Update docker.io/swaggerapi/swagger-ui Docker tag to v5.30.3

update n8n
add gitlab
2025-11-26 07:03:08 +00:00 · 2025-10-22 05:23:07 -05:00 · 2025-10-09 06:25:05 -05:00 · 2025-09-20 09:24:21 -05:00 · 2025-09-20 08:05:50 -05:00 · 2025-09-20 07:56:57 -05:00
145 changed files with 2098 additions and 574 deletions
--- a/ansible/newcluster.yaml
+++ b/ansible/newcluster.yaml
@@ -1,2 +1,2 @@
 argocd login --insecure
-argocd cluster add <cluster> --name<name>
+argocd cluster add default --name prd --yes --kubeconfig ~/Documents/config-prd
--- a/ansible/roles/base/files/authorized_keys_user
+++ b/ansible/roles/base/files/authorized_keys_user
@@ -1 +1,2 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGhPVgL8gXdRTw0E2FvlOUoUI4vd794nB0nZVIsc+U5M
+sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIGilcndatMrXg06VxtNKuIo3scoyyXbYX8Z7cOjeA102AAAABHNzaDo= desktop-arch-09-08-2025-yubikey
 sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAINsbNSZ5Wr+50Ahz+IeZxt6F7gZ6wm1J8uKXQLbdbKFaAAAABHNzaDo= desktop-arch-09-08-2025-yubikeyNano
--- a/dev/cert-manager/Chart.yaml
+++ b/dev/cert-manager/Chart.yaml
@@ -8,4 +8,4 @@ appVersion: 0.0.1
 dependencies:
 - name: cert-manager
  repository: https://charts.jetstack.io
-  version: v1.16.3
+  version: v1.17.2
--- a/dev/cert-manager/templates/secretvault.yaml
+++ b/dev/cert-manager/templates/secretvault.yaml
@@ -1,4 +1,4 @@
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: cloudflare-api-token-secret
--- a/dev/external-dns/Chart.yaml
+++ b/dev/external-dns/Chart.yaml
@@ -9,4 +9,4 @@ appVersion: 0.0.1
 dependencies:
 - name: external-dns
  repository: https://charts.bitnami.com/bitnami
-  version: 8.3.8
+  version: 8.9.2
--- a/dev/external-dns/templates/secrets.yaml
+++ b/dev/external-dns/templates/secrets.yaml
@@ -1,4 +1,4 @@
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: external-dns-secret
--- a/dev/external-secrets/Chart.yaml
+++ b/dev/external-secrets/Chart.yaml
@@ -8,4 +8,4 @@ appVersion: 0.0.1
 dependencies:
 - name: external-secrets
  repository: https://charts.external-secrets.io
-  version: 0.13.0
+  version: 0.17.0
--- a/dev/metallb-system/Chart.yaml
+++ b/dev/metallb-system/Chart.yaml
@@ -9,4 +9,4 @@ appVersion: "1.16.0"
 dependencies:
 - name: metallb
  repository: https://metallb.github.io/metallb
-  version: 0.14.9
+  version: 0.15.2
--- a/dev/terraform/main.tf
+++ b/dev/terraform/main.tf
@@ -3,7 +3,7 @@ terraform {
  required_providers {
    proxmox = {
      source  = "Telmate/proxmox"
-      version = "3.0.1-rc6"
+      version = "3.0.1-rc9"
    }
  }
 }
--- a/dev/traefik/Chart.yaml
+++ b/dev/traefik/Chart.yaml
@@ -8,4 +8,4 @@ appVersion: 0.0.1
 dependencies:
 - name: traefik
  repository: https://traefik.github.io/charts
-  version: 34.0.0
+  version: 34.5.0
--- a/dev/vault/Chart.yaml
+++ b/dev/vault/Chart.yaml
@@ -8,5 +8,5 @@ appVersion: 0.0.1
 dependencies:
 - name: vault
  repository: https://helm.releases.hashicorp.com  
-  version: 0.29.1
+  version: 0.30.0
--- a/dev/vault/templates/secret-store.yaml
+++ b/dev/vault/templates/secret-store.yaml
@@ -1,4 +1,4 @@
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ClusterSecretStore
 metadata:
  name: vault
--- a/dmz/authentik/Chart.yaml
+++ b/dmz/authentik/Chart.yaml
@@ -7,6 +7,6 @@ version: 0.1.0
 appVersion: "1.16.0"
 dependencies:
- name: authentik-remote-cluster
+  - name: authentik-remote-cluster
-  repository: https://charts.goauthentik.io
+    repository: https://charts.goauthentik.io
-  version: 2.0.0
+    version: 2.1.0
--- a/dmz/authentik/templates/ingress.yaml
+++ b/dmz/authentik/templates/ingress.yaml
@@ -0,0 +1,62 @@
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: authentik-tls
 spec:
  issuerRef:
    name: letsencrypt-production
    kind: ClusterIssuer
  secretName: authentik-tls
  commonName: "authentik.durp.info"
  dnsNames:
    - "authentik.durp.info"
 ---
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: authentik-ingress
 spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`authentik.durp.info`) && PathPrefix(`/`)
      kind: Rule
      services:
        - name: infra-cluster
          port: 443
  tls:
    secretName: authentik-tls
 ---
 kind: Service
 apiVersion: v1
 metadata:
  name: authentik-external-dns
  annotations:
    external-dns.alpha.kubernetes.io/hostname: authentik.durp.info
 spec:
  type: ExternalName
  externalName: durp.info
 ---
 apiVersion: v1
 kind: Endpoints
 metadata:
  name: infra-cluster
 subsets:
  - addresses:
      - ip: 192.168.12.130
    ports:
      - port: 443
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: infra-cluster
 spec:
  ports:
    - protocol: TCP
      port: 443
      targetPort: 443
--- a/dmz/cert-manager/Chart.yaml
+++ b/dmz/cert-manager/Chart.yaml
@@ -8,4 +8,4 @@ appVersion: 0.0.1
 dependencies:
 - name: cert-manager
  repository: https://charts.jetstack.io
-  version: v1.16.3
+  version: v1.17.2
--- a/dmz/cert-manager/templates/secretvault.yaml
+++ b/dmz/cert-manager/templates/secretvault.yaml
@@ -1,4 +1,4 @@
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: cloudflare-api-token-secret
--- a/dmz/crowdsec/Chart.yaml
+++ b/dmz/crowdsec/Chart.yaml
@@ -0,0 +1,11 @@
 apiVersion: v2
 name: crowdsec
 description: A Helm chart for Kubernetes
 type: application
 version: 0.0.1
 appVersion: 0.0.1
 dependencies:
  - name: crowdsec
    repository: https://crowdsecurity.github.io/helm-charts
    version: 0.19.4
--- a/dmz/crowdsec/templates/secrets.yaml
+++ b/dmz/crowdsec/templates/secrets.yaml
@@ -0,0 +1,29 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: enroll-key
 spec:
  secretStoreRef:
    name: vault
    kind: ClusterSecretStore
  target:
    name: enroll-key
  data:
    - secretKey: ENROLL_INSTANCE_NAME
      remoteRef:
        key: kv/crowdsec/dmz-enroll
        property: ENROLL_INSTANCE_NAME
    - secretKey: ENROLL_KEY
      remoteRef:
        key: kv/crowdsec/dmz-enroll
        property: ENROLL_KEY
    - secretKey: ENROLL_TAGS
      remoteRef:
        key: kv/crowdsec/dmz-enroll
        property: ENROLL_TAGS
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: vault
--- a/dmz/crowdsec/values.yaml
+++ b/dmz/crowdsec/values.yaml
@@ -0,0 +1,24 @@
 crowdsec:
  #
  image:
    repository: registry.durp.info/crowdsecurity/crowdsec
    pullPolicy: Always
  # for raw logs format: json or cri (docker|containerd)
  container_runtime: containerd
  agent:
    # Specify each pod whose logs you want to process
    acquisition:
      # The namespace where the pod is located
      - namespace: traefik
        # The pod name
        podName: traefik-*
        # as in crowdsec configuration, we need to specify the program name to find a matching parser
        program: traefik
    env:
      - name: COLLECTIONS
        value: "crowdsecurity/traefik"
  lapi:
    envFrom:
      - secretRef:
          name: enroll-key
--- a/dmz/external-dns/Chart.yaml
+++ b/dmz/external-dns/Chart.yaml
@@ -9,4 +9,4 @@ appVersion: 0.0.1
 dependencies:
 - name: external-dns
  repository: https://charts.bitnami.com/bitnami
-  version: 8.3.8
+  version: 8.9.2
--- a/dmz/external-dns/templates/secrets.yaml
+++ b/dmz/external-dns/templates/secrets.yaml
@@ -1,4 +1,4 @@
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: external-dns-secret
--- a/dmz/external-dns/values.yaml
+++ b/dmz/external-dns/values.yaml
@@ -1,6 +1,8 @@
 external-dns:
  global:
    imageRegistry: "registry.durp.info"
    security:
      allowInsecureImages: true
  image:
    pullPolicy: Always
@@ -9,10 +11,10 @@ external-dns:
  sources:
    - service
-    
+
  provider: cloudflare
  cloudflare:
-    secretName : "external-dns"
+    secretName: "external-dns"
    proxied: false
  policy: sync
--- a/dmz/external-secrets/Chart.yaml
+++ b/dmz/external-secrets/Chart.yaml
@@ -6,6 +6,6 @@ version: 0.0.1
 appVersion: 0.0.1
 dependencies:
- name: external-secrets
+  - name: external-secrets
-  repository: https://charts.external-secrets.io
+    repository: https://charts.external-secrets.io
-  version: 0.15.0
+    version: 0.17.0
--- a/dmz/external-secrets/values.yaml
+++ b/dmz/external-secrets/values.yaml
@@ -1,7 +1,13 @@
 external-secrets:
-  replicaCount: 3
+  global:
    security:
      allowInsecureImages: true
  log:
    level: debug
  replicaCount: 1
  revisionHistoryLimit: 1
-  leaderElect: true
+  leaderElect: false
  installCRDs: true
  crds:
@@ -16,24 +22,24 @@ external-secrets:
    repository: registry.durp.info/external-secrets/external-secrets
    pullPolicy: Always
-  extraVolumes: 
+  extraVolumes:
    - name: ca-pemstore
      configMap:
        name: ca-pemstore
-  extraVolumeMounts: 
+  extraVolumeMounts:
    - name: ca-pemstore
      mountPath: /etc/ssl/certs/vault.pem
      subPath: vault.pem
      readOnly: true
-  resources: 
+  #  resources:
-    requests:
+  #    requests:
-      memory: 32Mi
+  #      memory: 32Mi
-      cpu: 10m
+  #      cpu: 10m
-    limits:
+  #    limits:
-      memory: 32Mi
+  #      memory: 32Mi
-      cpu: 10m
+  #      cpu: 10m
  webhook:
    create: false
@@ -44,24 +50,24 @@ external-secrets:
      repository: registry.durp.info/external-secrets/external-secrets
      pullPolicy: Always
-    extraVolumes: 
+    extraVolumes:
      - name: ca-pemstore
        configMap:
          name: ca-pemstore
-    extraVolumeMounts: 
+    extraVolumeMounts:
      - name: ca-pemstore
        mountPath: /etc/ssl/certs/vault.pem
        subPath: vault.pem
        readOnly: true
-    resources: 
+  #    resources:
-      requests:
+  #      requests:
-        memory: 32Mi
+  #        memory: 32Mi
-        cpu: 10m
+  #        cpu: 10m
-      limits:
+  #      limits:
-        memory: 32Mi
+  #        memory: 32Mi
-        cpu: 10m
+  #        cpu: 10m
  certController:
    create: false
@@ -74,7 +80,7 @@ external-secrets:
      pullPolicy: Always
      tag: ""
-    resources: 
+    resources:
      requests:
        memory: 32Mi
        cpu: 10m
@@ -82,12 +88,12 @@ external-secrets:
        memory: 32Mi
        cpu: 10m
-    extraVolumes: 
+    extraVolumes:
      - name: ca-pemstore
        configMap:
          name: ca-pemstore
-    extraVolumeMounts: 
+    extraVolumeMounts:
      - name: ca-pemstore
        mountPath: /etc/ssl/certs/vault.pem
        subPath: vault.pem
--- a/dmz/gitlab-runner/Chart.yaml
+++ b/dmz/gitlab-runner/Chart.yaml
@@ -8,8 +8,8 @@ appVersion: 0.0.1
 dependencies:
 - name: gitlab-runner
  repository: https://charts.gitlab.io/
-  version: 0.69.0
+  version: 0.77.2
 - name: gitlab-runner
  repository: https://charts.gitlab.io/
-  version: 0.69.0
+  version: 0.77.2
  alias: personal
--- a/dmz/gitlab-runner/templates/secrets.yaml
+++ b/dmz/gitlab-runner/templates/secrets.yaml
@@ -1,4 +1,4 @@
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: gitlab-secret
@@ -27,7 +27,7 @@ metadata:
 ---
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: gitlab-secret-personal
--- a/dmz/internalproxy/templates/authentik.yaml
+++ b/dmz/internalproxy/templates/authentik.yaml
