chore(deps): update velero/velero-plugin-for-aws docker tag to v1.13.2

Reviewed-on: #180

black-start/services/talos-discovery/docker-compose.yaml

@@ -2,7 +2,7 @@ version: "3.8"
 services:
   discovery:
     restart: unless-stopped
-    image: ghcr.io/siderolabs/discovery-service:v1.0.12
+    image: ghcr.io/siderolabs/discovery-service:v1.0.13
     ports:
       - 10.105.6.215:3000:3000
       - 10.105.6.215:3001:3001

config-patches/cluster/weyma-bootstrap-metrics.yaml

@@ -1,8 +1,213 @@
 cluster:
   extraManifests:
     - https://raw.githubusercontent.com/alex1989hu/kubelet-serving-cert-approver/main/deploy/standalone-install.yaml
-    - https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml
   inlineManifests:
+    - name: metrics-server
+      contents: |-
+        apiVersion: v1
+        kind: ServiceAccount
+        metadata:
+          labels:
+            k8s-app: metrics-server
+          name: metrics-server
+          namespace: kube-system
+        ---
+        apiVersion: rbac.authorization.k8s.io/v1
+        kind: ClusterRole
+        metadata:
+          labels:
+            k8s-app: metrics-server
+            rbac.authorization.k8s.io/aggregate-to-admin: "true"
+            rbac.authorization.k8s.io/aggregate-to-edit: "true"
+            rbac.authorization.k8s.io/aggregate-to-view: "true"
+          name: system:aggregated-metrics-reader
+        rules:
+        - apiGroups:
+          - metrics.k8s.io
+          resources:
+          - pods
+          - nodes
+          verbs:
+          - get
+          - list
+          - watch
+        ---
+        apiVersion: rbac.authorization.k8s.io/v1
+        kind: ClusterRole
+        metadata:
+          labels:
+            k8s-app: metrics-server
+          name: system:metrics-server
+        rules:
+        - apiGroups:
+          - ""
+          resources:
+          - nodes/metrics
+          verbs:
+          - get
+        - apiGroups:
+          - ""
+          resources:
+          - pods
+          - nodes
+          verbs:
+          - get
+          - list
+          - watch
+        ---
+        apiVersion: rbac.authorization.k8s.io/v1
+        kind: RoleBinding
+        metadata:
+          labels:
+            k8s-app: metrics-server
+          name: metrics-server-auth-reader
+          namespace: kube-system
+        roleRef:
+          apiGroup: rbac.authorization.k8s.io
+          kind: Role
+          name: extension-apiserver-authentication-reader
+        subjects:
+        - kind: ServiceAccount
+          name: metrics-server
+          namespace: kube-system
+        ---
+        apiVersion: rbac.authorization.k8s.io/v1
+        kind: ClusterRoleBinding
+        metadata:
+          labels:
+            k8s-app: metrics-server
+          name: metrics-server:system:auth-delegator
+        roleRef:
+          apiGroup: rbac.authorization.k8s.io
+          kind: ClusterRole
+          name: system:auth-delegator
+        subjects:
+        - kind: ServiceAccount
+          name: metrics-server
+          namespace: kube-system
+        ---
+        apiVersion: rbac.authorization.k8s.io/v1
+        kind: ClusterRoleBinding
+        metadata:
+          labels:
+            k8s-app: metrics-server
+          name: system:metrics-server
+        roleRef:
+          apiGroup: rbac.authorization.k8s.io
+          kind: ClusterRole
+          name: system:metrics-server
+        subjects:
+        - kind: ServiceAccount
+          name: metrics-server
+          namespace: kube-system
+        ---
+        apiVersion: v1
+        kind: Service
+        metadata:
+          labels:
+            k8s-app: metrics-server
+          name: metrics-server
+          namespace: kube-system
+        spec:
+          ports:
+          - appProtocol: https
+            name: https
+            port: 443
+            protocol: TCP
+            targetPort: https
+          selector:
+            k8s-app: metrics-server
+        ---
+        apiVersion: apps/v1
+        kind: Deployment
+        metadata:
+          labels:
+            k8s-app: metrics-server
+          name: metrics-server
+          namespace: kube-system
+        spec:
+          selector:
+            matchLabels:
+              k8s-app: metrics-server
+          strategy:
+            rollingUpdate:
+              maxUnavailable: 0
+          template:
+            metadata:
+              labels:
+                k8s-app: metrics-server
+            spec:
+              containers:
+              - args:
+                - --cert-dir=/tmp
+                - --secure-port=10250
+                - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
+                - --kubelet-use-node-status-port
+                - --metric-resolution=15s
+                - --kubelet-insecure-tls
+                image: registry.k8s.io/metrics-server/metrics-server:v0.8.0
+                imagePullPolicy: IfNotPresent
+                livenessProbe:
+                  failureThreshold: 3
+                  httpGet:
+                    path: /livez
+                    port: https
+                    scheme: HTTPS
+                  periodSeconds: 10
+                name: metrics-server
+                ports:
+                - containerPort: 10250
+                  name: https
+                  protocol: TCP
+                readinessProbe:
+                  failureThreshold: 3
+                  httpGet:
+                    path: /readyz
+                    port: https
+                    scheme: HTTPS
+                  initialDelaySeconds: 20
+                  periodSeconds: 10
+                resources:
+                  requests:
+                    cpu: 100m
+                    memory: 200Mi
+                securityContext:
+                  allowPrivilegeEscalation: false
+                  capabilities:
+                    drop:
+                    - ALL
+                  readOnlyRootFilesystem: true
+                  runAsNonRoot: true
+                  runAsUser: 1000
+                  seccompProfile:
+                    type: RuntimeDefault
+                volumeMounts:
+                - mountPath: /tmp
+                  name: tmp-dir
+              nodeSelector:
+                kubernetes.io/os: linux
+              priorityClassName: system-cluster-critical
+              serviceAccountName: metrics-server
+              volumes:
+              - emptyDir: {}
+                name: tmp-dir
+        ---
+        apiVersion: apiregistration.k8s.io/v1
+        kind: APIService
+        metadata:
+          labels:
+            k8s-app: metrics-server
+          name: v1beta1.metrics.k8s.io
+        spec:
+          group: metrics.k8s.io
+          groupPriorityMinimum: 100
+          insecureSkipTLSVerify: true
+          service:
+            name: metrics-server
+            namespace: kube-system
+          version: v1beta1
+          versionPriority: 100
+
     - name: metrics-lb
       contents: |-
         apiVersion: v1
@@ -10,6 +215,8 @@ cluster:
         metadata:
           name: metrics-lb
           namespace: kube-system
+          annotations:
+            metallb.io/ip-allocated-from-pool: test-pool
         spec:
           type: LoadBalancer
           ports:
@@ -19,4 +226,3 @@ cluster:
             targetPort: https
           selector:
             k8s-app: metrics-server
-        

omni/weyma-talos.yaml

@@ -0,0 +1,492 @@
+kind: Cluster
+name: weyma-talos
+kubernetes:
+  version: v1.34.2
+talos:
+  version: v1.11.5
+features:
+  backupConfiguration:
+    interval: 6h0m0s
+patches:
+  - idOverride: 500-5100c0c3-f72e-45f5-8cde-4a1c3b6f72a8
+    annotations:
+      description: pod-svc-subnets
+      name: User defined patch
+    inline:
+      cluster:
+        network:
+          podSubnets:
+            - 10.244.0.0/16
+          serviceSubnets:
+            - 10.112.0.0/12
+  - idOverride: 500-7c228773-8b44-40b0-8b4c-30f617668af0
+    annotations:
+      description: weyma-image-cache
+      name: User defined patch
+    inline:
+      machine:
+        registries:
+          mirrors:
+            docker.io:
+              endpoints:
+                - http://10.105.6.215:6000
+            factory.talos.dev:
+              endpoints:
+                - http://10.105.6.215:6004
+            gcr.io:
+              endpoints:
+                - http://10.105.6.215:6002
+            ghcr.io:
+              endpoints:
+                - http://10.105.6.215:6003
+            registry.k8s.io:
+              endpoints:
+                - http://10.105.6.215:6001
+  - idOverride: 500-f198cacc-280b-4874-a410-252c160621a7
+    annotations:
+      name: weyma-bind-addr
+    inline:
+      cluster:
+        controllerManager:
+          extraArgs:
+            bind-address: 0.0.0.0
+        proxy:
+          extraArgs:
+            metrics-bind-address: 0.0.0.0:10249
+        scheduler:
+          extraArgs:
+            bind-address: 0.0.0.0
+  - idOverride: 500-fc113705-0777-4b52-8df0-7cee67fcc68e
+    annotations:
+      name: weyma-bootstrap-metrics
+    inline:
+      cluster:
+        extraManifests:
+          - https://raw.githubusercontent.com/alex1989hu/kubelet-serving-cert-approver/main/deploy/standalone-install.yaml
+        inlineManifests:
+          - contents: |-
+              apiVersion: v1
+              kind: ServiceAccount
+              metadata:
+                labels:
+                  k8s-app: metrics-server
+                name: metrics-server
+                namespace: kube-system
+              ---
+              apiVersion: rbac.authorization.k8s.io/v1
+              kind: ClusterRole
+              metadata:
+                labels:
+                  k8s-app: metrics-server
+                  rbac.authorization.k8s.io/aggregate-to-admin: "true"
+                  rbac.authorization.k8s.io/aggregate-to-edit: "true"
+                  rbac.authorization.k8s.io/aggregate-to-view: "true"
+                name: system:aggregated-metrics-reader
+              rules:
+              - apiGroups:
+                - metrics.k8s.io
+                resources:
+                - pods
+                - nodes
+                verbs:
+                - get
+                - list
+                - watch
+              ---
+              apiVersion: rbac.authorization.k8s.io/v1
+              kind: ClusterRole
+              metadata:
+                labels:
+                  k8s-app: metrics-server
+                name: system:metrics-server
+              rules:
+              - apiGroups:
+                - ""
+                resources:
+                - nodes/metrics
+                verbs:
+                - get
+              - apiGroups:
+                - ""
+                resources:
+                - pods
+                - nodes
+                verbs:
+                - get
+                - list
+                - watch
+              ---
+              apiVersion: rbac.authorization.k8s.io/v1
+              kind: RoleBinding
+              metadata:
+                labels:
+                  k8s-app: metrics-server
+                name: metrics-server-auth-reader
+                namespace: kube-system
+              roleRef:
+                apiGroup: rbac.authorization.k8s.io
+                kind: Role
+                name: extension-apiserver-authentication-reader
+              subjects:
+              - kind: ServiceAccount
+                name: metrics-server
+                namespace: kube-system
+              ---
+              apiVersion: rbac.authorization.k8s.io/v1
+              kind: ClusterRoleBinding
+              metadata:
+                labels:
+                  k8s-app: metrics-server
+                name: metrics-server:system:auth-delegator
+              roleRef:
+                apiGroup: rbac.authorization.k8s.io
+                kind: ClusterRole
+                name: system:auth-delegator
+              subjects:
+              - kind: ServiceAccount
+                name: metrics-server
+                namespace: kube-system
+              ---
+              apiVersion: rbac.authorization.k8s.io/v1
+              kind: ClusterRoleBinding
+              metadata:
+                labels:
+                  k8s-app: metrics-server
+                name: system:metrics-server
+              roleRef:
+                apiGroup: rbac.authorization.k8s.io
+                kind: ClusterRole
+                name: system:metrics-server
+              subjects:
+              - kind: ServiceAccount
+                name: metrics-server
+                namespace: kube-system
+              ---
+              apiVersion: v1
+              kind: Service
+              metadata:
+                labels:
+                  k8s-app: metrics-server
+                name: metrics-server
+                namespace: kube-system
+              spec:
+                ports:
+                - appProtocol: https
+                  name: https
+                  port: 443
+                  protocol: TCP
+                  targetPort: https
+                selector:
+                  k8s-app: metrics-server
+              ---
+              apiVersion: apps/v1
+              kind: Deployment
+              metadata:
+                labels:
+                  k8s-app: metrics-server
+                name: metrics-server
+                namespace: kube-system
+              spec:
+                selector:
+                  matchLabels:
+                    k8s-app: metrics-server
+                strategy:
+                  rollingUpdate:
+                    maxUnavailable: 0
+                template:
+                  metadata:
+                    labels:
+                      k8s-app: metrics-server
+                  spec:
+                    containers:
+                    - args:
+                      - --cert-dir=/tmp
+                      - --secure-port=10250
+                      - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
+                      - --kubelet-use-node-status-port
+                      - --metric-resolution=15s
+                      - --kubelet-insecure-tls
+                      image: registry.k8s.io/metrics-server/metrics-server:v0.8.0
+                      imagePullPolicy: IfNotPresent
+                      livenessProbe:
+                        failureThreshold: 3
+                        httpGet:
+                          path: /livez
+                          port: https
+                          scheme: HTTPS
+                        periodSeconds: 10
+                      name: metrics-server
+                      ports:
+                      - containerPort: 10250
+                        name: https
+                        protocol: TCP
+                      readinessProbe:
+                        failureThreshold: 3
+                        httpGet:
+                          path: /readyz
+                          port: https
+                          scheme: HTTPS
+                        initialDelaySeconds: 20
+                        periodSeconds: 10
+                      resources:
+                        requests:
+                          cpu: 100m
+                          memory: 200Mi
+                      securityContext:
+                        allowPrivilegeEscalation: false
+                        capabilities:
+                          drop:
+                          - ALL
+                        readOnlyRootFilesystem: true
+                        runAsNonRoot: true
+                        runAsUser: 1000
+                        seccompProfile:
+                          type: RuntimeDefault
+                      volumeMounts:
+                      - mountPath: /tmp
+                        name: tmp-dir
+                    nodeSelector:
+                      kubernetes.io/os: linux
+                    priorityClassName: system-cluster-critical
+                    serviceAccountName: metrics-server
+                    volumes:
+                    - emptyDir: {}
+                      name: tmp-dir
+              ---
+              apiVersion: apiregistration.k8s.io/v1
+              kind: APIService
+              metadata:
+                labels:
+                  k8s-app: metrics-server
+                name: v1beta1.metrics.k8s.io
+              spec:
+                group: metrics.k8s.io
+                groupPriorityMinimum: 100
+                insecureSkipTLSVerify: true
+                service:
+                  name: metrics-server
+                  namespace: kube-system
+                version: v1beta1
+                versionPriority: 100
+            name: metrics-server
+          - contents: |-
+              apiVersion: v1
+              kind: Service
+              metadata:
+                name: metrics-lb
+                namespace: kube-system
+                annotations:
+                  metallb.io/ip-allocated-from-pool: test-pool
+              spec:
+                type: LoadBalancer
+                ports:
+                - name: https
+                  port: 443
+                  protocol: TCP
+                  targetPort: https
+                selector:
+                  k8s-app: metrics-server
+            name: metrics-lb
+---
+kind: ControlPlane
+machines:
+  - 20b4c826-e699-43b3-826d-73eb5173680b
+  - 5fdea709-56ad-45f2-966d-5e344dbe4fdf
+  - 30303031-3030-3030-6335-303731636665
+---
+kind: Workers
+machines:
+  - 02c02200-f403-11ef-9372-70f446672600
+  - 03000200-0400-0500-0006-000700080009
+  - 1006b91a-ecbf-11ea-aed4-046ba1ee3700
+  - 5f0cd701-0784-4fcc-8e52-3b3304049972
+  - da507021-8912-4337-86a3-94a05bd1cf05
+---
+kind: Machine
+name: 02c02200-f403-11ef-9372-70f446672600
+patches:
+  - idOverride: 400-cm-02c02200-f403-11ef-9372-70f446672600
+    annotations:
+      name: ""
+    inline:
+      machine:
+        network:
+          hostname: weyma-talos-w02
+          interfaces:
+            - deviceSelector:
+                driver: igc
+                hardwareAddr: e8:ff:1e:d4:b8:89
+              dhcp: true
+              vlans:
+                - dhcp: false
+                  vlanId: 50
+            - deviceSelector:
+                hardwareAddr: e8:ff:1e:d4:b8:8a
+              dhcp: true
+              mtu: 9000
+            - bridge:
+                interfaces:
+                  - enp1s0.50
+              dhcp: false
+              interface: br0
+---
+kind: Machine
+name: 03000200-0400-0500-0006-000700080009
+patches:
+  - idOverride: 400-cm-03000200-0400-0500-0006-000700080009
+    annotations:
+      name: ""
+    inline:
+      machine:
+        network:
+          hostname: weyma-talos-testw01
+          interfaces:
+            - deviceSelector:
+                driver: igc
+                hardwareAddr: e8:ff:1e:d5:f8:22
+              dhcp: true
+              vlans:
+                - dhcp: false
+                  vlanId: 50
+            - deviceSelector:
+                hardwareAddr: e8:ff:1e:d5:f8:21
+              dhcp: true
+              mtu: 9000
+            - bridge:
+                interfaces:
+                  - enp2s0.50
+              dhcp: false
+              interface: br0
+---
+kind: Machine
+name: 1006b91a-ecbf-11ea-aed4-046ba1ee3700
+patches:
+  - idOverride: 400-cm-1006b91a-ecbf-11ea-aed4-046ba1ee3700
+    annotations:
+      name: ""
+    inline:
+      machine:
+        network:
+          hostname: weyma-talos-testw04
+          interfaces:
+            - deviceSelector:
+                driver: mlx4_core
+                hardwareAddr: f4:52:14:60:5e:30
+              dhcp: true
+              vlans:
+                - dhcp: false
+                  vlanId: 50
+            - deviceSelector:
+                hardwareAddr: f4:52:14:60:5e:31
+              dhcp: true
+              mtu: 9000
+            - bridge:
+                interfaces:
+                  - eno1.50
+              dhcp: false
+              interface: br0
+---
+kind: Machine
+name: 30303031-3030-3030-6335-303731636665
+patches:
+  - idOverride: 400-cm-30303031-3030-3030-6335-303731636665
+    inline:
+      machine:
+        network:
+          hostname: weyma-talos-cp04
+          interfaces:
+            - deviceSelector:
+                hardwareAddr: dc:a6:32:95:0f:cb
+              dhcp: true
+---
+kind: Machine
+name: 20b4c826-e699-43b3-826d-73eb5173680b
+patches:
+  - idOverride: 400-cm-20b4c826-e699-43b3-826d-73eb5173680b
+    annotations:
+      name: ""
+    inline:
+      machine:
+        network:
+          hostname: weyma-talos-cp02
+          interfaces:
+            - deviceSelector:
+                driver: virtio*
+                hardwareAddr: 00:16:3e:9c:01:27
+              dhcp: true
+---
+kind: Machine
+name: 5f0cd701-0784-4fcc-8e52-3b3304049972
+patches:
+  - idOverride: 400-cm-5f0cd701-0784-4fcc-8e52-3b3304049972
+    annotations:
+      name: ""
+    inline:
+      machine:
+        network:
+          hostname: weyma-talos-testw05
+          interfaces:
+            - deviceSelector:
+                hardwareAddr: 00:16:3e:b3:dd:f8
+              dhcp: true
+            - deviceSelector:
+                hardwareAddr: 00:16:3e:e5:79:0a
+              dhcp: true
+              mtu: 9000
+            - deviceSelector:
+                hardwareAddr: 00:16:3e:6b:1c:1d
+              dhcp: false
+            - bridge:
+                interfaces:
+                  - enx00163e6b1c1d
+              dhcp: false
+              interface: br0
+---
+kind: Machine
+systemExtensions:
+  - siderolabs/nut-client
+  - siderolabs/qemu-guest-agent
+name: 5fdea709-56ad-45f2-966d-5e344dbe4fdf
+patches:
+  - idOverride: 400-cm-5fdea709-56ad-45f2-966d-5e344dbe4fdf
+    annotations:
+      name: ""
+    inline:
+      machine:
+        network:
+          hostname: weyma-talos-cp01
+          interfaces:
+            - deviceSelector:
+                driver: virtio*
+                hardwareAddr: bc:24:11:e6:ff:7b
+              dhcp: true
+---
+kind: Machine
+name: da507021-8912-4337-86a3-94a05bd1cf05
+patches:
+  - idOverride: 400-cm-da507021-8912-4337-86a3-94a05bd1cf05
+    annotations:
+      name: ""
+    inline:
+      machine:
+        network:
+          hostname: weyma-talos-w03
+          interfaces:
+            - deviceSelector:
+                driver: virtio*
+                hardwareAddr: bc:24:11:be:6c:08
+              dhcp: true
+            - deviceSelector:
+                driver: virtio*
+                hardwareAddr: bc:24:11:f8:4a:92
+              dhcp: true
+              mtu: 8996
+            - deviceSelector:
+                driver: virtio*
+                hardwareAddr: bc:24:11:93:02:0e
+              dhcp: false
+            - bridge:
+                interfaces:
+                  - enxbc241193020e
+              dhcp: false
+              interface: br0

renovate.json

@@ -14,6 +14,12 @@
     }
   ],
   "packageRules": [
+    {
+      "description": "Automerge patch updates",
+      "matchUpdateTypes": ["patch"],
+      "matchCurrentVersion": "!/^0/",
+      "automerge": true
+    },
     {
       "description": "Rook Ceph - auto-update minor and patch versions only",
       "matchDatasources": ["docker"],

system-apps/argocd/Chart.yaml

@@ -24,5 +24,5 @@ appVersion: "1.0"
 
 dependencies:
 - name: argo-cd
-  version: 9.1.5
+  version: 9.3.4
   repository: https://argoproj.github.io/argo-helm

system-apps/argocd/values.yaml

@@ -56,18 +56,6 @@ argo-cd:
                Argo CD has not reported any applications data for the past 15 minutes which
                means that it must be down or not functioning properly.  This needs to be
                resolved for this cloud to continue to maintain state.
-         - alert: ArgoAppNotSynced
-           expr: |
-             argocd_app_info{sync_status!="Synced"} == 1
-           for: 12h
-           labels:
-             severity: warning
-           annotations:
-             summary: "[{{`{{$labels.name}}`}}] Application not synchronized"
-             description: >
-               The application [{{`{{$labels.name}}`}} has not been synchronized for over
-               12 hours which means that the state of this cloud has drifted away from the
-               state inside Git.
   server:
     ingress:
       enabled: true

system-apps/cert-manager/Chart.yaml

@@ -24,5 +24,5 @@ appVersion: "1.0"
 
 dependencies:
 - name: cert-manager
-  version: v1.19.1
+  version: v1.19.2
   repository: https://charts.jetstack.io

system-apps/external-secrets/chart/Chart.yaml

@@ -24,5 +24,5 @@ appVersion: "1.0"
 
 dependencies:
 - name: external-secrets
-  version: 1.1.0
+  version: 1.2.1
   repository: https://charts.external-secrets.io

system-apps/kite/Chart.yaml

@@ -0,0 +1,28 @@
+apiVersion: v2
+name: kite
+description: A Helm chart for Kubernetes
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+appVersion: "1.0"
+
+dependencies:
+- name: kite
+  version: 0.7.7
+  repository: https://zxh326.github.io/kite

system-apps/kite/templates/secrets.yaml

@@ -0,0 +1,30 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: kite-secret
+  namespace: {{ .Release.Namespace }}
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    name: weyma-vault
+    kind: ClusterSecretStore
+  target:
+    name: kite-secret
+    creationPolicy: Owner
+  data:
+  - secretKey: JWT_SECRET
+    remoteRef:
+      key: kite
+      property: JWT_SECRET
+  - secretKey: KITE_ENCRYPT_KEY
+    remoteRef:
+      key: kite
+      property: KITE_ENCRYPT_KEY
+  - secretKey: KITE_PASSWORD
+    remoteRef:
+      key: kite
+      property: KITE_PASSWORD
+  - secretKey: KITE_USERNAME
+    remoteRef:
+      key: kite
+      property: KITE_USERNAME

system-apps/kite/values.yaml

@@ -0,0 +1,20 @@
+kite:
+  host: "https://weyma-kite.infra.dubyatp.xyz"
+  secret:
+    create: false
+    existingSecret: kite-secret
+  db:
+    sqlite:
+      persistence:
+        pvc:
+          enabled: true
+  ingress:
+    enabled: true
+    className: "traefik"
+    hosts:
+      - host: weyma-kite.infra.dubyatp.xyz
+        paths:
+          - path: /
+            pathType: ImplementationSpecific
+  podAnnotations:
+    backup.velero.io/backup-volumes: kite-storage

system-apps/metallb/Chart.yaml

@@ -24,5 +24,5 @@ appVersion: "1.0"
 
 dependencies:
 - name: metallb
-  version: 0.15.2
+  version: 0.15.3
   repository: https://metallb.github.io/metallb

system-apps/monitoring/Chart.yaml

@@ -24,5 +24,5 @@ appVersion: "1.0"
 
 dependencies:
 - name: kube-prometheus-stack
-  version: 79.11.0
+  version: 80.14.4
   repository: https://prometheus-community.github.io/helm-charts

system-apps/monitoring/templates/discord.yaml

@@ -9,6 +9,7 @@ metadata:
     app.kubernetes.io/name: alertmanager-discord
     app.kubernetes.io/instance: {{ .Release.Name }}
 spec:
+  replicas: 1
   selector:
     matchLabels:
       app: alertmanager-discord

system-apps/rook-ceph/operator/Chart.yaml

@@ -24,5 +24,5 @@ appVersion: "1.0"
 
 dependencies:
 - name: rook-ceph
-  version: v1.18.7
+  version: v1.18.9
   repository: https://charts.rook.io/release

system-apps/rook-ceph/operator/templates/rules.yaml

@@ -497,61 +497,6 @@ spec:
             oid: "1.3.6.1.4.1.50495.1.2.1.8.1"
             severity: "critical"
             type: "ceph_default"
-        - alert: "CephNodeNetworkPacketDrops"
-          annotations:
-            description: "Node {{ "{{" }} $labels.instance {{ "}}" }} experiences packet drop > 0.5% or > 10 packets/s on interface {{ "{{" }} $labels.device {{ "}}" }}."
-            summary: "One or more NICs reports packet drops"
-          expr: |
-            (
-              rate(node_network_receive_drop_total{device!="lo"}[1m]) +
-              rate(node_network_transmit_drop_total{device!="lo"}[1m])
-            ) / (
-              rate(node_network_receive_packets_total{device!="lo"}[1m]) +
-              rate(node_network_transmit_packets_total{device!="lo"}[1m])
-            ) >= 0.0050000000000000001 and (
-              rate(node_network_receive_drop_total{device!="lo"}[1m]) +
-              rate(node_network_transmit_drop_total{device!="lo"}[1m])
-            ) >= 10
-          labels:
-            oid: "1.3.6.1.4.1.50495.1.2.1.8.2"
-            severity: "warning"
-            type: "ceph_default"
-        - alert: "CephNodeNetworkPacketErrors"
-          annotations:
-            description: "Node {{ "{{" }} $labels.instance {{ "}}" }} experiences packet errors > 0.01% or > 10 packets/s on interface {{ "{{" }} $labels.device {{ "}}" }}."
-            summary: "One or more NICs reports packet errors"
-          expr: |
-            (
-              rate(node_network_receive_errs_total{device!="lo"}[1m]) +
-              rate(node_network_transmit_errs_total{device!="lo"}[1m])
-            ) / (
-              rate(node_network_receive_packets_total{device!="lo"}[1m]) +
-              rate(node_network_transmit_packets_total{device!="lo"}[1m])
-            ) >= 0.0001 or (
-              rate(node_network_receive_errs_total{device!="lo"}[1m]) +
-              rate(node_network_transmit_errs_total{device!="lo"}[1m])
-            ) >= 10
-          labels:
-            oid: "1.3.6.1.4.1.50495.1.2.1.8.3"
-            severity: "warning"
-            type: "ceph_default"
-        - alert: "CephNodeNetworkBondDegraded"
-          annotations:
-            description: "Bond {{ "{{" }} $labels.master {{ "}}" }} is degraded on Node {{ "{{" }} $labels.instance {{ "}}" }}."
-            summary: "Degraded Bond on Node {{ "{{" }} $labels.instance {{ "}}" }}"
-          expr: |
-            node_bonding_slaves - node_bonding_active != 0
-          labels:
-            severity: "warning"
-            type: "ceph_default"
-        - alert: "CephNodeInconsistentMTU"
-          annotations:
-            description: "Node {{ "{{" }} $labels.instance {{ "}}" }} has a different MTU size ({{ "{{" }} $value {{ "}}" }}) than the median of devices named {{ "{{" }} $labels.device {{ "}}" }}."
-            summary: "MTU settings across Ceph hosts are inconsistent"
-          expr: "node_network_mtu_bytes * (node_network_up{device!=\"lo\"} > 0) ==  scalar(    max by (device) (node_network_mtu_bytes * (node_network_up{device!=\"lo\"} > 0)) !=      quantile by (device) (.5, node_network_mtu_bytes * (node_network_up{device!=\"lo\"} > 0))  )or node_network_mtu_bytes * (node_network_up{device!=\"lo\"} > 0) ==  scalar(    min by (device) (node_network_mtu_bytes * (node_network_up{device!=\"lo\"} > 0)) !=      quantile by (device) (.5, node_network_mtu_bytes * (node_network_up{device!=\"lo\"} > 0))  )"
-          labels:
-            severity: "warning"
-            type: "ceph_default"
     - name: "pools"
       rules:
         - alert: "CephPoolGrowthWarning"

system-apps/traefik/Chart.yaml

@@ -24,5 +24,5 @@ appVersion: "1.0"
 
 dependencies:
 - name: traefik
-  version: 37.4.0
+  version: 38.0.2
   repository: https://traefik.github.io/charts

system-apps/traefik/values.yaml

@@ -81,6 +81,19 @@ traefik:
                 traefik-real-ip:
                   excludednets:
                     - "1.1.1.1/24"
+          routers:
+            dispatcharr:
+              entryPoints:
+              - websecure
+              service: dispatcharr
+              tls:
+                options: default
+              rule: 'Host(`dispatcharr.dubyatp.xyz`) && PathPrefix(`/`)'
+          services:
+            dispatcharr:
+              loadBalancer:
+                servers:
+                - url: http://10.105.15.20:9191
   service:
     spec:
       externalTrafficPolicy: Local

system-apps/velero/Chart.yaml

@@ -24,5 +24,5 @@ appVersion: "1.0"
 
 dependencies:
 - name: velero
-  version: 11.2.0
+  version: 11.3.2
   repository: https://vmware-tanzu.github.io/helm-charts

system-apps/velero/values.yaml

@@ -59,7 +59,7 @@ velero:
         insecureSkipTLSVerify: "true"
   initContainers:
   - name: velero-plugin-for-aws
-    image: velero/velero-plugin-for-aws:v1.13.1
+    image: velero/velero-plugin-for-aws:v1.13.2
     imagePullPolicy: IfNotPresent
     volumeMounts:
       - mountPath: /target