Auto-update README with current k8s applications

Generated by CI/CD workflow on 2026-05-04 15:53:25

This PR updates the README.md file with the current list of applications found in the k8s/ directory structure.

README.md

@@ -18,7 +18,6 @@ ArgoCD homelab project
 | **external-secrets** | [![external-secrets](https://ag.hexor.cy/api/badge?name=external-secrets&revision=true)](https://ag.hexor.cy/applications/argocd/external-secrets) |
 | **gpu** | [![gpu](https://ag.hexor.cy/api/badge?name=gpu&revision=true)](https://ag.hexor.cy/applications/argocd/gpu) |
 | **kanidm** | [![kanidm](https://ag.hexor.cy/api/badge?name=kanidm&revision=true)](https://ag.hexor.cy/applications/argocd/kanidm) |
-| **keycloak** | [![keycloak](https://ag.hexor.cy/api/badge?name=keycloak&revision=true)](https://ag.hexor.cy/applications/argocd/keycloak) |
 | **kube-system-custom** | [![kube-system-custom](https://ag.hexor.cy/api/badge?name=kube-system-custom&revision=true)](https://ag.hexor.cy/applications/argocd/kube-system-custom) |
 | **kubernetes-dashboard** | [![kubernetes-dashboard](https://ag.hexor.cy/api/badge?name=kubernetes-dashboard&revision=true)](https://ag.hexor.cy/applications/argocd/kubernetes-dashboard) |
 | **longhorn** | [![longhorn](https://ag.hexor.cy/api/badge?name=longhorn&revision=true)](https://ag.hexor.cy/applications/argocd/longhorn) |

k8s/core/kanidm/configmap.yaml

@@ -5,6 +5,7 @@ metadata:
   name: kanidm-config
 data:
   server.toml: |
+    version = "2"
     bindaddress = "[::]:443"
     db_path = "/data/kanidm.db"
     tls_chain = "/certs/tls.crt"

k8s/core/kanidm/ingress.yaml

@@ -1,20 +1,25 @@
 ---
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
+apiVersion: networking.k8s.io/v1
+kind: Ingress
 metadata:
   name: kanidm
   annotations:
     cert-manager.io/cluster-issuer: letsencrypt
+    traefik.ingress.kubernetes.io/router.middlewares: kube-system-https-redirect@kubernetescrd
+    traefik.ingress.kubernetes.io/service.serversscheme: https
 spec:
-  entryPoints:
-    - websecure
-  routes:
-    - match: Host(`auth.hexor.cy`)
-      kind: Rule
-      services:
-        - name: kanidm
-          port: 443
-          scheme: https
-          serversTransport: kanidm-transport
   tls:
+    - hosts:
+        - auth.hexor.cy
       secretName: kanidm-ingress-tls
+  rules:
+    - host: auth.hexor.cy
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: kanidm
+                port:
+                  number: 443

k8s/core/kanidm/kustomization.yaml

@@ -8,4 +8,3 @@ resources:
   - statefulset.yaml
   - service.yaml
   - ingress.yaml
-  - servers-transport.yaml

k8s/core/kanidm/servers-transport.yaml

@@ -1,7 +0,0 @@
----
-apiVersion: traefik.io/v1alpha1
-kind: ServersTransport
-metadata:
-  name: kanidm-transport
-spec:
-  insecureSkipVerify: true

k8s/core/kanidm/statefulset.yaml

@@ -16,13 +16,9 @@ spec:
       labels:
         app: kanidm
     spec:
-      securityContext:
-        runAsUser: 1000
-        runAsGroup: 1000
-        fsGroup: 1000
       containers:
         - name: kanidm
-          image: kanidm/server:1.9.3
+          image: kanidm/server:1.5.0
           ports:
             - containerPort: 443
               name: https

k8s/core/keycloak/app.yaml

@@ -1,21 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: keycloak
-  namespace: argocd
-spec:
-  project: core
-  destination:
-    namespace: keycloak
-    server: https://kubernetes.default.svc
-  source:
-    repoURL: ssh://git@gt.hexor.cy:30022/ab/homelab.git
-    targetRevision: HEAD
-    path: k8s/core/keycloak
-  syncPolicy:
-    automated:
-      selfHeal: true
-      prune: true
-    syncOptions:
-      - CreateNamespace=true
-      - ServerSideApply=true

k8s/core/keycloak/external-secrets.yaml

@@ -1,41 +0,0 @@
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: keycloak-creds
-spec:
-  target:
-    name: keycloak-creds
-    deletionPolicy: Delete
-    template:
-      type: Opaque
-      data:
-        KC_DB_USERNAME: keycloak
-        KC_DB_PASSWORD: |-
-          {{ .db_password }}
-        KC_BOOTSTRAP_ADMIN_USERNAME: admin
-        KC_BOOTSTRAP_ADMIN_PASSWORD: |-
-          {{ .admin_password }}
-  data:
-    - secretKey: db_password
-      sourceRef:
-        storeRef:
-          name: vaultwarden-login
-          kind: ClusterSecretStore
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        metadataPolicy: None
-        key: 2a9deb39-ef22-433e-a1be-df1555625e22
-        property: fields[18].value
-    - secretKey: admin_password
-      sourceRef:
-        storeRef:
-          name: vaultwarden-login
-          kind: ClusterSecretStore
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        metadataPolicy: None
-        key: 9422b636-a91d-40e4-bf98-925b2a3f831d
-        property: login.password

k8s/core/keycloak/kustomization.yaml

@@ -1,14 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-resources:
-  - app.yaml
-  - external-secrets.yaml
-
-helmCharts:
-  - name: keycloakx
-    repo: https://codecentric.github.io/helm-charts
-    version: 7.1.11
-    releaseName: keycloak
-    namespace: keycloak
-    valuesFile: values.yaml

k8s/core/keycloak/values.yaml

@@ -1,81 +0,0 @@
-replicas: 1
-
-image:
-  repository: quay.io/keycloak/keycloak
-  tag: "26.5.6"
-
-command:
-  - "/opt/keycloak/bin/kc.sh"
-  - "start"
-  - "--http-port=8080"
-  - "--hostname-strict=false"
-  - "--proxy-headers=xforwarded"
-
-extraEnvFrom: |
-  - secretRef:
-      name: keycloak-creds
-
-extraEnv: |
-  - name: KC_DB
-    value: postgres
-  - name: KC_DB_URL_HOST
-    value: psql.psql.svc
-  - name: KC_DB_URL_PORT
-    value: "5432"
-  - name: KC_DB_URL_DATABASE
-    value: keycloak
-  - name: KC_HOSTNAME
-    value: auth.hexor.cy
-  - name: KC_HTTP_ENABLED
-    value: "true"
-  - name: KC_HEALTH_ENABLED
-    value: "true"
-  - name: KC_METRICS_ENABLED
-    value: "true"
-  - name: JAVA_OPTS_APPEND
-    value: "-Djgroups.dns.query=keycloak-headless.keycloak.svc"
-
-dbchecker:
-  enabled: true
-
-database:
-  vendor: postgres
-  hostname: psql.psql.svc
-  port: 5432
-  database: keycloak
-  existingSecret: keycloak-creds
-  existingSecretKey: KC_DB_PASSWORD
-
-service:
-  type: ClusterIP
-
-ingress:
-  enabled: true
-  ingressClassName: traefik
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt
-    traefik.ingress.kubernetes.io/router.middlewares: kube-system-https-redirect@kubernetescrd
-  rules:
-    - host: auth.hexor.cy
-      paths:
-        - path: /
-          pathType: Prefix
-  tls:
-    - secretName: keycloak-tls
-      hosts:
-        - auth.hexor.cy
-
-resources:
-  requests:
-    cpu: 200m
-    memory: 512Mi
-  limits:
-    cpu: "1"
-    memory: 1Gi
-
-nodeSelector:
-  kubernetes.io/hostname: master.tail2fe2d.ts.net
-
-tolerations:
-  - key: node-role.kubernetes.io/master
-    effect: NoSchedule

k8s/core/postgresql/external-secrets.yaml

@@ -135,8 +135,6 @@ spec:
           {{ .furumi }}
         USER_furumi_dev: |-
           {{ .furumi_dev }}
-        USER_keycloak: |-
-          {{ .keycloak }}
   data:
     - secretKey: authentik
       sourceRef:
@@ -325,14 +323,4 @@ spec:
         metadataPolicy: None
         key: 2a9deb39-ef22-433e-a1be-df1555625e22
         property: fields[17].value
-    - secretKey: keycloak
-      sourceRef:
-        storeRef:
-          name: vaultwarden-login
-          kind: ClusterSecretStore
-      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        metadataPolicy: None
-        key: 2a9deb39-ef22-433e-a1be-df1555625e22
-        property: fields[18].value
+