@@ -1,42 +1,40 @@
-apiVersion: traefik.io/v1alpha1
+#apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
+#kind: IngressRoute
-metadata:
+#metadata:
-  name: authentik-ingress
+#  name: authentik-ingress
-spec:
+#spec:
-  entryPoints:
+#  entryPoints:
-    - websecure
+#    - websecure
-  routes:
+#  routes:
-  - match: Host(`authentik.durp.info`) && PathPrefix(`/`) 
+#    - match: Host(`authentik.durp.info`) && PathPrefix(`/`)
-    kind: Rule
+#      kind: Rule
-    services:
+#      services:
-    - name: infra-cluster
+#        - name: infra-cluster
-      port: 443
+#          port: 443
-  tls:
+#  tls:
-    secretName: authentik-tls
+#    secretName: authentik-tls
-
+#
---
+#---
-
+#apiVersion: cert-manager.io/v1
-apiVersion: cert-manager.io/v1
+#kind: Certificate
-kind: Certificate
+#metadata:
-metadata:
+#  name: authentik-tls
-  name: authentik-tls
+#spec:
-spec:
+#  issuerRef:
-  issuerRef:
+#    name: letsencrypt-production
-    name: letsencrypt-production
+#    kind: ClusterIssuer
-    kind: ClusterIssuer
+#  secretName: authentik-tls
-  secretName: authentik-tls
+#  commonName: "authentik.durp.info"
-  commonName: "authentik.durp.info"
+#  dnsNames:
-  dnsNames:
+#    - "authentik.durp.info"
-  - "authentik.durp.info"
+#
-
+#---
---
+#kind: Service
-
+#apiVersion: v1
-kind: Service
+#metadata:
-apiVersion: v1
+#  name: authentik-external-dns
-metadata:
+#  annotations:
-  name: authentik-external-dns
+#    external-dns.alpha.kubernetes.io/hostname: authentik.durp.info
-  annotations:
+#spec:
-    external-dns.alpha.kubernetes.io/hostname: authentik.durp.info
+#  type: ExternalName
-spec:
+#  externalName: durp.info
  type: ExternalName
  externalName: durp.info
--- a/dmz/internalproxy/templates/gitlab.yaml
+++ b/dmz/internalproxy/templates/gitlab.yaml
@@ -0,0 +1,68 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: gitlab
 spec:
  ports:
    - name: app
      port: 9080
      protocol: TCP
      targetPort: 9080
  clusterIP: None
  type: ClusterIP
 ---
 apiVersion: v1
 kind: Endpoints
 metadata:
  name: gitlab
 subsets:
  - addresses:
      - ip: 192.168.21.200
    ports:
      - name: app
        port: 9080
        protocol: TCP
 ---
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: gitlab-ingress
 spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`gitlab.durp.info`) && PathPrefix(`/`)
      kind: Rule
      services:
        - name: gitlab
          port: 9080
          scheme: http
  tls:
    secretName: gitlab-tls
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: gitlab-tls
 spec:
  secretName: gitlab-tls
  issuerRef:
    name: letsencrypt-production
    kind: ClusterIssuer
  commonName: "gitlab.durp.info"
  dnsNames:
    - "gitlab.durp.info"
 ---
 kind: Service
 apiVersion: v1
 metadata:
  name: gitlab-external-dns
  annotations:
    external-dns.alpha.kubernetes.io/hostname: gitlab.durp.info
 spec:
  type: ExternalName
  externalName: durp.info
--- a/dmz/internalproxy/templates/grafana.yaml
+++ b/dmz/internalproxy/templates/grafana.yaml
@@ -0,0 +1,40 @@
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: grafana-ingress
 spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`grafana.durp.info`) && PathPrefix(`/`)
      kind: Rule
      services:
        - name: infra-cluster
          port: 443
  tls:
    secretName: grafana-tls
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: grafana-tls
 spec:
  issuerRef:
    name: letsencrypt-production
    kind: ClusterIssuer
  secretName: grafana-tls
  commonName: "grafana.durp.info"
  dnsNames:
    - "grafana.durp.info"
 ---
 kind: Service
 apiVersion: v1
 metadata:
  name: grafana-external-dns
  annotations:
    external-dns.alpha.kubernetes.io/hostname: grafana.durp.info
 spec:
  type: ExternalName
  externalName: durp.info
--- a/dmz/internalproxy/templates/invidious.yaml
+++ b/dmz/internalproxy/templates/invidious.yaml
@@ -0,0 +1,74 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: invidious
 spec:
  ports:
  - name: app
    port: 3000
    protocol: TCP
    targetPort: 3000
  clusterIP: None
  type: ClusterIP
 ---
 apiVersion: v1
 kind: Endpoints
 metadata:
  name: invidious
 subsets:
 - addresses:
  - ip: 192.168.20.104
  ports:
  - name: app
    port: 3000
    protocol: TCP
 ---    
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: invidious-ingress
 spec:
  entryPoints:
    - websecure
  routes:
  - match: Host(`invidious.durp.info`) && PathPrefix(`/`)
    middlewares:
    - name: authentik-proxy-provider
      namespace: traefik  
    kind: Rule
    services:
    - name: invidious
      port: 3000
  tls:
    secretName: invidious-tls
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: invidious-tls
 spec:
  secretName: invidious-tls
  issuerRef:
    name: letsencrypt-production
    kind: ClusterIssuer
  commonName: "invidious.durp.info"
  dnsNames:
  - "invidious.durp.info"  
 ---
 kind: Service
 apiVersion: v1
 metadata:
  name: invidious-external-dns
  annotations:
    external-dns.alpha.kubernetes.io/hostname: invidious.durp.info
 spec:
  type: ExternalName
  externalName: durp.info
--- a/dmz/internalproxy/templates/n8n.yaml
+++ b/dmz/internalproxy/templates/n8n.yaml
@@ -0,0 +1,68 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: n8n
 spec:
  ports:
    - name: app
      port: 5678
      protocol: TCP
      targetPort: 5678
  clusterIP: None
  type: ClusterIP
 ---
 apiVersion: v1
 kind: Endpoints
 metadata:
  name: n8n
 subsets:
  - addresses:
      - ip: 192.168.21.200
    ports:
      - name: app
        port: 5678
        protocol: TCP
 ---
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: n8n-ingress
 spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`n8n.durp.info`) && PathPrefix(`/`)
      kind: Rule
      services:
        - name: n8n
          port: 5678
          scheme: http
  tls:
    secretName: n8n-tls
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: n8n-tls
 spec:
  secretName: n8n-tls
  issuerRef:
    name: letsencrypt-production
    kind: ClusterIssuer
  commonName: "n8n.durp.info"
  dnsNames:
    - "n8n.durp.info"
 ---
 kind: Service
 apiVersion: v1
 metadata:
  name: n8n-dns
  annotations:
    dns.alpha.kubernetes.io/hostname: n8n.durp.info
 spec:
  type: ExternalName
  externalName: durp.info
--- a/dmz/internalproxy/templates/octopus.yaml
+++ b/dmz/internalproxy/templates/octopus.yaml
@@ -15,7 +15,6 @@ spec:
    secretName: octopus-tls
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
@@ -30,7 +29,6 @@ spec:
    - "octopus.durp.info"
 ---
 kind: Service
 apiVersion: v1
 metadata:
--- a/dmz/internalproxy/templates/ollama.yaml
+++ b/dmz/internalproxy/templates/ollama.yaml
@@ -1,4 +1,4 @@
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: ollama-secret
--- a/dmz/internalproxy/templates/redlib.yaml
+++ b/dmz/internalproxy/templates/redlib.yaml
@@ -1,74 +1,74 @@
-apiVersion: v1
+#apiVersion: v1
-kind: Service
+#kind: Service
-metadata:
+#metadata:
-  name: redlib
+#  name: redlib
-spec:
+#spec:
-  ports:
+#  ports:
-  - name: app
+#  - name: app
-    port: 8082
+#    port: 8082
-    protocol: TCP
+#    protocol: TCP
-    targetPort: 8082
+#    targetPort: 8082
-  clusterIP: None
+#  clusterIP: None
-  type: ClusterIP
+#  type: ClusterIP
-
+#
---
+#---
-
+#
-apiVersion: v1
+#apiVersion: v1
-kind: Endpoints
+#kind: Endpoints
-metadata:
+#metadata:
-  name: redlib
+#  name: redlib
-subsets:
+#subsets:
- addresses:
+#- addresses:
-  - ip: 192.168.21.200
+#  - ip: 192.168.21.200
-  ports:
+#  ports:
-  - name: app
+#  - name: app
-    port: 8082
+#    port: 8082
-    protocol: TCP
+#    protocol: TCP
-
+#
---    
+#---    
-
+#
-apiVersion: traefik.io/v1alpha1
+#apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
+#kind: IngressRoute
-metadata:
+#metadata:
-  name: redlib-ingress
+#  name: redlib-ingress
-spec:
+#spec:
-  entryPoints:
+#  entryPoints:
-    - websecure
+#    - websecure
-  routes:
+#  routes:
-  - match: Host(`redlib.durp.info`) && PathPrefix(`/`)
+#  - match: Host(`redlib.durp.info`) && PathPrefix(`/`)
-    middlewares:
+#    middlewares:
-    - name: authentik-proxy-provider
+#    - name: authentik-proxy-provider
-      namespace: traefik  
+#      namespace: traefik  
-    kind: Rule
+#    kind: Rule
-    services:
+#    services:
-    - name: redlib
+#    - name: redlib
-      port: 8082
+#      port: 8082
-  tls:
+#  tls:
-    secretName: redlib-tls
+#    secretName: redlib-tls
-
+#
---
+#---
-
+#
-apiVersion: cert-manager.io/v1
+#apiVersion: cert-manager.io/v1
-kind: Certificate
+#kind: Certificate
-metadata:
+#metadata:
-  name: redlib-tls
+#  name: redlib-tls
-spec:
+#spec:
-  secretName: redlib-tls
+#  secretName: redlib-tls
-  issuerRef:
+#  issuerRef:
-    name: letsencrypt-production
+#    name: letsencrypt-production
-    kind: ClusterIssuer
+#    kind: ClusterIssuer
-  commonName: "redlib.durp.info"
+#  commonName: "redlib.durp.info"
-  dnsNames:
+#  dnsNames:
-  - "redlib.durp.info"  
+#  - "redlib.durp.info"  
-
+#
---
+#---
-
+#
-kind: Service
+#kind: Service
-apiVersion: v1
+#apiVersion: v1
-metadata:
+#metadata:
-  name: redlib-external-dns
+#  name: redlib-external-dns
-  annotations:
+#  annotations:
-    external-dns.alpha.kubernetes.io/hostname: redlib.durp.info
+#    external-dns.alpha.kubernetes.io/hostname: redlib.durp.info
-spec:
+#spec:
-  type: ExternalName
+#  type: ExternalName
-  externalName: durp.info
+#  externalName: durp.info
--- a/dmz/internalproxy/templates/registry.yaml
+++ b/dmz/internalproxy/templates/registry.yaml
@@ -4,29 +4,27 @@ metadata:
  name: registry
 spec:
  ports:
-  - name: app
+    - name: app
-    port: 5000
+      port: 5000
-    protocol: TCP
+      protocol: TCP
-    targetPort: 5000
+      targetPort: 5000
  clusterIP: None
  type: ClusterIP
 ---
 apiVersion: v1
 kind: Endpoints
 metadata:
  name: registry
 subsets:
- addresses:
+  - addresses:
-  - ip: 192.168.21.200
+      - ip: 192.168.21.200
-  ports:
+    ports:
-  - name: app
+      - name: app
-    port: 5000
+        port: 5000
-    protocol: TCP
+        protocol: TCP
 ---    
 ---
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
@@ -35,16 +33,18 @@ spec:
  entryPoints:
    - websecure
  routes:
-  - match: Host(`registry.durp.info`) && PathPrefix(`/`)
+    - match: Host(`registry.durp.info`) && PathPrefix(`/`)
-    kind: Rule
+      kind: Rule
-    services:
+      middlewares:
-    - name: registry
+        - name: whitelist
-      port: 5000
+          namespace: traefik
      services:
        - name: registry
          port: 5000
  tls:
    secretName: registry-tls
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
@@ -56,16 +56,15 @@ spec:
    kind: ClusterIssuer
  commonName: "registry.durp.info"
  dnsNames:
-  - "registry.durp.info"  
+    - "registry.durp.info"
 ---
-
+#kind: Service
-kind: Service
+#apiVersion: v1
-apiVersion: v1
+#metadata:
-metadata:
+#  name: registry-external-dns
-  name: registry-external-dns
+#  annotations:
-  annotations:
+#    external-dns.alpha.kubernetes.io/hostname: registry.durp.info
-    external-dns.alpha.kubernetes.io/hostname: registry.durp.info
+#spec:
-spec:
+#  type: ExternalName
-  type: ExternalName
+#  externalName: durp.info
  externalName: durp.info
--- a/dmz/internalproxy/templates/speedtest.yaml
+++ b/dmz/internalproxy/templates/speedtest.yaml
@@ -1,74 +1,74 @@
-apiVersion: v1
+#apiVersion: v1
-kind: Service
+#kind: Service
-metadata:
+#metadata:
-  name: speedtest
+#  name: speedtest
-spec:
+#spec:
-  ports:
+#  ports:
-  - name: app
+#  - name: app
-    port: 6580
+#    port: 6580
-    protocol: TCP
+#    protocol: TCP
-    targetPort: 6580
+#    targetPort: 6580
-  clusterIP: None
+#  clusterIP: None
-  type: ClusterIP
+#  type: ClusterIP
-
+#
---
+#---
-
+#
-apiVersion: v1
+#apiVersion: v1
-kind: Endpoints
+#kind: Endpoints
-metadata:
+#metadata:
-  name: speedtest
+#  name: speedtest
-subsets:
+#subsets:
- addresses:
+#- addresses:
-  - ip: 192.168.21.200
+#  - ip: 192.168.21.200
-  ports:
+#  ports:
-  - name: app
+#  - name: app
-    port: 6580
+#    port: 6580
-    protocol: TCP
+#    protocol: TCP
-
+#
---    
+#---    
-
+#
-apiVersion: traefik.io/v1alpha1
+#apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
+#kind: IngressRoute
-metadata:
+#metadata:
-  name: speedtest-ingress
+#  name: speedtest-ingress
-spec:
+#spec:
-  entryPoints:
+#  entryPoints:
-    - websecure
+#    - websecure
-  routes:
+#  routes:
-  - match: Host(`speedtest.durp.info`) && PathPrefix(`/`)
+#  - match: Host(`speedtest.durp.info`) && PathPrefix(`/`)
-    kind: Rule
+#    kind: Rule
-    middlewares:
+#    middlewares:
-    - name: authentik-proxy-provider
+#    - name: authentik-proxy-provider
-      namespace: traefik 
+#      namespace: traefik 
-    services:
+#    services:
-    - name: speedtest
+#    - name: speedtest
-      port: 6580
+#      port: 6580
-  tls:
+#  tls:
-    secretName: speedtest-tls
+#    secretName: speedtest-tls
-
+#
---
+#---
-
+#
-apiVersion: cert-manager.io/v1
+#apiVersion: cert-manager.io/v1
-kind: Certificate
+#kind: Certificate
-metadata:
+#metadata:
-  name: speedtest-tls
+#  name: speedtest-tls
-spec:
+#spec:
-  secretName: speedtest-tls
+#  secretName: speedtest-tls
-  issuerRef:
+#  issuerRef:
-    name: letsencrypt-production
+#    name: letsencrypt-production
-    kind: ClusterIssuer
+#    kind: ClusterIssuer
-  commonName: "speedtest.durp.info"
+#  commonName: "speedtest.durp.info"
-  dnsNames:
+#  dnsNames:
-  - "speedtest.durp.info"  
+#  - "speedtest.durp.info"  
-
+#
---
+#---
-
+#
-kind: Service
+#kind: Service
-apiVersion: v1
+#apiVersion: v1
-metadata:
+#metadata:
-  name: speedtest-external-dns
+#  name: speedtest-external-dns
-  annotations:
+#  annotations:
-    external-dns.alpha.kubernetes.io/hostname: speedtest.durp.info
+#    external-dns.alpha.kubernetes.io/hostname: speedtest.durp.info
-spec:
+#spec:
-  type: ExternalName
+#  type: ExternalName
-  externalName: durp.info
+#  externalName: durp.info
--- a/dmz/istio-system/Chart.yaml
+++ b/dmz/istio-system/Chart.yaml
@@ -8,10 +8,10 @@ appVersion: 0.0.1
 dependencies:
  - name: base
    repository: https://istio-release.storage.googleapis.com/charts
-    version: 1.25.1
+    version: 1.26.2
  - name: istiod
    repository: https://istio-release.storage.googleapis.com/charts
-    version: 1.25.1
+    version: 1.26.2
  - name: gateway
    repository: https://istio-release.storage.googleapis.com/charts
-    version: 1.25.1
+    version: 1.26.2
--- a/dmz/longhorn/Chart.yaml
+++ b/dmz/longhorn/Chart.yaml
@@ -0,0 +1,12 @@
 apiVersion: v2
 name: longhorn-system
 description: A Helm chart for Kubernetes
 type: application
 version: 0.1.0
 appVersion: "1.16.0"
 dependencies:
 - name: longhorn
  repository: https://charts.longhorn.io
  version: 1.9.0
--- a/dmz/longhorn/templates/ingress.yaml
+++ b/dmz/longhorn/templates/ingress.yaml
@@ -0,0 +1,34 @@
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: longhorn-ingress
  annotations:
    cert-manager.io/cluster-issuer: vault-issuer
 spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`longhorn.dmz.durp.info`) && PathPrefix(`/`)
      kind: Rule
      middlewares:
        - name: authentik-proxy-provider
          namespace: traefik
      services:
        - name: longhorn-frontend
          port: 80
  tls:
    secretName: longhorn-tls
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: longhorn-tls
 spec:
  secretName: longhorn-tls
  issuerRef:
    name: vault-issuer
    kind: ClusterIssuer
  commonName: "longhorn.dmz.durp.info"
  dnsNames:
    - "longhorn.dmz.durp.info"
--- a/dmz/longhorn/templates/secrets.yaml
+++ b/dmz/longhorn/templates/secrets.yaml
@@ -0,0 +1,30 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: vault
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: external-longhorn-backup-token-secret
 spec:
  secretStoreRef:
    name: vault
    kind: ClusterSecretStore
  target:
    name: longhorn-backup-token-secret
  data:
  - secretKey: AWS_ACCESS_KEY_ID
    remoteRef:
      key: kv/longhorn/backup
      property: AWS_ACCESS_KEY_ID
  - secretKey: AWS_ENDPOINTS 
    remoteRef:
      key: kv/longhorn/backup
      property: AWS_ENDPOINTS 
  - secretKey: AWS_SECRET_ACCESS_KEY
    remoteRef:
      key: kv/longhorn/backup
      property: AWS_SECRET_ACCESS_KEY
--- a/dmz/longhorn/values.yaml
+++ b/dmz/longhorn/values.yaml
@@ -0,0 +1,192 @@
 longhorn: 
  global:
    cattle:
      systemDefaultRegistry: ""
  image:
    longhorn:
      engine:
        repository: longhornio/longhorn-engine
      manager:
        repository: longhornio/longhorn-manager
      ui:
        repository: longhornio/longhorn-ui
      instanceManager:
        repository: longhornio/longhorn-instance-manager
      shareManager:
        repository: longhornio/longhorn-share-manager
      backingImageManager:
        repository: longhornio/backing-image-manager
    csi:
      attacher:
        repository: longhornio/csi-attacher
      provisioner:
        repository: longhornio/csi-provisioner
      nodeDriverRegistrar:
        repository: longhornio/csi-node-driver-registrar
      resizer:
        repository: longhornio/csi-resizer
      snapshotter:
        repository: longhornio/csi-snapshotter
    pullPolicy: Always
  service:
    ui:
      type: ClusterIP
      nodePort: null
    manager:
      type: ClusterIP
      nodePort: ""
      loadBalancerIP: ""
      loadBalancerSourceRanges: ""
  persistence:
    defaultClass: true
    defaultFsType: ext4
    defaultClassReplicaCount: 3
    defaultDataLocality: disabled # best-effort otherwise
    reclaimPolicy: Delete
    migratable: false
    recurringJobSelector:
      enable: true
      jobList: '[
          {
            "name":"backup", 
            "task":"backup", 
            "cron":"0 0 * * *", 
            "retain":24
          }
        ]'
    backingImage:
      enable: false
      name: ~
      dataSourceType: ~
      dataSourceParameters: ~
      expectedChecksum: ~
  csi:
    kubeletRootDir: ~
    attacherReplicaCount: ~
    provisionerReplicaCount: ~
    resizerReplicaCount: ~
    snapshotterReplicaCount: ~
  defaultSettings:
    backupTarget: S3://longhorn-master@us-east-1/
    backupTargetCredentialSecret: longhorn-backup-token-secret
    allowRecurringJobWhileVolumeDetached: ~
    createDefaultDiskLabeledNodes: ~
    defaultDataPath: ~
    defaultDataLocality: ~
    replicaSoftAntiAffinity: ~
    replicaAutoBalance: ~
    storageOverProvisioningPercentage: ~
    storageMinimalAvailablePercentage: ~
    upgradeChecker: ~
    defaultReplicaCount: ~
    defaultLonghornStaticStorageClass: longhorn
    backupstorePollInterval: ~
    taintToleration: ~
    systemManagedComponentsNodeSelector: ~
    priorityClass: ~
    autoSalvage: ~
    autoDeletePodWhenVolumeDetachedUnexpectedly: ~
    disableSchedulingOnCordonedNode: ~
    replicaZoneSoftAntiAffinity: ~
    nodeDownPodDeletionPolicy: ~
    allowNodeDrainWithLastHealthyReplica: ~
    mkfsExt4Parameters: ~
    disableReplicaRebuild: ~
    replicaReplenishmentWaitInterval: ~
    concurrentReplicaRebuildPerNodeLimit: ~
    disableRevisionCounter: ~
    systemManagedPodsImagePullPolicy: ~
    allowVolumeCreationWithDegradedAvailability: ~
    autoCleanupSystemGeneratedSnapshot: ~
    concurrentAutomaticEngineUpgradePerNodeLimit: ~
    backingImageCleanupWaitInterval: ~
    backingImageRecoveryWaitInterval: ~
    guaranteedEngineManagerCPU: ~
    guaranteedReplicaManagerCPU: ~
    kubernetesClusterAutoscalerEnabled: ~
    orphanAutoDeletion: ~
    storageNetwork: ~
  privateRegistry:
    createSecret: ~
    registryUrl: ~
    registryUser: ~
    registryPasswd: ~
    registrySecret: ~
  longhornManager:
    priorityClass: ~
    tolerations: []
    ## If you want to set tolerations for Longhorn Manager DaemonSet, delete the `[]` in the line above
    ## and uncomment this example block
    # - key: "key"
    #   operator: "Equal"
    #   value: "value"
    #   effect: "NoSchedule"
    nodeSelector: {}
    ## If you want to set node selector for Longhorn Manager DaemonSet, delete the `{}` in the line above
    ## and uncomment this example block
    #  label-key1: "label-value1"
    #  label-key2: "label-value2"
  longhornDriver:
    priorityClass: ~
    tolerations: []
    ## If you want to set tolerations for Longhorn Driver Deployer Deployment, delete the `[]` in the line above
    ## and uncomment this example block
    # - key: "key"
    #   operator: "Equal"
    #   value: "value"
    #   effect: "NoSchedule"
    nodeSelector: {}
    ## If you want to set node selector for Longhorn Driver Deployer Deployment, delete the `{}` in the line above
    ## and uncomment this example block
    #  label-key1: "label-value1"
    #  label-key2: "label-value2"
  longhornUI:
    priorityClass: ~
    tolerations: []
    ## If you want to set tolerations for Longhorn UI Deployment, delete the `[]` in the line above
    ## and uncomment this example block
    # - key: "key"
    #   operator: "Equal"
    #   value: "value"
    #   effect: "NoSchedule"
    nodeSelector: {}
    ## If you want to set node selector for Longhorn UI Deployment, delete the `{}` in the line above
    ## and uncomment this example block
    #  label-key1: "label-value1"
    #  label-key2: "label-value2"
  resources: {}
    # We usually recommend not to specify default resources and to leave this as a conscious
    # choice for the user. This also increases chances charts run on environments with little
    # resources, such as Minikube. If you do want to specify resources, uncomment the following
    # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
    # limits:
    #  cpu: 100m
    #  memory: 128Mi
    # requests:
    #  cpu: 100m
    #  memory: 128Mi
    #
  ingress:
    enabled: false
  ## Specify override namespace, specifically this is useful for using longhorn as sub-chart
  ## and its release namespace is not the `longhorn-system`
  namespaceOverride: ""
