chore(deps): update dependency fluxcd/flux2 to v2.4.0

Reviewed-on: #37

README.md

@@ -18,23 +18,25 @@
 
 ### Infrastructure
 
-- ![Kubernetes][k8s]
-- ![Helm][helm]
-- ![Traefik][traefik]
-- ![Cert Manager][cert-manager]
-- ![Metallb][metallb]
-- ![NFS][nfs]
-- ![FluxCD][fluxcd]
+- [Kubernetes][k8s] - Isn't it obvious?
+- [Helm][helm] - Easily deploy and manage Kubernetes applications
+- [Traefik][traefik] - Web reverse proxy
+- [Cert Manager][cert-manager] - Generates LetsEncrypt certificates
+- [Metallb][metallb] - Load Balancer
+- [NFS][nfs] - Remote Storage for PVs
+- [FluxCD][fluxcd] - GitOps
+- [Spegel][spegel] - Local Docker registry cache
+- [Eraser][eraser] - Automated cleanup of old docker images
 
 ### Services
 
-See [services](./apps/production/) for a list of services that I use in my homelab.
+See [services](./kubernetes/apps/production/) for a list of services that I use in my homelab.
 
 <!-- TODO -->
 
 ## Todo
 
-Nothing !
+- [ ] Setup Grafana and Traefik metrics
 
 ### Backlog
 
@@ -60,10 +62,12 @@ Don't forget to give the project a star! Thanks again!
 <!-- MARKDOWN LINKS & IMAGES -->
 <!-- https://www.markdownguide.org/basic-syntax/#reference-style-links -->
 
-[fluxcd]: https://fluxcd.io
-[k8s]: https://kubernetes.io
-[helm]: https://helm.sh
-[traefik]: https://traefik.io
-[cert-manager]: https://cert-manager.io
-[metallb]: https://metallb.org
-[nfs]: https://nfs.fascinated.cc
+[fluxcd]: https://fluxcd.io/
+[k8s]: https://kubernetes.io/
+[helm]: https://helm.sh/
+[traefik]: https://traefik.io/
+[cert-manager]: https://cert-manager.io/
+[metallb]: https://metallb.org/
+[nfs]: https://github.com/kubernetes-sigs/nfs-subdir-external-provisioner/
+[spegel]: https://github.com/spegel-org/spegel/
+[eraser]: https://github.com/eraser-dev/eraser/

kubernetes/apps/disabled/drone/server/ingress.yaml

@@ -15,6 +15,8 @@ spec:
       middlewares:
         - name: default-headers
           namespace: traefik
+        - name: compress
+          namespace: traefik
       services:
         - name: drone-service
           port: 80

kubernetes/apps/disabled/searxng/ingress.yaml

@@ -14,6 +14,8 @@ spec:
       middlewares:
         - name: default-headers
           namespace: traefik
+        - name: compress
+          namespace: traefik
       services:
         - name: searxng-service
           port: 8080

kubernetes/apps/production/flyimg/deployment.yaml

@@ -16,7 +16,7 @@ spec:
     spec:
       containers:
         - name: flyimg-container
-          image: flyimg/flyimg:1.4.12
+          image: flyimg/flyimg:1.4.13
           securityContext:
             allowPrivilegeEscalation: false
           ports:

kubernetes/apps/production/flyimg/ingress.yaml

@@ -14,6 +14,8 @@ spec:
       middlewares:
         - name: default-headers
           namespace: traefik
+        - name: compress
+          namespace: traefik
       services:
         - name: flyimg-service
           port: 80

kubernetes/clusters/production/apps.yaml

@@ -5,7 +5,7 @@ metadata:
   name: apps
   namespace: flux-system
 spec:
-  interval: 1m0s
+  interval: 5m0s
   dependsOn:
     - name: infrastructure
   sourceRef:

kubernetes/clusters/production/infrastructure.yaml

@@ -5,7 +5,7 @@ metadata:
   name: infrastructure
   namespace: flux-system
 spec:
-  interval: 1m0s
+  interval: 5m0s
   sourceRef:
     kind: GitRepository
     name: flux-system

kubernetes/infrastructure/backup/volsync.yaml

@@ -5,7 +5,7 @@ metadata:
   name: volsync-repository
   namespace: backups
 spec:
-  interval: 12h
+  interval: 5m0s
   url: https://backube.github.io/helm-charts/
 ---
 apiVersion: helm.toolkit.fluxcd.io/v2

kubernetes/infrastructure/capacitor/ingress.yaml

@@ -14,6 +14,8 @@ spec:
       middlewares:
         - name: default-headers
           namespace: traefik
+        - name: compress
+          namespace: traefik
       services:
         - name: capacitor
           port: 9000

kubernetes/infrastructure/cert-manager/cert-manager.yaml

@@ -5,7 +5,7 @@ metadata:
   name: cert-manager
   namespace: cert-manager
 spec:
-  interval: 12h
+  interval: 5m0s
   url: https://charts.jetstack.io
 ---
 apiVersion: helm.toolkit.fluxcd.io/v2

kubernetes/infrastructure/crds/traefik.crds.yaml

@@ -8,7 +8,7 @@ spec:
   interval: 30m
   url: https://github.com/traefik/traefik-helm-chart.git
   ref:
-    tag: v31.1.1
+    tag: v32.0.0
   ignore: |
     # exclude all
     /*

kubernetes/infrastructure/eraser/eraser.yaml

@@ -0,0 +1,549 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    control-plane: controller-manager
+  name: eraser-system
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.9.0
+  creationTimestamp: null
+  name: imagejobs.eraser.sh
+spec:
+  group: eraser.sh
+  names:
+    kind: ImageJob
+    listKind: ImageJobList
+    plural: imagejobs
+    singular: imagejob
+  scope: Cluster
+  versions:
+    - name: v1
+      schema:
+        openAPIV3Schema:
+          description: ImageJob is the Schema for the imagejobs API.
+          properties:
+            apiVersion:
+              description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources"
+              type: string
+            kind:
+              description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds"
+              type: string
+            metadata:
+              type: object
+            status:
+              description: ImageJobStatus defines the observed state of ImageJob.
+              properties:
+                deleteAfter:
+                  description: Time to delay deletion until
+                  format: date-time
+                  type: string
+                desired:
+                  description: desired number of pods
+                  type: integer
+                failed:
+                  description: number of pods that failed
+                  type: integer
+                phase:
+                  description: job running, successfully completed, or failed
+                  type: string
+                skipped:
+                  description: number of nodes that were skipped e.g. because they are not a linux node
+                  type: integer
+                succeeded:
+                  description: number of pods that completed successfully
+                  type: integer
+              required:
+                - desired
+                - failed
+                - phase
+                - skipped
+                - succeeded
+              type: object
+          type: object
+      served: true
+      storage: true
+      subresources:
+        status: {}
+    - deprecated: true
+      deprecationWarning: v1alpha1 of the eraser API has been deprecated. Please migrate to v1.
+      name: v1alpha1
+      schema:
+        openAPIV3Schema:
+          description: ImageJob is the Schema for the imagejobs API.
+          properties:
+            apiVersion:
+              description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources"
+              type: string
+            kind:
+              description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds"
+              type: string
+            metadata:
+              type: object
+            status:
+              description: ImageJobStatus defines the observed state of ImageJob.
+              properties:
+                deleteAfter:
+                  description: Time to delay deletion until
+                  format: date-time
+                  type: string
+                desired:
+                  description: desired number of pods
+                  type: integer
+                failed:
+                  description: number of pods that failed
+                  type: integer
+                phase:
+                  description: job running, successfully completed, or failed
+                  type: string
+                skipped:
+                  description: number of nodes that were skipped e.g. because they are not a linux node
+                  type: integer
+                succeeded:
+                  description: number of pods that completed successfully
+                  type: integer
+              required:
+                - desired
+                - failed
+                - phase
+                - skipped
+                - succeeded
+              type: object
+          type: object
+      served: true
+      storage: false
+      subresources:
+        status: {}
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.9.0
+  creationTimestamp: null
+  name: imagelists.eraser.sh
+spec:
+  group: eraser.sh
+  names:
+    kind: ImageList
+    listKind: ImageListList
+    plural: imagelists
+    singular: imagelist
+  scope: Cluster
+  versions:
+    - name: v1
+      schema:
+        openAPIV3Schema:
+          description: ImageList is the Schema for the imagelists API.
+          properties:
+            apiVersion:
+              description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources"
+              type: string
+            kind:
+              description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds"
+              type: string
+            metadata:
+              type: object
+            spec:
+              description: ImageListSpec defines the desired state of ImageList.
+              properties:
+                images:
+                  description: The list of non-compliant images to delete if non-running.
+                  items:
+                    type: string
+                  type: array
+              required:
+                - images
+              type: object
+            status:
+              description: ImageListStatus defines the observed state of ImageList.
+              properties:
+                failed:
+                  description: Number of nodes that failed to run the job
+                  format: int64
+                  type: integer
+                skipped:
+                  description: Number of nodes that were skipped due to a skip selector
+                  format: int64
+                  type: integer
+                success:
+                  description: Number of nodes that successfully ran the job
+                  format: int64
+                  type: integer
+                timestamp:
+                  description: Information when the job was completed.
+                  format: date-time
+                  type: string
+              required:
+                - failed
+                - skipped
+                - success
+                - timestamp
+              type: object
+          type: object
+      served: true
+      storage: true
+      subresources:
+        status: {}
+    - deprecated: true
+      deprecationWarning: v1alpha1 of the eraser API has been deprecated. Please migrate to v1.
+      name: v1alpha1
+      schema:
+        openAPIV3Schema:
+          description: ImageList is the Schema for the imagelists API.
+          properties:
+            apiVersion:
+              description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources"
+              type: string
+            kind:
+              description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds"
+              type: string
+            metadata:
+              type: object
+            spec:
+              description: ImageListSpec defines the desired state of ImageList.
+              properties:
+                images:
+                  description: The list of non-compliant images to delete if non-running.
+                  items:
+                    type: string
+                  type: array
+              required:
+                - images
+              type: object
+            status:
+              description: ImageListStatus defines the observed state of ImageList.
+              properties:
+                failed:
+                  description: Number of nodes that failed to run the job
+                  format: int64
+                  type: integer
+                skipped:
+                  description: Number of nodes that were skipped due to a skip selector
+                  format: int64
+                  type: integer
+                success:
+                  description: Number of nodes that successfully ran the job
+                  format: int64
+                  type: integer
+                timestamp:
+                  description: Information when the job was completed.
+                  format: date-time
+                  type: string
+              required:
+                - failed
+                - skipped
+                - success
+                - timestamp
+              type: object
+          type: object
+      served: true
+      storage: false
+      subresources:
+        status: {}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: eraser-controller-manager
+  namespace: eraser-system
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: eraser-imagejob-pods
+  namespace: eraser-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  creationTimestamp: null
+  name: eraser-imagejob-pods-cluster-role
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  creationTimestamp: null
+  name: eraser-manager-role
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - nodes
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - update
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - podtemplates
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - eraser.sh
+    resources:
+      - imagejobs
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - eraser.sh
+    resources:
+      - imagejobs/status
+    verbs:
+      - get
+      - patch
+      - update
+  - apiGroups:
+      - eraser.sh
+    resources:
+      - imagelists
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - eraser.sh
+    resources:
+      - imagelists/status
+    verbs:
+      - get
+      - patch
+      - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: eraser-imagejob-pods-cluster-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: eraser-imagejob-pods-cluster-role
+subjects:
+  - kind: ServiceAccount
+    name: eraser-imagejob-pods
+    namespace: eraser-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: eraser-manager-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: eraser-manager-role
+subjects:
+  - kind: ServiceAccount
+    name: eraser-controller-manager
+    namespace: eraser-system
+---
+apiVersion: v1
+data:
+  controller_manager_config.yaml: |
+    apiVersion: eraser.sh/v1alpha3
+    kind: EraserConfig
+    manager:
+      runtime:
+        name: containerd
+        address: unix:///run/containerd/containerd.sock
+      otlpEndpoint: ""
+      logLevel: info
+      scheduling:
+        repeatInterval: 24h
+        beginImmediately: true
+      profile:
+        enabled: false
+        port: 6060
+      imageJob:
+        successRatio: 1.0
+        cleanup:
+          delayOnSuccess: 0s
+          delayOnFailure: 24h
+      pullSecrets: [] # image pull secrets for collector/scanner/eraser
+      priorityClassName: "" # priority class name for collector/scanner/eraser
+      nodeFilter:
+        type: exclude # must be either exclude|include
+        selectors:
+          - eraser.sh/cleanup.filter
+          - kubernetes.io/os=windows
+    components:
+      collector:
+        enabled: true
+        image:
+          repo: ghcr.io/eraser-dev/collector
+          tag: v1.4.0-beta.0
+        request:
+          mem: 25Mi
+          cpu: 7m
+        limit:
+          mem: 500Mi
+          # https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#how-pods-with-resource-limits-are-run
+          cpu: 0
+      scanner:
+        enabled: true
+        image:
+          repo: ghcr.io/eraser-dev/eraser-trivy-scanner # supply custom image for custom scanner
+          tag: v1.4.0-beta.0
+        request:
+          mem: 500Mi
+          cpu: 1000m
+        limit:
+          mem: 2Gi
+          # https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#how-pods-with-resource-limits-are-run
+          cpu: 0
+        # The config needs to be passed through to the scanner as yaml, as a
+        # single string. Because we allow custom scanner images, the scanner is
+        # responsible for defining a schema, parsing, and validating.
+        config: |
+          # this is the schema for the provided 'trivy-scanner'. custom scanners
+          # will define their own configuration.
+          cacheDir: /var/lib/trivy
+          dbRepo: ghcr.io/aquasecurity/trivy-db
+          deleteFailedImages: true
+          deleteEOLImages: true
+          vulnerabilities:
+            ignoreUnfixed: true
+            types:
+              - os
+              - library
+            securityChecks:
+              - vuln
+            severities:
+              - CRITICAL
+              - HIGH
+              - MEDIUM
+              - LOW
+            ignoredStatuses:
+          timeout:
+            total: 23h
+            perImage: 1h
+      remover:
+        image:
+          repo: ghcr.io/eraser-dev/remover
+          tag: v1.4.0-beta.0
+        request:
+          mem: 25Mi
+          # https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#how-pods-with-resource-limits-are-run
+          cpu: 0
+        limit:
+          mem: 30Mi
+          cpu: 0
+kind: ConfigMap
+metadata:
+  name: eraser-manager-config
+  namespace: eraser-system
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    control-plane: controller-manager
+  name: eraser-controller-manager
+  namespace: eraser-system
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      control-plane: controller-manager
+  template:
+    metadata:
+      labels:
+        control-plane: controller-manager
+    spec:
+      containers:
+        - args:
+            - --config=/config/controller_manager_config.yaml
+          command:
+            - /manager
+          env:
+            - name: POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  apiVersion: v1
+                  fieldPath: metadata.namespace
+            - name: OTEL_SERVICE_NAME
+              value: eraser-manager
+          image: ghcr.io/eraser-dev/eraser-manager:v1.5.0-beta.0
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: 8081
+            initialDelaySeconds: 15
+            periodSeconds: 20
+          name: manager
+          readinessProbe:
+            httpGet:
+              path: /readyz
+              port: 8081
+            initialDelaySeconds: 5
+            periodSeconds: 10
+          resources:
+            limits:
+              memory: 30Mi
+            requests:
+              cpu: 100m
+              memory: 20Mi
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            readOnlyRootFilesystem: true
+            runAsGroup: 65532
+            runAsNonRoot: true
+            runAsUser: 65532
+            seccompProfile:
+              type: RuntimeDefault
+          volumeMounts:
+            - mountPath: /config
+              name: manager-config
+      nodeSelector:
+        kubernetes.io/os: linux
+      serviceAccountName: eraser-controller-manager
+      terminationGracePeriodSeconds: 10
+      volumes:
+        - configMap:
+            name: eraser-manager-config
+          name: manager-config

kubernetes/infrastructure/eraser/kustomization.yaml

@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: eraser-system
+resources:
+  - eraser.yaml

kubernetes/infrastructure/fluxci/notification/ingress.yaml

@@ -15,6 +15,8 @@ spec:
       middlewares:
         - name: default-headers
           namespace: traefik
+        - name: compress
+          namespace: traefik
       services:
         - name: notification-controller
           port: 80

kubernetes/infrastructure/kustomization.yaml

@@ -13,4 +13,6 @@ resources:
   - capacitor
   - monitoring
   - alerting/flux
+  - eraser
+  - spegel
   #- backup

kubernetes/infrastructure/monitoring/ingress.yaml

@@ -14,6 +14,8 @@ spec:
       middlewares:
         - name: default-headers
           namespace: traefik
+        - name: compress
+          namespace: traefik
       services:
         - name: kube-prometheus-stack-grafana
           port: 80

kubernetes/infrastructure/monitoring/kube-prometheus-stack.yaml

@@ -5,7 +5,7 @@ metadata:
   name: monitoring
   namespace: monitoring
 spec:
-  interval: 12h
+  interval: 5m0s
   url: https://prometheus-community.github.io/helm-charts
 ---
 apiVersion: helm.toolkit.fluxcd.io/v2
@@ -18,7 +18,7 @@ spec:
   chart:
     spec:
       chart: kube-prometheus-stack
-      version: "62.7.0"
+      version: "63.1.0"
       sourceRef:
         kind: HelmRepository
         name: monitoring
@@ -56,3 +56,20 @@ spec:
               resources:
                 requests:
                   storage: 50Gi
+
+    # ServiceMonitor configurations
+    serviceMonitors:
+      node-exporter:
+        metricRelabelings:
+          - action: replace
+            regex: (.*)
+            replacement: $1
+            sourceLabels:
+              - __meta_kubernetes_pod_node_name
+            targetLabel: kubernetes_node
+      kubelet:
+        metricRelabelings:
+          - action: replace
+            sourceLabels:
+              - node
+            targetLabel: instance

kubernetes/infrastructure/nfs/nfs-driver.yaml

@@ -5,7 +5,7 @@ metadata:
   name: csi-driver-nfs
   namespace: kube-system
 spec:
-  interval: 12h
+  interval: 5m0s
   url: https://raw.githubusercontent.com/kubernetes-csi/csi-driver-nfs/master/charts
 ---
 apiVersion: helm.toolkit.fluxcd.io/v2

kubernetes/infrastructure/sealed-secrets/sealed-secrets.yaml

@@ -5,7 +5,7 @@ metadata:
   name: sealed-secrets
   namespace: kube-system
 spec:
-  interval: 12h
+  interval: 5m0s
   url: https://bitnami-labs.github.io/sealed-secrets
 ---
 apiVersion: helm.toolkit.fluxcd.io/v2

kubernetes/infrastructure/spegel/kustomization.yaml

@@ -0,0 +1,7 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: spegel
+resources:
+  - namespace.yaml
+  - spegel.yaml

kubernetes/infrastructure/spegel/namespace.yaml

@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: spegel
+  labels:
+    pod-security.kubernetes.io/enforce: privileged

kubernetes/infrastructure/spegel/spegel.yaml

@@ -0,0 +1,42 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: spegel
+  namespace: spegel
+spec:
+  type: "oci"
+  interval: 5m0s
+  url: oci://ghcr.io/spegel-org/helm-charts
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: spegel
+  namespace: spegel
+spec:
+  interval: 1m
+  chart:
+    spec:
+      chart: spegel
+      version: "v0.0.24"
+      interval: 5m
+      sourceRef:
+        kind: HelmRepository
+        name: spegel
+  values:
+    spegel:
+      containerdRegistryConfigPath: /etc/cri/conf.d/hosts
+      registries:
+        [
+          "https://cgr.dev",
+          "https://docker.io",
+          "https://ghcr.io",
+          "https://quay.io",
+          "https://mcr.microsoft.com",
+          "https://public.ecr.aws",
+          "https://gcr.io",
+          "https://registry.k8s.io",
+          "https://k8s.gcr.io",
+          "https://lscr.io",
+          "https://git.fascinated.cc",
+        ]

kubernetes/infrastructure/traefik/external-services/aetheria-grafana.fascinated.cc.yml

@@ -26,6 +26,8 @@ spec:
       middlewares:
         - name: default-headers
           namespace: traefik
+        - name: compress
+          namespace: traefik
       services:
         - name: aetheria-grafana-external
           port: 3000

kubernetes/infrastructure/traefik/external-services/aetheria-influx.fascinated.cc.yml

@@ -26,6 +26,8 @@ spec:
       middlewares:
         - name: default-headers
           namespace: traefik
+        - name: compress
+          namespace: traefik
       services:
         - name: aetheria-influx-external
           port: 8086

kubernetes/infrastructure/traefik/external-services/analytics.fascinated.cc.yml

@@ -26,6 +26,8 @@ spec:
       middlewares:
         - name: default-headers
           namespace: traefik
+        - name: compress
+          namespace: traefik
       services:
         - name: analytics-external
           port: 8000

kubernetes/infrastructure/traefik/external-services/api.mcutils.xyz.yml

@@ -26,6 +26,8 @@ spec:
       middlewares:
         - name: default-headers
           namespace: traefik
+        - name: compress
+          namespace: traefik
       services:
         - name: mc-utils-api-external
           port: 80

kubernetes/infrastructure/traefik/external-services/azure-metrics.fascinated.cc.yml

@@ -26,6 +26,8 @@ spec:
       middlewares:
         - name: default-headers
           namespace: traefik
+        - name: compress
+          namespace: traefik
       services:
         - name: azure-metrics-external
           port: 3000

kubernetes/infrastructure/traefik/external-services/azure-phpma.fascinated.cc.yml

@@ -26,6 +26,8 @@ spec:
       middlewares:
         - name: default-headers
           namespace: traefik
+        - name: compress
+          namespace: traefik
       services:
         - name: azure-phpma-external
           port: 8080

kubernetes/infrastructure/traefik/external-services/bitmagnet.local.fascinated.cc.yml

@@ -26,6 +26,8 @@ spec:
       middlewares:
         - name: default-headers
           namespace: traefik
+        - name: compress
+          namespace: traefik
       services:
         - name: bitmagnet-local-external
           port: 3333

kubernetes/infrastructure/traefik/external-services/cdn.fascinated.cc.yml

@@ -26,6 +26,8 @@ spec:
       middlewares:
         - name: default-headers
           namespace: traefik
+        - name: compress
+          namespace: traefik
       services:
         - name: cdn-external
           port: 8087

kubernetes/infrastructure/traefik/external-services/cloud.fascinated.cc.yml

@@ -26,6 +26,8 @@ spec:
       middlewares:
         - name: default-headers
           namespace: traefik
+        - name: compress
+          namespace: traefik
       services:
         - name: nextcloud-external
           port: 80

kubernetes/infrastructure/traefik/external-services/docs.fascinated.cc.yml

@@ -26,6 +26,8 @@ spec:
       middlewares:
         - name: default-headers
           namespace: traefik
+        - name: compress
+          namespace: traefik
       services:
         - name: docs-external
           port: 80

kubernetes/infrastructure/traefik/external-services/fascinated.cc.yml

@@ -26,6 +26,8 @@ spec:
       middlewares:
         - name: default-headers
           namespace: traefik
+        - name: compress
+          namespace: traefik
       services:
         - name: main-site-external
           port: 3000

kubernetes/infrastructure/traefik/external-services/git.fascinated.cc.yml

@@ -26,6 +26,8 @@ spec:
       middlewares:
         - name: default-headers
           namespace: traefik
+        - name: compress
+          namespace: traefik
       services:
         - name: git-external
           port: 3003

kubernetes/infrastructure/traefik/external-services/glitchtip.fascinated.cc.yml

@@ -26,6 +26,8 @@ spec:
       middlewares:
         - name: default-headers
           namespace: traefik
+        - name: compress
+          namespace: traefik
       services:
         - name: sentry-external
           port: 8000

kubernetes/infrastructure/traefik/external-services/grafana.mcutils.xyz.yml

@@ -26,6 +26,8 @@ spec:
       middlewares:
         - name: default-headers
           namespace: traefik
+        - name: compress
+          namespace: traefik
       services:
         - name: mc-utils-grafana-external
           port: 3000

kubernetes/infrastructure/traefik/external-services/influx.mcutils.xyz.yml

@@ -26,6 +26,8 @@ spec:
       middlewares:
         - name: default-headers
           namespace: traefik
+        - name: compress
+          namespace: traefik
       services:
         - name: mc-utils-influx-external
           port: 8086

kubernetes/infrastructure/traefik/external-services/mastodon.fascinated.cc.yml

@@ -26,6 +26,8 @@ spec:
       middlewares:
         - name: default-headers
           namespace: traefik
+        - name: compress
+          namespace: traefik
       services:
         - name: mastodon-external
           port: 3000

kubernetes/infrastructure/traefik/external-services/mc-tracker.fascinated.cc.yml

@@ -26,6 +26,8 @@ spec:
       middlewares:
         - name: default-headers
           namespace: traefik
+        - name: compress
+          namespace: traefik
       services:
         - name: mc-tracker-external
           port: 3000

kubernetes/infrastructure/traefik/external-services/mcutils.xyz.yml

@@ -26,6 +26,8 @@ spec:
       middlewares:
         - name: default-headers
           namespace: traefik
+        - name: compress
+          namespace: traefik
       services:
         - name: mc-utils-external
           port: 80

kubernetes/infrastructure/traefik/external-services/node-hl-01.fascinated.cc.yml

@@ -26,6 +26,8 @@ spec:
       middlewares:
         - name: default-headers
           namespace: traefik
+        - name: compress
+          namespace: traefik
       services:
         - name: node-hl-01-external
           port: 443

kubernetes/infrastructure/traefik/external-services/obsidian-sync.fascinated.cc.yml

@@ -26,6 +26,8 @@ spec:
       middlewares:
         - name: default-headers
           namespace: traefik
+        - name: compress
+          namespace: traefik
       services:
         - name: obsidian-sync-external
           port: 5984

kubernetes/infrastructure/traefik/external-services/overseerr.fascinated.cc.yml

@@ -26,6 +26,8 @@ spec:
       middlewares:
         - name: default-headers
           namespace: traefik
+        - name: compress
+          namespace: traefik
       services:
         - name: overseerr-external
           port: 5055

kubernetes/infrastructure/traefik/external-services/owntracks-web.fascinated.cc.yml

@@ -26,6 +26,8 @@ spec:
       middlewares:
         - name: default-headers
           namespace: traefik
+        - name: compress
+          namespace: traefik
       services:
         - name: owntracks-web-external
           port: 6969

kubernetes/infrastructure/traefik/external-services/owntracks.fascinated.cc.yml

@@ -26,6 +26,8 @@ spec:
       middlewares:
         - name: default-headers
           namespace: traefik
+        - name: compress
+          namespace: traefik
       services:
         - name: owntracks-external
           port: 8083

kubernetes/infrastructure/traefik/external-services/panel.fascinated.cc.yml

@@ -26,6 +26,8 @@ spec:
       middlewares:
         - name: default-headers
           namespace: traefik
+        - name: compress
+          namespace: traefik
       services:
         - name: panel-external
           port: 80

kubernetes/infrastructure/traefik/external-services/paste-grafana.local.fascinated.cc.yml

@@ -26,6 +26,8 @@ spec:
       middlewares:
         - name: default-headers
           namespace: traefik
+        - name: compress
+          namespace: traefik
       services:
         - name: paste-grafana-local-external
           port: 3035

kubernetes/infrastructure/traefik/external-services/paste.fascinated.cc.yml

@@ -0,0 +1,35 @@
+kind: Service
+apiVersion: v1
+metadata:
+  name: paste-external
+  namespace: traefik
+spec:
+  type: ExternalName
+  externalName: 10.0.50.118
+  ports:
+    - name: http
+      port: 8080
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: paste-external-ingress
+  namespace: traefik
+  annotations:
+    kubernetes.io/ingress.class: traefik-external
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`paste.fascinated.cc`)
+      kind: Rule
+      middlewares:
+        - name: default-headers
+          namespace: traefik
+        - name: compress
+          namespace: traefik
+      services:
+        - name: paste-external
+          port: 8080
+  tls:
+    secretName: fascinated-cc

kubernetes/infrastructure/traefik/external-services/plex.fascinated.cc.yml

@@ -26,6 +26,8 @@ spec:
       middlewares:
         - name: default-headers
           namespace: traefik
+        - name: compress
+          namespace: traefik
       services:
         - name: plex-external
           port: 32400

kubernetes/infrastructure/traefik/external-services/proxmox.local.fascinated.cc.yml

@@ -26,6 +26,8 @@ spec:
       middlewares:
         - name: default-headers
           namespace: traefik
+        - name: compress
+          namespace: traefik
       services:
         - name: proxmox-luna-local-external
           port: 8006

kubernetes/infrastructure/traefik/external-services/repo.fascinated.cc.yml

@@ -26,6 +26,8 @@ spec:
       middlewares:
         - name: default-headers
           namespace: traefik
+        - name: compress
+          namespace: traefik
       services:
         - name: repo-external
           port: 8080

kubernetes/infrastructure/traefik/external-services/restic.fascinated.cc.yml

@@ -26,6 +26,8 @@ spec:
       middlewares:
         - name: default-headers
           namespace: traefik
+        - name: compress
+          namespace: traefik
       services:
         - name: restic-backups-external
           port: 8000

kubernetes/infrastructure/traefik/external-services/s.fascinated.cc.yml

@@ -26,6 +26,8 @@ spec:
       middlewares:
         - name: default-headers
           namespace: traefik
+        - name: compress
+          namespace: traefik
       services:
         - name: slash-external
           port: 5231

kubernetes/infrastructure/traefik/external-services/sonarr-anime.local.fascinated.cc.yml

@@ -26,6 +26,8 @@ spec:
       middlewares:
         - name: default-headers
           namespace: traefik
+        - name: compress
+          namespace: traefik
       services:
         - name: sonarr-anime-local-external
           port: 8988

kubernetes/infrastructure/traefik/external-services/sonarr.local.fascinated.cc.yml

@@ -26,6 +26,8 @@ spec:
       middlewares:
         - name: default-headers
           namespace: traefik
+        - name: compress
+          namespace: traefik
       services:
         - name: sonarr-local-external
           port: 8989

kubernetes/infrastructure/traefik/external-services/ssr-staging.fascinated.cc.yml

@@ -26,6 +26,8 @@ spec:
       middlewares:
         - name: default-headers
           namespace: traefik
+        - name: compress
+          namespace: traefik
       services:
         - name: ssr-staging-external
           port: 80

kubernetes/infrastructure/traefik/external-services/status.fascinated.cc.yml

@@ -26,6 +26,8 @@ spec:
       middlewares:
         - name: default-headers
           namespace: traefik
+        - name: compress
+          namespace: traefik
       services:
         - name: status-external
           port: 3001

kubernetes/infrastructure/traefik/external-services/subscriptions.fascinated.cc.yml

@@ -26,6 +26,8 @@ spec:
       middlewares:
         - name: default-headers
           namespace: traefik
+        - name: compress
+          namespace: traefik
       services:
         - name: subscriptions-external
           port: 8282

kubernetes/infrastructure/traefik/external-services/tautulli.fascinated.cc.yml

@@ -26,6 +26,8 @@ spec:
       middlewares:
         - name: default-headers
           namespace: traefik
+        - name: compress
+          namespace: traefik
       services:
         - name: tautulli-external
           port: 8181

kubernetes/infrastructure/traefik/external-services/tdarr.local.fascinated.cc.yml

@@ -26,6 +26,8 @@ spec:
       middlewares:
         - name: default-headers
           namespace: traefik
+        - name: compress
+          namespace: traefik
       services:
         - name: tdarr-local-external
           port: 8265

kubernetes/infrastructure/traefik/external-services/teleport.fascinated.cc.yml

@@ -26,6 +26,8 @@ spec:
       middlewares:
         - name: default-headers
           namespace: traefik
+        - name: compress
+          namespace: traefik
       services:
         - name: teleport-external
           port: 3080

kubernetes/infrastructure/traefik/external-services/torrent.local.fascinated.cc.yml

@@ -26,6 +26,8 @@ spec:
       middlewares:
         - name: default-headers
           namespace: traefik
+        - name: compress
+          namespace: traefik
       services:
         - name: torrent-local-external
           port: 8080

kubernetes/infrastructure/traefik/external-services/translate.fascinated.cc.yml

@@ -26,6 +26,8 @@ spec:
       middlewares:
         - name: default-headers
           namespace: traefik
+        - name: compress
+          namespace: traefik
       services:
         - name: translate-external
           port: 5000

kubernetes/infrastructure/traefik/external-services/trigger.fascinated.cc.yml

@@ -0,0 +1,35 @@
+kind: Service
+apiVersion: v1
+metadata:
+  name: trigger-external
+  namespace: traefik
+spec:
+  type: ExternalName
+  externalName: 10.0.50.205
+  ports:
+    - name: http
+      port: 3040
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: trigger-external-ingress
+  namespace: traefik
+  annotations:
+    kubernetes.io/ingress.class: traefik-external
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`trigger.fascinated.cc`)
+      kind: Rule
+      middlewares:
+        - name: default-headers
+          namespace: traefik
+        - name: compress
+          namespace: traefik
+      services:
+        - name: trigger-external
+          port: 3040
+  tls:
+    secretName: fascinated-cc

kubernetes/infrastructure/traefik/external-services/tube.fascinated.cc.yml

@@ -26,6 +26,8 @@ spec:
       middlewares:
         - name: default-headers
           namespace: traefik
+        - name: compress
+          namespace: traefik
       services:
         - name: tube-external
           port: 8209

kubernetes/infrastructure/traefik/external-services/vaultwarden.fascinated.cc.yml

@@ -26,6 +26,8 @@ spec:
       middlewares:
         - name: default-headers
           namespace: traefik
+        - name: compress
+          namespace: traefik
       services:
         - name: vaultwarden-external
           port: 4743

kubernetes/infrastructure/traefik/external-services/vencloud.fascinated.cc.yml

@@ -26,6 +26,8 @@ spec:
       middlewares:
         - name: default-headers
           namespace: traefik
+        - name: compress
+          namespace: traefik
       services:
         - name: vencloud-external
           port: 8080

kubernetes/infrastructure/traefik/external-services/wakatime.fascinated.cc.yml

@@ -26,6 +26,8 @@ spec:
       middlewares:
         - name: default-headers
           namespace: traefik
+        - name: compress
+          namespace: traefik
       services:
         - name: wakatime-external
           port: 3355

kubernetes/infrastructure/traefik/external-services/wazuh.local.fascinated.cc.yml

@@ -26,6 +26,8 @@ spec:
       middlewares:
         - name: default-headers
           namespace: traefik
+        - name: compress
+          namespace: traefik
       services:
         - name: wazuh-external
           port: 443

kubernetes/infrastructure/traefik/external-services/wiki.fascinated.cc.yml

@@ -26,6 +26,8 @@ spec:
       middlewares:
         - name: default-headers
           namespace: traefik
+        - name: compress
+          namespace: traefik
       services:
         - name: wiki-external
           port: 80

kubernetes/infrastructure/traefik/kustomization.yaml

@@ -9,5 +9,6 @@ resources:
   - ./certificates/local-fascinated-cc.yaml
   - ./certificates/mcutils-xyz.yaml
   - ./middlewares/default-headers.yaml
+  - ./middlewares/compress.yaml
   #- ./external-services
   # for some stupid fucking reason kustomize doesn't support wildcards or globs?!?!?!??!?

kubernetes/infrastructure/traefik/middlewares/compress.yaml

@@ -0,0 +1,8 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: compress
+  namespace: traefik
+spec:
+  compress:
+    defaultEncoding: br,gzip

kubernetes/infrastructure/traefik/middlewares/default-headers.yaml

@@ -12,7 +12,6 @@ spec:
     stsPreload: true
     stsSeconds: 15552000
     referrerPolicy: no-referrer
-    contentSecurityPolicy: "default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https:; style-src 'self' 'unsafe-inline' https:; img-src 'self' data: https:; font-src 'self' https: data:; connect-src 'self' https:; frame-src 'self' https:; media-src 'self' https:; object-src 'none'; frame-ancestors 'self'; base-uri 'self'; form-action 'self';"
     customFrameOptionsValue: SAMEORIGIN
     customRequestHeaders:
       X-Forwarded-Proto: https

kubernetes/infrastructure/traefik/traefik.yaml

@@ -5,7 +5,7 @@ metadata:
   name: traefik
   namespace: traefik
 spec:
-  interval: 12h
+  interval: 5m0s
   url: https://helm.traefik.io/traefik
 ---
 apiVersion: helm.toolkit.fluxcd.io/v2
@@ -18,7 +18,7 @@ spec:
   chart:
     spec:
       chart: traefik
-      version: "31.1.1"
+      version: "32.0.0"
       sourceRef:
         kind: HelmRepository
         name: traefik

sealed-secrets.yaml

@@ -0,0 +1,20 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: ssr-secret
+  namespace: public-services
+spec:
+  encryptedData:
+    MONGO_URI: AgBDDZhuphvpFZJZq31CA8OmiTr1J8p5Fy/rcr/zvm2nl64GnpbmVCuYgUiH6PwZPCUa9zcyUeZJO9/Xqe9PbJ8hA82j0Pb+Pcl1Rk3+B6jkDaEzcJKDmXS/zx8Q+JPWFOGVpRNy0HCKxm8azy88A9iyiKseIFsMWWrkJMkEObokRBCB4joD9Mh+aOsE2vaUkoE49ASxwVXU9MnL/34eksqGD6D5/BGpVZGftvY/x5eOuhULtK7z3tcd/orc//21AXUSAlVgWcekstEfZWQovk7Rwl67pgpHYf+KuegY4i+0ybge1qEngjvwt76yObTqfmhrdVQNfrV21FpTfoBeZS6ZoHdli6DBanPZgXJdKU2Ttr3C5EJ8c0Gir20J3wRs11SQ1gaKu6bxL4EH4kAtgdVoD5t6MSqvDzkfovAcJUHfXLA2HPhs1CEcu7Y6Kv/v+aGWSlo9jPVQg8JJ7IPF/+DDbF4JgEnwr34e7M5Z/CKVhwm7mK8Nr1yzgEhkucjZ6fcEVmt91fjx1usxDvtN+mllibc7HS2a/ObMDx3MtfHxXhTpt0wXyNyhXtnKNvKbICR5LGZfosF3viNfuRcEFTGvC2Ak9hlhVrznp0FRUiQJSNWsBQKZUKG5Yd5ckQwJUY8B/OLAjg0Keo26LIkciZ0jZD3JtK+bxU5LntdfSCwuO9+xHgaMgCxY+7plPQOgXL9BAOk9Zerc/6xQXJ7y4Q1PogrNaiPn6xCr368utFH2bA4zOAZCwrngnZtmT4pB6r6C/425JoZiQQw6qVQklpC7UhWpV1SbMvdGrlYgBW9TkT5rJPNIE3Bp3kA=
+    NEXT_PUBLIC_SITE_URL: AgCpMUZ2MFY8mHgQ3fizTzcBImnwFmWzccRCtMAThI0cAIOcDe15Drk2a5a4UjcYgl1F+JrHB3b3IPbflr1E4dNAANKRgiGW+gyI2S7J/oDpb+ANCv/0RJIlfQh9Pcb/E4noKVOoUfe4dg5asq1kQjOob4uOn6MfQXoC5WfgK8u8q0T5tEPcuGxXt2Q1OnyAAWm/0Z7JSLfgQN2sKaAbRbWqKfwfsc4LgjxY98m/+BkXN7x6R7BJmXXMd0cb5ctdgM1ZpU+gYhhwyO0xsxYWURcJb9EsrNZR6OY4DbwXw2tpoagFxA20u5J2ZUhUeVRg2x2R5AdkL7OBIT73Xbh3WxIYVAqGDhs90aRrmlCdr61eBLCLtytC33LJ/6Odq2Pa9DLaKqRlqRX/IWk7+cgHOKfSd8/k5R1roA3A96ShFby9RdXGudGLA2G4dvLtrruLCYVRfxMJB2k3UYtGZB21o+3SAV0jx/83eoYzoBGHM6K8ySCpL1uDCo8ATL2iYJcacgYZGKaGxBumzEjAMBqTLBSUl0Jhx3mr59p6mrYKFtbewa9rJUOkNniYvdCeokLyVntxUMx60Jtrtg05G3vSFaP34Gp6Oq6J0jSzvYi/A3/iSe+cNB1fpNJvJVLRFmJ6f7qyMMoSujIoql5SfIhx/tyUHueiOFQ5KXKTeNhbu6byakY1ZHa2o03+Mooca2ATwUnlNNi73sKluFKhnRysANIiVoRZLDQniLwV
+    NEXT_PUBLIC_TRIGGER_PUBLIC_API_KEY: AgCZwhhUNhSMwuR1pCP5qDY9fD99u78PFq89ej141pc/L/y/UCydLvftFKT62bXzIFhoq77dlU3yFx2FqbApdiDv3sDltZkIQh/afYwySPw3bXxoQoHcAix5qGhWrpDkPFDOi+sJkkPnnZC1OBncrqz8xAwfYAhwOscW9mjugRMJPynqSlnVHS1RdYm6z7eSJpZEMEHIT4tptPnzP+icRwbolgKL66JXFXvuS6SnTZ+ZOtub39L+wpWE9dQ83E5YqtWl3hci2G+rK9KBk89zuBM7Ho+MTpcdcaes64ApMqaUnFPelqJKSk6PK7mEX9DZhCUqNyCu897ktfHKulVZQ5Wy2+pVHXx9e1IBI7YqNph64CbX6N0V6ABfNlO2sS+zFG3dGuEGj/lI9hfSxqQauYOWXR7r8zM86WvNuxWuQFQbO4B1TDd8oofhZ+wwcUfJ0/pZIqyxcINB13opF107wa4MlfoCI6sgB4/adq/bbMP/JO10/GBiuJRhE63NhVJEZovJoRNV2+wBRNSVRfZpEQ9AXSACm1BtqOxhYhAmDnJt6ThF6VDWB2ZoDZfWul/kPUTUiOulGHmsRdn/bzTS8GjhY93G1/FpNmhNSOC8YbO3FDw8vXg2Vy6jpdKOhy08H9R/9UqbiHxnXPyBGyoizbnjP0sDx4jYYXtix03ZPFf6Dxz6iwwy5BbHpk9Ik+3l2iKI7IcxOOS9P8ljlsB0cCivpTax1iuDZ4hlJ7zm
+    TRIGGER_API_KEY: AgARH8DdSu8INQ2OW6I4s2W+HZqHGZHn0i54l02Ui48Oph9koB6pfTvAkYspQ6LI2zh/R/uiAeOHorybTMZ9X0EEwk5GxTuXBUn4f5Ifpd2QkoHeDVWP6MA951PVanfPuXLklwKJm2O70oFKIVE61v52yZbk0L3wAOiYdRTj0igrSEDkmmc9iHorGdbDCI3CkZHpOMMl37zdIwCvbpHaCnSBpKEuQ0PmvRtAw9ydM3FhVpTxNVh3KhTgvGBBYwrGXOZuKOayLGvQ16pYmTSPoN6DNRFSLjmE/BOjwKnYfZU0C0qkpGPlNLSUteuLLvHtzlS8IOSboOspreQJMVaSRpg+Qp1/cV0XGEhmU/CWVTYqkNx5QtfgaxWllrKrQxNW0WMDJmnQI83scsAiweSFUffsfiX8BCMjHkD2nvlXCz6vzUcJ7Zn0bDPoHcv/uG7efZbsJXLie1PxQiGwFYpuyr0b7+A+RVgx0G/WNwKJIUjFC7acI7jY4dGE04zKe1STYhMhoc1gjKGhXe0BG73LAX/O5/x6W4iYUyc4n0HL7gLwlbpfR3zLkvuiiAtzFeKGRr+SF24mj95pfw+MPFoKEi9htLdPgHxTYomfQ+1I8R7Iya0sHtyW2fI/1e5XzJOMHub/tYh5y9h0UqE5n7ByapRMyj0mOrKXXPUoT4btQDz0U6aNRX+MrlwMsuXYjSfUCuXmy30RKQImmT+9vaukIq1CX7WJ2LQ8fHaYACnp
+    TRIGGER_API_URL: AgAOwyGxQEScm5T3Hh1armqqcEcMEo0v5Mwf9JjEf3G+3svlDDPGHlyHdQolcC2YlkX7DhsenEp6rokh1grwyVoruyUc6OmRdRR70+PV5qMgSC3HY6lZ5f2gcGfA0uh9A5sm4qkOw4rliRddpJqKOqDz28zcrcu5RmusPxric+KF6Hcdy+ugqmq0KZl9VU2+D4z3QWkdokHk3WahdLneS4a3bHYC/NIpKyI5SveK6QAaQlU3NXrqKcof6VzDQG20bnCKGo+Y935LgzEIEmWKw2C9lwCV+/RUIjeaK2qzZpeMiZue9zgoq1dyNNjrar9B6zb+rSxcgnbqBolXUAVk1If3+egVNEaB9SjU22n+WoTA6HK1MOSwsaMtf1Tug/8nSQfFHdw1nZzBVtiVaFMtzmg0aKyrUpAYyz4XTn6xn9EhEKgcPSaWINf4zVcmceLOYenOP/y7S3cVx9KHBjUNGf/eDJVmXSiOzeguIJBfdEOla/lqv7Zx2/wvfHeEdurn5ENTkG2aQAekIvWiJ1HzPwrKKR6WcBpNTgjoDRMNxVoMcZ3QB9iJlp3AoLfJW72B2soTVeIikcNlT0Q0S91hiqvEcE+WuE5bDSttzhnb9nvEJXz6gC6AykCKH1VLIJJuiMI6R7V9z8fo7pFVXbQsM10VUph/9vxhib2XZ1c/25YMfj5vaI1+N7UiVDFlEfE2YJQMwd2vj+wTa3wHJz+2KXc/9rhBoaIpznN4LmKR6g==
+  template:
+    metadata:
+      creationTimestamp: null
+      name: ssr-secret
+      namespace: public-services
+    type: Opaque