Auto-update README with current k8s applications

Generated by CI/CD workflow on 2026-05-05 13:28:22

This PR updates the README.md file with the current list of applications found in the k8s/ directory structure.

k8s/apps/gitea/deployment.yaml

@@ -70,7 +70,7 @@ kind: Deployment
 metadata:
   name: gitea-runner
 spec:
-  replicas: 1
+  replicas: 2
   selector:
     matchLabels:
       app: gitea-runner
@@ -79,6 +79,10 @@ spec:
       labels:
         app: gitea-runner
     spec:
+      dnsConfig:
+        options:
+          - name: ndots
+            value: "2"
       tolerations:
         - key: workload
           operator: Equal
@@ -93,38 +97,30 @@ spec:
           emptyDir:
             sizeLimit: 30Gi
       affinity:
+        podAntiAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            - labelSelector:
+                matchLabels:
+                  app: gitea-runner
+              topologyKey: kubernetes.io/hostname
         nodeAffinity:
           preferredDuringSchedulingIgnoredDuringExecution:
-          - weight: 100
+          - weight: 5
             preference:
               matchExpressions:
               - key: kubernetes.io/hostname
                 operator: In
                 values:
                 - uk-desktop.tail2fe2d.ts.net
-          - weight: 50
-            preference:
-              matchExpressions:
-              - key: kubernetes.io/hostname
-                operator: In
-                values:
-                - home.homenet
-          - weight: 30
-            preference:
-              matchExpressions:
-              - key: kubernetes.io/hostname
-                operator: In
-                values:
-                - master.tail2fe2d.ts.net
+                - ai.tail2fe2d.ts.net
           - weight: 10
             preference:
               matchExpressions:
               - key: kubernetes.io/hostname
                 operator: In
                 values:
-                - it.tail2fe2d.ts.net
+                - home.homenet
                 - ch.tail2fe2d.ts.net
-                - us.tail2fe2d.ts.net
       containers:
         - name: gitea-runner
           image: gitea/act_runner:nightly
@@ -144,13 +140,18 @@ spec:
               mountPath: /data
           env:
             - name: GITEA_INSTANCE_URL
+              #value: "http://gitea.gitea.svc.cluster.local"
               value: "https://gt.hexor.cy"
             - name: GITEA_RUNNER_REGISTRATION_TOKEN
               valueFrom:
                 secretKeyRef:
                   name: gitea-runner-act-runner-secrets
                   key: token
+            - name: NODE_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
             - name: GITEA_RUNNER_NAME
-              value: "k8s-runner"
+              value: "$(NODE_NAME)"
             - name: GITEA_RUNNER_LABELS
               value: "ubuntu-latest:docker://ghcr.io/catthehacker/ubuntu:act-latest,ubuntu-22.04:docker://ghcr.io/catthehacker/ubuntu:act-22.04,ubuntu-20.04:docker://ghcr.io/catthehacker/ubuntu:act-20.04"

k8s/apps/mtproxy/secret-reader-ingress.yaml

@@ -1,5 +1,18 @@
 ---
 apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: keycloak-auth
+spec:
+  forwardAuth:
+    address: http://oauth2-proxy.oauth2-proxy.svc:80
+    trustForwardHeader: true
+    authResponseHeaders:
+      - X-Auth-Request-User
+      - X-Auth-Request-Email
+      - X-Auth-Request-Groups
+---
+apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
   name: secret-reader
@@ -13,7 +26,6 @@ spec:
       kind: Rule
       middlewares:
         - name: keycloak-auth
-          namespace: oauth2-proxy
       services:
         - name: secret-reader
           port: 80

k8s/core/oauth2-proxy/external-secrets.yaml

@@ -10,10 +10,10 @@ spec:
     template:
       type: Opaque
       data:
-        client_id: oauth2-proxy
-        client_secret: |-
+        client-id: oauth2-proxy
+        client-secret: |-
           {{ .client_secret }}
-        cookie_secret: |-
+        cookie-secret: |-
           {{ .cookie_secret }}
   data:
     - secretKey: client_secret
@@ -25,7 +25,7 @@ spec:
         conversionStrategy: Default
         decodingStrategy: None
         metadataPolicy: None
-        key: PLACEHOLDER_VAULTWARDEN_ITEM_ID
+        key: e62e8c4d-d538-43b2-a682-9cdf2a5a1165
         property: login.password
     - secretKey: cookie_secret
       sourceRef:
@@ -36,5 +36,5 @@ spec:
         conversionStrategy: Default
         decodingStrategy: None
         metadataPolicy: None
-        key: PLACEHOLDER_VAULTWARDEN_ITEM_ID
+        key: e62e8c4d-d538-43b2-a682-9cdf2a5a1165
         property: fields[0].value

k8s/core/oauth2-proxy/kustomization.yaml

@@ -4,12 +4,11 @@ kind: Kustomization
 resources:
   - app.yaml
   - external-secrets.yaml
-  - middleware.yaml
 
 helmCharts:
   - name: oauth2-proxy
     repo: https://oauth2-proxy.github.io/manifests
-    version: 7.12.6
+    version: 10.4.3
     releaseName: oauth2-proxy
     namespace: oauth2-proxy
     valuesFile: values.yaml

k8s/core/oauth2-proxy/middleware.yaml

@@ -1,15 +1,3 @@
----
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
-  name: keycloak-auth
-  namespace: oauth2-proxy
-spec:
-  forwardAuth:
-    address: http://oauth2-proxy.oauth2-proxy.svc:80/oauth2/auth
-    trustForwardHeader: true
-    authResponseHeaders:
-      - X-Auth-Request-User
-      - X-Auth-Request-Email
-      - X-Auth-Request-Groups
-      - Authorization
+# Middleware is deployed per-namespace alongside each IngressRoute
+# because Traefik does not allow cross-namespace middleware references.
+# See k8s/apps/mtproxy/secret-reader-ingress.yaml for example.

k8s/core/oauth2-proxy/values.yaml

@@ -1,6 +1,7 @@
 replicaCount: 1
 
 config:
+  existingSecret: oauth2-proxy-creds
   configFile: |-
     provider = "keycloak-oidc"
     provider_display_name = "Keycloak"
@@ -21,23 +22,6 @@ config:
     code_challenge_method = "S256"
     scope = "openid profile email"
 
-extraEnv:
-  - name: OAUTH2_PROXY_CLIENT_ID
-    valueFrom:
-      secretKeyRef:
-        name: oauth2-proxy-creds
-        key: client_id
-  - name: OAUTH2_PROXY_CLIENT_SECRET
-    valueFrom:
-      secretKeyRef:
-        name: oauth2-proxy-creds
-        key: client_secret
-  - name: OAUTH2_PROXY_COOKIE_SECRET
-    valueFrom:
-      secretKeyRef:
-        name: oauth2-proxy-creds
-        key: cookie_secret
-
 ingress:
   enabled: true
   className: traefik