A lot of untrackable changes

2024-09-03 14:15:47 +02:00 · 2024-09-03 14:15:47 +02:00 · 4daf2f24f7
commit 4daf2f24f7
parent 32429140d2
46 changed files with 1311 additions and 549 deletions
--- a/common/environments.yaml
+++ b/common/environments.yaml
@ -1,5 +1,21 @@
 environments:
  badhouseplants:
    kubeContext: badhouseplants
    values:
      - velero:
          enabled: true
      - workload:
          enabled: true
      - backups:
          enabled: false
  etersoft:
    kubeContext: etersoft
    values:
      - velero:
          enabled: false
      - workload:
          enabled: false
      - backups:
          enabled: true
--- a/helmfile.yaml
+++ b/helmfile.yaml
--- a/installations/applications/helmfile.yaml
+++ b/installations/applications/helmfile.yaml
@ -5,7 +5,10 @@ bases:
 repositories:
  - name: softplayer-oci
-    url: registry.badhouseplants.net/softplayer/helm
+    url: zot.badhouseplants.net/softplayer/helm
    oci: true
  - name: allanger-oci
    url: zot.badhouseplants.net/allanger/helm
    oci: true
  - name: requarks
    url: https://charts.js.wiki
@ -28,6 +31,8 @@ repositories:
  - name: allangers-charts
    url: ghcr.io/allanger/allangers-charts
    oci: true
  - name: robjuz 
    url: https://robjuz.github.io/helm-charts/
 releases:
  - name: authentik
@ -80,16 +85,16 @@ releases:
  - name: nrodionov
    chart: bitnami/wordpress
-    version: 22.4.20
+    version: 23.1.7
    namespace: applications
    inherit:
      - template: default-env-values
      - template: default-env-secrets
      - template: ext-database
-  - name: openvpn-xor
+  - name: openvpn
-    chart: softplayer-oci/openvpn-xor
+    chart: allanger-oci/openvpn
-    version: 1.2.0
+    version: 0.0.1
    namespace: applications
    inherit:
      - template: default-env-values
@ -152,3 +157,12 @@ releases:
    inherit:
      - template: default-env-values
      - template: default-env-secrets
  - name: kimai
    chart: robjuz/kimai2
    namespace: applications
    version: 4.2.3
    inherit:
      - template: default-env-values
      #- template: default-env-secrets
      - template: ext-database
--- a/installations/games/helmfile.yaml
+++ b/installations/games/helmfile.yaml
@ -14,7 +14,7 @@ releases:
  - name: minecraft
    chart: minecraft/minecraft
    namespace: games
-    version: 4.20.0
+    version: 4.21.0
    inherit:
      - template: ext-tcp-routes
      - template: default-env-values
--- a/installations/platform/helmfile.yaml
+++ b/installations/platform/helmfile.yaml
@ -12,26 +12,41 @@ repositories:
    url: https://zotregistry.dev/helm-charts/
  - name: bedag
    url: https://bedag.github.io/helm-charts/
-  - name: percona 
+  - name: minio-standalone
-    url: https://percona.github.io/percona-helm-charts/
+    url: https://charts.min.io/
  - name: minio 
    url: https://operator.min.io/
  - name: fluxcd-community 
    url: https://fluxcd-community.github.io/helm-charts
  - name: crossplane-stable 
    url: https://charts.crossplane.io/stable
 releases:
  - name: argocd
    chart: argo/argo-cd
    namespace: platform
-    version: 7.3.6
+    condition: workload.enabled
    version: 7.5.2
    inherit:
      - template: default-env-values
      - template: default-env-secrets
  - name: flux
    chart: fluxcd-community/flux2
    namespace: platform
    condition: workload.enabled
    version: 2.13.0
  - name: db-operator
    namespace: platform
    chart: db-operator/db-operator
-    version: 1.27.2
+    condition: workload.enabled
    version: 1.28.0
  - name: db-instances
    chart: db-operator/db-instances
    namespace: platform
    condition: workload.enabled
    needs:
      - platform/db-operator
    version: 2.3.4
@ -41,16 +56,44 @@ releases:
  - name: zot
    chart: zot/zot
-    version: 0.1.57
+    version: 0.1.60
    createNamespace: false
    namespace: platform
    condition: workload.enabled
    inherit:
      - template: default-env-values
      - template: default-env-secrets
-  - name: pg-operator
+  - name: minio
-    chart: percona/pg-operator
+    chart: minio-standalone/minio
-    installed: false
+    version: 5.2.0
    version: 2.4.0
    createNamespace: false
    namespace: platform
    condition: backups.enabled
    inherit:
      - template: default-env-values
      - template: default-env-secrets
  - name: minio-operator
    chart: minio/operator
    version: 6.0.3
    namespace: platform
    condition: workload.enabled
    inherit:
      - template: default-env-values
  - name: minio-tenant
    chart: minio/tenant
    version: 6.0.3
    namespace: platform
    condition: workload.enabled
    inherit:
      - template: default-env-values
  #     - template: default-env-secrets
  - name: crossplane
    chart: crossplane-stable/crossplane
    version: 1.17.0
    namespace: platform
    condition: workload.enabled
    inherit:
      - template: default-env-values
--- a/installations/storage/helmfile.yaml
+++ b/installations/storage/helmfile.yaml
@ -8,15 +8,13 @@ repositories:
    url: https://charts.longhorn.io
  - name: rook-release 
    url: https://charts.rook.io/release
  - name: local-path-provisioner
    url: git+https://github.com/rancher/local-path-provisioner@deploy/chart?ref=v0.0.28
 releases:
  - name: rook-ceph
    chart: rook-release/rook-ceph
    installed: true
    namespace: rook-ceph
-    version: v1.14.9
+    version: v1.14.6
    inherit:
      - template: default-env-values
@ -24,7 +22,7 @@ releases:
    chart: rook-release/rook-ceph-cluster
    installed: true
    namespace: rook-ceph
-    version: v1.14.9
+    version: v1.14.6
    needs:
      - rook-ceph/rook-ceph
    inherit:
@ -40,10 +38,3 @@ releases:
      - template: default-env-secrets
      - template: ext-secret
  - name: local-path-provisioner
    chart: local-path-provisioner/local-path-provisioner
    installed: false
    createNamespace: false
    namespace: kube-system
    inherit:
      - template: default-env-values
--- a/installations/system/helmfile.yaml
+++ b/installations/system/helmfile.yaml
@ -24,8 +24,7 @@ repositories:
    url: https://piraeus.io/helm-charts/
  - name: vmware-tanzu 
    url: https://vmware-tanzu.github.io/helm-charts/
-  - name: local-path-provisioner
+
    url: git+https://github.com/rancher/local-path-provisioner@deploy/chart?ref=v0.0.28
 releases:
  - name: namespaces
    chart: '{{ requiredEnv "PWD" }}/charts/namespaces/chart'
@ -45,7 +44,7 @@ releases:
  - name: coredns
    chart: coredns/coredns
-    version: 1.31.0
+    version: 1.32.0
    namespace: kube-system
    inherit:
      - template: default-env-values
@ -55,6 +54,7 @@ releases:
    installed: true
    version: 3.0.5
    namespace: kube-system
    condition: velero.enabled
    needs:
      - kube-system/cilium
    inherit:
@ -62,7 +62,7 @@ releases:
  - name: cilium
    chart: cilium/cilium
-    version: 1.16.0
+    version: 1.16.1
    namespace: kube-system
    needs:
      - kube-system/coredns
@ -71,7 +71,7 @@ releases:
  - name: cert-manager
    chart: jetstack/cert-manager
-    version: 1.15.2
+    version: 1.15.3
    namespace: kube-system
    needs:
      - kube-system/cilium
@ -116,7 +116,7 @@ releases:
  - name: traefik
    chart: traefik/traefik
-    version: 30.0.2
+    version: 30.1.0
    namespace: kube-system
    needs:
      - kube-system/cilium
@ -126,16 +126,11 @@ releases:
  - name: velero
    chart: vmware-tanzu/velero
    namespace: kube-system
-    version: 7.1.4
+    version: 7.1.5
    condition: velero.enabled
    needs:
      - kube-system/cilium
    inherit:
      - template: default-env-values
      - template: default-env-secrets
-  
+      - template: crd-management-hook
  - name: local-path-provisioner
    chart: local-path-provisioner/local-path-provisioner
    createNamespace: false
    namespace: kube-system
    inherit:
      - template: default-env-values
--- a/manifests/app.yaml
+++ b/manifests/app.yaml
@ -0,0 +1,18 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: test-apps
  namespace: platform
 spec:
  destination:
    namespace: default
    server: https://kubernetes.default.svc
  project: default
  syncPolicy:
    automated:
      prune: true
  source:
    path: manifests/postgresql-15.5.21.tgz
    repoURL: https://gitea.badhouseplants.net/allanger/k8s-deployment.git
    targetRevision: main
    helm: {}
--- a/manifests/bucket.yaml
+++ b/manifests/bucket.yaml
@ -0,0 +1,12 @@
 apiVersion: minio.crossplane.io/v1
 kind: Bucket
 metadata:
  creationTimestamp: null
  name: bucket-local-dev
 spec:
  forProvider:
    region: us-east-1
  providerConfigRef:
    name: provider-config
 status:
  atProvider: {}
--- a/manifests/minio-secret.yaml
+++ b/manifests/minio-secret.yaml
@ -0,0 +1,7 @@
 apiVersion: v1
 stringData:
  AWS_ACCESS_KEY_ID: minio
  AWS_SECRET_ACCESS_KEY: minio123
 kind: Secret
 metadata:
  name: minio-secret
--- a/manifests/minio-tf-workspace.yaml
+++ b/manifests/minio-tf-workspace.yaml
@ -0,0 +1,164 @@
 apiVersion: tf.upbound.io/v1beta1
 kind: ProviderConfig
 metadata:
  name: minio
 spec:
  configuration: |
    provider minio {
      // required
      minio_server   = "s3-new.badhouseplants.net:443"
      minio_region   = "us-east-1"
      minio_ssl      = "true"
    }
    terraform {
      backend "kubernetes" {
        secret_suffix     = "minio-tf-state"
        namespace         = "platform"
        in_cluster_config = true
      }
      required_providers {
         minio = {
           source = "aminueza/minio"
           version = "2.4.3"
         }
      }
    }
 ---
 apiVersion: tf.upbound.io/v1beta1
 kind: Workspace
 metadata:
  name: example-bucket-creation
 spec:
  providerConfigRef:
    name: minio
  writeConnectionSecretToRef:
    namespace: platform
    name: tf-minio-state-output
  forProvider:
    source: Inline
    env:
      - name: MINIO_PASSWORD
        secretKeyRef:
          namespace: platform
          name: minio-secret
          key: AWS_SECRET_ACCESS_KEY
      - name: MINIO_USER
        secretKeyRef:
          namespace: platform
          name: minio-secret
          key: AWS_ACCESS_KEY_ID
    module: |
      resource "minio_s3_bucket" "states" {
        bucket = "states"
      }
      resource "minio_iam_user" "terraform" {
         name = "terraform"
         force_destroy = true
         tags = {
          service = "terraform"
        }
      }
      resource "minio_iam_policy" "terraform" {
        name = "state-terraform"
        policy= <<EOF
      {
        "Version":"2012-10-17",
        "Statement": [
          {
            "Sid":"terraform",
            "Effect": "Allow",
            "Action": ["s3:PutObject"],
            "Resource": "arn:aws:s3:::state-terraform-s3/*"
          }
        ]
      }
      EOF
      }
      resource "minio_iam_user_policy_attachment" "terraform" {
        user_name   = minio_iam_user.terraform.id
        policy_name = minio_iam_policy.terraform.id
      }
      output "MINIO_USERNAME" {
        value       = minio_iam_user.terraform.id
      }
      output "MINIO_PASSWORD" {
        value       = minio_iam_user.terraform.secret
        sensitive   = true
      }
 ---
 apiVersion: tf.upbound.io/v1beta1
 kind: ProviderConfig
 metadata:
  name: minio-backend
 spec:
  configuration: |
    provider minio {
      // required
      minio_server   = "s3-new.badhouseplants.net:443"
      minio_region   = "us-east-1"
      minio_ssl      = "true"
    }
    terraform {
      backend "s3" {
        bucket = "states"
        key    = "test"
        region = "us-east-1"
        endpoint = "https://s3-new.badhouseplants.net"
      }
      required_providers {
         minio = {
           source = "aminueza/minio"
           version = "2.4.3"
         }
      }
      skip_credentials_validation = true
      skip_metadata_api_check     = true
      skip_region_validation      = true
      use_path_style              = true
      skip_requesting_account_id  = true
    }
 ---
 apiVersion: tf.upbound.io/v1beta1
 kind: Workspace
 metadata:
  name: try-backend
 spec:
  providerConfigRef:
    name: minio-backend
  writeConnectionSecretToRef:
    namespace: platform
    name: tf-minio-state-output
  forProvider:
    source: Inline
    env:
      - name: MINIO_PASSWORD
        secretKeyRef:
          namespace: platform
          name: tf-minio-state-output
          key: MINIO_PASSWORD
      - name: MINIO_USER
        secretKeyRef:
          namespace: platform
          name: tf-minio-state-output
          key: MINIO_USERNAME
      - name: AWS_ACCESS_KEY_ID
        secretKeyRef:
          namespace: platform
          name: minio-secret
          key: AWS_ACCESS_KEY_ID
      - name: AWS_SECRET_ACCESS_KEY
        secretKeyRef:
          namespace: platform
          name: minio-secret
          key: AWS_SECRET_ACCESS_KEY
    module: |
      resource "minio_s3_bucket" "states" {
        bucket = "states-test"
      }
--- a/manifests/postgresql-15.5.21.tgz
+++ b/manifests/postgresql-15.5.21.tgz
--- a/values.yaml
+++ b/values.yaml
@ -1,333 +0,0 @@
 # Default values for longhorn.
 # This is a YAML-formatted file.
 # Declare variables to be passed into your templates.
 global:
  cattle:
    systemDefaultRegistry: ""
    windowsCluster:
      # Enable this to allow Longhorn to run on the Rancher deployed Windows cluster
      enabled: false
      # Tolerate Linux node taint
      tolerations:
      - key: "cattle.io/os"
        value: "linux"
        effect: "NoSchedule"
        operator: "Equal"
      # Select Linux nodes
      nodeSelector:
        kubernetes.io/os: "linux"
      # Recognize toleration and node selector for Longhorn run-time created components
      defaultSetting:
        taintToleration: cattle.io/os=linux:NoSchedule
        systemManagedComponentsNodeSelector: kubernetes.io/os:linux
 image:
  longhorn:
    engine:
      repository: longhornio/longhorn-engine
      tag: v1.4.0
    manager:
      repository: longhornio/longhorn-manager
      tag: v1.4.0
    ui:
      repository: longhornio/longhorn-ui
      tag: v1.4.0
    instanceManager:
      repository: longhornio/longhorn-instance-manager
      tag: v1.4.0
    shareManager:
      repository: longhornio/longhorn-share-manager
      tag: v1.4.0
    backingImageManager:
      repository: longhornio/backing-image-manager
      tag: v1.4.0
    supportBundleKit:
      repository: longhornio/support-bundle-kit
      tag: v0.0.17
  csi:
    attacher:
      repository: longhornio/csi-attacher
      tag: v3.4.0
    provisioner:
      repository: longhornio/csi-provisioner
      tag: v2.1.2
    nodeDriverRegistrar:
      repository: longhornio/csi-node-driver-registrar
      tag: v2.5.0
    resizer:
      repository: longhornio/csi-resizer
      tag: v1.3.0
    snapshotter:
      repository: longhornio/csi-snapshotter
      tag: v5.0.1
    livenessProbe:
      repository: longhornio/livenessprobe
      tag: v2.8.0
  pullPolicy: IfNotPresent
 service:
  ui:
    type: ClusterIP
    nodePort: null
  manager:
    type: ClusterIP
    nodePort: ""
    loadBalancerIP: ""
    loadBalancerSourceRanges: ""
 persistence:
  defaultClass: true
  defaultFsType: ext4
  defaultMkfsParams: ""
  defaultClassReplicaCount: 3
  defaultDataLocality: disabled # best-effort otherwise
  defaultReplicaAutoBalance: ignored # "disabled", "least-effort" or "best-effort" otherwise
  reclaimPolicy: Delete
  migratable: false
  recurringJobSelector:
    enable: false
    jobList: []
  backingImage:
    enable: false
    name: ~
    dataSourceType: ~
    dataSourceParameters: ~
    expectedChecksum: ~
  defaultNodeSelector:
    enable: false # disable by default
    selector: []
  removeSnapshotsDuringFilesystemTrim: ignored # "enabled" or "disabled" otherwise
 csi:
  kubeletRootDir: ~
  attacherReplicaCount: ~
  provisionerReplicaCount: ~
  resizerReplicaCount: ~
  snapshotterReplicaCount: ~
 defaultSettings:
  backupTarget: ~
  backupTargetCredentialSecret: ~
  allowRecurringJobWhileVolumeDetached: ~
  createDefaultDiskLabeledNodes: ~
  defaultDataPath: ~
  defaultDataLocality: ~
  replicaSoftAntiAffinity: ~
  replicaAutoBalance: ~
  storageOverProvisioningPercentage: ~
  storageMinimalAvailablePercentage: ~
  upgradeChecker: ~
  defaultReplicaCount: ~
  defaultLonghornStaticStorageClass: ~
  backupstorePollInterval: ~
  failedBackupTTL: ~
  restoreVolumeRecurringJobs: ~
  recurringSuccessfulJobsHistoryLimit: ~
  recurringFailedJobsHistoryLimit: ~
  supportBundleFailedHistoryLimit: ~
  taintToleration: ~
  systemManagedComponentsNodeSelector: ~
  priorityClass: ~
  autoSalvage: ~
  autoDeletePodWhenVolumeDetachedUnexpectedly: ~
  disableSchedulingOnCordonedNode: ~
  replicaZoneSoftAntiAffinity: ~
  nodeDownPodDeletionPolicy: ~
  allowNodeDrainWithLastHealthyReplica: ~
  mkfsExt4Parameters: ~
  disableReplicaRebuild: ~
  replicaReplenishmentWaitInterval: ~
  concurrentReplicaRebuildPerNodeLimit: ~
  concurrentVolumeBackupRestorePerNodeLimit: ~
  disableRevisionCounter: ~
  systemManagedPodsImagePullPolicy: ~
  allowVolumeCreationWithDegradedAvailability: ~
  autoCleanupSystemGeneratedSnapshot: ~
  concurrentAutomaticEngineUpgradePerNodeLimit: ~
  backingImageCleanupWaitInterval: ~
  backingImageRecoveryWaitInterval: ~
  guaranteedEngineManagerCPU: ~
  guaranteedReplicaManagerCPU: ~
  kubernetesClusterAutoscalerEnabled: ~
  orphanAutoDeletion: ~
  storageNetwork: ~
  deletingConfirmationFlag: ~
  engineReplicaTimeout: ~
  snapshotDataIntegrity: ~
  snapshotDataIntegrityImmediateCheckAfterSnapshotCreation: ~
  snapshotDataIntegrityCronjob: ~
  removeSnapshotsDuringFilesystemTrim: ~
  fastReplicaRebuildEnabled: ~
  replicaFileSyncHttpClientTimeout: ~
 privateRegistry:
  createSecret: ~
  registryUrl: ~
  registryUser: ~
  registryPasswd: ~
  registrySecret: ~
 longhornManager:
  log:
    ## Allowed values are `plain` or `json`.
    format: plain
  priorityClass: ~
  tolerations: []
  ## If you want to set tolerations for Longhorn Manager DaemonSet, delete the `[]` in the line above
  ## and uncomment this example block
  # - key: "key"
  #   operator: "Equal"
  #   value: "value"
  #   effect: "NoSchedule"
  nodeSelector: {}
  ## If you want to set node selector for Longhorn Manager DaemonSet, delete the `{}` in the line above
  ## and uncomment this example block
  #  label-key1: "label-value1"
  #  label-key2: "label-value2"
  serviceAnnotations: {}
  ## If you want to set annotations for the Longhorn Manager service, delete the `{}` in the line above
  ## and uncomment this example block
  #  annotation-key1: "annotation-value1"
  #  annotation-key2: "annotation-value2"
 longhornDriver:
  priorityClass: ~
  tolerations: []
  ## If you want to set tolerations for Longhorn Driver Deployer Deployment, delete the `[]` in the line above
  ## and uncomment this example block
  # - key: "key"
  #   operator: "Equal"
  #   value: "value"
  #   effect: "NoSchedule"
  nodeSelector: {}
  ## If you want to set node selector for Longhorn Driver Deployer Deployment, delete the `{}` in the line above
  ## and uncomment this example block
  #  label-key1: "label-value1"
  #  label-key2: "label-value2"
 longhornUI:
  replicas: 2
  priorityClass: ~
  tolerations: []
  ## If you want to set tolerations for Longhorn UI Deployment, delete the `[]` in the line above
  ## and uncomment this example block
  # - key: "key"
  #   operator: "Equal"
  #   value: "value"
  #   effect: "NoSchedule"
  nodeSelector: {}
  ## If you want to set node selector for Longhorn UI Deployment, delete the `{}` in the line above
  ## and uncomment this example block
  #  label-key1: "label-value1"
  #  label-key2: "label-value2"
 longhornConversionWebhook:
  replicas: 2
  priorityClass: ~
  tolerations: []
  ## If you want to set tolerations for Longhorn conversion webhook Deployment, delete the `[]` in the line above
  ## and uncomment this example block
  # - key: "key"
  #   operator: "Equal"
  #   value: "value"
  #   effect: "NoSchedule"
  nodeSelector: {}
  ## If you want to set node selector for Longhorn conversion webhook Deployment, delete the `{}` in the line above
  ## and uncomment this example block
  #  label-key1: "label-value1"
  #  label-key2: "label-value2"
 longhornAdmissionWebhook:
  replicas: 2
  priorityClass: ~
  tolerations: []
  ## If you want to set tolerations for Longhorn admission webhook Deployment, delete the `[]` in the line above
  ## and uncomment this example block
  # - key: "key"
  #   operator: "Equal"
  #   value: "value"
  #   effect: "NoSchedule"
  nodeSelector: {}
  ## If you want to set node selector for Longhorn admission webhook Deployment, delete the `{}` in the line above
  ## and uncomment this example block
  #  label-key1: "label-value1"
  #  label-key2: "label-value2"
 longhornRecoveryBackend:
  replicas: 2
  priorityClass: ~
  tolerations: []
  ## If you want to set tolerations for Longhorn recovery backend Deployment, delete the `[]` in the line above
  ## and uncomment this example block
  # - key: "key"
  #   operator: "Equal"
  #   value: "value"
  #   effect: "NoSchedule"
  nodeSelector: {}
  ## If you want to set node selector for Longhorn recovery backend Deployment, delete the `{}` in the line above
  ## and uncomment this example block
  #  label-key1: "label-value1"
  #  label-key2: "label-value2"
 ingress:
  ## Set to true to enable ingress record generation
  enabled: false
  ## Add ingressClassName to the Ingress
  ## Can replace the kubernetes.io/ingress.class annotation on v1.18+
  ingressClassName: ~
  host: sslip.io
  ## Set this to true in order to enable TLS on the ingress record
  tls: false
  ## Enable this in order to enable that the backend service will be connected at port 443
  secureBackends: false
  ## If TLS is set to true, you must declare what secret will store the key/certificate for TLS
  tlsSecret: longhorn.local-tls
  ## If ingress is enabled you can set the default ingress path
  ## then you can access the UI by using the following full path {{host}}+{{path}}
  path: /
  ## Ingress annotations done as key:value pairs
  ## If you're using kube-lego, you will want to add:
  ## kubernetes.io/tls-acme: true
  ##
  ## For a full list of possible ingress annotations, please see
  ## ref: https://github.com/kubernetes/ingress-nginx/blob/master/docs/annotations.md
  ##
  ## If tls is set to true, annotation ingress.kubernetes.io/secure-backends: "true" will automatically be set
  annotations:
  #  kubernetes.io/ingress.class: nginx
  #  kubernetes.io/tls-acme: true
  secrets:
  ## If you're providing your own certificates, please use this to add the certificates as secrets
  ## key and certificate should start with -----BEGIN CERTIFICATE----- or
  ## -----BEGIN RSA PRIVATE KEY-----
  ##
  ## name should line up with a tlsSecret set further up
  ## If you're using kube-lego, this is unneeded, as it will create the secret for you if it is not set
  ##
  ## It is also possible to create and manage the certificates outside of this helm chart
  ## Please see README.md for more information
  # - name: longhorn.local-tls
  #   key:
  #   certificate:
 #  For Kubernetes < v1.25, if your cluster enables Pod Security Policy admission controller,
 #  set this to `true` to ship longhorn-psp which allow privileged Longhorn pods to start
 enablePSP: false
 ## Specify override namespace, specifically this is useful for using longhorn as sub-chart
 ## and its release namespace is not the `longhorn-system`
 namespaceOverride: ""
 # Annotations to add to the Longhorn Manager DaemonSet Pods. Optional.
 annotations: {}
 serviceAccount:
  # Annotations to add to the service account
  annotations: {}
--- a/values/badhouseplants/secrets.minio.yaml
+++ b/values/badhouseplants/secrets.minio.yaml
@ -1,18 +1,18 @@
-rootPassword: ENC[AES256_GCM,data:xRKU4TSiXrxO24ngzxv9WXMT+Zk=,iv:IjhFM4bqeuBQK7f5qdoVi1d09JkaGXBxw6sQ0UluQdI=,tag:6UNdCNDP7m/NHciYNcM0FQ==,type:str]
+rootPassword: ENC[AES256_GCM,data:590lWmGK19hcFCuTIXgV5aXyJH0=,iv:T3KHE21UnDNiePZskMyf0FKiPlHEr9tO/QoRO9W3M/A=,tag:HvZFdLADzd99POGZeUx4zg==,type:str]
 users:
-    - accessKey: ENC[AES256_GCM,data:rKj7B4kq7N4=,iv:kw4tXzFM/Ff1qu1oKc5kwUG2cxaF3fMbQ1uvWkKuPFU=,tag:63Ci7t6X7uhoIg68wzZEjw==,type:str]
+    - accessKey: ENC[AES256_GCM,data:C8j0BB47C+U=,iv:9YwkZO6QtJXJ2vo6HF13BOJ3kjueEFGt+L/yHTLykKo=,tag:u4Ec+XC/JMjAkAVMNaiuCQ==,type:str]
-      secretKey: ENC[AES256_GCM,data:GZeM/jGs1tHJMHhD54hibWiHAg==,iv:ddaPxZ5HX/KCuOFB0fGEPWF06xo5f/mct/3qXcrUoU0=,tag:rYlgfRLSLana0/0DD2ixhg==,type:str]
+      secretKey: ENC[AES256_GCM,data:Tf5vlbvmZT1XPKbAOPW8IcuXqA==,iv:GTKyoyCCqcZkF6VFeutMQwdtL1EbkMHTs50LDTc/Yyc=,tag:3jxedHmuH/RdYzLIDag1OA==,type:str]
-      policy: ENC[AES256_GCM,data:y35Cf/1PDD4=,iv:l2HpLgBHH2P15bNiBVAK9KDnGv8qD7m5Fk3ppOLmXsM=,tag:FFRS6rUoiIy9uwbGV+zsJg==,type:str]
+      policy: ENC[AES256_GCM,data:7R9brCdGZWI=,iv:JPgs+Pe8yluwG4YcY2Zo4yFL0DCIdCVrosRgDODIUao=,tag:NnBPmPzYSjh8ClEnMc711A==,type:str]
 oidc:
-    enabled: ENC[AES256_GCM,data:AULTFg==,iv:bKvMfypv40rmWcOMT24r3C1i2taJmf520sAo1tsl5tg=,tag:vTp1Wjxyxn0bRy6o7GP8Hg==,type:bool]
+    enabled: ENC[AES256_GCM,data:v7bnBw==,iv:JJCvuhtrSYrjznP5iktZ3IQ2fNGy5heuiFPrTiEXRjc=,tag:K3dZHT0WtM8eQXPnD4mcHQ==,type:bool]
-    configUrl: ENC[AES256_GCM,data:WWJo/0V1n9oBfWAnq2k6MXvKEQu1lfXj2dKWyJAdv5AYkXd0CYSYBTSjKeD6WcrJTM3EZmMOdEvlZXoc2GP01uSnHzYlOD44oWK0qyxyiO8fsKbfn8aQIUY=,iv:cuR4u/8QxlYAm7TzHZMOEy6CzPfUiEhBVV7hi5cpfMA=,tag:/nUzcQPVE9BaN+uDLpPEkg==,type:str]
+    configUrl: ENC[AES256_GCM,data:8Q3qOVbAwKhDjoGGcmALPpIaJSpP3JHTRD2WooZdVbr74j21zVOJLAfiWIEtYfKa2sjPAVsmEIA2Pi7bddPrHHm9Tbiai3x7GgjWezSnJMYRko64rHaWcks=,iv:WrI3sy5KkOjHaJn4kHVRtqkTMoJ27eni0a7njN9LkdE=,tag:Kb/AneWQ6ilkKQsKneWUmg==,type:str]
-    clientId: ENC[AES256_GCM,data:xPzyvDU=,iv:HUKtVXQAyufvqjOlodme2PfVplw3fZo5CboZwj7p7Qw=,tag:oHsHh2U/CyVU1Okz129JqQ==,type:str]
+    clientId: ENC[AES256_GCM,data:qmSdmlY=,iv:m8I/9JJ+GUdHC+oLqQm8Bd03V0HDpotfCWMVFQUZkIg=,tag:4CI7n9zl+fuddvvCFy0WBg==,type:str]
-    clientSecret: ENC[AES256_GCM,data:jnNQX0BZYaDnCHOhO1fY1bmZbAh5yyjCdSc47CZboku79u5ZkUdZSg8yCHyy9OU2ne6e9fc2bwCzUCAlrxQDqKOn0fF9M3jARmMhFwdTS+cF2EE2jH25+eV6Px0/UFaQ5zEy7nsp225wFrW8NwXn21hGQH5HNqo7Yo7tjzgzgRs=,iv:Tq7XPom4uGuaWtSjZ2aEw5ngyljAZg8qYQp85MrUYEQ=,tag:zuRyqFAI5PPRjRk4DtmRsw==,type:str]
+    clientSecret: ENC[AES256_GCM,data:p861qML6DA7dmJMct6HUTjp24lB55nK2XP4bz1XJRoA9jJ6pHK51ZO3AZTu6uPJzGbEPOlS9IseHXfFhrm+/qsOX8kBKd+KNxgpEei5DX9VrWPYXUVEUnAWChePhcLaNQmOGbDaYQL02jvhtxWyhU2y9acQK82XUJvZ4fphJXkY=,iv:m99GKBMRa9/NZ3CnNEhK6OETNkwvEWk5pgsMq0D1JHU=,tag:bXyUCw37TO+2TbfI2OCDlw==,type:str]
-    claimName: ENC[AES256_GCM,data:BR6a7Ps4,iv:x219aNeYdfvUUmMh7Vcax/BAWs2jYzi8SFibszJA4bw=,tag:9xnaWC2Ih3eBgf70FqXRZg==,type:str]
+    claimName: ENC[AES256_GCM,data:TTcLpDYT,iv:UB4CnJzBAhZoQebnw+lwnyU/VblUp9ZIJAvBm5tcFlQ=,tag:rpA9bUmAwrkjNwWmm/fKSw==,type:str]
-    redirectUri: ENC[AES256_GCM,data:TS9kOya1UT1DXXZqmB7DfC6l2p4kE2+rl/kTJ2+r6oyKg0pEfz6pRR5WOycDuJU=,iv:2bHQ1bP/YdcPGd4RVLB1SIolKL0yO7aprf0228FBdSY=,tag:vpNAReeyMCTQkjy8AsmV/A==,type:str]
+    redirectUri: ENC[AES256_GCM,data:Z0mo2BbMWBp/kfBaplkQzzFdktjTvLTB3c50yMU2IfqQVta5Q2vQ9UJeIB16JX0=,iv:avVDsu8I3es4SMMocVk+HZfTHC7hovmBsKREn+nl4ZI=,tag:Pr3s4NJyaI7ptm0hET4pfA==,type:str]
-    comment: ENC[AES256_GCM,data:pFMsVTLEeHGSpHUBqWcLT6NdFvM=,iv:cecmL3rCVgNFdHl51/OOWj+n0dsAldznhgVflhEuW8E=,tag:u/epLP/ctnqjrzZAZhCSWA==,type:str]
+    comment: ENC[AES256_GCM,data:gfJ47KgduHgkAo/Xybg0YSNOqXg=,iv:pihROTdckwv9cehzIyYyhjwpgMurBMx57NbpqMDKu7k=,tag:Bf7saFGs/Iq71x739Q+zDQ==,type:str]
    claimPrefix: ""
-    scopes: ENC[AES256_GCM,data:KMSRU3jsWknn29TmdRUS+gVfLDa+8qQviK5X,iv:xu1Va/LfhfZo1QjTNbSTvI8INmUd4vKE34jSAFMXoWM=,tag:Hz5JPpo71xkCHzRgR5JCaA==,type:str]
+    scopes: ENC[AES256_GCM,data:Rql6kXzWAIkE5xcb6dwbNd2sa+mCGD2uuXkT,iv:9xccj1iHtkcpY2GbNoVdggrvX3sDO88M2dsoIVIhSPU=,tag:P/2ITVvGJhmwhmhPtT6Itg==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -22,14 +22,14 @@ sops:
        - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1cVlEckJ4cWNyYnZxaDVa
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmbE5TNzEwY2l3VE5EcHU0
-            ai9NeXpWMzU3a0xEanhyaGNKY2gzd3hVdUM4CmxGQ1B3em1vcUw4czNsejdEbnZz
+            cnNBazdHM0ZUd1ZJV0NMcDhPZUdrZVhuL1dNCkRHUzB5T1N3NFpUZ1JQalg0elA0
-            T3BhR1R3UVVScXNaT1lRRHFTOGhCck0KLS0tIE9VOW1BK1lxVVkzbFp0RzZnb0VR
+            K1J6SE9ML2svT2ovYjY3dnJnY20wMEEKLS0tIDZ1MldTanduV3FjaWNsSFdhdGRB
-            bElLVkNlOHJpMEkwVnFWUktHOE0vcU0Kc/oFKbItQDM3skgD/Ez4TafwBSoEUKsD
+            b2dkWUVReEtJSXFRSTVLVFJzVmU5Ym8KrIBGe2RNCHGBNDk9TIPTFL8ge1WukG/D
-            kYYGexUQG1GkdG5HPiABFNQu6zVDSYDjeEPOh5DRzzFvudQmy5NeyQ==
+            nzE+Gh0PiJrxJDzE/sWFtYgkzthMRBhDNjieZUmbgtpDULDe/9Q9ow==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-08-01T15:41:45Z"
+    lastmodified: "2024-08-19T11:07:01Z"
-    mac: ENC[AES256_GCM,data:yO91CR14zwhaNSXKkCUuJt7WqnJVREzh5XoSKX1tJ0+XvAyTGPYL/IxnbgTHwtYB0BgF/srQzV5rCNg6KhmA/T29BLRI5obIvmmLhf6AZe0QCCvrhYRr0SrgIngOgG0hMKIg22f2BKagzi7kSVF5BysdD0EtUeDvLaoa3ckWjRc=,iv:+mY9hZaZUyImWKx8cFX5FlwhMOr3u9ttAdlV3dCij2A=,tag:npJlSBxu1uVUvZ9+YFRrkw==,type:str]
+    mac: ENC[AES256_GCM,data:IU9IoU1gpwwnrEVLeMAC4B33lZcpCmoOectiavKBOuSnS5agEi5eR2V7TScO8MYpfOuLfM5dypAmL7I8CIcR0VESizUd4dbc34RUZ4VstjI6qiS43tbGgHxq1hAKaUbDCh1j743uK+bAe3NSG5LJfy1mfGIWEaOWRcu8elaJisk=,iv:6bDw+lViJEJjHd6P4s7shz6Y6lO6rR8YZ/2mSaf785c=,tag:7sZi+/JrjZhX4erCpMqhtg==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.9.0
--- a/values/badhouseplants/secrets.nrodionov.yaml
+++ b/values/badhouseplants/secrets.nrodionov.yaml
@ -1,5 +1,5 @@
-wordpressPassword: ENC[AES256_GCM,data:0JSm0szXtZwNPw==,iv:ohVbIeIqhwdoJkPhEta+3sXopGkoL6Z3PVsWthZ2RGM=,tag:9a8xiWdWgyEc7u6ek856yA==,type:str]
+wordpressPassword: ENC[AES256_GCM,data:S/RmNSAaSZSrsw==,iv:Q5n+72jgUJKIpwblr8/VfBqPDfJZclipDKVTjt4BWWw=,tag:4hP0lUvKcphciEFxBQJCYw==,type:str]
-wordpressEmail: ENC[AES256_GCM,data:mCbGYDbY37zHVqYo2ZacGWbtVxud,iv:w3La8QpCs1GKWspjVe5XTZ6zcLSnApJw9i6MtYI8rP8=,tag:H+4M42u/5lE64LqyD5JEbw==,type:str]
+wordpressEmail: ENC[AES256_GCM,data:Ln2ISr/c7vESVumK7LGH12w2x7fF,iv:AZX5Gzd4vde+sM5XBuiKjAc72GWHfL46OoG6XMaKrq0=,tag:4ogLagGYSx0xYRWJU66//Q==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -9,14 +9,14 @@ sops:
        - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4elh3ZjU2Z1JPckRmRi9Q
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxcUFLdEw4S3pHZmFiRlFB
-            ZURUaHNuMk9wQ0JWMktBZ08vZXpkQi9sNnhNCmxudXBIcDh5WGpJSTdXOUcxRGpx
+            M2JsSGRaS21SWG9CYU9uaVcyMjRJaVRNeEE0Cmh4Mks2c2pZVkZoeXAvZEJLazdR
-            S3RobjJwV01zamozeUJGWjZ2SkJnNHMKLS0tIHE4NlVCZnVqUTByT0xtVlpBNUZk
+            aDdKdXVSWllzdGw4am9POURGZWhxTmMKLS0tIGVqTzFia3cvdEVFaXI5REN5U2ZP
-            T2NTYWFZRkQxSzdTN3ppOWtaeHBxWU0KPH4OOrTptzmv9+QzSc6Kvq2leVc0/H2X
+            VjJBSnFrNm5lNldJK1RMZEtaZDAweDgKME1XCeE6hBP8T+tpocfisLA1RMVF0aDm
-            3bwsZK0/0toEEPGyrpJFcof1G9Y6GmW2JT2O79K5hm9R9FP1lqaxJA==
+            PJnJ+YzdmX28CgEkcZgJ97+Gvgpz2M/e99YTcwTa6rETRkWhlsCF4Q==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-07-21T12:13:26Z"
+    lastmodified: "2024-08-22T22:11:45Z"
-    mac: ENC[AES256_GCM,data:lBIOKXgW5EDzYGdXUP5c0OzdsyOVTbPhpNshlarm7UozDdnEW7brB0izRCp0+FjDxcDlhuBcpR69kel4x0O9NvDvCQHO6TfbEdFy43IgIg6bZAEAa55KNCeaXa9x+lyNWkTNJ066bcQYu8yFj2aOqwrksU96xsBqMk7t0CPgrDc=,iv:e5bjuz9ii50r22Dd7EHPqC71CJAA+jCW1VDQnyqk7TQ=,tag:eHW9xmzVASBGadSfTQwquQ==,type:str]
