Merge pull request 'Update Immich containers to v1.141.1' (#590) from renovate/immich-app-images into main

Reviewed-on: #590

README.md

@@ -1,7 +1,7 @@
 # Kluster setup and IaaC using argoCD
 
 
-### Initial setup
+### Description
 #### Requirements:
 - A running k3s instance
 - `sealedsecrets` deployed
@@ -27,20 +27,21 @@ The app-of-apps will bootstrap a fully featured cluster with the following compo
     - immich
     - ...
 
-#### Recap
+## Setup instructions
-- install sealedsecrets see [README](./infrastructure/sealedsecrets/README.md)
+1. install sealedsecrets see [README](./infrastructure/sealedsecrets/README.md)
     ```bash
     kubectl apply -k infrastructure/sealedsecrets
     kubectl apply -f infrastructure/sealedsecrets/main.key
     kubectl delete pod -n kube-system -l name=sealed-secrets-controller
     ```
-- install argocd
+1. install argocd and the app-of-apps bundled with it
     ```bash
     kubectl apply -k infrastructure/argocd
     ```
-- wait...
 
 
+> NOTE: The argocd kustomization already mentions some CRDs available only after the full bootstrapping (traefik). You might have to apply the last step twice
+
 ### Adding an application
 todo
 

apps/adguard/kustomization.yaml

@@ -10,7 +10,7 @@ resources:
 images:
   - name: adguard/adguardhome
     newName: adguard/adguardhome
-    newTag: v0.107.63
+    newTag: v0.107.65
 
 namespace: adguard
 

apps/audiobookshelf/kustomization.yaml

@@ -12,4 +12,4 @@ namespace: audiobookshelf
 images:
   - name: audiobookshelf
     newName: ghcr.io/advplyr/audiobookshelf
-    newTag: "2.25.1"
+    newTag: "2.29.0"

apps/files/kustomization.yaml

@@ -13,4 +13,4 @@ namespace: files
 images:
   - name: ocis
     newName: owncloud/ocis
-    newTag: "7.1.3"
+    newTag: "7.2.0"

apps/finance/kustomization.yaml

@@ -14,4 +14,4 @@ resources:
 images:
   - name: actualbudget
     newName: actualbudget/actual-server
-    newTag: 25.6.1
+    newTag: 25.9.0

apps/grafana/kustomization.yaml

@@ -17,5 +17,5 @@ helmCharts:
   - releaseName: grafana
     name: grafana
     repo: https://grafana.github.io/helm-charts
-    version: 9.2.9
+    version: 9.4.5
     valuesFile: grafana.values.yaml

apps/homeassistant/kustomization.yaml

@@ -15,4 +15,4 @@ resources:
 images:
   - name: homeassistant
     newName: homeassistant/home-assistant
-    newTag: "2025.6"
+    newTag: "2025.9"

apps/immich/immich.postgres.yaml

@@ -0,0 +1,39 @@
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+  name: immich-postgresql
+spec:
+  instances: 1
+  imageName: ghcr.io/tensorchord/cloudnative-vectorchord:16-0.3.0
+
+  bootstrap:
+    initdb:
+      owner: immich
+      database: immich
+      secret:
+        name: postgres-password
+      dataChecksums: true
+      postInitApplicationSQL:
+        - ALTER USER immich WITH SUPERUSER;
+        - CREATE EXTENSION IF NOT EXISTS vchord CASCADE;
+        - CREATE EXTENSION IF NOT EXISTS "cube";
+        - CREATE EXTENSION IF NOT EXISTS "earthdistance";
+
+  postgresql:
+    shared_preload_libraries:
+      - "vchord.so"
+
+  storage:
+    size: 5Gi
+    storageClass: nfs-client
+
+  monitoring:
+    enablePodMonitor: true
+
+  resources:
+    limits:
+      cpu: 2
+      memory: 1024Mi
+    requests:
+      cpu: 50m
+      memory: 512Mi

apps/immich/kustomization.yaml

@@ -1,10 +1,10 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-resources: 
+resources:
   - namespace.yaml
   - ingress.yaml
   - pvc.yaml
-  - postgres.yaml
+  - immich.postgres.yaml
   - postgres.sealedsecret.yaml
   - servicemonitor.yaml
 
@@ -22,9 +22,9 @@ helmCharts:
 
 images:
   - name: ghcr.io/immich-app/immich-machine-learning
-    newTag: v1.132.3
+    newTag: v1.141.1
   - name: ghcr.io/immich-app/immich-server
-    newTag: v1.132.3
+    newTag: v1.141.1
 
 
 patches:

apps/immich/values.yaml

@@ -6,8 +6,8 @@
 
 env:
   REDIS_HOSTNAME: '{{ printf "%s-redis-master" .Release.Name }}'
-  DB_HOSTNAME: "immich-postgres-rw"
+  DB_HOSTNAME: "immich-postgresql-rw"
-  DB_USERNAME: 
+  DB_USERNAME:
     valueFrom:
       secretKeyRef:
         name: postgres-password
@@ -56,7 +56,7 @@ machine-learning:
   persistence:
     cache:
       enabled: true
-      size: 10Gi
+      size: 200Gi
       # Optional: Set this to pvc to avoid downloading the ML models every start.
       type: emptyDir
       accessMode: ReadWriteMany

apps/kitchenowl/kustomization.yaml

@@ -14,4 +14,4 @@ namespace: kitchenowl
 images:
   - name: kitchenowl
     newName: tombursch/kitchenowl
-    newTag: v0.7.1
+    newTag: v0.7.3

apps/linkding/kustomization.yaml

@@ -13,4 +13,4 @@ namespace: linkding
 images:
   - name: linkding
     newName: sissbruecker/linkding
-    newTag: "1.41.0"
+    newTag: "1.42.0"

apps/minecraft/job.yaml

@@ -42,7 +42,7 @@ spec:
               name: curseforge-api
               key: key
         - name: CF_PAGE_URL
-          value: "https://www.curseforge.com/minecraft/modpacks/vault-hunters-1-18-2/files/5925838"
+          value: "https://www.curseforge.com/minecraft/modpacks/vault-hunters-1-18-2/files/6807187"
         - name: VERSION
           value: "1.18.2"
         - name: INIT_MEMORY

apps/minecraft/kustomization.yaml

@@ -21,4 +21,4 @@ images:
     newTag: "3.22"
   - name: rsync
     newName: eeacms/rsync
-    newTag: "2.6"
+    newTag: "2.7"

apps/ntfy/kustomization.yaml

@@ -13,4 +13,4 @@ resources:
 images:
   - name: binwiederhier/ntfy
     newName: binwiederhier/ntfy
-    newTag: v2.12.0
+    newTag: v2.14.0

apps/paperless/kustomization.yaml

@@ -14,14 +14,14 @@ namespace: paperless
 images:
   - name: paperless
     newName: ghcr.io/paperless-ngx/paperless-ngx
-    newTag: "2.17.1"
+    newTag: "2.18.4"
 
 
 helmCharts:
   - name: redis
     releaseName: redis
     repo: https://charts.bitnami.com/bitnami
-    version: 21.2.6
+    version: 22.0.7
     valuesInline:
       auth:
         enabled: false

apps/recipes/kustomization.yaml

@@ -13,5 +13,5 @@ resources:
 
 images:
   - name: mealie
-    newTag: v2.8.0
+    newTag: v3.1.2
     newName: ghcr.io/mealie-recipes/mealie

apps/stump/kustomization.yaml

@@ -14,4 +14,4 @@ namespace: stump
 images:
   - name: stump
     newName: aaronleopold/stump
-    newTag: "0.0.10"
+    newTag: "0.0.11"

infrastructure/argocd/kustomization.yaml

@@ -4,7 +4,7 @@ kind: Kustomization
 namespace: argocd
 resources:
   - namespace.yaml
-  - https://github.com/argoproj/argo-cd//manifests/cluster-install?timeout=120&ref=v3.0.9
+  - https://github.com/argoproj/argo-cd//manifests/cluster-install?timeout=120&ref=v3.0.12
   - ingress.yaml
   - argo-apps.application.yaml
   - bootstrap-repo.sealedsecret.yaml

infrastructure/authelia/kustomization.yaml

@@ -27,6 +27,6 @@ images:
 helmCharts:
   - name: authelia
     releaseName: authelia
-    version: 0.10.34
+    version: 0.10.46
     repo: https://charts.authelia.com
     valuesFile: authelia.values.yaml

infrastructure/external-dns/kustomization.yaml

@@ -11,8 +11,8 @@ resources:
 images:
   - name: octodns
     newName: octodns/octodns # has all plugins
-    newTag: "2025.06"
+    newTag: "2025.07"
 
   - name: git
     newName: alpine/git
-    newTag: "v2.49.0"
+    newTag: "v2.49.1"

infrastructure/gitea/kustomization.yaml

@@ -23,6 +23,6 @@ helmCharts:
   - name: gitea
     namespace: gitea # needs to be set explicitly for svc to be referenced correctly
     releaseName: gitea
-    version: 12.0.0
+    version: 12.2.0
     valuesFile: gitea.values.yaml
     repo: https://dl.gitea.io/charts/

infrastructure/metallb-system/ipaddresspool.yaml

@@ -2,7 +2,6 @@ apiVersion: metallb.io/v1beta1
 kind: IPAddressPool
 metadata:
   name: default
-  namespace: metallb-system
 spec:
   addresses:
     - 192.168.3.0/24
@@ -10,5 +9,8 @@ spec:
 apiVersion: metallb.io/v1beta1
 kind: L2Advertisement
 metadata:
-  name: empty
+  name: default
-  namespace: metallb-system
+# selector is left empty on purpose to match all IPAddressPools
+# spec:
+#   ipAddressPools:
+#   - default

infrastructure/metallb-system/kustomization.yaml

@@ -1,15 +1,12 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-resources: 
-  - namespace.yaml
-  - ipaddresspool.yaml
 
 namespace: metallb-system
 
+resources:
+  # - namespace.yaml
+  # namespace is already included in the remote kustomization
+  # - github.com/metallb/metallb/config/native?ref=v0.15.2
+  - github.com/metallb/metallb/config/frr?ref=v0.15.2
+  - ipaddresspool.yaml
 
-helmCharts:
-  - name: metallb
-    repo: https://metallb.github.io/metallb
-    version: 0.15.2
-    releaseName: metallb
-    valuesFile: values.yaml

infrastructure/metallb-system/namespace.yaml

@@ -1,6 +1,6 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: placeholder
+  name: metallb-system
-  labels:
+  # labels:
-    pod-security.kubernetes.io/enforce: privileged 
+    # pod-security.kubernetes.io/enforce: privileged

infrastructure/monitoring/kustomization.yaml

@@ -6,7 +6,7 @@ namespace: monitoring
 resources: 
   - namespace.yaml
   # prometheus-operator crds
-  - https://github.com/prometheus-operator/prometheus-operator?ref=v0.83.0
+  - https://github.com/prometheus-operator/prometheus-operator?ref=v0.84.0
   # single prometheus instance with a thanos sidecar
   - prometheus.yaml
   - thanos-store.statefulset.yaml
@@ -17,17 +17,17 @@ resources:
 images:
   - name: thanos
     newName: quay.io/thanos/thanos
-    newTag: v0.39.1
+    newTag: v0.39.2
 
 
 helmCharts:
   - name: loki
     releaseName: loki
     repo: https://grafana.github.io/helm-charts
-    version: 6.30.1
+    version: 6.39.0
     valuesFile: loki.values.yaml
   - name: prometheus-node-exporter
     releaseName: prometheus-node-exporter
     repo: https://prometheus-community.github.io/helm-charts
-    version: 4.47.1
+    version: 4.47.3
     valuesFile: prometheus-node-exporter.values.yaml

infrastructure/monitoring/loki.values.yaml

@@ -30,7 +30,6 @@ loki:
     filesystem:
       chunks_directory: /var/loki/chunks
       rules_directory: /var/loki/rules
-      admin_api_directory: /var/loki/admin
 
 minio:
   enabled: false

infrastructure/sealedsecrets/kustomization.yaml

@@ -9,4 +9,4 @@ resources:
 images:
   - name: controller
     newName: docker.io/bitnami/sealed-secrets-controller
-    newTag: 0.30.0
+    newTag: 0.31.0

infrastructure/traefik-system/configmap.yaml

@@ -5,15 +5,15 @@ metadata:
 data:
   traefik.toml: |
     [ping]
-    
+
     [global]
       checkNewVersion = false
       # renovate does that
       sendAnonymousUsage = false
-    
+
     [log]
       level = "INFO"
-    
+
     [accessLog]
       [accessLog.fields]
         defaultMode = "keep"
@@ -41,17 +41,17 @@ data:
       dashboard = true
       insecure = true
       debug = false
- 
+
     [providers]
       [providers.kubernetesCRD]
         allowCrossNamespace = true
       [providers.kubernetesIngress]
         allowExternalNameServices = true
-        ingressClass = "traefik"    
+        ingressClass = "traefik"
 
     [serversTransport]
       insecureSkipVerify = true
- 
+
     [entryPoints]
       [entryPoints.web]
         address = ":8000"
@@ -66,13 +66,13 @@ data:
         [entryPoints.websecure.forwardedHeaders]
           insecure = true
           # forward ip headers no matter where they come from
-      
+
       [entryPoints.metrics]
         address = ":9100"
-      
+
       [entryPoints.traefik]
-        address = ":9000"
+        address = ":8080"
-      
+
       [entryPoints.dnsovertls]
         address = ":8853"
         # route dns over https to other pods but provide own certificate

infrastructure/traefik-system/kustomization.yaml

@@ -13,6 +13,6 @@ namespace: traefik-system
 helmCharts:
   - name: traefik
     releaseName: traefik
-    version: 36.2.0
+    version: 36.3.0
     valuesFile: values.yaml
     repo: https://traefik.github.io/charts

infrastructure/traefik-system/values.yaml

@@ -23,8 +23,7 @@ ingressClass:
   # true is not unit-testable yet, pending https://github.com/rancher/helm-unittest/pull/12
   enabled: true
   isDefaultClass: true
-  # Use to force a networking.k8s.io API Version for certain CI/CD applications. E.g. "v1beta1"
+
-  fallbackApiVersion: ""
 
 # Activate Pilot integration
 pilot:
@@ -67,10 +66,11 @@ providers:
   kubernetesIngress:
     enabled: true
     allowExternalNameServices: true
-    ingressClass: traefik
+    # Ingresses missing the annotation, having an empty value, or the value traefik are processed by default.
+    # ingressClass: traefik
     # labelSelector: environment=production,method=traefik
 
-  
+
 
 # Additional volumeMounts to add to the Traefik container
 additionalVolumeMounts: