chore(deps-bump): auto bumped helm dependencies

charts/argocd/Chart.lock

@@ -1,6 +1,6 @@
 dependencies:
 - name: argo-cd
   repository: https://argoproj.github.io/argo-helm
-  version: 8.0.1
-digest: sha256:ba6c49d64851ea12a80e5c30e96ce38ebff712aa90678955595479f613e12089
-generated: "2025-05-14T10:23:53.65818767Z"
+  version: 9.1.4
+digest: sha256:cc401eb6b6d70a7b656a9c6bb6b235204238dcd7f15263e72cfa77f67225d188
+generated: "2025-11-26T10:26:00.694755019Z"

charts/argocd/Chart.yaml

@@ -2,11 +2,11 @@ apiVersion: v2
 name: argocd
 description: A Helm chart for Kubernetes
 type: application
-version: 0.1.3
+version: 0.1.4
 appVersion: "2.14.4"
 dependencies:
   - name: argo-cd
-    version: 8.0.1
+    version: 9.1.4
     repository: "https://argoproj.github.io/argo-helm"
     alias: argocd
 maintainers:

charts/cert-manager/Chart.lock

@@ -1,12 +1,12 @@
 dependencies:
 - name: cert-manager
   repository: https://charts.jetstack.io
-  version: v1.17.2
+  version: v1.19.1
 - name: gcp-workload-identity
   repository: https://edixos.github.io/ekp-helm
   version: 0.1.1
 - name: gcp-iam-policy-members
   repository: https://edixos.github.io/ekp-helm
   version: 0.1.2
-digest: sha256:332d9476ee0ae270e6ab49c0a8474c4a9ded472b0198920ab2f457119509c2f8
-generated: "2025-05-07T10:23:12.154607043Z"
+digest: sha256:da99755d669db105cefe55543db5618f1ef1adaccf4009e3f030bcba665b87f6
+generated: "2025-11-26T10:26:15.933751003Z"

charts/cert-manager/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: cert-manager
 description: A Helm chart for cert-manager
 type: application
-version: 0.1.3
+version: 0.1.4
 appVersion: "1.17.1"
 maintainers:
   - name: wiemaouadi
@@ -13,7 +13,7 @@ maintainers:
     url: https://github.com/smileisak
 dependencies:
   - name: cert-manager
-    version: "v1.17.2"
+    version: "v1.19.1"
     repository: "https://charts.jetstack.io"
     alias: certmanager
   - name: gcp-workload-identity

charts/cert-manager/README.md

@@ -1,6 +1,6 @@
 # cert-manager
 
-![Version: 0.1.3](https://img.shields.io/badge/Version-0.1.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.17.1](https://img.shields.io/badge/AppVersion-1.17.1-informational?style=flat-square)
+![Version: 0.1.4](https://img.shields.io/badge/Version-0.1.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.17.1](https://img.shields.io/badge/AppVersion-1.17.1-informational?style=flat-square)
 
 ## Prerequisites
 
@@ -11,7 +11,7 @@
 
 | Repository | Name | Version |
 |------------|------|---------|
-| https://charts.jetstack.io | certmanager(cert-manager) | v1.17.2 |
+| https://charts.jetstack.io | certmanager(cert-manager) | v1.19.1 |
 | https://edixos.github.io/ekp-helm | iamPolicyMembers(gcp-iam-policy-members) | 0.1.2 |
 | https://edixos.github.io/ekp-helm | workloadIdentity(gcp-workload-identity) | 0.1.1 |
 
@@ -84,6 +84,7 @@ A Helm chart for cert-manager
 | certmanager.global.imagePullSecrets | list | `[]` |  |
 | certmanager.global.leaderElection.namespace | string | `"kube-system"` |  |
 | certmanager.global.logLevel | int | `2` |  |
+| certmanager.global.nodeSelector | object | `{}` |  |
 | certmanager.global.podSecurityPolicy.enabled | bool | `false` |  |
 | certmanager.global.podSecurityPolicy.useAppArmor | bool | `true` |  |
 | certmanager.global.priorityClassName | string | `""` |  |
@@ -124,7 +125,7 @@ A Helm chart for cert-manager
 | certmanager.prometheus.servicemonitor.path | string | `"/metrics"` |  |
 | certmanager.prometheus.servicemonitor.prometheusInstance | string | `"default"` |  |
 | certmanager.prometheus.servicemonitor.scrapeTimeout | string | `"30s"` |  |
-| certmanager.prometheus.servicemonitor.targetPort | int | `9402` |  |
+| certmanager.prometheus.servicemonitor.targetPort | string | `"http-metrics"` |  |
 | certmanager.replicaCount | int | `1` |  |
 | certmanager.resources | object | `{}` |  |
 | certmanager.securityContext.runAsNonRoot | bool | `true` |  |
@@ -196,8 +197,10 @@ A Helm chart for cert-manager
 | certmanager.webhook.networkPolicy.egress[0].ports[4].port | int | `6443` |  |
 | certmanager.webhook.networkPolicy.egress[0].ports[4].protocol | string | `"TCP"` |  |
 | certmanager.webhook.networkPolicy.egress[0].to[0].ipBlock.cidr | string | `"0.0.0.0/0"` |  |
+| certmanager.webhook.networkPolicy.egress[0].to[1].ipBlock.cidr | string | `"::/0"` |  |
 | certmanager.webhook.networkPolicy.enabled | bool | `false` |  |
 | certmanager.webhook.networkPolicy.ingress[0].from[0].ipBlock.cidr | string | `"0.0.0.0/0"` |  |
+| certmanager.webhook.networkPolicy.ingress[0].from[1].ipBlock.cidr | string | `"::/0"` |  |
 | certmanager.webhook.nodeSelector."kubernetes.io/os" | string | `"linux"` |  |
 | certmanager.webhook.podDisruptionBudget.enabled | bool | `false` |  |
 | certmanager.webhook.podLabels | object | `{}` |  |
@@ -273,7 +276,7 @@ spec:
 
   source:
     repoURL: "https://edixos.github.io/ekp-helm"
-    targetRevision: "0.1.3"
+    targetRevision: "0.1.4"
     chart: cert-manager
     path: ''
     helm:

charts/cert-manager/values.yaml

@@ -29,6 +29,16 @@ certmanager:
     #    - name: "image-pull-secret"
     imagePullSecrets: []
 
+    # Global node selector
+    #
+    # The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with
+    # matching labels.
+    # For more information, see [Assigning Pods to Nodes](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/).
+    #
+    # If a component-specific nodeSelector is also set, it will take precedence.
+    # +docs:property
+    nodeSelector: {}
+
     # Labels to apply to all resources.
     # Please note that this does not add labels to the resources created dynamically by the controllers.
     # For these resources, you have to add the labels in the template in the cert-manager custom resource:
@@ -45,6 +55,19 @@ certmanager:
     # The optional priority class to be used for the cert-manager pods.
     priorityClassName: ""
 
+    # Set all pods to run in a user namespace without host access.
+    # Experimental: may be removed once the Kubernetes User Namespaces feature is GA.
+    #
+    # Requirements:
+    #   - Kubernetes ≥ 1.33, or
+    #   - Kubernetes 1.27–1.32 with UserNamespacesSupport feature gate enabled.
+    #
+    # Set to false to run pods in a user namespace without host access.
+    #
+    # See [limitations](https://kubernetes.io/docs/concepts/workloads/pods/user-namespaces/#limitations) for details.
+    # +docs:property
+    # hostUsers: false
+
     rbac:
       # Create required ClusterRoles and ClusterRoleBindings for cert-manager.
       create: true
@@ -134,14 +157,14 @@ certmanager:
     enabled: false
 
     # This configures the minimum available pods for disruptions. It can either be set to
-    # an integer (e.g. 1) or a percentage value (e.g. 25%).
+    # an integer (e.g., 1) or a percentage value (e.g., 25%).
     # It cannot be used if `maxUnavailable` is set.
     # +docs:property
     # +docs:type=unknown
     # minAvailable: 1
 
     # This configures the maximum unavailable pods for disruptions. It can either be set to
-    # an integer (e.g. 1) or a percentage value (e.g. 25%).
+    # an integer (e.g., 1) or a percentage value (e.g., 25%).
     # it cannot be used if `minAvailable` is set.
     # +docs:property
     # +docs:type=unknown
@@ -193,7 +216,7 @@ certmanager:
   # Override the "cert-manager.name" value, which is used to annotate some of
   # the resources that are created by this Chart (using "app.kubernetes.io/name").
   # NOTE: There are some inconsistencies in the Helm chart when it comes to
-  # these annotations (some resources use eg. "cainjector.name" which resolves
+  # these annotations (some resources use, e.g., "cainjector.name" which resolves
   # to the value "cainjector").
   # +docs:property
   # nameOverride: "my-cert-manager"
@@ -248,10 +271,10 @@ certmanager:
   #    kubernetesAPIBurst: 9000
   #    numberOfConcurrentWorkers: 200
   #    enableGatewayAPI: true
-  #    # Feature gates as of v1.17.0. Listed with their default values.
+  #    # Feature gates as of v1.18.1. Listed with their default values.
   #    # See https://cert-manager.io/docs/cli/controller/
   #    featureGates:
-  #      AdditionalCertificateOutputFormats: true # BETA - default=true
+  #      AdditionalCertificateOutputFormats: true # GA - default=true
   #      AllAlpha: false # ALPHA - default=false
   #      AllBeta: false # BETA - default=false
   #      ExperimentalCertificateSigningRequestControllers: false # ALPHA - default=false
@@ -263,8 +286,10 @@ certmanager:
   #      ServerSideApply: false # ALPHA - default=false
   #      StableCertificateRequestName: true # BETA - default=true
   #      UseCertificateRequestBasicConstraints: false # ALPHA - default=false
-  #      UseDomainQualifiedFinalizer: true # BETA - default=false
+  #      UseDomainQualifiedFinalizer: true # GA - default=true
   #      ValidateCAA: false # ALPHA - default=false
+  #      DefaultPrivateKeyRotationPolicyAlways: true # BETA - default=true
+  #      ACMEHTTP01IngressPathTypeExact: true # BETA - default=true
   #    # Configure the metrics server for TLS
   #    # See https://cert-manager.io/docs/devops-tips/prometheus-metrics/#tls
   #    metricsTLSConfig:
@@ -295,7 +320,7 @@ certmanager:
   # referencing these signer names will be auto-approved by cert-manager. Defaults to just
   # approving the cert-manager.io Issuer and ClusterIssuer issuers. When set to an empty
   # array, ALL issuers will be auto-approved by cert-manager. To disable the auto-approval,
-  # because eg. you are using approver-policy, you can enable 'disableAutoApproval'.
+  # because, e.g., you are using approver-policy, you can enable 'disableAutoApproval'.
   # ref: https://cert-manager.io/docs/concepts/certificaterequest/#approval
   # +docs:property
   approveSignerNames:
@@ -451,7 +476,6 @@ certmanager:
   # +docs:property
   # no_proxy: 127.0.0.1,localhost
 
-
   # A Kubernetes Affinity, if required. For more information, see [Affinity v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core).
   #
   # For example:
@@ -519,7 +543,7 @@ certmanager:
     # ServiceMonitor resource.
     # Otherwise, 'prometheus.io' annotations are added to the cert-manager and
     # cert-manager-webhook Deployments.
-    # Note that you can not enable both PodMonitor and ServiceMonitor as they are
+    # Note that you cannot enable both PodMonitor and ServiceMonitor as they are
     # mutually exclusive. Enabling both will result in an error.
     enabled: true
 
@@ -539,7 +563,8 @@ certmanager:
 
       # The target port to set on the ServiceMonitor. This must match the port that the
       # cert-manager controller is listening on for metrics.
-      targetPort: 9402
+      # +docs:type=string,integer
+      targetPort: http-metrics
 
       # The path to scrape for metrics.
       path: /metrics
@@ -573,7 +598,7 @@ certmanager:
       # +docs:property
       endpointAdditionalProperties: {}
 
-    # Note that you can not enable both PodMonitor and ServiceMonitor as they are mutually exclusive. Enabling both will result in an error.
+    # Note that you cannot enable both PodMonitor and ServiceMonitor as they are mutually exclusive. Enabling both will result in an error.
     podmonitor:
       # Create a PodMonitor to add cert-manager to Prometheus.
       enabled: false
@@ -723,14 +748,14 @@ certmanager:
       enabled: false
 
       # This property configures the minimum available pods for disruptions. Can either be set to
-      # an integer (e.g. 1) or a percentage value (e.g. 25%).
+      # an integer (e.g., 1) or a percentage value (e.g., 25%).
       # It cannot be used if `maxUnavailable` is set.
       # +docs:property
       # +docs:type=unknown
       # minAvailable: 1
 
       # This property configures the maximum unavailable pods for disruptions. Can either be set to
-      # an integer (e.g. 1) or a percentage value (e.g. 25%).
+      # an integer (e.g., 1) or a percentage value (e.g., 25%).
       # It cannot be used if `minAvailable` is set.
       # +docs:property
       # +docs:type=unknown
@@ -976,6 +1001,8 @@ certmanager:
       - from:
         - ipBlock:
             cidr: 0.0.0.0/0
+        - ipBlock:
+            cidr: "::/0"
 
       # Egress rule for the webhook network policy. By default, it allows all
       # outbound traffic to ports 80 and 443, as well as DNS ports.
@@ -997,6 +1024,8 @@ certmanager:
         to:
         - ipBlock:
             cidr: 0.0.0.0/0
+        - ipBlock:
+            cidr: "::/0"
 
     # Additional volumes to add to the cert-manager controller pod.
     volumes: []
@@ -1090,14 +1119,14 @@ certmanager:
       enabled: false
 
       # `minAvailable` configures the minimum available pods for disruptions. It can either be set to
-      # an integer (e.g. 1) or a percentage value (e.g. 25%).
+      # an integer (e.g., 1) or a percentage value (e.g., 25%).
       # Cannot be used if `maxUnavailable` is set.
       # +docs:property
       # +docs:type=unknown
       # minAvailable: 1
 
       # `maxUnavailable` configures the maximum unavailable pods for disruptions. It can either be set to
-      # an integer (e.g. 1) or a percentage value (e.g. 25%).
+      # an integer (e.g., 1) or a percentage value (e.g., 25%).
       # Cannot be used if `minAvailable` is set.
       # +docs:property
       # +docs:type=unknown

charts/dex/Chart.lock

@@ -1,12 +1,12 @@
 dependencies:
 - name: dex
   repository: https://charts.dexidp.io
-  version: 0.23.0
+  version: 0.24.0
 - name: gcp-workload-identity
   repository: https://edixos.github.io/ekp-helm
   version: 0.1.1
 - name: gcp-iam-policy-members
   repository: https://edixos.github.io/ekp-helm
   version: 0.1.2
-digest: sha256:33de3c86abf097766978c659379862374f824ee040c17dd22afac6b98bf07c5c
-generated: "2025-04-28T15:46:20.243117+02:00"
+digest: sha256:ee18d7f42c735677da0e9aba79f1050aa71aad98c79a067c20f2029ee077c5a8
+generated: "2025-11-26T10:27:29.468809248Z"

charts/dex/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: dex
 description: A Helm chart for Dex - OpenID Connect Identity (OIDC) and OAuth 2.0 Provider with Pluggable Connectors
 type: application
-version: 0.1.4
+version: 0.1.5
 appVersion: "2.42.0"
 maintainers:
   - name: wiemaouadi
@@ -13,7 +13,7 @@ maintainers:
     url: https://github.com/smileisak
 dependencies:
   - name: dex
-    version: 0.23.0
+    version: 0.24.0
     repository: https://charts.dexidp.io
     alias: dex
   - name: gcp-workload-identity

charts/dex/README.md

@@ -1,6 +1,6 @@
 # dex
 
-![Version: 0.1.4](https://img.shields.io/badge/Version-0.1.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2.42.0](https://img.shields.io/badge/AppVersion-2.42.0-informational?style=flat-square)
+![Version: 0.1.5](https://img.shields.io/badge/Version-0.1.5-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2.42.0](https://img.shields.io/badge/AppVersion-2.42.0-informational?style=flat-square)
 
 ## Prerequisites
 
@@ -11,7 +11,7 @@
 
 | Repository | Name | Version |
 |------------|------|---------|
-| https://charts.dexidp.io | dex(dex) | 0.23.0 |
+| https://charts.dexidp.io | dex(dex) | 0.24.0 |
 | https://edixos.github.io/ekp-helm | iamPolicyMembers(gcp-iam-policy-members) | 0.1.2 |
 | https://edixos.github.io/ekp-helm | workloadIdentity(gcp-workload-identity) | 0.1.1 |
 
@@ -41,10 +41,11 @@ A Helm chart for Dex - OpenID Connect Identity (OIDC) and OAuth 2.0 Provider wit
 | dex.env | object | `{}` | Additional environment variables passed directly to containers. See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#environment-variables) for details. |
 | dex.envFrom | list | `[]` | Additional environment variables mounted from [secrets](https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-environment-variables) or [config maps](https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/#configure-all-key-value-pairs-in-a-configmap-as-container-environment-variables). See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#environment-variables) for details. |
 | dex.envVars | list | `[]` | Similar to env but with support for all possible configurations. See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#environment-variables) for details. |
-| dex.fullnameOverride | string | `"test"` | A name to substitute for the full names of resources. |
+| dex.fullnameOverride | string | `""` | A name to substitute for the full names of resources. |
 | dex.grpc.enabled | bool | `false` | Enable the gRPC endpoint. Read more in the [documentation](https://dexidp.io/docs/api/). |
 | dex.hostAliases | list | `[]` | A list of hosts and IPs that will be injected into the pod's hosts file if specified. See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#hostname-and-name-resolution) |
 | dex.https.enabled | bool | `false` | Enable the HTTPS endpoint. |
+| dex.image.digest | string | `""` | When digest is set to a non-empty value, images will be pulled by digest (regardless of tag value). |
 | dex.image.pullPolicy | string | `"IfNotPresent"` | [Image pull policy](https://kubernetes.io/docs/concepts/containers/images/#updating-images) for updating already existing images on a node. |
 | dex.image.repository | string | `"ghcr.io/dexidp/dex"` | Name of the image repository to pull the container image from. |
 | dex.image.tag | string | `""` | Image tag override for the default value (chart appVersion). |
@@ -145,7 +146,7 @@ spec:
 
   source:
     repoURL: "https://edixos.github.io/ekp-helm"
-    targetRevision: "0.1.4"
+    targetRevision: "0.1.5"
     chart: dex
     path: ''