Update Helm release cert-manager to v1.18.2

2025-07-14 06:02:49 +00:00
25 changed files with 300 additions and 570 deletions
--- a/ansible/roles/base/files/authorized_keys_user
+++ b/ansible/roles/base/files/authorized_keys_user
@@ -1,2 +1 @@
-sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIGilcndatMrXg06VxtNKuIo3scoyyXbYX8Z7cOjeA102AAAABHNzaDo= desktop-arch-09-08-2025-yubikey
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGhPVgL8gXdRTw0E2FvlOUoUI4vd794nB0nZVIsc+U5M
 sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAINsbNSZ5Wr+50Ahz+IeZxt6F7gZ6wm1J8uKXQLbdbKFaAAAABHNzaDo= desktop-arch-09-08-2025-yubikeyNano
--- a/dev/cert-manager/Chart.yaml
+++ b/dev/cert-manager/Chart.yaml
@@ -8,4 +8,4 @@ appVersion: 0.0.1
 dependencies:
 - name: cert-manager
  repository: https://charts.jetstack.io
-  version: v1.19.1
+  version: v1.18.2
--- a/dmz/cert-manager/Chart.yaml
+++ b/dmz/cert-manager/Chart.yaml
@@ -8,4 +8,4 @@ appVersion: 0.0.1
 dependencies:
 - name: cert-manager
  repository: https://charts.jetstack.io
-  version: v1.19.1
+  version: v1.18.2
--- a/dmz/internalproxy/templates/gitlab.yaml
+++ b/dmz/internalproxy/templates/gitlab.yaml
@@ -1,68 +0,0 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: gitlab
 spec:
  ports:
    - name: app
      port: 9080
      protocol: TCP
      targetPort: 9080
  clusterIP: None
  type: ClusterIP
 ---
 apiVersion: v1
 kind: Endpoints
 metadata:
  name: gitlab
 subsets:
  - addresses:
      - ip: 192.168.21.200
    ports:
      - name: app
        port: 9080
        protocol: TCP
 ---
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: gitlab-ingress
 spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`gitlab.durp.info`) && PathPrefix(`/`)
      kind: Rule
      services:
        - name: gitlab
          port: 9080
          scheme: http
  tls:
    secretName: gitlab-tls
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: gitlab-tls
 spec:
  secretName: gitlab-tls
  issuerRef:
    name: letsencrypt-production
    kind: ClusterIssuer
  commonName: "gitlab.durp.info"
  dnsNames:
    - "gitlab.durp.info"
 ---
 kind: Service
 apiVersion: v1
 metadata:
  name: gitlab-external-dns
  annotations:
    external-dns.alpha.kubernetes.io/hostname: gitlab.durp.info
 spec:
  type: ExternalName
  externalName: durp.info
--- a/dmz/internalproxy/templates/grafana.yaml
+++ b/dmz/internalproxy/templates/grafana.yaml
@@ -1,40 +0,0 @@
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: grafana-ingress
 spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`grafana.durp.info`) && PathPrefix(`/`)
      kind: Rule
      services:
        - name: infra-cluster
          port: 443
  tls:
    secretName: grafana-tls
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: grafana-tls
 spec:
  issuerRef:
    name: letsencrypt-production
    kind: ClusterIssuer
  secretName: grafana-tls
  commonName: "grafana.durp.info"
  dnsNames:
    - "grafana.durp.info"
 ---
 kind: Service
 apiVersion: v1
 metadata:
  name: grafana-external-dns
  annotations:
    external-dns.alpha.kubernetes.io/hostname: grafana.durp.info
 spec:
  type: ExternalName
  externalName: durp.info
--- a/dmz/internalproxy/templates/n8n.yaml
+++ b/dmz/internalproxy/templates/n8n.yaml
@@ -1,72 +0,0 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: n8n
 spec:
  ports:
    - name: app
      port: 5678
      protocol: TCP
      targetPort: 5678
  clusterIP: None
  type: ClusterIP
 ---
 apiVersion: v1
 kind: Endpoints
 metadata:
  name: n8n
 subsets:
  - addresses:
      - ip: 192.168.20.104
    ports:
      - name: app
        port: 5678
        protocol: TCP
 ---
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: n8n-ingress
 spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`n8n.durp.info`) && PathPrefix(`/`)
      kind: Rule
      services:
        - name: n8n
          port: 5678
          scheme: http
  tls:
    secretName: n8n-tls
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: n8n-tls
 spec:
  secretName: n8n-tls
  issuerRef:
    name: letsencrypt-production
    kind: ClusterIssuer
  commonName: "n8n.durp.info"
  dnsNames:
    - "n8n.durp.info"
 ---
 kind: Service
 apiVersion: v1
 metadata:
  name: n8n-dns
  annotations:
    dns.alpha.kubernetes.io/hostname: n8n.durp.info
 spec:
  type: ExternalName
  externalName: durp.info
--- a/infra/argocd/templates/crossplane.yaml
+++ b/infra/argocd/templates/crossplane.yaml
@@ -0,0 +1,20 @@
 #apiVersion: argoproj.io/v1alpha1
 #kind: Application
 #metadata:
 #  name: crossplane
 #  namespace: argocd
 #spec:
 #  project: default
 #  source:
 #    repoURL: https://gitlab.com/developerdurp/homelab.git
 #    targetRevision: main
 #    path: infra/crossplane
 #  destination:
 #    namespace: crossplane
 #    name: in-cluster
 #  syncPolicy:
 #    automated:
 #      prune: true
 #      selfHeal: true
 #    syncOptions:
 #      - CreateNamespace=true
--- a/infra/argocd/templates/crowdsec.yaml
+++ b/infra/argocd/templates/crowdsec.yaml
@@ -1,20 +1,20 @@
-#apiVersion: argoproj.io/v1alpha1
+apiVersion: argoproj.io/v1alpha1
-#kind: Application
+kind: Application
-#metadata:
+metadata:
-#  name: crowdsec
+  name: crowdsec
-#  namespace: argocd
+  namespace: argocd
-#spec:
+spec:
-#  project: default
+  project: default
-#  source:
+  source:
-#    repoURL: https://gitlab.com/developerdurp/homelab.git
+    repoURL: https://gitlab.com/developerdurp/homelab.git
-#    targetRevision: main
+    targetRevision: main
-#    path: dmz/crowdsec
+    path: dmz/crowdsec
-#  destination:
+  destination:
-#    namespace: crowdsec
+    namespace: crowdsec
-#    name: dmz
+    name: dmz
-#  syncPolicy:
+  syncPolicy:
-#    automated:
+    automated:
-#      prune: true
+      prune: true
-#      selfHeal: true
+      selfHeal: true
-#    syncOptions:
+    syncOptions:
-#      - CreateNamespace=true
+      - CreateNamespace=true
--- a/infra/argocd/templates/kube-prometheus-stack.yaml
+++ b/infra/argocd/templates/kube-prometheus-stack.yaml
@@ -1,20 +0,0 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: kube-prometheus-stack
  namespace: argocd
 spec:
  project: default
  source:
    repoURL: https://gitlab.com/developerdurp/homelab.git
    targetRevision: main
    path: infra/kube-prometheus-stack
  destination:
    namespace: kube-prometheus-stack
    name: in-cluster
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=true
--- a/infra/argocd/values.yaml
+++ b/infra/argocd/values.yaml
@@ -50,7 +50,6 @@ argo-cd:
            name: authentik
            type: oidc
            id: authentik
      resource.exclusions: ""
    rbac:
      create: true
@@ -61,4 +60,4 @@ argo-cd:
  server:
    route:
-      enabled: false
+      enabled: false
--- a/infra/bitwarden/templates/deployment.yaml
+++ b/infra/bitwarden/templates/deployment.yaml
@@ -17,7 +17,7 @@ spec:
