fix(forgejo-runner): Fix job image for generate-config after added global.image override

alertmanager-matrix/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: alertmanager-matrix
 description: Service for managing and receiving Alertmanager alerts on Matrix
 type: application
-version: "0.1.11"
+version: "0.1.12"
 # renovate: image=docker.io/silkeh/alertmanager_matrix
 appVersion: "0.5.0"
 maintainers:

alertmanager-matrix/README.adoc

@@ -1,366 +0,0 @@
-
-
-= alertmanager-matrix
-
-image::https://img.shields.io/badge/Version-0.1.11-informational?style=flat-square[Version: 0.1.11]
-image::https://img.shields.io/badge/Version-application-informational?style=flat-square[Type: application]
-image::https://img.shields.io/badge/AppVersion-0.5.0-informational?style=flat-square[AppVersion: 0.5.0]
-== Maintainers
-
-.Maintainers
-|===
-| Name | Email | Url
-
-| WrenIX
-|
-| <https://wrenix.eu>
-|===
-
-== Usage
-
-Helm must be installed and setup to your kubernetes cluster to use the charts.
-Refer to Helm's https://helm.sh/docs[documentation] to get started.
-Once Helm has been set up correctly, fetch the charts as follows:
-
-[source,bash]
-----
-helm pull oci://codeberg.org/wrenix/helm-charts/alertmanager-matrix
-----
-
-You can install a chart release using the following command:
-
-[source,bash]
-----
-helm install alertmanager-matrix-release oci://codeberg.org/wrenix/helm-charts/alertmanager-matrix --values values.yaml
-----
-
-To uninstall a chart release use `helm`'s delete command:
-
-[source,bash]
-----
-helm uninstall alertmanager-matrix-release
-----
-
-== Values
-
-.Values
-|===
-| Key | Type | Default | Description
-
-| affinity
-| object
-| `{}`
-|
-
-| autoscaling.enabled
-| bool
-| `false`
-|
-
-| autoscaling.maxReplicas
-| int
-| `100`
-|
-
-| autoscaling.minReplicas
-| int
-| `1`
-|
-
-| autoscaling.targetCPUUtilizationPercentage
-| int
-| `80`
-|
-
-| bot.alertmanager
-| string
-| `"http://localhost:9093"`
-|
-
-| bot.colors.alert
-| string
-| `"black"`
-|
-
-| bot.colors.critical
-| string
-| `"red"`
-|
-
-| bot.colors.error
-| string
-| `"red"`
-|
-
-| bot.colors.info
-| string
-| `"blue"`
-|
-
-| bot.colors.information
-| string
-| `"blue"`
-|
-
-| bot.colors.resolved
-| string
-| `"green"`
-|
-
-| bot.colors.silenced
-| string
-| `"gray"`
-|
-
-| bot.colors.warning
-| string
-| `"orange"`
-|
-
-| bot.icons.alert
-| string
-| `"🔔️"`
-|
-
-| bot.icons.critical
-| string
-| `"🚨"`
-|
-
-| bot.icons.error
-| string
-| `"🚨"`
-|
-
-| bot.icons.info
-| string
-| `"ℹ️"`
-|
-
-| bot.icons.information
-| string
-| `"ℹ️"`
-|
-
-| bot.icons.resolved
-| string
-| `"✅"`
-|
-
-| bot.icons.silenced
-| string
-| `"🔕"`
-|
-
-| bot.icons.warning
-| string
-| `"⚠️"`
-|
-
-| bot.matrix.homeserver
-| string
-| `"http://localhost:8008"`
-|
-
-| bot.matrix.rooms[0]
-| string
-| `"!not_existing:matrix.org"`
-|
-
-| bot.matrix.rooms[1]
-| string
-| `"!also_not_existing:matrix.org"`
-|
-
-| bot.matrix.token
-| string
-| `"SECRET_TOKEN"`
-|
-
-| bot.matrix.userID
-| string
-| `"bot"`
-|
-
-| bot.messageType
-| string
-| `"m.notice"`
-|
-
-| bot.showLabels
-| bool
-| `false`
-|
-
-| bot.template.html
-| string
-| `"{{ range .Alerts }}\n  <font color=\"{{.StatusString|color}}\">\n    {{.StatusString|icon}}\n    <b>{{.StatusString|upper}}</b>\n    {{.AlertName}}:\n  </font>\n  {{.Summary}}\n  {{if ne .Fingerprint \"\"}}\n    ({{.Fingerprint}})\n  {{end}}\n  {{if $.ShowLabels}}\n    <br/>\n    <b>Labels:</b>\n    <code>{{.LabelString}}</code>\n   {{end}}\n   <br/>\n{{- end -}}\n"`
-|
-
-| bot.template.text
-| string
-| `"{{ range .Alerts }}\n  {{- .StatusString|icon}} {{ .StatusString|upper }}{{ .AlertName }}: {{ .Summary }} {{ if ne .Fingerprint \"\" -}}\n    ({{.Fingerprint}})\n  {{- end}}\n  {{- if $.ShowLabels -}}\n    , labels:\n    {{- .LabelString}}\n  {{- end }}\n{{ end -}}\n"`
-|
-
-| fullnameOverride
-| string
-| `""`
-|
-
-| image.pullPolicy
-| string
-| `"IfNotPresent"`
-|
-
-| image.registry
-| string
-| `"registry.gitlab.com"`
-|
-
-| image.repository
-| string
-| `"wrenix/alertmanager_matrix"`
-|
-
-| image.tag
-| string
-| `""`
-|
-
-| imagePullSecrets
-| list
-| `[]`
-|
-
-| ingress.annotations
-| object
-| `{}`
-|
-
-| ingress.className
-| string
-| `""`
-|
-
-| ingress.enabled
-| bool
-| `false`
-|
-
-| ingress.hosts[0].host
-| string
-| `"chart-example.local"`
-|
-
-| ingress.hosts[0].paths[0].path
-| string
-| `"/"`
-|
-
-| ingress.hosts[0].paths[0].pathType
-| string
-| `"ImplementationSpecific"`
-|
-
-| ingress.tls
-| list
-| `[]`
-|
-
-| logging.additionalFilters
-| list
-| `[]`
-| Add other filters to Flow
-
-| logging.dedot
-| string
-| `nil`
-| if an filter (here or global) for dedot is active - for disable set `null`
-
-| logging.enabled
-| bool
-| `false`
-| Deploy Flow for logging-operator
-
-| logging.globalOutputRefs
-| list
-| `["default"]`
-| Flows globalOutputRefs for use of ClusterOutputs
-
-| logging.localOutputRefs
-| list
-| `[]`
-| Flows localOutputRefs for use of Outputs
-
-| nameOverride
-| string
-| `""`
-|
-
-| nodeSelector
-| object
-| `{}`
-|
-
-| podAnnotations
-| object
-| `{}`
-|
-
-| podLabels
-| object
-| `{}`
-|
-
-| podSecurityContext
-| object
-| `{}`
-|
-
-| replicaCount
-| int
-| `1`
-|
-
-| resources
-| object
-| `{}`
-|
-
-| securityContext
-| object
-| `{}`
-|
-
-| service.port
-| int
-| `4051`
-|
-
-| service.type
-| string
-| `"ClusterIP"`
-|
-
-| serviceAccount.annotations
-| object
-| `{}`
-|
-
-| serviceAccount.create
-| bool
-| `true`
-|
-
-| serviceAccount.name
-| string
-| `""`
-|
-
-| tolerations
-| list
-| `[]`
-|
-|===
-
-Autogenerated from chart metadata using https://github.com/norwoodj/helm-docs[helm-docs]

alertmanager-matrix/README.md

@@ -7,7 +7,7 @@ description: "Service for managing and receiving Alertmanager alerts on Matrix"
 
 # alertmanager-matrix
 
-![Version: 0.1.11](https://img.shields.io/badge/Version-0.1.11-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.5.0](https://img.shields.io/badge/AppVersion-0.5.0-informational?style=flat-square)
+![Version: 0.1.12](https://img.shields.io/badge/Version-0.1.12-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.5.0](https://img.shields.io/badge/AppVersion-0.5.0-informational?style=flat-square)
 
 Service for managing and receiving Alertmanager alerts on Matrix
 
@@ -72,13 +72,15 @@ helm uninstall alertmanager-matrix-release
 | bot.matrix.userID | string | `"bot"` |  |
 | bot.messageType | string | `"m.notice"` |  |
 | bot.showLabels | bool | `false` |  |
-| bot.template.html | string | `"{{ range .Alerts }}\n  <font color=\"{{.StatusString|color}}\">\n    {{.StatusString|icon}}\n    <b>{{.StatusString|upper}}</b>\n    {{.AlertName}}:\n  </font>\n  {{.Summary}}\n  {{if ne .Fingerprint \"\"}}\n    ({{.Fingerprint}})\n  {{end}}\n  {{if $.ShowLabels}}\n    <br/>\n    <b>Labels:</b>\n    <code>{{.LabelString}}</code>\n   {{end}}\n   <br/>\n{{- end -}}\n"` |  |
+| bot.template.html | string | `"{{ range .Alerts }}\n  <font color=\"{{.StatusString|color}}\">\n    {{.StatusString|icon}}\n    <b>{{.StatusString|upper}}</b>\n    {{.AlertName}}:\n  </font>\n  {{.Summary}}\n  {{if ne .Fingerprint \"\"}}\n    ({{.Fingerprint}})\n  {{end}}\n  {{if $.ShowLabels}}\n    <br/>\n    <b>Labels:</b>\n    <code>{{.LabelString}}</code>\n  {{end}}\n  <br/>\n{{- end -}}\n"` |  |
 | bot.template.text | string | `"{{ range .Alerts }}\n  {{- .StatusString|icon}} {{ .StatusString|upper }}{{ .AlertName }}: {{ .Summary }} {{ if ne .Fingerprint \"\" -}}\n    ({{.Fingerprint}})\n  {{- end}}\n  {{- if $.ShowLabels -}}\n    , labels:\n    {{- .LabelString}}\n  {{- end }}\n{{ end -}}\n"` |  |
 | fullnameOverride | string | `""` |  |
-| image.pullPolicy | string | `"IfNotPresent"` |  |
-| image.registry | string | `"registry.gitlab.com"` |  |
-| image.repository | string | `"wrenix/alertmanager_matrix"` |  |
-| image.tag | string | `""` |  |
+| global.image.pullPolicy | string | `nil` | if set it will overwrite all pullPolicy |
+| global.image.registry | string | `nil` | if set it will overwrite all registry entries |
+| image.pullPolicy | string | `"IfNotPresent"` | This sets the pull policy for images. (could be overwritten by global.image.pullPolicy) |
+| image.registry | string | `"registry.gitlab.com"` | image registry (could be overwritten by global.image.registry) |
+| image.repository | string | `"wrenix/alertmanager_matrix"` | image repository |
+| image.tag | string | `""` | image tag - Overrides the image tag whose default is the chart appVersion. latest with current:  - amd64      @sha256:2afd6d70f39fdfa98f11758090506f7845aee33cc8d900f9fe39a2574c272063  - 386 /x86   @sha256:beca95e9595de7169ab34406936b585d6676ce03a7fe51815b3a6a4944f9dd6d  - arm v6     @sha256:ce40ea204497bfc9b2e796cf984eba53ba7c59164d39dcd4c11f0ca561e57eca  - arm v7     @sha256:59ce3dfc73be5f70b873fe095e1eee4e0fe1f256b39f8f051ad0a2ffe9d1177e  - arm v8     @sha256:fdbf50e944f8118dd1a44dde21b9cc098fb13837031e2f2492c148848c3d3cc8  - ppc64le    @sha256:4ce02adbf4efe3ad04422e35bd4e87442a7c899fea13988adaeb985c720e0c63  - s390x      @sha256:a202252cc00664a17caa5760f749b35a7b71253d1b1474b861f233e83ada1c76 |
 | imagePullSecrets | list | `[]` |  |
 | ingress.annotations | object | `{}` |  |
 | ingress.className | string | `""` |  |
@@ -97,7 +99,7 @@ helm uninstall alertmanager-matrix-release
 | podAnnotations | object | `{}` |  |
 | podLabels | object | `{}` |  |
 | podSecurityContext | object | `{}` |  |
-| replicaCount | int | `1` |  |
+| replicaCount | int | `1` | replicas |
 | resources | object | `{}` |  |
 | securityContext | object | `{}` |  |
 | service.port | int | `4051` |  |

alertmanager-matrix/templates/deployment.yaml

@@ -37,8 +37,10 @@ spec:
         - name: {{ .Chart.Name }}
           securityContext:
             {{- toYaml .Values.securityContext | nindent 12 }}
-          image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
-          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          {{- with .Values.image }}
+          image: "{{ coalesce $.Values.global.image.registry .registry }}/{{ .repository }}:{{ .tag | default $.Chart.AppVersion }}"
+          imagePullPolicy: {{ coalesce $.Values.global.image.pullPolicy .pullPolicy }}
+          {{- end }}
           command:
             - "/usr/local/bin/alertmanager_matrix"
             {{- if .Values.bot.showLabels }}

alertmanager-matrix/values.yaml

@@ -1,14 +1,22 @@
-# Default values for alertmanager-matrix.
-# This is a YAML-formatted file.
-# Declare variables to be passed into your templates.
+global:
+  image:
+    # -- if set it will overwrite all registry entries
+    registry:
+    # -- if set it will overwrite all pullPolicy
+    pullPolicy:
 
+
+# -- replicas
 replicaCount: 1
 
 image:
+  # -- image registry (could be overwritten by global.image.registry)
   registry: registry.gitlab.com
+  # -- image repository
   repository: wrenix/alertmanager_matrix
+  # -- This sets the pull policy for images. (could be overwritten by global.image.pullPolicy)
   pullPolicy: IfNotPresent
-  # Overrides the image tag whose default is the chart appVersion.
+  # -- image tag - Overrides the image tag whose default is the chart appVersion.
   # latest with current:
   #  - amd64      @sha256:2afd6d70f39fdfa98f11758090506f7845aee33cc8d900f9fe39a2574c272063
   #  - 386 /x86   @sha256:beca95e9595de7169ab34406936b585d6676ce03a7fe51815b3a6a4944f9dd6d
@@ -79,8 +87,8 @@ bot:
           <br/>
           <b>Labels:</b>
           <code>{{.LabelString}}</code>
-         {{end}}
-         <br/>
+        {{end}}
+        <br/>
       {{- end -}}
 
 serviceAccount:

alertmanager-ntfy/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: alertmanager-ntfy
 description: Receiver for alertmanager to forward to ntfy.sh
 type: application
-version: 0.1.5
+version: "0.1.6"
 # renovate: image=codeberg.org/xenrox/ntfy-alertmanager
 appVersion: "0.4.0"
 maintainers:

alertmanager-ntfy/README.md

@@ -7,7 +7,7 @@ description: "Receiver for alertmanager to forward to ntfy.sh"
 
 # alertmanager-ntfy
 
-![Version: 0.1.5](https://img.shields.io/badge/Version-0.1.5-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.4.0](https://img.shields.io/badge/AppVersion-0.4.0-informational?style=flat-square)
+![Version: 0.1.6](https://img.shields.io/badge/Version-0.1.6-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.4.0](https://img.shields.io/badge/AppVersion-0.4.0-informational?style=flat-square)
 
 Receiver for alertmanager to forward to ntfy.sh
 
@@ -49,10 +49,12 @@ helm uninstall alertmanager-ntfy-release
 | autoscaling.minReplicas | int | `1` |  |
 | autoscaling.targetCPUUtilizationPercentage | int | `80` |  |
 | fullnameOverride | string | `""` |  |
-| image.pullPolicy | string | `"IfNotPresent"` |  |
-| image.registry | string | `"codeberg.org"` |  |
-| image.repository | string | `"xenrox/ntfy-alertmanager"` |  |
-| image.tag | string | `""` |  |
+| global.image.pullPolicy | string | `nil` | if set it will overwrite all pullPolicy |
+| global.image.registry | string | `nil` | if set it will overwrite all registry entries |
+| image.pullPolicy | string | `"IfNotPresent"` | This sets the pull policy for images. (could be overwritten by global.image.pullPolicy) |
+| image.registry | string | `"codeberg.org"` | image registry (could be overwritten by global.image.registry) |
+| image.repository | string | `"xenrox/ntfy-alertmanager"` | image repository |
+| image.tag | string | `""` | image tag - Overrides the image tag whose default is the chart appVersion. |
 | imagePullSecrets | list | `[]` |  |
 | ingress.annotations | object | `{}` |  |
 | ingress.className | string | `""` |  |
@@ -84,7 +86,7 @@ helm uninstall alertmanager-ntfy-release
 | podAnnotations | object | `{}` |  |
 | podLabels | object | `{}` |  |
 | podSecurityContext | object | `{}` |  |
-| replicaCount | int | `1` |  |
+| replicaCount | int | `1` | replicas |
 | resources | object | `{}` |  |
 | securityContext | object | `{}` |  |
 | service.port | int | `80` |  |

alertmanager-ntfy/templates/deployment.yaml

@@ -35,8 +35,10 @@ spec:
         - name: {{ .Chart.Name }}
           securityContext:
             {{- toYaml .Values.securityContext | nindent 12 }}
-          image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
-          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          {{- with .Values.image }}
+          image: "{{ coalesce $.Values.global.image.registry .registry }}/{{ .repository }}:{{ .tag | default $.Chart.AppVersion }}"
+          imagePullPolicy: {{ coalesce $.Values.global.image.pullPolicy .pullPolicy }}
+          {{- end }}
           ports:
             - name: http
               containerPort: {{ .Values.ntfyAlertmanager.port }}

alertmanager-ntfy/values.yaml

@@ -1,14 +1,22 @@
-# Default values for ntfy-alertmanager.
-# This is a YAML-formatted file.
-# Declare variables to be passed into your templates.
+global:
+  image:
+    # -- if set it will overwrite all registry entries
+    registry:
+    # -- if set it will overwrite all pullPolicy
+    pullPolicy:
 
+
+# -- replicas
 replicaCount: 1
 
 image:
+  # -- image registry (could be overwritten by global.image.registry)
   registry: codeberg.org
+  # -- image repository
   repository: xenrox/ntfy-alertmanager
+  # -- This sets the pull policy for images. (could be overwritten by global.image.pullPolicy)
   pullPolicy: IfNotPresent
-  # Overrides the image tag whose default is the chart appVersion.
+  # -- image tag - Overrides the image tag whose default is the chart appVersion.
   tag: ""
 
 ntfyAlertmanager:

authentik-application/Chart.yaml

@@ -2,9 +2,7 @@ apiVersion: v2
 name: authentik-application
 description: "A Chart to deploy a secret for the authentik blueprint-sidecar."
 type: application
-version: "0.5.0"
-# renovate: image=ghcr.io/goauthentik/ldap
-appVersion: "2024.12.1"
+version: "0.4.6"
 maintainers:
   - name: WrenIX
     url: https://wrenix.eu

authentik-application/README.md

@@ -7,7 +7,7 @@ description: "A Chart to deploy a secret for the authentik blueprint-sidecar."
 
 # authentik-application
 
-![Version: 0.4.3](https://img.shields.io/badge/Version-0.4.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+![Version: 0.4.6](https://img.shields.io/badge/Version-0.4.6-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
 
 A Chart to deploy a secret for the authentik blueprint-sidecar.
 
@@ -121,6 +121,7 @@ helm uninstall authentik-application-release
 | blueprint.labels | object | `{"goauthentik_blueprint":"1"}` | label of generated secret with blueprint |
 | blueprint.provider.authorizationFlow | string | `"default-provider-authorization-implicit-consent"` |  |
 | blueprint.provider.enabled | bool | `true` | creat an provider for authentification (otherwise just a like in menu is created) |
+| blueprint.provider.invalidationFlow | string | `"default-provider-invalidation-flow"` |  |
 | blueprint.provider.name | string | `""` |  |
 | blueprint.provider.oidc.clientID | string | `nil` | client id - generated if secret enabled |
 | blueprint.provider.oidc.clientSecret | string | `nil` | client secret - generated if secret enabled |

authentik-application/ci/ct-ldap-values.yaml

@@ -1,6 +0,0 @@
-blueprint:
-  provider:
-    type: ldap
-ldap:
-  autoscaling:
-    enabled: true

authentik-application/files/application.yaml.gotmpl

@@ -1,6 +1,6 @@
 {{- with get . "root" }}
 - model: authentik_core.Application
-  id: app
+  id: {{ .Values.blueprint.application.name | default (include "authentik-application.fullname" .) }}
   identifiers:
     slug: {{ .Values.blueprint.application.slug }}
   state: present
@@ -8,7 +8,7 @@
     name: {{ .Values.blueprint.application.name | default (include "authentik-application.fullname" .) }}
     slug: {{ .Values.blueprint.application.slug }}
     {{- if .Values.blueprint.provider.enabled }}
-    provider: !KeyOf provider
+    provider: !KeyOf {{ .Values.blueprint.provider.name | default (include "authentik-application.fullname" .) }}
     {{- end }}
     policy_engine_mode: {{ .Values.blueprint.application.policyEngineMode }}
     {{- with .Values.blueprint.application.group }}

authentik-application/files/groups.yaml.gotmpl

@@ -4,7 +4,7 @@
 {{- if (not (kindIs "slice" .Values.blueprint.groups)) }}
 
 - model: authentik_core.group
-  id: group
+  id: "app: {{ .Values.blueprint.application.slug }}"
   identifiers:
     name: "app: {{ .Values.blueprint.application.slug }}"
   state: "present"
@@ -16,9 +16,9 @@
   identifiers:
     pk: {{ $bindPolicyID | quote }}
   attrs:
-    group: !KeyOf group
+    group: !KeyOf "app: {{ .Values.blueprint.application.slug }}"
     order: 10
-    target: !KeyOf app
+    target: !Find [authentik_core.Application, [slug, {{ .Values.blueprint.application.slug }}]]
 {{- end }}
 
 {{- range $group := .Values.blueprint.groups }}
@@ -44,7 +44,6 @@
     pk: {{ $group.bindID | quote }}
     group: !KeyOf {{ $group.slug | quote}}
     order: 10
-    target: !KeyOf app
+    target: !Find [authentik_core.Application, [slug, {{ $.Values.blueprint.application.slug }}]]
 {{- end }}
-
-{{ end }}{{/* end with of get-root */}}
+{{- end }}{{/* end with of get-root */}}

authentik-application/files/provider/ldap.yaml.gotmpl

@@ -1,74 +0,0 @@
-{{- $name := include "authentik-application.fullname" .root }}
-{{- $token := get . "ldapToken" }}
-
-{{- with get . "root" }}
-
-- model: authentik_providers_ldap.LDAPProvider
-  id: provider
-  identifiers:
-    name: {{ .Values.blueprint.provider.name | default $name }}
-  state: present
-  attrs:
-    base_dn: "DC=ldap,DC=goauthentik,DC=io"
-    bind_mode: "direct"
-    search_mode: "direct"
-    mfa_support: False
-    authorization_flow: !Find [authentik_flows.flow, [slug, default-authentication-flow]]
-    invalidation_flow: !Find [authentik_flows.flow, [slug, default-invalidation-flow]]
-
-- model: authentik_core.user
-  id: outpost-user
-  state: present
-  identifiers:
-    username: {{ printf "outpost-user-%s" $name | quote }}
-  attrs:
-    username: {{ printf "outpost-user-%s" $name | quote }}
-    type: "service_account"
-    name: {{ printf "Outpost %s Service-Account" $name | quote }}
-    path: "goauthentik.io/outposts"
-
-{{/*
-- model: authentik_core.Token
-  id: outpost-token
-  identifiers:
-    identifier: {{ printf "outpost-token-%s-api" $name | quote }}
-  state: present
-  attrs:
-    identifier: {{ printf "outpost-token-%s-api" $name | quote }}
-    intent: "api"
-    user: !KeyOf outpost-user
-    description: {{ printf "Autogenerated by authentik for Outpost %s" $name | quote }}
-    key: {{ $token | quote }}
-    expiring: False
-*/}}
-
-- model: authentik_outposts.Outpost
-  id: outpost
-  identifiers:
-    name: {{ .Values.blueprint.provider.name | default (include "authentik-application.fullname" .) }}
-  state: present
-  attrs:
-    type: ldap
-    providers:
-      - !KeyOf provider
-    config:
-      authentik_host: {{ .Values.blueprint.authentik.domain | quote }}
-      authentik_host_insecure: False
-    user: !KeyOf "outpost-user"
-{{/*
-    token: !KeyOf "outpost-token"
-
-or:
-
-- model: UserObjectPermission
-  identifiers:
-    user: !KeyOf "outpost-user"
-    content_type: "authentik_outposts.outpost"
-  state: present
-  attrs:
-    user: !KeyOf "outpost-user"
-    content_type: "authentik_outposts.outpost"
-    object_pk: !KeyOf "outpost"
-    permission: "view_outpost"
-*/}}
-{{- end }}{{/* end with of get-root */}}

authentik-application/files/provider/oidc.yaml.gotmpl

@@ -16,17 +16,20 @@
 {{- end }}
 
 - model: authentik_providers_oauth2.OAuth2Provider
-  id: provider
+  id: {{ .Values.blueprint.provider.name | default (include "authentik-application.fullname" .) }}
   identifiers:
     name: {{ .Values.blueprint.provider.name | default (include "authentik-application.fullname" .) }}
   state: present
   attrs:
     authorization_flow: !Find [authentik_flows.flow, [slug, {{ .Values.blueprint.provider.authorizationFlow }}]]
+    invalidation_flow: !Find [authentik_flows.flow, [slug, {{ .Values.blueprint.provider.invalidationFlow }}]]
     {{- with .Values.blueprint.provider.oidc }}
     client_type: {{ .clientType | quote }}
     client_id: {{ $clientID | quote }}
     client_secret: {{ $clientSecret | quote }}
-    redirect_uris: {{ .redirectURL }}
+    redirect_uris:
+      - matching_mode: "strict"
+        url: {{ .redirectURL | quote }}
     {{- with .tokenDuration }}
     access_token_validity: {{ . | quote }}
     {{- end }} 

authentik-application/files/provider/proxy.yaml.gotmpl

@@ -1,11 +1,12 @@
 {{- with get . "root" }}
 - model: authentik_providers_proxy.ProxyProvider
-  id: provider
+  id: {{ .Values.blueprint.provider.name | default (include "authentik-application.fullname" .) }}
   identifiers:
     name: {{ .Values.blueprint.provider.name | default (include "authentik-application.fullname" .) }}
   state: present
   attrs:
     authorization_flow: !Find [authentik_flows.flow, [slug, {{ .Values.blueprint.provider.authorizationFlow }}]]
+    invalidation_flow: !Find [authentik_flows.flow, [slug, {{ .Values.blueprint.provider.invalidationFlow }}]]
     mode: "forward_single"
     {{- with .Values.blueprint.provider.proxy }}
     external_host: {{ .externalHost | quote }}

authentik-application/files/users.yaml.gotmpl

@@ -1,30 +0,0 @@
-{{- with get . "root" }}
-{{- $ = . }}
-
-{{- range $user := .Values.blueprint.users }}
-
-- model: authentik_core.group
-  id: {{ $user.username | quote }}
-  identifiers:
-    name: {{ $user.username | quote }}
-  state: {{ $user.state | default "present" | quote }}
-  attrs:
-    name: {{ $user.name | quote }}
-    ak_groups:
-      {{- range $group := $user.groups }}
-      - !Find [authentik_core.group, [name, {{ $group | quote }}]]
-      {{- else }}
-      {{- if (not (kindIs "slice" $.Values.blueprint.groups)) }}
-      - !Find [authentik_core.group, [name, "app: {{ .Values.blueprint.application.slug }}"]]
-      {{- end }}
-      {{- end }}{{/* end range-else */}}
-    {{- with $user.type }}
-    type: {{ . | quote }}
-    {{- end }}
-    {{- with $user.path }}
-    path: {{ . | quote }}
-    {{- end }}
-
-{{- end }}
-
-{{ end }}{{/* end with of get-root */}}

authentik-application/templates/_helpers.tpl

@@ -52,23 +52,12 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 
 {{/*
 Create the name of the service account to use
-needs argument:
-  root: $.Values
-  part: "ldap" 
 */}}
 {{- define "authentik-application.serviceAccountName" -}}
-{{- $ := get . "root" }}
-{{- $part := get . "part" }}
-{{- $partObj := get $.Values $part }}
-{{- if $partObj.serviceAccount.create }}
-{{- $defaultName := include "authentik-application.fullname" $ }}
-{{- if $part }}
-{{- $partObj.serviceAccount.name | default (printf "%s-%s" $defaultName $part) }}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "authentik-application.fullname" .) .Values.serviceAccount.name }}
 {{- else }}
-{{- $partObj.serviceAccount.name | default $defaultName }}
-{{- end }}
-{{- else }}
-{{- $partObj.serviceAccount.name | default "default" }}
+{{- default "default" .Values.serviceAccount.name }}
 {{- end }}
 {{- end }}
 

authentik-application/templates/ldap/deployment.yaml

@@ -1,88 +0,0 @@
-{{- if (eq .Values.blueprint.provider.type "ldap") }}
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: {{ include "authentik-application.fullname" . }}-ldap
-  labels:
-    {{- include "authentik-application.labels" . | nindent 4 }}
-spec:
-  {{- if not .Values.ldap.autoscaling.enabled }}
-  replicas: {{ .Values.ldap.replicaCount }}
-  {{- end }}
-  selector:
-    matchLabels:
-      {{- include "authentik-application.selectorLabels" . | nindent 6 }}
-      app.kubernetes.io/component: ldap
-  template:
-    metadata:
-      annotations:
-        {{- with .Values.ldap.podAnnotations }}
-        {{- toYaml . | nindent 8 }}
-        {{- end }}
-      labels:
-        {{- include "authentik-application.selectorLabels" . | nindent 8 }}
-        app.kubernetes.io/component: ldap
-        {{- with .Values.ldap.podLabels }}
-        {{- toYaml . | nindent 8 }}
-        {{- end }}
-    spec:
-      {{- with .Values.ldap.imagePullSecrets }}
-      imagePullSecrets:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      serviceAccountName: {{ include "authentik-application.serviceAccountName" (dict "root" . "part" "ldap") }}
-      securityContext:
-        {{- toYaml .Values.ldap.podSecurityContext | nindent 8 }}
-      containers:
-        - name: {{ .Chart.Name }}-ldap
-          securityContext:
-            {{- toYaml .Values.ldap.securityContext | nindent 12 }}
-          image: "{{ .Values.ldap.image.registry }}/{{ .Values.ldap.image.repository }}:{{ .Values.ldap.image.tag | default .Chart.AppVersion }}"
-          imagePullPolicy: {{ .Values.ldap.image.pullPolicy }}
-          env:
-            - name: "AUTHENTIK_LISTEN__LDAP"
-              value: ":{{ .Values.ldap.config.listen.ldap }}"
-            - name: "AUTHENTIK_LISTEN__LDAPS"
-              value: ":{{ .Values.ldap.config.listen.ldaps }}"
-            - name: "AUTHENTIK_LISTEN__METRICS"
-              value: ":{{ .Values.ldap.config.listen.metrics }}"
-            - name: "AUTHENTIK_HOST"
-              value: {{ .Values.blueprint.authentik.domain | quote }}
-            - name: "AUTHENTIK_TOKEN"
-              valueFrom:
-                secretKeyRef:
-                  name: {{ include "authentik-application.fullname" . }}
-                  key: "ldapToken"
-          ports:
-            - name: ldap
-              containerPort: {{ .Values.ldap.config.listen.ldap }}
-              protocol: TCP
-            - name: ldaps
-              containerPort: {{ .Values.ldap.config.listen.ldaps }}
-              protocol: TCP
-            - name: metrics
-              containerPort: {{ .Values.ldap.config.listen.metrics }}
-              protocol: TCP
-          livenessProbe:
-            httpGet:
-              path: /metrics
-              port: metrics
-          readinessProbe:
-            httpGet:
-              path: /metrics
-              port: metrics
-          resources:
-            {{- toYaml .Values.ldap.resources | nindent 12 }}
-      {{- with .Values.ldap.nodeSelector }}
-      nodeSelector:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.ldap.affinity }}
-      affinity:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.ldap.tolerations }}
-      tolerations:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-{{- end }}

authentik-application/templates/ldap/hpa.yaml

@@ -1,28 +0,0 @@
-{{- if and (eq .Values.blueprint.provider.type "ldap") .Values.ldap.autoscaling.enabled }}
-apiVersion: autoscaling/v2beta1
-kind: HorizontalPodAutoscaler
-metadata:
-  name: {{ include "authentik-application.fullname" . }}-ldap
-  labels:
-    {{- include "authentik-application.labels" . | nindent 4 }}
-spec:
-  scaleTargetRef:
-    apiVersion: apps/v1
-    kind: Deployment
-    name: {{ include "authentik-application.fullname" . }}-ldap
-  minReplicas: {{ .Values.ldap.autoscaling.minReplicas }}
-  maxReplicas: {{ .Values.ldap.autoscaling.maxReplicas }}
-  metrics:
-    {{- if .Values.ldap.autoscaling.targetCPUUtilizationPercentage }}
-    - type: Resource
-      resource:
-        name: cpu
-        targetAverageUtilization: {{ .Values.ldap.autoscaling.targetCPUUtilizationPercentage }}
-    {{- end }}
-    {{- if .Values.ldap.autoscaling.targetMemoryUtilizationPercentage }}
-    - type: Resource
-      resource:
-        name: memory
-        targetAverageUtilization: {{ .Values.ldap.autoscaling.targetMemoryUtilizationPercentage }}
-    {{- end }}
-{{- end }}

authentik-application/templates/ldap/service.yaml

@@ -1,18 +0,0 @@
-{{- if (eq .Values.blueprint.provider.type "ldap") }}
-apiVersion: v1
-kind: Service
-metadata:
-  name: {{ include "authentik-application.fullname" . }}-ldap
-  labels:
-    {{- include "authentik-application.labels" . | nindent 4 }}
-spec:
-  selector:
-    {{- include "authentik-application.selectorLabels" . | nindent 4 }}
-    app.kubernetes.io/component: ldap
-  type: {{ .Values.ldap.service.type }}
-  ports:
-    - name: ldap
-      protocol: TCP
-      port: {{ .Values.ldap.service.port }}
-      targetPort: ldap
-{{- end }}

authentik-application/templates/ldap/serviceaccount.yaml

@@ -1,12 +0,0 @@
-{{- if and (eq .Values.blueprint.provider.type "ldap") .Values.ldap.serviceAccount.create -}}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: {{ include "authentik-application.serviceAccountName" (dict "root" . "part" "ldap" ) }}
-  labels:
-    {{- include "authentik-application.labels" . | nindent 4 }}
-  {{- with .Values.ldap.serviceAccount.annotations }}
-  annotations:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-{{- end }}

authentik-application/templates/secrets.yaml

@@ -1,6 +1,5 @@
 {{- $clientID := include "authentik-application.staticValue" (dict "root" $ "name" "clientID" "default" (randAlphaNum 32) "overwrite" .Values.blueprint.provider.oidc.clientID) }}
 {{- $clientSecret := include "authentik-application.staticValue" (dict "root" $ "name" "clientSecret" "default" (randAlphaNum 32) "overwrite" .Values.blueprint.provider.oidc.clientSecret) }}
-{{- $ldapToken := include "authentik-application.staticValue" (dict "root" $ "name" "ldapToken" "default" (randAlphaNum 32) "overwrite" .Values.blueprint.provider.ldap.token) }}
 {{- $bindPolicyID := include "authentik-application.staticValue" (dict "root" $ "name" "bindPolicyID" "default" (uuidv4) "overwrite" .Values.blueprint.application.bindPolicyID) }}
 ---
 apiVersion: v1
@@ -40,11 +39,6 @@ stringData:
   claimGroups: {{ . | quote }}
   {{- end }}
   {{- end }}{{/* end with oidc */}}
-
-  {{- with .Values.blueprint.provider.ldap }}
-  ldapToken: {{ $ldapToken | quote }}
-  {{- end }}{{/* end with ldap */}}
-
   {{- end }}{{/* end if provider */}}
 ---
 apiVersion: v1
@@ -62,14 +56,10 @@ stringData:
     metadata:
       name: {{ include "authentik-application.fullname" . }}
     entries:
-      {{- $tplValues := (dict "root" $ "Template" .Template "bindPolicyID" $bindPolicyID "clientID" $clientID "clientSecret" $clientSecret "ldapToken" $ldapToken) }}
+      {{- $tplValues := (dict "root" $ "Template" .Template "bindPolicyID" $bindPolicyID "clientID" $clientID "clientSecret" $clientSecret) }}
       {{- if .Values.blueprint.provider.enabled }}
       {{- tpl (.Files.Get (printf "files/provider/%s.yaml.gotmpl" .Values.blueprint.provider.type)) $tplValues | nindent 6 }}
       {{- end }}
 
       {{- tpl (.Files.Get "files/application.yaml.gotmpl") $tplValues | nindent 6 }}
       {{- tpl (.Files.Get "files/groups.yaml.gotmpl") $tplValues | nindent 6 }}
-      {{- tpl (.Files.Get "files/users.yaml.gotmpl") $tplValues | nindent 6 }}
-      {{- with .Values.blueprint.extras }}
-      {{- toYaml . | nindent 6 }}
-      {{- end }}

authentik-application/values.yaml

@@ -16,7 +16,8 @@ blueprint:
     enabled: true
     name: ""
     authorizationFlow: "default-provider-authorization-implicit-consent"
-    # -- type of application connection, current support: oidc, ldap and proxy
+    invalidationFlow: "default-provider-invalidation-flow"
+    # -- type of application connection, current support: oidc, saml and proxy
     type: "oidc"
     oidc:
       clientType: "confidential"
@@ -33,10 +34,6 @@ blueprint:
         #   scope_name:
         #   expression:
     saml:
-    ldap:
-      # -- token - generated if secret enabled
-      token:
-      
     proxy:
       externalHost:
       skipPathRegex: ""
@@ -79,55 +76,4 @@ blueprint:
   #     parent: "app: infra"
   #     bindID: uuid
   #
-  groups: []
-  # -- Add users
-  # example:
-  #   - username: ""
-  #     name: ""
-  #     groups: # optional
-  #       - "name"
-  #     type: "" # optional
-  #     path: "users" # optional
-  users: []
-  # add additional groups
-  extras: []
-
-ldap:
-  replicaCount: 1
-  image:
-    registry: ghcr.io
-    repository: goauthentik/ldap
-    # -- Overrides the image tag whose default is the chart appVersion.
-    tag: ""
-    pullPolicy: IfNotPresent
-  imagePullSecrets: []
-  config:
-    listen:
-      ldap: 3389
-      ldaps: 6636
-      metrics: 9300
-  serviceAccount:
-    # Specifies whether a service account should be created
-    create: true
-    # Annotations to add to the service account
-    annotations: {}
-    # The name of the service account to use.
-    # If not set and create is true, a name is generated using the fullname template
-    name: ""
-  podLabels: {}
-  podAnnotations: {}
-  podSecurityContext: {}
-  securityContext: {}
-  service:
-    type: ClusterIP
-    port: 389
-  resources: {}
-  autoscaling:
-    enabled: false
-    minReplicas: 1
-    maxReplicas: 100
-    targetCPUUtilizationPercentage: 80
-    # targetMemoryUtilizationPercentage: 80
-  nodeSelector: {}
-  tolerations: []
-  affinity: {}
+  groups:

autopush/.gitignore

@@ -0,0 +1,2 @@
+charts/*.tgz
+values_test.yaml

autopush/.helmignore

@@ -0,0 +1,22 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

autopush/Chart.lock

@@ -0,0 +1,6 @@
+dependencies:
+- name: redis
+  repository: oci://docker.io/bitnamicharts
+  version: 20.8.0
+digest: sha256:030743b5498fc7245f4ed04df18386496aa8a33e1cefd992caf3fe839476f2b1
+generated: "2025-02-21T08:29:11.593498546+01:00"

autopush/Chart.yaml

@@ -0,0 +1,17 @@
+apiVersion: v2
+name: autopush
+description: A Helm chart for Kubernetes
+icon:
+type: application
+version: "0.0.13"
+# renovate: image=docker.io/mozilla-services/autopush-rs
+appVersion: "1.72.2"
+maintainers:
+  - name: WrenIX
+    url: https://wrenix.eu
+
+dependencies:
+  - name: redis
+    version: "20.8.0"
+    repository: "oci://docker.io/bitnamicharts"
+    condition: redis.internal

autopush/README.md

@@ -0,0 +1,199 @@
+---
+title: "autopush"
+
+description: "A Helm chart for Kubernetes"
+
+---
+
+# autopush
+
+![Version: 0.0.13](https://img.shields.io/badge/Version-0.0.13-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.72.2](https://img.shields.io/badge/AppVersion-1.72.2-informational?style=flat-square)
+
+A Helm chart for Kubernetes
+
+## Maintainers
+
+| Name | Email | Url |
+| ---- | ------ | --- |
+| WrenIX |  | <https://wrenix.eu> |
+
+= Beta
+
+WARNING
+====
+We let it run in production, but it is not stable / complete.
+
+TODOs:
+  - [ ] official container with redis backend, see: https://github.com/mozilla-services/autopush-rs/pull/813
+  - [ ] automatical create CRYPT_KEY (instatt of key)
+  - [ ] better ingress / host name support
+  - [ ] Improve monitoring with alerts and grafana dashboard
+ 
+====
+
+## Usage
+
+Helm must be installed and setup to your kubernetes cluster to use the charts.
+Refer to Helm's [documentation](https://helm.sh/docs) to get started.
+Once Helm has been set up correctly, fetch the charts as follows:
+
+```bash
+helm pull oci://codeberg.org/wrenix/helm-charts/autopush
+```
+
+You can install a chart release using the following command:
+
+```bash
+helm install autopush-release oci://codeberg.org/wrenix/helm-charts/autopush --values values.yaml
+```
+
+To uninstall a chart release use `helm`'s delete command:
+
+```bash
+helm uninstall autopush-release
+```
+
+## Requirements
+
+| Repository | Name | Version |
+|------------|------|---------|
+| oci://docker.io/bitnamicharts | redis | 20.8.0 |
+
+## Values
+
+### Autoconnect
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| autoconnect.image.pullPolicy | string | `"IfNotPresent"` | This sets the pull policy for images. (could be overwritten by global.image.pullPolicy) |
+| autoconnect.image.registry | string | `"codeberg.org"` | image registry (could be overwritten by global.image.registry) |
+| autoconnect.image.repository | string | `"wrenix/autopush/autoconnect"` | image repository |
+| autoconnect.image.tag | string | `"latest"` | image tag - Overrides the image tag whose default is the chart appVersion. |
+| autoconnect.livenessProbe | object | `{"httpGet":{"path":"/health","port":"http"}}` | This is to setup the liveness probes more information can be found here: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ |
+| autoconnect.podAnnotations | object | `{}` | This is for setting Kubernetes Annotations to a Pod. For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ |
+| autoconnect.podLabels | object | `{}` | This is for setting Kubernetes Labels to a Pod. For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ |
+| autoconnect.readinessProbe | object | `{"httpGet":{"path":"/health","port":"http"}}` | This is to setup the readiness probes more information can be found here: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ |
+| autoconnect.replicaCount | int | `1` | This will set the replicaset count more information can be found here: https://kubernetes.io/docs/concepts/workloads/controllers/replicaset/ |
+| autoconnect.resources | object | `{}` | We usually recommend not to specify default resources and to leave this as a conscious choice for the user. This also increases chances charts run on environments with little resources, such as Minikube. If you do want to specify resources, uncomment the following lines, adjust them as necessary, and remove the curly braces after 'resources:'. limits:   cpu: 100m   memory: 128Mi requests:   cpu: 100m   memory: 128Mi |
+| autoconnect.securityContext | object | `{}` | securityContext capabilities:   drop:   - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 1000 |
+| autoconnect.service.ports.http | int | `80` | port of http service |
+| autoconnect.service.ports.router | int | `8081` | port of internal router service |
+| autoconnect.service.type | string | `"ClusterIP"` | This sets the service type more information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types |
+| autoconnect.volumeMounts | list | `[]` | Additional volumeMounts on the output Deployment definition. - name: foo   mountPath: "/etc/foo"   readOnly: true |
+
+### Autoendpoint
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| autoendpoint.image.pullPolicy | string | `"IfNotPresent"` | This sets the pull policy for images. (could be overwritten by global.image.pullPolicy) |
+| autoendpoint.image.registry | string | `"codeberg.org"` | image registry (could be overwritten by global.image.registry) |
+| autoendpoint.image.repository | string | `"wrenix/autopush/autoendpoint"` | image repository |
+| autoendpoint.image.tag | string | `"latest"` | image tag - Overrides the image tag whose default is the chart appVersion. |
+| autoendpoint.livenessProbe | object | `{"httpGet":{"path":"/health","port":"http"}}` | This is to setup the liveness probes more information can be found here: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ |
+| autoendpoint.podAnnotations | object | `{}` | This is for setting Kubernetes Annotations to a Pod. For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ |
+| autoendpoint.podLabels | object | `{}` | This is for setting Kubernetes Labels to a Pod. For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ |
+| autoendpoint.readinessProbe | object | `{"httpGet":{"path":"/health","port":"http"}}` | This is to setup the readiness probes more information can be found here: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ |
+| autoendpoint.replicaCount | int | `1` | This will set the replicaset count more information can be found here: https://kubernetes.io/docs/concepts/workloads/controllers/replicaset/ |
+| autoendpoint.resources | object | `{}` | We usually recommend not to specify default resources and to leave this as a conscious choice for the user. This also increases chances charts run on environments with little resources, such as Minikube. If you do want to specify resources, uncomment the following lines, adjust them as necessary, and remove the curly braces after 'resources:'. limits:   cpu: 100m   memory: 128Mi requests:   cpu: 100m   memory: 128Mi |
+| autoendpoint.service.port | int | `80` | This sets the ports more information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/#field-spec-ports |
+| autoendpoint.service.type | string | `"ClusterIP"` | This sets the service type more information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types |
+| autoendpoint.volumeMounts | list | `[]` | Additional volumeMounts on the output Deployment definition. - name: foo   mountPath: "/etc/foo"   readOnly: true |
+
+### UnifiedPush
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| serviceAccount.annotations | object | `{}` | Annotations to add to the service account |
+| serviceAccount.automount | bool | `true` | Automatically mount a ServiceAccount's API credentials? |
+| serviceAccount.create | bool | `true` | Specifies whether a service account should be created |
+| serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template |
+| unifiedPush.enabled | bool | `false` | enable/deploy common-proxy for unifiedpush |
+| unifiedPush.image.pullPolicy | string | `"IfNotPresent"` | This sets the pull policy for images. (could be overwritten by global.image.pullPolicy) |
+| unifiedPush.image.registry | string | `"docker.io"` | image registry (could be overwritten by global.image.registry) |
+| unifiedPush.image.repository | string | `"unifiedpush/common-proxies"` | image repository |
+| unifiedPush.image.tag | string | `"v2.2.0"` | image tag |
+| unifiedPush.livenessProbe | object | `{"httpGet":{"path":"/health","port":"http"}}` | This is to setup the liveness more information can be found here: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ |
+| unifiedPush.podAnnotations | object | `{}` | This is for setting Kubernetes Annotations to a Pod. For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ |
+| unifiedPush.podLabels | object | `{}` | This is for setting Kubernetes Labels to a Pod. For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ |
+| unifiedPush.readinessProbe | object | `{"httpGet":{"path":"/health","port":"http"}}` | This is to setup the readiness probes more information can be found here: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ |
+| unifiedPush.replicaCount | int | `1` | This will set the replicaset count more information can be found here: https://kubernetes.io/docs/concepts/workloads/controllers/replicaset/ |
+| unifiedPush.resources | object | `{}` | We usually recommend not to specify default resources and to leave this as a conscious choice for the user. This also increases chances charts run on environments with little resources, such as Minikube. If you do want to specify resources, uncomment the following lines, adjust them as necessary, and remove the curly braces after 'resources:'. limits:   cpu: 100m   memory: 128Mi requests:   cpu: 100m   memory: 128Mi |
+| unifiedPush.service.port | int | `80` | This sets the ports more information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/#field-spec-ports |
+| unifiedPush.service.type | string | `"ClusterIP"` | This sets the service type more information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types |
+| unifiedPush.volumeMounts | list | `[]` | Additional volumeMounts on the output Deployment definition. - name: foo   mountPath: "/etc/foo"   readOnly: true |
+
+### Other Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| autoconnect.affinity | object | `{}` |  |
+| autoconnect.nodeSelector | object | `{}` |  |
+| autoconnect.podSecurityContext | object | `{}` |  |
+| autoconnect.tolerations | list | `[]` |  |
+| autoendpoint.affinity | object | `{}` |  |
+| autoendpoint.nodeSelector | object | `{}` |  |
+| autoendpoint.podSecurityContext | object | `{}` |  |
+| autoendpoint.securityContext | object | `{}` |  |
+| autoendpoint.tolerations | list | `[]` |  |
+| config.cryptoKey | string | `""` | run https://github.com/mozilla-services/autopush-rs/blob/master/scripts/fernet_key.py |
+| config.logs.backtrace | bool | `false` | enable backtrace of autopush |
+| config.logs.level | string | `"warn"` | set log level of autopush |
+| fullnameOverride | string | `""` |  |
+| global.image.pullPolicy | string | `nil` | if set it will overwrite all pullPolicy |
+| global.image.registry | string | `nil` | if set it will overwrite all registry entries |
+| grafana.dashboards.annotations | object | `{}` |  |
+| grafana.dashboards.enabled | bool | `false` |  |
+| grafana.dashboards.labels.grafana_dashboard | string | `"1"` |  |
+| imagePullSecrets | list | `[]` | This is for the secretes for pulling an image from a private repository more information can be found here: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ |
+| ingress.annotations | object | `{}` |  |
+| ingress.className | string | `""` |  |
+| ingress.enabled | bool | `false` |  |
+| ingress.host | string | `"chart-example.local"` |  |
+| ingress.tls | list | `[]` |  |
+| nameOverride | string | `""` | This is to override the chart name. |
+| prometheus.enabled | bool | `true` | start statsd sidecar and configure |
+| prometheus.image.pullPolicy | string | `"IfNotPresent"` |  |
+| prometheus.image.registry | string | `"docker.io"` |  |
+| prometheus.image.repository | string | `"prom/statsd-exporter"` |  |
+| prometheus.image.tag | string | `"v0.28.0"` |  |
+| prometheus.livenessProbe | object | `{"httpGet":{"path":"/","port":"metrics"}}` | This is to setup the liveness and readiness probes more information can be found here: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ |
+| prometheus.readinessProbe.httpGet.path | string | `"/"` |  |
+| prometheus.readinessProbe.httpGet.port | string | `"metrics"` |  |
+| prometheus.resources | object | `{}` | We usually recommend not to specify default resources and to leave this as a conscious choice for the user. This also increases chances charts run on environments with little resources, such as Minikube. If you do want to specify resources, uncomment the following lines, adjust them as necessary, and remove the curly braces after 'resources:'. limits:   cpu: 100m   memory: 128Mi requests:   cpu: 100m   memory: 128Mi |
+| prometheus.rules.additionalRules | list | `[]` |  |
+| prometheus.rules.default.alertLabels | object | `{}` |  |
+| prometheus.rules.default.enabled | bool | `true` |  |
+| prometheus.rules.enabled | bool | `false` |  |
+| prometheus.rules.labels | object | `{}` |  |
+| prometheus.securityContext | object | `{}` | securityContext capabilities:   drop:   - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 1000 |
+| prometheus.servicemonitor.enabled | bool | `false` |  |
+| prometheus.servicemonitor.labels | object | `{}` |  |
+| prometheus.volumeMounts | list | `[]` | Additional volumeMounts on the output Deployment definition. - name: foo   mountPath: "/etc/foo"   readOnly: true |
+| redis.architecture | string | `"standalone"` |  |
+| redis.auth.enabled | bool | `true` |  |
+| redis.auth.existingSecret | string | `""` | name of an existing secret with Redis credentials (instead of auth.password), must be created ahead of time |
+| redis.auth.existingSecretPasswordKey | string | `""` | Password key to be retrieved from existing secret |
+| redis.auth.password | string | `"autopush"` | XXX Change me! |
+| redis.dbid | int | `0` | Database ID for non-default database |
+| redis.external.existingSecretPasswordKey | string | `"redis-password"` | Password key to be retrieved from existing secret |
+| redis.external.host | string | `"redis"` |  |
+| redis.external.port | int | `6379` |  |
+| redis.global.storageClass | string | `""` |  |
+| redis.internal | bool | `true` |  |
+| redis.master.persistence.enabled | bool | `true` |  |
+| redis.master.service.port | int | `6379` |  |
+| redis.replica.persistence.enabled | bool | `true` |  |
+| unifiedPush.affinity | object | `{}` |  |
+| unifiedPush.config.gateway.allowedHosts | list | `[]` |  |
+| unifiedPush.config.gateway.generic.enable | bool | `true` |  |
+| unifiedPush.config.gateway.matrix.enable | bool | `true` |  |
+| unifiedPush.config.uaid | string | `""` |  |
+| unifiedPush.config.verbose | bool | `false` |  |
+| unifiedPush.nodeSelector | object | `{}` |  |
+| unifiedPush.podSecurityContext | object | `{}` |  |
+| unifiedPush.securityContext | object | `{}` |  |
+| unifiedPush.tolerations | list | `[]` |  |
+| volumes | list | `[]` | Additional volumes on the output Deployment definition. - name: foo   secret:     secretName: mysecret     optional: false |
+
+Autogenerated from chart metadata using [helm-docs](https://github.com/norwoodj/helm-docs)
+

