chore(deps): update postgresql docker tag to v16.6.0

.sops.yaml

@@ -8,7 +8,3 @@ creation_rules:
     key_groups:
       - age:
           - age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
-  - path_regex: common/values/secrets.*
-    key_groups:
-      - age:
-          - age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8

charts/metallb-resources/Chart.yaml

@@ -1,24 +0,0 @@
-apiVersion: v2
-name: metallb-resources
-description: A Helm chart for Kubernetes
-
-# A chart can be either an 'application' or a 'library' chart.
-#
-# Application charts are a collection of templates that can be packaged into versioned archives
-# to be deployed.
-#
-# Library charts provide useful utilities or functions for the chart developer. They're included as
-# a dependency of application charts to inject those utilities and functions into the rendering
-# pipeline. Library charts do not define any templates and therefore cannot be deployed.
-type: application
-
-# This is the chart version. This version number should be incremented each time you make changes
-# to the chart and its templates, including the app version.
-# Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.0
-
-# This is the version number of the application being deployed. This version number should be
-# incremented each time you make changes to the application. Versions are not expected to
-# follow Semantic Versioning. They should reflect the version the application is using.
-# It is recommended to use it with quotes.
-appVersion: "1.16.0"

charts/metallb-resources/templates/ip_address_pool.tpl

@@ -1,7 +0,0 @@
-apiVersion: metallb.io/v1beta1
-kind: IPAddressPool
-metadata:
-  name: {{ include "metallb-resources.fullname" . }}
-spec:
-  addresses:
-  - {{ .Values.addresses}}

charts/metallb-resources/values.yaml

@@ -1 +0,0 @@
-addresses: 1.1.1.1-1.1.1.1

charts/namespaces/chart/templates/namespaces.yaml

@@ -25,14 +25,6 @@ metadata:
   namespace: {{ $ns.name }}
 data:
   .dockerconfigjson: {{ $.Values.defaultRegcred }}
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: default
-  namespace: {{ $ns.name }}
-imagePullSecrets:
-  - name: regcred
 {{- end }}
 {{- end }}
 {{- end }}

charts/namespaces/kustomize/flux-system.yml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: flux-system
+  labels:
+    name: flux-system

charts/namespaces/kustomize/giantswarm-flux.yml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: giantswarm-flux
+  labels:
+    name: giantswarm-flux

charts/namespaces/kustomize/giantswarm.yml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: giantswarm
+  labels:
+    name: giantswarm

charts/namespaces/kustomize/kustomization.yaml

@@ -0,0 +1,5 @@
+resources:
+  - ./giantswarm-flux.yml
+  - ./giantswarm.yml
+  - ./monitoring.yml
+  - ./org-giantswarm.yml

charts/namespaces/kustomize/monitoring.yml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: monitoring
+  labels:
+    name: monitoring

charts/namespaces/kustomize/org-giantswarm.yml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: org-giantswarm
+  labels:
+    name: org-giantswarm

charts/root/Chart.yaml

@@ -0,0 +1,6 @@
+apiVersion: v2
+name: root
+description: A Helm chart for Kubernetes
+type: application
+version: 0.1.5
+appVersion: "1.16.0"

charts/root/templates/_helpers.tpl

@@ -1,7 +1,7 @@
 {{/*
 Expand the name of the chart.
 */}}
-{{- define "metallb-resources.name" -}}
+{{- define "root.name" -}}
 {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
 {{- end }}
 
@@ -10,7 +10,7 @@ Create a default fully qualified app name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
 If release name contains chart name it will be used as a full name.
 */}}
-{{- define "metallb-resources.fullname" -}}
+{{- define "root.fullname" -}}
 {{- if .Values.fullnameOverride }}
 {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
 {{- else }}
@@ -26,16 +26,16 @@ If release name contains chart name it will be used as a full name.
 {{/*
 Create chart name and version as used by the chart label.
 */}}
-{{- define "metallb-resources.chart" -}}
+{{- define "root.chart" -}}
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
 {{- end }}
 
 {{/*
 Common labels
 */}}
-{{- define "metallb-resources.labels" -}}
+{{- define "root.labels" -}}
-helm.sh/chart: {{ include "metallb-resources.chart" . }}
+helm.sh/chart: {{ include "root.chart" . }}
-{{ include "metallb-resources.selectorLabels" . }}
+{{ include "root.selectorLabels" . }}
 {{- if .Chart.AppVersion }}
 app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 {{- end }}
@@ -45,17 +45,17 @@ app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{/*
 Selector labels
 */}}
-{{- define "metallb-resources.selectorLabels" -}}
+{{- define "root.selectorLabels" -}}
-app.kubernetes.io/name: {{ include "metallb-resources.name" . }}
+app.kubernetes.io/name: {{ include "root.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
 
 {{/*
 Create the name of the service account to use
 */}}
-{{- define "metallb-resources.serviceAccountName" -}}
+{{- define "root.serviceAccountName" -}}
 {{- if .Values.serviceAccount.create }}
-{{- default (include "metallb-resources.fullname" .) .Values.serviceAccount.name }}
+{{- default (include "root.fullname" .) .Values.serviceAccount.name }}
 {{- else }}
 {{- default "default" .Values.serviceAccount.name }}
 {{- end }}

charts/root/templates/root.yaml

@@ -0,0 +1,25 @@
+{{ if .Capabilities.APIVersions.Has "source.toolkit.fluxcd.io/v1" }}
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: GitRepository
+metadata:
+  name: root
+spec:
+  interval: 30s
+  url: {{ .Values.url }}
+  ref:
+    branch: {{ .Values.branch }}
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: root
+spec:
+  interval: 30s
+  targetNamespace: flux-system
+  sourceRef:
+    kind: GitRepository
+    name: root
+  path: "."
+  prune: false
+  timeout: 1m
+{{- end }}

charts/root/templates/self.yaml

@@ -0,0 +1,25 @@
+{{ if .Capabilities.APIVersions.Has "source.toolkit.fluxcd.io/v1" }}
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: GitRepository
+metadata:
+  name: root-self
+spec:
+  interval: 30s
+  url: {{ .Values.self.url }}
+  ref:
+    branch: {{ .Values.self.branch }}
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: root-self
+spec:
+  interval: 30s
+  targetNamespace: flux-system
+  sourceRef:
+    kind: GitRepository
+    name: root-self
+  path: "."
+  prune: false
+  timeout: 1m
+{{- end }}

charts/root/values.yaml

@@ -0,0 +1,5 @@
+url: https://git.badhouseplants.net/giantswarm/cluster-example.git
+branch: main
+self:
+  url: git@git.badhouseplants.net:giantswarm/root-config.git
+  branch: master

charts/tf-ocloud/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

charts/tf-ocloud/Chart.lock

@@ -0,0 +1,6 @@
+dependencies:
+- name: helm-library
+  repository: oci://ghcr.io/allanger/allangers-helm-library
+  version: 0.1.4
+digest: sha256:6306a6a8d3c51b2b5f37cffa88c3731550da789d1ce2317a83a3f9a657310f8e
+generated: "2024-10-16T20:01:59.337767+02:00"

charts/tf-ocloud/Chart.yaml

@@ -0,0 +1,15 @@
+apiVersion: v2
+name: tf-ocloud
+type: application
+version: 0.1.0
+appVersion: 0.1.5
+maintainers:
+  - name: allanger
+    email: allanger@zohomail.com
+    url: https://badhouseplants.net
+dependencies:
+  - name: helm-library
+    version: 0.2.3
+    repository: oci://ghcr.io/allanger/allangers-helm-library
+annotations:
+  allowed_workload_kinds: "Deployment"

charts/tf-ocloud/templates/install.yaml

@@ -0,0 +1,3 @@
+{{ include "lib.component.workload" . }}
+{{ include "lib.component.files" . }}
+{{ include "lib.component.env" . }}

charts/tf-ocloud/values.yaml

@@ -0,0 +1,67 @@
+---
+workload:
+  kind: Deployment
+  strategy:
+    type: RollingUpdate
+  securityContext: {}
+  containers:
+    tf:
+      securityContext: {}
+      image:
+        registry: zot.badhouseplants.net
+        repository: badhouseplants/terraform-ocloud
+        tag: 7eae6ec805bc99618a196abf9d4d2e0fd19f75e6
+        pullPolicy: Always
+      envFrom:
+        - main
+      mounts:
+        files:
+          ocloudkey:
+            path: /src/key.pem
+            subPath: key.pem
+          publickey:
+            path: /src/public_key
+            subPath: public-key
+          privatekey:
+            path: /src/ssh_key
+            subPath: ssh-key
+          tfvars:
+            path: /src/terraform.tfvars
+            subPath: terraform.tfvars
+        extraVolumes:
+          dottf:
+            path: /src/.terraform
+
+extraVolumes:
+  dottf:
+    emptyDir: {}
+
+files:
+  ocloudkey:
+    enabled: true
+    sensitive: false
+    remove: []
+    entries:
+      key.pem:
+        data: dummy
+  publickey:
+    enabled: true
+    sensitive: false
+    remove: []
+    entries:
+      public-key:
+        data: dummy
+  privatekey:
+    enabled: true
+    sensitive: false
+    remove: []
+    entries:
+      ssh-key:
+        data: dummy
+  tfvars:
+    enabled: true
+    sensitive: false
+    remove: []
+    entries:
+      terraform.tfvars:
+        data: dummy

