chore(deps): update postgresql docker tag to v16.6.2

.sops.yaml

@@ -8,3 +8,7 @@ creation_rules:
     key_groups:
       - age:
           - age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
+  - path_regex: common/values/secrets.*
+    key_groups:
+      - age:
+          - age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8

charts/metallb-resources/Chart.yaml

@@ -0,0 +1,24 @@
+apiVersion: v2
+name: metallb-resources
+description: A Helm chart for Kubernetes
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "1.16.0"

charts/metallb-resources/templates/_helpers.tpl

@@ -1,7 +1,7 @@
 {{/*
 Expand the name of the chart.
 */}}
-{{- define "root.name" -}}
+{{- define "metallb-resources.name" -}}
 {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
 {{- end }}
 
@@ -10,7 +10,7 @@ Create a default fully qualified app name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
 If release name contains chart name it will be used as a full name.
 */}}
-{{- define "root.fullname" -}}
+{{- define "metallb-resources.fullname" -}}
 {{- if .Values.fullnameOverride }}
 {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
 {{- else }}
@@ -26,16 +26,16 @@ If release name contains chart name it will be used as a full name.
 {{/*
 Create chart name and version as used by the chart label.
 */}}
-{{- define "root.chart" -}}
+{{- define "metallb-resources.chart" -}}
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
 {{- end }}
 
 {{/*
 Common labels
 */}}
-{{- define "root.labels" -}}
+{{- define "metallb-resources.labels" -}}
-helm.sh/chart: {{ include "root.chart" . }}
+helm.sh/chart: {{ include "metallb-resources.chart" . }}
-{{ include "root.selectorLabels" . }}
+{{ include "metallb-resources.selectorLabels" . }}
 {{- if .Chart.AppVersion }}
 app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 {{- end }}
@@ -45,17 +45,17 @@ app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{/*
 Selector labels
 */}}
-{{- define "root.selectorLabels" -}}
+{{- define "metallb-resources.selectorLabels" -}}
-app.kubernetes.io/name: {{ include "root.name" . }}
+app.kubernetes.io/name: {{ include "metallb-resources.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
 
 {{/*
 Create the name of the service account to use
 */}}
-{{- define "root.serviceAccountName" -}}
+{{- define "metallb-resources.serviceAccountName" -}}
 {{- if .Values.serviceAccount.create }}
-{{- default (include "root.fullname" .) .Values.serviceAccount.name }}
+{{- default (include "metallb-resources.fullname" .) .Values.serviceAccount.name }}
 {{- else }}
 {{- default "default" .Values.serviceAccount.name }}
 {{- end }}

charts/metallb-resources/templates/ip_address_pool.tpl

@@ -0,0 +1,7 @@
+apiVersion: metallb.io/v1beta1
+kind: IPAddressPool
+metadata:
+  name: {{ include "metallb-resources.fullname" . }}
+spec:
+  addresses:
+  - {{ .Values.addresses}}

charts/metallb-resources/values.yaml

@@ -0,0 +1 @@
+addresses: 1.1.1.1-1.1.1.1

charts/namespaces/kustomize/flux-system.yml

@@ -1,6 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: flux-system
-  labels:
-    name: flux-system

charts/namespaces/kustomize/giantswarm-flux.yml

@@ -1,6 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: giantswarm-flux
-  labels:
-    name: giantswarm-flux

charts/namespaces/kustomize/giantswarm.yml

@@ -1,6 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: giantswarm
-  labels:
-    name: giantswarm

charts/namespaces/kustomize/kustomization.yaml

@@ -1,5 +0,0 @@
-resources:
-  - ./giantswarm-flux.yml
-  - ./giantswarm.yml
-  - ./monitoring.yml
-  - ./org-giantswarm.yml

charts/namespaces/kustomize/monitoring.yml

@@ -1,6 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: monitoring
-  labels:
-    name: monitoring

charts/namespaces/kustomize/org-giantswarm.yml

@@ -1,6 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: org-giantswarm
-  labels:
-    name: org-giantswarm

charts/namespaces/templates/namespaces.yaml

@@ -25,6 +25,14 @@ metadata:
   namespace: {{ $ns.name }}
 data:
   .dockerconfigjson: {{ $.Values.defaultRegcred }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: default
+  namespace: {{ $ns.name }}
+imagePullSecrets:
+  - name: regcred
 {{- end }}
 {{- end }}
 {{- end }}

charts/root/Chart.yaml

@@ -1,6 +0,0 @@
-apiVersion: v2
-name: root
-description: A Helm chart for Kubernetes
-type: application
-version: 0.1.5
-appVersion: "1.16.0"

charts/root/templates/root.yaml

@@ -1,25 +0,0 @@
-{{ if .Capabilities.APIVersions.Has "source.toolkit.fluxcd.io/v1" }}
-apiVersion: source.toolkit.fluxcd.io/v1
-kind: GitRepository
-metadata:
-  name: root
-spec:
-  interval: 30s
-  url: {{ .Values.url }}
-  ref:
-    branch: {{ .Values.branch }}
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: root
-spec:
-  interval: 30s
-  targetNamespace: flux-system
-  sourceRef:
-    kind: GitRepository
-    name: root
-  path: "."
-  prune: false
-  timeout: 1m
-{{- end }}

charts/root/templates/self.yaml

@@ -1,25 +0,0 @@
-{{ if .Capabilities.APIVersions.Has "source.toolkit.fluxcd.io/v1" }}
-apiVersion: source.toolkit.fluxcd.io/v1
-kind: GitRepository
-metadata:
-  name: root-self
-spec:
-  interval: 30s
-  url: {{ .Values.self.url }}
-  ref:
-    branch: {{ .Values.self.branch }}
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: root-self
-spec:
-  interval: 30s
-  targetNamespace: flux-system
-  sourceRef:
-    kind: GitRepository
-    name: root-self
-  path: "."
-  prune: false
-  timeout: 1m
-{{- end }}

charts/root/values.yaml

@@ -1,5 +0,0 @@
-url: https://git.badhouseplants.net/giantswarm/cluster-example.git
-branch: main
-self:
-  url: git@git.badhouseplants.net:giantswarm/root-config.git
-  branch: master

charts/tf-ocloud/.helmignore

@@ -1,23 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*.orig
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/

charts/tf-ocloud/Chart.lock

@@ -1,6 +0,0 @@
-dependencies:
-- name: helm-library
-  repository: oci://ghcr.io/allanger/allangers-helm-library
-  version: 0.1.4
-digest: sha256:6306a6a8d3c51b2b5f37cffa88c3731550da789d1ce2317a83a3f9a657310f8e
-generated: "2024-10-16T20:01:59.337767+02:00"

charts/tf-ocloud/Chart.yaml

@@ -1,15 +0,0 @@
-apiVersion: v2
-name: tf-ocloud
-type: application
-version: 0.1.0
-appVersion: 0.1.5
-maintainers:
-  - name: allanger
-    email: allanger@zohomail.com
-    url: https://badhouseplants.net
-dependencies:
-  - name: helm-library
-    version: 0.2.3
-    repository: oci://ghcr.io/allanger/allangers-helm-library
-annotations:
-  allowed_workload_kinds: "Deployment"

charts/tf-ocloud/templates/install.yaml

@@ -1,3 +0,0 @@
-{{ include "lib.component.workload" . }}
-{{ include "lib.component.files" . }}
-{{ include "lib.component.env" . }}

charts/tf-ocloud/values.yaml

@@ -1,67 +0,0 @@
----
-workload:
-  kind: Deployment
-  strategy:
-    type: RollingUpdate
-  securityContext: {}
-  containers:
-    tf:
-      securityContext: {}
-      image:
-        registry: zot.badhouseplants.net
-        repository: badhouseplants/terraform-ocloud
-        tag: 7eae6ec805bc99618a196abf9d4d2e0fd19f75e6
-        pullPolicy: Always
-      envFrom:
-        - main
-      mounts:
-        files:
-          ocloudkey:
-            path: /src/key.pem
-            subPath: key.pem
-          publickey:
-            path: /src/public_key
-            subPath: public-key
-          privatekey:
-            path: /src/ssh_key
-            subPath: ssh-key
-          tfvars:
-            path: /src/terraform.tfvars
-            subPath: terraform.tfvars
-        extraVolumes:
-          dottf:
-            path: /src/.terraform
-
-extraVolumes:
-  dottf:
-    emptyDir: {}
-
-files:
-  ocloudkey:
-    enabled: true
-    sensitive: false
-    remove: []
-    entries:
-      key.pem:
-        data: dummy
-  publickey:
-    enabled: true
-    sensitive: false
-    remove: []
-    entries:
-      public-key:
-        data: dummy
-  privatekey:
-    enabled: true
-    sensitive: false
-    remove: []
-    entries:
-      ssh-key:
-        data: dummy
-  tfvars:
-    enabled: true
-    sensitive: false
-    remove: []
-    entries:
-      terraform.tfvars:
-        data: dummy

common/templates.yaml

@@ -1,3 +1,6 @@
+helmDefaults:
+  kubeContext: {{ .StateValues.kubeContext }}
+
 templates:
   # ---------------------------
   # -- Hooks
@@ -39,19 +42,19 @@ templates:
       - '{{ requiredEnv "PWD" }}/values/{{ .Environment.Name }}/secrets.{{ `{{ .Release.Name }}` }}.yaml'
   common-values:
     values:
-      - '{{ requiredEnv "PWD" }}/values/common/{{ `{{ .Release.Namespace }}` }}/{{ `{{ .Release.Name }}` }}/values.yaml'
+      - '../values/common/{{ `{{ .Release.Namespace }}` }}/{{ `{{ .Release.Name }}` }}/values.yaml'
   common-values-tpl:
     values:
-      - '{{ requiredEnv "PWD" }}/values/common/{{ `{{ .Release.Namespace }}` }}/{{ `{{ .Release.Name }}` }}/values.gotmpl'
+      - '../values/common/{{ `{{ .Release.Namespace }}` }}/{{ `{{ .Release.Name }}` }}/values.gotmpl'
   env-values:
     values:
-      - '{{ requiredEnv "PWD" }}/values/{{ .Environment.Name }}/{{ `{{ .Release.Namespace }}` }}/{{ `{{ .Release.Name }}` }}/values.yaml'
+      - '../values/{{ .Environment.Name }}/{{ `{{ .Release.Namespace }}` }}/{{ `{{ .Release.Name }}` }}/values.yaml'
   env-values-tpl:
     values:
-      - '{{ requiredEnv "PWD" }}/values/{{ .Environment.Name }}/{{ `{{ .Release.Namespace }}` }}/{{ `{{ .Release.Name }}` }}/values.gotmpl'
+      - '../values/{{ .Environment.Name }}/{{ `{{ .Release.Namespace }}` }}/{{ `{{ .Release.Name }}` }}/values.gotmpl'
   env-secrets:
     secrets:
-      - '{{ requiredEnv "PWD" }}/values/{{ .Environment.Name }}/{{ `{{ .Release.Namespace }}` }}/{{ `{{ .Release.Name }}` }}/secrets.yaml'
+      - '../values/{{ .Environment.Name }}/{{ `{{ .Release.Namespace }}` }}/{{ `{{ .Release.Name }}` }}/secrets.yaml'
   # ----------------------------
   # -- Extensions
   # ----------------------------
@@ -68,7 +71,7 @@ templates:
         version: 2.0.0
         alias: traefik
     values:
-      - '{{ requiredEnv "PWD" }}/values/common/values.tcp-route.yaml'
+      - '../values/common/values.tcp-route.yaml'
   ext-udp-routes:
     dependencies:
       - chart: bedag/raw
@@ -125,7 +128,7 @@ templates:
         version: 2.0.0
         alias: ext-database
     values:
-      - '{{ requiredEnv "PWD" }}/values/common/values.database.yaml'
+      - '../values/common/values.database.yaml'
   ext-secret:
     dependencies:
       - chart: bedag/raw

common/values/values.badhouseplants.yaml

@@ -1 +1,6 @@
-registry: registry.badhouseplants.net
+registry: registry.badhouseplants.net/containers
+registry_url: registry.badhouseplants.net
+main_ip: 195.201.249.91
+tools:
+  openebs:
+    enabled: true

common/values/values.etersoft.yaml

@@ -1 +1,6 @@
-registry: registry.ru.badhouseplants.net
+registry: registry.ru.badhouseplants.net/containers
+registry_url: registry.ru.badhouseplants.net
+main_ip: 91.232.225.63
+tools:
+  openebs:
+    enabled: false

helmfile.yaml

@@ -1,5 +0,0 @@
-bases:
-  - ./common/environments.yaml
-  - ./common/templates.yaml
-  - ./helmfiles/base.yaml
-  - ./helmfiles/system.yaml

helmfile.yaml.gotmpl

@@ -0,0 +1,26 @@
+---
+bases:
+  - ./common/environments.yaml
+
+---
+helmfiles:
+  - path: ./helmfiles/base.yaml
+    values:
+      - kubeContext: "{{ .Environment.KubeContext }}"
+      - {{ toYaml .Environment.Values | nindent 8 }}
+  - path: ./helmfiles/system.yaml
+    values:
+      - kubeContext: "{{ .Environment.KubeContext }}"
+      - {{ toYaml .Environment.Values | nindent 8 }}
+  - path: ./helmfiles/platform.yaml
+    values:
+      - kubeContext: "{{ .Environment.KubeContext }}"
+      - {{ toYaml .Environment.Values | nindent 8 }}
+  - path: ./helmfiles/databases.yaml
+    values:
+      - kubeContext: "{{ .Environment.KubeContext }}"
+      - {{ toYaml .Environment.Values | nindent 8 }}
+  - path: ./helmfiles/applications.yaml
+    values:
+      - kubeContext: "{{ .Environment.KubeContext }}"
+      - {{ toYaml .Environment.Values | nindent 8 }}

helmfiles/applications.yaml

@@ -0,0 +1,28 @@
+bases:
+  - ../common/templates.yaml
+
+repositories:
+  - name: gitea
+    url: https://dl.gitea.io/charts/
+  - name: bedag
+    url: https://bedag.github.io/helm-charts/
+  - name: minecraft
+    url: https://itzg.github.io/minecraft-server-charts/
+
+releases:
+  - name: app-gitea
+    chart: gitea/gitea
+    version: 11.0.0
+    namespace: org-badhouseplants
+    inherit:
+      - template: env-values
+      - template: env-secrets
+
+  - name: minecraft
+    chart: minecraft/minecraft
+    namespace: games
+    version: 4.26.1
+    inherit:
+      - template: common-values-tpl
+      - template: env-values
+      - template: env-secrets

helmfiles/base.yaml

@@ -1,7 +1,10 @@
+bases:
+  - ../common/templates.yaml
+
 releases:
   # -- This one must be executed with --take-ownership at least once
   - name: namespaces
-    chart: ./charts/namespaces/chart
+    chart: ../charts/namespaces
     namespace: kube-system
     createNamespace: false
     inherit:
@@ -9,7 +12,7 @@ releases:
       - template: env-secrets
 
   - name: roles
-    chart: ./charts/roles
+    chart: ../charts/roles
     namespace: kube-system
     createNamespace: false
     needs:

helmfiles/databases.yaml

@@ -1,12 +1,14 @@
 bases:
-  - ../../common/environments.yaml
+  - ../common/templates.yaml
-  - ../../common/templates.yaml
+
 repositories:
   - name: bitnami
     url: registry-1.docker.io/bitnamicharts
     oci: true
   - name: bedag
     url: https://bedag.github.io/helm-charts/
+commonLabels:
+  installation: databases
 releases:
   - name: redis
     chart: bitnami/redis
@@ -14,25 +16,30 @@ releases:
     condition: redis.enabled
     version: 20.11.3
     inherit:
-      - template: default-env-values
+      - template: common-values-tpl
-      - template: default-env-secrets
+      - template: env-values
+      - template: env-secrets
+
   - name: postgres16
     labels:
       bundle: postgres
     namespace: databases
     chart: bitnami/postgresql
     condition: postgres16.enabled
-    version: 15.5.38
+    version: 16.6.2
     inherit:
-      - template: default-env-values
+      - template: common-values-tpl
-      - template: default-env-secrets
+      - template: env-values
+      - template: env-secrets
+
   - name: postgres17
     labels:
       bundle: postgres
     namespace: databases
     chart: bitnami/postgresql
     condition: postgres17.enabled
-    version: 16.3.4
+    version: 16.6.2
     inherit:
-      - template: default-env-values
+      - template: common-values-tpl
-      - template: default-env-secrets
+      - template: env-values
+      - template: env-secrets

helmfiles/platform.yaml

@@ -1,36 +1,70 @@
 bases:
-  - ../../common/environments.yaml
+  - ../common/templates.yaml
-  - ../../common/templates.yaml
 
 repositories:
-  - name: argo
-    url: https://argoproj.github.io/argo-helm
-  - name: db-operator
-    url: https://db-operator.github.io/charts
-  - name: zot
-    url: https://zotregistry.dev/helm-charts/
-  - name: bedag
-    url: https://bedag.github.io/helm-charts/
-  - name: crossplane-stable
-    url: https://charts.crossplane.io/stable
-  - name: goauthentik
-    url: https://charts.goauthentik.io/
-  - name: minio-standalone
-    url: https://charts.min.io/
-  - name: kyverno
-    url: https://kyverno.github.io/kyverno/
-  - name: external-dns
-    url: https://kubernetes-sigs.github.io/external-dns/
   - name: keel
     url: https://keel-hq.github.io/keel/
   - name: uptime-kuma
     url: https://helm.irsigler.cloud
+  - name: external-dns
+    url: https://kubernetes-sigs.github.io/external-dns/
+  - name: minio-standalone
+    url: https://charts.min.io/
+  - name: db-operator
+    url: https://db-operator.github.io/charts
+  - name: zot
+    url: https://zotregistry.dev/helm-charts/
+  - name: goauthentik
+    url: https://charts.goauthentik.io/
 
 releases:
+  - name: external-dns
+    chart: external-dns/external-dns
+    labels:
+      layer: platform
+    version: 1.15.2
+    namespace: platform
+    inherit:
+      - template: common-values-tpl
+      - template: env-values
+      - template: env-secrets
+
+  - name: keel
+    chart: keel/keel
+    version: v1.0.5
+    labels:
+      layer: platform
+    namespace: platform
+    inherit:
+      - template: common-values-tpl
+
+  - name: uptime-kuma
+    chart: uptime-kuma/uptime-kuma
+    version: 2.21.2
+    namespace: platform
+    labels:
+      layer: platform
+    inherit:
+      - template: common-values-tpl
+      - template: env-values
+
+  - name: minio
+    chart: minio-standalone/minio
+    version: 5.4.0
+    namespace: platform
+    labels:
+      layer: platform
+    inherit:
+      - template: common-values-tpl
+      - template: env-values
+      - template: env-secrets
+
   - name: db-operator
     namespace: platform
     chart: db-operator/db-operator
     version: 1.34.0
+    inherit:
+      - template: common-values-tpl
 
   - name: db-instances
     chart: db-operator/db-instances
@@ -39,19 +73,18 @@ releases:
       - platform/db-operator
     version: 2.4.0
     inherit:
-      - template: default-env-values
+      - template: env-values
-      - template: default-env-secrets
+      - template: env-secrets
 
   - name: zot
     chart: zot/zot
     version: 0.1.67
-    createNamespace: false
-    installed: true
     namespace: platform
     condition: workload.enabled
     inherit:
-      - template: default-env-values
+      - template: common-values-tpl
-      - template: default-env-secrets
+      - template: env-values
+      - template: env-secrets
 
   - name: authentik
     chart: goauthentik/authentik
@@ -62,58 +95,7 @@ releases:
     needs:
       - platform/db-operator
     inherit:
-      - template: default-env-values
+      - template: common-values-tpl
-      - template: default-env-secrets
+      - template: env-values
+      - template: env-secrets
       - template: ext-database
-
-  - name: minio
-    chart: minio-standalone/minio
-    version: 5.4.0
-    namespace: platform
-    inherit:
-      - template: default-env-values
-      - template: default-env-secrets
-
-  - name: kyverno
-    chart: kyverno/kyverno
-    namespace: kyverno
-    labels:
-      bootstrap: true
-    version: 3.3.7
-
-  - name: kyverno-policies
-    chart: kyverno/kyverno-policies
-    namespace: kyverno
-    labels:
-      bootstrap: true
-    version: 3.3.4
-    needs:
-      - kyverno/kyverno
-
-  - name: custom-kyverno-policies
-    chart: "../../kustomizations/kyverno/{{ .Environment.Name }}"
-    namespace: kyverno
-    labels:
-      bootstrap: true
-    needs:
-      - kyverno/kyverno
-
-  - name: external-dns
-    chart: external-dns/external-dns
-    version: 1.15.2
-    namespace: platform
-    inherit:
-      - template: default-env-values
-      - template: default-env-secrets
-
-  - name: keel
-    chart: keel/keel
-    version: v1.0.5
-    namespace: platform
-
-  - name: uptime-kuma
-    chart: uptime-kuma/uptime-kuma
-    version: 2.21.2
-    namespace: platform
-    inherit:
-      - template: default-env-values

helmfiles/system.yaml

@@ -1,3 +1,6 @@
+bases:
+  - ../common/templates.yaml
+
 repositories:
   - name: coredns
     url: https://coredns.github.io/helm
@@ -11,6 +14,18 @@ repositories:
     url: https://charts.jetstack.io
   - name: metallb
     url: https://metallb.github.io/metallb
+  - name: traefik
+    url: https://traefik.github.io/charts
+  - name: local-path-provisioner
+    url: git+https://github.com/rancher/local-path-provisioner@deploy/chart?ref=master
+  - name: kyverno
+    url: https://kyverno.github.io/kyverno/
+  - name: vmware-tanzu
+    url: https://vmware-tanzu.github.io/helm-charts/
+  - name: openebs
+    url: https://openebs.github.io/openebs
+  - name: istio
+    url: https://istio-release.storage.googleapis.com/charts
 
 releases:
   - name: coredns
@@ -42,7 +57,7 @@ releases:
       - template: common-values-tpl
 
   - name: issuer
-    chart: ./charts/issuer
+    chart: ../charts/issuer
     namespace: kube-system
     missingFileHandler: Warn
     needs:
@@ -50,7 +65,66 @@ releases:
     inherit:
       - template: common-values
 
-  - name: zot
+  - name: local-path-provisioner
+    chart: local-path-provisioner/local-path-provisioner
+    namespace: kube-system
+    inherit:
+      - template: common-values-tpl
+
+  - name: kyverno
+    chart: kyverno/kyverno
+    namespace: kyverno
+    version: 3.3.7
+    needs:
+      - kube-system/cilium
+    inherit:
+      - template: common-values-tpl
+
+  - name: kyverno-policies
+    chart: kyverno/kyverno-policies
+    namespace: kyverno
+    version: 3.3.4
+    needs:
+      - kyverno/kyverno
+
+  - name: custom-kyverno-policies
+    chart: ../kustomizations/kyverno/{{ .Environment.Name }}
+    namespace: kyverno
+    needs:
+      - kyverno/kyverno
+
+  - name: metallb
+    chart: metallb/metallb
+    namespace: kube-system
+    condition: base.enabled
+    version: 0.14.9
+    needs:
+      - registry/cluster-mirror
+    inherit:
+      - template: common-values
+      - template: common-values-tpl
+
+  - name: metallb-resources
+    chart: ../charts/metallb-resources
+    version: 2.0.0
+    condition: base.enabled
+    namespace: kube-system
+    needs:
+      - kube-system/metallb
+    inherit:
+      - template: common-values-tpl
+
+  - name: traefik
+    chart: traefik/traefik
+    version: 34.4.1
+    condition: base.enabled
+    namespace: kube-system
+    inherit:
+      - template: common-values-tpl
+      - template: common-values
+      - template: env-values
+
+  - name: cluster-mirror
     chart: zot/zot
     version: 0.1.67
     createNamespace: false
@@ -67,17 +141,41 @@ releases:
     version: 3.12.2
     namespace: kube-system
     needs:
-      - registry/zot
+      - registry/cluster-mirror
     inherit:
       - template: common-values-tpl
 
-  - name: metallb
+  - name: openebs
-    chart: metallb/metallb
+    chart: openebs/openebs
+    condition: tools.openebs.enabled
     namespace: kube-system
-    condition: base.enabled
+    version: 4.2.0
-    version: 0.14.9
+    inherit:
-    needs:
+      - template: common-values-tpl
-      - registry/zot
+      - template: env-values
+
+  - name: velero
+    chart: vmware-tanzu/velero
+    namespace: velero
+    version: 8.7.0
+    condition: velero.enabled
+    inherit:
+      - template: common-values-tpl
+      - template: env-values
+      - template: env-secrets
+
+  - name: istio-base
+    chart: istio/base
+    namespace: istio-system
+    version: 1.25.1
     inherit:
       - template: common-values
+
+  - name: istiod
+    chart: istio/istiod
+    namespace: istio-system
+    version: 1.25.1
+    inherit:
       - template: common-values-tpl
+    needs:
+      - istio-system/istio-base

installations/applications/helmfile-badhouseplants.yaml

@@ -111,7 +111,7 @@ releases:
 
   - name: memos
     chart: allangers-charts/memos
-    version: 0.2.0
+    version: 0.3.0
     namespace: applications
     inherit:
       - template: default-env-values

installations/applications/helmfile-etersoft.yaml

@@ -27,6 +27,14 @@ releases:
       - template: default-env-values
       - template: default-env-secrets
 
+  - name: memos
+    chart: allangers-charts/memos
+    version: 0.3.0
+    namespace: applications
+    inherit:
+      - template: default-env-values
+
+
   - name: external-service-xray
     chart: ../../kustomizations/external-service-xray
     installed: true

installations/development/helmfile.yaml

@@ -1,9 +0,0 @@
-bases:
-  - ../../common/environments.yaml
-  - ../../common/templates.yaml
-repositories:
-  - name: argo
-    url: https://argoproj.github.io/argo-helm
-releases:
-  - name: badhouseplants
-    namespace: platform

installations/games/helmfile.yaml

@@ -13,16 +13,7 @@ releases:
   - name: minecraft
     chart: minecraft/minecraft
     namespace: games
-    version: 4.25.1
+    version: 4.26.1
-    inherit:
-      - template: ext-tcp-routes
-      - template: default-env-values
-      - template: default-env-secrets
-
-  - name: team-fortress-2
-    chart: allangers-charts/team-fortress-2
-    namespace: team-fortress-2
-    version: 0.1.2
     inherit:
       - template: ext-tcp-routes
       - template: default-env-values

installations/pipelines/helmfile.yaml

@@ -26,7 +26,7 @@ releases:
       - template: default-env-secrets
   - name: renovate-github
     chart: renovate/renovate
-    installed: false
+    installed: true
     namespace: pipelines
     version: 39.208.1
     inherit:

installations/system/helmfile.yaml

@@ -1,162 +0,0 @@
-bases:
-  - ../../common/environments.yaml
-  - ../../common/templates.yaml
-
-repositories:
-  - name: bedag
-    url: https://bedag.github.io/helm-charts/
-  - name: metrics-server
-    url: https://kubernetes-sigs.github.io/metrics-server/
-  - name: jetstack
-    url: https://charts.jetstack.io
-  - name: metallb
-    url: https://metallb.github.io/metallb
-  - name: traefik
-    url: https://traefik.github.io/charts
-  - name: coredns
-    url: https://coredns.github.io/helm
-  - name: cilium
-    url: https://helm.cilium.io/
-  - name: vmware-tanzu
-    url: https://vmware-tanzu.github.io/helm-charts/
-  - name: openebs
-    url: https://openebs.github.io/openebs
-  - name: local-path-provisioner
-    url: git+https://github.com/rancher/local-path-provisioner@deploy/chart?ref=master
-  - name: istio
-    url: https://istio-release.storage.googleapis.com/charts
-  - name: zot
-    url: https://zotregistry.dev/helm-charts/
-
-releases:
-  - name: cert-manager
-    chart: jetstack/cert-manager
-    version: v1.17.1
-    namespace: kube-system
-    condition: base.enabled
-    missingFileHandler: Warn
-    needs:
-      - kube-system/cilium
-    inherit:
-      - template: default-common-values
-      - template: default-env-values
-
-  - name: issuer
-    chart: '{{ requiredEnv "PWD" }}/charts/issuer'
-    namespace: kube-public
-    missingFileHandler: Warn
-    condition: base.enabled
-    needs:
-      - kube-system/cert-manager
-    inherit:
-      - template: default-common-values
-      - template: default-env-values
-
-  - name: metrics-server
-    chart: metrics-server/metrics-server
-    version: 3.12.2
-    namespace: kube-system
-    needs:
-      - kube-system/cilium
-    inherit:
-      - template: default-common-values
-
-  - name: metallb
-    chart: metallb/metallb
-    namespace: kube-system
-    condition: base.enabled
-    version: 0.14.9
-    needs:
-      - kube-system/cilium
-    inherit:
-      - template: default-common-values
-
-  - name: metallb-resources
-    chart: bedag/raw
-    version: 2.0.0
-    condition: base.enabled
-    namespace: kube-system
-    needs:
-      - kube-system/metallb
-    inherit:
-      - template: ext-metallb
-      - template: default-env-values
-
-  - name: traefik
-    chart: traefik/traefik
-    version: 34.4.1
-    condition: base.enabled
-    namespace: kube-system
-    needs:
-      - kube-system/cilium
-    inherit:
-      - template: default-common-values
-      - template: default-env-values
-
-  - name: velero
-    chart: vmware-tanzu/velero
-    namespace: velero
-    version: 8.5.0
-    condition: velero.enabled
-    needs:
-      - kube-system/cilium
-    inherit:
-      - template: default-env-values
-      - template: default-env-secrets
-      - template: crd-management-hook
-
-  - name: openebs
-    chart: openebs/openebs
-    condition: openebs.enabled
-    namespace: kube-system
-    version: 4.2.0
-    needs:
-      - kube-system/cilium
-    inherit:
-      - template: default-env-values
-
-  # -- Not versions since it's idnstalled from git
-  - name: local-path-provisioner
-    chart: local-path-provisioner/local-path-provisioner
-    condition: localpath.enabled
-    namespace: kube-system
-    needs:
-      - kube-system/cilium
-    inherit:
-      - template: default-env-values
-
-  - name: istio-base
-    chart: istio/base
-    condition: istio.enabled
-    namespace: istio-system
-    inherit:
-      - template: crd-management-hook
-
-  - name: istio-ingressgateway
-    chart: istio/gateway
-    condition: istio.enabled
-    installed: false
-    namespace: istio-system
-    needs:
-      - istio-system/istio-base
-    inherit:
-      - template: default-env-values
-
-  - name: istiod
-    chart: istio/istiod
-    condition: istio.enabled
-    namespace: istio-system
-    inherit:
-      - template: default-env-values
-    needs:
-      - istio-system/istio-base
-
-  - name: zot-mirror
-    chart: zot/zot
-    version: 0.1.67
-    createNamespace: false
-    installed: true
-    namespace: kube-system
-    inherit:
-      - template: default-env-values
-      - template: default-env-secrets

kustomizations/kyverno/badhouseplants/pvc-patch.yaml

@@ -4,6 +4,19 @@ metadata:
   name: replace-storage-class-by-openebs
 spec:
   rules:
+    - name: local-path-fix
+      match:
+        any:
+          - resources:
+              kinds:
+                - PersistentVolumeClaim
+              namespaces:
+                - registry
+      mutate:
+        patchStrategicMerge:
+          metadata:
+            annotations:
+              volume.kubernetes.io/selected-node: bordeaux
     - name: replace-storage-class
       match:
         any:
@@ -24,22 +37,22 @@ spec:
             storageClassName: openebs-hostpath
             accessModes:
               - ReadWriteOnce
-    - name: remove-unwanted-annotations
+    #- name: remove-unwanted-annotations
-      match:
+    #  match:
-        any:
+    #    any:
-          - resources:
+    #      - resources:
-              kinds:
+    #          kinds:
-                - PersistentVolumeClaim
+    #            - PersistentVolumeClaim
-              namespaces:
+    #          namespaces:
-                - games
+    #            - games
-      mutate:
+    #  mutate:
-        patchesJson6902: |-
+    #    patchesJson6902: |-
-          - path: "/metadata/annotations/volume.beta.kubernetes.io~1storage-class"
+    #      - path: "/metadata/annotations/volume.beta.kubernetes.io~1storage-class"
-            op: replace
+    #        op: replace
-            value: openebs-hostpath
+    #        value: openebs-hostpath
-          - path: "/metadata/annotations/volume.beta.kubernetes.io~1storage-provisioner"
+    #      - path: "/metadata/annotations/volume.beta.kubernetes.io~1storage-provisioner"
-            op: replace
+    #        op: replace
-            value: openebs.io/local
+    #        value: openebs.io/local
-          - path: "/metadata/annotations/volume.kubernetes.io~1storage-provisioner"
+    #      - path: "/metadata/annotations/volume.kubernetes.io~1storage-provisioner"
-            op: replace
+    #        op: replace
-            value: openebs.io/local
+    #        value: openebs.io/local

values/badhouseplants/games/minecraft/values.yaml

@@ -1,33 +1,15 @@
-service-account:
-  enabled: true
-  resources:
-    - name: minecraft-exporter
-      label:
-        app: minecraft-minecraft-metrics
-      endpoints:
-        port: metrics
-traefik:
-  enabled: true
-  tcpRoutes:
-    - name: minecraft-tcp
-      entrypoint: minecraft
-      gateway: istio-system/badhouseplants-minecraft
-      match: HostSNI(`*`)
-      service: minecraft-minecraft
-      port: 25565
 # --------------------------------------------------
 # -- Main values
 # --------------------------------------------------
 image:
-  #tag: java21-graalvm
+  tag: java23-graalvm
-  tag: java21-jdk
   pullPolicy: Always
 resources:
   requests:
-    memory: 3.5Gi
+    memory: 2.5Gi
     cpu: 2.5
   limits:
-    memory: 3.5Gi
+    memory: 2.5Gi
 lifecycle:
   postStart:
     - bash
@@ -52,32 +34,23 @@ readinessProbe:
   successThreshold: 1
   timeoutSeconds: 20
 minecraftServer:
-  memory: 3000M
+  memory: 2000M
   jvmOpts: |
     -server
   jvmXXOpts: |
-    -Xms3000G -Xmx3500G -XX:+UseG1GC -XX:+UnlockExperimentalVMOptions -XX:G1NewSizePercent=20 -XX:G1ReservePercent=20 -XX:MaxGCPauseMillis=50 -XX:G1HeapRegionSize=32M
+    -Xms2000G -Xmx2500G -XX:+UseG1GC -XX:+UnlockExperimentalVMOptions -XX:G1NewSizePercent=20 -XX:G1ReservePercent=20 -XX:MaxGCPauseMillis=50 -XX:G1HeapRegionSize=32M
   overrideServerProperties: true
   eula: "TRUE"
   onlineMode: false
   difficulty: hard
   hardcore: true
-  version: "1.21.1"
+  version: "1.21.4"
   maxWorldSize: 90000
   type: "FABRIC"
   gameMode: survival
   pvp: true
   modUrls: []
   serviceType: NodePort
-  #- https://github.com/CaffeineMC/lithium-fabric/releases/download/mc1.20.1-0.11.2/lithium-fabric-mc1.20.1-0.11.2-api.jar
-  #- https://github.com/CaffeineMC/sodium-fabric/releases/download/mc1.20.1-0.5.11/sodium-fabric-0.5.11+mc1.20.1.jar
-  #- https://github.com/CaffeineMC/lithium-fabric/releases/download/mc1.20.1-0.11.2/lithium-fabric-mc1.20.1-0.11.2.jar
-  #pluginUrls:
-  #  - https://github.com/dmulloy2/ProtocolLib/releases/download/5.2.0/ProtocolLib.jar
-  #  - https://mediafilez.forgecdn.net/files/3789/833/GravityControl-2.0.0.jar
-  #  - https://mediafilez.forgecdn.net/files/3151/915/CrackShot.jar
-  #  - https://s3.badhouseplants.net/public-download/MechanicsCore-3.4.8.jar
-  #  - https://s3.badhouseplants.net/public-download/WeaponMechanics-3.4.9.jar
   rcon:
     enabled: true
     withGeneratedPassword: false
@@ -85,7 +58,7 @@ minecraftServer:
     serviceType: ClusterIP
   extraPorts:
     - name: metrics
-      containerPort: 9225
+      containerPort: 19565
       protocol: TCP
       service:
         enabled: true
@@ -93,12 +66,11 @@ minecraftServer:
         labels:
           exporter: minecraft
         type: ClusterIP
-        port: 9925
+        port: 19565
       ingress:
         enabled: false
 persistence:
   storageClass: openebs-hostpath
-  #storageClass: local-path
   dataDir:
     enabled: true
     Size: 9Gi
@@ -121,35 +93,6 @@ mcbackup:
   persistence:
     backupDir:
       enabled: false
-# ---------------------------------------------
-# -- Install Plugins
-# ---------------------------------------------
-initContainers:
-  - name: 0-download-mods
-    image: alpine/curl
-    command:
-      - curl
-      - -L
-      - "https://s3.badhouseplants.net/minecraft-mods/server_mods.tar"
-      - -o
-      - /download/server_mods.tar
-    volumeMounts:
-      - name: download
-        mountPath: /download
-        readOnly: false
-  - name: 1-copy-plugins-to-minecraft
-    image: ubuntu
-    command:
-      - sh
-      - -c
-      - cd /mods  && tar -xvf /download/server_mods.tar || true
-    volumeMounts:
-      - name: plugins
-        mountPath: /mods
-        readOnly: false
-      - name: download
-        mountPath: /download
-        readOnly: false
 extraVolumes:
   - volumeMounts:
       - name: plugins
@@ -162,3 +105,36 @@ extraVolumes:
       - name: download
         emptyDir:
           sizeLimit: 500Mi
+extraDeploy:
+  - |-
+      apiVersion: monitoring.coreos.com/v1
+      kind: ServiceMonitor
+      metadata:
+        name: minecraft
+      spec:
+        endpoints:
+        - interval: 30s
+          port: metrics
+          scrapeTimeout: 10s
+          path: '/'
+        namespaceSelector:
+          matchNames:
+          - games
+        selector:
+          matchLabels:
+            app.kubernetes.io/instance: minecraft
+  - |-
+      apiVersion: traefik.io/v1alpha1
+      kind: IngressRouteTCP
+      metadata:
+        name: minecraft-tcp
+      spec:
+        entryPoints:
+        - minecraft
+        routes:
+        - match: HostSNI(`*`)
+          services:
+          - name: minecraft
+            nativeLB: true
+            port: 25565
+

values/badhouseplants/kube-system/namespaces/values.yaml

@@ -2,20 +2,36 @@ namespaces:
   - name: registry
   - name: kube-system
     defaultRegcred: true
+  - name: production
+    defaultRegcred: true
   - name: kyverno
+    defaultRegcred: true
   - name: velero
+    defaultRegcred: true
   - name: observability
+    defaultRegcred: true
   - name: databases
+    defaultRegcred: true
   - name: istio-system
+    defaultRegcred: true
   - name: applications
+    defaultRegcred: true
     labels:
-      istio-injection: disabled
+      istio-injection: enabled
   - name: platform
+    defaultRegcred: true
   - name: games
+    defaultRegcred: true
   - name: team-fortress-2
+    defaultRegcred: true
   - name: pipelines
+    defaultRegcred: true
   - name: public-xray
+    defaultRegcred: true
     labels:
       istio-injection: disabled
   - name: org-badhouseplants
+    defaultRegcred: true
   - name: org-allanger
+    labels:
+      istio-injection: enabled

values/badhouseplants/kube-system/openebs/values.yaml

@@ -1,6 +1,7 @@
 localpv-provisioner:
   hostpathClass:
     isDefaultClass: true
+
 zfs-localpv:
   crds:
     zfsLocalPv:

values/badhouseplants/kube-system/zot-mirror/secrets.yaml

@@ -1,22 +0,0 @@
-authHeader: ENC[AES256_GCM,data:nmlP0vRoKJRivvwJArnEO26sqIwFtnK5MYVPJBBCmAGCPpe/U00gYu6JET0gPqGV,iv:+GZwWrxoWw0mAZxZdITBLtHgRKYIyaj/NQwHbD8KppA=,tag:MAer3FiaBxyNwJr0BbDtow==,type:str]
-_mirror_password: ENC[AES256_GCM,data:W2xy2RMmD4d6N+DNceIgtDGUpygOGEbWgGa9Icsy,iv:YsQfm/EmBYY35q2irlZ2rmzkbJzlFnfgMSEKq0G1I5o=,tag:7rNG02Wm9g8GUXeM4nTHqA==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPVUlyVFZWcWFuWnEyS2Nv
-            Tkx6aTZKY1czQ25RTHhKNWNNQ0xIaWJLb1VFCkdoT0RBTW9EWG8zbzYxekdsUEY2
-            bE9nQUthV3NCa0kzRnBwZ2U2MWlVNzAKLS0tIFY4RVJDM05ZVmR3NEt5YUlpOWZa
-            ZVc1bmJnU1o4U3NGaGN0Sk90YTR0ckkK8gmkHty4Gwt4vuVK3xhWWg4h/EgvJULh
-            Trgn0lzx2pCThg/+82u5J1T/QLXdbbDFFFwGldiMwNjZQfpOmrZpVw==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-03-26T21:04:45Z"
-    mac: ENC[AES256_GCM,data:cTN6wq1m1XtsfNujCfQ4nKtX1Pkc8MFCipUeScDLJUuZZwg4St0h1OkYtYJBWeVSt3CSjjexQpb7Oi9K8wukboIVevaIj0BTT1hkf2ZUFeIV8W62mtftfdRex0yJ/4h1gTZaYBhHEw+qD6r+XvavDs1m22FF5RuF+5qfGUEWA4I=,iv:RsVuXbLVfZSJ7AkIvEdf7H2auFTiqXgpXLe/LbATAo8=,tag:1V5eIiJzjzv4C1JNNf5Quw==,type:str]
-    pgp: []
-    unencrypted_suffix: _unencrypted
-    version: 3.9.4

values/badhouseplants/org-badhouseplants/app-gitea/values.yaml

@@ -41,8 +41,7 @@ gitea:
   metrics:
     enabled: true
     serviceMonitor:
-      # -- TODO(@allanger): Enable it once prometheus is configured
+      enabled: true
-      enabled: false
   config:
     database:
       DB_TYPE: postgres
@@ -59,13 +58,14 @@ gitea:
       MAX_CREATION_LIMIT: 0
       DISABLED_REPO_UNITS: repo.wiki
     service:
-      DISABLE_REGISTRATION: false
+      DISABLE_REGISTRATION: true
     server:
       DOMAIN: gitea.badhouseplants.net
       ROOT_URL: https://gitea.badhouseplants.net
       LFS_START_SERVER: true
       LANDING_PAGE: explore
       START_SSH_SERVER: true
+      ENABLE_PPROF: true
     storage:
       STORAGE_TYPE: minio
       MINIO_ENDPOINT: "s3.badhouseplants.net:443"

values/badhouseplants/org-badhouseplants/app-stalwart/values.yaml

@@ -50,13 +50,14 @@ extraVolumes:
     emptyDir: {}
 ingress:
   main:
-    annotations:
+    metadata:
-      cert-manager.io/cluster-issuer: badhouseplants-issuer-http01
+      annotations:
-      kubernetes.io/ingress.allow-http: "false"
+        cert-manager.io/cluster-issuer: badhouseplants-issuer-http01
-      kubernetes.io/ingress.class: traefik
+        kubernetes.io/ingress.allow-http: "false"
-      kubernetes.io/ingress.global-static-ip-name: ""
+        kubernetes.io/ingress.class: traefik
-      kubernetes.io/tls-acme: "true"
+        kubernetes.io/ingress.global-static-ip-name: ""
-      traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
+        kubernetes.io/tls-acme: "true"
+        traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
 config:
   files:
     config:

values/badhouseplants/org-badhouseplants/app-vaultwarden/secrets.yaml

@@ -1,31 +1,26 @@
 config:
     env:
         secrets:
-            enabled: ENC[AES256_GCM,data:C4TSoQ==,iv:kG2QtaNWHSc2sdhzo8HnMnPE0Mixqs1dvFsAcke/Gw4=,tag:HhbVmIw5RQ9hipQqZ5J2pw==,type:bool]
+            enabled: ENC[AES256_GCM,data:bai2CQ==,iv:NG7q1ZsDpCW9Lu00fGsibpTEHGtew+l5TFOLOpljlwU=,tag:Z2/fXmsEEqhDzCdTWS/Qhw==,type:bool]
-            sensitive: ENC[AES256_GCM,data:0wVOUg==,iv:FGxAd9h2e0LeWukZR/THhCscF3FWoK4dnkrX1mqSC+A=,tag:0rpeedT6x2V79WB5xRNbuA==,type:bool]
+            sensitive: ENC[AES256_GCM,data:n+dNXA==,iv:iFM0+5G5Bsw4NI+JH1vMMrty3Zo0El0HE9F6PEDsJrY=,tag:EcbzQHVeOHVLVC7kgaRPXw==,type:bool]
             data:
-                SMTP_USERNAME: ENC[AES256_GCM,data:82zb,iv:Z89+Wt6jGMQTZ73ghk1Ey504WYt2Li9XQ2gaH0SB8tI=,tag:RmqHxghik75E9LAABzyVxA==,type:str]
+                SMTP_USERNAME: ENC[AES256_GCM,data:eQ4c,iv:4vX/ioHWEA6DzMwZ+23dgUN4PJ7Asz7bbufG5Fy80iI=,tag:1Mq0Hj/23T4fvGEXuNUtxA==,type:str]
-                ADMIN_PASSWORD: ENC[AES256_GCM,data:ELi8dtNa/OhQKgrXbrgwHK95ntZjyzRSvQ==,iv:IVZbXZlFyCRMc3bW81Ak9UdjeGke0px9mGqrmaW7EHk=,tag:9xli08c0pqnxu2ktTbCMcg==,type:str]
+                ADMIN_PASSWORD: ENC[AES256_GCM,data:B08urSqwYgekI6I5LDYGHbPK5n3r+woRZw==,iv:K2O9aSJLRMbK+N2lfX4ojSqhbmb9KbWsuW2DtYZHCOA=,tag:Qz0OJ7aWwC+/9d1oc38ySw==,type:str]
-                ADMIN_TOKEN: ENC[AES256_GCM,data:CAAalqRcu9vsM1bjC76enJCSX/tc7yOd48mxGV0d5rTFxQz08b4JVhKyMzl7BRog7+PMtJkkTnRIXZHgj31FqhRylmHyuAn3iPc=,iv:PpZvZMhOEt6ecdkBcvAOSz+eZktPAzaAlYNjBSgiN/w=,tag:apHKw66HG7TYnpBNVyM7xA==,type:str]
+                ADMIN_TOKEN: ENC[AES256_GCM,data:sKVugfrrR9L5LtozHPibGiPULiwv8pAot925Z/rQ0V/mW+DVvNPEw4odgfX596Ddmd8oV5zo5Mz8WIPUCmrVmfdoz+3YzVywEy8=,iv:npthfz4xcW6fF10RhHCF6uXH/6526l3gjZGRu+Xpylg=,tag:vsPsRZ7EIQ7FMvqJga3hhg==,type:str]
                 DATABASE_URL: null
-                SMTP_PASSWORD: ENC[AES256_GCM,data:g212PzN9/4hxBKMAWFNiR0qAnPPK/tkffg==,iv:1l6dikIQGSjznW9MsaCTdz0wLJmAhiL0ZOdN2J4Q0yA=,tag:tNbPdORUa6IBWgh0HHaNjA==,type:str]
+                SMTP_PASSWORD: ENC[AES256_GCM,data:quvcZQKauXeW+l8xkYgVBElBQveoRWKDBA==,iv:KpQH+Ef87jl/M9XpBtIKNhn7ATHoV+Jgjpzg2Li28Kg=,tag:jniePrO7UVp/cz/eIh19mg==,type:str]
 sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
     age:
         - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoLys3dkJDK2lrQ0d4ZlJi
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGNnFwbWFpTWgxRk45S240
-            eFRTSmx1RUtZRnpxdkNvVFFCeXl6dDcvWXdvCitoNkcwVFFxRVJ6dkNUbGVPb1pU
+            cVI5ekJXdVIwaG5NcGRPa2xTN2pFV2tyN1JBClNVMGhNL2FaM2pCK0sxbjgyalJN
-            b3E4ZjZibFF6QytNdUhXNDFLZXRpSEUKLS0tIHpZTmFXNnptVzJmZFhIU2haRWhR
+            MnpQeHBxY2RtWkI2c1htV3oyQmNnbVUKLS0tIGg4ZXNwaFRKNTlIRDluT3k0VDRD
-            UjNEN1BlREFVak1xdmQzaFY1dHVyM3cKuvMIrQUL1cuw3Odz/Cv+kZV9ZZzBozSW
+            Y3pIaEdFb1JwMnVrYnJ4UkpWMERmZFUKa45EvUqkvjaL85xh3gyxTeJ02IxPJf9a
-            XimhDSkxNrH5OsGC1Jxz/8JOv8abBs4NROzffVdyqtZZzXOLzw3mJQ==
+            TGjAvpjBrym9v++OrHn2otw1NOeZwSP1hmSCc+sa6/0yFqcU031xjQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-03-02T08:58:16Z"
+    lastmodified: "2025-04-01T10:29:47Z"
-    mac: ENC[AES256_GCM,data:px+D6tlAZU6GzlE8/jLc0BaPyRwsfE1jRROy2mX7bhFTIW3lZqt/zangO46fFH5hXZjY5wLNIktCDbawIbUFwAp0vrmXxctZoAftl9hpdtW6ann3yfyv3pdcs7/BKu3s5QUswx6D13iLU0dvzyG4vGcQNmKpxuPQYLuDp2o74hM=,iv:2Y+wsS7QcgQ/8umZ+a21QjU25Yq24Y7UWjXVy9Gmvoo=,tag:APVtby5NCOQxrPAjIbMJ+w==,type:str]
+    mac: ENC[AES256_GCM,data:VmYotoR4BJJv2mZ+kt+NNn+oXLKWHed0o/TkJO93/4eLUm8Wg9SPMA1ZYYe9YRfgbIhYxPlQbPPKQBv95XeOS1FFL24VyenTTP3TXWroeXxOWubko/Fp88U3glJXs5jfL5DLYKvGwTXG3tchFDwH9m6QOABX+aRxvNBEP5zXUxs=,iv:HMzuvl8YCPj9ZA5tKfExQfSbvwu4IEHz6sMLAe8g7vo=,tag:lI2fh1b7prHsBS8Snrbdtw==,type:str]
-    pgp: []
     unencrypted_suffix: _unencrypted
-    version: 3.9.4
+    version: 3.10.0

values/badhouseplants/platform/authentik/values.yaml

@@ -14,10 +14,10 @@ ext-database:
     database: "{{ .Database }}"
 authentik:
   email:
-    host: email.badhouseplants.net
+    host: stalwart.badhouseplants.net
     port: 587
     username: bot@badhouseplants.net
-    use_tls: false
+    use_tls: true
     use_ssl: false
     timeout: 30
     from: bot@badhouseplants.net
@@ -26,7 +26,6 @@ authentik:
     user: file:///postgres-creds/username
     password: file:///postgres-creds/password
     name: file:///postgres-creds/database
-  secret_key: "2Scv6ivCfV6uGRTx9Kg5CYJ2KjBRHpR8GqSBearnBYvBFZBwR7"
   # This sends anonymous usage-data, stack traces on errors and
   # performance data to authentik.error-reporting.a7k.io, and is fully opt-in
   error_reporting:

values/badhouseplants/platform/db-instances/secrets.yaml

@@ -0,0 +1,29 @@
+dbinstances:
+    postgres16:
+        secrets:
+            adminUser: ENC[AES256_GCM,data:uuu/xvwJkHk=,iv:Pk+i8bf7AeeG9wKVh1RDJy7Dt3r5b1UKy4SJijlZfq0=,tag:QO3gwYXAG0sBBuHcKfTNQg==,type:str]
+            adminPassword: ENC[AES256_GCM,data:tjWATjuJT+C97D4TLQgk55BZOwVv,iv:1MWYtksmrEBQtOdGvtc6MZyLP4yBKA88eIpQ4mZCULM=,tag:3hOlT5n2Wd81ebxeEgW5tw==,type:str]
+    postgres17:
+        secrets:
+            adminUser: ENC[AES256_GCM,data:4w2EItIM++Q=,iv:cQLryeBskm2Y9OlbMFgQEWEBi7z/VxucLWbwZXsRtto=,tag:Ir2Q7KZv/sSDdA1MX/Niqw==,type:str]
+            adminPassword: ENC[AES256_GCM,data:wHUL2p8CXYwoEFu3ffCCsQO9xn/GqOZ6JPrcHKzy,iv:khoogPPFHSd+4xyp+jf1w0RfOUgrKzAmFjLnisQ8HXU=,tag:GRnkCQ0uOlUt2AiEAceFRQ==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuL1lwdVNHMm9nZHRld2lO
+            Rm4xVnVHWG9hNDc1cUVyakxzUU1PcFJhalM4CkNicEdUV2lEYWMwaWNqeGcrQ2p1
+            Qmw1b1FzRllqYW85bjF0cmRGcW1MbjQKLS0tIENUcG1oOXFNV3REaFU0aUEyd2k4
+            RDgzRmlKT1ArblpOV1plcFpyMnJXZTQKgm8Eaw591+EHZWofXAADTXRHPOdOvdOM
+            jYne1szB/V9UJz+pmLa10tNgruga+P5yP/j+DGcYrTj0pVh5IJLjTA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-10-30T19:59:46Z"
+    mac: ENC[AES256_GCM,data:3KrwiArDx/bPAHbFGgb9BdDVHC+uC1IHp4LZXlYRZzWSKtX1t+ODQVzUW97kigGFG1sx6WXddl/w3XeNOoT9JbS5iPXJQe6KAPleNV50S/oab+U53WeloO8uL68Wrk9v/NwMhCKwE9cCqBBhqk7wCb6N9ivt45mLrUf06L8fok0=,iv:bOWhyIm8FhKtZAZH/78bukkeDp5P4XShSD20mgr4Neo=,tag:RZMx9bi+ZEcLwTzk+Gm8RQ==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.1

values/badhouseplants/platform/db-instances/values.yaml

@@ -0,0 +1,21 @@
+dbinstances:
+  postgres16:
+    monitoring:
+      enabled: false
+    adminSecretRef:
+      Name: postgres16-secret
+      Namespace: databases
+    engine: postgres
+    generic:
+      host: postgres16-postgresql.databases.svc.cluster.local
+      port: 5432
+  postgres17:
+    monitoring:
+      enabled: false
+    adminSecretRef:
+      Name: postgres17-secret
+      Namespace: databases
+    engine: postgres
+    generic:
+      host: postgres17-postgresql.databases.svc.cluster.local
+      port: 5432

values/badhouseplants/platform/minio/values.yaml

@@ -56,7 +56,7 @@ consoleService:
   port: '9001'
 resources:
   requests:
-    memory: 2Gi
+    memory: 1Gi
 buckets:
   - name: badhouseplants-net
     policy: download

values/badhouseplants/platform/zot/values.yaml

@@ -0,0 +1,27 @@
+image:
+  repository: ghcr.io/project-zot/zot
+  tag: v2.1.3-rc4
+ingress:
+  enabled: true
+  className: traefik
+  annotations:
+    traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
+    kubernetes.io/tls-acme: "true"
+    kubernetes.io/ingress.allow-http: "false"
+    cert-manager.io/cluster-issuer: badhouseplants-issuer-http01
+  pathtype: Prefix
+  hosts:
+    - host: zot.badhouseplants.net
+      paths:
+        - path: /
+  tls:
+    - secretName: zot.badhouseplants.net
+      hosts:
+        - zot.badhouseplants.net
+service:
+  type: ClusterIP
+persistence: false
+pvc:
+  create: false
+mountConfig: true
+mountSecret: true

values/badhouseplants/secrets.renovate-github.yaml

@@ -1,22 +1,17 @@
 secrets:
-  RENOVATE_TOKEN: ENC[AES256_GCM,data:NwkAP50vrUc7dVB0wyWTgFDd+axltTqdyXuXFHHkmO2VF4QyV/svsw==,iv:kr53r5w7lVo9luC36mHghZ8fabo6/da8vLFEzhEOgDE=,tag:UnGnSXuvwlSzVuL6pEUXsw==,type:str]
+    RENOVATE_TOKEN: ENC[AES256_GCM,data:ohd4EhTlhRpQ+IXVf1Nb73+h0VHrMZduPhkbm53s3/+HRKUZd7JepA==,iv:qtbH0lz9Li+jjWcef6JGRpbcsOGlG+e3TNHDukAK2HE=,tag:KVmari0LUGHVb61VSFtgXw==,type:str]
 sops:
-  kms: []
+    age:
-  gcp_kms: []
+        - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
-  azure_kv: []
+          enc: |
-  hc_vault: []
+            -----BEGIN AGE ENCRYPTED FILE-----
-  age:
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4TGozODRjVzQvdzlvSE5s
-    - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
+            RTlReWNSWDlzUVVLVmZXV1c3dWVwUU9hbWw4CnJUL20yTFpHMUJFWTdYQ2JWUisx
-      enc: |
+            Y0djU2FhaEtVSTlRWEY3Z0RnOUhVVjAKLS0tIEZEUjhqUTRtTEo0L3haWFlRT2JS
-        -----BEGIN AGE ENCRYPTED FILE-----
+            QTFVWU5RSTBldzBjalg1TFBDY3hGUEEKCH1rY+tGtRNGMYrfSjqXbVsrPAleVHDO
-        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtZDVVZm1UallMRzJpRVF0
+            Altiz0ceC5ODo01zwBf63vDVqjZtbIQNZ8oQ8Pjlktp3jCpL7JNK9A==
-        b2dHaUJlQldOeHN5RVhydm5oaG52ZG95SVVzCkZ0enk4Mit4KzV6Z0ErTmxhU29W
+            -----END AGE ENCRYPTED FILE-----
-        R0p6NVBiRjFSU0NWUjNKdGU2WXdrcFUKLS0tIHFURlFVLzJ5NkJVRVpCV2I5U2E4
+    lastmodified: "2025-04-01T08:52:26Z"
-        dE1VWExmY0xEdVlrZW8wRzlPRkVrRzAKVZHyy3AGktGuv7KEQX/M0xjyU/7FpgSB
+    mac: ENC[AES256_GCM,data:6PyWgR3f7lnen5Jun04Tsw1P7rcAgTSuF+YEh0fq3r3xHvQYFGesfEO4PHLfCGYtjyyCeyzpwBUIoUHTmI5tRYjLwjwRiIu/GH75eSLOx0y0gYMl8JUeaPxSpPvElpii3XAm7vKEJhTR9QzNuzduf0Q1JdlR6TM68XM8g78zeSc=,iv:CqTrPYoLg4IgW5zTsIcmGQUg5RfK+IQmxeQIQbd6oqk=,tag:P8Je5EhAv5TqqT77nPwlHw==,type:str]
-        OrWzXXds9h8PWC/19FU2puvdIER1G/2CajEq0PQmaC9YMvb8nLMv0w==
+    unencrypted_suffix: _unencrypted
-        -----END AGE ENCRYPTED FILE-----
+    version: 3.10.1
-  lastmodified: "2024-10-14T08:08:22Z"
-  mac: ENC[AES256_GCM,data:5FV7wwVyhB1UQOLW+iYyeImXAPv3dtTlw3Qjg2rBVBmbC8vHNpXFWloBhFeTSN4VAEjxm5tqACdP3IfNkrVT1SnYeySh6Xl/sdcAuAIao7uMjLDT/MK02AcS55T9pt7h+H4nkdNatMAX7jLKbHJwNoAnL5a/FgX+gKizAg4PRHc=,iv:7HRq2xMClJXYF2S9SQeYLZwCn2EOEc4JkEFzgze2e20=,tag:Fb3fm+wlnywr0hBfw5xyQQ==,type:str]
-  pgp: []
-  unencrypted_suffix: _unencrypted
-  version: 3.9.1

values/badhouseplants/secrets.velero.yaml

@@ -1,26 +0,0 @@
-credentials:
-    useSecret: ENC[AES256_GCM,data:7gOgTQ==,iv:Wiutik5u1CZ3jkI5lL4JLwvKDQrjNPSfmnyet7SBVzo=,tag:SYm+fm393zhqNMKejQfYKw==,type:bool]
-    name: ENC[AES256_GCM,data:NKs3qbFPKGIhXI7lzGTq,iv:MWumBc7eHro/P1oLZxQArvfoWmdJN+S0d/Qxb+ohI9E=,tag:pxJQzB82Us+UflGc271wGg==,type:str]
-    secretContents:
-        hetzner: ENC[AES256_GCM,data:tlumlKIfwugQj5Dj8Lu9HuEcKRv8v/JhTTz4oOvRavxmeBIGElfn/MyWbK68pagfDatyKsrYjqPTutYykJWVOWdHFOCIXunnI8vkDbzpxAH0BqyZQrek3s4mkTOPJkjfW6V1MNr5AvWMYLwptcIp2Q==,iv:E3jBlMgIXzuLCNVxEBlTiiVpLCdEolJuv96bSYamwLI=,tag:4zkhZUu+on0K1zF4/8tiWQ==,type:str]
-        etersoft: ENC[AES256_GCM,data:/kQ9eCnHIfDSzHxy2tbVgwe7C0cF+l5LaKCgksodxUJgxTQs2pJHyx4cluoW62RwOQKHxMCy3IaqphD2zZOIVKbR0q3xVmBoxcBxrKE5UIlSxbQ=,iv:YcJF8OMiFMz147c8lXVU+ccjq1okYnHiwUvJLmJHi20=,tag:hnwtfAkBCpZUy4TEGtMOOw==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiaW9NQVR6OGtLV3ZqMThn
-            bWsrcGZKNVk1cXB2aDc5RnRNbTMwZVoyRERVCnEyQ2tFSlZmTnhRdGQxNW1BVGNs
-            QzBjM2tXWnhQYTBaR1pUZnUzMWpYTmMKLS0tIGQ1emdDNlVGdzNWRlRQcU5xSWxB
-            bWdPdVF3RjU0Z0RQWXZWVUVocVBTeWsKogQ3kmwrShfBOwMC+JHNiavRHryv+WNY
-            dkUkONkUH5HEWN/6M7bsMMqjkH0D/upD5UXOXr4fiibcM/w+XI/BpA==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-12-16T14:51:45Z"
-    mac: ENC[AES256_GCM,data:65vGxoFLwH9WpxvqKYi1FEb8DhRWpq4K5cTjfqQEXDxbzKDk/RjTtHpFZ2iLnAOcL2ECvL+JU9yPeM7fS06nTW/TC/oP3yNGfyJp84IWNzrBVBE8HCTaXthxcRSIbGwvdCihViT4gZU7VkMaDt1WnEesjq/KQqcK/TSpCxhSyjI=,iv:HPfV3MRyeilrAFprdsLT6H//V74YzRiGM8O7TmU/g5c=,tag:tQHA6JW5ELAUXzIlJdLYFA==,type:str]
-    pgp: []
-    unencrypted_suffix: _unencrypted
-    version: 3.9.2

values/badhouseplants/values.gitea.yaml

@@ -40,11 +40,11 @@ replicaCount: 1
 clusterDomain: cluster.local
 resources:
   limits:
-    memory: 1024Mi
+    memory: 1.5Gi
     cpu: 1
   requests:
     cpu: 1
-    memory: 1024Mi
+    memory: 1.5Gi
 persistence:
   enabled: true
   size: 15Gi
@@ -57,8 +57,7 @@ gitea:
   metrics:
     enabled: true
     serviceMonitor:
-      # -- TODO(@allanger): Enable it once prometheus is configured
+      enabled: true
-      enabled: false
   config:
     database:
       DB_TYPE: postgres
@@ -82,6 +81,7 @@ gitea:
       LFS_START_SERVER: true
       LANDING_PAGE: explore
       START_SSH_SERVER: true
+      ENABLE_PPROF: true
     storage:
       STORAGE_TYPE: minio
       MINIO_ENDPOINT: "s3.badhouseplants.net:443"

values/badhouseplants/values.istiod.yaml

@@ -1,13 +0,0 @@
-pilot:
-  resources:
-    requests:
-      cpu: 50m
-      memory: 2048Mi
-global:
-  proxy:
-    resources:
-      requests:
-        cpu: 20m
-        memory: 128Mi
-      limits:
-        memory: 128Mi

values/badhouseplants/values.memos.yaml

@@ -2,25 +2,34 @@ shortcuts:
   hostname: notes.badhouseplants.net
 ext-database:
   enabled: true
-  name: memos-postgres17
+  name: memos-postgres16
-  instance: postgres17
+  instance: postgres16
   credentials:
     MEMOS_DRIVER: postgres
     MEMOS_DSN: "{{ .Protocol }}://{{ .Username }}:{{ .Password }}@{{ .Hostname }}:{{ .Port }}/{{ .Database }}?sslmode=disable"
+base:
+  workload:
+    containers:
+      memos:
+        envFrom:
+          main: {}
+          raw:
+            - secretRef:
+                name: memos-postgres16-creds
 
-workload:
+storage:
-  containers:
+  data:
-    memos:
+    metadata:
-      envFrom:
+      annotations:
-        - main
+        volume.kubernetes.io/selected-node: bordeaux
-        - secretRef:
+    storageClassName: openebs-hostpath
-            name: memos-postgres16-creds
 ingress:
   main:
-    annotations:
+    metadata:
-      kubernetes.io/ingress.class: traefik
+      annotations:
-      kubernetes.io/tls-acme: "true"
+        kubernetes.io/ingress.class: traefik
-      kubernetes.io/ingress.allow-http: "false"
+        kubernetes.io/tls-acme: "true"
-      kubernetes.io/ingress.global-static-ip-name: ""
+        kubernetes.io/ingress.allow-http: "false"
-      cert-manager.io/cluster-issuer: badhouseplants-issuer-http01
+        kubernetes.io/ingress.global-static-ip-name: ""
-      traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
+        cert-manager.io/cluster-issuer: badhouseplants-issuer-http01
+        traefik.ingress.kubernetes.io/router.entrypoints: web,websecure

values/badhouseplants/values.prometheus.yaml

@@ -1,7 +1,3 @@
-# ------------------------------------------
-# -- Istio extenstion. Just because I'm
-# --  not using ingress nginx
-# ------------------------------------------
 coreDns:
   enabled: false
 kubeEtcd:

values/badhouseplants/velero/velero/secrets.yaml

@@ -0,0 +1,21 @@
+credentials:
+    useSecret: ENC[AES256_GCM,data:JeoOyQ==,iv:fu/UL5pN+RfYRluV1ipqbJ7AMmb6mBzo9Cs8MEaH90g=,tag:SXueO8IzwQ12MjSQUx5K4A==,type:bool]
+    name: ENC[AES256_GCM,data:jHBOoXdfbcm9/tWworFG,iv:EZdqinT6tBFS2t7/l3bA2A5OspmmXVBhlM4ENIMlWeI=,tag:ltP1tFsWxRiQV8GgNe2RmA==,type:str]
+    secretContents:
+        hetzner: ENC[AES256_GCM,data:cLAnAdz3RlBE4YOVDIcQ+gjWxsA2jsNJgh2zkBV9LbPHU2eJDaLmQIzGov28vQK0tpdGBk8uncjg7eLVpqQFnn/+4mbMrCICLNqeNYJNG9sTRhBoA8EqODRQ7mJoHMdvSqk8dp+9nGXrgO/HCKZCbg==,iv:pEQbq9pqWcuUG3Jj93QNbD4N9a/NxLPc1XqmfYNdOoc=,tag:Ss8hyMYYm24UG2aVXw6MQQ==,type:str]
+        etersoft: ENC[AES256_GCM,data:f7opp9R8bLoOSqpzJdjUXiVHF0hxH3uE+fRQfgEA/G0wDrPio6SPNUG+ROeZCrLJgizFTR6x4/r/yTIglEeaa9aefF1OG9dEdlpko7AALnf3DYQ=,iv:NGXNl5BbQS5dgVn5wNqN7ba11AeDgHXPloYTBC95l2E=,tag:kA/7bvS9h20/a7se5e1zUg==,type:str]
+sops:
+    age:
+        - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2emd4d1gyWjlYL3dYRmw4
+            Y2J0UkJaMTR6b0NsNTVzcTBHMXJ3WnNRdWlJCnB0ZEJmclRzY0Y1WEsvQmRWYU9k
+            cDRtQ3J4azNBUnN5bVUvdm9EbEo1ZHcKLS0tIGN6L0VpTWlQNm1sVnA4UldBbk9C
+            Q1dWek5PVjNkZUdJYllJSTZhQ1p0QU0K4LFd1ITs38M101fqy6KZGZ43x4Ou3VtB
+            EN1uxBEt5AdfX4F+FbOnA5qAOUdRRN31TjIXs948E/1vgm8zRxSx1Q==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-04-02T21:11:55Z"
+    mac: ENC[AES256_GCM,data:ArJNDbctyrzJIVo9CojFPAKlhW9xCBYvfpA27iG2YGWYfCRQ0uAIVmUn0jVsbfYWdtQ5WZD7p05itXMobQMMlFlv3twi7B7taXYXQQzZghhOCVJBYo8I3gFl9wxVpKHNc+WxuerFCQUCOXyBMI9CLmXsKBwlciLl78OSU6SMe/s=,iv:wHFF4yhYLs6QjOcvcU4WDpNyjQZl0dI42mouVR/43Eo=,tag:notDIF/S/r7MlYogftz9aA==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.10.1

values/badhouseplants/velero/velero/values.yaml

@@ -1,10 +1,3 @@
-initContainers:
-  - name: velero-plugin-for-aws
-    image: velero/velero-plugin-for-aws:v1.11.0
-    imagePullPolicy: IfNotPresent
-    volumeMounts:
-      - mountPath: /target
-        name: plugins
 configuration:
   logLevel: error
   repositoryMaintenanceJob:
@@ -17,7 +10,7 @@ configuration:
   backupStorageLocation:
     - name: hetzner
       provider: aws
-      plugin: velero/velero-plugin-for-aws:v1.11.0
+      plugin: velero/velero-plugin-for-aws:v1.11.1
       bucket: badhouseplants-backups
       accessMode: ReadWrite
       credential:
@@ -29,9 +22,10 @@ configuration:
         s3Url: https://nbg1.your-objectstorage.com
         publicUrl: https://nbg1.your-objectstorage.com
         checksumAlgorithm: ""
+
     - name: etersoft
       provider: aws
-      plugin: velero/velero-plugin-for-aws:v1.11.0
+      plugin: velero/velero-plugin-for-aws:v1.11.1
       bucket: velero
       accessMode: ReadWrite
       credential:

values/common/databases/postgres16/values.gotmpl

@@ -0,0 +1,6 @@
+global:
+  imageRegistry: {{ .Values.registry }}
+  imagePullSecrets:
+    - regcred
+  security:
+    allowInsecureImages: true

values/common/databases/postgres17/values.gotmpl

@@ -0,0 +1,6 @@
+global:
+  imageRegistry: {{ .Values.registry }}
+  imagePullSecrets:
+    - regcred
+  security:
+    allowInsecureImages: true

values/common/databases/redis/values.gotmpl

@@ -0,0 +1,6 @@
+global:
+  imageRegistry: {{ .Values.registry}}
+  imagePullSecrets:
+    - regcred
+  security:
+    allowInsecureImages: true

values/common/games/minecraft/values.gotmpl

@@ -0,0 +1,33 @@
+image:
+  repository: {{ .Values.registry }}/itzg/minecraft-server
+  pullSecret: regcred
+
+# ---------------------------------------------
+# -- Install Plugins
+# ---------------------------------------------
+initContainers:
+  - name: 0-download-mods
+    image: {{.Values.registry}}/alpine/curl
+    command:
+      - curl
+      - -L
+      - "https://s3.badhouseplants.net/minecraft-mods/server_mods.tar"
+      - -o
+      - /download/server_mods.tar
+    volumeMounts:
+      - name: download
+        mountPath: /download
+        readOnly: false
+  - name: 1-copy-plugins-to-minecraft
+    image: {{ .Values.registry }}/ubuntu
+    command:
+      - sh
+      - -c
+      - cd /mods  && tar -xvf /download/server_mods.tar || true
+    volumeMounts:
+      - name: plugins
+        mountPath: /mods
+        readOnly: false
+      - name: download
+        mountPath: /download
+        readOnly: false

values/common/istio-system/istio-base/values.yaml

@@ -0,0 +1,3 @@
+global:
+  imagePullSecrets:
+    - regcred

values/common/istio-system/istiod/values.gotmpl

@@ -0,0 +1,16 @@
+pilot:
+  resources:
+    requests:
+      cpu: 50m
+      memory: 256Mi
+global:
+ hub: {{ .Values.registry }}/istio
+ imagePullSecrets:
+   - regcred
+ proxy:
+   resources:
+     requests:
+       cpu: 20m
+       memory: 54Mi
+     limits:
+       memory: 54Mi

values/common/kube-system/cert-manager/values.gotmpl

@@ -3,22 +3,17 @@ global:
   imagePullSecrets:
     - name: regcred
 image:
-  repository: {{ .Values.registry }}/quay/jetstack/cert-manager-controller
+  repository: {{ .Values.registry }}/jetstack/cert-manager-controller
-  pullPolicy: Always
 cainjector:
   image:
-    repository: {{ .Values.registry }}/quay/jetstack/cert-manager-cainjector
+    repository: {{ .Values.registry }}/jetstack/cert-manager-cainjector
-    pullPolicy: Always
 webhook:
   image:
-    repository: {{ .Values.registry }}/quay/jetstack/cert-manager-webhook
+    repository: {{ .Values.registry }}/jetstack/cert-manager-webhook
-    pullPolicy: Always
 acmesolver:
   image:
-    repository: {{ .Values.registry }}/quay/jetstack/cert-manager-acmesolver
+    repository: {{ .Values.registry }}/jetstack/cert-manager-acmesolver
-    pullPolicy: Always
 startupapicheck:
   image:
-    repository: {{ .Values.registry }}/quay/jetstack/cert-manager-startupapicheck
+    repository: {{ .Values.registry }}/jetstack/cert-manager-startupapicheck
-    pullPolicy: Always
 {{- end }}

values/common/kube-system/cilium/values.gotmpl

@@ -2,15 +2,15 @@
 imagePullSecrets:
   - name: regcred
 image:
-  repository: {{ .Values.registry }}/quay/cilium/cilium
+  repository: {{ .Values.registry }}/cilium/cilium
   useDigest: false
 envoy:
   image:
-    repository: {{ .Values.registry }}/quay/cilium/cilium-envoy
+    repository: {{ .Values.registry }}/cilium/cilium-envoy
     useDigest: false
 operator:
   image:
-    repository: {{ .Values.registry }}/quay/cilium/operator
+    repository: {{ .Values.registry }}/cilium/operator
     useDigest: false
 hubble:
   tls:

values/common/kube-system/coredns/values.gotmpl

@@ -1,6 +1,6 @@
 {{- if not (env "HELMFILE_BOOTSTRAP") }}
 image:
-  repository: {{ .Values.registry }}/dockerhub/coredns/coredns
+  repository: {{ .Values.registry }}/coredns/coredns
   pullSecrets:
     - name: regcred
 {{- end }}

values/common/kube-system/local-path-provisioner/values.gotmpl

@@ -0,0 +1,17 @@
+{{- if not (env "HELMFILE_BOOTSTRAP") }}
+image:
+  repository: {{ .Values.registry }}/rancher/local-path-provisioner
+
+helperImage:
+  repository: {{ .Values.registry }}/library/busybox
+
+imagePullSecrets:
+  - name: regcred
+{{- end }}
+
+storageClass:
+  create: true
+  defaultClass: true
+  defaultVolumeType: local
+  reclaimPolicy: Delete
+  volumeBindingMode: Immediate

values/common/kube-system/metallb-resources/values.gotmpl

@@ -0,0 +1 @@
+addresses: "{{ .Values.main_ip }}-{{ .Values.main_ip }}"

values/common/kube-system/metallb/values.gotmpl

@@ -1,13 +1,15 @@
+{{- if not (env "HELMFILE_BOOTSTRAP") }}
 imagePullSecrets:
   - name: regcred
 
 controller:
   image:
-    repository: {{ .Values.registry }}/quay/metallb/controller
+    repository: {{ .Values.registry }}/metallb/controller
 
 speaker:
   image:
-    repository: {{ .Values.registry }}/quay/metallb/speaker
+    repository: {{ .Values.registry }}/metallb/speaker
   frr:
     image:
-      repository: {{ .Values.registry }}/quay/frrouting/frr
+      repository: {{ .Values.registry }}/frrouting/frr
+{{- end }}

values/common/kube-system/metallb/values.yaml

@@ -3,17 +3,20 @@ controller:
   logLevel: warn
   strategy:
     type: RollingUpdate
+
   securityContext:
     runAsNonRoot: true
     # nobody
     runAsUser: 65534
     fsGroup: 65534
+
   resources:
     requests:
       cpu: 20m
-      memory: 100Mi
+      memory: 150Mi
     limits:
-      memory: 100Mi
+      memory: 150Mi
+
   livenessProbe:
     enabled: true
     failureThreshold: 3
@@ -37,9 +40,9 @@ speaker:
   resources:
     requests:
       cpu: 30m
-      memory: 300Mi
+      memory: 350Mi
     limits:
-      memory: 300Mi
+      memory: 350Mi
   livenessProbe:
     enabled: true
     failureThreshold: 3

values/common/kube-system/metrics-server/values.gotmpl

@@ -1,5 +1,5 @@
 image:
-  repository: {{ .Values.registry }}/k8s/metrics-server/metrics-server
+  repository: {{ .Values.registry }}/metrics-server/metrics-server
 imagePullSecrets:
   - name: regcred
 apiService:

values/common/kube-system/openebs/values.gotmpl

@@ -0,0 +1,6 @@
+global:
+  imageRegistry: {{ .Values.registry }}
+
+localpv-provisioner:
+  imagePullSecrets:
+    - name: regcred

values/common/kube-system/traefik/values.gotmpl

@@ -0,0 +1,8 @@
+{{- if not (env "HELMFILE_BOOTSTRAP") }}
+deployment:
+  imagePullSecrets:
+    - name: regcred
+
+image:
+  registry: {{ .Values.registry }}/library
+{{- end }}

values/common/kube-system/traefik/values.yaml

@@ -1,13 +1,14 @@
 globalArguments:
   - "--serversTransport.insecureSkipVerify=true"
   - "--providers.kubernetesingress.ingressendpoint.publishedservice=kube-system/traefik"
+
 ports:
   web:
     redirections:
-      port: websecure
+        entryPoint:
+          to: websecure
+          scheme: https
+          permanent: true
+
 deployment:
   replicas: 2
-  imagePullSecrets:
-    - name: regcred
-image:
-  registry: registry.badhouseplants.net/dockerhub/library

values/common/kyverno/kyverno/values.gotmpl

@@ -0,0 +1,7 @@
+{{- if not (env "HELMFILE_BOOTSTRAP") }}
+global:
+  image:
+    registry: {{ .Values.registry }}
+  imagePullSecrets:
+    - name: regcred
+{{- end }}

values/common/platform/authentik/values.gotmpl

@@ -0,0 +1,12 @@
+global:
+  image:
+    repository: {{ .Values.registry }}/goauthentik/server
+  imagePullSecrets:
+    - name: regcred
+redis:
+  global:
+    imageRegistry: {{ .Values.registry}}
+    imagePullSecrets:
+      - regcred
+    security:
+      allowInsecureImages: true