From 1a84bcc738ed5449bc36fd16995bba80d48cd5fa Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Fri, 20 Sep 2024 09:33:04 +0000
Subject: [PATCH 01/10] fix(charts): update helm release traefik to v31.1.1
 (#2983)

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
 helm-dependencies.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/helm-dependencies.yaml b/helm-dependencies.yaml
index 39f4bdec9..5e6c1bed7 100644
--- a/helm-dependencies.yaml
+++ b/helm-dependencies.yaml
@@ -105,7 +105,7 @@ dependencies:
     version: v3.28.2
     repository: https://docs.projectcalico.org/charts
   - name: traefik
-    version: 31.1.0
+    version: 31.1.1
     repository: https://helm.traefik.io/traefik
   - name: memcached
     version: 7.4.16

From ad10a9fc0b4677eb5cd7dd46a6783fd0b8b4e4b6 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Mon, 23 Sep 2024 17:00:09 +0000
Subject: [PATCH 02/10] feat(charts): update helm release cluster-autoscaler to
 v9.38.0 (#2984)

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
 helm-dependencies.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/helm-dependencies.yaml b/helm-dependencies.yaml
index 5e6c1bed7..ccf5ece58 100644
--- a/helm-dependencies.yaml
+++ b/helm-dependencies.yaml
@@ -30,7 +30,7 @@ dependencies:
     version: v0.10.1
     repository: https://charts.jetstack.io
   - name: cluster-autoscaler
-    version: 9.37.0
+    version: 9.38.0
     repository: https://kubernetes.github.io/autoscaler
   - name: external-dns
     version: 1.15.0

From 2ea88a7f43cbd05353c0e03989882d14ff56d5f4 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Tue, 24 Sep 2024 00:36:00 +0000
Subject: [PATCH 03/10] feat(charts): update helm release cluster-autoscaler to
 v9.39.0 (#2985)

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
 helm-dependencies.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/helm-dependencies.yaml b/helm-dependencies.yaml
index ccf5ece58..e3113c925 100644
--- a/helm-dependencies.yaml
+++ b/helm-dependencies.yaml
@@ -30,7 +30,7 @@ dependencies:
     version: v0.10.1
     repository: https://charts.jetstack.io
   - name: cluster-autoscaler
-    version: 9.38.0
+    version: 9.39.0
     repository: https://kubernetes.github.io/autoscaler
   - name: external-dns
     version: 1.15.0

From 2ba21bf8e8e712ac5f005276837dcefc18c47217 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Tue, 24 Sep 2024 10:06:06 +0000
Subject: [PATCH 04/10] fix(charts): update helm release cluster-autoscaler to
 v9.39.1 (#2986)

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
 helm-dependencies.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/helm-dependencies.yaml b/helm-dependencies.yaml
index e3113c925..78edac87d 100644
--- a/helm-dependencies.yaml
+++ b/helm-dependencies.yaml
@@ -30,7 +30,7 @@ dependencies:
     version: v0.10.1
     repository: https://charts.jetstack.io
   - name: cluster-autoscaler
-    version: 9.39.0
+    version: 9.39.1
     repository: https://kubernetes.github.io/autoscaler
   - name: external-dns
     version: 1.15.0

From 70c99106980a5d2789337ae86f558b8c47f2a62b Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Wed, 25 Sep 2024 09:31:41 +0000
Subject: [PATCH 05/10] feat(charts): update helm release cluster-autoscaler to
 v9.40.0 (#2987)

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
 helm-dependencies.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/helm-dependencies.yaml b/helm-dependencies.yaml
index 78edac87d..d4017ac5d 100644
--- a/helm-dependencies.yaml
+++ b/helm-dependencies.yaml
@@ -30,7 +30,7 @@ dependencies:
     version: v0.10.1
     repository: https://charts.jetstack.io
   - name: cluster-autoscaler
-    version: 9.39.1
+    version: 9.40.0
     repository: https://kubernetes.github.io/autoscaler
   - name: external-dns
     version: 1.15.0

From 517ae532cf74e3e41b13c30f246a9f4ee5b50dbd Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Thu, 26 Sep 2024 08:03:43 +0000
Subject: [PATCH 06/10] fix(charts): update karpenter docker tag to v1.0.3
 (#2989)

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
 helm-dependencies.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/helm-dependencies.yaml b/helm-dependencies.yaml
index d4017ac5d..44f0d90e0 100644
--- a/helm-dependencies.yaml
+++ b/helm-dependencies.yaml
@@ -48,7 +48,7 @@ dependencies:
     version: 1.7.2
     repository: https://charts.helm.sh/stable
   - name: karpenter
-    version: 1.0.2
+    version: 1.0.3
     repository: oci://public.ecr.aws/karpenter
   - name: keda
     version: 2.15.1

From 75a08a8bdc11adc3a67aef3fc2ccb1fdcf881c82 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Thu, 26 Sep 2024 14:22:54 +0000
Subject: [PATCH 07/10] feat(charts): update helm release kong to v2.42.0
 (#2990)

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
 helm-dependencies.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/helm-dependencies.yaml b/helm-dependencies.yaml
index 44f0d90e0..2c6697262 100644
--- a/helm-dependencies.yaml
+++ b/helm-dependencies.yaml
@@ -54,7 +54,7 @@ dependencies:
     version: 2.15.1
     repository: https://kedacore.github.io/charts
   - name: kong
-    version: 2.41.1
+    version: 2.42.0
     repository: https://charts.konghq.com
   - name: kube-prometheus-stack
     version: 62.7.0

From 4a383c51e129944486f7aaa16fea43c49b8c989b Mon Sep 17 00:00:00 2001
From: "Thomas P." <TPXP@users.noreply.github.com>
Date: Thu, 26 Sep 2024 19:37:15 +0200
Subject: [PATCH 08/10] feat(google): add velero support (#2988)

Signed-off-by: Thomas P. <TPXP@users.noreply.github.com>
---
 modules/google/README.md |  12 ++
 modules/google/velero.tf | 273 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 285 insertions(+)
 create mode 100644 modules/google/velero.tf

diff --git a/modules/google/README.md b/modules/google/README.md
index f01b4e00e..a0089edc5 100644
--- a/modules/google/README.md
+++ b/modules/google/README.md
@@ -66,6 +66,7 @@ Provides various Kubernetes addons that are often used on Kubernetes with GCP
 | <a name="module_thanos-storegateway_bucket_iam"></a> [thanos-storegateway\_bucket\_iam](#module\_thanos-storegateway\_bucket\_iam) | terraform-google-modules/iam/google//modules/storage_buckets_iam | ~> 8.0 |
 | <a name="module_thanos_bucket"></a> [thanos\_bucket](#module\_thanos\_bucket) | terraform-google-modules/cloud-storage/google//modules/simple_bucket | ~> 6.0 |
 | <a name="module_thanos_kms_bucket"></a> [thanos\_kms\_bucket](#module\_thanos\_kms\_bucket) | terraform-google-modules/kms/google | ~> 3.0 |
+| <a name="module_velero_bucket"></a> [velero\_bucket](#module\_velero\_bucket) | github.com/terraform-google-modules/terraform-google-cloud-storage//modules/simple_bucket | v6.1.0 |
 
 ## Resources
 
@@ -77,6 +78,10 @@ Provides various Kubernetes addons that are often used on Kubernetes with GCP
 | [github_repository_deploy_key.main](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository_deploy_key) | resource |
 | [google_dns_managed_zone_iam_member.cert_manager_cloud_dns_iam_permissions](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/dns_managed_zone_iam_member) | resource |
 | [google_dns_managed_zone_iam_member.external_dns_cloud_dns_iam_permissions](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/dns_managed_zone_iam_member) | resource |
+| [google_project_iam_custom_role.velero](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_custom_role) | resource |
+| [google_project_iam_member.velero](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource |
+| [google_service_account.velero](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account) | resource |
+| [google_service_account_iam_policy.admin-account-iam](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account_iam_policy) | resource |
 | [google_storage_bucket_iam_member.kube_prometheus_stack_thanos_bucket_objectAdmin_iam_permission](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket_iam_member) | resource |
 | [google_storage_bucket_iam_member.kube_prometheus_stack_thanos_bucket_objectViewer_iam_permission](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket_iam_member) | resource |
 | [google_storage_bucket_iam_member.thanos_compactor_gcs_iam_legacyBucketWriter_permissions](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket_iam_member) | resource |
@@ -111,6 +116,7 @@ Provides various Kubernetes addons that are often used on Kubernetes with GCP
 | [helm_release.thanos-storegateway](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
 | [helm_release.thanos-tls-querier](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
 | [helm_release.traefik](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
+| [helm_release.velero](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
 | [helm_release.victoria-metrics-k8s-stack](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
 | [kubectl_manifest.cert-manager_cluster_issuers](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/resources/manifest) | resource |
 | [kubectl_manifest.ip_masq_agent](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/resources/manifest) | resource |
@@ -118,6 +124,7 @@ Provides various Kubernetes addons that are often used on Kubernetes with GCP
 | [kubectl_manifest.linkerd-viz](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/resources/manifest) | resource |
 | [kubectl_manifest.prometheus-operator_crds](https://registry.terraform.io/providers/alekc/kubectl/latest/docs/resources/manifest) | resource |
 | [kubernetes_config_map.loki-stack_grafana_ds](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/config_map) | resource |
+| [kubernetes_manifest.velero_snapshot_class](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/manifest) | resource |
 | [kubernetes_namespace.admiralty](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
 | [kubernetes_namespace.cert-manager](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
 | [kubernetes_namespace.external-dns](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
@@ -139,6 +146,7 @@ Provides various Kubernetes addons that are often used on Kubernetes with GCP
 | [kubernetes_namespace.secrets-store-csi-driver](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
 | [kubernetes_namespace.thanos](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
 | [kubernetes_namespace.traefik](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
+| [kubernetes_namespace.velero](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
 | [kubernetes_namespace.victoria-metrics-k8s-stack](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
 | [kubernetes_network_policy.admiralty_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
 | [kubernetes_network_policy.admiralty_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
@@ -193,6 +201,9 @@ Provides various Kubernetes addons that are often used on Kubernetes with GCP
 | [kubernetes_network_policy.traefik_allow_monitoring](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
 | [kubernetes_network_policy.traefik_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
 | [kubernetes_network_policy.traefik_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
+| [kubernetes_network_policy.velero_allow_monitoring](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
+| [kubernetes_network_policy.velero_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
+| [kubernetes_network_policy.velero_default_deny](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
 | [kubernetes_network_policy.victoria-metrics-k8s-stack_allow_control_plane](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
 | [kubernetes_network_policy.victoria-metrics-k8s-stack_allow_ingress](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
 | [kubernetes_network_policy.victoria-metrics-k8s-stack_allow_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy) | resource |
@@ -223,6 +234,7 @@ Provides various Kubernetes addons that are often used on Kubernetes with GCP
 | [tls_self_signed_cert.thanos-tls-querier-ca-cert](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/self_signed_cert) | resource |
 | [tls_self_signed_cert.webhook_issuer_tls](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/self_signed_cert) | resource |
 | [github_repository.main](https://registry.terraform.io/providers/integrations/github/latest/docs/data-sources/repository) | data source |
+| [google_iam_policy.velero](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/iam_policy) | data source |
 | [google_project.current](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/project) | data source |
 | [http_http.prometheus-operator_crds](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) | data source |
 | [http_http.prometheus-operator_version](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) | data source |
diff --git a/modules/google/velero.tf b/modules/google/velero.tf
new file mode 100644
index 000000000..f3e1943dd
--- /dev/null
+++ b/modules/google/velero.tf
@@ -0,0 +1,273 @@
+locals {
+  velero = merge(
+    local.helm_defaults,
+    {
+      name                    = local.helm_dependencies[index(local.helm_dependencies.*.name, "velero")].name
+      chart                   = local.helm_dependencies[index(local.helm_dependencies.*.name, "velero")].name
+      repository              = local.helm_dependencies[index(local.helm_dependencies.*.name, "velero")].repository
+      chart_version           = local.helm_dependencies[index(local.helm_dependencies.*.name, "velero")].version
+      namespace               = "velero"
+      service_account_name    = "velero"
+      enabled                 = false
+      create_iam_account      = true
+      iam_account_name        = "gke-${substr(var.cluster-name, 0, 18)}-velero"
+      create_bucket           = true
+      bucket                  = "${var.cluster-name}-velero"
+      bucket_location         = "eu"
+      bucket_force_destroy    = false
+      bucket_versioning       = false
+      allowed_cidrs           = ["0.0.0.0/0"]
+      default_network_policy  = true
+      kms_key_arn_access_list = []
+      name_prefix             = "${var.cluster-name}-velero"
+      snapshot_location       = "eu"
+      create_snapshot_class   = true
+    },
+    var.velero
+  )
+
+  values_velero = <<VALUES
+metrics:
+  serviceMonitor:
+    enabled: ${local.kube-prometheus-stack["enabled"] || local.victoria-metrics-k8s-stack["enabled"]}
+configuration:
+  namespace: ${local.velero["namespace"]}
+  features: EnableCSI
+  backupStorageLocation:
+    - name: gcp
+      provider: velero.io/gcp
+      bucket: ${local.velero["bucket"]}
+      default: true
+      config:
+        serviceAccount: ${local.velero["create_iam_account"] ? google_service_account.velero[0].email : "@@SETTHIS@@"}
+  volumeSnapshotLocation:
+    - name: gcp
+      provider: velero.io/gcp
+      snapshotLocation: ${local.velero["snapshot_location"]}
+serviceAccount:
+  server:
+    name: ${local.velero["service_account_name"]}
+    create: true
+    annotations:
+      iam.gke.io/gcp-service-account: ${local.velero["create_iam_account"] ? google_service_account.velero[0].email : ""}
+priorityClassName: ${local.priority-class-ds["create"] ? kubernetes_priority_class.kubernetes_addons_ds[0].metadata[0].name : ""}
+credentials:
+  useSecret: false
+initContainers:
+  - name: velero-plugin-for-gcp
+    image: velero/velero-plugin-for-gcp:v1.10.1
+    imagePullPolicy: IfNotPresent
+    volumeMounts:
+      - mountPath: /target
+        name: plugins
+VALUES
+
+}
+
+resource "google_project_iam_custom_role" "velero" {
+  count       = (local.velero["enabled"] && local.velero["create_iam_account"]) ? 1 : 0
+  role_id     = replace(local.velero["iam_account_name"], "-", "_")
+  title       = "${var.cluster-name} - velero"
+  description = "IAM role used by velero on ${var.cluster-name} to perform backup operations"
+  permissions = [
+    # https://github.com/vmware-tanzu/velero-plugin-for-gcp/blob/main/README.md#create-custom-role-with-permissions-for-the-velero-gsa
+    "compute.disks.get",
+    "compute.disks.create",
+    "compute.disks.createSnapshot",
+    "compute.projects.get",
+    "compute.snapshots.get",
+    "compute.snapshots.create",
+    "compute.snapshots.useReadOnly",
+    "compute.snapshots.delete",
+    "compute.zones.get",
+    # We set these privileges on the bucket directly
+    # "storage.objects.create",
+    # "storage.objects.delete",
+    # "storage.objects.get",
+    # "storage.objects.list",
+    "iam.serviceAccounts.signBlob",
+  ]
+}
+
+resource "google_service_account" "velero" {
+  count        = (local.velero["enabled"] && local.velero["create_iam_account"]) ? 1 : 0
+  account_id   = local.velero["iam_account_name"]
+  display_name = "Velero on GKE ${var.cluster-name}"
+  description  = "Service account for Velero on GKE cluster ${var.cluster-name}"
+}
+
+resource "google_project_iam_member" "velero" {
+  count   = (local.velero["enabled"] && local.velero["create_iam_account"]) ? 1 : 0
+  project = data.google_project.current.project_id
+  role    = google_project_iam_custom_role.velero[0].id
+  member  = google_service_account.velero[0].member
+}
+
+data "google_iam_policy" "velero" {
+  binding {
+    role = "roles/iam.workloadIdentityUser"
+
+    members = [
+      "serviceAccount:${data.google_project.current.project_id}.svc.id.goog[${local.velero["namespace"]}/${local.velero["service_account_name"]}]",
+    ]
+  }
+}
+
+resource "google_service_account_iam_policy" "admin-account-iam" {
+  count              = (local.velero["enabled"] && local.velero["create_iam_account"]) ? 1 : 0
+  service_account_id = google_service_account.velero[0].name
+  policy_data        = data.google_iam_policy.velero.policy_data
+}
+
+module "velero_bucket" {
+  count  = (local.velero["enabled"] && local.velero["create_bucket"]) ? 1 : 0
+  source = "github.com/terraform-google-modules/terraform-google-cloud-storage//modules/simple_bucket?ref=v6.1.0"
+
+  name       = local.velero["name_prefix"]
+  project_id = data.google_project.current.project_id
+
+  versioning = local.velero["bucket_versioning"]
+  location   = local.velero["bucket_location"]
+
+  force_destroy = local.velero["bucket_force_destroy"]
+
+  iam_members = [
+    {
+      role   = "roles/storage.objectUser"
+      member = "serviceAccount:${local.velero["iam_account_name"]}@${data.google_project.current.project_id}.iam.gserviceaccount.com" # This should be google_service_account.velero[0].member, but it's included in a loop so we have to determine it before apply
+    }
+  ]
+  depends_on = [google_service_account.velero]
+}
+
+resource "kubernetes_namespace" "velero" {
+  count = local.velero["enabled"] ? 1 : 0
+
+  metadata {
+    labels = {
+      name = local.velero["namespace"]
+    }
+
+    name = local.velero["namespace"]
+  }
+}
+
+resource "helm_release" "velero" {
+  count                 = local.velero["enabled"] ? 1 : 0
+  repository            = local.velero["repository"]
+  name                  = local.velero["name"]
+  chart                 = local.velero["chart"]
+  version               = local.velero["chart_version"]
+  timeout               = local.velero["timeout"]
+  force_update          = local.velero["force_update"]
+  recreate_pods         = local.velero["recreate_pods"]
+  wait                  = local.velero["wait"]
+  atomic                = local.velero["atomic"]
+  cleanup_on_fail       = local.velero["cleanup_on_fail"]
+  dependency_update     = local.velero["dependency_update"]
+  disable_crd_hooks     = local.velero["disable_crd_hooks"]
+  disable_webhooks      = local.velero["disable_webhooks"]
+  render_subchart_notes = local.velero["render_subchart_notes"]
+  replace               = local.velero["replace"]
+  reset_values          = local.velero["reset_values"]
+  reuse_values          = local.velero["reuse_values"]
+  skip_crds             = local.velero["skip_crds"]
+  verify                = local.velero["verify"]
+  values = compact([
+    local.values_velero,
+    local.velero["extra_values"]
+  ])
+  namespace = kubernetes_namespace.velero.*.metadata.0.name[count.index]
+
+  depends_on = [
+    kubectl_manifest.prometheus-operator_crds
+  ]
+}
+
+resource "kubernetes_network_policy" "velero_default_deny" {
+  count = local.velero["enabled"] && local.velero["default_network_policy"] ? 1 : 0
+
+  metadata {
+    name      = "${kubernetes_namespace.velero.*.metadata.0.name[count.index]}-default-deny"
+    namespace = kubernetes_namespace.velero.*.metadata.0.name[count.index]
+  }
+
+  spec {
+    pod_selector {
+    }
+    policy_types = ["Ingress"]
+  }
+}
+
+resource "kubernetes_network_policy" "velero_allow_namespace" {
+  count = local.velero["enabled"] && local.velero["default_network_policy"] ? 1 : 0
+
+  metadata {
+    name      = "${kubernetes_namespace.velero.*.metadata.0.name[count.index]}-allow-namespace"
+    namespace = kubernetes_namespace.velero.*.metadata.0.name[count.index]
+  }
+
+  spec {
+    pod_selector {
+    }
+
+    ingress {
+      from {
+        namespace_selector {
+          match_labels = {
+            name = kubernetes_namespace.velero.*.metadata.0.name[count.index]
+          }
+        }
+      }
+    }
+
+    policy_types = ["Ingress"]
+  }
+}
+
+resource "kubernetes_network_policy" "velero_allow_monitoring" {
+  count = local.velero["enabled"] && local.velero["default_network_policy"] ? 1 : 0
+
+  metadata {
+    name      = "${kubernetes_namespace.velero.*.metadata.0.name[count.index]}-allow-monitoring"
+    namespace = kubernetes_namespace.velero.*.metadata.0.name[count.index]
+  }
+
+  spec {
+    pod_selector {
+    }
+
+    ingress {
+      ports {
+        port     = "8085"
+        protocol = "TCP"
+      }
+
+      from {
+        namespace_selector {
+          match_labels = {
+            "${local.labels_prefix}/component" = "monitoring"
+          }
+        }
+      }
+    }
+
+    policy_types = ["Ingress"]
+  }
+}
+
+resource "kubernetes_manifest" "velero_snapshot_class" {
+  count = (local.velero["enabled"] && local.velero["create_snapshot_class"]) ? 1 : 0
+  manifest = {
+    apiVersion = "snapshot.storage.k8s.io/v1"
+    kind       = "VolumeSnapshotClass"
+    metadata = {
+      name = "default"
+      labels = {
+        "velero.io/csi-volumesnapshot-class" = "true"
+      }
+    }
+    driver         = "pd.csi.storage.gke.io"
+    deletionPolicy = "Delete"
+  }
+}

From 130533259e12abd46fb4236bc17da1e953ef248d Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Fri, 27 Sep 2024 00:44:02 +0000
Subject: [PATCH 09/10] feat(charts): update helm release loki to v6.15.0
 (#2992)

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
 helm-dependencies.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/helm-dependencies.yaml b/helm-dependencies.yaml
index 2c6697262..7995ca32d 100644
--- a/helm-dependencies.yaml
+++ b/helm-dependencies.yaml
@@ -72,7 +72,7 @@ dependencies:
     version: 30.12.11
     repository: https://helm.linkerd.io/stable
   - name: loki
-    version: 6.12.0
+    version: 6.15.0
     repository: https://grafana.github.io/helm-charts
   - name: promtail
     version: 6.16.6

From 56d5bdccdb7a0683586312f8862c8e2b9bf2adab Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Fri, 27 Sep 2024 10:40:29 +0200
Subject: [PATCH 10/10] feat(charts): update helm release kube-prometheus-stack
 to v63 (#2991)

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
 helm-dependencies.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/helm-dependencies.yaml b/helm-dependencies.yaml
index 7995ca32d..ef3de6d0d 100644
--- a/helm-dependencies.yaml
+++ b/helm-dependencies.yaml
@@ -57,7 +57,7 @@ dependencies:
     version: 2.42.0
     repository: https://charts.konghq.com
   - name: kube-prometheus-stack
-    version: 62.7.0
+    version: 63.0.0
     repository: https://prometheus-community.github.io/helm-charts
   - name: linkerd2-cni
     version: 30.12.2