  # Annotations to add to the Longhorn Manager DaemonSet Pods. Optional.
  annotations: {}
  serviceAccount:
    # Annotations to add to the service account
    annotations: {}
--- a/dmz/metallb-system/Chart.yaml
+++ b/dmz/metallb-system/Chart.yaml
@@ -9,4 +9,4 @@ appVersion: "1.16.0"
 dependencies:
 - name: metallb
  repository: https://metallb.github.io/metallb
-  version: 0.14.9
+  version: 0.15.2
--- a/dmz/openspeedtest/Chart.yaml
+++ b/dmz/openspeedtest/Chart.yaml
@@ -0,0 +1,7 @@
 apiVersion: v2
 name: openspeedtest
 description: A Helm chart for Kubernetes
 type: application
 version: 0.1.0
 appVersion: "1.16.0"
--- a/dmz/openspeedtest/templates/deployment.yaml
+++ b/dmz/openspeedtest/templates/deployment.yaml
@@ -0,0 +1,33 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  namespace: openspeedtest
  name: openspeedtest
  labels:
    app: openspeedtest
 spec:
  selector:
    matchLabels:
      app: openspeedtest
  replicas: 1
  template:
    metadata:
      labels:
        app: openspeedtest
    spec:
      containers:
      - name: openspeedtest
        image: registry.durp.info/openspeedtest/latest
        imagePullPolicy: Always
        livenessProbe:
          httpGet:
            path: /
            port: 3000
        readinessProbe:
          httpGet:
            path: /
            port: 3000
        env:
        ports:
        - name: http
          containerPort: 3000
--- a/dmz/openspeedtest/templates/ingress.yaml
+++ b/dmz/openspeedtest/templates/ingress.yaml
@@ -0,0 +1,56 @@
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: openspeedtest-ingress
 spec:
  entryPoints:
    - websecure
  routes:
  - match: Host(`speedtest.durp.info`) && PathPrefix(`/`)
    kind: Rule
    middlewares:
    - name: authentik-proxy-provider
      namespace: traefik  
    - name: limit-buffering
    services:
    - name: openspeedtest
      port: 3000
  tls:
    secretName: openspeedtest-tls
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: openspeedtest-tls
 spec:
  secretName: openspeedtest-tls
  issuerRef:
    name: letsencrypt-production
    kind: ClusterIssuer
  commonName: "speedtest.durp.info"
  dnsNames:
  - "speedtest.durp.info"  
 ---
 kind: Service
 apiVersion: v1
 metadata:
  name: openspeedtest-external-dns
  annotations:
    external-dns.alpha.kubernetes.io/hostname: speedtest.durp.info
 spec:
  type: ExternalName
  externalName: durp.info
 ---
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: limit-buffering
 spec:
  buffering:
    maxRequestBodyBytes: 10000000000
--- a/dmz/openspeedtest/templates/service.yaml
+++ b/dmz/openspeedtest/templates/service.yaml
@@ -0,0 +1,12 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: openspeedtest
 spec:
  ports:
  - name: http
    port: 3000
    targetPort: 3000
    protocol: TCP 
  selector:
    app: openspeedtest
--- a/dmz/redlib/Chart.yaml
+++ b/dmz/redlib/Chart.yaml
@@ -0,0 +1,7 @@
 apiVersion: v2
 name: redlib
 description: A Helm chart for Kubernetes
 type: application
 version: 0.1.0
 appVersion: "1.16.0"
--- a/dmz/redlib/templates/deployment.yaml
+++ b/dmz/redlib/templates/deployment.yaml
@@ -0,0 +1,33 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  namespace: redlib
  name: redlib
  labels:
    app: redlib
 spec:
  selector:
    matchLabels:
      app: redlib
  replicas: 3
  template:
    metadata:
      labels:
        app: redlib
    spec:
      containers:
      - name: redlib
        image: registry.durp.info/redlib/redlib:latest
        imagePullPolicy: Always
        livenessProbe:
          httpGet:
            path: /
            port: 8080
        readinessProbe:
          httpGet:
            path: /
            port: 8080
        env:
        ports:
        - name: http
          containerPort: 8080
--- a/dmz/redlib/templates/ingress.yaml
+++ b/dmz/redlib/templates/ingress.yaml
@@ -0,0 +1,43 @@
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: redlib-ingress
 spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`redlib.durp.info`) && PathPrefix(`/`)
      kind: Rule
      middlewares:
        - name: authentik-proxy-provider
          namespace: traefik
      services:
        - name: redlib
          port: 8080
  tls:
    secretName: redlib-tls
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: redlib-tls
 spec:
  secretName: redlib-tls
  issuerRef:
    name: letsencrypt-production
    kind: ClusterIssuer
  commonName: "redlib.durp.info"
  dnsNames:
    - "redlib.durp.info"
 ---
 kind: Service
 apiVersion: v1
 metadata:
  name: redlib-external-dns
  annotations:
    external-dns.alpha.kubernetes.io/hostname: redlib.durp.info
 spec:
  type: ExternalName
  externalName: durp.info
--- a/dmz/redlib/templates/service.yaml
+++ b/dmz/redlib/templates/service.yaml
@@ -0,0 +1,12 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: redlib
 spec:
  ports:
  - name: http
    port: 8080
    targetPort: 8080
    protocol: TCP 
  selector:
    app: redlib
--- a/dmz/redlib/values.yaml
+++ b/dmz/redlib/values.yaml
--- a/dmz/terraform/main.tf
+++ b/dmz/terraform/main.tf
@@ -3,7 +3,7 @@ terraform {
  required_providers {
    proxmox = {
      source  = "Telmate/proxmox"
-      version = "3.0.1-rc6"
+      version = "3.0.1-rc9"
    }
  }
 }
--- a/dmz/traefik/Chart.yaml
+++ b/dmz/traefik/Chart.yaml
@@ -8,4 +8,4 @@ appVersion: 0.0.1
 dependencies:
 - name: traefik
  repository: https://traefik.github.io/charts
-  version: 34.0.0
+  version: 34.5.0
--- a/dmz/traefik/templates/middleware.yaml
+++ b/dmz/traefik/templates/middleware.yaml
@@ -1,11 +1,11 @@
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
-    name: authentik-proxy-provider
+  name: authentik-proxy-provider
-    namespace: traefik
+  namespace: traefik
 spec:
  forwardAuth:
-    address: http://ak-outpost-dmz-embedded-outpost.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik?rd=$scheme://$http_host$request_uri
+    address: http://ak-outpost-authentik-dmz-outpost.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik?rd=$scheme://$http_host$request_uri
    trustForwardHeader: true
    authResponseHeaders:
      - X-authentik-username
@@ -21,7 +21,6 @@ spec:
      - X-authentik-meta-version
 ---
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
@@ -33,3 +32,23 @@ spec:
      - 192.168.0.0/16
      - 172.16.0.0/12
      - 10.0.0.0/8
 ---
 #apiVersion: traefik.io/v1alpha1
 #kind: Middleware
 #metadata:
 #  name: bouncer
 #  namespace: traefik
 #spec:
 #  plugin:
 #    bouncer:
 #      enabled: true
 #      crowdsecMode: stream
 #      crowdsecLapiScheme: https
 #      crowdsecLapiTLSInsecureVerify: true
 #      crowdsecLapiHost: crowdsec-service.crowdsec:8080
 #      crowdsecLapiKey:
 #        valueFrom:
 #          secretKeyRef:
 #            name: crowdsec-lapi-key
 #            key: lapi-key
--- a/dmz/traefik/templates/secrets.yaml
+++ b/dmz/traefik/templates/secrets.yaml
@@ -0,0 +1,21 @@
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: crowdsec-lapi-key
 spec:
  secretStoreRef:
    name: vault
    kind: ClusterSecretStore
  target:
    name: crowdsec-lapi-key
  data:
    - secretKey: lapi-key
      remoteRef:
        key: kv/crowdsec/api
        property: key
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: vault
--- a/dmz/traefik/templates/traefik-dashboard.yaml
+++ b/dmz/traefik/templates/traefik-dashboard.yaml
@@ -1,34 +1,35 @@
-#apiVersion: traefik.io/v1alpha1
+apiVersion: traefik.io/v1alpha1
-#kind: IngressRoute
+kind: IngressRoute
-#metadata:
+metadata:
-#  name: traefik-ingress
+  name: traefik-ingress
-#spec:
+spec:
-#  entryPoints:
+  entryPoints:
-#    - websecure
+    - websecure
-#  routes:
+  routes:
-#  - match: Host(`traefik.durp.info`)
+    - match: Host(`traefik.dmz.durp.info`)
-#    kind: Rule
+      kind: Rule
-#    services:
+      middlewares:
-#    - name: api@internal
+        - name: whitelist
-#      kind: TraefikService
+          namespace: traefik
-#  tls:
+        - name: authentik-proxy-provider
-#    secretName: traefik-tls  
+          namespace: traefik
-#
+      services:
-#---
+        - name: api@internal
-#
+          kind: TraefikService
-#apiVersion: cert-manager.io/v1
+  tls:
-#kind: Certificate
+    secretName: traefik-tls
-#metadata:
+
-#  name: traefik-tls
+---
-#  namespace: traefik
+apiVersion: cert-manager.io/v1
-#spec:
+kind: Certificate
-#  secretName: traefik-tls
+metadata:
-#  issuerRef:
+  name: traefik-tls
-#    name: letsencrypt-production
+  namespace: traefik
-#    kind: ClusterIssuer
+spec:
-#  commonName: "traefik.durp.info"
+  secretName: traefik-tls
-#  dnsNames:
+  issuerRef:
-#  - "traefik.durp.info"
+    name: vault-issuer
-#
+    kind: ClusterIssuer
-#---
+  commonName: "traefik.dmz.durp.info"
-#
+  dnsNames:
    - "traefik.dmz.durp.info"
--- a/dmz/traefik/values.yaml
+++ b/dmz/traefik/values.yaml
@@ -1,10 +1,10 @@
 traefik:
-  image: 
+  image:
    #    registry: registry.durp.info
    #    repository: traefik
    pullPolicy: Always
-  
+
-  providers:  
+  providers:
    kubernetesCRD:
      allowCrossNamespace: true
      allowExternalNameServices: true
@@ -18,40 +18,41 @@ traefik:
  #   - name: traefik-configmap
  #     mountPath: "/config"
  #     type: configMap
-  
+
  ingressRoute:
    dashboard:
      enabled: true
-  
+
-  additionalArguments: 
+  additionalArguments:
    #  - "--providers.file.filename=/config/config.yml"
    - "--serversTransport.insecureSkipVerify=true"
    - "--log.level=DEBUG"
    - --experimental.plugins.jwt.moduleName=github.com/traefik-plugins/traefik-jwt-plugin
    - --experimental.plugins.jwt.version=v0.7.0
-  
+    - --experimental.plugins.bouncer.moduleName=github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin
    - --experimental.plugins.bouncer.version=v1.4.2
  autoscaling:
    enabled: true
    minReplicas: 3
    maxReplicas: 10
    metrics:
-    - type: Resource
+      - type: Resource
-      resource:
+        resource:
-        name: cpu
+          name: cpu
-        target:
+          target:
-          type: Utilization
+            type: Utilization
-          averageUtilization: 80
+            averageUtilization: 80
    behavior:
      scaleDown:
        stabilizationWindowSeconds: 300
        policies:
-        - type: Pods
+          - type: Pods
-          value: 1
+            value: 1
-          periodSeconds: 60
+            periodSeconds: 60
-  
+
  # -- [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for `traefik` container.
-  resources: 
+  resources:
    requests:
      cpu: "100m"
      memory: "512Mi"
--- a/dmz/vault/Chart.yaml
+++ b/dmz/vault/Chart.yaml
@@ -8,5 +8,5 @@ appVersion: 0.0.1
 dependencies:
 - name: vault
  repository: https://helm.releases.hashicorp.com  
-  version: 0.29.1
+  version: 0.30.0
--- a/dmz/vault/templates/secret-store.yaml
+++ b/dmz/vault/templates/secret-store.yaml
@@ -1,4 +1,4 @@
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ClusterSecretStore
 metadata:
  name: vault
--- a/infra/argocd/Chart.yaml
+++ b/infra/argocd/Chart.yaml
@@ -9,4 +9,4 @@ appVersion: "1.16.0"
 dependencies:
 - name: argo-cd
  repository: https://argoproj.github.io/argo-helm
-  version: 6.11.1
+  version: 8.1.3
--- a/infra/argocd/templates/argocd-crossplane.yaml
+++ b/infra/argocd/templates/argocd-crossplane.yaml
@@ -0,0 +1,101 @@
 #apiVersion: external-secrets.io/v1
 #kind: ExternalSecret
 #metadata:
 #  name: argocd-secret-crossplane
 #spec:
 #  secretStoreRef:
 #    name: vault
 #    kind: ClusterSecretStore
 #  target:
 #    name: argocd-secret-crossplane
 #  data:
 #    - secretKey: authToken
 #      remoteRef:
 #        key: kv/argocd/provider-argocd
 #        property: token
 #
 #---
 #apiVersion: external-secrets.io/v1
 #kind: ExternalSecret
 #metadata:
 #  name: prod-kubeconfig
 #spec:
 #  secretStoreRef:
 #    name: vault
 #    kind: ClusterSecretStore
 #  target:
 #    name: prod-kubeconfig
 #  data:
 #    - secretKey: kubeconfig
 #      remoteRef:
 #        key: kv/argocd/prd
 #        property: kubeconfig
 #
 #---
 #apiVersion: argocd.crossplane.io/v1alpha1
 #kind: ProviderConfig
 #metadata:
 #  name: argocd-provider
 #spec:
 #  serverAddr: argocd-server.argocd.svc:443
 #  insecure: true
 #  plainText: false
 #  credentials:
 #    source: Secret
 #    secretRef:
 #      namespace: argocd
 #      name: argocd-secret-crossplane
 #      key: authToken
 #
 #---
 #apiVersion: cluster.argocd.crossplane.io/v1alpha1
 #kind: Cluster
 #metadata:
 #  name: prd
 #  labels:
 #    purpose: prd
 #spec:
 #  forProvider:
 #    name: prd
 #    config:
 #      kubeconfigSecretRef:
 #        name: prod-kubeconfig
 #        namespace: argocd
 #        key: kubeconfig
 #  providerConfigRef:
 #    name: argocd-provider
 #
 #---
 #apiVersion: external-secrets.io/v1
 #kind: ExternalSecret
 #metadata:
 #  name: dev-kubeconfig
 #spec:
 #  secretStoreRef:
 #    name: vault
 #    kind: ClusterSecretStore
 #  target:
 #    name: dev-kubeconfig
 #  data:
 #    - secretKey: kubeconfig
 #      remoteRef:
 #        key: kv/argocd/dev
 #        property: kubeconfig
 #
 #---
 #apiVersion: cluster.argocd.crossplane.io/v1alpha1
 #kind: Cluster
 #metadata:
 #  name: dev
 #  labels:
 #    purpose: dev
 #spec:
 #  forProvider:
 #    name: dev
 #    config:
 #      kubeconfigSecretRef:
 #        name: dev-kubeconfig
 #        namespace: argocd
 #        key: kubeconfig
 #  providerConfigRef:
 #    name: argocd-provider
--- a/infra/argocd/templates/argocd.yaml
+++ b/infra/argocd/templates/argocd.yaml
@@ -21,7 +21,7 @@ spec:
 ---
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: vault-argocd
--- a/infra/argocd/templates/authentik.yaml
+++ b/infra/argocd/templates/authentik.yaml
@@ -18,12 +18,11 @@ spec:
    #    istio-injection: enabled
    automated:
      prune: true
-      selfHeal: true  
+      selfHeal: true
    syncOptions:
-      - CreateNamespace=true 
+      - CreateNamespace=true
 ---
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
@@ -41,7 +40,6 @@ spec:
  syncPolicy:
    automated:
      prune: true
-      selfHeal: true  
+      selfHeal: true
    syncOptions:
-      - CreateNamespace=true 
+      - CreateNamespace=true
--- a/infra/argocd/templates/crowdsec.yaml
+++ b/infra/argocd/templates/crowdsec.yaml
@@ -0,0 +1,20 @@
 #apiVersion: argoproj.io/v1alpha1
 #kind: Application
 #metadata:
 #  name: crowdsec
 #  namespace: argocd
 #spec:
 #  project: default
 #  source:
 #    repoURL: https://gitlab.com/developerdurp/homelab.git
 #    targetRevision: main
 #    path: dmz/crowdsec
 #  destination:
 #    namespace: crowdsec
 #    name: dmz
 #  syncPolicy:
 #    automated:
 #      prune: true
 #      selfHeal: true
 #    syncOptions:
 #      - CreateNamespace=true
--- a/infra/argocd/templates/istio.yaml
+++ b/infra/argocd/templates/istio.yaml
@@ -18,17 +18,16 @@ spec:
        topology.istio.io/network: network1
    automated:
      prune: true
-      selfHeal: true  
+      selfHeal: true
    syncOptions:
-      - CreateNamespace=true 
+      - CreateNamespace=true
  ignoreDifferences:
-  - group: admissionregistration.k8s.io
+    - group: admissionregistration.k8s.io
-    kind: ValidatingWebhookConfiguration
+      kind: ValidatingWebhookConfiguration
-    jsonPointers:
+      jsonPointers:
-    - /webhooks/0/failurePolicy
+        - /webhooks/0/failurePolicy
 ---
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
@@ -53,7 +52,7 @@ spec:
    syncOptions:
      - CreateNamespace=true
  ignoreDifferences:
-  - group: admissionregistration.k8s.io
+    - group: admissionregistration.k8s.io
-    kind: ValidatingWebhookConfiguration
+      kind: ValidatingWebhookConfiguration
-    jsonPointers:
+      jsonPointers:
-    - /webhooks/0/failurePolicy
+        - /webhooks/0/failurePolicy
--- a/infra/argocd/templates/kube-prometheus-stack.yaml
+++ b/infra/argocd/templates/kube-prometheus-stack.yaml
@@ -0,0 +1,20 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: kube-prometheus-stack
  namespace: argocd
 spec:
  project: default
  source:
    repoURL: https://gitlab.com/developerdurp/homelab.git
    targetRevision: main
    path: infra/kube-prometheus-stack
  destination:
    namespace: kube-prometheus-stack
    name: in-cluster
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=true
--- a/infra/argocd/templates/longhorn.yaml
+++ b/infra/argocd/templates/longhorn.yaml
@@ -15,7 +15,33 @@ spec:
  syncPolicy:
    automated:
      prune: true
-      selfHeal: true  
+      selfHeal: true
    syncOptions:
-      - CreateNamespace=true 
+      - CreateNamespace=true
  ignoreDifferences:
    - group: engineimages.longhorn.io
      jsonPointers:
        - /spec/preserveUnknownFields
      kind: CustomResourceDefinition
 ---
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: longhorn-system-dmz
  namespace: argocd
 spec:
  project: default
  source:
    repoURL: https://gitlab.com/developerdurp/homelab.git
    targetRevision: main
    path: dmz/longhorn
  destination:
    namespace: longhorn-system
    name: dmz
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=true
--- a/infra/argocd/templates/octopusdeploy.yaml
+++ b/infra/argocd/templates/octopusdeploy.yaml
@@ -20,7 +20,6 @@ spec:
      - CreateNamespace=true
 ---
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
@@ -33,7 +32,7 @@ spec:
    targetRevision: main
    path: infra/octopus-agent
  destination:
-    namespace: octpus-agent
+    namespace: octopus-agent
    name: in-cluster
  syncPolicy:
    automated:
@@ -41,4 +40,3 @@ spec:
      selfHeal: true
    syncOptions:
      - CreateNamespace=true
--- a/infra/argocd/templates/openspeedtest.yaml
+++ b/infra/argocd/templates/openspeedtest.yaml
@@ -0,0 +1,22 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: openspeedtest
  namespace: argocd
 spec:
  project: default
  source:
    repoURL: https://gitlab.com/developerdurp/homelab.git
    targetRevision: main
    path: dmz/openspeedtest
    directory:
      recurse: true
  destination:
    name: dmz
    namespace: openspeedtest
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=true
--- a/infra/argocd/templates/redlib.yaml
+++ b/infra/argocd/templates/redlib.yaml
@@ -0,0 +1,22 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: redlib
  namespace: argocd
 spec:
  project: default
  source:
    repoURL: https://gitlab.com/developerdurp/homelab.git
    targetRevision: main
    path: dmz/redlib
    directory:
      recurse: true
  destination:
    name: dmz
    namespace: redlib
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=true
--- a/infra/argocd/values.yaml
+++ b/infra/argocd/values.yaml
@@ -1,27 +1,26 @@
 argo-cd:
  global:
    revisionHistoryLimit: 1
    image:
      repository: registry.durp.info/argoproj/argocd
      imagePullPolicy: Always
-  server:
+  #server:
-    #extraArgs:
+  #extraArgs:
-    #  - --dex-server-plaintext
+  #  - --dex-server-plaintext
-    #  - --dex-server=argocd-dex-server:5556
+  #  - --dex-server=argocd-dex-server:5556
-    # oidc.config: |
+  # oidc.config: |
-    #   name: AzureAD
+  #   name: AzureAD
-    #   issuer: https://login.microsoftonline.com/TENANT_ID/v2.0
+  #   issuer: https://login.microsoftonline.com/TENANT_ID/v2.0
-    #   clientID: CLIENT_ID
+  #   clientID: CLIENT_ID
-    #   clientSecret: $oidc.azuread.clientSecret
+  #   clientSecret: $oidc.azuread.clientSecret
-    #   requestedIDTokenClaims:
+  #   requestedIDTokenClaims:
-    #     groups:
+  #     groups:
-    #       essential: true
+  #       essential: true
-    #   requestedScopes:
+  #   requestedScopes:
-    #     - openid
+  #     - openid
-    #     - profile
+  #     - profile
-    #     - email
+  #     - email
  dex:
    enabled: true
@@ -35,6 +34,7 @@ argo-cd:
      annotations: {}
      url: https://argocd.infra.durp.info
      oidc.tls.insecure.skip.verify: "true"
      accounts.provider-argocd: apiKey
      dex.config: |
        connectors:
          - config:
@@ -50,13 +50,15 @@ argo-cd:
            name: authentik
            type: oidc
            id: authentik
      resource.exclusions: ""
    rbac:
      create: true
      policy.csv: |
        g, ArgoCD Admins, role:admin
        g, provider-argocd, role:admin
      scopes: "[groups]"
  server:
-    route: 
+    route:
-      enabled: false
+      enabled: false
--- a/infra/authentik/Chart.yaml
+++ b/infra/authentik/Chart.yaml
@@ -7,6 +7,7 @@ version: 0.1.0
 appVersion: "1.16.0"
 dependencies:
- name: authentik
+  - name: authentik
-  repository: https://charts.goauthentik.io
+    repository: https://charts.goauthentik.io
-  version: 2024.8.3
+    version: 2025.4.1
--- a/infra/authentik/templates/ingress.yaml
+++ b/infra/authentik/templates/ingress.yaml
@@ -6,16 +6,20 @@ spec:
  entryPoints:
    - websecure
  routes:
-  - match: Host(`authentik.durp.info`) && PathPrefix(`/`) 
+    - match: Host(`authentik.durp.info`) && PathPrefix(`/`)
-    kind: Rule
+      kind: Rule
-    services:
+      services:
-    - name: authentik-server
+        - name: authentik-server
-      port: 80
+          port: 80
    - match: Host(`authentik.durp.info`) && PathPrefix(`/outpost.goauthentik.io`)
      kind: Rule
      services:
        - name: ak-outpost-authentik-embedded-outpost
          port: 9000
  tls:
    secretName: authentik-tls
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
@@ -27,5 +31,4 @@ spec:
    kind: ClusterIssuer
  commonName: "authentik.durp.info"
  dnsNames:
-  - "authentik.durp.info" 
+    - "authentik.durp.info"
--- a/infra/authentik/templates/secrets.yaml
+++ b/infra/authentik/templates/secrets.yaml
@@ -1,4 +1,4 @@
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: authentik-secret
--- a/infra/authentik/values.yaml
+++ b/infra/authentik/values.yaml
@@ -1,6 +1,8 @@
 authentik:
  global:
-    env: 
+    security:
      allowInsecureImages: true
    env:
      - name: AUTHENTIK_POSTGRESQL__PASSWORD
        valueFrom:
          secretKeyRef:
@@ -19,7 +21,7 @@ authentik:
    outposts:
      container_image_base: registry.durp.info/goauthentik/%(type)s:%(version)s
    postgresql:
-      host: '{{ .Release.Name }}-postgresql-hl'
+      host: "{{ .Release.Name }}-postgresql-hl"
      name: "authentik"
      user: "authentik"
      port: 5432
@@ -36,7 +38,7 @@ authentik:
      pullPolicy: Always
    postgresqlUsername: "authentik"
    postgresqlDatabase: "authentik"
-    existingSecret: db-pass 
+    existingSecret: db-pass
    persistence:
      enabled: true
      storageClass: longhorn
@@ -47,7 +49,7 @@ authentik:
    enabled: true
    master:
      persistence:
-        enabled: false    
+        enabled: false
    image:
      registry: registry.durp.info
      repository: bitnami/redis
--- a/infra/bitwarden/templates/deployment.yaml
+++ b/infra/bitwarden/templates/deployment.yaml
@@ -16,35 +16,35 @@ spec:
        app: bitwarden
    spec:
      containers:
-      - name: bitwarden
+        - name: bitwarden
-        image: registry.durp.info/vaultwarden/server:1.32.7
+          image: registry.durp.info/vaultwarden/server:1.34.3
-        imagePullPolicy: Always
+          imagePullPolicy: Always
-        volumeMounts:
+          volumeMounts:
-        - name: bitwarden-pvc
+            - name: bitwarden-pvc
-          mountPath: /data
+              mountPath: /data
-          subPath: bitwaren-data              
+              subPath: bitwaren-data
-        ports:
+          ports:
-        - name: http
+            - name: http
-          containerPort: 80
+              containerPort: 80
-        env:
+          env:
-          - name: SIGNUPS_ALLOWED
+            - name: SIGNUPS_ALLOWED
-            value: "FALSE"
+              value: "FALSE"
-          - name: INVITATIONS_ALLOWED
+            - name: INVITATIONS_ALLOWED
-            value: "FALSE"                      
+              value: "FALSE"
-          - name: WEBSOCKET_ENABLED
+            - name: WEBSOCKET_ENABLED
-            value: "TRUE"          
+              value: "TRUE"
-          - name: ROCKET_ENV
+            - name: ROCKET_ENV
-            value: "staging"              
+              value: "staging"
-          - name: ROCKET_PORT
+            - name: ROCKET_PORT
-            value: "80"            
+              value: "80"
-          - name: ROCKET_WORKERS
+            - name: ROCKET_WORKERS
-            value: "10"
+              value: "10"
-          - name: SECRET_USERNAME
+            - name: SECRET_USERNAME
-            valueFrom:
+              valueFrom:
-              secretKeyRef:
+                secretKeyRef:
-                name: bitwarden-secret
+                  name: bitwarden-secret
-                key: ADMIN_TOKEN
+                  key: ADMIN_TOKEN
      volumes:
-      - name: bitwarden-pvc
+        - name: bitwarden-pvc
-        persistentVolumeClaim:
+          persistentVolumeClaim:
-          claimName: bitwarden-pvc             
+            claimName: bitwarden-pvc
--- a/infra/bitwarden/templates/secrets.yaml
+++ b/infra/bitwarden/templates/secrets.yaml
@@ -1,4 +1,4 @@
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: bitwarden-secret
--- a/infra/cert-manager/Chart.yaml
+++ b/infra/cert-manager/Chart.yaml
@@ -8,4 +8,4 @@ appVersion: 0.0.1
 dependencies:
 - name: cert-manager
  repository: https://charts.jetstack.io
-  version: v1.16.3
+  version: v1.17.2
--- a/infra/cert-manager/templates/secretvault.yaml
+++ b/infra/cert-manager/templates/secretvault.yaml
@@ -1,4 +1,4 @@
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: cloudflare-api-token-secret
--- a/infra/external-secrets/Chart.yaml
+++ b/infra/external-secrets/Chart.yaml
@@ -8,4 +8,4 @@ appVersion: 0.0.1
 dependencies:
 - name: external-secrets
  repository: https://charts.external-secrets.io
-  version: 0.15.0
+  version: 0.17.0
--- a/infra/external-secrets/values.yaml
+++ b/infra/external-secrets/values.yaml
@@ -1,7 +1,13 @@
 external-secrets:
-  replicaCount: 3
+  global:
    security:
      allowInsecureImages: true
  log:
    level: debug
  replicaCount: 1
  revisionHistoryLimit: 1
-  leaderElect: true
+  leaderElect: false
  installCRDs: true
  crds:
@@ -16,24 +22,24 @@ external-secrets:
    repository: registry.durp.info/external-secrets/external-secrets
    pullPolicy: Always
-  extraVolumes: 
+  extraVolumes:
    - name: ca-pemstore
      configMap:
        name: ca-pemstore
-  extraVolumeMounts: 
+  extraVolumeMounts:
    - name: ca-pemstore
      mountPath: /etc/ssl/certs/vault.pem
      subPath: vault.pem
      readOnly: true
-  resources: 
+  #  resources:
-    requests:
+  #    requests:
-      memory: 32Mi
+  #      memory: 32Mi
-      cpu: 10m
+  #      cpu: 10m
-    limits:
+  #    limits:
-      memory: 32Mi
+  #      memory: 32Mi
-      cpu: 10m
+  #      cpu: 10m
  webhook:
    log:
@@ -42,13 +48,13 @@ external-secrets:
      repository: registry.durp.info/external-secrets/external-secrets
      pullPolicy: Always
-    resources: 
+  #    resources:
-      requests:
+  #      requests:
-        memory: 32Mi
+  #        memory: 32Mi
-        cpu: 10m
+  #        cpu: 10m
-      limits:
+  #      limits:
-        memory: 32Mi
+  #        memory: 32Mi
-        cpu: 10m
+  #        cpu: 10m
  certController:
    create: false
@@ -61,7 +67,7 @@ external-secrets:
      pullPolicy: Always
      tag: ""
-    resources: 
+    resources:
      requests:
        memory: 32Mi
        cpu: 10m
--- a/infra/istio-system/Chart.yaml
+++ b/infra/istio-system/Chart.yaml
@@ -8,10 +8,10 @@ appVersion: 0.0.1
 dependencies:
 - name: base
  repository: https://istio-release.storage.googleapis.com/charts
-  version: 1.25.1
+  version: 1.26.2
 - name: istiod
  repository: https://istio-release.storage.googleapis.com/charts
-  version: 1.25.1
+  version: 1.26.2
 - name: gateway
  repository: https://istio-release.storage.googleapis.com/charts
-  version: 1.25.1
+  version: 1.26.2
--- a/infra/kube-prometheus-stack/Chart.yaml
+++ b/infra/kube-prometheus-stack/Chart.yaml
@@ -0,0 +1,12 @@
 apiVersion: v2
 name: kube-prometheus-stack
 description: A Helm chart for Kubernetes
 type: application
 version: 0.1.0
 appVersion: "1.16.0"
 dependencies:
  - name: kube-prometheus-stack
    repository: https://prometheus-community.github.io/helm-charts
    version: 77.10.0
--- a/infra/kube-prometheus-stack/templates/grafana-secrets-sealed.yaml
+++ b/infra/kube-prometheus-stack/templates/grafana-secrets-sealed.yaml
@@ -0,0 +1,46 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: vault
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: vault-grafana-oauth
 spec:
  secretStoreRef:
    name: vault
    kind: ClusterSecretStore
  target:
    name: grafana-oauth
  data:
    - secretKey: GF_AUTH_GENERIC_OAUTH_CLIENT_ID
      remoteRef:
        key: kv/grafana/oauth
        property: GF_AUTH_GENERIC_OAUTH_CLIENT_ID
    - secretKey: GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET
      remoteRef:
        key: kv/grafana/oauth
        property: GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: vault-admin-credentials
 spec:
  secretStoreRef:
    name: vault
    kind: ClusterSecretStore
  target:
    name: grafana-admin-credentials
  data:
    - secretKey: admin-password
      remoteRef:
        key: kv/grafana/admin
        property: password
    - secretKey: admin-user
      remoteRef:
        key: kv/grafana/admin
        property: user
--- a/infra/kube-prometheus-stack/templates/ingress.yaml
+++ b/infra/kube-prometheus-stack/templates/ingress.yaml
@@ -0,0 +1,77 @@
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: grafana-ingress
 spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`grafana.durp.info`) && PathPrefix(`/`)
      kind: Rule
      services:
        - name: grafana
          port: 80
  tls:
    secretName: grafana-tls
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: grafana-tls
 spec:
  secretName: grafana-tls
  issuerRef:
    name: letsencrypt-production
    kind: ClusterIssuer
  commonName: "grafana.durp.info"
  dnsNames:
    - "grafana.durp.info"
 ---
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: alertmanager-ingress
 spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`alertmanager.durp.info`) && PathPrefix(`/`)
      middlewares:
        - name: whitelist
          namespace: traefik
        - name: authentik-proxy-provider
          namespace: traefik
      kind: Rule
      services:
        - name: prometheus-alertmanager
          port: 9093
  tls:
    secretName: alertmanager-tls
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: alertmanager-tls
 spec:
  secretName: alertmanager-tls
  issuerRef:
    name: letsencrypt-production
    kind: ClusterIssuer
  commonName: "alertmanager.durp.info"
  dnsNames:
    - "alertmanager.durp.info"
 ---
 kind: Service
 apiVersion: v1
 metadata:
  name: grafana-external-dns
  annotations:
    external-dns.alpha.kubernetes.io/hostname: grafana.durp.info
 spec:
  type: ExternalName
  externalName: durp.info
--- a/infra/kube-prometheus-stack/values.yaml
+++ b/infra/kube-prometheus-stack/values.yaml
@@ -0,0 +1,203 @@
 kube-prometheus-stack:
  fullnameOverride: prometheus
  defaultRules:
    create: true
    rules:
      alertmanager: true
      etcd: true
      configReloaders: true
      general: true
      k8s: true
      kubeApiserverAvailability: true
      kubeApiserverBurnrate: true
      kubeApiserverHistogram: true
      kubeApiserverSlos: true
      kubelet: true
      kubeProxy: true
      kubePrometheusGeneral: true
      kubePrometheusNodeRecording: true
      kubernetesApps: true
      kubernetesResources: true
      kubernetesStorage: true
      kubernetesSystem: true
      kubeScheduler: true
      kubeStateMetrics: true
      network: true
      node: true
      nodeExporterAlerting: true
      nodeExporterRecording: true
      prometheus: true
      prometheusOperator: true
  alertmanager:
    fullnameOverride: alertmanager
    enabled: true
    ingress:
      enabled: false
  grafana:
    enabled: true
    fullnameOverride: grafana
    forceDeployDatasources: false
    forceDeployDashboards: false
    defaultDashboardsEnabled: true
    defaultDashboardsTimezone: utc
    plugins:
      - grafana-polystat-panel
    serviceMonitor:
      enabled: true
    admin:
      existingSecret: grafana-admin-credentials
      userKey: admin-user
      passwordKey: admin-password
    ingress:
      enabled: false
    grafana.ini:
      server:
        root_url: https://grafana.durp.info
      auth.generic_oauth:
        enabled: true
        scopes: openid profile email
        auth_url: https://authentik.durp.info/application/o/authorize/
        token_url: https://authentik.durp.info/application/o/token/
        api_url: https://authentik.durp.info/application/o/userinfo/
    envFromSecret: "grafana-oauth"
  kubeApiServer:
    enabled: true
  kubelet:
    enabled: true
    serviceMonitor:
      metricRelabelings:
        - action: replace
          sourceLabels:
            - node
          targetLabel: instance
  kubeControllerManager:
    enabled: true
    endpoints: # ips of servers
      - 192.168.12.11
      - 192.168.12.12
      - 192.168.12.13
  coreDns:
    enabled: false
  kubeDns:
    enabled: false
  kubeEtcd:
    enabled: true
    endpoints: # ips of servers
      - 192.168.12.11
      - 192.168.12.12
      - 192.168.12.13
    service:
      enabled: true
      port: 2381
      targetPort: 2381
  kubeScheduler:
    enabled: true
    endpoints: # ips of servers
      - 192.168.12.11
      - 192.168.12.12
      - 192.168.12.13
  kubeProxy:
    enabled: true
    endpoints: # ips of servers
      - 192.168.12.11
      - 192.168.12.12
      - 192.168.12.13
  kubeStateMetrics:
    enabled: true
  kube-state-metrics:
    fullnameOverride: kube-state-metrics
    selfMonitor:
      enabled: true
    prometheus:
      monitor:
        enabled: true
        relabelings:
          - action: replace
            regex: (.*)
            replacement: $1
            sourceLabels:
              - __meta_kubernetes_pod_node_name
            targetLabel: kubernetes_node
  nodeExporter:
    enabled: true
    serviceMonitor:
      relabelings:
        - action: replace
          regex: (.*)
          replacement: $1
          sourceLabels:
            - __meta_kubernetes_pod_node_name
          targetLabel: kubernetes_node
  prometheus-node-exporter:
    fullnameOverride: node-exporter
    podLabels:
      jobLabel: node-exporter
    extraArgs:
      - --collector.filesystem.mount-points-exclude=^/(dev|proc|sys|var/lib/docker/.+|var/lib/kubelet/.+)($|/)
      - --collector.filesystem.fs-types-exclude=^(autofs|binfmt_misc|bpf|cgroup2?|configfs|debugfs|devpts|devtmpfs|fusectl|hugetlbfs|iso9660|mqueue|nsfs|overlay|proc|procfs|pstore|rpc_pipefs|securityfs|selinuxfs|squashfs|sysfs|tracefs)$
    service:
      portName: http-metrics
    prometheus:
      monitor:
        enabled: true
        relabelings:
          - action: replace
            regex: (.*)
            replacement: $1
            sourceLabels:
              - __meta_kubernetes_pod_node_name
            targetLabel: kubernetes_node
    resources:
      requests:
        memory: 512Mi
        cpu: 250m
      limits:
        memory: 2048Mi
  prometheusOperator:
    enabled: true
    prometheusConfigReloader:
      resources:
        requests:
          cpu: 200m
          memory: 50Mi
        limits:
          memory: 100Mi
  prometheus:
    enabled: true
    prometheusSpec:
      replicas: 1
      replicaExternalLabelName: "replica"
      ruleSelectorNilUsesHelmValues: false
      serviceMonitorSelectorNilUsesHelmValues: false
      podMonitorSelectorNilUsesHelmValues: false
      probeSelectorNilUsesHelmValues: false
      retention: 6h
      enableAdminAPI: true
      walCompression: true
      storageSpec:
        volumeClaimTemplate:
          spec:
            storageClassName: longhorn
            accessModes: ["ReadWriteMany"]
            resources:
              requests:
                storage: 20Gi
  thanosRuler:
    enabled: false
--- a/infra/longhorn/Chart.yaml
+++ b/infra/longhorn/Chart.yaml
@@ -9,4 +9,4 @@ appVersion: "1.16.0"
 dependencies:
 - name: longhorn
  repository: https://charts.longhorn.io
-  version: 1.7.2
+  version: 1.9.0
--- a/infra/longhorn/templates/ingress.yaml
+++ b/infra/longhorn/templates/ingress.yaml
@@ -3,21 +3,23 @@ kind: IngressRoute
 metadata:
  name: longhorn-ingress
  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt-production
+    cert-manager.io/cluster-issuer: vault-issuer
 spec:
  entryPoints:
    - websecure
  routes:
-  - match: Host(`longhorn.infra.durp.info`) && PathPrefix(`/`)
+    - match: Host(`longhorn.infra.durp.info`) && PathPrefix(`/`)
-    kind: Rule
+      kind: Rule
-    services:
+      middlewares:
-    - name: longhorn-frontend
+        - name: authentik-proxy-provider
-      port: 80
+          namespace: traefik
      services:
        - name: longhorn-frontend
          port: 80
  tls:
    secretName: longhorn-tls
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
--- a/infra/longhorn/templates/secrets.yaml
+++ b/infra/longhorn/templates/secrets.yaml
@@ -5,7 +5,7 @@ metadata:
 ---
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: external-longhorn-backup-token-secret
--- a/infra/metallb-system/Chart.yaml
+++ b/infra/metallb-system/Chart.yaml
@@ -9,4 +9,4 @@ appVersion: "1.16.0"
 dependencies:
 - name: metallb
  repository: https://metallb.github.io/metallb
-  version: 0.14.9
+  version: 0.15.2
--- a/infra/nebula-sync/templates/secrets.yaml
+++ b/infra/nebula-sync/templates/secrets.yaml
@@ -1,4 +1,4 @@
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: nebula-sync-secret
--- a/infra/octopus-agent/templates/secret.yaml
+++ b/infra/octopus-agent/templates/secret.yaml
@@ -5,7 +5,7 @@ metadata:
 ---
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: agent-token
--- a/infra/octopus-agent/values.yaml
+++ b/infra/octopus-agent/values.yaml
@@ -4,7 +4,9 @@ kubernetes-agent:
    acceptEula: "Y"
    serverUrl: "https://octopus.durp.info/"
    serverCommsAddresses:
-      - "https://octopusdeploy-octopus-deploy.octopusdeploy.svc.cluster.local:10943/"
+      - "https://octopus-deploy-node0.octopusdeploy.svc.cluster.local:10943/"
      - "https://octopus-deploy-node1.octopusdeploy.svc.cluster.local:10943/"
      - "https://octopus-deploy-node2.octopusdeploy.svc.cluster.local:10943/"
    space: "Default"
    name: "infra"
    deploymentTarget:
--- a/infra/octopusdeploy/Chart.yaml
+++ b/infra/octopusdeploy/Chart.yaml
@@ -9,4 +9,4 @@ appVersion: "1.16.0"
 dependencies:
  - name: octopusdeploy-helm
    repository: oci://ghcr.io/octopusdeploy
-    version: 1.3.1
+    version: 1.7.0
--- a/infra/octopusdeploy/templates/secrets.yaml
+++ b/infra/octopusdeploy/templates/secrets.yaml
@@ -4,8 +4,7 @@ metadata:
  name: vault
 ---
-
+apiVersion: external-secrets.io/v1
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: octopusdeploy-adminpassword
@@ -22,8 +21,7 @@ spec:
        property: adminpassword
 ---
-
+apiVersion: external-secrets.io/v1
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: octopusdeploy-adminusername
@@ -40,8 +38,7 @@ spec:
        property: adminusername
 ---
-
+apiVersion: external-secrets.io/v1
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: octopusdeploy-connectionstring
@@ -58,8 +55,7 @@ spec:
        property: connectionstring
 ---
-
+apiVersion: external-secrets.io/v1
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: octopusdeploy-masterkey
@@ -76,8 +72,7 @@ spec:
        property: masterkey
 ---
-
+apiVersion: external-secrets.io/v1
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: octopusdeploy-sapassword
@@ -92,3 +87,20 @@ spec:
      remoteRef:
        key: kv/octopusdeploy
        property: sapassword
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: octopusdeploy-licensekey
 spec:
  secretStoreRef:
    name: vault
    kind: ClusterSecretStore
  target:
    name: octopusdeploy-licensekey
  data:
    - secretKey: secret
      remoteRef:
        key: kv/octopusdeploy
        property: licensekey
--- a/infra/octopusdeploy/values.yaml
+++ b/infra/octopusdeploy/values.yaml
@@ -2,7 +2,7 @@ octopusdeploy-helm:
  octopus:
    image:
      repository: registry.durp.info/octopusdeploy/octopusdeploy
-      tag: 2025.1
+      tag: 2025.3
    createSecrets: false
    acceptEula: Y
    replicaCount: 3
--- a/infra/openclarity/templates/secret.yaml
+++ b/infra/openclarity/templates/secret.yaml
@@ -5,7 +5,7 @@ metadata:
 ---
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: openclarity-postgres-secret
--- a/infra/openclarity/values.yaml
+++ b/infra/openclarity/values.yaml
@@ -317,7 +317,7 @@ openclarity:
      # -- Gateway service container repository
      repository: nginxinc/nginx-unprivileged
      # -- Gateway service container tag
-      tag: 1.27.3
+      tag: 1.29.0
      # -- Gateway image digest. If set will override the tag.
      digest: ""
      # -- Gateway service container pull policy
@@ -542,7 +542,7 @@ openclarity:
      # -- Trivy Server container repository
      repository: aquasec/trivy
      # -- Trivy Server container tag
-      tag: 0.58.2
+      tag: 0.64.1
      # -- Trivy Server image digest. If set will override the tag.
      digest: ""
      # -- Trivy Server image pull policy
@@ -719,7 +719,7 @@ openclarity:
      # -- Swagger UI container repository
      repository: swaggerapi/swagger-ui
      # -- Swagger UI container tag
-      tag: v5.18.2
+      tag: v5.30.3
      # -- Swagger UI image digest. If set will override the tag.
      digest: ""
      # -- Swagger UI image pull policy
--- a/infra/renovate/templates/secrets.yaml
+++ b/infra/renovate/templates/secrets.yaml
@@ -4,8 +4,7 @@ metadata:
  name: vault
 ---
-
+apiVersion: external-secrets.io/v1
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
  name: renovate-config-secret
@@ -20,3 +19,23 @@ spec:
      remoteRef:
        key: kv/renovate
        property: config
    - secretKey: RENOVATE_AUTODISCOVER
      remoteRef:
        key: kv/renovate
        property: RENOVATE_AUTODISCOVER
    - secretKey: RENOVATE_ENDPOINT
      remoteRef:
        key: kv/renovate
        property: RENOVATE_ENDPOINT
    - secretKey: RENOVATE_GIT_AUTHOR
      remoteRef:
        key: kv/renovate
        property: RENOVATE_GIT_AUTHOR
    - secretKey: RENOVATE_PLATFORM
      remoteRef:
        key: kv/renovate
        property: RENOVATE_PLATFORM
    - secretKey: RENOVATE_TOKEN
      remoteRef:
        key: kv/renovate
        property: RENOVATE_TOKEN
--- a/infra/renovate/values.yaml
+++ b/infra/renovate/values.yaml
@@ -5,20 +5,20 @@ renovate:
    compatibility:
      openshift:
        # --  Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: `auto` (apply if the detected running cluster is Openshift), `force` (perform the adaptation always), `disabled` (do not perform adaptation)
-        adaptSecurityContext: 'auto'
+        adaptSecurityContext: "auto"
  # -- Override the name of the chart
-  nameOverride: ''
+  nameOverride: ""
  # -- Override the fully qualified app name
-  fullnameOverride: ''
+  fullnameOverride: ""
  # -- Annotations to add to secret
  secretAnnotations: {}
  cronjob:
    # -- Schedules the job to run using cron notation
-    schedule: '0 1 * * *'  # At 01:00 every day
+    schedule: "0 1 * * *" # At 01:00 every day
    # -- You can specify a time zone for a CronJob by setting timeZone to the name of a valid time zone. (starting with k8s 1.27) <https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/#time-zones>
-    timeZone: ''  # see https://en.wikipedia.org/wiki/List_of_tz_database_time_zones for valid names
+    timeZone: "" # see https://en.wikipedia.org/wiki/List_of_tz_database_time_zones for valid names
    # -- If it is set to true, all subsequent executions are suspended. This setting does not apply to already started executions.
    suspend: false
    # -- Annotations to set on the cronjob
@@ -26,48 +26,47 @@ renovate:
    # -- Labels to set on the cronjob
    labels: {}
    # -- "Allow" to allow concurrent runs, "Forbid" to skip new runs if a previous run is still running or "Replace" to replace the previous run
-    concurrencyPolicy: ''
+    concurrencyPolicy: ""
    # -- "Number of successful completions is reached to mark the job as complete"
-    completions: ''
+    completions: ""
    # -- "Where the jobs should be NonIndexed or Indexed"
-    completionMode: ''
+    completionMode: ""
    # -- Amount of failed jobs to keep in history
-    failedJobsHistoryLimit: ''
+    failedJobsHistoryLimit: ""
    # -- Amount of completed jobs to keep in history
-    successfulJobsHistoryLimit: ''
+    successfulJobsHistoryLimit: ""
    # -- Set to Never to restart the job when the pod fails or to OnFailure to restart when a container fails
    jobRestartPolicy: Never
    # -- Time to keep the job after it finished before automatically deleting it
-    ttlSecondsAfterFinished: ''
+    ttlSecondsAfterFinished: ""
    # -- Deadline for the job to finish
-    activeDeadlineSeconds: ''
+    activeDeadlineSeconds: ""
    # -- Number of times to retry running the pod before considering the job as being failed
-    jobBackoffLimit: ''
+    jobBackoffLimit: ""
    # -- Maximal number of failures per index
-    backoffLimitPerIndex: ''
+    backoffLimitPerIndex: ""
    # -- Maximal number of failed indexes before terminating the Job execution
-    maxFailedIndexes: ''
+    maxFailedIndexes: ""
    # -- Deadline to start the job, skips execution if job misses it's configured deadline
-    startingDeadlineSeconds: ''
+    startingDeadlineSeconds: ""
    # -- Additional initContainers that can be executed before renovate
    initContainers: []
    # initContainers:
    # - name: INIT_CONTAINER_NAME
    #   image: INIT_CONTAINER_IMAGE
    # -- Number of pods to run in parallel
-    parallelism: ''
+    parallelism: ""
    # -- Custom command to run in the container
    commandOverride: []
    # -- Custom arguments to run in the container
    argsOverride: []
    # -- Prepend shell commands before renovate runs
-    preCommand: ''
+    #preCommand: ''
-    # preCommand: |
+    #preCommand: |
-    #   echo hello
+    #  ls /config
-    #   echo world
+    #  cat /config/renovate.json
-    # -- Append shell commands after renovate runs
+    postCommand: ""
    postCommand: ''
    # postCommand: |
    #   echo hello
    #   echo world
@@ -95,9 +94,18 @@ renovate:
  renovate:
    # -- Custom exiting global renovate config
-    existingConfigFile: '/config/renovate.json'
+    #existingConfigFile: "/config/renovate.json"
    # -- Inline global renovate config.json
-    config: ''
+    config: |
      {
        "platform": "gitlab",
        "endpoint": "https://gitlab.com/api/v4",
        "autodiscover": "true",
        "dryRun": false,
        "printConfig": false,
        "autodiscoverFilter": ["developerdurp/*", "durfy/*"],
        "assignees": ["developerdurp"],
      }
    # See https://docs.renovatebot.com/self-hosted-configuration
    # config: |
    #   {
@@ -145,20 +153,20 @@ renovate:
    # Provide .ssh config file contents
    # -- Contents of the id_rsa file
-    id_rsa: ''
+    id_rsa: ""
    # -- Contents of the id_rsa_pub file
-    id_rsa_pub: ''
+    id_rsa_pub: ""
    # -- Contents of the config file
-    config: ''
+    config: ""
    # or provide the name of an existing secret to be read instead.
    # -- Name of the existing secret containing a valid .ssh configuration
-    existingSecret: ''
+    existingSecret: ""
  # -- Environment variables that should be referenced from a k8s secret, cannot be used when existingSecret is set
  secrets: {}
  # -- k8s secret to reference environment variables from. Overrides secrets if set
-  existingSecret: ''
+  existingSecret: "renovate-config-secret"
  # -- Additional configmaps. A generated configMap name is: "renovate.fullname" + "extra" + name(below) e.g. renovate-netrc-config
  extraConfigmaps: []
@@ -175,15 +183,18 @@ renovate:
  #         "key"="value"
  #         "key1"="value1"
-  extraVolumes: 
+  #extraVolumes:
-    - name: renovate-config
+  #  - name: renovate-config-secret
-      secretName:
+  #    secretName:
-        name: renovate-config-secret
+  #      name: renovate-config-secret
  #      items:
  #        - key: renovate.json
  #          path: renovate.json
-  extraVolumeMounts:
+  #extraVolumeMounts:
-    - mountPath: "/config"
+  #  - name: renovate-config-secret
-      name: renovate.json
+  #    mountPath: /config
-      readOnly: true
+  #    subPath: renovate.json
  # -- Additional containers to the pod
  extraContainers: []
@@ -209,10 +220,11 @@ renovate:
    annotations: {}
    # -- The name of the service account to use
    # If not set and create is true, a name is generated using the fullname template
-    name: ''
+    name: ""
  # -- Specify resource limits and requests for the renovate container
-  resources: {}
+  resources:
    {}
    # We usually recommend not to specify default resources and to leave this as a conscious
    # choice for the user. This also increases chances charts run on environments with little
    # resources, such as Minikube. If you do want to specify resources, uncomment the following
@@ -233,7 +245,8 @@ renovate:
  #       name: env-configmap
  # -- Environment variables to set on the renovate container
-  env: {}
+  env:
    RENOVATE_AUTODISCOVER: true
  # env:
  #   VARIABLE_NAME: "value"
@@ -253,7 +266,7 @@ renovate:
    enabled: false
    # -- Override the prefix of the redisHost
-    nameOverride: ''
+    nameOverride: ""
    # -- Disable replication by default
    architecture: standalone
@@ -263,7 +276,7 @@ renovate:
      enabled: false
    # -- Override Kubernetes version for redis chart
-    kubeVersion: ''
+    kubeVersion: ""
  # -- Override hostname resolution
  hostAliases: []
@@ -292,7 +305,7 @@ renovate:
  # -- Create extra manifests via values. Would be passed through `tpl` for templating
  extraObjects: []
  # extraObjects:
-  #   - apiVersion: external-secrets.io/v1beta1
+  #   - apiVersion: external-secrets.io/v1
  #     kind: ExternalSecret
  #     metadata:
  #       name: '{{ include "renovate.fullname" . }}-token'
--- a/Show More
+++ b/Show More
`@@ -1,2 +1,2 @@`
	`argocd login --insecure`	`argocd login --insecure`
	`argocd cluster add <cluster> --name<name>`	`argocd cluster add default --name prd --yes --kubeconfig ~/Documents/config-prd`
`@@ -1 +1,2 @@`
	`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGhPVgL8gXdRTw0E2FvlOUoUI4vd794nB0nZVIsc+U5M`	`sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIGilcndatMrXg06VxtNKuIo3scoyyXbYX8Z7cOjeA102AAAABHNzaDo= desktop-arch-09-08-2025-yubikey`
		`sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAINsbNSZ5Wr+50Ahz+IeZxt6F7gZ6wm1J8uKXQLbdbKFaAAAABHNzaDo= desktop-arch-09-08-2025-yubikeyNano`