autopush/_docs.gotmpl

@@ -0,0 +1,15 @@
+{{ define "chart.prerequirements" -}}
+= Beta
+
+WARNING
+====
+We let it run in production, but it is not stable / complete.
+
+TODOs:
+  - [ ] official container with redis backend, see: https://github.com/mozilla-services/autopush-rs/pull/813
+  - [ ] automatical create CRYPT_KEY (instatt of key)
+  - [ ] better ingress / host name support
+  - [ ] Improve monitoring with alerts and grafana dashboard
+  
+====
+{{ end }}

autopush/ci/ct-monitor-values.yaml

@@ -0,0 +1,6 @@
+prometheus:
+  enabled: true
+  servicemonitor:
+    enabled: true
+    labels:
+      prometheus: default

autopush/container/Containerfile

@@ -0,0 +1,15 @@
+FROM python:3.13-slim
+
+# Set the working directory
+WORKDIR /app
+
+# Copy the requirements file
+COPY requirements.txt .
+
+# Install any needed packages
+RUN pip install -r requirements.txt
+
+# Copy the application code into the container
+COPY setup.py setup.py
+
+CMD ["python", "setup.py"]

autopush/container/requirements.txt

@@ -0,0 +1 @@
+cryptography

autopush/container/setup.py

@@ -0,0 +1,5 @@
+#!/bin/env python3
+from cryptography.fernet import Fernet
+
+if __name__ == '__main__':
+    print(Fernet.generate_key().decode("UTF-8"))

autopush/grafana_dashboards/overview.json

@@ -0,0 +1,355 @@
+{
+  "annotations": {
+    "list": [
+      {
+        "builtIn": 1,
+        "datasource": {
+          "type": "grafana",
+          "uid": "-- Grafana --"
+        },
+        "enable": true,
+        "hide": true,
+        "iconColor": "rgba(0, 211, 255, 1)",
+        "name": "Annotations & Alerts",
+        "type": "dashboard"
+      }
+    ]
+  },
+  "editable": true,
+  "fiscalYearStartMonth": 0,
+  "graphTooltip": 0,
+  "links": [],
+  "panels": [
+    {
+      "collapsed": false,
+      "gridPos": {
+        "h": 1,
+        "w": 24,
+        "x": 0,
+        "y": 0
+      },
+      "id": 4,
+      "panels": [],
+      "title": "Push",
+      "type": "row"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_PROMETHEUS}"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "color": {
+            "mode": "palette-classic"
+          },
+          "custom": {
+            "hideFrom": {
+              "legend": false,
+              "tooltip": false,
+              "viz": false
+            }
+          },
+          "mappings": []
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 8,
+        "w": 9,
+        "x": 0,
+        "y": 1
+      },
+      "id": 1,
+      "options": {
+        "legend": {
+          "displayMode": "list",
+          "placement": "bottom",
+          "showLegend": true,
+          "values": [
+            "percent"
+          ]
+        },
+        "pieType": "pie",
+        "reduceOptions": {
+          "calcs": [
+            "lastNotNull"
+          ],
+          "fields": "",
+          "values": false
+        },
+        "tooltip": {
+          "mode": "single",
+          "sort": "none"
+        }
+      },
+      "pluginVersion": "11.4.0",
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
+          "editorMode": "code",
+          "expr": "sum(increase(autopush_notification_message_retrieved{namespace=~\"$namespace\"}[$__range])) without (container,endpoint,instance,pod,job,service)",
+          "legendFormat": "Retrieved: {{namespace}}",
+          "range": true,
+          "refId": "A"
+        },
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
+          "editorMode": "code",
+          "expr": "sum(increase(autopush_notification_message_deleted{namespace=~\"$namespace\"}[$__range])) without (container,endpoint,instance,pod,job,service)",
+          "hide": false,
+          "instant": false,
+          "legendFormat": "Deleted: {{namespace}}",
+          "range": true,
+          "refId": "B"
+        }
+      ],
+      "title": "Notification Message",
+      "transparent": true,
+      "type": "piechart"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_PROMETHEUS}"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "color": {
+            "mode": "palette-classic"
+          },
+          "custom": {
+            "hideFrom": {
+              "legend": false,
+              "tooltip": false,
+              "viz": false
+            }
+          },
+          "mappings": []
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 8,
+        "w": 8,
+        "x": 10,
+        "y": 1
+      },
+      "id": 2,
+      "options": {
+        "legend": {
+          "displayMode": "list",
+          "placement": "right",
+          "showLegend": true,
+          "values": [
+            "percent"
+          ]
+        },
+        "pieType": "pie",
+        "reduceOptions": {
+          "calcs": [
+            "lastNotNull"
+          ],
+          "fields": "",
+          "values": false
+        },
+        "tooltip": {
+          "mode": "single",
+          "sort": "none"
+        }
+      },
+      "pluginVersion": "11.4.0",
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
+          "editorMode": "code",
+          "expr": "sum(increase(autopush_ua_notification_sent{namespace=~\"$namespace\"}[$__range])) without (container,endpoint,instance,pod,job,service)",
+          "hide": false,
+          "instant": false,
+          "legendFormat": "OS: {{namespace}}/{{os}}",
+          "range": true,
+          "refId": "A"
+        }
+      ],
+      "title": "UA Notify Send",
+      "transparent": true,
+      "type": "piechart"
+    },
+    {
+      "collapsed": false,
+      "gridPos": {
+        "h": 1,
+        "w": 24,
+        "x": 0,
+        "y": 9
+      },
+      "id": 5,
+      "panels": [],
+      "title": "Endpoint",
+      "type": "row"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "${DS_PROMETHEUS}"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "color": {
+            "mode": "palette-classic"
+          },
+          "custom": {
+            "axisBorderShow": false,
+            "axisCenteredZero": false,
+            "axisColorMode": "text",
+            "axisLabel": "",
+            "axisPlacement": "auto",
+            "barAlignment": 0,
+            "barWidthFactor": 0.6,
+            "drawStyle": "line",
+            "fillOpacity": 0,
+            "gradientMode": "none",
+            "hideFrom": {
+              "legend": false,
+              "tooltip": false,
+              "viz": false
+            },
+            "insertNulls": false,
+            "lineInterpolation": "linear",
+            "lineWidth": 1,
+            "pointSize": 5,
+            "scaleDistribution": {
+              "type": "linear"
+            },
+            "showPoints": "auto",
+            "spanNulls": false,
+            "stacking": {
+              "group": "A",
+              "mode": "none"
+            },
+            "thresholdsStyle": {
+              "mode": "off"
+            }
+          },
+          "mappings": [],
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              {
+                "color": "green",
+                "value": null
+              },
+              {
+                "color": "red",
+                "value": 80
+              }
+            ]
+          }
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 8,
+        "w": 12,
+        "x": 0,
+        "y": 10
+      },
+      "id": 3,
+      "options": {
+        "legend": {
+          "calcs": [],
+          "displayMode": "list",
+          "placement": "bottom",
+          "showLegend": true
+        },
+        "tooltip": {
+          "mode": "single",
+          "sort": "none"
+        }
+      },
+      "pluginVersion": "11.4.0",
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "${DS_PROMETHEUS}"
+          },
+          "editorMode": "code",
+          "expr": "sum(increase(autoendpoint_api_error_no_subscription{namespace=~\"$namespace\"}[$__range])) without(container,endpoint,instance,pod,service,job)",
+          "legendFormat": "__auto",
+          "range": true,
+          "refId": "A"
+        }
+      ],
+      "title": "No Subscription API Error",
+      "transparent": true,
+      "type": "timeseries"
+    }
+  ],
+  "preload": false,
+  "refresh": "",
+  "schemaVersion": 40,
+  "tags": [],
+  "templating": {
+    "list": [
+      {
+        "current": {
+          "text": "Prometheus",
+          "value": "prometheus"
+        },
+        "label": "datasource",
+        "name": "DS_PROMETHEUS",
+        "options": [],
+        "query": "prometheus",
+        "refresh": 1,
+        "regex": "",
+        "type": "datasource"
+      },
+      {
+        "current": {
+          "text": [
+            "chaos-autopush"
+          ],
+          "value": [
+            "chaos-autopush"
+          ]
+        },
+        "datasource": {
+          "type": "prometheus",
+          "uid": "${DS_PROMETHEUS}"
+        },
+        "definition": "label_values(statsd_exporter_build_info,namespace)",
+        "includeAll": true,
+        "multi": true,
+        "name": "namespace",
+        "options": [],
+        "query": {
+          "qryType": 1,
+          "query": "label_values(statsd_exporter_build_info,namespace)",
+          "refId": "PrometheusVariableQueryEditor-VariableQuery"
+        },
+        "refresh": 1,
+        "regex": "",
+        "type": "query"
+      }
+    ]
+  },
+  "time": {
+    "from": "now-24h",
+    "to": "now"
+  },
+  "timepicker": {},
+  "timezone": "browser",
+  "title": "Autopush: Overview",
+  "version": 0,
+  "weekStart": ""
+}

autopush/templates/_helpers.tpl

@@ -0,0 +1,93 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "autopush.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "autopush.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "autopush.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "autopush.labels" -}}
+helm.sh/chart: {{ include "autopush.chart" . }}
+{{ include "autopush.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "autopush.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "autopush.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "autopush.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "autopush.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
+{{/*
+Prometheus-sidecar
+*/}}
+{{- define "autopush.containerPrometheus" -}}
+{{- with .Values.prometheus }}
+{{- if .enabled }}
+- name: statsd-exporter
+  securityContext:
+    {{- toYaml .securityContext | nindent 4 }}
+  {{- with .image }}
+  image: "{{ coalesce $.Values.global.image.registry .registry }}/{{ .repository }}:{{ .tag }}"
+  imagePullPolicy: {{ coalesce $.Values.global.image.pullPolicy .pullPolicy }}
+  {{- end }}
+  ports:
+    - name: metrics
+      containerPort: 9102
+      protocol: TCP
+  livenessProbe:
+    {{- toYaml .livenessProbe | nindent 4 }}
+  readinessProbe:
+    {{- toYaml .readinessProbe | nindent 4 }}
+  resources:
+    {{- toYaml .resources | nindent 4 }}
+  {{- with .volumeMounts }}
+  volumeMounts:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}
+{{- end }}
+{{- end }}

autopush/templates/autoconnect/deployment.yaml

@@ -0,0 +1,91 @@
+{{- with .Values.autoconnect }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "autopush.fullname" $ }}-autoconnect
+  labels:
+    {{- include "autopush.labels" $ | nindent 4 }}
+spec:
+  replicas: {{ .replicaCount }}
+  selector:
+    matchLabels:
+      {{- include "autopush.selectorLabels" $ | nindent 6 }}
+      app.kubernetes.io/component: autoconnect
+  template:
+    metadata:
+      {{- with .podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "autopush.labels" $ | nindent 8 }}
+        app.kubernetes.io/component: autoconnect
+        {{- with .podLabels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+    spec:
+      {{- with .imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "autopush.serviceAccountName" $ }}
+      securityContext:
+        {{- toYaml .podSecurityContext | nindent 8 }}
+      containers:
+        - name: autoconnect
+          securityContext:
+            {{- toYaml .securityContext | nindent 12 }}
+          {{- with .image }}
+          image: "{{ coalesce $.Values.global.image.registry .registry }}/{{ .repository }}:{{ .tag | default (printf "v%s" $.Chart.AppVersion) }}"
+          imagePullPolicy: {{ coalesce $.Values.global.image.pullPolicy .pullPolicy }}
+          {{- end }}
+          envFrom:
+            - secretRef:
+                name: {{ include "autopush.fullname" $ }}-env
+          env:
+            - name: "AUTOCONNECT__DB_DSN"
+              {{- if $.Values.redis.auth.enabled }}
+              value: "redis://:$(REDIS_HOST_PASSWORD)@$(REDIS_HOST)"
+              {{- else }}
+              value: "redis://$(REDIS_HOST)"
+              {{- end }}
+            - name: "AUTOCONNECT__CRYPTO_KEY"
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "autopush.fullname" $ }}-env
+                  key: "CRYPTO_KEY"
+          ports:
+            - name: http
+              containerPort: 8080
+              protocol: TCP
+            - name: router
+              containerPort: {{ .service.ports.router }}
+              protocol: TCP
+          livenessProbe:
+            {{- toYaml .livenessProbe | nindent 12 }}
+          readinessProbe:
+            {{- toYaml .readinessProbe | nindent 12 }}
+          resources:
+            {{- toYaml .resources | nindent 12 }}
+          {{- with .volumeMounts }}
+          volumeMounts:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+        {{- include "autopush.containerPrometheus" $ | nindent 8 }}
+      {{- with .volumes }}
+      volumes:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+{{- end }}

autopush/templates/autoconnect/service.yaml

@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "autopush.fullname" . }}-autoconnect
+  labels:
+    {{- include "autopush.labels" . | nindent 4 }}
+    app.kubernetes.io/metrics: "true"
+spec:
+  type: {{ .Values.autoconnect.service.type }}
+  selector:
+    {{- include "autopush.selectorLabels" . | nindent 4 }}
+    app.kubernetes.io/component: autoconnect
+  ports:
+    - port: {{ .Values.autoconnect.service.ports.http }}
+      targetPort: http
+      protocol: TCP
+      name: http
+    - port: {{ .Values.autoconnect.service.ports.router }}
+      targetPort: router
+      protocol: TCP
+      name: router
+    {{- if .Values.prometheus.enabled }}
+    - port: 9100
+      targetPort: metrics
+      protocol: TCP
+      name: metrics
+    {{- end }}

autopush/templates/autoendpoint/deployment.yaml

@@ -0,0 +1,88 @@
+{{- with .Values.autoendpoint }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "autopush.fullname" $ }}-autoendpoint
+  labels:
+    {{- include "autopush.labels" $ | nindent 4 }}
+spec:
+  replicas: {{ .replicaCount }}
+  selector:
+    matchLabels:
+      {{- include "autopush.selectorLabels" $ | nindent 6 }}
+      app.kubernetes.io/component: autoendpoint
+  template:
+    metadata:
+      {{- with .podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "autopush.labels" $ | nindent 8 }}
+        app.kubernetes.io/component: autoendpoint
+        {{- with .podLabels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+    spec:
+      {{- with .imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "autopush.serviceAccountName" $ }}
+      securityContext:
+        {{- toYaml .podSecurityContext | nindent 8 }}
+      containers:
+        - name: autoendpoint
+          securityContext:
+            {{- toYaml .securityContext | nindent 12 }}
+          {{- with .image }}
+          image: "{{ coalesce $.Values.global.image.registry .registry }}/{{ .repository }}:{{ .tag | default (printf "v%s" $.Chart.AppVersion) }}"
+          imagePullPolicy: {{ coalesce $.Values.global.image.pullPolicy .pullPolicy }}
+          {{- end }}
+          envFrom:
+            - secretRef:
+                name: {{ include "autopush.fullname" $ }}-env
+          env:
+            - name: "AUTOEND__DB_DSN"
+              {{- if $.Values.redis.auth.enabled }}
+              value: "redis://:$(REDIS_HOST_PASSWORD)@$(REDIS_HOST)"
+              {{- else }}
+              value: "redis://$(REDIS_HOST)"
+              {{- end }}
+            - name: "AUTOEND__CRYPTO_KEYS"
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "autopush.fullname" $ }}-env
+                  key: "CRYPTO_KEY"
+          ports:
+            - name: http
+              containerPort: 8000
+              protocol: TCP
+          livenessProbe:
+            {{- toYaml .livenessProbe | nindent 12 }}
+          readinessProbe:
+            {{- toYaml .readinessProbe | nindent 12 }}
+          resources:
+            {{- toYaml .resources | nindent 12 }}
+          {{- with .volumeMounts }}
+          volumeMounts:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+        {{- include "autopush.containerPrometheus" $ | nindent 8 }}
+      {{- with .volumes }}
+      volumes:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+{{- end }}

autopush/templates/autoendpoint/service.yaml

@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "autopush.fullname" . }}-autoendpoint
+  labels:
+    {{- include "autopush.labels" . | nindent 4 }}
+    app.kubernetes.io/metrics: "true"
+spec:
+  type: {{ .Values.autoendpoint.service.type }}
+  selector:
+    {{- include "autopush.selectorLabels" . | nindent 4 }}
+    app.kubernetes.io/component: autoendpoint
+  ports:
+    - port: {{ .Values.autoendpoint.service.port }}
+      targetPort: http
+      protocol: TCP
+      name: http
+    {{- if .Values.prometheus.enabled }}
+    - port: 9100
+      targetPort: metrics
+      protocol: TCP
+      name: metrics
+    {{- end }}

autopush/templates/configmap_grafana_dashboards.yaml

@@ -0,0 +1,14 @@
+{{- if .Values.grafana.dashboards.enabled }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "autopush.fullname" . }}-grafana-dashboards
+  labels:
+    {{- include "autopush.labels" . | nindent 4 }}
+    {{- toYaml .Values.grafana.dashboards.labels | nindent 4 }}
+  annotations:
+    {{- toYaml .Values.grafana.dashboards.annotations | nindent 4 }}
+data:
+  {{- (.Files.Glob "grafana_dashboards/*.json" ).AsConfig | nindent 2 }}
+{{- end }}

autopush/templates/ingress.yaml

@@ -0,0 +1,63 @@
+{{- if .Values.ingress.enabled -}}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ include "autopush.fullname" . }}
+  labels:
+    {{- include "autopush.labels" . | nindent 4 }}
+  {{- with .Values.ingress.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  {{- with .Values.ingress.className }}
+  ingressClassName: {{ . }}
+  {{- end }}
+  {{- with .Values.ingress.tls }}
+  tls:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  rules:
+    - host: {{ .Values.ingress.host | quote }}
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: {{ include "autopush.fullname" $ }}-autoconnect
+                port:
+                  name: http
+    - host: {{ printf "updates.%s" .Values.ingress.host | quote }}
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: {{ include "autopush.fullname" $ }}-autoendpoint
+                port:
+                  name: http
+          {{- with .Values.unifiedPush }}
+          {{- if .enabled }}
+          {{- if .config.gateway.generic.enable }}
+          - path: /generic/
+            pathType: Prefix
+            backend:
+              service:
+                name: {{ include "autopush.fullname" $ }}-unifiedpush
+                port:
+                  name: http
+          {{- end }}
+          {{- if .config.gateway.matrix.enable }}
+          - path: /_matrix/push/v1/notify
+            pathType: Prefix
+            backend:
+              service:
+                name: {{ include "autopush.fullname" $ }}-unifiedpush
+                port:
+                  name: http
+          {{- end }}
+          {{- end }}
+          {{- end }}
+{{- end }}

autopush/templates/prometheus-rules.yaml

@@ -0,0 +1,38 @@
+{{- if and .Values.prometheus.rules.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+  name: {{ include "autopush.fullname" . }}
+  labels:
+    {{- include "autopush.labels" . | nindent 4 }}
+    {{- with .Values.prometheus.rules.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  groups:
+    {{- if .Values.prometheus.rules.default.enabled }}
+    - name: {{ template "autopush.fullname" . }}-Endpoint
+      rules:
+        - alert: "autopush: No Subscription API Error"
+          expr: 'sum(increase(autoendpoint_api_error_no_subscription{}[1h])) without (container,endpoint,pod,instance) > 0'
+          for: 5m
+          labels:
+            severity: critical
+            {{- with .Values.prometheus.rules.default.alertLabels }}
+            {{- toYaml . | nindent 12 }}
+            {{- end }}
+          annotations:
+            {{`
+            summary: "autoendpoint: No Subscription API Error in {{ $labels.namespace }}/{{ $labels.job }} increate in the last hour"
+            `}}
+    {{/*
+    - name: {{ template "autopush.fullname" . }}-Push
+      rules:
+    */}}
+    {{- end }}
+    {{- with .Values.prometheus.rules.additionalRules }}
+    - name: {{ template "autopush.fullname" $ }}-Additional
+      rules:
+        {{- toYaml . | nindent 8 }}
+    {{- end }}
+{{- end }}

autopush/templates/secret.yaml

@@ -0,0 +1,51 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "autopush.fullname" . }}-env
+  annotations:
+    "helm.sh/hook": "pre-install,pre-upgrade"
+type: Opaque
+data:
+  {{/* GLOBAL */}}
+  RUST_BACKTRACE: {{ ternary "1" "0" .Values.config.logs.backtrace | b64enc }}
+  RUST_LOG: {{ .Values.config.logs.level | b64enc }}
+  {{- with .Values.redis }}
+  {{- if .auth.enabled }}
+  {{- with .auth.password }}
+  REDIS_HOST_PASSWORD: {{ . | b64enc }}
+  {{- end }}
+  {{- end }}
+  {{- if .internal }}
+  REDIS_HOST: {{ printf "%s-redis-master:%.0f/%.0f" (include "autopush.fullname" $) .master.service.port .dbid | b64enc }}
+  {{- else }}
+  REDIS_HOST: {{ printf "%s:%s/$.0f" .external.host .external.port .dbid | b64enc }}
+  {{- end }}
+  {{- end }}
+  CRYPTO_KEY: {{ printf "[%s]" .Values.config.cryptoKey | b64enc }}
+  {{/* autoconnect */}}
+  {{- if .Values.ingress.tls }}
+  AUTOCONNECT__ENDPOINT_SCHEME: {{ "https" | b64enc }}
+  AUTOCONNECT__ENDPOINT_PORT: {{ "443" | b64enc }}
+  {{- else }}
+  AUTOCONNECT__ENDPOINT_SCHEME: {{ "http" | b64enc }}
+  AUTOCONNECT__ENDPOINT_PORT: {{ "80" | b64enc }}
+  {{- end }}
+  AUTOCONNECT__ENDPOINT_HOSTNAME: {{ printf "updates.%s" .Values.ingress.host | b64enc }}
+  AUTOCONNECT__ROUTER_HOSTNAME: {{ printf "%s-autoconnect" (include "autopush.fullname" .) | b64enc }}
+  AUTOCONNECT__ROUTER_PORT: {{ toYaml .Values.autoconnect.service.ports.router | b64enc }}
+  {{- if .Values.prometheus.enabled }}
+  AUTOCONNECT__STATSD_HOST: {{ "127.0.0.1" | b64enc}}
+  AUTOCONNECT__STATSD_PORT: {{ "9125" | b64enc }}
+  {{- end }}
+  {{/* autoendpoint */}}
+  AUTOEND__HOST: {{ "::" | b64enc }}
+  {{- if .Values.ingress.tls }}
+  AUTOEND__ENDPOINT_URL: {{ printf "https://updates.%s" .Values.ingress.host | b64enc }}
+  {{- else }}
+  AUTOEND__ENDPOINT_URL: {{ printf "http://updates.%s" .Values.ingress.host | b64enc }}
+  {{- end }}
+  {{- if .Values.prometheus.enabled }}
+  AUTOEND__STATSD_HOST: {{ "127.0.0.1" | b64enc }}
+  AUTOEND__STATSD_PORT: {{ "9125" | b64enc }}
+  {{- end }}

