Update Helm chart versions across multiple components to latest stable releases, including Argo CD (9.5.14), cert-manager (v1.20.2), Cilium (1.19.4), kube-prometheus-stack (85.0.3), Loki (7.0.0), Fluent Bit (0.57.5), Headlamp (0.42.0), Traefik (40.2.0), and Kyverno (3.8.0). Adjusted related documentation and values files to reflect these changes for improved deployment consistency and compatibility.

This commit is contained in:
Nikholas Pcenicni
2026-05-14 18:55:18 -04:00
parent 95b1866144
commit 2321209626
43 changed files with 97 additions and 98 deletions

View File

@@ -10,7 +10,7 @@ helm repo update
helm upgrade --install argocd argo/argo-cd \
--namespace argocd \
--create-namespace \
--version 9.4.17 \
--version 9.5.14 \
-f clusters/noble/bootstrap/argocd/values.yaml \
--wait
```
@@ -43,7 +43,7 @@ If **`helm upgrade --wait`** fails with *Secret was previously issued by `letsen
kubectl -n argocd delete certificate argocd-server --ignore-not-found
kubectl -n argocd delete secret argocd-server-tls --ignore-not-found
helm upgrade --install argocd argo/argo-cd -n argocd --create-namespace \
--version 9.4.17 -f clusters/noble/bootstrap/argocd/values.yaml --wait
--version 9.5.14 -f clusters/noble/bootstrap/argocd/values.yaml --wait
```
## 3. Register this repo (if private)
@@ -112,4 +112,4 @@ After **`noble-bootstrap-root`** is automated and leaf apps are synced, **git**
## Versions
Pinned in **`values.yaml`** comments (chart **9.4.17** / Argo CD **v3.3.6** at time of writing). Bump **`--version`** when upgrading.
Pinned in **`values.yaml`** comments (chart **9.5.14** / Argo CD **v3.4.2** at time of writing). Bump **`--version`** when upgrading.

View File

@@ -14,7 +14,7 @@ spec:
path: clusters/noble/bootstrap/cert-manager
- repoURL: https://charts.jetstack.io
chart: cert-manager
targetRevision: v1.20.0
targetRevision: v1.20.2
helm:
releaseName: cert-manager
valueFiles:

View File

@@ -11,7 +11,7 @@ spec:
sources:
- repoURL: https://helm.cilium.io/
chart: cilium
targetRevision: 1.16.6
targetRevision: 1.19.4
helm:
releaseName: cilium
valueFiles:
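Review bot: the jump in `targetRevision` from 1.16.6 to 1.19.4 skips two minor releases, and Cilium's documented upgrade path supports only one minor step at a time (1.16 → 1.17 → 1.18 → 1.19) with a pre-flight check before each, so a single Argo CD sync against a running 1.16.6 agent risks a failed or inconsistent rollout. Suggest stepping `targetRevision` through the intermediate minors, or noting in the PR that the intermediate steps were already done out of band on this cluster; the values.yaml header in this diff also says kube-proxy is still running, so re-check the kube-proxy-replacement settings against the 1.19 defaults before syncing.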

View File

@@ -11,7 +11,7 @@ spec:
sources:
- repoURL: https://fluent.github.io/helm-charts
chart: fluent-bit
targetRevision: 0.56.0
targetRevision: 0.57.5
helm:
releaseName: fluent-bit
valueFiles:

View File

@@ -11,7 +11,7 @@ spec:
sources:
- repoURL: https://kubernetes-sigs.github.io/headlamp/
chart: headlamp
targetRevision: 0.40.1
targetRevision: 0.42.0
helm:
releaseName: headlamp
valueFiles:

View File

@@ -11,7 +11,7 @@ spec:
sources:
- repoURL: https://prometheus-community.github.io/helm-charts
chart: kube-prometheus-stack
targetRevision: 82.15.1
targetRevision: 85.0.3
helm:
skipCrds: true
releaseName: kube-prometheus
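Review bot: `skipCrds: true` is retained while the chart moves across three major versions (82.15.1 → 85.0.3), which means neither Argo CD nor Helm will apply any Prometheus Operator CRD changes that ship with those releases; an operator rolled onto stale CRDs can fail on fields it now expects. Check the kube-prometheus-stack upgrade notes for the 83/84/85 majors and add the separate CRD apply step (for example a server-side `kubectl apply` of the chart's CRDs, or a dedicated CRD Application synced first) to the install comments in values.yaml so the next bump does not silently skip it either.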

View File

@@ -11,7 +11,7 @@ spec:
sources:
- repoURL: https://kyverno.github.io/kyverno/
chart: kyverno
targetRevision: 3.7.1
targetRevision: 3.8.0
helm:
releaseName: kyverno
valueFiles:

View File

@@ -11,7 +11,7 @@ spec:
sources:
- repoURL: https://kyverno.github.io/kyverno/
chart: kyverno-policies
targetRevision: 3.7.1
targetRevision: 3.8.0
helm:
releaseName: kyverno-policies
valueFiles:

View File

@@ -11,7 +11,7 @@ spec:
sources:
- repoURL: https://grafana.github.io/helm-charts
chart: loki
targetRevision: 6.55.0
targetRevision: 7.0.0
helm:
releaseName: loki
valueFiles:
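Review bot: this is a major chart bump (6.55.0 → 7.0.0) against unchanged `valueFiles`; the Loki values.yaml header later in this diff describes a SingleBinary/filesystem-on-Longhorn layout written against the 6.x schema. Render both chart versions with the pinned values (`helm template`) and diff the output before syncing, and confirm the `loki-gateway.loki.svc` endpoint that the Fluent Bit and Grafana comments depend on still exists with that name under 7.0.0, since a renamed gateway would break log shipping without any policy or Argo CD error.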

View File

@@ -11,7 +11,7 @@ spec:
sources:
- repoURL: https://traefik.github.io/charts
chart: traefik
targetRevision: 39.0.6
targetRevision: 40.2.0
helm:
releaseName: traefik
valueFiles:
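Review bot: major chart bump (39.0.6 → 40.2.0) on the ingress controller that fronts Argo CD, Headlamp and Grafana per the other files in this diff; Traefik chart majors typically track a new Traefik release and can change CRDs (IngressRoute, Middleware) and default values. Suggest rendering 40.2.0 with the pinned `valueFiles` and diffing against 39.0.6, and checking the chart's notes on whether CRDs need a separate update, before the Application syncs, so a values or CRD mismatch does not take down TLS termination for every exposed UI at once.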

View File

@@ -1,13 +1,13 @@
# Argo CD — noble lab (GitOps)
#
# Chart: argo/argo-cd — pin version on the helm command (e.g. 9.4.17).
# Chart: argo/argo-cd — pin version on the helm command (e.g. 9.5.14).
# UI/API: **Ingress** via **Traefik** at **argo.apps.noble.lab.pcenicni.dev** (TLS: cert-manager
# ClusterIssuer + **`server.insecure`** so TLS terminates at Traefik).
# DNS: **`argo.apps.noble.lab.pcenicni.dev`** → Traefik LB **192.168.50.211** (same wildcard as apps).
#
# helm repo add argo https://argoproj.github.io/argo-helm
# helm upgrade --install argocd argo/argo-cd -n argocd --create-namespace \
# --version 9.4.17 -f clusters/noble/bootstrap/argocd/values.yaml --wait
# --version 9.5.14 -f clusters/noble/bootstrap/argocd/values.yaml --wait
#
# Initial admin password: kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath='{.data.password}' | base64 -d
#

View File

@@ -29,7 +29,7 @@ Without this Secret, **`ClusterIssuer`** will not complete certificate orders.
helm repo update
helm upgrade --install cert-manager jetstack/cert-manager \
--namespace cert-manager \
--version v1.20.0 \
--version v1.20.2 \
-f clusters/noble/bootstrap/cert-manager/values.yaml \
--wait
```

View File

@@ -1,12 +1,12 @@
# cert-manager — noble lab
#
# Chart: jetstack/cert-manager — pin version on the helm command (e.g. v1.20.0).
# Chart: jetstack/cert-manager — pin version on the helm command (e.g. v1.20.2).
#
# kubectl apply -f clusters/noble/bootstrap/cert-manager/namespace.yaml
# helm repo add jetstack https://charts.jetstack.io
# helm repo update
# helm upgrade --install cert-manager jetstack/cert-manager -n cert-manager \
# --version v1.20.0 -f clusters/noble/bootstrap/cert-manager/values.yaml --wait
# --version v1.20.2 -f clusters/noble/bootstrap/cert-manager/values.yaml --wait
#
# kubectl apply -k clusters/noble/bootstrap/cert-manager

View File

@@ -13,7 +13,7 @@ helm repo add cilium https://helm.cilium.io/
helm repo update
helm upgrade --install cilium cilium/cilium \
--namespace kube-system \
--version 1.16.6 \
--version 1.19.4 \
-f clusters/noble/bootstrap/cilium/values.yaml \
--wait
```

View File

@@ -1,7 +1,7 @@
# Cilium on Talos — phase 1: bring up CNI while kube-proxy still runs.
# See README.md for install order (before MetalLB scheduling) and optional kube-proxy replacement.
#
# Chart: cilium/cilium — pin version in helm command (e.g. 1.16.6).
# Chart: cilium/cilium — pin version in helm command (e.g. 1.19.4).
# Ref: https://www.talos.dev/latest/kubernetes-guides/network/deploying-cilium/
ipam:

View File

@@ -1,6 +1,6 @@
# Fluent Bit — noble lab (DaemonSet; ship Kubernetes container logs to Loki gateway).
#
# Chart: fluent/fluent-bit — pin version on install (e.g. 0.56.0).
# Chart: fluent/fluent-bit — pin version on install (e.g. 0.57.5).
# Install **after** Loki so `loki-gateway.loki.svc` exists.
#
# Talos: only **tail** `/var/log/containers` (no host **systemd** input — journal layout differs from typical Linux).
@@ -9,7 +9,7 @@
# helm repo add fluent https://fluent.github.io/helm-charts
# helm repo update
# helm upgrade --install fluent-bit fluent/fluent-bit -n logging \
# --version 0.56.0 -f clusters/noble/bootstrap/fluent-bit/values.yaml --wait --timeout 15m
# --version 0.57.5 -f clusters/noble/bootstrap/fluent-bit/values.yaml --wait --timeout 15m
config:
inputs: |

View File

@@ -2,7 +2,7 @@
[Headlamp](https://headlamp.dev/) web UI for the cluster. Exposed on **`https://headlamp.apps.noble.lab.pcenicni.dev`** via **Traefik** + **cert-manager** (`letsencrypt-prod`), same pattern as Grafana.
- **Chart:** `headlamp/headlamp` **0.40.1** (`config.sessionTTL: null` avoids chart/binary mismatch — [issue #4883](https://github.com/kubernetes-sigs/headlamp/issues/4883))
- **Chart:** `headlamp/headlamp` **0.42.0** (`config.sessionTTL: null` still omits **`-session-ttl`** if needed — [issue #4883](https://github.com/kubernetes-sigs/headlamp/issues/4883))
- **Namespace:** `headlamp`
## Install
@@ -12,7 +12,7 @@ helm repo add headlamp https://kubernetes-sigs.github.io/headlamp/
helm repo update
kubectl apply -f clusters/noble/bootstrap/headlamp/namespace.yaml
helm upgrade --install headlamp headlamp/headlamp -n headlamp \
--version 0.40.1 -f clusters/noble/bootstrap/headlamp/values.yaml --wait --timeout 10m
--version 0.42.0 -f clusters/noble/bootstrap/headlamp/values.yaml --wait --timeout 10m
```
Sign-in uses a **ServiceAccount token** (Headlamp docs: create a limited SA for day-to-day use). This repo binds the Headlamp workload SA to the built-in **`edit`** ClusterRole (**`clusterRoleBinding.clusterRoleName: edit`** in **`values.yaml`**) — not **`cluster-admin`**. For cluster-scoped admin work, use **`kubectl`** with your admin kubeconfig. Optional **OIDC** in **`config.oidc`** replaces token login for SSO. **In-cluster OIDC requires kube-apiserver OIDC** (same Authentik app issuer + **`oidc-client-id: headlamp`**) or proxied K8s calls return **401** while **`/me`** still returns 200 — see **`talos/talconfig.yaml`**, **`oidc-noble-admins-clusterrolebinding.yaml`**, and **`ansible/roles/noble_authentik/README.md`** troubleshooting.

View File

@@ -4,7 +4,7 @@
# helm repo update
# kubectl apply -f clusters/noble/bootstrap/headlamp/namespace.yaml
# helm upgrade --install headlamp headlamp/headlamp -n headlamp \
# --version 0.40.1 -f clusters/noble/bootstrap/headlamp/values.yaml --wait --timeout 10m
# --version 0.42.0 -f clusters/noble/bootstrap/headlamp/values.yaml --wait --timeout 10m
#
# DNS: headlamp.apps.noble.lab.pcenicni.dev → Traefik LB (see talos/CLUSTER-BUILD.md).
# Default chart RBAC is broad — restrict for production (Phase G).
@@ -16,8 +16,7 @@
clusterRoleBinding:
clusterRoleName: edit
#
# Chart 0.40.1 passes -session-ttl but the v0.40.1 binary does not define it — omit the flag:
# https://github.com/kubernetes-sigs/headlamp/issues/4883
# Optional: set **config.sessionTTL** (seconds) or **null** to omit **-session-ttl** (see headlamp#4883 for older chart/binary mismatches).
config:
sessionTTL: null
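Review bot: the rewritten comment drops the concrete reason `sessionTTL: null` exists (chart passed `-session-ttl`, binary did not define it) while the override itself is kept. If chart 0.42.0 and its binary now agree on the flag, the `null` is a leftover and should be removed together with the README's "still omits `-session-ttl` if needed" wording; if they still disagree, keep the original explanation so the next version bump does not drop a workaround nobody remembers the purpose of. Either way, state which case applies for 0.42.0.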

View File

@@ -1,13 +1,13 @@
# kube-prometheus-stack — noble lab (Prometheus Operator + Grafana + Alertmanager + exporters)
#
# Chart: prometheus-community/kube-prometheus-stack — pin version on install (e.g. 82.15.1).
# Chart: prometheus-community/kube-prometheus-stack — pin version on install (e.g. 85.0.3).
#
# Install (use one terminal; chain with && so `helm upgrade` always runs after `helm repo update`):
#
# kubectl apply -f clusters/noble/bootstrap/kube-prometheus-stack/namespace.yaml
# helm repo add prometheus-community https://prometheus-community.github.io/helm-charts
# helm repo update && helm upgrade --install kube-prometheus prometheus-community/kube-prometheus-stack -n monitoring \
# --version 82.15.1 -f clusters/noble/bootstrap/kube-prometheus-stack/values.yaml --wait --timeout 60m
# --version 85.0.3 -f clusters/noble/bootstrap/kube-prometheus-stack/values.yaml --wait --timeout 60m
#
# Why it looks "stalled": with --wait, Helm prints almost nothing until the release finishes (can be many minutes).
# Do not use --timeout 5m for first install — Longhorn PVCs + StatefulSets often need 3060m. To watch progress,

View File

@@ -35,7 +35,7 @@ spec:
effect: NoExecute
containers:
- name: kube-vip
image: ghcr.io/kube-vip/kube-vip:v0.8.3
image: ghcr.io/kube-vip/kube-vip:v0.8.10
imagePullPolicy: IfNotPresent
args:
- manager
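Review bot: this image bump (v0.8.3 → v0.8.10), and the newt, velero and eclipse-che bumps further down, are not listed in the commit message, which only names the nine Helm charts; include them so the log matches the diff. Since kube-vip runs as a control-plane manifest, consider pinning the image by digest in addition to the tag, e.g. `image: ghcr.io/kube-vip/kube-vip:v0.8.10@sha256:<digest>` (placeholder, take the value from the registry), so a re-pushed tag cannot change what the control plane runs.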

View File

@@ -2,7 +2,7 @@
Admission policies using [Kyverno](https://kyverno.io/). The main chart installs controllers and CRDs; **`kyverno-policies`** installs **Pod Security Standard** rules matching the **`baseline`** profile in **`Audit`** mode (violations are visible in policy reports; workloads are not denied).
- **Charts:** `kyverno/kyverno` **3.7.1** (app **v1.17.1**), `kyverno/kyverno-policies` **3.7.1**
- **Charts:** `kyverno/kyverno` **3.8.0** (app **v1.18.0**), `kyverno/kyverno-policies` **3.8.0**
- **Namespace:** `kyverno`
## Install
@@ -12,9 +12,9 @@ helm repo add kyverno https://kyverno.github.io/kyverno/
helm repo update
kubectl apply -f clusters/noble/bootstrap/kyverno/namespace.yaml
helm upgrade --install kyverno kyverno/kyverno -n kyverno \
--version 3.7.1 -f clusters/noble/bootstrap/kyverno/values.yaml --wait --timeout 15m
--version 3.8.0 -f clusters/noble/bootstrap/kyverno/values.yaml --wait --timeout 15m
helm upgrade --install kyverno-policies kyverno/kyverno-policies -n kyverno \
--version 3.7.1 -f clusters/noble/bootstrap/kyverno/policies-values.yaml --wait --timeout 10m
--version 3.8.0 -f clusters/noble/bootstrap/kyverno/policies-values.yaml --wait --timeout 10m
```
Verify:

View File

@@ -1,7 +1,7 @@
# kyverno/kyverno-policies — Pod Security Standards as Kyverno ClusterPolicies
#
# helm upgrade --install kyverno-policies kyverno/kyverno-policies -n kyverno \
# --version 3.7.1 -f clusters/noble/bootstrap/kyverno/policies-values.yaml --wait --timeout 10m
# --version 3.8.0 -f clusters/noble/bootstrap/kyverno/policies-values.yaml --wait --timeout 10m
#
# Default profile is baseline; validationFailureAction is Audit so existing privileged
# workloads are not blocked. Kyverno still emits PolicyReports for matches — Headlamp

View File

@@ -4,7 +4,7 @@
# helm repo update
# kubectl apply -f clusters/noble/bootstrap/kyverno/namespace.yaml
# helm upgrade --install kyverno kyverno/kyverno -n kyverno \
# --version 3.7.1 -f clusters/noble/bootstrap/kyverno/values.yaml --wait --timeout 15m
# --version 3.8.0 -f clusters/noble/bootstrap/kyverno/values.yaml --wait --timeout 15m
#
# Baseline Pod Security policies (separate chart): see policies-values.yaml + README.md
#

View File

@@ -1,12 +1,12 @@
# Grafana Loki — noble lab (SingleBinary, filesystem on Longhorn; no MinIO/S3).
#
# Chart: grafana/loki — pin version on install (e.g. 6.55.0).
# Chart: grafana/loki — pin version on install (e.g. 7.0.0).
#
# kubectl apply -f clusters/noble/bootstrap/loki/namespace.yaml
# helm repo add grafana https://grafana.github.io/helm-charts
# helm repo update
# helm upgrade --install loki grafana/loki -n loki \
# --version 6.55.0 -f clusters/noble/bootstrap/loki/values.yaml --wait --timeout 30m
# --version 7.0.0 -f clusters/noble/bootstrap/loki/values.yaml --wait --timeout 30m
#
# Query/push URL for Grafana + Fluent Bit: http://loki-gateway.loki.svc.cluster.local:80
#

View File

@@ -41,7 +41,7 @@ helm repo add fossorial https://charts.fossorial.io
helm repo update
helm upgrade --install newt fossorial/newt \
--namespace newt \
--version 1.2.0 \
--version 1.5.0 \
-f clusters/noble/bootstrap/newt/values.yaml \
--wait
```

View File

@@ -10,7 +10,7 @@
#
# helm repo add fossorial https://charts.fossorial.io
# helm upgrade --install newt fossorial/newt -n newt \
# --version 1.2.0 -f clusters/noble/bootstrap/newt/values.yaml --wait
# --version 1.5.0 -f clusters/noble/bootstrap/newt/values.yaml --wait
#
# See README.md for Pangolin Integration API (domains + HTTP resources + CNAME).

View File

@@ -15,7 +15,7 @@
helm repo update
helm upgrade --install traefik traefik/traefik \
--namespace traefik \
--version 39.0.6 \
--version 40.2.0 \
-f clusters/noble/bootstrap/traefik/values.yaml \
--wait
```

View File

@@ -1,12 +1,12 @@
# Traefik ingress controller — noble lab
#
# Chart: traefik/traefik — pin version on the helm command (e.g. 39.0.6).
# Chart: traefik/traefik — pin version on the helm command (e.g. 40.2.0).
# DNS: point *.apps.noble.lab.pcenicni.dev to the LoadBalancer IP below.
#
# kubectl apply -f clusters/noble/bootstrap/traefik/namespace.yaml
# helm repo add traefik https://traefik.github.io/charts
# helm upgrade --install traefik traefik/traefik -n traefik \
# --version 39.0.6 -f clusters/noble/bootstrap/traefik/values.yaml --wait
# --version 40.2.0 -f clusters/noble/bootstrap/traefik/values.yaml --wait
service:
type: LoadBalancer

View File

@@ -5,7 +5,7 @@ Ansible-managed core stack — **not** reconciled by Argo CD (`clusters/noble/ap
## What you get
- **No web UI** — Velero is operated with the **`velero`** CLI and **`kubectl`** (Backup, Schedule, Restore CRDs). Metrics are exposed for Prometheus; there is no first-party dashboard in this chart.
- **vmware-tanzu/velero** Helm chart (**12.0.0** → Velero **1.18.0**) in namespace **`velero`**
- **vmware-tanzu/velero** Helm chart (**12.0.1** → Velero **1.18.0**) in namespace **`velero`**
- **AWS plugin** init container for **S3-compatible** object storage (`velero/velero-plugin-for-aws:v1.14.0`)
- **CSI snapshots** via Veleros built-in CSI support (`EnableCSI`) and **VolumeSnapshotLocation** `velero.io/csi` (no separate CSI plugin image for Velero ≥ 1.14)
- **Prometheus** scraping: **ServiceMonitor** labeled for **kube-prometheus** (`release: kube-prometheus`)
@@ -99,7 +99,7 @@ From repo root:
kubectl apply -f clusters/noble/bootstrap/velero/namespace.yaml
# Create velero-cloud-credentials (see above), then:
helm repo add vmware-tanzu https://vmware-tanzu.github.io/helm-charts && helm repo update
helm upgrade --install velero vmware-tanzu/velero -n velero --version 12.0.0 \
helm upgrade --install velero vmware-tanzu/velero -n velero --version 12.0.1 \
-f clusters/noble/bootstrap/velero/values.yaml \
--set-string configuration.backupStorageLocation[0].bucket=YOUR_BUCKET \
--set-string configuration.backupStorageLocation[0].config.s3Url=https://YOUR-S3-ENDPOINT \

View File

@@ -2,10 +2,10 @@
# Install: **ansible/playbooks/noble.yml** role **noble_velero** (override S3 settings via **noble_velero_*** vars).
# Requires Secret **velero/velero-cloud-credentials** key **cloud** (INI for AWS plugin — see README).
#
# Chart: vmware-tanzu/velero — pin version on install (e.g. 12.0.0 / Velero 1.18.0).
# Chart: vmware-tanzu/velero — pin version on install (e.g. 12.0.1 / Velero 1.18.0).
# helm repo add vmware-tanzu https://vmware-tanzu.github.io/helm-charts && helm repo update
# kubectl apply -f clusters/noble/bootstrap/velero/namespace.yaml
# helm upgrade --install velero vmware-tanzu/velero -n velero --version 12.0.0 -f clusters/noble/bootstrap/velero/values.yaml
# helm upgrade --install velero vmware-tanzu/velero -n velero --version 12.0.1 -f clusters/noble/bootstrap/velero/values.yaml
initContainers:
- name: velero-plugin-for-aws

View File

@@ -13,7 +13,7 @@ spec:
source:
repoURL: https://eclipse-che.github.io/che-operator/charts
chart: eclipse-che
targetRevision: 7.116.0
targetRevision: 7.117.0
helm:
releaseName: eclipse-che
destination: