Tracked apps
scripts/apps.yaml is the single source of truth for every upstream component we auto-update in this cluster. check-updates.py reads it to report outdated apps; do-updates.py reads it to apply the safe bumps. This page renders the current contents of that file.
This table is stale the moment it's committed
The versions below reflect what was in scripts/apps.yaml at doc-build time. For live status, run:
python3 scripts/check-updates.py
How an entry works
Each app has a type that decides how it's checked and updated:
| Type | Meaning |
|---|---|
| helm | Helm chart. check-updates.py fetches the chart repo's index.yaml; do-updates.py bumps targetRevision in the Application manifest. |
| kustomize_manifest | Raw manifest(s) downloaded from a GitHub release. do-updates.py downloads the new file to a versioned directory and rewrites kustomization.yaml to point at it. |
| image_tag | A single image tag in an Application manifest. do-updates.py rewrites the tag string. |
| manual | Requires human work — do-updates.py prints instructions but doesn't apply. |
Flags you'll see in the Notes column:
- skip_major: true — major version bumps are skipped by do-updates.py (run the major bump as a deliberate human commit).
- disabled: true — the app is commented out in the cluster and not currently tracked.
- extra_replacements — a secondary string elsewhere in the manifest needs rewriting too (e.g., a git tag for CRD sources).
- tag_pattern — when a repo publishes both release tags and chart tags, this regex keeps us on the release tags.
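How tag_pattern and skip_major change which tag an updater would pick, as an added example (not the code in check-updates.py or do-updates.py). The function names, the lenient version parser, and the tag lists are assumptions made for illustration; only the `^v\d+\.\d+` pattern and the two flag names come from this page.

```python
import re

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)$")  # lenient: any prefix allowed

def parse_version(tag):
    """Return (major, minor, patch), or None for tags with a suffix like -rc1."""
    m = VERSION_RE.search(tag)
    return tuple(int(g) for g in m.groups()) if m else None

def pick_update(current, tags, tag_pattern=None, skip_major=False):
    """Return (safe_tag, held_back_major_tag); either may be None."""
    cur = parse_version(current)
    if cur is None:
        raise ValueError(f"unparsable current version: {current!r}")
    pattern = re.compile(tag_pattern) if tag_pattern else None
    safe = held = None
    for tag in tags:
        if pattern and not pattern.search(tag):
            continue  # not a release tag (e.g. a chart-v* tag)
        ver = parse_version(tag)
        if ver is None or ver <= cur:
            continue  # pre-release, unparsable, or not newer
        if skip_major and ver[0] != cur[0]:
            if held is None or ver > held[0]:
                held = (ver, tag)  # report it, never apply it
        elif safe is None or ver > safe[0]:
            safe = (ver, tag)
    return (safe[1] if safe else None, held[1] if held else None)

# Constructed tag lists for illustration, not real upstream release data.
RELOADER_TAGS = ["v1.4.12", "v1.4.13", "chart-v2.2.8", "v1.4.14", "v1.5.0-rc1"]
PGO_TAGS = ["v5.7.2", "v5.8.0", "v6.0.0"]

if __name__ == "__main__":
    # Without tag_pattern the chart tag wins because its number is higher.
    print(pick_update("1.4.13", RELOADER_TAGS))
    # With the pattern from the reloader entry, only release tags compete.
    print(pick_update("1.4.13", RELOADER_TAGS, tag_pattern=r"^v\d+\.\d+"))
    # skip_major holds the 6.x tag back and applies the 5.x bump.
    print(pick_update("5.7.2", PGO_TAGS, skip_major=True))
```

The first call shows the failure mode tag_pattern prevents: a chart tag with a higher number would be written into the manifest as if it were an application release.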
Helm charts
| App | Chart repo | Current | Notes |
|---|---|---|---|
| sealed-secrets | bitnami-labs.github.io/sealed-secrets | 2.18.3 | |
| loki-stack | grafana.github.io/helm-charts | 2.10.3 | |
| longhorn | charts.longhorn.io | 1.11.0 | |
| mariadb-operator | helm.mariadb.com/mariadb-operator | 25.10.4 | |
| cert-manager | charts.jetstack.io | 1.19.4 | |
| traefik | traefik.github.io/charts | 39.0.2 | |
| kube-prometheus-stack | prometheus-community.github.io/helm-charts | 82.4.2 | extra_replacements — CRD source uses matching git tag kube-prometheus-stack-{version} |
| kyverno | kyverno.github.io/kyverno | 3.7.1 | |
| redis-operator | ot-container-kit.github.io/helm-charts | 0.24.0 | |
| remove-empty-ns-operator | rgeraskin.github.io/remove-empty-ns-operator | 1.1.0 | |
| hcloud-cloud-controller-manager | charts.hetzner.cloud | 1.30.1 | Listed as app-kube-system.yaml (bundles HCCM) |
| descheduler | kubernetes-sigs.github.io/descheduler | 0.31.0 | Must match K8s minor version (0.31.x ↔ K8s 1.31) |
| keda | kedacore.github.io/charts | 2.18.3 | CRDs need ServerSideApply=true (exceed annotation size) |
Kustomize manifests
| App | Source (GitHub) | Current | Notes |
|---|---|---|---|
| argocd | argoproj/argo-cd | 3.3.2 | Uses HA manifest (manifests/ha/install.yaml). ArgoCD app itself requires ServerSideApply=true |
| argocd-image-updater | argoproj-labs/argocd-image-updater | 0.12.2 | disabled: true — currently commented out in argocd/kustomization.yaml. Re-enable before bumping |
| reloader | stakater/Reloader | 1.4.13 | tag_pattern: ^v\d+\.\d+ to exclude chart-v* tags |
| kured | kubereboot/kured | 1.21.0 | Asset renamed from *-dockerhub.yaml to *-combined.yaml at 1.21.0 |
| keycloak-operator | keycloak/keycloak | 26.0.7 | type: manual — manifests are Quarkus-generated; extract via docker run --entrypoint cat quay.io/keycloak/keycloak-operator:<version> per the notes in apps.yaml |
| postgres-operator | CrunchyData/postgres-operator | 5.7.2 | skip_major: true — 5.x → 6.x has breaking CRD/API changes; do majors by hand |
| rabbitmq-cluster-operator | rabbitmq/cluster-operator | 2.19.1 | |
| local-path-provisioner | rancher/local-path-provisioner | 0.0.34 | Used by MariaDB + MaxScale pods on DB nodes for NVMe-local storage |
Image tags
| App | GitHub repo | Current | Notes |
|---|---|---|---|
| cloudflared | cloudflare/cloudflared | 2026.2.0 | Image tag bump only — cloudflare/cloudflared:<version>-amd64 |
How to add a new app
- Pick the closest existing entry as a template and copy its shape in scripts/apps.yaml.
- Fill in name, type, current, and the type-specific fields (helm_repo/helm_chart, or github_repo/install_files/kustomization, or app_yaml/image_old/image_new).
- Add skip_major: true if the project typically has breaking major bumps.
- Run python3 scripts/check-updates.py to verify the new entry resolves a latest version correctly.
- Commit scripts/apps.yaml plus any initial Application manifest.
The worked patterns in the file itself are the best reference — pick an existing entry of the same type and mirror it.
Future enhancement
This page is hand-maintained right now, but it wants to be auto-generated at build time from scripts/apps.yaml, the same way docs/tenants/ is generated from the client manifests via scripts/generate-client-docs.py. A small Python script that renders the tables above (and linked Application manifest paths) would remove the staleness problem entirely. For now, treat scripts/apps.yaml as authoritative and this page as a convenience view.
Further reading
- Deploy an update — how the auto-update scripts plug into the commit flow
- Scripts — check-updates.py and do-updates.py reference
- scripts/apps.yaml — the actual source of truth