autopush/templates/serviceaccount.yaml

@@ -0,0 +1,13 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "autopush.serviceAccountName" . }}
+  labels:
+    {{- include "autopush.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+automountServiceAccountToken: {{ .Values.serviceAccount.automount }}
+{{- end }}

autopush/templates/servicemonitor.yaml

@@ -0,0 +1,18 @@
+{{- if and .Values.prometheus.enabled .Values.prometheus.servicemonitor.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: {{ include "autopush.fullname" . }}
+  labels:
+    {{- include "autopush.labels" . | nindent 4 }}
+    {{- with .Values.prometheus.servicemonitor.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  selector:
+    matchLabels:
+      {{- include "autopush.selectorLabels" . | nindent 6 }}
+      app.kubernetes.io/metrics: "true"
+  endpoints:
+    - port: metrics
+{{- end }}

autopush/templates/unifiedpush/deployment.yaml

@@ -0,0 +1,97 @@
+{{- with .Values.unifiedPush }}
+{{- if .enabled }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "autopush.fullname" $ }}-unifiedpush
+  labels:
+    {{- include "autopush.labels" $ | nindent 4 }}
+spec:
+  replicas: {{ .replicaCount }}
+  selector:
+    matchLabels:
+      {{- include "autopush.selectorLabels" $ | nindent 6 }}
+      app.kubernetes.io/component: unifiedpush
+  template:
+    metadata:
+      {{- with .podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "autopush.labels" $ | nindent 8 }}
+        app.kubernetes.io/component: unifiedpush
+        {{- with .podLabels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+    spec:
+      {{- with .imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "autopush.serviceAccountName" $ }}
+      securityContext:
+        {{- toYaml .podSecurityContext | nindent 8 }}
+      containers:
+        - name: common-proxies
+          securityContext:
+            {{- toYaml .securityContext | nindent 12 }}
+          {{- with .image }}
+          image: "{{ coalesce $.Values.global.image.registry .registry }}/{{ .repository }}:{{ .tag }}"
+          imagePullPolicy: {{ coalesce $.Values.global.image.pullPolicy .pullPolicy }}
+          {{- end }}
+          env:
+            - name: "UP_LISTEN"
+              value: ":8080"
+            {{- if .config.verbose }}
+            - name: "UP_VERBOSE"
+              value: "true"
+            {{- end }}
+            {{- with .config.uaid }}
+            - name: "UP_UAID"
+              value: {{ . | quote }}
+            {{- end }}
+            {{- if .config.gateway.generic.enable }}
+            - name: "UP_GATEWAY_GENERIC_ENABLE"
+              value: "true"
+            {{- end }}
+            {{- if .config.gateway.matrix.enable }}
+            - name: "UP_GATEWAY_MATRIX_ENABLE"
+              value: "true"
+            {{- end }}
+            {{- with .config.gateway.allowedHosts }}
+            - name: "UP_GATEWAY_ALLOWEDHOSTS"
+              value: {{ join "," . | quote }}
+            {{- end }}
+          ports:
+            - name: http
+              containerPort: 8080
+              protocol: TCP
+          livenessProbe:
+            {{- toYaml .livenessProbe | nindent 12 }}
+          readinessProbe:
+            {{- toYaml .readinessProbe | nindent 12 }}
+          resources:
+            {{- toYaml .resources | nindent 12 }}
+          {{- with .volumeMounts }}
+          volumeMounts:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+      {{- with .volumes }}
+      volumes:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+{{- end }}
+{{- end }}

autopush/templates/unifiedpush/service.yaml

@@ -0,0 +1,19 @@
+{{- if .Values.unifiedPush.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "autopush.fullname" . }}-unifiedpush
+  labels:
+    app.kubernetes.io/metrics: "true"
+    {{- include "autopush.labels" . | nindent 4 }}
+spec:
+  type: {{ .Values.unifiedPush.service.type }}
+  selector:
+    {{- include "autopush.selectorLabels" . | nindent 4 }}
+    app.kubernetes.io/component: unifiedpush
+  ports:
+    - port: {{ .Values.unifiedPush.service.port }}
+      targetPort: http
+      protocol: TCP
+      name: http
+{{- end }}

autopush/values.yaml

@@ -0,0 +1,440 @@
+global:
+  image:
+    # -- if set it will overwrite all registry entries
+    registry:
+    # -- if set it will overwrite all pullPolicy
+    pullPolicy:
+
+# -- This is for the secretes for pulling an image from a private repository more information can be found here: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+imagePullSecrets: []
+# -- This is to override the chart name.
+nameOverride: ""
+fullnameOverride: ""
+
+
+config:
+  logs:
+    # -- set log level of autopush
+    level: warn
+    # -- enable backtrace of autopush
+    backtrace: false
+  # -- run https://github.com/mozilla-services/autopush-rs/blob/master/scripts/fernet_key.py
+  cryptoKey: ""
+
+prometheus:
+  # -- start statsd sidecar and configure
+  enabled: true
+
+  servicemonitor:
+    enabled: false
+    labels: {}
+  rules:
+    enabled: false
+    labels: {}
+    default:
+      enabled: true
+      alertLabels: {}
+    additionalRules: []
+
+  image:
+    registry: docker.io
+    repository: prom/statsd-exporter
+    pullPolicy: IfNotPresent
+    tag: v0.28.0
+
+  # -- securityContext
+  # capabilities:
+  #   drop:
+  #   - ALL
+  # readOnlyRootFilesystem: true
+  # runAsNonRoot: true
+  # runAsUser: 1000
+  securityContext: {}
+
+  # -- We usually recommend not to specify default resources and to leave this as a conscious
+  # choice for the user. This also increases chances charts run on environments with little
+  # resources, such as Minikube. If you do want to specify resources, uncomment the following
+  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+  # limits:
+  #   cpu: 100m
+  #   memory: 128Mi
+  # requests:
+  #   cpu: 100m
+  #   memory: 128Mi
+  resources: {}
+
+  # -- This is to setup the liveness and readiness probes more information can be found here: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
+  livenessProbe:
+    httpGet:
+      path: /
+      port: metrics
+  readinessProbe:
+    httpGet:
+      path: /
+      port: metrics
+
+  # -- Additional volumeMounts on the output Deployment definition.
+  # - name: foo
+  #   mountPath: "/etc/foo"
+  #   readOnly: true
+  volumeMounts: []
+
+grafana:
+  dashboards:
+    enabled: false
+    labels:
+      grafana_dashboard: "1"
+    annotations: {}
+
+## This configuration is for the internal Redis that's deployed for use with
+## workers/sharding, for an external Redis server you want to set enabled to
+## false and configure the externalRedis block.
+##
+redis:
+  internal: true
+  # -- Database ID for non-default database
+  dbid: 0
+
+  auth:
+    enabled: true
+    # -- XXX Change me!
+    password: autopush
+    # -- name of an existing secret with Redis credentials (instead of auth.password), must be created ahead of time
+    existingSecret: ""
+    # -- Password key to be retrieved from existing secret
+    existingSecretPasswordKey: ""
+
+  external:
+    host: redis
+    port: 6379
+
+    # -- Password key to be retrieved from existing secret
+    existingSecretPasswordKey: redis-password
+
+
+  architecture: standalone
+  global:
+    storageClass: ""
+  master:
+    persistence:
+      enabled: true
+    service:
+      port: 6379
+  replica:
+    persistence:
+      enabled: true
+
+autoconnect:
+  # -- This will set the replicaset count more information can be found here: https://kubernetes.io/docs/concepts/workloads/controllers/replicaset/
+  # @section -- Autoconnect
+  replicaCount: 1
+  image:
+    # -- image registry (could be overwritten by global.image.registry)
+    # @section -- Autoconnect
+    registry: codeberg.org
+    # -- image repository
+    # @section -- Autoconnect
+    repository: wrenix/autopush/autoconnect
+    # -- This sets the pull policy for images. (could be overwritten by global.image.pullPolicy)
+    # @section -- Autoconnect
+    pullPolicy: IfNotPresent
+    # -- image tag - Overrides the image tag whose default is the chart appVersion.
+    # @section -- Autoconnect
+    tag: latest
+  # -- This is for setting Kubernetes Annotations to a Pod.
+  # For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+  # @section -- Autoconnect
+  podAnnotations: {}
+  # -- This is for setting Kubernetes Labels to a Pod.
+  # For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+  # @section -- Autoconnect
+  podLabels: {}
+
+  nodeSelector: {}
+
+  tolerations: []
+
+  affinity: {}
+
+  podSecurityContext: {}
+    # fsGroup: 2000
+
+  # -- securityContext
+  # capabilities:
+  #   drop:
+  #   - ALL
+  # readOnlyRootFilesystem: true
+  # runAsNonRoot: true
+  # runAsUser: 1000
+  # @section -- Autoconnect
+  securityContext: {}
+
+  # This is for setting up a service more information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/
+  service:
+    # -- This sets the service type more information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
+    # @section -- Autoconnect
+    type: ClusterIP
+    # This sets the ports more information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/#field-spec-ports
+    ports:
+      # -- port of http service
+      # @section -- Autoconnect
+      http: 80
+      # -- port of internal router service
+        # @section -- Autoconnect
+      router: 8081
+
+  # -- We usually recommend not to specify default resources and to leave this as a conscious
+  # choice for the user. This also increases chances charts run on environments with little
+  # resources, such as Minikube. If you do want to specify resources, uncomment the following
+  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+  # limits:
+  #   cpu: 100m
+  #   memory: 128Mi
+  # requests:
+  #   cpu: 100m
+  #   memory: 128Mi
+  # @section -- Autoconnect
+  resources: {}
+
+  # -- This is to setup the liveness probes more information can be found here: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
+  # @section -- Autoconnect
+  livenessProbe:
+    httpGet:
+      path: /health
+      port: http
+  # -- This is to setup the readiness probes more information can be found here: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
+  # @section -- Autoconnect
+  readinessProbe:
+    httpGet:
+      path: /health
+      port: http
+
+  # -- Additional volumeMounts on the output Deployment definition.
+  # - name: foo
+  #   mountPath: "/etc/foo"
+  #   readOnly: true
+  # @section -- Autoconnect
+  volumeMounts: []
+
+autoendpoint:
+  # -- This will set the replicaset count more information can be found here: https://kubernetes.io/docs/concepts/workloads/controllers/replicaset/
+  # @section -- Autoendpoint
+  replicaCount: 1
+  image:
+    # -- image registry (could be overwritten by global.image.registry)
+    # @section -- Autoendpoint
+    registry: codeberg.org
+    # -- image repository
+    # @section -- Autoendpoint
+    repository: wrenix/autopush/autoendpoint
+    # -- This sets the pull policy for images. (could be overwritten by global.image.pullPolicy)
+    # @section -- Autoendpoint
+    pullPolicy: IfNotPresent
+    # -- image tag - Overrides the image tag whose default is the chart appVersion.
+    # @section -- Autoendpoint
+    tag: latest
+
+  # -- This is for setting Kubernetes Annotations to a Pod.
+  # For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+  # @section -- Autoendpoint
+  podAnnotations: {}
+  # -- This is for setting Kubernetes Labels to a Pod.
+  # For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+  # @section -- Autoendpoint
+  podLabels: {}
+
+  nodeSelector: {}
+
+  tolerations: []
+
+  affinity: {}
+
+  podSecurityContext: {}
+    # fsGroup: 2000
+
+  securityContext: {}
+    # capabilities:
+    #   drop:
+    #   - ALL
+    # readOnlyRootFilesystem: true
+    # runAsNonRoot: true
+    # runAsUser: 1000
+
+  # This is for setting up a service more information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/
+  service:
+    # -- This sets the service type more information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
+    # @section -- Autoendpoint
+    type: ClusterIP
+    # -- This sets the ports more information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/#field-spec-ports
+    # @section -- Autoendpoint
+    port: 80
+
+  # -- We usually recommend not to specify default resources and to leave this as a conscious
+  # choice for the user. This also increases chances charts run on environments with little
+  # resources, such as Minikube. If you do want to specify resources, uncomment the following
+  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+  # limits:
+  #   cpu: 100m
+  #   memory: 128Mi
+  # requests:
+  #   cpu: 100m
+  #   memory: 128Mi
+  # @section -- Autoendpoint
+  resources: {}
+
+  # -- This is to setup the liveness probes more information can be found here: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
+  # @section -- Autoendpoint
+  livenessProbe:
+    httpGet:
+      path: /health
+      port: http
+  # -- This is to setup the readiness probes more information can be found here: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
+  # @section -- Autoendpoint
+  readinessProbe:
+    httpGet:
+      path: /health
+      port: http
+
+  # -- Additional volumeMounts on the output Deployment definition.
+  # - name: foo
+  #   mountPath: "/etc/foo"
+  #   readOnly: true
+  # @section -- Autoendpoint
+  volumeMounts: []
+
+unifiedPush:
+  # -- enable/deploy common-proxy for unifiedpush
+  # @section -- UnifiedPush
+  enabled: false
+  # -- This will set the replicaset count more information can be found here: https://kubernetes.io/docs/concepts/workloads/controllers/replicaset/
+  # @section -- UnifiedPush
+  replicaCount: 1
+  image:
+    # -- image registry (could be overwritten by global.image.registry)
+    # @section -- UnifiedPush
+    registry: docker.io
+    # -- image repository
+    # @section -- UnifiedPush
+    repository: unifiedpush/common-proxies
+    # -- This sets the pull policy for images. (could be overwritten by global.image.pullPolicy)
+    # @section -- UnifiedPush
+    pullPolicy: IfNotPresent
+    # -- image tag
+    # @section -- UnifiedPush
+    tag: "v2.2.0"
+
+  config:
+    verbose: false
+    uaid: ""
+    gateway:
+      generic:
+        enable: true
+      matrix:
+        enable: true
+      allowedHosts: []
+
+  # -- This is for setting Kubernetes Annotations to a Pod.
+  # For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+  # @section -- UnifiedPush
+  podAnnotations: {}
+  # -- This is for setting Kubernetes Labels to a Pod.
+  # For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+  # @section -- UnifiedPush
+  podLabels: {}
+
+  nodeSelector: {}
+
+  tolerations: []
+
+  affinity: {}
+
+  podSecurityContext: {}
+    # fsGroup: 2000
+
+  securityContext: {}
+    # capabilities:
+    #   drop:
+    #   - ALL
+    # readOnlyRootFilesystem: true
+    # runAsNonRoot: true
+    # runAsUser: 1000
+
+  # This is for setting up a service more information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/
+  service:
+    # -- This sets the service type more information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
+    # @section -- UnifiedPush
+    type: ClusterIP
+    # -- This sets the ports more information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/#field-spec-ports
+    # @section -- UnifiedPush
+    port: 80
+
+  # -- We usually recommend not to specify default resources and to leave this as a conscious
+  # choice for the user. This also increases chances charts run on environments with little
+  # resources, such as Minikube. If you do want to specify resources, uncomment the following
+  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+  # limits:
+  #   cpu: 100m
+  #   memory: 128Mi
+  # requests:
+  #   cpu: 100m
+  #   memory: 128Mi
+  # @section -- UnifiedPush
+  resources: {}
+
+  # -- This is to setup the liveness more information can be found here: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
+  # @section -- UnifiedPush
+  livenessProbe:
+    httpGet:
+      path: /health
+      port: http
+  # -- This is to setup the readiness probes more information can be found here: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
+  # @section -- UnifiedPush
+  readinessProbe:
+    httpGet:
+      path: /health
+      port: http
+
+  # -- Additional volumeMounts on the output Deployment definition.
+  # - name: foo
+  #   mountPath: "/etc/foo"
+  #   readOnly: true
+  # @section -- UnifiedPush
+  volumeMounts: []
+
+
+# This section builds out the service account more information can be found here: https://kubernetes.io/docs/concepts/security/service-accounts/
+serviceAccount:
+  # -- Specifies whether a service account should be created
+  # @section -- UnifiedPush
+  create: true
+  # -- Automatically mount a ServiceAccount's API credentials?
+  # @section -- UnifiedPush
+  automount: true
+  # -- Annotations to add to the service account
+  # @section -- UnifiedPush
+  annotations: {}
+  # -- The name of the service account to use.
+  # If not set and create is true, a name is generated using the fullname template
+  # @section -- UnifiedPush
+  name: ""
+
+# This block is for setting up the ingress for more information can be found here: https://kubernetes.io/docs/concepts/services-networking/ingress/
+ingress:
+  enabled: false
+  className: ""
+  annotations: {}
+    # kubernetes.io/ingress.class: nginx
+    # kubernetes.io/tls-acme: "true"
+  host: chart-example.local
+  tls: []
+  #  - secretName: chart-example-tls
+  #    hosts:
+  #      - chart-example.local
+
+
+# -- Additional volumes on the output Deployment definition.
+# - name: foo
+#   secret:
+#     secretName: mysecret
+#     optional: false
+volumes: []

conduit/Chart.yaml

@@ -3,7 +3,7 @@ name: conduit
 description: Conduit is a simple, fast and reliable chat server powered by Matrix.
 icon: https://conduit.rs/conduit.svg
 type: application
-version: "1.0.2"
+version: "1.0.4"
 # renovate: image=docker.io/matrixconduit/matrix-conduit
 appVersion: "0.9.0"
 maintainers:

conduit/README.md

@@ -7,7 +7,7 @@ description: "Conduit is a simple, fast and reliable chat server powered by Matr
 
 # conduit
 
-![Version: 1.0.2](https://img.shields.io/badge/Version-1.0.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.9.0](https://img.shields.io/badge/AppVersion-0.9.0-informational?style=flat-square)
+![Version: 1.0.4](https://img.shields.io/badge/Version-1.0.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.9.0](https://img.shields.io/badge/AppVersion-0.9.0-informational?style=flat-square)
 
 Conduit is a simple, fast and reliable chat server powered by Matrix.
 
@@ -41,6 +41,36 @@ helm uninstall conduit-release
 
 ## Values
 
+### well known
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| wellknown.affinity | object | `{}` | pod affinity |
+| wellknown.client | object | `{"m.homeserver":{"base_url":"https://your.server.name/"},"org.matrix.msc3575.proxy":{"url":"https://your.server.name/"}}` | client entry in well-known |
+| wellknown.containerPort | int | `80` | port webservice |
+| wellknown.enabled | bool | `false` | enable/deploy add extra webservice for well-known urls |
+| wellknown.env | list | `[]` | pod env |
+| wellknown.image.pullPolicy | string | `"IfNotPresent"` | This sets the pull policy for images. (could be overwritten by global.image.pullPolicy) |
+| wellknown.image.registry | string | `"docker.io"` | image registry (could be overwritten by global.image.registry) |
+| wellknown.image.repository | string | `"library/nginx"` | image repository |
+| wellknown.image.tag | string | `"1.27.4"` | image tag |
+| wellknown.nginxServerConf | string | `"server {\n    listen       {{ .containerPort }};\n    server_name  localhost;\n\n    location /.well-known/matrix/server {\n      return 200 {{ toJson .server | quote }};\n      types { } default_type \"application/json; charset=utf-8\";\n    }\n\n    location /.well-known/matrix/client {\n      return 200 {{ toJson .client | quote }};\n      types { } default_type \"application/json; charset=utf-8\";\n      add_header \"Access-Control-Allow-Origin\" *;\n    }\n\n    location / {\n      # return 200 'Welcome to the your.server.name conduit server!';\n      # types { } default_type \"text/plain; charset=utf-8\";\n      return 404;\n    }\n\n    location /nginx_health {\n      return 200 'OK';\n      types { } default_type \"text/plain; charset=utf-8\";\n    }\n}"` | nginx config |
+| wellknown.nodeSelector | object | `{}` | pod node selector |
+| wellknown.podAnnotations | list | `[]` | pod annotations |
+| wellknown.podLabels | object | `{}` | pod labels |
+| wellknown.podSecurityContext | object | `{}` | securityContext of Pod |
+| wellknown.replicaCount | int | `1` | replicas |
+| wellknown.resources | object | `{}` | pod resources |
+| wellknown.rewriteRoot | bool | `false` | if ingress is enabled: specifies whether ingress should redirect the `/`-Location to the wellknown server |
+| wellknown.securityContext | object | `{}` | securityContext of container |
+| wellknown.server | object | `{"m.server":"your.server.name:443"}` | server entry in well-known |
+| wellknown.service.annotations | object | `{}` | annotations of service |
+| wellknown.service.port | int | `8080` | port of service |
+| wellknown.service.type | string | `"ClusterIP"` | service type |
+| wellknown.tolerations | list | `[]` | pod tolerations |
+
+### Other Values
+
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | affinity | object | `{}` |  |
@@ -62,10 +92,12 @@ helm uninstall conduit-release
 | conduit.wellKnown.client | string | `""` | client well-known configuration in conduit |
 | conduit.wellKnown.server | string | `"https://your.server.name"` | server well-known configuration in conduit |
 | fullnameOverride | string | `""` |  |
-| image.pullPolicy | string | `"IfNotPresent"` |  |
-| image.registry | string | `"docker.io"` |  |
-| image.repository | string | `"matrixconduit/matrix-conduit"` |  |
-| image.tag | string | `""` |  |
+| global.image.pullPolicy | string | `nil` | if set it will overwrite all pullPolicy |
+| global.image.registry | string | `nil` | if set it will overwrite all registry entries |
+| image.pullPolicy | string | `"IfNotPresent"` | This sets the pull policy for images. (could be overwritten by global.image.pullPolicy) |
+| image.registry | string | `"docker.io"` | image registry (could be overwritten by global.image.registry) |
+| image.repository | string | `"matrixconduit/matrix-conduit"` | image repository |
+| image.tag | string | `""` | image tag - Overrides the image tag whose default is the chart appVersion. |
 | imagePullSecrets | list | `[]` |  |
 | ingress.annotations | object | `{}` |  |
 | ingress.className | string | `""` |  |
@@ -86,7 +118,7 @@ helm uninstall conduit-release
 | podAnnotations | object | `{}` |  |
 | podLabels | object | `{}` |  |
 | podSecurityContext | object | `{}` |  |
-| replicaCount | int | `1` |  |
+| replicaCount | int | `1` | replicas |
 | resources | object | `{}` |  |
 | securityContext | object | `{}` |  |
 | service.port | int | `6167` |  |
@@ -95,28 +127,5 @@ helm uninstall conduit-release
 | serviceAccount.create | bool | `true` |  |
 | serviceAccount.name | string | `""` |  |
 | tolerations | list | `[]` |  |
-| wellknown.affinity | object | `{}` |  |
-| wellknown.client | object | `{"m.homeserver":{"base_url":"https://your.server.name/"},"org.matrix.msc3575.proxy":{"url":"https://your.server.name/"}}` | client entry in well-known |
-| wellknown.containerPort | int | `80` |  |
-| wellknown.enabled | bool | `false` |  |
-| wellknown.env | list | `[]` |  |
-| wellknown.image.pullPolicy | string | `"IfNotPresent"` |  |
-| wellknown.image.registry | string | `"docker.io"` |  |
-| wellknown.image.repository | string | `"library/nginx"` |  |
-| wellknown.image.tag | string | `"1.27.3"` |  |
-| wellknown.nginxServerConf | string | `"server {\n    listen       {{ .containerPort }};\n    server_name  localhost;\n\n    location /.well-known/matrix/server {\n      return 200 {{ toJson .server | quote }};\n      types { } default_type \"application/json; charset=utf-8\";\n    }\n\n    location /.well-known/matrix/client {\n      return 200 {{ toJson .client | quote }};\n      types { } default_type \"application/json; charset=utf-8\";\n      add_header \"Access-Control-Allow-Origin\" *;\n    }\n\n    location / {\n      # return 200 'Welcome to the your.server.name conduit server!';\n      # types { } default_type \"text/plain; charset=utf-8\";\n      return 404;\n    }\n\n    location /nginx_health {\n      return 200 'OK';\n      types { } default_type \"text/plain; charset=utf-8\";\n    }\n}"` | nginx config |
-| wellknown.nodeSelector | object | `{}` |  |
-| wellknown.podAnnotations | list | `[]` |  |
-| wellknown.podLabels | object | `{}` |  |
-| wellknown.podSecurityContext | object | `{}` |  |
-| wellknown.replicaCount | int | `1` |  |
-| wellknown.resources | object | `{}` |  |
-| wellknown.rewriteRoot | bool | `false` | if ingress is enabled: specifies whether ingress should redirect the `/`-Location to the wellknown server |
-| wellknown.securityContext | object | `{}` |  |
-| wellknown.server | object | `{"m.server":"your.server.name:443"}` | server entry in well-known |
-| wellknown.service.annotations | object | `{}` |  |
-| wellknown.service.port | int | `8080` |  |
-| wellknown.service.type | string | `"ClusterIP"` |  |
-| wellknown.tolerations | list | `[]` |  |
 
 Autogenerated from chart metadata using [helm-docs](https://github.com/norwoodj/helm-docs)

conduit/templates/deployment.yaml

@@ -39,9 +39,9 @@ spec:
           securityContext:
             {{- toYaml .Values.securityContext | nindent 12 }}
           {{- with .Values.image }}
-          image: "{{ .registry }}/{{ .repository }}:{{ .tag | default (printf "v%s" $.Chart.AppVersion) }}"
+          image: "{{ coalesce $.Values.global.image.registry .registry }}/{{ .repository }}:{{ .tag | default $.Chart.AppVersion }}"
+          imagePullPolicy: {{ coalesce $.Values.global.image.pullPolicy .pullPolicy }}
           {{- end }}
-          imagePullPolicy: {{ .Values.image.pullPolicy }}
           ports:
             - name: http
               containerPort: {{ .Values.service.port }}

conduit/templates/wellknown/deployment.yaml

@@ -38,9 +38,9 @@ spec:
           securityContext:
             {{- toYaml .Values.wellknown.securityContext | nindent 12 }}
           {{- with .Values.wellknown.image }}
-          image: "{{ .registry }}/{{ .repository }}:{{ .tag }}"
+          image: "{{ coalesce $.Values.global.image.registry .registry }}/{{ .repository }}:{{ .tag | default $.Chart.AppVersion }}"
+          imagePullPolicy: {{ coalesce $.Values.global.image.pullPolicy .pullPolicy }}
           {{- end }}
-          imagePullPolicy: {{ .Values.wellknown.image.pullPolicy }}
           ports:
             - name: http
               containerPort: {{ .Values.wellknown.containerPort }}

conduit/values.yaml

@@ -1,14 +1,22 @@
-# Default values for conduit.
-# This is a YAML-formatted file.
-# Declare variables to be passed into your templates.
+global:
+  image:
+    # -- if set it will overwrite all registry entries
+    registry:
+    # -- if set it will overwrite all pullPolicy
+    pullPolicy:
 
+
+# -- replicas
 replicaCount: 1
 
 image:
+  # -- image registry (could be overwritten by global.image.registry)
   registry: docker.io
+  # -- image repository
   repository: matrixconduit/matrix-conduit
+  # -- This sets the pull policy for images. (could be overwritten by global.image.pullPolicy)
   pullPolicy: IfNotPresent
-  # Overrides the image tag whose default is the chart appVersion.
+  # -- image tag - Overrides the image tag whose default is the chart appVersion.
   tag: ""
 
 imagePullSecrets: []
@@ -47,37 +55,78 @@ conduit:
     server: "https://your.server.name"
 
 wellknown:
+  # -- enable/deploy add extra webservice for well-known urls
+  # @section -- well known
   enabled: false
   image:
+    # -- image registry (could be overwritten by global.image.registry)
+    # @section -- well known
     registry: docker.io
+    # -- image repository
+    # @section -- well known
     repository: library/nginx
+    # -- This sets the pull policy for images. (could be overwritten by global.image.pullPolicy)
+    # @section -- well known
     pullPolicy: IfNotPresent
-    tag: "1.27.3"
+    # -- image tag
+    # @section -- well known
+    tag: "1.27.4"
 
+  # -- replicas
+  # @section -- well known
   replicaCount: 1
+  # -- pod labels
+  # @section -- well known
   podLabels: {}
+  # -- pod annotations
+  # @section -- well known
   podAnnotations: []
+  # -- securityContext of Pod
+  # @section -- well known
   podSecurityContext: {}
+  # -- securityContext of container
+  # @section -- well known
   securityContext: {}
+  # -- port webservice
+  # @section -- well known
   containerPort: 80
+  # -- pod env
+  # @section -- well known
   env: []
+  # -- pod resources
+  # @section -- well known
   resources: {}
+  # -- pod node selector
+  # @section -- well known
   nodeSelector: {}
+  # -- pod tolerations
+  # @section -- well known
   tolerations: []
+  # -- pod affinity
+  # @section -- well known
   affinity: {}
 
   service:
+    # -- service type
+    # @section -- well known
     type: ClusterIP
+    # -- port of service
+    # @section -- well known
     port: 8080
+    # -- annotations of service
+    # @section -- well known
     annotations: {}
 
   # -- if ingress is enabled: specifies whether ingress should redirect the `/`-Location to the wellknown server
+  # @section -- well known
   rewriteRoot: false
 
   # -- server entry in well-known
+  # @section -- well known
   server:
     "m.server": "your.server.name:443"
   # -- client entry in well-known
+  # @section -- well known
   client:
     "m.homeserver":
       "base_url": "https://your.server.name/"
@@ -85,6 +134,7 @@ wellknown:
       "url": "https://your.server.name/"
 
   # -- nginx config
+  # @section -- well known
   nginxServerConf: |-
       server {
           listen       {{ .containerPort }};

element-call/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: element-call
 description: Run Element-Call and his dependencies
 type: application
-version: "0.1.7"
+version: "0.1.8"
 # renovate: image=ghcr.io/element-hq/element-call
 appVersion: "0.7.1"
 maintainers:

element-call/README.md

@@ -7,7 +7,7 @@ description: "Run Element-Call and his dependencies"
 
 # element-call
 
-![Version: 0.1.7](https://img.shields.io/badge/Version-0.1.7-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.7.1](https://img.shields.io/badge/AppVersion-0.7.1-informational?style=flat-square)
+![Version: 0.1.8](https://img.shields.io/badge/Version-0.1.8-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.7.1](https://img.shields.io/badge/AppVersion-0.7.1-informational?style=flat-square)
 
 Run Element-Call and his dependencies
 
@@ -41,6 +41,29 @@ helm uninstall element-call-release
 
 ## Values
 
+### livekit JWT
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| service.lkJWT.config.key | string | `"devkey"` | key to livekit |
+| service.lkJWT.config.secret | string | `"secret"` | secret to livekit |
+| service.lkJWT.config.url | string | `""` | url to livekit |
+| service.lkJWT.enabled | bool | `true` | enable to deploy livekit jwt service for element-call |
+| service.lkJWT.image.pullPolicy | string | `"IfNotPresent"` | This sets the pull policy for images. (could be overwritten by global.image.pullPolicy) |
+| service.lkJWT.image.registry | string | `"ghcr.io"` | image registry (could be overwritten by global.image.registry) |
+| service.lkJWT.image.repository | string | `"element-hq/lk-jwt-service"` | image repository |
+| service.lkJWT.image.tag | string | `"sha-4a29504"` | image tag |
+| service.lkJWT.networkPolicy.egress.enabled | bool | `false` | activate egress no networkpolicy |
+| service.lkJWT.networkPolicy.egress.extra | list | `[]` | egress rules |
+| service.lkJWT.networkPolicy.ingress.http | list | `[]` | ingress for http port (e.g. ingress-controller) |
+| service.lkJWT.replicaCount | int | `1` | replicas |
+| service.lkJWT.serviceAccount.annotations | object | `{}` | Annotations to add to the service account |
+| service.lkJWT.serviceAccount.automount | bool | `true` | Automatically mount a ServiceAccount's API credentials? |
+| service.lkJWT.serviceAccount.create | bool | `true` | Specifies whether a service account should be created |
+| service.lkJWT.serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template |
+
+### Other Values
+
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | autoscaling.enabled | bool | `false` |  |
@@ -58,10 +81,10 @@ helm uninstall element-call-release
 | nameOverride | string | `""` |  |
 | service.call.affinity | object | `{}` |  |
 | service.call.config | object | `{}` |  |
-| service.call.image.pullPolicy | string | `"IfNotPresent"` |  |
-| service.call.image.registry | string | `"ghcr.io"` |  |
-| service.call.image.repository | string | `"element-hq/element-call"` |  |
-| service.call.image.tag | string | `nil` | Overrides the image tag whose default is the chart appVersion. |
+| service.call.image.pullPolicy | string | `"IfNotPresent"` | This sets the pull policy for images. (could be overwritten by global.image.pullPolicy) |
+| service.call.image.registry | string | `"ghcr.io"` | image registry (could be overwritten by global.image.registry) |
+| service.call.image.repository | string | `"element-hq/element-call"` | image repository |
+| service.call.image.tag | string | `nil` | image tag - Overrides the image tag whose default is the chart appVersion |
 | service.call.ingress.host | string | `nil` |  |
 | service.call.livenessProbe.httpGet.path | string | `"/"` |  |
 | service.call.livenessProbe.httpGet.port | string | `"http"` |  |
@@ -75,7 +98,7 @@ helm uninstall element-call-release
 | service.call.podSecurityContext | object | `{}` |  |
 | service.call.readinessProbe.httpGet.path | string | `"/"` |  |
 | service.call.readinessProbe.httpGet.port | string | `"http"` |  |
-| service.call.replicaCount | int | `1` |  |
+| service.call.replicaCount | int | `1` | replicas |
 | service.call.resources | object | `{}` |  |
 | service.call.securityContext | object | `{}` |  |
 | service.call.serviceAccount.annotations | object | `{}` |  |
@@ -84,34 +107,18 @@ helm uninstall element-call-release
 | service.call.serviceAccount.name | string | `""` |  |
 | service.call.tolerations | list | `[]` |  |
 | service.lkJWT.affinity | object | `{}` |  |
-| service.lkJWT.config.key | string | `"devkey"` |  |
-| service.lkJWT.config.secret | string | `"secret"` |  |
-| service.lkJWT.config.url | string | `""` |  |
-| service.lkJWT.enabled | bool | `true` |  |
-| service.lkJWT.image.pullPolicy | string | `"IfNotPresent"` |  |
-| service.lkJWT.image.registry | string | `"ghcr.io"` |  |
-| service.lkJWT.image.repository | string | `"element-hq/lk-jwt-service"` |  |
-| service.lkJWT.image.tag | string | `"sha-4a29504"` |  |
 | service.lkJWT.ingress.host | string | `nil` |  |
 | service.lkJWT.livenessProbe.httpGet.path | string | `"/healthz"` |  |
 | service.lkJWT.livenessProbe.httpGet.port | string | `"http"` |  |
-| service.lkJWT.networkPolicy.egress.enabled | bool | `false` | activate egress no networkpolicy |
-| service.lkJWT.networkPolicy.egress.extra | list | `[]` | egress rules |
 | service.lkJWT.networkPolicy.enabled | bool | `false` |  |
-| service.lkJWT.networkPolicy.ingress.http | list | `[]` | ingress for http port (e.g. ingress-controller) |
 | service.lkJWT.nodeSelector | object | `{}` |  |
 | service.lkJWT.podAnnotations | object | `{}` |  |
 | service.lkJWT.podLabels | object | `{}` |  |
 | service.lkJWT.podSecurityContext | object | `{}` |  |
 | service.lkJWT.readinessProbe.httpGet.path | string | `"/healthz"` |  |
 | service.lkJWT.readinessProbe.httpGet.port | string | `"http"` |  |
-| service.lkJWT.replicaCount | int | `1` |  |
 | service.lkJWT.resources | object | `{}` |  |
 | service.lkJWT.securityContext | object | `{}` |  |
-| service.lkJWT.serviceAccount.annotations | object | `{}` |  |
-| service.lkJWT.serviceAccount.automount | bool | `true` |  |
-| service.lkJWT.serviceAccount.create | bool | `true` |  |
-| service.lkJWT.serviceAccount.name | string | `""` |  |
 | service.lkJWT.tolerations | list | `[]` |  |
 
 Autogenerated from chart metadata using [helm-docs](https://github.com/norwoodj/helm-docs)

element-call/values.yaml

@@ -27,12 +27,16 @@ autoscaling:
 
 service:
   call:
+    # -- replicas
     replicaCount: 1
     image:
+      # -- image registry (could be overwritten by global.image.registry)
       registry: ghcr.io
+      # -- image repository
       repository: element-hq/element-call
+      # -- This sets the pull policy for images. (could be overwritten by global.image.pullPolicy)
       pullPolicy: IfNotPresent
-      # -- Overrides the image tag whose default is the chart appVersion.
+      # -- image tag - Overrides the image tag whose default is the chart appVersion
       tag:
     config: {}
     ingress:
@@ -85,16 +89,34 @@ service:
     affinity: {}
 
   lkJWT:
+    # -- enable to deploy livekit jwt service for element-call
+    # @section -- livekit JWT
     enabled: true
+    # -- replicas
+    # @section -- livekit JWT
     replicaCount: 1
     image:
+      # -- image registry (could be overwritten by global.image.registry)
+      # @section -- livekit JWT
       registry: ghcr.io
+      # -- image repository
+      # @section -- livekit JWT
       repository: element-hq/lk-jwt-service
+      # -- This sets the pull policy for images. (could be overwritten by global.image.pullPolicy)
+      # @section -- livekit JWT
       pullPolicy: IfNotPresent
+      # -- image tag
+      # @section -- livekit JWT
       tag: sha-4a29504
     config:
+      # -- url to livekit
+      # @section -- livekit JWT
       url: ""
+      # -- key to livekit
+      # @section -- livekit JWT
       key: "devkey"
+      # -- secret to livekit
+      # @section -- livekit JWT
       secret: "secret"
     ingress:
       host:
@@ -102,11 +124,14 @@ service:
       enabled: false
       ingress:
         # -- ingress for http port (e.g. ingress-controller)
+        # @section -- livekit JWT
         http: []
       egress:
         # -- activate egress no networkpolicy
+        # @section -- livekit JWT
         enabled: false
         # -- egress rules
+        # @section -- livekit JWT
         extra: []
     livenessProbe:
       httpGet:
@@ -118,14 +143,18 @@ service:
         port: http
     resources: {}
     serviceAccount:
-      # Specifies whether a service account should be created
+      # -- Specifies whether a service account should be created
+      # @section -- livekit JWT
       create: true
-      # Automatically mount a ServiceAccount's API credentials?
+      # -- Automatically mount a ServiceAccount's API credentials?
+      # @section -- livekit JWT
       automount: true
-      # Annotations to add to the service account
+      # -- Annotations to add to the service account
+      # @section -- livekit JWT
       annotations: {}
-      # The name of the service account to use.
+      # -- The name of the service account to use.
       # If not set and create is true, a name is generated using the fullname template
+      # @section -- livekit JWT
       name: ""
 
     podAnnotations: {}

forgejo-runner/Chart.yaml

@@ -2,9 +2,9 @@ apiVersion: v2
 name: forgejo-runner
 description: Deploy runner for an forgejo instance (default codeberg.org)
 type: application
-version: "0.4.7"
+version: "0.4.18"
 # renovate: image=code.forgejo.org/forgejo/runner
-appVersion: "5.0.4"
+appVersion: "6.2.2"
 maintainers:
   - name: WrenIX
     url: https://wrenix.eu

forgejo-runner/README.md

@@ -7,7 +7,7 @@ description: "Deploy runner for an forgejo instance (default codeberg.org)"
 
 # forgejo-runner
 
-![Version: 0.4.7](https://img.shields.io/badge/Version-0.4.7-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 5.0.4](https://img.shields.io/badge/AppVersion-5.0.4-informational?style=flat-square)
+![Version: 0.4.18](https://img.shields.io/badge/Version-0.4.18-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 6.2.2](https://img.shields.io/badge/AppVersion-6.2.2-informational?style=flat-square)
 
 Deploy runner for an forgejo instance (default codeberg.org)
 
@@ -76,6 +76,16 @@ helm uninstall forgejo-runner-release
 
 ## Values
 
+### Docker in Docker
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| dind.image.pullPolicy | string | `"IfNotPresent"` | This sets the pull policy for images. (could be overwritten by global.image.pullPolicy) |
+| dind.image.registry | string | `"docker.io"` | image registry (could be overwritten by global.image.registry) |
+| dind.image.repository | string | `"library/docker"` | image repository |
+| dind.image.tag | string | `"28.0.0-dind"` | image tag |
+| dind.resources | object | `{}` | We usually recommend not to specify default resources and to leave this as a conscious choice for the user. This also increases chances charts run on environments with little resources, such as Minikube. If you do want to specify resources, uncomment the following lines, adjust them as necessary, and remove the curly braces after 'resources:'. limits:   cpu: 100m   memory: 128Mi requests:   cpu: 100m   memory: 128Mi |
+
 ### Configuration yaml of runner (see: https://code.forgejo.org/forgejo/runner/src/branch/main/internal/pkg/config/config.example.yaml)
 
 | Key | Type | Default | Description |
@@ -116,28 +126,26 @@ helm uninstall forgejo-runner-release
 | autoscaling.maxReplicas | int | `100` |  |
 | autoscaling.minReplicas | int | `1` |  |
 | autoscaling.targetCPUUtilizationPercentage | int | `80` |  |
-| dind.image.pullPolicy | string | `"IfNotPresent"` |  |
-| dind.image.registry | string | `"docker.io"` |  |
-| dind.image.repository | string | `"library/docker"` |  |
-| dind.image.tag | string | `"27.4.1-dind"` |  |
 | extraEnvVars | list | `[]` | Additional environment variables to be set on runner container Example: extraEnvVars:   - name: FOO     value: "bar"  |
 | fullnameOverride | string | `""` |  |
-| image.pullPolicy | string | `"IfNotPresent"` |  |
-| image.registry | string | `"code.forgejo.org"` |  |
-| image.repository | string | `"forgejo/runner"` |  |
-| image.tag | string | `""` |  |
+| global.image.pullPolicy | string | `nil` | if set it will overwrite all pullPolicy |
+| global.image.registry | string | `nil` | if set it will overwrite all registry entries |
+| image.pullPolicy | string | `"IfNotPresent"` | This sets the pull policy for images. (could be overwritten by global.image.pullPolicy) |
+| image.registry | string | `"code.forgejo.org"` | image registry (could be overwritten by global.image.registry) |
+| image.repository | string | `"forgejo/runner"` | image repository |
+| image.tag | string | `""` | image tag - Overrides the image tag whose default is the chart appVersion. |
 | imagePullSecrets | list | `[]` |  |
 | kubectl.image.pullPolicy | string | `"IfNotPresent"` |  |
 | kubectl.image.registry | string | `"docker.io"` |  |
 | kubectl.image.repository | string | `"bitnami/kubectl"` |  |
-| kubectl.image.tag | string | `"1.32.0"` |  |
+| kubectl.image.tag | string | `"1.32.2"` |  |
 | nameOverride | string | `""` |  |
 | nodeSelector | object | `{}` |  |
 | podAnnotations | object | `{}` |  |
 | podLabels | object | `{}` |  |
 | podSecurityContext | object | `{}` |  |
-| replicaCount | int | `1` |  |
-| resources | object | `{}` |  |
+| replicaCount | int | `1` | replicas |
+| resources | object | `{}` | We usually recommend not to specify default resources and to leave this as a conscious choice for the user. This also increases chances charts run on environments with little resources, such as Minikube. If you do want to specify resources, uncomment the following lines, adjust them as necessary, and remove the curly braces after 'resources:'. limits:   cpu: 100m   memory: 128Mi requests:   cpu: 100m   memory: 128Mi |
 | runner.config.create | bool | `true` |  |
 | runner.config.existingSecret | string | `""` | use existingSecret instatt |
 | runner.config.instance | string | `"https://codeberg.org"` |  |

forgejo-runner/templates/deployment.yaml

@@ -32,8 +32,10 @@ spec:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
       initContainers:
         - name: make-config-writeable
-          image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
-          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          {{- with .Values.image }}
+          image: "{{ coalesce $.Values.global.image.registry .registry }}/{{ .repository }}:{{ .tag | default $.Chart.AppVersion }}"
+          imagePullPolicy: {{ coalesce $.Values.global.image.pullPolicy .pullPolicy }}
+          {{- end }}
           command: [ "/bin/cp", "/etc/runner/.runner", "/data/.runner" ]
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
@@ -46,8 +48,10 @@ spec:
         - name: runner
           securityContext:
             {{- toYaml .Values.securityContext | nindent 12 }}
-          image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
-          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          {{- with .Values.image }}
+          image: "{{ coalesce $.Values.global.image.registry .registry }}/{{ .repository }}:{{ .tag | default $.Chart.AppVersion }}"
+          imagePullPolicy: {{ coalesce $.Values.global.image.pullPolicy .pullPolicy }}
+          {{- end }}
           command: 
             - "sh"
             - "-c"
@@ -79,10 +83,16 @@ spec:
         - name: dind
           securityContext:
             {{- toYaml .Values.securityContext | nindent 12 }}
-          image: "{{ .Values.dind.image.registry }}/{{ .Values.dind.image.repository }}:{{ .Values.dind.image.tag }}"
-          imagePullPolicy: {{ .Values.dind.image.pullPolicy }}
+          {{- with .Values.dind.image }}
+          image: "{{ coalesce $.Values.global.image.registry .registry }}/{{ .repository }}:{{ .tag }}"
+          imagePullPolicy: {{ coalesce $.Values.global.image.pullPolicy .pullPolicy }}
+          {{- end }}
           resources:
+            {{- with .Values.dind.resources }}
+            {{- toYaml . | nindent 12 }}
+            {{- else }}
             {{- toYaml .Values.resources | nindent 12 }}
+            {{- end }}
           env:
             - name: DOCKER_TLS_CERTDIR
               value: /certs

forgejo-runner/templates/jobs.yaml

@@ -122,7 +122,10 @@ spec:
               name: data
               readOnly: true
         - name: generate-config
-          image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          {{- with .Values.image }}
+          image: "{{ coalesce $.Values.global.image.registry .registry }}/{{ .repository }}:{{ .tag | default $.Chart.AppVersion }}"
+          imagePullPolicy: {{ coalesce $.Values.global.image.pullPolicy .pullPolicy }}
+          {{- end }}
           command:
             - sh 
             - -c

forgejo-runner/values.yaml

@@ -1,14 +1,22 @@
-# Default values for forgejo-runner.
-# This is a YAML-formatted file.
-# Declare variables to be passed into your templates.
+global:
+  image:
+    # -- if set it will overwrite all registry entries
+    registry:
+    # -- if set it will overwrite all pullPolicy
+    pullPolicy:
 
+
+# -- replicas
 replicaCount: 1
 
 image:
+  # -- image registry (could be overwritten by global.image.registry)
   registry: code.forgejo.org
+  # -- image repository
   repository: forgejo/runner
+  # -- This sets the pull policy for images. (could be overwritten by global.image.pullPolicy)
   pullPolicy: IfNotPresent
-  # Overrides the image tag whose default is the chart appVersion.
+  # -- image tag - Overrides the image tag whose default is the chart appVersion.
   tag: ""
 
 imagePullSecrets: []
@@ -141,16 +149,37 @@ runner:
         workdir_parent:
 dind:
   image:
+    # -- image registry (could be overwritten by global.image.registry)
+    # @section -- Docker in Docker
     registry: docker.io
+    # -- image repository
+    # @section -- Docker in Docker
     repository: library/docker
+    # -- This sets the pull policy for images. (could be overwritten by global.image.pullPolicy)
+    # @section -- Docker in Docker
     pullPolicy: IfNotPresent
-    tag: 27.4.1-dind
+    # -- image tag
+    # @section -- Docker in Docker
+    tag: 28.0.0-dind
+  # -- We usually recommend not to specify default resources and to leave this as a conscious
+  # choice for the user. This also increases chances charts run on environments with little
+  # resources, such as Minikube. If you do want to specify resources, uncomment the following
+  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+  # limits:
+  #   cpu: 100m
+  #   memory: 128Mi
+  # requests:
+  #   cpu: 100m
+  #   memory: 128Mi
+  # @section -- Docker in Docker
+  resources: {}
+
 kubectl:
   image:
     registry: docker.io
     repository: bitnami/kubectl
     pullPolicy: IfNotPresent
-    tag: 1.32.0
+    tag: 1.32.2
 
 serviceAccount:
   # Specifies whether a service account should be created
@@ -178,17 +207,17 @@ securityContext:
   # runAsNonRoot: true
   # runAsUser: 1000
 
