Update Helm release crowdsec to v0.20.0

2025-09-10 09:21:13 +00:00
22 changed files with 401 additions and 556 deletions
--- a/dmz/crowdsec/Chart.yaml
+++ b/dmz/crowdsec/Chart.yaml
@@ -8,4 +8,4 @@ appVersion: 0.0.1
 dependencies:
  - name: crowdsec
    repository: https://crowdsecurity.github.io/helm-charts
-    version: 0.19.4
+    version: 0.20.0
--- a/dmz/internalproxy/templates/gitlab.yaml
+++ b/dmz/internalproxy/templates/gitlab.yaml
@@ -1,68 +0,0 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: gitlab
 spec:
  ports:
    - name: app
      port: 9080
      protocol: TCP
      targetPort: 9080
  clusterIP: None
  type: ClusterIP
 ---
 apiVersion: v1
 kind: Endpoints
 metadata:
  name: gitlab
 subsets:
  - addresses:
      - ip: 192.168.21.200
    ports:
      - name: app
        port: 9080
        protocol: TCP
 ---
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: gitlab-ingress
 spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`gitlab.durp.info`) && PathPrefix(`/`)
      kind: Rule
      services:
        - name: gitlab
          port: 9080
          scheme: http
  tls:
    secretName: gitlab-tls
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: gitlab-tls
 spec:
  secretName: gitlab-tls
  issuerRef:
    name: letsencrypt-production
    kind: ClusterIssuer
  commonName: "gitlab.durp.info"
  dnsNames:
    - "gitlab.durp.info"
 ---
 kind: Service
 apiVersion: v1
 metadata:
  name: gitlab-external-dns
  annotations:
    external-dns.alpha.kubernetes.io/hostname: gitlab.durp.info
 spec:
  type: ExternalName
  externalName: durp.info
--- a/dmz/internalproxy/templates/n8n.yaml
+++ b/dmz/internalproxy/templates/n8n.yaml
@@ -12,19 +12,21 @@ spec:
  type: ClusterIP
 ---
 apiVersion: v1
 kind: Endpoints
 metadata:
  name: n8n
 subsets:
  - addresses:
-      - ip: 192.168.21.200
+      - ip: 192.168.20.104
    ports:
      - name: app
        port: 5678
        protocol: TCP
 ---
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
@@ -43,6 +45,7 @@ spec:
    secretName: n8n-tls
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
@@ -57,6 +60,7 @@ spec:
    - "n8n.durp.info"
 ---
 kind: Service
 apiVersion: v1
 metadata:
--- a/dmz/internalproxy/templates/octopus.yaml
+++ b/dmz/internalproxy/templates/octopus.yaml
@@ -1,40 +1,40 @@
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
-  name: grafana-ingress
+  name: octopus-ingress
 spec:
  entryPoints:
    - websecure
  routes:
-    - match: Host(`grafana.durp.info`) && PathPrefix(`/`)
+    - match: Host(`octopus.durp.info`) && PathPrefix(`/`)
      kind: Rule
      services:
        - name: infra-cluster
          port: 443
  tls:
-    secretName: grafana-tls
+    secretName: octopus-tls
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
-  name: grafana-tls
+  name: octopus-tls
 spec:
  issuerRef:
    name: letsencrypt-production
    kind: ClusterIssuer
-  secretName: grafana-tls
+  secretName: octopus-tls
-  commonName: "grafana.durp.info"
+  commonName: "octopus.durp.info"
  dnsNames:
-    - "grafana.durp.info"
+    - "octopus.durp.info"
 ---
 kind: Service
 apiVersion: v1
 metadata:
-  name: grafana-external-dns
+  name: octopus-external-dns
  annotations:
-    external-dns.alpha.kubernetes.io/hostname: grafana.durp.info
+    external-dns.alpha.kubernetes.io/hostname: octopus.durp.info
 spec:
  type: ExternalName
  externalName: durp.info
--- a/dmz/internalproxy/templates/portainer.yaml
+++ b/dmz/internalproxy/templates/portainer.yaml
@@ -1,3 +1,32 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: portainer
 spec:
  ports:
  - name: app
    port: 9443
    protocol: TCP
    targetPort: 9443
  clusterIP: None
  type: ClusterIP
 ---
 apiVersion: v1
 kind: Endpoints
 metadata:
  name: portainer
 subsets:
 - addresses:
  - ip: 192.168.20.104
  ports:
  - name: app
    port: 9443
    protocol: TCP
 ---    
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
@@ -12,8 +41,9 @@ spec:
      #  namespace: traefik
    kind: Rule
    services:
-      - name: infra-cluster
+    - name: portainer
-        port: 443
