+    spec:
+      containers:
+        - name: alertmanager-discord
+          image: {{ .Values.discord.image | default "ghcr.io/rogerrum/alertmanager-discord:1.0.7" }}
+          ports:
+            - containerPort: 9094
+          env:
+            - name: LISTEN_ADDRESS
+              value: "0.0.0.0:9094"
+            - name: DISCORD_WEBHOOK
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.discord.secret.name | quote }}
+                  key: {{ .Values.discord.secret.key | quote }}
+            {{- if .Values.discord.username }}
+            - name: DISCORD_USERNAME
+              value: {{ .Values.discord.username | quote }}
+            {{- end }}
+            {{- if .Values.discord.avatar_url }}
+            - name: DISCORD_AVATAR_URL
+              value: {{ .Values.discord.avatar_url | quote }}
+            {{- end }}
+            {{- if .Values.discord.verbose }}
+            - name: VERBOSE
+              value: "ON"
+            {{- end }}
+          resources:
+            requests:
+              memory: "128Mi"
+              cpu: "500m"
+            limits:
+              memory: "512Mi"
+              cpu: "1"
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: alertmanager-discord
+  namespace: {{ .Release.Namespace }}
+spec:
+  type: ClusterIP
+  selector:
+    app: alertmanager-discord
+  ports:
+    - port: 9094
+      targetPort: 9094
+      protocol: TCP
+{{- end }}
@@ -0,0 +1,80 @@
+kube-prometheus-stack:
+  alertmanager:
+    config:
+      route:
+        group_by: ['namespace']
+        group_wait: 30s
+        group_interval: 5m
+        repeat_interval: 12h
+        receiver: 'null'
+        routes:
+        - receiver: "discord_webhook"
+          matchers:
+            - severity = "critical"
+          continue: false
+        - receiver: 'null'
+      receivers:
+      - name: "null"
+      - name: "discord_webhook"
+        webhook_configs:
+          - url: "http://alertmanager-discord:9094"
+    alertmanagerSpec:
+      storage:
+        volumeClaimTemplate:
+          spec:
+            storageClassName: rook-ceph-block
+            accessModes: ["ReadWriteOnce"]
+            resources:
+              requests:
+                storage: 50Gi
+  additionalPrometheusRulesMap:
+    rule-name:
+      groups:
+        - name: AdditionalAlerts
+          rules:
+            - alert: ExcessiveWarnings
+              expr: count(ALERTS{severity="warning",alertstate="firing"}) >= 5
+              for: 1m
+              labels:
+                severity: critical
+              annotations:
+                summary: Excessive 'warning' alerts are firing in the cluster
+                description: "{{ $value }} alerts with 'warning' severity are firing and could be a sign of catastrophic failure in the cluster"
+  prometheusOperator:
+    admissionWebhooks:
+      certManager:
+        enabled: true
+  prometheus:
+    prometheusSpec:
+      ruleSelectorNilUsesHelmValues: false
+      serviceMonitorSelectorNilUsesHelmValues: false
+      podMonitorSelectorNilUsesHelmValues: false
+      probeSelectorNilUsesHelmValues: false
+      scrapeConfigSelectorNilUsesHelmValues: false
+      storageSpec:
+        volumeClaimTemplate:
+          spec:
+            storageClassName: rook-ceph-block
+            accessModes: ["ReadWriteOnce"]
+            resources:
+              requests:
+                storage: 50Gi
+  thanosRuler:  
+    thanosRulerSpec:
+      storage:
+        volumeClaimTemplate:
+          spec:
+            storageClassName: rook-ceph-block
+            accessModes: ["ReadWriteOnce"]
+            resources:
+              requests:
+                storage: 50Gi
+  grafana:
+    enabled: false # Grafana is instead deployed in its own namespace in the core-apps repo
+discord:
+  enabled: true
+  secret:
+    name: discord-webhook
+    key: webhook
+  username: "Alertmanager"
+  verbose: true
@@ -0,0 +1,29 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: multus
+rules:
+  - apiGroups: ["k8s.cni.cncf.io"]
+    resources:
+      - '*'
+    verbs:
+      - '*'
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+      - pods/status
+    verbs:
+      - get
+      - list
+      - update
+      - watch
+  - apiGroups:
+      - ""
+      - events.k8s.io
+    resources:
+      - events
+    verbs:
+      - create
+      - patch
+      - update
@@ -1,12 +1,12 @@
-apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: prometheus-agent
+  name: multus
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
-  name: prometheus-agent
+  name: multus
 subjects:
  - kind: ServiceAccount
-    name: prometheus-agent
-    namespace: monitoring
+    name: multus
+    namespace: kube-system
@@ -0,0 +1,20 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: multus-daemon-config
+  namespace: kube-system
+  labels:
+    tier: node
+    app: multus
+data:
+  daemon-config.json: |
+    {
+        "chrootDir": "/hostroot",
+        "cniVersion": "0.3.1",
+        "logLevel": "verbose",
+        "logToStderr": true,
+        "cniConfigDir": "/host/etc/cni/net.d",
+        "multusAutoconfigDir": "/host/etc/cni/net.d",
+        "multusConfigFile": "auto",
+        "socketDir": "/host/run/multus/"
+    }
@@ -0,0 +1,44 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: network-attachment-definitions.k8s.cni.cncf.io
+spec:
+  group: k8s.cni.cncf.io
+  scope: Namespaced
+  names:
+    plural: network-attachment-definitions
+    singular: network-attachment-definition
+    kind: NetworkAttachmentDefinition
+    shortNames:
+      - net-attach-def
+  versions:
+    - name: v1
+      served: true
+      storage: true
+      schema:
+        openAPIV3Schema:
+          description: 'NetworkAttachmentDefinition is a CRD schema specified by the Network Plumbing
+            Working Group to express the intent for attaching pods to one or more logical or physical
+            networks. More information available at: https://github.com/k8snetworkplumbingwg/multi-net-spec'
+          type: object
+          properties:
+            apiVersion:
+              description: 'APIVersion defines the versioned schema of this represen
+                tation of an object. Servers should convert recognized schemas to the
+                latest internal value, and may reject unrecognized values. More info:
+                https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+              type: string
+            kind:
+              description: 'Kind is a string value representing the REST resource this
+                object represents. Servers may infer this from the endpoint the client
+                submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+              type: string
+            metadata:
+              type: object
+            spec:
+              description: 'NetworkAttachmentDefinition spec defines the desired state of a network attachment'
+              type: object
+              properties:
+                config:
+                  description: 'NetworkAttachmentDefinition config is a JSON-formatted CNI configuration'
+                  type: string
@@ -0,0 +1,132 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: kube-multus-ds
+  namespace: kube-system
+  labels:
+    tier: node
+    app: multus
+    name: multus
+spec:
+  selector:
+    matchLabels:
+      name: multus
+  updateStrategy:
+    type: RollingUpdate
+  template:
+    metadata:
+      labels:
+        tier: node
+        app: multus
+        name: multus
+    spec:
+      hostNetwork: true
+      hostPID: true
+      tolerations:
+        - operator: Exists
+          effect: NoSchedule
+        - operator: Exists
+          effect: NoExecute
+      serviceAccountName: multus
+      containers:
+        - name: kube-multus
+          image: ghcr.io/k8snetworkplumbingwg/multus-cni:v4.2.3-thick
+          command: [ "/usr/src/multus-cni/bin/multus-daemon" ]
+          resources:
+            requests:
+              cpu: "100m"
+              memory: "64Mi"
+            limits:
+              cpu: "200m"
+              memory: "256Mi"
+          securityContext:
+            privileged: true
+          terminationMessagePolicy: FallbackToLogsOnError
+          volumeMounts:
+            - name: cni
+              mountPath: /host/etc/cni/net.d
+            # multus-daemon expects that cnibin path must be identical between pod and container host.
+            # e.g. if the cni bin is in '/opt/cni/bin' on the container host side, then it should be mount to '/opt/cni/bin' in multus-daemon,
+            # not to any other directory, like '/opt/bin' or '/usr/bin'.
+            - name: cnibin
+              mountPath: /opt/cni/bin
+            - name: host-run
+              mountPath: /host/run
+            - name: host-var-lib-cni-multus
+              mountPath: /var/lib/cni/multus
+            - name: host-var-lib-kubelet
+              mountPath: /var/lib/kubelet
+              mountPropagation: HostToContainer
+            - name: host-run-k8s-cni-cncf-io
+              mountPath: /run/k8s.cni.cncf.io
+            - name: host-run-netns
+              mountPath: /run/netns
+              mountPropagation: HostToContainer
+            - name: multus-daemon-config
+              mountPath: /etc/cni/net.d/multus.d
+              readOnly: true
+            - name: hostroot
+              mountPath: /hostroot
+              mountPropagation: HostToContainer
+            - mountPath: /etc/cni/multus/net.d
+              name: multus-conf-dir
+          env:
+            - name: MULTUS_NODE_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
+      initContainers:
+        - name: install-multus-binary
+          image: ghcr.io/k8snetworkplumbingwg/multus-cni:v4.2.3-thick
+          command:
+            - "/usr/src/multus-cni/bin/install_multus"
+            - "-d"
+            - "/host/opt/cni/bin"
+            - "-t"
+            - "thick"
+          resources:
+            requests:
+              cpu: "10m"
+              memory: "15Mi"
+          securityContext:
+            privileged: true
+          terminationMessagePolicy: FallbackToLogsOnError
+          volumeMounts:
+            - name: cnibin
+              mountPath: /host/opt/cni/bin
+              mountPropagation: Bidirectional
+      terminationGracePeriodSeconds: 10
+      volumes:
+        - name: cni
+          hostPath:
+            path: /etc/cni/net.d
+        - name: cnibin
+          hostPath:
+            path: /opt/cni/bin
+        - name: hostroot
+          hostPath:
+            path: /
+        - name: multus-daemon-config
+          configMap:
+            name: multus-daemon-config
+            items:
+            - key: daemon-config.json
+              path: daemon-config.json
+        - name: host-run
+          hostPath:
+            path: /run
+        - name: host-var-lib-cni-multus
+          hostPath:
+            path: /var/lib/cni/multus
+        - name: host-var-lib-kubelet
+          hostPath:
+            path: /var/lib/kubelet
+        - name: host-run-k8s-cni-cncf-io
+          hostPath:
+            path: /run/k8s.cni.cncf.io
+        - name: host-run-netns
+          hostPath:
+            path: /var/run/netns/
+        - name: multus-conf-dir
+          hostPath:
+            path: /etc/cni/multus/net.d
@@ -0,0 +1,32 @@
+apiVersion: "k8s.cni.cncf.io/v1"
+kind: NetworkAttachmentDefinition
+metadata:
+  name: kubevirt-nad
+spec:
+  config: '{
+    "cniVersion": "0.4.0",
+    "type": "bridge",
+    "bridge": "br0",
+    "ipam": {
+      "type": "whereabouts",
+      "range": "10.105.20.0/24",
+      "exclude": [
+        "10.105.20.1/32",
+        "10.105.20.254/32",
+        "10.105.20.253/32",
+        "10.105.20.252/32",
+        "10.105.20.251/32",
+        "10.105.20.250/32",
+        "10.105.20.249/32"
+      ],
+      "routes": [
+        {
+          "dst": "0.0.0.0/0",
+          "gw": "10.105.20.1"
+        }
+      ],
+      "dns": {
+        "nameservers": ["10.10.10.10"]
+      }
+    }
+   }'
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: multus
+  namespace: kube-system
@@ -21,7 +21,7 @@ spec:
    # versions running within the cluster. See tags available at https://hub.docker.com/r/ceph/ceph/tags/.
    # If you want to be more precise, you can always use a timestamp tag such as quay.io/ceph/ceph:v19.2.1-20250202
    # This tag might not contain a new Ceph version, just security fixes from the underlying operating system, which will reduce vulnerabilities
-    image: quay.io/ceph/ceph:v19.2.1
+    image: quay.io/ceph/ceph:v20.2.0-20251104
    # Whether to allow unsupported versions of Ceph. Currently Reef and Squid are supported.
    # Future versions such as Tentacle (v20) would require this to be set to `true`.
    # Do not set to true in production.
@@ -24,5 +24,5 @@ appVersion: "1.0"

 dependencies:
 - name: rook-ceph
-  version: v1.17.7
+  version: v1.19.4
  repository: https://charts.rook.io/release
@@ -0,0 +1,842 @@
+{{- if and .Values.monitoring.enabled -}}
+---
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+  name: prometheus-pvc-rules
+  namespace: {{ .Release.Namespace }}
+spec:
+  groups:
+    - name: persistent-volume-alert.rules
+      rules:
+        - alert: PersistentVolumeUsageNearFull
+          annotations:
+            description: PVC {{ "{{" }} $labels.persistentvolumeclaim {{ "}}" }} utilization has crossed 75%. Free up some space or expand the PVC.
+            message: PVC {{ "{{" }} $labels.persistentvolumeclaim {{ "}}" }} is nearing full. Data deletion or PVC expansion is required.
+            severity_level: warning
+            storage_type: ceph
+          expr: |
+            (kubelet_volume_stats_used_bytes * on (namespace,persistentvolumeclaim) group_left(storageclass, provisioner) (kube_persistentvolumeclaim_info * on (storageclass)  group_left(provisioner) kube_storageclass_info {provisioner=~"(.*rbd.csi.ceph.com)|(.*cephfs.csi.ceph.com)"})) / (kubelet_volume_stats_capacity_bytes * on (namespace,persistentvolumeclaim) group_left(storageclass, provisioner) (kube_persistentvolumeclaim_info * on (storageclass)  group_left(provisioner) kube_storageclass_info {provisioner=~"(.*rbd.csi.ceph.com)|(.*cephfs.csi.ceph.com)"})) > 0.75
+          for: 5s
+          labels:
+            severity: warning
+        - alert: PersistentVolumeUsageCritical
+          annotations:
+            description: PVC {{ "{{" }} $labels.persistentvolumeclaim {{ "}}" }} utilization has crossed 85%. Free up some space or expand the PVC immediately.
+            message: PVC {{ "{{" }} $labels.persistentvolumeclaim {{ "}}" }} is critically full. Data deletion or PVC expansion is required.
+            severity_level: error
+            storage_type: ceph
+          expr: |
+            (kubelet_volume_stats_used_bytes * on (namespace,persistentvolumeclaim) group_left(storageclass, provisioner) (kube_persistentvolumeclaim_info * on (storageclass)  group_left(provisioner) kube_storageclass_info {provisioner=~"(.*rbd.csi.ceph.com)|(.*cephfs.csi.ceph.com)"})) / (kubelet_volume_stats_capacity_bytes * on (namespace,persistentvolumeclaim) group_left(storageclass, provisioner) (kube_persistentvolumeclaim_info * on (storageclass)  group_left(provisioner) kube_storageclass_info {provisioner=~"(.*rbd.csi.ceph.com)|(.*cephfs.csi.ceph.com)"})) > 0.85
+          for: 5s
+          labels:
+            severity: critical
+---
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+  name: prometheus-ceph-rules
+  namespace: {{ .Release.Namespace }}
+spec:
+  groups:
+    - name: "cluster health"
+      rules:
+        - alert: "CephHealthError"
+          annotations:
+            description: "The cluster state has been HEALTH_ERROR for more than 5 minutes. Please check 'ceph health detail' for more information."
+            summary: "Ceph is in the ERROR state"
+          expr: "ceph_health_status == 2"
+          for: "5m"
+          labels:
+            oid: "1.3.6.1.4.1.50495.1.2.1.2.1"
+            severity: "critical"
+            type: "ceph_default"
+        - alert: "CephHealthWarning"
+          annotations:
+            description: "The cluster state has been HEALTH_WARN for more than 15 minutes. Please check 'ceph health detail' for more information."
+            summary: "Ceph is in the WARNING state"
+          expr: "ceph_health_status == 1"
+          for: "15m"
+          labels:
+            severity: "warning"
+            type: "ceph_default"
+    - name: "mon"
+      rules:
+        - alert: "CephMonDownQuorumAtRisk"
+          annotations:
+            description: "{{ "{{" }} $min := query \"floor(count(ceph_mon_metadata) / 2) + 1\" | first | value {{ "}}" }}Quorum requires a majority of monitors (x {{ "{{" }} $min {{ "}}" }}) to be active. Without quorum the cluster will become inoperable, affecting all services and connected clients. The following monitors are down: {{ "{{" }}- range query \"(ceph_mon_quorum_status == 0) + on(ceph_daemon) group_left(hostname) (ceph_mon_metadata * 0)\" {{ "}}" }} - {{ "{{" }} .Labels.ceph_daemon {{ "}}" }} on {{ "{{" }} .Labels.hostname {{ "}}" }} {{ "{{" }}- end {{ "}}" }}"
+            documentation: "https://docs.ceph.com/en/latest/rados/operations/health-checks#mon-down"
+            summary: "Monitor quorum is at risk"
+          expr: |
+            (
+              (ceph_health_detail{name="MON_DOWN"} == 1) * on() (
+                count(ceph_mon_quorum_status == 1) == bool (floor(count(ceph_mon_metadata) / 2) + 1)
+              )
+            ) == 1
+          for: "30s"
+          labels:
+            oid: "1.3.6.1.4.1.50495.1.2.1.3.1"
+            severity: "critical"
+            type: "ceph_default"
+        - alert: "CephMonDown"
+          annotations:
+            description: |
+              {{ "{{" }} $down := query "count(ceph_mon_quorum_status == 0)" | first | value {{ "}}" }}{{ "{{" }} $s := "" {{ "}}" }}{{ "{{" }} if gt $down 1.0 {{ "}}" }}{{ "{{" }} $s = "s" {{ "}}" }}{{ "{{" }} end {{ "}}" }}You have {{ "{{" }} $down {{ "}}" }} monitor{{ "{{" }} $s {{ "}}" }} down. Quorum is still intact, but the loss of an additional monitor will make your cluster inoperable.  The following monitors are down: {{ "{{" }}- range query "(ceph_mon_quorum_status == 0) + on(ceph_daemon) group_left(hostname) (ceph_mon_metadata * 0)" {{ "}}" }}   - {{ "{{" }} .Labels.ceph_daemon {{ "}}" }} on {{ "{{" }} .Labels.hostname {{ "}}" }} {{ "{{" }}- end {{ "}}" }}
+            documentation: "https://docs.ceph.com/en/latest/rados/operations/health-checks#mon-down"
+            summary: "One or more monitors down"
+          expr: |
+            count(ceph_mon_quorum_status == 0) <= (count(ceph_mon_metadata) - floor(count(ceph_mon_metadata) / 2) + 1)
+          for: "30s"
+          labels:
+            severity: "warning"
+            type: "ceph_default"
+        - alert: "CephMonDiskspaceCritical"
+          annotations:
+            description: "The free space available to a monitor's store is critically low. You should increase the space available to the monitor(s). The default directory is /var/lib/ceph/mon-*/data/store.db on traditional deployments, and /var/lib/rook/mon-*/data/store.db on the mon pod's worker node for Rook. Look for old, rotated versions of *.log and MANIFEST*. Do NOT touch any *.sst files. Also check any other directories under /var/lib/rook and other directories on the same filesystem, often /var/log and /var/tmp are culprits. Your monitor hosts are; {{ "{{" }}- range query \"ceph_mon_metadata\"{{ "}}" }} - {{ "{{" }} .Labels.hostname {{ "}}" }} {{ "{{" }}- end {{ "}}" }}"
+            documentation: "https://docs.ceph.com/en/latest/rados/operations/health-checks#mon-disk-crit"
+            summary: "Filesystem space on at least one monitor is critically low"
+          expr: "ceph_health_detail{name=\"MON_DISK_CRIT\"} == 1"
+          for: "1m"
+          labels:
+            oid: "1.3.6.1.4.1.50495.1.2.1.3.2"
+            severity: "critical"
+            type: "ceph_default"
+        - alert: "CephMonDiskspaceLow"
+          annotations:
+            description: "The space available to a monitor's store is approaching full (>70% is the default). You should increase the space available to the monitor(s). The default directory is /var/lib/ceph/mon-*/data/store.db on traditional deployments, and /var/lib/rook/mon-*/data/store.db on the mon pod's worker node for Rook. Look for old, rotated versions of *.log and MANIFEST*.  Do NOT touch any *.sst files. Also check any other directories under /var/lib/rook and other directories on the same filesystem, often /var/log and /var/tmp are culprits. Your monitor hosts are; {{ "{{" }}- range query \"ceph_mon_metadata\"{{ "}}" }} - {{ "{{" }} .Labels.hostname {{ "}}" }} {{ "{{" }}- end {{ "}}" }}"
+            documentation: "https://docs.ceph.com/en/latest/rados/operations/health-checks#mon-disk-low"
+            summary: "Drive space on at least one monitor is approaching full"
+          expr: "ceph_health_detail{name=\"MON_DISK_LOW\"} == 1"
+          for: "5m"
+          labels:
+            severity: "warning"
+            type: "ceph_default"
+        - alert: "CephMonClockSkew"
+          annotations:
+            description: "Ceph monitors rely on closely synchronized time to maintain quorum and cluster consistency. This event indicates that the time on at least one mon has drifted too far from the lead mon. Review cluster status with ceph -s. This will show which monitors are affected. Check the time sync status on each monitor host with 'ceph time-sync-status' and the state and peers of your ntpd or chrony daemon."
+            documentation: "https://docs.ceph.com/en/latest/rados/operations/health-checks#mon-clock-skew"
+            summary: "Clock skew detected among monitors"
+          expr: "ceph_health_detail{name=\"MON_CLOCK_SKEW\"} == 1"
+          for: "1m"
+          labels:
+            severity: "warning"
+            type: "ceph_default"
+    - name: "osd"
+      rules:
+        - alert: "CephOSDDownHigh"
+          annotations:
+            description: "{{ "{{" }} $value | humanize {{ "}}" }}% or {{ "{{" }} with query \"count(ceph_osd_up == 0)\" {{ "}}" }}{{ "{{" }} . | first | value {{ "}}" }}{{ "{{" }} end {{ "}}" }} of {{ "{{" }} with query \"count(ceph_osd_up)\" {{ "}}" }}{{ "{{" }} . | first | value {{ "}}" }}{{ "{{" }} end {{ "}}" }} OSDs are down (>= 10%). The following OSDs are down: {{ "{{" }}- range query \"(ceph_osd_up * on(ceph_daemon) group_left(hostname) ceph_osd_metadata) == 0\" {{ "}}" }} - {{ "{{" }} .Labels.ceph_daemon {{ "}}" }} on {{ "{{" }} .Labels.hostname {{ "}}" }} {{ "{{" }}- end {{ "}}" }}"
+            summary: "More than 10% of OSDs are down"
+          expr: "count(ceph_osd_up == 0) / count(ceph_osd_up) * 100 >= 10"
+          labels:
+            oid: "1.3.6.1.4.1.50495.1.2.1.4.1"
+            severity: "critical"
+            type: "ceph_default"
+        - alert: "CephOSDHostDown"
+          annotations:
+            description: "The following OSDs are down: {{ "{{" }}- range query \"(ceph_osd_up * on(ceph_daemon) group_left(hostname) ceph_osd_metadata) == 0\" {{ "}}" }} - {{ "{{" }} .Labels.hostname {{ "}}" }} : {{ "{{" }} .Labels.ceph_daemon {{ "}}" }} {{ "{{" }}- end {{ "}}" }}"
+            summary: "An OSD host is offline"
+          expr: "ceph_health_detail{name=\"OSD_HOST_DOWN\"} == 1"
+          for: "5m"
+          labels:
+            oid: "1.3.6.1.4.1.50495.1.2.1.4.8"
+            severity: "warning"
+            type: "ceph_default"
+        - alert: "CephOSDDown"
+          annotations:
+            description: |
+              {{ "{{" }} $num := query "count(ceph_osd_up == 0)" | first | value {{ "}}" }}{{ "{{" }} $s := "" {{ "}}" }}{{ "{{" }} if gt $num 1.0 {{ "}}" }}{{ "{{" }} $s = "s" {{ "}}" }}{{ "{{" }} end {{ "}}" }}{{ "{{" }} $num {{ "}}" }} OSD{{ "{{" }} $s {{ "}}" }} down for over 5mins. The following OSD{{ "{{" }} $s {{ "}}" }} {{ "{{" }} if eq $s "" {{ "}}" }}is{{ "{{" }} else {{ "}}" }}are{{ "{{" }} end {{ "}}" }} down: {{ "{{" }}- range query "(ceph_osd_up * on(ceph_daemon) group_left(hostname) ceph_osd_metadata) == 0"{{ "}}" }} - {{ "{{" }} .Labels.ceph_daemon {{ "}}" }} on {{ "{{" }} .Labels.hostname {{ "}}" }} {{ "{{" }}- end {{ "}}" }}
+            documentation: "https://docs.ceph.com/en/latest/rados/operations/health-checks#osd-down"
+            summary: "An OSD has been marked down"
+          expr: "ceph_health_detail{name=\"OSD_DOWN\"} == 1"
+          for: "5m"
+          labels:
+            oid: "1.3.6.1.4.1.50495.1.2.1.4.2"
+            severity: "warning"
+            type: "ceph_default"
+        - alert: "CephOSDNearFull"
+          annotations:
+            description: "One or more OSDs have reached the NEARFULL threshold. Use 'ceph health detail' and 'ceph osd df' to identify the problem. To resolve, add capacity to the affected OSD's failure domain, restore down/out OSDs, or delete unwanted data."
+            documentation: "https://docs.ceph.com/en/latest/rados/operations/health-checks#osd-nearfull"
+            summary: "OSD(s) running low on free space (NEARFULL)"
+          expr: "ceph_health_detail{name=\"OSD_NEARFULL\"} == 1"
+          for: "5m"
+          labels:
+            oid: "1.3.6.1.4.1.50495.1.2.1.4.3"
+            severity: "warning"
+            type: "ceph_default"
+        - alert: "CephOSDFull"
+          annotations:
+            description: "An OSD has reached the FULL threshold. Writes to pools that share the affected OSD will be blocked. Use 'ceph health detail' and 'ceph osd df' to identify the problem. To resolve, add capacity to the affected OSD's failure domain, restore down/out OSDs, or delete unwanted data."
+            documentation: "https://docs.ceph.com/en/latest/rados/operations/health-checks#osd-full"
+            summary: "OSD full, writes blocked"
+          expr: "ceph_health_detail{name=\"OSD_FULL\"} > 0"
+          for: "1m"
+          labels:
+            oid: "1.3.6.1.4.1.50495.1.2.1.4.6"
+            severity: "critical"
+            type: "ceph_default"
+        - alert: "CephOSDBackfillFull"
+          annotations:
+            description: "An OSD has reached the BACKFILL FULL threshold. This will prevent rebalance operations from completing. Use 'ceph health detail' and 'ceph osd df' to identify the problem. To resolve, add capacity to the affected OSD's failure domain, restore down/out OSDs, or delete unwanted data."
+            documentation: "https://docs.ceph.com/en/latest/rados/operations/health-checks#osd-backfillfull"
+            summary: "OSD(s) too full for backfill operations"
+          expr: "ceph_health_detail{name=\"OSD_BACKFILLFULL\"} > 0"
+          for: "1m"
+          labels:
+            severity: "warning"
+            type: "ceph_default"
+        - alert: "CephOSDTooManyRepairs"
+          annotations:
+            description: "Reads from an OSD have used a secondary PG to return data to the client, indicating a potential failing drive."
+            documentation: "https://docs.ceph.com/en/latest/rados/operations/health-checks#osd-too-many-repairs"
+            summary: "OSD reports a high number of read errors"
+          expr: "ceph_health_detail{name=\"OSD_TOO_MANY_REPAIRS\"} == 1"
+          for: "30s"
+          labels:
+            severity: "warning"
+            type: "ceph_default"
+        - alert: "CephOSDTimeoutsPublicNetwork"
+          annotations:
+            description: "OSD heartbeats on the cluster's 'public' network (frontend) are running slow. Investigate the network for latency or loss issues. Use 'ceph health detail' to show the affected OSDs."
+            summary: "Network issues delaying OSD heartbeats (public network)"
+          expr: "ceph_health_detail{name=\"OSD_SLOW_PING_TIME_FRONT\"} == 1"
+          for: "1m"
+          labels:
+            severity: "warning"
+            type: "ceph_default"
+        - alert: "CephOSDTimeoutsClusterNetwork"
+          annotations:
+            description: "OSD heartbeats on the cluster's 'cluster' network (backend) are slow. Investigate the network for latency issues on this subnet. Use 'ceph health detail' to show the affected OSDs."
+            summary: "Network issues delaying OSD heartbeats (cluster network)"
+          expr: "ceph_health_detail{name=\"OSD_SLOW_PING_TIME_BACK\"} == 1"
+          for: "1m"
+          labels:
+            severity: "warning"
+            type: "ceph_default"
+        - alert: "CephOSDInternalDiskSizeMismatch"
+          annotations:
+            description: "One or more OSDs have an internal inconsistency between metadata and the size of the device. This could lead to the OSD(s) crashing in future. You should redeploy the affected OSDs."
+            documentation: "https://docs.ceph.com/en/latest/rados/operations/health-checks#bluestore-disk-size-mismatch"
+            summary: "OSD size inconsistency error"
+          expr: "ceph_health_detail{name=\"BLUESTORE_DISK_SIZE_MISMATCH\"} == 1"
+          for: "1m"
+          labels:
+            severity: "warning"
+            type: "ceph_default"
+        - alert: "CephDeviceFailurePredicted"
+          annotations:
+            description: "The device health module has determined that one or more devices will fail soon. To review device status use 'ceph device ls'. To show a specific device use 'ceph device info <dev id>'. Mark the OSD out so that data may migrate to other OSDs. Once the OSD has drained, destroy the OSD, replace the device, and redeploy the OSD."
+            documentation: "https://docs.ceph.com/en/latest/rados/operations/health-checks#id2"
+            summary: "Device(s) predicted to fail soon"
+          expr: "ceph_health_detail{name=\"DEVICE_HEALTH\"} == 1"
+          for: "1m"
+          labels:
+            severity: "warning"
+            type: "ceph_default"
+        - alert: "CephDeviceFailurePredictionTooHigh"
+          annotations:
+            description: "The device health module has determined that devices predicted to fail can not be remediated automatically, since too many OSDs would be removed from the cluster to ensure performance and availability. Prevent data integrity issues by adding new OSDs so that data may be relocated."
+            documentation: "https://docs.ceph.com/en/latest/rados/operations/health-checks#device-health-toomany"
+            summary: "Too many devices are predicted to fail, unable to resolve"
+          expr: "ceph_health_detail{name=\"DEVICE_HEALTH_TOOMANY\"} == 1"
+          for: "1m"
+          labels:
+            oid: "1.3.6.1.4.1.50495.1.2.1.4.7"
+            severity: "critical"
+            type: "ceph_default"
+        - alert: "CephDeviceFailureRelocationIncomplete"
+          annotations:
+            description: "The device health module has determined that one or more devices will fail soon, but the normal process of relocating the data on the device to other OSDs in the cluster is blocked. \nEnsure that the cluster has available free space. It may be necessary to add capacity to the cluster to allow data from the failing device to successfully migrate, or to enable the balancer."
+            documentation: "https://docs.ceph.com/en/latest/rados/operations/health-checks#device-health-in-use"
+            summary: "Device failure is predicted, but unable to relocate data"
+          expr: "ceph_health_detail{name=\"DEVICE_HEALTH_IN_USE\"} == 1"
+          for: "1m"
+          labels:
+            severity: "warning"
+            type: "ceph_default"
+        - alert: "CephOSDFlapping"
+          annotations:
+            description: "OSD {{ "{{" }} $labels.ceph_daemon {{ "}}" }} on {{ "{{" }} $labels.hostname {{ "}}" }} was marked down and back up {{ "{{" }} $value | humanize {{ "}}" }} times once a minute for 5 minutes. This may indicate a network issue (latency, packet loss, MTU mismatch) on the cluster network, or the public network if no cluster network is deployed. Check the network stats on the listed host(s)."
+            documentation: "https://docs.ceph.com/en/latest/rados/troubleshooting/troubleshooting-osd#flapping-osds"
+            summary: "Network issues are causing OSDs to flap (mark each other down)"
+          expr: "(rate(ceph_osd_up[5m]) * on(ceph_daemon) group_left(hostname) ceph_osd_metadata) * 60 > 1"
+          labels:
+            oid: "1.3.6.1.4.1.50495.1.2.1.4.4"
+            severity: "warning"
+            type: "ceph_default"
+        - alert: "CephOSDReadErrors"
+          annotations:
+            description: "An OSD has encountered read errors, but the OSD has recovered by retrying the reads. This may indicate an issue with hardware or the kernel."
+            documentation: "https://docs.ceph.com/en/latest/rados/operations/health-checks#bluestore-spurious-read-errors"
+            summary: "Device read errors detected"
+          expr: "ceph_health_detail{name=\"BLUESTORE_SPURIOUS_READ_ERRORS\"} == 1"
+          for: "30s"
+          labels:
+            severity: "warning"
+            type: "ceph_default"
+        - alert: "CephPGImbalance"
+          annotations:
+            description: "OSD {{ "{{" }} $labels.ceph_daemon {{ "}}" }} on {{ "{{" }} $labels.hostname {{ "}}" }} deviates by more than 30% from average PG count."
+            summary: "PGs are not balanced across OSDs"
+          expr: |
+            abs(
+              ((ceph_osd_numpg > 0) - on (job) group_left avg(ceph_osd_numpg > 0) by (job)) /
+              on (job) group_left avg(ceph_osd_numpg > 0) by (job)
+            ) * on (ceph_daemon) group_left(hostname) ceph_osd_metadata > 0.30
+          for: "5m"
+          labels:
+            oid: "1.3.6.1.4.1.50495.1.2.1.4.5"
+            severity: "warning"
+            type: "ceph_default"
+    - name: "mds"
+      rules:
+        - alert: "CephFilesystemDamaged"
+          annotations:
+            description: "Filesystem metadata has been corrupted. Data may be inaccessible. Analyze metrics from the MDS daemon admin socket, or escalate to support."
+            documentation: "https://docs.ceph.com/en/latest/cephfs/health-messages#cephfs-health-messages"
+            summary: "CephFS filesystem is damaged."
+          expr: "ceph_health_detail{name=\"MDS_DAMAGE\"} > 0"
+          for: "1m"
+          labels:
+            oid: "1.3.6.1.4.1.50495.1.2.1.5.1"
+            severity: "critical"
+            type: "ceph_default"
+        - alert: "CephFilesystemOffline"
+          annotations:
+            description: "All MDS ranks are unavailable. The MDS daemons managing metadata are down, rendering the filesystem offline."
+            documentation: "https://docs.ceph.com/en/latest/cephfs/health-messages/#mds-all-down"
+            summary: "CephFS filesystem is offline"
+          expr: "ceph_health_detail{name=\"MDS_ALL_DOWN\"} > 0"
+          for: "1m"
+          labels:
+            oid: "1.3.6.1.4.1.50495.1.2.1.5.3"
+            severity: "critical"
+            type: "ceph_default"
+        - alert: "CephFilesystemDegraded"
+          annotations:
+            description: "One or more metadata daemons (MDS ranks) are failed or in a damaged state. At best the filesystem is partially available, at worst the filesystem is completely unusable."
+            documentation: "https://docs.ceph.com/en/latest/cephfs/health-messages/#fs-degraded"
+            summary: "CephFS filesystem is degraded"
+          expr: "ceph_health_detail{name=\"FS_DEGRADED\"} > 0"
+          for: "1m"
+          labels:
+            oid: "1.3.6.1.4.1.50495.1.2.1.5.4"
+            severity: "critical"
+            type: "ceph_default"
+        - alert: "CephFilesystemMDSRanksLow"
+          annotations:
+            description: "The filesystem's 'max_mds' setting defines the number of MDS ranks in the filesystem. The current number of active MDS daemons is less than this value."
+            documentation: "https://docs.ceph.com/en/latest/cephfs/health-messages/#mds-up-less-than-max"
+            summary: "Ceph MDS daemon count is lower than configured"
+          expr: "ceph_health_detail{name=\"MDS_UP_LESS_THAN_MAX\"} > 0"
+          for: "1m"
+          labels:
+            severity: "warning"
+            type: "ceph_default"
+        - alert: "CephFilesystemInsufficientStandby"
+          annotations:
+            description: "The minimum number of standby daemons required by standby_count_wanted is less than the current number of standby daemons. Adjust the standby count or increase the number of MDS daemons."
+            documentation: "https://docs.ceph.com/en/latest/cephfs/health-messages/#mds-insufficient-standby"
+            summary: "Ceph filesystem standby daemons too few"
+          expr: "ceph_health_detail{name=\"MDS_INSUFFICIENT_STANDBY\"} > 0"
+          for: "1m"
+          labels:
+            severity: "warning"
+            type: "ceph_default"
+        - alert: "CephFilesystemFailureNoStandby"
+          annotations:
+            description: "An MDS daemon has failed, leaving only one active rank and no available standby. Investigate the cause of the failure or add a standby MDS."
+            documentation: "https://docs.ceph.com/en/latest/cephfs/health-messages/#fs-with-failed-mds"
+            summary: "MDS daemon failed, no further standby available"
+          expr: "ceph_health_detail{name=\"FS_WITH_FAILED_MDS\"} > 0"
+          for: "1m"
+          labels:
+            oid: "1.3.6.1.4.1.50495.1.2.1.5.5"
+            severity: "critical"
+            type: "ceph_default"
+        - alert: "CephFilesystemReadOnly"
+          annotations:
+            description: "The filesystem has switched to READ ONLY due to an unexpected error when writing to the metadata pool. Either analyze the output from the MDS daemon admin socket, or escalate to support."
+            documentation: "https://docs.ceph.com/en/latest/cephfs/health-messages#cephfs-health-messages"
+            summary: "CephFS filesystem in read only mode due to write error(s)"
+          expr: "ceph_health_detail{name=\"MDS_HEALTH_READ_ONLY\"} > 0"
+          for: "1m"
+          labels:
+            oid: "1.3.6.1.4.1.50495.1.2.1.5.2"
+            severity: "critical"
+            type: "ceph_default"
+    - name: "mgr"
+      rules:
+        - alert: "CephMgrModuleCrash"
+          annotations:
+            description: "One or more mgr modules have crashed and have yet to be acknowledged by an administrator. A crashed module may impact functionality within the cluster. Use the 'ceph crash' command to determine which module has failed, and archive it to acknowledge the failure."
+            documentation: "https://docs.ceph.com/en/latest/rados/operations/health-checks#recent-mgr-module-crash"
+            summary: "A manager module has recently crashed"
+          expr: "ceph_health_detail{name=\"RECENT_MGR_MODULE_CRASH\"} == 1"
+          for: "5m"
+          labels:
+            oid: "1.3.6.1.4.1.50495.1.2.1.6.1"
+            severity: "critical"
+            type: "ceph_default"
+        - alert: "CephMgrPrometheusModuleInactive"
+          annotations:
+            description: "The mgr/prometheus module at {{ "{{" }} $labels.instance {{ "}}" }} is unreachable. This could mean that the module has been disabled or the mgr daemon itself is down. Without the mgr/prometheus module metrics and alerts will no longer function. Open a shell to an admin node or toolbox pod and use 'ceph -s' to to determine whether the mgr is active. If the mgr is not active, restart it, otherwise you can determine module status with 'ceph mgr module ls'. If it is not listed as enabled, enable it with 'ceph mgr module enable prometheus'."
+            summary: "The mgr/prometheus module is not available"
+          expr: "up{job=\"ceph\"} == 0"
+          for: "1m"
+          labels:
+            oid: "1.3.6.1.4.1.50495.1.2.1.6.2"
+            severity: "critical"
+            type: "ceph_default"
+    - name: "pgs"
+      rules:
+        - alert: "CephPGsInactive"
+          annotations:
+            description: "{{ "{{" }} $value {{ "}}" }} PGs have been inactive for more than 5 minutes in pool {{ "{{" }} $labels.name {{ "}}" }}. Inactive placement groups are not able to serve read/write requests."
+            summary: "One or more placement groups are inactive"
+          expr: "ceph_pool_metadata * on(pool_id,instance) group_left() (ceph_pg_total - ceph_pg_active) > 0"
+          for: "5m"
+          labels:
+            oid: "1.3.6.1.4.1.50495.1.2.1.7.1"
+            severity: "critical"
+            type: "ceph_default"
+        - alert: "CephPGsUnclean"
+          annotations:
+            description: "{{ "{{" }} $value {{ "}}" }} PGs have been unclean for more than 15 minutes in pool {{ "{{" }} $labels.name {{ "}}" }}. Unclean PGs have not recovered from a previous failure."
+            summary: "One or more placement groups are marked unclean"
+          expr: "ceph_pool_metadata * on(pool_id,instance) group_left() (ceph_pg_total - ceph_pg_clean) > 0"
+          for: "15m"
+          labels:
+            oid: "1.3.6.1.4.1.50495.1.2.1.7.2"
+            severity: "warning"
+            type: "ceph_default"
+        - alert: "CephPGsDamaged"
+          annotations:
+            description: "During data consistency checks (scrub), at least one PG has been flagged as being damaged or inconsistent. Check to see which PG is affected, and attempt a manual repair if necessary. To list problematic placement groups, use 'rados list-inconsistent-pg <pool>'. To repair PGs use the 'ceph pg repair <pg_num>' command."
+            documentation: "https://docs.ceph.com/en/latest/rados/operations/health-checks#pg-damaged"
+            summary: "Placement group damaged, manual intervention needed"
+          expr: "ceph_health_detail{name=~\"PG_DAMAGED|OSD_SCRUB_ERRORS\"} == 1"
+          for: "5m"
+          labels:
+            oid: "1.3.6.1.4.1.50495.1.2.1.7.4"
+            severity: "critical"
+            type: "ceph_default"
+        - alert: "CephPGRecoveryAtRisk"
+          annotations:
+            description: "Data redundancy is at risk since one or more OSDs are at or above the 'full' threshold. Add more capacity to the cluster, restore down/out OSDs, or delete unwanted data."
+            documentation: "https://docs.ceph.com/en/latest/rados/operations/health-checks#pg-recovery-full"
+            summary: "OSDs are too full for recovery"
+          expr: "ceph_health_detail{name=\"PG_RECOVERY_FULL\"} == 1"
+          for: "1m"
+          labels:
+            oid: "1.3.6.1.4.1.50495.1.2.1.7.5"
+            severity: "critical"
+            type: "ceph_default"
+        - alert: "CephPGUnavailableBlockingIO"
+          annotations:
+            description: "Data availability is reduced, impacting the cluster's ability to service I/O. One or more placement groups (PGs) are in a state that blocks I/O."
+            documentation: "https://docs.ceph.com/en/latest/rados/operations/health-checks#pg-availability"
+            summary: "PG is unavailable, blocking I/O"
+          expr: "((ceph_health_detail{name=\"PG_AVAILABILITY\"} == 1) - scalar(ceph_health_detail{name=\"OSD_DOWN\"})) == 1"
+          for: "1m"
+          labels:
+            oid: "1.3.6.1.4.1.50495.1.2.1.7.3"
+            severity: "critical"
+            type: "ceph_default"
+        - alert: "CephPGBackfillAtRisk"
+          annotations:
+            description: "Data redundancy may be at risk due to lack of free space within the cluster. One or more OSDs have reached the 'backfillfull' threshold. Add more capacity, or delete unwanted data."
+            documentation: "https://docs.ceph.com/en/latest/rados/operations/health-checks#pg-backfill-full"
+            summary: "Backfill operations are blocked due to lack of free space"
+          expr: "ceph_health_detail{name=\"PG_BACKFILL_FULL\"} == 1"
+          for: "1m"
+          labels:
+            oid: "1.3.6.1.4.1.50495.1.2.1.7.6"
+            severity: "critical"
+            type: "ceph_default"
+        - alert: "CephPGNotScrubbed"
+          annotations:
+            description: "One or more PGs have not been scrubbed recently. Scrubs check metadata integrity, protecting against bit-rot. They check that metadata is consistent across data replicas. When PGs miss their scrub interval, it may indicate that the scrub window is too small, or PGs were not in a 'clean' state during the scrub window. You can manually initiate a scrub with: ceph pg scrub <pgid>"
+            documentation: "https://docs.ceph.com/en/latest/rados/operations/health-checks#pg-not-scrubbed"
+            summary: "Placement group(s) have not been scrubbed"
+          expr: "ceph_health_detail{name=\"PG_NOT_SCRUBBED\"} == 1"
+          for: "5m"
+          labels:
+            severity: "warning"
+            type: "ceph_default"
+        - alert: "CephPGsHighPerOSD"
+          annotations:
+            description: "The number of placement groups per OSD is too high (exceeds the mon_max_pg_per_osd setting).\n Check that the pg_autoscaler has not been disabled for any pools with 'ceph osd pool autoscale-status', and that the profile selected is appropriate. You may also adjust the target_size_ratio of a pool to guide the autoscaler based on the expected relative size of the pool ('ceph osd pool set cephfs.cephfs.meta target_size_ratio .1') or set the pg_autoscaler mode to 'warn' and adjust pg_num appropriately for one or more pools."
+            documentation: "https://docs.ceph.com/en/latest/rados/operations/health-checks/#too-many-pgs"
+            summary: "Placement groups per OSD is too high"
+          expr: "ceph_health_detail{name=\"TOO_MANY_PGS\"} == 1"
+          for: "1m"
+          labels:
+            severity: "warning"
+            type: "ceph_default"
+        - alert: "CephPGNotDeepScrubbed"
+          annotations:
+            description: "One or more PGs have not been deep scrubbed recently. Deep scrubs protect against bit-rot. They compare data replicas to ensure consistency. When PGs miss their deep scrub interval, it may indicate that the window is too small or PGs were not in a 'clean' state during the deep-scrub window."
+            documentation: "https://docs.ceph.com/en/latest/rados/operations/health-checks#pg-not-deep-scrubbed"
+            summary: "Placement group(s) have not been deep scrubbed"
+          expr: "ceph_health_detail{name=\"PG_NOT_DEEP_SCRUBBED\"} == 1"
+          for: "5m"
+          labels:
+            severity: "warning"
+            type: "ceph_default"
+    - name: "nodes"
+      rules:
+        - alert: "CephNodeRootFilesystemFull"
+          annotations:
+            description: "Root volume is dangerously full: {{ "{{" }} $value | humanize {{ "}}" }}% free."
+            summary: "Root filesystem is dangerously full"
+          expr: "node_filesystem_avail_bytes{mountpoint=\"/\"} / node_filesystem_size_bytes{mountpoint=\"/\"} * 100 < 5"
+          for: "5m"
+          labels:
+            oid: "1.3.6.1.4.1.50495.1.2.1.8.1"
+            severity: "critical"
+            type: "ceph_default"
+    - name: "pools"
+      rules:
+        - alert: "CephPoolGrowthWarning"
+          annotations:
+            description: "Pool '{{ "{{" }} $labels.name {{ "}}" }}' will be full in less than 5 days assuming the average fill-up rate of the past 48 hours."
+            summary: "Pool growth rate may soon exceed capacity"
+          expr: "(predict_linear(ceph_pool_percent_used[2d], 3600 * 24 * 5) * on(pool_id, instance, pod) group_right() ceph_pool_metadata) >= 95"
+          labels:
+            oid: "1.3.6.1.4.1.50495.1.2.1.9.2"
+            severity: "warning"
+            type: "ceph_default"
+        - alert: "CephPoolBackfillFull"
+          annotations:
+            description: "A pool is approaching the near full threshold, which will prevent recovery/backfill operations from completing. Consider adding more capacity."
+            summary: "Free space in a pool is too low for recovery/backfill"
+          expr: "ceph_health_detail{name=\"POOL_BACKFILLFULL\"} > 0"
+          labels:
+            severity: "warning"
+            type: "ceph_default"
+        - alert: "CephPoolFull"
+          annotations:
+            description: "A pool has reached its MAX quota, or OSDs supporting the pool have reached the FULL threshold. Until this is resolved, writes to the pool will be blocked. Pool Breakdown (top 5) {{ "{{" }}- range query \"topk(5, sort_desc(ceph_pool_percent_used * on(pool_id) group_right ceph_pool_metadata))\" {{ "}}" }} - {{ "{{" }} .Labels.name {{ "}}" }} at {{ "{{" }} .Value {{ "}}" }}% {{ "{{" }}- end {{ "}}" }} Increase the pool's quota, or add capacity to the cluster first then increase the pool's quota (e.g. ceph osd pool set quota <pool_name> max_bytes <bytes>)"
+            documentation: "https://docs.ceph.com/en/latest/rados/operations/health-checks#pool-full"
+            summary: "Pool is full - writes are blocked"
+          expr: "ceph_health_detail{name=\"POOL_FULL\"} > 0"
+          for: "1m"
+          labels:
+            oid: "1.3.6.1.4.1.50495.1.2.1.9.1"
+            severity: "critical"
+            type: "ceph_default"
+        - alert: "CephPoolNearFull"
+          annotations:
+            description: "A pool has exceeded the warning (percent full) threshold, or OSDs supporting the pool have reached the NEARFULL threshold. Writes may continue, but you are at risk of the pool going read-only if more capacity isn't made available. Determine the affected pool with 'ceph df detail', looking at QUOTA BYTES and STORED. Increase the pool's quota, or add capacity to the cluster first then increase the pool's quota (e.g. ceph osd pool set quota <pool_name> max_bytes <bytes>). Also ensure that the balancer is active."
+            summary: "One or more Ceph pools are nearly full"
+          expr: "ceph_health_detail{name=\"POOL_NEAR_FULL\"} > 0"
+          for: "5m"
+          labels:
+            severity: "warning"
+            type: "ceph_default"
+    - name: "healthchecks"
+      rules:
+        - alert: "CephSlowOps"
+          annotations:
+            description: "{{ "{{" }} $value {{ "}}" }} OSD requests are taking too long to process (osd_op_complaint_time exceeded)"
+            documentation: "https://docs.ceph.com/en/latest/rados/operations/health-checks#slow-ops"
+            summary: "OSD operations are slow to complete"
+          expr: "ceph_healthcheck_slow_ops > 0"
+          for: "30s"
+          labels:
+            severity: "warning"
+            type: "ceph_default"
+        - alert: "CephDaemonSlowOps"
+          annotations:
+            description: "{{ "{{" }} $labels.ceph_daemon {{ "}}" }} operations are taking too long to process (complaint time exceeded)"
+            documentation: "https://docs.ceph.com/en/latest/rados/operations/health-checks#slow-ops"
+            summary: "{{ "{{" }} $labels.ceph_daemon {{ "}}" }} operations are slow to complete"
+          expr: "ceph_daemon_health_metrics{type=\"SLOW_OPS\"} > 0"
+          for: "30s"
+          labels:
+            severity: "warning"
+            type: "ceph_default"
+    - name: "hardware"
+      rules:
+        - alert: "HardwareStorageError"
+          annotations:
+            description: "Some storage devices are in error. Check `ceph health detail`."
+            summary: "Storage devices error(s) detected"
+          expr: "ceph_health_detail{name=\"HARDWARE_STORAGE\"} > 0"
+          for: "30s"
+          labels:
+            oid: "1.3.6.1.4.1.50495.1.2.1.13.1"
+            severity: "critical"
+            type: "ceph_default"
+        - alert: "HardwareMemoryError"
+          annotations:
+            description: "DIMM error(s) detected. Check `ceph health detail`."
+            summary: "DIMM error(s) detected"
+          expr: "ceph_health_detail{name=\"HARDWARE_MEMORY\"} > 0"
+          for: "30s"
+          labels:
+            oid: "1.3.6.1.4.1.50495.1.2.1.13.2"
+            severity: "critical"
+            type: "ceph_default"
+        - alert: "HardwareProcessorError"
+          annotations:
+            description: "Processor error(s) detected. Check `ceph health detail`."
+            summary: "Processor error(s) detected"
+          expr: "ceph_health_detail{name=\"HARDWARE_PROCESSOR\"} > 0"
+          for: "30s"
+          labels:
+            oid: "1.3.6.1.4.1.50495.1.2.1.13.3"
+            severity: "critical"
+            type: "ceph_default"
+        - alert: "HardwareNetworkError"
+          annotations:
+            description: "Network error(s) detected. Check `ceph health detail`."
+            summary: "Network error(s) detected"
+          expr: "ceph_health_detail{name=\"HARDWARE_NETWORK\"} > 0"
+          for: "30s"
+          labels:
+            oid: "1.3.6.1.4.1.50495.1.2.1.13.4"
+            severity: "critical"
+            type: "ceph_default"
+        - alert: "HardwarePowerError"
+          annotations:
+            description: "Power supply error(s) detected. Check `ceph health detail`."
+            summary: "Power supply error(s) detected"
+          expr: "ceph_health_detail{name=\"HARDWARE_POWER\"} > 0"
+          for: "30s"
+          labels:
+            oid: "1.3.6.1.4.1.50495.1.2.1.13.5"
+            severity: "critical"
+            type: "ceph_default"
+        - alert: "HardwareFanError"
+          annotations:
+            description: "Fan error(s) detected. Check `ceph health detail`."
+            summary: "Fan error(s) detected"
+          expr: "ceph_health_detail{name=\"HARDWARE_FANS\"} > 0"
+          for: "30s"
+          labels:
+            oid: "1.3.6.1.4.1.50495.1.2.1.13.6"
+            severity: "critical"
+            type: "ceph_default"
+    - name: "PrometheusServer"
+      rules:
+        - alert: "PrometheusJobMissing"
+          annotations:
+            description: "The prometheus job that scrapes from Ceph MGR is no longer defined, this will effectively mean you'll have no metrics or alerts for the cluster.  Please review the job definitions in the prometheus.yml file of the prometheus instance."
+            summary: "The scrape job for Ceph MGR is missing from Prometheus"
+          expr: "absent(up{job=\"rook-ceph-mgr\"})"
+          for: "30s"
+          labels:
+            oid: "1.3.6.1.4.1.50495.1.2.1.12.1"
+            severity: "critical"
+            type: "ceph_default"
+        - alert: "PrometheusJobExporterMissing"
+          annotations:
+            description: "The prometheus job that scrapes from Ceph Exporter is no longer defined, this will effectively mean you'll have no metrics or alerts for the cluster.  Please review the job definitions in the prometheus.yml file of the prometheus instance."
+            summary: "The scrape job for Ceph Exporter is missing from Prometheus"
+          expr: "sum(absent(up{job=\"rook-ceph-exporter\"})) and sum(ceph_osd_metadata{ceph_version=~\"^ceph version (1[89]|[2-9][0-9]).*\"}) > 0"
+          for: "30s"
+          labels:
+            oid: "1.3.6.1.4.1.50495.1.2.1.12.1"
+            severity: "critical"
+            type: "ceph_default"
+    - name: "rados"
+      rules:
+        - alert: "CephObjectMissing"
+          annotations:
+            description: "The latest version of a RADOS object can not be found, even though all OSDs are up. I/O requests for this object from clients will block (hang). Resolving this issue may require the object to be rolled back to a prior version manually, and manually verified."
+            documentation: "https://docs.ceph.com/en/latest/rados/operations/health-checks#object-unfound"
+            summary: "Object(s) marked UNFOUND"
+          expr: "(ceph_health_detail{name=\"OBJECT_UNFOUND\"} == 1) * on() (count(ceph_osd_up == 1) == bool count(ceph_osd_metadata)) == 1"
+          for: "30s"
+          labels:
+            oid: "1.3.6.1.4.1.50495.1.2.1.10.1"
+            severity: "critical"
+            type: "ceph_default"
+    - name: "generic"
+      rules:
+        - alert: "CephDaemonCrash"
+          annotations:
+            description: "One or more daemons have crashed recently, and need to be acknowledged. This notification ensures that software crashes do not go unseen. To acknowledge a crash, use the 'ceph crash archive <id>' command."
+            documentation: "https://docs.ceph.com/en/latest/rados/operations/health-checks/#recent-crash"
+            summary: "One or more Ceph daemons have crashed, and are pending acknowledgement"
+          expr: "ceph_health_detail{name=\"RECENT_CRASH\"} == 1"
+          for: "1m"
+          labels:
+            oid: "1.3.6.1.4.1.50495.1.2.1.1.2"
+            severity: "critical"
+            type: "ceph_default"
+    - name: "rbdmirror"
+      rules:
+        - alert: "CephRBDMirrorImagesPerDaemonHigh"
+          annotations:
+            description: "Number of image replications per daemon is not supposed to go beyond threshold 100"
+            summary: "Number of image replications are now above 100"
+          expr: "sum by (ceph_daemon, namespace) (ceph_rbd_mirror_snapshot_image_snapshots) > 100"
+          for: "1m"
+          labels:
+            oid: "1.3.6.1.4.1.50495.1.2.1.10.2"
+            severity: "critical"
+            type: "ceph_default"
+        - alert: "CephRBDMirrorImagesNotInSync"
+          annotations:
+            description: "Both local and remote RBD mirror images should be in sync."
+            summary: "Some of the RBD mirror images are not in sync with the remote counter parts."
+          expr: "sum by (ceph_daemon, image, namespace, pool) (topk by (ceph_daemon, image, namespace, pool) (1, ceph_rbd_mirror_snapshot_image_local_timestamp) - topk by (ceph_daemon, image, namespace, pool) (1, ceph_rbd_mirror_snapshot_image_remote_timestamp)) != 0"
+          for: "1m"
+          labels:
+            oid: "1.3.6.1.4.1.50495.1.2.1.10.3"
+            severity: "critical"
+            type: "ceph_default"
+        - alert: "CephRBDMirrorImagesNotInSyncVeryHigh"
+          annotations:
+            description: "More than 10% of the images have synchronization problems"
+            summary: "Number of unsynchronized images are very high."
+          expr: "count by (ceph_daemon) ((topk by (ceph_daemon, image, namespace, pool) (1, ceph_rbd_mirror_snapshot_image_local_timestamp) - topk by (ceph_daemon, image, namespace, pool) (1, ceph_rbd_mirror_snapshot_image_remote_timestamp)) != 0) > (sum by (ceph_daemon) (ceph_rbd_mirror_snapshot_snapshots)*.1)"
+          for: "1m"
+          labels:
+            oid: "1.3.6.1.4.1.50495.1.2.1.10.4"
+            severity: "critical"
+            type: "ceph_default"
+        - alert: "CephRBDMirrorImageTransferBandwidthHigh"
+          annotations:
+            description: "Detected a heavy increase in bandwidth for rbd replications (over 80%) in the last 30 min. This might not be a problem, but it is good to review the number of images being replicated simultaneously"
+            summary: "The replication network usage has been increased over 80% in the last 30 minutes. Review the number of images being replicated. This alert will be cleaned automatically after 30 minutes"
+          expr: "rate(ceph_rbd_mirror_journal_replay_bytes[30m]) > 0.80"
+          for: "1m"
+          labels:
+            oid: "1.3.6.1.4.1.50495.1.2.1.10.5"
+            severity: "warning"
+            type: "ceph_default"
+    - name: "nvmeof"
+      rules:
+        - alert: "NVMeoFSubsystemNamespaceLimit"
+          annotations:
+            description: "Subsystems have a max namespace limit defined at creation time. This alert means that no more namespaces can be added to {{ "{{" }} $labels.nqn {{ "}}" }}"
+            summary: "{{ "{{" }} $labels.nqn {{ "}}" }} subsystem has reached its maximum number of namespaces "
+          expr: "(count by(nqn) (ceph_nvmeof_subsystem_namespace_metadata)) >= ceph_nvmeof_subsystem_namespace_limit"
+          for: "1m"
+          labels:
+            severity: "warning"
+            type: "ceph_default"
+        - alert: "NVMeoFTooManyGateways"
+          annotations:
+            description: "You may create many gateways, but 4 is the tested limit"
+            summary: "Max supported gateways exceeded "
+          expr: "count(ceph_nvmeof_gateway_info) > 4.00"
+          for: "1m"
+          labels:
+            severity: "warning"
+            type: "ceph_default"
+        - alert: "NVMeoFMaxGatewayGroupSize"
+          annotations:
+            description: "You may create many gateways in a gateway group, but 2 is the tested limit"
+            summary: "Max gateways within a gateway group ({{ "{{" }} $labels.group {{ "}}" }}) exceeded "
+          expr: "count by(group) (ceph_nvmeof_gateway_info) > 2.00"
+          for: "1m"
+          labels:
+            severity: "warning"
+            type: "ceph_default"
+        - alert: "NVMeoFSingleGatewayGroup"
+          annotations:
+            description: "Although a single member gateway group is valid, it should only be used for test purposes"
+            summary: "The gateway group {{ "{{" }} $labels.group {{ "}}" }} consists of a single gateway - HA is not possible "
+          expr: "count by(group) (ceph_nvmeof_gateway_info) == 1"
+          for: "5m"
+          labels:
+            severity: "warning"
+            type: "ceph_default"
+        - alert: "NVMeoFHighGatewayCPU"
+          annotations:
+            description: "Typically, high CPU may indicate degraded performance. Consider increasing the number of reactor cores"
+            summary: "CPU used by {{ "{{" }} $labels.instance {{ "}}" }} NVMe-oF Gateway is high "
+          expr: "label_replace(avg by(instance) (rate(ceph_nvmeof_reactor_seconds_total{mode=\"busy\"}[1m])),\"instance\",\"$1\",\"instance\",\"(.*):.*\") > 80.00"
+          for: "10m"
+          labels:
+            severity: "warning"
+            type: "ceph_default"
+        - alert: "NVMeoFGatewayOpenSecurity"
+          annotations:
+            description: "It is good practice to ensure subsystems use host security to reduce the risk of unexpected data loss"
+            summary: "Subsystem {{ "{{" }} $labels.nqn {{ "}}" }} has been defined without host level security "
+          expr: "ceph_nvmeof_subsystem_metadata{allow_any_host=\"yes\"}"
+          for: "5m"
+          labels:
+            severity: "warning"
+            type: "ceph_default"
+        - alert: "NVMeoFTooManySubsystems"
+          annotations:
+            description: "Although you may continue to create subsystems in {{ "{{" }} $labels.gateway_host {{ "}}" }}, the configuration may not be supported"
+            summary: "The number of subsystems defined to the gateway exceeds supported values "
+          expr: "count by(gateway_host) (label_replace(ceph_nvmeof_subsystem_metadata,\"gateway_host\",\"$1\",\"instance\",\"(.*):.*\")) > 16.00"
+          for: "1m"
+          labels:
+            severity: "warning"
+            type: "ceph_default"
+        - alert: "NVMeoFVersionMismatch"
+          annotations:
+            description: "This may indicate an issue with deployment. Check cephadm logs"
+            summary: "The cluster has different NVMe-oF gateway releases active "
+          expr: "count(count by(version) (ceph_nvmeof_gateway_info)) > 1"
+          for: "1h"
+          labels:
+            severity: "warning"
+            type: "ceph_default"
+        - alert: "NVMeoFHighClientCount"
+          annotations:
+            description: "The supported limit for clients connecting to a subsystem is 32"
+            summary: "The number of clients connected to {{ "{{" }} $labels.nqn {{ "}}" }} is too high "
+          expr: "ceph_nvmeof_subsystem_host_count > 32.00"
+          for: "1m"
+          labels:
+            severity: "warning"
+            type: "ceph_default"
+        - alert: "NVMeoFHighHostCPU"
+          annotations:
+            description: "High CPU on a gateway host can lead to CPU contention and performance degradation"
+            summary: "The CPU is high ({{ "{{" }} $value {{ "}}" }}%) on NVMeoF Gateway host ({{ "{{" }} $labels.host {{ "}}" }}) "
+          expr: "100-((100*(avg by(host) (label_replace(rate(node_cpu_seconds_total{mode=\"idle\"}[5m]),\"host\",\"$1\",\"instance\",\"(.*):.*\")) * on(host) group_right label_replace(ceph_nvmeof_gateway_info,\"host\",\"$1\",\"instance\",\"(.*):.*\")))) >= 80.00"
+          for: "10m"
+          labels:
+            severity: "warning"
+            type: "ceph_default"
+        - alert: "NVMeoFInterfaceDown"
+          annotations:
+            description: "A NIC used by one or more subsystems is in a down state"
+            summary: "Network interface {{ "{{" }} $labels.device {{ "}}" }} is down "
+          expr: "ceph_nvmeof_subsystem_listener_iface_info{operstate=\"down\"}"
+          for: "30s"
+          labels:
+            oid: "1.3.6.1.4.1.50495.1.2.1.14.1"
+            severity: "warning"
+            type: "ceph_default"
+        - alert: "NVMeoFInterfaceDuplex"
+          annotations:
+            description: "Until this is resolved, performance from the gateway will be degraded"
+            summary: "Network interface {{ "{{" }} $labels.device {{ "}}" }} is not running in full duplex mode "
+          expr: "ceph_nvmeof_subsystem_listener_iface_info{duplex!=\"full\"}"
+          for: "30s"
+          labels:
+            severity: "warning"
+            type: "ceph_default"
+        - alert: "NVMeoFHighReadLatency"
+          annotations:
+            description: "High latencies may indicate a constraint within the cluster e.g. CPU, network. Please investigate"
+            summary: "The average read latency over the last 5 mins has reached 10 ms or more on {{ "{{" }} $labels.gateway {{ "}}" }}"
+          expr: "label_replace((avg by(instance) ((rate(ceph_nvmeof_bdev_read_seconds_total[1m]) / rate(ceph_nvmeof_bdev_reads_completed_total[1m])))),\"gateway\",\"$1\",\"instance\",\"(.*):.*\") > 0.01"
+          for: "5m"
+          labels:
+            severity: "warning"
+            type: "ceph_default"
+        - alert: "NVMeoFHighWriteLatency"
+          annotations:
+            description: "High latencies may indicate a constraint within the cluster e.g. CPU, network. Please investigate"
+            summary: "The average write latency over the last 5 mins has reached 20 ms or more on {{ "{{" }} $labels.gateway {{ "}}" }}"
+          expr: "label_replace((avg by(instance) ((rate(ceph_nvmeof_bdev_write_seconds_total[5m]) / rate(ceph_nvmeof_bdev_writes_completed_total[5m])))),\"gateway\",\"$1\",\"instance\",\"(.*):.*\") > 0.02"
+          for: "5m"
+          labels:
+            severity: "warning"
+            type: "ceph_default"
+{{- end }}
@@ -0,0 +1,56 @@
+{{- if and .Values.monitoring.enabled -}}
+---
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: rook-ceph-exporter
+  namespace: {{ .Release.Namespace }}
+spec:
+  namespaceSelector:
+    matchNames:
+      - {{ .Release.Namespace }}
+  selector:
+    matchLabels:
+      app: rook-ceph-exporter
+      rook_cluster: {{ .Values.monitoring.cluster_name | default "rook-ceph" }}
+  endpoints:
+    - port: ceph-exporter-http-metrics
+      path: /metrics
+      interval: 10s
+---
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: rook-ceph-mgr
+  namespace: {{ .Release.Namespace }}
+spec:
+  namespaceSelector:
+    matchNames:
+      - {{ .Release.Namespace }}
+  selector:
+    matchLabels:
+      app: rook-ceph-mgr
+      rook_cluster: {{ .Values.monitoring.cluster_name | default "rook-ceph" }}
+  endpoints:
+    - port: http-metrics
+      path: /metrics
+      interval: 10s
+      honorLabels: true
+---
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: csi-metrics
+  namespace: {{ .Release.Namespace }}
+spec:
+  namespaceSelector:
+    matchNames:
+      - {{ .Release.Namespace }}
+  selector:
+    matchLabels:
+      app: csi-metrics
+  endpoints:
+    - port: csi-http-metrics
+      path: /metrics
+      interval: 5s
+{{- end }}
@@ -1,661 +1,2 @@
-# Default values for rook-ceph-operator
-# This is a YAML-formatted file.
-# Declare variables to be passed into your templates.
-
-image:
-  # -- Image
-  repository: docker.io/rook/ceph
-  # -- Image tag
-  # @default -- `v1.16.4`
-  tag: v1.17.8
-  # -- Image pull policy
-  pullPolicy: IfNotPresent
-
-crds:
-  # -- Whether the helm chart should create and update the CRDs. If false, the CRDs must be
-  # managed independently with deploy/examples/crds.yaml.
-  # **WARNING** Only set during first deployment. If later disabled the cluster may be DESTROYED.
-  # If the CRDs are deleted in this case, see
-  # [the disaster recovery guide](https://rook.io/docs/rook/latest/Troubleshooting/disaster-recovery/#restoring-crds-after-deletion)
-  # to restore them.
-  enabled: true
-
-# -- Pod resource requests & limits
-resources:
-  limits:
-    memory: 512Mi
-  requests:
-    cpu: 200m
-    memory: 128Mi
-
-# -- Kubernetes [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) to add to the Deployment.
-nodeSelector: {}
-# Constraint rook-ceph-operator Deployment to nodes with label `disktype: ssd`.
-# For more info, see https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
-#  disktype: ssd
-
-# -- List of Kubernetes [`tolerations`](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) to add to the Deployment.
-tolerations: []
-
-# -- Delay to use for the `node.kubernetes.io/unreachable` pod failure toleration to override
-# the Kubernetes default of 5 minutes
-unreachableNodeTolerationSeconds: 5
-
-# -- Whether the operator should watch cluster CRD in its own namespace or not
-currentNamespaceOnly: false
-
-# -- Custom pod labels for the operator
-operatorPodLabels: {}
-
-# -- Pod annotations
-annotations: {}
-
-# -- Global log level for the operator.
-# Options: `ERROR`, `WARNING`, `INFO`, `DEBUG`
-logLevel: INFO
-
-# -- If true, create & use RBAC resources
-rbacEnable: true
-
-rbacAggregate:
-  # -- If true, create a ClusterRole aggregated to [user facing roles](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles) for objectbucketclaims
-  enableOBCs: false
-
-# -- If true, create & use PSP resources
-pspEnable: false
-
-# -- Set the priority class for the rook operator deployment if desired
-priorityClassName:
-
-# -- Set the container security context for the operator
-containerSecurityContext:
-  runAsNonRoot: true
-  runAsUser: 2016
-  runAsGroup: 2016
-  capabilities:
-    drop: ["ALL"]
-# -- If true, loop devices are allowed to be used for osds in test clusters
-allowLoopDevices: false
-
-# Settings for whether to disable the drivers or other daemons if they are not
-# needed
-csi:
-  # -- Enable Ceph CSI RBD driver
-  enableRbdDriver: true
-  # -- Enable Ceph CSI CephFS driver
-  enableCephfsDriver: true
-  # -- Disable the CSI driver.
-  disableCsiDriver: "false"
-
-  # -- Enable host networking for CSI CephFS and RBD nodeplugins. This may be necessary
-  # in some network configurations where the SDN does not provide access to an external cluster or
-  # there is significant drop in read/write performance
-  enableCSIHostNetwork: true
-  # -- Enable Snapshotter in CephFS provisioner pod
-  enableCephfsSnapshotter: true
-  # -- Enable Snapshotter in NFS provisioner pod
-  enableNFSSnapshotter: true
-  # -- Enable Snapshotter in RBD provisioner pod
-  enableRBDSnapshotter: true
-  # -- Enable Host mount for `/etc/selinux` directory for Ceph CSI nodeplugins
-  enablePluginSelinuxHostMount: false
-  # -- Enable Ceph CSI PVC encryption support
-  enableCSIEncryption: false
-
-  # -- Enable volume group snapshot feature. This feature is
-  # enabled by default as long as the necessary CRDs are available in the cluster.
-  enableVolumeGroupSnapshot: true
-  # -- PriorityClassName to be set on csi driver plugin pods
-  pluginPriorityClassName: system-node-critical
-
-  # -- PriorityClassName to be set on csi driver provisioner pods
-  provisionerPriorityClassName: system-cluster-critical
-
-  # -- Policy for modifying a volume's ownership or permissions when the RBD PVC is being mounted.
-  # supported values are documented at https://kubernetes-csi.github.io/docs/support-fsgroup.html
-  rbdFSGroupPolicy: "File"
-
-  # -- Policy for modifying a volume's ownership or permissions when the CephFS PVC is being mounted.
-  # supported values are documented at https://kubernetes-csi.github.io/docs/support-fsgroup.html
-  cephFSFSGroupPolicy: "File"
-
-  # -- Policy for modifying a volume's ownership or permissions when the NFS PVC is being mounted.
-  # supported values are documented at https://kubernetes-csi.github.io/docs/support-fsgroup.html
-  nfsFSGroupPolicy: "File"
-
-  # -- OMAP generator generates the omap mapping between the PV name and the RBD image
-  # which helps CSI to identify the rbd images for CSI operations.
-  # `CSI_ENABLE_OMAP_GENERATOR` needs to be enabled when we are using rbd mirroring feature.
-  # By default OMAP generator is disabled and when enabled, it will be deployed as a
-  # sidecar with CSI provisioner pod, to enable set it to true.
-  enableOMAPGenerator: false
-
-  # -- Set CephFS Kernel mount options to use https://docs.ceph.com/en/latest/man/8/mount.ceph/#options.
-  # Set to "ms_mode=secure" when connections.encrypted is enabled in CephCluster CR
-  cephFSKernelMountOptions:
-
-  # -- Enable adding volume metadata on the CephFS subvolumes and RBD images.
-  # Not all users might be interested in getting volume/snapshot details as metadata on CephFS subvolume and RBD images.
-  # Hence enable metadata is false by default
-  enableMetadata: false
-
-  # -- Set replicas for csi provisioner deployment
-  provisionerReplicas: 2
-
-  # -- Cluster name identifier to set as metadata on the CephFS subvolume and RBD images. This will be useful
-  # in cases like for example, when two container orchestrator clusters (Kubernetes/OCP) are using a single ceph cluster
-  clusterName:
-
-  # -- Set logging level for cephCSI containers maintained by the cephCSI.
-  # Supported values from 0 to 5. 0 for general useful logs, 5 for trace level verbosity.
-  logLevel: 0
-
-  # -- Set logging level for Kubernetes-csi sidecar containers.
-  # Supported values from 0 to 5. 0 for general useful logs (the default), 5 for trace level verbosity.
-  # @default -- `0`
-  sidecarLogLevel:
-
-  # -- CSI driver name prefix for cephfs, rbd and nfs.
-  # @default -- `namespace name where rook-ceph operator is deployed`
-  csiDriverNamePrefix:
-
-  # -- CSI RBD plugin daemonset update strategy, supported values are OnDelete and RollingUpdate
-  # @default -- `RollingUpdate`
-  rbdPluginUpdateStrategy:
-
-  # -- A maxUnavailable parameter of CSI RBD plugin daemonset update strategy.
-  # @default -- `1`
-  rbdPluginUpdateStrategyMaxUnavailable:
-
-  # -- CSI CephFS plugin daemonset update strategy, supported values are OnDelete and RollingUpdate
-  # @default -- `RollingUpdate`
-  cephFSPluginUpdateStrategy:
-
-  # -- A maxUnavailable parameter of CSI cephFS plugin daemonset update strategy.
-  # @default -- `1`
-  cephFSPluginUpdateStrategyMaxUnavailable:
-
-  # -- CSI NFS plugin daemonset update strategy, supported values are OnDelete and RollingUpdate
-  # @default -- `RollingUpdate`
-  nfsPluginUpdateStrategy:
-
-  # -- Set GRPC timeout for csi containers (in seconds). It should be >= 120. If this value is not set or is invalid, it defaults to 150
-  grpcTimeoutInSeconds: 150
-
-  # -- Burst to use while communicating with the kubernetes apiserver.
-  kubeApiBurst:
-
-  # -- QPS to use while communicating with the kubernetes apiserver.
-  kubeApiQPS:
-
-  # -- The volume of the CephCSI RBD plugin DaemonSet
-  csiRBDPluginVolume:
-  #  - name: lib-modules
-  #    hostPath:
-  #      path: /run/booted-system/kernel-modules/lib/modules/
-  #  - name: host-nix
-  #    hostPath:
-  #      path: /nix
-
-  # -- The volume mounts of the CephCSI RBD plugin DaemonSet
-  csiRBDPluginVolumeMount:
-  #  - name: host-nix
-  #    mountPath: /nix
-  #    readOnly: true
-
-  # -- The volume of the CephCSI CephFS plugin DaemonSet
-  csiCephFSPluginVolume:
-  #  - name: lib-modules
-  #    hostPath:
-  #      path: /run/booted-system/kernel-modules/lib/modules/
-  #  - name: host-nix
-  #    hostPath:
-  #      path: /nix
-
-  # -- The volume mounts of the CephCSI CephFS plugin DaemonSet
-  csiCephFSPluginVolumeMount:
-  #  - name: host-nix
-  #    mountPath: /nix
-  #    readOnly: true
-
-  # -- CEPH CSI RBD provisioner resource requirement list
-  # csi-omap-generator resources will be applied only if `enableOMAPGenerator` is set to `true`
-  # @default -- see values.yaml
-  csiRBDProvisionerResource: |
-    - name : csi-provisioner
-      resource:
-        requests:
-          memory: 128Mi
-          cpu: 100m
-        limits:
-          memory: 256Mi
-    - name : csi-resizer
-      resource:
-        requests:
-          memory: 128Mi
-          cpu: 100m
-        limits:
-          memory: 256Mi
-    - name : csi-attacher
-      resource:
-        requests:
-          memory: 128Mi
-          cpu: 100m
-        limits:
-          memory: 256Mi
-    - name : csi-snapshotter
-      resource:
-        requests:
-          memory: 128Mi
-          cpu: 100m
-        limits:
-          memory: 256Mi
-    - name : csi-rbdplugin
-      resource:
-        requests:
-          memory: 512Mi
-        limits:
-          memory: 1Gi
-    - name : csi-omap-generator
-      resource:
-        requests:
-          memory: 512Mi
-          cpu: 250m
-        limits:
-          memory: 1Gi
-    - name : liveness-prometheus
-      resource:
-        requests:
-          memory: 128Mi
-          cpu: 50m
-        limits:
-          memory: 256Mi
-
-  # -- CEPH CSI RBD plugin resource requirement list
-  # @default -- see values.yaml
-  csiRBDPluginResource: |
-    - name : driver-registrar
-      resource:
-        requests:
-          memory: 128Mi
-          cpu: 50m
-        limits:
-          memory: 256Mi
-    - name : csi-rbdplugin
-      resource:
-        requests:
-          memory: 512Mi
-          cpu: 250m
-        limits:
-          memory: 1Gi
-    - name : liveness-prometheus
-      resource:
-        requests:
-          memory: 128Mi
-          cpu: 50m
-        limits:
-          memory: 256Mi
-
-  # -- CEPH CSI CephFS provisioner resource requirement list
-  # @default -- see values.yaml
-  csiCephFSProvisionerResource: |
-    - name : csi-provisioner
-      resource:
-        requests:
-          memory: 128Mi
-          cpu: 100m
-        limits:
-          memory: 256Mi
-    - name : csi-resizer
-      resource:
-        requests:
-          memory: 128Mi
-          cpu: 100m
-        limits:
-          memory: 256Mi
-    - name : csi-attacher
-      resource:
-        requests:
-          memory: 128Mi
-          cpu: 100m
-        limits:
-          memory: 256Mi
-    - name : csi-snapshotter
-      resource:
-        requests:
-          memory: 128Mi
-          cpu: 100m
-        limits:
-          memory: 256Mi
-    - name : csi-cephfsplugin
-      resource:
-        requests:
-          memory: 512Mi
-          cpu: 250m
-        limits:
-          memory: 1Gi
-    - name : liveness-prometheus
-      resource:
-        requests:
-          memory: 128Mi
-          cpu: 50m
-        limits:
-          memory: 256Mi
-
-  # -- CEPH CSI CephFS plugin resource requirement list
-  # @default -- see values.yaml
-  csiCephFSPluginResource: |
-    - name : driver-registrar
-      resource:
-        requests:
-          memory: 128Mi
-          cpu: 50m
-        limits:
-          memory: 256Mi
-    - name : csi-cephfsplugin
-      resource:
-        requests:
-          memory: 512Mi
-          cpu: 250m
-        limits:
-          memory: 1Gi
-    - name : liveness-prometheus
-      resource:
-        requests:
-          memory: 128Mi
-          cpu: 50m
-        limits:
-          memory: 256Mi
-
-  # -- CEPH CSI NFS provisioner resource requirement list
-  # @default -- see values.yaml
-  csiNFSProvisionerResource: |
-    - name : csi-provisioner
-      resource:
-        requests:
-          memory: 128Mi
-          cpu: 100m
-        limits:
-          memory: 256Mi
-    - name : csi-nfsplugin
-      resource:
-        requests:
-          memory: 512Mi
-          cpu: 250m
-        limits:
-          memory: 1Gi
-    - name : csi-attacher
-      resource:
-        requests:
-          memory: 512Mi
-          cpu: 250m
-        limits:
-          memory: 1Gi
-
-  # -- CEPH CSI NFS plugin resource requirement list
-  # @default -- see values.yaml
-  csiNFSPluginResource: |
-    - name : driver-registrar
-      resource:
-        requests:
-          memory: 128Mi
-          cpu: 50m
-        limits:
-          memory: 256Mi
-    - name : csi-nfsplugin
-      resource:
-        requests:
-          memory: 512Mi
-          cpu: 250m
-        limits:
-          memory: 1Gi
-
-  # Set provisionerTolerations and provisionerNodeAffinity for provisioner pod.
-  # The CSI provisioner would be best to start on the same nodes as other ceph daemons.
-
-  # -- Array of tolerations in YAML format which will be added to CSI provisioner deployment
-  provisionerTolerations:
-  #    - key: key
-  #      operator: Exists
-  #      effect: NoSchedule
-
-  # -- The node labels for affinity of the CSI provisioner deployment [^1]
-  provisionerNodeAffinity: #key1=value1,value2; key2=value3
-  # Set pluginTolerations and pluginNodeAffinity for plugin daemonset pods.
-  # The CSI plugins need to be started on all the nodes where the clients need to mount the storage.
-
-  # -- Array of tolerations in YAML format which will be added to CephCSI plugin DaemonSet
-  pluginTolerations:
-  #    - key: key
-  #      operator: Exists
-  #      effect: NoSchedule
-
-  # -- The node labels for affinity of the CephCSI RBD plugin DaemonSet [^1]
-  pluginNodeAffinity: # key1=value1,value2; key2=value3
-
-  # -- Enable Ceph CSI Liveness sidecar deployment
-  enableLiveness: false
-
-  # -- CSI CephFS driver metrics port
-  # @default -- `9081`
-  cephfsLivenessMetricsPort:
-
-  # -- CSI Addons server port
-  # @default -- `9070`
-  csiAddonsPort:
-
-  # -- Enable Ceph Kernel clients on kernel < 4.17. If your kernel does not support quotas for CephFS
-  # you may want to disable this setting. However, this will cause an issue during upgrades
-  # with the FUSE client. See the [upgrade guide](https://rook.io/docs/rook/v1.2/ceph-upgrade.html)
-  forceCephFSKernelClient: true
-
-  # -- Ceph CSI RBD driver metrics port
-  # @default -- `8080`
-  rbdLivenessMetricsPort:
-
-  serviceMonitor:
-    # -- Enable ServiceMonitor for Ceph CSI drivers
-    enabled: false
-    # -- Service monitor scrape interval
-    interval: 10s
-    # -- ServiceMonitor additional labels
-    labels: {}
-    # -- Use a different namespace for the ServiceMonitor
-    namespace:
-
-  # -- Kubelet root directory path (if the Kubelet uses a different path for the `--root-dir` flag)
-  # @default -- `/var/lib/kubelet`
-  kubeletDirPath:
-
-  # -- Duration in seconds that non-leader candidates will wait to force acquire leadership.
-  # @default -- `137s`
-  csiLeaderElectionLeaseDuration:
-
-  # -- Deadline in seconds that the acting leader will retry refreshing leadership before giving up.
-  # @default -- `107s`
-  csiLeaderElectionRenewDeadline:
-
-  # -- Retry period in seconds the LeaderElector clients should wait between tries of actions.
-  # @default -- `26s`
-  csiLeaderElectionRetryPeriod:
-
-  cephcsi:
-    # -- Ceph CSI image repository
-    repository: quay.io/cephcsi/cephcsi
-    # -- Ceph CSI image tag
-    tag: v3.13.0
-
-  registrar:
-    # -- Kubernetes CSI registrar image repository
-    repository: registry.k8s.io/sig-storage/csi-node-driver-registrar
-    # -- Registrar image tag
-    tag: v2.13.0
-
-  provisioner:
-    # -- Kubernetes CSI provisioner image repository
-    repository: registry.k8s.io/sig-storage/csi-provisioner
-    # -- Provisioner image tag
-    tag: v5.1.0
-
-  snapshotter:
-    # -- Kubernetes CSI snapshotter image repository
-    repository: registry.k8s.io/sig-storage/csi-snapshotter
-    # -- Snapshotter image tag
-    tag: v8.2.0
-
-  attacher:
-    # -- Kubernetes CSI Attacher image repository
-    repository: registry.k8s.io/sig-storage/csi-attacher
-    # -- Attacher image tag
-    tag: v4.8.0
-
-  resizer:
-    # -- Kubernetes CSI resizer image repository
-    repository: registry.k8s.io/sig-storage/csi-resizer
-    # -- Resizer image tag
-    tag: v1.13.1
-
-  # -- Image pull policy
-  imagePullPolicy: IfNotPresent
-
-  # -- Labels to add to the CSI CephFS Deployments and DaemonSets Pods
-  cephfsPodLabels: #"key1=value1,key2=value2"
-
-  # -- Labels to add to the CSI NFS Deployments and DaemonSets Pods
-  nfsPodLabels: #"key1=value1,key2=value2"
-
-  # -- Labels to add to the CSI RBD Deployments and DaemonSets Pods
-  rbdPodLabels: #"key1=value1,key2=value2"
-
-  csiAddons:
-    # -- Enable CSIAddons
-    enabled: false
-    # -- CSIAddons sidecar image repository
-    repository: quay.io/csiaddons/k8s-sidecar
-    # -- CSIAddons sidecar image tag
-    tag: v0.11.0
-
-  nfs:
-    # -- Enable the nfs csi driver
-    enabled: false
-
-  topology:
-    # -- Enable topology based provisioning
-    enabled: false
-    # NOTE: the value here serves as an example and needs to be
-    # updated with node labels that define domains of interest
-    # -- domainLabels define which node labels to use as domains
-    # for CSI nodeplugins to advertise their domains
-    domainLabels:
-    # - kubernetes.io/hostname
-    # - topology.kubernetes.io/zone
-    # - topology.rook.io/rack
-
-  # -- Whether to skip any attach operation altogether for CephFS PVCs. See more details
-  # [here](https://kubernetes-csi.github.io/docs/skip-attach.html#skip-attach-with-csi-driver-object).
-  # If cephFSAttachRequired is set to false it skips the volume attachments and makes the creation
-  # of pods using the CephFS PVC fast. **WARNING** It's highly discouraged to use this for
-  # CephFS RWO volumes. Refer to this [issue](https://github.com/kubernetes/kubernetes/issues/103305) for more details.
-  cephFSAttachRequired: true
-  # -- Whether to skip any attach operation altogether for RBD PVCs. See more details
-  # [here](https://kubernetes-csi.github.io/docs/skip-attach.html#skip-attach-with-csi-driver-object).
-  # If set to false it skips the volume attachments and makes the creation of pods using the RBD PVC fast.
-  # **WARNING** It's highly discouraged to use this for RWO volumes as it can cause data corruption.
-  # csi-addons operations like Reclaimspace and PVC Keyrotation will also not be supported if set
-  # to false since we'll have no VolumeAttachments to determine which node the PVC is mounted on.
-  # Refer to this [issue](https://github.com/kubernetes/kubernetes/issues/103305) for more details.
-  rbdAttachRequired: true
-  # -- Whether to skip any attach operation altogether for NFS PVCs. See more details
-  # [here](https://kubernetes-csi.github.io/docs/skip-attach.html#skip-attach-with-csi-driver-object).
-  # If cephFSAttachRequired is set to false it skips the volume attachments and makes the creation
-  # of pods using the NFS PVC fast. **WARNING** It's highly discouraged to use this for
-  # NFS RWO volumes. Refer to this [issue](https://github.com/kubernetes/kubernetes/issues/103305) for more details.
-  nfsAttachRequired: true
-
-# -- Enable discovery daemon
-enableDiscoveryDaemon: false
-# -- Set the discovery daemon device discovery interval (default to 60m)
-discoveryDaemonInterval: 60m
-
-# -- The timeout for ceph commands in seconds
-cephCommandsTimeoutSeconds: "15"
-
-# -- If true, run rook operator on the host network
-useOperatorHostNetwork:
-
-# -- If true, scale down the rook operator.
-# This is useful for administrative actions where the rook operator must be scaled down, while using gitops style tooling
-# to deploy your helm charts.
-scaleDownOperator: false
-
-## Rook Discover configuration
-## toleration: NoSchedule, PreferNoSchedule or NoExecute
-## tolerationKey: Set this to the specific key of the taint to tolerate
-## tolerations: Array of tolerations in YAML format which will be added to agent deployment
-## nodeAffinity: Set to labels of the node to match
-
-discover:
-  # -- Toleration for the discover pods.
-  # Options: `NoSchedule`, `PreferNoSchedule` or `NoExecute`
-  toleration:
-  # -- The specific key of the taint to tolerate
-  tolerationKey:
-  # -- Array of tolerations in YAML format which will be added to discover deployment
-  tolerations:
-  #   - key: key
-  #     operator: Exists
-  #     effect: NoSchedule
-  # -- The node labels for affinity of `discover-agent` [^1]
-  nodeAffinity:
-  #   key1=value1,value2; key2=value3
-  #
-  #   or
-  #
-  #   requiredDuringSchedulingIgnoredDuringExecution:
-  #     nodeSelectorTerms:
-  #       - matchExpressions:
-  #           - key: storage-node
-  #             operator: Exists
-  # -- Labels to add to the discover pods
-  podLabels: # "key1=value1,key2=value2"
-  # -- Add resources to discover daemon pods
-  resources:
-  #   - limits:
-  #       memory: 512Mi
-  #   - requests:
-  #       cpu: 100m
-  #       memory: 128Mi
-
-# -- Custom label to identify node hostname. If not set `kubernetes.io/hostname` will be used
-customHostnameLabel:
-
-# -- Runs Ceph Pods as privileged to be able to write to `hostPaths` in OpenShift with SELinux restrictions.
-hostpathRequiresPrivileged: false
-
-# -- Whether to create all Rook pods to run on the host network, for example in environments where a CNI is not enabled
-enforceHostNetwork: false
-
-# -- Disable automatic orchestration when new devices are discovered.
-disableDeviceHotplug: false
-
-# -- The revision history limit for all pods created by Rook. If blank, the K8s default is 10.
-revisionHistoryLimit:
-
-# -- Blacklist certain disks according to the regex provided.
-discoverDaemonUdev:
-
-# -- imagePullSecrets option allow to pull docker images from private docker registry. Option will be passed to all service accounts.
-imagePullSecrets:
-# - name: my-registry-secret
-
-# -- Whether the OBC provisioner should watch on the operator namespace or not, if not the namespace of the cluster will be used
-enableOBCWatchOperatorNamespace: true
-
-# -- Specify the prefix for the OBC provisioner in place of the cluster namespace
-# @default -- `ceph cluster namespace`
-obcProvisionerNamePrefix:
-
 monitoring:
-  # -- Enable monitoring. Requires Prometheus to be pre-installed.
-  # Enabling will also create RBAC rules to allow Operator to create ServiceMonitors
-  enabled: false
+  enabled: true
@@ -10,7 +10,10 @@ parameters:
    imageFeatures: layering
    csi.storage.k8s.io/provisioner-secret-name: rook-csi-rbd-provisioner
    csi.storage.k8s.io/provisioner-secret-namespace: rook-ceph
+    csi.storage.k8s.io/controller-expand-secret-name: rook-csi-rbd-provisioner
+    csi.storage.k8s.io/controller-expand-secret-namespace: rook-ceph
    csi.storage.k8s.io/node-stage-secret-name: rook-csi-rbd-node
    csi.storage.k8s.io/node-stage-secret-namespace: rook-ceph
    csi.storage.k8s.io/fstype: ext4
 reclaimPolicy: Delete
+allowVolumeExpansion: true
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: cert-dubyatp-xyz
+  annotations:
+    replicator.v1.mittwald.de/replicate-from: cert-manager/cert-dubyatp-xyz
+    replicator.v1.mittwald.de/replicated-keys: tls.crt,tls.key
+type: Opaque
+stringData:
+  tls.crt: ""
+  tls.key: ""
@@ -0,0 +1,32 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: weyma-s3-ingress
+spec:
+  rules:
+  - host: "weyma-s3.infra.dubyatp.xyz"
+    http:
+      paths:
+      - pathType: Prefix
+        path: "/"
+        backend:
+          service:
+            name: rook-ceph-rgw-weyma-s3
+            port: 
+              number: 80
+        
+  - host: "*.weyma-s3.infra.dubyatp.xyz"
+    http:
+      paths:
+      - pathType: Prefix
+        path: "/"
+        backend:
+          service:
+            name: rook-ceph-rgw-weyma-s3
+            port: 
+              number: 80
+  tls:
+    - secretName: cert-dubyatp-xyz
+      hosts:
+       - weyma-s3.infra.dubyatp.xyz
+       - "*.weyma-s3.infra.dubyatp.xyz"
@@ -0,0 +1,9 @@
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+  name: weyma-s3-bucket
+provisioner: rook-ceph.ceph.rook.io/bucket
+reclaimPolicy: Delete
+parameters:
+  objectStoreName: weyma-s3
+  objectStoreNamespace: rook-ceph
@@ -0,0 +1,27 @@
+apiVersion: ceph.rook.io/v1
+kind: CephObjectStore
+metadata:
+  name: weyma-s3
+  namespace: rook-ceph
+spec:
+  dataPool:
+    application: ""
+    failureDomain: host
+    replicated:
+      size: 3
+  gateway:
+    instances: 3
+    port: 80
+  metadataPool:
+    application: ""
+    erasureCoded:
+      codingChunks: 0
+      dataChunks: 0
+    failureDomain: host
+    replicated:
+      size: 3
+  preservePoolsOnDelete: true
+  sharedPools:
+    preserveRadosNamespaceDataOnDelete: false
+  zone:
+    name: ""
@@ -28,3 +28,5 @@ parameters:
  csi.storage.k8s.io/node-stage-secret-namespace: rook-ceph

 reclaimPolicy: Delete
+
+allowVolumeExpansion: true
@@ -24,5 +24,5 @@ appVersion: "1.0"

 dependencies:
 - name: traefik
-  version: 37.0.0
+  version: 39.0.8
  repository: https://traefik.github.io/charts
@@ -4,6 +4,7 @@ traefik:
    - --entryPoints.websecure.transport.respondingTimeouts.readTimeout=0
  ports:
    web:
+      http:
        redirections:
          entryPoint:
            to: websecure
@@ -14,19 +15,29 @@ traefik:
      exposedPort: 22
      expose:
        default: true
-      tls:
-        passthrough: true
  metrics:
    prometheus:
      service:
        enabled: true
+      serviceMonitor:
+        enabled: true
+      prometheusRule:
+        enabled: true
+        rules:
+          - alert: TraefikDown
+            expr: up{job="traefik"} == 0
+            for: 5m
            labels:
-          metrics_enabled: "true"
+              context: traefik
+              severity: critical
+            annotations:
+              summary: "Traefik Down"
+              description: "{{ $labels.pod }} on {{ $labels.nodename }} is down"
  deployment:
    kind: DaemonSet
    additionalContainers:
    - name: cloudflared
-      image: cloudflare/cloudflared:2025.8.0
+      image: cloudflare/cloudflared:2026.3.0
      command:
        - cloudflared
        - tunnel
@@ -69,6 +80,19 @@ traefik:
                traefik-real-ip:
                  excludednets:
                    - "1.1.1.1/24"
+          routers:
+            dispatcharr:
+              entryPoints:
+              - websecure
+              service: dispatcharr
+              tls:
+                options: default
+              rule: 'Host(`dispatcharr.dubyatp.xyz`) && PathPrefix(`/`)'
+          services:
+            dispatcharr:
+              loadBalancer:
+                servers:
+                - url: http://10.105.15.20:9191
  service:
    spec:
      externalTrafficPolicy: Local
@@ -105,3 +129,26 @@ traefik:
    data:
      tls.crt: ""
      tls.key: ""
+  - apiVersion: v1
+    kind: Service
+    metadata:
+      name: traefik-local
+    spec:
+      sessionAffinity: ClientIP
+      sessionAffinityConfig:
+        clientIP:
+          timeoutSeconds: 3600
+      selector:
+        app.kubernetes.io/name: traefik
+        app.kubernetes.io/instance: traefik-traefik
+      ports:
+      - name: gitssh
+        port: 22
+        targetPort: gitssh
+      - name: web
+        port: 80
+        targetPort: web
+      - name: websecure
+        port: 443
+        targetPort: websecure
+      type: ClusterIP
@@ -24,5 +24,5 @@ appVersion: "1.0"

 dependencies:
 - name: velero
-  version: 10.1.0
+  version: 12.0.0
  repository: https://vmware-tanzu.github.io/helm-charts
@@ -2,8 +2,48 @@ velero:
  backupsEnabled: true
  snapshotsEnabled: false
  metrics:
+    serviceMonitor:
+      enabled: true
+    prometheusRule:
+      enabled: true
+      spec:
+      - alert: VeleroBackupFailed
+        annotations:
+          message: Velero backup {{ $labels.schedule }} has failed
+        expr: |-
+          velero_backup_last_status{schedule!=""} != 1
+        for: 15m
        labels:
-      metrics_enabled: "true"
+          severity: warning
+      - alert: VeleroBackupFailing
+        annotations:
+          message: Velero backup {{ $labels.schedule }} has been failing for the last 12h
+        expr: |-
+          velero_backup_last_status{schedule!=""} != 1
+        for: 12h
+        labels:
+          severity: critical
+      - alert: VeleroNoNewBackup
+        annotations:
+          message: Velero backup {{ $labels.schedule }} has not run successfully in the last 25h
+        expr: |-
+          (
+          (time() - velero_backup_last_successful_timestamp{schedule!=""}) >bool (25 * 3600)
+          or
+          absent(velero_backup_last_successful_timestamp{schedule!=""})
+          ) == 1
+        for: 1h
+        labels:
+          severity: critical
+      - alert: VeleroBackupPartialFailures
+        annotations:
+          message: Velero backup {{ $labels.schedule }} has {{ $value | humanizePercentage }} partialy failed backups
+        expr: |-
+          rate(velero_backup_partial_failure_total{schedule!=""}[25m])
+            / rate(velero_backup_attempt_total{schedule!=""}[25m]) > 0.5
+        for: 15m
+        labels:
+          severity: warning
  configuration:
    backupStorageLocation:
    - name: weyma-truenas
@@ -19,7 +59,7 @@ velero:
        insecureSkipTLSVerify: "true"
  initContainers:
  - name: velero-plugin-for-aws
-    image: velero/velero-plugin-for-aws:v1.12.2
+    image: velero/velero-plugin-for-aws:v1.14.0
    imagePullPolicy: IfNotPresent
    volumeMounts:
      - mountPath: /target
@@ -32,6 +72,9 @@ velero:
        velero.io/change-storage-class: RestoreItemAction
      data:
        ceph-block: weyma-shared
+  kubectl:
+    image:
+      tag: "1.33.4"
  extraObjects:
  - apiVersion: external-secrets.io/v1
    kind: ExternalSecret
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: whereabouts-config
+  namespace: kube-system
+  annotations:
+    kubernetes.io/description: |
+      Configmap containing user customizable cronjob schedule
+data:
+  cron-expression: "30 4 * * *" # Default schedule is once per day at 4:30am. Users may configure this value to their liking.
@@ -0,0 +1,70 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.14.0
+  name: ippools.whereabouts.cni.cncf.io
+spec:
+  group: whereabouts.cni.cncf.io
+  names:
+    kind: IPPool
+    listKind: IPPoolList
+    plural: ippools
+    singular: ippool
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: IPPool is the Schema for the ippools API
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: IPPoolSpec defines the desired state of IPPool
+            properties:
+              allocations:
+                additionalProperties:
+                  description: IPAllocation represents metadata about the pod/container
+                    owner of a specific IP
+                  properties:
+                    id:
+                      type: string
+                    ifname:
+                      type: string
+                    podref:
+                      type: string
+                  required:
+                  - id
+                  - podref
+                  type: object
+                description: |-
+                  Allocations is the set of allocated IPs for the given range. Its` indices are a direct mapping to the
+                  IP with the same index/offset for the pool's range.
+                type: object
+              range:
+                description: Range is a RFC 4632/4291-style string that represents
+                  an IP address and prefix length in CIDR notation
+                type: string
+            required:
+            - allocations
+            - range
+            type: object
+        type: object
+    served: true
+    storage: true
@@ -0,0 +1,56 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.14.0
+  name: overlappingrangeipreservations.whereabouts.cni.cncf.io
+spec:
+  group: whereabouts.cni.cncf.io
+  names:
+    kind: OverlappingRangeIPReservation
+    listKind: OverlappingRangeIPReservationList
+    plural: overlappingrangeipreservations
+    singular: overlappingrangeipreservation
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: OverlappingRangeIPReservation is the Schema for the OverlappingRangeIPReservations
+          API
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: OverlappingRangeIPReservationSpec defines the desired state
+              of OverlappingRangeIPReservation
+            properties:
+              containerid:
+                type: string
+              ifname:
+                type: string
+              podref:
+                type: string
+            required:
+            - podref
+            type: object
+        required:
+        - spec
+        type: object
+    served: true
+    storage: true
@@ -0,0 +1,76 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: whereabouts
+  namespace: kube-system
+  labels:
+    tier: node
+    app: whereabouts
+spec:
+  selector:
+    matchLabels:
+      name: whereabouts
+  updateStrategy:
+    type: RollingUpdate
+  template:
+    metadata:
+      labels:
+        tier: node
+        app: whereabouts
+        name: whereabouts
+    spec:
+      hostNetwork: true
+      serviceAccountName: whereabouts
+      tolerations:
+      - operator: Exists
+        effect: NoSchedule
+      containers:
+      - name: whereabouts
+        command: [ "/bin/sh" ]
+        args:
+          - -c
+          - |
+            SLEEP=false source /install-cni.sh
+            /token-watcher.sh &
+            /ip-control-loop -log-level debug
+        image: ghcr.io/k8snetworkplumbingwg/whereabouts:v0.9.2
+        env:
+        - name: NODENAME
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: spec.nodeName
+        - name: WHEREABOUTS_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        resources:
+          requests:
+            cpu: "100m"
+            memory: "100Mi"
+          limits:
+            cpu: "300m"
+            memory: "200Mi"
+        securityContext:
+          privileged: true
+        volumeMounts:
+        - name: cnibin
+          mountPath: /host/opt/cni/bin
+        - name: cni-net-dir
+          mountPath: /host/etc/cni/net.d
+        - name: cron-scheduler-configmap
+          mountPath: /cron-schedule
+      volumes:
+        - name: cnibin
+          hostPath:
+            path: /opt/cni/bin
+        - name: cni-net-dir
+          hostPath:
+            path: /etc/cni/net.d
+        - name: cron-scheduler-configmap
+          configMap:
+            name: "whereabouts-config"
+            defaultMode: 0744
+            items:
+            - key: "cron-expression"
+              path: "config"
@@ -0,0 +1,76 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: whereabouts
+  namespace: kube-system
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: whereabouts
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: whereabouts-cni
+subjects:
+- kind: ServiceAccount
+  name: whereabouts
+  namespace: kube-system
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: whereabouts-cni
+rules:
+- apiGroups:
+  - whereabouts.cni.cncf.io
+  resources:
+  - ippools
+  - overlappingrangeipreservations
+  - nodeslicepools
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
+  verbs:
+  - '*'
+- apiGroups: [""]
+  resources:
+  - pods
+  verbs:
+  - list
+  - watch
+  - get
+- apiGroups: [""]
+  resources:
+  - nodes
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups: ["k8s.cni.cncf.io"]
+  resources:
+    - network-attachment-definitions
+  verbs:
+    - get
+    - list
+    - watch
+- apiGroups:
+  - ""
+  - events.k8s.io
+  resources:
+    - events
+  verbs:
+  - create
+  - patch
+  - update
+  - get