+# -- We usually recommend not to specify default resources and to leave this as a conscious
+# choice for the user. This also increases chances charts run on environments with little
+# resources, such as Minikube. If you do want to specify resources, uncomment the following
+# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+# limits:
+#   cpu: 100m
+#   memory: 128Mi
+# requests:
+#   cpu: 100m
+#   memory: 128Mi
 resources: {}
-  # We usually recommend not to specify default resources and to leave this as a conscious
-  # choice for the user. This also increases chances charts run on environments with little
-  # resources, such as Minikube. If you do want to specify resources, uncomment the following
-  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
-  # limits:
-  #   cpu: 100m
-  #   memory: 128Mi
-  # requests:
-  #   cpu: 100m
-  #   memory: 128Mi
 
 autoscaling:
   enabled: false

gotosocial/Chart.yaml

@@ -3,9 +3,9 @@ name: gotosocial
 description: With GoToSocial, you can keep in touch with your friends, post, read, and share images and articles. All without being tracked or advertised to!
 icon: https://docs.gotosocial.org/en/latest/assets/sloth.png
 type: application
-version: "0.2.7"
+version: "0.2.14"
 # renovate: image=docker.io/superseriousbusiness/gotosocial
-appVersion: "0.17.3"
+appVersion: "0.18.1"
 maintainers:
   - name: WrenIX
     url: https://wrenix.eu

gotosocial/README.adoc

@@ -1,567 +0,0 @@
-
-
-= gotosocial
-
-image::https://img.shields.io/badge/Version-0.2.7-informational?style=flat-square[Version: 0.2.7]
-image::https://img.shields.io/badge/Version-application-informational?style=flat-square[Type: application]
-image::https://img.shields.io/badge/AppVersion-0.17.3-informational?style=flat-square[AppVersion: 0.17.3]
-== Maintainers
-
-.Maintainers
-|===
-| Name | Email | Url
-
-| WrenIX
-|
-| <https://wrenix.eu>
-|===
-
-== Usage
-
-Helm must be installed and setup to your kubernetes cluster to use the charts.
-Refer to Helm's https://helm.sh/docs[documentation] to get started.
-Once Helm has been set up correctly, fetch the charts as follows:
-
-[source,bash]
-----
-helm pull oci://codeberg.org/wrenix/helm-charts/gotosocial
-----
-
-You can install a chart release using the following command:
-
-[source,bash]
-----
-helm install gotosocial-release oci://codeberg.org/wrenix/helm-charts/gotosocial --values values.yaml
-----
-
-To uninstall a chart release use `helm`'s delete command:
-
-[source,bash]
-----
-helm uninstall gotosocial-release
-----
-
-== Values
-
-.Values
-|===
-| Key | Type | Default | Description
-
-| affinity
-| object
-| `{}`
-|
-
-| autoscaling.enabled
-| bool
-| `false`
-|
-
-| autoscaling.maxReplicas
-| int
-| `100`
-|
-
-| autoscaling.minReplicas
-| int
-| `1`
-|
-
-| autoscaling.targetCPUUtilizationPercentage
-| int
-| `80`
-|
-
-| fullnameOverride
-| string
-| `""`
-|
-
-| global.image.pullPolicy
-| string
-| `nil`
-| if set it will overwrite all pullPolicy
-
-| global.image.registry
-| string
-| `nil`
-| if set it will overwrite all registry entries
-
-| gotosocial.accountDomain
-| string
-| `""`
-|
-
-| gotosocial.accounts.allowCustomCSS
-| bool
-| `false`
-| Allow accounts on this instance to set custom CSS for their profile pages and statuses. Enabling this setting will allow accounts to upload custom CSS via the /user settings page, which will then be rendered on the web view of the account's profile and statuses.  For instances with public sign ups, it is **HIGHLY RECOMMENDED** to leave this setting on 'false', since setting it to true allows malicious accounts to make their profile pages misleading, unusable or even dangerous to visitors. In other words, you should only enable this setting if you trust the users on your instance not to produce harmful CSS.  Regardless of what this value is set to, any uploaded CSS will not be federated to other instances, it will only be shown on profiles and statuses on *this* instance.
-
-| gotosocial.accounts.approvalRequired
-| bool
-| `true`
-| Do sign up requests require approval from an admin/moderator before an account can sign in/use the server?
-
-| gotosocial.accounts.customCSSLength
-| int
-| `10000`
-| If accounts-allow-custom-css is true, this is the permitted length in characters for CSS uploaded by accounts on this instance. No effect if accounts-allow-custom-css is false.
-
-| gotosocial.accounts.reasonRequired
-| bool
-| `true`
-| Are sign up requests required to submit a reason for the request (eg., an explanation of why they want to join the instance)?
-
-| gotosocial.accounts.registrationOpen
-| bool
-| `true`
-| Do we want people to be able to just submit sign up requests, or do we want invite only?
-
-| gotosocial.applicationName
-| string
-| `"gotosocial"`
-|
-
-| gotosocial.database.address
-| string
-| `""`
-| Database address or parameters. For Postgres, this should be the address or socket at which the database can be reached.
-
-| gotosocial.database.database
-| string
-| `"gotosocial"`
-| Name of the database to use within the provided database type.
-
-| gotosocial.database.password
-| string
-| `""`
-| Password to use for the database connection
-
-| gotosocial.database.port
-| int
-| `5432`
-| Port for database connection.
-
-| gotosocial.database.tlsCACert
-| string
-| `""`
-| Path to a CA certificate on the host machine for db certificate validation. If this is left empty, just the host certificates will be used. If filled in, the certificate will be loaded and added to host certificates.
-
-| gotosocial.database.tlsMode
-| string
-| `"disabled"`
-| Disable, enable, or require SSL/TLS connection to the database. If "disable" then no TLS connection will be attempted. If "enable" then TLS will be tried, but the database certificate won't be checked (for self-signed certs). If "require" then TLS will be required to make a connection, and a valid certificate must be presented.
-
-| gotosocial.database.type
-| string
-| `"sqlite"`
-| Database type. Options: ["postgres","sqlite"]
-
-| gotosocial.database.username
-| string
-| `""`
-| Username for the database connection.
-
-| gotosocial.host
-| string
-| `"localhost"`
-|
-
-| gotosocial.instance.deliverToSharedInboxes
-| bool
-| `true`
-| This flag tweaks whether GoToSocial will deliver ActivityPub messages to the shared inbox of a recipient, if one is available, instead of delivering each message to each actor who should receive a message individually.  Shared inbox delivery can significantly reduce network load when delivering to multiple recipients share an inbox (eg., on large Mastodon instances).  See: https://www.w3.org/TR/activitypub/#shared-inbox-delivery
-
-| gotosocial.instance.expose.peers
-| bool
-| `false`
-| Allow unauthenticated users to make queries to /api/v1/instance/peers?filter=open in order to see a list of instances that this instance 'peers' with. Even if set to 'false', then authenticated users (members of the instance) will still be able to query the endpoint.
-
-| gotosocial.instance.expose.publicTimeline
-| bool
-| `false`
-| This flag tweaks whether GoToSocial will deliver ActivityPub messages to the shared inbox of a recipient, if one is available, instead of delivering each message to each actor who should receive a message individually.  Shared inbox delivery can significantly reduce network load when delivering to multiple recipients share an inbox (eg., on large Mastodon instances).  See: https://www.w3.org/TR/activitypub/#shared-inbox-delivery
-
-| gotosocial.instance.expose.suspended
-| bool
-| `false`
-| Allow unauthenticated users to make queries to /api/v1/instance/peers?filter=suspended in order to see a list of instances that this instance blocks/suspends. Even if set to 'false', then authenticated users (members of the instance) will still be able to query the endpoint.  WARNING: Setting this variable to 'true' may result in your instance being scraped by blocklist scrapers. See: https://docs.gotosocial.org/en/latest/admin/domain_blocks/#block-announce-bots
-
-| gotosocial.instance.expose.suspendedWeb
-| bool
-| `false`
-| Allow unauthenticated users to view /about/suspended, showing the HTML rendered list of instances that this instance blocks/suspends.
-
-| gotosocial.instance.federation.mode
-| string
-| `"blocklist"`
-| Federation mode to use for this instance.  "blocklist" -- open federation by default. Only instances that are explicitly                blocked will be denied (unless they are also explicitly allowed).  "allowlist" -- closed federation by default. Only instances that are explicitly                allowed will be able to interact with this instance.  For more details on blocklist and allowlist modes, check the documentation at: https://docs.gotosocial.org/en/latest/admin/federation_modes  Options: ["blocklist", "allowlist"]
-
-| gotosocial.instance.federation.spamFilter
-| bool
-| `false`
-| Enable spam filtering heuristics for messages entering your instance via the federation API. Regardless of what you set here, basic checks for message relevancy will still be performed, but you can try enabling this setting if you are being spammed with unwanted messages from other instances, and want to more strictly filter out spam messages.  THIS IS CURRENTLY AN EXPERIMENTAL SETTING, AND MAY FILTER OUT LEGITIMATE MESSAGES, OR FAIL TO FILTER OUT SPAMMY MESSAGES. It is recommended to only enable this setting when the fediverse is in the midst of a spam wave, and you need to batten down the hatches to keep your instance usable.  The decision of whether a message counts as spam or not is made based on the following heuristics, in order, where receiver = the account on your instance that received a message in their inbox, and requester = the account on a remote instance that sent the message.  First, basic relevancy checks   1. Receiver follows requester. Return OK.  2. Statusable doesn't mention receiver. Return NotRelevant.  If instance-federation-spam-filter = false, then return OK now. Otherwise check:   3. Receiver is locked and is followed by requester. Return OK.  4. Five or more people are mentioned. Return Spam.  5. Receiver follow (requests) a mentioned account. Return OK.  6. Statusable has a media attachment. Return Spam.  7. Statusable contains non-mention, non-hashtag links. Return Spam.  Messages identified as spam will be dropped from your instance, and not inserted into the database, or into home timelines or notifications.
-
-| gotosocial.instance.injectMastodonVersion
-| bool
-| `false`
-| This flag will inject a Mastodon version into the version field that is included in /api/v1/instance. This version is often used by Mastodon clients to do API feature detection. By injecting a Mastodon compatible version, it is possible to cajole those clients to behave correctly with GoToSocial.
-
-| gotosocial.instance.languages
-| list
-| `[]`
-| BCP47 language tags to indicate preferred languages of users on this instance.  If you provide these, you should provide these in order from most-preferred to least-preferred, but note that leaving out a language from this array doesn't mean it can't be used on this instance, it only means it won't be advertised as a preferred instance language.  It is valid to provide no entries here; your instance will then have no particular preferred language.  See here for commonly-used tags: https://en.wikipedia.org/wiki/IETF_language_tag#List_of_common_primary_language_subtags See here for all current tags: https://www.iana.org/assignments/language-subtag-registry/language-subtag-registry  Example: ["nl", "en-gb", "fr"]
-
-| gotosocial.landingPageUser
-| string
-| `""`
-|
-
-| gotosocial.metrics.auth.enabled
-| bool
-| `false`
-|
-
-| gotosocial.metrics.auth.password
-| string
-| `""`
-|
-
-| gotosocial.metrics.auth.username
-| string
-| `""`
-|
-
-| gotosocial.metrics.enabled
-| bool
-| `true`
-|
-
-| gotosocial.oidc.adminGroups
-| list
-| `["admins"]`
-| If the returned ID token contains a 'groups' claim that matches one of the groups in oidc-admin-groups, then this user will be granted admin rights on the GtS instance
-
-| gotosocial.oidc.clientID
-| string
-| `""`
-| The ID for this client as registered with the OIDC provider.
-
-| gotosocial.oidc.clientSecret
-| string
-| `""`
-| The secret for this client as registered with the OIDC provider.
-
-| gotosocial.oidc.enabled
-| bool
-| `false`
-| Enable authentication with external OIDC provider. If set to true, then the other OIDC options must be set as well. If this is set to false, then the standard internal oauth flow will be used, where users sign in to GtS with username/password.
-
-| gotosocial.oidc.idpName
-| string
-| `""`
-| Name of the oidc idp (identity provider). This will be shown to users when they log in.
-
-| gotosocial.oidc.issuer
-| string
-| `""`
-| The OIDC issuer URI. This is where GtS will redirect users to for login. Typically this will look like a standard web URL.
-
-| gotosocial.oidc.linkExisting
-| bool
-| `false`
-| Link OIDC authenticated users to existing ones based on their email address. This is mostly intended for migration purposes if you were running previous versions of GTS which only correlated users with their email address. Should be set to false for most usecases.
-
-| gotosocial.oidc.scopes
-| list
-| `["openid","email","profile","groups"]`
-| Scopes to request from the OIDC provider. The returned values will be used to populate users created in GtS as a result of the authentication flow. 'openid' and 'email' are required. 'profile' is used to extract a username for the newly created user. 'groups' is optional and can be used to determine if a user is an admin based on oidc-admin-groups.
-
-| gotosocial.oidc.skipVerification
-| bool
-| `false`
-| Skip the normal verification flow of tokens returned from the OIDC provider, ie., don't check the expiry or signature. This should only be used in debugging or testing, never ever in a production environment as it's extremely unsafe!
-
-| gotosocial.smtp.discloseRecipients
-| bool
-| `false`
-| If true, when an email is sent that has multiple recipients, each recipient will be included in the To field, so that each recipient can see who else got the email, and they can 'reply all' to the other recipients if they want to.  If false, email will be sent to Undisclosed Recipients, and each recipient will not be able to see who else received the email.  It might be useful to change this setting to 'true' if you want to be able to discuss new moderation reports with other admins by 'replying-all' to the notification email.
-
-| gotosocial.smtp.from
-| string
-| `""`
-| 'From' address for sent emails.
-
-| gotosocial.smtp.host
-| string
-| `""`
-| The hostname of the smtp server you want to use. If this is not set, smtp will not be used to send emails, and you can ignore the other settings.
-
-| gotosocial.smtp.password
-| string
-| `""`
-| Password to use when authenticating with the smtp server. This should have been provided to you by your smtp host.
-
-| gotosocial.smtp.port
-| int
-| `0`
-| Port to use to connect to the smtp server.
-
-| gotosocial.smtp.username
-| string
-| `""`
-| Username to use when authenticating with the smtp server. This should have been provided to you by your smtp host. This is often, but not always, an email address.
-
-| gotosocial.storage.backend
-| string
-| `"local"`
-| Type of storage backend to use. Examples: ["local", "s3"] Default: "local" (storage on local disk)
-
-| gotosocial.storage.s3.accessKey
-| string
-| `""`
-| Access key part of the S3 credentials. Consider setting this value using environment variables to avoid leaking it via the config file Only required when running with the s3 storage backend.
-
-| gotosocial.storage.s3.bucket
-| string
-| `""`
-| Name of the storage bucket.  If you have already encoded your bucket name in the storage-s3-endpoint, this value will be used as a directory containing your data.  The bucket must exist prior to starting GoToSocial  Only required when running with the s3 storage backend.
-
-| gotosocial.storage.s3.endpoint
-| string
-| `""`
-| API endpoint of the S3 compatible service. Only required when running with the s3 storage backend. GoToSocial uses "DNS-style" when accessing buckets. If you are using Scaleways object storage, please remove the "bucket name" from the endpoint address
-
-| gotosocial.storage.s3.proxy
-| bool
-| `false`
-| If data stored in S3 should be proxied through GoToSocial instead of redirecting to a presigned URL.
-
-| gotosocial.storage.s3.secretKey
-| string
-| `""`
-| Secret key part of the S3 credentials. Consider setting this value using environment variables to avoid leaking it via the config file Only required when running with the s3 storage backend.
-
-| gotosocial.storage.s3.useSSL
-| bool
-| `true`
-| Use SSL for S3 connections.  Only set this to 'false' when testing locally.
-
-| gotosocial.tracing.enabled
-| bool
-| `false`
-| Enable OpenTelemetry based tracing support.
-
-| gotosocial.tracing.endpoint
-| string
-| `""`
-| Endpoint of the trace ingester. When using the gRPC or HTTP based transports, provide the endpoint as a single address/port combination without a protocol scheme.
-
-| gotosocial.tracing.insecureTransport
-| bool
-| `false`
-| Disable TLS for the gRPC and HTTP transport protocols.
-
-| gotosocial.tracing.transport
-| string
-| `"grpc"`
-| Set the transport protocol for the tracing system. Can either be "grpc" for OTLP gRPC, or "http" for OTLP HTTP.
-
-| gotosocial.tz
-| string
-| `"UTC"`
-|
-
-| image.pullPolicy
-| string
-| `"IfNotPresent"`
-|
-
-| image.registry
-| string
-| `"docker.io"`
-|
-
-| image.repository
-| string
-| `"superseriousbusiness/gotosocial"`
-|
-
-| image.tag
-| string
-| `""`
-| Overrides the image tag whose default is the chart appVersion.
-
-| imagePullSecrets
-| list
-| `[]`
-|
-
-| ingress.annotations
-| object
-| `{}`
-|
-
-| ingress.className
-| string
-| `""`
-|
-
-| ingress.enabled
-| bool
-| `false`
-|
-
-| ingress.hosts[0].host
-| string
-| `"chart-example.local"`
-|
-
-| ingress.hosts[0].paths[0].path
-| string
-| `"/"`
-|
-
-| ingress.hosts[0].paths[0].pathType
-| string
-| `"ImplementationSpecific"`
-|
-
-| ingress.tls
-| list
-| `[]`
-|
-
-| nameOverride
-| string
-| `""`
-|
-
-| nodeSelector
-| object
-| `{}`
-|
-
-| persistence.accessMode
-| string
-| `"ReadWriteOnce"`
-| accessMode
-
-| persistence.annotations
-| object
-| `{}`
-|
-
-| persistence.enabled
-| bool
-| `true`
-| Enable persistence using Persistent Volume Claims ref: http://kubernetes.io/docs/user-guide/persistent-volumes/
-
-| persistence.existingClaim
-| string
-| `nil`
-| A manually managed Persistent Volume and Claim Requires persistence.enabled: true If defined, PVC must be created manually before volume will be bound
-
-| persistence.hostPath
-| string
-| `nil`
-| Do not create an PVC, direct use hostPath in Pod
-
-| persistence.size
-| string
-| `"10Gi"`
-| size
-
-| persistence.storageClass
-| string
-| `nil`
-| Persistent Volume Storage Class If defined, storageClassName: <storageClass> If set to "-", storageClassName: "", which disables dynamic provisioning If undefined (the default) or set to null, no storageClassName spec is   set, choosing the default provisioner.  (gp2 on AWS, standard on   GKE, AWS & OpenStack)
-
-| podAnnotations
-| object
-| `{}`
-|
-
-| podLabels
-| object
-| `{}`
-|
-
-| podSecurityContext
-| object
-| `{}`
-|
-
-| prometheus.servicemonitor.enabled
-| bool
-| `false`
-|
-
-| prometheus.servicemonitor.labels
-| object
-| `{}`
-|
-
-| replicaCount
-| int
-| `1`
-|
-
-| resources
-| object
-| `{}`
-|
-
-| securityContext
-| object
-| `{}`
-|
-
-| service.port
-| int
-| `8080`
-|
-
-| service.type
-| string
-| `"ClusterIP"`
-|
-
-| serviceAccount.annotations
-| object
-| `{}`
-| Annotations to add to the service account
-
-| serviceAccount.automount
-| bool
-| `true`
-| Automatically mount a ServiceAccount's API credentials?
-
-| serviceAccount.create
-| bool
-| `false`
-| Specifies whether a service account should be created
-
-| serviceAccount.name
-| string
-| `""`
-| The name of the service account to use.  If not set and create is true, a name is generated using the fullname template
-
-| tolerations
-| list
-| `[]`
-|
-
-| volumeMounts
-| list
-| `[]`
-|
-
-| volumes
-| list
-| `[]`
-|
-|===
-
-Autogenerated from chart metadata using https://github.com/norwoodj/helm-docs[helm-docs]
-

gotosocial/README.md

@@ -7,7 +7,7 @@ description: "With GoToSocial, you can keep in touch with your friends, post, re
 
 # gotosocial
 
-![Version: 0.2.7](https://img.shields.io/badge/Version-0.2.7-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.17.3](https://img.shields.io/badge/AppVersion-0.17.3-informational?style=flat-square)
+![Version: 0.2.14](https://img.shields.io/badge/Version-0.2.14-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.18.1](https://img.shields.io/badge/AppVersion-0.18.1-informational?style=flat-square)
 
 With GoToSocial, you can keep in touch with your friends, post, read, and share images and articles. All without being tracked or advertised to!
 
@@ -57,6 +57,8 @@ helm uninstall gotosocial-release
 | gotosocial.accounts.customCSSLength | int | `10000` | If accounts-allow-custom-css is true, this is the permitted length in characters for CSS uploaded by accounts on this instance. No effect if accounts-allow-custom-css is false. |
 | gotosocial.accounts.reasonRequired | bool | `true` | Are sign up requests required to submit a reason for the request (eg., an explanation of why they want to join the instance)? |
 | gotosocial.accounts.registrationOpen | bool | `true` | Do we want people to be able to just submit sign up requests, or do we want invite only? |
+| gotosocial.advancedRateLimitExceptions | list | `[]` |  |
+| gotosocial.advancedRateLimitRequests | int | `300` |  |
 | gotosocial.applicationName | string | `"gotosocial"` |  |
 | gotosocial.database.address | string | `""` | Database address or parameters. For Postgres, this should be the address or socket at which the database can be reached. |
 | gotosocial.database.database | string | `"gotosocial"` | Name of the database to use within the provided database type. |
@@ -107,11 +109,14 @@ helm uninstall gotosocial-release
 | gotosocial.tracing.endpoint | string | `""` | Endpoint of the trace ingester. When using the gRPC or HTTP based transports, provide the endpoint as a single address/port combination without a protocol scheme. |
 | gotosocial.tracing.insecureTransport | bool | `false` | Disable TLS for the gRPC and HTTP transport protocols. |
 | gotosocial.tracing.transport | string | `"grpc"` | Set the transport protocol for the tracing system. Can either be "grpc" for OTLP gRPC, or "http" for OTLP HTTP. |
+| gotosocial.trustedProxies[0] | string | `"10.42.0.0/16"` |  |
+| gotosocial.trustedProxies[1] | string | `"127.0.0.1/32"` |  |
+| gotosocial.trustedProxies[2] | string | `"::1"` |  |
 | gotosocial.tz | string | `"UTC"` |  |
-| image.pullPolicy | string | `"IfNotPresent"` |  |
-| image.registry | string | `"docker.io"` |  |
-| image.repository | string | `"superseriousbusiness/gotosocial"` |  |
-| image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion. |
+| image.pullPolicy | string | `"IfNotPresent"` | This sets the pull policy for images. (could be overwritten by global.image.pullPolicy) |
+| image.registry | string | `"docker.io"` | image registry (could be overwritten by global.image.registry) |
+| image.repository | string | `"superseriousbusiness/gotosocial"` | image repository |
+| image.tag | string | `""` | image tag - Overrides the image tag whose default is the chart appVersion. |
 | imagePullSecrets | list | `[]` |  |
 | ingress.annotations | object | `{}` |  |
 | ingress.className | string | `""` |  |
@@ -134,7 +139,7 @@ helm uninstall gotosocial-release
 | podSecurityContext | object | `{}` |  |
 | prometheus.servicemonitor.enabled | bool | `false` |  |
 | prometheus.servicemonitor.labels | object | `{}` |  |
-| replicaCount | int | `1` |  |
+| replicaCount | int | `1` | replicas |
 | resources | object | `{}` |  |
 | securityContext | object | `{}` |  |
 | service.port | int | `8080` |  |

gotosocial/templates/secret.yaml

@@ -17,6 +17,11 @@ data:
   {{- end }}
   GTS_HOST: {{ .host | b64enc }}
   GTS_ACCOUNT_DOMAIN: {{ .accountDomain | b64enc }}
+  GTS_TRUSTED_PROXIES: {{ .trustedProxies | join "," | b64enc }}
+  {{- with .advancedRateLimitExceptions }}
+  GTS_ADVANCED_RATE_LIMIT_EXCEPTIONS: {{ . | join "," | b64enc }}
+  {{- end }}
+  GTS_ADVANCED_RATE_LIMIT_REQUESTS: {{ toYaml .advancedRateLimitRequests | b64enc }}
 
   GTS_DB_TYPE: {{ .database.type | b64enc }}
   {{- if (eq .database.type "sqlite") }}

gotosocial/values.yaml

@@ -1,7 +1,3 @@
-# Default values for gotosocial.
-# This is a YAML-formatted file.
-# Declare variables to be passed into your templates.
-
 global:
   image:
     # -- if set it will overwrite all registry entries
@@ -9,13 +5,17 @@ global:
     # -- if set it will overwrite all pullPolicy
     pullPolicy:
 
+# -- replicas
 replicaCount: 1
 
 image:
+  # -- image registry (could be overwritten by global.image.registry)
   registry: docker.io
+  # -- image repository
   repository: superseriousbusiness/gotosocial
+  # -- This sets the pull policy for images. (could be overwritten by global.image.pullPolicy)
   pullPolicy: IfNotPresent
-  # -- Overrides the image tag whose default is the chart appVersion.
+  # -- image tag - Overrides the image tag whose default is the chart appVersion.
   tag: ""
 
 imagePullSecrets: []
@@ -28,6 +28,13 @@ gotosocial:
   landingPageUser: ""
   host: "localhost"
   accountDomain: ""
+  trustedProxies:
+    - "10.42.0.0/16"
+    - "127.0.0.1/32"
+    - "::1"
+  advancedRateLimitExceptions: []
+  advancedRateLimitRequests: 300
+
   database:
     # -- Database type.
     # Options: ["postgres","sqlite"]

grampsweb/Chart.yaml

@@ -3,9 +3,9 @@ name: grampsweb
 description: A Helm chart for gramps web
 icon: https://raw.githubusercontent.com/gramps-project/Gramps.js/main/images/icon512.png
 type: application
-version: "0.2.6"
+version: "0.2.11"
 # renovate: image=ghcr.io/gramps-project/grampsweb
-appVersion: "24.12.2"
+appVersion: "25.2.0"
 maintainers:
   - name: WrenIX
     url: https://wrenix.eu

grampsweb/README.md

@@ -7,7 +7,7 @@ description: "A Helm chart for gramps web"
 
 # grampsweb
 
-![Version: 0.2.6](https://img.shields.io/badge/Version-0.2.6-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 24.12.2](https://img.shields.io/badge/AppVersion-24.12.2-informational?style=flat-square)
+![Version: 0.2.11](https://img.shields.io/badge/Version-0.2.11-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 25.2.0](https://img.shields.io/badge/AppVersion-25.2.0-informational?style=flat-square)
 
 A Helm chart for gramps web
 
@@ -49,6 +49,8 @@ helm uninstall grampsweb-release
 | autoscaling.minReplicas | int | `1` |  |
 | autoscaling.targetCPUUtilizationPercentage | int | `80` |  |
 | fullnameOverride | string | `""` |  |
+| global.image.pullPolicy | string | `nil` | if set it will overwrite all pullPolicy |
+| global.image.registry | string | `nil` | if set it will overwrite all registry entries |
 | gramps.baseURL | string | `"https://gramps.example.org"` | Base URL where the API can be reached (e.g. https://mygramps.mydomain.com/). This is necessary e.g. to build correct passwort reset links |
 | gramps.mail.from | string | `nil` | "From" address for automated e-mails |
 | gramps.mail.host | string | `nil` | SMTP server host (e.g. for sending password reset e-mails) |
@@ -58,10 +60,10 @@ helm uninstall grampsweb-release
 | gramps.mail.username | string | `nil` | SMTP server username |
 | gramps.mediaPrefixTree | bool | `false` | whether or not to use a separate subfolder for the media files of each tree. Defaults to False, but strongly recommend to use True in a multi-tree setup |
 | gramps.tree | string | `"Gramps Web"` | To enable multi-tree support, the TREE config option must be set to a single asterisk `*` |
-| image.pullPolicy | string | `"IfNotPresent"` |  |
-| image.registry | string | `"ghcr.io"` |  |
-| image.repository | string | `"gramps-project/grampsweb"` |  |
-| image.tag | string | `""` |  |
+| image.pullPolicy | string | `"IfNotPresent"` | This sets the pull policy for images. (could be overwritten by global.image.pullPolicy) |
+| image.registry | string | `"ghcr.io"` | image registry (could be overwritten by global.image.registry) |
+| image.repository | string | `"gramps-project/grampsweb"` | image repository |
+| image.tag | string | `""` | image tag - Overrides the image tag whose default is the chart appVersion. |
 | imagePullSecrets | list | `[]` |  |
 | ingress.annotations | object | `{}` |  |
 | ingress.className | string | `""` |  |
@@ -86,7 +88,7 @@ helm uninstall grampsweb-release
 | podAnnotations | object | `{}` |  |
 | podLabels | object | `{}` |  |
 | podSecurityContext | object | `{}` |  |
-| replicaCount | int | `1` |  |
+| replicaCount | int | `1` | replicas |
 | resources | object | `{}` |  |
 | securityContext | object | `{}` |  |
 | service.port | int | `5000` |  |

grampsweb/templates/deployment.yaml

@@ -19,7 +19,7 @@ spec:
       {{- end }}
       labels:
         {{- include "grampsweb.labels" . | nindent 8 }}
-	{{- with .Values.podLabels }}
+	      {{- with .Values.podLabels }}
         {{- toYaml . | nindent 8 }}
         {{- end }}
     spec:
@@ -34,8 +34,10 @@ spec:
         - name: {{ .Chart.Name }}
           securityContext:
             {{- toYaml .Values.securityContext | nindent 12 }}
-          image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag | default (printf "v%s" .Chart.AppVersion) }}"
-          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          {{- with $.Values.image }}
+          image: "{{ coalesce $.Values.global.image.registry .registry }}/{{ .repository }}:{{ .tag | default (printf "v%s" $.Chart.AppVersion) }}"
+          imagePullPolicy: {{ coalesce $.Values.global.image.pullPolicy .pullPolicy }}
+          {{- end }}
           envFrom:
             - secretRef:
                 name: {{ include "grampsweb.fullname" . }}

grampsweb/values.yaml

@@ -1,14 +1,22 @@
-# Default values for grampsweb.
-# This is a YAML-formatted file.
-# Declare variables to be passed into your templates.
+global:
+  image:
+    # -- if set it will overwrite all registry entries
+    registry:
+    # -- if set it will overwrite all pullPolicy
+    pullPolicy:
 
+
+# -- replicas
 replicaCount: 1
 
 image:
+  # -- image registry (could be overwritten by global.image.registry)
   registry: ghcr.io
+  # -- image repository
   repository: gramps-project/grampsweb
+  # -- This sets the pull policy for images. (could be overwritten by global.image.pullPolicy)
   pullPolicy: IfNotPresent
-  # Overrides the image tag whose default is the chart appVersion.
+  # -- image tag - Overrides the image tag whose default is the chart appVersion.
   tag: ""
 
 imagePullSecrets: []

headscale-ui/Chart.yaml

@@ -3,9 +3,9 @@ name: headscale-ui
 description: A simple Headscale web UI for small-scale deployments.
 icon: https://raw.githubusercontent.com/gurucomputing/headscale-ui/master/static/favicon.png
 type: application
-version: 0.2.1
+version: 0.2.2
 # renovate: image=ghcr.io/gurucomputing/headscale-ui
-appVersion: "2024.10.10"
+appVersion: "2025.01.20"
 maintainers:
   - name: WrenIX
     url: https://wrenix.eu

headscale-ui/README.md

@@ -7,7 +7,7 @@ description: "A simple Headscale web UI for small-scale deployments."
 
 # headscale-ui
 
-![Version: 0.2.1](https://img.shields.io/badge/Version-0.2.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2024.10.10](https://img.shields.io/badge/AppVersion-2024.10.10-informational?style=flat-square)
+![Version: 0.2.2](https://img.shields.io/badge/Version-0.2.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2025.01.20](https://img.shields.io/badge/AppVersion-2025.01.20-informational?style=flat-square)
 
 A simple Headscale web UI for small-scale deployments.
 

home-assistant/Chart.yaml

@@ -3,9 +3,9 @@ name: home-assistant
 description: Home Assistant with tooling to run on an k3s pi
 icon: https://www.home-assistant.io/images/favicon-192x192.png
 type: application
-version: 0.2.13
+version: "0.3.9"
 # renovate: image=ghcr.io/home-assistant/home-assistant
-appVersion: "2024.12.5"
+appVersion: "2025.2.5"
 maintainers:
   - name: WrenIX
     url: https://wrenix.eu

home-assistant/README.md

@@ -7,7 +7,7 @@ description: "Home Assistant with tooling to run on an k3s pi"
 
 # home-assistant
 
-![Version: 0.2.13](https://img.shields.io/badge/Version-0.2.13-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2024.12.5](https://img.shields.io/badge/AppVersion-2024.12.5-informational?style=flat-square)
+![Version: 0.3.9](https://img.shields.io/badge/Version-0.3.9-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2025.2.5](https://img.shields.io/badge/AppVersion-2025.2.5-informational?style=flat-square)
 
 Home Assistant with tooling to run on an k3s pi
 
@@ -70,7 +70,7 @@ helm uninstall home-assistant-release
 | nats.image.pullPolicy | string | `"IfNotPresent"` |  |
 | nats.image.registry | string | `"docker.io"` |  |
 | nats.image.repository | string | `"library/nats"` |  |
-| nats.image.tag | string | `"2.10.24-scratch"` |  |
+| nats.image.tag | string | `"2.10.25-scratch"` |  |
 | nats.livenessProbe.tcpSocket.port | string | `"nats"` |  |
 | nats.readinessProbe.tcpSocket.port | string | `"nats"` |  |
 | nats.resources.limits.cpu | string | `"100m"` |  |
@@ -106,14 +106,14 @@ helm uninstall home-assistant-release
 | tolerations | list | `[]` |  |
 | volumeMounts | list | `[]` |  |
 | volumes | list | `[]` |  |
-| zigbee2mqtt.config.homeassistant | bool | `true` |  |
+| zigbee2mqtt.config.homeassistant.enabled | bool | `true` |  |
 | zigbee2mqtt.config.serial.port | string | `"/dev/ttyACM0"` |  |
 | zigbee2mqtt.device | string | `"/dev/ttyACM0"` |  |
 | zigbee2mqtt.enabled | bool | `true` |  |
 | zigbee2mqtt.image.pullPolicy | string | `"IfNotPresent"` |  |
 | zigbee2mqtt.image.registry | string | `"docker.io"` |  |
 | zigbee2mqtt.image.repository | string | `"koenkk/zigbee2mqtt"` |  |
-| zigbee2mqtt.image.tag | string | `"1.42.0"` |  |
+| zigbee2mqtt.image.tag | string | `"2.1.1"` |  |
 | zigbee2mqtt.ingress.hosts | list | `[]` |  |
 | zigbee2mqtt.securityContext.privileged | bool | `true` |  |
 

home-assistant/templates/zigbee2mqtt/configmap.yaml

@@ -10,7 +10,9 @@ data:
   ZIGBEE2MQTT_CONFIG_ADVANCED_LOG_OUTPUT: '["console"]'
   {{- with .Values.zigbee2mqtt.config }}
   {{- with .homeassistant }}
-  ZIGBEE2MQTT_CONFIG_HOMEASSISTANT: {{ . | quote }}
+  {{- with .enabled }}
+  ZIGBEE2MQTT_CONFIG_HOMEASSISTANT_ENABLED: {{ . | quote }}
+  {{- end }}
   {{- end }}
   {{- range $key, $value := .serial}}
   ZIGBEE2MQTT_CONFIG_SERIAL_{{ $key | upper }}: {{ $value | quote }}

home-assistant/values.yaml

@@ -24,7 +24,7 @@ nats:
     registry: docker.io
     repository: library/nats
     pullPolicy: IfNotPresent
-    tag: "2.10.24-scratch"
+    tag: "2.10.25-scratch"
   service:
     port:
       nats: 4222
@@ -50,14 +50,15 @@ zigbee2mqtt:
     registry: docker.io
     repository: koenkk/zigbee2mqtt
     pullPolicy: IfNotPresent
-    tag: 1.42.0
+    tag: 2.1.1
   device: /dev/ttyACM0
   securityContext:
     privileged: true
   ingress:
     hosts: []
   config:
-    homeassistant: true
+    homeassistant:
+      enabled: true
     serial:
       port: /dev/ttyACM0
 

jellyfin/Chart.yaml

@@ -3,9 +3,9 @@ name: jellyfin
 description: The Free Software Media System
 icon: https://raw.githubusercontent.com/jellyfin/jellyfin-ux/master/branding/SVG/icon-transparent.svg
 type: application
-version: "0.3.7"
+version: "0.3.10"
 # renovate: image=ghcr.io/jellyfin/jellyfin
-appVersion: "10.10.3"
+appVersion: "10.10.6"
 maintainers:
   - name: WrenIX
     url: https://wrenix.eu

jellyfin/README.adoc

@@ -1,326 +0,0 @@
-
-
-= jellyfin
-
-image::https://img.shields.io/badge/Version-0.3.7-informational?style=flat-square[Version: 0.3.7]
-image::https://img.shields.io/badge/Version-application-informational?style=flat-square[Type: application]
-image::https://img.shields.io/badge/AppVersion-10.10.3-informational?style=flat-square[AppVersion: 10.10.3]
-== Maintainers
-
-.Maintainers
-|===
-| Name | Email | Url
-
-| WrenIX
-|
-| <https://wrenix.eu>
-|===
-
-== Usage
-
-Helm must be installed and setup to your kubernetes cluster to use the charts.
-Refer to Helm's https://helm.sh/docs[documentation] to get started.
-Once Helm has been set up correctly, fetch the charts as follows:
-
-[source,bash]
-----
-helm pull oci://codeberg.org/wrenix/helm-charts/jellyfin
-----
-
-You can install a chart release using the following command:
-
-[source,bash]
-----
-helm install jellyfin-release oci://codeberg.org/wrenix/helm-charts/jellyfin --values values.yaml
-----
-
-To uninstall a chart release use `helm`'s delete command:
-
-[source,bash]
-----
-helm uninstall jellyfin-release
-----
-
-== Values
-
-.Values
-|===
-| Key | Type | Default | Description
-
-| affinity
-| object
-| `{}`
-|
-
-| autoscaling.enabled
-| bool
-| `false`
-|
-
-| autoscaling.maxReplicas
-| int
-| `100`
-|
-
-| autoscaling.minReplicas
-| int
-| `1`
-|
-
-| autoscaling.targetCPUUtilizationPercentage
-| int
-| `80`
-|
-
-| config.enabled
-| bool
-| `false`
-|
-
-| config.image
-| object
-| `{"pullPolicy":"IfNotPresent","registry":"ghcr.io","repository":"tomwright/dasel","tag":"2.8.1"}`
-| image to patch config
-
-| config.metrics
-| bool
-| `false`
-|
-
-| fullnameOverride
-| string
-| `""`
-|
-
-| global.image.pullPolicy
-| string
-| `nil`
-| if set it will overwrite all pullPolicy
-
-| global.image.registry
-| string
-| `nil`
-| if set it will overwrite all registry entries
-
-| grafana.dashboards.annotations
-| object
-| `{}`
-|
-
-| grafana.dashboards.enabled
-| bool
-| `false`
-|
-
-| grafana.dashboards.labels.grafana_dashboard
-| string
-| `"1"`
-|
-
-| image.pullPolicy
-| string
-| `"IfNotPresent"`
-|
-
-| image.registry
-| string
-| `"ghcr.io"`
-|
-
-| image.repository
-| string
-| `"jellyfin/jellyfin"`
-|
-
-| image.tag
-| string
-| `""`
-| Overrides the image tag whose default is the chart appVersion.
-
-| imagePullSecrets
-| list
-| `[]`
-|
-
-| ingress.annotations
-| object
-| `{}`
-|
-
-| ingress.className
-| string
-| `""`
-|
-
-| ingress.enabled
-| bool
-| `false`
-|
-
-| ingress.hosts[0].host
-| string
-| `"chart-example.local"`
-|
-
-| ingress.hosts[0].paths[0].path
-| string
-| `"/"`
-|
-
-| ingress.hosts[0].paths[0].pathType
-| string
-| `"ImplementationSpecific"`
-|
-
-| ingress.tls
-| list
-| `[]`
-|
-
-| nameOverride
-| string
-| `""`
-|
-
-| networkPolicy.egress.enabled
-| bool
-| `true`
-| activate egress no networkpolicy
-
-| networkPolicy.egress.extra
-| list
-| `[]`
-| egress rules
-
-| networkPolicy.enabled
-| bool
-| `false`
-|
-
-| networkPolicy.ingress.http
-| list
-| `[]`
-| ingress for http port (e.g. ingress-controller, prometheus)
-
-| nodeSelector
-| object
-| `{}`
-|
-
-| persistence.config.hostPath
-| string
-| `nil`
-|
-
-| persistence.config.nfs.path
-| string
-| `"/"`
-|
-
-| persistence.config.nfs.server
-| string
-| `nil`
-|
-
-| persistence.config.pvc.enabled
-| bool
-| `false`
-|
-
-| persistence.media.hostPath
-| string
-| `nil`
-|
-
-| persistence.media.nfs.path
-| string
-| `"/"`
-|
-
-| persistence.media.nfs.server
-| string
-| `nil`
-|
-
-| persistence.media.pvc.enabled
-| bool
-| `false`
-|
-
-| persistence.media.readOnly
-| bool
-| `true`
-|
-
-| podAnnotations
-| object
-| `{}`
-|
-
-| podLabels
-| object
-| `{}`
-|
-
-| podSecurityContext
-| object
-| `{}`
-|
-
-| prometheus.servicemonitor.enabled
-| bool
-| `false`
-|
-
-| prometheus.servicemonitor.labels
-| object
-| `{}`
-|
-
-| replicaCount
-| int
-| `1`
-|
-
-| resources
-| object
-| `{}`
-|
-
-| securityContext
-| object
-| `{}`
-|
-
-| service.port
-| int
-| `8096`
-|
-
-| service.type
-| string
-| `"ClusterIP"`
-|
-
-| serviceAccount.annotations
-| object
-| `{}`
-|
-
-| serviceAccount.create
-| bool
-| `true`
-|
-
-| serviceAccount.name
-| string
-| `""`
-|
-
-| tolerations
-| list
-| `[]`
-|
-|===
-
-Autogenerated from chart metadata using https://github.com/norwoodj/helm-docs[helm-docs]

jellyfin/README.md

@@ -7,7 +7,7 @@ description: "The Free Software Media System"
 
 # jellyfin
 
-![Version: 0.3.7](https://img.shields.io/badge/Version-0.3.7-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 10.10.3](https://img.shields.io/badge/AppVersion-10.10.3-informational?style=flat-square)
+![Version: 0.3.10](https://img.shields.io/badge/Version-0.3.10-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 10.10.6](https://img.shields.io/badge/AppVersion-10.10.6-informational?style=flat-square)
 
 The Free Software Media System
 

matrix-authentication-service/Chart.yaml

@@ -4,9 +4,9 @@ name: matrix-authentication-service
 description: OAuth2.0 + OpenID Provider for Matrix Homeservers (per MSC3861)
 icon: https://matrix.org/images/matrix-logo.svg
 type: application
-version: "0.0.7"
-# renovate: image=ghcr.io/matrix-org/matrix-authentication-service
-appVersion: "0.11.0"
+version: "0.0.10"
+# renovate: image=ghcr.io/element-hq/matrix-authentication-service
+appVersion: "0.14.1"
 maintainers:
   - name: WrenIX
     url: https://wrenix.eu

matrix-authentication-service/README.adoc

@@ -1,666 +0,0 @@
-
-
-= matrix-authentication-service
-
-image::https://img.shields.io/badge/Version-0.0.7-informational?style=flat-square[Version: 0.0.7]
-image::https://img.shields.io/badge/Version-application-informational?style=flat-square[Type: application]
-image::https://img.shields.io/badge/AppVersion-0.11.0-informational?style=flat-square[AppVersion: 0.11.0]
-== Maintainers
-
-.Maintainers
-|===
-| Name | Email | Url
-
-| WrenIX
-|
-| <https://wrenix.eu>
-|===
-
-== Usage
-
-Helm must be installed and setup to your kubernetes cluster to use the charts.
-Refer to Helm's https://helm.sh/docs[documentation] to get started.
-Once Helm has been set up correctly, fetch the charts as follows:
-
-[source,bash]
-----
-helm pull oci://codeberg.org/wrenix/helm-charts/matrix-authentication-service
-----
-
-You can install a chart release using the following command:
-
-[source,bash]
-----
-helm install matrix-authentication-service-release oci://codeberg.org/wrenix/helm-charts/matrix-authentication-service --values values.yaml
-----
-
-To uninstall a chart release use `helm`'s delete command:
-
-[source,bash]
-----
-helm uninstall matrix-authentication-service-release
-----
-
-== Values
-
-.Values
-|===
-| Key | Type | Default | Description
-
-| affinity
-| object
-| `{}`
-|
-
-| autoscaling.enabled
-| bool
-| `false`
-|
-
-| autoscaling.maxReplicas
-| int
-| `100`
-|
-
-| autoscaling.minReplicas
-| int
-| `1`
-|
-
-| autoscaling.targetCPUUtilizationPercentage
-| int
-| `80`
-|
-
-| config.branding.imprint
-| string
-| `nil`
-|
-
-| config.branding.logo_uri
-| string
-| `nil`
-|
-
-| config.branding.policy_uri
-| string
-| `nil`
-|
-
-| config.branding.service_name
-| string
-| `nil`
-|
-
-| config.branding.tos_uri
-| string
-| `nil`
-|
-
-| config.clients
-| list
-| `[]`
-|
-
-| config.database.connect_timeout
-| int
-| `30`
-|
-
-| config.database.database
-| string
-| `"sliding_sync"`
-|
-
-| config.database.host
-| string
-| `"localhost"`
-|
-
-| config.database.idle_timeout
-| int
-| `600`
-|
-
-| config.database.max_connections
-| int
-| `10`
-|
-
-| config.database.max_lifetime
-| int
-| `1800`
-|
-
-| config.database.min_connections
-| int
-| `0`
-|
-
-| config.database.password
-| string
-| `"secret"`
-|
-
-| config.database.port
-| int
-| `5432`
-|
-
-| config.database.username
-| string
-| `"sliding_sync"`
-|
-
-| config.email.from
-| string
-| `"\"Authentication Service\" <root@localhost>"`
-|
-
-| config.email.reply_to
-| string
-| `"\"Authentication Service\" <root@localhost>"`
-|
-
-| config.email.transport
-| string
-| `"blackhole"`
-|
-
-| config.experimental.access_token_ttl
-| int
-| `300`
-|
-
-| config.experimental.compat_token_ttl
-| int
-| `300`
-|
-
-| config.http.issuer
-| string
-| `"http://[::]:8080/"`
-|
-
-| config.http.listeners[0].binds[0].address
-| string
-| `"[::]:8080"`
-|
-
-| config.http.listeners[0].name
-| string
-| `"http"`
-|
-
-| config.http.listeners[0].proxy_protocol
-| bool
-| `false`
-|
-
-| config.http.listeners[0].resources[0].name
-| string
-| `"discovery"`
-|
-
-| config.http.listeners[0].resources[1].name
-| string
-| `"human"`
-|
-
-| config.http.listeners[0].resources[2].name
-| string
-| `"oauth"`
-|
-
-| config.http.listeners[0].resources[3].name
-| string
-| `"compat"`
-|
-
-| config.http.listeners[0].resources[4].name
-| string
-| `"graphql"`
-|
-
-| config.http.listeners[0].resources[4].playground
-| bool
-| `true`
-|
-
-| config.http.listeners[0].resources[5].name
-| string
-| `"assets"`
-|
-
-| config.http.listeners[0].resources[5].path
-| string
-| `"/usr/local/share/mas-cli/assets/"`
-|
-
-| config.http.listeners[1].binds[0].address
-| string
-| `"[::]:8081"`
-|
-
-| config.http.listeners[1].name
-| string
-| `"internal"`
-|
-
-| config.http.listeners[1].resources[0].name
-| string
-| `"health"`
-|
-
-| config.http.listeners[2].binds[0].address
-| string
-| `"[::]:9100"`
-|
-
-| config.http.listeners[2].name
-| string
-| `"metrics"`
-|
-
-| config.http.listeners[2].resources[0].name
-| string
-| `"prometheus"`
-|
-
-| config.http.public_base
-| string
-| `"http://[::]:8080/"`
-|
-
-| config.http.trusted_proxies[0]
-| string
-| `"192.128.0.0/16"`
-|
-
-| config.http.trusted_proxies[1]
-| string
-| `"172.16.0.0/12"`
-|
-
-| config.http.trusted_proxies[2]
-| string
-| `"10.0.0.0/10"`
-|
-
-| config.http.trusted_proxies[3]
-| string
-| `"127.0.0.1/8"`
-|
-
-| config.http.trusted_proxies[4]
-| string
-| `"fd00::/8"`
-|
-
-| config.http.trusted_proxies[5]
-| string
-| `"::1/128"`
-|
-
-| config.matrix.endpoint
-| string
-| `"http://localhost:8008/"`
-|
-
-| config.matrix.homeserver
-| string
-| `"localhost:8008"`
-|
-
-| config.matrix.secret
-| string
-| `"kPnqGbK9hmSRK41DZTgVJxfKVAiLrY6G"`
-|
-
-| config.passwords.enabled
-| bool
-| `true`
-|
-
-| config.passwords.schemes[0].algorithm
-| string
-| `"argon2id"`
-|
-
-| config.passwords.schemes[0].version
-| int
-| `1`
-|
-
-| config.policy.authorization_grant_entrypoint
-| string
-| `"authorization_grant/violation"`
-|
-
-| config.policy.client_registration_entrypoint
-| string
-| `"client_registration/violation"`
-|
-
-| config.policy.data
-| string
-| `nil`
-|
-
-| config.policy.email_entrypoint
-| string
-| `"email/violation"`
-|
-
-| config.policy.password_entrypoint
-| string
-| `"password/violation"`
-|
-
-| config.policy.register_entrypoint
-| string
-| `"register/violation"`
-|
-
-| config.policy.wasm_module
-| string
-| `"/usr/local/share/mas-cli/policy.wasm"`
-|
-
-| config.secrets.encryption
-| string
-| `nil`
-|
-
-| config.secrets.keys
-| list
-| `[]`
-|
-
-| config.telemetry.metrics.exporter
-| string
-| `"prometheus"`
-|
-
-| config.telemetry.sentry.dsn
-| string
-| `nil`
-|
-
-| config.telemetry.tracing.exporter
-| string
-| `"none"`
-|
-
-| config.telemetry.tracing.propagators
-| list
-| `[]`
-|
-
-| config.templates.assets_manifest
-| string
-| `"/usr/local/share/mas-cli/manifest.json"`
-|
-
-| config.templates.path
-| string
-| `"/usr/local/share/mas-cli/templates/"`
-|
-
-| config.templates.translations_path
-| string
-| `"/usr/local/share/mas-cli/translations/"`
-|
-
-| config.upstream_oauth2.providers
-| list
-| `[]`
-|
-
-| fullnameOverride
-| string
-| `""`
-|
-
-| global.image.pullPolicy
-| string
-| `nil`
-| if set it will overwrite all pullPolicy
-
-| global.image.registry
-| string
-| `nil`
-| if set it will overwrite all registry entries
-
-| image.pullPolicy
-| string
-| `"IfNotPresent"`
-|
-
-| image.registry
-| string
-| `"ghcr.io"`
-|
-
-| image.repository
-| string
-| `"matrix-org/matrix-authentication-service"`
-|
-
-| image.tag
-| string
-| `nil`
-| Overrides the image tag whose default is the chart appVersion.
-
-| imagePullSecrets
-| list
-| `[]`
-|
-
-| ingress.annotations
-| object
-| `{}`
-|
-
-| ingress.className
-| string
-| `""`
-|
-
-| ingress.enabled
-| bool
-| `false`
-|
-
-| ingress.hosts[0].host
-| string
-| `"auth.matrix.chart-example.local"`
-|
-
-| ingress.hosts[0].paths[0].path
-| string
-| `"/l"`
-|
-
-| ingress.hosts[0].paths[0].pathType
-| string
-| `"Prefix"`
-|
-
-| ingress.hosts[1].host
-| string
-| `"matrix.chart-example.local"`
-|
-
-| ingress.hosts[1].paths[0].path
-| string
-| `"/_matrix/client/v3/login"`
-|
-
-| ingress.hosts[1].paths[0].pathType
-| string
-| `"Exact"`
-|
-
-| ingress.hosts[1].paths[1].path
-| string
-| `"/_matrix/client/v3/logout"`
-|
-
-| ingress.hosts[1].paths[1].pathType
-| string
-| `"Exact"`
-|
-
-| ingress.hosts[1].paths[2].path
-| string
-| `"/_matrix/client/v3/refresh"`
-|
-
-| ingress.hosts[1].paths[2].pathType
-| string
-| `"Exact"`
-|
-
-| ingress.tls
-| list
-| `[]`
-|
-
-| livenessProbe.httpGet.path
-| string
-| `"/health"`
-|
-
-| livenessProbe.httpGet.port
-| string
-| `"internal"`
-|
-
-| nameOverride
-| string
-| `""`
-|
-
-| nodeSelector
-| object
-| `{}`
-|
-
-| podAnnotations
-| object
-| `{}`
-|
-
-| podLabels
-| object
-| `{}`
-|
-
-| podSecurityContext.fsGroup
-| int
-| `1000`
-|
-
-| prometheus.servicemonitor.enabled
-| bool
-| `false`
-|
-
-| prometheus.servicemonitor.labels
-| object
-| `{}`
-|
-
-| readinessProbe.httpGet.path
-| string
-| `"/health"`
-|
-
-| readinessProbe.httpGet.port
-| string
-| `"internal"`
-|
-
-| replicaCount
-| int
-| `1`
-|
-
-| resources
-| object
-| `{}`
-|
-
-| securityContext.capabilities.drop[0]
-| string
-| `"ALL"`
-|
-
-| securityContext.readOnlyRootFilesystem
-| bool
-| `true`
-|
-
-| securityContext.runAsNonRoot
-| bool
-| `true`
-|
-
-| securityContext.runAsUser
-| int
-| `1000`
-|
-
-| service.port.http
-| int
-| `8080`
-|
-
-| service.port.metrics
-| int
-| `9100`
-|
-
-| service.type
-| string
-| `"ClusterIP"`
-|
-
-| serviceAccount.annotations
-| object
-| `{}`
-|
-
-| serviceAccount.automount
-| bool
-| `true`
-|
-
-| serviceAccount.create
-| bool
-| `true`
-|
-
-| serviceAccount.name
-| string
-| `""`
-|
-
-| tolerations
-| list
-| `[]`
-|
-
-| volumeMounts
-| list
-| `[]`
-|
-
-| volumes
-| list
-| `[]`
-|
-|===
-
-Autogenerated from chart metadata using https://github.com/norwoodj/helm-docs[helm-docs]

matrix-authentication-service/README.md

@@ -7,7 +7,7 @@ description: "OAuth2.0 + OpenID Provider for Matrix Homeservers (per MSC3861)"
 
