From ad351b3a76d6dc0d2aa08a5d95b27dffc70395df Mon Sep 17 00:00:00 2001
From: Patrick Hermann
Date: Thu, 11 Dec 2025 09:18:14 +0000
Subject: [PATCH 1/2] feat: feat/update-infra
---
 apps/rancher.yaml.gotmpl | 2 +-
 infra/README.md | 6 ++++++
 infra/cert-manager.yaml.gotmpl | 2 +-
 infra/ingress-nginx.yaml.gotmpl | 2 +-
 4 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/apps/rancher.yaml.gotmpl b/apps/rancher.yaml.gotmpl
index 8cab1550..a20ac047 100644
--- a/apps/rancher.yaml.gotmpl
+++ b/apps/rancher.yaml.gotmpl
@@ -9,7 +9,7 @@ environments:
 - issuerKind: ClusterIssuer
 - issuerName: vault-approle
 - cacerts: ""
- - bootstrapPassword: "Adminpassword!123"
+ - bootstrapPassword: "Adminpassword!123" # pragma: allowlist secret
 - ingressClass: nginx
 - privateCA: true
 ---
diff --git a/infra/README.md b/infra/README.md
index 0f2d7f6f..b5f88ffc 100644
--- a/infra/README.md
+++ b/infra/README.md
@@ -70,6 +70,12 @@ EOF ### w/ SELF-SIGNED +```bash +kubectl apply -k https://github.com/stuttgart-things/helm/infra/crds/cert-manager + +helmfile apply -f git::https://github.com/stuttgart-things/helm.git@infra/cert-manager.yaml.gotmpl --state-values-set installCrds=false +``` + ```bash cat < cert-manager-selfsigned.yaml ---
diff --git a/infra/cert-manager.yaml.gotmpl b/infra/cert-manager.yaml.gotmpl
index cb440250..1cbbdc7e 100644
--- a/infra/cert-manager.yaml.gotmpl
+++ b/infra/cert-manager.yaml.gotmpl
@@ -3,7 +3,7 @@ environments:
 default:
 values:
 - namespace: cert-manager
- - version: v1.19.1
+ - version: v1.19.2
 - config: selfsigned
 - installCrds: true
 ---
diff --git a/infra/ingress-nginx.yaml.gotmpl b/infra/ingress-nginx.yaml.gotmpl
index 012bb10b..6b42709f 100644
--- a/infra/ingress-nginx.yaml.gotmpl
+++ b/infra/ingress-nginx.yaml.gotmpl
@@ -3,7 +3,7 @@ environments:
 default:
 values:
 - namespace: ingress-nginx
- - version: 4.13.0
+ - version: 4.14.1
 - enableHostPort: false
 ---
 releases:
From abdfb027d918d8498fdb3875d99c57fb15097e34 Mon Sep 17 00:00:00 2001
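Review bot: In apps/rancher.yaml.gotmpl the added `# pragma: allowlist secret` only silences the secret scanner; the literal `bootstrapPassword` stays in the repository as the default, so any deployment that does not override it comes up with a publicly known Rancher bootstrap password. I would remove the default and make the value mandatory, for example `- bootstrapPassword: {{ requiredEnv "RANCHER_PASSWORD" | quote }}`, so the apply fails when no password is supplied instead of falling back to a shared one. The `default "hall01234R@ncher"` fallback in the apps/README.md example of PATCH 2/2 has the same effect and should be dropped from the documented command as well. The rest of the environments block lies outside this hunk, so confirm nothing else relies on the literal.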
From: Patrick Hermann
Date: Thu, 11 Dec 2025 10:16:01 +0000
Subject: [PATCH 2/2] feat: feat/update-infra
---
 apps/README.md | 5 +++--
 infra/README.md | 2 +-
 infra/ingress-nginx.yaml.gotmpl | 3 ++-
 infra/values/ingress-nginx.values.yaml.gotmpl | 21 ++++++++++++++++++-
 4 files changed, 26 insertions(+), 5 deletions(-)
diff --git a/apps/README.md b/apps/README.md
index 7a09da93..123207ef 100644
--- a/apps/README.md
+++ b/apps/README.md
@@ -13,9 +13,10 @@ App Helmfile templates. export RANCHER_PASSWORD= helmfile apply -f \ -git::https://github.com/stuttgart-things/helm.git@apps/apps/homerun-base-stack.yaml.gotmpl \ +git::https://github.com/stuttgart-things/helm.git@apps/apps/rancher.yaml.gotmpl \ --state-values-set issuerName=cluster-issuer-approle \ ---state-values-set domain=demo-infra.sthings-vsphere.labul.sva.de \ --state-values-set bootstrapPassword={{ env "RANCHER_PASSWORD" | default "hall01234R@ncher" }} \ +--state-values-set domain=demo-infra.sthings-vsphere.labul.sva.de \ +--state-values-set bootstrapPassword={{ env "RANCHER_PASSWORD" | default "hall01234R@ncher" }} \ --state-values-set cacerts=LS0tLS1CRUdJTiBDRV#.. ```
diff --git a/infra/README.md b/infra/README.md
index b5f88ffc..1947c8d3 100644
--- a/infra/README.md
+++ b/infra/README.md
@@ -73,7 +73,7 @@ EOF ```bash kubectl apply -k https://github.com/stuttgart-things/helm/infra/crds/cert-manager -helmfile apply -f git::https://github.com/stuttgart-things/helm.git@infra/cert-manager.yaml.gotmpl --state-values-set installCrds=false +helmfile apply -f git::https://github.com/stuttgart-things/helm.git@infra/cert-manager.yaml.gotmpl --state-values-set installCrds=false ``` ```bash
diff --git a/infra/ingress-nginx.yaml.gotmpl b/infra/ingress-nginx.yaml.gotmpl
index 6b42709f..81ecff36 100644
--- a/infra/ingress-nginx.yaml.gotmpl
+++ b/infra/ingress-nginx.yaml.gotmpl
@@ -4,7 +4,8 @@ environments:
 values:
 - namespace: ingress-nginx
 - version: 4.14.1
- - enableHostPort: false
+ - enableKindHostPort: false
+ - enableNodePort: false
 ---
 releases:
 - name: ingress-nginx
diff --git a/infra/values/ingress-nginx.values.yaml.gotmpl b/infra/values/ingress-nginx.values.yaml.gotmpl
index cbadfc83..82cbefed 100644
--- a/infra/values/ingress-nginx.values.yaml.gotmpl
+++ b/infra/values/ingress-nginx.values.yaml.gotmpl
@@ -1,4 +1,4 @@
-{{- if .Values.enableHostPort }}
+{{- if .Values.enableKindHostPort }}
 ---
 controller:
 nodeSelector:
@@ -16,3 +16,22 @@ controller:
 hostPort:
 enabled: true # Enables direct binding to host ports
 {{- end }}
+
+
+{{- if .Values.enableNodePort }}
+---
+controller:
+ nodeSelector:
+ ingress-ready: "true"
+ node-role.kubernetes.io/control-plane: "true" # Matches real node
+ tolerations:
+ - key: "node-role.kubernetes.io/control-plane"
+ operator: "Exists"
+ effect: "NoSchedule"
+ service:
+ type: NodePort
+ admissionWebhooks:
+ enabled: false
+ hostPort:
+ enabled: true
+{{- end }}
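Review bot: Renaming `enableHostPort` to `enableKindHostPort` in infra/ingress-nginx.yaml.gotmpl, together with the `{{- if .Values.enableKindHostPort }}` guard in the values template, silently changes behaviour for existing callers: a `--state-values-set enableHostPort=true` is now ignored and the host-port values are not rendered, with no error. Either accept the old key as an alias for one release, e.g. `{{- if or .Values.enableKindHostPort (.Values | get "enableHostPort" false) }}`, or record the rename in infra/README.md. A short comment above each flag, such as `# kind clusters only: bind the controller to host ports`, would make the two options distinguishable. The release definition that consumes these values is outside the hunk.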
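Review bot: The new `enableNodePort` block in infra/values/ingress-nginx.values.yaml.gotmpl carries `hostPort: enabled: true` and `admissionWebhooks: enabled: false` over from the kind variant, which is a weak default for the "real node" case its comment describes. With `service.type: NodePort` the host-port binding looks redundant and puts the controller's listeners directly on a control-plane host, and switching off the admission webhook removes validation of Ingress objects before they are rendered into the nginx configuration. I would drop the `hostPort` lines and leave the webhook at the chart default, or keep it off only with a comment such as `# webhook disabled because <reason>`. Both blocks open with `---`, so setting both flags appears to render two documents into one values file; an `else if` or a guard in the release file would make the options mutually exclusive. Indentation is collapsed on this page, so the nesting under `controller` is inferred from the block above.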