FAForever · renovate · Apr 20, 2026 · May 4, 2026 · May 7, 2026 · May 9, 2026
diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml
@@ -21,6 +21,16 @@ jobs:
       - name: Create k8s Kind Cluster
         run: ctlptl create cluster kind --registry=ctlptl-registry
 
+      - name: Cache Helm Output
+        id: cache-helm-ooutput
+        uses: actions/cache@v5
+        with:
+          path: .helm-cache
+          key: ${{ github.ref_name }}
+          restore-keys: |
+            develop
+            ${{ github.base_ref }}
+
       - name: Test Using Local Config
         run: tilt ci --timeout "5m"
 

diff --git a/Tiltfile b/Tiltfile
@@ -8,6 +8,7 @@ config.define_string("faf-data-dir", args=False, usage="Directory where the FAF
 config.define_string("base-domain", args=False, usage="Base Domain to use for all faf services. Defaults to faforever.localhost")
 config.define_string_list("local-services", args=False, usage="Names of services that you intend to run locally")
 cfg = config.parse()
+is_ci = os.getenv("CI", False)
 windows_bash_path = cfg.get("windows-bash-path", "C:\\Program Files\\Git\\bin\\bash.exe")
 host_ip = cfg.get("host-ip", "")
 local_services = cfg.get("local-services", [])
@@ -102,18 +103,24 @@ def helm_with_build_cache(chart, namespace="", values=[], set=[], specifier = ""
     command.extend(value_flags)
     command.extend(set_flags)
     command.extend(["--set", "baseDomain=" + base_domain])
-
-    deps = [chart]
-    deps.extend(values)
-    agnostic_local_resource(name=chart_resource + "-helm", cmd=command, labels=["helm"], deps=deps, allow_parallel=True)
 
-    if not os.path.exists(cached_yaml):
+    if is_ci:
         agnostic_local(command)
+        objects = read_yaml_stream(cached_yaml)
+        if not objects:
+            fail("No objects found for chart " + chart)
+    else:
+        deps = [chart]
+        deps.extend(values)
+        agnostic_local_resource(name=chart_resource + "-helm", cmd=command, labels=["helm"], deps=deps, allow_parallel=True)
+
+        if not os.path.exists(cached_yaml):
+            agnostic_local(command)
 
-    objects = read_yaml_stream(cached_yaml)
-    if not objects:
-        agnostic_local(command)
         objects = read_yaml_stream(cached_yaml)
+        if not objects:
+            agnostic_local(command)
+            objects = read_yaml_stream(cached_yaml)
 
     watch_file(cached_yaml)
 
@@ -144,7 +151,7 @@ def helm_with_build_cache(chart, namespace="", values=[], set=[], specifier = ""
             entryPoints = spec["entryPoints"]
             if "websecure" in entryPoints:
                 entryPoints.append("web")
-        if containers or job_template_containers:
+        if not is_ci and (containers or job_template_containers):
             metadata = object["metadata"]
             if "annotations" not in metadata or not metadata["annotations"]:
                 metadata["annotations"] = {}
@@ -245,8 +252,9 @@ k8s_resource(new_name="namespaces", objects=["faf-infra:namespace", "faf-apps:na
 k8s_resource(new_name="clusterroles", objects=["read-cm-secrets:clusterrole"], labels=["core"])
 k8s_resource(new_name="init-apps", objects=["init-apps:serviceaccount:faf-infra", "init-apps:serviceaccount:faf-apps", "allow-init-apps-read-app-config-infra:rolebinding", "allow-init-apps-read-app-config-apps:rolebinding"], resource_deps=["clusterroles"], labels=["core"])
 
-k8s_yaml(helm_with_build_cache("disabled/reloader", namespace="faf-ops", values=["config/local.yaml"]))
-k8s_resource(workload="release-name-reloader", new_name="reloader", objects=["release-name-reloader:serviceaccount", "release-name-reloader-metadata-role:role", "release-name-reloader-role:clusterrole", "release-name-reloader-metadata-role-binding:rolebinding", "release-name-reloader-role-binding:clusterrolebinding"], resource_deps=["namespaces"], labels=["core"])
+if not is_ci:
+    k8s_yaml(helm_with_build_cache("disabled/reloader", namespace="faf-ops", values=["config/local.yaml"]))
+    k8s_resource(workload="release-name-reloader", new_name="reloader", objects=["release-name-reloader:serviceaccount", "release-name-reloader-metadata-role:role", "release-name-reloader-role:clusterrole", "release-name-reloader-metadata-role-binding:rolebinding", "release-name-reloader-role-binding:clusterrolebinding"], resource_deps=["namespaces"], labels=["core"])
 
 storage_yaml = helm_with_build_cache("cluster/storage", values=["config/local.yaml"], set=["dataPath="+data_absolute_path])
 storage_yaml = to_hostpath_storage(storage_yaml, use_named_volumes=use_named_volumes)
@@ -409,4 +417,4 @@ proxy_local_service_if_set(service_name="faf-ws-bridge", service_chart="apps/faf
 icebreaker_deps = ["faf-db-migrations", "ory-hydra"] + rabbitmq_setup_resources
 icebreaker_labels = ["api"]
 icebreaker_patch = {"HYDRA_URL": "http://ory-hydra:4444", "XIRSYS_ENABLED": "false", "XIRSYS_TURN_ENABLED": "false", "CLOUDFLARE_ENABLED": "false"}
-proxy_local_service_if_set(service_name="faf-icebreaker", service_chart="apps/faf-icebreaker", service_namespace="faf-apps", service_deps=icebreaker_deps, service_labels=icebreaker_labels, config_patch=icebreaker_patch)
+proxy_local_service_if_set(service_name="faf-icebreaker", service_chart="apps/faf-icebreaker", service_namespace="faf-apps", service_deps=icebreaker_deps, service_labels=icebreaker_labels, additional_values=["apps/faf-icebreaker/values-prod.yaml"], config_patch=icebreaker_patch)
diff --git a/apps/faf-icebreaker/templates/deployment.yaml b/apps/faf-icebreaker/templates/deployment.yaml
@@ -32,7 +32,7 @@ spec:
             - name: geolite-db
               mountPath: /usr/share/GeoIP
       containers:
-        - image: faforever/faf-icebreaker:1.1.9
+        - image: "faforever/faf-icebreaker:{{ .Values.image.tag }}"
           imagePullPolicy: Always
           name: faf-icebreaker
           envFrom:

diff --git a/apps/faf-icebreaker/values-prod.yaml b/apps/faf-icebreaker/values-prod.yaml
@@ -0,0 +1,2 @@
+image:
+  tag: 1.1.9
diff --git a/apps/faf-icebreaker/values-test.yaml b/apps/faf-icebreaker/values-test.yaml
@@ -0,0 +1,2 @@
+image:
+  tag: main
diff --git a/apps/faf-user-service/templates/ingress.yaml b/apps/faf-user-service/templates/ingress.yaml
@@ -1,3 +1,25 @@
+{{- if .Values.cors.enabled }}
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: faf-user-service-cors
+spec:
+  headers:
+    accessControlAllowMethods:
+      - "GET"
+      - "POST"
+      - "OPTIONS"
+    accessControlAllowHeaders:
+      - "Content-Type"
+      - "Authorization"
+      - "X-HMAC"
+    accessControlAllowOriginListRegex:
+      {{- toYaml .Values.cors.allowOriginListRegex | nindent 6 }}
+    accessControlAllowCredentials: true
+    accessControlMaxAge: 600
+    addVaryHeader: true
+---
+{{- end }}
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
@@ -11,3 +33,7 @@ spec:
       services:
         - name: faf-user-service
           port: 8080
+      {{- if .Values.cors.enabled }}
+      middlewares:
+        - name: faf-user-service-cors
+      {{- end }}
diff --git a/apps/faf-user-service/templates/local-secret.yaml b/apps/faf-user-service/templates/local-secret.yaml
@@ -11,4 +11,5 @@ stringData:
   JWT_HMAC_SECRET: "banana"
   LOBBY_SECRET: "banana"
   REPLAY_SECRET: "banana"
+  ALTCHA_HMAC_KEY: "bananabananabananabanana"
 {{- end}}
diff --git a/apps/faf-user-service/values-test.yaml b/apps/faf-user-service/values-test.yaml
@@ -0,0 +1,5 @@
+cors:
+  enabled: true
+  allowOriginListRegex:
+    - "^https?://localhost(:[0-9]+)?$"
+    - "^https?://127\\.0\\.0\\.1(:[0-9]+)?$"
diff --git a/apps/faf-user-service/values.yaml b/apps/faf-user-service/values.yaml
@@ -1,2 +1,5 @@
 infisical-secret:
   name: faf-user-service
+cors:
+  enabled: false
+  allowOriginListRegex: []
diff --git a/apps/ory-hydra/templates/ingress.yaml b/apps/ory-hydra/templates/ingress.yaml
@@ -1,3 +1,24 @@
+{{- if .Values.cors.enabled }}
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: ory-hydra-cors
+spec:
+  headers:
+    accessControlAllowMethods:
+      - "GET"
+      - "POST"
+      - "OPTIONS"
+    accessControlAllowHeaders:
+      - "Content-Type"
+      - "Authorization"
+      - "X-HMAC"
+    accessControlAllowOriginListRegex:
+      {{- toYaml .Values.cors.allowOriginListRegex | nindent 6 }}
+    accessControlMaxAge: 600
+    addVaryHeader: true
+---
+{{- end }}
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
@@ -11,3 +32,7 @@ spec:
       services:
         - name: ory-hydra
           port: 4444
+      {{- if .Values.cors.enabled }}
+      middlewares:
+        - name: ory-hydra-cors
+      {{- end }}
diff --git a/apps/ory-hydra/values-test.yaml b/apps/ory-hydra/values-test.yaml
@@ -0,0 +1,5 @@
+cors:
+  enabled: true
+  allowOriginListRegex:
+    - "^https?://localhost(:[0-9]+)?$"
+    - "^https?://127\\.0\\.0\\.1(:[0-9]+)?$"
diff --git a/apps/ory-hydra/values.yaml b/apps/ory-hydra/values.yaml
@@ -3,6 +3,9 @@ image:
   tag: "v25.4.0"
 infisical-secret:
   name: ory-hydra
+cors:
+  enabled: false
+  allowOriginListRegex: []
 clients:
   - name: "FAF Client"
     id: "2e8808cf-5889-469b-b2c3-01f0cc58c4af"

diff --git a/disabled/grafana-cloud/Chart.yaml b/disabled/grafana-cloud/Chart.yaml
@@ -3,5 +3,5 @@ name: grafana-cloud
 version: 1.0.0
 dependencies:
 - name: k8s-monitoring
-  version: 4.0.1
+  version: 4.1.1
   repository: https://grafana.github.io/helm-charts
diff --git a/ops/monitoring/Chart.yaml b/ops/monitoring/Chart.yaml
@@ -9,5 +9,5 @@ dependencies:
   version: 6.55.0
   repository: https://grafana.github.io/helm-charts
 - name: k8s-monitoring
-  version: 4.0.1
+  version: 4.1.1
   repository: https://grafana.github.io/helm-charts