    spec:
      containers:
        - name: bitwarden
-          image: registry.durp.info/vaultwarden/server:1.34.3
+          image: registry.durp.info/vaultwarden/server:1.33.2
          imagePullPolicy: Always
          volumeMounts:
            - name: bitwarden-pvc
--- a/infra/cert-manager/Chart.yaml
+++ b/infra/cert-manager/Chart.yaml
@@ -8,4 +8,4 @@ appVersion: 0.0.1
 dependencies:
 - name: cert-manager
  repository: https://charts.jetstack.io
-  version: v1.19.1
+  version: v1.18.2
--- a/infra/crossplane/Chart.yaml
+++ b/infra/crossplane/Chart.yaml
@@ -0,0 +1,11 @@
 apiVersion: v2
 name: crossplane
 description: A Helm chart for Kubernetes
 type: application
 version: 0.1.0
 appVersion: "1.16.0"
 #dependencies:
 #  - name: crossplane
 #    repository: https://charts.crossplane.io/stable
 #    version: 1.19.1
--- a/infra/crossplane/templates/argocd.yaml
+++ b/infra/crossplane/templates/argocd.yaml
@@ -0,0 +1,6 @@
 #apiVersion: pkg.crossplane.io/v1
 #kind: Provider
 #metadata:
 #  name: provider-argocd
 #spec:
 #  package: xpkg.upbound.io/crossplane-contrib/provider-argocd:v0.10.1
--- a/infra/crossplane/templates/gitlab.yml
+++ b/infra/crossplane/templates/gitlab.yml
@@ -0,0 +1,57 @@
 #apiVersion: pkg.crossplane.io/v1
 #kind: Provider
 #metadata:
 #  name: provider-gitlab
 #spec:
 #  package: xpkg.upbound.io/crossplane-contrib/provider-gitlab:v0.10.4
 #---
 #apiVersion: v1
 #kind: ServiceAccount
 #metadata:
 #  name: vault
 #
 #---
 #apiVersion: external-secrets.io/v1
 #kind: ExternalSecret
 #metadata:
 #  name: gitlab-secret
 #spec:
 #  secretStoreRef:
 #    name: vault
 #    kind: ClusterSecretStore
 #  target:
 #    name: gitlab-secret
 #  data:
 #    - secretKey: accesstoken
 #      remoteRef:
 #        key: kv/renovate
 #        property: RENOVATE_TOKEN
 #
 #---
 #apiVersion: gitlab.crossplane.io/v1beta1
 #kind: ProviderConfig
 #metadata:
 #  name: gitlab-provider
 #spec:
 #  baseURL: https://gitlab.com/
 #  credentials:
 #    source: Secret
 #    secretRef:
 #      namespace: crossplane
 #      name: gitlab-secret
 #      key: accesstoken
 #---
 #apiVersion: projects.gitlab.crossplane.io/v1alpha1
 #kind: Project
 #metadata:
 #  name: example-project
 #spec:
 #  deletionPolicy: Orphan
 #  forProvider:
 #    name: "Example Project"
 #    description: "example project description"
 #  providerConfigRef:
 #    name: gitlab-provider
 #    policy:
 #      resolution: Optional
 #      resolve: Always
--- a/infra/crossplane/templates/proxmoxBackupServer.yaml
+++ b/infra/crossplane/templates/proxmoxBackupServer.yaml
@@ -0,0 +1,115 @@
 #apiVersion: opentofu.upbound.io/v1beta1
 #kind: Workspace
 #metadata:
 #  name: proxmoxbackupserver
 #  annotations:
 #    crossplane.io/external-name: proxmoxbackupserver
 #spec:
 #  forProvider:
 #    source: Inline
 #    env:
 #      - name: TF_VAR_pm_api_url
 #        secretKeyRef:
 #          namespace: crossplane
 #          name: proxmox-secret
 #          key: pm_api_url
 #      - name: TF_VAR_pm_password
 #        secretKeyRef:
 #          namespace: crossplane
 #          name: proxmox-secret
 #          key: pm_password
 #      - name: TF_VAR_pm_user
 #        secretKeyRef:
 #          namespace: crossplane
 #          name: proxmox-secret
 #          key: pm_user
 #    module: |
 #
 #      provider "proxmox" {
 #        pm_parallel     = 1
 #        pm_tls_insecure = true
 #        pm_api_url      = var.pm_api_url
 #        pm_user         = var.pm_user
 #        pm_password     = var.pm_password
 #        pm_debug        = false
 #      }
 #
 #      variable "pm_api_url" {
 #        description = "API URL to Proxmox provider"
 #        type        = string
 #      }
 #
 #      variable "pm_password" {
 #        description = "Passowrd to Proxmox provider"
 #        type        = string
 #      }
 #
 #      variable "pm_user" {
 #        description = "Username to Proxmox provider"
 #        type        = string
 #      }
 #
 #      locals {
 #        format    = "raw"
 #        dnsserver = "192.168.10.1"
 #        vlan      = 21
 #        proxmoxBackup = {
 #          tags    = "Proxmox"
 #          count   = 1
 #          name    = ["Proxmox-BackupServer"]
 #          cores   = 2
 #          memory  = "4096"
 #          drive   = 1024
 #          storage = "domains"
 #          node    = ["mothership"]
 #          ip      = ["250"]
 #        }
 #      }
 #
 #      resource "proxmox_vm_qemu" "proxmoxBackup" {
 #        count       = local.proxmoxBackup.count
 #        ciuser      = "administrator"
 #        vmid        = "${local.vlan}${local.proxmoxBackup.ip[count.index]}"
 #        name        = local.proxmoxBackup.name[count.index]
 #        target_node = local.proxmoxBackup.node[count.index]
 #        tags        = local.proxmoxBackup.tags
 #        qemu_os     = "l26"
 #        os_type     = "cloud-init"
 #        agent       = 1
 #        cores       = local.proxmoxBackup.cores
 #        sockets     = 1
 #        cpu_type    = "host"
 #        memory      = local.proxmoxBackup.memory
 #        scsihw      = "virtio-scsi-pci"
 #        #bootdisk    = "scsi0"
 #        boot    = "order=virtio0"
 #        onboot  = true
 #        vga {
 #          type = "serial0"
 #        }
 #        serial {
 #          id   = 0
 #          type = "socket"
 #        }
 #        disks {
 #          virtio {
 #            virtio0 {
 #              disk {
 #                size    = local.proxmoxBackup.drive
 #                format  = local.format
 #                storage = local.proxmoxBackup.storage
 #              }
 #            }
 #          }
 #        }
 #        network {
 #          id     = 0
 #          model  = "virtio"
 #          bridge = "vmbr0"
 #          tag    = local.vlan
 #        }
 #      }
 #
 #  writeConnectionSecretToRef:
 #    namespace: crossplane
 #    name: opentofu-workspace-example-inline
--- a/infra/crossplane/templates/tofu.yml
+++ b/infra/crossplane/templates/tofu.yml
@@ -0,0 +1,61 @@
 #apiVersion: pkg.crossplane.io/v1
 #kind: Provider
 #metadata:
 #  name: provider-opentofu
 #spec:
 #  package: xpkg.upbound.io/upbound/provider-opentofu:v0
 #
 #---
 #apiVersion: external-secrets.io/v1
 #kind: ExternalSecret
 #metadata:
 #  name: proxmox-secret
 #spec:
 #  secretStoreRef:
 #    name: vault
 #    kind: ClusterSecretStore
 #  target:
 #    name: proxmox-secret
 #  data:
 #    - secretKey: pm_api_url
 #      remoteRef:
 #        key: kv/crossplane/proxmox
 #        property: pm_api_url
 #    - secretKey: pm_password
 #      remoteRef:
 #        key: kv/crossplane/proxmox
 #        property: pm_password
 #    - secretKey: pm_user
 #      remoteRef:
 #        key: kv/crossplane/proxmox
 #        property: pm_user
 #
 #---
 #apiVersion: opentofu.upbound.io/v1beta1
 #kind: ProviderConfig
 #metadata:
 #  name: default
 #spec:
 #  #credentials:
 #  #  - filename: gcp-credentials.json
 #  #    source: Secret
 #  #    secretRef:
 #  #      namespace: upbound-system
 #  #      name: opentofu-gcp-creds
 #  #      key: credentials
 #  configuration: |
 #
 #    // Modules _must_ use remote state. The provider does not persist state.
 #    terraform {
 #      backend "kubernetes" {
 #        secret_suffix     = "providerconfig-default"
 #        namespace         = "crossplane"
 #        in_cluster_config = true
 #      }
 #      required_providers {
 #        proxmox = {
 #          source  = "Telmate/proxmox"
 #          version = "3.0.1-rc9"
 #        }
 #      }
 #    }
--- a/infra/kube-prometheus-stack/Chart.yaml
+++ b/infra/kube-prometheus-stack/Chart.yaml
@@ -1,12 +0,0 @@
 apiVersion: v2
 name: kube-prometheus-stack
 description: A Helm chart for Kubernetes
 type: application
 version: 0.1.0
 appVersion: "1.16.0"
 dependencies:
  - name: kube-prometheus-stack
    repository: https://prometheus-community.github.io/helm-charts
    version: 77.10.0
--- a/infra/kube-prometheus-stack/templates/grafana-secrets-sealed.yaml
+++ b/infra/kube-prometheus-stack/templates/grafana-secrets-sealed.yaml
@@ -1,46 +0,0 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: vault
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: vault-grafana-oauth
 spec:
  secretStoreRef:
    name: vault
    kind: ClusterSecretStore
  target:
    name: grafana-oauth
  data:
    - secretKey: GF_AUTH_GENERIC_OAUTH_CLIENT_ID
      remoteRef:
        key: kv/grafana/oauth
        property: GF_AUTH_GENERIC_OAUTH_CLIENT_ID
    - secretKey: GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET
      remoteRef:
        key: kv/grafana/oauth
        property: GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
  name: vault-admin-credentials
 spec:
  secretStoreRef:
    name: vault
    kind: ClusterSecretStore
  target:
    name: grafana-admin-credentials
  data:
    - secretKey: admin-password
      remoteRef:
        key: kv/grafana/admin
        property: password
    - secretKey: admin-user
      remoteRef:
        key: kv/grafana/admin
        property: user
--- a/infra/kube-prometheus-stack/templates/ingress.yaml
+++ b/infra/kube-prometheus-stack/templates/ingress.yaml
@@ -1,77 +0,0 @@
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: grafana-ingress
 spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`grafana.durp.info`) && PathPrefix(`/`)
      kind: Rule
      services:
        - name: grafana
          port: 80
  tls:
    secretName: grafana-tls
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: grafana-tls
 spec:
  secretName: grafana-tls
  issuerRef:
    name: letsencrypt-production
    kind: ClusterIssuer
  commonName: "grafana.durp.info"
  dnsNames:
    - "grafana.durp.info"
 ---
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: alertmanager-ingress
 spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`alertmanager.durp.info`) && PathPrefix(`/`)
      middlewares:
        - name: whitelist
          namespace: traefik
        - name: authentik-proxy-provider
          namespace: traefik
      kind: Rule
      services:
        - name: prometheus-alertmanager
          port: 9093
  tls:
    secretName: alertmanager-tls
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: alertmanager-tls
 spec:
  secretName: alertmanager-tls
  issuerRef:
    name: letsencrypt-production
    kind: ClusterIssuer
  commonName: "alertmanager.durp.info"
  dnsNames:
    - "alertmanager.durp.info"
 ---
 kind: Service
 apiVersion: v1
 metadata:
  name: grafana-external-dns
  annotations:
    external-dns.alpha.kubernetes.io/hostname: grafana.durp.info
 spec:
  type: ExternalName
  externalName: durp.info
--- a/infra/kube-prometheus-stack/values.yaml
+++ b/infra/kube-prometheus-stack/values.yaml
@@ -1,203 +0,0 @@
 kube-prometheus-stack:
  fullnameOverride: prometheus
  defaultRules:
    create: true
    rules:
      alertmanager: true
      etcd: true
      configReloaders: true
      general: true
      k8s: true
      kubeApiserverAvailability: true
      kubeApiserverBurnrate: true
      kubeApiserverHistogram: true
      kubeApiserverSlos: true
      kubelet: true
      kubeProxy: true
      kubePrometheusGeneral: true
      kubePrometheusNodeRecording: true
      kubernetesApps: true
      kubernetesResources: true
      kubernetesStorage: true
      kubernetesSystem: true
      kubeScheduler: true
      kubeStateMetrics: true
      network: true
      node: true
      nodeExporterAlerting: true
      nodeExporterRecording: true
      prometheus: true
      prometheusOperator: true
  alertmanager:
    fullnameOverride: alertmanager
    enabled: true
    ingress:
      enabled: false
  grafana:
    enabled: true
    fullnameOverride: grafana
    forceDeployDatasources: false
    forceDeployDashboards: false
    defaultDashboardsEnabled: true
    defaultDashboardsTimezone: utc
    plugins:
      - grafana-polystat-panel
    serviceMonitor:
      enabled: true
    admin:
      existingSecret: grafana-admin-credentials
      userKey: admin-user
      passwordKey: admin-password
    ingress:
      enabled: false
    grafana.ini:
      server:
        root_url: https://grafana.durp.info
      auth.generic_oauth:
        enabled: true
        scopes: openid profile email
        auth_url: https://authentik.durp.info/application/o/authorize/
        token_url: https://authentik.durp.info/application/o/token/
        api_url: https://authentik.durp.info/application/o/userinfo/
    envFromSecret: "grafana-oauth"
  kubeApiServer:
    enabled: true
  kubelet:
    enabled: true
    serviceMonitor:
      metricRelabelings:
        - action: replace
          sourceLabels:
            - node
          targetLabel: instance
  kubeControllerManager:
    enabled: true
    endpoints: # ips of servers
      - 192.168.12.11
      - 192.168.12.12
      - 192.168.12.13
  coreDns:
    enabled: false
  kubeDns:
    enabled: false
  kubeEtcd:
    enabled: true
    endpoints: # ips of servers
      - 192.168.12.11
      - 192.168.12.12
      - 192.168.12.13
    service:
      enabled: true
      port: 2381
      targetPort: 2381
  kubeScheduler:
    enabled: true
    endpoints: # ips of servers
      - 192.168.12.11
      - 192.168.12.12
      - 192.168.12.13
  kubeProxy:
    enabled: true
    endpoints: # ips of servers
      - 192.168.12.11
      - 192.168.12.12
      - 192.168.12.13
  kubeStateMetrics:
    enabled: true
  kube-state-metrics:
    fullnameOverride: kube-state-metrics
    selfMonitor:
      enabled: true
    prometheus:
      monitor:
        enabled: true
        relabelings:
          - action: replace
            regex: (.*)
            replacement: $1
            sourceLabels:
              - __meta_kubernetes_pod_node_name
            targetLabel: kubernetes_node
  nodeExporter:
    enabled: true
    serviceMonitor:
      relabelings:
        - action: replace
          regex: (.*)
          replacement: $1
          sourceLabels:
            - __meta_kubernetes_pod_node_name
          targetLabel: kubernetes_node
  prometheus-node-exporter:
    fullnameOverride: node-exporter
    podLabels:
      jobLabel: node-exporter
    extraArgs:
      - --collector.filesystem.mount-points-exclude=^/(dev|proc|sys|var/lib/docker/.+|var/lib/kubelet/.+)($|/)
      - --collector.filesystem.fs-types-exclude=^(autofs|binfmt_misc|bpf|cgroup2?|configfs|debugfs|devpts|devtmpfs|fusectl|hugetlbfs|iso9660|mqueue|nsfs|overlay|proc|procfs|pstore|rpc_pipefs|securityfs|selinuxfs|squashfs|sysfs|tracefs)$
    service:
      portName: http-metrics
    prometheus:
      monitor:
        enabled: true
        relabelings:
          - action: replace
            regex: (.*)
            replacement: $1
            sourceLabels:
              - __meta_kubernetes_pod_node_name
            targetLabel: kubernetes_node
    resources:
      requests:
        memory: 512Mi
        cpu: 250m
      limits:
        memory: 2048Mi
  prometheusOperator:
    enabled: true
    prometheusConfigReloader:
      resources:
        requests:
          cpu: 200m
          memory: 50Mi
        limits:
          memory: 100Mi
  prometheus:
    enabled: true
    prometheusSpec:
      replicas: 1
      replicaExternalLabelName: "replica"
      ruleSelectorNilUsesHelmValues: false
      serviceMonitorSelectorNilUsesHelmValues: false
      podMonitorSelectorNilUsesHelmValues: false
      probeSelectorNilUsesHelmValues: false
      retention: 6h
      enableAdminAPI: true
      walCompression: true
      storageSpec:
        volumeClaimTemplate:
          spec:
            storageClassName: longhorn
            accessModes: ["ReadWriteMany"]
            resources:
              requests:
                storage: 20Gi
  thanosRuler:
    enabled: false
--- a/infra/octopusdeploy/Chart.yaml
+++ b/infra/octopusdeploy/Chart.yaml
@@ -9,4 +9,4 @@ appVersion: "1.16.0"
 dependencies:
  - name: octopusdeploy-helm
    repository: oci://ghcr.io/octopusdeploy
-    version: 1.7.0
+    version: 1.4.0
--- a/infra/octopusdeploy/values.yaml
+++ b/infra/octopusdeploy/values.yaml
@@ -2,7 +2,7 @@ octopusdeploy-helm:
  octopus:
    image:
      repository: registry.durp.info/octopusdeploy/octopusdeploy
-      tag: 2025.3
+      tag: 2025.1
    createSecrets: false
    acceptEula: Y
    replicaCount: 3
--- a/master/cert-manager/Chart.yaml
+++ b/master/cert-manager/Chart.yaml
@@ -8,4 +8,4 @@ appVersion: 0.0.1
 dependencies:
 - name: cert-manager
  repository: https://charts.jetstack.io
-  version: v1.19.1
+  version: v1.18.2
--- a/prd/cert-manager/Chart.yaml
+++ b/prd/cert-manager/Chart.yaml
@@ -8,4 +8,4 @@ appVersion: 0.0.1
 dependencies:
 - name: cert-manager
  repository: https://charts.jetstack.io
-  version: v1.19.1
+  version: v1.18.2
`@@ -1,2 +1 @@`
	`sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIGilcndatMrXg06VxtNKuIo3scoyyXbYX8Z7cOjeA102AAAABHNzaDo= desktop-arch-09-08-2025-yubikey`	`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGhPVgL8gXdRTw0E2FvlOUoUI4vd794nB0nZVIsc+U5M`
	`sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAINsbNSZ5Wr+50Ahz+IeZxt6F7gZ6wm1J8uKXQLbdbKFaAAAABHNzaDo= desktop-arch-09-08-2025-yubikeyNano`