Update Helm release gatekeeper to v3.21.0

dmz/internalproxy/templates/gitlab.yaml

@@ -0,0 +1,68 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: gitlab
+spec:
+  ports:
+    - name: app
+      port: 9080
+      protocol: TCP
+      targetPort: 9080
+  clusterIP: None
+  type: ClusterIP
+
+---
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: gitlab
+subsets:
+  - addresses:
+      - ip: 192.168.21.200
+    ports:
+      - name: app
+        port: 9080
+        protocol: TCP
+
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: gitlab-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`gitlab.durp.info`) && PathPrefix(`/`)
+      kind: Rule
+      services:
+        - name: gitlab
+          port: 9080
+          scheme: http
+  tls:
+    secretName: gitlab-tls
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: gitlab-tls
+spec:
+  secretName: gitlab-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: "gitlab.durp.info"
+  dnsNames:
+    - "gitlab.durp.info"
+
+---
+kind: Service
+apiVersion: v1
+metadata:
+  name: gitlab-external-dns
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: gitlab.durp.info
+spec:
+  type: ExternalName
+  externalName: durp.info

dmz/internalproxy/templates/grafana.yaml

@@ -0,0 +1,40 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: grafana-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`grafana.durp.info`) && PathPrefix(`/`)
+      kind: Rule
+      services:
+        - name: infra-cluster
+          port: 443
+  tls:
+    secretName: grafana-tls
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: grafana-tls
+spec:
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  secretName: grafana-tls
+  commonName: "grafana.durp.info"
+  dnsNames:
+    - "grafana.durp.info"
+
+---
+kind: Service
+apiVersion: v1
+metadata:
+  name: grafana-external-dns
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: grafana.durp.info
+spec:
+  type: ExternalName
+  externalName: durp.info

dmz/internalproxy/templates/n8n.yaml

@@ -12,21 +12,19 @@ spec:
   type: ClusterIP
 
 ---
-
 apiVersion: v1
 kind: Endpoints
 metadata:
   name: n8n
 subsets:
   - addresses:
-      - ip: 192.168.20.104
+      - ip: 192.168.21.200
     ports:
       - name: app
         port: 5678
         protocol: TCP
 
 ---
-
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
@@ -45,7 +43,6 @@ spec:
     secretName: n8n-tls
 
 ---
-
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
@@ -60,7 +57,6 @@ spec:
     - "n8n.durp.info"
 
 ---
-
 kind: Service
 apiVersion: v1
 metadata:

infra/argocd/templates/crossplane.yaml

@@ -1,20 +0,0 @@
-#apiVersion: argoproj.io/v1alpha1
-#kind: Application
-#metadata:
-#  name: crossplane
-#  namespace: argocd
-#spec:
-#  project: default
-#  source:
-#    repoURL: https://gitlab.com/developerdurp/homelab.git
-#    targetRevision: main
-#    path: infra/crossplane
-#  destination:
-#    namespace: crossplane
-#    name: in-cluster
-#  syncPolicy:
-#    automated:
-#      prune: true
-#      selfHeal: true
-#    syncOptions:
-#      - CreateNamespace=true

infra/argocd/templates/crowdsec.yaml

@@ -1,20 +1,20 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: crowdsec
-  namespace: argocd
-spec:
-  project: default
-  source:
-    repoURL: https://gitlab.com/developerdurp/homelab.git
-    targetRevision: main
-    path: dmz/crowdsec
-  destination:
-    namespace: crowdsec
-    name: dmz
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true
-    syncOptions:
-      - CreateNamespace=true
+#apiVersion: argoproj.io/v1alpha1
+#kind: Application
+#metadata:
+#  name: crowdsec
+#  namespace: argocd
+#spec:
+#  project: default
+#  source:
+#    repoURL: https://gitlab.com/developerdurp/homelab.git
+#    targetRevision: main
+#    path: dmz/crowdsec
+#  destination:
+#    namespace: crowdsec
+#    name: dmz
+#  syncPolicy:
+#    automated:
+#      prune: true
+#      selfHeal: true
+#    syncOptions:
+#      - CreateNamespace=true

infra/argocd/templates/kube-prometheus-stack.yaml

@@ -0,0 +1,20 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: kube-prometheus-stack
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://gitlab.com/developerdurp/homelab.git
+    targetRevision: main
+    path: infra/kube-prometheus-stack
+  destination:
+    namespace: kube-prometheus-stack
+    name: in-cluster
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true

infra/bitwarden/templates/deployment.yaml

@@ -17,7 +17,7 @@ spec:
     spec:
       containers:
         - name: bitwarden
-          image: registry.durp.info/vaultwarden/server:1.33.2
+          image: registry.durp.info/vaultwarden/server:1.34.3
           imagePullPolicy: Always
           volumeMounts:
             - name: bitwarden-pvc

infra/crossplane/Chart.yaml

@@ -1,11 +0,0 @@
-apiVersion: v2
-name: crossplane
-description: A Helm chart for Kubernetes
-type: application
-
-version: 0.1.0
-appVersion: "1.16.0"
-#dependencies:
-#  - name: crossplane
-#    repository: https://charts.crossplane.io/stable
-#    version: 1.19.1

infra/crossplane/templates/argocd.yaml

@@ -1,6 +0,0 @@
-#apiVersion: pkg.crossplane.io/v1
-#kind: Provider
-#metadata:
-#  name: provider-argocd
-#spec:
-#  package: xpkg.upbound.io/crossplane-contrib/provider-argocd:v0.10.1

infra/crossplane/templates/gitlab.yml

@@ -1,57 +0,0 @@
-#apiVersion: pkg.crossplane.io/v1
-#kind: Provider
-#metadata:
-#  name: provider-gitlab
-#spec:
-#  package: xpkg.upbound.io/crossplane-contrib/provider-gitlab:v0.10.4
-#---
-#apiVersion: v1
-#kind: ServiceAccount
-#metadata:
-#  name: vault
-#
-#---
-#apiVersion: external-secrets.io/v1
-#kind: ExternalSecret
-#metadata:
-#  name: gitlab-secret
-#spec:
-#  secretStoreRef:
-#    name: vault
-#    kind: ClusterSecretStore
-#  target:
-#    name: gitlab-secret
-#  data:
-#    - secretKey: accesstoken
-#      remoteRef:
-#        key: kv/renovate
-#        property: RENOVATE_TOKEN
-#
-#---
-#apiVersion: gitlab.crossplane.io/v1beta1
-#kind: ProviderConfig
-#metadata:
-#  name: gitlab-provider
-#spec:
-#  baseURL: https://gitlab.com/
-#  credentials:
-#    source: Secret
-#    secretRef:
-#      namespace: crossplane
-#      name: gitlab-secret
-#      key: accesstoken
-#---
-#apiVersion: projects.gitlab.crossplane.io/v1alpha1
-#kind: Project
-#metadata:
-#  name: example-project
-#spec:
-#  deletionPolicy: Orphan
-#  forProvider:
-#    name: "Example Project"
-#    description: "example project description"
-#  providerConfigRef:
-#    name: gitlab-provider
-#    policy:
-#      resolution: Optional
-#      resolve: Always

infra/crossplane/templates/proxmoxBackupServer.yaml

@@ -1,115 +0,0 @@
-#apiVersion: opentofu.upbound.io/v1beta1
-#kind: Workspace
-#metadata:
-#  name: proxmoxbackupserver
-#  annotations:
-#    crossplane.io/external-name: proxmoxbackupserver
-#spec:
-#  forProvider:
-#    source: Inline
-#    env:
-#      - name: TF_VAR_pm_api_url
-#        secretKeyRef:
-#          namespace: crossplane
-#          name: proxmox-secret
-#          key: pm_api_url
-#      - name: TF_VAR_pm_password
-#        secretKeyRef:
-#          namespace: crossplane
-#          name: proxmox-secret
-#          key: pm_password
-#      - name: TF_VAR_pm_user
-#        secretKeyRef:
-#          namespace: crossplane
-#          name: proxmox-secret
-#          key: pm_user
-#    module: |
-#
-#      provider "proxmox" {
-#        pm_parallel     = 1
-#        pm_tls_insecure = true
-#        pm_api_url      = var.pm_api_url
-#        pm_user         = var.pm_user
-#        pm_password     = var.pm_password
-#        pm_debug        = false
-#      }
-#
-#      variable "pm_api_url" {
-#        description = "API URL to Proxmox provider"
-#        type        = string
-#      }
-#
-#      variable "pm_password" {
-#        description = "Passowrd to Proxmox provider"
-#        type        = string
-#      }
-#
-#      variable "pm_user" {
-#        description = "Username to Proxmox provider"
-#        type        = string
-#      }
-#
-#      locals {
-#        format    = "raw"
-#        dnsserver = "192.168.10.1"
-#        vlan      = 21
-#        proxmoxBackup = {
-#          tags    = "Proxmox"
-#          count   = 1
-#          name    = ["Proxmox-BackupServer"]
-#          cores   = 2
-#          memory  = "4096"
-#          drive   = 1024
-#          storage = "domains"
-#          node    = ["mothership"]
-#          ip      = ["250"]
-#        }
-#      }
-#
-#      resource "proxmox_vm_qemu" "proxmoxBackup" {
-#        count       = local.proxmoxBackup.count
-#        ciuser      = "administrator"
-#        vmid        = "${local.vlan}${local.proxmoxBackup.ip[count.index]}"
-#        name        = local.proxmoxBackup.name[count.index]
-#        target_node = local.proxmoxBackup.node[count.index]
-#        tags        = local.proxmoxBackup.tags
-#        qemu_os     = "l26"
-#        os_type     = "cloud-init"
-#        agent       = 1
-#        cores       = local.proxmoxBackup.cores
-#        sockets     = 1
-#        cpu_type    = "host"
-#        memory      = local.proxmoxBackup.memory
-#        scsihw      = "virtio-scsi-pci"
-#        #bootdisk    = "scsi0"
-#        boot    = "order=virtio0"
-#        onboot  = true
-#        vga {
-#          type = "serial0"
-#        }
-#        serial {
-#          id   = 0
-#          type = "socket"
-#        }
-#        disks {
-#          virtio {
-#            virtio0 {
-#              disk {
-#                size    = local.proxmoxBackup.drive
-#                format  = local.format
-#                storage = local.proxmoxBackup.storage
-#              }
-#            }
-#          }
-#        }
-#        network {
-#          id     = 0
-#          model  = "virtio"
-#          bridge = "vmbr0"
-#          tag    = local.vlan
-#        }
-#      }
-#
-#  writeConnectionSecretToRef:
-#    namespace: crossplane
-#    name: opentofu-workspace-example-inline

infra/crossplane/templates/tofu.yml

@@ -1,61 +0,0 @@
-#apiVersion: pkg.crossplane.io/v1
-#kind: Provider
-#metadata:
-#  name: provider-opentofu
-#spec:
-#  package: xpkg.upbound.io/upbound/provider-opentofu:v0
-#
-#---
-#apiVersion: external-secrets.io/v1
-#kind: ExternalSecret
-#metadata:
-#  name: proxmox-secret
-#spec:
-#  secretStoreRef:
-#    name: vault
-#    kind: ClusterSecretStore
-#  target:
-#    name: proxmox-secret
-#  data:
-#    - secretKey: pm_api_url
-#      remoteRef:
-#        key: kv/crossplane/proxmox
-#        property: pm_api_url
-#    - secretKey: pm_password
-#      remoteRef:
-#        key: kv/crossplane/proxmox
-#        property: pm_password
-#    - secretKey: pm_user
-#      remoteRef:
-#        key: kv/crossplane/proxmox
-#        property: pm_user
-#
-#---
-#apiVersion: opentofu.upbound.io/v1beta1
-#kind: ProviderConfig
-#metadata:
-#  name: default
-#spec:
-#  #credentials:
-#  #  - filename: gcp-credentials.json
-#  #    source: Secret
-#  #    secretRef:
-#  #      namespace: upbound-system
-#  #      name: opentofu-gcp-creds
-#  #      key: credentials
-#  configuration: |
-#
-#    // Modules _must_ use remote state. The provider does not persist state.
-#    terraform {
-#      backend "kubernetes" {
-#        secret_suffix     = "providerconfig-default"
-#        namespace         = "crossplane"
-#        in_cluster_config = true
-#      }
-#      required_providers {
-#        proxmox = {
-#          source  = "Telmate/proxmox"
-#          version = "3.0.1-rc9"
-#        }
-#      }
-#    }

infra/kube-prometheus-stack/Chart.yaml

@@ -0,0 +1,12 @@
+apiVersion: v2
+name: kube-prometheus-stack
+description: A Helm chart for Kubernetes
+type: application
+
+version: 0.1.0
+appVersion: "1.16.0"
+
+dependencies:
+  - name: kube-prometheus-stack
+    repository: https://prometheus-community.github.io/helm-charts
+    version: 77.10.0

infra/kube-prometheus-stack/templates/grafana-secrets-sealed.yaml

@@ -0,0 +1,46 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vault
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: vault-grafana-oauth
+spec:
+  secretStoreRef:
+    name: vault
+    kind: ClusterSecretStore
+  target:
+    name: grafana-oauth
+  data:
+    - secretKey: GF_AUTH_GENERIC_OAUTH_CLIENT_ID
+      remoteRef:
+        key: kv/grafana/oauth
+        property: GF_AUTH_GENERIC_OAUTH_CLIENT_ID
+    - secretKey: GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET
+      remoteRef:
+        key: kv/grafana/oauth
+        property: GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: vault-admin-credentials
+spec:
+  secretStoreRef:
+    name: vault
+    kind: ClusterSecretStore
+  target:
+    name: grafana-admin-credentials
+  data:
+    - secretKey: admin-password
+      remoteRef:
+        key: kv/grafana/admin
+        property: password
+    - secretKey: admin-user
+      remoteRef:
+        key: kv/grafana/admin
+        property: user

infra/kube-prometheus-stack/templates/ingress.yaml

@@ -0,0 +1,77 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: grafana-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`grafana.durp.info`) && PathPrefix(`/`)
+      kind: Rule
+      services:
+        - name: grafana
+          port: 80
+  tls:
+    secretName: grafana-tls
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: grafana-tls
+spec:
+  secretName: grafana-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: "grafana.durp.info"
+  dnsNames:
+    - "grafana.durp.info"
+
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: alertmanager-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`alertmanager.durp.info`) && PathPrefix(`/`)
+      middlewares:
+        - name: whitelist
+          namespace: traefik
+        - name: authentik-proxy-provider
+          namespace: traefik
+      kind: Rule
+      services:
+        - name: prometheus-alertmanager
+          port: 9093
+  tls:
+    secretName: alertmanager-tls
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: alertmanager-tls
+spec:
+  secretName: alertmanager-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: "alertmanager.durp.info"
+  dnsNames:
+    - "alertmanager.durp.info"
+
+---
+kind: Service
+apiVersion: v1
+metadata:
+  name: grafana-external-dns
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: grafana.durp.info
+spec:
+  type: ExternalName
+  externalName: durp.info
+

infra/kube-prometheus-stack/values.yaml

@@ -0,0 +1,203 @@
+kube-prometheus-stack:
+  fullnameOverride: prometheus
+
+  defaultRules:
+    create: true
+    rules:
+      alertmanager: true
+      etcd: true
+      configReloaders: true
+      general: true
+      k8s: true
+      kubeApiserverAvailability: true
+      kubeApiserverBurnrate: true
+      kubeApiserverHistogram: true
+      kubeApiserverSlos: true
+      kubelet: true
+      kubeProxy: true
+      kubePrometheusGeneral: true
+      kubePrometheusNodeRecording: true
+      kubernetesApps: true
+      kubernetesResources: true
+      kubernetesStorage: true
+      kubernetesSystem: true
+      kubeScheduler: true
+      kubeStateMetrics: true
+      network: true
+      node: true
+      nodeExporterAlerting: true
+      nodeExporterRecording: true
+      prometheus: true
+      prometheusOperator: true
+
+  alertmanager:
+    fullnameOverride: alertmanager
+    enabled: true
+    ingress:
+      enabled: false
+  grafana:
+    enabled: true
+    fullnameOverride: grafana
+    forceDeployDatasources: false
+    forceDeployDashboards: false
+    defaultDashboardsEnabled: true
+    defaultDashboardsTimezone: utc
+    plugins:
+      - grafana-polystat-panel
+    serviceMonitor:
+      enabled: true
+    admin:
+      existingSecret: grafana-admin-credentials
+      userKey: admin-user
+      passwordKey: admin-password
+    ingress:
+      enabled: false
+    grafana.ini:
+      server:
+        root_url: https://grafana.durp.info
+      auth.generic_oauth:
+        enabled: true
+        scopes: openid profile email
+        auth_url: https://authentik.durp.info/application/o/authorize/
+        token_url: https://authentik.durp.info/application/o/token/
+        api_url: https://authentik.durp.info/application/o/userinfo/
+    envFromSecret: "grafana-oauth"
+
+  kubeApiServer:
+    enabled: true
+
+  kubelet:
+    enabled: true
+    serviceMonitor:
+      metricRelabelings:
+        - action: replace
+          sourceLabels:
+            - node
+          targetLabel: instance
+
+  kubeControllerManager:
+    enabled: true
+    endpoints: # ips of servers
+      - 192.168.12.11
+      - 192.168.12.12
+      - 192.168.12.13
+
+  coreDns:
+    enabled: false
+
+  kubeDns:
+    enabled: false
+
+  kubeEtcd:
+    enabled: true
+    endpoints: # ips of servers
+      - 192.168.12.11
+      - 192.168.12.12
+      - 192.168.12.13
+    service:
+      enabled: true
+      port: 2381
+      targetPort: 2381
+
+  kubeScheduler:
+    enabled: true
+    endpoints: # ips of servers
+      - 192.168.12.11
+      - 192.168.12.12
+      - 192.168.12.13
+
+  kubeProxy:
+    enabled: true
+    endpoints: # ips of servers
+      - 192.168.12.11
+      - 192.168.12.12
+      - 192.168.12.13
+
+  kubeStateMetrics:
+    enabled: true
+
+  kube-state-metrics:
+    fullnameOverride: kube-state-metrics
+    selfMonitor:
+      enabled: true
+    prometheus:
+      monitor:
+        enabled: true
+        relabelings:
+          - action: replace
+            regex: (.*)
+            replacement: $1
+            sourceLabels:
+              - __meta_kubernetes_pod_node_name
+            targetLabel: kubernetes_node
+
+  nodeExporter:
+    enabled: true
+    serviceMonitor:
+      relabelings:
+        - action: replace
+          regex: (.*)
+          replacement: $1
+          sourceLabels:
+            - __meta_kubernetes_pod_node_name
+          targetLabel: kubernetes_node
+
+  prometheus-node-exporter:
+    fullnameOverride: node-exporter
+    podLabels:
+      jobLabel: node-exporter
+    extraArgs:
+      - --collector.filesystem.mount-points-exclude=^/(dev|proc|sys|var/lib/docker/.+|var/lib/kubelet/.+)($|/)
+      - --collector.filesystem.fs-types-exclude=^(autofs|binfmt_misc|bpf|cgroup2?|configfs|debugfs|devpts|devtmpfs|fusectl|hugetlbfs|iso9660|mqueue|nsfs|overlay|proc|procfs|pstore|rpc_pipefs|securityfs|selinuxfs|squashfs|sysfs|tracefs)$
+    service:
+      portName: http-metrics
+    prometheus:
+      monitor:
+        enabled: true
+        relabelings:
+          - action: replace
+            regex: (.*)
+            replacement: $1
+            sourceLabels:
+              - __meta_kubernetes_pod_node_name
+            targetLabel: kubernetes_node
+    resources:
+      requests:
+        memory: 512Mi
+        cpu: 250m
+      limits:
+        memory: 2048Mi
+
+  prometheusOperator:
+    enabled: true
+    prometheusConfigReloader:
+      resources:
+        requests:
+          cpu: 200m
+          memory: 50Mi
+        limits:
+          memory: 100Mi
+
+  prometheus:
+    enabled: true
+    prometheusSpec:
+      replicas: 1
+      replicaExternalLabelName: "replica"
+      ruleSelectorNilUsesHelmValues: false
+      serviceMonitorSelectorNilUsesHelmValues: false
+      podMonitorSelectorNilUsesHelmValues: false
+      probeSelectorNilUsesHelmValues: false
+      retention: 6h
+      enableAdminAPI: true
+      walCompression: true
+      storageSpec:
+        volumeClaimTemplate:
+          spec:
+            storageClassName: longhorn
+            accessModes: ["ReadWriteMany"]
+            resources:
+              requests:
+                storage: 20Gi
+
+  thanosRuler:
+    enabled: false

infra/octopusdeploy/Chart.yaml

@@ -9,4 +9,4 @@ appVersion: "1.16.0"
 dependencies:
   - name: octopusdeploy-helm
     repository: oci://ghcr.io/octopusdeploy
-    version: 1.4.0
+    version: 1.7.0

infra/octopusdeploy/values.yaml

@@ -2,7 +2,7 @@ octopusdeploy-helm:
   octopus:
     image:
       repository: registry.durp.info/octopusdeploy/octopusdeploy
-      tag: 2025.1
+      tag: 2025.3
     createSecrets: false
     acceptEula: Y
     replicaCount: 3

master/gatekeeper/Chart.yaml

@@ -8,4 +8,4 @@ appVersion: 0.0.1
 dependencies:
 - name: gatekeeper
   repository: https://open-policy-agent.github.io/gatekeeper/charts
-  version: 3.19.2
+  version: 3.21.0