chore(deps): update helm charts

[Varashi]

This PR contains the following updates:

Package	Update	Change
authentik (source)	minor	2026.2.3 → 2026.5.0
descheduler	minor	0.35.x → 0.36.x
fluent-bit (source)	patch	0.57.5 → 0.57.6
fluxcd/flux2	patch	v2.8.7 → v2.8.8
ghcr.io/controlplaneio-fluxcd/charts/flux-instance (source)	minor	0.49.0 → 0.50.0
ghcr.io/controlplaneio-fluxcd/charts/flux-operator (source)	minor	0.49.0 → 0.50.0
ghcr.io/home-operations/charts/tuppr	patch	0.1.35 → 0.1.36
ghcr.io/home-operations/gatus-sidecar	patch	0.0.14 → 0.0.18
ghcr.io/spegel-org/helm-charts/spegel	patch	0.7.0 → 0.7.1
netbox (source)	minor	8.2.* → 8.3.*

---

Release Notes

goauthentik/helm (authentik)

v2026.5.0

Compare Source

authentik is an open-source Identity Provider focused on flexibility and versatility

See https://docs.goauthentik.io/releases/2026.5/

What's Changed

• charts/authentik: bump postgresql subchart from 16.7.27 to 18.6.5 by @​renovate[bot] in #​410
• charts/authentik: remove hardcoded AUTHENTIK_LISTEN variables by @​rissson in #​468
• charts/authentik: update docker.io/library/postgres Docker tag to v17.10 by @​renovate[bot] in #​470
• charts/authentik: bump postgresql subchart to v18.6.7 by @​renovate[bot] in #​469
• charts/authentik: bump to 2026.5.0 by @​authentik-automation[bot] in #​471

Full Changelog: goauthentik/helm@authentik-2026.2.3...authentik-2026.5.0

kubernetes-sigs/descheduler (descheduler)

v0.36.0: Descheduler v0.36.0

Compare Source

What's Changed

• fix(ci): pin helm-unittest plugin version and bump chart-testing-action by @​a7i in #​1834
• Update helm RBAC to account for pvc failure on 0.35.0 by @​cayla in #​1836
• Add init containers support to Helm chart by @​kamleshjoshi8102 in #​1826
• Change icon URL in Chart.yaml by @​a7i in #​1838
• fix: resolve detected data races by @​ingvagabund in #​1842
• fix(ci): upgrade codeql-action to v4 and clean up security workflow by @​a7i in #​1847
• update golang semconv dependencies by @​sammedsingalkar09 in #​1848
• Extend PodLifeTime with condition, exit code, owner kind, and transition time filters by @​a7i in #​1844
• security: Update trivy-action to use sha for v0.35.0 by @​Priyankasaggu11929 in #​1854
• security: upgrade grpc and otel sdk dependencies by @​sammedsingalkar09 in #​1859
• evictions: fix missing observability for background evictions by @​tiraboschi in #​1856
• fix(descheduler): reset prometheus usage client at each extension point by @​tiraboschi in #​1862
• fix(.github/workflows/manifests.yaml): pin actions to a sha by @​ingvagabund in #​1868
• cloudbuild: pin gcb-docker-gcloud image by digest by @​Paramesh324 in #​1871
• chart: allow overriding ServiceMonitor apiVersion by @​a7i in #​1837
• ci: pin GitHub Actions to immutable SHAs by @​a7i in #​1875
• evictions: fix assumePod silently dropping success metric on informer race by @​tiraboschi in #​1873
• chore(defaultevictor): add MatchExpressions compatibility to the namespaceselector by @​Fankhauserli in #​1853
• fix(test/setupTestSandbox): wait until initial objects are propagated to informers by @​ingvagabund in #​1878
• [v0.36.0] release prep: bump k8s/go deps, manifests, docs, and CI matrix by @​a7i in #​1874

New Contributors

• @​kamleshjoshi8102 made their first contribution in #​1826
• @​Priyankasaggu11929 made their first contribution in #​1854
• @​Paramesh324 made their first contribution in #​1871
• @​Fankhauserli made their first contribution in #​1853

Full Changelog: kubernetes-sigs/descheduler@v0.35.0...v0.36.0

fluent/helm-charts (fluent-bit)

v0.57.6

Compare Source

Changed

• Update Fluent Bit OCI image to v5.0.6. (#​724) @​stevehipwell

fluxcd/flux2 (fluxcd/flux2)

v2.8.8

Compare Source

Highlights

Flux v2.8.8 is a patch release that includes CVE fixes via go-git v5.19.1 (source-controller, image-automation-controller), reliability fixes in helm-controller and source-controller, the move of Helm back to upstream v4.2.0, support for GCP sovereign cloud artifact registries, and dependency updates. Users are encouraged to upgrade for the best experience.

ℹ️ Please follow the Upgrade Procedure for Flux v2.7+ for a smooth upgrade from Flux v2.6 to the latest version.

Fixes:

• Add a configurable HTTP timeout for artifact fetching, preventing fetches that could block indefinitely and stall reconciliations (helm-controller)
• Fix unbounded memory growth caused by a Kubernetes client transport retry wrapper accumulating on every reconcile (helm-controller)
• Stop force-applying non-CRD objects placed under a chart's crds/ directory (helm-controller)
• Fix the Helm test action failing to find releases with names longer than 53 characters (helm-controller)
• Improve path handling in the source reconcilers (source-controller)
• Support Helm semver build-metadata encoding in OCIRepository tags (source-controller)

Improvements:

• Update go-git to v5.19.1 which fixes CVE-2026-45571 and CVE-2026-45570 (source-controller, image-automation-controller)
• Move Helm back to upstream v4.2.0 (source-controller, helm-controller)
• Add support for GCP sovereign cloud artifact registries (source-controller, image-reflector-controller)
• Upgrade Kubernetes to 1.36.1 (source-controller, helm-controller)
• Update fluxcd/pkg dependencies

Components changelog

• helm-controller v1.5.5
• image-automation-controller v1.1.4
• image-reflector-controller v1.1.2
• source-controller v1.8.5

CLI changelog

• Update toolkit components by @​fluxcdbot in #​5904

Full Changelog: fluxcd/flux2@v2.8.7...v2.8.8

controlplaneio-fluxcd/flux-operator (ghcr.io/controlplaneio-fluxcd/charts/flux-instance)

v0.50.0

Compare Source

What's Changed

• olm: Extend compatibility to OpenShift v4.21 by @​wombat in #​861
• web: set npm min release age to 2 weeks by @​stefanprodan in #​869
• ci: release pipeline hardening by @​stefanprodan in #​870
• operator: change OLM base image to ubi8-micro by @​matheuscscp in #​864
• build(deps): bump the actions group across 1 directory with 3 updates by @​dependabot[bot] in #​872
• Upgrade dependencies by @​matheuscscp in #​873
• build(deps): bump the cli-tools group in /cmd/cli with 2 updates by @​dependabot[bot] in #​866
• Release v0.50.0 by @​matheuscscp in #​874

Full Changelog: controlplaneio-fluxcd/flux-operator@v0.49.0...v0.50.0

home-operations/tuppr (ghcr.io/home-operations/charts/tuppr)

v0.1.36

Compare Source

Bug Fixes

• deps: update module github.com/cosi-project/runtime (v1.16.0 → v1.16.1) (#​291) (c41028e)
• deps: update module github.com/google/go-containerregistry (v0.21.5 → v0.21.6) (#​289) (be6e624)
• mise: update tool aqua:evilmartians/lefthook (2.1.6 → 2.1.7) (e448987)
• mise: update tool aqua:evilmartians/lefthook (2.1.7 → 2.1.8) (35a344f)

Miscellaneous Chores

• add mise lockfile and update hooks (21b77d3)
• consolidation and standardization (75f9603)
• drop strict lockfile mode to unblock Renovate (82db2c9)
• enable strict lockfile mode (cc5c04d)
• extend lefthook from .github and split editorconfig (e6bab2f)
• ignore devcontainers in release-please config (c2621e0)
• ignore mise and github deps in release please (1ad4553)
• ignore self config in release-please config (e11cfb6)
• migrate from makefile to mise (#​290) (29fac8d)
• more standardizing (ca2fd84)
• remove agent / claude file (c3252e8)
• shorten mise tool names and pin to semver (94cbeae)

home-operations/gatus-sidecar (ghcr.io/home-operations/gatus-sidecar)

v0.0.18

Compare Source

Code Refactoring

• tighten hot paths and tidy tests (#​67) (7916c12)

v0.0.17

Compare Source

Features

• per-resource path: directive and --probe-paths flag (#​65) (02f2e31)

v0.0.16

Compare Source

Features

• rewrite, path-aware URLs, name prefixes, multi-value filters (#​62) (8373935)

v0.0.15

Compare Source

Bug Fixes

• deps: update kubernetes monorepo (v0.36.0 → v0.36.1) (#​60) (a6479d3)

Miscellaneous Chores

• add mise lockfile and update hooks (ce2675d)
• add mise, release-please, fix lints (cc51d07)
• consolidation and standardization (8462956)
• extend lefthook from .github and split editorconfig (068665e)
• more standardizing (b1ecb7b)

netbox-community/netbox-chart (netbox)

v8.3.0

Compare Source

IP address management (IPAM) and data center infrastructure management (DCIM) tool

What's Changed

• chore(deps): update valkey docker tag to v6 by @​renovate[bot] in #​1218

Full Changelog: netbox-community/netbox-chart@netbox-operator-1.2.80...netbox-8.3.0

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate.

Summary by CodeRabbit

• Chores
  • Updated Flux system components to v2.8.8 with improved source and helm controller versions.
  • Bumped multiple platform component charts: Authentik, descheduler, spegel, fluent-bit, tuppr, NetBox, gatus sidecar, and flux instance/operator configurations to latest versions.

[github-actions]

kustomization diff:

--- cluster-talos/kubernetes/infrastructure/platform/descheduler/app Kustomization: flux-system/descheduler HelmRelease: kube-system/descheduler

+++ cluster-talos/kubernetes/infrastructure/platform/descheduler/app Kustomization: flux-system/descheduler HelmRelease: kube-system/descheduler

@@ -13,13 +13,13 @@

       chart: descheduler
       interval: 1h
       sourceRef:
         kind: HelmRepository
         name: descheduler
         namespace: flux-system
-      version: 0.35.x
+      version: 0.36.x
   install:
     remediation:
       retries: 3
   interval: 1h
   upgrade:
     remediation:
--- cluster-talos/kubernetes/infrastructure/flux-system/flux-operator/app Kustomization: flux-system/flux-operator OCIRepository: flux-system/flux-operator

+++ cluster-talos/kubernetes/infrastructure/flux-system/flux-operator/app Kustomization: flux-system/flux-operator OCIRepository: flux-system/flux-operator

@@ -7,9 +7,9 @@

     kustomize.toolkit.fluxcd.io/namespace: flux-system
   name: flux-operator
   namespace: flux-system
 spec:
   interval: 1h
   ref:
-    tag: 0.49.0
+    tag: 0.50.0
   url: oci://ghcr.io/controlplaneio-fluxcd/charts/flux-operator
 
--- cluster-talos/kubernetes/bootstrap Kustomization: flux-system/flux-system Deployment: flux-system/source-controller

+++ cluster-talos/kubernetes/bootstrap Kustomization: flux-system/flux-system Deployment: flux-system/source-controller

@@ -47,13 +47,13 @@

           value: /tmp/.sigstore
         - name: GOMEMLIMIT
           valueFrom:
             resourceFieldRef:
               containerName: manager
               resource: limits.memory
-        image: ghcr.io/fluxcd/source-controller:v1.8.4
+        image: ghcr.io/fluxcd/source-controller:v1.8.5
         imagePullPolicy: IfNotPresent
         livenessProbe:
           httpGet:
             path: /healthz
             port: healthz
         name: manager
--- cluster-talos/kubernetes/bootstrap Kustomization: flux-system/flux-system Deployment: flux-system/helm-controller

+++ cluster-talos/kubernetes/bootstrap Kustomization: flux-system/flux-system Deployment: flux-system/helm-controller

@@ -41,13 +41,13 @@

               fieldPath: metadata.namespace
         - name: GOMEMLIMIT
           valueFrom:
             resourceFieldRef:
               containerName: manager
               resource: limits.memory
-        image: ghcr.io/fluxcd/helm-controller:v1.5.4
+        image: ghcr.io/fluxcd/helm-controller:v1.5.5
         imagePullPolicy: IfNotPresent
         livenessProbe:
           httpGet:
             path: /healthz
             port: healthz
         name: manager
--- cluster-talos/kubernetes/infrastructure/platform/spegel/app Kustomization: flux-system/spegel OCIRepository: spegel/spegel

+++ cluster-talos/kubernetes/infrastructure/platform/spegel/app Kustomization: flux-system/spegel OCIRepository: spegel/spegel

@@ -7,9 +7,9 @@

     kustomize.toolkit.fluxcd.io/namespace: flux-system
   name: spegel
   namespace: spegel
 spec:
   interval: 1h
   ref:
-    tag: 0.7.0
+    tag: 0.7.1
   url: oci://ghcr.io/spegel-org/helm-charts/spegel
 
--- cluster-talos/kubernetes/infrastructure/platform/tuppr/app Kustomization: flux-system/tuppr OCIRepository: system-upgrade/tuppr

+++ cluster-talos/kubernetes/infrastructure/platform/tuppr/app Kustomization: flux-system/tuppr OCIRepository: system-upgrade/tuppr

@@ -10,9 +10,9 @@

 spec:
   interval: 1h
   layerSelector:
     mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip
     operation: copy
   ref:
-    tag: 0.1.35
+    tag: 0.1.36
   url: oci://ghcr.io/home-operations/charts/tuppr
 
--- cluster-talos/kubernetes/infrastructure/flux-system/flux-instance/app Kustomization: flux-system/flux-instance OCIRepository: flux-system/flux-instance

+++ cluster-talos/kubernetes/infrastructure/flux-system/flux-instance/app Kustomization: flux-system/flux-instance OCIRepository: flux-system/flux-instance

@@ -7,9 +7,9 @@

     kustomize.toolkit.fluxcd.io/namespace: flux-system
   name: flux-instance
   namespace: flux-system
 spec:
   interval: 1h
   ref:
-    tag: 0.49.0
+    tag: 0.50.0
   url: oci://ghcr.io/controlplaneio-fluxcd/charts/flux-instance
 
--- cluster-talos/kubernetes/apps/tools/gatus/app Kustomization: flux-system/gatus HelmRelease: gatus/gatus

+++ cluster-talos/kubernetes/apps/tools/gatus/app Kustomization: flux-system/gatus HelmRelease: gatus/gatus

@@ -121,13 +121,13 @@

           gatus-sidecar:
             args:
             - --enable-httproute
             - --gateway-name=main
             image:
               repository: ghcr.io/home-operations/gatus-sidecar
-              tag: 0.0.14
+              tag: 0.0.18
             resources:
               limits:
                 memory: 64Mi
               requests:
                 cpu: 10m
             restartPolicy: Always
--- cluster-talos/kubernetes/infrastructure/platform/authentik/app Kustomization: flux-system/authentik HelmRelease: authentik/authentik

+++ cluster-talos/kubernetes/infrastructure/platform/authentik/app Kustomization: flux-system/authentik HelmRelease: authentik/authentik

@@ -12,13 +12,13 @@

     spec:
       chart: authentik
       sourceRef:
         kind: HelmRepository
         name: authentik
         namespace: flux-system
-      version: 2026.2.3
+      version: 2026.5.0
   install:
     remediation:
       retries: 3
   interval: 30m
   maxHistory: 2
   upgrade:
--- cluster-talos/kubernetes/apps/tools/netbox/app Kustomization: flux-system/netbox HelmRelease: netbox/netbox

+++ cluster-talos/kubernetes/apps/tools/netbox/app Kustomization: flux-system/netbox HelmRelease: netbox/netbox

@@ -13,13 +13,13 @@

       chart: netbox
       interval: 30m
       sourceRef:
         kind: HelmRepository
         name: netbox
         namespace: flux-system
-      version: 8.2.*
+      version: 8.3.*
   install:
     remediation:
       retries: 3
     timeout: 30m
   interval: 30m
   upgrade:
--- cluster-talos/kubernetes/infrastructure/platform/tanzu-system-logging/app Kustomization: flux-system/tanzu-system-logging HelmRelease: tanzu-system-logging/fluent-bit

+++ cluster-talos/kubernetes/infrastructure/platform/tanzu-system-logging/app Kustomization: flux-system/tanzu-system-logging HelmRelease: tanzu-system-logging/fluent-bit

@@ -12,13 +12,13 @@

     spec:
       chart: fluent-bit
       sourceRef:
         kind: HelmRepository
         name: fluent
         namespace: flux-system
-      version: 0.57.5
+      version: 0.57.6
   install:
     remediation:
       retries: 3
   interval: 30m
   upgrade:
     cleanupOnFail: true

[github-actions]

helmrelease diff:

--- HelmRelease: kube-system/descheduler CronJob: kube-system/descheduler

+++ HelmRelease: kube-system/descheduler CronJob: kube-system/descheduler

@@ -14,13 +14,13 @@

   jobTemplate:
     spec:
       template:
         metadata:
           name: descheduler
           annotations:
-            checksum/config: 06949c487cb1f7034d670f32457845bde01aff000953da5e9c7c0a767c62fc56
+            checksum/config: e708aa3946e6d5ad50737dc7ff199955e96349890183b5310ce114041cc53547
           labels:
             app.kubernetes.io/name: descheduler
             app.kubernetes.io/instance: descheduler
         spec:
           tolerations:
           - effect: NoSchedule
@@ -32,13 +32,13 @@

             value: 'true'
           priorityClassName: system-cluster-critical
           serviceAccountName: descheduler
           restartPolicy: Never
           containers:
           - name: descheduler
-            image: registry.k8s.io/descheduler/descheduler:v0.35.1
+            image: registry.k8s.io/descheduler/descheduler:v0.36.0
             imagePullPolicy: IfNotPresent
             command:
             - /bin/descheduler
             args:
             - --policy-config-file=/policy-dir/policy.yaml
             - --v=3
--- HelmRelease: tanzu-system-logging/fluent-bit DaemonSet: tanzu-system-logging/fluent-bit

+++ HelmRelease: tanzu-system-logging/fluent-bit DaemonSet: tanzu-system-logging/fluent-bit

@@ -21,13 +21,13 @@

     spec:
       serviceAccountName: fluent-bit
       hostNetwork: false
       dnsPolicy: ClusterFirst
       containers:
       - name: fluent-bit
-        image: cr.fluentbit.io/fluent/fluent-bit:5.0.5
+        image: cr.fluentbit.io/fluent/fluent-bit:5.0.6
         imagePullPolicy: IfNotPresent
         command:
         - /fluent-bit/bin/fluent-bit
         args:
         - --workdir=/fluent-bit/etc
         - --config=/fluent-bit/etc/conf/fluent-bit.conf
--- HelmRelease: authentik/authentik Deployment: authentik/authentik-server

+++ HelmRelease: authentik/authentik Deployment: authentik/authentik-server

@@ -24,28 +24,22 @@

         app.kubernetes.io/name: authentik
         app.kubernetes.io/instance: authentik
         app.kubernetes.io/component: server
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/part-of: authentik
       annotations:
-        checksum/secret: 9ef9ea8da7260610cc5f31195be7ada2f3b43259481edba21d9c45124db617ec
+        checksum/secret: d7a01bf7431db4170810ec549b2681b3cadd702018ea94cdb4ef9a0186d11203
     spec:
       terminationGracePeriodSeconds: 30
       containers:
       - name: server
-        image: ghcr.io/goauthentik/server:2026.2.3
+        image: ghcr.io/goauthentik/server:2026.5.0
         imagePullPolicy: IfNotPresent
         args:
         - server
-        env:
-        - name: AUTHENTIK_LISTEN__HTTP
-          value: 0.0.0.0:9000
-        - name: AUTHENTIK_LISTEN__HTTPS
-          value: 0.0.0.0:9443
-        - name: AUTHENTIK_LISTEN__METRICS
-          value: 0.0.0.0:9300
+        env: null
         envFrom:
         - secretRef:
             name: authentik
         - secretRef:
             name: authentik-extra-env
         volumeMounts:
--- HelmRelease: authentik/authentik Deployment: authentik/authentik-worker

+++ HelmRelease: authentik/authentik Deployment: authentik/authentik-worker

@@ -24,27 +24,23 @@

         app.kubernetes.io/name: authentik
         app.kubernetes.io/instance: authentik
         app.kubernetes.io/component: worker
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/part-of: authentik
       annotations:
-        checksum/secret: 9ef9ea8da7260610cc5f31195be7ada2f3b43259481edba21d9c45124db617ec
+        checksum/secret: d7a01bf7431db4170810ec549b2681b3cadd702018ea94cdb4ef9a0186d11203
     spec:
       serviceAccountName: authentik
       terminationGracePeriodSeconds: 30
       containers:
       - name: worker
-        image: ghcr.io/goauthentik/server:2026.2.3
+        image: ghcr.io/goauthentik/server:2026.5.0
         imagePullPolicy: IfNotPresent
         args:
         - worker
-        env:
-        - name: AUTHENTIK_LISTEN__HTTP
-          value: 0.0.0.0:9000
-        - name: AUTHENTIK_LISTEN__METRICS
-          value: 0.0.0.0:9300
+        env: null
         envFrom:
         - secretRef:
             name: authentik
         - secretRef:
             name: authentik-extra-env
         ports:
--- HelmRelease: gatus/gatus Deployment: gatus/gatus

+++ HelmRelease: gatus/gatus Deployment: gatus/gatus

@@ -48,13 +48,13 @@

               - key: intel.feature.node.kubernetes.io/gpu
                 operator: DoesNotExist
       initContainers:
       - args:
         - --enable-httproute
         - --gateway-name=main
-        image: ghcr.io/home-operations/gatus-sidecar:0.0.14
+        image: ghcr.io/home-operations/gatus-sidecar:0.0.18
         name: gatus-sidecar
         resources:
           limits:
             memory: 64Mi
           requests:
             cpu: 10m
--- HelmRelease: spegel/spegel DaemonSet: spegel/spegel

+++ HelmRelease: spegel/spegel DaemonSet: spegel/spegel

@@ -26,13 +26,13 @@

     spec:
       serviceAccountName: spegel
       securityContext: {}
       priorityClassName: system-node-critical
       initContainers:
       - name: configuration
-        image: ghcr.io/spegel-org/spegel@sha256:1109b33fabac86809b06f831eef7359b12232f5708554aef39efd036dce40748
+        image: ghcr.io/spegel-org/spegel@sha256:bfb81b01f3cb0512044f7af2f8dd4aae9163ca36a35253a2d91c30c1b5dcf626
         imagePullPolicy: IfNotPresent
         securityContext:
           readOnlyRootFilesystem: true
         args:
         - configuration
         - --log-level=INFO
@@ -55,13 +55,13 @@

             memory: 50Mi
         volumeMounts:
         - name: containerd-config
           mountPath: /etc/cri/conf.d/hosts
       containers:
       - name: registry
-        image: ghcr.io/spegel-org/spegel@sha256:1109b33fabac86809b06f831eef7359b12232f5708554aef39efd036dce40748
+        image: ghcr.io/spegel-org/spegel@sha256:bfb81b01f3cb0512044f7af2f8dd4aae9163ca36a35253a2d91c30c1b5dcf626
         imagePullPolicy: IfNotPresent
         securityContext:
           readOnlyRootFilesystem: true
         args:
         - registry
         - --log-level=INFO
--- HelmRelease: spegel/spegel DaemonSet: spegel/spegel-cleanup

+++ HelmRelease: spegel/spegel DaemonSet: spegel/spegel-cleanup

@@ -27,13 +27,13 @@

         app.kubernetes.io/instance: spegel
     spec:
       securityContext: {}
       priorityClassName: system-node-critical
       containers:
       - name: cleanup
-        image: ghcr.io/spegel-org/spegel@sha256:1109b33fabac86809b06f831eef7359b12232f5708554aef39efd036dce40748
+        image: ghcr.io/spegel-org/spegel@sha256:bfb81b01f3cb0512044f7af2f8dd4aae9163ca36a35253a2d91c30c1b5dcf626
         imagePullPolicy: IfNotPresent
         args:
         - cleanup
         - --containerd-registry-config-path=/etc/cri/conf.d/hosts
         - --addr=:8080
         readinessProbe:
--- HelmRelease: spegel/spegel Pod: spegel/spegel-cleanup-wait

+++ HelmRelease: spegel/spegel Pod: spegel/spegel-cleanup-wait

@@ -13,13 +13,13 @@

     helm.sh/hook: post-delete
     helm.sh/hook-delete-policy: before-hook-creation, hook-succeeded
     helm.sh/hook-weight: '1'
 spec:
   containers:
   - name: cleanup-wait
-    image: ghcr.io/spegel-org/spegel@sha256:1109b33fabac86809b06f831eef7359b12232f5708554aef39efd036dce40748
+    image: ghcr.io/spegel-org/spegel@sha256:bfb81b01f3cb0512044f7af2f8dd4aae9163ca36a35253a2d91c30c1b5dcf626
     imagePullPolicy: IfNotPresent
     args:
     - cleanup-wait
     - --probe-endpoint=spegel-cleanup.spegel.svc.cluster.local.:8080
   restartPolicy: Never
   terminationGracePeriodSeconds: 0
--- HelmRelease: system-upgrade/tuppr Deployment: system-upgrade/tuppr

+++ HelmRelease: system-upgrade/tuppr Deployment: system-upgrade/tuppr

@@ -35,13 +35,13 @@

           capabilities:
             drop:
             - ALL
           readOnlyRootFilesystem: true
           runAsNonRoot: true
           runAsUser: 65532
-        image: ghcr.io/home-operations/tuppr:0.1.35
+        image: ghcr.io/home-operations/tuppr:0.1.36
         imagePullPolicy: IfNotPresent
         command:
         - /manager
         args:
         - --log-level=debug
         - --leader-elect=true
--- HelmRelease: netbox/netbox CronJob: netbox/netbox-housekeeping

+++ HelmRelease: netbox/netbox CronJob: netbox/netbox-housekeeping

@@ -16,25 +16,25 @@

   successfulJobsHistoryLimit: 5
   suspend: false
   jobTemplate:
     metadata:
       labels:
         app.kubernetes.io/name: netbox
-        helm.sh/chart: netbox-8.2.19
+        helm.sh/chart: netbox-8.3.0
         app.kubernetes.io/instance: netbox
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/version: v4.6.1
     spec:
       template:
         metadata:
           labels:
             app.kubernetes.io/instance: netbox
             app.kubernetes.io/managed-by: Helm
             app.kubernetes.io/name: netbox
             app.kubernetes.io/version: v4.6.1
-            helm.sh/chart: netbox-8.2.19
+            helm.sh/chart: netbox-8.3.0
             app.kubernetes.io/component: housekeeping
         spec:
           serviceAccountName: netbox
           automountServiceAccountToken: false
           securityContext:
             fsGroup: 1000
--- HelmRelease: flux-system/flux-operator Deployment: flux-system/flux-operator

+++ HelmRelease: flux-system/flux-operator Deployment: flux-system/flux-operator

@@ -44,13 +44,13 @@

             drop:
             - ALL
           readOnlyRootFilesystem: true
           runAsNonRoot: true
           seccompProfile:
             type: RuntimeDefault
-        image: ghcr.io/controlplaneio-fluxcd/flux-operator:v0.49.0
+        image: ghcr.io/controlplaneio-fluxcd/flux-operator:v0.50.0
         imagePullPolicy: IfNotPresent
         ports:
         - name: http-metrics
           containerPort: 8080
           protocol: TCP
         - name: http

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 4a11c2ec-4b14-4667-99ae-00bf05a95fc6

📥 Commits

Reviewing files that changed from the base of the PR and between 0406737 and 34bb6a3.

📒 Files selected for processing (10)

• cluster-talos/kubernetes/apps/tools/gatus/app/helmrelease.yaml
• cluster-talos/kubernetes/apps/tools/netbox/app/helmrelease.yaml
• cluster-talos/kubernetes/bootstrap/flux-system/gotk-components.yaml
• cluster-talos/kubernetes/infrastructure/flux-system/flux-instance/app/ocirepository.yaml
• cluster-talos/kubernetes/infrastructure/flux-system/flux-operator/app/ocirepository.yaml
• cluster-talos/kubernetes/infrastructure/platform/authentik/app/helmrelease.yaml
• cluster-talos/kubernetes/infrastructure/platform/descheduler/app/helmrelease.yaml
• cluster-talos/kubernetes/infrastructure/platform/spegel/app/ocirepository.yaml
• cluster-talos/kubernetes/infrastructure/platform/tanzu-system-logging/app/helmrelease.yaml
• cluster-talos/kubernetes/infrastructure/platform/tuppr/app/ocirepository.yaml

---

📝 Walkthrough

Walkthrough

Flux bootstrap manifests upgraded from v2.8.7 → v2.8.8 with controller label/image updates; Flux OCIRepository tags bumped to 0.50.0; several application HelmRelease/OCIRepository chart and image tags incremented (gatus, netbox, authentik, descheduler, spegel, fluent-bit, tuppr).

Changes

Dependency Version Updates

Layer / File(s)	Summary
Flux bootstrap manifests and controllers cluster-talos/kubernetes/bootstrap/flux-system/gotk-components.yaml	Updated Flux bootstrap manifest and CRD/namespace/workload labels from v2.8.7 → v2.8.8; bumped controller workload image tags (source-controller v1.8.4→v1.8.5, helm-controller v1.5.4→v1.5.5) and updated notification-controller labels.
Flux OCIRepository references cluster-talos/kubernetes/infrastructure/flux-system/flux-instance/app/ocirepository.yaml, cluster-talos/kubernetes/infrastructure/flux-system/flux-operator/app/ocirepository.yaml	Bumped spec.ref.tag for flux-instance and flux-operator OCIRepositories from 0.49.0 → 0.50.0.
Application HelmReleases and OCI references cluster-talos/kubernetes/apps/tools/gatus/app/helmrelease.yaml, cluster-talos/kubernetes/apps/tools/netbox/app/helmrelease.yaml, cluster-talos/kubernetes/infrastructure/platform/authentik/app/helmrelease.yaml, cluster-talos/kubernetes/infrastructure/platform/descheduler/app/helmrelease.yaml, cluster-talos/kubernetes/infrastructure/platform/spegel/app/ocirepository.yaml, cluster-talos/kubernetes/infrastructure/platform/tanzu-system-logging/app/helmrelease.yaml, cluster-talos/kubernetes/infrastructure/platform/tuppr/app/ocirepository.yaml	Updated gatus sidecar initContainer image tag 0.0.14→0.0.18; NetBox chart constraint 8.2.*→8.3.*; authentik chart 2026.2.3→2026.5.0; descheduler chart 0.35.x→0.36.x; spegel OCIRepository 0.7.0→0.7.1; fluent-bit HelmRelease 0.57.5→0.57.6; tuppr OCIRepository 0.1.35→0.1.36.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 I hopped through YAML fields today,

bumped tags and labels on my way,
Flux and charts now hum in tune,
sidecars, charts — a tiny boon,
the cluster sleeps beneath the moon.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'chore(deps): update helm charts' accurately reflects the main change in the changeset - multiple Helm chart dependency updates across various applications and infrastructure components.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch renovate/helm-charts

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}