caddy: fix external ip annotation

docker/home/zigbee2mqtt/docker-compose.yml

@@ -2,7 +2,7 @@ services:
   zigbee2mqtt:
     container_name: zigbee2mqtt
     restart: unless-stopped
-    image: koenkk/zigbee2mqtt:2.10.1
+    image: koenkk/zigbee2mqtt:2.9.2
     networks:
       - default
       - proxy

kubernetes/system/caddy/caddyfile.yaml

@@ -37,14 +37,30 @@ data:
 
         @umami       host umami.vhaudiquet.fr
 
-        handle @authentik   { reverse_proxy traefik.traefik.svc.cluster.local:80 }
-        handle @auth-nook   { reverse_proxy traefik.traefik.svc.cluster.local:80 }
-        handle @nook-mg     { reverse_proxy traefik.traefik.svc.cluster.local:80 }
-        handle @nook        { reverse_proxy traefik.traefik.svc.cluster.local:80 }
-        handle @sse-nook    { reverse_proxy traefik.traefik.svc.cluster.local:80 }
-        handle @gitea       { reverse_proxy traefik.traefik.svc.cluster.local:80 }
-        handle @flux-wh     { reverse_proxy traefik.traefik.svc.cluster.local:80 }
-        handle @umami       { reverse_proxy traefik.traefik.svc.cluster.local:80 }
+        handle @authentik {
+            reverse_proxy traefik.traefik.svc.cluster.local:80
+        }
+        handle @auth-nook {
+            reverse_proxy traefik.traefik.svc.cluster.local:80
+        }
+        handle @nook-mg {
+            reverse_proxy traefik.traefik.svc.cluster.local:80
+        }
+        handle @nook {
+            reverse_proxy traefik.traefik.svc.cluster.local:80
+        }
+        handle @sse-nook {
+            reverse_proxy traefik.traefik.svc.cluster.local:80
+        }
+        handle @gitea {
+            reverse_proxy traefik.traefik.svc.cluster.local:80
+        }
+        handle @flux-wh {
+            reverse_proxy traefik.traefik.svc.cluster.local:80
+        }
+        handle @umami {
+            reverse_proxy traefik.traefik.svc.cluster.local:80
+        }
 
         # Docker VM services (via Traefik)
         @alexscript     host alexscript.vhaudiquet.fr
@@ -52,10 +68,18 @@ data:
         @jellyfin       host flix.vhaudiquet.fr
         @mail           host mail.vhaudiquet.fr
 
-        handle @alexscript      { reverse_proxy 10.1.2.212:80 }
-        handle @clips           { reverse_proxy 10.1.2.212:80 }
-        handle @jellyfin        { reverse_proxy 10.1.2.212:80 }
-        handle @mail            { reverse_proxy 10.1.2.212:80 }
+        handle @alexscript {
+            reverse_proxy 10.1.2.212:80
+        }
+        handle @clips {
+            reverse_proxy 10.1.2.212:80
+        }
+        handle @jellyfin {
+            reverse_proxy 10.1.2.212:80
+        }
+        handle @mail {
+            reverse_proxy 10.1.2.212:80
+        }
     }
 
     semery.fr {

kubernetes/system/caddy/release.yaml

@@ -17,3 +17,14 @@ spec:
   valuesFrom:
     - kind: Secret
       name: caddy-values
+  # Patch the Service to add loadBalancerIP since the chart doesn't support it
+  postRenderers:
+    - kustomize:
+        patches:
+          - target:
+              kind: Service
+              name: caddy
+            patch: |
+              - op: add
+                path: /spec/loadBalancerIP
+                value: "10.1.2.152"

kubernetes/system/caddy/values.yaml

@@ -13,8 +13,6 @@ image:
     tag: 2.11.2
 service:
     type: LoadBalancer
-    annotations:
-        io.cilium/lb-ipam-ips: 10.1.2.152
     externalTrafficPolicy: Local
 # Disable ingress - Caddy IS the edge proxy
 ingress:
@@ -26,17 +24,10 @@ resources:
     limits:
         cpu: 500m
         memory: 256Mi
-podSecurityContext:
-    runAsNonRoot: true
-    runAsUser: 1000
-    runAsGroup: 1000
-    fsGroup: 1000
-securityContext:
-    allowPrivilegeEscalation: false
-    capabilities:
-        drop:
-            - ALL
-    readOnlyRootFilesystem: true
+# Caddy needs root to bind to ports 80/443 and write runtime data
+# Using restrictive security context causes "operation not permitted"
+podSecurityContext: {}
+securityContext: {}
 health:
     path: /
     port: 9999
@@ -44,8 +35,8 @@ health:
 volumes:
     - name: certificates
       secret:
-        secretName: ENC[AES256_GCM,data:hpxK4mqVNwVRWutC4ufnqhzu,iv:D/7vhjkr5buSFJ42UeGKicPJA7YxHhv+vmakFFE11Vk=,tag:AExbVZIQu+wrUb5jq86toA==,type:str]
-        optional: ENC[AES256_GCM,data:y19uLw==,iv:S5VEP6p7GspKtXeTDumHy1xJ0yW1qu/t4yqy3bhlZSE=,tag:mkZiVVboLoOhGd1EcE9PaA==,type:bool]
+        secretName: ENC[AES256_GCM,data:1HAy4ntUhnklTlxZgF92RLdT,iv:Vz/nfWy8yie5qre7+yzVzDpO1IW3x4SUJBQIzggGMJY=,tag:+HXDFjKHCJLjE5uW3HsEGQ==,type:str]
+        optional: ENC[AES256_GCM,data:6WPvqQ==,iv:CAxOsnyPZhLLQ4/xfDNFu8mgKVz5keDG0gfopL69v70=,tag:Nta3ov4Zmgu1uwI/1JRsWg==,type:bool]
     - name: routes
       configMap:
         name: caddy-routes
@@ -77,27 +68,27 @@ affinity:
                         app.kubernetes.io/name: caddy
                 topologyKey: kubernetes.io/hostname
 sops:
-    lastmodified: "2026-05-07T22:47:47Z"
-    mac: ENC[AES256_GCM,data:LQqoe/wDLAUJWLiEGoID3CSI4bQmdVaroAkq7Kk9Ullt85X3VmYMOrLXjn1Qew95rpG6gB9Bl7rvv0J7mUDJtewhfkSsSXKTYJAcn4VVoNGZ3PZu9/w5HNvOqDhTkXBWKEgQK4+HMKKEhW8iQ5aJ+oTAEZfKsp9k8+mqgHId100=,iv:E/v+fY9iKM9W9NFSGNtiJV6ZeaAb2Fy2hGDgOBwmFyU=,tag:JOD69j8SUS5339+zrV9L4g==,type:str]
+    lastmodified: "2026-05-08T08:49:14Z"
+    mac: ENC[AES256_GCM,data:pcStIiaO4zwMLYlpA3FZlwtesiXmhOcclk6GdQ5QRziGv/Te2bUuWGVA6EaeGJML6Mo0JG3jfyua6qQbPdVp6MBt34clcqoU51BG1Nxa6li0K2oqnJlo4evuhJqW1QDzPZZWs8XZaga6rEKNtLwp1R2CIKJU4V5wZAInnqGrnh8=,iv:bhGiargUSIvJ7vePYLBiyG/ZmXDjWyG0x55NG7kxSH8=,tag:H2dIz/JrPGg53BLOvz6ikg==,type:str]
     pgp:
-        - created_at: "2026-05-07T22:47:46Z"
+        - created_at: "2026-05-08T08:49:14Z"
           enc: |-
             -----BEGIN PGP MESSAGE-----
 
-            hQIMA7uy4qQr71wiARAAt5P8/X84OYKnWvKc5qRpwHNQwbfqrB/SHkX82oJ8ZlXJ
-            /vlKVDOBrlntePt4cyKT6c3Ubw4xDj/1U3PkvM44AXSRHH8E5dSUI+5T/0+SBlfU
-            6XlkF6cpng/ydMvImTAi3+8bmC3yHE/NEegreldjFj7l2hdFuvfyOp7pmE//Ljox
-            D7tkq9v1/IlvPfeAY0xIEotr1nb41OEhM7OhPQjtGUeufD0eCUhCQaZSo+CjTrf2
-            cG+eE/O2jCLNjWJ33wK1AHtHX1mlyzW8sRkRVgg511G8iquFjD11ZuDZPEIC8Yle
-            idftTlPh0ZTOGXcfDVn5Pq9dgkZ3K6ufhvEb8mw0NrPsysY21PdDaIzLo58b4t2m
-            akJ1xCciwsQDorKfFjpG7gFzV1KvMzw/KjEUFxg5JfKaFGTPhgsf50OiM6VPf4gP
-            cTS5QNewdnbnzHE756PkZqfqdt6Tt9xqji8r72PwTSUy6yaK/lV9owAIZ6V2yTdt
-            l3DckDp0HsU/w98fabiX9CsrJUWeUfioElw2ibXWcXNHmqPoFl1Bf/AbF20t6P9p
-            +1J0vMu6ONsBGv2Flmle2Ya7OQbZF4lQB4dQLUBDKdZArsB5Sspm3Rf+4iP9qUF+
-            Pr/OotbiaOLsEZybIf+L2d5ON4zCbNAU5VbpfWMKH0AsPcIH5Ruw7d/OutAGZOvS
-            XAGAEBjVlZ2IRU6CSPJDG/9TqBHyBHfriV+BoGlKlXbPMoJAZI2wX1o7+M6S65ho
-            aiR70aCo2kIgFvxxBeY1FxtB0DB8Zeoul7ovvhKIq2u9s7X/OSIa0X5dm6sZ
-            =fg1O
+            hQIMA7uy4qQr71wiAQ//VaH0Exxuw7YlBSLJc2UuNPVzDxkd6udLgpfLerMePX1s
+            9HeJslI2vcUG2lN8Pg9ZxTwqOJHsJDhetKNYIhTJ8ig899FWAz0DMG49Pv6QSQiM
+            eS8Mji6FavAhT9AkIgK635HbNqPQewBsYEyMTL3rScz5a2XEsgsNx+rta4HsFp0F
+            yqlXv/AIbxkr22edHbbfnTU+fcdEcprtaaqIg0hi1gUVqOLp+lZgakr+nfbY9KkB
+            5Y6KZFv2fYJ7xLgugT97sTXbk9YkQ+qjUvFVICkRDneTGmLfNocr+9KWe48KMXAN
+            QJ7Kb5rFkZLUko92i6KOnJlk4rbtmD2/pECmDeR1PX1ACZDRmcJMCSO0tdbuLS3C
+            8zEBsyebl5je4b91bncWNMjkXklhaF4FC8U5m2FP0BwQoGYq+9R3rGTv4Nx5ycPk
+            D4KfKY8p8kn7/AnhpBrFRg1E7YGERipMX6BvcXvgBHHUntp3VXdRG5HzHW3Fs1wq
+            w1HRQcm5VZpKfgJ4WoQ/aQB4clXrHBA+JNrrOhJ2LgRAIvayl0IKA/3ZZMahacbc
+            R1B96qr+2v160vDFp1ocZcDo72cWdCZ03t1eNPaaM7NKVsszD5WjYOomRh7ndLh1
+            l+MK3pvuqF6bekfFNmDVDgt9cpSl0UJ7wo2ZreSn5XhOXY88b7neu2BzUQOlU3LS
+            XAGnHhe99cHTE9NnH7egRZUMDhKI5gn1OkCgKCqBIcYp1gDKiPYdAHK7yjv0aJR/
+            j/VDwJzcB97ooiHmTRYrg5GpUEELkeZ6TIrjvZqOySXG9wIU74o8JUIyGtvt
+            =z8ER
             -----END PGP MESSAGE-----
           fp: DC6910268E657FF70BA7EC289974494E76938DDC
     encrypted_regex: ^(password|value|ssh-key|api-key|user|username|privateKey|clientSecret|clientId|apiKey|extraArgs.*|.*Secret.*|extraEnvVars|.*SECRET.*|.*secret.*|key|.*Password|.*\.ya?ml)$