fix(mycloud-matrix): update matrix-authentifcaton-service

fix(infra-certificate): add gateway api support
fix(mycloud-matrix): update element-web
2025-04-25 11:23:11 +02:00 · 2025-04-24 14:51:38 +02:00 · 2025-04-24 00:20:04 +02:00 · 2025-04-18 02:08:07 +02:00 · 2025-04-12 20:01:30 +02:00 · 2025-04-11 12:39:36 +02:00
106 changed files with 2151 additions and 523 deletions
--- a/base-values/commons.yaml
+++ b/base-values/commons.yaml
@ -48,8 +48,6 @@ commons:
    to:
      dns: []
      k8sAPI: []
      smtp: []
      matrix: []
  grafana:
    datasource:
--- a/base-values/mycloud-core.yaml
+++ b/base-values/mycloud-core.yaml
@ -27,6 +27,20 @@ commons:
      annotations:
        grafana.mon.local/dashboard-folder: "myCloud"
  networkpolicies:
    to:
      smtp: []
      matrix: []
      database:
        - ports:
            - port: 5432
              protocol: "TCP"
          to:
            - podSelector:
                matchLabels:
                  app.kubernetes.io/instance: mycloud-services-postgresql
                  app.kubernetes.io/name: postgresql
  redis:
    replicas: 0
--- a/base-values/mycloud-git-small.yaml
+++ b/base-values/mycloud-git-small.yaml
@ -0,0 +1,19 @@
 ##
 # commons are from mycloud-core
 ##
 components:
  mycloud-services:
    # patch mycloud-core to get another database
    values:
      databases:
        git-forgejo:
          type: postgresql
        git-woodpecker:
          type: postgresql
  mycloud-git-small:
    enabled: true
    namespace:
      # current namespace
      name:
--- a/base-values/mycloud-paperless.yaml
+++ b/base-values/mycloud-paperless.yaml
@ -0,0 +1,17 @@
 ##
 # commons are from mycloud-core
 ##
 components:
  mycloud-services:
    # patch mycloud-core to get another database
    values:
      databases:
        paperless:
          type: postgresql
  mycloud-paperless:
    enabled: true
    namespace:
      # current namespace
      name:
--- a/base-values/tracing.yaml
+++ b/base-values/tracing.yaml
@ -2,7 +2,7 @@ commons:
  tracing:
    enabled: true
    http:
-      endpoint: "http://tempo.monitoring.svc:4318"
+      endpoint: "http://tempo.monitoring.svc:4318/v1/traces"
    grpc:
      enabled: true
      insecure: true
--- a/base/templates/release.yaml
+++ b/base/templates/release.yaml
@ -2,7 +2,7 @@
 {{- if ($config.enabled | default false) }}
 {{- $componentName := $config.name | default $componentInstance }}
 ---
-apiVersion: helm.toolkit.fluxcd.io/v2beta2
+apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
  name: "{{ printf "%s-%s" $.Release.Name $componentInstance | replace (printf "%s-%s" $.Release.Name $.Release.Name) $.Release.Name }}"
--- a/docs/infra/_index.md
+++ b/docs/infra/_index.md
@ -50,7 +50,7 @@ spec:
  #   secretRef:
  #     name: gpg-publickey
 ---
-apiVersion: helm.toolkit.fluxcd.io/v2beta1
+apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
  name: infra <4>
--- a/docs/mycloud/_index.md
+++ b/docs/mycloud/_index.md
@ -69,7 +69,7 @@ spec:
  #     name: gpg-publickey
 ---
-apiVersion: helm.toolkit.fluxcd.io/v2beta1
+apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
  name: mycloud <1>
--- a/docs/mycloud/ingress.md
+++ b/docs/mycloud/ingress.md
@ -57,10 +57,12 @@ components:
  mycloud-nextcloud:
    values:
      ingress:
-        host: "files.wrenix.eu:"
+        host: "files.wrenix.eu"
  mycloud-collabora:
    values:
      remoteFont:
        url: "https://files.wrenix.eu/apps/richdocuments/settings/fonts.json"
      allowedHosts:
        files.wrenix.eu: []
 ```
--- a/infra-certificates/templates/certmanager/release.yaml
+++ b/infra-certificates/templates/certmanager/release.yaml
@ -1,5 +1,5 @@
 ---
-apiVersion: helm.toolkit.fluxcd.io/v2beta2
+apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
  name: cert-manager
@ -21,6 +21,8 @@ spec:
  interval: 10m
  values:
    installCRDs: true
    config:
      enableGatewayAPI: true
    resources:
      requests:
--- a/infra-certificates/templates/certmanager/repo.yaml
+++ b/infra-certificates/templates/certmanager/repo.yaml
@ -1,5 +1,5 @@
 ---
-apiVersion: source.toolkit.fluxcd.io/v1beta2
+apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
  name: jetstack
--- a/infra-ingress/templates/configmap_init_crd.yaml
+++ b/infra-ingress/templates/configmap_init_crd.yaml
@ -7,6 +7,7 @@ metadata:
 data:
  {{- $isMonitoring := and
    (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/ServiceMonitor")
    (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/PodMonitor")
  }}
  monitoring: {{ $isMonitoring | quote }}
  {{- $isTraefik := and
--- a/infra-ingress/templates/traefik/release.yaml
+++ b/infra-ingress/templates/traefik/release.yaml
@ -1,6 +1,6 @@
 {{- if (eq .Values.controller "traefik") }}
 ---
-apiVersion: helm.toolkit.fluxcd.io/v2beta2
+apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
  name: traefik
@ -30,6 +30,60 @@ spec:
      {{- if .Values.hostNetwork }}
      dnsPolicy: ClusterFirstWithHostNet
      {{- end }}
      podAnnotations:
      {{- if .Values.traefik.logs.metrics }}
        checksum/vector-config: {{ include (print $.Template.BasePath "/traefik/vector/configmap.yaml") $ | sha256sum }}
      {{- if .Values.traefik.logs.geoip.enabled }}
      initContainers:
        - name: "download-geoip"
          image: "alpine"
          command:
            - sh
            - -c
            - |
              cd /usr/share/GeoIP
              wget -O geoip-db.mmdb {{ .Values.traefik.logs.geoip.url | quote}}
              # gunzip geoip-db.mmdb.gz
          volumeMounts:
            - mountPath: "/usr/share/GeoIP"
              name: geoip
      {{- end }}
      additionalContainers:
        - name: "vector"
          image: docker.io/timberio/vector:0.45.0-debian
          args:
            - --watch-config
            - --watch-config-method
            - poll
          livenessProbe:
            httpGet:
              path: /health
              port: vector-api
          volumeMounts:
            - mountPath: "/etc/vector/vector.yaml"
              subPath: "vector.yaml"
              name: vector-config
              readOnly: true
          {{- if .Values.traefik.logs.geoip.enabled }}
            - mountPath: "/usr/share/GeoIP"
              name: geoip
          {{- end }}
          ports:
            - name: vector-api
              containerPort: 8686
              protocol: TCP
            - name: vector-metrics
              containerPort: 9116
              protocol: TCP
      additionalVolumes:
        - name: vector-config
          configMap:
            name: traefik-vector
        {{- if .Values.traefik.logs.geoip.enabled }}
        - name: geoip
          empty: {}
        {{- end }}
      {{- end }}
    hostNetwork: {{ .Values.hostNetwork }}
    updateStrategy:
      rollingUpdate:
@ -43,10 +97,18 @@ spec:
        - IPv6
        - IPv4
    {{- with .Values.traefik.additionalArguments }}
    additionalArguments:
      {{- with .Values.traefik.additionalArguments }}
      {{- toYaml . | nindent 6 }}
-    {{- end }}
+      {{- end }}
      {{- if .Values.traefik.logs.metrics }}
      - --experimental.otlpLogs=true
      - --accesslog=true
      - --accesslog.otlp=true
      - --accesslog.otlp.grpc=true
      - --accesslog.otlp.grpc.endpoint=localhost:4317
      - --accesslog.otlp.grpc.insecure=true
      {{- end }}
    tolerations:
      - key: "CriticalAddonsOnly"
@ -60,6 +122,7 @@ spec:
    priorityClassName: "system-cluster-critical"
    ports:
      metrics:
        port: 9111
@ -80,6 +143,10 @@ spec:
      {{- with .Values.traefik.ports }}
      {{- toYaml . | nindent 6 }}
      {{- end }}
    gateway:
      listeners:
        web:
          port: 80
    {{- if .Values.hostNetwork }}
    podSecurityContext: null
    securityContext:
@ -92,6 +159,8 @@ spec:
      kubernetesIngress:
        publishedService:
          enabled: true
      kubernetesGateway:
        enabled: true
    ingressRoute:
      dashboard:
@ -115,7 +184,7 @@ spec:
        format: "json"
        level: WARN
      access:
-        enabled: {{ toYaml .Values.logs.access }}
+        enabled: {{ toYaml (and .Values.logs.access (not .Values.traefik.logs.metrics)) }}
        format: "json"
    {{- end }}
@ -125,6 +194,7 @@ spec:
        service:
          enabled: true
        serviceMonitor:
          enabled: true
          additionalLabels:
            {{- toYaml $.Values.commons.prometheus.monitor.labels | nindent 12 }}
        {{- end }}
--- a/infra-ingress/templates/traefik/repo.yaml
+++ b/infra-ingress/templates/traefik/repo.yaml
@ -1,6 +1,6 @@
 {{- if (eq .Values.controller "traefik") }}
 ---
-apiVersion: source.toolkit.fluxcd.io/v1beta2
+apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
  name: traefik
--- a/infra-ingress/templates/traefik/vector/configmap.yaml
+++ b/infra-ingress/templates/traefik/vector/configmap.yaml
@ -0,0 +1,117 @@
 {{- if and (eq .Values.controller "traefik") .Values.traefik.logs.metrics }}
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: traefik-vector
 data:
  vector.yaml: |
    api:
      enabled: true
      address: "0.0.0.0:8686"
    {{- if .Values.traefik.logs.geoip.enabled }}
    enrichment_tables:
      geoip:
        type: "geoip"
        path: "/usr/share/GeoIP/geoip-db.mmdb"
        locale: "en"
    {{- end }}
    sources:
      otlp:
        type: opentelemetry
        grpc:
          address: 127.0.0.1:4317
        http:
          address: 127.0.0.1:4318
    transforms:
      {{- with .Values.traefik.logs.additionalTransforms }}
      {{- toYaml . | nindent 6 }}
      {{- end }}
      {{ $input := "otlp.logs" }}
      {{- if .Values.traefik.logs.geoip.enabled }}
      geolookup:
        inputs:
          - "otlp.logs"
        type: "remap"
        source: |
          if ip_cidr_contains!([
            "10.0.0.0/8",
            "100.64.0.0/10",
            "172.16.0.0/12",
            "192.168.0.0/16",
            "fc00::/7",
            ], .attributes.ClientHost) {
              .geoip = {
                "latitude": 0.0,
                "longitude": 0.0,
                "continent_code": "internal",
                "country_code": "internal",
                "country_name": "internal"
              }
          } else {
            .geoip, .err = get_enrichment_table_record("geoip", {"ip": .attributes.ClientHost}, [
              "latitude",
              "longitude",
              "continent_code",
              "country_code",
              "country_name"
            ])
            if .err != null {
              log(.err, level: "error")
            }
            if !exists(.geoip.continent_code) {
              .geoip = {
                "latitude": 0.0,
                "longitude": 0.0,
                "continent_code": "unknown",
                "country_code": "unknown",
                "country_name": "unknown"
              }
            }
          }
          del(.err)
        {{ $input = "geolookup"}}
      {{- end }}
      metrics:
        inputs:
          - {{ $input }}
        type: log_to_metric
        metrics:
          - namespace: "traefik_logs"
            name: "access"
            field: "attributes.RequestHost"
            type: counter
            tags:
              {{`
              host: "{{ attributes.RequestHost }}"
              entryPoint: "{{ attributes.entryPointName }}"
              `}}
              {{- if .Values.traefik.logs.geoip.enabled }}
              {{`
              latitude: "{{ geoip.latitude }}"
              longitude: "{{ geoip.longitude }}"
              continent_code: "{{ geoip.continent_code }}"
              country_code: "{{ geoip.country_code }}"
              country_name: "{{ geoip.country_name }}"
              `}}
              {{- end }}
          {{- with .Values.traefik.logs.additionalMetrics }}
          {{- toYaml . | nindent 10 }}
          {{- end }}
    sinks:
      {{- if .Values.logs.access }}
      console:
        inputs:
          - {{ $input }}
        type: console
        encoding:
          codec: logfmt
      {{- end }}
      {{- with .Values.traefik.logs.additionalSinks }}
      {{- toYaml . | nindent 6 }}
      {{- end }}
      prometheus:
        inputs:
          - metrics
        type: prometheus_exporter
        address: "[::]:9116"
 {{- end }}
--- a/infra-ingress/templates/traefik/vector/podmonitor.yaml
+++ b/infra-ingress/templates/traefik/vector/podmonitor.yaml
@ -0,0 +1,16 @@
 {{- if and (eq .Values.controller "traefik") .Values.traefik.logs.metrics (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/PodMonitor") }}
 apiVersion: monitoring.coreos.com/v1
 kind: PodMonitor
 metadata:
  name: traefik-vector
  labels:
    {{- toYaml .Values.commons.prometheus.monitor.labels | nindent 4 }}
 spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: traefik
      app.kubernetes.io/instance: traefik-ingress
  podMetricsEndpoints:
    - port: vector-metrics
      path: /metrics
 {{- end }}
--- a/infra-ingress/values.yaml
+++ b/infra-ingress/values.yaml
@ -57,4 +57,14 @@ logs:
 traefik:
  ports: {}
  hostPath: /srv/k8s/pv/pvc-traefik-certs
  logs:
    # -- analyse logs to metrics
    metrics: false
    geoip:
      enabled: false
      url: "https://raw.githubusercontent.com/P3TERX/GeoLite.mmdb/download/GeoLite2-City.mmdb"
    # -- you could use the source `otlp.logs` to recieve access-logs and work with them
    additionalTransforms: {}
    additionalMetrics: []
    additionalSinks: {}
  additionalArguments: []
--- a/infra-logging/config/vector.yaml
+++ b/infra-logging/config/vector.yaml
@ -0,0 +1,53 @@
 data_dir: /vector-data-dir
 api:
  enabled: true
  address: 127.0.0.1:8686
  playground: false
 sources:
  kubernetes_logs:
    type: kubernetes_logs
  host_metrics:
    filesystem:
      devices:
        excludes: [binfmt_misc]
      filesystems:
        excludes: [binfmt_misc]
      mountpoints:
        excludes: ["*/proc/sys/fs/binfmt_misc"]
    type: host_metrics
  internal_metrics:
    type: internal_metrics
 transforms:
  logs:
    type: remap
    inputs:
      - kubernetes_logs
    source: |-
      if !exists(.pod_namespace) {
        .pod_namespace = "unknown"
      }
      if !exists(.metadata) {
        .metadata = {
          "not found": "unknown"
        }
      }
 sinks:
  prom_exporter:
    type: prometheus_exporter
    inputs: [host_metrics, internal_metrics]
    address: 0.0.0.0:9090
  {{- if .Values.loki.enabled }}
  loki:
    type: loki
    inputs:
      - logs
    endpoint: http://loki:3100
    encoding:
      codec: logfmt
    labels:
      {{`
      "pod_labels_*": "{{ kubernetes.pod_labels }}"
      "namespace": "{{ kubernetes.pod_namespace }}"
      "*": "{{ metadata }}"
      `}}
  {{- end }}
--- a/infra-logging/templates/configmap_init_crd.yaml
+++ b/infra-logging/templates/configmap_init_crd.yaml
@ -6,9 +6,8 @@ metadata:
  namespace: "{{ .Values.init.namespace }}"
 data:
  {{- if and
-    (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/ServiceMonitor")
+    (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/PodMonitor")
    (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/PrometheusRule")
    (.Capabilities.APIVersions.Has "logging.banzaicloud.io/v1beta1/Flow")
  }}
  init: "-1"
  {{- else }}
--- a/infra-logging/templates/flow/kube-system/coredns.yaml
+++ b/infra-logging/templates/flow/kube-system/coredns.yaml
@ -1,45 +0,0 @@
 {{- if (.Capabilities.APIVersions.Has "logging.banzaicloud.io/v1beta1/Flow") }}
 ---
 apiVersion: logging.banzaicloud.io/v1beta1
 kind: Flow
 metadata:
  name: coredns
  namespace: kube-system
 spec:
  match:
    - select:
        labels:
          k8s-app: "coredns"
  filters:
    - tag_normaliser: {}
    - parser:
        reserve_data: true
        remove_key_name_field: true
        parse:
          type: "multi_format"
          patterns:
            - format: "regexp"
              expression: '^\[(?<log.level>.*)\] \[?(?<source.address>.*)\]?:(?<source.port>.*) - (?<dns.id>.*) "(?<dns.question.type>.*) (?<dns.question.class>.*) (?<dns.question.name>.*)\.? (?<network.transport>.*) (?<coredns.query.size>.*) (?<coredns.dnssec_ok>.*) (?<bufsize>.*)" (?<dns.response_code>.*) (?<dns.header_flags>.*) (?<coredns.response.size>.*) (?<coredns.duration>.*)s'
              types: "source.port:integer,dns.id:integer,coredns.query.size:integer,coredns.dnssec_ok:bool,bufsize:integer,dns.header_flags:array,coredns.response.size:integer,coredns.duration:float"
            - format: "none"
    - record_transformer:
        enable_ruby: true
        records:
          - source.ip: '${ record["source.address"] }'
            dns.header_flags: '${ !(record["dns.header_flags"].nil?) ? record["dns.header_flags"].map(&:upcase) : nil }'
            event.duration: '${ !(record["coredns.duration"].nil?) ? record["coredns.duration"] * 1000000000 : nil }'
            event.kind: "event"
            event.category: "network"
            event.type: "protocol"
            event.outcome: '${ record["dns.response_code"] == "NOERROR" ? "success" : "failure" }'
            event.protocol: "dns"
            event.module: "coredns"
            related.ip: '${ record["source.address"] }'
            # for dashboard
            fileset.name: "kubernetes"
            coredns.query.name: '${ record["dns.question.name"] }'
        remove_keys: "coredns.duration,coredns.dnssec_ok"
  globalOutputRefs:
    - "default"
 {{- end }}
--- a/infra-logging/templates/flow/kube-system/klog.yaml
+++ b/infra-logging/templates/flow/kube-system/klog.yaml
@ -1,52 +0,0 @@
 {{- if (.Capabilities.APIVersions.Has "logging.banzaicloud.io/v1beta1/Flow") }}
 ---
 apiVersion: logging.banzaicloud.io/v1beta1
 kind: Flow
 metadata:
  name: klog
  namespace: kube-system
 spec:
  match:
    - select:
        labels:
          k8s-app: "konnectivity-agent"
    - select:
        labels:
          k8s-app: "kube-proxy"
    - select:
        labels:
          app: "snapshot-validation-webhook"
  filters:
    - tag_normaliser: {}
    - parser:
        hash_value_field: "klog"
        reserve_data: true
        remove_key_name_field: true
        parse:
          type: "multi_format"
          patterns:
            - format: "regexp"
              expression: '(?<log_level>[A-Z])(?<month>\d{2})(?<day>\d{2})\s+(?<time>\d{2}:\d{2}:\d{2}(|\.\d+))\s+(?<threadid>\d+)\s+(?<file>[^ ]*):(?<line>\d+)\]\s("(?<msg>([^"\\]*(?:\\.[^"\\]*)*))"(|\s+(?<kv>.*))|(?<greedy_msg>.*))$'
              types: "month:integer,day:integer,threadid:integer"
            - format: "none"
    - record_transformer:
        enable_ruby: true
        records:
          - timestamp: '${time.strftime("%Y")}-${ record["klog"]["month"] }-${ record["klog"]["day"] }T${ record["klog"]["time"] }Z'
            message: '${ !(record["klog"]["greedy_msg"].nil?) ? record["klog"]["greedy_msg"] : record["klog"]["msg"] }'
            log.level: '${ record["klog"]["log_level"].gsub("I", "info").gsub("W", "warn").gsub("E", "error").gsub("F", "fatal") }'
            klog_kv: '${ !(record["klog"]["kv"].nil?) ? record["klog"]["kv"] : "" }'
        remove_keys: "$['klog']['month'],$['klog']['day'],$['klog']['time'],$['klog']['log_level'],$['klog']['msg'],$['klog']['greedy_msg'],$['klog']['kv']"
    - parser:
        key_name: "klog_kv"
        hash_value_field: "klog.fields"
        reserve_data: true
        remove_key_name_field: true
        parse:
          type: "multi_format"
          patterns:
            - format: "logfmt"
            - format: "none"
  globalOutputRefs:
    - "default"
 {{- end }}
--- a/infra-logging/templates/logging-operator/flow/event-tailer.yaml
+++ b/infra-logging/templates/logging-operator/flow/event-tailer.yaml
@ -1,29 +0,0 @@
 {{- if (.Capabilities.APIVersions.Has "logging.banzaicloud.io/v1beta1/Flow") }}
 ---
 apiVersion: logging.banzaicloud.io/v1beta1
 kind: Flow
 metadata:
  name: event-tailer
 spec:
  match:
    - select:
        labels:
          "app.kubernetes.io/name": "event-tailer"
  filters:
    - tag_normaliser: {}
    - parser:
        hash_value_field: "kubernetes"
        remove_key_name_field: true
        reserve_data: true
        parse:
          type: "json"
    - record_transformer:
        enable_ruby: true
        records:
          - event.module: "kubernetes"
            message: '${ record["kubernetes"]["event"]["message"] }'
        remove_keys: "$['kubernetes']['event']['message']"
  globalOutputRefs:
    - "default"
 {{- end }}
--- a/infra-logging/templates/logging-operator/flow/fluentbit.yaml
+++ b/infra-logging/templates/logging-operator/flow/fluentbit.yaml
@ -1,36 +0,0 @@
 {{- if (.Capabilities.APIVersions.Has "logging.banzaicloud.io/v1beta1/Flow") }}
 ---
 apiVersion: logging.banzaicloud.io/v1beta1
 kind: Flow
 metadata:
  name: fluentbit
 spec:
  match:
    - select:
        labels:
          "app.kubernetes.io/name": "fluentbit"
  filters:
    - tag_normaliser: {}
    - parser:
        hash_value_field: "fluentbit"
        reserve_data: true
        remove_key_name_field: true
        parse:
          type: "regexp"
          expression: '^\[(?<timestamp>.*)\] \[(?<log.level>.*)\] \[(?<component>.*)\] (?<message>.*)'
          types: "timestamp:string,log.level:string,component:string,message:string"
          time_key: "timestamp"
          time_type: "string"
          time_format: "%Y/%m/%d %H:%M:%S"
    - record_transformer:
        enable_ruby: true
        records:
          - event.kind: "event"
            event.module: "fluentbit"
            message: '${record["fluentbit"]["message"]}'
            log.level: '${record["fluentbit"]["log.level"]}'
        remove_keys: "$['fluentbit']['log']['level'],$['fluentbit']['message']"
  globalOutputRefs:
    - default
 {{- end }}
--- a/infra-logging/templates/logging-operator/flow/logging-operator.yaml
+++ b/infra-logging/templates/logging-operator/flow/logging-operator.yaml
@ -1,34 +0,0 @@
 {{- if (.Capabilities.APIVersions.Has "logging.banzaicloud.io/v1beta1/Flow") }}
 ---
 apiVersion: logging.banzaicloud.io/v1beta1
 kind: Flow
 metadata:
  name: logging-operator
 spec:
  match:
    - select:
        labels:
          "app.kubernetes.io/name": "logging-operator"
  filters:
    - tag_normaliser: {}
    - parser:
        hash_value_field: "logging-operator"
        reserve_data: true
        remove_key_name_field: true
        parse:
          type: "json"
          time_key: "ts"
          time_type: "string"
          time_format: "%iso8601"
    - record_transformer:
        enable_ruby: true
        records:
          - event.kind: "event"
            event.module: "logging-operator"
            message: '${record["logging-operator"]["msg"]}'
            log.level: '${record["logging-operator"]["level"]}'
        remove_keys: "$['logging-operator']['level'],$['logging-operator']['msg']"
  globalOutputRefs:
    - default
 {{- end }}
--- a/infra-logging/templates/logging-operator/release.yaml
+++ b/infra-logging/templates/logging-operator/release.yaml
@ -1,202 +0,0 @@
 ---
 apiVersion: helm.toolkit.fluxcd.io/v2beta2
 kind: HelmRelease
 metadata:
  name: logging-operator
 spec:
  chart:
    spec:
      sourceRef:
        kind: HelmRepository
        name: kube-logging
      chart: logging-operator
  install:
    {{- toYaml .Values.commons.helm.release.install | nindent 4 }}
  test:
    {{- toYaml .Values.commons.helm.release.test | nindent 4 }}
  upgrade:
    {{- toYaml .Values.commons.helm.release.upgrade | nindent 4 }}
  driftDetection:
    {{- toYaml .Values.commons.helm.release.driftDetection | nindent 4 }}
  interval: 10m
  values:
    monitoring:
      serviceMonitor:
        enabled: {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/ServiceMonitor") }}
        additionalLabels:
          {{- toYaml .Values.commons.prometheus.monitor.labels | nindent 10 }}
    # resources for logging-operator
    resources:
      limits:
        memory: 3Gi
      requests:
        cpu: 100m
        memory: 128Mi
    logging:
      enabled: true
      # fluentbit is used to collect data on nodes (so it is usefull to use hostPath)
      fluentbit:
        bufferStorageVolume:
          hostPath:
            path: "/var/lib/kube-logging/fluentbit/buffer"
        positiondb:
          hostPath:
            path: "/var/lib/kube-logging/fluentbit/positiondb"
        metrics:
          prometheusRules: {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/PrometheusRule") }}
          serviceMonitor: {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/ServiceMonitor") }}
          serviceMonitorConfig:
            additionalLabels:
              {{- toYaml .Values.commons.prometheus.monitor.labels | nindent 14 }}
      # fluentd is used to recieve data from fluentbit, filter (e.g. parse, grep) and forward output (e.g. loki)
      fluentd:
        scaling:
          replicas: {{ .Values.fluentd.replicas }}
        # resources for fluentd
        resources:
          limits:
            memory: "2400M"
          requests:
            cpu: "500m"
            memory: "200M"
        metrics:
          prometheusRules: {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/PrometheusRule") }}
          serviceMonitor: {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/ServiceMonitor") }}
          serviceMonitorConfig:
            additionalLabels:
              {{- toYaml .Values.commons.prometheus.monitor.labels | nindent 14 }}
        bufferVolumeMetrics:
          prometheusRules: {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/PrometheusRule") }}
          serviceMonitor: {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/ServiceMonitor") }}
          serviceMonitorConfig:
            additionalLabels:
              {{- toYaml .Values.commons.prometheus.monitor.labels | nindent 14 }}
      tls:
        # make problems on reinstall (maybe try it sometime again)
        enabled: false
      # allow clusteroutput from flow in other namespace
      allowClusterResourcesFromAllNamespaces: true
      enableRecreateWorkloadOnImmutableFieldChange: true
      # log kubernetes events
      eventTailer:
        name: "default"
      # forward errors to output
      errorOutputRef: "default"
      # if no (cluster)flow exits for pods:
      #  filter: drop log messages if they contains "debug"
      #  send logs: clusterOutput "default"
      defaultFlow:
        filters:
          - grep:
              exclude:
                - key: "message"
                  pattern: /.*[Dd]ebug.*/
          - prometheus:
              metrics:
                - name: "logs_defaultflow_count"
                  desc: "The total number of message in namespace"
                  type: "counter"
              labels:
                exported_namespace: "$.kubernetes.namespace_name"
                exported_pod: "$.kubernetes.pod_name"
                exported_container: "$.kubernetes.container_name"
                image: "$.kubernetes.container_image"
                app_kubernetes_io_name: "$['kubernetes']['labels']['app.kubernetes.io/name']"
                app_kubernetes_io_instance: "$['kubernetes']['labels']['app.kubernetes.io/instance']"
        globalOutputRefs:
          - "default"
      # usefull on elastic e.g. with dedot
      globalFilters:
        - prometheus:
            metrics:
              - name: "logs_all_count"
                desc: "The total number of messages in namespace"
                type: "counter"
            labels:
              exported_namespace: "$.kubernetes.namespace_name"
              exported_pod: "$.kubernetes.pod_name"
              exported_container: "$.kubernetes.container_name"
              image: "$.kubernetes.container_image"
              app_kubernetes_io_name: "$['kubernetes']['labels']['app.kubernetes.io/name']"
              app_kubernetes_io_instance: "$['kubernetes']['labels']['app.kubernetes.io/instance']"
      # deploy a clusteroutput (which all flows can use)
      clusterOutputs:
        - name: "default"
          spec:
            {{- if .Values.loki.enabled }}
            # for loki:
            # https://kube-logging.dev/docs/configuration/plugins/outputs/loki/
            loki:
              url: http://loki:3100
              buffer:
                timekey: 1m
                timekey_wait: 30s
                timekey_use_utc: true
              # do not use configure_kubernetes_labels strip other kubernetes labels
              extract_kubernetes_labels: true
              labels:
                # from configure_kubernetes_labels reimplement
                host: $.kubernetes.host
                namespace: $.kubernetes.namespace_name
                pod: $.kubernetes.pod_name
                pod_id: $.kubernetes.pod_id
                container: $.kubernetes.container_name
                container_id: $.kubernetes.docker_id
            {{- else }}
            nullout: {}
            {{- end }}
      # add some usefull default clusterFlows
      clusterFlows:
        # parse all data with logfmt of pod which contain label: kube_logging_parser=logfmt (and send to ClusterOutput default)
        - name: logfmt
          spec:
            filters:
              - parser:
                  reserve_data: true
                  remove_key_name_field: true
                  hash_value_field: "logfmt"
                  parse:
                    type: "multi_format"
                    patterns:
                      - format: "logfmt"
                      # fallback, just keep data unparsed
                      - format: "none"
            match:
              - select:
                  labels:
                    "kube_logging_parser": "logfmt"
            globalOutputRefs:
              - "default"
        # parse all data with json of pod which contain label: kube_logging_parser=json (and send to ClusterOutput default)
        - name: json
          spec:
            filters:
              - parser:
                  reserve_data: true
                  remove_key_name_field: true
                  hash_value_field: "json"
                  parse:
                    type: "multi_format"
                    patterns:
                      - format: "json"
                      # fallback, just keep data unparsed
                      - format: "none"
            match:
              - select:
                  labels:
                    "kube_logging_parser": "json"
            globalOutputRefs:
              - "default"
--- a/infra-logging/templates/logging-operator/repo.yaml
+++ b/infra-logging/templates/logging-operator/repo.yaml
@ -1,9 +0,0 @@
 ---
 apiVersion: source.toolkit.fluxcd.io/v1beta2
 kind: HelmRepository
 metadata:
  name: kube-logging
 spec:
  url: oci://ghcr.io/kube-logging/helm-charts
  type: oci
  interval: 10m
--- a/infra-logging/templates/loki/release.yaml
+++ b/infra-logging/templates/loki/release.yaml
@ -1,6 +1,6 @@
 {{- if .Values.loki.enabled }}
 ---
-apiVersion: helm.toolkit.fluxcd.io/v2beta2
+apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
  name: loki
@ -12,11 +12,11 @@ spec:
        name: grafana
      chart: loki
  install:
-    {{- toYaml .Values.commons.helm.release.install | nindent 4 }}
+    {{- deepCopy .Values.commons.helm.release.install | merge (dict "crds" "Skip") | toYaml | nindent 4 }}
  test:
    {{- toYaml .Values.commons.helm.release.test | nindent 4 }}
  upgrade:
-    {{- toYaml .Values.commons.helm.release.upgrade | nindent 4 }}
+    {{- deepCopy .Values.commons.helm.release.upgrade | merge (dict "crds" "Skip") | toYaml | nindent 4 }}
  driftDetection:
    {{- toYaml .Values.commons.helm.release.driftDetection | nindent 4 }}
  interval: 10m
@ -47,6 +47,7 @@ spec:
              period: 24h
    monitoring:
      dashboards:
        enabled: true
        labels:
          {{- toYaml .Values.commons.grafana.dashboards.labels | nindent 10 }}
        annotations:
@ -59,14 +60,14 @@ spec:
        enabled: {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/ServiceMonitor") }}
        labels:
          {{- toYaml .Values.commons.prometheus.monitor.labels | nindent 10 }}
-      metricsInstance:
+        metricsInstance:
-        enabled: false
+          enabled: false
      selfMonitoring:
        enabled: false
        grafanaAgent:
          installOperator: false
-      lokiCanary:
+    lokiCanary:
-        enabled: false
+      enabled: false
    test:
      enabled: false
    gateway:
--- a/infra-logging/templates/loki/repo.yaml
+++ b/infra-logging/templates/loki/repo.yaml
@ -1,6 +1,6 @@
 {{- if .Values.loki.enabled }}
 ---
-apiVersion: source.toolkit.fluxcd.io/v1beta2
+apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
  name: grafana
--- a/infra-logging/templates/vector/configmap.yaml
+++ b/infra-logging/templates/vector/configmap.yaml
@ -0,0 +1,6 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: vector
 data:
  vector.yaml: {{ tpl (.Files.Get "config/vector.yaml" ) . | quote }}
--- a/infra-logging/templates/vector/prometheus-rule.yaml
+++ b/infra-logging/templates/vector/prometheus-rule.yaml
@ -0,0 +1,25 @@
 {{- if (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/PrometheusRule") }}
 {{- $filter := printf `namespace="%s",job="vector"` .Release.Namespace }}
 {{- $without := "instance,endpoint,container,pod,job,host" }}
 ---
 apiVersion: "monitoring.coreos.com/v1"
 kind: "PrometheusRule"
 metadata:
  name: "vector"
  labels:
    {{- toYaml .Values.commons.prometheus.rules.labels | nindent 4 }}
 spec:
  groups:
    - name: "Vector"
      rules:
        - alert: "Log-Collector: Component Errors"
          expr: 'sum(increase(vector_component_errors_total{ {{ $filter }} }[1h])) without ({{ $without }}) > 0'
          for: "1m"
          labels:
            severity: "warning"
          annotations:
            {{`
            summary: "{{ $labels.component_kind }} {{ $labels.component_id }} ({{ $labels.component_type }}) has {{ $labels.error_type }} in stage {{ $labels.stage  }}"
            `}}
 {{- end }}{{/* end-if */}}
--- a/infra-logging/templates/vector/release.yaml
+++ b/infra-logging/templates/vector/release.yaml
@ -0,0 +1,42 @@
 ---
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
  name: vector-agent
 spec:
  chart:
    spec:
      sourceRef:
        kind: HelmRepository
        name: vector
      chart: vector
  install:
    {{- toYaml .Values.commons.helm.release.install | nindent 4 }}
  test:
    {{- toYaml .Values.commons.helm.release.test | nindent 4 }}
  upgrade:
    {{- toYaml .Values.commons.helm.release.upgrade | nindent 4 }}
  driftDetection:
    {{- toYaml .Values.commons.helm.release.driftDetection | nindent 4 }}
  interval: 10m
  values:
    role: Agent
    updateStrategy:
      maxSurge: 1
    dataDir: "/vector-data-dir"
    logLevel: "warn"
    existingConfigMaps:
      - vector
    containerPorts:
      - name: prom-exporter
        containerPort: 9090
        protocol: TCP
    service:
      ports:
        - name: prom-exporter
          port: 9090
          protocol: TCP
    podMonitor:
      enabled: {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/PodMonitor") }}
      additionalLabels:
        {{- toYaml .Values.commons.prometheus.monitor.labels | nindent 10 }}
--- a/infra-logging/templates/vector/repo.yaml
+++ b/infra-logging/templates/vector/repo.yaml
@ -0,0 +1,8 @@
 ---
 apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
  name: vector
 spec:
  url: https://helm.vector.dev
  interval: 10m
--- a/infra-logging/values.yaml
+++ b/infra-logging/values.yaml
@ -45,8 +45,5 @@ grafana:
    # -- annotations of grafana dashboard configmap
    annotations: {}
 fluentd:
  replicas: 1
 loki:
  enabled: true
--- a/infra-monitoring/templates/alertmanager/authentik-application.yaml
+++ b/infra-monitoring/templates/alertmanager/authentik-application.yaml
@ -3,7 +3,7 @@
  .Values.alertmanager.ingress.enabled
 }}
 ---
-apiVersion: helm.toolkit.fluxcd.io/v2beta2
+apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
  name: authentik-application-alertmanager
--- a/infra-monitoring/templates/alertmanager/matrix/release.yaml
+++ b/infra-monitoring/templates/alertmanager/matrix/release.yaml
@ -1,7 +1,7 @@
 {{- with .Values.alertmanager.receiver.matrix }}
 {{- if .enabled }}
 ---
-apiVersion: helm.toolkit.fluxcd.io/v2beta2
+apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
  name: "alertmanager-matrix"
@ -35,6 +35,7 @@ spec:
    bot:
      matrix:
        homeserver: {{ .homeserver | quote }}
        messageType: {{ .messageType | quote }}
        userID: {{ .userID | quote }}
        rooms:
          - {{ .default | quote }}
--- a/infra-monitoring/templates/alertmanager/ntfy/release.yaml
+++ b/infra-monitoring/templates/alertmanager/ntfy/release.yaml
@ -1,7 +1,7 @@
 {{- with .Values.alertmanager.receiver.ntfy }}
 {{- if .enabled }}
 ---
-apiVersion: helm.toolkit.fluxcd.io/v2beta2
+apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
  name: "alertmanager-ntfy"
--- a/infra-monitoring/templates/exporter/blackbox/release.yaml
+++ b/infra-monitoring/templates/exporter/blackbox/release.yaml
@ -1,6 +1,6 @@
 {{- if .Values.prometheus.exporter.blackbox.enabled }}
 ---
-apiVersion: helm.toolkit.fluxcd.io/v2beta1
+apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
  name: prometheus-blackbox-exporter
--- a/infra-monitoring/templates/grafana/authentik-application.yaml
+++ b/infra-monitoring/templates/grafana/authentik-application.yaml
@ -3,7 +3,7 @@
  .Values.grafana.ingress.enabled
 }}
 ---
-apiVersion: helm.toolkit.fluxcd.io/v2beta2
+apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
  name: authentik-application-grafana
--- a/infra-monitoring/templates/karma/authentik-application.yaml
+++ b/infra-monitoring/templates/karma/authentik-application.yaml
@ -3,7 +3,7 @@
  .Values.karma.enabled
 }}
 ---
-apiVersion: helm.toolkit.fluxcd.io/v2beta2
+apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
  name: authentik-application-karma
--- a/infra-monitoring/templates/karma/release.yaml
+++ b/infra-monitoring/templates/karma/release.yaml
@ -1,6 +1,6 @@
 {{- if .Values.karma.enabled }}
 ---
-apiVersion: helm.toolkit.fluxcd.io/v2beta2
+apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
  name: karma
--- a/infra-monitoring/templates/karma/repo.yaml
+++ b/infra-monitoring/templates/karma/repo.yaml
@ -1,5 +1,5 @@
 ---
-apiVersion: source.toolkit.fluxcd.io/v1beta2
+apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
  name: wiremind
--- a/infra-monitoring/templates/kube-prometheus-stack/release.yaml
+++ b/infra-monitoring/templates/kube-prometheus-stack/release.yaml
@ -1,5 +1,5 @@
 ---
-apiVersion: helm.toolkit.fluxcd.io/v2beta2
+apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
  name: kube-prometheus-stack
@ -40,12 +40,6 @@ spec:
    defaultRules:
      rules:
        kubeProxy: false
        # just parts:
        # kubernetesApps: false
      disabled:
        KubePodNotReady: true
        KubePodCrashLooping: true
        KubeContainerWaiting: true
    prometheus:
      {{- $hostPrometheus := .Values.prometheus.ingress.host | default (printf "prometheus.%s" .Values.commons.ingress.domain) }}
@ -232,7 +226,7 @@ spec:
          searchNamespace: ALL
      serviceMonitor:
-        enabled: true
+        enabled: {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/ServiceMonitor") }}
        labels:
          prometheus: default
--- a/infra-monitoring/templates/prometheus/authentik-application.yaml
+++ b/infra-monitoring/templates/prometheus/authentik-application.yaml
@ -3,7 +3,7 @@
  .Values.prometheus.ingress.enabled
 }}
 ---
-apiVersion: helm.toolkit.fluxcd.io/v2beta2
+apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
  name: authentik-application-prometheus
--- a/infra-monitoring/templates/repo.yaml
+++ b/infra-monitoring/templates/repo.yaml
@ -1,5 +1,5 @@
 ---
-apiVersion: source.toolkit.fluxcd.io/v1beta2
+apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
  name: prometheus-community
--- a/infra-monitoring/templates/tempo/release.yaml
+++ b/infra-monitoring/templates/tempo/release.yaml
@ -1,6 +1,6 @@
 {{- if .Values.tempo.enabled }}
 ---
-apiVersion: helm.toolkit.fluxcd.io/v2beta1
+apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
  name: tempo
--- a/infra-monitoring/templates/tempo/repo.yaml
+++ b/infra-monitoring/templates/tempo/repo.yaml
@ -1,6 +1,6 @@
 {{- if .Values.tempo.enabled }}
 ---
-apiVersion: source.toolkit.fluxcd.io/v1beta2
+apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
  name: grafana
--- a/infra-monitoring/values.yaml
+++ b/infra-monitoring/values.yaml
@ -98,10 +98,13 @@ alertmanager:
      sendResolved: false
      homeserver: "https://matrix.org"
      userID: "@alert:matrix.org"
      # -- message type of alerts in matrix
      messageType: "m.notice"
      # -- token of matrix reciever (use valuesFrom in flux for it)
      token: ""
      # -- default room (additional rooms are possible)
      default: "!example-room:matrix.org"
-      #
+      # -- additional rooms
      rooms: {}
      # room-name:
      #   - room: "!example-room-name:matrix.org"
--- a/infra-trivy/templates/release.yaml
+++ b/infra-trivy/templates/release.yaml
@ -1,5 +1,5 @@
 ---
-apiVersion: helm.toolkit.fluxcd.io/v2beta2
+apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
  name: trivy-operator
--- a/infra-trivy/templates/repo.yaml
+++ b/infra-trivy/templates/repo.yaml
@ -1,5 +1,5 @@
 ---
-apiVersion: source.toolkit.fluxcd.io/v1beta2
+apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
  name: aqua
--- a/mycloud-authentik/Chart.yaml
+++ b/mycloud-authentik/Chart.yaml
@ -6,4 +6,4 @@ maintainers:
  - name: WrenIX
    url: https://wrenix.eu
-version: 0.1.0
+version: 0.1.1
--- a/mycloud-authentik/README.md
+++ b/mycloud-authentik/README.md
@ -7,7 +7,7 @@ description: "A mycloud components using authentik (for central authentification
 # mycloud-authentik
-![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+![Version: 0.1.1](https://img.shields.io/badge/Version-0.1.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
 A mycloud components using authentik (for central authentification using SSO)
--- a/mycloud-authentik/blueprints/tenant.gotmpl
+++ b/mycloud-authentik/blueprints/tenant.gotmpl
@ -2,16 +2,22 @@ version: 1
 metadata:
  name: myCloud - tenant
 entries:
-  - model: authentik_tenants.tenant
+  - model: authentik_brands.Brand
    identifiers:
      domain: "authentik-default"
    state: present
    attrs:
      {{- with .Values.commons.theme }}
-      branding_title: {{ .title }}
+      {{- with .title }}
-      branding_logo: {{ .logo }}
+      branding_title: {{ . | quote }}
      branding_favicon: {{ .favicon }}
      {{- end }}
      {{- with .logo }}
      branding_logo: {{ . | quote }}
      {{- end }}
      {{- with .favicon }}
      branding_favicon: {{ . | quote }}
      {{- end }}
      {{- end }}{{/* end-with .commons.theme */}}
      {{- with .Values.theme.background }}
      attributes:
        settings:
--- a/mycloud-authentik/templates/release.yaml
+++ b/mycloud-authentik/templates/release.yaml
@ -1,5 +1,5 @@
 ---
-apiVersion: helm.toolkit.fluxcd.io/v2beta2
+apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
  name: "{{ .Release.Name }}-hr"
@ -83,6 +83,7 @@ spec:
    server:
      metrics:
        enabled: {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/ServiceMonitor") }}
        serviceMonitor:
          enabled: {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/ServiceMonitor") }}
          labels:
@ -132,12 +133,6 @@ spec:
        {{- end }}
    worker:
      metrics:
        serviceMonitor:
          enabled: {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/ServiceMonitor") }}
          labels:
            {{- toYaml .Values.commons.prometheus.monitor.labels | nindent 12 }}
      serviceAccountName: {{ .Release.Name }}
      extraContainers:
        - name: sidecar-blueprints
--- a/mycloud-authentik/templates/repo.yaml
+++ b/mycloud-authentik/templates/repo.yaml
@ -1,5 +1,5 @@
 ---
-apiVersion: source.toolkit.fluxcd.io/v1beta2
+apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
  name: "{{ .Release.Name }}-hr"
--- a/mycloud-collabora/Chart.yaml
+++ b/mycloud-collabora/Chart.yaml
@ -6,4 +6,4 @@ maintainers:
  - name: WrenIX
    url: https://wrenix.eu
-version: 0.1.0
+version: 0.1.2
--- a/mycloud-collabora/README.md
+++ b/mycloud-collabora/README.md
@ -7,7 +7,7 @@ description: "myCloud component to setup collabora"
 # mycloud-collabora
-![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+![Version: 0.1.2](https://img.shields.io/badge/Version-0.1.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
 myCloud component to setup collabora
@ -52,6 +52,13 @@ myCloud component to setup collabora
 |-----|------|---------|-------------|
 | commons.masterPassword | string | `"CHANGEME"` | masterPassword to generate secrets |
 ### Remote font
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | remoteFont.enabled | bool | `true` | remote font setup |
 | remoteFont.url | string | `nil` | url to remote font default (set to nextcloud) |
 ### Other Values
 | Key | Type | Default | Description |
--- a/mycloud-collabora/templates/release.yaml
+++ b/mycloud-collabora/templates/release.yaml
@ -1,5 +1,5 @@
 ---
-apiVersion: helm.toolkit.fluxcd.io/v2beta2
+apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
  name: "{{ .Release.Name }}-hr"
@ -30,7 +30,20 @@ spec:
    collabora:
      username: collabora-admin
      password: {{ .Values.adminPassword | default (derivePassword 1 "long" .Values.commons.masterPassword "nextcloud" "admin_password") | quote }}
-      extra_params: --o:user_interface.mode=tabbed --o:ssl.termination=true --o:ssl.enable=false
+      extra_params: >
        --o:user_interface.mode=tabbed
        --o:ssl.enable=false
        --o:ssl.termination=true
        --o:fetch_update_check=0
        {{- if .Values.remoteFont.enabled }}
        {{- with .Values.remoteFont.url }}
        --o:remote_font_config.url={{ . }}
        {{- else }}
        --o:remote_font_config.url=https://fs.{{ .Values.commons.ingress.domain }}/apps/richdocuments/settings/fonts.json
        {{- end }}
        {{- end }}
        --o:net.proto=all
      server_name: {{ $host | quote }}
      aliasgroups:
        {{- range $host, $aliases := .Values.allowedHosts }}
@ -81,3 +94,26 @@ spec:
          {{- toYaml .Values.commons.grafana.dashboards.labels | nindent 10 }}
        annotations:
          {{- toYaml .Values.commons.grafana.dashboards.annotations | nindent 10 }}
    serviceAccount:
      create: true
    podSecurityContext:
      fsGroup: 100
    securityContext:
      allowPrivilegeEscalation: true
      privileged: false
      readOnlyRootFilesystem: false
      runAsNonRoot: true
      runAsUser: 100
      runAsGroup: 101
      seccompProfile:
        type: "RuntimeDefault"
      capabilities:
        drop:
          - "ALL"
        add:
          - "CHOWN"
          - "FOWNER"
          - "SYS_CHROOT"
--- a/mycloud-collabora/templates/repo.yaml
+++ b/mycloud-collabora/templates/repo.yaml
@ -1,5 +1,5 @@
 ---
-apiVersion: source.toolkit.fluxcd.io/v1beta2
+apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
  name: {{ .Release.Name }}-repo
--- a/mycloud-collabora/values.yaml
+++ b/mycloud-collabora/values.yaml
@ -84,6 +84,15 @@ ingress:
 # -- adminPassword to access collabora admin platform
 adminPassword:
 remoteFont:
  # -- remote font setup
  # @section -- Remote font
  enabled: true
  # -- url to remote font
  # default (set to nextcloud)
  # @section -- Remote font
  url:
 # -- allowed host to use this collabora instance
 # if not set we allow defaults (like nextcloud)
 # example:
--- a/mycloud-firefly-iii/templates/authentik-application.yaml
+++ b/mycloud-firefly-iii/templates/authentik-application.yaml
@ -1,5 +1,5 @@
 ---
-apiVersion: helm.toolkit.fluxcd.io/v2beta2
+apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
  name: {{ .Release.Name }}-auth
--- a/mycloud-firefly-iii/templates/release.yaml
+++ b/mycloud-firefly-iii/templates/release.yaml
@ -1,5 +1,5 @@
 ---
-apiVersion: helm.toolkit.fluxcd.io/v2beta2
+apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
  name: "{{ .Release.Name }}-hr"
--- a/mycloud-firefly-iii/templates/repo.yaml
+++ b/mycloud-firefly-iii/templates/repo.yaml
@ -1,5 +1,5 @@
 ---
-apiVersion: source.toolkit.fluxcd.io/v1beta2
+apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
  name: {{ .Release.Name }}-repo
--- a/mycloud-git-small/.helmignore
+++ b/mycloud-git-small/.helmignore
@ -0,0 +1,23 @@
 # Patterns to ignore when building packages.
 # This supports shell glob matching, relative path matching, and
 # negation (prefixed with !). Only one pattern per line.
 .DS_Store
 # Common VCS dirs
 .git/
 .gitignore
 .bzr/
 .bzrignore
 .hg/
 .hgignore
 .svn/
 # Common backup files
 *.swp
 *.bak
 *.tmp
 *.orig
 *~
 # Various IDEs
 .project
 .idea/
 *.tmproj
 .vscode/
--- a/mycloud-git-small/Chart.yaml
+++ b/mycloud-git-small/Chart.yaml
@ -0,0 +1,9 @@
 apiVersion: v2
 name: mycloud-git-small
 description: myCloud component to setup forgjo and codeberg
 type: application
 maintainers:
  - name: WrenIX
    url: https://wrenix.eu
 version: 0.0.1
--- a/mycloud-git-small/README.md
+++ b/mycloud-git-small/README.md
@ -0,0 +1,133 @@
 ---
 title: "mycloud-git-small"
 description: "myCloud component to setup forgjo and codeberg"
 ---
 # mycloud-git-small
 ![Version: 0.0.1](https://img.shields.io/badge/Version-0.0.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
 myCloud component to setup forgjo and codeberg
 ## Maintainers
 | Name | Email | Url |
 | ---- | ------ | --- |
 | WrenIX |  | <https://wrenix.eu> |
 ## Values
 ### Commons
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | commons.auth.host | string | `nil` | default auth.(.Values.commons.ingress.domain) |
 | commons.masterPassword | string | `"CHANGEME"` | masterPassword to generate secrets |
 ### Commons Monitoring
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | commons.grafana.dashboards.annotations | string | `nil` | annotations of grafana dashboard configmap |
 | commons.grafana.dashboards.labels | object | `{"grafana_dashboard":"1"}` | labels of grafana dashboard configmap |
 | commons.prometheus.monitor.labels | object | `{}` | labels on Pod- and Service-Monitor |
 | commons.prometheus.rules.labels | object | `{}` | labels on PrometheusRules |
 ### Commons helm release
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | commons.helm.release.driftDetection | object | `{}` | driftDetection of FluxCD HelmRelease |
 | commons.helm.release.install | object | `{}` | install of FluxCD HelmRelease |
 | commons.helm.release.test | object | `{}` | test of FluxCD HelmRelease |
 | commons.helm.release.upgrade | object | `{}` | upgrade of FluxCD HelmRelease |
 ### Commons Ingress
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | commons.ingress.annotations | object | `{"cert-manager.io/cluster-issuer":"letsencrypt-prod"}` | annotations for all ingress objects |
 | commons.ingress.domain | string | `"wrenix.eu"` | top domain for all services |
 | commons.ingress.tls.enabled | bool | `true` | tls on every ingress |
 | commons.ingress.tls.override | list | `[]` | use own definition of tls (e.g. for own or wildcard certificate) |
 ### Commons mail
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | commons.mail.from | string | `nil` | send from address |
 | commons.mail.host | string | `""` | smtp server |
 | commons.mail.password | string | `""` | smtp password |
 | commons.mail.use_ssl | bool | `false` | smtp server use ssl |
 | commons.mail.use_tls | bool | `false` | smtp server use start tls |
 | commons.mail.username | string | `""` | smtp username |
 ### Commons Persistence
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | commons.persistence.hostPath.enabled | bool | `false` | use hostPath instatt of PVC |
 | commons.persistence.hostPath.prefix | string | `"/var/lib/mycloud"` | use hostPath under the following path |
 | commons.persistence.storageClass | string | `nil` | storageClass of PVC |
 ### Commons theme
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | commons.theme.favicon | string | `"/static/dist/assets/icons/icon.png"` | favicon everywhere |
 | commons.theme.logo | string | `"/static/dist/assets/icons/icon_left_brand.svg"` | logo everywhere |
 | commons.theme.title | string | `"myCloud"` | title everywhere |
 ### Commons Tracing
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | commons.tracing.enabled | bool | `false` | enable tracing on all components |
 | commons.tracing.grpc.enabled | bool | `true` | prefer grpc over http |
 | commons.tracing.grpc.endpoint | string | `"tempo.monitoring.svc:4317"` | grpc endpoint |
 | commons.tracing.grpc.insecure | bool | `true` | allow insecure connection per grpc |
 | commons.tracing.http.endpoint | string | `"http://tempo.monitoring.svc:4318/v1/traces"` | http endpoint |
 ### Other Values
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | auth.clientID | string | `nil` | OIDC client id (default: "mycloud-git-small"-forgejo) |
 | auth.clientSecret | string | `nil` | generated by .Values.commons.masterPassword |
 | commons.networkpolicies.enabled | bool | `false` |  |
 | commons.networkpolicies.from.ingress | list | `[]` |  |
 | commons.networkpolicies.from.metrics | list | `[]` |  |
 | commons.networkpolicies.to.database | list | `[]` |  |
 | commons.networkpolicies.to.dns | list | `[]` |  |
 | commons.networkpolicies.to.k8sAPI.ports[0].port | int | `6443` |  |
 | commons.networkpolicies.to.k8sAPI.ports[0].protocol | string | `"TCP"` |  |
 | commons.networkpolicies.to.k8sAPI.to | list | `[]` |  |
 | databases.forgejo.host | string | `"mycloud-services-postgresql"` | default is from mysql-services |
 | databases.forgejo.name | string | `"git-forgejo"` |  |
 | databases.forgejo.password | string | `nil` | generated by .Values.commons.masterPassword (equal to mycloud-services) |
 | databases.forgejo.username | string | `"git-forgejo"` |  |
 | databases.woodpecker.host | string | `"mycloud-services-postgresql"` | default is from mysql-services |
 | databases.woodpecker.name | string | `"git-woodpecker"` |  |
 | databases.woodpecker.password | string | `nil` | generated by .Values.commons.masterPassword (equal to mycloud-services) |
 | databases.woodpecker.username | string | `"git-woodpecker"` |  |
 | forgejo | string | `nil` |  |
 | ingress.forgejo.annotations | string | `nil` |  |
 | ingress.forgejo.host | string | `nil` | default: git.(Values.commons.ingress.domain) |
 | ingress.woodpecker.annotations | string | `nil` |  |
 | ingress.woodpecker.host | string | `nil` | default: ci.(Values.commons.ingress.domain) |
 | init.namespace | string | `"bases"` |  |
 | init.version | int | `0` |  |
 | mail.from | string | `nil` | generade by Values.commons.mail.from |
 | mail.host | string | `nil` | default Values.commons.mail.host |
 | persistence.forgejo.size | string | `"16Gi"` |  |
 | persistence.forgejo.storageClass | string | `nil` |  |
 | traefik.enabled | bool | `true` |  |
 | woodpecker.admins | list | `[]` | admins of woodpecker (manage manuelle) |
 | woodpecker.auth.clientID | string | `""` | need to be manuelle set, after setup on forgejo |
 | woodpecker.auth.clientSecret | string | `""` | need to be manuelle set, after setup on forgejo |
 | woodpecker.jobs.namespace.create | bool | `true` |  |
 | woodpecker.jobs.namespace.name | string | `"woodpecker"` |  |
 Autogenerated from chart metadata using [helm-docs](https://github.com/norwoodj/helm-docs)
--- a/mycloud-git-small/_docs.gotmpl
+++ b/mycloud-git-small/_docs.gotmpl
--- a/mycloud-git-small/templates/authentik-application.yaml
+++ b/mycloud-git-small/templates/authentik-application.yaml
@ -0,0 +1,73 @@
 {{ $name := printf "%s-forgejo" .Release.Name }}
 ---
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
  name: {{ .Release.Name }}-auth
 spec:
  chart:
    spec:
      sourceRef:
        kind: GitRepository
        name: "wrenix-helm-charts"
        namespace: "flux-system"
      chart: "./authentik-application"
      reconcileStrategy: "Revision"
  install:
    {{- toYaml .Values.commons.helm.release.install | nindent 4 }}
  test:
    {{- toYaml .Values.commons.helm.release.test | nindent 4 }}
  upgrade:
    {{- toYaml .Values.commons.helm.release.upgrade | nindent 4 }}
  driftDetection:
    {{- toYaml .Values.commons.helm.release.driftDetection | nindent 4 }}
  interval: 10m
  values:
    {{- $host := .Values.ingress.host | default (printf "git.%s" .Values.commons.ingress.domain) }}
    blueprint:
      authentik:
        domain: "https://{{ .Values.commons.auth.host | default (printf "auth.%s" .Values.commons.ingress.domain) }}"
      provider:
        type: "oidc"
        name: {{ $name }}
        oidc:
          clientType: "confidential"
          redirectURL: "https://{{ $host }}/user/oauth2/authentik/callback"
          clientID: {{ .Values.auth.clientID | default $name | quote }}
          clientSecret: {{ .Values.auth.clientSecret | default (derivePassword 1 "long" .Values.commons.masterPassword "git-forgejo" "auth.clientSecret") | quote }}
          signingKey: "authentik Self-signed Certificate"
          scopes:
            - name: "authentik default OAuth Mapping: OpenID 'openid'"
            - name: "authentik default OAuth Mapping: OpenID 'email'"
            - name: "authentik gitea OAuth Mapping: OpenID 'gitea'"
              scope_name: gitea
              expression: |-
                groups = [group.name for group in user.ak_groups.all()]
                gitea = {}
                if user.is_superuser:
                    gitea = "admin"
                    if "admin" not in groups:
                        groups.append("admin")
                else:
                    gitea = "user"
                return {
                  "nickname": request.user.username,
                  "groups": groups,
                  "gitea": gitea
                }
      groups:
        - slug: "mycloud - users"
          bindID: "cefc0c13-49fa-4374-a909-e201a88a473b"
      application:
        policyEngineMode: "any"
        openInNewTab: true
        publisher: "WrenIX's myCloud"
        slug: {{ $name }}
        group: "Communication"
        name: "Forgejo"
        launchURL: "https://{{ $host }}"
        icon: "https://{{ $host }}/assets/img/logo.png"
        description: "With GoToSocial, you can keep in touch with your friends, post, read, and share images and articles. All without being tracked or advertised to!"
--- a/mycloud-git-small/templates/configmap_init_crd.yaml
+++ b/mycloud-git-small/templates/configmap_init_crd.yaml
@ -0,0 +1,14 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: {{ .Release.Name }}-init
  namespace: "{{ .Values.init.namespace }}"
 data:
  {{- if and
    (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/PrometheusRule")
    (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/ServiceMonitor")
  }}
  init: "-1"
  {{- else }}
  init: "{{ add1 .Values.init.version }}"
  {{- end }}
--- a/mycloud-git-small/templates/forgejo/release.yaml
+++ b/mycloud-git-small/templates/forgejo/release.yaml
@ -0,0 +1,158 @@
 {{ $name := printf "%s-forgejo" .Release.Name }}
 ---
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
  name: {{ $name }}-hr
 spec:
  chartRef:
    kind: OCIRepository
    name: "{{ .Release.Name }}-forgejo"
  install:
    {{- toYaml .Values.commons.helm.release.install | nindent 4 }}
  test:
    {{- toYaml .Values.commons.helm.release.test | nindent 4 }}
  upgrade:
    {{- toYaml .Values.commons.helm.release.upgrade | nindent 4 }}
  driftDetection:
    {{- toYaml .Values.commons.helm.release.driftDetection | nindent 4 }}
  interval: 10m
  valuesFrom:
    - kind: Secret
      name: {{ $name }}
      valuesKey: "DATABASE_PASSWD"
      targetPath: "gitea.config.database.PASSWD"
    - kind: Secret
      name: {{ $name }}
      valuesKey: "MAILER_PASSWD"
      targetPath: "gitea.config.mailer.PASSWD"
  values:
    {{- $host := .Values.ingress.host | default (printf "git.%s" .Values.commons.ingress.domain) }}
    redis-cluster:
      enabled: false
    redis:
      enabled: true
      replica:
        # just one replica
        replicaCount: {{ .Values.commons.redis.replicas }}
      metrics:
        enabled: true
        serviceMonitor:
          enabled: {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/ServiceMonitor") }}
          additionalLabels:
            {{- toYaml .Values.commons.prometheus.monitor.labels | nindent 12 }}
        prometheusRule:
          # empty rules
          enabled: false
          # {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/PrometheusRule") }}
          additionalLabels:
            {{- toYaml .Values.commons.prometheus.rules.labels | nindent 12 }}
          rules: []
    postgresql-ha:
      enabled: false
    gitea:
      admin:
        username: false
        password: false
      config:
        APP_NAME: {{ .Values.commons.theme.title | quote }}
        database:
          DB_TYPE: postgres
          HOST: {{ .Values.databases.forgejo.host | quote }}
          USER: {{ .Values.databases.forgejo.username | quote }}
          NAME: {{ .Values.databases.forgejo.name | quote }}
        mailer:
          ENABLED: true
          PROTOCOL: "smtp+starttls"
          SMTP_ADDR: {{ .Values.mail.host | default .Values.commons.mail.host | quote }}
          SMTP_PORT: 587
          USER: {{ .Values.commons.mail.username | quote }}
          FROM: {{ .Values.mail.from | default (printf "\"[%s] %s\" <%s>" .Values.commons.theme.title "git" .Values.commons.mail.from) | quote }}
        server:
          LFS_START_SERVER: true
        openid:
          ENABLE_OPENID_SIGNUP: false
        oauth2_client:
          OPENID_CONNECT_SCOPES: "email gitea"
          ENABLE_AUTO_REGISTRATION: true
          USERNAME: nickname
          UPDATE_AVATAR: true
          ACCOUNT_LINKING: disabled
        service:
          DISABLE_REGISTRATION: true
          ALLOW_ONLY_EXTERNAL_REGISTRATION: true
        picture:
          DISABLE_GRAVATAR: true
          ENABLE_FEDERATED_AVATAR: true
        federation:
          ENABLED: true
      oauth:
        - name: "authentik"
          provider: "openidConnect"
          autoDiscoverUrl: "https://{{ .Values.commons.auth.host | default (printf "auth.%s" .Values.commons.ingress.domain) }}/application/o/{{ $name }}/"
          existingSecret: {{ $name }}
          scopes: "email gitea"
          groupClaimName: groups
          adminGroup: admin
      metrics:
        enabled: {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/ServiceMonitor") }}
        serviceMonitor:
          enabled: {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/ServiceMonitor") }}
          labels:
            {{- toYaml .Values.commons.prometheus.monitor.labels | nindent 12 }}
    ingress:
      enabled: true
      annotations:
        {{- with .Values.commons.ingress.annotations }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
        {{- with .Values.ingress.forgejo.annotations }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
      hosts:
        - host: "{{ $host }}"
          paths:
            - path: /
              pathType: Prefix
      {{- if .Values.commons.ingress.tls.enabled }}
      tls:
        {{- with .Values.commons.ingress.tls.override }}
        {{- toYaml . | nindent 8 }}
        {{- else }}
        - secretName: "mycloud-forgejo-cert"
          hosts:
            - "{{ $host }}"
        {{- end }}
      {{- end }}
    {{- if .Values.commons.persistence.hostPath.enabled }}
    # TODO has no effect
    extraInitContainers:
      - name: "take-ownership"
        image: "alpine:3"
        command: ["chown", "-R", "1000:1000", "/data" ]
        volumeMounts:
          - name: "data"
            mountPath: /data
    extraVolumes:
      - name: data
        hostPath:
          path: "{{ .Values.commons.persistence.hostPath.prefix }}/git-small/forgejo"
          type: Directory
    {{- end }}
    persistence:
      enabled: true
      {{- with .Values.persistence.forgejo }}
      size: {{ .size }}
      {{- with .storageClass | default $.Values.commons.persistence.storageClass }}
      storageClass: {{ . }}
      {{- end }}
      {{- if $.Values.commons.persistence.hostPath.enabled }}
      create: false
      mount: false
      {{- end }}
      {{- end }}
--- a/mycloud-git-small/templates/forgejo/repo.yaml
+++ b/mycloud-git-small/templates/forgejo/repo.yaml
@ -0,0 +1,10 @@
 ---
 apiVersion: source.toolkit.fluxcd.io/v1beta2
 kind: OCIRepository
 metadata:
  name: "{{ .Release.Name }}-forgejo"
 spec:
  url: oci://code.forgejo.org/forgejo-helm/forgejo
  interval: 5m
  ref:
    semver: "^11.0.1"
--- a/mycloud-git-small/templates/forgejo/secret.yaml
+++ b/mycloud-git-small/templates/forgejo/secret.yaml
@ -0,0 +1,12 @@
 {{- $name := printf "%s-forgejo" .Release.Name }}
 ---
 apiVersion: v1
 kind: Secret
 metadata:
  name: {{ $name | quote }}
 data:
  DATABASE_PASSWD: {{ .Values.databases.forgejo.password | default (derivePassword 1 "long" .Values.commons.masterPassword "git-forgejo" "database_password" | b64enc) | b64enc }}
  MAILER_PASSWD: {{ .Values.commons.mail.password | b64enc }}
  # for OIDC
  key: {{ .Values.auth.clientID | default $name | b64enc }}
  secret: {{ .Values.auth.clientSecret | default (derivePassword 1 "long" .Values.commons.masterPassword "git-forgejo" "auth.clientSecret") | b64enc }}
--- a/mycloud-git-small/templates/forgejo/traefik.yaml
+++ b/mycloud-git-small/templates/forgejo/traefik.yaml
@ -0,0 +1,16 @@
 {{- if .Values.traefik.enabled }}
 {{- $host := .Values.ingress.host | default (printf "git.%s" .Values.commons.ingress.domain) }}
 ---
 apiVersion: traefik.io/v1alpha1
 kind: IngressRouteTCP
 metadata:
  name: {{ .Release.Name }}-forgejo
 spec:
  entryPoints:
    - ssh
  routes:
    - match: "HostSNI(`*`)"
      services:
        - name: {{ .Release.Name }}-forgejo-hr-ssh
          port: 22
 {{- end }}
--- a/mycloud-git-small/templates/woodpecker/jobs/namespace.yaml
+++ b/mycloud-git-small/templates/woodpecker/jobs/namespace.yaml
@ -0,0 +1,8 @@
 {{- with .Values.woodpecker.jobs.namespace }}
 {{- if .create }}
 apiVersion: v1
 kind: Namespace
 metadata:
  name: {{ .name }}
 {{- end }}
 {{- end }}
--- a/mycloud-git-small/templates/woodpecker/release.yaml
+++ b/mycloud-git-small/templates/woodpecker/release.yaml
@ -0,0 +1,141 @@
 {{- $name := printf "%s-woodpecker" .Release.Name }}
 ---
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
  name: {{ $name | quote }}
 spec:
  chartRef:
    kind: OCIRepository
    name: {{ $name | quote }}
  install:
    {{- toYaml .Values.commons.helm.release.install | nindent 4 }}
  test:
    {{- toYaml .Values.commons.helm.release.test | nindent 4 }}
  upgrade:
    {{- toYaml .Values.commons.helm.release.upgrade | nindent 4 }}
  driftDetection:
    {{- toYaml .Values.commons.helm.release.driftDetection | nindent 4 }}
  interval: 10m
  values:
    {{- $hostCI := .Values.ingress.woodpecker.host | default (printf "ci.%s" .Values.commons.ingress.domain) }}
    {{- $hostGit := .Values.ingress.woodpecker.host | default (printf "git.%s" .Values.commons.ingress.domain) }}
    agent:
      replicaCount: 1
      env:
        WOODPECKER_MAX_WORKFLOWS: 4
        WOODPECKER_BACKEND_K8S_NAMESPACE: {{ .Values.woodpecker.jobs.namespace.name }}
        WOODPECKER_BACKEND_K8S_STORAGE_RWX: false
        WOODPECKER_BACKEND_K8S_POD_LABELS_ALLOW_FROM_STEP: true
        WOODPECKER_BACKEND_K8S_POD_LABELS: |
          {
            "app.kubernetes.io/name": "server",
            "app.kubernetes.io/instance": "{{.Release.Namespace }}-{{ $name }}",
            "app.kubernetes.io/component": "job"
          }
        WOODPECKER_SERVER: "{{ $name }}-server:9000"
      {{- if .Values.commons.networkpolicies.enabled }}
      networkPolicy:
        enabled: true
        egress:
          enabled: true
          dns:
            {{- toYaml .Values.commons.networkpolicies.to.dns | nindent 12 }}
          apiserver:
            {{- toYaml .Values.commons.networkpolicies.to.k8sAPI | nindent 12 }}
          server:
            to:
              - podSelector:
                  matchLabels:
                    app.kubernetes.io/name: server
                    app.kubernetes.io/instance: {{ $name }}
      {{- end }}
      persistentVolume:
        enabled: false
    server:
      env:
        WOODPECKER_OPEN: "true"
        WOODPECKER_HOST: {{ printf "https://%s" $hostCI | quote }}
        WOODPECKER_FORGEJO: "true"
        WOODPECKER_FORGEJO_URL: {{ printf "https://%s" $hostGit | quote }}
        WOODPECKER_ADMIN: {{ join "," .Values.woodpecker.admins | quote }}
        WOODPECKER_DATABASE_DRIVER: postgres
        WOODPECKER_LOG_FILE: "stdout"
      podAnnotations:
        config-hash: {{ include (print $.Template.BasePath "/woodpecker/secret.yaml") . | sha256sum }}
      extraSecretNamesForEnvFrom:
        - {{ $name }}
      metrics:
        enabled: {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/PodMonitor") }}
      prometheus:
        podmonitor:
          enabled: {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/PodMonitor") }}
          labels:
            {{- toYaml .Values.commons.prometheus.monitor.labels | nindent 12 }}
        rules:
          enabled: true
          labels:
            {{- toYaml .Values.commons.prometheus.rules.labels | nindent 12 }}
      grafana:
        dashboards:
          enabled: true
          labels:
            {{- toYaml .Values.commons.grafana.dashboards.labels | nindent 12 }}
          annotations:
            {{- toYaml .Values.commons.grafana.dashboards.annotations | nindent 12 }}
      ingress:
        enabled: true
        annotations:
          {{- with .Values.commons.ingress.annotations }}
          {{- toYaml . | nindent 10 }}
          {{- end }}
          {{- with .Values.ingress.woodpecker.annotations }}
          {{- toYaml . | nindent 10 }}
          {{- end }}
        hosts:
          - host: {{ $hostCI }}
            paths:
              - path: /
        {{- if .Values.commons.ingress.tls.enabled }}
        tls:
          {{- with .Values.commons.ingress.tls.override }}
          {{- toYaml . | nindent 10 }}
          {{- else }}
          - secretName: "mycloud-woodpecker-cert"
            hosts:
              - "{{ $hostCI }}"
          {{- end }}
        {{- end }}
      {{- if .Values.commons.networkpolicies.enabled }}
      networkPolicy:
        enabled: true
        ingress:
          http:
            {{- toYaml .Values.commons.networkpolicies.from.ingress | nindent 12 }}
          metrics:
            {{- toYaml .Values.commons.networkpolicies.from.metrics | nindent 12 }}
          grpc:
            - podSelector:
                matchLabels:
                  app.kubernetes.io/name: agent
                  app.kubernetes.io/instance: "{{ .Release.Name }}-woodpecker"
        egress:
          enabled: true
          dns:
            {{- toYaml .Values.commons.networkpolicies.to.dns | nindent 12 }}
          database:
            {{- with .Values.commons.networkpolicies.to.database }}
            {{- toYaml . | nindent 12 }}
            {{- end }}
          extra:
             {{/* need to call git instance*/}}
            - ports:
                - port: 443
                  protocol: TCP
              to:
                {{- toYaml .Values.commons.networkpolicies.from.ingress | nindent 16 }}
      {{- end }}
      persistentVolume:
        enabled: false
--- a/mycloud-git-small/templates/woodpecker/repo.yaml
+++ b/mycloud-git-small/templates/woodpecker/repo.yaml
@ -0,0 +1,10 @@
 ---
 apiVersion: source.toolkit.fluxcd.io/v1beta2
 kind: OCIRepository
 metadata:
  name: "{{ .Release.Name }}-woodpecker"
 spec:
  url: oci://ghcr.io/woodpecker-ci/helm/woodpecker
  interval: 10m
  ref:
    semver: "^2.0.0"
--- a/mycloud-git-small/templates/woodpecker/secret.yaml
+++ b/mycloud-git-small/templates/woodpecker/secret.yaml
@ -0,0 +1,13 @@
 {{- $name := printf "%s-woodpecker" .Release.Name }}
 ---
 apiVersion: v1
 kind: Secret
 metadata:
  name: {{ $name | quote }}
 data:
  {{- with .Values.databases.woodpecker }}
  {{- $db_pass := .password | default (derivePassword 1 "long" $.Values.commons.masterPassword "git-woodpecker" "database_password" | b64enc) }}
  WOODPECKER_DATABASE_DATASOURCE: {{ printf "postgres://%s:%s@%s/%s?sslmode=disable" .username $db_pass .host .name | b64enc }}
  {{- end }}
  WOODPECKER_FORGEJO_CLIENT: {{ .Values.woodpecker.auth.clientID | b64enc }}
  WOODPECKER_FORGEJO_SECRET: {{ .Values.woodpecker.auth.clientSecret | b64enc }}
--- a/mycloud-git-small/values.yaml
+++ b/mycloud-git-small/values.yaml
@ -0,0 +1,202 @@
 init:
  version: 0
  namespace: "bases"
 commons:
  # -- masterPassword to generate secrets
  # @section -- Commons
  masterPassword: "CHANGEME"
  auth:
    # -- default auth.(.Values.commons.ingress.domain)
    # @section -- Commons
    host:
  theme:
    # -- title everywhere
    # @section -- Commons theme
    title: myCloud
    # -- logo everywhere
    # @section -- Commons theme
    logo: /static/dist/assets/icons/icon_left_brand.svg
    # -- favicon everywhere
    # @section -- Commons theme
    favicon: /static/dist/assets/icons/icon.png
  mail:
    # -- smtp server
    # @section -- Commons mail
    host: ""
    # -- smtp username
    # @section -- Commons mail
    username: ""
    # -- smtp password
    # @section -- Commons mail
    password: ""
    # -- send from address
    # @section -- Commons mail
    from:
    # -- smtp server use start tls
    # @section -- Commons mail
    use_tls: false
    # -- smtp server use ssl
    # @section -- Commons mail
    use_ssl: false
  persistence:
    # -- storageClass of PVC
    # @section -- Commons Persistence
    storageClass:
    hostPath:
      # -- use hostPath instatt of PVC
      # @section -- Commons Persistence
      enabled: false
      # -- use hostPath under the following path
      # @section -- Commons Persistence
      prefix: "/var/lib/mycloud"
  helm:
    release:
      # -- install of FluxCD HelmRelease
      # @section -- Commons helm release
      install: {}
      # -- test of FluxCD HelmRelease
      # @section -- Commons helm release
      test: {}
      # -- upgrade of FluxCD HelmRelease
      # @section -- Commons helm release
      upgrade: {}
      # -- driftDetection of FluxCD HelmRelease
      # @section -- Commons helm release
      driftDetection: {}
  ingress:
    # -- top domain for all services
    # @section -- Commons Ingress
    domain: "wrenix.eu"
    # -- annotations for all ingress objects
    # @section -- Commons Ingress
    annotations:
      cert-manager.io/cluster-issuer: letsencrypt-prod
    tls:
      # -- tls on every ingress
      # @section -- Commons Ingress
      enabled: true
      # -- use own definition of tls (e.g. for own or wildcard certificate)
      # @section -- Commons Ingress
      override: []
  networkpolicies:
    enabled: false
    from:
      ingress: []
      metrics: []
    to:
      dns: []
      k8sAPI:
        ports:
          - port: 6443
            protocol: TCP
        to: []
      database: []
  prometheus:
    monitor:
      # -- labels on Pod- and Service-Monitor
      # @section -- Commons Monitoring
      labels: {}
    rules:
      # -- labels on PrometheusRules
      # @section -- Commons Monitoring
      labels: {}
  grafana:
    dashboards:
      # -- labels of grafana dashboard configmap
      # @section -- Commons Monitoring
      labels:
        grafana_dashboard: "1"
      # -- annotations of grafana dashboard configmap
      # @section -- Commons Monitoring
      annotations:
  tracing:
    # -- enable tracing on all components
    # @section -- Commons Tracing
    enabled: false
    http:
      # -- http endpoint
      # @section -- Commons Tracing
      endpoint: "http://tempo.monitoring.svc:4318/v1/traces"
    grpc:
      # -- prefer grpc over http
      # @section -- Commons Tracing
      enabled: true
      # -- allow insecure connection per grpc
      # @section -- Commons Tracing
      insecure: true
      # -- grpc endpoint
      # @section -- Commons Tracing
      endpoint: "tempo.monitoring.svc:4317" 
 auth:
  # -- OIDC client id (default: "mycloud-git-small"-forgejo)
  clientID:
  # -- generated by .Values.commons.masterPassword
  clientSecret:
 ingress:
  forgejo:
    # -- default: git.(Values.commons.ingress.domain)
    host:
    annotations:
  woodpecker:
    # -- default: ci.(Values.commons.ingress.domain)
    host:
    annotations:
 traefik:
  enabled: true
 databases:
  forgejo:
    # -- default is from mysql-services
    host: mycloud-services-postgresql
    name: git-forgejo
    username: git-forgejo
    # -- generated by .Values.commons.masterPassword (equal to mycloud-services)
    password:
  woodpecker:
    # -- default is from mysql-services
    host: mycloud-services-postgresql
    name: git-woodpecker
    username: git-woodpecker
    # -- generated by .Values.commons.masterPassword (equal to mycloud-services)
    password:
 mail:
  # -- generade by Values.commons.mail.from
  from:
  # -- default Values.commons.mail.host
  host:
 persistence:
  forgejo:
    storageClass:
    size: 16Gi
 woodpecker:
  auth:
    # -- need to be manuelle set, after setup on forgejo
    clientID: ""
    # -- need to be manuelle set, after setup on forgejo
    clientSecret: ""
  # -- admins of woodpecker (manage manuelle)
  admins: []
  jobs:
    namespace:
      create: true
      name: "woodpecker"
 forgejo:
--- a/mycloud-gotosocial/templates/authentik-application.yaml
+++ b/mycloud-gotosocial/templates/authentik-application.yaml
@ -1,5 +1,5 @@
 ---
-apiVersion: helm.toolkit.fluxcd.io/v2beta2
+apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
  name: {{ .Release.Name }}-auth
--- a/mycloud-gotosocial/templates/release.yaml
+++ b/mycloud-gotosocial/templates/release.yaml
@ -1,5 +1,5 @@
 ---
-apiVersion: helm.toolkit.fluxcd.io/v2beta2
+apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
  name: "{{ .Release.Name }}-hr"
--- a/mycloud-matrix/Chart.yaml
+++ b/mycloud-matrix/Chart.yaml
@ -6,4 +6,4 @@ maintainers:
  - name: WrenIX
    url: https://wrenix.eu
-version: 0.1.1
+version: 0.1.2
--- a/mycloud-matrix/README.md
+++ b/mycloud-matrix/README.md
@ -7,7 +7,7 @@ description: "myCloud component to setup matrix"
 # mycloud-matrix
-![Version: 0.1.1](https://img.shields.io/badge/Version-0.1.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+![Version: 0.1.2](https://img.shields.io/badge/Version-0.1.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
 myCloud component to setup matrix
@ -126,6 +126,12 @@ myCloud component to setup matrix
 | databases.slidingSync.username | string | `"matrix-sliding-sync"` |  |
 | ingress.authenticationService.annotations | object | `{}` |  |
 | ingress.authenticationService.host | string | `nil` | default: auth.matrix.(.commons.ingress.domain) |
 | ingress.cinny.annotations | object | `{}` |  |
 | ingress.cinny.enabled | bool | `false` |  |
 | ingress.cinny.featuredCommunities.rooms | list | `[]` | add rooms to featured communites in cinny |
 | ingress.cinny.featuredCommunities.servers | list | `[]` | add servers to featured communites in cinny |
 | ingress.cinny.featuredCommunities.spaces | list | `[]` | set spaces as featured communites in cinny |
 | ingress.cinny.host | string | `nil` | default: cinny.(.commons.ingress.domain) |
 | ingress.element.annotations | object | `{}` |  |
 | ingress.element.config.features.feature_location_share_live | bool | `true` |  |
 | ingress.element.config.features.feature_new_room_decoration_ui | bool | `true` |  |
--- a/mycloud-matrix/templates/clients/cinny.yaml
+++ b/mycloud-matrix/templates/clients/cinny.yaml
@ -0,0 +1,80 @@
 {{- if .Values.ingress.cinny.enabled }}
 ---
 apiVersion: source.toolkit.fluxcd.io/v1beta2
 kind: OCIRepository
 metadata:
  name: "{{ .Release.Name }}-cinny"
 spec:
  url: oci://codeberg.org/wrenix/helm-charts/cinny
  interval: 10m
  ref:
    semver: "^0.2.1"
 ---
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
  name: "{{ .Release.Name }}-cinny"
 spec:
  chartRef:
    kind: OCIRepository
    name: "{{ .Release.Name }}-cinny"
  install:
    {{- toYaml .Values.commons.helm.release.install | nindent 4 }}
  test:
    {{- toYaml .Values.commons.helm.release.test | nindent 4 }}
  upgrade:
    {{- toYaml .Values.commons.helm.release.upgrade | nindent 4 }}
  driftDetection:
    {{- toYaml .Values.commons.helm.release.driftDetection | nindent 4 }}
  interval: 10m
  values:
    {{- $host := .Values.ingress.cinny.host | default (printf "cinny.%s" .Values.commons.ingress.domain) }}
    config:
      defaultHomeserver: 0
      homeserverList:
        - {{ include "mycloud-matrix.domain" . | quote }}
      featuredCommunities:
        spaces:
          {{- toYaml .Values.ingress.cinny.featuredCommunities.spaces | nindent 10 }}
        rooms:
          {{- toYaml .Values.ingress.cinny.featuredCommunities.rooms | nindent 10 }}
        servers:
          {{- with .Values.ingress.cinny.featuredCommunities.server }}
          {{- toYaml . | nindent 10 }}
          {{- else }}
          - {{ include "mycloud-matrix.domain" . | quote }}
          {{- end }}
    {{- if .Values.commons.networkpolicies.enabled }}
    networkPolicy:
      enabled: true
      ingress:
        http:
          {{- toYaml .Values.commons.networkpolicies.from.ingress | nindent 10 }}
      egress:
        enabled: true
    {{- end }}
    ingress:
      enabled: true
      annotations:
        {{- with .Values.commons.ingress.annotations }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
        {{- with .Values.ingress.cinny.annotations }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
      hosts:
        - host: {{ $host | quote }}
          paths:
            - path: /
              pathType: ImplementationSpecific
      {{- if .Values.commons.ingress.tls.enabled }}
      tls:
        {{- with .Values.commons.ingress.tls.override }}
        {{- toYaml . | nindent 8 }}
        {{- else }}
        - secretName: "{{ .Release.Name }}-cinny-cert"
          hosts:
            - "{{ $host }}"
        {{- end }}
      {{- end }}
 {{- end }}
--- a/mycloud-matrix/templates/clients/element.yaml
+++ b/mycloud-matrix/templates/clients/element.yaml
@ -1,6 +1,6 @@
 {{- if .Values.ingress.element.enabled }}
 ---
-apiVersion: source.toolkit.fluxcd.io/v1beta2
+apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
  name: "{{ .Release.Name }}-element-web"
@ -29,6 +29,9 @@ spec:
    {{- toYaml .Values.commons.helm.release.driftDetection | nindent 4 }}
  interval: 10m
  values:
    image:
      repository: ghcr.io/element-hq/element-web
      tag: v1.11.99
    {{- $host := .Values.ingress.element.host | default (printf "element.%s" .Values.commons.ingress.domain) }}
    defaultServer:
      url: https://{{ include "mycloud-matrix.host.server" . }}
--- a/mycloud-matrix/templates/server/authentication-service.yaml
+++ b/mycloud-matrix/templates/server/authentication-service.yaml
@ -29,7 +29,7 @@ spec:
  url: oci://codeberg.org/wrenix/helm-charts/matrix-authentication-service
  interval: 10m
  ref:
-    semver: "^0.0.7"
+    semver: "^0.0.11"
 ---
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
--- a/mycloud-matrix/templates/server/synapse.yaml
+++ b/mycloud-matrix/templates/server/synapse.yaml
@ -93,6 +93,7 @@ spec:
          client_id: 0000000000000000000SYNAPSE
          client_auth_method: client_secret_basic
          account_management_url: "https://{{ include "mycloud-matrix.host.authenticationService" . }}/account/"
        msc4108_enabled: true
      {{- else }}
      oidc_providers:
        - idp_id: mycloud
@ -294,6 +295,25 @@ spec:
      database: {{ .name | quote }}
      {{- end }}
    redis:
      enabled: true
      replica:
        # just one replica
        replicaCount: {{ .Values.commons.redis.replicas }}
      metrics:
        enabled: true
        serviceMonitor:
          enabled: {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/ServiceMonitor") }}
          additionalLabels:
            {{- toYaml .Values.commons.prometheus.monitor.labels | nindent 12 }}
        prometheusRule:
          # empty rules
          enabled: false
          # {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/PrometheusRule") }}
          additionalLabels:
            {{- toYaml .Values.commons.prometheus.rules.labels | nindent 12 }}
          rules: []
    prometheus:
      podmonitor:
        enabled: {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/PodMonitor") }}
--- a/mycloud-matrix/values.yaml
+++ b/mycloud-matrix/values.yaml
@ -208,6 +208,18 @@ ingress:
    # -- default: hydrogen.(.commons.ingress.domain)
    host:
    annotations: {}
  cinny:
    enabled: false
    # -- default: cinny.(.commons.ingress.domain)
    host:
    annotations: {}
    featuredCommunities:
      # -- set spaces as featured communites in cinny
      spaces: []
      # -- add rooms to featured communites in cinny
      rooms: []
      # -- add servers to featured communites in cinny
      servers: []
  livekit:
    enabled: false
    # -- default: sfu.call.(.commons.ingress.domain)
--- a/mycloud-nextcloud/Chart.yaml
+++ b/mycloud-nextcloud/Chart.yaml
@ -6,4 +6,4 @@ maintainers:
  - name: WrenIX
    url: https://wrenix.eu
-version: 0.1.0
+version: 0.1.1
--- a/mycloud-nextcloud/README.md
+++ b/mycloud-nextcloud/README.md
@ -7,7 +7,7 @@ description: "myCloud component to setup nextcloud"
 # mycloud-nextcloud
-![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+![Version: 0.1.1](https://img.shields.io/badge/Version-0.1.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
 myCloud component to setup nextcloud
@ -131,6 +131,7 @@ myCloud component to setup nextcloud
 | persistence.main.pvc | string | `"nextcloud"` |  |
 | persistence.main.size | string | `"8Gi"` |  |
 | quota | string | `nil` | default quota for an user |
 | replica.nextcliud | int | `1` |  |
 | theme.color | string | `nil` | set theme color in nextcloud |
 Autogenerated from chart metadata using [helm-docs](https://github.com/norwoodj/helm-docs)
--- a/mycloud-nextcloud/templates/authentik-application.yaml
+++ b/mycloud-nextcloud/templates/authentik-application.yaml
@ -1,5 +1,5 @@
 ---
-apiVersion: helm.toolkit.fluxcd.io/v2beta2
+apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
  name: {{ .Release.Name }}-auth
--- a/mycloud-nextcloud/templates/networkpolicy.yaml
+++ b/mycloud-nextcloud/templates/networkpolicy.yaml
@ -22,6 +22,11 @@ spec:
              app.kubernetes.io/component: metrics
              app.kubernetes.io/instance: {{ .Release.Name }}-hr
              app.kubernetes.io/name: nextcloud 
        - podSelector:
            matchLabels:
              app.kubernetes.io/component: notify-push
              app.kubernetes.io/instance: {{ .Release.Name }}-hr
              app.kubernetes.io/name: nextcloud 
        {{- with .Values.commons.networkpolicies.from.ingress }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
@ -86,33 +91,4 @@ spec:
          protocol: UDP
      to:
        {{- toYaml .Values.commons.networkpolicies.to.dns | nindent 8 }}
 ---
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
  name: {{ .Release.Name }}-redis
 spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/component: master
      app.kubernetes.io/instance: {{ .Release.Name }}-hr
      app.kubernetes.io/name: redis
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - ports:
        - port: 6379
          protocol: TCP
      from:
        - podSelector:
            matchLabels:
              app.kubernetes.io/component: app
              app.kubernetes.io/instance: {{ .Release.Name }}-hr
              app.kubernetes.io/name: nextcloud
    - ports:
        - port: 9121
          protocol: TCP
      from:
        {{- toYaml .Values.commons.networkpolicies.from.metrics | nindent 8 }}
 {{- end }}
--- a/mycloud-nextcloud/templates/release.yaml
+++ b/mycloud-nextcloud/templates/release.yaml
@ -1,5 +1,5 @@
 ---
-apiVersion: helm.toolkit.fluxcd.io/v2beta2
+apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
  name: "{{ .Release.Name }}-hr"
@ -26,6 +26,7 @@ spec:
    {{- toYaml .Values.commons.helm.release.driftDetection | nindent 4 }}
  interval: 10m
  values:
    replicaCount: {{ .Values.replica.nextcloud }}
    {{- $host := .Values.ingress.host | default (printf "fs.%s" .Values.commons.ingress.domain) }}
    nextcloud:
      update: true
@ -208,8 +209,19 @@ spec:
    imaginary:
      enabled: {{ toYaml .Values.imaginary.enabled }}
    notifyPush:
      enabled: true
      autoSetup: true
      image:
        registry: "ghcr.io"
    metrics:
      enabled: true
      info:
        apps: true
        update: true
    prometheus:
      serviceMonitor:
        enabled: {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/ServiceMonitor") }}
        labels:
@ -260,6 +272,18 @@ spec:
          additionalLabels:
            {{- toYaml .Values.commons.prometheus.rules.labels | nindent 12 }}
          rules: []
      networkPolicy:
        allowExternal: false
        allowExternalEgress: false
        metrics:
          allowExternal: false
          {{- with .Values.commons.networkpolicies.from.metrics }}
          {{- $nsMetrics := first . }}
          ingressNSMatchLabels:
            {{- toYaml $nsMetrics.namespaceSelector.matchLabels | nindent 12 }}
          ingressNSPodMatchLabels:
            {{- toYaml $nsMetrics.podSelector.matchLabels | nindent 12 }}
          {{- end }}
    {{- $pvHelper := (or .Values.commons.persistence.hostPath.enabled) }}
    {{- $storageClass := $pvHelper | ternary "manual" .Values.commons.persistence.storageClass }}
--- a/mycloud-nextcloud/values.yaml
+++ b/mycloud-nextcloud/values.yaml
@ -116,6 +116,9 @@ chart:
  ref:
    branch: main
 replica:
  nextcliud: 1
 # -- generated by .Values.commons.masterPassword
 adminPassword:
--- a/mycloud-paperless/.helmignore
+++ b/mycloud-paperless/.helmignore
@ -0,0 +1,23 @@
 # Patterns to ignore when building packages.
 # This supports shell glob matching, relative path matching, and
 # negation (prefixed with !). Only one pattern per line.
 .DS_Store
 # Common VCS dirs
 .git/
 .gitignore
 .bzr/
 .bzrignore
 .hg/
 .hgignore
 .svn/
 # Common backup files
 *.swp
 *.bak
 *.tmp
 *.orig
 *~
 # Various IDEs
 .project
 .idea/
 *.tmproj
 .vscode/
--- a/mycloud-paperless/Chart.yaml
+++ b/mycloud-paperless/Chart.yaml
@ -0,0 +1,9 @@
 apiVersion: v2
 name: mycloud-paperless
 description: A Helm chart for Kubernetes
 type: application
 maintainers:
  - name: WrenIX
    url: https://wrenix.eu
 version: 0.1.0
--- a/mycloud-paperless/README.md
+++ b/mycloud-paperless/README.md
@ -0,0 +1,117 @@
 ---
 title: "mycloud-paperless"
 description: "A Helm chart for Kubernetes"
 ---
 # mycloud-paperless
 ![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
 A Helm chart for Kubernetes
 ## Maintainers
 | Name | Email | Url |
 | ---- | ------ | --- |
 | WrenIX |  | <https://wrenix.eu> |
 ## Values
 ### Commons
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | commons.auth.host | string | `nil` | default auth.(.Values.commons.ingress.domain) |
 | commons.masterPassword | string | `"CHANGEME"` | masterPassword to generate secrets |
 ### Commons Monitoring
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | commons.grafana.dashboards.annotations | object | `{}` | annotations of grafana dashboard configmap |
 | commons.grafana.dashboards.labels | object | `{}` | labels of grafana dashboard configmap |
 | commons.prometheus.monitor.labels | object | `{}` | labels on Pod- and Service-Monitor |
 | commons.prometheus.rules.labels | object | `{}` | labels on PrometheusRules |
 ### Commons helm release
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | commons.helm.release.driftDetection | object | `{}` | driftDetection of FluxCD HelmRelease |
 | commons.helm.release.install | object | `{}` | install of FluxCD HelmRelease |
 | commons.helm.release.test | object | `{}` | test of FluxCD HelmRelease |
 | commons.helm.release.upgrade | object | `{}` | upgrade of FluxCD HelmRelease |
 ### Commons Ingress
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | commons.ingress.annotations | object | `{"cert-manager.io/cluster-issuer":"letsencrypt-prod"}` | annotations for all ingress objects |
 | commons.ingress.domain | string | `"wrenix.eu"` | top domain for all services |
 | commons.ingress.tls.enabled | bool | `true` | tls on every ingress |
 | commons.ingress.tls.override | list | `[]` | use own definition of tls (e.g. for own or wildcard certificate) |
 ### Commons mail
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | commons.mail.from | string | `nil` | send from address |
 | commons.mail.host | string | `nil` | smtp server |
 | commons.mail.password | string | `nil` | smtp password |
 | commons.mail.use_ssl | bool | `false` | smtp server use ssl |
 | commons.mail.use_tls | bool | `false` | smtp server use start tls |
 | commons.mail.username | string | `nil` | smtp username |
 ### Commons Persistence
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | commons.persistence.hostPath.enabled | bool | `false` | use hostPath instatt of PVC |
 | commons.persistence.hostPath.prefix | string | `"/var/lib/mycloud"` | use hostPath under the following path |
 | commons.persistence.storageClass | string | `nil` | storageClass of PVC |
 ### Commons theme
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | commons.theme.title | string | `"myCloud"` | title everywhere |
 ### Other Values
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | auth.clientID | string | `nil` | generated by .Values.commons.masterPassword |
 | auth.clientSecret | string | `nil` | generated by .Values.commons.masterPassword |
 | auth.extra | string | `nil` | in format of paperless |
 | commons.auth.authentik.backend | string | `"authentik-server"` |  |
 | commons.auth.authentik.domain | string | `""` |  |
 | commons.auth.enabled | bool | `false` |  |
 | commons.auth.namespace | string | `""` |  |
 | commons.auth.type | string | `"authentik"` |  |
 | commons.networkpolicies.enabled | bool | `false` |  |
 | commons.networkpolicies.from.ingress | list | `[]` |  |
 | commons.networkpolicies.from.metrics | list | `[]` |  |
 | commons.networkpolicies.to.database | list | `[]` |  |
 | commons.networkpolicies.to.dns | list | `[]` |  |
 | commons.networkpolicies.to.smtp | list | `[]` |  |
 | database.host | string | `"mycloud-services-postgresql"` | default is from mysql-services |
 | database.name | string | `"paperless"` |  |
 | database.password | string | `nil` | generated by .Values.commons.masterPassword (equal to mycloud-services) |
 | database.username | string | `"paperless"` |  |
 | env.PAPERLESS_DISABLE_REGULAR_LOGIN | bool | `true` |  |
 | env.PAPERLESS_OCR_LANGUAGE | string | `"deu"` |  |
 | env.PAPERLESS_REDIRECT_LOGIN_TO_SSO | bool | `true` |  |
 | env.PAPERLESS_SOCIAL_ACCOUNT_SYNC_GROUPS | bool | `true` |  |
 | env.PAPERLESS_SOCIAL_AUTO_SIGNUP | bool | `true` |  |
 | ingress.annotations | object | `{}` |  |
 | ingress.host | string | `nil` | default: paperless.(Values.commons.ingress.domain) |
 | init.namespace | string | `"bases"` |  |
 | init.version | int | `0` |  |
 | mail.from | string | `nil` | generade by Values.commons.mail.from |
 | mail.host | string | `nil` | default Values.commons.mail.host |
 | persistence.size | string | `"16Gi"` |  |
 | persistence.storageClass | string | `nil` |  |
 Autogenerated from chart metadata using [helm-docs](https://github.com/norwoodj/helm-docs)
--- a/mycloud-paperless/_docs.gotmpl
+++ b/mycloud-paperless/_docs.gotmpl
--- a/mycloud-paperless/templates/authentik-application.yaml
+++ b/mycloud-paperless/templates/authentik-application.yaml
@ -0,0 +1,56 @@
 ---
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
  name: {{ .Release.Name }}-auth
 spec:
  chart:
    spec:
      sourceRef:
        kind: GitRepository
        name: "wrenix-helm-charts"
        namespace: "flux-system"
      chart: "./authentik-application"
      reconcileStrategy: "Revision"
  install:
    {{- toYaml .Values.commons.helm.release.install | nindent 4 }}
  test:
    {{- toYaml .Values.commons.helm.release.test | nindent 4 }}
  upgrade:
    {{- toYaml .Values.commons.helm.release.upgrade | nindent 4 }}
  driftDetection:
    {{- toYaml .Values.commons.helm.release.driftDetection | nindent 4 }}
  interval: 10m
  values:
    {{- $host := .Values.ingress.host | default (printf "paperless.%s" .Values.commons.ingress.domain) }}
    blueprint:
      authentik:
        domain: "https://{{ .Values.commons.auth.host | default (printf "auth.%s" .Values.commons.ingress.domain) }}"
      provider:
        type: "oidc"
        name: "Paperless"
        oidc:
          clientType: "confidential"
          redirectURL: "https://{{ $host }}/accounts/oidc/mycloud/login/callback/"
          clientID: {{ .Values.auth.clientID | default (derivePassword 1 "long" .Values.commons.masterPassword "paperless" "auth.clientID") | quote }}
          clientSecret: {{ .Values.auth.clientSecret | default (derivePassword 1 "long" .Values.commons.masterPassword "paperless" "auth.clientSecret") | quote }}
          signingKey: "authentik Self-signed Certificate"
          scopes:
            - name: "authentik default OAuth Mapping: OpenID 'openid'"
            - name: "authentik default OAuth Mapping: OpenID 'email'"
            - name: "authentik default OAuth Mapping: OpenID 'profile'"
      groups:
        - slug: "mycloud - users"
          bindID: "cefc0c13-49fa-4374-a909-e201a88a473b"
      application:
        policyEngineMode: "any"
        openInNewTab: true
        publisher: "WrenIX's myCloud"
        slug: "mycloud-paperless"
        group: "Office"
        name: "Paperless"
        launchURL: "https://{{ $host }}/"
        icon: "https://{{ $host }}/favicon.ico"
        description: "A document management system that transforms your physical documents into a searchable online archive so you can keep, well, less paper."
--- a/mycloud-paperless/templates/configmap_init_crd.yaml
+++ b/mycloud-paperless/templates/configmap_init_crd.yaml
@ -0,0 +1,14 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: {{ .Release.Name }}-init
  namespace: "{{ .Values.init.namespace }}"
 data:
  {{- if and
    (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/PrometheusRule")
    (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/ServiceMonitor")
  }}
  init: "-1"
  {{- else }}
  init: "{{ add1 .Values.init.version }}"
  {{- end }}
--- a/mycloud-paperless/templates/release.yaml
+++ b/mycloud-paperless/templates/release.yaml
@ -0,0 +1,185 @@
 ---
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
  name: "{{ .Release.Name }}-ngx"
 spec:
  chart:
    spec:
      sourceRef:
        kind: GitRepository
        name: "wrenix-helm-charts"
        namespace: "flux-system"
      chart: "./paperless-ngx"
      reconcileStrategy: "Revision"
  install:
    {{- toYaml .Values.commons.helm.release.install | nindent 4 }}
  test:
    {{- toYaml .Values.commons.helm.release.test | nindent 4 }}
  upgrade:
    {{- toYaml .Values.commons.helm.release.upgrade | nindent 4 }}
  driftDetection:
    {{- toYaml .Values.commons.helm.release.driftDetection | nindent 4 }}
  interval: 10m
  valuesFrom:
    - name: {{ .Release.Name }}
      kind: Secret
      valuesKey: "DB_PASS"
      targetPath: "config.database.pass"
    - name: {{ .Release.Name }}
      kind: Secret
      valuesKey: "ADMIN_PASS"
      targetPath: "env.PAPERLESS_ADMIN_PASSWORD"
    - name: {{ .Release.Name }}
      kind: Secret
      valuesKey: "EMAIL_PASS"
      targetPath: "env.PAPERLESS_EMAIL_HOST_PASSWORD"
      optional: true
    - name: {{ .Release.Name }}
      kind: Secret
      valuesKey: "oidc"
  values:
    {{- $host := .Values.ingress.host | default (printf "paperless.%s" .Values.commons.ingress.domain) }}
    config:
      redis:
        prefix: {{ .Release.Name }}
      database:
        engine: postgres
        host: {{ .Values.database.host | quote }}
        name: {{ .Values.database.name | quote }}
        user: {{ .Values.database.username | quote }}
      apps: allauth.socialaccount.providers.openid_connect
      oidcProviders:
        openid_connect:
          OAUTH_PKCE_ENABLED: true
    env:
      PAPERLESS_APP_TITLE: {{ .Values.commons.theme.title }}
      PAPERLESS_ADMIN_USER: admin
      PAPERLESS_EMAIL_HOST: {{ .Values.mail.host | default .Values.commons.mail.host | quote }}
      PAPERLESS_EMAIL_PORT: 587
      PAPERLESS_EMAIL_HOST_USER: {{ .Values.commons.mail.username | quote }}
      PAPERLESS_EMAIL_FROM: {{ .Values.mail.from | default (printf "\"[%s] %s\" <%s>" .Values.commons.theme.title "paperless" .Values.commons.mail.from) | quote }}
      PAPERLESS_EMAIL_USE_TLS: true
      {{- with .Values.env }}
      {{- toYaml . | nindent 6 }}
      {{- end }}
    podLabels:
      "{{ .Release.Name }}-ngx-redis-client": "true"
    postgresql:
      enabled: false
    redis:
      metrics:
        enabled: true
        serviceMonitor:
          enabled: {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/ServiceMonitor") }}
          additionalLabels:
            {{- toYaml .Values.commons.prometheus.monitor.labels | nindent 12 }}
        prometheusRule:
          # empty rules
          enabled: false
          # {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/PrometheusRule") }}
          additionalLabels:
            {{- toYaml .Values.commons.prometheus.rules.labels | nindent 12 }}
          rules: []
      networkPolicy:
        allowExternal: false
        allowExternalEgress: false
        metrics:
          allowExternal: false
          {{- with .Values.commons.networkpolicies.from.metrics }}
          {{- $nsMetrics := first . }}
          ingressNSMatchLabels:
            {{- toYaml $nsMetrics.namespaceSelector.matchLabels | nindent 12 }}
          ingressNSPodMatchLabels:
            {{- toYaml $nsMetrics.podSelector.matchLabels | nindent 12 }}
          {{- end }}
    networkPolicy:
      enabled: true
      ingress:
        http:
          {{- toYaml .Values.commons.networkpolicies.from.ingress | nindent 12 }}
        metrics:
          {{- toYaml .Values.commons.networkpolicies.from.metrics | nindent 12 }}
      egress:
        enabled: true
        dns:
          {{- toYaml .Values.commons.networkpolicies.to.dns | nindent 10 }}
        database:
          - ports:
              - port: 6379
                protocol: TCP
            to:
              - podSelector:
                  matchLabels:
                    app.kubernetes.io/instance: "{{ .Release.Name }}-ngx"
                    app.kubernetes.io/name: redis
                    app.kubernetes.io/component: master
          {{- with .Values.commons.networkpolicies.to.database }}
          {{- toYaml . | nindent 10 }}
          {{- end }}
        extra:
          - ports:
              - port: 443
                protocol: TCP
            to:
              {{- toYaml .Values.commons.networkpolicies.from.ingress | nindent 14 }}
          {{- with .Values.commons.networkpolicies.to.smtp }}
          {{- toYaml . | nindent 10 }}
          {{- end }}
    ingress:
      enabled: true
      annotations:
        {{- with .Values.commons.ingress.annotations }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
        {{- with .Values.ingress.annotations }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
      hosts:
        - host: "{{ $host }}"
          paths:
            - path: /
              pathType: Prefix
      {{- if .Values.commons.ingress.tls.enabled }}
      tls:
        {{- with .Values.commons.ingress.tls.override }}
        {{- toYaml . | nindent 8 }}
        {{- else }}
        - secretName: "mycloud-paperless-cert"
          hosts:
            - "{{ $host }}"
        {{- end }}
      {{- end }}
    persistence:
      enabled: true
      size: {{ .Values.persistence.size }}
      {{- with .Values.persistence.storageClass | default .Values.commons.persistence.storageClass }}
      storageClass: {{ . }}
      {{- end }}
      {{- if .Values.commons.persistence.hostPath.enabled }}
      hostPath: "{{ .Values.commons.persistence.hostPath.prefix }}/paperless"
      {{- end }}
    prometheus:
      servicemonitor:
        enabled: {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/ServiceMonitor") }}
        labels:
          {{- toYaml .Values.commons.prometheus.monitor.labels | nindent 10 }}
      rules:
        enabled: {{ (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/PrometheusRule") }}
        additionalLabels:
          {{- toYaml .Values.commons.prometheus.rules.labels | nindent 10 }}
    grafana:
      dashboards:
        enabled: true
        labels:
          {{- toYaml .Values.commons.grafana.dashboards.labels | nindent 10 }}
        annotations:
          {{- toYaml .Values.commons.grafana.dashboards.annotations | nindent 10 }}
--- a/mycloud-paperless/templates/secret.yaml
+++ b/mycloud-paperless/templates/secret.yaml
@ -0,0 +1,29 @@
 ---
 apiVersion: v1
 kind: Secret
 metadata:
  name: {{ .Release.Name }}
 data:
  DB_PASS: {{ .Values.database.password | default (derivePassword 1 "long" .Values.commons.masterPassword "paperless" "database_password" | b64enc) | b64enc }}
  {{- with .Values.commons.mail.password }}
  EMAIL_PASS: {{ . | b64enc }}
  {{- end }}
  ADMIN_PASS: {{ .Values.auth.admin | default (derivePassword 1 "long" .Values.commons.masterPassword "paperless" "admin_password" | b64enc) | b64enc }}
  # - "authentik Admins"
  oidc: {{ toYaml (dict
    "config" (dict
      "oidcProviders" (dict
        "openid_connect" (dict
          "APPS" (list (dict
            "provider_id" "mycloud"
            "name" .Values.commons.theme.title
            "client_id" (.Values.auth.clientID | default (derivePassword 1 "long" .Values.commons.masterPassword "paperless" "auth.clientID"))
            "secret" (.Values.auth.clientSecret | default (derivePassword 1 "long" .Values.commons.masterPassword "paperless" "auth.clientSecret"))
            "settings" (dict
              "server_url" (printf "https://%s/application/o/mycloud-paperless/.well-known/openid-configuration" (.Values.commons.auth.host | default (printf "auth.%s" .Values.commons.ingress.domain)))
            )
          ) .Values.auth.extra | compact)
        )
      )
    )
  ) | b64enc }}
--- a/Show more
+++ b/Show more
Author	SHA1	Message	Date
WrenIX	91f580659d	fix(mycloud-matrix): update matrix-authentifcaton-service	2025-04-25 11:23:11 +02:00
WrenIX	4f6b9e7b64	fix(infra-certificate): add gateway api support	2025-04-24 14:51:38 +02:00
WrenIX	4da76e0073	fix(mycloud-matrix): update element-web	2025-04-24 00:20:04 +02:00
WrenIX	936d4b505b	fix(infra-logging): migrate from logging-operator to vector-agent	2025-04-18 02:08:07 +02:00
WrenIX	a87841325d	fix(base): adjust url for otlp http tracing	2025-04-12 20:01:30 +02:00
WrenIX	b99df46cbf	feat(mycloud-services): enable monitoring	2025-04-11 12:39:36 +02:00
WrenIX	f118c878d1	fix(mycloud-matrix): update element-web	2025-04-11 11:47:17 +02:00
WrenIX	e8810f000a	fix(mycloud-matrix): Add client cinny	2025-04-05 17:43:25 +02:00
WrenIX	c5bf68c60c	fix(infra-monitoring): add pod alerts again	2025-04-02 00:29:47 +02:00
WrenIX	f7b24a09b1	fix(infra-ingress): analyse logs for metrics	2025-03-27 13:19:36 +01:00
WrenIX	a1e9d9c920	fix(mycloud-matrix): update element-web	2025-03-27 09:22:43 +01:00
WrenIX	2414e0fdab	fix(infra-monitoring): add possiblity to change message type of alerts in matrix	2025-03-24 09:13:27 +01:00
WrenIX	d7d7009365	fix(mycloud-nextcloud): use ghcr.io registry for notify_push image	2025-03-24 09:13:27 +01:00
WrenIX	8e8ac4ffb8	fix(mycloud-services): update postgresql	2025-03-17 19:41:19 +01:00
WrenIX	57ec503dae	fix(mycloud-matrix): update element-web	2025-03-12 17:37:51 +01:00
WrenIX	3440877e36	fix(mycloud-matrix): update element-web	2025-02-27 14:39:57 +01:00
WrenIX	10c84cdcf4	fix(mycloud-matrix): update element-web	2025-02-26 20:33:16 +01:00
WrenIX	99120a4472	fix(mycloud-nextcloud): use networkpolicy from redis	2025-02-26 18:41:36 +01:00
WrenIX	3424660b8b	feat(mycloud-paperless): add paperless-ngx	2025-02-25 01:57:44 +01:00
WrenIX	50d4fad2a3	fix(mycloud-matrix): enable server synapse MSC4108 for QR Code login	2025-02-20 03:20:55 +01:00
WrenIX	fb7dadd62a	fix(mycloud-git-small): forgejo conflict with inner and outside chart secret - also traefik	2025-02-18 09:44:16 +01:00
WrenIX	8258769eb0	fix(mycloud-logging): loki disable metricsInstance correct	2025-02-14 01:41:17 +01:00
WrenIX	45fb279e49	fix(mycloud-git-small): forgejo conflict with inner and outside chart secret	2025-02-13 16:25:48 +01:00
WrenIX	3b80a91678	fix(mycloud-nextcloud): improve metrics and alerts (workaround)	2025-02-13 15:43:36 +01:00
WrenIX	d08028c2aa	fix(infra-monitoring): bootstrap servicemonitor of grafana (from kube-prometheus-stack)	2025-02-12 18:28:54 +01:00
WrenIX	f8bb9786cf	fix(global): update apiVersion of HelmRepo to v1	2025-02-12 18:14:06 +01:00
WrenIX	9f36709ca1	fix(global): update apiVersion of HelmRelease to v2	2025-02-12 18:08:15 +01:00
WrenIX	d736f81a5e	fix(infra-logging): loki do not deploy crds	2025-02-12 18:02:14 +01:00
WrenIX	248ba81cdc	fix(mycloud-matrix): update element-web	2025-02-11 23:30:42 +01:00
WrenIX	389c5d26a2	fix(mycloud-git-small): networkpolicy for k8sAPI on woodpecker	2025-02-02 19:53:19 +01:00
WrenIX	312e734588	fix(mycloud-authentik): migrate from tenant to brands	2025-01-31 00:57:50 +01:00
WrenIX	95f26af7fd	fix(mycloud-matrix): update element-web	2025-01-29 21:32:14 +01:00
WrenIX	febaf8be74	fix(mycloud-git-small): update element-web	2025-01-29 21:32:10 +01:00
WrenIX	189580f0cd	fix(mycloud-git-small): update forgejo	2025-01-23 21:58:33 +01:00
WrenIX	d45b748908	fix(mycloud-git-small): networkpolicy for woodpecker to connect to k8sAPI	2025-01-23 21:33:58 +01:00
WrenIX	116af617c9	fix(mycloud-git-small): add monitoring for redis	2025-01-16 16:03:21 +01:00
WrenIX	a19a763e0a	fix(mycloud-matrix): add monitoring for redis	2025-01-16 15:59:22 +01:00
WrenIX	cce04498dc	fix(mycloud-matrix): update element-web	2025-01-15 22:03:29 +01:00
WrenIX	9bcb8800bc	fix(mycloud-git-small): ingress annotations	2025-01-12 17:00:30 +01:00
WrenIX	d3e75b3e96	fix(mycloud-git-small): add mycloud-git-small alpha (with forgejo and woodpecker)	2025-01-12 15:49:59 +01:00
WrenIX	ee51d3677e	fix(mycloud-nextcloud): metrics	2025-01-08 22:25:01 +01:00
WrenIX	4c914aa0fc	fix(mycloud-authentik): metrics	2025-01-08 22:22:06 +01:00
WrenIX	df5aea9134	fix(mycloud-nextcloud): add option for replica	2024-12-22 11:58:06 +01:00
WrenIX	786c34de91	fix(mycloud-matrix): update element-web	2024-12-19 01:39:04 +01:00
WrenIX	5461ab1b4b	fix(mycloud-matrix): update element-web	2024-12-06 23:29:26 +01:00
WrenIX	dbb1b531a5	fix(mycloud-collabora): with less privilegs	2024-12-04 00:46:15 +01:00
WrenIX	9281c1e9be	chore(mycloud): update docs for ingress (collabora remote font to nextcloud)	2024-12-04 00:39:51 +01:00
WrenIX	40b8afb2a2	fix(mycloud-collabora): set remote-font-url	2024-12-04 00:38:24 +01:00
WrenIX	0a923ac69b	fix(mycloud-nextcloud): develop notify_push	2024-11-27 22:24:08 +01:00