chore(deps): update registry.k8s.io/sig-storage/csi-provisioner docker tag to v5

argocd/kustomization.yaml

@@ -13,7 +13,7 @@ resources:
 images:
   - name: argocd
     newName: code.icb4dc0.de/infrastructure/images/argocd
-    newTag: v2.12.2
+    newTag: v2.13.3
 
 labels:
 - includeSelectors: true
@@ -26,7 +26,7 @@ helmCharts:
     repo: https://argoproj.github.io/argo-helm
     releaseName: argo-cd
     namespace: argo-system
-    version: "7.4.5"
+    version: "7.7.16"
     valuesFile: config/values.argo-cd.yaml
     apiVersions:
       - monitoring.coreos.com/v1

blog/.gitattributes

@@ -0,0 +1 @@
+config/* filter=age diff=age merge=age -text

blog/kustomization.yaml

@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: blog
+
+resources:
+  - resources/namespace.yaml
+  - https://github.com/spinkube/spin-operator/releases/download/v0.3.0/spin-operator.shim-executor.yaml
+  - resources/spinapp.yaml
+  - resources/routes.yaml

blog/resources/namespace.yaml

@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: blog

blog/resources/routes.yaml

@@ -0,0 +1,15 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: blog-https
+spec:
+  parentRefs:
+    - name: contour
+      sectionName: https
+      namespace: projectcontour
+  hostnames:
+    - "www.icb4dc0.de"
+  rules:
+    - backendRefs:
+        - name: spin-proxy
+          port: 80

blog/resources/spinapp.yaml

@@ -0,0 +1,11 @@
+apiVersion: core.spinkube.dev/v1alpha1
+kind: SpinApp
+metadata:
+  name: spin-proxy
+spec:
+  image: "code.icb4dc0.de/prskr/spin-proxy:latest"
+  executor: containerd-shim-spin
+  replicas: 2
+  variables:
+    - name: domain_mapping
+      value: '{"www.icb4dc0.de":"1661580-blog.fsn1.your-objectstorage.com"}'

cert-manager/config/values.cert-manager.yaml

@@ -1,2 +1,4 @@
-extraArgs:
- - --feature-gates=ExperimentalGatewayAPISupport=true
+config:
+  kind: ControllerConfiguration
+  apiVersion: "controller.config.cert-manager.io/v1alpha1"
+  enableGatewayAPI: true

cert-manager/kustomization.yaml

@@ -12,7 +12,7 @@ resources:
 helmCharts:
   - name: cert-manager
     repo: https://charts.jetstack.io
-    version: "v1.15.3"
+    version: "v1.16.3"
     releaseName: cert-manager
     namespace: kube-system
     valuesFile: config/values.cert-manager.yaml

clickhouse/kustomization.yaml

@@ -0,0 +1,32 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: clickhouse-system
+
+resources:
+  - resources/namespace.yaml
+  - https://raw.githubusercontent.com/Altinity/clickhouse-operator/master/deploy/operator/clickhouse-operator-install-bundle.yaml
+
+patches:
+  - patch: |-
+      - op: add
+        path: /metadata/labels
+        value:
+          prometheus: default
+    target:
+      group: core
+      kind: Namespace
+      name: clickhouse-operator
+      version: v1
+
+  - patch: |-
+      - op: add
+        path: /spec/template/spec/containers/0/env/-
+        value:
+          name: WATCH_NAMESPACES
+          value: "plausible"
+    target:
+      group: apps
+      version: v1
+      kind: Deployment
+      name: clickhouse-operator

clickhouse/resources/namespace.yaml

@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: clickhouse
+  labels:
+    prometheus: default

cnpg/cluster/kustomization.yaml

@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - resources/secrets/cnpg-backup-creds.yaml
+  - resources/secrets/ext-pgo-admin.yaml
+  - resources/cluster.yaml
+  - resources/backup.yaml
+  - resources/pool.yaml

cnpg/cluster/resources/backup.yaml

@@ -5,7 +5,7 @@ metadata:
   name: daily-backup
   namespace: postgres
 spec:
-  schedule: "0 1 * * *"
+  schedule: "0 0 */6 * * *"
   backupOwnerReference: self
   cluster:
-    name: app-cluster
+    name: app-cluster

cnpg/cluster/resources/cluster.yaml

@@ -29,8 +29,8 @@ spec:
 
   backup:
     barmanObjectStore:
-      destinationPath: "s3://cnpg/app-cluster/"
-      endpointURL: "http://garage.garage.svc:3900"
+      destinationPath: "s3://1661580-backup/cnpg/gen2/"
+      endpointURL: "https://fsn1.your-objectstorage.com"
       s3Credentials:
         accessKeyId:
           name: cnpg-backup-creds
@@ -43,7 +43,7 @@ spec:
           key: AWS_REGION
       wal:
         compression: snappy
-    retentionPolicy: "30d"
+    retentionPolicy: "7d"
 
   resources:
     requests:

cnpg/cluster/resources/pool.yaml

@@ -14,5 +14,6 @@ spec:
     parameters:
       max_client_conn: "1000"
       default_pool_size: "10"
+      ignore_startup_parameters: "search_path"
   monitoring:
-    enablePodMonitor: true
+    enablePodMonitor: true

cnpg/cluster/resources/secrets/cnpg-backup-creds.yaml

@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> X25519 BsI1yprcAPepOsRWaihi/lrhaD12WLvt5p8cA3AZLgk
+QyW7iOBgMW8RiXxm42izLX1Ku9KC7N7sSP9zIFKMFG8
+-> X25519 XLB4V4p+Z6Gf0gkpNj4MiP8ExA1fTUxKlCL9JN0W8mc
+6+y7aNi6zoqi+B8ISRTYjvoqrRgZSBdUoj8j3ux/KW4
+--- GGkdAmteXdRO/0IREqgLbxEa+yZ/epxxlgdotdPeExw
+&ª÷>¦n¸}8wëÔ¿¡5éÂùà1ÿœ~Ödý±¹úK‹â4éy ±„`¿iܧŸÀB½kVF˜üFÓg£ÒÈ
^R<>ñu}¿³qpòûò*
20w7u¯áµõµŒøðöR$
"k-c„Ϭ˜ñò–íd°!xÅ_=ò¶´pBÙ0û¶øŸ/»Á›KG©9Ô«2h	uЯ]ÓVÅÏã°;×ê…<*Ý×'|Š5«Ò“éc[Çâ AÂ~‘VŒªki}ßÒžï|(‚=é®MáÚ°¨”VSUô6°JÃÇk¢¾{ì"xD|šò‰&6V¸Œ¹iðW+‡„ñ.§
+¯¼…?

cnpg/hack/migrate.yaml

@@ -0,0 +1,42 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: pgpass-migration
+type: Opaque
+stringData:
+  .pgpass: |
+    default-cluster-primary.postgres.svc:5432:umami:postgres:(g>_lO9v|?(B.4xiYt0}/+m)
+    app-cluster-pooler-rw.postgres.svc:5432:umami:umami-ciWvqZ:aDvAwEWR7HZz8Ab
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: migrate
+  namespace: postgres
+spec:
+  template:
+    spec:
+      containers:
+      - name: postgres
+        image: postgres:16-alpine
+        command:
+          - /bin/ash
+          - -c
+          - pg_dump --create --clean --no-owner --no-privileges -h default-cluster-primary.postgres.svc -U postgres "${DB_NAME}" | psql -h app-cluster-pooler-rw.postgres.svc -U "${TARGET_USER}" "${DB_NAME}"
+        env:
+          - name: DB_NAME
+            value: umami
+          - name: TARGET_USER
+            value: umami-ciWvqZ
+        volumeMounts:
+          - name: pgpass
+            readOnly: true
+            mountPath: /root/
+      restartPolicy: Never
+      volumes:
+        - name: pgpass
+          secret:
+            defaultMode: 0700
+            secretName: pgpass-migration
+  backoffLimit: 4

cnpg/operators/charts/cloudnative-pg-0.22.0/cloudnative-pg/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

cnpg/operators/charts/cloudnative-pg-0.22.0/cloudnative-pg/Chart.lock

@@ -0,0 +1,6 @@
+dependencies:
+- name: cluster
+  repository: https://cloudnative-pg.github.io/grafana-dashboards
+  version: 0.0.2
+digest: sha256:fcf16ad357c17be3dd79c138723e78e9e101fecc5d07d9371299c32b9f85dbd9
+generated: "2024-04-25T12:32:36.61779032-04:00"

cnpg/operators/charts/cloudnative-pg-0.22.0/cloudnative-pg/Chart.yaml

@@ -0,0 +1,25 @@
+apiVersion: v2
+appVersion: 1.24.0
+dependencies:
+- alias: monitoring
+  condition: monitoring.grafanaDashboard.create
+  name: cluster
+  repository: https://cloudnative-pg.github.io/grafana-dashboards
+  version: "0.0"
+description: CloudNativePG Operator Helm Chart
+home: https://cloudnative-pg.io
+icon: https://raw.githubusercontent.com/cloudnative-pg/artwork/main/cloudnativepg-logo.svg
+keywords:
+- operator
+- controller
+- postgresql
+- postgres
+- database
+maintainers:
+- email: p.scorsolini@gmail.com
+  name: phisco
+name: cloudnative-pg
+sources:
+- https://github.com/cloudnative-pg/charts
+type: application
+version: 0.22.0

cnpg/operators/charts/cloudnative-pg-0.22.0/cloudnative-pg/LICENSE

@@ -0,0 +1,202 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

cnpg/operators/charts/cloudnative-pg-0.22.0/cloudnative-pg/charts/cluster/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

cnpg/operators/charts/cloudnative-pg-0.22.0/cloudnative-pg/charts/cluster/Chart.yaml

@@ -0,0 +1,6 @@
+apiVersion: v2
+appVersion: 1.16.0
+description: CloudNativePG Grafana Cluster Dashboard.
+name: cluster
+type: application
+version: 0.0.2

cnpg/operators/charts/cloudnative-pg-0.22.0/cloudnative-pg/charts/cluster/README.md

@@ -0,0 +1,59 @@
+<!-- THIS FILE IS AUTOMATICALLY GENERATED. Make changes to README.md.gotmpl instead. -->
+
+# cluster
+
+![Version: 0.0.2](https://img.shields.io/badge/Version-0.0.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.16.0](https://img.shields.io/badge/AppVersion-1.16.0-informational?style=flat-square)
+
+![Grafana CloudNativePG Cluster Overview](../../images/overview.png)
+
+Getting Started
+---------------
+
+_**Note,** this dashboard is already included in the [CloudNativePG Operator Helm Chart][operator]._
+
+There are 4 ways to use the CloudNativePG Grafana Cluster Dashboard:
+
+0. Install the [CloudNativePG Operator Helm Chart][operator]
+
+1. Install manually via [Grafana.com](https://grafana.com/grafana/dashboards/20417-cloudnativepg/).
+
+2. Install manually via the [Grafana JSON](https://github.com/cloudnative-pg/grafana-dashboards/blob/main/charts/cluster/grafana-dashboard.json):
+
+```
+https://raw.githubusercontent.com/cloudnative-pg/grafana-dashboards/main/charts/cluster/grafana-dashboard.json
+```
+
+3. Install directly in your cluster as a Helm Chart:
+
+```bash
+helm repo add cnpg-grafana https://cloudnative-pg.github.io/grafana-dashboards
+helm upgrade
+  --install \
+  --namespace monitoring \
+  cnpg-grafana-cluster cnpg-grafana/cluster
+```
+
+2. As as a dependency to an existing chart:
+
+```yaml
+dependencies:
+  - name: cluster
+    alias: cnpg-grafana-cluster-dashboard
+    version: "0.0"
+    repository: https://cloudnative-pg.github.io/grafana-dashboards
+```
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| fullnameOverride | string | `""` |  |
+| grafanaDashboard.annotations | object | `{}` | Annotations that ConfigMaps can have to get configured in Grafana. |
+| grafanaDashboard.configMapName | string | `"cnpg-grafana-dashboard"` | The name of the ConfigMap containing the dashboard. |
+| grafanaDashboard.labels | object | `{}` | Labels that ConfigMaps should have to get configured in Grafana. |
+| grafanaDashboard.namespace | string | `""` | Allows overriding the namespace where the ConfigMap will be created, defaulting to the same one as the Release. |
+| grafanaDashboard.sidecarLabel | string | `"grafana_dashboard"` | Label that ConfigMaps should have to be loaded as dashboards. DEPRECATED: Use labels instead. |
+| grafanaDashboard.sidecarLabelValue | string | `"1"` | Label value that ConfigMaps should have to be loaded as dashboards. DEPRECATED: Use labels instead. |
+| nameOverride | string | `""` |  |
+
+[operator]: https://github.com/cloudnative-pg/charts/tree/main/charts/cloudnative-pg

cnpg/operators/charts/cloudnative-pg-0.22.0/cloudnative-pg/charts/cluster/README.md.gotmpl

@@ -0,0 +1,59 @@
+<!-- THIS FILE IS AUTOMATICALLY GENERATED. Make changes to README.md.gotmpl instead. -->
+
+{{ template "chart.header" . }}
+
+{{ template "chart.deprecationWarning" . }}
+
+{{ template "chart.badgesSection" . }}
+
+![Grafana CloudNativePG Cluster Overview](../../images/overview.png)
+
+Getting Started
+---------------
+
+_**Note,** this dashboard is already included in the [CloudNativePG Operator Helm Chart][operator]._
+
+There are 4 ways to use the CloudNativePG Grafana Cluster Dashboard:
+
+0. Install the [CloudNativePG Operator Helm Chart][operator]
+
+1. Install manually via [Grafana.com](https://grafana.com/grafana/dashboards/20417-cloudnativepg/).
+
+2. Install manually via the [Grafana JSON](https://github.com/cloudnative-pg/grafana-dashboards/blob/main/charts/cluster/grafana-dashboard.json):
+
+```
+https://raw.githubusercontent.com/cloudnative-pg/grafana-dashboards/main/charts/cluster/grafana-dashboard.json
+```
+
+3. Install directly in your cluster as a Helm Chart:
+
+```bash
+helm repo add cnpg-grafana https://cloudnative-pg.github.io/grafana-dashboards
+helm upgrade
+  --install \
+  --namespace monitoring \
+  cnpg-grafana-cluster cnpg-grafana/cluster
+```
+
+2. As as a dependency to an existing chart:
+
+```yaml
+dependencies:
+  - name: cluster
+    alias: cnpg-grafana-cluster-dashboard
+    version: "0.0"
+    repository: https://cloudnative-pg.github.io/grafana-dashboards
+```
+
+
+{{ template "chart.requirementsSection" . }}
+
+
+{{ template "chart.valuesSection" . }}
+
+
+{{ template "chart.maintainersSection" . }}
+
+{{ template "helm-docs.versionFooter" . }}
+
+[operator]: https://github.com/cloudnative-pg/charts/tree/main/charts/cloudnative-pg

cnpg/operators/charts/cloudnative-pg-0.22.0/cloudnative-pg/charts/cluster/templates/NOTES.txt

@@ -0,0 +1,5 @@
+CloudNativePG Grafana Dashboard installed successfully.
+
+{{- if (or .Values.grafanaDashboard.sidecarLabel .Values.grafanaDashboard.sidecarLabelValue) }}
+DEPRECATION NOTICE: The grafanaDashboard.sidecarLabel is deprecated and will be removed in a future release. Use the grafanaDashboard.labels instead.
+{{- end }}

cnpg/operators/charts/cloudnative-pg-0.22.0/cloudnative-pg/charts/cluster/templates/sidecar-configmap.yaml

@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ .Values.grafanaDashboard.configMapName }}
+  namespace: {{ default .Release.Namespace .Values.grafanaDashboard.namespace }}
+  {{- if (or .Values.grafanaDashboard.labels .Values.grafanaDashboard.sidecarLabel) }}
+  labels:
+    {{- if .Values.grafanaDashboard.sidecarLabel }}
+    {{ .Values.grafanaDashboard.sidecarLabel }}: {{ .Values.grafanaDashboard.sidecarLabelValue | quote }}
+    {{- end }}
+    {{- with .Values.grafanaDashboard.labels }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- end }}
+  {{- with .Values.grafanaDashboard.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+data:
+    cnp.json: |-
+{{ .Files.Get "grafana-dashboard.json" | indent 6 }}

cnpg/operators/charts/cloudnative-pg-0.22.0/cloudnative-pg/charts/cluster/values.schema.json

@@ -0,0 +1,35 @@
+{
+    "$schema": "http://json-schema.org/schema#",
+    "type": "object",
+    "properties": {
+        "fullnameOverride": {
+            "type": "string"
+        },
+        "grafanaDashboard": {
+            "type": "object",
+            "properties": {
+                "annotations": {
+                    "type": "object"
+                },
+                "configMapName": {
+                    "type": "string"
+                },
+                "labels": {
+                    "type": "object"
+                },
+                "namespace": {
+                    "type": "string"
+                },
+                "sidecarLabel": {
+                    "type": "string"
+                },
+                "sidecarLabelValue": {
+                    "type": "string"
+                }
+            }
+        },
+        "nameOverride": {
+            "type": "string"
+        }
+    }
+}

cnpg/operators/charts/cloudnative-pg-0.22.0/cloudnative-pg/charts/cluster/values.yaml

@@ -0,0 +1,20 @@
+# Default values for cluster.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+nameOverride: ""
+fullnameOverride: ""
+
+grafanaDashboard:
+  # -- Allows overriding the namespace where the ConfigMap will be created, defaulting to the same one as the Release.
+  namespace: ""
+  # -- The name of the ConfigMap containing the dashboard.
+  configMapName: "cnpg-grafana-dashboard"
+  # -- Label that ConfigMaps should have to be loaded as dashboards. DEPRECATED: Use labels instead.
+  sidecarLabel: "grafana_dashboard"
+  # -- Label value that ConfigMaps should have to be loaded as dashboards. DEPRECATED: Use labels instead.
+  sidecarLabelValue: "1"
+  # -- Labels that ConfigMaps should have to get configured in Grafana.
+  labels: {}
+  # -- Annotations that ConfigMaps can have to get configured in Grafana.
+  annotations: {}

cnpg/operators/charts/cloudnative-pg-0.22.0/cloudnative-pg/monitoring/grafana-dashboard.json

@@ -0,0 +1,3 @@
+The JSON file has been moved to a dedicated repository for CloudNativePG dashboards located at:
+
+https://github.com/cloudnative-pg/grafana-dashboards/blob/main/charts/cluster/grafana-dashboard.json

cnpg/operators/charts/cloudnative-pg-0.22.0/cloudnative-pg/templates/NOTES.txt

@@ -0,0 +1,18 @@
+
+CloudNativePG operator should be installed in namespace "{{ .Release.Namespace }}".
+You can now create a PostgreSQL cluster with 3 nodes in the current namespace as follows:
+
+cat <<EOF | kubectl apply -f -
+# Example of PostgreSQL cluster
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+  name: cluster-example
+spec:
+  instances: 3
+  storage:
+    size: 1Gi
+EOF
+
+kubectl get cluster
+

cnpg/operators/charts/cloudnative-pg-0.22.0/cloudnative-pg/templates/_helpers.tpl

@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "cloudnative-pg.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "cloudnative-pg.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "cloudnative-pg.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "cloudnative-pg.labels" -}}
+helm.sh/chart: {{ include "cloudnative-pg.chart" . }}
+{{ include "cloudnative-pg.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "cloudnative-pg.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "cloudnative-pg.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "cloudnative-pg.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "cloudnative-pg.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}

cnpg/operators/charts/cloudnative-pg-0.22.0/cloudnative-pg/templates/config.yaml

@@ -0,0 +1,45 @@
+#
+# Copyright The CloudNativePG Contributors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+{{- if .Values.config.create }}
+{{- if not .Values.config.secret }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ .Values.config.name }}
+  labels:
+    {{- include "cloudnative-pg.labels" . | nindent 4 }}
+  {{- with .Values.commonAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+data:
+  {{- toYaml .Values.config.data | nindent 2 }}
+{{- else }}
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+  name: {{ .Values.config.name }}
+  labels:
+    {{- include "cloudnative-pg.labels" . | nindent 4 }}
+  {{- with .Values.commonAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+stringData:
+  {{- toYaml .Values.config.data | nindent 2 }}
+{{- end }}
+{{- end }}

cnpg/operators/charts/cloudnative-pg-0.22.0/cloudnative-pg/templates/deployment.yaml

@@ -0,0 +1,147 @@
+#
+# Copyright The CloudNativePG Contributors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "cloudnative-pg.fullname" . }}
+  labels:
+    {{- include "cloudnative-pg.labels" . | nindent 4 }}
+  {{- with .Values.commonAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  replicas: {{ .Values.replicaCount }}
+  selector:
+    matchLabels:
+      {{- include "cloudnative-pg.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      annotations:
+        checksum/config: {{ include (print $.Template.BasePath "/config.yaml") . | sha256sum }}
+      {{- with .Values.podAnnotations }}
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "cloudnative-pg.selectorLabels" . | nindent 8 }}
+        {{- with .Values.podLabels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- if .Values.hostNetwork }}
+      hostNetwork: {{ .Values.hostNetwork }}
+      {{- end }}
+      {{- if .Values.dnsPolicy }}
+      dnsPolicy: {{ .Values.dnsPolicy }}
+      {{- end }}
+      containers:
+      - args:
+        - controller
+        - --leader-elect
+        {{- if .Values.config.name }}
+        {{- if not .Values.config.secret }}
+        - --config-map-name={{ .Values.config.name }}
+        {{- else }}
+        - --secret-name={{ .Values.config.name }}
+        {{- end }}
+        {{- end }}
+        - --webhook-port={{ .Values.webhook.port }}
+        {{- range .Values.additionalArgs }}
+        - {{ . }}
+        {{- end }}
+        command:
+        - /manager
+        env:
+        - name: OPERATOR_IMAGE_NAME
+          value: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+        - name: OPERATOR_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: MONITORING_QUERIES_CONFIGMAP
+          value: "{{ .Values.monitoringQueriesConfigMap.name }}"
+        {{- if .Values.additionalEnv }}
+        {{- tpl (.Values.additionalEnv | toYaml) . | nindent 8 }}
+        {{- end }}
+        image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+        imagePullPolicy: {{ .Values.image.pullPolicy }}
+        livenessProbe:
+          httpGet:
+            path: /readyz
+            port: {{ .Values.webhook.port }}
+            scheme: HTTPS
+          {{- if .Values.webhook.livenessProbe.initialDelaySeconds }}
+          initialDelaySeconds: {{ .Values.webhook.livenessProbe.initialDelaySeconds }}
+          {{- end }}
+        name: manager
+        ports:
+        - containerPort: 8080
+          name: metrics
+          protocol: TCP
+        - containerPort: {{ .Values.webhook.port }}
+          name: webhook-server
+          protocol: TCP
+        readinessProbe:
+          httpGet:
+            path: /readyz
+            port: {{ .Values.webhook.port }}
+            scheme: HTTPS
+          {{- if .Values.webhook.readinessProbe.initialDelaySeconds }}
+          initialDelaySeconds: {{ .Values.webhook.readinessProbe.initialDelaySeconds }}
+          {{- end }}
+        resources:
+          {{- toYaml .Values.resources | nindent 10 }}
+        securityContext:
+          {{- toYaml .Values.containerSecurityContext | nindent 10 }}
+        volumeMounts:
+        - mountPath: /controller
+          name: scratch-data
+        - mountPath: /run/secrets/cnpg.io/webhook
+          name: webhook-certificates
+      {{- if .Values.priorityClassName }}
+      priorityClassName: {{ .Values.priorityClassName }}
+      {{- end }}
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      serviceAccountName: {{ include "cloudnative-pg.serviceAccountName" . }}
+      terminationGracePeriodSeconds: 10
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      volumes:
+      - emptyDir: {}
+        name: scratch-data
+      - name: webhook-certificates
+        secret:
+          defaultMode: 420
+          optional: true
+          secretName: cnpg-webhook-cert
+
+

cnpg/operators/charts/cloudnative-pg-0.22.0/cloudnative-pg/templates/monitoring-configmap.yaml

@@ -0,0 +1,29 @@
+#
+# Copyright The CloudNativePG Contributors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ .Values.monitoringQueriesConfigMap.name }}
+  labels:
+    {{- include "cloudnative-pg.labels" . | nindent 4 }}
+    cnpg.io/reload: ""
+  {{- with .Values.commonAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+data:
+  queries: {{- toYaml .Values.monitoringQueriesConfigMap.queries | nindent 4 }}

cnpg/operators/charts/cloudnative-pg-0.22.0/cloudnative-pg/templates/mutatingwebhookconfiguration.yaml

@@ -0,0 +1,92 @@
+#
+# Copyright The CloudNativePG Contributors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+{{- if .Values.webhook.mutating.create }}
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: cnpg-mutating-webhook-configuration
+  {{- with .Values.commonAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  labels:
+    {{- include "cloudnative-pg.labels" . | nindent 4 }}
+webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: {{ .Values.service.name }}
+      namespace: {{ .Release.Namespace }}
+      path: /mutate-postgresql-cnpg-io-v1-backup
+      port: {{ .Values.service.port }}
+  failurePolicy: {{ .Values.webhook.mutating.failurePolicy }}
+  name: mbackup.cnpg.io
+  rules:
+  - apiGroups:
+    - postgresql.cnpg.io
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - backups
+  sideEffects: None
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: {{ .Values.service.name }}
+      namespace: {{ .Release.Namespace }}
+      path: /mutate-postgresql-cnpg-io-v1-cluster
+      port: {{ .Values.service.port }}
+  failurePolicy: {{ .Values.webhook.mutating.failurePolicy }}
+  name: mcluster.cnpg.io
+  rules:
+  - apiGroups:
+    - postgresql.cnpg.io
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - clusters
+  sideEffects: None
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: {{ .Values.service.name }}
+      namespace: {{ .Release.Namespace }}
+      path: /mutate-postgresql-cnpg-io-v1-scheduledbackup
+      port: {{ .Values.service.port }}
+  failurePolicy: {{ .Values.webhook.mutating.failurePolicy }}
+  name: mscheduledbackup.cnpg.io
+  rules:
+  - apiGroups:
+    - postgresql.cnpg.io
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - scheduledbackups
+  sideEffects: None
+{{- end }}

cnpg/operators/charts/cloudnative-pg-0.22.0/cloudnative-pg/templates/podmonitor.yaml

@@ -0,0 +1,29 @@
+{{- if .Values.monitoring.podMonitorEnabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+  name: {{ include "cloudnative-pg.fullname" . }}
+  labels:
+    {{- include "cloudnative-pg.labels" . | nindent 4 }}
+    {{- with .Values.monitoring.podMonitorAdditionalLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end}}
+  {{- with .Values.commonAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  selector:
+    matchLabels:
+      {{- include "cloudnative-pg.selectorLabels" . | nindent 6 }}
+  podMetricsEndpoints:
+    - port: metrics
+      {{- with .Values.monitoring.podMonitorMetricRelabelings }}
+      metricRelabelings:
+      {{- toYaml . | nindent 6 }}
+      {{- end }}
+      {{- with .Values.monitoring.podMonitorRelabelings }}
+      relabelings:
+      {{- toYaml . | nindent 6 }}
+      {{- end }}
+{{- end }}

cnpg/operators/charts/cloudnative-pg-0.22.0/cloudnative-pg/templates/rbac.yaml

@@ -0,0 +1,439 @@
+#
+# Copyright The CloudNativePG Contributors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+{{- if .Values.serviceAccount.create }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "cloudnative-pg.serviceAccountName" . }}
+  labels:
+    {{- include "cloudnative-pg.labels" . | nindent 4 }}
+  {{- with .Values.commonAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}
+
+{{- if .Values.rbac.create }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "cloudnative-pg.fullname" . }}
+  labels:
+    {{- include "cloudnative-pg.labels" . | nindent 4 }}
+  {{- with .Values.commonAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - configmaps/status
+  verbs:
+  - get
+  - patch
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - persistentvolumeclaims
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - pods/exec
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - pods/status
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - secrets/status
+  verbs:
+  - get
+  - patch
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - serviceaccounts
+  verbs:
+  - create
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - mutatingwebhookconfigurations
+  verbs:
+  - get
+  - patch
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - validatingwebhookconfigurations
+  verbs:
+  - get
+  - patch
+- apiGroups:
+  - apps
+  resources:
+  - deployments
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - batch
+  resources:
+  - jobs
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - watch
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
+  verbs:
+  - create
+  - get
+  - update
+- apiGroups:
+  - monitoring.coreos.com
+  resources:
+  - podmonitors
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - watch
+- apiGroups:
+  - policy
+  resources:
+  - poddisruptionbudgets
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - postgresql.cnpg.io
+  resources:
+  - backups
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - postgresql.cnpg.io
+  resources:
+  - backups/status
+  verbs:
+  - get
+  - patch
+  - update
+- apiGroups:
+  - postgresql.cnpg.io
+  resources:
+  - clusterimagecatalogs
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - postgresql.cnpg.io
+  resources:
+  - clusters
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - postgresql.cnpg.io
+  resources:
+  - clusters/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - postgresql.cnpg.io
+  resources:
+  - clusters/status
+  verbs:
+  - get
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - postgresql.cnpg.io
+  resources:
+  - imagecatalogs
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - postgresql.cnpg.io
+  resources:
+  - poolers
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - postgresql.cnpg.io
+  resources:
+  - poolers/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - postgresql.cnpg.io
+  resources:
+  - poolers/status
+  verbs:
+  - get
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - postgresql.cnpg.io
+  resources:
+  - scheduledbackups
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - postgresql.cnpg.io
+  resources:
+  - scheduledbackups/status
+  verbs:
+  - get
+  - patch
+  - update
+- apiGroups:
+  - rbac.authorization.k8s.io
+  resources:
+  - rolebindings
+  verbs:
+  - create
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - rbac.authorization.k8s.io
+  resources:
+  - roles
+  verbs:
+  - create
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - snapshot.storage.k8s.io
+  resources:
+  - volumesnapshots
+  verbs:
+  - create
+  - get
+  - list
+  - patch
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "cloudnative-pg.fullname" . }}
+  labels:
+    {{- include "cloudnative-pg.labels" . | nindent 4 }}
+  {{- with .Values.commonAnnotations.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "cloudnative-pg.fullname" . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ include "cloudnative-pg.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "cloudnative-pg.fullname" . }}-view
+  labels:
+    {{- include "cloudnative-pg.labels" . | nindent 4 }}
+    {{- if .Values.rbac.aggregateClusterRoles }}
+    rbac.authorization.k8s.io/aggregate-to-view: "true"
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+    {{- end }}
+rules:
+- apiGroups:
+  - postgresql.cnpg.io
+  resources:
+  - backups
+  - clusters
+  - poolers
+  - scheduledbackups
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "cloudnative-pg.fullname" . }}-edit
+  labels:
+    {{- include "cloudnative-pg.labels" . | nindent 4 }}
+    {{- if .Values.rbac.aggregateClusterRoles }}
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+    {{- end }}
+rules:
+- apiGroups:
+  - postgresql.cnpg.io
+  resources:
+  - backups
+  - clusters
+  - poolers
+  - scheduledbackups
+  verbs:
+  - create
+  - delete
+  - deletecollection
+  - patch
+  - update
+---
+{{- end }}

cnpg/operators/charts/cloudnative-pg-0.22.0/cloudnative-pg/templates/service.yaml

@@ -0,0 +1,34 @@
+#
+# Copyright The CloudNativePG Contributors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ .Values.service.name }}
+  labels:
+    {{- include "cloudnative-pg.labels" . | nindent 4 }}
+  {{- with .Values.commonAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  type: {{ .Values.service.type }}
+  ports:
+  - port: {{ .Values.service.port }}
+    targetPort: webhook-server
+    name: webhook-server
+  selector:
+    {{- include "cloudnative-pg.selectorLabels" . | nindent 4 }}

cnpg/operators/charts/cloudnative-pg-0.22.0/cloudnative-pg/templates/validatingwebhookconfiguration.yaml

@@ -0,0 +1,113 @@
+#
+# Copyright The CloudNativePG Contributors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+{{- if .Values.webhook.validating.create }}
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: cnpg-validating-webhook-configuration
+  labels:
+    {{- include "cloudnative-pg.labels" . | nindent 4 }}
+  {{- with .Values.rbac.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: {{ .Values.service.name }}
+      namespace: {{ .Release.Namespace }}
+      path: /validate-postgresql-cnpg-io-v1-backup
+      port: {{ .Values.service.port }}
+  failurePolicy: {{ .Values.webhook.validating.failurePolicy }}
+  name: vbackup.cnpg.io
+  rules:
+  - apiGroups:
+    - postgresql.cnpg.io
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - backups
+  sideEffects: None
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: {{ .Values.service.name }}
+      namespace: {{ .Release.Namespace }}
+      path: /validate-postgresql-cnpg-io-v1-cluster
+      port: {{ .Values.service.port }}
+  failurePolicy: {{ .Values.webhook.validating.failurePolicy }}
+  name: vcluster.cnpg.io
+  rules:
+  - apiGroups:
+    - postgresql.cnpg.io
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - clusters
+  sideEffects: None
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: {{ .Values.service.name }}
+      namespace: {{ .Release.Namespace }}
+      path: /validate-postgresql-cnpg-io-v1-scheduledbackup
+      port: {{ .Values.service.port }}
+  failurePolicy: {{ .Values.webhook.validating.failurePolicy }}
+  name: vscheduledbackup.cnpg.io
+  rules:
+  - apiGroups:
+    - postgresql.cnpg.io
+    apiVersions:
+    - v1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - scheduledbackups
+  sideEffects: None
+- admissionReviewVersions:
+    - v1
+  clientConfig:
+    service:
+      name: {{ .Values.service.name }}
+      namespace: {{ .Release.Namespace }}
+      path: /validate-postgresql-cnpg-io-v1-pooler
+      port: {{ .Values.service.port }}
+  failurePolicy: {{ .Values.webhook.validating.failurePolicy }}
+  name: vpooler.cnpg.io
+  rules:
+    - apiGroups:
+        - postgresql.cnpg.io
+      apiVersions:
+        - v1
+      operations:
+        - CREATE
+        - UPDATE
+      resources:
+        - poolers
+  sideEffects: None
+{{- end }}

cnpg/operators/charts/cloudnative-pg-0.22.0/cloudnative-pg/values.schema.json

@@ -0,0 +1,281 @@
+{
+    "$schema": "http://json-schema.org/schema#",
+    "type": "object",
+    "properties": {
+        "additionalArgs": {
+            "type": "array"
+        },
+        "additionalEnv": {
+            "type": "array"
+        },
+        "affinity": {
+            "type": "object"
+        },
+        "commonAnnotations": {
+            "type": "object"
+        },
+        "config": {
+            "type": "object",
+            "properties": {
+                "create": {
+                    "type": "boolean"
+                },
+                "data": {
+                    "type": "object"
+                },
+                "name": {
+                    "type": "string"
+                },
+                "secret": {
+                    "type": "boolean"
+                }
+            }
+        },
+        "containerSecurityContext": {
+            "type": "object",
+            "properties": {
+                "allowPrivilegeEscalation": {
+                    "type": "boolean"
+                },
+                "capabilities": {
+                    "type": "object",
+                    "properties": {
+                        "drop": {
+                            "type": "array",
+                            "items": {
+                                "type": "string"
+                            }
+                        }
+                    }
+                },
+                "readOnlyRootFilesystem": {
+                    "type": "boolean"
+                },
+                "runAsGroup": {
+                    "type": "integer"
+                },
+                "runAsUser": {
+                    "type": "integer"
+                },
+                "seccompProfile": {
+                    "type": "object",
+                    "properties": {
+                        "type": {
+                            "type": "string"
+                        }
+                    }
+                }
+            }
+        },
+        "crds": {
+            "type": "object",
+            "properties": {
+                "create": {
+                    "type": "boolean"
+                }
+            }
+        },
+        "dnsPolicy": {
+            "type": "string"
+        },
+        "fullnameOverride": {
+            "type": "string"
+        },
+        "hostNetwork": {
+            "type": "boolean"
+        },
+        "image": {
+            "type": "object",
+            "properties": {
+                "pullPolicy": {
+                    "type": "string"
+                },
+                "repository": {
+                    "type": "string"
+                },
+                "tag": {
+                    "type": "string"
+                }
+            }
+        },
+        "imagePullSecrets": {
+            "type": "array"
+        },
+        "monitoring": {
+            "type": "object",
+            "properties": {
+                "grafanaDashboard": {
+                    "type": "object",
+                    "properties": {
+                        "annotations": {
+                            "type": "object"
+                        },
+                        "configMapName": {
+                            "type": "string"
+                        },
+                        "create": {
+                            "type": "boolean"
+                        },
+                        "labels": {
+                            "type": "object"
+                        },
+                        "namespace": {
+                            "type": "string"
+                        },
+                        "sidecarLabel": {
+                            "type": "string"
+                        },
+                        "sidecarLabelValue": {
+                            "type": "string"
+                        }
+                    }
+                },
+                "podMonitorAdditionalLabels": {
+                    "type": "object"
+                },
+                "podMonitorEnabled": {
+                    "type": "boolean"
+                },
+                "podMonitorMetricRelabelings": {
+                    "type": "array"
+                },
+                "podMonitorRelabelings": {
+                    "type": "array"
+                }
+            }
+        },
+        "monitoringQueriesConfigMap": {
+            "type": "object",
+            "properties": {
+                "name": {
+                    "type": "string"
+                },
+                "queries": {
+                    "type": "string"
+                }
+            }
+        },
+        "nameOverride": {
+            "type": "string"
+        },
+        "nodeSelector": {
+            "type": "object"
+        },
+        "podAnnotations": {
+            "type": "object"
+        },
+        "podLabels": {
+            "type": "object"
+        },
+        "podSecurityContext": {
+            "type": "object",
+            "properties": {
+                "runAsNonRoot": {
+                    "type": "boolean"
+                },
+                "seccompProfile": {
+                    "type": "object",
+                    "properties": {
+                        "type": {
+                            "type": "string"
+                        }
+                    }
+                }
+            }
+        },
+        "priorityClassName": {
+            "type": "string"
+        },
+        "rbac": {
+            "type": "object",
+            "properties": {
+                "aggregateClusterRoles": {
+                    "type": "boolean"
+                },
+                "create": {
+                    "type": "boolean"
+                }
+            }
+        },
+        "replicaCount": {
+            "type": "integer"
+        },
+        "resources": {
+            "type": "object"
+        },
+        "service": {
+            "type": "object",
+            "properties": {
+                "name": {
+                    "type": "string"
+                },
+                "port": {
+                    "type": "integer"
+                },
+                "type": {
+                    "type": "string"
+                }
+            }
+        },
+        "serviceAccount": {
+            "type": "object",
+            "properties": {
+                "create": {
+                    "type": "boolean"
+                },
+                "name": {
+                    "type": "string"
+                }
+            }
+        },
+        "tolerations": {
+            "type": "array"
+        },
+        "webhook": {
+            "type": "object",
+            "properties": {
+                "livenessProbe": {
+                    "type": "object",
+                    "properties": {
+                        "initialDelaySeconds": {
+                            "type": "integer"
+                        }
+                    }
+                },
+                "mutating": {
+                    "type": "object",
+                    "properties": {
+                        "create": {
+                            "type": "boolean"
+                        },
+                        "failurePolicy": {
+                            "type": "string"
+                        }
+                    }
+                },
+                "port": {
+                    "type": "integer"
+                },
+                "readinessProbe": {
+                    "type": "object",
+                    "properties": {
+                        "initialDelaySeconds": {
+                            "type": "integer"
+                        }
+                    }
+                },
+                "validating": {
+                    "type": "object",
+                    "properties": {
+                        "create": {
+                            "type": "boolean"
+                        },
+                        "failurePolicy": {
+                            "type": "string"
+                        }
+                    }
+                }
+            }
+        }
+    }
+}

cnpg/operators/charts/cloudnative-pg-0.22.0/cloudnative-pg/values.yaml

@@ -0,0 +1,628 @@
+#
+# Copyright The CloudNativePG Contributors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# Default values for CloudNativePG.
+# This is a YAML-formatted file.
+# Please declare variables to be passed to your templates.
+
+replicaCount: 1
+
+image:
+  repository: ghcr.io/cloudnative-pg/cloudnative-pg
+  pullPolicy: IfNotPresent
+  # -- Overrides the image tag whose default is the chart appVersion.
+  tag: ""
+
+imagePullSecrets: []
+nameOverride: ""
+fullnameOverride: ""
+
+hostNetwork: false
+dnsPolicy: ""
+
+crds:
+  # -- Specifies whether the CRDs should be created when installing the chart.
+  create: true
+
+# -- The webhook configuration.
+webhook:
+  port: 9443
+  mutating:
+    create: true
+    failurePolicy: Fail
+  validating:
+    create: true
+    failurePolicy: Fail
+  livenessProbe:
+    initialDelaySeconds: 3
+  readinessProbe:
+    initialDelaySeconds: 3
+
+# -- Operator configuration.
+config:
+  # -- Specifies whether the secret should be created.
+  create: true
+  # -- The name of the configmap/secret to use.
+  name: cnpg-controller-manager-config
+  # -- Specifies whether it should be stored in a secret, instead of a configmap.
+  secret: false
+  # -- The content of the configmap/secret, see
+  # https://cloudnative-pg.io/documentation/current/operator_conf/#available-options
+  # for all the available options.
+  data: {}
+  # INHERITED_ANNOTATIONS: categories
+  # INHERITED_LABELS: environment, workload, app
+  # WATCH_NAMESPACE: namespace-a,namespace-b
+
+# -- Additinal arguments to be added to the operator's args list.
+additionalArgs: []
+
+# -- Array containing extra environment variables which can be templated.
+# For example:
+#  - name: RELEASE_NAME
+#    value: "{{ .Release.Name }}"
+#  - name: MY_VAR
+#    value: "mySpecialKey"
+additionalEnv: []
+
+serviceAccount:
+  # -- Specifies whether the service account should be created.
+  create: true
+  # -- The name of the service account to use.
+  # If not set and create is true, a name is generated using the fullname template.
+  name: ""
+
+rbac:
+  # -- Specifies whether ClusterRole and ClusterRoleBinding should be created.
+  create: true
+  # -- Aggregate ClusterRoles to Kubernetes default user-facing roles.
+  # Ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles
+  aggregateClusterRoles: false
+
+# -- Annotations to be added to all other resources.
+commonAnnotations: {}
+# -- Annotations to be added to the pod.
+podAnnotations: {}
+# -- Labels to be added to the pod.
+podLabels: {}
+
+# -- Container Security Context.
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  readOnlyRootFilesystem: true
+  runAsUser: 10001
+  runAsGroup: 10001
+  seccompProfile:
+    type: RuntimeDefault
+  capabilities:
+    drop:
+      - "ALL"
+
+# -- Security Context for the whole pod.
+podSecurityContext:
+  runAsNonRoot: true
+  seccompProfile:
+    type: RuntimeDefault
+  # fsGroup: 2000
+
+# -- Priority indicates the importance of a Pod relative to other Pods.
+priorityClassName: ""
+
+service:
+  type: ClusterIP
+  # -- DO NOT CHANGE THE SERVICE NAME as it is currently used to generate the certificate
+  # and can not be configured
+  name: cnpg-webhook-service
+  port: 443
+
+resources: {}
+  # If you want to specify resources, uncomment the following
+  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+  #
+  # limits:
+  #   cpu: 100m
+  #   memory: 200Mi
+  # requests:
+  #   cpu: 100m
+  #   memory: 100Mi
+
+# -- Nodeselector for the operator to be installed.
+nodeSelector: {}
+
+# -- Tolerations for the operator to be installed.
+tolerations: []
+
+# -- Affinity for the operator to be installed.
+affinity: {}
+
+monitoring:
+
+  # -- Specifies whether the monitoring should be enabled. Requires Prometheus Operator CRDs.
+  podMonitorEnabled: false
+  # -- Metrics relabel configurations to apply to samples before ingestion.
+  podMonitorMetricRelabelings: []
+  # -- Relabel configurations to apply to samples before scraping.
+  podMonitorRelabelings: []
+  # -- Additional labels for the podMonitor
+  podMonitorAdditionalLabels: {}
+
+  grafanaDashboard:
+    create: false
+    # -- Allows overriding the namespace where the ConfigMap will be created, defaulting to the same one as the Release.
+    namespace: ""
+    # -- The name of the ConfigMap containing the dashboard.
+    configMapName: "cnpg-grafana-dashboard"
+    # -- Label that ConfigMaps should have to be loaded as dashboards.  DEPRECATED: Use labels instead.
+    sidecarLabel: "grafana_dashboard"
+    # -- Label value that ConfigMaps should have to be loaded as dashboards.  DEPRECATED: Use labels instead.
+    sidecarLabelValue: "1"
+    # -- Labels that ConfigMaps should have to get configured in Grafana.
+    labels: {}
+    # -- Annotations that ConfigMaps can have to get configured in Grafana.
+    annotations: {}
+
+# Default monitoring queries
+monitoringQueriesConfigMap:
+  # -- The name of the default monitoring configmap.
+  name: cnpg-default-monitoring
+  # -- A string representation of a YAML defining monitoring queries.
+  queries: |
+    backends:
+      query: |
+       SELECT sa.datname
+           , sa.usename
+           , sa.application_name
+           , states.state
+           , COALESCE(sa.count, 0) AS total
+           , COALESCE(sa.max_tx_secs, 0) AS max_tx_duration_seconds
+           FROM ( VALUES ('active')
+               , ('idle')
+               , ('idle in transaction')
+               , ('idle in transaction (aborted)')
+               , ('fastpath function call')
+               , ('disabled')
+               ) AS states(state)
+           LEFT JOIN (
+               SELECT datname
+                   , state
+                   , usename
+                   , COALESCE(application_name, '') AS application_name
+                   , COUNT(*)
+                   , COALESCE(EXTRACT (EPOCH FROM (max(now() - xact_start))), 0) AS max_tx_secs
+               FROM pg_catalog.pg_stat_activity
+               GROUP BY datname, state, usename, application_name
+           ) sa ON states.state = sa.state
+           WHERE sa.usename IS NOT NULL
+      metrics:
+        - datname:
+            usage: "LABEL"
+            description: "Name of the database"
+        - usename:
+            usage: "LABEL"
+            description: "Name of the user"
+        - application_name:
+            usage: "LABEL"
+            description: "Name of the application"
+        - state:
+            usage: "LABEL"
+            description: "State of the backend"
+        - total:
+            usage: "GAUGE"
+            description: "Number of backends"
+        - max_tx_duration_seconds:
+            usage: "GAUGE"
+            description: "Maximum duration of a transaction in seconds"
+
+    backends_waiting:
+      query: |
+       SELECT count(*) AS total
+       FROM pg_catalog.pg_locks blocked_locks
+       JOIN pg_catalog.pg_locks blocking_locks
+         ON blocking_locks.locktype = blocked_locks.locktype
+         AND blocking_locks.database IS NOT DISTINCT FROM blocked_locks.database
+         AND blocking_locks.relation IS NOT DISTINCT FROM blocked_locks.relation
+         AND blocking_locks.page IS NOT DISTINCT FROM blocked_locks.page
+         AND blocking_locks.tuple IS NOT DISTINCT FROM blocked_locks.tuple
+         AND blocking_locks.virtualxid IS NOT DISTINCT FROM blocked_locks.virtualxid
+         AND blocking_locks.transactionid IS NOT DISTINCT FROM blocked_locks.transactionid
+         AND blocking_locks.classid IS NOT DISTINCT FROM blocked_locks.classid
+         AND blocking_locks.objid IS NOT DISTINCT FROM blocked_locks.objid
+         AND blocking_locks.objsubid IS NOT DISTINCT FROM blocked_locks.objsubid
+         AND blocking_locks.pid != blocked_locks.pid
+       JOIN pg_catalog.pg_stat_activity blocking_activity ON blocking_activity.pid = blocking_locks.pid
+       WHERE NOT blocked_locks.granted
+      metrics:
+        - total:
+            usage: "GAUGE"
+            description: "Total number of backends that are currently waiting on other queries"
+
+    pg_database:
+      query: |
+        SELECT datname
+          , pg_catalog.pg_database_size(datname) AS size_bytes
+          , pg_catalog.age(datfrozenxid) AS xid_age
+          , pg_catalog.mxid_age(datminmxid) AS mxid_age
+        FROM pg_catalog.pg_database
+        WHERE datallowconn
+      metrics:
+        - datname:
+            usage: "LABEL"
+            description: "Name of the database"
+        - size_bytes:
+            usage: "GAUGE"
+            description: "Disk space used by the database"
+        - xid_age:
+            usage: "GAUGE"
+            description: "Number of transactions from the frozen XID to the current one"
+        - mxid_age:
+            usage: "GAUGE"
+            description: "Number of multiple transactions (Multixact) from the frozen XID to the current one"
+
+    pg_postmaster:
+      query: |
+        SELECT EXTRACT(EPOCH FROM pg_postmaster_start_time) AS start_time
+        FROM pg_catalog.pg_postmaster_start_time()
+      metrics:
+        - start_time:
+            usage: "GAUGE"
+            description: "Time at which postgres started (based on epoch)"
+
+    pg_replication:
+      query: "SELECT CASE WHEN (
+                NOT pg_catalog.pg_is_in_recovery()
+                OR pg_catalog.pg_last_wal_receive_lsn() = pg_catalog.pg_last_wal_replay_lsn())
+              THEN 0
+              ELSE GREATEST (0,
+                EXTRACT(EPOCH FROM (now() - pg_catalog.pg_last_xact_replay_timestamp())))
+              END AS lag,
+              pg_catalog.pg_is_in_recovery() AS in_recovery,
+              EXISTS (TABLE pg_stat_wal_receiver) AS is_wal_receiver_up,
+              (SELECT count(*) FROM pg_catalog.pg_stat_replication) AS streaming_replicas"
+      metrics:
+        - lag:
+            usage: "GAUGE"
+            description: "Replication lag behind primary in seconds"
+        - in_recovery:
+            usage: "GAUGE"
+            description: "Whether the instance is in recovery"
+        - is_wal_receiver_up:
+            usage: "GAUGE"
+            description: "Whether the instance wal_receiver is up"
+        - streaming_replicas:
+            usage: "GAUGE"
+            description: "Number of streaming replicas connected to the instance"
+
+    pg_replication_slots:
+      query: |
+        SELECT slot_name,
+          slot_type,
+          database,
+          active,
+          (CASE pg_catalog.pg_is_in_recovery()
+            WHEN TRUE THEN pg_catalog.pg_wal_lsn_diff(pg_catalog.pg_last_wal_receive_lsn(), restart_lsn)
+            ELSE pg_catalog.pg_wal_lsn_diff(pg_catalog.pg_current_wal_lsn(), restart_lsn)
+          END) as pg_wal_lsn_diff
+        FROM pg_catalog.pg_replication_slots
+        WHERE NOT temporary
+      metrics:
+        - slot_name:
+            usage: "LABEL"
+            description: "Name of the replication slot"
+        - slot_type:
+            usage: "LABEL"
+            description: "Type of the replication slot"
+        - database:
+            usage: "LABEL"
+            description: "Name of the database"
+        - active:
+            usage: "GAUGE"
+            description: "Flag indicating whether the slot is active"
+        - pg_wal_lsn_diff:
+            usage: "GAUGE"
+            description: "Replication lag in bytes"
+
+    pg_stat_archiver:
+      query: |
+        SELECT archived_count
+          , failed_count
+          , COALESCE(EXTRACT(EPOCH FROM (now() - last_archived_time)), -1) AS seconds_since_last_archival
+          , COALESCE(EXTRACT(EPOCH FROM (now() - last_failed_time)), -1) AS seconds_since_last_failure
+          , COALESCE(EXTRACT(EPOCH FROM last_archived_time), -1) AS last_archived_time
+          , COALESCE(EXTRACT(EPOCH FROM last_failed_time), -1) AS last_failed_time
+          , COALESCE(CAST(CAST('x'||pg_catalog.right(pg_catalog.split_part(last_archived_wal, '.', 1), 16) AS pg_catalog.bit(64)) AS pg_catalog.int8), -1) AS last_archived_wal_start_lsn
+          , COALESCE(CAST(CAST('x'||pg_catalog.right(pg_catalog.split_part(last_failed_wal, '.', 1), 16) AS pg_catalog.bit(64)) AS pg_catalog.int8), -1) AS last_failed_wal_start_lsn
+          , EXTRACT(EPOCH FROM stats_reset) AS stats_reset_time
+        FROM pg_catalog.pg_stat_archiver
+      metrics:
+        - archived_count:
+            usage: "COUNTER"
+            description: "Number of WAL files that have been successfully archived"
+        - failed_count:
+            usage: "COUNTER"
+            description: "Number of failed attempts for archiving WAL files"
+        - seconds_since_last_archival:
+            usage: "GAUGE"
+            description: "Seconds since the last successful archival operation"
+        - seconds_since_last_failure:
+            usage: "GAUGE"
+            description: "Seconds since the last failed archival operation"
+        - last_archived_time:
+            usage: "GAUGE"
+            description: "Epoch of the last time WAL archiving succeeded"
+        - last_failed_time:
+            usage: "GAUGE"
+            description: "Epoch of the last time WAL archiving failed"
+        - last_archived_wal_start_lsn:
+            usage: "GAUGE"
+            description: "Archived WAL start LSN"
+        - last_failed_wal_start_lsn:
+            usage: "GAUGE"
+            description: "Last failed WAL LSN"
+        - stats_reset_time:
+            usage: "GAUGE"
+            description: "Time at which these statistics were last reset"
+
+    pg_stat_bgwriter:
+      runonserver: "<17.0.0"
+      query: |
+        SELECT checkpoints_timed
+          , checkpoints_req
+          , checkpoint_write_time
+          , checkpoint_sync_time
+          , buffers_checkpoint
+          , buffers_clean
+          , maxwritten_clean
+          , buffers_backend
+          , buffers_backend_fsync
+          , buffers_alloc
+        FROM pg_catalog.pg_stat_bgwriter
+      metrics:
+        - checkpoints_timed:
+            usage: "COUNTER"
+            description: "Number of scheduled checkpoints that have been performed"
+        - checkpoints_req:
+            usage: "COUNTER"
+            description: "Number of requested checkpoints that have been performed"
+        - checkpoint_write_time:
+            usage: "COUNTER"
+            description: "Total amount of time that has been spent in the portion of checkpoint processing where files are written to disk, in milliseconds"
+        - checkpoint_sync_time:
+            usage: "COUNTER"
+            description: "Total amount of time that has been spent in the portion of checkpoint processing where files are synchronized to disk, in milliseconds"
+        - buffers_checkpoint:
+            usage: "COUNTER"
+            description: "Number of buffers written during checkpoints"
+        - buffers_clean:
+            usage: "COUNTER"
+            description: "Number of buffers written by the background writer"
+        - maxwritten_clean:
+            usage: "COUNTER"
+            description: "Number of times the background writer stopped a cleaning scan because it had written too many buffers"
+        - buffers_backend:
+            usage: "COUNTER"
+            description: "Number of buffers written directly by a backend"
+        - buffers_backend_fsync:
+            usage: "COUNTER"
+            description: "Number of times a backend had to execute its own fsync call (normally the background writer handles those even when the backend does its own write)"
+        - buffers_alloc:
+            usage: "COUNTER"
+            description: "Number of buffers allocated"
+
+    pg_stat_bgwriter_17:
+      runonserver: ">=17.0.0"
+      name: pg_stat_bgwriter
+      query: |
+        SELECT buffers_clean
+          , maxwritten_clean
+          , buffers_alloc
+          , EXTRACT(EPOCH FROM stats_reset) AS stats_reset_time
+        FROM pg_catalog.pg_stat_bgwriter
+      metrics:
+        - buffers_clean:
+            usage: "COUNTER"
+            description: "Number of buffers written by the background writer"
+        - maxwritten_clean:
+            usage: "COUNTER"
+            description: "Number of times the background writer stopped a cleaning scan because it had written too many buffers"
+        - buffers_alloc:
+            usage: "COUNTER"
+            description: "Number of buffers allocated"
+        - stats_reset_time:
+            usage: "GAUGE"
+            description: "Time at which these statistics were last reset"
+
+    pg_stat_checkpointer:
+      runonserver: ">=17.0.0"
+      query: |
+        SELECT num_timed AS checkpoints_timed
+          , num_requested AS checkpoints_req
+          , restartpoints_timed
+          , restartpoints_req
+          , restartpoints_done
+          , write_time
+          , sync_time
+          , buffers_written
+          , EXTRACT(EPOCH FROM stats_reset) AS stats_reset_time
+        FROM pg_catalog.pg_stat_checkpointer
+      metrics:
+        - checkpoints_timed:
+            usage: "COUNTER"
+            description: "Number of scheduled checkpoints that have been performed"
+        - checkpoints_req:
+            usage: "COUNTER"
+            description: "Number of requested checkpoints that have been performed"
+        - restartpoints_timed:
+            usage: "COUNTER"
+            description: "Number of scheduled restartpoints due to timeout or after a failed attempt to perform it"
+        - restartpoints_req:
+            usage: "COUNTER"
+            description: "Number of requested restartpoints that have been performed"
+        - restartpoints_done:
+            usage: "COUNTER"
+            description: "Number of restartpoints that have been performed"
+        - write_time:
+            usage: "COUNTER"
+            description: "Total amount of time that has been spent in the portion of processing checkpoints and restartpoints where files are written to disk, in milliseconds"
+        - sync_time:
+            usage: "COUNTER"
+            description: "Total amount of time that has been spent in the portion of processing checkpoints and restartpoints where files are synchronized to disk, in milliseconds"
+        - buffers_written:
+            usage: "COUNTER"
+            description: "Number of buffers written during checkpoints and restartpoints"
+        - stats_reset_time:
+            usage: "GAUGE"
+            description: "Time at which these statistics were last reset"
+
+    pg_stat_database:
+      query: |
+        SELECT datname
+          , xact_commit
+          , xact_rollback
+          , blks_read
+          , blks_hit
+          , tup_returned
+          , tup_fetched
+          , tup_inserted
+          , tup_updated
+          , tup_deleted
+          , conflicts
+          , temp_files
+          , temp_bytes
+          , deadlocks
+          , blk_read_time
+          , blk_write_time
+        FROM pg_catalog.pg_stat_database
+      metrics:
+        - datname:
+            usage: "LABEL"
+            description: "Name of this database"
+        - xact_commit:
+            usage: "COUNTER"
+            description: "Number of transactions in this database that have been committed"
+        - xact_rollback:
+            usage: "COUNTER"
+            description: "Number of transactions in this database that have been rolled back"
+        - blks_read:
+            usage: "COUNTER"
+            description: "Number of disk blocks read in this database"
+        - blks_hit:
+            usage: "COUNTER"
+            description: "Number of times disk blocks were found already in the buffer cache, so that a read was not necessary (this only includes hits in the PostgreSQL buffer cache, not the operating system's file system cache)"
+        - tup_returned:
+            usage: "COUNTER"
+            description: "Number of rows returned by queries in this database"
+        - tup_fetched:
+            usage: "COUNTER"
+            description: "Number of rows fetched by queries in this database"
+        - tup_inserted:
+            usage: "COUNTER"
+            description: "Number of rows inserted by queries in this database"
+        - tup_updated:
+            usage: "COUNTER"
+            description: "Number of rows updated by queries in this database"
+        - tup_deleted:
+            usage: "COUNTER"
+            description: "Number of rows deleted by queries in this database"
+        - conflicts:
+            usage: "COUNTER"
+            description: "Number of queries canceled due to conflicts with recovery in this database"
+        - temp_files:
+            usage: "COUNTER"
+            description: "Number of temporary files created by queries in this database"
+        - temp_bytes:
+            usage: "COUNTER"
+            description: "Total amount of data written to temporary files by queries in this database"
+        - deadlocks:
+            usage: "COUNTER"
+            description: "Number of deadlocks detected in this database"
+        - blk_read_time:
+            usage: "COUNTER"
+            description: "Time spent reading data file blocks by backends in this database, in milliseconds"
+        - blk_write_time:
+            usage: "COUNTER"
+            description: "Time spent writing data file blocks by backends in this database, in milliseconds"
+
+    pg_stat_replication:
+      primary: true
+      query: |
+       SELECT usename
+         , COALESCE(application_name, '') AS application_name
+         , COALESCE(client_addr::text, '') AS client_addr
+         , COALESCE(client_port::text, '') AS client_port
+         , EXTRACT(EPOCH FROM backend_start) AS backend_start
+         , COALESCE(pg_catalog.age(backend_xmin), 0) AS backend_xmin_age
+         , pg_catalog.pg_wal_lsn_diff(pg_catalog.pg_current_wal_lsn(), sent_lsn) AS sent_diff_bytes
+         , pg_catalog.pg_wal_lsn_diff(pg_catalog.pg_current_wal_lsn(), write_lsn) AS write_diff_bytes
+         , pg_catalog.pg_wal_lsn_diff(pg_catalog.pg_current_wal_lsn(), flush_lsn) AS flush_diff_bytes
+         , COALESCE(pg_catalog.pg_wal_lsn_diff(pg_catalog.pg_current_wal_lsn(), replay_lsn),0) AS replay_diff_bytes
+         , COALESCE((EXTRACT(EPOCH FROM write_lag)),0)::float AS write_lag_seconds
+         , COALESCE((EXTRACT(EPOCH FROM flush_lag)),0)::float AS flush_lag_seconds
+         , COALESCE((EXTRACT(EPOCH FROM replay_lag)),0)::float AS replay_lag_seconds
+       FROM pg_catalog.pg_stat_replication
+      metrics:
+        - usename:
+            usage: "LABEL"
+            description: "Name of the replication user"
+        - application_name:
+            usage: "LABEL"
+            description: "Name of the application"
+        - client_addr:
+            usage: "LABEL"
+            description: "Client IP address"
+        - client_port:
+            usage: "LABEL"
+            description: "Client TCP port"
+        - backend_start:
+            usage: "COUNTER"
+            description: "Time when this process was started"
+        - backend_xmin_age:
+            usage: "COUNTER"
+            description: "The age of this standby's xmin horizon"
+        - sent_diff_bytes:
+            usage: "GAUGE"
+            description: "Difference in bytes from the last write-ahead log location sent on this connection"
+        - write_diff_bytes:
+            usage: "GAUGE"
+            description: "Difference in bytes from the last write-ahead log location written to disk by this standby server"
+        - flush_diff_bytes:
+            usage: "GAUGE"
+            description: "Difference in bytes from the last write-ahead log location flushed to disk by this standby server"
+        - replay_diff_bytes:
+            usage: "GAUGE"
+            description: "Difference in bytes from the last write-ahead log location replayed into the database on this standby server"
+        - write_lag_seconds:
+            usage: "GAUGE"
+            description: "Time elapsed between flushing recent WAL locally and receiving notification that this standby server has written it"
+        - flush_lag_seconds:
+            usage: "GAUGE"
+            description: "Time elapsed between flushing recent WAL locally and receiving notification that this standby server has written and flushed it"
+        - replay_lag_seconds:
+            usage: "GAUGE"
+            description: "Time elapsed between flushing recent WAL locally and receiving notification that this standby server has written, flushed and applied it"
+
+    pg_settings:
+      query: |
+        SELECT name,
+        CASE setting WHEN 'on' THEN '1' WHEN 'off' THEN '0' ELSE setting END AS setting
+        FROM pg_catalog.pg_settings
+        WHERE vartype IN ('integer', 'real', 'bool')
+        ORDER BY 1
+      metrics:
+        - name:
+            usage: "LABEL"
+            description: "Name of the setting"
+        - setting:
+            usage: "GAUGE"
+            description: "Setting value"

cnpg/operators/charts/ext-postgres-operator-1.2.6/ext-postgres-operator/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

cnpg/operators/charts/ext-postgres-operator-1.2.6/ext-postgres-operator/Chart.yaml

@@ -0,0 +1,8 @@
+apiVersion: v2
+appVersion: 1.3.3
+description: 'A Helm chart for the External Postgres operator  helm repo add ext-postgres-operator
+  https://movetokube.github.io/postgres-operator/ helm upgrade --install -n operators
+  ext-postgres-operator  ext-postgres-operator/ext-postgres-operator --version 1.2.3 '
+name: ext-postgres-operator
+type: application
+version: 1.2.6

cnpg/operators/charts/ext-postgres-operator-1.2.6/ext-postgres-operator/crds/db.movetokube.com_postgres_crd.yaml

@@ -0,0 +1,90 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: postgres.db.movetokube.com
+spec:
+  group: db.movetokube.com
+  names:
+    kind: Postgres
+    listKind: PostgresList
+    plural: postgres
+    singular: postgres
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: Postgres is the Schema for the postgres API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: PostgresSpec defines the desired state of Postgres
+            properties:
+              database:
+                type: string
+              dropOnDelete:
+                type: boolean
+              extensions:
+                items:
+                  type: string
+                type: array
+                x-kubernetes-list-type: set
+              masterRole:
+                type: string
+              schemas:
+                items:
+                  type: string
+                type: array
+                x-kubernetes-list-type: set
+            required:
+            - database
+            type: object
+          status:
+            description: PostgresStatus defines the observed state of Postgres
+            properties:
+              extensions:
+                items:
+                  type: string
+                type: array
+                x-kubernetes-list-type: set
+              roles:
+                description: PostgresRoles stores the different group roles for database
+                properties:
+                  owner:
+                    type: string
+                  reader:
+                    type: string
+                  writer:
+                    type: string
+                required:
+                - owner
+                - reader
+                - writer
+                type: object
+              schemas:
+                items:
+                  type: string
+                type: array
+                x-kubernetes-list-type: set
+              succeeded:
+                type: boolean
+            required:
+            - roles
+            - succeeded
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}

cnpg/operators/charts/ext-postgres-operator-1.2.6/ext-postgres-operator/crds/db.movetokube.com_postgresusers_crd.yaml

@@ -0,0 +1,79 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: postgresusers.db.movetokube.com
+spec:
+  group: db.movetokube.com
+  names:
+    kind: PostgresUser
+    listKind: PostgresUserList
+    plural: postgresusers
+    singular: postgresuser
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: PostgresUser is the Schema for the postgresusers API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: PostgresUserSpec defines the desired state of PostgresUser
+            properties:
+              annotations:
+                additionalProperties:
+                  type: string
+                type: object
+              database:
+                type: string
+              privileges:
+                type: string
+              role:
+                type: string
+              secretName:
+                type: string
+              secretTemplate:
+                additionalProperties:
+                  type: string
+                type: object
+            required:
+            - database
+            - role
+            - secretName
+            type: object
+          status:
+            description: PostgresUserStatus defines the observed state of PostgresUser
+            properties:
+              databaseName:
+                type: string
+              postgresGroup:
+                type: string
+              postgresLogin:
+                type: string
+              postgresRole:
+                type: string
+              succeeded:
+                type: boolean
+            required:
+            - databaseName
+            - postgresGroup
+            - postgresLogin
+            - postgresRole
+            - succeeded
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}

cnpg/operators/charts/ext-postgres-operator-1.2.6/ext-postgres-operator/templates/_helpers.tpl

@@ -0,0 +1,63 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "chart.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "chart.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "chart.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "chart.labels" -}}
+helm.sh/chart: {{ include "chart.chart" . }}
+{{ include "chart.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "chart.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "chart.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{- define "chart.selectorLabelsDev" -}}
+app.kubernetes.io/name: {{ include "chart.name" . }}-dev
+app.kubernetes.io/instance: {{ .Release.Name }}-dev
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "chart.serviceAccountName" -}}
+{{- default (include "chart.fullname" .) .Values.serviceAccount.name }}
+{{- end }}

cnpg/operators/charts/ext-postgres-operator-1.2.6/ext-postgres-operator/templates/operator.yaml

@@ -0,0 +1,67 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "chart.fullname" . }}
+  labels:
+    {{- include "chart.labels" . | nindent 4 }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  replicas: {{ .Values.replicaCount }}
+  selector:
+    matchLabels:
+      {{- include "chart.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "chart.selectorLabels" . | nindent 8 }}
+        {{- with .Values.podLabels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+    spec:
+      serviceAccountName: {{ include "chart.serviceAccountName" . }}
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      containers:
+        - name: {{ .Chart.Name }}
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          command:
+          - postgres-operator
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          envFrom:
+            - secretRef:
+                {{- if .Values.existingSecret }}
+                name: {{ .Values.existingSecret }}
+                {{- else }}
+                name: {{ include "chart.fullname" . }}
+                {{- end }}
+          env:
+            - name: WATCH_NAMESPACE
+              value: {{ .Values.watchNamespace | default "" }}
+            - name: POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            - name: OPERATOR_NAME
+              value: {{ include "chart.fullname" . }}
+            {{- range $key, $value := .Values.env }}
+            - name: {{ $key }}
+              value: {{ $value | quote }}
+            {{- end }}
+          {{- if .Values.volumeMounts }}
+          volumeMounts:
+            {{- toYaml .Values.volumeMounts | nindent 12 }}
+          {{- end }}
+      {{- if .Values.volumes }}
+      volumes:
+        {{- toYaml .Values.volumes | nindent 8 }}
+      {{- end }}
+      nodeSelector:
+        {{- toYaml .Values.nodeSelector | nindent 8 }}
+      tolerations:
+        {{- toYaml .Values.tolerations | nindent 8 }}

cnpg/operators/charts/ext-postgres-operator-1.2.6/ext-postgres-operator/templates/role.yaml

@@ -0,0 +1,42 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "chart.fullname" . }}
+  labels:
+    {{- include "chart.labels" . | nindent 4 }}
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  - services
+  - endpoints
+  - persistentvolumeclaims
+  - events
+  - configmaps
+  - secrets
+  verbs:
+  - '*'
+- apiGroups:
+  - apps
+  resources:
+  - deployments
+  - daemonsets
+  - replicasets
+  - statefulsets
+  verbs:
+  - '*'
+- apiGroups:
+  - apps
+  resourceNames:
+  - ext-postgres-operator
+  resources:
+  - deployments/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - db.movetokube.com
+  resources:
+  - '*'
+  verbs:
+  - '*'

cnpg/operators/charts/ext-postgres-operator-1.2.6/ext-postgres-operator/templates/role_binding.yaml

@@ -0,0 +1,14 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "chart.fullname" . }}
+  labels:
+    {{- include "chart.labels" . | nindent 4 }}
+subjects:
+- kind: ServiceAccount
+  name: {{ include "chart.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: {{ include "chart.serviceAccountName" . }}
+  apiGroup: rbac.authorization.k8s.io

cnpg/operators/charts/ext-postgres-operator-1.2.6/ext-postgres-operator/templates/secret.yaml

@@ -0,0 +1,20 @@
+{{- if (not .Values.existingSecret) }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  annotations:
+    "helm.sh/resource-policy": keep
+  name: {{ include "chart.fullname" . }}
+  namespace: {{ .Release.namespace }}
+  labels:
+    {{- include "chart.labels" . | nindent 4 }}
+type: Opaque
+data:
+  POSTGRES_HOST: {{ .Values.postgres.host | b64enc | quote }}
+  POSTGRES_USER: {{ .Values.postgres.user | b64enc | quote }}
+  POSTGRES_PASS: {{ .Values.postgres.password | b64enc | quote }}
+  POSTGRES_URI_ARGS: {{ .Values.postgres.uri_args | b64enc | quote }}
+  POSTGRES_CLOUD_PROVIDER: {{ .Values.postgres.cloud_provider | b64enc | quote }}
+  POSTGRES_DEFAULT_DATABASE: {{ .Values.postgres.default_database | b64enc | quote }}
+{{- end }}

cnpg/operators/charts/ext-postgres-operator-1.2.6/ext-postgres-operator/templates/serviceaccount.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "chart.serviceAccountName" . }}
+  labels:
+    {{- include "chart.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  namespace: {{ .Release.Namespace }}
+

cnpg/operators/charts/ext-postgres-operator-1.2.6/ext-postgres-operator/values.yaml

@@ -0,0 +1,77 @@
+# Default values for chart.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+replicaCount: 1
+
+image:
+  repository: ghcr.io/movetokube/postgres-operator
+  pullPolicy: IfNotPresent
+  # Overrides the image tag whose default is the chart appVersion.
+  tag: ""
+
+# Override chart name, defaults to Chart.name
+nameOverride: ""
+# Full chart name override
+fullnameOverride: ""
+
+serviceAccount:
+  # Annotations to add to the service account
+  annotations: {}
+  # The name of the service account to use.
+  # If not set and create is true, a name is generated using the fullname template
+  name: ""
+
+podAnnotations: {}
+
+# Additionnal labels to add to the pod.
+podLabels: {}
+
+podSecurityContext: {}
+  # fsGroup: 2000
+
+resources: {}
+  # We usually recommend not to specify default resources and to leave this as a conscious
+  # choice for the user. This also increases chances charts run on environments with little
+  # resources, such as Minikube. If you do want to specify resources, uncomment the following
+  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+  # limits:
+  #   cpu: 100m
+  #   memory: 128Mi
+  # requests:
+  #   cpu: 100m
+  #   memory: 128Mi
+
+# Which namespace to watch in kubernetes, empty string means all namespaces
+watchNamespace: ""
+
+# Define connection to postgres database server
+postgres:
+  # postgres hostname
+  host: "localhost"
+  # postgres admin user and password
+  user: "admin"
+  password: "password"
+  # additional connection args to pg driver
+  uri_args: ""
+  # postgres cloud provider, could be AWS, Azure, GCP or empty (default)
+  cloud_provider: ""
+  # default database to use
+  default_database: "postgres"
+
+# Volumes to add to the pod.
+volumes: []
+
+# Volumes to mount onto the pod.
+volumeMounts: []
+
+# Existing secret where values to connect to Postgres are defined.
+# If not set a new secret will be created, filled with information under the postgres key above.
+existingSecret: ""
+
+# Additionnal environment variables to add to the pod (map of key / value)
+env: {}
+
+nodeSelector: {}
+
+tolerations: []

cnpg/operators/kustomization.yaml

@@ -2,18 +2,15 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
 resources:
+  - resources/namespace.yaml
   - resources/secrets/ext-pgo-creds.yaml
   - resources/secrets/ext-pgo-admin.yaml
-  - resources/secrets/cnpg-backup-creds.yaml
-  - resources/cluster.yaml
-  - resources/backup.yaml
-  - resources/pool.yaml
 
 helmCharts:
   - releaseName: cnpg
     name: cloudnative-pg
     repo: https://cloudnative-pg.github.io/charts
-    version: 0.22.0
+    version: 0.23.0
     valuesFile: config/values.cnpg.yaml
     namespace: postgres-system
     includeCRDs: true
@@ -23,5 +20,5 @@ helmCharts:
     repo: https://movetokube.github.io/postgres-operator/
     version: 1.2.6
     valuesFile: config/values.ext-pgo.yaml
-    namespace: postgres
+    namespace: postgres-system
     includeCRDs: true

cnpg/operators/resources/namespace.yaml

@@ -0,0 +1,14 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: postgres-system
+  labels:
+    prometheus: default
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: postgres
+  labels:
+    prometheus: default

cnpg/resources/secrets/ext-pgo-admin.yaml

@@ -1,8 +0,0 @@
-age-encryption.org/v1
--> X25519 SQkKLcgCsGBZ6FM800HldDftkLV/u53xliCGnGU6Gz0
-TvQkvxIdoIydgUshJXYai2pJjo/GsEklyGfba/zj31Y
--> X25519 V60zpoLahYcT/dGVnixvv471qCE8xAOP+LoAdq04ryM
-q7iTcIfP6xgpJaQZJuW0kpY9dEwbwsleyyorsFK4atA
---- W40yHxyT9ZMPvnQ0WYg7K1sG0qd4loHmyW6HYZL5zBM
-#Wøü5+D`é‚H‹UŠdNSÆ<53>f.vC]uÎö•ù"¼ègÙÝüfp:¬<C2AC>ϬNB”æ<E2809D>vúõè¢	O%3cÖòQü9m(ÓEäùØKµ×4ÞÌùgÜžo&€vztëPÞˆþñ2	ºª––
<02>æð>&Z{Î'<27>§QôÉj<C389>Ä:ƒ¡¶ø܈‡
	ƒæ"Céœk‹¤£ÚÄ)Þ‰V1åÎÏV]
-¥å·õñÄ'°s¨w±~ÊoEƒûæ•F¾hÍS	7¤‘}'&[–ÞlÍÝÖUM×îÃ=ÿwŽ

coder/kustomization.yaml

@@ -15,6 +15,6 @@ helmCharts:
     repo: https://helm.coder.com/v2
     releaseName: coder
     namespace: coder
-    version: "2.14.2"
+    version: "2.18.3"
     valuesFile: config/values.coder.yml
     skipTests: true

contour/kustomization.yaml

@@ -6,7 +6,7 @@ namespace: projectcontour
 images:
 - name: contour
   newName: ghcr.io/projectcontour/contour
-  newTag: v1.30.0
+  newTag: v1.30.2
 
 resources:
   - crds/contour.yaml

contour/resources/default_gateway.yaml

@@ -9,13 +9,12 @@ metadata:
 spec:
   gatewayClassName: contour
   listeners:
-
     - name: snips-ssh
       protocol: TCP
       port: 2222
       allowedRoutes:
         kinds:
-        - kind: TCPRoute
+          - kind: TCPRoute
         namespaces:
           from: All
 
@@ -52,12 +51,13 @@ spec:
         mode: Terminate
         certificateRefs:
           - name: forgejo-tls
+
     - name: ssh
       protocol: TCP
       port: 22
       allowedRoutes:
         kinds:
-        - kind: TCPRoute
+          - kind: TCPRoute
         namespaces:
           from: Selector
           selector:
@@ -109,21 +109,6 @@ spec:
         certificateRefs:
           - name: coder-port-forwards-tls
 
-    - name: garage-s3-subdomains
-      hostname: "*.s3.icb4dc0.de"
-      port: 443
-      protocol: HTTPS
-      allowedRoutes:
-        namespaces:
-          from: Selector
-          selector:
-            matchLabels:
-              kubernetes.io/metadata.name: garage
-      tls:
-        mode: Terminate
-        certificateRefs:
-          - name: garage-s3-subdomains-tls
-
     - name: buildr-fider-community
       hostname: community.buildr.icb4dc0.de
       port: 443
@@ -169,8 +154,8 @@ spec:
         certificateRefs:
           - name: fider-login-tls
 
-    - name: git-age-docs
-      hostname: "docs.git-age.icb4dc0.de"
+    - name: supabase-operator-docs
+      hostname: "docs.supabase-operator.icb4dc0.de"
       port: 443
       protocol: HTTPS
       allowedRoutes:
@@ -178,8 +163,8 @@ spec:
           from: Selector
           selector:
             matchLabels:
-              kubernetes.io/metadata.name: garage
+              kubernetes.io/metadata.name: functions
       tls:
         mode: Terminate
         certificateRefs:
-          - name: git-age-docs-tls
+          - name: supabase-operator-docs-tls

descheduler/config/policy.yaml

@@ -0,0 +1,26 @@
+apiVersion: "descheduler/v1alpha2"
+kind: "DeschedulerPolicy"
+profiles:
+  - name: ProfileName
+    pluginConfig:
+      - name: "DefaultEvictor"
+      - name: "RemovePodsViolatingInterPodAntiAffinity"
+      - name: "RemoveDuplicates"
+      - name: "LowNodeUtilization"
+        args:
+          thresholds:
+            "cpu": 30
+            "memory": 30
+            "pods": 30
+          targetThresholds:
+            "cpu": 60
+            "memory": 60
+            "pods": 60
+    plugins:
+      balance:
+        enabled:
+          - "LowNodeUtilization"
+          - "RemoveDuplicates"
+      deschedule:
+        enabled:
+          - "RemovePodsViolatingInterPodAntiAffinity"

descheduler/kustomization.yaml

@@ -0,0 +1,16 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: kube-system
+
+resources:
+  - https://github.com/kubernetes-sigs/descheduler/kubernetes/deployment?ref=v0.32.1
+
+configMapGenerator:
+  - name: descheduler-policy-configmap
+    namespace: kube-system
+    behavior: merge
+    options:
+      disableNameSuffixHash: true
+    files:
+      - config/policy.yaml

dragonfly-operator/kustomization.yaml

@@ -9,7 +9,7 @@ images:
   newTag: v0.16.0
 - name: dragonfly-operator
   newName: docker.dragonflydb.io/dragonflydb/operator
-  newTag: v1.1.7
+  newTag: v1.1.8
 
 
 resources:

ente/config/bucket-cors-policy.json

@@ -0,0 +1,16 @@
+{
+  "CORSRules": [
+    {
+      "AllowedOrigins": ["*"],
+      "AllowedMethods": ["GET", "PUT", "POST"],
+      "AllowedHeaders": ["*"],
+      "ExposeHeaders": [
+        "x-amz-server-side-encryption",
+        "x-amz-request-id",
+        "x-amz-id-2",
+        "ETag"
+      ],
+      "MaxAgeSeconds": 600
+    }
+  ]
+}

ente/config/museum.yaml

@@ -1,77 +1,80 @@
-log-file: "/var/log/ente/museum.log"
+# log-file: "/var/log/ente/museum.log"
 
 # HTTP connection parameters
 http:
-    # If true, bind to 443 and use TLS.
-    # By default, this is false, and museum will bind to 8080 without TLS.
-    # use-tls: true
+  # If true, bind to 443 and use TLS.
+  # By default, this is false, and museum will bind to 8080 without TLS.
+  # use-tls: true
 
 # Specify the base endpoints for various apps
 apps:
-    # Default is https://albums.ente.io
-    #
-    # If you're running a self hosted instance and wish to serve public links,
-    # set this to the URL where your albums web app is running.
-    public-albums: https://albums.ente.icb4dc0.de
+  # Default is https://albums.ente.io
+  #
+  # If you're running a self hosted instance and wish to serve public links,
+  # set this to the URL where your albums web app is running.
+  public-albums: https://albums.ente.icb4dc0.de
 
+cache:
+  type: redis
+  connectionString: redis://ente-musuem-cache:6379/0
 
 # Various low-level configuration options
 internal:
-    # If false (the default), then museum will notify the external world of
-    # various events. E.g, email users about their storage being full, send
-    # alerts to Discord, etc.
-    #
-    # It can be set to true when running a "read only" instance like a backup
-    # restoration test, where we want to be able to access data but otherwise
-    # minimize external side effects.
-    silent: false
-    # If provided, this external healthcheck url is periodically pinged.
-    health-check-url:
-    # Hardcoded verification codes, useful for logging in when developing.
-    #
-    # Uncomment this and set these to your email ID or domain so that you don't
-    # need to peek into the server logs for obtaining the OTP when trying to log
-    # into an instance you're developing on.
-    # hardcoded-ott:
-    #     emails:
-    #         - "example@example.org,123456"
-    #     # When running in a local environment, hardcode the verification code to
-    #     # 123456 for email addresses ending with @example.org
-    #     local-domain-suffix: "@example.org"
-    #     local-domain-value: 123456
-    # List of user IDs that can use the admin API endpoints.
-    admins:
-        - 1580559962386438
+  # If false (the default), then museum will notify the external world of
+  # various events. E.g, email users about their storage being full, send
+  # alerts to Discord, etc.
+  #
+  # It can be set to true when running a "read only" instance like a backup
+  # restoration test, where we want to be able to access data but otherwise
+  # minimize external side effects.
+  silent: false
+  # If provided, this external healthcheck url is periodically pinged.
+  health-check-url:
+  # Hardcoded verification codes, useful for logging in when developing.
+  #
+  # Uncomment this and set these to your email ID or domain so that you don't
+  # need to peek into the server logs for obtaining the OTP when trying to log
+  # into an instance you're developing on.
+  # hardcoded-ott:
+  #     emails:
+  #         - "example@example.org,123456"
+  #     # When running in a local environment, hardcode the verification code to
+  #     # 123456 for email addresses ending with @example.org
+  #     local-domain-suffix: "@example.org"
+  #     local-domain-value: 123456
+  # List of user IDs that can use the admin API endpoints.
+  admins:
+    - 1580559962386438
 
 # Replication config
 #
 # If enabled, replicate each file to 2 other data centers after it gets
 # successfully uploaded to the primary hot storage.
 replication:
-    enabled: false
-    # The Cloudflare worker to use to download files from the primary hot
-    # bucket. Must be specified if replication is enabled.
-    worker-url:
-    # Number of go routines to spawn for replication
-    # This is not related to the worker-url above.
-    # Optional, default value is indicated here.
-    worker-count: 6
-    # Where to store temporary objects during replication v3
-    # Optional, default value is indicated here.
-    tmp-storage: tmp/replication
+  enabled: false
+  # The Cloudflare worker to use to download files from the primary hot
+  # bucket. Must be specified if replication is enabled.
+  worker-url:
+  # Number of go routines to spawn for replication
+  # This is not related to the worker-url above.
+  # Optional, default value is indicated here.
+  worker-count: 6
+  # Where to store temporary objects during replication v3
+  # Optional, default value is indicated here.
+  tmp-storage: tmp/replication
 
 # Configuration for various background / cron jobs.
 jobs:
-    cron:
-        # Instances run various cleanup, sending emails and other cron jobs. Use
-        # this flag to disable all these cron jobs.
-        skip: false
-    remove-unreported-objects:
-        # Number of go routines to spawn for object cleanup
-        # Optional, default value is indicated here.
-        worker-count: 1
-    clear-orphan-objects:
-        # By default, this job is disabled.
-        enabled: false
-        # If provided, only objects that begin with this prefix are pruned.
-        prefix: ""
+  cron:
+    # Instances run various cleanup, sending emails and other cron jobs. Use
+    # this flag to disable all these cron jobs.
+    skip: false
+  remove-unreported-objects:
+    # Number of go routines to spawn for object cleanup
+    # Optional, default value is indicated here.
+    worker-count: 1
+  clear-orphan-objects:
+    # By default, this job is disabled.
+    enabled: false
+    # If provided, only objects that begin with this prefix are pruned.
+    prefix: ""

ente/kustomization.yaml

@@ -5,33 +5,38 @@ namespace: ente
 namePrefix: ente-
 
 images:
+  # - name: museum
+  #   newName: ghcr.io/ente-io/server
+  #   newTag: cdbf8c5f0971cb383df03c6b2f72ffb85387beef
   - name: museum
-    newName: ghcr.io/ente-io/server
-    newTag: cdbf8c5f0971cb383df03c6b2f72ffb85387beef
+    newName: code.icb4dc0.de/infrastructure/images/ente/musuem
+    newTag: latest
+    digest: sha256:08b6fd823efc15a38592a808840012a7ad13cccb645f88dfe981c50fcca8798a
   - name: photos
     newName: code.icb4dc0.de/infrastructure/images/ente/photos
-    newTag: v0.9.27
+    newTag: v0.9.81
   - name: cast
     newName: code.icb4dc0.de/infrastructure/images/ente/cast
-    newTag: v0.9.27
+    newTag: v0.9.81
 
 labels:
-- includeSelectors: true
-  pairs:
-    app.kubernetes.io/instance: ente
-    app.kubernetes.io/managed-by: kustomize
+  - includeSelectors: true
+    pairs:
+      app.kubernetes.io/instance: ente
+      app.kubernetes.io/managed-by: kustomize
 
 resources:
-- resources/namespace.yaml
-- resources/museum/db/db.yaml
-- resources/museum/db/user.yaml
-- resources/museum/deployment.yaml
-- resources/museum/service.yaml
-- resources/photos/deployment.yaml
-- resources/photos/service.yaml
-- resources/cast/deployment.yaml
-- resources/cast/service.yaml
-- resources/http_routes.yaml
+  - resources/namespace.yaml
+  - resources/museum/db/db.yaml
+  - resources/museum/db/user.yaml
+  - resources/museum/cache.yaml
+  - resources/museum/deployment.yaml
+  - resources/museum/service.yaml
+  - resources/photos/deployment.yaml
+  - resources/photos/service.yaml
+  - resources/cast/deployment.yaml
+  - resources/cast/service.yaml
+  - resources/http_routes.yaml
 
 configMapGenerator:
   - name: museum-config

ente/resources/cast/deployment.yaml

@@ -5,6 +5,7 @@ metadata:
   name: cast
 spec:
   replicas: 2
+  revisionHistoryLimit: 3
   selector:
     matchLabels:
       app.kubernetes.io/name: cast

ente/resources/http_routes.yaml

@@ -5,20 +5,36 @@ metadata:
   name: http
 spec:
   parentRefs:
-  - name: contour
-    sectionName: http
-    namespace: projectcontour
+    - name: contour
+      sectionName: http
+      namespace: projectcontour
   hostnames:
-  - ente.icb4dc0.de
-  - api.ente.icb4dc0.de
-  - albums.ente.icb4dc0.de
-  - cast.ente.icb4dc0.de
+    - ente.icb4dc0.de
+    - api.ente.icb4dc0.de
+    - albums.ente.icb4dc0.de
+    - cast.ente.icb4dc0.de
   rules:
-  - filters:
-    - type: RequestRedirect
-      requestRedirect:
-        scheme: https
-        statusCode: 301
+    - filters:
+        - type: RequestRedirect
+          requestRedirect:
+            scheme: https
+            statusCode: 301
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: s3-api
+spec:
+  parentRefs:
+    - name: contour
+      sectionName: ente-endpoints
+      namespace: projectcontour
+  hostnames:
+    - s3.ente.icb4dc0.de
+  rules:
+    - backendRefs:
+        - name: ente-s3-cors-proxy
+          port: 80
 ---
 apiVersion: gateway.networking.k8s.io/v1
 kind: HTTPRoute
@@ -26,15 +42,15 @@ metadata:
   name: https-api
 spec:
   parentRefs:
-  - name: contour
-    sectionName: ente-endpoints
-    namespace: projectcontour
+    - name: contour
+      sectionName: ente-endpoints
+      namespace: projectcontour
   hostnames:
-  - api.ente.icb4dc0.de
+    - api.ente.icb4dc0.de
   rules:
-  - backendRefs:
-    - name: ente-museum
-      port: 8080
+    - backendRefs:
+        - name: ente-museum
+          port: 8080
 ---
 apiVersion: gateway.networking.k8s.io/v1
 kind: HTTPRoute
@@ -42,15 +58,15 @@ metadata:
   name: https-photos
 spec:
   parentRefs:
-  - name: contour
-    sectionName: https
-    namespace: projectcontour
+    - name: contour
+      sectionName: https
+      namespace: projectcontour
   hostnames:
-  - ente.icb4dc0.de
+    - ente.icb4dc0.de
   rules:
-  - backendRefs:
-    - name: ente-photos
-      port: 3000
+    - backendRefs:
+        - name: ente-photos
+          port: 3000
 ---
 apiVersion: gateway.networking.k8s.io/v1
 kind: HTTPRoute
@@ -58,15 +74,15 @@ metadata:
   name: https-albums
 spec:
   parentRefs:
-  - name: contour
-    sectionName: ente-endpoints
-    namespace: projectcontour
+    - name: contour
+      sectionName: ente-endpoints
+      namespace: projectcontour
   hostnames:
-  - albums.ente.icb4dc0.de
+    - albums.ente.icb4dc0.de
   rules:
-  - backendRefs:
-    - name: ente-photos
-      port: 3000
+    - backendRefs:
+        - name: ente-photos
+          port: 3000
 ---
 apiVersion: gateway.networking.k8s.io/v1
 kind: HTTPRoute
@@ -74,12 +90,12 @@ metadata:
   name: https-cast
 spec:
   parentRefs:
-  - name: contour
-    sectionName: ente-endpoints
-    namespace: projectcontour
+    - name: contour
+      sectionName: ente-endpoints
+      namespace: projectcontour
   hostnames:
-  - cast.ente.icb4dc0.de
+    - cast.ente.icb4dc0.de
   rules:
-  - backendRefs:
-    - name: ente-cast
-      port: 3000
+    - backendRefs:
+        - name: ente-cast
+          port: 3000

ente/resources/museum/cache.yaml

@@ -0,0 +1,20 @@
+---
+apiVersion: dragonflydb.io/v1alpha1
+kind: Dragonfly
+metadata:
+  name: musuem-cache
+  labels:
+    app.kubernetes.io/name: museum-cache
+    app.kubernetes.io/instance: museum
+    app.kubernetes.io/part-of: ente
+spec:
+  replicas: 2
+  nodeSelector:
+    kubernetes.io/arch: arm64
+  resources:
+    requests:
+      cpu: 50m
+      memory: 50Mi
+    limits:
+      cpu: 100m
+      memory: 350Mi

ente/resources/museum/deployment.yaml

@@ -4,6 +4,7 @@ metadata:
   name: museum
 spec:
   replicas: 2
+  revisionHistoryLimit: 3
   selector:
     matchLabels:
       app.kubernetes.io/name: museum
@@ -15,62 +16,62 @@ spec:
         app.kubernetes.io/part-of: ente
     spec:
       containers:
-      - name: museum
-        image: museum
-        env:
-          - name: ENTE_CREDENTIALS_FILE
-            value: /credentials.yaml
-          - name: ENTE_DB_HOST
-            valueFrom:
-              secretKeyRef:
-                name: ente-db-credentials-ente-ente
-                key: HOST
-          - name: ENTE_DB_NAME
-            valueFrom:
-              secretKeyRef:
-                name: ente-db-credentials-ente-ente
-                key: DATABASE_NAME
-          - name: ENTE_DB_USER
-            valueFrom:
-              secretKeyRef:
-                name: ente-db-credentials-ente-ente
-                key: LOGIN
-          - name: ENTE_DB_PASSWORD
-            valueFrom:
-              secretKeyRef:
-                name: ente-db-credentials-ente-ente
-                key: PASSWORD
-          - name: ENTE_DB_SSLMODE
-            value: require
-        resources:
-          requests:
-            memory: "64Mi"
-            cpu: "50m"
-          limits:
-            memory: "128Mi"
-            cpu: "250m"
-        ports:
-        - name: api
-          containerPort: 8080
-        - name: metrics
-          containerPort: 2112
-        readinessProbe:
-          httpGet:
-            path: /ping
-            port: 8080
-        livenessProbe:
-          httpGet:
-            path: /ping
-            port: 8080
-        volumeMounts:
-          - name: logs
-            mountPath: /var/log/ente
-          - name: config
-            mountPath: /museum.yaml
-            subPath: museum.yaml
-          - name: credentials
-            mountPath: /credentials.yaml
-            subPath: credentials.yaml
+        - name: museum
+          image: museum
+          env:
+            - name: ENTE_CREDENTIALS_FILE
+              value: /credentials.yaml
+            - name: ENTE_DB_HOST
+              valueFrom:
+                secretKeyRef:
+                  name: ente-db-credentials-ente-ente
+                  key: HOST
+            - name: ENTE_DB_NAME
+              valueFrom:
+                secretKeyRef:
+                  name: ente-db-credentials-ente-ente
+                  key: DATABASE_NAME
+            - name: ENTE_DB_USER
+              valueFrom:
+                secretKeyRef:
+                  name: ente-db-credentials-ente-ente
+                  key: LOGIN
+            - name: ENTE_DB_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: ente-db-credentials-ente-ente
+                  key: PASSWORD
+            - name: ENTE_DB_SSLMODE
+              value: require
+          resources:
+            requests:
+              memory: "64Mi"
+              cpu: "50m"
+            limits:
+              memory: "128Mi"
+              cpu: "250m"
+          ports:
+            - name: api
+              containerPort: 8080
+            - name: metrics
+              containerPort: 2112
+          readinessProbe:
+            httpGet:
+              path: /ping
+              port: 8080
+          livenessProbe:
+            httpGet:
+              path: /ping
+              port: 8080
+          volumeMounts:
+            - name: logs
+              mountPath: /var/log/ente
+            - name: config
+              mountPath: /museum.yaml
+              subPath: museum.yaml
+            - name: credentials
+              mountPath: /credentials.yaml
+              subPath: credentials.yaml
       volumes:
         - name: logs
           emptyDir: {}
@@ -87,4 +88,4 @@ spec:
               - key: credentials.yaml
                 path: credentials.yaml
       nodeSelector:
-        kubernetes.io/arch: arm64
+        kubernetes.io/arch: arm64

ente/resources/photos/deployment.yaml

@@ -5,6 +5,7 @@ metadata:
   name: photos
 spec:
   replicas: 2
+  revisionHistoryLimit: 3
   selector:
     matchLabels:
       app.kubernetes.io/name: photos

external-dns/kustomization.yaml

@@ -12,7 +12,7 @@ labels:
 images:
   - name: external-dns
     newName: registry.k8s.io/external-dns/external-dns
-    newTag: v0.14.2
+    newTag: v0.15.1
 
 resources:
   - resources/rbac/service_account.yaml

forgejo/config/values.forgejo.yaml

@@ -50,29 +50,29 @@ gitea:
       DOMAIN: code.icb4dc0.de
       PROTOCOL: http
       ROOT_URL: https://code.icb4dc0.de/
-      LFS_START_SERVER: 'true'
+      LFS_START_SERVER: "true"
       LANDING_PAGE: explore
-      ENABLE_GZIP: 'true'
-      ENABLE_PPROF: 'true'
+      ENABLE_GZIP: "true"
+      ENABLE_PPROF: "true"
       SSH_LISTEN_PORT: 2222
     service:
-      DISABLE_REGISTRATION: 'true'
-      DEFAULT_KEEP_EMAIL_PRIVATE: 'true'
-      DEFAULT_ALLOW_CREATE_ORGANIZATION: 'false'
-      DEFAULT_USER_IS_RESTRICTED: 'true'
+      DISABLE_REGISTRATION: "true"
+      DEFAULT_KEEP_EMAIL_PRIVATE: "true"
+      DEFAULT_ALLOW_CREATE_ORGANIZATION: "false"
+      DEFAULT_USER_IS_RESTRICTED: "true"
     session:
       PROVIDER: redis
       PROVIDER_CONFIG: redis://forgejo-session.forgejo.svc:6379/0?pool_size=100&idle_timeout=180s&
     storage:
       STORAGE_TYPE: minio
-      MINIO_ENDPOINT: garage.garage.svc:3900
-      MINIO_BUCKET: forgejo
-      MINIO_LOCATION: hel1
-      MINIO_USE_SSL: 'false'
+      MINIO_ENDPOINT: fsn1.your-objectstorage.com:443
+      MINIO_BUCKET: 1661580-forgejo
+      MINIO_LOCATION: fsn1
+      MINIO_USE_SSL: "true"
     indexer:
       ISSUE_INDEXER_TYPE: meilisearch
       ISSUE_INDEXER_NAME: gitea_issues
-      REPO_INDEXER_ENABLED: 'true'
+      REPO_INDEXER_ENABLED: "true"
       REPO_INDEXER_REPO_TYPES: sources,forks,mirrors,templates
       REPO_INDEXER_TYPE: bleve
       REPO_INDEXER_PATH: indexers/repos.bleve
@@ -81,19 +81,19 @@ gitea:
       MAX_SIZE: 30
       MAX_FILES: 15
       STORAGE_TYPE: minio
-      MINIO_ENDPOINT: garage.garage.svc:3900
-      MINIO_BUCKET: forgejo
-      MINIO_LOCATION: hel1
-      MINIO_USE_SSL: 'false'
+      MINIO_ENDPOINT: fsn1.your-objectstorage.com:443
+      MINIO_BUCKET: 1661580-forgejo
+      MINIO_LOCATION: fsn1
+      MINIO_USE_SSL: "true"
     actions:
-      ENABLED: 'true'
+      ENABLED: "true"
       DEFAULT_ACTIONS_URL: github
       STORAGE_TYPE: minio
     database:
       DB_TYPE: postgres
       HOST: app-cluster-pooler-rw.postgres.svc
       NAME: forgejo
-      USER: forgejo-6a95jj
+      USER: forgejo-Dkh0h3
       SSL_MODE: require
       log_sql: "false"
     cache:
@@ -121,7 +121,7 @@ affinity:
       - weight: 1
         preference:
           matchExpressions:
-          - key: kubernetes.io/arch
-            operator: In
-            values:
-            - arm64
+            - key: kubernetes.io/arch
+              operator: In
+              values:
+                - arm64

forgejo/kustomization.yaml

@@ -4,18 +4,18 @@ kind: Kustomization
 namespace: forgejo
 
 labels:
-- includeSelectors: true
-  pairs:
-    app.kubernetes.io/managed-by: kustomize
-    app.kubernetes.io/part-of: forgejo
+  - includeSelectors: true
+    pairs:
+      app.kubernetes.io/managed-by: kustomize
+      app.kubernetes.io/part-of: forgejo
 
 images:
   - name: act_runner
     newName: code.forgejo.org/forgejo/runner
-    newTag: "3.5.1"
+    newTag: "6.0.1"
   - name: dind
     newName: docker
-    newTag: 27.1.2-dind
+    newTag: 27.5.0-dind
 
 resources:
   - resources/db/db.yaml
@@ -33,22 +33,22 @@ resources:
   - resources/runners/act-cache-svc.yaml
 
 configMapGenerator:
-- name: act-runner-config-arm64
-  files:
-  - config.yaml=config/runners/config-arm64.yaml
-  - daemon.json=config/runners/daemon.arm64.json
+  - name: act-runner-config-arm64
+    files:
+      - config.yaml=config/runners/config-arm64.yaml
+      - daemon.json=config/runners/daemon.arm64.json
 
-- name: act-runner-config-amd64
-  files:
-  - config.yaml=config/runners/config-amd64.yaml
-  - daemon.json=config/runners/daemon.amd64.json
+  - name: act-runner-config-amd64
+    files:
+      - config.yaml=config/runners/config-amd64.yaml
+      - daemon.json=config/runners/daemon.amd64.json
 
 helmCharts:
   - name: forgejo
     repo: oci://codeberg.org/forgejo-contrib
     releaseName: forgejo
     namespace: forgejo
-    version: "8.2.0"
+    version: "11.0.1"
     valuesFile: config/values.forgejo.yaml
     skipTests: true
     apiVersions:
@@ -57,6 +57,6 @@ helmCharts:
     repo: https://meilisearch.github.io/meilisearch-kubernetes
     releaseName: forgejo-indexer
     namespace: forgejo
-    version: "0.9.1"
+    version: "0.10.2"
     valuesFile: config/values.meilisearch.yaml
-    skipTests: true
+    skipTests: true

forgejo/resources/runners/act-cache.yaml

@@ -7,6 +7,7 @@ metadata:
     app.kubernetes.io/name: act-runner-cache
 spec:
   replicas: 2
+  revisionHistoryLimit: 3
   selector:
     matchLabels:
       app.kubernetes.io/name: act-runner-cache

forgejo/resources/runners/act-runner-amd64.yaml

@@ -9,6 +9,7 @@ spec:
       app.kubernetes.io/name: act-runner
       app.kubernetes.io/instance: amd64
   replicas: 1
+  revisionHistoryLimit: 3
   strategy:
     type: Recreate
   template:

forgejo/resources/runners/act-runner-arm64.yaml

@@ -9,6 +9,7 @@ spec:
       app.kubernetes.io/name: act-runner
       app.kubernetes.io/instance: arm64
   replicas: 2
+  revisionHistoryLimit: 3
   strategy:
     type: Recreate
   template:

forgejo/resources/runners/cache-pvc.yaml

@@ -4,7 +4,7 @@ kind: PersistentVolumeClaim
 metadata:
   name: act-runner-cache
 spec:
-  storageClassName: storage-box
+  storageClassName: hcloud-blob
   resources:
     requests:
       storage: 50Gi

garage/backup/kustomization.yaml

@@ -6,7 +6,7 @@ namespace: garage
 images:
   - name: rclone
     newName: rclone/rclone
-    newTag: "1.67"
+    newTag: "1.69"
 
 resources:
 - resources/cronjob.yaml

garage/kustomization.yaml

@@ -6,7 +6,7 @@ namespace: garage
 images:
   - name: garage
     newName: dxflrs/garage
-    newTag: v1.0.0
+    newTag: v1.0.1
 
 labels:
 - includeSelectors: true

garage/migrate/resources/job.migrate.yaml

@@ -2,29 +2,29 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: sync-garage-snips
+  name: sync-garage-csi
   namespace: garage
 spec:
   ttlSecondsAfterFinished: 100
   template:
     spec:
       containers:
-      - name: rclone
-        image: rclone/rclone
-        args:
-          - sync
-          - -P
-          - --update
-          - --no-update-modtime
-          - --no-update-dir-modtime
-          - --ignore-errors
-          - -s3-upload-concurrency 64
-          - -v
-          - r2:backup/snips
-          - garage:backup/snips
-        volumeMounts:
-          - name: rclone-config
-            mountPath: /config/rclone
+        - name: rclone
+          image: rclone/rclone
+          args:
+            - sync
+            - -P
+            - --update
+            - --no-update-modtime
+            - --no-update-dir-modtime
+            - --ignore-errors
+            - -s3-upload-concurrency 64
+            - -v
+            - garage:csi
+            - hcloud:1661580-csi
+          volumeMounts:
+            - name: rclone-config
+              mountPath: /config/rclone
       restartPolicy: Never
       volumes:
         - name: rclone-config

garage/resources/workload.yaml

@@ -16,53 +16,45 @@ spec:
       serviceAccountName: garage
       priorityClassName: system-cluster-critical
       containers:
-      - name: garage
-        image: garage
-        env:
-          - name: GARAGE_ADMIN_TOKEN
-            valueFrom:
-              secretKeyRef:
-                name: garage-secrets
-                key: admin-token
-          - name: GARAGE_RPC_SECRET
-            valueFrom:
-              secretKeyRef:
-                name: garage-secrets
-                key: rpc-secret
-        ports:
-        - containerPort: 3900
-          name: s3-api
-        - containerPort: 3902
-          name: s3-web
-        - containerPort: 3903
-          name: metrics
-        volumeMounts:
-        - name: garage-data
-          mountPath: /srv/garage
-        - name: garage-config
-          mountPath: /etc/garage.toml
-          subPath: garage.toml
-          readOnly: true
-        resources:
-          requests:
-            cpu: 300m
-            memory: 280Mi
-          limits:
-            cpu: 750m
-            memory: 500Mi
-        readinessProbe:
-          httpGet:
-            port: 3903
-            path: /health
-        livenessProbe:
-          httpGet:
-            port: 3903
-            path: /health
-        securityContext:
-          capabilities:
-            drop:
-              - ALL
-          readOnlyRootFilesystem: true
+        - name: garage
+          image: garage
+          env:
+            - name: GARAGE_ADMIN_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: garage-secrets
+                  key: admin-token
+            - name: GARAGE_RPC_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: garage-secrets
+                  key: rpc-secret
+          ports:
+            - containerPort: 3900
+              name: s3-api
+            - containerPort: 3902
+              name: s3-web
+            - containerPort: 3903
+              name: metrics
+          volumeMounts:
+            - name: garage-data
+              mountPath: /srv/garage
+            - name: garage-config
+              mountPath: /etc/garage.toml
+              subPath: garage.toml
+              readOnly: true
+          resources:
+            requests:
+              cpu: 300m
+              memory: 280Mi
+            limits:
+              cpu: 750m
+              memory: 500Mi
+          securityContext:
+            capabilities:
+              drop:
+                - ALL
+            readOnlyRootFilesystem: true
       nodeSelector:
         k8s.icb4dc0.de/storage-node: "true"
       affinity:
@@ -77,15 +69,15 @@ spec:
                       - arm64
         podAntiAffinity:
           preferredDuringSchedulingIgnoredDuringExecution:
-          - weight: 100
-            podAffinityTerm:
-              labelSelector:
-                matchExpressions:
-                - key: app.kubernetes.io/name
-                  operator: In
-                  values:
-                  - fider
-              topologyKey: topology.kubernetes.io/zone
+            - weight: 100
+              podAffinityTerm:
+                labelSelector:
+                  matchExpressions:
+                    - key: app.kubernetes.io/name
+                      operator: In
+                      values:
+                        - fider
+                topologyKey: topology.kubernetes.io/zone
       securityContext:
         runAsUser: 1000
         runAsGroup: 1000
@@ -99,11 +91,11 @@ spec:
               - key: garage.toml
                 path: garage.toml
   volumeClaimTemplates:
-  - metadata:
-      name: garage-data
-    spec:
-      accessModes: [ "ReadWriteOnce" ]
-      storageClassName: hcloud-volumes-xfs
-      resources:
-        requests:
-          storage: 20Gi
+    - metadata:
+        name: garage-data
+      spec:
+        accessModes: ["ReadWriteOnce"]
+        storageClassName: hcloud-volumes-xfs
+        resources:
+          requests:
+            storage: 20Gi

hcloud/kustomization.yaml

@@ -12,12 +12,12 @@ helmCharts:
     repo: https://charts.hetzner.cloud
     releaseName: hccm
     namespace: kube-system
-    version: "1.20.0"
+    version: "1.22.0"
     valuesFile: config/values.ccm.yaml
 
   - name: hcloud-csi
     repo: https://charts.hetzner.cloud
     releaseName: hcloud-csi-driver
     namespace: kube-system
-    version: "2.9.0"
+    version: "2.11.0"
     valuesFile: config/values.csi.yaml

hedgedoc/kustomization.yaml

@@ -6,7 +6,7 @@ namespace: hedgedoc
 images:
 - name: hedgedoc
   newName: quay.io/hedgedoc/hedgedoc
-  newTag: "1.9.9"
+  newTag: "1.10.0"
 
 labels:
 - includeSelectors: true

kube-prometheus/kustomization.yaml

@@ -17,5 +17,5 @@ helmCharts:
     includeCRDs: true
     namespace: observability-system
     releaseName: prometheus
-    version: "62.3.0"
+    version: "68.3.0"
     valuesFile: config/values.prometheus.yaml