+    mac: ENC[AES256_GCM,data:pj9YTjQkn9PmQrlTvwpHHEaExjO1v4JYEihBHxObwhboM9qrwaIzweS0fREXRFcTh3EdShF/uvj7fRbQ20mP8kTDbzby55qlRVZPL3nb3fU748t8neL7kQuLTtj7JPYdk8ZgEBouatSOEjtCNCo7OIL2nKX4xJ8jNdWW/w5K8ik=,iv:x/IXD482UsXYvOMELHMMkacQSWxeKXGjYw4sY1yrYck=,tag:RKyQ1PpR9khmz/LkOlVdtA==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.9.0
--- a/values/badhouseplants/secrets.velero.yaml
+++ b/values/badhouseplants/secrets.velero.yaml
@ -1,8 +1,8 @@
 credentials:
-    useSecret: ENC[AES256_GCM,data:zn9jOw==,iv:lEdpRvbV9vfwcWvImAg2yapCNgYwGxN37jrsrY3WBCs=,tag:50CBlc3UZQEbCDLXCOVgaw==,type:bool]
+    useSecret: ENC[AES256_GCM,data:synuEQ==,iv:DoTxRvHamHSPh6Fy7f2/lQbIXVQP7bg0+gRDNLK5ExI=,tag:IMxGc67WNUWtyv7xeqLKDw==,type:bool]
-    name: ENC[AES256_GCM,data:6jkV0vyc+qAO/iT6jZ6z,iv:GbWE1biI7+qZfqEnlG5tQNKvSBe0WpYApcg3RnYXYts=,tag:0K5vKZrAHhO7xNNRkguEFw==,type:str]
+    name: ENC[AES256_GCM,data:iOdJiWlezjgsI1NsET8Q,iv:dt3Ugyi1/B2pHhPlUUfJZ8lT57OUZZhXdQ8qbm0D/20=,tag:N4mxjl0NGNxNDtwEZjvrpg==,type:str]
    secretContents:
-        data: ENC[AES256_GCM,data:hFvL51EwLkX/sx0FL4PNRxFdK/jMjOVchgFK7GGtANBK9ZwzktAt1vd2YMp7gFgueltjC3qQYy6oHc0WnKgOo3XayBIstJNT,iv:Gwymmy0/M5B35qYOZOqW7g5MmfeDciAqIJbohU533Ng=,tag:tKi1amgZkyKcU4VkaPEWZA==,type:str]
+        data: ENC[AES256_GCM,data:x2kwYP7i0Nz0YhjaoOLY7mYdXchdYwy2wZDypePGyS18dfBttmrzgp4JCPpFbL3QbkmK4u+Cs1+/Gyz1Zk3I7lnzW+T0rp4t,iv:zYfGPyGe5fDHI2MbSjrxFqRmjSChzA9KrKXCGoEyzrw=,tag:AGOh63/OVROHo5VYXV9tzg==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -12,14 +12,14 @@ sops:
        - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTNjhYcnAxOW9Ib1lyTlFJ
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2QVJqcDUrSll4ZkJGZXFF
-            NFF3cWhYSU94UXA2N3ZPN3ZoWWRaRjE5aEVzCkdLbk1uUVEwNjdKVVRlTUNNbmpw
+            dWIybkc4QlduakIvSzM2eHkzNHdUWTdibFZJClROdDZmRU5NcE1TbjZnTDhZNEdY
-            SWR0Vkt5QkVtZnhqdGhTSUlYaXdNWTgKLS0tIG9DNzUwdktmN3FHVWtLWFNuakps
+            dytnU1l4Z3BUUk9NNVprK2o2UDZ6d3MKLS0tIG5EVHpZaThPYmkzcVZWaFgvbW5r
-            RVVKTDlWZ0ZNaVg3bXFmN0FhK1FaSnMKyOqdgYzP1QP3FcZat+8pZHjMxmUJs7vn
+            MnkvbjY1dzV1cU5BNjU4aG1EekNsWFEKZavz2hNlogTfUH2oz6ovfv9vmlmbBy7C
-            0LlnPd8hMg1nmM9P3kkE1/4X5z13yiuE2wdMV3iT7RqiexGlCi43Vw==
+            fIrWnBzmO+bl2GIb3mNXUPv8HjfuVN6YzFdew5Kxhls1P5op/8cEVQ==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-08-04T11:36:43Z"
+    lastmodified: "2024-08-22T13:52:31Z"
-    mac: ENC[AES256_GCM,data:5Vyq/jGjKbeONBkzFWCjdecoxMGSemY1EQJOeLgncmM+VW+hvck8m0PcHmZYLz5BNyzw8lfnFYdfBARtwD6wv2BvD4p5A/8iZUUd7BxmrCCtlm5P39Abi0E5OZkOgr+js6rGzmRM5vBUyE86hOHc9yXtD1F2isOPkHhlXH7atJs=,iv:eN9NgFn95tku7BEvlYNK5v6kAktyWPwG6Zomirx2W9E=,tag:PBZFykWJKKw6J7kAZn3H0A==,type:str]
+    mac: ENC[AES256_GCM,data:/tPHVPEigjHM3nmoNKcyF+v2rjFKPgMA0OVdjNtuPE6zkg/W2U59CqmFaqSfLkswH9OZdtC8ObyKELhEqPOAYdMzFpyOGAtYB0wpY6ghsza9O4qFhuvpHp0Nv2qFT4BtEvbIofn1tVAAfRiRvQo2oV18hW116HAcyoTLBsLAzPo=,iv:plcyO/TXxXgmuy8YA0bmCYWdEmWXhHydLQYZxr/bDpU=,tag:xAk6qnS2ju61Nhpi5gvWYw==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.9.0
--- a/values/badhouseplants/secrets.woodpecker-ci.yaml
+++ b/values/badhouseplants/secrets.woodpecker-ci.yaml
@ -1,10 +1,10 @@
 server:
    env:
-        WOODPECKER_GITEA_SECRET: ENC[AES256_GCM,data:mGYEvlIeQC3mg+kxy3ZX6gAVf88DXLVdeSdgpQa8wixsb2rDoj4+l2ET2saquK+lVhjvv8ZKdvg=,iv:VlPgDYPj1xpxnpWnEHj+slBi0H2nWKeScclPItUaG9A=,tag:ox/Ur5vsOARXRT3g0hCgsg==,type:str]
+        WOODPECKER_GITEA_SECRET: ENC[AES256_GCM,data:YCK++7hNKOQ9cuXTdRsN/x6nt76PNqvM16XaLnw4O0Uh5LQGv8nZt+Oighd7KIXFhsUfgCfPUU0=,iv:WrTNlxO+6rMa1uxv58k74L1udl7r7XSw5yzOZHBJuAk=,tag:lsHvrNTsoq1aCl5Q/rzkdA==,type:str]
-        WOODPECKER_AGENT_SECRET: ENC[AES256_GCM,data:WXwsmLmb37clb5xgv+2DeKfhk7cwaIJpaCW8/Kq/CmgfwCmrarPDDQGXZoLwOjGj3mh/ciDj7V5WgHfyxuIDhA==,iv:NhGlPyPrTrTbz1DjOZEieWAfOQHqSqhdLiqMspex1j0=,tag:vOfo+XiCUW6MhtJemkZPMA==,type:str]
+        WOODPECKER_AGENT_SECRET: ENC[AES256_GCM,data:o3w9/9UJtKEHcsKz7lfTl/zboYAQjYZLQUpOs4i3UPxsSaOy1AvezQZauHwYJZoVsJwWFE0XtOLhnd8bx3UlHA==,iv:CD5lgqFY/cJFewbPJqo+lniMCQaZK8PY4CmL1IsC6IQ=,tag:R8GU3HgZXcSLqOedYuMeGg==,type:str]
 agent:
    env:
-        WOODPECKER_AGENT_SECRET: ENC[AES256_GCM,data:4lTZ16jbrorU4B9gTAoWmgiGggrMWD7K5O/5R47OIDMdRInwXtaWviofFD8WJQMduiGvANxMVNs0J1DLvFKi9Q==,iv:Y0AsW63vdVEwKvpVYeMVLFmwYlsQSwnz602QjDgj/ZQ=,tag:aO9xh3psy/bRCCQEFUp75A==,type:str]
+        WOODPECKER_AGENT_SECRET: ENC[AES256_GCM,data:aHTziUzut6goUZR2JtNaqRTC1mvdA1HS1OLJRHdXtI6coVGcLahxl14Kun4JqsKEXLHeAyU9WEijoRRgixOHsA==,iv:txYRgyO2XHbWnp81ow1EyT4VbzxW+Q3d/NzzclNGT6U=,tag:8nEPzQNPi2bXTDYa81M/aw==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -14,14 +14,14 @@ sops:
        - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlQjZqNE9iMDl6MlhnSUp5
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqOXBuOG1WaFc2cGVPeEp2
-            QTBSOG83WFBqZFZIU2dEMzlpengrUFg4alZFCld4MkI4WW8xMUZnMm1SU2hmMCtn
+            bkxTWWJYcFJMdjM4S01wTjRYY2RlZldSbTFRCks1TVlwS3BTTnUySDVjMGpobG43
-            bTZSVTIxTk5aZmo3OEJJdlJwL2xhV3MKLS0tIGJraERVZTNyMWFCVE1TbEhRR3J4
+            YWU3eHlLcGJMcEIvMUZiVmIyU1NnK28KLS0tIGlwZ3NLQndac0F0QTB1azJHQUlT
-            WXh3NGd4UG9OODhHNEp0cDVoQkM5dWMKcz4h0O4J2WlB+L9+/U8Rl+zzd87hsJo8
+            TmNXN1BYQ1JDOFRJV1A3WWFYQkR5R0kK+dSdoRdeiJBrhU6YnWb9P489dpTvhjBW
-            ThPZgnUNDGpdRrU2IYiXo03fZOhBoqBJe1ZG+Ol8z9bvTeyeMZxRIg==
+            GFPuTrQxqy3C6frb5K0huI1anarmdirwglD+/3UvTSQ0CEbUk95EMQ==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-11-18T17:43:53Z"
+    lastmodified: "2024-08-08T20:44:23Z"
-    mac: ENC[AES256_GCM,data:u8iu+Ia1u5c5AkdyKbGT//G/Zp+yDNv3TQIElSBA6qCTBu0lKAii3ywXrqdpQ1kYtytjazcwkOa7vKmVy1UoCNda+8wGGHfhfOIQlll+TKBNvgUO73lF5P7X5q6CcgFMvTazXKElESEC3G04uVLEOdG1W6d0ArVRnh8gFOY6Jgg=,iv:VT0pFoOcLPK14I1doJi+52wtCfUuqh2nxdSVu0ufVOY=,tag:SwAOYLxOYaouteqXdgP2Hg==,type:str]
+    mac: ENC[AES256_GCM,data:dMXGJRe5/k5+XFuvORJHGCmcSL2fsP9Pim2w1k3sUdJZslqptdDm+lk01mjPBMrQkgMyX7GHIwaqMU2hK5i8nBKYz6SSq91MgD+vtVHQoum5DtmAFwBOdT+m3VVo395OnLvXT1SvskgMU6ddy7uDD7UBrkVe/DxQjX3s0/IntRY=,iv:6v6j8U7nRlQ+YEs9wiPRpnkoGjCMPbfMp/ecrNgksis=,tag:P0aGi7qBJdTz90CNGF10dA==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
-    version: 3.8.1
+    version: 3.9.0
--- a/values/badhouseplants/secrets.zot.yaml
+++ b/values/badhouseplants/secrets.zot.yaml
@ -1,8 +1,8 @@
 configFiles:
-    config.json: ENC[AES256_GCM,data:pTTLT0Tncq3asDud0P+EMg33lPP3wmJEkMgLV+5yAwYdc3evK3FiifxcbLup3hu4XWIn0LSpGKvW6tLzHjq6exeejyrn5G3/FfLNwWsTXZ6Yi6V/MLH/8xOpE/kXB6IOpAEz/TQXLFY+A6UJ2+4OQmacQ+PTVacZO64mnH1ZmF662vw7+XlFZixYaREUv9RaCHPO/c5J8lAGpL73ltylWrpGI5tozEg8bzYtvTNpVjwbffrAx2OJ4uVxaEEWJ6hXf+aH4KVmsFkX2q4N6qcIZSr/JMQiuzizMdcEs0liiHbNThahsNyIjH5yTODX0Q6l0JYiD3F1t0PQzH6NxvADB95lTbfWjJ3Rqd2UkUXsAhSZt7IzcCE+M4v3wbitPrnTVfVJidHzHlBq3hENfBgVl8012Wf2ZzMclkG2PM1Nf1sKx2yiX9RGF9m7cju2FIG7cdbJxDonj9zyfnFdJBsc6W9XY3Yk2sFwpHGLyrloZlsV/33p+REPDjRBOr2Q2LU+SqwFHYPV5Um1h04SyoMO6jwrc22emTH66zLqgf5lp9P0IE5DEp7UqW6bBVL0UsK0gD39l1xFJYiYnstC2kWtiR7RNU1Lj+lHxPcEmpSpH96EVLdjCogMModRlz482pO3in/j9Ip+RwVfYpHz64q2StkArQiUkbK15YJDyd0YQlW176tQl8wsEfK5nXsShyVzy5jLnypHaCkcPxOBycJLIOocnObCgHe7/g7h27rFxHki0Y/fQIAWKhMSgDiIFaX5e/iawn2VQ0KUp/oeTYtCYfsk0FvsUSG4zruXa+Qy0lutHNWuwrOefYbY9yyOXBZRrm2S1uzTokoCii/tOyUkzp9Yclk4iEpjC2CS4YvykqUYdUtQA065WcScSboSf8QlmlAP69ck6VRbyETI4kBgQOannVTtBC3fGSHXGUJ7Vq3Gk53iB8dsogsga2JLUzBf0NtsYp8ts8+d9XfWxQNY5eq7AsoUgQoFJXxEpIrAXXDKwPNZztU6MEV4FP7H3WZGUWIfbwfJbak2wFwIYewSSUWxD3kPdFmDCx8GZqs4KXv7onk3y479HjyI/EI7ShfPtKTvadk5JeEpfyt8Qo86CBTFtTZJDe4EPEK2GfSkXnZr6Fjw8Mi3K3NJ1syY8LxoUrNm7zndDQKilFrtKNf1DrhmtUsGZJcsO8eWEl9cHtqH8enF75ZtiVS4p/WMVX4pRYSyJkQVWqmjeXe9ec6ZpZcghU5zh7HHjU+54d6lcmSquCKjWGQ2dfTMYca5gnA9qKCdWHulXHGRs51Zag7yK/viZ3/kqFDNiBuuTci0YjPMBvOM0P1nFgF3laIKiClr+A/1gEdU+4EN257t+YgaGyHmGjP4081Dxh1er3hfsR4TCBBUBNVeRX6wH0F2ftihSqb4fwvyEE9sddAUT3D9tCwa8v81iLxfjkUbW9qo92VIUn8gTXsWgYN3743D9k3Rmen1Uwpvz5P/rN9UufGgbxHKHWGzMqdXJnD63QLm+d7JsSAOB7uCxsF5Pusi1C+LBBuSmVGz+RH8yXBos1vkhXepAkKIAC+QZRTOau4Qde5gnRW5FdacF4QNJaa8C6KlRggPFft0/RnW4hlym64IN+/IYcOpuTPENuJzYI3P9b4GUP99/hE7bVWFmCl4Y4TiZThrUUS/FSDBpfVHhM7SBiPqoCgeAhZKRMA35wYswb+e5wDqAAxXyERbciT05v7D4nZkQN28bimXtFlUliy1v3+3MMJaNh6B6o1+Q07z5qq3MOtDJ6KtFYNLD3ykoraEPUYRUW3RwYdbUhCwIeL2FWYYoESDcplrOxErf+x9WjG474ZiDDUuWXHhr+F5OAdVwH8WcM3hzAWBVsHZY2+PW9b6UpODNGJAezhVht8jDhCLAx+FWLmCFRbRibPjuFNi8EQhSEeAvBUqRX+6yxensC/hPdL0ZSA02W4P0AEVBM6cIWjsSQ9hjopThe4hGKJp0ugaRb/GfndDiTNb5N2dH4ES+k8JIwMs8t8xkRnqtiV1QJ2eTP9cuA0QxinLxOfCz1QknZbPGdUqHytL1k/cXiL4fWgLgi95bdWhV9iDjo+RLBQyuKcyfMseOy/4cS7LaRCLRc6qWBtJYC39wQVxEFaP97D6Th+1u39Z8V2qH6Jn+Y2jkykAz78/tfPHtCqN4a688pC8VqwXS+GyMzCCDPrWStKRFdLY19iuyoMZpfyN3DuwfS9I6jhxfMgPPBcMAdzR0iEL6bahYuhBQjjFsC1lapRc6c8xvibU2sZvZhUM/5ESuvD+o+o2lrzGkZd6a2X/GUOoj86nVisPS9qewrqOdZX2QWENBiA0XxohHSY4nUmUmSxVQzM3K0+pJYc8lLRppeoOAg8QbcP6M1KHsgWqlimB9UMG/ONYL/hjBeUZ2KXmEtSZILoO6dQYpofej8pYY+MZycRWUzA8e6cng5APvlV7TAFWgXkjFDA4x13zQdFbC0uEaOwMk8k6RI97XE7NqRsNqpm50T8oQyuuQEG23iOaPUp3Yg50S/BjmPyqSg9G0h2LhLoH9j08sm3mX/MjJ656/52h+jnCsagZdrec7coMh2oqPMosdh+73Nk3spWCQLe82peoVW7reGeqMSlLrsr5U9uFgW+ISdYfQxgF9rTHN3iCDpvvi6z56oeGALfdMCOC2KKz508DdEYOD/bQ60oNv2nxDmdL5AmMN83iKVvym2uRabispot4scXA/cO/eVW4lDKYBjiV/zU6KpFG3T4ecG7DE4ezP9dPfsw3e7KCzN02ggP0kj0=,iv:cIjqYtBfWUJtNTN1+lZq9lEviErqvkmFhhWV7w6URsY=,tag:UGu10tH7SfemTk+L/+xb9g==,type:str]
+    config.json: ENC[AES256_GCM,data:4fWBCzOvPeimQVO0xRF+dnIuG7rYNIQujDTdHD+E4SWRb7xsNpYLw5ugJq8RgkZZT/DVCevSQDYD9TaqKFPn9Gs3k32Z7Or3gQrx35ew5XFXFs66VT8gvqyKAjf8nXSn61Rsd1PCFvSNRxT04qvclsoFNLDjb/pr8rIlZVSyBRQ606WToVW5es85pDUFcNS3vT1rFLe46lPi2oIRCV7mVt2sXTb67jryuxUTMfjbboOE9JVwFPTgyPTwVvm9yP2tC3Czv+hUGKzQeJAFbFzLiVQz5ieY9KwHWv02N3gzKrNvzr325dxxrTuO+mzHHM2Ax8xELc8iTKApP4t4/4pAPB1cVg/ARWbcTIabZ9ygn6QtnTBTLK1r8nJSXcQ1mza7sOhVafq8U7e1XYID2QHb7/1FjZNzB1/fMaTPZXMr2kJlbc8HwOoirDJ3zQvzYRs0FO3fEYjktSXO04+FEPySc22dAy1eOASg0xn2s7SwyWs0yEBIHkfbsgDk9ykfOXZ2YZVHSPDFR8DYwBO2HJx9ONnZwBBjolSRYOktM8YZf+bhK4eorRu4/XPPxkmTSbHk9HrzeRuKlsv/mCIGjM3EbUNkHUljol9cxS7l8pc3F74mte7XC2TT4aoEnwt2ZxQhl8o8V3iZKlv9ZpzQDy/y5NZ+eC/lUoNgGORF/lT0IW1O63eAsNrTJwk5SFy1zaVNSiBJH86PYwCuI2Q7o5McZdo4Y/m8Pm5CiwKooo6D7vdpOIh3suOxK1kNTO3lYzEEF0KC4FpFmUZT2jr2Uu0iVmK46VPHeOjEz1pfIXiFDUtpxP/qbDw0HBipNouQDVCrrveK9RwrnNs9f0lGQ4Zjb346l+0FQTXOIwTM5ji9zxztLuHp2YhyBEaoZLJNdTimjbzBphiWsuuhndMWnAn89gzVZH4VrFYvDv10KtSXuV4XQSpgeBCwjPx0CjeuStfXn7/PRRMk00BFT3/RkHw5cRFlVU/WzWTeVboC/2aSEwgQIc9PPo5qtVCAPvNNiHyXfcq/zPbAH4u6lk1SivJm2PVUBDfdb+78EbQ53rZgQ0AcsQYqMuUVglUM7x6EC1Q0l+bXhUIPJ1NCu2Uf0qNCHtjOKBTSbnNdgsrWkNjpbhjVP/dhSweTijpXejeyiFWyr/8DEPfRABeqDQ7wHpq+HSo4xqqaB1ychrMxZ1DygMaX47dn7zImoDwXSYcF+Fgv1WIli6Pa7dl70PtkDxQCZj6FtDeVv2yJEIaA7+KuldSKfc4AquA+8619TmSEZ7VVqTvoHDCKCU9IC4jLqjMAvtueD23ILGzPeh4/bATisL8DGzBMTBsNC58sEAYRJaMf7lfHt8p+XYxaqU3C1onqPzh6/D5Ic+7bXhOOhjEul+6TOkUM+kbPZHRJ2RHMkfTFN6Ny8agTyq3Y6QGisFCu0hRcz06PzVCVg5bLMOhbqvv1rrhUC+jDntlQHwkuwVco66tLvwGR48mz1J7upuYPXdN9FWXBQvXinOEf+9vTOGApocVO6ckvvIkFycHPAuK2PmF73ZlMA1EoHi8SFc+LfIOqz1xZGBWrihsXsQ/M13jz1eOtuRXvzRa7MZn9jWe/6SPEDLzUVuwA5j71Tcfvaf0hcSqEp3mQ3QIbsLGA4u1/nhVVgHgYNPPqwSO3CdwT5hg4mAJiYtmqevs/AaohZ/gpo6JUsNtOIfClO0cMfEtvLfkT9aeI5asu5D638edTpu6+M3qepV7vvre/XmpyQPXMoB4Uta9GxIdxG5Df1qzzIF8UxsP2gm82vDfjM77hQxDWbioGMMMmQieUCFF4tzEJgoI7MaYB/c6E2BvDx4BFcHs+kSqBTtx+PqcDIKrUETQxQeyUJ0gguI8DGsEnaAxF4oROLhGyMYjNzyG2IxMPN76UusZaE7g2/yVBud+vt+EMFZW1212EghysWN2GI6jyNvF6+rWSRCPjVZsxB4MumuauTmSo+uaOv/VYFEgKolyxeain34oJFAd6rkOcPjjVEfE=,iv:ckg25YFoRwiCblA1WcPC3RL9duKOgCzW4BrofqdWVxY=,tag:YfovWhDDYeMN8nzARjjANg==,type:str]
 secretFiles:
-    htpasswd: ENC[AES256_GCM,data:R4eaeMqux4X+z8HOgRYfNGNrtUSEhBbrp6nXgrK9naGCMP5+RuW10quG2XT+a1fXYTzNFk2UhKr4mbhargNQXNM33adQR7VesEK3cFE6r5DWgL8QZ3Ok7cvPMs2GoBR4OopxlBZvY0Il0wPQ5jnFDRb6m9inFSUCvz1c+dtsuWCI6PFdGVpHMg==,iv:v8eFslayA1mFLJR9oGqnavLutzHU6EbTVinQ2B9BkWY=,tag:0preIu+1DxnBxirNsgPBbw==,type:str]
+    htpasswd: ENC[AES256_GCM,data:DjBPh4ycj3Cr8pmjlnkOPsLrA6joney4vfkZMQJzq3+Bo8ERECyV3Ttc193c3DAfJCd9/Vj2HGDHBhxyqR/mT85NT2LuMueFl6XgdrvWIm76sOts1hmfmstGBUT3o9UOk7B3JXgRyXe2hqA312lIrBswncsy1RQOJvUQyhEOcD/Li6R3CQFPFQ==,iv:C/F3vg9dcmS1uSlJkbOkOoj04ZvIVuHJ/IkIqGkYUgs=,tag:I/c8V9DF+xiuHYdnAyl3KQ==,type:str]
-authHeader: ENC[AES256_GCM,data:rF66ayPCsNqIE3q9GqlE9I7Z+/J4XEZ770oBw8x29dlFA6QOuR6XanF92eOx4xFl,iv:LnIbj8lJ6cO9wyPPIv4KIvFOvxrnoyUXgLGk6UCZS38=,tag:fR1AqnGDvjIwnn9ZWzRjvQ==,type:str]
+authHeader: ENC[AES256_GCM,data:xiqhgK8yQUtpOBUMDVWD7JxAi5xjz4HDsV4wveMBoDEp60lrZugT+23i9m4cifdl,iv:73GsdwwZHkhZvbaGQhKoHykLvvVwYrIuZSKJMWOUd8Q=,tag:3g8H1IACoqmC7mndixb+7Q==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -12,14 +12,14 @@ sops:
        - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2byszZ2I4RE40ZTZBRHZs
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvc2NjZ0J3eWljdzlqSVM1
-            RjFxUjd0MFJ6SmFBZUYwZTAxL0cwdTl1U253ClpGWUhrVmpCZmorMDRtdjVEa1Vo
+            N2pqQ1pXVmJxTjZzMlFMdWgrYS9OVVFFWkVJCnpnaW44Vmo5VGUvSjFRWmFlQ0FX
-            T1VQTHNXZy9wWkNxY05FZFRLaTBkNjQKLS0tIEl1dlVkNnRGZ0F0aXpiVnRycDdH
+            aEpQajVJNzdQeXJ2bzFBQkkycjFYeVkKLS0tIFh5SGxEbW93ckc1WnJydzFWcVBR
-            WklIc3FXODJkMklVUEdQZlJVOFFDZUEKzG0b0TfKoN88zuTCKgcs6CXl/2kHWm77
+            RjZMZHEwbHR2bzZJZEFqeWRlZXlFTHcK4Z0WwYIIdBZRt2RTlSbRHER9BJNolHLV
-            dO9rVMXRhohLTT66K/nFOqRVvHjN0rvTJNa7/WIAJr2AeA4nGtEBTQ==
+            0EUjwcEnFQExF/uh2FTeoVudBhmlyfVjYvlI56QoeculVHPSS4YIhw==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-07-25T11:21:00Z"
+    lastmodified: "2024-08-18T20:53:28Z"
-    mac: ENC[AES256_GCM,data:R2P5oMUnL3WCMdJ7a9hj/YQDc7SArLIUqeGVEd1BQYS9TYbuCULFUEBs9R6w0+PlM3safsMZ6kll5UIoYwk4/ewXIjJ+E5kgxo4BzREJLq9JIqJz5vMtCUN/Ejny5GsIw6rx+49YRYOVvwXtFG/2h1dizKzuwDQfeDtHctUMTYk=,iv:dT1i+F92NGZdvSdsdk3GkjRLsOYnqB7wmizWBYPHW5E=,tag:NH36reOpR8ptVy9gK63LRw==,type:str]
+    mac: ENC[AES256_GCM,data:RTUkxdfFLcqSHUjNTTzGHYtZubydqm+9cZmW6gXj2PIn5I0GXQoJVwWT6sZFbARrDpaMyANLBYYeh2P40i9M1GKqz1HnnelvMDEqN036e/5dtSRclPhQokDxtRMZAqM2tGDG0E3UVzMo0I2hQL3BJiGSkdNjz+rRXlJCOnrtUyc=,iv:jUhrVQKT2YVn3K9sY13M8ymEHnQahs0gHe0IOEbdCw8=,tag:jEcelDJi8HQdLS7/fUHq/g==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.9.0
--- a/values/badhouseplants/values.authentik.yaml
+++ b/values/badhouseplants/values.authentik.yaml
@ -61,6 +61,35 @@ server:
      memory: 512Mi
    limits:
      memory: 512Mi
  livenessProbe:
    failureThreshold: 3
    initialDelaySeconds: 5
    periodSeconds: 10
    successThreshold: 1
    timeoutSeconds: 3
    httpGet:
      path: /-/health/live/
      port: http
  readinessProbe:
    failureThreshold: 3
    initialDelaySeconds: 5
    periodSeconds: 10
    successThreshold: 1
    timeoutSeconds: 3
    httpGet:
      path: /-/health/ready/
      port: http
  startupProbe:
    failureThreshold: 60
    initialDelaySeconds: 5
    periodSeconds: 10
    successThreshold: 1
    timeoutSeconds: 3
    httpGet:
      path: /-/health/live/
      port: http
 worker:
  resources:
    requests:
@ -76,3 +105,35 @@ worker:
    - name: postgres-creds
      mountPath: /postgres-creds
      readOnly: true
  livenessProbe:
    failureThreshold: 3
    initialDelaySeconds: 5
    periodSeconds: 10
    successThreshold: 1
    timeoutSeconds: 3
    exec:
      command:
        - ak
        - healthcheck
  readinessProbe:
    failureThreshold: 3
    initialDelaySeconds: 5
    periodSeconds: 10
    successThreshold: 1
    timeoutSeconds: 3
    exec:
      command:
        - ak
        - healthcheck
  startupProbe:
    failureThreshold: 60
    initialDelaySeconds: 30
    periodSeconds: 10
    successThreshold: 1
    timeoutSeconds: 3
    exec:
      command:
        - ak
        - healthcheck
--- a/values/badhouseplants/values.crossplane.yaml
+++ b/values/badhouseplants/values.crossplane.yaml
@ -0,0 +1,3 @@
 provider:
  packages:
    - xpkg.upbound.io/upbound/provider-terraform:v0.17.0
--- a/values/badhouseplants/values.kimai.yaml
+++ b/values/badhouseplants/values.kimai.yaml
@ -0,0 +1,71 @@
 ext-database:
  enabled: true
  name: kimai-mariadb
  instance: mariadb
  credentials:
    mariadb-password: '{{ .Password }}'
 global:
  storageClass: ceph-filesystem
 kimaiEnvironment: prod
 kimaiAdminEmail: overlord@badhouseplants.net
 kimaiAdminPassword: 'ZYdsgd^X9LsjxmJ7i6Xjx6LEMDbK8EJ$JCtX$P$6SisEKGJaqL'
 kimaiMailerFrom: kimai@example.com
 kimaiMailerUrl: null://localhost
 kimaiTrustedProxies: ""
 kimaiRedisCache: false
 replicaCount: 1
 kimaiAppSecret: CVUwPmI9m6
 updateStrategy:
  type: RollingUpdate
 resources:
  limits:
    memory: 200Mi
  requests:
    cpu: 200m
 service:
  type: ClusterIP
 ingress:
  enabled: true
  pathType: ImplementationSpecific
  apiVersion: ""
  ingressClassName: traefik
  hostname: kimai.badhouseplants.net
  path: /
  annotations:
    kubernetes.io/tls-acme: "true"
    kubernetes.io/ingress.allow-http: "false"
    kubernetes.io/ingress.global-static-ip-name: ""
    cert-manager.io/cluster-issuer: badhouseplants-issuer-http01
    traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
  tls: true
  selfSigned: false
 configuration: |-
  monolog:
      handlers:
          main:
              path: php://stderr
 persistence:
  enabled: true
  storageClass: ceph-filesystem
  accessModes:
    - ReadWriteMany
  size: 512Mi
  dataSource: {}
  existingClaim: ""
  selector: {}
  annotations: {}
 mariadb:
  enabled: false
 externalDatabase:
  host: mariadb.databases.svc.cluster.local
  port: 3306
  serverVersion: '8.0'
  user: applications_kimai_mariadb
  database: applications_kimai_mariadb
  ## NOTE: Must contain key `mariadb-password`
  ## NOTE: When it's set, the `externalDatabase.password` parameter is ignored
  existingSecret: kimai-mariadb-creds
--- a/values/badhouseplants/values.mariadb.yaml
+++ b/values/badhouseplants/values.mariadb.yaml
@ -1,17 +1,4 @@
 auth:
  rootPassword: ""
  database: ""
  username: ""
  password: ""
  replicationUser: replicator
  replicationPassword: ""
  existingSecret: ""
  forcePassword: false
  usePasswordFiles: false
  customPasswordFiles: {}
 initdbScripts: {}
 initdbScriptsConfigMap: ""
 primary:
  persistence:
    enabled: true
--- a/values/badhouseplants/values.metallb.yaml
+++ b/values/badhouseplants/values.metallb.yaml
@ -45,9 +45,9 @@ speaker:
  resources: 
    requests:
      cpu: 30m
-      memory: 130Mi
+      memory: 300Mi
    limits:
-      memory: 130Mi
+      memory: 300Mi
  livenessProbe:
    enabled: true
    failureThreshold: 3
--- a/values/badhouseplants/values.minecraft.yaml
+++ b/values/badhouseplants/values.minecraft.yaml
@ -27,30 +27,29 @@ traefik:
 # -- Main values
 # --------------------------------------------------
 image:
-  #tag: java21-graalvm
+  tag: java21-graalvm
-  tag: java21
+  #tag: java21-jdk
  pullPolicy: Always
 resources:
  requests:
-    memory: 3.5Gi
+    memory: 4.5Gi
-    cpu: 1
+    cpu: 2.5
  limits:
-    memory: 3.5Gi
+    memory: 4.5Gi
-    cpu: 2
+lifecycle:
-
+  postStart:
-      #lifecycle:
+    - bash
-      #  postStart:
+    - -c
-      #    - bash
+    - for i in {1..100}; do mc-health && break || sleep 20; done && rcon-cli auth setGlobalPassword 11223345
      #    - -c
 nodeSelector:
  node-role.kubernetes.io/minecraft: "true"
 livenessProbe:
  command:
    - mc-health
-  initialDelaySeconds: 30
+  initialDelaySeconds: 120
  periodSeconds: 5
-  failureThreshold: 20
+  failureThreshold: 50
  successThreshold: 1
  timeoutSeconds: 20
 readinessProbe:
@ -63,24 +62,30 @@ readinessProbe:
  timeoutSeconds: 20
 minecraftServer:
-  memory: 3072M
+  memory: 3584M
-  jvmXXOpts: "-Xms3072M -Xmx3072M --add-modules=jdk.incubator.vector -XX:+UseG1GC"
+  jvmXXOpts: |
    -XX:+UnlockExperimentalVMOptions -XX:+UseG1GC -XX:MaxGCPauseMillis=37 -XX:+PerfDisableSharedMem -XX:G1HeapRegionSize=16M -XX:G1NewSizePercent=23 -XX:G1ReservePercent=20 -XX:SurvivorRatio=32 -XX:G1MixedGCCountTarget=3 -XX:G1HeapWastePercent=20 -XX:InitiatingHeapOccupancyPercent=10 -XX:G1RSetUpdatingPauseTimePercent=0 -XX:MaxTenuringThreshold=1 -XX:G1SATBBufferEnqueueingThresholdPercent=30 -XX:G1ConcMarkStepDurationMillis=5.0 -XX:G1ConcRSHotCardLimit=16 -XX:G1ConcRefinementServiceIntervalMillis=150 -XX:GCTimeRatio=99
  overrideServerProperties: true
  eula: "TRUE"
  onlineMode: false
  difficulty: hard
  hardcore: true
-  version: "1.20.1"
+  version: "1.21.1"
  maxWorldSize: 90000
-  type: "PAPER"
+  type: "FABRIC"
  gameMode: survival
  pvp: true
-  pluginUrls:
+  modUrls: []
-    - https://github.com/dmulloy2/ProtocolLib/releases/download/5.2.0/ProtocolLib.jar
+  serviceType: NodePort
-    - https://mediafilez.forgecdn.net/files/3789/833/GravityControl-2.0.0.jar
+    #- https://github.com/CaffeineMC/lithium-fabric/releases/download/mc1.20.1-0.11.2/lithium-fabric-mc1.20.1-0.11.2-api.jar
-    - https://mediafilez.forgecdn.net/files/3151/915/CrackShot.jar
+    #- https://github.com/CaffeineMC/sodium-fabric/releases/download/mc1.20.1-0.5.11/sodium-fabric-0.5.11+mc1.20.1.jar
-    - https://s3.badhouseplants.net/public-download/MechanicsCore-3.4.8.jar
+    #- https://github.com/CaffeineMC/lithium-fabric/releases/download/mc1.20.1-0.11.2/lithium-fabric-mc1.20.1-0.11.2.jar
-    - https://s3.badhouseplants.net/public-download/WeaponMechanics-3.4.9.jar
+    #pluginUrls:
    #  - https://github.com/dmulloy2/ProtocolLib/releases/download/5.2.0/ProtocolLib.jar
    #  - https://mediafilez.forgecdn.net/files/3789/833/GravityControl-2.0.0.jar
    #  - https://mediafilez.forgecdn.net/files/3151/915/CrackShot.jar
    #  - https://s3.badhouseplants.net/public-download/MechanicsCore-3.4.8.jar
    #  - https://s3.badhouseplants.net/public-download/WeaponMechanics-3.4.9.jar
  rcon:
    enabled: true
    withGeneratedPassword: false
@ -127,41 +132,41 @@ mcbackup:
 # ---------------------------------------------
 # -- Install Plugins
 # ---------------------------------------------
-initContainers: {}
+initContainers:
-  #  - name: 0-download-mods
+  - name: 0-download-mods
-  #    image: alpine/curl
+    image: alpine/curl
-  #    command:
+    command:
-  #      - curl
+      - curl
-  #      - -L
+      - -L
-  #      - "https://s3.badhouseplants.net/public-download/server_mods.tar"
+      - "https://s3.badhouseplants.net/public-download/server_mods.tar"
-  #      - -o
+      - -o
-  #      - /download/server_mods.tar
+      - /download/server_mods.tar
-  #    volumeMounts:
+    volumeMounts:
-  #      - name: download
+      - name: download
-  #        mountPath: /download
+        mountPath: /download
-  #        readOnly: false
+        readOnly: false
-  #  - name: 1-copy-plugins-to-minecraft
+  - name: 1-copy-plugins-to-minecraft
-  #    image: ubuntu
+    image: ubuntu
-  #    command:
+    command:
-  #      - sh
+      - sh
-  #      - -c
+      - -c
-  #      - cd /mods  && tar -xvf /download/server_mods.tar || true
+      - cd /mods  && tar -xvf /download/server_mods.tar || true
-  #    volumeMounts:
+    volumeMounts:
-  #      - name: plugins
+      - name: plugins
-  #        mountPath: /mods
+        mountPath: /mods
-  #        readOnly: false
+        readOnly: false
-  #      - name: download
+      - name: download
-  #        mountPath: /download
+        mountPath: /download
-  #        readOnly: false
+        readOnly: false
-extraVolumes: {}
+extraVolumes: 
-  #  - volumeMounts:
+  - volumeMounts:
-  #      - name: plugins
+      - name: plugins
-  #        mountPath: /data/mods
+        mountPath: /data/mods
-  #        readOnly: false
+        readOnly: false
-  #    volumes:
+    volumes:
-  #      - name: plugins
+      - name: plugins
-  #        emptyDir:
+        emptyDir:
-  #          sizeLimit: 500Mi
+          sizeLimit: 500Mi
-  #      - name: download
+      - name: download
-  #        emptyDir:
+        emptyDir:
-  #          sizeLimit: 500Mi
+          sizeLimit: 500Mi
--- a/values/badhouseplants/values.minio-operator.yaml
+++ b/values/badhouseplants/values.minio-operator.yaml
@ -0,0 +1,2 @@
 operator:
  replicaCount: 1
--- a/values/badhouseplants/values.minio-tenant.yaml
+++ b/values/badhouseplants/values.minio-tenant.yaml
@ -0,0 +1,136 @@
 secrets: null
 tenant:
  name: minio
  # The Kubernetes secret name that contains MinIO environment variable configurations.
  # The secret is expected to have a key named config.env containing environment variables exports.
  existingSecret: false
  configSecret:
    name: myminio-env-configuration
    accessKey: minio
    secretKey: minio123
  pools:
    - servers: 1
      storageClassName: ceph-filesystem
      name: main
      volumesPerServer: 1
      size: 5Gi
      storageAnnotations: { }
      annotations: { }
      labels: { }
      tolerations: [ ]
      nodeSelector: { }
      resources: { }
      securityContext:
        runAsUser: 1000
        runAsGroup: 1000
        fsGroup: 1000
        fsGroupChangePolicy: "OnRootMismatch"
        runAsNonRoot: true
      containerSecurityContext:
        runAsUser: 1000
        runAsGroup: 1000
        runAsNonRoot: true
        allowPrivilegeEscalation: false
        capabilities:
          drop:
            - ALL
        seccompProfile:
          type: RuntimeDefault
      topologySpreadConstraints: [ ]
  env:
    - name: MINIO_IDENTITY_OPENID_CONFIG_URL
      value: https://authentik.badhouseplants.net/application/o/minio/.well-known/openid-configuration
    - name: MINIO_IDENTITY_OPENID_CLIENT_ID 
      value: minio
    - name: MINIO_IDENTITY_OPENID_CLIENT_SECRET
      value: Z2vCo8rw5jsEVZlvc3wCjPjUIcN31PAxEJQvZvzfawUtWPRCefk8uCjzffsOlK61RImz7IRUeGOfBeDnt7Xa8hpnhkXe6Dq2kBF0lZaUh0v3Jm3HV9zNONdAjxWaUJrh
    - name: MINIO_IDENTITY_OPENID_SCOPES
      value: openid,profile,email,groups
    - name: MINIO_IDENTITY_OPENID_CLAIM_NAME
      value: groups
    - name: MINIO_IDENTITY_OPENID_REDIRECT_URI
      value: https://minio-new.badhouseplants.net/oauth_callback
    - name: MINIO_IDENTITY_OPENID_DISPLAY_NAME
      value: Authentik
    - name: MINIO_SERVER_URL
      value: https://s3-new.badhouseplants.net:443
  mountPath: /export
  subPath: /data
  metrics:
    enabled: false
    port: 9000
    protocol: http
  certificate:
    externalCaCertSecret: [ ]
    externalCertSecret: [ ]
    requestAutoCert: false
    certConfig: { }
  features:
    bucketDNS: false
    domains: { }
    enableSFTP: false
  ###
  # Array of objects describing one or more buckets to create during tenant provisioning.
  # Example:
  # 
  # .. code-block:: yaml
  #
  #    - name: my-minio-bucket
  #         objectLock: false        # optional
  #         region: us-east-1        # optional
  buckets:
    - name: test
  users: [ ]
  podManagementPolicy: Parallel
  liveness: { }
  readiness: { }
  startup: { }
  lifecycle: { }
  prometheusOperator: false
  additionalVolumes: [ ]
  ###
  # An array of volume mount points associated to each Tenant container.
  # 
  # Specify each item in the array as follows:
  #
  # .. code-block:: yaml
  #
  #    volumeMounts:
  #    - name: volumename
  #      mountPath: /path/to/mount
  #
  # The ``name`` field must correspond to an entry in the ``additionalVolumes`` array.
  additionalVolumeMounts: [ ]
 ingress:
  api:
    enabled: true
    ingressClassName: traefik
    annotations:
      kubernetes.io/tls-acme: "true"
      kubernetes.io/ingress.allow-http: "false"
      kubernetes.io/ingress.global-static-ip-name: ""
      cert-manager.io/cluster-issuer: badhouseplants-issuer-http01
      traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
    tls:
      - secretName: s3-new.badhouseplants.net
        hosts:
          - s3-new.badhouseplants.net
    host: s3-new.badhouseplants.net
    path: /
    pathType: Prefix
  console:
    enabled: true
    ingressClassName: traefik
    annotations:
      kubernetes.io/tls-acme: "true"
      kubernetes.io/ingress.allow-http: "false"
      kubernetes.io/ingress.global-static-ip-name: ""
      cert-manager.io/cluster-issuer: badhouseplants-issuer-http01
      traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
    tls:
      - secretName: minio-new.badhouseplants.net
        hosts:
          - minio-new.badhouseplants.net
    host: minio-new.badhouseplants.net
    path: /
    pathType: Prefix
--- a/values/badhouseplants/values.minio.yaml
+++ b/values/badhouseplants/values.minio.yaml
@ -99,6 +99,10 @@ buckets:
  - name: allanger-music
    policy: download
    purge: false
  - name: minecraft-mods
    policy: download
    purge: false
    versioning: false
 metrics:
  serviceMonitor:
    enabled: false
--- a/values/badhouseplants/values.openvpn.yaml
+++ b/values/badhouseplants/values.openvpn.yaml
@ -0,0 +1,46 @@
 ---
 # ------------------------------------------
 # -- Istio extenstion. Just because I'm
 # --  not using ingress nginx
 # ------------------------------------------
 # istio:
  # enabled: true
  # istio:
    # - name: openvpn-tcp-xor
      # gateway: istio-system/badhouseplants-vpn
      # kind: tcp
      # port_match: 1194
      # hostname: "*"
      # service: openvpn-xor
      # port: 1194
 # ------------------------------------------
 traefik:
  enabled: true
  tcpRoutes:
    - name: openvpn
      service: openvpn
      match: HostSNI(`*`)
      entrypoint: openvpn
      port: 1194
 tcproute:
  enabled: false
 storage:
  size: 128Mi
 openvpn:
  proto: tcp
  host: 195.201.249.91
 easyrsa:
  cn: Bad Houseplants
  country: Germany
  province: NRW
  city: Duesseldorf
  org: Bad Houseplants
  email: allanger@zohomail.com
 service:
  type: ClusterIP
  port: 1194
  targetPort: 1194
  protocol: TCP
--- a/values/badhouseplants/values.rook-ceph-cluster.yaml
+++ b/values/badhouseplants/values.rook-ceph-cluster.yaml
@ -83,9 +83,9 @@ cephClusterSpec:
    osd:
      requests:
        cpu: "500m"
-        memory: "1280Mi"
+        memory: "1408Mi"
      limits:
-        memory: "1280Mi"
+        memory: "1408Mi"
          #limits:
          #  cpu: "400m"
          #  memory: "1280Mi"
--- a/values/badhouseplants/values.stalwart.yaml
+++ b/values/badhouseplants/values.stalwart.yaml
@ -1,6 +1,54 @@
 shortcuts:
  hostname: stalwart.badhouseplants.net
 workload:
  initContainers:
    prepare-config:
      image:
        registry: registry.hub.docker.com
        repository: stalwartlabs/mail-server
        tag:
        pullPolicy: Always
      mounts:
        files:
          config:
            path: /app/config/config.toml
            subPath: config.toml
        extraVolumes:
          etc:
            path: /app/etc
      command:
        - sh
      args:
        - -c
        - cp /app/config/config.toml /app/etc/config.toml
  containers:
    stalwart:
      args:
        - --config
        - /app/etc/config.toml
      mounts:
        extraVolumes:
          certs:
            path: /app/certs
          data:
            path: /app/data
          logs:
            path: /app/logs
          etc:
            path: /app/etc
 extraVolumes:
  certs:
    secret:
      secretName: stalwart.badhouseplants.net
  etc:
    emptyDir: {}
  logs:
    emptyDir: {}
  data:
    emptyDir: {}
 ingress:
  main:
    annotations:
@ -44,3 +92,100 @@ traefik:
      service: stalwart-pop3s
      entrypoint: pop3s
      port: 995
 storage:
  data:
    storageClassName: ceph-filesystem
 files:
  config:
    enabled: true
    sensitive: true
    remove: []
    entries:
      # Ref: https://github.com/stalwartlabs/mail-server/blob/main/resources/config/config.toml
      config.toml:
        data: |
          [server.listener."smtp"]
          bind = ["[::]:25"]
          protocol = "smtp"
          [server.listener."submission"]
          bind = ["[::]:587"]
          protocol = "smtp"
          [server.listener."submissions"]
          bind = ["[::]:465"]
          protocol = "smtp"
          tls.implicit = true
          [server.listener."imap"]
          bind = ["[::]:143"]
          protocol = "imap"
          [server.listener."imaptls"]
          bind = ["[::]:993"]
          protocol = "imap"
          tls.implicit = true
          [server.listener.pop3]
          bind = "[::]:110"
          protocol = "pop3"
          [server.listener.pop3s]
          bind = "[::]:995"
          protocol = "pop3"
          tls.implicit = true
          [server.listener."sieve"]
          bind = ["[::]:4190"]
          protocol = "managesieve"
          [server.listener."https"]
          protocol = "https"
          bind = ["[::]:443"]
          tls.implicit = false
          [server.listener."http"]
          bind = "[::]:8080"
          protocol = "http"
          [storage]
          data = "rocksdb"
          fts = "rocksdb"
          blob = "rocksdb"
          lookup = "rocksdb"
          directory = "internal"
          [store."rocksdb"]
          type = "rocksdb"
          path = "/app/data"
          compression = "lz4"
          [directory."internal"]
          type = "internal"
          store = "rocksdb"
          [tracer."stdout"]
          type = "stdout"
          level = "info"
          ansi = false
          enable = true
          #[server.run-as]
          #user = "stalwart-mail"
          #group = "stalwart-mail"
          [authentication.fallback-admin]
          user = "admin"
          secret = 'R@ndomToken$tring'
          [tracer.console]
          type = "console"
          level = "info"
          ansi = true
          enable = true
          [certificate."default"]
          cert = "%{file:/app/certs/tls.crt}%"
          private-key = "%{file:/app/certs/tls.key}%"
--- a/values/badhouseplants/values.velero.yaml
+++ b/values/badhouseplants/values.velero.yaml
@ -5,13 +5,14 @@ initContainers:
    volumeMounts:
      - mountPath: /target
        name: plugins
 configuration:
  features: EnableCSI
  backupStorageLocation:
  - name: default
    provider: aws
    plugin: velero/velero-plugin-for-aws:v1.2.1
-    bucket: restic
+    bucket: velero
    accessMode: ReadWrite
    credential:
      name: velero-s3-creds
@ -26,6 +27,7 @@ configuration:
    provider: aws
    config:
      region: us-east-1
 deployNodeAgent: true
 schedules:
  daily:
--- a/values/badhouseplants/values.woodpecker-ci.yaml
+++ b/values/badhouseplants/values.woodpecker-ci.yaml
@ -34,7 +34,7 @@ server:
    WOODPECKER_GITEA: true
    WOODPECKER_GITEA_URL: https://gitea.badhouseplants.net
    WOODPECKER_DATABASE_DRIVER: postgres
-    WOODPECKER_GITEA_CLIENT: ab5e4687-a476-4668-9fbc-288d54095634
+    WOODPECKER_GITEA_CLIENT: 4ea3d706-691e-4cec-a748-5108715cf72d
    WOODPECKER_OPEN: true
    WOODPECKER_ADMIN: "woodpecker,allanger"
    WOODPECKER_HOST: "https://ci.badhouseplants.net"
--- a/values/badhouseplants/values.zot.yaml
+++ b/values/badhouseplants/values.zot.yaml
@ -1,22 +1,20 @@
 ingress:
  enabled: true
-  className: ~
+  className: traefik
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
    kubernetes.io/ingress.class: traefik
    kubernetes.io/tls-acme: "true"
    kubernetes.io/ingress.allow-http: "false"
    kubernetes.io/ingress.global-static-ip-name: ""
    cert-manager.io/cluster-issuer: badhouseplants-issuer-http01
-  pathtype: ImplementationSpecific
+  pathtype: Prefix
  hosts:
-    - host: registry.badhouseplants.net
+    - host: zot.badhouseplants.net
      paths:
        - path: /
  tls:
-    - secretName: registry.badhouseplants.net
+    - secretName: zot.badhouseplants.net
      hosts:
-        - registry.badhouseplants.net
+        - zot.badhouseplants.net
 service:
  type: ClusterIP
 persistence: true
@ -24,24 +22,8 @@ pvc:
  create: true
  accessMode: "ReadWriteMany"
  storage: 5Gi
  storageClassName: ceph-filesystem
 mountConfig: true
 mountSecret: true
 strategy:
  type: Recreate
  #configFiles:
  #  ui.json: |-
  #    {
  #      "log": {
  #        "level": "info"
  #      },
  #      "extensions": {
  #        "search": {
  #          "cve": {
  #            "updateInterval": "2h"
  #          }
  #        },
  #        "ui": {
  #          "enable": true
  #        }
  #      }
  #    }
--- a/values/etersoft/values.cert-manager.yaml
+++ b/values/etersoft/values.cert-manager.yaml
@ -0,0 +1,25 @@
 crds:
  enabled: true
 networkPolicy:
  enabled: true
 resources:
  requests:
    cpu: 30m
    memory: 100Mi
  limits: 
    memory: 100Mi
 cainjector:
  resources:
    requests:
      cpu: 20m
      memory: 150Mi
    limits: 
      memory: 150Mi
 webhook:
  resources:
    requests:
      cpu: 50m
      memory: 150Mi
    limits: 
      memory: 150Mi
--- a/values/etersoft/values.cilium.yaml
+++ b/values/etersoft/values.cilium.yaml
@ -0,0 +1,8 @@
 operator:
  replicas: 1
 endpointRoutes:
  enabled: true
 ipam:
  ciliumNodeUpdateRate: "15s"
  operator:
    clusterPoolIPv4PodCIDRList: ["192.168.0.0/16"]
--- a/values/etersoft/values.coredns.yaml
+++ b/values/etersoft/values.coredns.yaml
@ -0,0 +1,32 @@
 service:
  clusterIP: 10.43.0.10
 servers:
  - zones:
      - zone: .
    port: 53
    plugins:
    - name: errors
    # Serves a /health endpoint on :8080, required for livenessProbe
    - name: health
      configBlock: |-
        lameduck 5s
    # Serves a /ready endpoint on :8181, required for readinessProbe
    - name: ready
    # Required to query kubernetes API for data
    - name: kubernetes
      parameters: cluster.local in-addr.arpa ip6.arpa
      configBlock: |-
        pods insecure
        fallthrough in-addr.arpa ip6.arpa
        ttl 30
    # Serves a /metrics endpoint on :9153, required for serviceMonitor
    - name: prometheus
      parameters: 0.0.0.0:9153
    - name: forward
      parameters: . 1.1.1.1 1.0.0.1
    - name: cache
      parameters: 30
    - name: loop
    - name: reload
    - name: loadbalance
--- a/values/etersoft/values.local-path-provisioner.yaml
+++ b/values/etersoft/values.local-path-provisioner.yaml
@ -0,0 +1,6 @@
 storageClass:
  create: true
  defaultClass: true
  defaultVolumeType: local
  reclaimPolicy: Delete
  volumeBindingMode: Immediate
--- a/values/etersoft/values.metallb-resources.yaml
+++ b/values/etersoft/values.metallb-resources.yaml
@ -0,0 +1,5 @@
 metallb:
  enabled: true
  ippools:
    - name: etersoft
      addresses: 91.232.225.63-91.232.225.63
--- a/values/etersoft/values.metallb.yaml
+++ b/values/etersoft/values.metallb.yaml
@ -0,0 +1,71 @@
 controller:
  enabled: true
  logLevel: warn
  image:
    repository: quay.io/metallb/controller
    tag:
    pullPolicy:
  strategy:
    type: RollingUpdate
  securityContext:
    runAsNonRoot: true
    # nobody
    runAsUser: 65534
    fsGroup: 65534
  resources:
    requests:
      cpu: 20m
      memory: 100Mi
    limits:
      memory: 100Mi
  livenessProbe:
    enabled: true
    failureThreshold: 3
    initialDelaySeconds: 10
    periodSeconds: 10
    successThreshold: 1
    timeoutSeconds: 3
  readinessProbe:
    enabled: true
    failureThreshold: 3
    initialDelaySeconds: 10
    periodSeconds: 10
    successThreshold: 1
    timeoutSeconds: 3
 speaker:
  enabled: true
  logLevel: warn
  tolerateMaster: true
  image:
    repository: quay.io/metallb/speaker
    tag:
    pullPolicy:
  securityContext: {}
  resources: 
    requests:
      cpu: 100m
      memory: 250Mi
    limits:
      memory: 250Mi
  livenessProbe:
    enabled: true
    failureThreshold: 3
    initialDelaySeconds: 10
    periodSeconds: 10
    successThreshold: 1
    timeoutSeconds: 3
  readinessProbe:
    enabled: true
    failureThreshold: 3
    initialDelaySeconds: 10
    periodSeconds: 10
    successThreshold: 1
    timeoutSeconds: 3
  startupProbe:
    enabled: true
    failureThreshold: 30
    periodSeconds: 5
 crds:
  enabled: true
  validationFailurePolicy: Fail
--- a/values/etersoft/values.minio.yaml
+++ b/values/etersoft/values.minio.yaml
@ -0,0 +1,131 @@
 ---
 ingress:
  enabled: true
  ingressClassName: ~
  annotations:
    kubernetes.io/ingress.class: traefik
    kubernetes.io/tls-acme: "true"
    kubernetes.io/ingress.allow-http: "false"
    kubernetes.io/ingress.global-static-ip-name: ""
    cert-manager.io/cluster-issuer: badhouseplants-issuer-http01
    traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
  path: /
  hosts:
    - s3.3.badhouseplants.net
  tls:
    - secretName: s3.e.badhouseplants.net
      hosts:
        - s3.e.badhouseplants.net
 consoleIngress:
  enabled: true
  ingressClassName: ~
  annotations:
    kubernetes.io/ingress.class: traefik
    kubernetes.io/tls-acme: "true"
    kubernetes.io/ingress.allow-http: "false"
    kubernetes.io/ingress.global-static-ip-name: ""
    cert-manager.io/cluster-issuer: badhouseplants-issuer-http01
    traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
  path: /
  hosts:
    - minio.e.badhouseplants.net
  tls:
    - secretName: minio.e.badhouseplants.net
      hosts:
        - minio.e.badhouseplants.net
 rootUser: 'overlord'
 replicas: 1
 mode: standalone
 environment:
  MINIO_SERVER_URL: "https://s3.e.badhouseplants.net:443"
 tls:
  enabled: false
  certSecret: ''
  publicCrt: public.crt
  privateKey: private.key
 persistence:
  enabled: true
  accessMode: ReadWriteOnce
  size: 100Gi
 service:
  type: ClusterIP
  clusterIP: ~
  port: '9000'
 consoleService:
  type: ClusterIP
  clusterIP: ~
  port: '9001'
 resources:
  requests:
    memory: 2Gi
 buckets:
  - name: badhouseplants-net
    policy: download
    purge: false
    versioning: false
  - name: badhouseplants-js
    policy: download
    purge: false
    versioning: false
  - name: badhouseplants-net-main
    policy: download
    purge: false
    versioning: false
  - name: sharing
    policy: download
    purge: false
    versioning: false
  - name: allanger-music
    policy: download
    purge: false
 metrics:
  serviceMonitor:
    enabled: false
    public: true
    additionalLabels: {}
 policies:
  - name: allanger
    statements:
      - resources:
          - 'arn:aws:s3:::*'
        actions:
          - "s3:*"
      - resources: []
        actions:
          - "admin:*"
      - resources: []
        actions:
          - "kms:*"
  - name: Admins
    statements:
      - resources:
          - 'arn:aws:s3:::*'
        actions:
          - "s3:*"
      - resources: []
        actions:
          - "admin:*"
      - resources: []
        actions:
          - "kms:*"
  - name: DevOps
    statements:
      - resources:
          - 'arn:aws:s3:::badhouseplants-net'
        actions:
          - "s3:*"
      - resources:
          - 'arn:aws:s3:::badhouseplants-net/*'
        actions:
          - "s3:*"
  - name: sharing
    statements:
      - resources:
          - 'arn:aws:s3:::sharing'
        actions:
          - "s3:*"
      - resources:
          - 'arn:aws:s3:::sharing/*'
        actions:
          - "s3:*"
--- a/values/etersoft/values.namespaces.yaml
+++ b/values/etersoft/values.namespaces.yaml
@ -0,0 +1,3 @@
 namespaces:
  - name: applications
  - name: platform
--- a/values/badhouseplants/values.openvpn-xor.yaml
+++ b/values/badhouseplants/values.openvpn-xor.yaml
@ -17,8 +17,8 @@
 traefik:
  enabled: true
  tcpRoutes:
-    - name: openvpn-xor
+    - name: openvpn
-      service: openvpn-xor
+      service: openvpn
      match: HostSNI(`*`)
      entrypoint: openvpn
      port: 1194
--- a/values/etersoft/values.openvpn.yaml
+++ b/values/etersoft/values.openvpn.yaml
@ -0,0 +1,35 @@
 storage:
  class: microk8s-hostpath
  size: 5Gi
 openvpn:
  proto: tcp
  host: 91.232.225.63
 service:
  type: ClusterIP
  port: 1194
  targetPort: 1194
  protocol: TCP
 easyrsa:
  cn: Bad Houseplants
  country: Germany
  province: NRW
  city: Duesseldorf
  org: Bad Houseplants
  email: allanger@zohomail.com
 istio-resources:
  enabled: true
  gateways:
    - metadata:
        name: etersoft-vpn
        namespace: istio-system
      spec:
        selector: 
          istio: ingressgateway
        servers: 
          - hosts:
              - '*'
            port:
              name: openvpn
              number: 1194
              protocol: TCP
--- a/values/etersoft/values.roles.yaml
+++ b/values/etersoft/values.roles.yaml
@ -0,0 +1 @@
 roles: []
--- a/values/etersoft/values.traefik.yaml
+++ b/values/etersoft/values.traefik.yaml
@ -0,0 +1,84 @@
 globalArguments:
  - "--serversTransport.insecureSkipVerify=true"
 ports:
  web:
    redirectTo:
      port: websecure
  ssh:
    port: 22
    expose:
      default: true
    exposedPort: 22
    protocol: TCP
  openvpn:
    port: 1194
    expose:
      default: true
    exposedPort: 1194
    protocol: TCP
  valve-server:
    port: 27015
    expose:
      default: true
    exposedPort: 27015
    protocol: UDP
  valve-rcon:
    port: 27015
    expose:
      default: true
    exposedPort: 27015
    protocol: TCP
  smtp:
    port: 25
    protocol: TCP
    exposedPort: 25
    expose:
      default: true
  smtps:
    port: 465
    protocol: TCP
    exposedPort: 465
    expose:
      default: true
  smtp-startls:
    port: 587
    protocol: TCP
    exposedPort: 587
    expose:
      default: true  
  imap:
    port: 143
    protocol: TCP
    exposedPort: 143
    expose:
      default: true
  imaps:
    port: 993
    protocol: TCP
    exposedPort: 993
    expose:
      default: true
  pop3:
    port: 110
    protocol: TCP
    exposedPort: 110
    expose:
      default: true
  pop3s:
    port: 995
    protocol: TCP
    exposedPort: 995
    expose:
      default: true
  minecraft:
    port: 25565
    protocol: TCP
    exposedPort: 25565
    expose:
      default: true
  shadowsocks:
    port: 8388
    protocol: TCP
    exposedPort: 8388
    expose:
      default: true
--- a/velero-cm/change-storage-class.yaml
+++ b/velero-cm/change-storage-class.yaml
@ -1,10 +0,0 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: change-storage-class-config
  namespace: velero
  labels:
    velero.io/plugin-config: ""
    velero.io/change-storage-class: RestoreItemAction
 data:
  ceph-filesystem: local-path