Update docker.io/swaggerapi/swagger-ui Docker tag to v5.29.0

delete crossplane
update vaultwarden
2025-09-10 09:21:08 +00:00 · 2025-09-01 16:09:18 -05:00 · 2025-09-01 08:31:32 -05:00 · 2025-08-09 12:35:04 +00:00 · 2025-07-23 19:57:42 -05:00 · 2025-07-23 19:51:54 -05:00
116 changed files with 744 additions and 354 deletions
--- a/ansible/roles/base/files/authorized_keys_user
+++ b/ansible/roles/base/files/authorized_keys_user
@@ -1 +1,2 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGhPVgL8gXdRTw0E2FvlOUoUI4vd794nB0nZVIsc+U5M
+sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIGilcndatMrXg06VxtNKuIo3scoyyXbYX8Z7cOjeA102AAAABHNzaDo= desktop-arch-09-08-2025-yubikey
+sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAINsbNSZ5Wr+50Ahz+IeZxt6F7gZ6wm1J8uKXQLbdbKFaAAAABHNzaDo= desktop-arch-09-08-2025-yubikeyNano
--- a/dev/cert-manager/Chart.yaml
+++ b/dev/cert-manager/Chart.yaml
@@ -8,4 +8,4 @@ appVersion: 0.0.1
 dependencies:
 - name: cert-manager
  repository: https://charts.jetstack.io
-  version: v1.16.3
+  version: v1.17.2
--- a/dev/cert-manager/templates/secretvault.yaml
+++ b/dev/cert-manager/templates/secretvault.yaml
@@ -1,4 +1,4 @@
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: cloudflare-api-token-secret
--- a/dev/external-dns/Chart.yaml
+++ b/dev/external-dns/Chart.yaml
@@ -9,4 +9,4 @@ appVersion: 0.0.1
 dependencies:
 - name: external-dns
  repository: https://charts.bitnami.com/bitnami
-  version: 8.3.8
+  version: 8.9.2
--- a/dev/external-dns/templates/secrets.yaml
+++ b/dev/external-dns/templates/secrets.yaml
@@ -1,4 +1,4 @@
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: external-dns-secret
--- a/dev/external-secrets/Chart.yaml
+++ b/dev/external-secrets/Chart.yaml
@@ -8,4 +8,4 @@ appVersion: 0.0.1
 dependencies:
 - name: external-secrets
  repository: https://charts.external-secrets.io
-  version: 0.13.0
+  version: 0.17.0
--- a/dev/metallb-system/Chart.yaml
+++ b/dev/metallb-system/Chart.yaml
@@ -9,4 +9,4 @@ appVersion: "1.16.0"
 dependencies:
 - name: metallb
  repository: https://metallb.github.io/metallb
-  version: 0.14.9
+  version: 0.15.2
--- a/dev/terraform/main.tf
+++ b/dev/terraform/main.tf
@@ -3,7 +3,7 @@ terraform {
  required_providers {
    proxmox = {
      source  = "Telmate/proxmox"
-      version = "3.0.1-rc6"
+      version = "3.0.1-rc9"
    }
  }
 }
--- a/dev/traefik/Chart.yaml
+++ b/dev/traefik/Chart.yaml
@@ -8,4 +8,4 @@ appVersion: 0.0.1
 dependencies:
 - name: traefik
  repository: https://traefik.github.io/charts
-  version: 34.0.0
+  version: 34.5.0
--- a/dev/vault/Chart.yaml
+++ b/dev/vault/Chart.yaml
@@ -8,5 +8,5 @@ appVersion: 0.0.1
 dependencies:
 - name: vault
  repository: https://helm.releases.hashicorp.com  
-  version: 0.29.1
+  version: 0.30.0

--- a/dev/vault/templates/secret-store.yaml
+++ b/dev/vault/templates/secret-store.yaml
@@ -1,4 +1,4 @@
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ClusterSecretStore
 metadata:
  name: vault
--- a/dmz/authentik/templates/ingress.yaml
+++ b/dmz/authentik/templates/ingress.yaml
@@ -0,0 +1,62 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: authentik-tls
+spec:
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  secretName: authentik-tls
+  commonName: "authentik.durp.info"
+  dnsNames:
+    - "authentik.durp.info"
+
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: authentik-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`authentik.durp.info`) && PathPrefix(`/`)
+      kind: Rule
+      services:
+        - name: infra-cluster
+          port: 443
+  tls:
+    secretName: authentik-tls
+
+---
+kind: Service
+apiVersion: v1
+metadata:
+  name: authentik-external-dns
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: authentik.durp.info
+spec:
+  type: ExternalName
+  externalName: durp.info
+
+---
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: infra-cluster
+subsets:
+  - addresses:
+      - ip: 192.168.12.130
+    ports:
+      - port: 443
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: infra-cluster
+spec:
+  ports:
+    - protocol: TCP
+      port: 443
+      targetPort: 443
--- a/dmz/cert-manager/Chart.yaml
+++ b/dmz/cert-manager/Chart.yaml
@@ -8,4 +8,4 @@ appVersion: 0.0.1
 dependencies:
 - name: cert-manager
  repository: https://charts.jetstack.io
-  version: v1.16.3
+  version: v1.17.2
--- a/dmz/cert-manager/templates/secretvault.yaml
+++ b/dmz/cert-manager/templates/secretvault.yaml
@@ -1,4 +1,4 @@
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: cloudflare-api-token-secret
--- a/dmz/crowdsec/Chart.yaml
+++ b/dmz/crowdsec/Chart.yaml
@@ -0,0 +1,11 @@
+apiVersion: v2
+name: crowdsec
+description: A Helm chart for Kubernetes
+type: application
+version: 0.0.1
+appVersion: 0.0.1
+
+dependencies:
+  - name: crowdsec
+    repository: https://crowdsecurity.github.io/helm-charts
+    version: 0.19.4
--- a/dmz/crowdsec/templates/secrets.yaml
+++ b/dmz/crowdsec/templates/secrets.yaml
@@ -0,0 +1,29 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: enroll-key
+spec:
+  secretStoreRef:
+    name: vault
+    kind: ClusterSecretStore
+  target:
+    name: enroll-key
+  data:
+    - secretKey: ENROLL_INSTANCE_NAME
+      remoteRef:
+        key: kv/crowdsec/dmz-enroll
+        property: ENROLL_INSTANCE_NAME
+    - secretKey: ENROLL_KEY
+      remoteRef:
+        key: kv/crowdsec/dmz-enroll
+        property: ENROLL_KEY
+    - secretKey: ENROLL_TAGS
+      remoteRef:
+        key: kv/crowdsec/dmz-enroll
+        property: ENROLL_TAGS
+
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vault
--- a/dmz/crowdsec/values.yaml
+++ b/dmz/crowdsec/values.yaml
@@ -0,0 +1,24 @@
+crowdsec:
+  #
+  image:
+    repository: registry.durp.info/crowdsecurity/crowdsec
+    pullPolicy: Always
+
+  # for raw logs format: json or cri (docker|containerd)
+  container_runtime: containerd
+  agent:
+    # Specify each pod whose logs you want to process
+    acquisition:
+      # The namespace where the pod is located
+      - namespace: traefik
+        # The pod name
+        podName: traefik-*
+        # as in crowdsec configuration, we need to specify the program name to find a matching parser
+        program: traefik
+    env:
+      - name: COLLECTIONS
+        value: "crowdsecurity/traefik"
+  lapi:
+    envFrom:
+      - secretRef:
+          name: enroll-key
--- a/dmz/external-dns/Chart.yaml
+++ b/dmz/external-dns/Chart.yaml
@@ -9,4 +9,4 @@ appVersion: 0.0.1
 dependencies:
 - name: external-dns
  repository: https://charts.bitnami.com/bitnami
-  version: 8.3.8
+  version: 8.9.2
--- a/dmz/external-dns/templates/secrets.yaml
+++ b/dmz/external-dns/templates/secrets.yaml
@@ -1,4 +1,4 @@
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: external-dns-secret
--- a/dmz/external-dns/values.yaml
+++ b/dmz/external-dns/values.yaml
@@ -1,6 +1,8 @@
 external-dns:
  global:
    imageRegistry: "registry.durp.info"
+    security:
+      allowInsecureImages: true

  image:
    pullPolicy: Always
@@ -9,10 +11,10 @@ external-dns:

  sources:
    - service
-    
+
  provider: cloudflare
  cloudflare:
-    secretName : "external-dns"
+    secretName: "external-dns"
    proxied: false

  policy: sync
--- a/dmz/external-secrets/Chart.yaml
+++ b/dmz/external-secrets/Chart.yaml
@@ -6,6 +6,6 @@ version: 0.0.1
 appVersion: 0.0.1

 dependencies:
- name: external-secrets
-  repository: https://charts.external-secrets.io
-  version: 0.15.0
+  - name: external-secrets
+    repository: https://charts.external-secrets.io
+    version: 0.17.0
--- a/dmz/external-secrets/values.yaml
+++ b/dmz/external-secrets/values.yaml
@@ -1,7 +1,13 @@
 external-secrets:
-  replicaCount: 3
+  global:
+    security:
+      allowInsecureImages: true
+
+  log:
+    level: debug
+  replicaCount: 1
  revisionHistoryLimit: 1
-  leaderElect: true
+  leaderElect: false

  installCRDs: true
  crds:
@@ -16,24 +22,24 @@ external-secrets:
    repository: registry.durp.info/external-secrets/external-secrets
    pullPolicy: Always

-  extraVolumes: 
+  extraVolumes:
    - name: ca-pemstore
      configMap:
        name: ca-pemstore

-  extraVolumeMounts: 
+  extraVolumeMounts:
    - name: ca-pemstore
      mountPath: /etc/ssl/certs/vault.pem
      subPath: vault.pem
      readOnly: true

-  resources: 
-    requests:
-      memory: 32Mi
-      cpu: 10m
-    limits:
-      memory: 32Mi
-      cpu: 10m
+  #  resources:
+  #    requests:
+  #      memory: 32Mi
+  #      cpu: 10m
+  #    limits:
+  #      memory: 32Mi
+  #      cpu: 10m

  webhook:
    create: false
@@ -44,24 +50,24 @@ external-secrets:
      repository: registry.durp.info/external-secrets/external-secrets
      pullPolicy: Always

-    extraVolumes: 
+    extraVolumes:
      - name: ca-pemstore
        configMap:
          name: ca-pemstore

-    extraVolumeMounts: 
+    extraVolumeMounts:
      - name: ca-pemstore
        mountPath: /etc/ssl/certs/vault.pem
        subPath: vault.pem
        readOnly: true

-    resources: 
-      requests:
-        memory: 32Mi
-        cpu: 10m
-      limits:
-        memory: 32Mi
-        cpu: 10m
+  #    resources:
+  #      requests:
+  #        memory: 32Mi
+  #        cpu: 10m
+  #      limits:
+  #        memory: 32Mi
+  #        cpu: 10m

  certController:
    create: false
@@ -74,7 +80,7 @@ external-secrets:
      pullPolicy: Always
      tag: ""

-    resources: 
+    resources:
      requests:
        memory: 32Mi
        cpu: 10m
@@ -82,12 +88,12 @@ external-secrets:
        memory: 32Mi
        cpu: 10m

-    extraVolumes: 
+    extraVolumes:
      - name: ca-pemstore
        configMap:
          name: ca-pemstore

-    extraVolumeMounts: 
+    extraVolumeMounts:
      - name: ca-pemstore
        mountPath: /etc/ssl/certs/vault.pem
        subPath: vault.pem
--- a/dmz/gitlab-runner/Chart.yaml
+++ b/dmz/gitlab-runner/Chart.yaml
@@ -8,8 +8,8 @@ appVersion: 0.0.1
 dependencies:
 - name: gitlab-runner
  repository: https://charts.gitlab.io/
-  version: 0.69.0
+  version: 0.77.2
 - name: gitlab-runner
  repository: https://charts.gitlab.io/
-  version: 0.69.0
+  version: 0.77.2
  alias: personal
--- a/dmz/gitlab-runner/templates/secrets.yaml
+++ b/dmz/gitlab-runner/templates/secrets.yaml
@@ -1,4 +1,4 @@
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: gitlab-secret
@@ -27,7 +27,7 @@ metadata:

 ---

-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: gitlab-secret-personal
--- a/dmz/internalproxy/templates/authentik.yaml
+++ b/dmz/internalproxy/templates/authentik.yaml
@@ -1,42 +1,40 @@
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: authentik-ingress
-spec:
-  entryPoints:
-    - websecure
-  routes:
-  - match: Host(`authentik.durp.info`) && PathPrefix(`/`) 
-    kind: Rule
-    services:
-    - name: infra-cluster
-      port: 443
-  tls:
-    secretName: authentik-tls
-
---
-
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: authentik-tls
-spec:
-  issuerRef:
-    name: letsencrypt-production
-    kind: ClusterIssuer
-  secretName: authentik-tls
-  commonName: "authentik.durp.info"
-  dnsNames:
-  - "authentik.durp.info"
-
---
-
-kind: Service
-apiVersion: v1
-metadata:
-  name: authentik-external-dns
-  annotations:
-    external-dns.alpha.kubernetes.io/hostname: authentik.durp.info
-spec:
-  type: ExternalName
-  externalName: durp.info
+#apiVersion: traefik.io/v1alpha1
+#kind: IngressRoute
+#metadata:
+#  name: authentik-ingress
+#spec:
+#  entryPoints:
+#    - websecure
+#  routes:
+#    - match: Host(`authentik.durp.info`) && PathPrefix(`/`)
+#      kind: Rule
+#      services:
+#        - name: infra-cluster
+#          port: 443
+#  tls:
+#    secretName: authentik-tls
+#
+#---
+#apiVersion: cert-manager.io/v1
+#kind: Certificate
+#metadata:
+#  name: authentik-tls
+#spec:
+#  issuerRef:
+#    name: letsencrypt-production
+#    kind: ClusterIssuer
+#  secretName: authentik-tls
+#  commonName: "authentik.durp.info"
+#  dnsNames:
+#    - "authentik.durp.info"
+#
+#---
+#kind: Service
+#apiVersion: v1
+#metadata:
+#  name: authentik-external-dns
+#  annotations:
+#    external-dns.alpha.kubernetes.io/hostname: authentik.durp.info
+#spec:
+#  type: ExternalName
+#  externalName: durp.info
--- a/dmz/internalproxy/templates/n8n.yaml
+++ b/dmz/internalproxy/templates/n8n.yaml
@@ -0,0 +1,72 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: n8n
+spec:
+  ports:
+    - name: app
+      port: 5678
+      protocol: TCP
+      targetPort: 5678
+  clusterIP: None
+  type: ClusterIP
+
+---
+
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: n8n
+subsets:
+  - addresses:
+      - ip: 192.168.20.104
+    ports:
+      - name: app
+        port: 5678
+        protocol: TCP
+
+---
+
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: n8n-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`n8n.durp.info`) && PathPrefix(`/`)
+      kind: Rule
+      services:
+        - name: n8n
+          port: 5678
+          scheme: http
+  tls:
+    secretName: n8n-tls
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: n8n-tls
+spec:
+  secretName: n8n-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: "n8n.durp.info"
+  dnsNames:
+    - "n8n.durp.info"
+
+---
+
+kind: Service
+apiVersion: v1
+metadata:
+  name: n8n-dns
+  annotations:
+    dns.alpha.kubernetes.io/hostname: n8n.durp.info
+spec:
+  type: ExternalName
+  externalName: durp.info
--- a/dmz/internalproxy/templates/octopus.yaml
+++ b/dmz/internalproxy/templates/octopus.yaml
@@ -15,7 +15,6 @@ spec:
    secretName: octopus-tls

 ---
-
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
@@ -30,7 +29,6 @@ spec:
    - "octopus.durp.info"

 ---
-
 kind: Service
 apiVersion: v1
 metadata:
--- a/dmz/internalproxy/templates/ollama.yaml
+++ b/dmz/internalproxy/templates/ollama.yaml
@@ -1,4 +1,4 @@
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: ollama-secret
--- a/dmz/internalproxy/templates/registry.yaml
+++ b/dmz/internalproxy/templates/registry.yaml
@@ -4,29 +4,27 @@ metadata:
  name: registry
 spec:
  ports:
-  - name: app
-    port: 5000
-    protocol: TCP
-    targetPort: 5000
+    - name: app
+      port: 5000
+      protocol: TCP
+      targetPort: 5000
  clusterIP: None
  type: ClusterIP

 ---
-
 apiVersion: v1
 kind: Endpoints
 metadata:
  name: registry
 subsets:
- addresses:
-  - ip: 192.168.21.200
-  ports:
-  - name: app
-    port: 5000
-    protocol: TCP
-
---    
+  - addresses:
+      - ip: 192.168.21.200
+    ports:
+      - name: app
+        port: 5000
+        protocol: TCP

+---
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
@@ -35,16 +33,18 @@ spec:
  entryPoints:
    - websecure
  routes:
-  - match: Host(`registry.durp.info`) && PathPrefix(`/`)
-    kind: Rule
-    services:
-    - name: registry
-      port: 5000
+    - match: Host(`registry.durp.info`) && PathPrefix(`/`)
+      kind: Rule
+      middlewares:
+        - name: whitelist
+          namespace: traefik
+      services:
+        - name: registry
+          port: 5000
  tls:
    secretName: registry-tls

 ---
-
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
@@ -56,16 +56,15 @@ spec:
    kind: ClusterIssuer
  commonName: "registry.durp.info"
  dnsNames:
-  - "registry.durp.info"  
+    - "registry.durp.info"

 ---
-
-kind: Service
-apiVersion: v1
-metadata:
-  name: registry-external-dns
-  annotations:
-    external-dns.alpha.kubernetes.io/hostname: registry.durp.info
-spec:
-  type: ExternalName
-  externalName: durp.info
+#kind: Service
+#apiVersion: v1
+#metadata:
+#  name: registry-external-dns
+#  annotations:
+#    external-dns.alpha.kubernetes.io/hostname: registry.durp.info
+#spec:
+#  type: ExternalName
+#  externalName: durp.info
--- a/dmz/istio-system/Chart.yaml
+++ b/dmz/istio-system/Chart.yaml
@@ -8,10 +8,10 @@ appVersion: 0.0.1
 dependencies:
  - name: base
    repository: https://istio-release.storage.googleapis.com/charts
-    version: 1.25.1
+    version: 1.26.2
  - name: istiod
    repository: https://istio-release.storage.googleapis.com/charts
-    version: 1.25.1
+    version: 1.26.2
  - name: gateway
    repository: https://istio-release.storage.googleapis.com/charts
-    version: 1.25.1
+    version: 1.26.2
--- a/dmz/longhorn/Chart.yaml
+++ b/dmz/longhorn/Chart.yaml
@@ -9,4 +9,4 @@ appVersion: "1.16.0"
 dependencies:
 - name: longhorn
  repository: https://charts.longhorn.io
-  version: 1.7.2
+  version: 1.9.0
--- a/dmz/longhorn/templates/secrets.yaml
+++ b/dmz/longhorn/templates/secrets.yaml
@@ -5,7 +5,7 @@ metadata:

 ---

-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: external-longhorn-backup-token-secret
--- a/dmz/metallb-system/Chart.yaml
+++ b/dmz/metallb-system/Chart.yaml
@@ -9,4 +9,4 @@ appVersion: "1.16.0"
 dependencies:
 - name: metallb
  repository: https://metallb.github.io/metallb
-  version: 0.14.9
+  version: 0.15.2
--- a/dmz/redlib/templates/ingress.yaml
+++ b/dmz/redlib/templates/ingress.yaml
@@ -6,19 +6,18 @@ spec:
  entryPoints:
    - websecure
  routes:
-  - match: Host(`redlib.durp.info`) && PathPrefix(`/`)
-    kind: Rule
-    middlewares:
-    - name: authentik-proxy-provider
-      namespace: traefik  
-    services:
-    - name: redlib
-      port: 8080
+    - match: Host(`redlib.durp.info`) && PathPrefix(`/`)
+      kind: Rule
+      middlewares:
+        - name: authentik-proxy-provider
+          namespace: traefik
+      services:
+        - name: redlib
+          port: 8080
  tls:
    secretName: redlib-tls

 ---
-
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
@@ -30,10 +29,9 @@ spec:
    kind: ClusterIssuer
  commonName: "redlib.durp.info"
  dnsNames:
-  - "redlib.durp.info"  
+    - "redlib.durp.info"

 ---
-
 kind: Service
 apiVersion: v1
 metadata:
--- a/dmz/terraform/main.tf
+++ b/dmz/terraform/main.tf
@@ -3,7 +3,7 @@ terraform {
  required_providers {
    proxmox = {
      source  = "Telmate/proxmox"
-      version = "3.0.1-rc6"
+      version = "3.0.1-rc9"
    }
  }
 }
--- a/dmz/traefik/Chart.yaml
+++ b/dmz/traefik/Chart.yaml
@@ -8,4 +8,4 @@ appVersion: 0.0.1
 dependencies:
 - name: traefik
  repository: https://traefik.github.io/charts
-  version: 34.0.0
+  version: 34.5.0
--- a/dmz/traefik/templates/middleware.yaml
+++ b/dmz/traefik/templates/middleware.yaml
@@ -1,11 +1,11 @@
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
-    name: authentik-proxy-provider
-    namespace: traefik
+  name: authentik-proxy-provider
+  namespace: traefik
 spec:
  forwardAuth:
-    address: http://ak-outpost-dmz-embedded-outpost.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik?rd=$scheme://$http_host$request_uri
+    address: http://ak-outpost-authentik-dmz-outpost.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik?rd=$scheme://$http_host$request_uri
    trustForwardHeader: true
    authResponseHeaders:
      - X-authentik-username
@@ -21,7 +21,6 @@ spec:
      - X-authentik-meta-version

 ---
-
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
@@ -33,3 +32,23 @@ spec:
      - 192.168.0.0/16
      - 172.16.0.0/12
      - 10.0.0.0/8
+
+---
+#apiVersion: traefik.io/v1alpha1
+#kind: Middleware
+#metadata:
+#  name: bouncer
+#  namespace: traefik
+#spec:
+#  plugin:
+#    bouncer:
+#      enabled: true
+#      crowdsecMode: stream
+#      crowdsecLapiScheme: https
+#      crowdsecLapiTLSInsecureVerify: true
+#      crowdsecLapiHost: crowdsec-service.crowdsec:8080
+#      crowdsecLapiKey:
+#        valueFrom:
+#          secretKeyRef:
+#            name: crowdsec-lapi-key
+#            key: lapi-key
--- a/dmz/traefik/templates/secrets.yaml
+++ b/dmz/traefik/templates/secrets.yaml
@@ -0,0 +1,21 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: crowdsec-lapi-key
+spec:
+  secretStoreRef:
+    name: vault
+    kind: ClusterSecretStore
+  target:
+    name: crowdsec-lapi-key
+  data:
+    - secretKey: lapi-key
+      remoteRef:
+        key: kv/crowdsec/api
+        property: key
+
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vault
--- a/dmz/traefik/templates/traefik-dashboard.yaml
+++ b/dmz/traefik/templates/traefik-dashboard.yaml
@@ -1,34 +1,35 @@
-#apiVersion: traefik.io/v1alpha1
-#kind: IngressRoute
-#metadata:
-#  name: traefik-ingress
-#spec:
-#  entryPoints:
-#    - websecure
-#  routes:
-#  - match: Host(`traefik.durp.info`)
-#    kind: Rule
-#    services:
-#    - name: api@internal
-#      kind: TraefikService
-#  tls:
-#    secretName: traefik-tls  
-#
-#---
-#
-#apiVersion: cert-manager.io/v1
-#kind: Certificate
-#metadata:
-#  name: traefik-tls
-#  namespace: traefik
-#spec:
-#  secretName: traefik-tls
-#  issuerRef:
-#    name: letsencrypt-production
-#    kind: ClusterIssuer
-#  commonName: "traefik.durp.info"
-#  dnsNames:
-#  - "traefik.durp.info"
-#
-#---
-#
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: traefik-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`traefik.dmz.durp.info`)
+      kind: Rule
+      middlewares:
+        - name: whitelist
+          namespace: traefik
+        - name: authentik-proxy-provider
+          namespace: traefik
+      services:
+        - name: api@internal
+          kind: TraefikService
+  tls:
+    secretName: traefik-tls
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: traefik-tls
+  namespace: traefik
+spec:
+  secretName: traefik-tls
+  issuerRef:
+    name: vault-issuer
+    kind: ClusterIssuer
+  commonName: "traefik.dmz.durp.info"
+  dnsNames:
+    - "traefik.dmz.durp.info"
--- a/dmz/traefik/values.yaml
+++ b/dmz/traefik/values.yaml
@@ -1,10 +1,10 @@
 traefik:
-  image: 
+  image:
    #    registry: registry.durp.info
    #    repository: traefik
    pullPolicy: Always
-  
-  providers:  
+
+  providers:
    kubernetesCRD:
      allowCrossNamespace: true
      allowExternalNameServices: true
@@ -18,40 +18,41 @@ traefik:
  #   - name: traefik-configmap
  #     mountPath: "/config"
  #     type: configMap
-  
+
  ingressRoute:
    dashboard:
      enabled: true
-  
-  additionalArguments: 
+
+  additionalArguments:
    #  - "--providers.file.filename=/config/config.yml"
    - "--serversTransport.insecureSkipVerify=true"
    - "--log.level=DEBUG"
    - --experimental.plugins.jwt.moduleName=github.com/traefik-plugins/traefik-jwt-plugin
    - --experimental.plugins.jwt.version=v0.7.0
-  
+    - --experimental.plugins.bouncer.moduleName=github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin
+    - --experimental.plugins.bouncer.version=v1.4.2
+
  autoscaling:
    enabled: true
    minReplicas: 3
    maxReplicas: 10
    metrics:
-    - type: Resource
-      resource:
-        name: cpu
-        target:
-          type: Utilization
-          averageUtilization: 80
+      - type: Resource
+        resource:
+          name: cpu
+          target:
+            type: Utilization
+            averageUtilization: 80
    behavior:
      scaleDown:
        stabilizationWindowSeconds: 300
        policies:
-        - type: Pods
-          value: 1
-          periodSeconds: 60
-  
-  
+          - type: Pods
+            value: 1
+            periodSeconds: 60
+
  # -- [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for `traefik` container.
-  resources: 
+  resources:
    requests:
      cpu: "100m"
      memory: "512Mi"
--- a/dmz/vault/Chart.yaml
+++ b/dmz/vault/Chart.yaml
@@ -8,5 +8,5 @@ appVersion: 0.0.1
 dependencies:
 - name: vault
  repository: https://helm.releases.hashicorp.com  
-  version: 0.29.1
+  version: 0.30.0

--- a/dmz/vault/templates/secret-store.yaml
+++ b/dmz/vault/templates/secret-store.yaml
@@ -1,4 +1,4 @@
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ClusterSecretStore
 metadata:
  name: vault
--- a/infra/argocd/Chart.yaml
+++ b/infra/argocd/Chart.yaml
@@ -9,4 +9,4 @@ appVersion: "1.16.0"
 dependencies:
 - name: argo-cd
  repository: https://argoproj.github.io/argo-helm
-  version: 6.11.1
+  version: 8.1.3
--- a/infra/argocd/templates/argocd-crossplane.yaml
+++ b/infra/argocd/templates/argocd-crossplane.yaml
@@ -0,0 +1,101 @@
+#apiVersion: external-secrets.io/v1
+#kind: ExternalSecret
+#metadata:
+#  name: argocd-secret-crossplane
+#spec:
+#  secretStoreRef:
+#    name: vault
+#    kind: ClusterSecretStore
+#  target:
+#    name: argocd-secret-crossplane
+#  data:
+#    - secretKey: authToken
+#      remoteRef:
+#        key: kv/argocd/provider-argocd
+#        property: token
+#
+#---
+#apiVersion: external-secrets.io/v1
+#kind: ExternalSecret
+#metadata:
+#  name: prod-kubeconfig
+#spec:
+#  secretStoreRef:
+#    name: vault
+#    kind: ClusterSecretStore
+#  target:
+#    name: prod-kubeconfig
+#  data:
+#    - secretKey: kubeconfig
+#      remoteRef:
+#        key: kv/argocd/prd
+#        property: kubeconfig
+#
+#---
+#apiVersion: argocd.crossplane.io/v1alpha1
+#kind: ProviderConfig
+#metadata:
+#  name: argocd-provider
+#spec:
+#  serverAddr: argocd-server.argocd.svc:443
+#  insecure: true
+#  plainText: false
+#  credentials:
+#    source: Secret
+#    secretRef:
+#      namespace: argocd
+#      name: argocd-secret-crossplane
+#      key: authToken
+#
+#---
+#apiVersion: cluster.argocd.crossplane.io/v1alpha1
+#kind: Cluster
+#metadata:
+#  name: prd
+#  labels:
+#    purpose: prd
+#spec:
+#  forProvider:
+#    name: prd
+#    config:
+#      kubeconfigSecretRef:
+#        name: prod-kubeconfig
+#        namespace: argocd
+#        key: kubeconfig
+#  providerConfigRef:
+#    name: argocd-provider
+#
+#---
+#apiVersion: external-secrets.io/v1
+#kind: ExternalSecret
+#metadata:
+#  name: dev-kubeconfig
+#spec:
+#  secretStoreRef:
+#    name: vault
+#    kind: ClusterSecretStore
+#  target:
+#    name: dev-kubeconfig
+#  data:
+#    - secretKey: kubeconfig
+#      remoteRef:
+#        key: kv/argocd/dev
+#        property: kubeconfig
+#
+#---
+#apiVersion: cluster.argocd.crossplane.io/v1alpha1
+#kind: Cluster
+#metadata:
+#  name: dev
+#  labels:
+#    purpose: dev
+#spec:
+#  forProvider:
+#    name: dev
+#    config:
+#      kubeconfigSecretRef:
+#        name: dev-kubeconfig
+#        namespace: argocd
+#        key: kubeconfig
+#  providerConfigRef:
+#    name: argocd-provider
--- a/infra/argocd/templates/argocd.yaml
+++ b/infra/argocd/templates/argocd.yaml
@@ -21,7 +21,7 @@ spec:

 ---

-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: vault-argocd
--- a/infra/argocd/templates/authentik.yaml
+++ b/infra/argocd/templates/authentik.yaml
@@ -18,12 +18,11 @@ spec:
    #    istio-injection: enabled
    automated:
      prune: true
-      selfHeal: true  
+      selfHeal: true
    syncOptions:
-      - CreateNamespace=true 
+      - CreateNamespace=true

 ---
-
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
@@ -41,7 +40,6 @@ spec:
  syncPolicy:
    automated:
      prune: true
-      selfHeal: true  
+      selfHeal: true
    syncOptions:
-      - CreateNamespace=true 
-
+      - CreateNamespace=true
--- a/infra/argocd/templates/crowdsec.yaml
+++ b/infra/argocd/templates/crowdsec.yaml
@@ -0,0 +1,20 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: crowdsec
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://gitlab.com/developerdurp/homelab.git
+    targetRevision: main
+    path: dmz/crowdsec
+  destination:
+    namespace: crowdsec
+    name: dmz
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
--- a/infra/argocd/templates/istio.yaml
+++ b/infra/argocd/templates/istio.yaml
@@ -18,17 +18,16 @@ spec:
        topology.istio.io/network: network1
    automated:
      prune: true
-      selfHeal: true  
+      selfHeal: true
    syncOptions:
-      - CreateNamespace=true 
+      - CreateNamespace=true
  ignoreDifferences:
-  - group: admissionregistration.k8s.io
-    kind: ValidatingWebhookConfiguration
-    jsonPointers:
-    - /webhooks/0/failurePolicy
+    - group: admissionregistration.k8s.io
+      kind: ValidatingWebhookConfiguration
+      jsonPointers:
+        - /webhooks/0/failurePolicy

 ---
-
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
@@ -53,7 +52,7 @@ spec:
    syncOptions:
      - CreateNamespace=true
  ignoreDifferences:
-  - group: admissionregistration.k8s.io
-    kind: ValidatingWebhookConfiguration
-    jsonPointers:
-    - /webhooks/0/failurePolicy
+    - group: admissionregistration.k8s.io
+      kind: ValidatingWebhookConfiguration
+      jsonPointers:
+        - /webhooks/0/failurePolicy
--- a/infra/argocd/templates/longhorn.yaml
+++ b/infra/argocd/templates/longhorn.yaml
@@ -18,6 +18,11 @@ spec:
      selfHeal: true
    syncOptions:
      - CreateNamespace=true
+  ignoreDifferences:
+    - group: engineimages.longhorn.io
+      jsonPointers:
+        - /spec/preserveUnknownFields
+      kind: CustomResourceDefinition

 ---
 apiVersion: argoproj.io/v1alpha1
--- a/infra/argocd/templates/octopusdeploy.yaml
+++ b/infra/argocd/templates/octopusdeploy.yaml
@@ -20,7 +20,6 @@ spec:
      - CreateNamespace=true

 ---
-
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
@@ -33,7 +32,7 @@ spec:
    targetRevision: main
    path: infra/octopus-agent
  destination:
-    namespace: octpus-agent
+    namespace: octopus-agent
    name: in-cluster
  syncPolicy:
    automated:
@@ -41,4 +40,3 @@ spec:
      selfHeal: true
    syncOptions:
      - CreateNamespace=true
-
--- a/infra/argocd/values.yaml
+++ b/infra/argocd/values.yaml
@@ -34,6 +34,7 @@ argo-cd:
      annotations: {}
      url: https://argocd.infra.durp.info
      oidc.tls.insecure.skip.verify: "true"
+      accounts.provider-argocd: apiKey
      dex.config: |
        connectors:
          - config:
@@ -49,13 +50,15 @@ argo-cd:
            name: authentik
            type: oidc
            id: authentik
+      resource.exclusions: ""

    rbac:
      create: true
      policy.csv: |
        g, ArgoCD Admins, role:admin
+        g, provider-argocd, role:admin
      scopes: "[groups]"

  server:
    route:
-      enabled: false
+      enabled: false
--- a/infra/authentik/Chart.yaml
+++ b/infra/authentik/Chart.yaml
@@ -9,5 +9,5 @@ appVersion: "1.16.0"
 dependencies:
  - name: authentik
    repository: https://charts.goauthentik.io
-    version: 2025.4.0
+    version: 2025.4.1

--- a/infra/authentik/templates/ingress.yaml
+++ b/infra/authentik/templates/ingress.yaml
@@ -6,16 +6,20 @@ spec:
  entryPoints:
    - websecure
  routes:
-  - match: Host(`authentik.durp.info`) && PathPrefix(`/`) 
-    kind: Rule
-    services:
-    - name: authentik-server
-      port: 80
+    - match: Host(`authentik.durp.info`) && PathPrefix(`/`)
+      kind: Rule
+      services:
+        - name: authentik-server
+          port: 80
+    - match: Host(`authentik.durp.info`) && PathPrefix(`/outpost.goauthentik.io`)
+      kind: Rule
+      services:
+        - name: ak-outpost-authentik-embedded-outpost
+          port: 9000
  tls:
    secretName: authentik-tls

 ---
-
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
@@ -27,5 +31,4 @@ spec:
    kind: ClusterIssuer
  commonName: "authentik.durp.info"
  dnsNames:
-  - "authentik.durp.info" 
-
+    - "authentik.durp.info"
--- a/infra/authentik/templates/secrets.yaml
+++ b/infra/authentik/templates/secrets.yaml
@@ -1,4 +1,4 @@
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: authentik-secret
--- a/infra/bitwarden/templates/deployment.yaml
+++ b/infra/bitwarden/templates/deployment.yaml
@@ -16,35 +16,35 @@ spec:
        app: bitwarden
    spec:
      containers:
-      - name: bitwarden
-        image: registry.durp.info/vaultwarden/server:1.32.7
-        imagePullPolicy: Always
-        volumeMounts:
-        - name: bitwarden-pvc
-          mountPath: /data
-          subPath: bitwaren-data              
-        ports:
-        - name: http
-          containerPort: 80
-        env:
-          - name: SIGNUPS_ALLOWED
-            value: "FALSE"
-          - name: INVITATIONS_ALLOWED
-            value: "FALSE"                      
-          - name: WEBSOCKET_ENABLED
-            value: "TRUE"          
-          - name: ROCKET_ENV
-            value: "staging"              
-          - name: ROCKET_PORT
-            value: "80"            
-          - name: ROCKET_WORKERS
-            value: "10"
-          - name: SECRET_USERNAME
-            valueFrom:
-              secretKeyRef:
-                name: bitwarden-secret
-                key: ADMIN_TOKEN
+        - name: bitwarden
+          image: registry.durp.info/vaultwarden/server:1.34.3
+          imagePullPolicy: Always
+          volumeMounts:
+            - name: bitwarden-pvc
+              mountPath: /data
+              subPath: bitwaren-data
+          ports:
+            - name: http
+              containerPort: 80
+          env:
+            - name: SIGNUPS_ALLOWED
+              value: "FALSE"
+            - name: INVITATIONS_ALLOWED
+              value: "FALSE"
+            - name: WEBSOCKET_ENABLED
+              value: "TRUE"
+            - name: ROCKET_ENV
+              value: "staging"
+            - name: ROCKET_PORT
+              value: "80"
+            - name: ROCKET_WORKERS
+              value: "10"
+            - name: SECRET_USERNAME
+              valueFrom:
+                secretKeyRef:
+                  name: bitwarden-secret
+                  key: ADMIN_TOKEN
      volumes:
-      - name: bitwarden-pvc
-        persistentVolumeClaim:
-          claimName: bitwarden-pvc             
+        - name: bitwarden-pvc
+          persistentVolumeClaim:
+            claimName: bitwarden-pvc
--- a/infra/bitwarden/templates/secrets.yaml
+++ b/infra/bitwarden/templates/secrets.yaml
@@ -1,4 +1,4 @@
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: bitwarden-secret
--- a/infra/cert-manager/Chart.yaml
+++ b/infra/cert-manager/Chart.yaml
@@ -8,4 +8,4 @@ appVersion: 0.0.1
 dependencies:
 - name: cert-manager
  repository: https://charts.jetstack.io
-  version: v1.16.3
+  version: v1.17.2
--- a/infra/cert-manager/templates/secretvault.yaml
+++ b/infra/cert-manager/templates/secretvault.yaml
@@ -1,4 +1,4 @@
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: cloudflare-api-token-secret
--- a/infra/external-secrets/Chart.yaml
+++ b/infra/external-secrets/Chart.yaml
@@ -8,4 +8,4 @@ appVersion: 0.0.1
 dependencies:
 - name: external-secrets
  repository: https://charts.external-secrets.io
-  version: 0.15.0
+  version: 0.17.0
--- a/infra/external-secrets/values.yaml
+++ b/infra/external-secrets/values.yaml
@@ -1,7 +1,13 @@
 external-secrets:
+  global:
+    security:
+      allowInsecureImages: true
+
+  log:
+    level: debug
  replicaCount: 1
  revisionHistoryLimit: 1
-  leaderElect: true
+  leaderElect: false

  installCRDs: true
  crds:
@@ -27,13 +33,13 @@ external-secrets:
      subPath: vault.pem
      readOnly: true

-  resources:
-    requests:
-      memory: 32Mi
-      cpu: 10m
-    limits:
-      memory: 32Mi
-      cpu: 10m
+  #  resources:
+  #    requests:
+  #      memory: 32Mi
+  #      cpu: 10m
+  #    limits:
+  #      memory: 32Mi
+  #      cpu: 10m

  webhook:
    log:
@@ -42,13 +48,13 @@ external-secrets:
      repository: registry.durp.info/external-secrets/external-secrets
      pullPolicy: Always

-    resources:
-      requests:
-        memory: 32Mi
-        cpu: 10m
-      limits:
-        memory: 32Mi
-        cpu: 10m
+  #    resources:
+  #      requests:
+  #        memory: 32Mi
+  #        cpu: 10m
+  #      limits:
+  #        memory: 32Mi
+  #        cpu: 10m

  certController:
    create: false
--- a/infra/istio-system/Chart.yaml
+++ b/infra/istio-system/Chart.yaml
@@ -8,10 +8,10 @@ appVersion: 0.0.1
 dependencies:
 - name: base
  repository: https://istio-release.storage.googleapis.com/charts
-  version: 1.25.1
+  version: 1.26.2
 - name: istiod
  repository: https://istio-release.storage.googleapis.com/charts
-  version: 1.25.1
+  version: 1.26.2
 - name: gateway
  repository: https://istio-release.storage.googleapis.com/charts
-  version: 1.25.1
+  version: 1.26.2
--- a/infra/longhorn/Chart.yaml
+++ b/infra/longhorn/Chart.yaml
@@ -9,4 +9,4 @@ appVersion: "1.16.0"
 dependencies:
 - name: longhorn
  repository: https://charts.longhorn.io
-  version: 1.7.2
+  version: 1.9.0
--- a/infra/longhorn/templates/secrets.yaml
+++ b/infra/longhorn/templates/secrets.yaml
@@ -5,7 +5,7 @@ metadata:

 ---

-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: external-longhorn-backup-token-secret
--- a/infra/metallb-system/Chart.yaml
+++ b/infra/metallb-system/Chart.yaml
@@ -9,4 +9,4 @@ appVersion: "1.16.0"
 dependencies:
 - name: metallb
  repository: https://metallb.github.io/metallb
-  version: 0.14.9
+  version: 0.15.2
--- a/infra/nebula-sync/templates/secrets.yaml
+++ b/infra/nebula-sync/templates/secrets.yaml
@@ -1,4 +1,4 @@
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: nebula-sync-secret
--- a/infra/octopus-agent/templates/secret.yaml
+++ b/infra/octopus-agent/templates/secret.yaml
@@ -5,7 +5,7 @@ metadata:

 ---

-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: agent-token
--- a/infra/octopus-agent/values.yaml
+++ b/infra/octopus-agent/values.yaml
@@ -4,7 +4,9 @@ kubernetes-agent:
    acceptEula: "Y"
    serverUrl: "https://octopus.durp.info/"
    serverCommsAddresses:
-      - "https://octopusdeploy-octopus-deploy.octopusdeploy.svc.cluster.local:10943/"
+      - "https://octopus-deploy-node0.octopusdeploy.svc.cluster.local:10943/"
+      - "https://octopus-deploy-node1.octopusdeploy.svc.cluster.local:10943/"
+      - "https://octopus-deploy-node2.octopusdeploy.svc.cluster.local:10943/"
    space: "Default"
    name: "infra"
    deploymentTarget:
--- a/infra/octopusdeploy/Chart.yaml
+++ b/infra/octopusdeploy/Chart.yaml
@@ -9,4 +9,4 @@ appVersion: "1.16.0"
 dependencies:
  - name: octopusdeploy-helm
    repository: oci://ghcr.io/octopusdeploy
-    version: 1.3.1
+    version: 1.4.0
--- a/infra/octopusdeploy/templates/secrets.yaml
+++ b/infra/octopusdeploy/templates/secrets.yaml
@@ -4,8 +4,7 @@ metadata:
  name: vault

 ---
-
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: octopusdeploy-adminpassword
@@ -22,8 +21,7 @@ spec:
        property: adminpassword

 ---
-
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: octopusdeploy-adminusername
@@ -40,8 +38,7 @@ spec:
        property: adminusername

 ---
-
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: octopusdeploy-connectionstring
@@ -58,8 +55,7 @@ spec:
        property: connectionstring

 ---
-
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: octopusdeploy-masterkey
@@ -76,8 +72,7 @@ spec:
        property: masterkey

 ---
-
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: octopusdeploy-sapassword
@@ -92,3 +87,20 @@ spec:
      remoteRef:
        key: kv/octopusdeploy
        property: sapassword
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: octopusdeploy-licensekey
+spec:
+  secretStoreRef:
+    name: vault
+    kind: ClusterSecretStore
+  target:
+    name: octopusdeploy-licensekey
+  data:
+    - secretKey: secret
+      remoteRef:
+        key: kv/octopusdeploy
+        property: licensekey
--- a/infra/openclarity/templates/secret.yaml
+++ b/infra/openclarity/templates/secret.yaml
@@ -5,7 +5,7 @@ metadata:

 ---

-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: openclarity-postgres-secret
--- a/infra/openclarity/values.yaml
+++ b/infra/openclarity/values.yaml
@@ -317,7 +317,7 @@ openclarity:
      # -- Gateway service container repository
      repository: nginxinc/nginx-unprivileged
      # -- Gateway service container tag
-      tag: 1.27.3
+      tag: 1.29.0
      # -- Gateway image digest. If set will override the tag.
      digest: ""
      # -- Gateway service container pull policy
@@ -542,7 +542,7 @@ openclarity:
      # -- Trivy Server container repository
      repository: aquasec/trivy
      # -- Trivy Server container tag
-      tag: 0.58.2
+      tag: 0.64.1
      # -- Trivy Server image digest. If set will override the tag.
      digest: ""
      # -- Trivy Server image pull policy
@@ -719,7 +719,7 @@ openclarity:
      # -- Swagger UI container repository
      repository: swaggerapi/swagger-ui
      # -- Swagger UI container tag
-      tag: v5.21.0
+      tag: v5.29.0
      # -- Swagger UI image digest. If set will override the tag.
      digest: ""
      # -- Swagger UI image pull policy
--- a/infra/renovate/templates/secrets.yaml
+++ b/infra/renovate/templates/secrets.yaml
@@ -4,7 +4,7 @@ metadata:
  name: vault

 ---
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: renovate-config-secret
--- a/infra/renovate/values.yaml
+++ b/infra/renovate/values.yaml
@@ -103,7 +103,8 @@ renovate:
        "autodiscover": "true",
        "dryRun": false,
        "printConfig": false,
-        "autodiscoverFilter": ["developerdurp/*", "durfy/*"]
+        "autodiscoverFilter": ["developerdurp/*", "durfy/*"],
+        "assignees": ["developerdurp"],
      }
    # See https://docs.renovatebot.com/self-hosted-configuration
    # config: |
@@ -304,7 +305,7 @@ renovate:
  # -- Create extra manifests via values. Would be passed through `tpl` for templating
  extraObjects: []
  # extraObjects:
-  #   - apiVersion: external-secrets.io/v1beta1
+  #   - apiVersion: external-secrets.io/v1
  #     kind: ExternalSecret
  #     metadata:
  #       name: '{{ include "renovate.fullname" . }}-token'
--- a/infra/terraform/main.tf
+++ b/infra/terraform/main.tf
@@ -3,7 +3,7 @@ terraform {
  required_providers {
    proxmox = {
      source  = "Telmate/proxmox"
-      version = "3.0.1-rc6"
+      version = "3.0.1-rc9"
    }
  }
 }
--- a/infra/traefik/Chart.yaml
+++ b/infra/traefik/Chart.yaml
@@ -8,4 +8,4 @@ appVersion: 0.0.1
 dependencies:
 - name: traefik
  repository: https://traefik.github.io/charts
-  version: 34.0.0
+  version: 34.5.0
--- a/infra/vault/Chart.yaml
+++ b/infra/vault/Chart.yaml
@@ -8,5 +8,5 @@ appVersion: 0.0.1
 dependencies:
 - name: vault
  repository: https://helm.releases.hashicorp.com  
-  version: 0.29.1
+  version: 0.30.0

--- a/infra/vault/templates/secret-store.yaml
+++ b/infra/vault/templates/secret-store.yaml
@@ -1,4 +1,4 @@
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ClusterSecretStore
 metadata:
  name: vault
--- a/master/argocd/Chart.yaml
+++ b/master/argocd/Chart.yaml
@@ -9,6 +9,6 @@ appVersion: "1.16.0"
 dependencies:
 - name: argo-cd
  repository: https://argoproj.github.io/argo-helm
-  version: 6.11.1
+  version: 8.1.3


--- a/master/argocd/templates/secrets.yaml
+++ b/master/argocd/templates/secrets.yaml
@@ -1,4 +1,4 @@
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: vault-argocd
--- a/master/authentik/Chart.yaml
+++ b/master/authentik/Chart.yaml
@@ -9,4 +9,4 @@ appVersion: "1.16.0"
 dependencies:
 - name: authentik-remote-cluster
  repository: https://charts.goauthentik.io
-  version: 2.0.0
+  version: 2.1.0
--- a/master/authentik/templates/secrets.yaml
+++ b/master/authentik/templates/secrets.yaml
@@ -1,4 +1,4 @@
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: authentik-secret
--- a/master/bitwarden/templates/secrets.yaml
+++ b/master/bitwarden/templates/secrets.yaml
@@ -1,4 +1,4 @@
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: bitwarden-secret
--- a/master/cert-manager/Chart.yaml
+++ b/master/cert-manager/Chart.yaml
@@ -8,4 +8,4 @@ appVersion: 0.0.1
 dependencies:
 - name: cert-manager
  repository: https://charts.jetstack.io
-  version: v1.15.3
+  version: v1.17.2
--- a/master/cert-manager/templates/sealedsecret.yaml
+++ b/master/cert-manager/templates/sealedsecret.yaml
@@ -1,4 +1,4 @@
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: cloudflare-api-token-secret
--- a/master/crossplane/Chart.yaml
+++ b/master/crossplane/Chart.yaml
@@ -9,4 +9,4 @@ appVersion: "1.16.0"
 dependencies:
 - name: crossplane
  repository: https://charts.crossplane.io/stable
-  version: 1.17.1
+  version: 1.20.0
--- a/master/crossplane/templates/gitlab.yml
+++ b/master/crossplane/templates/gitlab.yml
@@ -6,7 +6,7 @@ spec:
  package: xpkg.upbound.io/crossplane-contrib/provider-gitlab:v0.5.0
 ---

-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: gitlab-secret
--- a/master/durpapi/Chart.yaml
+++ b/master/durpapi/Chart.yaml
@@ -8,6 +8,6 @@ appVersion: 0.1.0

 dependencies:
 - condition: postgresql.enabled
-  version: 12.5.*
+  version: 16.7.*
  repository: https://charts.bitnami.com/bitnami
  name: postgresql
--- a/master/durpapi/templates/secrets.yaml
+++ b/master/durpapi/templates/secrets.yaml
@@ -1,4 +1,4 @@
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: durpapi-secret
--- a/master/durpot/templates/secrets.yaml
+++ b/master/durpot/templates/secrets.yaml
@@ -1,4 +1,4 @@
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: durpot-secert
--- a/master/external-dns/Chart.yaml
+++ b/master/external-dns/Chart.yaml
@@ -9,4 +9,4 @@ appVersion: 0.0.1
 dependencies:
 - name: external-dns
  repository: https://charts.bitnami.com/bitnami
-  version: 8.3.8
+  version: 8.9.2
--- a/master/external-dns/templates/secrets.yaml
+++ b/master/external-dns/templates/secrets.yaml
@@ -1,4 +1,4 @@
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: external-dns-secret
--- a/master/external-secrets/Chart.yaml
+++ b/master/external-secrets/Chart.yaml
@@ -8,5 +8,5 @@ appVersion: 0.0.1
 dependencies:
 - name: external-secrets
  repository: https://charts.external-secrets.io
-  version: 0.10.4
+  version: 0.17.0

--- a/master/gatekeeper/Chart.yaml
+++ b/master/gatekeeper/Chart.yaml
@@ -8,4 +8,4 @@ appVersion: 0.0.1
 dependencies:
 - name: gatekeeper
  repository: https://open-policy-agent.github.io/gatekeeper/charts
-  version: 3.17.1
+  version: 3.19.2
--- a/master/gitlab-runner/Chart.yaml
+++ b/master/gitlab-runner/Chart.yaml
@@ -8,4 +8,4 @@ appVersion: 0.0.1
 dependencies:
 - name: gitlab-runner
  repository: https://charts.gitlab.io/
-  version: 0.69.0
+  version: 0.77.2
--- a/master/gitlab-runner/templates/secrets.yaml
+++ b/master/gitlab-runner/templates/secrets.yaml
@@ -1,4 +1,4 @@
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: gitlab-secret
--- a/master/internalproxy/templates/ollama.yaml
+++ b/master/internalproxy/templates/ollama.yaml
@@ -1,4 +1,4 @@
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: ollama-secret
--- a/master/krakend/templates/secrets.yaml
+++ b/master/krakend/templates/secrets.yaml
@@ -1,4 +1,4 @@
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: krakend-secret
--- a/master/kube-prometheus-stack/Chart.yaml
+++ b/master/kube-prometheus-stack/Chart.yaml
@@ -9,4 +9,4 @@ appVersion: "1.16.0"
 dependencies:
 - name: kube-prometheus-stack
  repository: https://prometheus-community.github.io/helm-charts
-  version: 63.1.0
+  version: 72.9.1
--- a/master/kube-prometheus-stack/templates/grafana-secrets-sealed.yaml
+++ b/master/kube-prometheus-stack/templates/grafana-secrets-sealed.yaml
@@ -1,4 +1,4 @@
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: vault-grafana-oauth
@@ -20,7 +20,7 @@ spec:
         
 ---

-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: vault-admin-credentials
--- a/master/longhorn/Chart.yaml
+++ b/master/longhorn/Chart.yaml
@@ -9,4 +9,4 @@ appVersion: "1.16.0"
 dependencies:
 - name: longhorn
  repository: https://charts.longhorn.io
-  version: 1.7.1
+  version: 1.9.0
--- a/Show More
+++ b/Show More