Merge branch 'main' into renovate/ghcr.io-siderolabs-kubelet-1.x

tyriis · Feb 23, 2025 · 2ec5677 · 2ec5677
2 parents 40f8f1b + 6f84cbd
commit 2ec5677
Show file tree

Hide file tree

Showing 84 changed files with 247 additions and 165 deletions.
diff --git a/.github/workflows/dependency-review.yaml b/.github/workflows/dependency-review.yaml
@@ -22,7 +22,7 @@ jobs:
     steps:
       # https://github.com/marketplace/actions/harden-runner
       - name: Harden Runner
-        uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
+        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
         with:
           egress-policy: audit
 

diff --git a/.github/workflows/flux-diff.yaml b/.github/workflows/flux-diff.yaml
@@ -22,7 +22,7 @@ jobs:
     steps:
       # https://github.com/marketplace/actions/harden-runner
       - name: Harden Runner
-        uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
+        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
         with:
           egress-policy: audit
 
@@ -67,7 +67,7 @@ jobs:
     steps:
       # https://github.com/marketplace/actions/create-github-app-token
       - name: Generate Token
-        uses: actions/create-github-app-token@67e27a7eb7db372a1c61a7f9bdab8699e9ee57f7 # v1.11.3
+        uses: actions/create-github-app-token@0d564482f06ca65fa9e77e2510873638c82206f2 # v1.11.5
         if: ${{ github.event.pull_request.head.repo.full_name == github.repository }}
         id: app-token
         with:

diff --git a/.github/workflows/mega-linter.yaml b/.github/workflows/mega-linter.yaml
@@ -13,7 +13,7 @@ jobs:
     steps:
       # https://github.com/marketplace/actions/harden-runner
       - name: Harden Runner
-        uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
+        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
         with:
           egress-policy: audit
 
@@ -25,7 +25,7 @@ jobs:
 
       # https://github.com/marketplace/actions/create-github-app-token
       - name: Generate Token
-        uses: actions/create-github-app-token@67e27a7eb7db372a1c61a7f9bdab8699e9ee57f7 # v1.11.3
+        uses: actions/create-github-app-token@0d564482f06ca65fa9e77e2510873638c82206f2 # v1.11.5
         id: app-token
         with:
           app-id: "${{ secrets.BOT_APP_ID }}"

diff --git a/.github/workflows/pr-labeler.yaml b/.github/workflows/pr-labeler.yaml
@@ -18,13 +18,13 @@ jobs:
     steps:
       # https://github.com/marketplace/actions/harden-runner
       - name: Harden Runner
-        uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
+        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
         with:
           egress-policy: audit
 
       # https://github.com/marketplace/actions/create-github-app-token
       - name: Generate Token
-        uses: actions/create-github-app-token@67e27a7eb7db372a1c61a7f9bdab8699e9ee57f7 # v1.11.3
+        uses: actions/create-github-app-token@0d564482f06ca65fa9e77e2510873638c82206f2 # v1.11.5
         id: app-token
         with:
           app-id: "${{ secrets.BOT_APP_ID }}"

diff --git a/.github/workflows/run-trivy.yaml b/.github/workflows/run-trivy.yaml
@@ -15,7 +15,7 @@ jobs:
     steps:
       # https://github.com/marketplace/actions/harden-runner
       - name: Harden Runner
-        uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
+        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
         with:
           egress-policy: audit
 
@@ -39,6 +39,6 @@ jobs:
       # Upload the results to GitHub's code scanning dashboard.
       # https://github.com/github/codeql-action
       - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
+        uses: github/codeql-action/upload-sarif@b56ba49b26e50535fa1e7f7db0f4f7b4bf65d80d # v3.28.10
         with:
           sarif_file: trivy-results.sarif
diff --git a/.github/workflows/schedule-renovate.yaml b/.github/workflows/schedule-renovate.yaml
@@ -43,7 +43,7 @@ jobs:
 
       # https://github.com/marketplace/actions/create-github-app-token
       - name: Generate Token
-        uses: actions/create-github-app-token@67e27a7eb7db372a1c61a7f9bdab8699e9ee57f7 # v1.11.3
+        uses: actions/create-github-app-token@0d564482f06ca65fa9e77e2510873638c82206f2 # v1.11.5
         id: app-token
         with:
           app-id: "${{ secrets.BOT_APP_ID }}"

diff --git a/.github/workflows/scorecards.yaml b/.github/workflows/scorecards.yaml
@@ -37,7 +37,7 @@ jobs:
     steps:
       # https://github.com/marketplace/actions/harden-runner
       - name: Harden Runner
-        uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
+        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
         with:
           egress-policy: audit
 
