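---
# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
# Flux HelmRelease that deploys the "webhook" workload through the app-template chart.
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: &app webhook
spec:
  interval: 1h
  chartRef:
    kind: OCIRepository
    name: app-template
  install:
    remediation:
      # A negative value means a failed install is retried without limit.
      retries: -1
  upgrade:
    cleanupOnFail: true
    remediation:
      retries: 3
  values:
    controllers:
      webhook:
        replicas: 2
        strategy: RollingUpdate
        annotations:
          # Stakater Reloader restarts the pods when a referenced ConfigMap or
          # Secret changes, so rotated secrets take effect.
          reloader.stakater.com/auto: "true"
        containers:
          app:
            image:
              repository: ghcr.io/home-operations/webhook
              # Pinned by digest: the sha256 decides which image is pulled,
              # the tag is informational only.
              tag: 2.8.2@sha256:a83bc6517267db655efdef8ebd4a9e6719558f6dadb9bc1e325b7083a83119c7
            env:
              # Anchor reused below for the service and ingress port.
              WEBHOOK__PORT: &port 8080
              # ${TIMEZONE} is not defined in this file; presumably filled in
              # by Flux post-build substitution. Confirm.
              TZ: ${TIMEZONE}
            envFrom:
              # Every key of this Secret becomes an environment variable of
              # the container, so keep the Secret limited to what the app needs.
              - secretRef:
                  name: webhook-secret
            securityContext:
              allowPrivilegeEscalation: false
              readOnlyRootFilesystem: true
              capabilities:
                drop:
                  - ALL
            resources:
              requests:
                cpu: 100m
              limits:
                memory: 256Mi
    defaultPodOptions:
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
        runAsGroup: 1000
        fsGroup: 1000
        fsGroupChangePolicy: OnRootMismatch
        # Apply the container runtime's default seccomp filter. The restricted
        # Pod Security Standard requires it alongside the settings already
        # present here (non-root, no privilege escalation, all capabilities
        # dropped).
        seccompProfile:
          type: RuntimeDefault
    service:
      app:
        controller: webhook
        ports:
          http:
            port: *port
    ingress:
      app:
        enabled: true
        className: internal
        hosts:
          # ${SECRET_EXTERNAL_DOMAIN} is not defined in this file; presumably
          # substituted by Flux before the chart renders. Confirm.
          - host: &host "{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"
            paths:
              - path: /
                service:
                  identifier: app
                  port: *port
        tls:
          - hosts:
              - *host
    persistence:
      config:
        type: configMap
        name: webhook-configmap
        # Leading zero: YAML 1.1 loaders read this as octal (decimal 509),
        # a strict YAML 1.2 loader would read decimal 775. Check the rendered
        # volume shows 509.
        # NOTE(review): 0775 sets group-write and world read/execute bits.
        # If the files only need to be readable and executable, 0555 would be
        # enough. Confirm against the hook scripts in the ConfigMap.
        defaultMode: 0775
        globalMounts:
          - readOnly: true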