common/templates.yaml

@@ -1,6 +1,3 @@
-helmDefaults:
-  kubeContext: {{ .StateValues.kubeContext }}
-
 templates:
   # ---------------------------
   # -- Hooks
@@ -42,19 +39,19 @@ templates:
       - '{{ requiredEnv "PWD" }}/values/{{ .Environment.Name }}/secrets.{{ `{{ .Release.Name }}` }}.yaml'
   common-values:
     values:
-      - '../values/common/{{ `{{ .Release.Namespace }}` }}/{{ `{{ .Release.Name }}` }}/values.yaml'
+      - '{{ requiredEnv "PWD" }}/values/common/{{ `{{ .Release.Namespace }}` }}/{{ `{{ .Release.Name }}` }}/values.yaml'
   common-values-tpl:
     values:
-      - '../values/common/{{ `{{ .Release.Namespace }}` }}/{{ `{{ .Release.Name }}` }}/values.gotmpl'
+      - '{{ requiredEnv "PWD" }}/values/common/{{ `{{ .Release.Namespace }}` }}/{{ `{{ .Release.Name }}` }}/values.gotmpl'
   env-values:
     values:
-      - '../values/{{ .Environment.Name }}/{{ `{{ .Release.Namespace }}` }}/{{ `{{ .Release.Name }}` }}/values.yaml'
+      - '{{ requiredEnv "PWD" }}/values/{{ .Environment.Name }}/{{ `{{ .Release.Namespace }}` }}/{{ `{{ .Release.Name }}` }}/values.yaml'
   env-values-tpl:
     values:
-      - '../values/{{ .Environment.Name }}/{{ `{{ .Release.Namespace }}` }}/{{ `{{ .Release.Name }}` }}/values.gotmpl'
+      - '{{ requiredEnv "PWD" }}/values/{{ .Environment.Name }}/{{ `{{ .Release.Namespace }}` }}/{{ `{{ .Release.Name }}` }}/values.gotmpl'
   env-secrets:
     secrets:
-      - '../values/{{ .Environment.Name }}/{{ `{{ .Release.Namespace }}` }}/{{ `{{ .Release.Name }}` }}/secrets.yaml'
+      - '{{ requiredEnv "PWD" }}/values/{{ .Environment.Name }}/{{ `{{ .Release.Namespace }}` }}/{{ `{{ .Release.Name }}` }}/secrets.yaml'
   # ----------------------------
   # -- Extensions
   # ----------------------------
@@ -71,7 +68,7 @@ templates:
         version: 2.0.0
         alias: traefik
     values:
-      - '../values/common/values.tcp-route.yaml'
+      - '{{ requiredEnv "PWD" }}/values/common/values.tcp-route.yaml'
   ext-udp-routes:
     dependencies:
       - chart: bedag/raw
@@ -128,7 +125,7 @@ templates:
         version: 2.0.0
         alias: ext-database
     values:
-      - '../values/common/values.database.yaml'
+      - '{{ requiredEnv "PWD" }}/values/common/values.database.yaml'
   ext-secret:
     dependencies:
       - chart: bedag/raw

common/values/values.badhouseplants.yaml

@@ -1,6 +1 @@
-registry: registry.badhouseplants.net/containers
+registry: registry.badhouseplants.net
-registry_url: registry.badhouseplants.net
-main_ip: 195.201.249.91
-tools:
-  openebs:
-    enabled: true

common/values/values.etersoft.yaml

@@ -1,6 +1 @@
-registry: registry.ru.badhouseplants.net/containers
+registry: registry.ru.badhouseplants.net
-registry_url: registry.ru.badhouseplants.net
-main_ip: 91.232.225.63
-tools:
-  openebs:
-    enabled: false

helmfile.yaml

@@ -0,0 +1,5 @@
+bases:
+  - ./common/environments.yaml
+  - ./common/templates.yaml
+  - ./helmfiles/base.yaml
+  - ./helmfiles/system.yaml

helmfile.yaml.gotmpl

@@ -1,26 +0,0 @@
----
-bases:
-  - ./common/environments.yaml
-
----
-helmfiles:
-  - path: ./helmfiles/base.yaml
-    values:
-      - kubeContext: "{{ .Environment.KubeContext }}"
-      - {{ toYaml .Environment.Values | nindent 8 }}
-  - path: ./helmfiles/system.yaml
-    values:
-      - kubeContext: "{{ .Environment.KubeContext }}"
-      - {{ toYaml .Environment.Values | nindent 8 }}
-  - path: ./helmfiles/platform.yaml
-    values:
-      - kubeContext: "{{ .Environment.KubeContext }}"
-      - {{ toYaml .Environment.Values | nindent 8 }}
-  - path: ./helmfiles/databases.yaml
-    values:
-      - kubeContext: "{{ .Environment.KubeContext }}"
-      - {{ toYaml .Environment.Values | nindent 8 }}
-  - path: ./helmfiles/applications.yaml
-    values:
-      - kubeContext: "{{ .Environment.KubeContext }}"
-      - {{ toYaml .Environment.Values | nindent 8 }}

helmfiles/applications.yaml

@@ -1,28 +0,0 @@
-bases:
-  - ../common/templates.yaml
-
-repositories:
-  - name: gitea
-    url: https://dl.gitea.io/charts/
-  - name: bedag
-    url: https://bedag.github.io/helm-charts/
-  - name: minecraft
-    url: https://itzg.github.io/minecraft-server-charts/
-
-releases:
-  - name: app-gitea
-    chart: gitea/gitea
-    version: 11.0.0
-    namespace: org-badhouseplants
-    inherit:
-      - template: env-values
-      - template: env-secrets
-
-  - name: minecraft
-    chart: minecraft/minecraft
-    namespace: games
-    version: 4.26.1
-    inherit:
-      - template: common-values-tpl
-      - template: env-values
-      - template: env-secrets

helmfiles/base.yaml

@@ -1,10 +1,7 @@
-bases:
-  - ../common/templates.yaml
-
 releases:
   # -- This one must be executed with --take-ownership at least once
   - name: namespaces
-    chart: ../charts/namespaces
+    chart: ./charts/namespaces/chart
     namespace: kube-system
     createNamespace: false
     inherit:
@@ -12,7 +9,7 @@ releases:
       - template: env-secrets
 
   - name: roles
-    chart: ../charts/roles
+    chart: ./charts/roles
     namespace: kube-system
     createNamespace: false
     needs:

helmfiles/system.yaml

@@ -1,6 +1,3 @@
-bases:
-  - ../common/templates.yaml
-
 repositories:
   - name: coredns
     url: https://coredns.github.io/helm
@@ -14,18 +11,6 @@ repositories:
     url: https://charts.jetstack.io
   - name: metallb
     url: https://metallb.github.io/metallb
-  - name: traefik
-    url: https://traefik.github.io/charts
-  - name: local-path-provisioner
-    url: git+https://github.com/rancher/local-path-provisioner@deploy/chart?ref=master
-  - name: kyverno
-    url: https://kyverno.github.io/kyverno/
-  - name: vmware-tanzu
-    url: https://vmware-tanzu.github.io/helm-charts/
-  - name: openebs
-    url: https://openebs.github.io/openebs
-  - name: istio
-    url: https://istio-release.storage.googleapis.com/charts
 
 releases:
   - name: coredns
@@ -57,7 +42,7 @@ releases:
       - template: common-values-tpl
 
   - name: issuer
-    chart: ../charts/issuer
+    chart: ./charts/issuer
     namespace: kube-system
     missingFileHandler: Warn
     needs:
@@ -65,66 +50,7 @@ releases:
     inherit:
       - template: common-values
 
-  - name: local-path-provisioner
+  - name: zot
-    chart: local-path-provisioner/local-path-provisioner
-    namespace: kube-system
-    inherit:
-      - template: common-values-tpl
-
-  - name: kyverno
-    chart: kyverno/kyverno
-    namespace: kyverno
-    version: 3.3.7
-    needs:
-      - kube-system/cilium
-    inherit:
-      - template: common-values-tpl
-
-  - name: kyverno-policies
-    chart: kyverno/kyverno-policies
-    namespace: kyverno
-    version: 3.3.4
-    needs:
-      - kyverno/kyverno
-
-  - name: custom-kyverno-policies
-    chart: ../kustomizations/kyverno/{{ .Environment.Name }}
-    namespace: kyverno
-    needs:
-      - kyverno/kyverno
-
-  - name: metallb
-    chart: metallb/metallb
-    namespace: kube-system
-    condition: base.enabled
-    version: 0.14.9
-    needs:
-      - registry/cluster-mirror
-    inherit:
-      - template: common-values
-      - template: common-values-tpl
-
-  - name: metallb-resources
-    chart: ../charts/metallb-resources
-    version: 2.0.0
-    condition: base.enabled
-    namespace: kube-system
-    needs:
-      - kube-system/metallb
-    inherit:
-      - template: common-values-tpl
-
-  - name: traefik
-    chart: traefik/traefik
-    version: 34.4.1
-    condition: base.enabled
-    namespace: kube-system
-    inherit:
-      - template: common-values-tpl
-      - template: common-values
-      - template: env-values
-
-  - name: cluster-mirror
     chart: zot/zot
     version: 0.1.67
     createNamespace: false
@@ -141,41 +67,17 @@ releases:
     version: 3.12.2
     namespace: kube-system
     needs:
-      - registry/cluster-mirror
+      - registry/zot
     inherit:
       - template: common-values-tpl
 
-  - name: openebs
+  - name: metallb
-    chart: openebs/openebs
+    chart: metallb/metallb
-    condition: tools.openebs.enabled
     namespace: kube-system
-    version: 4.2.0
+    condition: base.enabled
-    inherit:
+    version: 0.14.9
-      - template: common-values-tpl
+    needs:
-      - template: env-values
+      - registry/zot
-
-  - name: velero
-    chart: vmware-tanzu/velero
-    namespace: velero
-    version: 8.7.0
-    condition: velero.enabled
-    inherit:
-      - template: common-values-tpl
-      - template: env-values
-      - template: env-secrets
-
-  - name: istio-base
-    chart: istio/base
-    namespace: istio-system
-    version: 1.25.1
     inherit:
       - template: common-values
-
-  - name: istiod
-    chart: istio/istiod
-    namespace: istio-system
-    version: 1.25.1
-    inherit:
       - template: common-values-tpl
-    needs:
-      - istio-system/istio-base

installations/applications/helmfile-badhouseplants.yaml

@@ -111,7 +111,7 @@ releases:
 
   - name: memos
     chart: allangers-charts/memos
-    version: 0.3.0
+    version: 0.2.0
     namespace: applications
     inherit:
       - template: default-env-values

installations/applications/helmfile-etersoft.yaml

@@ -27,14 +27,6 @@ releases:
       - template: default-env-values
       - template: default-env-secrets
 
-  - name: memos
-    chart: allangers-charts/memos
-    version: 0.3.0
-    namespace: applications
-    inherit:
-      - template: default-env-values
-
-
   - name: external-service-xray
     chart: ../../kustomizations/external-service-xray
     installed: true

installations/databases/helmfile.yaml

@@ -1,14 +1,12 @@
 bases:
-  - ../common/templates.yaml
+  - ../../common/environments.yaml
-
+  - ../../common/templates.yaml
 repositories:
   - name: bitnami
     url: registry-1.docker.io/bitnamicharts
     oci: true
   - name: bedag
     url: https://bedag.github.io/helm-charts/
-commonLabels:
-  installation: databases
 releases:
   - name: redis
     chart: bitnami/redis
@@ -16,30 +14,25 @@ releases:
     condition: redis.enabled
     version: 20.11.3
     inherit:
-      - template: common-values-tpl
+      - template: default-env-values
-      - template: env-values
+      - template: default-env-secrets
-      - template: env-secrets
-
   - name: postgres16
     labels:
       bundle: postgres
     namespace: databases
     chart: bitnami/postgresql
     condition: postgres16.enabled
-    version: 16.6.2
+    version: 16.6.0
     inherit:
-      - template: common-values-tpl
+      - template: default-env-values
-      - template: env-values
+      - template: default-env-secrets
-      - template: env-secrets
-
   - name: postgres17
     labels:
       bundle: postgres
     namespace: databases
     chart: bitnami/postgresql
     condition: postgres17.enabled
-    version: 16.6.2
+    version: 16.6.0
     inherit:
-      - template: common-values-tpl
+      - template: default-env-values
-      - template: env-values
+      - template: default-env-secrets
-      - template: env-secrets

installations/development/helmfile.yaml

@@ -0,0 +1,9 @@
+bases:
+  - ../../common/environments.yaml
+  - ../../common/templates.yaml
+repositories:
+  - name: argo
+    url: https://argoproj.github.io/argo-helm
+releases:
+  - name: badhouseplants
+    namespace: platform

installations/games/helmfile.yaml

@@ -13,7 +13,16 @@ releases:
   - name: minecraft
     chart: minecraft/minecraft
     namespace: games
-    version: 4.26.1
+    version: 4.25.1
+    inherit:
+      - template: ext-tcp-routes
+      - template: default-env-values
+      - template: default-env-secrets
+
+  - name: team-fortress-2
+    chart: allangers-charts/team-fortress-2
+    namespace: team-fortress-2
+    version: 0.1.2
     inherit:
       - template: ext-tcp-routes
       - template: default-env-values

installations/pipelines/helmfile.yaml

@@ -26,7 +26,7 @@ releases:
       - template: default-env-secrets
   - name: renovate-github
     chart: renovate/renovate
-    installed: true
+    installed: false
     namespace: pipelines
     version: 39.208.1
     inherit:

installations/platform/helmfile.yaml

@@ -1,70 +1,36 @@
 bases:
-  - ../common/templates.yaml
+  - ../../common/environments.yaml
+  - ../../common/templates.yaml
 
 repositories:
-  - name: keel
+  - name: argo
-    url: https://keel-hq.github.io/keel/
+    url: https://argoproj.github.io/argo-helm
-  - name: uptime-kuma
-    url: https://helm.irsigler.cloud
-  - name: external-dns
-    url: https://kubernetes-sigs.github.io/external-dns/
-  - name: minio-standalone
-    url: https://charts.min.io/
   - name: db-operator
     url: https://db-operator.github.io/charts
   - name: zot
     url: https://zotregistry.dev/helm-charts/
+  - name: bedag
+    url: https://bedag.github.io/helm-charts/
+  - name: crossplane-stable
+    url: https://charts.crossplane.io/stable
   - name: goauthentik
     url: https://charts.goauthentik.io/
+  - name: minio-standalone
+    url: https://charts.min.io/
+  - name: kyverno
+    url: https://kyverno.github.io/kyverno/
+  - name: external-dns
+    url: https://kubernetes-sigs.github.io/external-dns/
+  - name: keel
+    url: https://keel-hq.github.io/keel/
+  - name: uptime-kuma
+    url: https://helm.irsigler.cloud
 
 releases:
-  - name: external-dns
-    chart: external-dns/external-dns
-    labels:
-      layer: platform
-    version: 1.15.2
-    namespace: platform
-    inherit:
-      - template: common-values-tpl
-      - template: env-values
-      - template: env-secrets
-
-  - name: keel
-    chart: keel/keel
-    version: v1.0.5
-    labels:
-      layer: platform
-    namespace: platform
-    inherit:
-      - template: common-values-tpl
-
-  - name: uptime-kuma
-    chart: uptime-kuma/uptime-kuma
-    version: 2.21.2
-    namespace: platform
-    labels:
-      layer: platform
-    inherit:
-      - template: common-values-tpl
-      - template: env-values
-
-  - name: minio
-    chart: minio-standalone/minio
-    version: 5.4.0
-    namespace: platform
-    labels:
-      layer: platform
-    inherit:
-      - template: common-values-tpl
-      - template: env-values
-      - template: env-secrets
-
   - name: db-operator
     namespace: platform
     chart: db-operator/db-operator
     version: 1.34.0
-    inherit:
-      - template: common-values-tpl
 
   - name: db-instances
     chart: db-operator/db-instances
@@ -73,18 +39,19 @@ releases:
       - platform/db-operator
     version: 2.4.0
     inherit:
-      - template: env-values
+      - template: default-env-values
-      - template: env-secrets
+      - template: default-env-secrets
 
   - name: zot
     chart: zot/zot
     version: 0.1.67
+    createNamespace: false
+    installed: true
     namespace: platform
     condition: workload.enabled
     inherit:
-      - template: common-values-tpl
+      - template: default-env-values
-      - template: env-values
+      - template: default-env-secrets
-      - template: env-secrets
 
   - name: authentik
     chart: goauthentik/authentik
@@ -95,7 +62,58 @@ releases:
     needs:
       - platform/db-operator
     inherit:
-      - template: common-values-tpl
+      - template: default-env-values
-      - template: env-values
+      - template: default-env-secrets
-      - template: env-secrets
       - template: ext-database
+
+  - name: minio
+    chart: minio-standalone/minio
+    version: 5.4.0
+    namespace: platform
+    inherit:
+      - template: default-env-values
+      - template: default-env-secrets
+
+  - name: kyverno
+    chart: kyverno/kyverno
+    namespace: kyverno
+    labels:
+      bootstrap: true
+    version: 3.3.7
+
+  - name: kyverno-policies
+    chart: kyverno/kyverno-policies
+    namespace: kyverno
+    labels:
+      bootstrap: true
+    version: 3.3.4
+    needs:
+      - kyverno/kyverno
+
+  - name: custom-kyverno-policies
+    chart: "../../kustomizations/kyverno/{{ .Environment.Name }}"
+    namespace: kyverno
+    labels:
+      bootstrap: true
+    needs:
+      - kyverno/kyverno
+
+  - name: external-dns
+    chart: external-dns/external-dns
+    version: 1.15.2
+    namespace: platform
+    inherit:
+      - template: default-env-values
+      - template: default-env-secrets
+
+  - name: keel
+    chart: keel/keel
+    version: v1.0.5
+    namespace: platform
+
+  - name: uptime-kuma
+    chart: uptime-kuma/uptime-kuma
+    version: 2.21.2
+    namespace: platform
+    inherit:
+      - template: default-env-values

installations/system/helmfile.yaml

@@ -0,0 +1,162 @@
+bases:
+  - ../../common/environments.yaml
+  - ../../common/templates.yaml
+
+repositories:
+  - name: bedag
+    url: https://bedag.github.io/helm-charts/
+  - name: metrics-server
+    url: https://kubernetes-sigs.github.io/metrics-server/
+  - name: jetstack
+    url: https://charts.jetstack.io
+  - name: metallb
+    url: https://metallb.github.io/metallb
+  - name: traefik
+    url: https://traefik.github.io/charts
+  - name: coredns
+    url: https://coredns.github.io/helm
+  - name: cilium
+    url: https://helm.cilium.io/
+  - name: vmware-tanzu
+    url: https://vmware-tanzu.github.io/helm-charts/
+  - name: openebs
+    url: https://openebs.github.io/openebs
+  - name: local-path-provisioner
+    url: git+https://github.com/rancher/local-path-provisioner@deploy/chart?ref=master
+  - name: istio
+    url: https://istio-release.storage.googleapis.com/charts
+  - name: zot
+    url: https://zotregistry.dev/helm-charts/
+
+releases:
+  - name: cert-manager
+    chart: jetstack/cert-manager
+    version: v1.17.1
+    namespace: kube-system
+    condition: base.enabled
+    missingFileHandler: Warn
+    needs:
+      - kube-system/cilium
+    inherit:
+      - template: default-common-values
+      - template: default-env-values
+
+  - name: issuer
+    chart: '{{ requiredEnv "PWD" }}/charts/issuer'
+    namespace: kube-public
+    missingFileHandler: Warn
+    condition: base.enabled
+    needs:
+      - kube-system/cert-manager
+    inherit:
+      - template: default-common-values
+      - template: default-env-values
+
+  - name: metrics-server
+    chart: metrics-server/metrics-server
+    version: 3.12.2
+    namespace: kube-system
+    needs:
+      - kube-system/cilium
+    inherit:
+      - template: default-common-values
+
+  - name: metallb
+    chart: metallb/metallb
+    namespace: kube-system
+    condition: base.enabled
+    version: 0.14.9
+    needs:
+      - kube-system/cilium
+    inherit:
+      - template: default-common-values
+
+  - name: metallb-resources
+    chart: bedag/raw
+    version: 2.0.0
+    condition: base.enabled
+    namespace: kube-system
+    needs:
+      - kube-system/metallb
+    inherit:
+      - template: ext-metallb
+      - template: default-env-values
+
+  - name: traefik
+    chart: traefik/traefik
+    version: 34.4.1
+    condition: base.enabled
+    namespace: kube-system
+    needs:
+      - kube-system/cilium
+    inherit:
+      - template: default-common-values
+      - template: default-env-values
+
+  - name: velero
+    chart: vmware-tanzu/velero
+    namespace: velero
+    version: 8.5.0
+    condition: velero.enabled
+    needs:
+      - kube-system/cilium
+    inherit:
+      - template: default-env-values
+      - template: default-env-secrets
+      - template: crd-management-hook
+
+  - name: openebs
+    chart: openebs/openebs
+    condition: openebs.enabled
+    namespace: kube-system
+    version: 4.2.0
+    needs:
+      - kube-system/cilium
+    inherit:
+      - template: default-env-values
+
+  # -- Not versions since it's idnstalled from git
+  - name: local-path-provisioner
+    chart: local-path-provisioner/local-path-provisioner
+    condition: localpath.enabled
+    namespace: kube-system
+    needs:
+      - kube-system/cilium
+    inherit:
+      - template: default-env-values
+
+  - name: istio-base
+    chart: istio/base
+    condition: istio.enabled
+    namespace: istio-system
+    inherit:
+      - template: crd-management-hook
+
+  - name: istio-ingressgateway
+    chart: istio/gateway
+    condition: istio.enabled
+    installed: false
+    namespace: istio-system
+    needs:
+      - istio-system/istio-base
+    inherit:
+      - template: default-env-values
+
+  - name: istiod
+    chart: istio/istiod
+    condition: istio.enabled
+    namespace: istio-system
+    inherit:
+      - template: default-env-values
+    needs:
+      - istio-system/istio-base
+
+  - name: zot-mirror
+    chart: zot/zot
+    version: 0.1.67
+    createNamespace: false
+    installed: true
+    namespace: kube-system
+    inherit:
+      - template: default-env-values
+      - template: default-env-secrets

kustomizations/kyverno/badhouseplants/pvc-patch.yaml

@@ -4,19 +4,6 @@ metadata:
   name: replace-storage-class-by-openebs
 spec:
   rules:
-    - name: local-path-fix
-      match:
-        any:
-          - resources:
-              kinds:
-                - PersistentVolumeClaim
-              namespaces:
-                - registry
-      mutate:
-        patchStrategicMerge:
-          metadata:
-            annotations:
-              volume.kubernetes.io/selected-node: bordeaux
     - name: replace-storage-class
       match:
         any:
@@ -37,22 +24,22 @@ spec:
             storageClassName: openebs-hostpath
             accessModes:
               - ReadWriteOnce
-    #- name: remove-unwanted-annotations
+    - name: remove-unwanted-annotations
-    #  match:
+      match:
-    #    any:
+        any:
-    #      - resources:
+          - resources:
-    #          kinds:
+              kinds:
-    #            - PersistentVolumeClaim
+                - PersistentVolumeClaim
-    #          namespaces:
+              namespaces:
-    #            - games
+                - games
-    #  mutate:
+      mutate:
-    #    patchesJson6902: |-
+        patchesJson6902: |-
-    #      - path: "/metadata/annotations/volume.beta.kubernetes.io~1storage-class"
+          - path: "/metadata/annotations/volume.beta.kubernetes.io~1storage-class"
-    #        op: replace
+            op: replace
-    #        value: openebs-hostpath
+            value: openebs-hostpath
-    #      - path: "/metadata/annotations/volume.beta.kubernetes.io~1storage-provisioner"
+          - path: "/metadata/annotations/volume.beta.kubernetes.io~1storage-provisioner"
-    #        op: replace
+            op: replace
-    #        value: openebs.io/local
+            value: openebs.io/local
-    #      - path: "/metadata/annotations/volume.kubernetes.io~1storage-provisioner"
+          - path: "/metadata/annotations/volume.kubernetes.io~1storage-provisioner"
-    #        op: replace
+            op: replace
-    #        value: openebs.io/local
+            value: openebs.io/local

values/badhouseplants/kube-system/namespaces/values.yaml

@@ -2,36 +2,20 @@ namespaces:
   - name: registry
   - name: kube-system
     defaultRegcred: true
-  - name: production
-    defaultRegcred: true
   - name: kyverno
-    defaultRegcred: true
   - name: velero
-    defaultRegcred: true
   - name: observability
-    defaultRegcred: true
   - name: databases
-    defaultRegcred: true
   - name: istio-system
-    defaultRegcred: true
   - name: applications
-    defaultRegcred: true
     labels:
-      istio-injection: enabled
+      istio-injection: disabled
   - name: platform
-    defaultRegcred: true
   - name: games
-    defaultRegcred: true
   - name: team-fortress-2
-    defaultRegcred: true
   - name: pipelines
-    defaultRegcred: true
   - name: public-xray
-    defaultRegcred: true
     labels:
       istio-injection: disabled
   - name: org-badhouseplants
-    defaultRegcred: true
   - name: org-allanger
-    labels:
-      istio-injection: enabled

values/badhouseplants/kube-system/zot-mirror/secrets.yaml

@@ -0,0 +1,22 @@
+authHeader: ENC[AES256_GCM,data:nmlP0vRoKJRivvwJArnEO26sqIwFtnK5MYVPJBBCmAGCPpe/U00gYu6JET0gPqGV,iv:+GZwWrxoWw0mAZxZdITBLtHgRKYIyaj/NQwHbD8KppA=,tag:MAer3FiaBxyNwJr0BbDtow==,type:str]
+_mirror_password: ENC[AES256_GCM,data:W2xy2RMmD4d6N+DNceIgtDGUpygOGEbWgGa9Icsy,iv:YsQfm/EmBYY35q2irlZ2rmzkbJzlFnfgMSEKq0G1I5o=,tag:7rNG02Wm9g8GUXeM4nTHqA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPVUlyVFZWcWFuWnEyS2Nv
+            Tkx6aTZKY1czQ25RTHhKNWNNQ0xIaWJLb1VFCkdoT0RBTW9EWG8zbzYxekdsUEY2
+            bE9nQUthV3NCa0kzRnBwZ2U2MWlVNzAKLS0tIFY4RVJDM05ZVmR3NEt5YUlpOWZa
+            ZVc1bmJnU1o4U3NGaGN0Sk90YTR0ckkK8gmkHty4Gwt4vuVK3xhWWg4h/EgvJULh
+            Trgn0lzx2pCThg/+82u5J1T/QLXdbbDFFFwGldiMwNjZQfpOmrZpVw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-03-26T21:04:45Z"
+    mac: ENC[AES256_GCM,data:cTN6wq1m1XtsfNujCfQ4nKtX1Pkc8MFCipUeScDLJUuZZwg4St0h1OkYtYJBWeVSt3CSjjexQpb7Oi9K8wukboIVevaIj0BTT1hkf2ZUFeIV8W62mtftfdRex0yJ/4h1gTZaYBhHEw+qD6r+XvavDs1m22FF5RuF+5qfGUEWA4I=,iv:RsVuXbLVfZSJ7AkIvEdf7H2auFTiqXgpXLe/LbATAo8=,tag:1V5eIiJzjzv4C1JNNf5Quw==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.4

values/badhouseplants/org-badhouseplants/app-gitea/values.yaml

@@ -41,7 +41,8 @@ gitea:
   metrics:
     enabled: true
     serviceMonitor:
-      enabled: true
+      # -- TODO(@allanger): Enable it once prometheus is configured
+      enabled: false
   config:
     database:
       DB_TYPE: postgres
@@ -58,14 +59,13 @@ gitea:
       MAX_CREATION_LIMIT: 0
       DISABLED_REPO_UNITS: repo.wiki
     service:
-      DISABLE_REGISTRATION: true
+      DISABLE_REGISTRATION: false
     server:
       DOMAIN: gitea.badhouseplants.net
       ROOT_URL: https://gitea.badhouseplants.net
       LFS_START_SERVER: true
       LANDING_PAGE: explore
       START_SSH_SERVER: true
-      ENABLE_PPROF: true
     storage:
       STORAGE_TYPE: minio
       MINIO_ENDPOINT: "s3.badhouseplants.net:443"

values/badhouseplants/org-badhouseplants/app-stalwart/values.yaml

@@ -50,7 +50,6 @@ extraVolumes:
     emptyDir: {}
 ingress:
   main:
-    metadata:
     annotations:
       cert-manager.io/cluster-issuer: badhouseplants-issuer-http01
       kubernetes.io/ingress.allow-http: "false"