@@ -49,7 +49,7 @@ jobs:
 
       # https://github.com/marketplace/actions/ossf-scorecard-action
       - name: Run analysis
-        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
+        uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1
         with:
           results_file: results.sarif
           results_format: sarif
@@ -72,7 +72,7 @@ jobs:
       # format to the repository Actions tab.
       # https://github.com/marketplace/actions/upload-a-build-artifact
       - name: Upload artifact
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
         with:
           name: SARIF file
           path: results.sarif
@@ -81,6 +81,6 @@ jobs:
       # Upload the results to GitHub's code scanning dashboard.
       # https://github.com/github/codeql-action
       - name: Upload to code-scanning
-        uses: github/codeql-action/upload-sarif@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
+        uses: github/codeql-action/upload-sarif@b56ba49b26e50535fa1e7f7db0f4f7b4bf65d80d # v3.28.10
         with:
           sarif_file: results.sarif
diff --git a/.github/workflows/update-flake-lock.yaml b/.github/workflows/update-flake-lock.yaml
@@ -18,7 +18,7 @@ jobs:
     steps:
       # https://github.com/marketplace/actions/create-github-app-token
       - name: Generate Token
-        uses: actions/create-github-app-token@67e27a7eb7db372a1c61a7f9bdab8699e9ee57f7 # v1.11.3
+        uses: actions/create-github-app-token@0d564482f06ca65fa9e77e2510873638c82206f2 # v1.11.5
         # if: ${{ github.event.pull_request.head.repo.full_name == github.repository }}
         id: app-token
         with:

diff --git a/.mise.toml b/.mise.toml
@@ -7,9 +7,9 @@ age = "1.2.0"
 # https://direnv.net/
 direnv = "2.35.0"
 # https://fluxcd.io/
-flux2 = "2.4.0"
+flux2 = "2.5.0"
 # https://gitleaks.io/
-gitleaks = "8.23.3"
+gitleaks = "8.24.0"
 # https://helm.sh/
 helm = "3.17.1"
 # https://k9scli.io/
@@ -25,7 +25,7 @@ pre-commit = "4.1.0"
 # https://github.com/mozilla/sops
 sops = "3.9.4"
 # https://github.com/budimanjojo/talhelper
-talhelper = "3.0.13"
+talhelper = "3.0.19"
 # https://www.talos.dev/
 talosctl = "1.7.6"
 # https://taskfile.dev/

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -95,7 +95,7 @@ repos:
           - .markdownlint.yaml
 
   - repo: https://github.com/rbubley/mirrors-prettier
-    rev: v3.5.0
+    rev: v3.5.2
     hooks:
       - id: prettier
         args:
@@ -116,8 +116,8 @@ repos:
             kubernetes/talos-flux/apps/devops/tekton/triggers/release.yaml
           )$()
 
-  - repo: https://github.com/zricethezav/gitleaks
-    rev: v8.23.3
+  - repo: https://github.com/gitleaks/gitleaks
+    rev: v8.24.0
     hooks:
       - id: gitleaks
 
@@ -131,5 +131,6 @@ repos:
             kubernetes/talos-flux/apps/home-automation/esphome/app/config/.+.yaml|
             kubernetes/talos-flux/apps/home-automation/home-assistant/app/patches/db-init.yaml|
             kubernetes/talos-flux/apps/github/actions-runner-controller/.+/helm-release.yaml|
-            kubernetes/talos-flux/apps/github/actions-runner-controller/.+/(jazzlyn|organization|tyriis)/.+.yaml
+            kubernetes/talos-flux/apps/github/actions-runner-controller/.+/(jazzlyn|organization|tyriis)/.+.yaml|
+            kubernetes/talos-flux/apps/atlantis/.+/helm-values.yaml
           )$()
diff --git a/devenv/infra/main.tf b/devenv/infra/main.tf
@@ -7,7 +7,7 @@ terraform {
   required_providers {
     kind = {
       source  = "tehcyx/kind"
-      version = "0.7.0"
+      version = "0.8.0"
     }
     docker = {
       source  = "kreuzwerker/docker"

diff --git a/infra/nixos/flake.lock b/infra/nixos/flake.lock
diff --git a/infra/talos/talconfig.yaml b/infra/talos/talconfig.yaml
@@ -2,7 +2,7 @@
 # yaml-language-server: $schema=https://raw.githubusercontent.com/budimanjojo/talhelper/master/pkg/config/schemas/talconfig.json
 
 # renovate: depName=ghcr.io/siderolabs/installer datasource=docker
-talosVersion: v1.9.2
+talosVersion: v1.9.4
 # renovate: depName=ghcr.io/siderolabs/kubelet datasource=docker
 kubernetesVersion: v1.32.2
 

diff --git a/...tlantis/atlantis/tyriis/helm-release.yaml → .../base/apps/atlantis/app/helm-release.yaml b/...tlantis/atlantis/tyriis/helm-release.yaml → .../base/apps/atlantis/app/helm-release.yaml
@@ -3,7 +3,7 @@
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
-  name: &app atlantis-tyriis
+  name: &app ${APP}
 spec:
   interval: 30m
   driftDetection:
@@ -77,9 +77,6 @@ spec:
                   periodSeconds: 1
                   failureThreshold: 60
                   httpGet: *httpGet
-            envFrom:
-              - secretRef:
-                  name: atlantis-tyriis-env-secrets
             env:
               # https://www.runatlantis.io/docs/server-configuration.html
               ATLANTIS_ATLANTIS_URL: "https://{{ .Release.Name }}.techtales.io"
@@ -92,7 +89,6 @@ spec:
               ATLANTIS_ENABLE_DIFF_MARKDOWN_FORMAT: "true"
               ATLANTIS_DEFAULT_TF_DISTRIBUTION: terraform
               ATLANTIS_TF_DISTRIBUTION: terraform
-              ATLANTIS_REPO_ALLOWLIST: github.com/tyriis/terraform-github
               ATLANTIS_DISCARD_APPROVAL_ON_PLAN: "true"
               ATLANTIS_PORT: *port
               ATLANTIS_REPO_CONFIG: /etc/atlantis/repos.yaml
@@ -114,7 +110,7 @@ spec:
             resources:
               requests:
                 cpu: 100m
-                memory: 1Gi
+                memory: 100Mi
 
     service:
       main:
@@ -204,15 +200,6 @@ spec:
             app:
               - path: /home/atlantis/scripts
                 readOnly: true
-      allowlist:
-        type: configMap
-        name: atlantis-tyriis-allowlist
-        advancedMounts:
-          main:
-            app:
-              - path: /home/atlantis/.config/allowlist/allowlist.txt
-                subPath: allowlist.txt
-                readOnly: true
       tmp:
         type: emptyDir
       home:

diff --git a/...tlantis/atlantis/tyriis/config/repos.yaml → ...etes/base/apps/atlantis/config/repos.yaml b/...tlantis/atlantis/tyriis/config/repos.yaml → ...etes/base/apps/atlantis/config/repos.yaml
diff --git a/kubernetes/base/apps/atlantis/scripts/allow_list.sh b/kubernetes/base/apps/atlantis/scripts/allow_list.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+ALLOWLIST_FILE="/etc/atlantis/allowlist.txt"
+
+if [ ! -f "$ALLOWLIST_FILE" ]; then
+  echo "Nobody is allowed to run atlantis (missing allowlist)."
+  exit 1
+fi
+
+if grep -Fxq "$USER_NAME" "$ALLOWLIST_FILE"
+then
+  echo "$USER_NAME is allowed to run atlantis."
+  exit 0
+else
+  echo "$USER_NAME is not allowed to run atlantis."
+  exit 1
+fi
diff --git a/kubernetes/kube-nas/apps/bunkerweb-ingress/bunkerweb/app/helm-release.yaml b/kubernetes/kube-nas/apps/bunkerweb-ingress/bunkerweb/app/helm-release.yaml
@@ -37,7 +37,7 @@ spec:
           bunkerweb-controller:
             image:
               repository: bunkerity/bunkerweb-autoconf
-              tag: 1.5.12@sha256:31d2e42d8f3f35bfb8d55d9ff5d8948b660c3b70f608f01c1444982f5b8bbdf0
+              tag: 1.6.0@sha256:0e0d0fbbfa7485e2d9a8d80c7f8e9f8eb405c01c614c0c6f5817e35758989cbe
             env:
               KUBERNETES_MODE: "yes"
             envFrom:
@@ -66,7 +66,7 @@ spec:
                 protocol: TCP
             image:
               repository: bunkerity/bunkerweb
-              tag: 1.5.12@sha256:e38265d66aabd9828c9091803a642205ae07d77572907b82136f4617c34b0750
+              tag: 1.6.0@sha256:96418ca6d754da36d3b2361c89349e7f1a077845a05af78a14f4b78abb29480d
             env:
               KUBERNETES_MODE: "yes"
               DNS_RESOLVER: kube-dns.kube-system.svc.cluster.local
@@ -102,7 +102,7 @@ spec:
           bunkerweb-scheduler:
             image:
               repository: bunkerity/bunkerweb-scheduler
-              tag: 1.5.12@sha256:75760130f48960496497457f86676e54eebc4843b91d16313950e4bcd2c354c7
+              tag: 1.6.0@sha256:6bdf2d59e88cc5c39947242913bf19cdb3393a99a58c2a4f9ec904ca6f8da03e
             env:
               KUBERNETES_MODE: "yes"
             envFrom:
@@ -115,7 +115,7 @@ spec:
           app:
             image:
               repository: bunkerity/bunkerweb-ui
-              tag: 1.5.12@sha256:e4a1d48f72ddb83cf763ffb207902612772a3a5fdbe8473205ced1511bea32b4
+              tag: 1.6.0@sha256:02b02a444c8a9923fc716e39b122d77e146ac21be5d75d7ebecebaf0d1808b11
             env:
               ADMIN_USERNAME: "admin"
               ADMIN_PASSWORD: "Admin1234$"

diff --git a/kubernetes/kube-nas/apps/cert-manager/cert-manager/app/helm-release.yaml b/kubernetes/kube-nas/apps/cert-manager/cert-manager/app/helm-release.yaml
@@ -10,7 +10,7 @@ spec:
   chart:
     spec:
       chart: cert-manager
-      version: v1.17.0
+      version: v1.17.1
       sourceRef:
         kind: HelmRepository
         name: jetstack-charts

diff --git a/kubernetes/kube-nas/apps/database-system/dragonfly/operator/helm-release.yaml b/kubernetes/kube-nas/apps/database-system/dragonfly/operator/helm-release.yaml
@@ -36,7 +36,7 @@ spec:
           app:
             image:
               repository: ghcr.io/dragonflydb/operator
-              tag: v1.1.8@sha256:5e0ebd5d58066499fb19ea4102531972401f2a6100fc9f4dbc45284c4175de82
+              tag: v1.1.9@sha256:a6cc77aa5b2ecd1c6b18e2c91a9c6ca7891ad7fe9c4e60deae660dfac1b33610
             command: ["/manager"]
             args:
               - --health-probe-bind-address=:8081

diff --git a/kubernetes/kube-nas/apps/database-system/dragonfly/operator/kustomization.yaml b/kubernetes/kube-nas/apps/database-system/dragonfly/operator/kustomization.yaml
@@ -4,14 +4,14 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   # renovate: datasource=github-releases depName=dragonflydb/dragonfly-operator
-  - https://raw.githubusercontent.com/dragonflydb/dragonfly-operator/v1.1.8/manifests/crd.yaml
+  - https://raw.githubusercontent.com/dragonflydb/dragonfly-operator/v1.1.9/manifests/crd.yaml
   - helm-release.yaml
   - rbac.yaml
 configMapGenerator:
   - name: dragonfly-dashboard
     files:
       # renovate: datasource=github-releases depName=dragonflydb/dragonfly-operator
-      - dragonfly-dashboard.json=https://raw.githubusercontent.com/dragonflydb/dragonfly-operator/v1.1.8/monitoring/grafana-dashboard.json
+      - dragonfly-dashboard.json=https://raw.githubusercontent.com/dragonflydb/dragonfly-operator/v1.1.9/monitoring/grafana-dashboard.json
 generatorOptions:
   disableNameSuffixHash: true
   annotations:

diff --git a/kubernetes/kube-nas/apps/kube-system/cilium/app/helm-release.yaml b/kubernetes/kube-nas/apps/kube-system/cilium/app/helm-release.yaml
@@ -10,7 +10,7 @@ spec:
   chart:
     spec:
       chart: cilium
-      version: 1.17.0
+      version: 1.17.1
       sourceRef:
         kind: HelmRepository
         name: cilium-charts