Update Helm release gitlab-runner to v0.82.0

dmz/gitlab-runner/Chart.yaml

@@ -8,8 +8,8 @@ appVersion: 0.0.1
 dependencies:
 - name: gitlab-runner
   repository: https://charts.gitlab.io/
-  version: 0.77.2
+  version: 0.82.0
 - name: gitlab-runner
   repository: https://charts.gitlab.io/
-  version: 0.77.2
+  version: 0.82.0
   alias: personal

dmz/internalproxy/templates/gitlab.yaml

@@ -0,0 +1,68 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: gitlab
+spec:
+  ports:
+    - name: app
+      port: 9080
+      protocol: TCP
+      targetPort: 9080
+  clusterIP: None
+  type: ClusterIP
+
+---
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: gitlab
+subsets:
+  - addresses:
+      - ip: 192.168.21.200
+    ports:
+      - name: app
+        port: 9080
+        protocol: TCP
+
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: gitlab-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`gitlab.durp.info`) && PathPrefix(`/`)
+      kind: Rule
+      services:
+        - name: gitlab
+          port: 9080
+          scheme: http
+  tls:
+    secretName: gitlab-tls
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: gitlab-tls
+spec:
+  secretName: gitlab-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: "gitlab.durp.info"
+  dnsNames:
+    - "gitlab.durp.info"
+
+---
+kind: Service
+apiVersion: v1
+metadata:
+  name: gitlab-external-dns
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: gitlab.durp.info
+spec:
+  type: ExternalName
+  externalName: durp.info

dmz/internalproxy/templates/grafana.yaml

@@ -0,0 +1,40 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: grafana-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`grafana.durp.info`) && PathPrefix(`/`)
+      kind: Rule
+      services:
+        - name: infra-cluster
+          port: 443
+  tls:
+    secretName: grafana-tls
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: grafana-tls
+spec:
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  secretName: grafana-tls
+  commonName: "grafana.durp.info"
+  dnsNames:
+    - "grafana.durp.info"
+
+---
+kind: Service
+apiVersion: v1
+metadata:
+  name: grafana-external-dns
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: grafana.durp.info
+spec:
+  type: ExternalName
+  externalName: durp.info

infra/argocd/templates/crowdsec.yaml

@@ -1,20 +1,20 @@
-apiVersion: argoproj.io/v1alpha1
+#apiVersion: argoproj.io/v1alpha1
-kind: Application
+#kind: Application
-metadata:
+#metadata:
-  name: crowdsec
+#  name: crowdsec
-  namespace: argocd
+#  namespace: argocd
-spec:
+#spec:
-  project: default
+#  project: default
-  source:
+#  source:
-    repoURL: https://gitlab.com/developerdurp/homelab.git
+#    repoURL: https://gitlab.com/developerdurp/homelab.git
-    targetRevision: main
+#    targetRevision: main
-    path: dmz/crowdsec
+#    path: dmz/crowdsec
-  destination:
+#  destination:
-    namespace: crowdsec
+#    namespace: crowdsec
-    name: dmz
+#    name: dmz
-  syncPolicy:
+#  syncPolicy:
-    automated:
+#    automated:
-      prune: true
+#      prune: true
-      selfHeal: true
+#      selfHeal: true
-    syncOptions:
+#    syncOptions:
-      - CreateNamespace=true
+#      - CreateNamespace=true

infra/argocd/templates/kube-prometheus-stack.yaml

@@ -0,0 +1,20 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: kube-prometheus-stack
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://gitlab.com/developerdurp/homelab.git
+    targetRevision: main
+    path: infra/kube-prometheus-stack
+  destination:
+    namespace: kube-prometheus-stack
+    name: in-cluster
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true

infra/kube-prometheus-stack/Chart.yaml

@@ -0,0 +1,12 @@
+apiVersion: v2
+name: kube-prometheus-stack
+description: A Helm chart for Kubernetes
+type: application
+
+version: 0.1.0
+appVersion: "1.16.0"
+
+dependencies:
+  - name: kube-prometheus-stack
+    repository: https://prometheus-community.github.io/helm-charts
+    version: 77.10.0

infra/kube-prometheus-stack/templates/grafana-secrets-sealed.yaml

@@ -0,0 +1,46 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vault
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: vault-grafana-oauth
+spec:
+  secretStoreRef:
+    name: vault
+    kind: ClusterSecretStore
+  target:
+    name: grafana-oauth
+  data:
+    - secretKey: GF_AUTH_GENERIC_OAUTH_CLIENT_ID
+      remoteRef:
+        key: kv/grafana/oauth
+        property: GF_AUTH_GENERIC_OAUTH_CLIENT_ID
+    - secretKey: GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET
+      remoteRef:
+        key: kv/grafana/oauth
+        property: GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: vault-admin-credentials
+spec:
+  secretStoreRef:
+    name: vault
+    kind: ClusterSecretStore
+  target:
+    name: grafana-admin-credentials
+  data:
+    - secretKey: admin-password
+      remoteRef:
+        key: kv/grafana/admin
+        property: password
+    - secretKey: admin-user
+      remoteRef:
+        key: kv/grafana/admin
+        property: user

infra/kube-prometheus-stack/templates/ingress.yaml

@@ -0,0 +1,77 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: grafana-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`grafana.durp.info`) && PathPrefix(`/`)
+      kind: Rule
+      services:
+        - name: grafana
+          port: 80
+  tls:
+    secretName: grafana-tls
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: grafana-tls
+spec:
+  secretName: grafana-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: "grafana.durp.info"
+  dnsNames:
+    - "grafana.durp.info"
+
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: alertmanager-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`alertmanager.durp.info`) && PathPrefix(`/`)
+      middlewares:
+        - name: whitelist
+          namespace: traefik
+        - name: authentik-proxy-provider
+          namespace: traefik
+      kind: Rule
+      services:
+        - name: prometheus-alertmanager
+          port: 9093
+  tls:
+    secretName: alertmanager-tls
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: alertmanager-tls
+spec:
+  secretName: alertmanager-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: "alertmanager.durp.info"
+  dnsNames:
+    - "alertmanager.durp.info"
+
+---
+kind: Service
+apiVersion: v1
+metadata:
+  name: grafana-external-dns
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: grafana.durp.info
+spec:
+  type: ExternalName
+  externalName: durp.info
+

infra/kube-prometheus-stack/values.yaml

@@ -0,0 +1,203 @@
+kube-prometheus-stack:
+  fullnameOverride: prometheus
+
+  defaultRules:
+    create: true
+    rules:
+      alertmanager: true
+      etcd: true
+      configReloaders: true
+      general: true
+      k8s: true
+      kubeApiserverAvailability: true
+      kubeApiserverBurnrate: true
+      kubeApiserverHistogram: true
+      kubeApiserverSlos: true
+      kubelet: true
+      kubeProxy: true
+      kubePrometheusGeneral: true
+      kubePrometheusNodeRecording: true
+      kubernetesApps: true
+      kubernetesResources: true
+      kubernetesStorage: true
+      kubernetesSystem: true
+      kubeScheduler: true
+      kubeStateMetrics: true
+      network: true
+      node: true
+      nodeExporterAlerting: true
+      nodeExporterRecording: true
+      prometheus: true
+      prometheusOperator: true
+
+  alertmanager:
+    fullnameOverride: alertmanager
+    enabled: true
+    ingress:
+      enabled: false
+  grafana:
+    enabled: true
+    fullnameOverride: grafana
+    forceDeployDatasources: false
+    forceDeployDashboards: false
+    defaultDashboardsEnabled: true
+    defaultDashboardsTimezone: utc
+    plugins:
+      - grafana-polystat-panel
+    serviceMonitor:
+      enabled: true
+    admin:
+      existingSecret: grafana-admin-credentials
+      userKey: admin-user
+      passwordKey: admin-password
+    ingress:
+      enabled: false
+    grafana.ini:
+      server:
+        root_url: https://grafana.durp.info
+      auth.generic_oauth:
+        enabled: true
+        scopes: openid profile email
+        auth_url: https://authentik.durp.info/application/o/authorize/
+        token_url: https://authentik.durp.info/application/o/token/
+        api_url: https://authentik.durp.info/application/o/userinfo/
+    envFromSecret: "grafana-oauth"
+
+  kubeApiServer:
+    enabled: true
+
+  kubelet:
+    enabled: true
+    serviceMonitor:
+      metricRelabelings:
+        - action: replace
+          sourceLabels:
+            - node
+          targetLabel: instance
+
+  kubeControllerManager:
+    enabled: true
+    endpoints: # ips of servers
+      - 192.168.12.11
+      - 192.168.12.12
+      - 192.168.12.13
+
+  coreDns:
+    enabled: false
+
+  kubeDns:
+    enabled: false
+
+  kubeEtcd:
+    enabled: true
+    endpoints: # ips of servers
+      - 192.168.12.11
+      - 192.168.12.12
+      - 192.168.12.13
+    service:
+      enabled: true
+      port: 2381
+      targetPort: 2381
+
+  kubeScheduler:
+    enabled: true
+    endpoints: # ips of servers
+      - 192.168.12.11
+      - 192.168.12.12
+      - 192.168.12.13
+
+  kubeProxy:
+    enabled: true
+    endpoints: # ips of servers
+      - 192.168.12.11
+      - 192.168.12.12
+      - 192.168.12.13
+
+  kubeStateMetrics:
+    enabled: true
+
+  kube-state-metrics:
+    fullnameOverride: kube-state-metrics
+    selfMonitor:
+      enabled: true
+    prometheus:
+      monitor:
+        enabled: true
+        relabelings:
+          - action: replace
+            regex: (.*)
+            replacement: $1
+            sourceLabels:
+              - __meta_kubernetes_pod_node_name
+            targetLabel: kubernetes_node
+
+  nodeExporter:
+    enabled: true
+    serviceMonitor:
+      relabelings:
+        - action: replace
+          regex: (.*)
+          replacement: $1
+          sourceLabels:
+            - __meta_kubernetes_pod_node_name
+          targetLabel: kubernetes_node
+
+  prometheus-node-exporter:
+    fullnameOverride: node-exporter
+    podLabels:
+      jobLabel: node-exporter
+    extraArgs:
+      - --collector.filesystem.mount-points-exclude=^/(dev|proc|sys|var/lib/docker/.+|var/lib/kubelet/.+)($|/)
+      - --collector.filesystem.fs-types-exclude=^(autofs|binfmt_misc|bpf|cgroup2?|configfs|debugfs|devpts|devtmpfs|fusectl|hugetlbfs|iso9660|mqueue|nsfs|overlay|proc|procfs|pstore|rpc_pipefs|securityfs|selinuxfs|squashfs|sysfs|tracefs)$
+    service:
+      portName: http-metrics
+    prometheus:
+      monitor:
+        enabled: true
+        relabelings:
+          - action: replace
+            regex: (.*)
+            replacement: $1
+            sourceLabels:
+              - __meta_kubernetes_pod_node_name
+            targetLabel: kubernetes_node
+    resources:
+      requests:
+        memory: 512Mi
+        cpu: 250m
+      limits:
+        memory: 2048Mi
+
+  prometheusOperator:
+    enabled: true
+    prometheusConfigReloader:
+      resources:
+        requests:
+          cpu: 200m
+          memory: 50Mi
+        limits:
+          memory: 100Mi
+
+  prometheus:
+    enabled: true
+    prometheusSpec:
+      replicas: 1
+      replicaExternalLabelName: "replica"
+      ruleSelectorNilUsesHelmValues: false
+      serviceMonitorSelectorNilUsesHelmValues: false
+      podMonitorSelectorNilUsesHelmValues: false
+      probeSelectorNilUsesHelmValues: false
+      retention: 6h
+      enableAdminAPI: true
+      walCompression: true
+      storageSpec:
+        volumeClaimTemplate:
+          spec:
+            storageClassName: longhorn
+            accessModes: ["ReadWriteMany"]
+            resources:
+              requests:
+                storage: 20Gi
+
+  thanosRuler:
+    enabled: false

infra/octopusdeploy/Chart.yaml

@@ -9,4 +9,4 @@ appVersion: "1.16.0"
 dependencies:
   - name: octopusdeploy-helm
     repository: oci://ghcr.io/octopusdeploy
-    version: 1.4.0
+    version: 1.7.0

infra/octopusdeploy/values.yaml

@@ -2,7 +2,7 @@ octopusdeploy-helm:
   octopus:
     image:
       repository: registry.durp.info/octopusdeploy/octopusdeploy
-      tag: 2025.1
+      tag: 2025.3
     createSecrets: false
     acceptEula: Y
     replicaCount: 3

master/gitlab-runner/Chart.yaml

@@ -8,4 +8,4 @@ appVersion: 0.0.1
 dependencies:
 - name: gitlab-runner
   repository: https://charts.gitlab.io/
-  version: 0.77.2
+  version: 0.82.0