values/badhouseplants/org-badhouseplants/app-vaultwarden/secrets.yaml

@@ -1,26 +1,31 @@
 config:
     env:
         secrets:
-            enabled: ENC[AES256_GCM,data:bai2CQ==,iv:NG7q1ZsDpCW9Lu00fGsibpTEHGtew+l5TFOLOpljlwU=,tag:Z2/fXmsEEqhDzCdTWS/Qhw==,type:bool]
+            enabled: ENC[AES256_GCM,data:C4TSoQ==,iv:kG2QtaNWHSc2sdhzo8HnMnPE0Mixqs1dvFsAcke/Gw4=,tag:HhbVmIw5RQ9hipQqZ5J2pw==,type:bool]
-            sensitive: ENC[AES256_GCM,data:n+dNXA==,iv:iFM0+5G5Bsw4NI+JH1vMMrty3Zo0El0HE9F6PEDsJrY=,tag:EcbzQHVeOHVLVC7kgaRPXw==,type:bool]
+            sensitive: ENC[AES256_GCM,data:0wVOUg==,iv:FGxAd9h2e0LeWukZR/THhCscF3FWoK4dnkrX1mqSC+A=,tag:0rpeedT6x2V79WB5xRNbuA==,type:bool]
             data:
-                SMTP_USERNAME: ENC[AES256_GCM,data:eQ4c,iv:4vX/ioHWEA6DzMwZ+23dgUN4PJ7Asz7bbufG5Fy80iI=,tag:1Mq0Hj/23T4fvGEXuNUtxA==,type:str]
+                SMTP_USERNAME: ENC[AES256_GCM,data:82zb,iv:Z89+Wt6jGMQTZ73ghk1Ey504WYt2Li9XQ2gaH0SB8tI=,tag:RmqHxghik75E9LAABzyVxA==,type:str]
-                ADMIN_PASSWORD: ENC[AES256_GCM,data:B08urSqwYgekI6I5LDYGHbPK5n3r+woRZw==,iv:K2O9aSJLRMbK+N2lfX4ojSqhbmb9KbWsuW2DtYZHCOA=,tag:Qz0OJ7aWwC+/9d1oc38ySw==,type:str]
+                ADMIN_PASSWORD: ENC[AES256_GCM,data:ELi8dtNa/OhQKgrXbrgwHK95ntZjyzRSvQ==,iv:IVZbXZlFyCRMc3bW81Ak9UdjeGke0px9mGqrmaW7EHk=,tag:9xli08c0pqnxu2ktTbCMcg==,type:str]
-                ADMIN_TOKEN: ENC[AES256_GCM,data:sKVugfrrR9L5LtozHPibGiPULiwv8pAot925Z/rQ0V/mW+DVvNPEw4odgfX596Ddmd8oV5zo5Mz8WIPUCmrVmfdoz+3YzVywEy8=,iv:npthfz4xcW6fF10RhHCF6uXH/6526l3gjZGRu+Xpylg=,tag:vsPsRZ7EIQ7FMvqJga3hhg==,type:str]
+                ADMIN_TOKEN: ENC[AES256_GCM,data:CAAalqRcu9vsM1bjC76enJCSX/tc7yOd48mxGV0d5rTFxQz08b4JVhKyMzl7BRog7+PMtJkkTnRIXZHgj31FqhRylmHyuAn3iPc=,iv:PpZvZMhOEt6ecdkBcvAOSz+eZktPAzaAlYNjBSgiN/w=,tag:apHKw66HG7TYnpBNVyM7xA==,type:str]
                 DATABASE_URL: null
-                SMTP_PASSWORD: ENC[AES256_GCM,data:quvcZQKauXeW+l8xkYgVBElBQveoRWKDBA==,iv:KpQH+Ef87jl/M9XpBtIKNhn7ATHoV+Jgjpzg2Li28Kg=,tag:jniePrO7UVp/cz/eIh19mg==,type:str]
+                SMTP_PASSWORD: ENC[AES256_GCM,data:g212PzN9/4hxBKMAWFNiR0qAnPPK/tkffg==,iv:1l6dikIQGSjznW9MsaCTdz0wLJmAhiL0ZOdN2J4Q0yA=,tag:tNbPdORUa6IBWgh0HHaNjA==,type:str]
 sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
     age:
         - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGNnFwbWFpTWgxRk45S240
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoLys3dkJDK2lrQ0d4ZlJi
-            cVI5ekJXdVIwaG5NcGRPa2xTN2pFV2tyN1JBClNVMGhNL2FaM2pCK0sxbjgyalJN
+            eFRTSmx1RUtZRnpxdkNvVFFCeXl6dDcvWXdvCitoNkcwVFFxRVJ6dkNUbGVPb1pU
-            MnpQeHBxY2RtWkI2c1htV3oyQmNnbVUKLS0tIGg4ZXNwaFRKNTlIRDluT3k0VDRD
+            b3E4ZjZibFF6QytNdUhXNDFLZXRpSEUKLS0tIHpZTmFXNnptVzJmZFhIU2haRWhR
-            Y3pIaEdFb1JwMnVrYnJ4UkpWMERmZFUKa45EvUqkvjaL85xh3gyxTeJ02IxPJf9a
+            UjNEN1BlREFVak1xdmQzaFY1dHVyM3cKuvMIrQUL1cuw3Odz/Cv+kZV9ZZzBozSW
-            TGjAvpjBrym9v++OrHn2otw1NOeZwSP1hmSCc+sa6/0yFqcU031xjQ==
+            XimhDSkxNrH5OsGC1Jxz/8JOv8abBs4NROzffVdyqtZZzXOLzw3mJQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-04-01T10:29:47Z"
+    lastmodified: "2025-03-02T08:58:16Z"
-    mac: ENC[AES256_GCM,data:VmYotoR4BJJv2mZ+kt+NNn+oXLKWHed0o/TkJO93/4eLUm8Wg9SPMA1ZYYe9YRfgbIhYxPlQbPPKQBv95XeOS1FFL24VyenTTP3TXWroeXxOWubko/Fp88U3glJXs5jfL5DLYKvGwTXG3tchFDwH9m6QOABX+aRxvNBEP5zXUxs=,iv:HMzuvl8YCPj9ZA5tKfExQfSbvwu4IEHz6sMLAe8g7vo=,tag:lI2fh1b7prHsBS8Snrbdtw==,type:str]
+    mac: ENC[AES256_GCM,data:px+D6tlAZU6GzlE8/jLc0BaPyRwsfE1jRROy2mX7bhFTIW3lZqt/zangO46fFH5hXZjY5wLNIktCDbawIbUFwAp0vrmXxctZoAftl9hpdtW6ann3yfyv3pdcs7/BKu3s5QUswx6D13iLU0dvzyG4vGcQNmKpxuPQYLuDp2o74hM=,iv:2Y+wsS7QcgQ/8umZ+a21QjU25Yq24Y7UWjXVy9Gmvoo=,tag:APVtby5NCOQxrPAjIbMJ+w==,type:str]
+    pgp: []
     unencrypted_suffix: _unencrypted
-    version: 3.10.0
+    version: 3.9.4

values/badhouseplants/platform/db-instances/secrets.yaml

@@ -1,29 +0,0 @@
-dbinstances:
-    postgres16:
-        secrets:
-            adminUser: ENC[AES256_GCM,data:uuu/xvwJkHk=,iv:Pk+i8bf7AeeG9wKVh1RDJy7Dt3r5b1UKy4SJijlZfq0=,tag:QO3gwYXAG0sBBuHcKfTNQg==,type:str]
-            adminPassword: ENC[AES256_GCM,data:tjWATjuJT+C97D4TLQgk55BZOwVv,iv:1MWYtksmrEBQtOdGvtc6MZyLP4yBKA88eIpQ4mZCULM=,tag:3hOlT5n2Wd81ebxeEgW5tw==,type:str]
-    postgres17:
-        secrets:
-            adminUser: ENC[AES256_GCM,data:4w2EItIM++Q=,iv:cQLryeBskm2Y9OlbMFgQEWEBi7z/VxucLWbwZXsRtto=,tag:Ir2Q7KZv/sSDdA1MX/Niqw==,type:str]
-            adminPassword: ENC[AES256_GCM,data:wHUL2p8CXYwoEFu3ffCCsQO9xn/GqOZ6JPrcHKzy,iv:khoogPPFHSd+4xyp+jf1w0RfOUgrKzAmFjLnisQ8HXU=,tag:GRnkCQ0uOlUt2AiEAceFRQ==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuL1lwdVNHMm9nZHRld2lO
-            Rm4xVnVHWG9hNDc1cUVyakxzUU1PcFJhalM4CkNicEdUV2lEYWMwaWNqeGcrQ2p1
-            Qmw1b1FzRllqYW85bjF0cmRGcW1MbjQKLS0tIENUcG1oOXFNV3REaFU0aUEyd2k4
-            RDgzRmlKT1ArblpOV1plcFpyMnJXZTQKgm8Eaw591+EHZWofXAADTXRHPOdOvdOM
-            jYne1szB/V9UJz+pmLa10tNgruga+P5yP/j+DGcYrTj0pVh5IJLjTA==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-10-30T19:59:46Z"
-    mac: ENC[AES256_GCM,data:3KrwiArDx/bPAHbFGgb9BdDVHC+uC1IHp4LZXlYRZzWSKtX1t+ODQVzUW97kigGFG1sx6WXddl/w3XeNOoT9JbS5iPXJQe6KAPleNV50S/oab+U53WeloO8uL68Wrk9v/NwMhCKwE9cCqBBhqk7wCb6N9ivt45mLrUf06L8fok0=,iv:bOWhyIm8FhKtZAZH/78bukkeDp5P4XShSD20mgr4Neo=,tag:RZMx9bi+ZEcLwTzk+Gm8RQ==,type:str]
-    pgp: []
-    unencrypted_suffix: _unencrypted
-    version: 3.9.1

values/badhouseplants/platform/db-instances/values.yaml

@@ -1,21 +0,0 @@
-dbinstances:
-  postgres16:
-    monitoring:
-      enabled: false
-    adminSecretRef:
-      Name: postgres16-secret
-      Namespace: databases
-    engine: postgres
-    generic:
-      host: postgres16-postgresql.databases.svc.cluster.local
-      port: 5432
-  postgres17:
-    monitoring:
-      enabled: false
-    adminSecretRef:
-      Name: postgres17-secret
-      Namespace: databases
-    engine: postgres
-    generic:
-      host: postgres17-postgresql.databases.svc.cluster.local
-      port: 5432

values/badhouseplants/platform/zot/values.yaml

@@ -1,27 +0,0 @@
-image:
-  repository: ghcr.io/project-zot/zot
-  tag: v2.1.3-rc4
-ingress:
-  enabled: true
-  className: traefik
-  annotations:
-    traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
-    kubernetes.io/tls-acme: "true"
-    kubernetes.io/ingress.allow-http: "false"
-    cert-manager.io/cluster-issuer: badhouseplants-issuer-http01
-  pathtype: Prefix
-  hosts:
-    - host: zot.badhouseplants.net
-      paths:
-        - path: /
-  tls:
-    - secretName: zot.badhouseplants.net
-      hosts:
-        - zot.badhouseplants.net
-service:
-  type: ClusterIP
-persistence: false
-pvc:
-  create: false
-mountConfig: true
-mountSecret: true

values/badhouseplants/secrets.renovate-github.yaml

@@ -1,17 +1,22 @@
 secrets:
-    RENOVATE_TOKEN: ENC[AES256_GCM,data:ohd4EhTlhRpQ+IXVf1Nb73+h0VHrMZduPhkbm53s3/+HRKUZd7JepA==,iv:qtbH0lz9Li+jjWcef6JGRpbcsOGlG+e3TNHDukAK2HE=,tag:KVmari0LUGHVb61VSFtgXw==,type:str]
+  RENOVATE_TOKEN: ENC[AES256_GCM,data:NwkAP50vrUc7dVB0wyWTgFDd+axltTqdyXuXFHHkmO2VF4QyV/svsw==,iv:kr53r5w7lVo9luC36mHghZ8fabo6/da8vLFEzhEOgDE=,tag:UnGnSXuvwlSzVuL6pEUXsw==,type:str]
 sops:
+  kms: []
+  gcp_kms: []
+  azure_kv: []
+  hc_vault: []
   age:
     - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
       enc: |
         -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4TGozODRjVzQvdzlvSE5s
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtZDVVZm1UallMRzJpRVF0
-            RTlReWNSWDlzUVVLVmZXV1c3dWVwUU9hbWw4CnJUL20yTFpHMUJFWTdYQ2JWUisx
+        b2dHaUJlQldOeHN5RVhydm5oaG52ZG95SVVzCkZ0enk4Mit4KzV6Z0ErTmxhU29W
-            Y0djU2FhaEtVSTlRWEY3Z0RnOUhVVjAKLS0tIEZEUjhqUTRtTEo0L3haWFlRT2JS
+        R0p6NVBiRjFSU0NWUjNKdGU2WXdrcFUKLS0tIHFURlFVLzJ5NkJVRVpCV2I5U2E4
-            QTFVWU5RSTBldzBjalg1TFBDY3hGUEEKCH1rY+tGtRNGMYrfSjqXbVsrPAleVHDO
+        dE1VWExmY0xEdVlrZW8wRzlPRkVrRzAKVZHyy3AGktGuv7KEQX/M0xjyU/7FpgSB
-            Altiz0ceC5ODo01zwBf63vDVqjZtbIQNZ8oQ8Pjlktp3jCpL7JNK9A==
+        OrWzXXds9h8PWC/19FU2puvdIER1G/2CajEq0PQmaC9YMvb8nLMv0w==
         -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-04-01T08:52:26Z"
+  lastmodified: "2024-10-14T08:08:22Z"
-    mac: ENC[AES256_GCM,data:6PyWgR3f7lnen5Jun04Tsw1P7rcAgTSuF+YEh0fq3r3xHvQYFGesfEO4PHLfCGYtjyyCeyzpwBUIoUHTmI5tRYjLwjwRiIu/GH75eSLOx0y0gYMl8JUeaPxSpPvElpii3XAm7vKEJhTR9QzNuzduf0Q1JdlR6TM68XM8g78zeSc=,iv:CqTrPYoLg4IgW5zTsIcmGQUg5RfK+IQmxeQIQbd6oqk=,tag:P8Je5EhAv5TqqT77nPwlHw==,type:str]
+  mac: ENC[AES256_GCM,data:5FV7wwVyhB1UQOLW+iYyeImXAPv3dtTlw3Qjg2rBVBmbC8vHNpXFWloBhFeTSN4VAEjxm5tqACdP3IfNkrVT1SnYeySh6Xl/sdcAuAIao7uMjLDT/MK02AcS55T9pt7h+H4nkdNatMAX7jLKbHJwNoAnL5a/FgX+gKizAg4PRHc=,iv:7HRq2xMClJXYF2S9SQeYLZwCn2EOEc4JkEFzgze2e20=,tag:Fb3fm+wlnywr0hBfw5xyQQ==,type:str]
+  pgp: []
   unencrypted_suffix: _unencrypted
-    version: 3.10.1
+  version: 3.9.1

values/badhouseplants/secrets.velero.yaml

@@ -0,0 +1,26 @@
+credentials:
+    useSecret: ENC[AES256_GCM,data:7gOgTQ==,iv:Wiutik5u1CZ3jkI5lL4JLwvKDQrjNPSfmnyet7SBVzo=,tag:SYm+fm393zhqNMKejQfYKw==,type:bool]
+    name: ENC[AES256_GCM,data:NKs3qbFPKGIhXI7lzGTq,iv:MWumBc7eHro/P1oLZxQArvfoWmdJN+S0d/Qxb+ohI9E=,tag:pxJQzB82Us+UflGc271wGg==,type:str]
+    secretContents:
+        hetzner: ENC[AES256_GCM,data:tlumlKIfwugQj5Dj8Lu9HuEcKRv8v/JhTTz4oOvRavxmeBIGElfn/MyWbK68pagfDatyKsrYjqPTutYykJWVOWdHFOCIXunnI8vkDbzpxAH0BqyZQrek3s4mkTOPJkjfW6V1MNr5AvWMYLwptcIp2Q==,iv:E3jBlMgIXzuLCNVxEBlTiiVpLCdEolJuv96bSYamwLI=,tag:4zkhZUu+on0K1zF4/8tiWQ==,type:str]
+        etersoft: ENC[AES256_GCM,data:/kQ9eCnHIfDSzHxy2tbVgwe7C0cF+l5LaKCgksodxUJgxTQs2pJHyx4cluoW62RwOQKHxMCy3IaqphD2zZOIVKbR0q3xVmBoxcBxrKE5UIlSxbQ=,iv:YcJF8OMiFMz147c8lXVU+ccjq1okYnHiwUvJLmJHi20=,tag:hnwtfAkBCpZUy4TEGtMOOw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiaW9NQVR6OGtLV3ZqMThn
+            bWsrcGZKNVk1cXB2aDc5RnRNbTMwZVoyRERVCnEyQ2tFSlZmTnhRdGQxNW1BVGNs
+            QzBjM2tXWnhQYTBaR1pUZnUzMWpYTmMKLS0tIGQ1emdDNlVGdzNWRlRQcU5xSWxB
+            bWdPdVF3RjU0Z0RQWXZWVUVocVBTeWsKogQ3kmwrShfBOwMC+JHNiavRHryv+WNY
+            dkUkONkUH5HEWN/6M7bsMMqjkH0D/upD5UXOXr4fiibcM/w+XI/BpA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-12-16T14:51:45Z"
+    mac: ENC[AES256_GCM,data:65vGxoFLwH9WpxvqKYi1FEb8DhRWpq4K5cTjfqQEXDxbzKDk/RjTtHpFZ2iLnAOcL2ECvL+JU9yPeM7fS06nTW/TC/oP3yNGfyJp84IWNzrBVBE8HCTaXthxcRSIbGwvdCihViT4gZU7VkMaDt1WnEesjq/KQqcK/TSpCxhSyjI=,iv:HPfV3MRyeilrAFprdsLT6H//V74YzRiGM8O7TmU/g5c=,tag:tQHA6JW5ELAUXzIlJdLYFA==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.2

values/badhouseplants/values.authentik.yaml

@@ -14,10 +14,10 @@ ext-database:
     database: "{{ .Database }}"
 authentik:
   email:
-    host: stalwart.badhouseplants.net
+    host: email.badhouseplants.net
     port: 587
     username: bot@badhouseplants.net
-    use_tls: true
+    use_tls: false
     use_ssl: false
     timeout: 30
     from: bot@badhouseplants.net
@@ -26,6 +26,7 @@ authentik:
     user: file:///postgres-creds/username
     password: file:///postgres-creds/password
     name: file:///postgres-creds/database
+  secret_key: "2Scv6ivCfV6uGRTx9Kg5CYJ2KjBRHpR8GqSBearnBYvBFZBwR7"
   # This sends anonymous usage-data, stack traces on errors and
   # performance data to authentik.error-reporting.a7k.io, and is fully opt-in
   error_reporting:

values/badhouseplants/values.gitea.yaml

@@ -40,11 +40,11 @@ replicaCount: 1
 clusterDomain: cluster.local
 resources:
   limits:
-    memory: 1.5Gi
+    memory: 1024Mi
     cpu: 1
   requests:
     cpu: 1
-    memory: 1.5Gi
+    memory: 1024Mi
 persistence:
   enabled: true
   size: 15Gi
@@ -57,7 +57,8 @@ gitea:
   metrics:
     enabled: true
     serviceMonitor:
-      enabled: true
+      # -- TODO(@allanger): Enable it once prometheus is configured
+      enabled: false
   config:
     database:
       DB_TYPE: postgres
@@ -81,7 +82,6 @@ gitea:
       LFS_START_SERVER: true
       LANDING_PAGE: explore
       START_SSH_SERVER: true
-      ENABLE_PPROF: true
     storage:
       STORAGE_TYPE: minio
       MINIO_ENDPOINT: "s3.badhouseplants.net:443"

values/badhouseplants/values.istiod.yaml

@@ -0,0 +1,13 @@
+pilot:
+  resources:
+    requests:
+      cpu: 50m
+      memory: 2048Mi
+global:
+  proxy:
+    resources:
+      requests:
+        cpu: 20m
+        memory: 128Mi
+      limits:
+        memory: 128Mi

values/badhouseplants/values.memos.yaml

@@ -2,30 +2,21 @@ shortcuts:
   hostname: notes.badhouseplants.net
 ext-database:
   enabled: true
-  name: memos-postgres16
+  name: memos-postgres17
-  instance: postgres16
+  instance: postgres17
   credentials:
     MEMOS_DRIVER: postgres
     MEMOS_DSN: "{{ .Protocol }}://{{ .Username }}:{{ .Password }}@{{ .Hostname }}:{{ .Port }}/{{ .Database }}?sslmode=disable"
-base:
+
-  workload:
+workload:
   containers:
     memos:
       envFrom:
-          main: {}
+        - main
-          raw:
         - secretRef:
             name: memos-postgres16-creds
-
-storage:
-  data:
-    metadata:
-      annotations:
-        volume.kubernetes.io/selected-node: bordeaux
-    storageClassName: openebs-hostpath
 ingress:
   main:
-    metadata:
     annotations:
       kubernetes.io/ingress.class: traefik
       kubernetes.io/tls-acme: "true"

values/badhouseplants/values.minecraft.yaml

@@ -1,15 +1,33 @@
+service-account:
+  enabled: true
+  resources:
+    - name: minecraft-exporter
+      label:
+        app: minecraft-minecraft-metrics
+      endpoints:
+        port: metrics
+traefik:
+  enabled: true
+  tcpRoutes:
+    - name: minecraft-tcp
+      entrypoint: minecraft
+      gateway: istio-system/badhouseplants-minecraft
+      match: HostSNI(`*`)
+      service: minecraft-minecraft
+      port: 25565
 # --------------------------------------------------
 # -- Main values
 # --------------------------------------------------
 image:
-  tag: java23-graalvm
+  #tag: java21-graalvm
+  tag: java21-jdk
   pullPolicy: Always
 resources:
   requests:
-    memory: 2.5Gi
+    memory: 3.5Gi
     cpu: 2.5
   limits:
-    memory: 2.5Gi
+    memory: 3.5Gi
 lifecycle:
   postStart:
     - bash
@@ -34,23 +52,32 @@ readinessProbe:
   successThreshold: 1
   timeoutSeconds: 20
 minecraftServer:
-  memory: 2000M
+  memory: 3000M
   jvmOpts: |
     -server
   jvmXXOpts: |
-    -Xms2000G -Xmx2500G -XX:+UseG1GC -XX:+UnlockExperimentalVMOptions -XX:G1NewSizePercent=20 -XX:G1ReservePercent=20 -XX:MaxGCPauseMillis=50 -XX:G1HeapRegionSize=32M
+    -Xms3000G -Xmx3500G -XX:+UseG1GC -XX:+UnlockExperimentalVMOptions -XX:G1NewSizePercent=20 -XX:G1ReservePercent=20 -XX:MaxGCPauseMillis=50 -XX:G1HeapRegionSize=32M
   overrideServerProperties: true
   eula: "TRUE"
   onlineMode: false
   difficulty: hard
   hardcore: true
-  version: "1.21.4"
+  version: "1.21.1"
   maxWorldSize: 90000
   type: "FABRIC"
   gameMode: survival
   pvp: true
   modUrls: []
   serviceType: NodePort
+  #- https://github.com/CaffeineMC/lithium-fabric/releases/download/mc1.20.1-0.11.2/lithium-fabric-mc1.20.1-0.11.2-api.jar
+  #- https://github.com/CaffeineMC/sodium-fabric/releases/download/mc1.20.1-0.5.11/sodium-fabric-0.5.11+mc1.20.1.jar
+  #- https://github.com/CaffeineMC/lithium-fabric/releases/download/mc1.20.1-0.11.2/lithium-fabric-mc1.20.1-0.11.2.jar
+  #pluginUrls:
+  #  - https://github.com/dmulloy2/ProtocolLib/releases/download/5.2.0/ProtocolLib.jar
+  #  - https://mediafilez.forgecdn.net/files/3789/833/GravityControl-2.0.0.jar
+  #  - https://mediafilez.forgecdn.net/files/3151/915/CrackShot.jar
+  #  - https://s3.badhouseplants.net/public-download/MechanicsCore-3.4.8.jar
+  #  - https://s3.badhouseplants.net/public-download/WeaponMechanics-3.4.9.jar
   rcon:
     enabled: true
     withGeneratedPassword: false
@@ -58,7 +85,7 @@ minecraftServer:
     serviceType: ClusterIP
   extraPorts:
     - name: metrics
-      containerPort: 19565
+      containerPort: 9225
       protocol: TCP
       service:
         enabled: true
@@ -66,11 +93,12 @@ minecraftServer:
         labels:
           exporter: minecraft
         type: ClusterIP
-        port: 19565
+        port: 9925
       ingress:
         enabled: false
 persistence:
   storageClass: openebs-hostpath
+  #storageClass: local-path
   dataDir:
     enabled: true
     Size: 9Gi
@@ -93,6 +121,35 @@ mcbackup:
   persistence:
     backupDir:
       enabled: false
+# ---------------------------------------------
+# -- Install Plugins
+# ---------------------------------------------
+initContainers:
+  - name: 0-download-mods
+    image: alpine/curl
+    command:
+      - curl
+      - -L
+      - "https://s3.badhouseplants.net/minecraft-mods/server_mods.tar"
+      - -o
+      - /download/server_mods.tar
+    volumeMounts:
+      - name: download
+        mountPath: /download
+        readOnly: false
+  - name: 1-copy-plugins-to-minecraft
+    image: ubuntu
+    command:
+      - sh
+      - -c
+      - cd /mods  && tar -xvf /download/server_mods.tar || true
+    volumeMounts:
+      - name: plugins
+        mountPath: /mods
+        readOnly: false
+      - name: download
+        mountPath: /download
+        readOnly: false
 extraVolumes:
   - volumeMounts:
       - name: plugins
@@ -105,36 +162,3 @@ extraVolumes:
       - name: download
         emptyDir:
           sizeLimit: 500Mi
-extraDeploy:
-  - |-
-      apiVersion: monitoring.coreos.com/v1
-      kind: ServiceMonitor
-      metadata:
-        name: minecraft
-      spec:
-        endpoints:
-        - interval: 30s
-          port: metrics
-          scrapeTimeout: 10s
-          path: '/'
-        namespaceSelector:
-          matchNames:
-          - games
-        selector:
-          matchLabels:
-            app.kubernetes.io/instance: minecraft
-  - |-
-      apiVersion: traefik.io/v1alpha1
-      kind: IngressRouteTCP
-      metadata:
-        name: minecraft-tcp
-      spec:
-        entryPoints:
-        - minecraft
-        routes:
-        - match: HostSNI(`*`)
-          services:
-          - name: minecraft
-            nativeLB: true
-            port: 25565
-

values/badhouseplants/values.minio.yaml

@@ -56,7 +56,7 @@ consoleService:
   port: '9001'
 resources:
   requests:
-    memory: 1Gi
+    memory: 2Gi
 buckets:
   - name: badhouseplants-net
     policy: download

values/badhouseplants/values.openebs.yaml

@@ -1,7 +1,6 @@
 localpv-provisioner:
   hostpathClass:
     isDefaultClass: true
-
 zfs-localpv:
   crds:
     zfsLocalPv:

values/badhouseplants/values.prometheus.yaml

@@ -1,3 +1,7 @@
+# ------------------------------------------
+# -- Istio extenstion. Just because I'm
+# --  not using ingress nginx
+# ------------------------------------------
 coreDns:
   enabled: false
 kubeEtcd:

values/badhouseplants/values.velero.yaml

@@ -1,3 +1,10 @@
+initContainers:
+  - name: velero-plugin-for-aws
+    image: velero/velero-plugin-for-aws:v1.11.0
+    imagePullPolicy: IfNotPresent
+    volumeMounts:
+      - mountPath: /target
+        name: plugins
 configuration:
   logLevel: error
   repositoryMaintenanceJob:
@@ -10,7 +17,7 @@ configuration:
   backupStorageLocation:
     - name: hetzner
       provider: aws
-      plugin: velero/velero-plugin-for-aws:v1.11.1
+      plugin: velero/velero-plugin-for-aws:v1.11.0
       bucket: badhouseplants-backups
       accessMode: ReadWrite
       credential:
@@ -22,10 +29,9 @@ configuration:
         s3Url: https://nbg1.your-objectstorage.com
         publicUrl: https://nbg1.your-objectstorage.com
         checksumAlgorithm: ""
-
     - name: etersoft
       provider: aws
-      plugin: velero/velero-plugin-for-aws:v1.11.1
+      plugin: velero/velero-plugin-for-aws:v1.11.0
       bucket: velero
       accessMode: ReadWrite
       credential:

values/badhouseplants/velero/velero/secrets.yaml

@@ -1,21 +0,0 @@
-credentials:
-    useSecret: ENC[AES256_GCM,data:JeoOyQ==,iv:fu/UL5pN+RfYRluV1ipqbJ7AMmb6mBzo9Cs8MEaH90g=,tag:SXueO8IzwQ12MjSQUx5K4A==,type:bool]
-    name: ENC[AES256_GCM,data:jHBOoXdfbcm9/tWworFG,iv:EZdqinT6tBFS2t7/l3bA2A5OspmmXVBhlM4ENIMlWeI=,tag:ltP1tFsWxRiQV8GgNe2RmA==,type:str]
-    secretContents:
-        hetzner: ENC[AES256_GCM,data:cLAnAdz3RlBE4YOVDIcQ+gjWxsA2jsNJgh2zkBV9LbPHU2eJDaLmQIzGov28vQK0tpdGBk8uncjg7eLVpqQFnn/+4mbMrCICLNqeNYJNG9sTRhBoA8EqODRQ7mJoHMdvSqk8dp+9nGXrgO/HCKZCbg==,iv:pEQbq9pqWcuUG3Jj93QNbD4N9a/NxLPc1XqmfYNdOoc=,tag:Ss8hyMYYm24UG2aVXw6MQQ==,type:str]
-        etersoft: ENC[AES256_GCM,data:f7opp9R8bLoOSqpzJdjUXiVHF0hxH3uE+fRQfgEA/G0wDrPio6SPNUG+ROeZCrLJgizFTR6x4/r/yTIglEeaa9aefF1OG9dEdlpko7AALnf3DYQ=,iv:NGXNl5BbQS5dgVn5wNqN7ba11AeDgHXPloYTBC95l2E=,tag:kA/7bvS9h20/a7se5e1zUg==,type:str]
-sops:
-    age:
-        - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2emd4d1gyWjlYL3dYRmw4
-            Y2J0UkJaMTR6b0NsNTVzcTBHMXJ3WnNRdWlJCnB0ZEJmclRzY0Y1WEsvQmRWYU9k
-            cDRtQ3J4azNBUnN5bVUvdm9EbEo1ZHcKLS0tIGN6L0VpTWlQNm1sVnA4UldBbk9C
-            Q1dWek5PVjNkZUdJYllJSTZhQ1p0QU0K4LFd1ITs38M101fqy6KZGZ43x4Ou3VtB
-            EN1uxBEt5AdfX4F+FbOnA5qAOUdRRN31TjIXs948E/1vgm8zRxSx1Q==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-04-02T21:11:55Z"
-    mac: ENC[AES256_GCM,data:ArJNDbctyrzJIVo9CojFPAKlhW9xCBYvfpA27iG2YGWYfCRQ0uAIVmUn0jVsbfYWdtQ5WZD7p05itXMobQMMlFlv3twi7B7taXYXQQzZghhOCVJBYo8I3gFl9wxVpKHNc+WxuerFCQUCOXyBMI9CLmXsKBwlciLl78OSU6SMe/s=,iv:wHFF4yhYLs6QjOcvcU4WDpNyjQZl0dI42mouVR/43Eo=,tag:notDIF/S/r7MlYogftz9aA==,type:str]
-    unencrypted_suffix: _unencrypted
-    version: 3.10.1

values/common/databases/postgres16/values.gotmpl

@@ -1,6 +0,0 @@
-global:
-  imageRegistry: {{ .Values.registry }}
-  imagePullSecrets:
-    - regcred
-  security:
-    allowInsecureImages: true

values/common/databases/postgres17/values.gotmpl

@@ -1,6 +0,0 @@
-global:
-  imageRegistry: {{ .Values.registry }}
-  imagePullSecrets:
-    - regcred
-  security:
-    allowInsecureImages: true

values/common/databases/redis/values.gotmpl

@@ -1,6 +0,0 @@
-global:
-  imageRegistry: {{ .Values.registry}}
-  imagePullSecrets:
-    - regcred
-  security:
-    allowInsecureImages: true

values/common/games/minecraft/values.gotmpl

@@ -1,33 +0,0 @@
-image:
-  repository: {{ .Values.registry }}/itzg/minecraft-server
-  pullSecret: regcred
-
-# ---------------------------------------------
-# -- Install Plugins
-# ---------------------------------------------
-initContainers:
-  - name: 0-download-mods
-    image: {{.Values.registry}}/alpine/curl
-    command:
-      - curl
-      - -L
-      - "https://s3.badhouseplants.net/minecraft-mods/server_mods.tar"
-      - -o
-      - /download/server_mods.tar
-    volumeMounts:
-      - name: download
-        mountPath: /download
-        readOnly: false
-  - name: 1-copy-plugins-to-minecraft
-    image: {{ .Values.registry }}/ubuntu
-    command:
-      - sh
-      - -c
-      - cd /mods  && tar -xvf /download/server_mods.tar || true
-    volumeMounts:
-      - name: plugins
-        mountPath: /mods
-        readOnly: false
-      - name: download
-        mountPath: /download
-        readOnly: false

values/common/istio-system/istio-base/values.yaml

@@ -1,3 +0,0 @@
-global:
-  imagePullSecrets:
-    - regcred

values/common/istio-system/istiod/values.gotmpl

@@ -1,16 +0,0 @@
-pilot:
-  resources:
-    requests:
-      cpu: 50m
-      memory: 256Mi
-global:
- hub: {{ .Values.registry }}/istio
- imagePullSecrets:
-   - regcred
- proxy:
-   resources:
-     requests:
-       cpu: 20m
-       memory: 54Mi
-     limits:
-       memory: 54Mi

values/common/kube-system/cert-manager/values.gotmpl

@@ -3,17 +3,22 @@ global:
   imagePullSecrets:
     - name: regcred
 image:
-  repository: {{ .Values.registry }}/jetstack/cert-manager-controller
+  repository: {{ .Values.registry }}/quay/jetstack/cert-manager-controller
+  pullPolicy: Always
 cainjector:
   image:
-    repository: {{ .Values.registry }}/jetstack/cert-manager-cainjector
+    repository: {{ .Values.registry }}/quay/jetstack/cert-manager-cainjector
+    pullPolicy: Always
 webhook:
   image:
-    repository: {{ .Values.registry }}/jetstack/cert-manager-webhook
+    repository: {{ .Values.registry }}/quay/jetstack/cert-manager-webhook
+    pullPolicy: Always
 acmesolver:
   image:
-    repository: {{ .Values.registry }}/jetstack/cert-manager-acmesolver
+    repository: {{ .Values.registry }}/quay/jetstack/cert-manager-acmesolver
+    pullPolicy: Always
 startupapicheck:
   image:
-    repository: {{ .Values.registry }}/jetstack/cert-manager-startupapicheck
+    repository: {{ .Values.registry }}/quay/jetstack/cert-manager-startupapicheck
+    pullPolicy: Always
 {{- end }}

values/common/kube-system/cilium/values.gotmpl

@@ -2,15 +2,15 @@
 imagePullSecrets:
   - name: regcred
 image:
-  repository: {{ .Values.registry }}/cilium/cilium
+  repository: {{ .Values.registry }}/quay/cilium/cilium
   useDigest: false
 envoy:
   image:
-    repository: {{ .Values.registry }}/cilium/cilium-envoy
+    repository: {{ .Values.registry }}/quay/cilium/cilium-envoy
     useDigest: false
 operator:
   image:
-    repository: {{ .Values.registry }}/cilium/operator
+    repository: {{ .Values.registry }}/quay/cilium/operator
     useDigest: false
 hubble:
   tls:

values/common/kube-system/coredns/values.gotmpl

@@ -1,6 +1,6 @@
 {{- if not (env "HELMFILE_BOOTSTRAP") }}
 image:
-  repository: {{ .Values.registry }}/coredns/coredns
+  repository: {{ .Values.registry }}/dockerhub/coredns/coredns
   pullSecrets:
     - name: regcred
 {{- end }}

values/common/kube-system/local-path-provisioner/values.gotmpl

@@ -1,17 +0,0 @@
-{{- if not (env "HELMFILE_BOOTSTRAP") }}
-image:
-  repository: {{ .Values.registry }}/rancher/local-path-provisioner
-
-helperImage:
-  repository: {{ .Values.registry }}/library/busybox
-
-imagePullSecrets:
-  - name: regcred
-{{- end }}
-
-storageClass:
-  create: true
-  defaultClass: true
-  defaultVolumeType: local
-  reclaimPolicy: Delete
-  volumeBindingMode: Immediate

values/common/kube-system/metallb-resources/values.gotmpl

@@ -1 +0,0 @@
-addresses: "{{ .Values.main_ip }}-{{ .Values.main_ip }}"

values/common/kube-system/metallb/values.gotmpl

@@ -1,15 +1,13 @@
-{{- if not (env "HELMFILE_BOOTSTRAP") }}
 imagePullSecrets:
   - name: regcred
 
 controller:
   image:
-    repository: {{ .Values.registry }}/metallb/controller
+    repository: {{ .Values.registry }}/quay/metallb/controller
 
 speaker:
   image:
-    repository: {{ .Values.registry }}/metallb/speaker
+    repository: {{ .Values.registry }}/quay/metallb/speaker
   frr:
     image:
-      repository: {{ .Values.registry }}/frrouting/frr
+      repository: {{ .Values.registry }}/quay/frrouting/frr
-{{- end }}

values/common/kube-system/metallb/values.yaml

@@ -3,20 +3,17 @@ controller:
   logLevel: warn
   strategy:
     type: RollingUpdate
-
   securityContext:
     runAsNonRoot: true
     # nobody
     runAsUser: 65534
     fsGroup: 65534
-
   resources:
     requests:
       cpu: 20m
-      memory: 150Mi
+      memory: 100Mi
     limits:
-      memory: 150Mi
+      memory: 100Mi
-
   livenessProbe:
     enabled: true
     failureThreshold: 3
@@ -40,9 +37,9 @@ speaker:
   resources:
     requests:
       cpu: 30m
-      memory: 350Mi
+      memory: 300Mi
     limits:
-      memory: 350Mi
+      memory: 300Mi
   livenessProbe:
     enabled: true
     failureThreshold: 3

values/common/kube-system/metrics-server/values.gotmpl

@@ -1,5 +1,5 @@
 image:
-  repository: {{ .Values.registry }}/metrics-server/metrics-server
+  repository: {{ .Values.registry }}/k8s/metrics-server/metrics-server
 imagePullSecrets:
   - name: regcred
 apiService:

values/common/kube-system/openebs/values.gotmpl

@@ -1,6 +0,0 @@
-global:
-  imageRegistry: {{ .Values.registry }}
-
-localpv-provisioner:
-  imagePullSecrets:
-    - name: regcred

values/common/kube-system/traefik/values.gotmpl

@@ -1,8 +0,0 @@
-{{- if not (env "HELMFILE_BOOTSTRAP") }}
-deployment:
-  imagePullSecrets:
-    - name: regcred
-
-image:
-  registry: {{ .Values.registry }}/library
-{{- end }}

values/common/kyverno/kyverno/values.gotmpl

@@ -1,7 +0,0 @@
-{{- if not (env "HELMFILE_BOOTSTRAP") }}
-global:
-  image:
-    registry: {{ .Values.registry }}
-  imagePullSecrets:
-    - name: regcred
-{{- end }}

values/common/platform/authentik/values.gotmpl

@@ -1,12 +0,0 @@
-global:
-  image:
-    repository: {{ .Values.registry }}/goauthentik/server
-  imagePullSecrets:
-    - name: regcred
-redis:
-  global:
-    imageRegistry: {{ .Values.registry}}
-    imagePullSecrets:
-      - regcred
-    security:
-      allowInsecureImages: true

values/common/platform/db-operator/values.gotmpl

@@ -1,4 +0,0 @@
-image:
-  repository: {{ .Values.registry }}/db-operator/db-operator
-imagePullSecrets:
-  - name: regcred

values/common/platform/external-dns/values.gotmpl

@@ -1,7 +0,0 @@
-
-global:
-  imagePullSecrets:
-    - name: regcred
-
-image:
-  repository: {{ .Values.registry}}/external-dns/external-dns