Update Helm release gatekeeper to v3.21.0

Revert "Merge branch 'renovate/authentik-2025.x' into 'main'"

See merge request developerdurp/homelab!50

.gitlab/.gitlab-ci.yml

@@ -24,3 +24,11 @@ build_dev:
   rules:
     - changes:
         - "dev/terraform/*.tf"
+
+build_prd:
+  stage: triggers
+  trigger:
+    include: prd/.gitlab/.gitlab-ci.yml
+  rules:
+    - changes:
+        - "prd/terraform/*.tf"

ansible/newcluster.yaml

@@ -1,2 +1,2 @@
 argocd login --insecure
-argocd cluster add <cluster> --name<name>
+argocd cluster add default --name prd --yes --kubeconfig ~/Documents/config-prd

ansible/roles/base/files/01proxy

@@ -0,0 +1 @@
+Acquire::http::Proxy "http://192.168.21.200:3142";

ansible/roles/base/files/authorized_keys_user

@@ -1 +1,2 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGhPVgL8gXdRTw0E2FvlOUoUI4vd794nB0nZVIsc+U5M
+sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIGilcndatMrXg06VxtNKuIo3scoyyXbYX8Z7cOjeA102AAAABHNzaDo= desktop-arch-09-08-2025-yubikey
+sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAINsbNSZ5Wr+50Ahz+IeZxt6F7gZ6wm1J8uKXQLbdbKFaAAAABHNzaDo= desktop-arch-09-08-2025-yubikeyNano

ansible/roles/base/tasks/main.yaml

@@ -1,3 +1,15 @@
+- name: Copy apt proxy
+  copy: 
+    src: files/01proxy
+    dest: /etc/apt/apt.conf.d/01proxy
+    owner: root 
+    group: root 
+    mode: "0644"
+    force: yes
+  when: 
+    - ansible_os_family == "Debian"      
+    - inventory_hostname not in hosts_deny
+
 - name: Update packages
   apt:
     name: '*'

dev/cert-manager/Chart.yaml

@@ -8,4 +8,4 @@ appVersion: 0.0.1
 dependencies:
 - name: cert-manager
   repository: https://charts.jetstack.io
-  version: v1.16.3
+  version: v1.17.2

dev/cert-manager/templates/secretvault.yaml

@@ -1,4 +1,4 @@
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
   name: cloudflare-api-token-secret

dev/external-dns/Chart.yaml

@@ -9,4 +9,4 @@ appVersion: 0.0.1
 dependencies:
 - name: external-dns
   repository: https://charts.bitnami.com/bitnami
-  version: 8.3.8
+  version: 8.9.2

dev/external-dns/templates/secrets.yaml

@@ -1,4 +1,4 @@
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
   name: external-dns-secret

dev/external-secrets/Chart.yaml

@@ -8,4 +8,4 @@ appVersion: 0.0.1
 dependencies:
 - name: external-secrets
   repository: https://charts.external-secrets.io
-  version: 0.13.0
+  version: 0.17.0

dev/metallb-system/Chart.yaml

@@ -9,4 +9,4 @@ appVersion: "1.16.0"
 dependencies:
 - name: metallb
   repository: https://metallb.github.io/metallb
-  version: 0.14.9
+  version: 0.15.2

dev/metallb-system/templates/config.yaml

@@ -4,7 +4,7 @@ metadata:
   name: cheap
 spec:
   addresses:
-    - 192.168.98.130-192.168.98.140
+    - 192.168.10.130-192.168.10.140
 ---
 apiVersion: metallb.io/v1beta1
 kind: L2Advertisement

dev/terraform/main.tf

@@ -3,7 +3,7 @@ terraform {
   required_providers {
     proxmox = {
       source  = "Telmate/proxmox"
-      version = "3.0.1-rc6"
+      version = "3.0.1-rc9"
     }
   }
 }
@@ -30,7 +30,7 @@ locals {
     cores   = 2
     memory  = "4096"
     drive   = 20
-    storage = "domains"
+    storage = "cache-domains"
     node    = ["mothership", "overlord", "vanguard"]
     ip      = ["11", "12", "13"]
   }
@@ -41,7 +41,7 @@ locals {
     cores   = 4
     memory  = "8192"
     drive   = 120
-    storage = "domains"
+    storage = "cache-domains"
     node    = ["mothership", "overlord", "vanguard"]
     ip      = ["21", "22", "23"]
   }

dev/traefik/Chart.yaml

@@ -8,4 +8,4 @@ appVersion: 0.0.1
 dependencies:
 - name: traefik
   repository: https://traefik.github.io/charts
-  version: 34.0.0
+  version: 34.5.0

dev/vault/Chart.yaml

@@ -8,5 +8,5 @@ appVersion: 0.0.1
 dependencies:
 - name: vault
   repository: https://helm.releases.hashicorp.com  
-  version: 0.29.1
+  version: 0.30.0
 

dev/vault/templates/secret-store.yaml

@@ -1,4 +1,4 @@
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ClusterSecretStore
 metadata:
   name: vault

dmz/authentik/Chart.yaml

@@ -7,6 +7,6 @@ version: 0.1.0
 appVersion: "1.16.0"
 
 dependencies:
-- name: authentik-remote-cluster
+  - name: authentik-remote-cluster
     repository: https://charts.goauthentik.io
-  version: 2.0.0
+    version: 2.1.0

dmz/authentik/templates/ingress.yaml

@@ -0,0 +1,62 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: authentik-tls
+spec:
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  secretName: authentik-tls
+  commonName: "authentik.durp.info"
+  dnsNames:
+    - "authentik.durp.info"
+
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: authentik-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`authentik.durp.info`) && PathPrefix(`/`)
+      kind: Rule
+      services:
+        - name: infra-cluster
+          port: 443
+  tls:
+    secretName: authentik-tls
+
+---
+kind: Service
+apiVersion: v1
+metadata:
+  name: authentik-external-dns
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: authentik.durp.info
+spec:
+  type: ExternalName
+  externalName: durp.info
+
+---
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: infra-cluster
+subsets:
+  - addresses:
+      - ip: 192.168.12.130
+    ports:
+      - port: 443
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: infra-cluster
+spec:
+  ports:
+    - protocol: TCP
+      port: 443
+      targetPort: 443

dmz/cert-manager/Chart.yaml

@@ -8,4 +8,4 @@ appVersion: 0.0.1
 dependencies:
 - name: cert-manager
   repository: https://charts.jetstack.io
-  version: v1.16.3
+  version: v1.17.2

dmz/cert-manager/templates/secretvault.yaml

@@ -1,4 +1,4 @@
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
   name: cloudflare-api-token-secret

dmz/crowdsec/Chart.yaml

@@ -0,0 +1,11 @@
+apiVersion: v2
+name: crowdsec
+description: A Helm chart for Kubernetes
+type: application
+version: 0.0.1
+appVersion: 0.0.1
+
+dependencies:
+  - name: crowdsec
+    repository: https://crowdsecurity.github.io/helm-charts
+    version: 0.19.4

dmz/crowdsec/templates/secrets.yaml

@@ -0,0 +1,29 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: enroll-key
+spec:
+  secretStoreRef:
+    name: vault
+    kind: ClusterSecretStore
+  target:
+    name: enroll-key
+  data:
+    - secretKey: ENROLL_INSTANCE_NAME
+      remoteRef:
+        key: kv/crowdsec/dmz-enroll
+        property: ENROLL_INSTANCE_NAME
+    - secretKey: ENROLL_KEY
+      remoteRef:
+        key: kv/crowdsec/dmz-enroll
+        property: ENROLL_KEY
+    - secretKey: ENROLL_TAGS
+      remoteRef:
+        key: kv/crowdsec/dmz-enroll
+        property: ENROLL_TAGS
+
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vault

dmz/crowdsec/values.yaml

@@ -0,0 +1,24 @@
+crowdsec:
+  #
+  image:
+    repository: registry.durp.info/crowdsecurity/crowdsec
+    pullPolicy: Always
+
+  # for raw logs format: json or cri (docker|containerd)
+  container_runtime: containerd
+  agent:
+    # Specify each pod whose logs you want to process
+    acquisition:
+      # The namespace where the pod is located
+      - namespace: traefik
+        # The pod name
+        podName: traefik-*
+        # as in crowdsec configuration, we need to specify the program name to find a matching parser
+        program: traefik
+    env:
+      - name: COLLECTIONS
+        value: "crowdsecurity/traefik"
+  lapi:
+    envFrom:
+      - secretRef:
+          name: enroll-key

dmz/external-dns/Chart.yaml

@@ -9,4 +9,4 @@ appVersion: 0.0.1
 dependencies:
 - name: external-dns
   repository: https://charts.bitnami.com/bitnami
-  version: 8.3.8
+  version: 8.9.2

dmz/external-dns/templates/secrets.yaml

@@ -1,4 +1,4 @@
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
   name: external-dns-secret

dmz/external-dns/values.yaml

@@ -1,6 +1,8 @@
 external-dns:
   global:
     imageRegistry: "registry.durp.info"
+    security:
+      allowInsecureImages: true
 
   image:
     pullPolicy: Always
@@ -12,7 +14,7 @@ external-dns:
 
   provider: cloudflare
   cloudflare:
-    secretName : "external-dns"
+    secretName: "external-dns"
     proxied: false
 
   policy: sync

dmz/external-secrets/Chart.yaml

@@ -6,6 +6,6 @@ version: 0.0.1
 appVersion: 0.0.1
 
 dependencies:
-- name: external-secrets
+  - name: external-secrets
     repository: https://charts.external-secrets.io
-  version: 0.15.0
+    version: 0.17.0

dmz/external-secrets/values.yaml

@@ -1,7 +1,13 @@
 external-secrets:
-  replicaCount: 3
+  global:
+    security:
+      allowInsecureImages: true
+
+  log:
+    level: debug
+  replicaCount: 1
   revisionHistoryLimit: 1
-  leaderElect: true
+  leaderElect: false
 
   installCRDs: true
   crds:
@@ -27,13 +33,13 @@ external-secrets:
       subPath: vault.pem
       readOnly: true
 
-  resources: 
-    requests:
-      memory: 32Mi
-      cpu: 10m
-    limits:
-      memory: 32Mi
-      cpu: 10m
+  #  resources:
+  #    requests:
+  #      memory: 32Mi
+  #      cpu: 10m
+  #    limits:
+  #      memory: 32Mi
+  #      cpu: 10m
 
   webhook:
     create: false
@@ -55,13 +61,13 @@ external-secrets:
         subPath: vault.pem
         readOnly: true
 
-    resources: 
-      requests:
-        memory: 32Mi
-        cpu: 10m
-      limits:
-        memory: 32Mi
-        cpu: 10m
+  #    resources:
+  #      requests:
+  #        memory: 32Mi
+  #        cpu: 10m
+  #      limits:
+  #        memory: 32Mi
+  #        cpu: 10m
 
   certController:
     create: false

dmz/gitlab-runner/Chart.yaml

@@ -8,8 +8,8 @@ appVersion: 0.0.1
 dependencies:
 - name: gitlab-runner
   repository: https://charts.gitlab.io/
-  version: 0.69.0
+  version: 0.77.2
 - name: gitlab-runner
   repository: https://charts.gitlab.io/
-  version: 0.69.0
+  version: 0.77.2
   alias: personal

dmz/gitlab-runner/templates/secrets.yaml

@@ -1,4 +1,4 @@
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
   name: gitlab-secret
@@ -27,7 +27,7 @@ metadata:
 
 ---
 
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
   name: gitlab-secret-personal

dmz/internalproxy/templates/authentik.yaml

@@ -1,42 +1,40 @@
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: authentik-ingress
-spec:
-  entryPoints:
-    - websecure
-  routes:
-  - match: Host(`authentik.durp.info`) && PathPrefix(`/`) 
-    kind: Rule
-    services:
-    - name: infra-cluster
-      port: 443
-  tls:
-    secretName: authentik-tls
-
----
-
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: authentik-tls
-spec:
-  issuerRef:
-    name: letsencrypt-production
-    kind: ClusterIssuer
-  secretName: authentik-tls
-  commonName: "authentik.durp.info"
-  dnsNames:
-  - "authentik.durp.info"
-
----
-
-kind: Service
-apiVersion: v1
-metadata:
-  name: authentik-external-dns
-  annotations:
-    external-dns.alpha.kubernetes.io/hostname: authentik.durp.info
-spec:
-  type: ExternalName
-  externalName: durp.info
+#apiVersion: traefik.io/v1alpha1
+#kind: IngressRoute
+#metadata:
+#  name: authentik-ingress
+#spec:
+#  entryPoints:
+#    - websecure
+#  routes:
+#    - match: Host(`authentik.durp.info`) && PathPrefix(`/`)
+#      kind: Rule
+#      services:
+#        - name: infra-cluster
+#          port: 443
+#  tls:
+#    secretName: authentik-tls
+#
+#---
+#apiVersion: cert-manager.io/v1
+#kind: Certificate
+#metadata:
+#  name: authentik-tls
+#spec:
+#  issuerRef:
+#    name: letsencrypt-production
+#    kind: ClusterIssuer
+#  secretName: authentik-tls
+#  commonName: "authentik.durp.info"
+#  dnsNames:
+#    - "authentik.durp.info"
+#
+#---
+#kind: Service
+#apiVersion: v1
+#metadata:
+#  name: authentik-external-dns
+#  annotations:
+#    external-dns.alpha.kubernetes.io/hostname: authentik.durp.info
+#spec:
+#  type: ExternalName
+#  externalName: durp.info

dmz/internalproxy/templates/bitwarden.yaml

@@ -9,7 +9,7 @@ spec:
   - match: Host(`bitwarden.durp.info`) && PathPrefix(`/`) 
     kind: Rule
     services:
-    - name: master-cluster
+    - name: infra-cluster
       port: 443
   tls:
     secretName: bitwarden-tls

dmz/internalproxy/templates/gitlab.yaml

@@ -0,0 +1,68 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: gitlab
+spec:
+  ports:
+    - name: app
+      port: 9080
+      protocol: TCP
+      targetPort: 9080
+  clusterIP: None
+  type: ClusterIP
+
+---
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: gitlab
+subsets:
+  - addresses:
+      - ip: 192.168.21.200
+    ports:
+      - name: app
+        port: 9080
+        protocol: TCP
+
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: gitlab-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`gitlab.durp.info`) && PathPrefix(`/`)
+      kind: Rule
+      services:
+        - name: gitlab
+          port: 9080
+          scheme: http
+  tls:
+    secretName: gitlab-tls
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: gitlab-tls
+spec:
+  secretName: gitlab-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: "gitlab.durp.info"
+  dnsNames:
+    - "gitlab.durp.info"
+
+---
+kind: Service
+apiVersion: v1
+metadata:
+  name: gitlab-external-dns
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: gitlab.durp.info
+spec:
+  type: ExternalName
+  externalName: durp.info

dmz/internalproxy/templates/grafana.yaml

@@ -0,0 +1,40 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: grafana-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`grafana.durp.info`) && PathPrefix(`/`)
+      kind: Rule
+      services:
+        - name: infra-cluster
+          port: 443
+  tls:
+    secretName: grafana-tls
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: grafana-tls
+spec:
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  secretName: grafana-tls
+  commonName: "grafana.durp.info"
+  dnsNames:
+    - "grafana.durp.info"
+
+---
+kind: Service
+apiVersion: v1
+metadata:
+  name: grafana-external-dns
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: grafana.durp.info
+spec:
+  type: ExternalName
+  externalName: durp.info

dmz/internalproxy/templates/invidious.yaml

@@ -0,0 +1,74 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: invidious
+spec:
+  ports:
+  - name: app
+    port: 3000
+    protocol: TCP
+    targetPort: 3000
+  clusterIP: None
+  type: ClusterIP
+
+---
+
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: invidious
+subsets:
+- addresses:
+  - ip: 192.168.20.104
+  ports:
+  - name: app
+    port: 3000
+    protocol: TCP
+
+---    
+
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: invidious-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`invidious.durp.info`) && PathPrefix(`/`)
+    middlewares:
+    - name: authentik-proxy-provider
+      namespace: traefik  
+    kind: Rule
+    services:
+    - name: invidious
+      port: 3000
+  tls:
+    secretName: invidious-tls
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: invidious-tls
+spec:
+  secretName: invidious-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: "invidious.durp.info"
+  dnsNames:
+  - "invidious.durp.info"  
+
+---
+
+kind: Service
+apiVersion: v1
+metadata:
+  name: invidious-external-dns
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: invidious.durp.info
+spec:
+  type: ExternalName
+  externalName: durp.info

dmz/internalproxy/templates/n8n.yaml

@@ -0,0 +1,68 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: n8n
+spec:
+  ports:
+    - name: app
+      port: 5678
+      protocol: TCP
+      targetPort: 5678
+  clusterIP: None
+  type: ClusterIP
+
+---
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: n8n
+subsets:
+  - addresses:
+      - ip: 192.168.21.200
+    ports:
+      - name: app
+        port: 5678
+        protocol: TCP
+
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: n8n-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`n8n.durp.info`) && PathPrefix(`/`)
+      kind: Rule
+      services:
+        - name: n8n
+          port: 5678
+          scheme: http
+  tls:
+    secretName: n8n-tls
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: n8n-tls
+spec:
+  secretName: n8n-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: "n8n.durp.info"
+  dnsNames:
+    - "n8n.durp.info"
+
+---
+kind: Service
+apiVersion: v1
+metadata:
+  name: n8n-dns
+  annotations:
+    dns.alpha.kubernetes.io/hostname: n8n.durp.info
+spec:
+  type: ExternalName
+  externalName: durp.info

dmz/internalproxy/templates/octopus.yaml

@@ -0,0 +1,40 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: octopus-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`octopus.durp.info`) && PathPrefix(`/`)
+      kind: Rule
+      services:
+        - name: infra-cluster
+          port: 443
+  tls:
+    secretName: octopus-tls
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: octopus-tls
+spec:
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  secretName: octopus-tls
+  commonName: "octopus.durp.info"
+  dnsNames:
+    - "octopus.durp.info"
+
+---
+kind: Service
+apiVersion: v1
+metadata:
+  name: octopus-external-dns
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: octopus.durp.info
+spec:
+  type: ExternalName
+  externalName: durp.info

dmz/internalproxy/templates/ollama.yaml

@@ -1,4 +1,4 @@
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
   name: ollama-secret

dmz/internalproxy/templates/redlib.yaml

@@ -1,74 +1,74 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: redlib
-spec:
-  ports:
-  - name: app
-    port: 8082
-    protocol: TCP
-    targetPort: 8082
-  clusterIP: None
-  type: ClusterIP
-
----
-
-apiVersion: v1
-kind: Endpoints
-metadata:
-  name: redlib
-subsets:
-- addresses:
-  - ip: 192.168.21.200
-  ports:
-  - name: app
-    port: 8082
-    protocol: TCP
-
----    
-
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: redlib-ingress
-spec:
-  entryPoints:
-    - websecure
-  routes:
-  - match: Host(`redlib.durp.info`) && PathPrefix(`/`)
-    middlewares:
-    - name: authentik-proxy-provider
-      namespace: traefik  
-    kind: Rule
-    services:
-    - name: redlib
-      port: 8082
-  tls:
-    secretName: redlib-tls
-
----
-
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: redlib-tls
-spec:
-  secretName: redlib-tls
-  issuerRef:
-    name: letsencrypt-production
-    kind: ClusterIssuer
-  commonName: "redlib.durp.info"
-  dnsNames:
-  - "redlib.durp.info"  
-
----
-
-kind: Service
-apiVersion: v1
-metadata:
-  name: redlib-external-dns
-  annotations:
-    external-dns.alpha.kubernetes.io/hostname: redlib.durp.info
-spec:
-  type: ExternalName
-  externalName: durp.info
+#apiVersion: v1
+#kind: Service
+#metadata:
+#  name: redlib
+#spec:
+#  ports:
+#  - name: app
+#    port: 8082
+#    protocol: TCP
+#    targetPort: 8082
+#  clusterIP: None
+#  type: ClusterIP
+#
+#---
+#
+#apiVersion: v1
+#kind: Endpoints
+#metadata:
+#  name: redlib
+#subsets:
+#- addresses:
+#  - ip: 192.168.21.200
+#  ports:
+#  - name: app
+#    port: 8082
+#    protocol: TCP
+#
+#---    
+#
+#apiVersion: traefik.io/v1alpha1
+#kind: IngressRoute
+#metadata:
+#  name: redlib-ingress
+#spec:
+#  entryPoints:
+#    - websecure
+#  routes:
+#  - match: Host(`redlib.durp.info`) && PathPrefix(`/`)
+#    middlewares:
+#    - name: authentik-proxy-provider
+#      namespace: traefik  
+#    kind: Rule
+#    services:
+#    - name: redlib
+#      port: 8082
+#  tls:
+#    secretName: redlib-tls
+#
+#---
+#
+#apiVersion: cert-manager.io/v1
+#kind: Certificate
+#metadata:
+#  name: redlib-tls
+#spec:
+#  secretName: redlib-tls
+#  issuerRef:
+#    name: letsencrypt-production
+#    kind: ClusterIssuer
+#  commonName: "redlib.durp.info"
+#  dnsNames:
+#  - "redlib.durp.info"  
+#
+#---
+#
+#kind: Service
+#apiVersion: v1
+#metadata:
+#  name: redlib-external-dns
+#  annotations:
+#    external-dns.alpha.kubernetes.io/hostname: redlib.durp.info
+#spec:
+#  type: ExternalName
+#  externalName: durp.info

dmz/internalproxy/templates/registry.yaml

@@ -12,13 +12,12 @@ spec:
   type: ClusterIP
 
 ---
-
 apiVersion: v1
 kind: Endpoints
 metadata:
   name: registry
 subsets:
-- addresses:
+  - addresses:
       - ip: 192.168.21.200
     ports:
       - name: app
@@ -26,7 +25,6 @@ subsets:
         protocol: TCP
 
 ---
-
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
@@ -37,6 +35,9 @@ spec:
   routes:
     - match: Host(`registry.durp.info`) && PathPrefix(`/`)
       kind: Rule
+      middlewares:
+        - name: whitelist
+          namespace: traefik
       services:
         - name: registry
           port: 5000
@@ -44,7 +45,6 @@ spec:
     secretName: registry-tls
 
 ---
-
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
@@ -59,13 +59,12 @@ spec:
     - "registry.durp.info"
 
 ---
-
-kind: Service
-apiVersion: v1
-metadata:
-  name: registry-external-dns
-  annotations:
-    external-dns.alpha.kubernetes.io/hostname: registry.durp.info
-spec:
-  type: ExternalName
-  externalName: durp.info
+#kind: Service
+#apiVersion: v1
+#metadata:
+#  name: registry-external-dns
+#  annotations:
+#    external-dns.alpha.kubernetes.io/hostname: registry.durp.info
+#spec:
+#  type: ExternalName
+#  externalName: durp.info

dmz/internalproxy/templates/speedtest.yaml

@@ -1,74 +1,74 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: speedtest
-spec:
-  ports:
-  - name: app
-    port: 6580
-    protocol: TCP
-    targetPort: 6580
-  clusterIP: None
-  type: ClusterIP
-
----
-
-apiVersion: v1
-kind: Endpoints
-metadata:
-  name: speedtest
-subsets:
-- addresses:
-  - ip: 192.168.21.200
-  ports:
-  - name: app
-    port: 6580
-    protocol: TCP
-
----    
-
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: speedtest-ingress
-spec:
-  entryPoints:
-    - websecure
-  routes:
-  - match: Host(`speedtest.durp.info`) && PathPrefix(`/`)
-    kind: Rule
-    middlewares:
-    - name: authentik-proxy-provider
-      namespace: traefik 
-    services:
-    - name: speedtest
-      port: 6580
-  tls:
-    secretName: speedtest-tls
-
----
-
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: speedtest-tls
-spec:
-  secretName: speedtest-tls
-  issuerRef:
-    name: letsencrypt-production
-    kind: ClusterIssuer
-  commonName: "speedtest.durp.info"
-  dnsNames:
-  - "speedtest.durp.info"  
-
----
-
-kind: Service
-apiVersion: v1
-metadata:
-  name: speedtest-external-dns
-  annotations:
-    external-dns.alpha.kubernetes.io/hostname: speedtest.durp.info
-spec:
-  type: ExternalName
-  externalName: durp.info
+#apiVersion: v1
+#kind: Service
+#metadata:
+#  name: speedtest
+#spec:
+#  ports:
+#  - name: app
+#    port: 6580
+#    protocol: TCP
+#    targetPort: 6580
+#  clusterIP: None
+#  type: ClusterIP
+#
+#---
+#
+#apiVersion: v1
+#kind: Endpoints
+#metadata:
+#  name: speedtest
+#subsets:
+#- addresses:
+#  - ip: 192.168.21.200
+#  ports:
+#  - name: app
+#    port: 6580
+#    protocol: TCP
+#
+#---    
+#
+#apiVersion: traefik.io/v1alpha1
+#kind: IngressRoute
+#metadata:
+#  name: speedtest-ingress
+#spec:
+#  entryPoints:
+#    - websecure
+#  routes:
+#  - match: Host(`speedtest.durp.info`) && PathPrefix(`/`)
+#    kind: Rule
+#    middlewares:
+#    - name: authentik-proxy-provider
+#      namespace: traefik 
+#    services:
+#    - name: speedtest
+#      port: 6580
+#  tls:
+#    secretName: speedtest-tls
+#
+#---
+#
+#apiVersion: cert-manager.io/v1
+#kind: Certificate
+#metadata:
+#  name: speedtest-tls
+#spec:
+#  secretName: speedtest-tls
+#  issuerRef:
+#    name: letsencrypt-production
+#    kind: ClusterIssuer
+#  commonName: "speedtest.durp.info"
+#  dnsNames:
+#  - "speedtest.durp.info"  
+#
+#---
+#
+#kind: Service
+#apiVersion: v1
+#metadata:
+#  name: speedtest-external-dns
+#  annotations:
+#    external-dns.alpha.kubernetes.io/hostname: speedtest.durp.info
+#spec:
+#  type: ExternalName
+#  externalName: durp.info

dmz/istio-system/Chart.yaml

@@ -8,10 +8,10 @@ appVersion: 0.0.1
 dependencies:
   - name: base
     repository: https://istio-release.storage.googleapis.com/charts
-    version: 1.25.1
+    version: 1.26.2
   - name: istiod
     repository: https://istio-release.storage.googleapis.com/charts
-    version: 1.25.1
+    version: 1.26.2
   - name: gateway
     repository: https://istio-release.storage.googleapis.com/charts
-    version: 1.25.1
+    version: 1.26.2

dmz/littlelink/templates/deployment.yaml

@@ -0,0 +1,101 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  namespace: littlelink
+  name: littlelink
+  labels:
+    app: littlelink
+spec:
+  selector:
+    matchLabels:
+      app: littlelink
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: littlelink
+    spec:
+      containers:
+      - name: littlelink
+        image: registry.durp.info/techno-tim/littlelink-server:latest
+        imagePullPolicy: Always
+        livenessProbe:
+          httpGet:
+            path: /healthcheck
+            port: 3000
+        readinessProbe:
+          httpGet:
+            path: /healthcheck
+            port: 3000            
+        env:
+          - name: META_TITLE
+            value: DeveloperDurp
+          - name: META_DESCRIPTION
+            value: The Durpy Developer
+          - name: META_AUTHOR
+            value: DeveloperDurp
+          - name: LANG
+            value: en
+          - name: META_INDEX_STATUS
+            value: all
+          - name: OG_TITLE
+            value: DeveloperDurp
+          - name: OG_DESCRIPTION
+            value: DeveloperDurp
+          - name: OG_URL
+            value: https://gitlab.com/developerdurp
+          - name: OG_IMAGE
+            value: https://gitlab.com/uploads/-/system/user/avatar/9987937/avatar.png
+          - name : OG_IMAGE_WIDTH
+            value: "400"
+          - name : OG_IMAGE_HEIGHT
+            value: "400"
+          - name : THEME
+            value: Dark 
+          - name : FAVICON_URL
+            value: https://gitlab.com/uploads/-/system/user/avatar/9987937/avatar.png
+          - name : AVATAR_URL
+            value: https://gitlab.com/uploads/-/system/user/avatar/9987937/avatar.png
+          - name : AVATAR_2X_URL
+            value: https://gitlab.com/uploads/-/system/user/avatar/9987937/avatar.png   
+          - name : AVATAR_ALT
+            value: DeveloperDurp Profile Pic
+          - name : NAME
+            value: DeveloperDurp
+          - name : BIO
+            value: Sup Nerd,
+          - name : BUTTON_ORDER
+            value: GITHUB,GITLAB,YOUTUBE,INSTAGRAM,TWITTER,BLUESKY,COFFEE,EMAIL
+          - name : TWITTER
+            value: https://twitter.com/developerdurp                
+          - name : GITHUB
+            value: https://github.com/DeveloperDurp
+          - name: INSTAGRAM
+            value: https://instagram.com/developerdurp
+          - name : GITLAB
+            value: https://gitlab.com/developerdurp
+          - name: YOUTUBE
+            value: https://www.youtube.com/channel/UC1rGa6s6kER_gLpIQsxeMVQ
+          - name : EMAIL
+            value: DeveloperDurp@durp.info
+          - name : EMAIL_TEXT
+            value: DeveloperDurp@durp.info            
+          - name : FOOTER
+            value: DeveloperDurp © 2022         
+          - name: CUSTOM_BUTTON_TEXT
+            value: BuyMeACoffee,BlueSky
+          - name: CUSTOM_BUTTON_URL
+            value: https://www.buymeacoffee.com/DeveloperDurp,https://bsky.app/profile/durp.info
+          - name: CUSTOM_BUTTON_COLOR
+            value: '#ffdd00,#1185fe'
+          - name: CUSTOM_BUTTON_TEXT_COLOR
+            value: '#000000,#FFFFFF'
+          - name: CUSTOM_BUTTON_ALT_TEXT
+            value: Support,BlueSky
+          - name: CUSTOM_BUTTON_NAME
+            value: COFFEE,BLUESKY
+          - name: CUSTOM_BUTTON_ICON
+            value: fa-solid fa-cup-togo
+        ports:
+        - name: http
+          containerPort: 3000          

dmz/littlelink/templates/ingress.yaml

@@ -0,0 +1,42 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: littlelink-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`links.durp.info`) && PathPrefix(`/`)
+    kind: Rule
+    services:
+    - name: littlelink
+      port: 80
+  tls:
+    secretName: littlelink-tls
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: littlelink-tls
+spec:
+  secretName: littlelink-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: "links.durp.info"
+  dnsNames:
+  - "links.durp.info"  
+
+---
+
+kind: Service
+apiVersion: v1
+metadata:
+  name: links-external-dns
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: links.durp.info
+spec:
+  type: ExternalName
+  externalName: durp.info

dmz/littlelink/templates/service.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: littlelink
+spec:
+  ports:
+  - name: http
+    port: 80
+    targetPort: 3000
+    protocol: TCP 
+  selector:
+    app: littlelink

dmz/longhorn/Chart.yaml

@@ -0,0 +1,12 @@
+apiVersion: v2
+name: longhorn-system
+description: A Helm chart for Kubernetes
+type: application
+
+version: 0.1.0
+appVersion: "1.16.0"
+
+dependencies:
+- name: longhorn
+  repository: https://charts.longhorn.io
+  version: 1.9.0

dmz/longhorn/templates/ingress.yaml

@@ -0,0 +1,34 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: longhorn-ingress
+  annotations:
+    cert-manager.io/cluster-issuer: vault-issuer
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`longhorn.dmz.durp.info`) && PathPrefix(`/`)
+      kind: Rule
+      middlewares:
+        - name: authentik-proxy-provider
+          namespace: traefik
+      services:
+        - name: longhorn-frontend
+          port: 80
+  tls:
+    secretName: longhorn-tls
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: longhorn-tls
+spec:
+  secretName: longhorn-tls
+  issuerRef:
+    name: vault-issuer
+    kind: ClusterIssuer
+  commonName: "longhorn.dmz.durp.info"
+  dnsNames:
+    - "longhorn.dmz.durp.info"

dmz/longhorn/templates/secrets.yaml

@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vault
+
+---
+
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: external-longhorn-backup-token-secret
+spec:
+  secretStoreRef:
+    name: vault
+    kind: ClusterSecretStore
+  target:
+    name: longhorn-backup-token-secret
+  data:
+  - secretKey: AWS_ACCESS_KEY_ID
+    remoteRef:
+      key: kv/longhorn/backup
+      property: AWS_ACCESS_KEY_ID
+  - secretKey: AWS_ENDPOINTS 
+    remoteRef:
+      key: kv/longhorn/backup
+      property: AWS_ENDPOINTS 
+  - secretKey: AWS_SECRET_ACCESS_KEY
+    remoteRef:
+      key: kv/longhorn/backup
+      property: AWS_SECRET_ACCESS_KEY

dmz/longhorn/values.yaml

@@ -0,0 +1,192 @@
+longhorn: 
+  global:
+    cattle:
+      systemDefaultRegistry: ""
+  
+  image:
+    longhorn:
+      engine:
+        repository: longhornio/longhorn-engine
+      manager:
+        repository: longhornio/longhorn-manager
+      ui:
+        repository: longhornio/longhorn-ui
+      instanceManager:
+        repository: longhornio/longhorn-instance-manager
+      shareManager:
+        repository: longhornio/longhorn-share-manager
+      backingImageManager:
+        repository: longhornio/backing-image-manager
+    csi:
+      attacher:
+        repository: longhornio/csi-attacher
+      provisioner:
+        repository: longhornio/csi-provisioner
+      nodeDriverRegistrar:
+        repository: longhornio/csi-node-driver-registrar
+      resizer:
+        repository: longhornio/csi-resizer
+      snapshotter:
+        repository: longhornio/csi-snapshotter
+    pullPolicy: Always
+  
+  service:
+    ui:
+      type: ClusterIP
+      nodePort: null
+    manager:
+      type: ClusterIP
+      nodePort: ""
+      loadBalancerIP: ""
+      loadBalancerSourceRanges: ""
+  
+  persistence:
+    defaultClass: true
+    defaultFsType: ext4
+    defaultClassReplicaCount: 3
+    defaultDataLocality: disabled # best-effort otherwise
+    reclaimPolicy: Delete
+    migratable: false
+    recurringJobSelector:
+      enable: true
+      jobList: '[
+          {
+            "name":"backup", 
+            "task":"backup", 
+            "cron":"0 0 * * *", 
+            "retain":24
+          }
+        ]'
+    backingImage:
+      enable: false
+      name: ~
+      dataSourceType: ~
+      dataSourceParameters: ~
+      expectedChecksum: ~
+  
+  csi:
+    kubeletRootDir: ~
+    attacherReplicaCount: ~
+    provisionerReplicaCount: ~
+    resizerReplicaCount: ~
+    snapshotterReplicaCount: ~
+  
+  defaultSettings:
+    backupTarget: S3://longhorn-master@us-east-1/
+    backupTargetCredentialSecret: longhorn-backup-token-secret
+    allowRecurringJobWhileVolumeDetached: ~
+    createDefaultDiskLabeledNodes: ~
+    defaultDataPath: ~
+    defaultDataLocality: ~
+    replicaSoftAntiAffinity: ~
+    replicaAutoBalance: ~
+    storageOverProvisioningPercentage: ~
+    storageMinimalAvailablePercentage: ~
+    upgradeChecker: ~
+    defaultReplicaCount: ~
+    defaultLonghornStaticStorageClass: longhorn
+    backupstorePollInterval: ~
+    taintToleration: ~
+    systemManagedComponentsNodeSelector: ~
+    priorityClass: ~
+    autoSalvage: ~
+    autoDeletePodWhenVolumeDetachedUnexpectedly: ~
+    disableSchedulingOnCordonedNode: ~
+    replicaZoneSoftAntiAffinity: ~
+    nodeDownPodDeletionPolicy: ~
+    allowNodeDrainWithLastHealthyReplica: ~
+    mkfsExt4Parameters: ~
+    disableReplicaRebuild: ~
+    replicaReplenishmentWaitInterval: ~
+    concurrentReplicaRebuildPerNodeLimit: ~
+    disableRevisionCounter: ~
+    systemManagedPodsImagePullPolicy: ~
+    allowVolumeCreationWithDegradedAvailability: ~
+    autoCleanupSystemGeneratedSnapshot: ~
+    concurrentAutomaticEngineUpgradePerNodeLimit: ~
+    backingImageCleanupWaitInterval: ~
+    backingImageRecoveryWaitInterval: ~
+    guaranteedEngineManagerCPU: ~
+    guaranteedReplicaManagerCPU: ~
+    kubernetesClusterAutoscalerEnabled: ~
+    orphanAutoDeletion: ~
+    storageNetwork: ~
+  privateRegistry:
+    createSecret: ~
+    registryUrl: ~
+    registryUser: ~
+    registryPasswd: ~
+    registrySecret: ~
+  
+  longhornManager:
+    priorityClass: ~
+    tolerations: []
+    ## If you want to set tolerations for Longhorn Manager DaemonSet, delete the `[]` in the line above
+    ## and uncomment this example block
+    # - key: "key"
+    #   operator: "Equal"
+    #   value: "value"
+    #   effect: "NoSchedule"
+    nodeSelector: {}
+    ## If you want to set node selector for Longhorn Manager DaemonSet, delete the `{}` in the line above
+    ## and uncomment this example block
+    #  label-key1: "label-value1"
+    #  label-key2: "label-value2"
+  
+  longhornDriver:
+    priorityClass: ~
+    tolerations: []
+    ## If you want to set tolerations for Longhorn Driver Deployer Deployment, delete the `[]` in the line above
+    ## and uncomment this example block
+    # - key: "key"
+    #   operator: "Equal"
+    #   value: "value"
+    #   effect: "NoSchedule"
+    nodeSelector: {}
+    ## If you want to set node selector for Longhorn Driver Deployer Deployment, delete the `{}` in the line above
+    ## and uncomment this example block
+    #  label-key1: "label-value1"
+    #  label-key2: "label-value2"
+  
+  longhornUI:
+    priorityClass: ~
+    tolerations: []
+    ## If you want to set tolerations for Longhorn UI Deployment, delete the `[]` in the line above
+    ## and uncomment this example block
+    # - key: "key"
+    #   operator: "Equal"
+    #   value: "value"
+    #   effect: "NoSchedule"
+    nodeSelector: {}
+    ## If you want to set node selector for Longhorn UI Deployment, delete the `{}` in the line above
+    ## and uncomment this example block
+    #  label-key1: "label-value1"
+    #  label-key2: "label-value2"
+  
+  resources: {}
+    # We usually recommend not to specify default resources and to leave this as a conscious
+    # choice for the user. This also increases chances charts run on environments with little
+    # resources, such as Minikube. If you do want to specify resources, uncomment the following
+    # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+    # limits:
+    #  cpu: 100m
+    #  memory: 128Mi
+    # requests:
+    #  cpu: 100m
+    #  memory: 128Mi
+    #
+  
+  ingress:
+    enabled: false
+  
+  ## Specify override namespace, specifically this is useful for using longhorn as sub-chart
+  ## and its release namespace is not the `longhorn-system`
+  namespaceOverride: ""
+  
+  # Annotations to add to the Longhorn Manager DaemonSet Pods. Optional.
+  annotations: {}
+  
+  serviceAccount:
+    # Annotations to add to the service account
+    annotations: {}
+  

dmz/metallb-system/Chart.yaml

@@ -9,4 +9,4 @@ appVersion: "1.16.0"
 dependencies:
 - name: metallb
   repository: https://metallb.github.io/metallb
-  version: 0.14.9
+  version: 0.15.2

dmz/openspeedtest/Chart.yaml

@@ -0,0 +1,7 @@
+apiVersion: v2
+name: openspeedtest
+description: A Helm chart for Kubernetes
+type: application
+
+version: 0.1.0
+appVersion: "1.16.0"

dmz/openspeedtest/templates/deployment.yaml

@@ -0,0 +1,33 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  namespace: openspeedtest
+  name: openspeedtest
+  labels:
+    app: openspeedtest
+spec:
+  selector:
+    matchLabels:
+      app: openspeedtest
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: openspeedtest
+    spec:
+      containers:
+      - name: openspeedtest
+        image: registry.durp.info/openspeedtest/latest
+        imagePullPolicy: Always
+        livenessProbe:
+          httpGet:
+            path: /
+            port: 3000
+        readinessProbe:
+          httpGet:
+            path: /
+            port: 3000
+        env:
+        ports:
+        - name: http
+          containerPort: 3000

dmz/openspeedtest/templates/ingress.yaml

@@ -0,0 +1,56 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: openspeedtest-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`speedtest.durp.info`) && PathPrefix(`/`)
+    kind: Rule
+    middlewares:
+    - name: authentik-proxy-provider
+      namespace: traefik  
+    - name: limit-buffering
+    services:
+    - name: openspeedtest
+      port: 3000
+  tls:
+    secretName: openspeedtest-tls
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: openspeedtest-tls
+spec:
+  secretName: openspeedtest-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: "speedtest.durp.info"
+  dnsNames:
+  - "speedtest.durp.info"  
+
+---
+
+kind: Service
+apiVersion: v1
+metadata:
+  name: openspeedtest-external-dns
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: speedtest.durp.info
+spec:
+  type: ExternalName
+  externalName: durp.info
+
+---
+
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: limit-buffering
+spec:
+  buffering:
+    maxRequestBodyBytes: 10000000000

dmz/openspeedtest/templates/service.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: openspeedtest
+spec:
+  ports:
+  - name: http
+    port: 3000
+    targetPort: 3000
+    protocol: TCP 
+  selector:
+    app: openspeedtest

dmz/redlib/Chart.yaml

@@ -0,0 +1,7 @@
+apiVersion: v2
+name: redlib
+description: A Helm chart for Kubernetes
+type: application
+
+version: 0.1.0
+appVersion: "1.16.0"

dmz/redlib/templates/deployment.yaml

@@ -0,0 +1,33 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  namespace: redlib
+  name: redlib
+  labels:
+    app: redlib
+spec:
+  selector:
+    matchLabels:
+      app: redlib
+  replicas: 3
+  template:
+    metadata:
+      labels:
+        app: redlib
+    spec:
+      containers:
+      - name: redlib
+        image: registry.durp.info/redlib/redlib:latest
+        imagePullPolicy: Always
+        livenessProbe:
+          httpGet:
+            path: /
+            port: 8080
+        readinessProbe:
+          httpGet:
+            path: /
+            port: 8080
+        env:
+        ports:
+        - name: http
+          containerPort: 8080

dmz/redlib/templates/ingress.yaml

@@ -0,0 +1,43 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: redlib-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`redlib.durp.info`) && PathPrefix(`/`)
+      kind: Rule
+      middlewares:
+        - name: authentik-proxy-provider
+          namespace: traefik
+      services:
+        - name: redlib
+          port: 8080
+  tls:
+    secretName: redlib-tls
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: redlib-tls
+spec:
+  secretName: redlib-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: "redlib.durp.info"
+  dnsNames:
+    - "redlib.durp.info"
+
+---
+kind: Service
+apiVersion: v1
+metadata:
+  name: redlib-external-dns
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: redlib.durp.info
+spec:
+  type: ExternalName
+  externalName: durp.info

dmz/redlib/templates/service.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: redlib
+spec:
+  ports:
+  - name: http
+    port: 8080
+    targetPort: 8080
+    protocol: TCP 
+  selector:
+    app: redlib

dmz/terraform/main.tf

@@ -3,7 +3,7 @@ terraform {
   required_providers {
     proxmox = {
       source  = "Telmate/proxmox"
-      version = "3.0.1-rc6"
+      version = "3.0.1-rc9"
     }
   }
 }

dmz/traefik/Chart.yaml

@@ -8,4 +8,4 @@ appVersion: 0.0.1
 dependencies:
 - name: traefik
   repository: https://traefik.github.io/charts
-  version: 34.0.0
+  version: 34.5.0

dmz/traefik/templates/middleware.yaml

@@ -5,7 +5,7 @@ metadata:
   namespace: traefik
 spec:
   forwardAuth:
-    address: http://ak-outpost-dmz-embedded-outpost.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik?rd=$scheme://$http_host$request_uri
+    address: http://ak-outpost-authentik-dmz-outpost.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik?rd=$scheme://$http_host$request_uri
     trustForwardHeader: true
     authResponseHeaders:
       - X-authentik-username
@@ -21,7 +21,6 @@ spec:
       - X-authentik-meta-version
 
 ---
-
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
@@ -33,3 +32,23 @@ spec:
       - 192.168.0.0/16
       - 172.16.0.0/12
       - 10.0.0.0/8
+
+---
+#apiVersion: traefik.io/v1alpha1
+#kind: Middleware
+#metadata:
+#  name: bouncer
+#  namespace: traefik
+#spec:
+#  plugin:
+#    bouncer:
+#      enabled: true
+#      crowdsecMode: stream
+#      crowdsecLapiScheme: https
+#      crowdsecLapiTLSInsecureVerify: true
+#      crowdsecLapiHost: crowdsec-service.crowdsec:8080
+#      crowdsecLapiKey:
+#        valueFrom:
+#          secretKeyRef:
+#            name: crowdsec-lapi-key
+#            key: lapi-key

dmz/traefik/templates/secrets.yaml

@@ -0,0 +1,21 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: crowdsec-lapi-key
+spec:
+  secretStoreRef:
+    name: vault
+    kind: ClusterSecretStore
+  target:
+    name: crowdsec-lapi-key
+  data:
+    - secretKey: lapi-key
+      remoteRef:
+        key: kv/crowdsec/api
+        property: key
+
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vault

dmz/traefik/templates/traefik-dashboard.yaml

@@ -1,34 +1,35 @@
-#apiVersion: traefik.io/v1alpha1
-#kind: IngressRoute
-#metadata:
-#  name: traefik-ingress
-#spec:
-#  entryPoints:
-#    - websecure
-#  routes:
-#  - match: Host(`traefik.durp.info`)
-#    kind: Rule
-#    services:
-#    - name: api@internal
-#      kind: TraefikService
-#  tls:
-#    secretName: traefik-tls  
-#
-#---
-#
-#apiVersion: cert-manager.io/v1
-#kind: Certificate
-#metadata:
-#  name: traefik-tls
-#  namespace: traefik
-#spec:
-#  secretName: traefik-tls
-#  issuerRef:
-#    name: letsencrypt-production
-#    kind: ClusterIssuer
-#  commonName: "traefik.durp.info"
-#  dnsNames:
-#  - "traefik.durp.info"
-#
-#---
-#
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: traefik-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`traefik.dmz.durp.info`)
+      kind: Rule
+      middlewares:
+        - name: whitelist
+          namespace: traefik
+        - name: authentik-proxy-provider
+          namespace: traefik
+      services:
+        - name: api@internal
+          kind: TraefikService
+  tls:
+    secretName: traefik-tls
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: traefik-tls
+  namespace: traefik
+spec:
+  secretName: traefik-tls
+  issuerRef:
+    name: vault-issuer
+    kind: ClusterIssuer
+  commonName: "traefik.dmz.durp.info"
+  dnsNames:
+    - "traefik.dmz.durp.info"

dmz/traefik/values.yaml

@@ -29,6 +29,8 @@ traefik:
     - "--log.level=DEBUG"
     - --experimental.plugins.jwt.moduleName=github.com/traefik-plugins/traefik-jwt-plugin
     - --experimental.plugins.jwt.version=v0.7.0
+    - --experimental.plugins.bouncer.moduleName=github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin
+    - --experimental.plugins.bouncer.version=v1.4.2
 
   autoscaling:
     enabled: true
@@ -49,7 +51,6 @@ traefik:
             value: 1
             periodSeconds: 60
 
-  
   # -- [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for `traefik` container.
   resources:
     requests:

dmz/vault/Chart.yaml

@@ -8,5 +8,5 @@ appVersion: 0.0.1
 dependencies:
 - name: vault
   repository: https://helm.releases.hashicorp.com  
-  version: 0.29.1
+  version: 0.30.0
 

dmz/vault/templates/secret-store.yaml

@@ -1,4 +1,4 @@
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ClusterSecretStore
 metadata:
   name: vault

infra/argocd/Chart.yaml

@@ -9,4 +9,4 @@ appVersion: "1.16.0"
 dependencies:
 - name: argo-cd
   repository: https://argoproj.github.io/argo-helm
-  version: 6.11.1
+  version: 8.1.3

infra/argocd/templates/argocd-crossplane.yaml

@@ -0,0 +1,101 @@
+#apiVersion: external-secrets.io/v1
+#kind: ExternalSecret
+#metadata:
+#  name: argocd-secret-crossplane
+#spec:
+#  secretStoreRef:
+#    name: vault
+#    kind: ClusterSecretStore
+#  target:
+#    name: argocd-secret-crossplane
+#  data:
+#    - secretKey: authToken
+#      remoteRef:
+#        key: kv/argocd/provider-argocd
+#        property: token
+#
+#---
+#apiVersion: external-secrets.io/v1
+#kind: ExternalSecret
+#metadata:
+#  name: prod-kubeconfig
+#spec:
+#  secretStoreRef:
+#    name: vault
+#    kind: ClusterSecretStore
+#  target:
+#    name: prod-kubeconfig
+#  data:
+#    - secretKey: kubeconfig
+#      remoteRef:
+#        key: kv/argocd/prd
+#        property: kubeconfig
+#
+#---
+#apiVersion: argocd.crossplane.io/v1alpha1
+#kind: ProviderConfig
+#metadata:
+#  name: argocd-provider
+#spec:
+#  serverAddr: argocd-server.argocd.svc:443
+#  insecure: true
+#  plainText: false
+#  credentials:
+#    source: Secret
+#    secretRef:
+#      namespace: argocd
+#      name: argocd-secret-crossplane
+#      key: authToken
+#
+#---
+#apiVersion: cluster.argocd.crossplane.io/v1alpha1
+#kind: Cluster
+#metadata:
+#  name: prd
+#  labels:
+#    purpose: prd
+#spec:
+#  forProvider:
+#    name: prd
+#    config:
+#      kubeconfigSecretRef:
+#        name: prod-kubeconfig
+#        namespace: argocd
+#        key: kubeconfig
+#  providerConfigRef:
+#    name: argocd-provider
+#
+#---
+#apiVersion: external-secrets.io/v1
+#kind: ExternalSecret
+#metadata:
+#  name: dev-kubeconfig
+#spec:
+#  secretStoreRef:
+#    name: vault
+#    kind: ClusterSecretStore
+#  target:
+#    name: dev-kubeconfig
+#  data:
+#    - secretKey: kubeconfig
+#      remoteRef:
+#        key: kv/argocd/dev
+#        property: kubeconfig
+#
+#---
+#apiVersion: cluster.argocd.crossplane.io/v1alpha1
+#kind: Cluster
+#metadata:
+#  name: dev
+#  labels:
+#    purpose: dev
+#spec:
+#  forProvider:
+#    name: dev
+#    config:
+#      kubeconfigSecretRef:
+#        name: dev-kubeconfig
+#        namespace: argocd
+#        key: kubeconfig
+#  providerConfigRef:
+#    name: argocd-provider

infra/argocd/templates/argocd.yaml

@@ -21,7 +21,7 @@ spec:
 
 ---
 
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
   name: vault-argocd

infra/argocd/templates/authentik.yaml

@@ -23,7 +23,6 @@ spec:
       - CreateNamespace=true
 
 ---
-
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
@@ -44,4 +43,3 @@ spec:
       selfHeal: true
     syncOptions:
       - CreateNamespace=true
-

infra/argocd/templates/bitwarden.yaml

@@ -0,0 +1,20 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: bitwarden
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://gitlab.com/developerdurp/homelab.git
+    targetRevision: main
+    path: infra/bitwarden
+  destination:
+    namespace: bitwarden
+    name: in-cluster
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true

infra/argocd/templates/crowdsec.yaml

@@ -0,0 +1,20 @@
+#apiVersion: argoproj.io/v1alpha1
+#kind: Application
+#metadata:
+#  name: crowdsec
+#  namespace: argocd
+#spec:
+#  project: default
+#  source:
+#    repoURL: https://gitlab.com/developerdurp/homelab.git
+#    targetRevision: main
+#    path: dmz/crowdsec
+#  destination:
+#    namespace: crowdsec
+#    name: dmz
+#  syncPolicy:
+#    automated:
+#      prune: true
+#      selfHeal: true
+#    syncOptions:
+#      - CreateNamespace=true

infra/argocd/templates/istio.yaml

@@ -28,7 +28,6 @@ spec:
         - /webhooks/0/failurePolicy
 
 ---
-
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:

infra/argocd/templates/kube-prometheus-stack.yaml

@@ -0,0 +1,20 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: kube-prometheus-stack
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://gitlab.com/developerdurp/homelab.git
+    targetRevision: main
+    path: infra/kube-prometheus-stack
+  destination:
+    namespace: kube-prometheus-stack
+    name: in-cluster
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true

infra/argocd/templates/littlelink.yaml

@@ -0,0 +1,22 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: littlelink
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://gitlab.com/developerdurp/homelab.git
+    targetRevision: main
+    path: dmz/littlelink
+    directory:
+      recurse: true
+  destination:
+    name: dmz
+    namespace: littlelink
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true

infra/argocd/templates/longhorn.yaml

@@ -18,4 +18,30 @@ spec:
       selfHeal: true
     syncOptions:
       - CreateNamespace=true
+  ignoreDifferences:
+    - group: engineimages.longhorn.io
+      jsonPointers:
+        - /spec/preserveUnknownFields
+      kind: CustomResourceDefinition
 
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: longhorn-system-dmz
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://gitlab.com/developerdurp/homelab.git
+    targetRevision: main
+    path: dmz/longhorn
+  destination:
+    namespace: longhorn-system
+    name: dmz
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true

infra/argocd/templates/metallb-system.yaml

@@ -42,3 +42,25 @@ spec:
     syncOptions:
       - CreateNamespace=true 
 
+---
+
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: metallb-system-dev
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://gitlab.com/developerdurp/homelab.git
+    targetRevision: main
+    path: dev/metallb-system
+  destination:
+    namespace: metallb-system
+    name: dev
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true  
+    syncOptions:
+      - CreateNamespace=true 

infra/argocd/templates/nfs.yaml

@@ -0,0 +1,18 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: nfs
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://gitlab.com/developerdurp/homelab.git
+    targetRevision: main
+    path: infra/nfs
+  destination:
+    namespace: kube-system
+    name: in-cluster
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true  

infra/argocd/templates/octopusdeploy.yaml

@@ -0,0 +1,42 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: octopusdeploy
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://gitlab.com/developerdurp/homelab.git
+    targetRevision: main
+    path: infra/octopusdeploy
+  destination:
+    namespace: octopusdeploy
+    name: in-cluster
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: octopusdeploy-agent
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://gitlab.com/developerdurp/homelab.git
+    targetRevision: main
+    path: infra/octopus-agent
+  destination:
+    namespace: octopus-agent
+    name: in-cluster
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true

infra/argocd/templates/openspeedtest.yaml

@@ -0,0 +1,22 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: openspeedtest
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://gitlab.com/developerdurp/homelab.git
+    targetRevision: main
+    path: dmz/openspeedtest
+    directory:
+      recurse: true
+  destination:
+    name: dmz
+    namespace: openspeedtest
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true

infra/argocd/templates/redlib.yaml

@@ -0,0 +1,22 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: redlib
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://gitlab.com/developerdurp/homelab.git
+    targetRevision: main
+    path: dmz/redlib
+    directory:
+      recurse: true
+  destination:
+    name: dmz
+    namespace: redlib
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true

infra/argocd/templates/renovate.yaml

@@ -0,0 +1,20 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: renovate
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://gitlab.com/developerdurp/homelab.git
+    targetRevision: main
+    path: infra/renovate
+  destination:
+    namespace: renovate
+    name: in-cluster
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true

infra/argocd/values.yaml

@@ -1,12 +1,11 @@
 argo-cd:
-
   global:
     revisionHistoryLimit: 1
     image:
       repository: registry.durp.info/argoproj/argocd
       imagePullPolicy: Always
 
-  server:
+  #server:
   #extraArgs:
   #  - --dex-server-plaintext
   #  - --dex-server=argocd-dex-server:5556
@@ -35,6 +34,7 @@ argo-cd:
       annotations: {}
       url: https://argocd.infra.durp.info
       oidc.tls.insecure.skip.verify: "true"
+      accounts.provider-argocd: apiKey
       dex.config: |
         connectors:
           - config:
@@ -50,11 +50,13 @@ argo-cd:
             name: authentik
             type: oidc
             id: authentik
+      resource.exclusions: ""
 
     rbac:
       create: true
       policy.csv: |
         g, ArgoCD Admins, role:admin
+        g, provider-argocd, role:admin
       scopes: "[groups]"
 
   server:

infra/authentik/Chart.yaml

@@ -7,6 +7,7 @@ version: 0.1.0
 appVersion: "1.16.0"
 
 dependencies:
-- name: authentik
+  - name: authentik
     repository: https://charts.goauthentik.io
-  version: 2024.8.3
+    version: 2025.4.1
+

infra/authentik/templates/ingress.yaml

@@ -11,11 +11,15 @@ spec:
       services:
         - name: authentik-server
           port: 80
+    - match: Host(`authentik.durp.info`) && PathPrefix(`/outpost.goauthentik.io`)
+      kind: Rule
+      services:
+        - name: ak-outpost-authentik-embedded-outpost
+          port: 9000
   tls:
     secretName: authentik-tls
 
 ---
-
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
@@ -28,4 +32,3 @@ spec:
   commonName: "authentik.durp.info"
   dnsNames:
     - "authentik.durp.info"
-

infra/authentik/templates/secrets.yaml

@@ -1,4 +1,4 @@
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
   name: authentik-secret

infra/authentik/values.yaml

@@ -1,5 +1,7 @@
 authentik:
   global:
+    security:
+      allowInsecureImages: true
     env:
       - name: AUTHENTIK_POSTGRESQL__PASSWORD
         valueFrom:
@@ -19,7 +21,7 @@ authentik:
     outposts:
       container_image_base: registry.durp.info/goauthentik/%(type)s:%(version)s
     postgresql:
-      host: '{{ .Release.Name }}-postgresql-hl'
+      host: "{{ .Release.Name }}-postgresql-hl"
       name: "authentik"
       user: "authentik"
       port: 5432

infra/bitwarden/templates/deployment.yaml

@@ -17,7 +17,7 @@ spec:
     spec:
       containers:
         - name: bitwarden
-        image: registry.durp.info/vaultwarden/server:1.32.7
+          image: registry.durp.info/vaultwarden/server:1.34.3
           imagePullPolicy: Always
           volumeMounts:
             - name: bitwarden-pvc

infra/bitwarden/templates/ingress.yaml

@@ -1,4 +1,4 @@
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
   name: bitwarden-ingress
@@ -23,20 +23,8 @@ metadata:
 spec:
   secretName: bitwarden-tls
   issuerRef:
-    name: letsencrypt-production
+    name: vault-issuer
     kind: ClusterIssuer
   commonName: "bitwarden.durp.info"
   dnsNames:
   - "bitwarden.durp.info"
-
----
-
-kind: Service
-apiVersion: v1
-metadata:
-  name: bitwarden-external-dns
-  annotations:
-    external-dns.alpha.kubernetes.io/hostname: bitwarden.durp.info
-spec:
-  type: ExternalName
-  externalName: durp.info

infra/bitwarden/templates/secrets.yaml

@@ -1,4 +1,4 @@
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
   name: bitwarden-secret
@@ -14,3 +14,10 @@ spec:
       key: kv/bitwarden
       property: admin_token
 
+---
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vault
+

infra/cert-manager/Chart.yaml

@@ -8,4 +8,4 @@ appVersion: 0.0.1
 dependencies:
 - name: cert-manager
   repository: https://charts.jetstack.io
-  version: v1.16.3
+  version: v1.17.2

infra/cert-manager/templates/secretvault.yaml

@@ -1,4 +1,4 @@
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
   name: cloudflare-api-token-secret

infra/external-secrets/Chart.yaml

@@ -8,4 +8,4 @@ appVersion: 0.0.1
 dependencies:
 - name: external-secrets
   repository: https://charts.external-secrets.io
-  version: 0.15.0
+  version: 0.17.0

infra/external-secrets/values.yaml

@@ -1,7 +1,13 @@
 external-secrets:
-  replicaCount: 3
+  global:
+    security:
+      allowInsecureImages: true
+
+  log:
+    level: debug
+  replicaCount: 1
   revisionHistoryLimit: 1
-  leaderElect: true
+  leaderElect: false
 
   installCRDs: true
   crds:
@@ -27,13 +33,13 @@ external-secrets:
       subPath: vault.pem
       readOnly: true
 
-  resources: 
-    requests:
-      memory: 32Mi
-      cpu: 10m
-    limits:
-      memory: 32Mi
-      cpu: 10m
+  #  resources:
+  #    requests:
+  #      memory: 32Mi
+  #      cpu: 10m
+  #    limits:
+  #      memory: 32Mi
+  #      cpu: 10m
 
   webhook:
     log:
@@ -42,13 +48,13 @@ external-secrets:
       repository: registry.durp.info/external-secrets/external-secrets
       pullPolicy: Always
 
-    resources: 
-      requests:
-        memory: 32Mi
-        cpu: 10m
-      limits:
-        memory: 32Mi
-        cpu: 10m
+  #    resources:
+  #      requests:
+  #        memory: 32Mi
+  #        cpu: 10m
+  #      limits:
+  #        memory: 32Mi
+  #        cpu: 10m
 
   certController:
     create: false

infra/istio-system/Chart.yaml

@@ -8,10 +8,10 @@ appVersion: 0.0.1
 dependencies:
 - name: base
   repository: https://istio-release.storage.googleapis.com/charts
-  version: 1.25.1
+  version: 1.26.2
 - name: istiod
   repository: https://istio-release.storage.googleapis.com/charts
-  version: 1.25.1
+  version: 1.26.2
 - name: gateway
   repository: https://istio-release.storage.googleapis.com/charts
-  version: 1.25.1
+  version: 1.26.2

infra/istio-system/templates/issuer.yaml

@@ -1,8 +1,8 @@
-apiVersion: cert-manager.io/v1
-kind: Issuer
-metadata:
-  name: vault-issuer
-  namespace: istio-system
-spec:
-  ca:
-    secretName: ca-key-pair
+#apiVersion: cert-manager.io/v1
+#kind: Issuer
+#metadata:
+#  name: vault-issuer
+#  namespace: istio-system
+#spec:
+#  ca:
+#    secretName: ca-key-pair

infra/kube-prometheus-stack/Chart.yaml

@@ -0,0 +1,12 @@
+apiVersion: v2
+name: kube-prometheus-stack
+description: A Helm chart for Kubernetes
+type: application
+
+version: 0.1.0
+appVersion: "1.16.0"
+
+dependencies:
+  - name: kube-prometheus-stack
+    repository: https://prometheus-community.github.io/helm-charts
+    version: 77.10.0

infra/kube-prometheus-stack/templates/grafana-secrets-sealed.yaml

@@ -0,0 +1,46 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vault
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: vault-grafana-oauth
+spec:
+  secretStoreRef:
+    name: vault
+    kind: ClusterSecretStore
+  target:
+    name: grafana-oauth
+  data:
+    - secretKey: GF_AUTH_GENERIC_OAUTH_CLIENT_ID
+      remoteRef:
+        key: kv/grafana/oauth
+        property: GF_AUTH_GENERIC_OAUTH_CLIENT_ID
+    - secretKey: GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET
+      remoteRef:
+        key: kv/grafana/oauth
+        property: GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: vault-admin-credentials
+spec:
+  secretStoreRef:
+    name: vault
+    kind: ClusterSecretStore
+  target:
+    name: grafana-admin-credentials
+  data:
+    - secretKey: admin-password
+      remoteRef:
+        key: kv/grafana/admin
+        property: password
+    - secretKey: admin-user
+      remoteRef:
+        key: kv/grafana/admin
+        property: user