 # matrix-authentication-service
 
-![Version: 0.0.7](https://img.shields.io/badge/Version-0.0.7-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.11.0](https://img.shields.io/badge/AppVersion-0.11.0-informational?style=flat-square)
+![Version: 0.0.10](https://img.shields.io/badge/Version-0.0.10-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.14.1](https://img.shields.io/badge/AppVersion-0.14.1-informational?style=flat-square)
 
 OAuth2.0 + OpenID Provider for Matrix Homeservers (per MSC3861)
 
@@ -122,7 +122,7 @@ helm uninstall matrix-authentication-service-release
 | global.image.registry | string | `nil` | if set it will overwrite all registry entries |
 | image.pullPolicy | string | `"IfNotPresent"` |  |
 | image.registry | string | `"ghcr.io"` |  |
-| image.repository | string | `"matrix-org/matrix-authentication-service"` |  |
+| image.repository | string | `"element-hq/matrix-authentication-service"` |  |
 | image.tag | string | `nil` | Overrides the image tag whose default is the chart appVersion. |
 | imagePullSecrets | list | `[]` |  |
 | ingress.annotations | object | `{}` |  |

matrix-authentication-service/values.yaml

@@ -8,7 +8,7 @@ global:
 
 image:
   registry: ghcr.io
-  repository: matrix-org/matrix-authentication-service
+  repository: element-hq/matrix-authentication-service
   pullPolicy: IfNotPresent
   # -- Overrides the image tag whose default is the chart appVersion.
   tag:

matrix-synapse/Chart.lock

@@ -1,9 +1,9 @@
 dependencies:
 - name: postgresql
   repository: oci://docker.io/bitnamicharts
-  version: 16.3.4
+  version: 16.4.13
 - name: redis
   repository: oci://docker.io/bitnamicharts
-  version: 20.6.1
-digest: sha256:665df7526ab6a366a2d588fd0269eafb28b8b798e16e2df0c61b43095aa97219
-generated: "2024-12-23T12:06:19.941471462+01:00"
+  version: 20.8.0
+digest: sha256:7448610da56aab3367e4c4619ef7f84b5367337477c659ca412cb00f479ddb61
+generated: "2025-02-21T08:31:38.004185879+01:00"

matrix-synapse/Chart.yaml

@@ -4,9 +4,9 @@ name: matrix-synapse
 description: Matrix reference homeserver
 icon: https://matrix.org/images/matrix-logo.svg
 type: application
-version: "1.0.7"
+version: "1.0.16"
 # renovate: image=ghcr.io/element-hq/synapse
-appVersion: 1.121.1
+appVersion: 1.124.0
 maintainers:
   - name: WrenIX
     url: https://wrenix.eu
@@ -17,6 +17,6 @@ dependencies:
     repository: "oci://docker.io/bitnamicharts"
     condition: postgresql.enabled
   - name: redis
-    version: "20.6.1"
+    version: "20.8.0"
     repository: "oci://docker.io/bitnamicharts"
     condition: redis.enabled

matrix-synapse/README.md

@@ -7,7 +7,7 @@ description: "Matrix reference homeserver"
 
 # matrix-synapse
 
-![Version: 1.0.7](https://img.shields.io/badge/Version-1.0.7-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.121.1](https://img.shields.io/badge/AppVersion-1.121.1-informational?style=flat-square)
+![Version: 1.0.16](https://img.shields.io/badge/Version-1.0.16-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.124.0](https://img.shields.io/badge/AppVersion-1.124.0-informational?style=flat-square)
 
 Matrix reference homeserver
 
@@ -44,7 +44,7 @@ helm uninstall matrix-synapse-release
 | Repository | Name | Version |
 |------------|------|---------|
 | oci://docker.io/bitnamicharts | postgresql | ^16.3.1 |
-| oci://docker.io/bitnamicharts | redis | 20.6.1 |
+| oci://docker.io/bitnamicharts | redis | 20.8.0 |
 
 ## Values
 
@@ -111,11 +111,14 @@ helm uninstall matrix-synapse-release
 | publicServerName | string | `nil` | The public Matrix server name, this will be used for any public URLs in config as well as for client API links in the ingress. |
 | redis.architecture | string | `"standalone"` |  |
 | redis.auth.enabled | bool | `true` |  |
-| redis.auth.password | string | `"synapse"` |  |
+| redis.auth.existingSecret | string | `""` | name of an existing secret with Redis credentials (instead of auth.password), must be created ahead of time |
+| redis.auth.existingSecretPasswordKey | string | `""` | Password key to be retrieved from existing secret |
+| redis.auth.password | string | `"synapse"` | XXX Change me! |
 | redis.enabled | bool | `true` |  |
-| redis.master.kind | string | `"Deployment"` |  |
-| redis.master.persistence.enabled | bool | `false` |  |
+| redis.global.storageClass | string | `""` |  |
+| redis.master.persistence.enabled | bool | `true` |  |
 | redis.master.service.port | int | `6379` |  |
+| redis.replica.persistence.enabled | bool | `true` |  |
 | serverName | string | `nil` | The Matrix domain name, this is what will be used for the domain part in your MXIDs. |
 | service.port | int | `8008` |  |
 | service.targetPort | string | `"http"` |  |
@@ -154,7 +157,7 @@ helm uninstall matrix-synapse-release
 | volumePermissions.image.pullPolicy | string | `"Always"` |  |
 | volumePermissions.image.registry | string | `"docker.io"` |  |
 | volumePermissions.image.repository | string | `"library/alpine"` |  |
-| volumePermissions.image.tag | string | `"3.21.0"` |  |
+| volumePermissions.image.tag | string | `"3.21.3"` |  |
 | volumePermissions.resources | object | `{}` |  |
 | volumePermissions.uid | int | `666` |  |
 | wellknown.affinity | object | `{}` |  |
@@ -166,7 +169,7 @@ helm uninstall matrix-synapse-release
 | wellknown.image.pullPolicy | string | `"IfNotPresent"` |  |
 | wellknown.image.registry | string | `"docker.io"` |  |
 | wellknown.image.repository | string | `"library/nginx"` |  |
-| wellknown.image.tag | string | `"1.27.3"` |  |
+| wellknown.image.tag | string | `"1.27.4"` |  |
 | wellknown.nodeSelector | object | `{}` |  |
 | wellknown.podAnnotations | list | `[]` |  |
 | wellknown.podLabels | object | `{}` |  |

matrix-synapse/values.yaml

@@ -613,7 +613,7 @@ wellknown:
   image:
     registry: docker.io
     repository: library/nginx
-    tag: 1.27.3
+    tag: 1.27.4
     pullPolicy: IfNotPresent
 
   replicaCount: 1
@@ -721,25 +721,24 @@ redis:
 
   auth:
     enabled: true
-    # XXX Change me!
+    # -- XXX Change me!
     password: synapse
-
-    ## Or use existing secret with "redis-password" key
-    ## instead of static password
-    ##
-    # existingSecret: redis-secret
+    # -- name of an existing secret with Redis credentials (instead of auth.password), must be created ahead of time
+    existingSecret: ""
+    # -- Password key to be retrieved from existing secret
+    existingSecretPasswordKey: ""
 
   architecture: standalone
+  global:
+    storageClass: ""
   master:
-    kind: Deployment
     persistence:
-      ## Note that Synapse only uses redis as a synchronization utility, so no
-      ## data will ever need to be persisted.
-      ##
-      enabled: false
+      enabled: true
     service:
       port: 6379
-
+  replica:
+    persistence:
+      enabled: true
 ## An externally configured Redis server to use for workers/sharding.
 ##
 externalRedis:
@@ -794,7 +793,7 @@ volumePermissions:
   image:
     registry: docker.io
     repository: library/alpine
-    tag: 3.21.0
+    tag: 3.21.3
     pullPolicy: Always
 
     ## Optionally specify an array of imagePullSecrets.

mautrix-bridge/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: mautrix-bridge
 description: A Matrix puppeting bridge mautrix.
 type: application
-version: 0.0.15
+version: 0.0.17
 maintainers:
   - name: WrenIX
     url: https://wrenix.eu

mautrix-bridge/README.md

@@ -7,7 +7,7 @@ description: "A Matrix puppeting bridge mautrix."
 
 # mautrix-bridge
 
-![Version: 0.0.15](https://img.shields.io/badge/Version-0.0.15-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+![Version: 0.0.17](https://img.shields.io/badge/Version-0.0.17-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
 
 A Matrix puppeting bridge mautrix.
 

mautrix-bridge/bridge-values/signal/values.yaml

@@ -1,6 +1,6 @@
 image:
   repository: mautrix/signal
-  tag: "v0.7.4"
+  tag: "v0.8.0"
 
 config:
   bridge:

mautrix-bridge/values.yaml

@@ -97,7 +97,7 @@ config:
       # This has all the Sender variables available under message_formats (but without the .Sender prefix).
       # Note that you need to manually remove the displayname from message_formats above.
       displayname_format: "{{ .DisambiguatedName }}"
-  
+
     # -- Permissions for using the bridge.
     # Permitted values:
     #    relay - Talk through the relaybot (if enabled), no access otherwise
@@ -160,7 +160,7 @@ config:
     # -- How often should the websocket be pinged? Pinging will be disabled if this is zero.
     ping_interval_seconds: 0
 
-  
+
   # Application service host/registration related details.
   # Changing these values requires regeneration of the registration.
   appservice:
@@ -211,7 +211,7 @@ config:
     # -- Whether or not created rooms should have federation enabled.
     # If false, created portal rooms will never be federated.
     federate_rooms: true
-    
+
   # Settings for provisioning API
   provisioning:
     # -- Prefix for the provisioning API paths.
@@ -274,23 +274,23 @@ config:
     unread_hours_threshold: 720
     # Settings for backfilling threads within other backfills.
     threads:
-        # -- Maximum number of messages to backfill in a new thread.
-        max_initial_messages: 50
+      # -- Maximum number of messages to backfill in a new thread.
+      max_initial_messages: 50
     # Settings for the backwards backfill queue. This only applies when connecting to
     # Beeper as standard Matrix servers don't support inserting messages into history.
     queue:
-        # -- Should the backfill queue be enabled?
-        enabled: false
-        # -- Number of messages to backfill in one batch.
-        batch_size: 100
-        # -- Delay between batches in seconds.
-        batch_delay: 20
-        # -- Maximum number of batches to backfill per portal.
-        # If set to -1, all available messages will be backfilled.
-        max_batches: -1
-        # -- Optional network-specific overrides for max batches.
-        # Interpretation of this field depends on the network connector.
-        max_batches_override: {}
+      # -- Should the backfill queue be enabled?
+      enabled: false
+      # -- Number of messages to backfill in one batch.
+      batch_size: 100
+      # -- Delay between batches in seconds.
+      batch_delay: 20
+      # -- Maximum number of batches to backfill per portal.
+      # If set to -1, all available messages will be backfilled.
+      max_batches: -1
+      # -- Optional network-specific overrides for max batches.
+      # Interpretation of this field depends on the network connector.
+      max_batches_override: {}
 
 
   # Settings for enabling double puppeting

miniserve/Chart.yaml

@@ -3,9 +3,9 @@ name: miniserve
 description: A Helm chart for Kubernetes
 icon: https://raw.githubusercontent.com/svenstaro/miniserve/master/data/logo.svg
 type: application
-version: "0.4.3"
+version: "0.4.4"
 # renovate: image=docker.io/svenstaro/miniserve
-appVersion: "0.28.0"
+appVersion: "0.29.0"
 maintainers:
   - name: WrenIX
     url: https://wrenix.eu

miniserve/README.adoc

@@ -1,411 +0,0 @@
-
-
-= miniserve
-
-image::https://img.shields.io/badge/Version-0.4.3-informational?style=flat-square[Version: 0.4.3]
-image::https://img.shields.io/badge/Version-application-informational?style=flat-square[Type: application]
-image::https://img.shields.io/badge/AppVersion-0.28.0-informational?style=flat-square[AppVersion: 0.28.0]
-== Maintainers
-
-.Maintainers
-|===
-| Name | Email | Url
-
-| WrenIX
-|
-| <https://wrenix.eu>
-|===
-
-== Usage
-
-Helm must be installed and setup to your kubernetes cluster to use the charts.
-Refer to Helm's https://helm.sh/docs[documentation] to get started.
-Once Helm has been set up correctly, fetch the charts as follows:
-
-[source,bash]
-----
-helm pull oci://codeberg.org/wrenix/helm-charts/miniserve
-----
-
-You can install a chart release using the following command:
-
-[source,bash]
-----
-helm install miniserve-release oci://codeberg.org/wrenix/helm-charts/miniserve --values values.yaml
-----
-
-To uninstall a chart release use `helm`'s delete command:
-
-[source,bash]
-----
-helm uninstall miniserve-release
-----
-
-== Values
-
-.Values
-|===
-| Key | Type | Default | Description
-
-| affinity
-| object
-| `{}`
-|
-
-| autoscaling.enabled
-| bool
-| `false`
-|
-
-| autoscaling.maxReplicas
-| int
-| `100`
-|
-
-| autoscaling.minReplicas
-| int
-| `1`
-|
-
-| autoscaling.targetCPUUtilizationPercentage
-| int
-| `80`
-|
-
-| data.args
-| list
-| `[]`
-| used for commandline flags
-
-| data.auth
-| string
-| `""`
-| Set authentication. Currently supported formats: username:password, username:sha256:hash,            username:sha512:hash (e.g. joe:123,            joe:sha256:a665a45920422f9d417e4867efdc4fb8a04a1f3fff1fa07e998e86f7f7a27ae3)
-
-| data.colorScheme
-| string
-| `"squirrel"`
-| Default color scheme
-
-| data.colorSchemeDark
-| string
-| `"archlinux"`
-| Default color scheme
-
-| data.dirsFirst
-| bool
-| `true`
-| List directories first
-
-| data.enable.tar
-| bool
-| `false`
-| Enable uncompressed tar archive generation
-
-| data.enable.tarGZ
-| bool
-| `false`
-| Enable gz-compressed tar archive generation
-
-| data.enable.zip
-| bool
-| `false`
-| Enable zip archive generation WARNING: Zipping large directories can result in out-of-memory exception because zip generation is done in memory and cannot be sent on the fly
-
-| data.hidden
-| bool
-| `false`
-| Show hidden files
-
-| data.hideThemeSelector
-| bool
-| `false`
-| Hide theme selector
-
-| data.hideVersionFooter
-| bool
-| `true`
-| Hide version footer
-
-| data.index
-| string
-| `"index.html"`
-| Normally, when miniserve serves a directory, it creates a listing for that directory. However, if a directory contains this file, miniserve will serve that file instead.
-
-| data.noSymlinks
-| bool
-| `false`
-| Hide symlinks in listing and prevent them from being followed
-
-| data.path
-| string
-| `"/data"`
-| Which path to serve
-
-| data.prettyURLs
-| bool
-| `false`
-| Activate Pretty URLs mode
-
-| data.qrcode
-| bool
-| `false`
-| Enable QR code display
-
-| data.readme
-| bool
-| `false`
-| Enable README.md rendering in directories
-
-| data.routePrefix
-| string
-| `""`
-| Use a specific route prefix
-
-| data.showSymlinkInfo
-| bool
-| `false`
-| Visualize symlinks in directory listing
-
-| data.showWGETFooter
-| bool
-| `true`
-| If enabled, display a wget command to recursively download the current directory
-
-| data.spa
-| bool
-| `false`
-| Activate SPA (Single Page Application) mode
-
-| data.title
-| string
-| `""`
-| Shown instead of host in page title and heading
-
-| data.upload.allowedDir
-| string
-| `""`
-| Enable file uploading (and optionally specify for which directory)
-
-| data.upload.mediaType
-| string
-| `""`
-| Specify uploadable media types: possible values image, audio, video
-
-| data.upload.mkdir
-| bool
-| `false`
-| Enable creating directories
-
-| data.upload.overwriteFiles
-| bool
-| `false`
-| Enable overriding existing files during file upload
-
-| data.upload.rawMediaType
-| string
-| `""`
-| Directly specify the uploadable media type expression
-
-| data.verbose
-| bool
-| `false`
-| Be verbose, includes emitting access logs
-
-| fullnameOverride
-| string
-| `""`
-|
-
-| image.pullPolicy
-| string
-| `"IfNotPresent"`
-|
-
-| image.repository
-| string
-| `"docker.io/svenstaro/miniserve"`
-|
-
-| image.tag
-| string
-| `""`
-|
-
-| imagePullSecrets
-| list
-| `[]`
-|
-
-| ingress.annotations
-| object
-| `{}`
-|
-
-| ingress.className
-| string
-| `""`
-|
-
-| ingress.enabled
-| bool
-| `false`
-|
-
-| ingress.hosts[0].host
-| string
-| `"chart-example.local"`
-|
-
-| ingress.hosts[0].paths[0].path
-| string
-| `"/"`
-|
-
-| ingress.hosts[0].paths[0].pathType
-| string
-| `"ImplementationSpecific"`
-|
-
-| ingress.tls
-| list
-| `[]`
-|
-
-| nameOverride
-| string
-| `""`
-|
-
-| networkPolicy.egress.enabled
-| bool
-| `true`
-| activate egress no networkpolicy
-
-| networkPolicy.egress.extra
-| list
-| `[]`
-| egress rules
-
-| networkPolicy.enabled
-| bool
-| `false`
-|
-
-| networkPolicy.ingress.http
-| list
-| `[]`
-| ingress for http port (e.g. ingress-controller)
-
-| nodeSelector
-| object
-| `{}`
-|
-
-| persistence.accessMode
-| string
-| `"ReadWriteOnce"`
-|
-
-| persistence.annotations
-| object
-| `{}`
-|
-
-| persistence.enabled
-| bool
-| `false`
-|
-
-| persistence.existingClaim
-| string
-| `nil`
-| A manually managed Persistent Volume and Claim Requires persistence.enabled: true If defined, PVC must be created manually before volume will be bound
-
-| persistence.hostPath
-| string
-| `nil`
-|
-
-| persistence.size
-| string
-| `"1Gi"`
-|
-
-| persistence.storageClass
-| string
-| `nil`
-| data Persistent Volume Storage Class If defined, storageClassName: <storageClass> If set to "-", storageClassName: "", which disables dynamic provisioning If undefined (the default) or set to null, no storageClassName spec is   set, choosing the default provisioner.  (gp2 on AWS, standard on   GKE, AWS & OpenStack)
-
-| podAnnotations
-| object
-| `{}`
-|
-
-| podLabels
-| object
-| `{}`
-|
-
-| podSecurityContext
-| object
-| `{}`
-|
-
-| replicaCount
-| int
-| `1`
-|
-
-| resources.limits.memory
-| string
-| `"256Mi"`
-|
-
-| resources.requests.cpu
-| string
-| `"80m"`
-|
-
-| resources.requests.memory
-| string
-| `"128Mi"`
-|
-
-| securityContext
-| object
-| `{}`
-|
-
-| service.port
-| int
-| `8080`
-|
-
-| service.type
-| string
-| `"ClusterIP"`
-|
-
-| serviceAccount.annotations
-| object
-| `{}`
-| Annotations to add to the service account
-
-| serviceAccount.create
-| bool
-| `true`
-| Specifies whether a service account should be created
-
-| serviceAccount.name
-| string
-| `""`
-| If not set and create is true, a name is generated using the fullname template
-
-| tolerations
-| list
-| `[]`
-|
-|===
-
-Autogenerated from chart metadata using https://github.com/norwoodj/helm-docs[helm-docs]

miniserve/README.md

@@ -7,7 +7,7 @@ description: "A Helm chart for Kubernetes"
 
 # miniserve
 
-![Version: 0.4.3](https://img.shields.io/badge/Version-0.4.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.28.0](https://img.shields.io/badge/AppVersion-0.28.0-informational?style=flat-square)
+![Version: 0.4.4](https://img.shields.io/badge/Version-0.4.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.29.0](https://img.shields.io/badge/AppVersion-0.29.0-informational?style=flat-square)
 
 A Helm chart for Kubernetes
 
@@ -76,6 +76,7 @@ helm uninstall miniserve-release
 | data.upload.overwriteFiles | bool | `false` | Enable overriding existing files during file upload |
 | data.upload.rawMediaType | string | `""` | Directly specify the uploadable media type expression |
 | data.verbose | bool | `false` | Be verbose, includes emitting access logs |
+| data.webdav.enabled | bool | `false` | If enabled, respond to WebDAV requests (read-only). |
 | fullnameOverride | string | `""` |  |
 | image.pullPolicy | string | `"IfNotPresent"` |  |
 | image.repository | string | `"docker.io/svenstaro/miniserve"` |  |

miniserve/templates/configmap.yaml

@@ -64,4 +64,9 @@ data:
   # MINISERVE_TLS_CERT:
   # MINISERVE_TLS_KEY:
   MINISERVE_README: {{ .readme | quote }}
+  {{- with .webdav }}
+  {{- if .enabled }}
+  MINISERVE_ENABLE_WEBDAV: "true"
+  {{- end }}
+  {{- end }}
   {{- end}}

miniserve/values.yaml

@@ -74,6 +74,10 @@ data:
   showWGETFooter: true
   # -- Enable README.md rendering in directories
   readme: false
+  webdav:
+    # -- If enabled, respond to WebDAV requests (read-only).
+    enabled: false
+
   # -- used for commandline flags
   args: []
 

ntfy/Chart.yaml

@@ -3,7 +3,7 @@ name: ntfy
 description: A Helm chart for Kubernetes
 icon: https://github.com/binwiederhier/ntfy/raw/main/web/public/static/images/pwa-512x512.png
 type: application
-version: "0.4.8"
+version: "0.4.11"
 # renovate: image=docker.io/binwiederhier/ntfy
 appVersion: "2.11.0"
 maintainers: