.archive/kubernetes/apps/kube-system/snapshot-controller/app/snapshot-validation-webhook/helmrelease.yaml

@@ -1,6 +1,6 @@
 ---
 # yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/helmrelease_v2beta1.json
-apiVersion: helm.toolkit.fluxcd.io/v2beta1
+apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
   name: snapshot-validation-webhook

.github/workflows/link-check.yaml

@@ -12,7 +12,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Link Checker
         uses: lycheeverse/lychee-action@2b973e86fc7b1f6b36a93795fe2c9c6ae1118621 # v1.10.0
@@ -29,7 +29,7 @@ jobs:
             broken-links
 
       - name: Update Issue
-        uses: peter-evans/create-issue-from-file@24452a72d85239eacf1468b0f1982a9f3fec4c94 # v5.0.0
+        uses: peter-evans/create-issue-from-file@e8ef132d6df98ed982188e460ebb3b5d4ef3a9cd # v5.0.1
         with:
           title: Broken links detected 🔗
           issue-number: "${{ steps.link-checker-issue.outputs.issue-number }}"

.github/workflows/meta-sync-labels.yaml

@@ -13,7 +13,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Sync Labels
         uses: EndBug/label-sync@52074158190acb45f3077f9099fea818aa43f97a # v2.3.3

.github/workflows/pr-commenter.yaml

@@ -18,11 +18,11 @@ jobs:
       matrix: ${{ steps.changed-files.outputs.all_changed_and_modified_files }}
     steps:
       - name: Checkout Default Branch
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 
       - name: Get Changed Files
         id: changed-files
-        uses: tj-actions/changed-files@c65cd883420fd2eb864698a825fc4162dd94482c # v44
+        uses: tj-actions/changed-files@dcc7a0cba800f454d79fff4b993e8c3555bcc0a8 # v45
         with:
           files: kubernetes/**
           dir_names: true
@@ -47,18 +47,18 @@ jobs:
       max-parallel: 4
     steps:
       - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
         with:
           path: pull
 
       - name: Checkout Default Branch
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
         with:
           ref: "${{ github.event.repository.default_branch }}"
           path: default
 
       - name: Diff Resources
-        uses: docker://ghcr.io/allenporter/flux-local:v5.5.1
+        uses: docker://ghcr.io/allenporter/flux-local:v7.1.0
         with:
           args: >-
             diff ${{ matrix.resources }}

.github/workflows/release-drafter.yaml

@@ -10,7 +10,7 @@ jobs:
   update:
     runs-on: ubuntu-latest
     steps:
-      - uses: release-drafter/release-drafter@3f0f87098bd6b5c5b9a36d49c41d998ea58f9348 # v6.0.0
+      - uses: release-drafter/release-drafter@b1476f6e6eb133afa41ed8589daba6dc69b4d3f5 # v6.1.0
         with:
           config-name: release-drafter.yaml
         env:

.pre-commit-config.yaml

@@ -9,6 +9,6 @@ repos:
           - .yamllint.yaml
         id: yamllint
   - repo: https://github.com/gruntwork-io/pre-commit
-    rev: v0.1.23
+    rev: v0.1.25
     hooks:
       - id: terraform-fmt

.tool-versions

@@ -1,3 +1,3 @@
-ruby 3.3.3
-python 3.12.4
-terraform 1.8.4
+ruby 3.3.5
+python 3.13.1
+terraform 1.9.5

kubernetes/apps/auth/authelia/app/helmrelease.yaml

@@ -1,6 +1,6 @@
 ---
 # yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/helmrelease_v2beta1.json
-apiVersion: helm.toolkit.fluxcd.io/v2beta1
+apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
   name: &app "authelia-${NAME_SUFFIX}"
@@ -10,7 +10,7 @@ spec:
   chart:
     spec:
       chart: authelia
-      version: 0.8.58
+      version: 0.9.16
       sourceRef:
         kind: HelmRepository
         name: authelia
@@ -30,20 +30,6 @@ spec:
     pod:
       kind: Deployment
       replicas: 3
-      env:
-        - name: AUTHELIA_STORAGE_POSTGRES_PASSWORD
-          valueFrom:
-            secretKeyRef:
-              name: "postgres-${NAME_SUFFIX}-app"
-              key: password
-
-    domain: "${AUTH_DOMAIN}"
-    secret:
-      existingSecret: authelia-external
-      ldap:
-        key: LDAP_PASSWORD
-      jwt:
-        key: JWT_KEY
     ingress:
       enabled: true
       className: "${INGRESS_CLASS}"
@@ -53,13 +39,31 @@ spec:
       tls:
         enabled: true
         secret: "${PRODUCTION_TLS}"
+    secret:
+      additionalSecrets:
+        postgres-dev-app:
+          items:
+            - key: password
+        authelia-external:
+          items:
+            - key: LDAP_PASSWORD
+            - key: JWT_KEY
+            - key: OIDC_HMAC_SECRET
+            - key: OIDC_PRIVATE_KEY
+            - key: STORAGE_ENCRYPTION_KEY
     configMap:
       storage:
+        encryption_key:
+          secret_name: authelia-external
+          path: STORAGE_ENCRYPTION_KEY
         postgres:
           enabled: true
           database: "app"
-          host: "postgres-${NAME_SUFFIX}-rw"
+          address: "postgres-${NAME_SUFFIX}-rw"
           username: app
+          password:
+            secret_name: "postgres-${NAME_SUFFIX}-app"
+            path: password
       access_control:
         default_policy: one_factor
         rules:
@@ -68,9 +72,13 @@ spec:
       session:
         expiration: 24h
         inactivity: 24h
-        remember_me_duration: 24h
+        remember_me: 24h
         redis:
+          enabled: true
           host: redis-master.default
+        cookies:
+          - domain: "${AUTH_DOMAIN}"
+            subdomain: auth
       notifier:
         filesystem:
           enabled: true
@@ -79,27 +87,43 @@ spec:
           enabled: false
       authentication_backend:
         ldap:
-          username_attribute: uid
-          display_name_attribute: givenName
+          implementation: custom
+          enabled: true
           additional_users_dn: ou=people
+          additional_groups_dn: ou=users
           users_filter: (&({username_attribute}={input})(objectClass=posixAccount))
           groups_filter: (&(memberUid={username})(objectClass=posixGroup))
-          group_name_attribute: cn
-          additional_groups_dn: ou=users
-          mail_attribute: mail
-          url: ldap://glauth
+          address: ldap://glauth
           base_dn: DC=home,DC=lab
           user: CN=search_user,DC=home,DC=lab
+          attributes:
+            username: uid
+            group_name: cn
+            display_name: givenName
+            mail: mail
+          password:
+            secret_name: "authelia-external"
+            path: LDAP_PASSWORD
       identity_providers:
         oidc:
           enabled: true
           cors:
             endpoints: ["authorization", "token", "revocation", "introspection"]
+            allowed_origins:
+              - "https://*.deangalvin.dev"
+              - "https://deangalvin.dev"
             allowed_origins_from_client_redirect_uris: true
+          hmac_secret:
+            secret_name: authelia-external
+            path: OIDC_HMAC_SECRET
+          jwks:
+            - key:
+                path: '/secrets/authelia-external/OIDC_PRIVATE_KEY'
           clients:
-            - id: grafana
+            - client_id: grafana
+              client_name: Grafana
               description: Grafana
-              secret: '$plaintext$grafana_client_secret'
+              client_secret: '$plaintext$grafana_client_secret'
               public: false
               authorization_policy: one_factor
               redirect_uris:
@@ -110,26 +134,12 @@ spec:
                 - profile
                 - groups
                 - email
-              userinfo_signing_algorithm: none
-              pre_configured_consent_duration: 1y
-            - id: gitops
-              description: Weave Gitops
-              secret: '$plaintext$gitops_client_secret'
-              public: false
-              authorization_policy: one_factor
-              redirect_uris:
-                - https://gitops.deangalvin.dev/oauth2/callback
-              scopes:
-                - offline_access
-                - openid
-                - profile
-                - groups
-                - email
-              userinfo_signing_algorithm: none
+              userinfo_signed_response_alg: none
               pre_configured_consent_duration: 1y
-            - id: proxmox
+            - client_id: proxmox
+              client_name: Proxmox
               description: Proxmox
-              secret: '$plaintext$proxmox_client_secret'
+              client_secret: '$plaintext$proxmox_client_secret'
               public: false
               authorization_policy: one_factor
               redirect_uris:
@@ -138,30 +148,10 @@ spec:
                 - openid
                 - profile
                 - email
-              userinfo_signing_algorithm: none
+              userinfo_signed_response_alg: none
               pre_configured_consent_duration: 1y
       telemetry:
         metrics:
           enabled: true
           serviceMonitor:
             enabled: true
-  postRenderers:
-    - kustomize:
-        patches:
-          - patch: |-
-              apiVersion: apps/v1
-              kind: Deployment
-              metadata:
-                name: authelia-.*
-              spec:
-                template:
-                  spec:
-                    containers:
-                      - name: authelia
-                        env:
-                          - name: AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE
-                            $patch: delete
-            target:
-              group: apps
-              version: v1
-              kind: Deployment

kubernetes/apps/auth/authelia/app/kustomization.yaml

@@ -4,4 +4,4 @@ kind: Kustomization
 resources:
   - ./helmrelease.yaml
   - ./pgcluster.yaml
-  # - ./objectbucketclaim.yaml
+  - ./objectbucketclaim.yaml

kubernetes/apps/auth/authelia/app/pgcluster.yaml

@@ -18,19 +18,19 @@ spec:
       shared_buffers: 512MB
   monitoring:
     enablePodMonitor: true
-      # backup:
-      #   retentionPolicy: 30d
-      #   barmanObjectStore:
-      #     wal:
-      #       compression: bzip2
-      #       maxParallel: 8
-      #     destinationPath: "s3://authelia-pg-${NAME_SUFFIX}/"
-      #     endpointURL: http://rook-ceph-rgw-ceph-objectstore.rook-ceph
-      #     serverName: "authelia-pg-${NAME_SUFFIX}"
-      #     s3Credentials:
-      #       accessKeyId:
-      #         name: "authelia-pg-${NAME_SUFFIX}"
-      #         key: AWS_ACCESS_KEY_ID
-      #       secretAccessKey:
-      #         name: "authelia-pg-${NAME_SUFFIX}"
-      #         key: AWS_SECRET_ACCESS_KEY
+  backup:
+    retentionPolicy: 30d
+    barmanObjectStore:
+      wal:
+        compression: bzip2
+        maxParallel: 8
+      destinationPath: "s3://authelia-pg-${NAME_SUFFIX}/"
+      endpointURL: http://10.0.0.102:7480
+      serverName: "authelia-pg-${NAME_SUFFIX}"
+      s3Credentials:
+        accessKeyId:
+          name: "authelia-pg-${NAME_SUFFIX}"
+          key: AWS_ACCESS_KEY_ID
+        secretAccessKey:
+          name: "authelia-pg-${NAME_SUFFIX}"
+          key: AWS_SECRET_ACCESS_KEY