🚀 update github workflows

.github/renovate.json5

@@ -8,9 +8,9 @@
     ":enablePreCommit",
     ":automergeDigest",
     ":automergeBranchPush",
+    "github>auricom/home-ops//.github/renovate/allowedVersions.json5",
     "github>auricom/home-ops//.github/renovate/autoMerge.json5",
     "github>auricom/home-ops//.github/renovate/commitMessage.json5",
-    "github>auricom/home-ops//.github/renovate/disabledDatasources.json5",
     "github>auricom/home-ops//.github/renovate/groups.json5",
     "github>auricom/home-ops//.github/renovate/labels.json5"
   ],
@@ -19,7 +19,7 @@
   "repositories": ["auricom/home-ops"],
   "assignees": ["auricom"],
   "onboarding": false,
-  "requireConfig": false,
+  "requireConfig": "optional",
   "gitAuthor": "feisar-bot <feisar-bot[bot]@users.noreply.github.com>",
   "dependencyDashboardTitle": "Renovate Dashboard 🤖",
   "suppressNotifications": ["prIgnoreNotification"],
@@ -27,10 +27,6 @@
   "commitBodyTable": true,
   "commitMessagePrefix": "⬆️",
   "ignorePaths": [],
-  // set up renovate managers
-  "docker-compose": {
-    "fileMatch": ["ansible/.+/docker-compose.*\\.ya?ml(\\.j2)?$"]
-  },
   "flux": {
     "fileMatch": ["kubernetes/.+\\.ya?ml$"]
   },
@@ -42,20 +38,9 @@
   },
   "regexManagers": [
     {
-      "description": "Process CRD dependencies",
-      "fileMatch": ["kubernetes/.+\\.ya?ml$"],
-      "matchStrings": [
-        // GitRepository where 'Git release/tag' matches 'Helm' version
-        "registryUrl=(?<registryUrl>\\S+) chart=(?<depName>\\S+)\n.*?(?<currentValue>[^-\\s]*)\n",
-        // Kustomization where 'GitHub release artifact URL' matches 'Docker image' version
-        "datasource=(?<datasource>\\S+) image=(?<depName>\\S+)\n.*?-\\s(.*?)/(?<currentValue>[^/]+)/[^/]+\n"
-      ],
-      "datasourceTemplate": "{{#if datasource}}{{{datasource}}}{{else}}helm{{/if}}"
-    },
-    {
-      "description": "Process various dependencies",
+      "description": "Process custom dependencies",
       "fileMatch": [
-        "infrastructure/ansible/.+\\.ya?ml$",
+        "ansible/.+\\.ya?ml$",
         "kubernetes/.+\\.ya?ml$"
       ],
       "matchStrings": [
@@ -63,15 +48,6 @@
       ],
       "datasourceTemplate": "{{#if datasource}}{{{datasource}}}{{else}}github-releases{{/if}}",
       "versioningTemplate": "{{#if versioning}}{{{versioning}}}{{else}}semver{{/if}}"
-    },
-    {
-      "description": "Process raw GitHub URLs",
-      "fileMatch": ["kubernetes/.+\\.ya?ml$"],
-      "matchStrings": [
-        "https:\\/\\/raw.githubusercontent.com\\/(?<depName>[\\w\\d\\-_]+\\/[\\w\\d\\-_]+)\\/(?<currentValue>[\\w\\d\\.\\-_]+)\\/.*"
-      ],
-      "datasourceTemplate": "github-releases",
-      "versioningTemplate": "semver"
     }
   ],
   "packageRules": [

.github/renovate/allowedVersions.json5

@@ -0,0 +1,9 @@
+{
+  "packageRules": [
+    {
+      "matchDatasources": ["docker"],
+      "matchPackagePatterns": ["kopia"],
+      "allowedVersions": "<10"
+    }
+  ]
+}

.github/renovate/autoMerge.json5

@@ -29,15 +29,12 @@
     },
     {
       "description": "Auto merge GitHub Actions",
+      "matchManagers": ["github-actions"],
       "matchDatasources": ["github-tags"],
       "automerge": true,
       "automergeType": "branch",
       "requiredStatusChecks": null,
-      "matchUpdateTypes": ["minor", "patch"],
-      "matchPackageNames": [
-        "lycheeverse/lychee-action",
-        "renovatebot/github-action"
-      ]
+      "matchUpdateTypes": ["minor", "patch"]
     }
   ]
 }

.github/renovate/commitMessage.json5

@@ -1,15 +1,15 @@
 {
-  commitMessageTopic: "{{depName}}",
-  commitMessageExtra: "to {{newVersion}}",
-  commitMessageSuffix: "",
-  packageRules: [
+  "commitMessageTopic": "{{depName}}",
+  "commitMessageExtra": "to {{newVersion}}",
+  "commitMessageSuffix": "",
+  "packageRules": [
     {
-      matchDatasources: ["helm"],
-      commitMessageTopic: "chart {{depName}}",
+      "matchDatasources": ["helm"],
+      "commitMessageTopic": "chart {{depName}}"
     },
     {
-      matchDatasources: ["docker"],
-      commitMessageTopic: "image {{depName}}",
-    },
-  ],
+      "matchDatasources": ["docker"],
+      "commitMessageTopic": "image {{depName}}"
+    }
+  ]
 }

.github/renovate/disabledDatasources.json5

@@ -1,10 +0,0 @@
-{
-    "packageRules": [
-      {
-        "description": "Disable kubernetes-api",
-        "matchManagers": ["kubernetes"],
-        "matchDatasources": ["kubernetes-api"],
-        "enabled": false
-      }
-    ]
-  }

.github/renovate/groups.json5

@@ -11,7 +11,7 @@
     {
       "description": "Flux Helm Chart",
       "groupName": "Flux",
-      "matchPackagePatterns": ["fluxcd/flux2", "snapshot-controller"],
+      "matchPackagePatterns": ["fluxcd/flux2"],
       "matchDatasources": ["helm", "kustomization"],
       "group": { "commitMessageTopic": "{{{groupName}}} group" },
       "separateMinorPatch": true

.github/renovate/labels.json5

@@ -35,6 +35,10 @@
     {
       "matchManagers": ["github-actions"],
       "addLabels": ["renovate/github-action"]
+    },
+    {
+      "matchDatasources": ["pypi"],
+      "addLabels": ["renovate/pip"]
     }
   ]
 }

.github/scripts/container-parser.sh

@@ -1,124 +0,0 @@
-#!/usr/bin/env bash
-
-# shellcheck source=/dev/null
-source "$(dirname "${0}")/lib/functions.sh"
-
-set -o errexit
-set -o nounset
-set -o pipefail
-shopt -s lastpipe
-
-show_help() {
-cat << EOF
-Usage: $(basename "$0") <options>
-    -h, --help               Display help
-    -f, --file               File to scan for container images
-    --nothing                Enable nothing mode
-EOF
-}
-
-main() {
-    local file=
-    local nothing=
-    parse_command_line "$@"
-    check "jo"
-    check "jq"
-    check "yq"
-    entry
-}
-
-parse_command_line() {
-    while :; do
-        case "${1:-}" in
-            -h|--help)
-                show_help
-                exit
-                ;;
-            -f|--file)
-                if [[ -n "${2:-}" ]]; then
-                    file="$2"
-                    shift
-                else
-                    echo "ERROR: '-f|--file' cannot be empty." >&2
-                    show_help
-                    exit 1
-                fi
-                ;;
-            --nothing)
-                nothing=1
-                ;;
-            *)
-                break
-                ;;
-        esac
-        shift
-    done
-
-    if [[ -z "$file" ]]; then
-        echo "ERROR: '-f|--file' is required." >&2
-        show_help
-        exit 1
-    fi
-
-    if [[ -z "$nothing" ]]; then
-        nothing=0
-    fi
-}
-
-entry() {
-    # create new array to hold the images
-    images=()
-
-    # look in hydrated flux helm releases
-    chart_registry_url=$(chart_registry_url "${file}")
-    chart_name=$(yq eval-all .spec.chart.spec.chart "${file}" 2>/dev/null)
-    if [[ -n ${chart_registry_url} && -n "${chart_name}" && ! "${chart_name}" =~ "null" ]]; then
-        chart_version=$(yq eval .spec.chart.spec.version "${file}" 2>/dev/null)
-        chart_values=$(yq eval .spec.values "${file}" 2>/dev/null)
-        pushd "$(mktemp -d)" > /dev/null 2>&1
-        helm repo add main "${chart_registry_url}" > /dev/null 2>&1
-        helm pull "main/${chart_name}" --untar --version "${chart_version}"
-        resources=$(echo "${chart_values}" | helm template "${chart_name}" "${chart_name}" --version "${chart_version}" -f -)
-        popd > /dev/null 2>&1
-        images+=("$(echo "${resources}" | yq eval-all '.spec.template.spec.containers.[].image' -)")
-        helm repo remove main > /dev/null 2>&1
-    fi
-
-    # look in helm values
-    images+=("$(yq eval-all '[.. | select(has("repository")) | select(has("tag"))] | .[] | .repository + ":" + .tag' "${file}" 2>/dev/null)")
-
-    # look in kubernetes deployments, statefulsets and daemonsets
-    images+=("$(yq eval-all '.spec.template.spec.containers.[].image' "${file}" 2>/dev/null)")
-
-    # look in kubernetes pods
-    images+=("$(yq eval-all '.spec.containers.[].image' "${file}" 2>/dev/null)")
-
-    # look in kubernetes cronjobs
-    images+=("$(yq eval-all '.spec.jobTemplate.spec.template.spec.containers.[].image' "${file}" 2>/dev/null)")
-
-    # look in docker compose
-    images+=("$(yq eval-all '.services.*.image' "${file}" 2>/dev/null)")
-
-    # remove duplicate values xD
-    IFS=" " read -r -a images <<< "$(tr ' ' '\n' <<< "${images[@]}" | sort -u | tr '\n' ' ')"
-
-    # create new array to hold the parsed images
-    parsed_images=()
-    # loop thru the images removing any invalid items
-    for i in "${images[@]}"; do
-        # loop thru each image and split on new lines (for when yq finds multiple containers in the same file)
-        for b in ${i//\\n/ }; do
-            if [[ -z "${b}" || "${b}" == "null" || "${b}" == "---" ]]; then
-                continue
-            fi
-            parsed_images+=("${b}")
-        done
-    done
-    # check if parsed_images array has items
-    if (( ${#parsed_images[@]} )); then
-        # convert the bash array to json and wrap array in an containers object
-        jo -a "${parsed_images[@]}" | jq -c '{containers: [(.[])]}'
-    fi
-}
-
-main "$@"

.github/scripts/helm-release-differ.sh

@@ -1,175 +0,0 @@
-#!/usr/bin/env bash
-
-# shellcheck source=/dev/null
-source "$(dirname "${0}")/lib/functions.sh"
-
-set -o errexit
-set -o nounset
-set -o pipefail
-shopt -s lastpipe
-
-show_help() {
-cat << EOF
-Usage: $(basename "$0") <options>
-    -h, --help                      Display help
-    --source-file                   Original helm release
-    --target-file                   New helm release
-    --remove-common-labels          Remove common labels from manifests
-EOF
-}
-
-main() {
-    local source_file=
-    local target_file=
-    local remove_common_labels=
-    parse_command_line "$@"
-    check "helm"
-    check "yq"
-    entry
-}
-
-parse_command_line() {
-    while :; do
-        case "${1:-}" in
-            -h|--help)
-                show_help
-                exit
-                ;;
-            --source-file)
-                if [[ -n "${2:-}" ]]; then
-                    source_file="$2"
-                    shift
-                else
-                    echo "ERROR: '--source-file' cannot be empty." >&2
-                    show_help
-                    exit 1
-                fi
-                ;;
-            --target-file)
-                if [[ -n "${2:-}" ]]; then
-                    target_file="$2"
-                    shift
-                else
-                    echo "ERROR: '--target-file' cannot be empty." >&2
-                    show_help
-                    exit 1
-                fi
-                ;;
-            --remove-common-labels)
-                remove_common_labels=true
-                ;;
-            *)
-                break
-                ;;
-        esac
-        shift
-    done
-
-    if [[ -z "${source_file}" ]]; then
-        echo "ERROR: '--source-file' is required." >&2
-        show_help
-        exit 1
-    fi
-
-    if  [[ $(yq eval .kind "${source_file}" 2>/dev/null) != "HelmRelease" ]]; then
-        echo "ERROR: '--source-file' is not a HelmRelease"
-        show_help
-        exit 1
-    fi
-
-    if [[ -z "${target_file}" ]]; then
-        echo "ERROR: '--target-file' is required." >&2
-        show_help
-        exit 1
-    fi
-
-    if  [[ $(yq eval .kind "${target_file}" 2>/dev/null) != "HelmRelease" ]]; then
-        echo "ERROR: '--target-file' is not a HelmRelease"
-        show_help
-        exit 1
-    fi
-
-    if [[ -z "$remove_common_labels" ]]; then
-        remove_common_labels=false
-    fi
-}
-
-_resources() {
-    local chart_name=${1}
-    local chart_version=${2}
-    local chart_registry_url=${3}
-    local chart_values=${4}
-    local resources=
-
-    helm repo add main "${chart_registry_url}" > /dev/null 2>&1
-    pushd "$(mktemp -d)" > /dev/null 2>&1
-    helm pull "main/${chart_name}" --untar --version "${chart_version}"
-    resources=$(echo "${chart_values}" | helm template "${chart_name}" "${chart_name}" --version "${chart_version}" -f -)
-    if [[ "${remove_common_labels}" == "true" ]]; then
-        labels='.metadata.labels."helm.sh/chart"'
-        labels+=',.metadata.labels.chart'
-        labels+=',.metadata.labels."app.kubernetes.io/version"'
-        labels+=',.spec.template.metadata.labels."helm.sh/chart"'
-        labels+=',.spec.template.metadata.labels.chart'
-        labels+=',.spec.template.metadata.labels."app.kubernetes.io/version"'
-        echo "${resources}" | yq eval "del($labels)" -
-    else
-        echo "${resources}"
-    fi
-    popd > /dev/null 2>&1
-    helm repo remove main > /dev/null 2>&1
-}
-
-entry() {
-    local comments=
-
-    source_chart_name=$(chart_name "${source_file}")
-    source_chart_version=$(chart_version "${source_file}")
-    source_chart_registry_url=$(chart_registry_url "${source_file}")
-    source_chart_values=$(chart_values "${source_file}")
-    source_resources=$(_resources "${source_chart_name}" "${source_chart_version}" "${source_chart_registry_url}" "${source_chart_values}")
-    echo "${source_resources}" > /tmp/source_resources
-
-    target_chart_version=$(chart_version "${target_file}")
-    target_chart_name=$(chart_name "${target_file}")
-    target_chart_registry_url=$(chart_registry_url "${target_file}")
-    target_chart_values=$(chart_values "${target_file}")
-    target_resources=$(_resources "${target_chart_name}" "${target_chart_version}" "${target_chart_registry_url}" "${target_chart_values}")
-    echo "${target_resources}" > /tmp/target_resources
-
-    # Diff the files and always return true
-    diff -u /tmp/source_resources /tmp/target_resources > /tmp/diff || true
-    # Remove the filenames
-    sed -i -e '1,2d' /tmp/diff
-
-    # Store the comment in an array
-    comments=()
-
-    # shellcheck disable=SC2016
-    comments+=( "$(printf 'Path: `%s`' "${target_file}")" )
-    if [[ "${source_chart_name}" != "${target_chart_name}" ]]; then
-        # shellcheck disable=SC2016
-        comments+=( "$(printf 'Chart: `%s` -> `%s`' "${source_chart_name}" "${target_chart_name}")" )
-    fi
-    if [[ "${source_chart_version}" != "${target_chart_version}" ]]; then
-        # shellcheck disable=SC2016
-        comments+=( "$(printf 'Version: `%s` -> `%s`' "${source_chart_version}" "${target_chart_version}")" )
-    fi
-    if [[ "${source_chart_registry_url}" != "${target_chart_registry_url}" ]]; then
-        # shellcheck disable=SC2016
-        comments+=( "$(printf 'Registry URL: `%s` -> `%s`' "${source_chart_registry_url}" "${target_chart_registry_url}")" )
-    fi
-    comments+=( "$(printf '\n\n')" )
-    if [[ -f /tmp/diff && -s /tmp/diff ]]; then
-        # shellcheck disable=SC2016
-        comments+=( "$(printf '```diff\n%s\n```' "$(cat /tmp/diff)")" )
-    else
-        # shellcheck disable=SC2016
-        comments+=( "$(printf '```\nNo changes in detected in resources\n```')" )
-    fi
-
-    # Join the array with a new line and print it
-    printf "%s\n" "${comments[@]}"
-}
-
-main "$@"

.github/scripts/helmReleaseDiff.mjs

@@ -0,0 +1,159 @@
+#!/usr/bin/env zx
+$.verbose = false;
+
+/**
+ * * helmReleaseDiff.mjs
+ * * Runs `helm template` with your Helm values and then runs `dyff` across Flux HelmRelease manifests
+ * @param --current-release   The source Flux HelmRelease to compare against the target
+ * @param --incoming-release  The target Flux HelmRelease to compare against the source
+ * @param --kubernetes-dir    The directory containing your Flux manifests including the HelmRepository manifests
+ * * Limitations:
+ * * Does not work with multiple HelmRelease maninfests in the same YAML document
+ */
+const CurrentRelease = argv["current-release"];
+const IncomingRelease = argv["incoming-release"];
+const KubernetesDir = argv["kubernetes-dir"];
+
+const dyff = await which("dyff");
+const helm = await which("helm");
+const kustomize = await which("kustomize");
+
+async function helmRelease(releaseFile) {
+  const helmRelease = await fs.readFile(releaseFile, "utf8");
+  const doc = YAML.parseAllDocuments(helmRelease).map((item) => item.toJS());
+  const release = doc.filter(
+    (item) =>
+      item.apiVersion === "helm.toolkit.fluxcd.io/v2beta1" &&
+      item.kind === "HelmRelease"
+  );
+  return release[0];
+}
+
+async function helmRepositoryUrl(kubernetesDir, releaseName) {
+  const files = await globby([`${kubernetesDir}/**/*.yaml`]);
+  for await (const file of files) {
+    const contents = await fs.readFile(file, "utf8");
+    const doc = YAML.parseAllDocuments(contents).map((item) => item.toJS());
+    if (
+      "apiVersion" in doc[0] &&
+      doc[0].apiVersion === "source.toolkit.fluxcd.io/v1beta2" &&
+      "kind" in doc[0] &&
+      doc[0].kind === "HelmRepository" &&
+      "metadata" in doc[0] &&
+      "name" in doc[0].metadata &&
+      doc[0].metadata.name === releaseName
+    ) {
+      return doc[0].spec.url;
+    }
+  }
+}
+
+async function kustomizeBuild(releaseBaseDir, releaseName) {
+  const build =
+    await $`${kustomize} build --load-restrictor=LoadRestrictionsNone ${releaseBaseDir}`;
+  const docs = YAML.parseAllDocuments(build.stdout).map((item) => item.toJS());
+  const release = docs.filter(
+    (item) =>
+      item.apiVersion === "helm.toolkit.fluxcd.io/v2beta1" &&
+      item.kind === "HelmRelease" &&
+      item.metadata.name === releaseName
+  );
+  return release[0];
+}
+
+async function helmRepoAdd(registryName, registryUrl) {
+  await $`${helm} repo add ${registryName} ${registryUrl}`;
+}
+
+async function helmTemplate(
+  releaseName,
+  registryName,
+  chartName,
+  chartVersion,
+  chartValues
+) {
+  const values = new YAML.Document();
+  values.contents = chartValues;
+  const valuesFile = await $`mktemp`;
+  await fs.writeFile(valuesFile.stdout.trim(), values.toString());
+
+  const manifestsFile = await $`mktemp`;
+  const manifests =
+    await $`${helm} template --kube-version 1.26.0 --release-name ${releaseName} --include-crds=false ${registryName}/${chartName} --version ${chartVersion} --values ${valuesFile.stdout.trim()}`;
+
+  // Remove docs that are CustomResourceDefinition and keys which contain generated fields
+  let documents = YAML.parseAllDocuments(manifests.stdout.trim());
+  documents = documents.filter(
+    (doc) => doc.get("kind") !== "CustomResourceDefinition"
+  );
+  documents.forEach((doc) => {
+    const del = (path) => (doc.hasIn(path) ? doc.deleteIn(path) : false);
+    del(["metadata", "labels", "app.kubernetes.io/version"]);
+    del(["metadata", "labels", "chart"]);
+    del(["metadata", "labels", "helm.sh/chart"]);
+    del([
+      "spec",
+      "template",
+      "metadata",
+      "labels",
+      "app.kubernetes.io/version",
+    ]);
+    del(["spec", "template", "metadata", "labels", "chart"]);
+    del(["spec", "template", "metadata", "labels", "helm.sh/chart"]);
+  });
+
+  await fs.writeFile(
+    manifestsFile.stdout.trim(),
+    documents.map((doc) => doc.toString({ directives: true })).join("\n")
+  );
+  return manifestsFile.stdout.trim();
+}
+
+// Generate current template from Helm values
+const currentRelease = await helmRelease(CurrentRelease);
+const currentBuild = await kustomizeBuild(
+  path.dirname(CurrentRelease),
+  currentRelease.metadata.name
+);
+const currentRepositoryUrl = await helmRepositoryUrl(
+  KubernetesDir,
+  currentBuild.spec.chart.spec.sourceRef.name
+);
+await helmRepoAdd(
+  currentBuild.spec.chart.spec.sourceRef.name,
+  currentRepositoryUrl
+);
+const currentManifests = await helmTemplate(
+  currentBuild.metadata.name,
+  currentBuild.spec.chart.spec.sourceRef.name,
+  currentBuild.spec.chart.spec.chart,
+  currentBuild.spec.chart.spec.version,
+  currentBuild.spec.values
+);
+
+// Generate incoming template from Helm values
+const incomingRelease = await helmRelease(IncomingRelease);
+const incomingBuild = await kustomizeBuild(
+  path.dirname(IncomingRelease),
+  incomingRelease.metadata.name
+);
+const incomingRepositoryUrl = await helmRepositoryUrl(
+  KubernetesDir,
+  incomingBuild.spec.chart.spec.sourceRef.name
+);
+await helmRepoAdd(
+  incomingBuild.spec.chart.spec.sourceRef.name,
+  incomingRepositoryUrl
+);
+const incomingManifests = await helmTemplate(
+  incomingBuild.metadata.name,
+  incomingBuild.spec.chart.spec.sourceRef.name,
+  incomingBuild.spec.chart.spec.chart,
+  incomingBuild.spec.chart.spec.version,
+  incomingBuild.spec.values
+);
+
+// Print diff using dyff
+const diff =
+  await $`${dyff} --color=off --truecolor=off between --omit-header --ignore-order-changes --detect-kubernetes=true --output=human ${currentManifests} ${incomingManifests}`;
+echo(diff.stdout.trim());

.github/scripts/kubeconform.sh

@@ -0,0 +1,67 @@
+#!/usr/bin/env bash
+set -o errexit
+
+KUBERNETES_DIR=$1
+SCHEMA_DIR=$2
+KUBE_VERSION="${3:-1.26.0}"
+
+[[ -z "${KUBERNETES_DIR}" ]] && echo "Kubernetes location not specified" && exit 1
+[[ -z "${SCHEMA_DIR}" ]] && echo "Schema location not specified" && exit 1
+
+kustomize_args=("--load-restrictor=LoadRestrictionsNone")
+kustomize_config="kustomization.yaml"
+kubeconform_args=(
+    "-strict"
+    "-ignore-missing-schemas"
+    "-kubernetes-version"
+    "${KUBE_VERSION}"
+    "-skip"
+    "Secret"
+    "-schema-location"
+    "default"
+    "-schema-location"
+    "${SCHEMA_DIR}/{{.ResourceKind}}_{{.ResourceAPIVersion}}.json"
+    "-verbose"
+)
+
+echo "=== Validating standalone manifests in ${KUBERNETES_DIR}/flux ==="
+find "${KUBERNETES_DIR}/flux" -maxdepth 1 -type f -name '*.yaml' -print0 | while IFS= read -r -d $'\0' file;
+  do
+    kubeconform "${kubeconform_args[@]}" "${file}"
+    if [[ ${PIPESTATUS[0]} != 0 ]]; then
+      exit 1
+    fi
+done
+
+echo "=== Validating kustomizations in ${KUBERNETES_DIR}/flux ==="
+find "${KUBERNETES_DIR}/flux" -type f -name $kustomize_config -print0 | while IFS= read -r -d $'\0' file;
+  do
+    echo "=== Validating kustomizations in ${file/%$kustomize_config} ==="
+    kustomize build "${file/%$kustomize_config}" "${kustomize_args[@]}" | \
+      kubeconform "${kubeconform_args[@]}"
+    if [[ ${PIPESTATUS[0]} != 0 ]]; then
+      exit 1
+    fi
+done
+
+echo "=== Validating kustomizations in ${KUBERNETES_DIR}/base ==="
+find "${KUBERNETES_DIR}/base" -type f -name $kustomize_config -print0 | while IFS= read -r -d $'\0' file;
+  do
+    echo "=== Validating kustomizations in ${file/%$kustomize_config} ==="
+    kustomize build "${file/%$kustomize_config}" "${kustomize_args[@]}" | \
+      kubeconform "${kubeconform_args[@]}"
+    if [[ ${PIPESTATUS[0]} != 0 ]]; then
+      exit 1
+    fi
+done
+
+echo "=== Validating kustomizations in ${KUBERNETES_DIR}/cluster-0 ==="
+find "${KUBERNETES_DIR}/cluster-0" -type f -name $kustomize_config -print0 | while IFS= read -r -d $'\0' file;
+  do
+    echo "=== Validating kustomizations in ${file/%$kustomize_config} ==="
+    kustomize build "${file/%$kustomize_config}" "${kustomize_args[@]}" | \
+      kubeconform "${kubeconform_args[@]}"
+    if [[ ${PIPESTATUS[0]} != 0 ]]; then
+      exit 1
+    fi
+done

.github/scripts/lib/functions.sh

@@ -1,47 +0,0 @@
-#!/usr/bin/env bash
-
-set -o errexit
-set -o nounset
-set -o pipefail
-shopt -s lastpipe
-
-check() {
-    command -v "${1}" >/dev/null 2>&1 || {
-        echo >&2 "ERROR: ${1} is not installed or not found in \$PATH" >&2
-        exit 1
-    }
-}
-
-chart_registry_url() {
-    local helm_release=
-    local chart_id=
-    helm_release="${1}"
-    chart_id=$(yq eval .spec.chart.spec.sourceRef.name "${helm_release}" 2>/dev/null)
-    # Discover all HelmRepository
-    find . -iname '*-charts.yaml' -type f -print0 | while IFS= read -r -d '' file; do
-        # Skip non HelmRepository
-        [[ $(yq eval .kind "${file}" 2>/dev/null) != "HelmRepository" ]] && continue
-        # Skip unrelated HelmRepository
-        [[ "${chart_id}" != $(yq eval .metadata.name "${file}" 2>/dev/null) ]] && continue
-        yq eval .spec.url "${file}"
-        break
-    done
-}
-
-chart_name() {
-    local helm_release=
-    helm_release="${1}"
-    yq eval .spec.chart.spec.chart "${helm_release}" 2>/dev/null
-}
-
-chart_version() {
-    local helm_release=
-    helm_release="${1}"
-    yq eval .spec.chart.spec.version "${helm_release}" 2>/dev/null
-}
-
-chart_values() {
-    local helm_release=
-    helm_release="${1}"
-    yq eval .spec.values "${helm_release}" 2>/dev/null
-}

.github/workflows/helm-release-differ.yaml

@@ -1,89 +0,0 @@
----
-name: "Helm Release Differ"
-
-on: # yamllint disable-line rule:truthy
-  pull_request:
-    branches:
-      - main
-    paths:
-      - "cluster/**.yaml"
-
-env:
-  # Currently no way to detect automatically
-  DEFAULT_BRANCH: main
-  BOT_USERNAME: "feisar-bot[bot]"
-
-jobs:
-  detect-file-changes:
-    name: Detect File Changes
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v3
-
-      - name: Filter Helm Releases
-        uses: dorny/paths-filter@v2
-        id: filter
-        with:
-          list-files: json
-          filters: |
-            yaml:
-              - added|modified: "**/helm-release.yaml"
-    outputs:
-      yaml_files: ${{ steps.filter.outputs.yaml_files }}
-
-  helm-release-differ:
-    name: Helm Release Differ
-    runs-on: ubuntu-latest
-    needs: detect-file-changes
-    strategy:
-      matrix:
-        file: ${{ fromJSON(needs.detect-file-changes.outputs.yaml_files) }}
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v3
-
-      - name: Generate Token
-        uses: tibdex/github-app-token@v1
-        id: generate-token
-        with:
-          app_id: ${{ secrets.BOT_APP_ID }}
-          private_key: ${{ secrets.BOT_APP_PRIVATE_KEY }}
-
-      - name: Checkout default branch
-        uses: actions/checkout@v3
-        with:
-          ref: "${{ env.DEFAULT_BRANCH }}"
-          path: default
-
-      - name: Install Helm
-        uses: azure/setup-helm@v3
-        with:
-          version: latest
-
-      - name: Helm Release Differ
-        id: diff
-        run: |
-          diff=$(.github/scripts/helm-release-differ.sh --source-file "default/${{ matrix.file }}" --target-file "${{ matrix.file }}" --remove-common-labels)
-          echo "${diff}"
-          diff="${diff//'%'/'%25'}"
-          diff="${diff//$'\n'/'%0A'}"
-          diff="${diff//$'\r'/'%0D'}"
-          echo "::set-output name=diff::$(echo ${diff})"
-
-      - name: Find Comment
-        uses: peter-evans/find-comment@v2
-        id: find-comment
-        with:
-          issue-number: "${{ github.event.pull_request.number }}"
-          comment-author: "${{ env.BOT_USERNAME }}"
-          body-includes: "${{ matrix.file }}"
-
-      - name: Create or update comment
-        uses: peter-evans/create-or-update-comment@v2
-        with:
-          token: "${{ steps.generate-token.outputs.token }}"
-          comment-id: "${{ steps.find-comment.outputs.comment-id }}"
-          issue-number: "${{ github.event.pull_request.number }}"
-          body: "${{ steps.diff.outputs.diff }}"
-          edit-mode: replace

.github/workflows/helmrelease-diff.yaml

@@ -0,0 +1,91 @@
+---
+name: "HelmRelease Diff"
+
+on:
+  pull_request:
+    branches: ["main"]
+    paths: ["kubernetes/**/helmrelease.yaml"]
+
+env:
+  BOT_USERNAME: rosey-bot[bot]
+  KUBERNETES_DIR: kubernetes/
+
+jobs:
+  changed-files:
+    name: Detect File Changes
+    runs-on: ubuntu-latest
+    outputs:
+      matrix: ${{ steps.set-matrix.outputs.matrix }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
+
+      - name: Get changed files
+        id: changed-files
+        uses: tj-actions/changed-files@0626c3f94002c0a9d7491dd7fed7055bbdff6f92 # v35.1.0
+        with:
+          json: true
+          files: |
+            kubernetes/**/helmrelease.yaml
+      - id: set-matrix
+        run: echo "matrix={\"file\":${{ steps.changed-files.outputs.all_changed_files }}}" >> "${GITHUB_OUTPUT}"
+
+  diff:
+    name: Diff on Helm Releases
+    runs-on: ubuntu-latest
+    needs: [changed-files]
+    strategy:
+      matrix: ${{ fromJSON(needs.changed-files.outputs.matrix) }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
+
+      - name: Checkout default branch
+        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
+        with:
+          ref: ${{ github.event.repository.default_branch }}
+          path: default
+
+      - name: Generate Token
+        uses: tibdex/github-app-token@021a2405c7f990db57f5eae5397423dcc554159c # renovate: tag=v1.7.0
+        id: generate-token
+        with:
+          app_id: ${{ secrets.BOT_APP_ID }}
+          private_key: ${{ secrets.BOT_APP_PRIVATE_KEY }}
+
+      - name: Set up Homebrew
+        uses: Homebrew/actions/setup-homebrew@master
+
+      - name: Setup Tools
+        run: |
+          brew install helm homeport/tap/dyff kustomize yq
+      - name: Diff
+        id: diff
+        run: |
+          diff=$(npx zx ./.github/scripts/helmReleaseDiff.mjs \
+            --current-release "default/${{ matrix.file }}" \
+            --incoming-release "${{ matrix.file }}" \
+            --kubernetes-dir ${{ env.KUBERNETES_DIR }})
+          echo "diff<<EOF" >> "${GITHUB_OUTPUT}"
+          echo "${diff}" >> "${GITHUB_OUTPUT}"
+          echo "EOF" >> "${GITHUB_OUTPUT}"
+      - name: Find Comment
+        uses: peter-evans/find-comment@81e2da3af01c92f83cb927cf3ace0e085617c556 # v2.2.0
+        id: find-comment
+        with:
+          issue-number: ${{ github.event.pull_request.number }}
+          comment-author: ${{ env.BOT_USERNAME }}
+          body-includes: ${{ matrix.file }}
+
+      - name: Create or update comment
+        uses: peter-evans/create-or-update-comment@5adcb0bb0f9fb3f95ef05400558bdb3f329ee808 # renovate: tag=v2.1.0
+        with:
+          token: ${{ steps.generate-token.outputs.token }}
+          comment-id: ${{ steps.find-comment.outputs.comment-id }}
+          issue-number: ${{ github.event.pull_request.number }}
+          body: |
+            Helm Release: `${{ matrix.file }}`
+            ```
+            ${{ steps.diff.outputs.diff }}
+            ```
+          edit-mode: replace

.github/workflows/kubeconform.yaml

@@ -0,0 +1,38 @@
+---
+name: "Kubeconform"
+
+on:
+  workflow_dispatch:
+  push:
+    branches: ["main"]
+    paths: ["kubernetes/**"]
+  pull_request:
+    branches: ["main"]
+    paths: ["kubernetes/**"]
+
+env:
+  KUBERNETES_DIR: ./kubernetes
+  SCHEMA_DIR: /home/runner/.datree/crdSchemas
+
+jobs:
+  kubeconform:
+    name: Kubeconform
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
+
+      - name: Set up Homebrew
+        uses: Homebrew/actions/setup-homebrew@master
+
+      - name: Setup Tools
+        run: |
+          brew install fluxcd/tap/flux kubeconform kustomize
+      - name: Download CRDs
+        run: |
+          mkdir -p ${{ env.SCHEMA_DIR }}
+          flux pull artifact oci://ghcr.io/onedr0p/cluster-crds-oci:latest \
+              --output=${{ env.SCHEMA_DIR }}
+      - name: Run kubeconform
+        run: |
+          bash ./.github/scripts/kubeconform.sh ${{ env.KUBERNETES_DIR }} ${{ env.SCHEMA_DIR }}

.github/workflows/link-checker.yaml

@@ -1,6 +1,7 @@
-name: "Schedule: Link Checker"
+---
+name: "Link Checker"
 
-on: # yamllint disable-line rule:truthy
+on:
   workflow_dispatch:
   schedule:
     - cron: "0 0 * * *"
@@ -11,31 +12,30 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
 
       - name: Generate Token
-        uses: tibdex/github-app-token@v1
+        uses: tibdex/github-app-token@021a2405c7f990db57f5eae5397423dcc554159c # renovate: tag=v1.7.0
         id: generate-token
         with:
           app_id: "${{ secrets.BOT_APP_ID }}"
           private_key: "${{ secrets.BOT_APP_PRIVATE_KEY }}"
 
       - name: Link Checker
-        uses: lycheeverse/lychee-action@v1.5.4
+        uses: lycheeverse/lychee-action@4dcb8bee2a0a4531cba1a1f392c54e8375d6dd81 # renovate: tag=v1.5.4
         id: lychee
         env:
           GITHUB_TOKEN: "${{ steps.generate-token.outputs.token }}"
 
       - name: Find Link Checker Issue
         id: link-checker-issue
-        uses: micalevisk/last-issue-action@v2
+        uses: micalevisk/last-issue-action@044e1cb7e9a4dde20e22969cb67818bfca0797be # renovate: tag=2.0.0
         with:
           state: open
           labels: |
             link-checker
-
       - name: Update Issue
-        uses: peter-evans/create-issue-from-file@v4
+        uses: peter-evans/create-issue-from-file@433e51abf769039ee20ba1293a088ca19d573b7f # renovate: tag=v4.0.1
         with:
           title: Broken links detected in docs 🔗
           issue-number: "${{ steps.link-checker-issue.outputs.issue-number }}"

.github/workflows/lint.yaml

@@ -1,67 +0,0 @@
----
-name: "Lint"
-
-on: # yamllint disable-line rule:truthy
-  workflow_dispatch:
-  pull_request:
-    branches:
-      - main
-
-concurrency:
-  group: ${{ github.ref }}-${{ github.workflow }}
-  cancel-in-progress: true
-
-jobs:
-  build:
-    name: MegaLinter
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-
-      - name: Generate Token
-        uses: tibdex/github-app-token@v1
-        id: generate-token
-        with:
-          app_id: "${{ secrets.BOT_APP_ID }}"
-          private_key: "${{ secrets.BOT_APP_PRIVATE_KEY }}"
-
-      - name: MegaLinter
-        uses: oxsecurity/megalinter@v6.15.0
-        env:
-          GITHUB_TOKEN: "${{ steps.generate-token.outputs.token }}"
-          PRINT_ALPACA: false
-          VALIDATE_ALL_CODEBASE: ${{ github.event_name == 'workflow_dispatch' }}
-          ENABLE_LINTERS: |-
-            ${{
-              join(
-                fromJSON('
-                  [
-                    "ACTION_ACTIONLINT",
-                    "ANSIBLE_ANSIBLE_LINT",
-                    "COPYPASTE_JSCPD",
-                    "KUBERNETES_KUBEVAL",
-                    "MARKDOWN_MARKDOWNLINT",
-                    "REPOSITORY_GIT_DIFF",
-                    "REPOSITORY_SECRETLINT",
-                    "TERRAFORM_TERRAFORM_FMT",
-                    "YAML_PRETTIER",
-                    "YAML_YAMLLINT"
-                  ]
-                '),
-                ','
-              )
-            }}
-          ANSIBLE_DIRECTORY: ansible
-          ANSIBLE_ANSIBLE_LINT_CONFIG_FILE: .ansible-lint
-          COPYPASTE_JSCPD_CONFIG_FILE: .github/linters/.jspcd.json
-          KUBERNETES_DIRECTORY: cluster
-          KUBERNETES_KUBEVAL_ARGUMENTS: --ignore-missing-schemas
-          KUBERNETES_KUBEVAL_FILTER_REGEX_INCLUDE: "(kubernetes)"
-          MARKDOWN_MARKDOWNLINT_CONFIG_FILE: .github/linters/.markdownlint.yaml
-          MARKDOWN_MARKDOWNLINT_RULES_PATH: .github/
-          YAML_YAMLLINT_CONFIG_FILE: .github/linters/.yamllint.yaml
-          YAML_PRETTIER_CONFIG_FILE: .github/linters/.prettierrc.yaml
-          YAML_PRETTIER_FILTER_REGEX_EXCLUDE: "(.*\\.sops\\.ya?ml)"

.github/workflows/meta-label-size.yaml

@@ -1,34 +0,0 @@
----
-name: "Meta: Label Size"
-
-on: # yamllint disable-line rule:truthy
-  pull_request:
-    branches:
-      - main
-
-jobs:
-  label-size:
-    name: Label Size
-    runs-on: ubuntu-latest
-    steps:
-      - name: Generate Token
-        uses: tibdex/github-app-token@v1
-        id: generate-token
-        with:
-          app_id: "${{ secrets.BOT_APP_ID }}"
-          private_key: "${{ secrets.BOT_APP_PRIVATE_KEY }}"
-
-      - name: Label Size
-        uses: pascalgn/size-label-action@v0.4.3
-        env:
-          GITHUB_TOKEN: "${{ steps.generate-token.outputs.token }}"
-        with:
-          sizes: >
-            {
-              "0": "XS",
-              "20": "S",
-              "50": "M",
-              "200": "L",
-              "800": "XL",
-              "2000": "XXL"
-            }

.github/workflows/meta-labeler.yml

@@ -1,10 +1,9 @@
 ---
-name: "Meta: Labeler"
+name: "Meta Labeler"
 
-on: # yamllint disable-line rule:truthy
+on:
   pull_request:
-    branches:
-      - main
+    branches: ["main"]
 
 jobs:
   labeler:
@@ -12,14 +11,14 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Generate Token
-        uses: tibdex/github-app-token@v1
+        uses: tibdex/github-app-token@021a2405c7f990db57f5eae5397423dcc554159c # renovate: tag=v1.7.0
         id: generate-token
         with:
           app_id: "${{ secrets.BOT_APP_ID }}"
           private_key: "${{ secrets.BOT_APP_PRIVATE_KEY }}"
 
       - name: Labeler
-        uses: actions/labeler@v4
+        uses: actions/labeler@5c7539237e04b714afd8ad9b4aed733815b9fab4 # renovate: tag=v4.0.2
         with:
           configuration-path: .github/labeler.yaml
           repo-token: "${{ steps.generate-token.outputs.token }}"

.github/workflows/meta-sync-labels.yaml

@@ -1,12 +1,11 @@
-name: "Meta: Sync labels"
+---
+name: "Meta Sync labels"
 
-on: # yamllint disable-line rule:truthy
+on:
   workflow_dispatch:
   push:
-    branches:
-      - main
-    paths:
-      - ".github/labels.yaml"
+    branches: ["main"]
+    paths: [".github/labels.yaml"]
 
 jobs:
   labels:
@@ -14,17 +13,17 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
 
       - name: Generate Token
-        uses: tibdex/github-app-token@v1
+        uses: tibdex/github-app-token@021a2405c7f990db57f5eae5397423dcc554159c # renovate: tag=v1.7.0
         id: generate-token
         with:
           app_id: "${{ secrets.BOT_APP_ID }}"
           private_key: "${{ secrets.BOT_APP_PRIVATE_KEY }}"
 
       - name: Sync Labels
-        uses: EndBug/label-sync@v2
+        uses: EndBug/label-sync@da00f2c11fdb78e4fae44adac2fdd713778ea3e8 # renovate: tag=v2.3.2
         with:
           config-file: .github/labels.yaml
           token: "${{ steps.generate-token.outputs.token }}"

.github/workflows/renovate.yaml

@@ -1,6 +1,6 @@
-name: "Schedule: Renovate"
+name: "Renovate"
 
-on: # yamllint disable-line rule:truthy
+on:
   workflow_dispatch:
     inputs:
       dryRun:
@@ -14,8 +14,7 @@ on: # yamllint disable-line rule:truthy
   schedule:
     - cron: "0 * * * *"
   push:
-    branches:
-      - main
+    branches: ["main"]
     paths:
       - ".github/renovate.json5"
       - ".github/renovate/**.json5"
@@ -31,10 +30,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
 
       - name: Generate Token
-        uses: tibdex/github-app-token@v1
+        uses: tibdex/github-app-token@021a2405c7f990db57f5eae5397423dcc554159c # renovate: tag=v1.7.0
         id: generate-token
         with:
           app_id: "${{ secrets.BOT_APP_ID }}"
@@ -44,9 +43,8 @@ jobs:
         run: |
           echo "RENOVATE_DRY_RUN=${{ github.event.inputs.dryRun || env.RENOVATE_DRY_RUN }}" >> "${GITHUB_ENV}"
           echo "LOG_LEVEL=${{ github.event.inputs.logLevel || env.LOG_LEVEL }}" >> "${GITHUB_ENV}"
-
       - name: Renovate
-        uses: renovatebot/github-action@v34.66.1
+        uses: renovatebot/github-action@65207aa35d382e44f5152d0482bb5334139ecfc4 # v34.66.1
         with:
           configurationFile: "${{ env.RENOVATE_CONFIG_FILE }}"
           token: "${{ steps.generate-token.outputs.token }}"

kubernetes/cluster-0/apps/authentication/authelia/kustomization.yaml

@@ -4,7 +4,7 @@ kind: Kustomization
 namespace: default
 resources:
   - ./secret.sops.yaml
-  - ./helm-release.yaml
+  - ./helmrelease.yaml
 patchesStrategicMerge:
   - ./patches/env.yaml
   - ./patches/postgres.yaml

kubernetes/cluster-0/apps/authentication/glauth/kustomization.yaml

@@ -3,7 +3,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: default
 resources:
-  - ./helm-release.yaml
+  - ./helmrelease.yaml
 secretGenerator:
   - name: glauth-secret
     files:

kubernetes/cluster-0/apps/databases/pgadmin/kustomization.yaml

@@ -4,4 +4,4 @@ kind: Kustomization
 resources:
   - ./secret.sops.yaml
   - ./volume.yaml
-  - ./helm-release.yaml
+  - ./helmrelease.yaml

kubernetes/cluster-0/apps/databases/postgres/cluster/kustomization.yaml

@@ -3,4 +3,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - ./secret.sops.yaml
-  - ./helm-release.yaml
+  - ./helmrelease.yaml

kubernetes/cluster-0/apps/databases/postgres/external-backup/kustomization.yaml

@@ -1,7 +1,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - ./helm-release.yaml
+  - ./helmrelease.yaml
 configMapGenerator:
   - name: postgres-external-backup
     files:

kubernetes/cluster-0/apps/databases/postgres/kustomization.yaml

@@ -2,7 +2,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - ./helm-release.yaml
+  - ./helmrelease.yaml
   - ./cluster
   - ./external-backup
   - ./scheduled-backup

kubernetes/cluster-0/apps/databases/postgres/scheduled-backup/kustomization.yaml

@@ -3,4 +3,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - ./secret.sops.yaml
-  - ./helm-release.yaml
+  - ./helmrelease.yaml

kubernetes/cluster-0/apps/databases/redis/kustomization.yaml

@@ -4,4 +4,4 @@ kind: Kustomization
 namespace: default
 resources:
   - ./secret.sops.yaml
-  - ./helm-release.yaml
+  - ./helmrelease.yaml

kubernetes/cluster-0/apps/development/drone/drone-kubernetes-secrets/kustomization.yaml

@@ -2,4 +2,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - ./helm-release.yaml
+  - ./helmrelease.yaml

kubernetes/cluster-0/apps/development/drone/drone-runner-kube/kustomization.yaml

@@ -2,4 +2,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - ./helm-release.yaml
+  - ./helmrelease.yaml

kubernetes/cluster-0/apps/development/drone/kustomization.yaml

@@ -4,5 +4,5 @@ kind: Kustomization
 resources:
   - ./drone-kubernetes-secrets
   - ./drone-runner-kube
-  - ./helm-release.yaml
+  - ./helmrelease.yaml
   - ./secret.sops.yaml

kubernetes/cluster-0/apps/development/gitea/external-backup/kustomization.yaml

@@ -1,4 +1,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - ./helm-release.yaml
+  - ./helmrelease.yaml

kubernetes/cluster-0/apps/development/gitea/kustomization.yaml

@@ -3,5 +3,5 @@ kind: Kustomization
 resources:
   - ./secret.sops.yaml
   - ./volume.yaml
-  - ./helm-release.yaml
+  - ./helmrelease.yaml
   - ./external-backup

kubernetes/cluster-0/apps/documentation/outline/kustomization.yaml

@@ -4,7 +4,7 @@ kind: Kustomization
 namespace: default
 resources:
   - ./secret.sops.yaml
-  - ./helm-release.yaml
+  - ./helmrelease.yaml
 patchesStrategicMerge:
   - ./patches/env.yaml
   - ./patches/postgres.yaml

kubernetes/cluster-0/apps/downloaders/flood/kustomization.yaml

@@ -4,4 +4,4 @@ kind: Kustomization
 resources:
   - ./secret.sops.yaml
   - ./volume.yaml
-  - ./helm-release.yaml
+  - ./helmrelease.yaml

kubernetes/cluster-0/apps/downloaders/pyload/kustomization.yaml

@@ -3,4 +3,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - ./volume.yaml
-  - ./helm-release.yaml
+  - ./helmrelease.yaml

kubernetes/cluster-0/apps/downloaders/qbittorrent/kustomization.yaml

@@ -3,5 +3,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - ./volume.yaml
-  - ./helm-release.yaml
+  - ./helmrelease.yaml
   - ./upgrade-p2pblocklist

kubernetes/cluster-0/apps/downloaders/qbittorrent/upgrade-p2pblocklist/kustomization.yaml

@@ -1,4 +1,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - ./helm-release.yaml
+  - ./helmrelease.yaml

kubernetes/cluster-0/apps/downloaders/sabnzbd/kustomization.yaml

@@ -4,4 +4,4 @@ kind: Kustomization
 resources:
   - ./secret.sops.yaml
   - ./volume.yaml
-  - ./helm-release.yaml
+  - ./helmrelease.yaml

kubernetes/cluster-0/apps/home-automation/emqx/kustomization.yaml

@@ -2,4 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - ./secret.sops.yaml
-  - ./helm-release.yaml
+  - ./helmrelease.yaml

kubernetes/cluster-0/apps/home-automation/frigate/kustomization.yaml

@@ -2,7 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - ./volume.yaml
-  - ./helm-release.yaml
+  - ./helmrelease.yaml
 namespace: default
 configMapGenerator:
   - name: frigate

kubernetes/cluster-0/apps/home-automation/home-assistant-code/kustomization.yaml

@@ -2,4 +2,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - ./helm-release.yaml
+  - ./helmrelease.yaml

kubernetes/cluster-0/apps/home-automation/home-assistant/kustomization.yaml

@@ -2,7 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - ./secret.sops.yaml
-  - ./helm-release.yaml
+  - ./helmrelease.yaml
   - ./volume.yaml
   - ./token.sops.yaml
   - ./podmonitor.yaml

kubernetes/cluster-0/apps/home-automation/zigbee2mqtt/kustomization.yaml

@@ -1,7 +1,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - ./helm-release.yaml
+  - ./helmrelease.yaml
   - ./volume.yaml
   - ./prometheus-rule.yaml
 patchesStrategicMerge:

kubernetes/cluster-0/apps/home-automation/zwavejs2mqtt/kustomization.yaml

@@ -1,5 +1,5 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - ./helm-release.yaml
+  - ./helmrelease.yaml
   - ./volume.yaml

kubernetes/cluster-0/apps/kube-tools/descheduler/kustomization.yaml

@@ -2,4 +2,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - ./helm-release.yaml
+  - ./helmrelease.yaml

kubernetes/cluster-0/apps/kube-tools/intel-gpu-exporter/kustomization.yaml

@@ -2,4 +2,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - ./helm-release.yaml
+  - ./helmrelease.yaml

kubernetes/cluster-0/apps/kube-tools/intel-gpu-plugin/kustomization.yaml

@@ -2,4 +2,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - ./helm-release.yaml
+  - ./helmrelease.yaml

kubernetes/cluster-0/apps/kube-tools/kubelet-csr-approver/kustomization.yaml

@@ -2,4 +2,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - ./helm-release.yaml
+  - ./helmrelease.yaml

kubernetes/cluster-0/apps/kube-tools/kyverno/kustomization.yaml

@@ -2,5 +2,5 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - ./helm-release.yaml
-  - ./policies/helm-release.yaml
+  - ./helmrelease.yaml
+  - ./policies/helmrelease.yaml

kubernetes/cluster-0/apps/kube-tools/metrics-server/kustomization.yaml

@@ -2,4 +2,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - ./helm-release.yaml
+  - ./helmrelease.yaml

kubernetes/cluster-0/apps/kube-tools/node-feature-discovery/kustomization.yaml

@@ -2,4 +2,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - ./helm-release.yaml
+  - ./helmrelease.yaml

kubernetes/cluster-0/apps/kube-tools/reloader/kustomization.yaml

@@ -2,4 +2,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - ./helm-release.yaml
+  - ./helmrelease.yaml

kubernetes/cluster-0/apps/logs/loki/kustomization.yaml

@@ -4,4 +4,4 @@ kind: Kustomization
 resources:
   - ./object-bucket-claim.yaml
   - ./config-map.yaml
-  - ./helm-release.yaml
+  - ./helmrelease.yaml

kubernetes/cluster-0/apps/logs/vector/agent/kustomization.yaml

@@ -2,4 +2,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - ./helm-release.yaml
+  - ./helmrelease.yaml

kubernetes/cluster-0/apps/logs/vector/aggregator/kustomization.yaml

@@ -2,7 +2,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - ./helm-release.yaml
+  - ./helmrelease.yaml
 configMapGenerator:
   - name: vector-aggregator-configmap
     namespace: monitoring

kubernetes/cluster-0/apps/media-automation/bazarr/kustomization.yaml

@@ -5,4 +5,4 @@ namespace: default
 resources:
   - ./secret.sops.yaml
   - ./volume.yaml
-  - ./helm-release.yaml
+  - ./helmrelease.yaml

kubernetes/cluster-0/apps/media-automation/jellyseerr/kustomization.yaml

@@ -4,4 +4,4 @@ kind: Kustomization
 namespace: default
 resources:
   - ./volume.yaml
-  - ./helm-release.yaml
+  - ./helmrelease.yaml

kubernetes/cluster-0/apps/media-automation/lidarr/kustomization.yaml

@@ -4,4 +4,4 @@ kind: Kustomization
 resources:
   - ./volume.yaml
   - ./secret.sops.yaml
-  - ./helm-release.yaml
+  - ./helmrelease.yaml