+      port: 9443
      scheme: https
  tls:
    secretName: portainer-tls
@@ -30,4 +60,4 @@ spec:
    kind: ClusterIssuer
  commonName: "portainer.internal.durp.info"
  dnsNames:
-  - "portainer.internal.durp.info"
+  - "portainer.internal.durp.info"  
--- a/infra/argocd/templates/argocd-crossplane.yaml
+++ b/infra/argocd/templates/argocd-crossplane.yaml
@@ -0,0 +1,101 @@
 #apiVersion: external-secrets.io/v1
 #kind: ExternalSecret
 #metadata:
 #  name: argocd-secret-crossplane
 #spec:
 #  secretStoreRef:
 #    name: vault
 #    kind: ClusterSecretStore
 #  target:
 #    name: argocd-secret-crossplane
 #  data:
 #    - secretKey: authToken
 #      remoteRef:
 #        key: kv/argocd/provider-argocd
 #        property: token
 #
 #---
 #apiVersion: external-secrets.io/v1
 #kind: ExternalSecret
 #metadata:
 #  name: prod-kubeconfig
 #spec:
 #  secretStoreRef:
 #    name: vault
 #    kind: ClusterSecretStore
 #  target:
 #    name: prod-kubeconfig
 #  data:
 #    - secretKey: kubeconfig
 #      remoteRef:
 #        key: kv/argocd/prd
 #        property: kubeconfig
 #
 #---
 #apiVersion: argocd.crossplane.io/v1alpha1
 #kind: ProviderConfig
 #metadata:
 #  name: argocd-provider
 #spec:
 #  serverAddr: argocd-server.argocd.svc:443
 #  insecure: true
 #  plainText: false
 #  credentials:
 #    source: Secret
 #    secretRef:
 #      namespace: argocd
 #      name: argocd-secret-crossplane
 #      key: authToken
 #
 #---
 #apiVersion: cluster.argocd.crossplane.io/v1alpha1
 #kind: Cluster
 #metadata:
 #  name: prd
 #  labels:
 #    purpose: prd
 #spec:
 #  forProvider:
 #    name: prd
 #    config:
 #      kubeconfigSecretRef:
 #        name: prod-kubeconfig
 #        namespace: argocd
 #        key: kubeconfig
 #  providerConfigRef:
 #    name: argocd-provider
 #
 #---
 #apiVersion: external-secrets.io/v1
 #kind: ExternalSecret
 #metadata:
 #  name: dev-kubeconfig
 #spec:
 #  secretStoreRef:
 #    name: vault
 #    kind: ClusterSecretStore
 #  target:
 #    name: dev-kubeconfig
 #  data:
 #    - secretKey: kubeconfig
 #      remoteRef:
 #        key: kv/argocd/dev
 #        property: kubeconfig
 #
 #---
 #apiVersion: cluster.argocd.crossplane.io/v1alpha1
 #kind: Cluster
 #metadata:
 #  name: dev
 #  labels:
 #    purpose: dev
 #spec:
 #  forProvider:
 #    name: dev
 #    config:
 #      kubeconfigSecretRef:
 #        name: dev-kubeconfig
 #        namespace: argocd
 #        key: kubeconfig
 #  providerConfigRef:
 #    name: argocd-provider
--- a/infra/argocd/templates/portainer.yaml
+++ b/infra/argocd/templates/portainer.yaml
@@ -1,17 +1,17 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: portainer
+  name: crowdsec
  namespace: argocd
 spec:
  project: default
  source:
    repoURL: https://gitlab.com/developerdurp/homelab.git
    targetRevision: main
-    path: infra/portainer
+    path: dmz/crowdsec
  destination:
-    namespace: portainer
+    namespace: crowdsec
-    name: in-cluster
+    name: dmz
  syncPolicy:
    automated:
      prune: true
--- a/infra/argocd/templates/kube-prometheus-stack.yaml
+++ b/infra/argocd/templates/kube-prometheus-stack.yaml
@@ -1,20 +0,0 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: kube-prometheus-stack
  namespace: argocd
 spec:
  project: default
  source:
    repoURL: https://gitlab.com/developerdurp/homelab.git
    targetRevision: main
    path: infra/kube-prometheus-stack
  destination:
    namespace: kube-prometheus-stack
    name: in-cluster
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=true
--- a/infra/argocd/templates/octopusdeploy.yaml
+++ b/infra/argocd/templates/octopusdeploy.yaml
@@ -0,0 +1,42 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: octopusdeploy
  namespace: argocd
 spec:
  project: default
  source:
    repoURL: https://gitlab.com/developerdurp/homelab.git
    targetRevision: main
    path: infra/octopusdeploy
  destination:
    namespace: octopusdeploy
    name: in-cluster
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=true
 ---
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: octopusdeploy-agent
  namespace: argocd
 spec:
  project: default
  source:
    repoURL: https://gitlab.com/developerdurp/homelab.git
    targetRevision: main
    path: infra/octopus-agent
  destination:
    namespace: octopus-agent
    name: in-cluster
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=true
--- a/infra/kube-prometheus-stack/Chart.yaml
+++ b/infra/kube-prometheus-stack/Chart.yaml
@@ -1,12 +0,0 @@
 apiVersion: v2
 name: kube-prometheus-stack
 description: A Helm chart for Kubernetes
 type: application
 version: 0.1.0
 appVersion: "1.16.0"
 dependencies:
  - name: kube-prometheus-stack
    repository: https://prometheus-community.github.io/helm-charts
    version: 77.10.0
--- a/infra/kube-prometheus-stack/templates/grafana-secrets-sealed.yaml
+++ b/infra/kube-prometheus-stack/templates/grafana-secrets-sealed.yaml
@@ -1,46 +0,0 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: vault
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: vault-grafana-oauth
 spec:
  secretStoreRef:
    name: vault
    kind: ClusterSecretStore
  target:
    name: grafana-oauth
  data:
    - secretKey: GF_AUTH_GENERIC_OAUTH_CLIENT_ID
      remoteRef:
        key: kv/grafana/oauth
        property: GF_AUTH_GENERIC_OAUTH_CLIENT_ID
    - secretKey: GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET
      remoteRef:
        key: kv/grafana/oauth
        property: GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: vault-admin-credentials
 spec:
  secretStoreRef:
    name: vault
    kind: ClusterSecretStore
  target:
    name: grafana-admin-credentials
  data:
    - secretKey: admin-password
      remoteRef:
        key: kv/grafana/admin
        property: password
    - secretKey: admin-user
      remoteRef:
        key: kv/grafana/admin
        property: user
--- a/infra/kube-prometheus-stack/templates/ingress.yaml
+++ b/infra/kube-prometheus-stack/templates/ingress.yaml
@@ -1,77 +0,0 @@
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: grafana-ingress
 spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`grafana.durp.info`) && PathPrefix(`/`)
      kind: Rule
      services:
        - name: grafana
          port: 80
  tls:
    secretName: grafana-tls
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: grafana-tls
 spec:
  secretName: grafana-tls
  issuerRef:
    name: letsencrypt-production
    kind: ClusterIssuer
  commonName: "grafana.durp.info"
  dnsNames:
    - "grafana.durp.info"
 ---
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: alertmanager-ingress
 spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`alertmanager.durp.info`) && PathPrefix(`/`)
      middlewares:
        - name: whitelist
          namespace: traefik
        - name: authentik-proxy-provider
          namespace: traefik
      kind: Rule
      services:
        - name: prometheus-alertmanager
          port: 9093
  tls:
    secretName: alertmanager-tls
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: alertmanager-tls
 spec:
  secretName: alertmanager-tls
  issuerRef:
    name: letsencrypt-production
    kind: ClusterIssuer
  commonName: "alertmanager.durp.info"
  dnsNames:
    - "alertmanager.durp.info"
 ---
 kind: Service
 apiVersion: v1
 metadata:
  name: grafana-external-dns
  annotations:
    external-dns.alpha.kubernetes.io/hostname: grafana.durp.info
 spec:
  type: ExternalName
  externalName: durp.info
--- a/infra/kube-prometheus-stack/values.yaml
+++ b/infra/kube-prometheus-stack/values.yaml
@@ -1,203 +0,0 @@
 kube-prometheus-stack:
  fullnameOverride: prometheus
  defaultRules:
    create: true
    rules:
      alertmanager: true
      etcd: true
      configReloaders: true
      general: true
      k8s: true
      kubeApiserverAvailability: true
      kubeApiserverBurnrate: true
      kubeApiserverHistogram: true
      kubeApiserverSlos: true
      kubelet: true
      kubeProxy: true
      kubePrometheusGeneral: true
      kubePrometheusNodeRecording: true
      kubernetesApps: true
      kubernetesResources: true
      kubernetesStorage: true
      kubernetesSystem: true
      kubeScheduler: true
      kubeStateMetrics: true
      network: true
      node: true
      nodeExporterAlerting: true
      nodeExporterRecording: true
      prometheus: true
      prometheusOperator: true
  alertmanager:
    fullnameOverride: alertmanager
    enabled: true
    ingress:
      enabled: false
  grafana:
    enabled: true
    fullnameOverride: grafana
    forceDeployDatasources: false
    forceDeployDashboards: false
    defaultDashboardsEnabled: true
    defaultDashboardsTimezone: utc
    plugins:
      - grafana-polystat-panel
    serviceMonitor:
      enabled: true
    admin:
      existingSecret: grafana-admin-credentials
      userKey: admin-user
      passwordKey: admin-password
    ingress:
      enabled: false
    grafana.ini:
      server:
        root_url: https://grafana.durp.info
      auth.generic_oauth:
        enabled: true
        scopes: openid profile email
        auth_url: https://authentik.durp.info/application/o/authorize/
        token_url: https://authentik.durp.info/application/o/token/
        api_url: https://authentik.durp.info/application/o/userinfo/
    envFromSecret: "grafana-oauth"
  kubeApiServer:
    enabled: true
  kubelet:
    enabled: true
    serviceMonitor:
      metricRelabelings:
        - action: replace
          sourceLabels:
            - node
          targetLabel: instance
  kubeControllerManager:
    enabled: true
    endpoints: # ips of servers
      - 192.168.12.11
      - 192.168.12.12
      - 192.168.12.13
  coreDns:
    enabled: false
  kubeDns:
    enabled: false
  kubeEtcd:
    enabled: true
    endpoints: # ips of servers
      - 192.168.12.11
      - 192.168.12.12
      - 192.168.12.13
    service:
      enabled: true
      port: 2381
      targetPort: 2381
  kubeScheduler:
    enabled: true
    endpoints: # ips of servers
      - 192.168.12.11
      - 192.168.12.12
      - 192.168.12.13
  kubeProxy:
    enabled: true
    endpoints: # ips of servers
      - 192.168.12.11
      - 192.168.12.12
      - 192.168.12.13
  kubeStateMetrics:
    enabled: true
  kube-state-metrics:
    fullnameOverride: kube-state-metrics
    selfMonitor:
      enabled: true
    prometheus:
      monitor:
        enabled: true
        relabelings:
          - action: replace
            regex: (.*)
            replacement: $1
            sourceLabels:
              - __meta_kubernetes_pod_node_name
            targetLabel: kubernetes_node
  nodeExporter:
    enabled: true
    serviceMonitor:
      relabelings:
        - action: replace
          regex: (.*)
          replacement: $1
          sourceLabels:
            - __meta_kubernetes_pod_node_name
          targetLabel: kubernetes_node
  prometheus-node-exporter:
    fullnameOverride: node-exporter
    podLabels:
      jobLabel: node-exporter
    extraArgs:
      - --collector.filesystem.mount-points-exclude=^/(dev|proc|sys|var/lib/docker/.+|var/lib/kubelet/.+)($|/)
      - --collector.filesystem.fs-types-exclude=^(autofs|binfmt_misc|bpf|cgroup2?|configfs|debugfs|devpts|devtmpfs|fusectl|hugetlbfs|iso9660|mqueue|nsfs|overlay|proc|procfs|pstore|rpc_pipefs|securityfs|selinuxfs|squashfs|sysfs|tracefs)$
    service:
      portName: http-metrics
    prometheus:
      monitor:
        enabled: true
        relabelings:
          - action: replace
            regex: (.*)
            replacement: $1
            sourceLabels:
              - __meta_kubernetes_pod_node_name
            targetLabel: kubernetes_node
    resources:
      requests:
        memory: 512Mi
        cpu: 250m
      limits:
        memory: 2048Mi
  prometheusOperator:
    enabled: true
    prometheusConfigReloader:
      resources:
        requests:
          cpu: 200m
          memory: 50Mi
        limits:
          memory: 100Mi
  prometheus:
    enabled: true
    prometheusSpec:
      replicas: 1
      replicaExternalLabelName: "replica"
      ruleSelectorNilUsesHelmValues: false
      serviceMonitorSelectorNilUsesHelmValues: false
      podMonitorSelectorNilUsesHelmValues: false
      probeSelectorNilUsesHelmValues: false
      retention: 6h
      enableAdminAPI: true
      walCompression: true
      storageSpec:
        volumeClaimTemplate:
          spec:
            storageClassName: longhorn
            accessModes: ["ReadWriteMany"]
            resources:
              requests:
                storage: 20Gi
  thanosRuler:
    enabled: false
--- a/infra/octopus-agent/Chart.yaml
+++ b/infra/octopus-agent/Chart.yaml
@@ -0,0 +1,12 @@
 apiVersion: v2
 name: octopusdeploy
 description: A Helm chart for Kubernetes
 type: application
 version: 0.1.0
 appVersion: "1.16.0"
 dependencies:
  - name: kubernetes-agent
    repository: oci://registry-1.docker.io/octopusdeploy
    version: 2.*.*
--- a/infra/octopus-agent/templates/secret.yaml
+++ b/infra/octopus-agent/templates/secret.yaml
@@ -0,0 +1,23 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: vault
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: agent-token
 spec:
  secretStoreRef:
    name: vault
    kind: ClusterSecretStore
  target:
    name: agent-token
  data:
    - secretKey: bearer-token
      remoteRef:
        key: kv/octopusdeploy
        property: infra-bearer-token
--- a/infra/octopus-agent/values.yaml
+++ b/infra/octopus-agent/values.yaml
@@ -0,0 +1,19 @@
 kubernetes-agent:
  agent:
    bearerTokenSecretName: agent-token
    acceptEula: "Y"
    serverUrl: "https://octopus.durp.info/"
    serverCommsAddresses:
      - "https://octopus-deploy-node0.octopusdeploy.svc.cluster.local:10943/"
      - "https://octopus-deploy-node1.octopusdeploy.svc.cluster.local:10943/"
      - "https://octopus-deploy-node2.octopusdeploy.svc.cluster.local:10943/"
    space: "Default"
    name: "infra"
    deploymentTarget:
      initial:
        environments:
          - "development"
          - "production"
        tags:
          - "infra-cluster"
      enabled: "true"
--- a/infra/octopusdeploy/Chart.yaml
+++ b/infra/octopusdeploy/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v2
-name: portainer
+name: octopusdeploy
 description: A Helm chart for Kubernetes
 type: application
@@ -7,6 +7,6 @@ version: 0.1.0
 appVersion: "1.16.0"
 dependencies:
-  - name: portainer
+  - name: octopusdeploy-helm
-    repository: https://portainer.github.io/k8s/
+    repository: oci://ghcr.io/octopusdeploy
-    version: 2.33.5
+    version: 1.4.0
--- a/infra/octopusdeploy/templates/ingress.yaml
+++ b/infra/octopusdeploy/templates/ingress.yaml
@@ -0,0 +1,32 @@
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: octopus-ingress
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-production
 spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`octopus.durp.info`) && PathPrefix(`/`)
      kind: Rule
      services:
        - name: octopusdeploy-octopus-deploy
          port: 80
  tls:
    secretName: octopus-tls
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: octopus-tls
 spec:
  secretName: octopus-tls
  issuerRef:
    name: vault-issuer
    kind: ClusterIssuer
  commonName: "octopus.durp.info"
  dnsNames:
    - "octopus.durp.info"
--- a/infra/octopusdeploy/templates/secrets.yaml
+++ b/infra/octopusdeploy/templates/secrets.yaml
@@ -0,0 +1,106 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: vault
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: octopusdeploy-adminpassword
 spec:
  secretStoreRef:
    name: vault
    kind: ClusterSecretStore
  target:
    name: octopusdeploy-adminpassword
  data:
    - secretKey: secret
      remoteRef:
        key: kv/octopusdeploy
        property: adminpassword
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: octopusdeploy-adminusername
 spec:
  secretStoreRef:
    name: vault
    kind: ClusterSecretStore
  target:
    name: octopusdeploy-adminusername
  data:
    - secretKey: secret
      remoteRef:
        key: kv/octopusdeploy
        property: adminusername
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: octopusdeploy-connectionstring
 spec:
  secretStoreRef:
    name: vault
    kind: ClusterSecretStore
  target:
    name: octopusdeploy-connectionstring
  data:
    - secretKey: secret
      remoteRef:
        key: kv/octopusdeploy
        property: connectionstring
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: octopusdeploy-masterkey
 spec:
  secretStoreRef:
    name: vault
    kind: ClusterSecretStore
  target:
    name: octopusdeploy-masterkey
  data:
    - secretKey: secret
      remoteRef:
        key: kv/octopusdeploy
        property: masterkey
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: octopusdeploy-sapassword
 spec:
  secretStoreRef:
    name: vault
    kind: ClusterSecretStore
  target:
    name: octopusdeploy-sapassword
  data:
    - secretKey: secret
      remoteRef:
        key: kv/octopusdeploy
        property: sapassword
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: octopusdeploy-licensekey
 spec:
  secretStoreRef:
    name: vault
    kind: ClusterSecretStore
  target:
    name: octopusdeploy-licensekey
  data:
    - secretKey: secret
      remoteRef:
        key: kv/octopusdeploy
        property: licensekey
--- a/infra/octopusdeploy/values.yaml
+++ b/infra/octopusdeploy/values.yaml
@@ -0,0 +1,10 @@
 octopusdeploy-helm:
  octopus:
    image:
      repository: registry.durp.info/octopusdeploy/octopusdeploy
      tag: 2025.1
    createSecrets: false
    acceptEula: Y
    replicaCount: 3
  mssql:
    enabled: true
--- a/infra/portainer/templates/ingress.yaml
+++ b/infra/portainer/templates/ingress.yaml
@@ -1,30 +0,0 @@
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: portainer-ingress
 spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`portainer.internal.durp.info`) && PathPrefix(`/`)
      kind: Rule
      services:
        - name: portainer
          port: 9000
  tls:
    secretName: portainer-tls
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: portainer-tls
 spec:
  secretName: portainer-tls
  issuerRef:
    name: vault-issuer
    kind: ClusterIssuer
  commonName: "portainer.internal.durp.info"
  dnsNames:
    - "portainer.internal.durp.info"
--- a/infra/portainer/values.yaml
+++ b/infra/portainer/values.yaml
@@ -1,78 +0,0 @@
 portainer:
  replicaCount: 1
  image:
    repository: registry.durp.info/portainer/portainer-ce
    tag: 2.33.5
    pullPolicy: Always
  imagePullSecrets: []
  nodeSelector: {}
  tolerations: []
  serviceAccount:
    annotations: {}
    name: portainer-sa-clusteradmin
  # This flag provides the ability to enable or disable RBAC-related resources during the deployment of the Portainer application
  # If you are using Portainer to manage the K8s cluster it is deployed to, this flag must be set to true
  localMgmt: true
  service:
    # Set the httpNodePort and edgeNodePort only if the type is NodePort
    # For Ingress, set the type to be ClusterIP and set ingress.enabled to true
    # For Cloud Providers, set the type to be LoadBalancer
    type: NodePort
    httpPort: 9000
    httpsPort: 9443
    httpNodePort: 30777
    httpsNodePort: 30779
    edgePort: 8000
    edgeNodePort: 30776
    annotations: {}
  tls:
    # If set, Portainer will be configured to use TLS only
    force: false
    # If set, will mount the existing secret into the pod
    existingSecret: ""
  trusted_origins:
    # If set, Portainer will be configured to trust the domains specified in domains
      enabled: false
        # specify (in a comma-separated list) the domain(s) used to access Portainer when it is behind a reverse proxy
          # example: portainer.mydomain.com,portainer.example.com
      domains: ""
  mtls:
    # If set, Portainer will be configured to use mTLS only
    enable: false
    # If set, will mount the existing secret into the pod
    existingSecret: ""
  feature:
    flags: []
  ingress:
    enabled: false
    ingressClassName: ""
    annotations: {}
      # kubernetes.io/ingress.class: nginx
      # Only use below if tls.force=true
      # nginx.ingress.kubernetes.io/backend-protocol: HTTPS
    # Note: Hosts and paths are of type array
    hosts:
      - host:
        paths: []
        # - path: "/"
    tls: []
  resources: {}
  persistence:
    enabled: true
    size: "10Gi"
    annotations: {}
    storageClass: longhorn
    existingClaim: