From af81bd1588426d35e124123623bd5faa5e3cccee Mon Sep 17 00:00:00 2001
From: Renovate Bot
Date: Wed, 3 Dec 2025 00:02:56 +0000
Subject: [PATCH 01/14] Update searxng/searxng Docker digest to 277cb4b
---
 clusters/default/tools/searxng/searxng.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/clusters/default/tools/searxng/searxng.yml b/clusters/default/tools/searxng/searxng.yml
index 2f7a820..26a686d 100644
--- a/clusters/default/tools/searxng/searxng.yml
+++ b/clusters/default/tools/searxng/searxng.yml
@@ -18,7 +18,7 @@ spec:
 spec:
 containers:
 - name: searxng
- image: searxng/searxng@sha256:faa7118f9167c2c1e09a3fbb9bd87eee0905d76456d297e62e815646afc97037
+ image: searxng/searxng@sha256:277cb4b82fbdd69d88812089a5755860d379de907f09fb511443ff03d35191af
 ports:
 - containerPort: 8080
 env:
From b406a80e0414baf5721e40073f4ebdaf6e6a5a55 Mon Sep 17 00:00:00 2001
From: Renovate Bot
Date: Wed, 3 Dec 2025 00:02:59 +0000
Subject: [PATCH 02/14] Update docker Docker tag to v29.1.1
---
 clusters/default/git-ops/gitea-act/gitea-act.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/clusters/default/git-ops/gitea-act/gitea-act.yml b/clusters/default/git-ops/gitea-act/gitea-act.yml
index a0011f4..6162f70 100644
--- a/clusters/default/git-ops/gitea-act/gitea-act.yml
+++ b/clusters/default/git-ops/gitea-act/gitea-act.yml
@@ -67,7 +67,7 @@ spec:
 - name: runner-data
 mountPath: /data
 - name: daemon
- image: docker:29.0.4-dind
+ image: docker:29.1.1-dind
 env:
 - name: DOCKER_TLS_CERTDIR
 value: /certs
From cbda7f9a797c8308db6b6b6f5998e26118cd2276 Mon Sep 17 00:00:00 2001
From: aggarwalakshun
Date: Wed, 3 Dec 2025 12:05:05 +0530
Subject: [PATCH 03/14] add kubeconform action
---
 .gitea/workflows/kubeconform.yml | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
 create mode 100644 .gitea/workflows/kubeconform.yml
diff --git a/.gitea/workflows/kubeconform.yml b/.gitea/workflows/kubeconform.yml
new file mode 100644
index 0000000..3dc16c1
--- /dev/null
+++ b/.gitea/workflows/kubeconform.yml
@@ -0,0 +1,18 @@
+name: Validate Kubernetes Manifests
+
+on:
+ pull_request:
+ branches: [ main]
+
+jobs:
+ kubeconform:
+ runs-on: ubuntu-latest
+ container:
+ image: ghcr.io/yannh/kubeconform:latest
+ steps:
+ - name: Checkout code
+ run: |
+ git clone https://gitea.akshun-lab.cc/aggarwalakshun/k3s.git /mnt
+ - name: Validate Manifests
+ run: |
+ /kubeconform -verbose -summary -schema-location default -kinds '*' /mnt/**/*.yml
From fec651cc0aebbf1c038351b52639b99f08b5e572 Mon Sep 17 00:00:00 2001
From: aggarwalakshun
Date: Wed, 3 Dec 2025 12:11:35 +0530
Subject: [PATCH 04/14] update kubeconform workflow to use Arch Linux container and install kubeconform
---
 .gitea/workflows/kubeconform.yml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/.gitea/workflows/kubeconform.yml b/.gitea/workflows/kubeconform.yml
index 3dc16c1..1f0c34f 100644
--- a/.gitea/workflows/kubeconform.yml
+++ b/.gitea/workflows/kubeconform.yml
@@ -8,11 +8,14 @@ jobs:
 kubeconform:
 runs-on: ubuntu-latest
 container:
- image: ghcr.io/yannh/kubeconform:latest
+ image: docker.io/archlinux/archlinux:latest
 steps:
+ - name: Setup environment
+ run: |
+ pacman -Syu --noconfirm kubeconform git
 - name: Checkout code
 run: |
 git clone https://gitea.akshun-lab.cc/aggarwalakshun/k3s.git /mnt
 - name: Validate Manifests
 run: |
- /kubeconform -verbose -summary -schema-location default -kinds '*' /mnt/**/*.yml
+ kubeconform -verbose -summary -schema-location default -kinds '*' /mnt/**/*.yml
From 6700fd5efca8e47c7f880e696d4136da88ac6036 Mon Sep 17 00:00:00 2001
From: aggarwalakshun
Date: Wed, 3 Dec 2025 12:17:07 +0530
Subject: [PATCH 05/14] remove -kinds
---
 .gitea/workflows/kubeconform.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.gitea/workflows/kubeconform.yml b/.gitea/workflows/kubeconform.yml
index 1f0c34f..027450e 100644
--- a/.gitea/workflows/kubeconform.yml
+++ b/.gitea/workflows/kubeconform.yml
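Review bot: The `Checkout code` step in this new file clones the default branch from a hard-coded URL, so the `pull_request` trigger validates whatever is on main rather than the pull request's own manifests; the same step is carried unchanged through the hunks at L3-L8 and is only replaced by `actions/checkout@v4` in the refactor at L9. The glob `/mnt/**/*.yml` handed to kubeconform also relies on globstar, which the default `sh` does not enable, so `**` matches a single directory level and manifests nested deeper are silently skipped. Replacing the clone with `uses: actions/checkout@v4` and the glob with a `find` over the checkout (as the later hunks do) addresses both, and would make the job's result attributable to the change under review.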
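Review bot: `pacman -Syu --noconfirm kubeconform git` on `docker.io/archlinux/archlinux:latest` means the kubeconform binary that gates pull requests is whatever Arch ships on the day the job runs, on top of a floating image tag, so validation results can change between runs with no change to this repository. The cluster images in this series are digest-pinned by Renovate (L1), but nothing pins this toolchain, and the hunks at L3 and L9 keep extending the same package line. Pinning the image by digest (or returning to a kubeconform image pinned by digest) and printing `kubeconform -v` at the start of the validate step would at least make a sudden failure traceable to an upstream update rather than to the PR.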
@@ -18,4 +18,4 @@ jobs:
 git clone https://gitea.akshun-lab.cc/aggarwalakshun/k3s.git /mnt
 - name: Validate Manifests
 run: |
- kubeconform -verbose -summary -schema-location default -kinds '*' /mnt/**/*.yml
+ kubeconform -verbose -summary -schema-location default /mnt/**/*.yml
From 8cf09a25a3acda7e1ab1146e9eb825f898c372da Mon Sep 17 00:00:00 2001
From: aggarwalakshun
Date: Wed, 3 Dec 2025 12:22:47 +0530
Subject: [PATCH 06/14] update kubeconform workflow to install findutils and improve manifest validation command
---
 .gitea/workflows/kubeconform.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.gitea/workflows/kubeconform.yml b/.gitea/workflows/kubeconform.yml
index 027450e..feec6b6 100644
--- a/.gitea/workflows/kubeconform.yml
+++ b/.gitea/workflows/kubeconform.yml
@@ -12,10 +12,10 @@ jobs:
 steps:
 - name: Setup environment
 run: |
- pacman -Syu --noconfirm kubeconform git
+ pacman -Syu --noconfirm kubeconform git findutils
 - name: Checkout code
 run: |
 git clone https://gitea.akshun-lab.cc/aggarwalakshun/k3s.git /mnt
 - name: Validate Manifests
 run: |
- kubeconform -verbose -summary -schema-location default /mnt/**/*.yml
+ find /mnt -type f \( -iname "*.yml" -o -iname "*.yaml" \) -print0 | xargs -0 --no-run-if-empty kubeconform -verbose -summary -schema-location default
From 4b10b0cda6715f028edf8bbafb2f9a001dcc0b02 Mon Sep 17 00:00:00 2001
From: aggarwalakshun
Date: Wed, 3 Dec 2025 12:31:09 +0530
Subject: [PATCH 07/14] remove '*.yaml' and add schemas
---
 .gitea/workflows/kubeconform.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.gitea/workflows/kubeconform.yml b/.gitea/workflows/kubeconform.yml
index feec6b6..0f34633 100644
--- a/.gitea/workflows/kubeconform.yml
+++ b/.gitea/workflows/kubeconform.yml
@@ -18,4 +18,4 @@ jobs:
 git clone https://gitea.akshun-lab.cc/aggarwalakshun/k3s.git /mnt
 - name: Validate Manifests
 run: |
- find /mnt -type f \( -iname "*.yml" -o -iname "*.yaml" \) -print0 | xargs -0 --no-run-if-empty kubeconform -verbose -summary -schema-location default
+ find /mnt -type f \( -iname "*.yml" \) -print0 | xargs -0 --no-run-if-empty kubeconform -verbose -summary -schema-location default -schema-location 'https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/bitnami.com/sealedsecret_v1alpha1.json' -schema-location 'https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/helm.toolkit.fluxcd.io/helmrelease_v2.json'
From dad9ac0a27719a988d2d5d04076d7b9220098b54 Mon Sep 17 00:00:00 2001
From: aggarwalakshun
Date: Wed, 3 Dec 2025 12:46:53 +0530
Subject: [PATCH 08/14] add more schemas
---
 .gitea/workflows/kubeconform.yml | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/.gitea/workflows/kubeconform.yml b/.gitea/workflows/kubeconform.yml
index 0f34633..bf441b2 100644
--- a/.gitea/workflows/kubeconform.yml
+++ b/.gitea/workflows/kubeconform.yml
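Review bot: The two literal `-schema-location` URLs are not keyed on the resource kind: kubeconform treats every location as a template and uses the first one that returns a document, so a kind that is absent from `default` is checked against the SealedSecret schema whatever its `kind` actually is, and the extra URLs appended at L5 and L7 only move the same mismatch further down the list. The catalog's `<group>/<kind>_<version>.json` layout is meant to be reached through one templated location, `-schema-location 'https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/{{ .Group }}/{{ .ResourceKind }}_{{ .ResourceAPIVersion }}.json'`, which resolves each kind to its own schema and needs no per-kind list. Dropping `-iname "*.yaml"` in the same line also means no `.yaml` manifest is validated at all, which looks like a blunt way to exclude a single problem file.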
@@ -18,4 +18,11 @@ jobs:
 git clone https://gitea.akshun-lab.cc/aggarwalakshun/k3s.git /mnt
 - name: Validate Manifests
 run: |
- find /mnt -type f \( -iname "*.yml" \) -print0 | xargs -0 --no-run-if-empty kubeconform -verbose -summary -schema-location default -schema-location 'https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/bitnami.com/sealedsecret_v1alpha1.json' -schema-location 'https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/helm.toolkit.fluxcd.io/helmrelease_v2.json'
+ find /mnt -type f \( -iname "*.yml" \) -print0 \
+ | xargs -0 --no-run-if-empty kubeconform -verbose -summary \
+ -schema-location default \
+ -schema-location 'https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/bitnami.com/sealedsecret_v1alpha1.json' \
+ -schema-location 'https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/helm.toolkit.fluxcd.io/helmrelease_v2.json'
+ -schema-location 'https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/metallb.io/ipaddresspool_v1beta1.json' \
+ -schema-location 'https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/metallb.io/l2advertisement_v1beta1.json' \
+ -schema-location 'https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/source.toolkit.fluxcd.io/helmrepository_v1.json'
From 6ab97bba0cfbf9c568f7f7c61addc40f5650d7ee Mon Sep 17 00:00:00 2001
From: aggarwalakshun
Date: Wed, 3 Dec 2025 12:47:21 +0530
Subject: [PATCH 09/14] update system-upgrade-plan to use yaml instead of yml
---
 .../{system-upgrade-plan.yml => system-upgrade-plan.yaml} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename clusters/default/system-upgrade/{system-upgrade-plan.yml => system-upgrade-plan.yaml} (100%)
diff --git a/clusters/default/system-upgrade/system-upgrade-plan.yml b/clusters/default/system-upgrade/system-upgrade-plan.yaml
similarity index 100%
rename from clusters/default/system-upgrade/system-upgrade-plan.yml
rename to clusters/default/system-upgrade/system-upgrade-plan.yaml
From f3996fc6325e252143106f7b255f4363f515647c Mon Sep 17 00:00:00 2001
From: aggarwalakshun
Date: Wed, 3 Dec 2025 12:59:11 +0530
Subject: [PATCH 10/14] exclude actions folder and add missing \
---
 .gitea/workflows/kubeconform.yml | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/.gitea/workflows/kubeconform.yml b/.gitea/workflows/kubeconform.yml
index bf441b2..a8374d3 100644
--- a/.gitea/workflows/kubeconform.yml
+++ b/.gitea/workflows/kubeconform.yml
@@ -18,11 +18,14 @@ jobs:
 git clone https://gitea.akshun-lab.cc/aggarwalakshun/k3s.git /mnt
 - name: Validate Manifests
 run: |
- find /mnt -type f \( -iname "*.yml" \) -print0 \
- | xargs -0 --no-run-if-empty kubeconform -verbose -summary \
+ find /mnt -type f \( -name "*.yml" -o -name "*.yaml" \) \
+ -not -path "*/.gitea/*" \
+ -print0 | xargs -0 --no-run-if-empty kubeconform \
+ -verbose \
+ -summary \
 -schema-location default \
 -schema-location 'https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/bitnami.com/sealedsecret_v1alpha1.json' \
- -schema-location 'https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/helm.toolkit.fluxcd.io/helmrelease_v2.json'
+ -schema-location 'https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/helm.toolkit.fluxcd.io/helmrelease_v2.json' \
 -schema-location 'https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/metallb.io/ipaddresspool_v1beta1.json' \
 -schema-location 'https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/metallb.io/l2advertisement_v1beta1.json' \
 -schema-location 'https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/source.toolkit.fluxcd.io/helmrepository_v1.json'
From bb6b1680ec245da71b003db1291d256868458843 Mon Sep 17 00:00:00 2001
From: aggarwalakshun
Date: Wed, 3 Dec 2025 13:01:24 +0530
Subject: [PATCH 11/14] exclude .yaml files
---
 .gitea/workflows/kubeconform.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.gitea/workflows/kubeconform.yml b/.gitea/workflows/kubeconform.yml
index a8374d3..3e760a7 100644
--- a/.gitea/workflows/kubeconform.yml
+++ b/.gitea/workflows/kubeconform.yml
@@ -18,7 +18,7 @@ jobs:
 git clone https://gitea.akshun-lab.cc/aggarwalakshun/k3s.git /mnt
 - name: Validate Manifests
 run: |
- find /mnt -type f \( -name "*.yml" -o -name "*.yaml" \) \
+ find /mnt -type f \( -name "*.yml" \) \
 -not -path "*/.gitea/*" \
 -print0 | xargs -0 --no-run-if-empty kubeconform \
 -verbose \
From c65fef70ff8da4f16ab103a123e1a842b27dc46a Mon Sep 17 00:00:00 2001
From: aggarwalakshun
Date: Wed, 3 Dec 2025 13:07:22 +0530
Subject: [PATCH 12/14] refactor
---
 .gitea/workflows/kubeconform.yml | 76 ++++++++++++++++++++++++++------
 1 file changed, 62 insertions(+), 14 deletions(-)
diff --git a/.gitea/workflows/kubeconform.yml b/.gitea/workflows/kubeconform.yml
index 3e760a7..ee0cb9e 100644
--- a/.gitea/workflows/kubeconform.yml
+++ b/.gitea/workflows/kubeconform.yml
@@ -2,7 +2,7 @@ name: Validate Kubernetes Manifests
 
 on:
 pull_request:
- branches: [ main]
+ branches: [main]
 
 jobs:
 kubeconform:
@@ -12,20 +12,68 @@ jobs:
 steps:
 - name: Setup environment
 run: |
- pacman -Syu --noconfirm kubeconform git findutils
+ pacman -Syu --noconfirm kubeconform git yq nodejs npm
+
 - name: Checkout code
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - name: Create kubeconform configuration
 run: |
- git clone https://gitea.akshun-lab.cc/aggarwalakshun/k3s.git /mnt
+ cat > /tmp/kubeconform-config.yaml << 'EOF'
+ schema_location:
+ - default
+ - "https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/{{ .ResourceKind }}_{{ .ResourceAPIVersion }}.json"
+ EOF
+
 - name: Validate Manifests
 run: |
- find /mnt -type f \( -name "*.yml" \) \
- -not -path "*/.gitea/*" \
- -print0 | xargs -0 --no-run-if-empty kubeconform \
- -verbose \
- -summary \
- -schema-location default \
- -schema-location 'https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/bitnami.com/sealedsecret_v1alpha1.json' \
- -schema-location 'https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/helm.toolkit.fluxcd.io/helmrelease_v2.json' \
- -schema-location 'https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/metallb.io/ipaddresspool_v1beta1.json' \
- -schema-location 'https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/metallb.io/l2advertisement_v1beta1.json' \
- -schema-location 'https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/source.toolkit.fluxcd.io/helmrepository_v1.json'
+ # Create a cache directory for schemas
+ mkdir -p /tmp/kubeconform-cache
+
+ # Validate manifests with proper schema resolution
+ find . -type f \( -name "*.yml" \) \
+ -not -path "./.gitea/*" \
+ -exec sh -c '
+ for file do
+ echo "=== Validating: $file ==="
+ if yq -e "select(.kind == \"HelmRelease\")" "$file" >/dev/null 2>&1; then
+ echo "Found HelmRelease - using fluxcd schema"
+ kubeconform \
+ -schema-location "https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/helm.toolkit.fluxcd.io/helmrelease_v2.json" \
+ -output json \
+ "$file"
+ elif yq -e "select(.kind == \"HelmRepository\")" "$file" >/dev/null 2>&1; then
+ echo "Found HelmRepository - using fluxcd schema"
+ kubeconform \
+ -schema-location "https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/source.toolkit.fluxcd.io/helmrepository_v1.json" \
+ -output json \
+ "$file"
+ elif yq -e "select(.kind == \"L2Advertisement\")" "$file" >/dev/null 2>&1; then
+ echo "Found L2Advertisement - using metallb schema"
+ kubeconform \
+ -schema-location "https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/metallb.io/l2advertisement_v1beta1.json" \
+ -output json \
+ "$file"
+ elif yq -e "select(.kind == \"IPAddressPool\")" "$file" >/dev/null 2>&1; then
+ echo "Found IPAddressPool - using metallb schema"
+ kubeconform \
+ -schema-location "https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/metallb.io/ipaddresspool_v1beta1.json" \
+ -output json \
+ "$file"
+ elif yq -e "select(.kind == \"SealedSecret\")" "$file" >/dev/null 2>&1; then
+ echo "Found SealedSecret - using bitnami schema"
+ kubeconform \
+ -schema-location "https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/bitnami.com/sealedsecret_v1alpha1.json" \
+ -output json \
+ "$file"
+ else
+ echo "Validating with default schemas"
+ kubeconform \
+ -schema-location default \
+ -output json \
+ "$file"
+ fi
+ done
+ ' sh {} +
From 60a0827608fb6c295048ccd555523b8af3c2a640 Mon Sep 17 00:00:00 2001
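Review bot: The validation step can no longer fail the job: `find -exec sh -c '…' sh {} +` only propagates the exit status of the last command in each `sh` invocation, so a kubeconform error on any file but the last is printed and then forgotten, and `-output json` without `-summary` drops the per-run totals as well. The `yq` dispatch chain, the `/tmp/kubeconform-config.yaml` written by the new `Create kubeconform configuration` step (nothing in the hunk reads it, and its template lacks the catalog's group directory) and the `mkdir -p /tmp/kubeconform-cache` that is never handed to `-cache` can all be replaced by a single kubeconform run with one templated `-schema-location`, which also copes with multi-document files where `select(.kind == …)` matches only one of the documents. With `xargs` in front, a non-zero exit from any kubeconform invocation fails the step again; the `-not -path` filter and the earlier steps are unchanged.
```yaml
      - name: Validate Manifests
        run: |
          # Cache downloaded schemas between invocations within this run.
          mkdir -p /tmp/kubeconform-cache
          # One kubeconform run over every manifest; the templated catalog
          # location resolves each CRD kind to its own schema, so no per-kind
          # dispatch is needed and a failing file fails the step via xargs.
          find . -type f \( -name "*.yml" \) \
            -not -path "./.gitea/*" \
            -print0 | xargs -0 --no-run-if-empty kubeconform \
              -summary \
              -cache /tmp/kubeconform-cache \
              -schema-location default \
              -schema-location 'https://raw.githubusercontent.com/datreeio/CRDs-catalog/refs/heads/main/{{ .Group }}/{{ .ResourceKind }}_{{ .ResourceAPIVersion }}.json'
```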
From: aggarwalakshun
Date: Wed, 3 Dec 2025 13:11:45 +0530
Subject: [PATCH 13/14] exclude system-upgrade
---
 .gitea/workflows/kubeconform.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.gitea/workflows/kubeconform.yml b/.gitea/workflows/kubeconform.yml
index ee0cb9e..2225880 100644
--- a/.gitea/workflows/kubeconform.yml
+++ b/.gitea/workflows/kubeconform.yml
@@ -35,6 +35,7 @@ jobs:
 # Validate manifests with proper schema resolution
 find . -type f \( -name "*.yml" \) \
 -not -path "./.gitea/*" \
+ -not -path "./clusters/default/system-upgrade/*" \
 -exec sh -c '
 for file do
 echo "=== Validating: $file ==="
From 9ccf1ae286cf3ba5a2fc55984bd0cc3355806986 Mon Sep 17 00:00:00 2001
From: aggarwalakshun
Date: Wed, 3 Dec 2025 13:22:23 +0530
Subject: [PATCH 14/14] ignore .gitea/workflows/ for renovate
---
 renovate.json | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/renovate.json b/renovate.json
index 4ce48a5..fe210d7 100644
--- a/renovate.json
+++ b/renovate.json
@@ -5,7 +5,8 @@
 ],
 "prHourlyLimit": 0,
 "ignorePaths": [
- "**/disabled/**"
+ "**/disabled/**",
+ "**/.gitea/workflows/**"
 ],
 "flux": {
 "managerFilePatterns": [
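Review bot: `-not -path "./clusters/default/system-upgrade/*"` excludes a whole directory from validation rather than the one kind that has no schema, so any manifest added under that path later is silently never checked. kubeconform can skip by kind instead, `-skip Plan` (or the full group/version/kind), or be given the `upgrade.cattle.io` schema through a templated catalog location if the catalog carries it; either keeps the rest of that directory under validation. The `find` command this line belongs to starts and continues outside the hunk.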
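Review bot: Adding `**/.gitea/workflows/**` to `ignorePaths` stops Renovate from tracking the workflow's own dependencies, so `actions/checkout@v4` and `docker.io/archlinux/archlinux:latest` from the hunk at L9 stay on mutable tags indefinitely while the cluster images (L1) keep receiving digest pins. If the intent is only to silence noisy PRs, a `packageRules` entry that disables or groups updates for that path keeps those references visible; if the path really must be ignored, pin the action to a commit SHA first so the file Renovate no longer watches is at least immutable. The `flux` object that follows the hunk is cut off here.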