Merge pull request 'chore(deps): update all-minor-patch-updates' (#297) from renovate/all-minor-patch-updates into main

Reviewed-on: #297

README.md

@@ -0,0 +1,37 @@
+# Main Infrastructure: weyma-talos
+
+**Production Kubernetes infrastructure with disaster recovery capabilities**
+
+This repository contains the foundational infrastructure for my Kubernetes homelab, designed with reliability and rapid recovery as core principles.
+
+## Architecture
+
+My infrastructure follows a layered "black start" approach - essential services run outside the Kubernetes cluster to enable cluster bootstrapping and recovery from total failures.
+
+### Black Start Layer
+Static services (Docker Compose on TrueNAS/Proxmox) that provide cluster dependencies:
+- Image cache for faster deployments and offline capability
+- Talos discovery server for node bootstrapping  
+- HashiCorp Vault for secrets management (external to cluster)
+- Future: Self-hosted Sidero Omni server (migrating from SaaS)
+
+### System Apps Layer
+Applications running within Kubernetes that provide core cluster functionality, managed via ArgoCD with GitOps principles.
+
+## Repository Structure
+
+- **`black-start/`** - Docker Compose services for cluster dependencies
+- **`config-patches/`** - Talos Linux configuration patches for cluster and individual machines
+- **`omni/`** - Sidero Omni [cluster template](https://docs.siderolabs.com/omni/reference/cluster-templates)
+- **`system-apps/`** - System applications (ArgoCD projects) - monitoring, ingress, certificates, storage
+
+## Tech Stack
+
+**OS:** Talos Linux | **Orchestration:** Kubernetes | **GitOps:** ArgoCD | **Secrets:** Vault | **Storage:** Rook-Ceph
+
+## Recovery Process
+
+The "black start" architecture enables ~15-20 minute automated recovery from complete infrastructure failure:
+1. Start black-start services → 2. Bootstrap Talos → 3. Deploy system apps → 4. Deploy core apps
+
+For application deployments, see [core-apps](https://git.dubyatp.xyz/core-apps).

black-start/services/talos-discovery/docker-compose.yaml

@@ -2,7 +2,7 @@ version: "3.8"
 services:
   discovery:
     restart: unless-stopped
-    image: ghcr.io/siderolabs/discovery-service:v1.0.13
+    image: ghcr.io/siderolabs/discovery-service:v1.0.17
     ports:
       - 10.105.6.215:3000:3000
       - 10.105.6.215:3001:3001

black-start/services/vault/docker-compose.yaml

@@ -5,7 +5,7 @@ services:
     command: tunnel run weyma-vault
     env_file: ".env"
   vault:
-    image: hashicorp/vault:1.21
+    image: hashicorp/vault:2.0
     env_file: ".env.vault"
     environment:
       VAULT_ADDR: "https://weyma-vault.infra.dubyatp.xyz:8200"

omni/weyma-talos.yaml

@@ -52,6 +52,7 @@ patches:
             bind-address: 0.0.0.0
         proxy:
           extraArgs:
+            proxy-mode: ipvs
             metrics-bind-address: 0.0.0.0:10249
         scheduler:
           extraArgs:

renovate.json

@@ -15,10 +15,9 @@
   ],
   "packageRules": [
     {
-      "description": "Automerge patch updates",
+      "description": "Consolidate patch and minor updates to one PR",
-      "matchUpdateTypes": ["patch"],
+      "matchUpdateTypes": ["minor", "patch"],
-      "matchCurrentVersion": "!/^0/",
+      "groupName": "all-minor-patch-updates"
-      "automerge": true
     },
     {
       "description": "Rook Ceph - auto-update minor and patch versions only",

system-apps/argocd/Chart.yaml

@@ -24,5 +24,5 @@ appVersion: "1.0"
 
 dependencies:
 - name: argo-cd
-  version: 9.4.1
+  version: 9.5.4
   repository: https://argoproj.github.io/argo-helm

system-apps/argocd/values.yaml

@@ -131,6 +131,7 @@ argo-cd:
             conversionStrategy: Default
             decodingStrategy: None
             metadataPolicy: None
+            nullBytePolicy: Ignore
         - secretKey: admin.password
           remoteRef:
             key: argo-cd
@@ -138,6 +139,7 @@ argo-cd:
             conversionStrategy: Default
             decodingStrategy: None
             metadataPolicy: None
+            nullBytePolicy: Ignore
         - secretKey: admin.passwordMtime
           remoteRef:
             key: argo-cd
@@ -145,6 +147,7 @@ argo-cd:
             conversionStrategy: Default
             decodingStrategy: None
             metadataPolicy: None
+            nullBytePolicy: Ignore
         - secretKey: dex.authentik.clientSecret
           remoteRef:
             key: argo-cd
@@ -152,6 +155,7 @@ argo-cd:
             conversionStrategy: Default
             decodingStrategy: None
             metadataPolicy: None
+            nullBytePolicy: Ignore
     - apiVersion: external-secrets.io/v1
       kind: ExternalSecret
       metadata:
@@ -175,6 +179,7 @@ argo-cd:
             conversionStrategy: Default
             decodingStrategy: None
             metadataPolicy: None
+            nullBytePolicy: Ignore
         - secretKey: type
           remoteRef:
             key: argo-cd-git
@@ -182,6 +187,7 @@ argo-cd:
             conversionStrategy: Default
             decodingStrategy: None
             metadataPolicy: None
+            nullBytePolicy: Ignore
         - secretKey: url
           remoteRef:
             key: argo-cd-git
@@ -189,6 +195,7 @@ argo-cd:
             conversionStrategy: Default
             decodingStrategy: None
             metadataPolicy: None
+            nullBytePolicy: Ignore
     - apiVersion: external-secrets.io/v1
       kind: ExternalSecret
       metadata:
@@ -212,6 +219,7 @@ argo-cd:
             conversionStrategy: Default
             decodingStrategy: None
             metadataPolicy: None
+            nullBytePolicy: Ignore
         - secretKey: type
           remoteRef:
             key: argo-cd-git
@@ -219,6 +227,7 @@ argo-cd:
             conversionStrategy: Default
             decodingStrategy: None
             metadataPolicy: None
+            nullBytePolicy: Ignore
         - secretKey: url
           remoteRef:
             key: argo-cd-git
@@ -226,6 +235,7 @@ argo-cd:
             conversionStrategy: Default
             decodingStrategy: None
             metadataPolicy: None
+            nullBytePolicy: Ignore
     - apiVersion: external-secrets.io/v1
       kind: ExternalSecret
       metadata:
@@ -249,6 +259,7 @@ argo-cd:
             conversionStrategy: Default
             decodingStrategy: None
             metadataPolicy: None
+            nullBytePolicy: Ignore
         - secretKey: type
           remoteRef:
             key: argo-cd-git
@@ -256,6 +267,7 @@ argo-cd:
             conversionStrategy: Default
             decodingStrategy: None
             metadataPolicy: None
+            nullBytePolicy: Ignore
         - secretKey: url
           remoteRef:
             key: argo-cd-git
@@ -263,6 +275,7 @@ argo-cd:
             conversionStrategy: Default
             decodingStrategy: None
             metadataPolicy: None
+            nullBytePolicy: Ignore
     - apiVersion: external-secrets.io/v1
       kind: ExternalSecret
       metadata:
@@ -286,6 +299,7 @@ argo-cd:
             conversionStrategy: Default
             decodingStrategy: None
             metadataPolicy: None
+            nullBytePolicy: Ignore
         - secretKey: type
           remoteRef:
             key: argo-cd-git
@@ -293,10 +307,12 @@ argo-cd:
             conversionStrategy: Default
             decodingStrategy: None
             metadataPolicy: None
+            nullBytePolicy: Ignore
         - secretKey: url
           remoteRef:
             key: argo-cd-git
             property: url.db-operators
             conversionStrategy: Default
             decodingStrategy: None
-            metadataPolicy: None
+            metadataPolicy: None
+            nullBytePolicy: Ignore

system-apps/cert-manager/Chart.yaml

@@ -24,5 +24,5 @@ appVersion: "1.0"
 
 dependencies:
 - name: cert-manager
-  version: v1.19.3
+  version: v1.20.2
   repository: https://charts.jetstack.io

system-apps/external-secrets/chart/Chart.yaml

@@ -24,5 +24,5 @@ appVersion: "1.0"
 
 dependencies:
 - name: external-secrets
-  version: 1.3.2
+  version: 2.3.0
   repository: https://charts.external-secrets.io

system-apps/kite/Chart.yaml

@@ -24,5 +24,5 @@ appVersion: "1.0"
 
 dependencies:
 - name: kite
-  version: 0.7.8
+  version: 0.10.0
   repository: https://zxh326.github.io/kite

system-apps/kubernetes-replicator/Chart.yaml

@@ -24,5 +24,5 @@ appVersion: "1.0"
 
 dependencies:
 - name: kubernetes-replicator
-  version: 2.12.2
+  version: 2.12.3
   repository: https://helm.mittwald.de

system-apps/monitoring/Chart.yaml

@@ -24,5 +24,5 @@ appVersion: "1.0"
 
 dependencies:
 - name: kube-prometheus-stack
-  version: 81.5.0
+  version: 83.7.0
   repository: https://prometheus-community.github.io/helm-charts

system-apps/monitoring/templates/discord-webhook-secret.yaml

@@ -17,5 +17,6 @@ spec:
       conversionStrategy: Default
       decodingStrategy: None
       metadataPolicy: None
+      nullBytePolicy: Ignore
       key: monitoring
       property: discord_webhook

system-apps/rook-ceph/operator/Chart.yaml

@@ -24,5 +24,5 @@ appVersion: "1.0"
 
 dependencies:
 - name: rook-ceph
-  version: v1.19.1
+  version: v1.19.4
   repository: https://charts.rook.io/release

system-apps/traefik/Chart.yaml

@@ -24,5 +24,5 @@ appVersion: "1.0"
 
 dependencies:
 - name: traefik
-  version: 39.0.0
+  version: 39.0.8
   repository: https://traefik.github.io/charts

system-apps/traefik/values.yaml

@@ -37,7 +37,7 @@ traefik:
     kind: DaemonSet
     additionalContainers:
     - name: cloudflared
-      image: cloudflare/cloudflared:2026.1.2
+      image: cloudflare/cloudflared:2026.3.0
       command:
         - cloudflared
         - tunnel

system-apps/velero/Chart.yaml

@@ -24,5 +24,5 @@ appVersion: "1.0"
 
 dependencies:
 - name: velero
-  version: 11.3.2
+  version: 12.0.0
   repository: https://vmware-tanzu.github.io/helm-charts

system-apps/velero/values.yaml

@@ -59,7 +59,7 @@ velero:
         insecureSkipTLSVerify: "true"
   initContainers:
   - name: velero-plugin-for-aws
-    image: velero/velero-plugin-for-aws:v1.13.2
+    image: velero/velero-plugin-for-aws:v1.14.0
     imagePullPolicy: IfNotPresent
     volumeMounts:
       - mountPath: /target