fix: make cilium s3 policies global

apps/sys/values.yaml

@@ -0,0 +1,356 @@
+cluster_config:
+  manifests: https://gitlab.com/oceanbox/manifests.git
+  policies: policies/sys
+  resources: resources/sys
+  distro: "" #[nixos, talos]
+  env: "" #[dev, test, staging, prod]
+  initca: ""
+  domain: "itpartner.no"
+  apiserver: ""
+  apiserverip: ""
+  etcd_nodes: []
+  k8s_nodes: []
+  cluster: ""
+  ingress_nodes: []
+  ingress_replica_count: 3
+  fileserver: ""
+  acme_email: ""
+  nodenames: []
+  nodes: []
+  ingress_clusterissuer: "letsencrypt-production"
+  ingress_whitelist_ips:
+    - 10.0.0.0/8
+    - 172.16.0.0/12
+    - 192.168.0.0/16
+    - 172.19.255.0/24
+  external_kubectl_access:
+    enabled: false
+    admin_group: ""
+  external_access:
+    enabled: false
+    admin_group: ""
+    groups: []
+    #- group_id:
+    #    - "<group-id>"
+    #  name: <argocd project name>
+    #  namespaces:
+    #    - <namespaces access>
+  oidc: []
+  #- name: azure-oidc
+  #  provider: azuread
+  #  tenant: "https://login.microsoftonline.com/<tenant>/oauth2/v2.0"
+  #  secret_ref:
+  #    name: azure-oidc
+  #  group_id: "<group_id>"
+  #- name: github-oidc
+  #  provider: github
+  #  secret_ref:
+  #    name: github-oidc
+  #  allowed_organizations: <org>
+  #  allowed_teams: <team-id>
+argocd:
+  autosync: true
+  version: 7.5.2
+  ingress:
+    enabled: true
+  adminLogin: false
+  anyNamespaces:
+    enabled: false
+  kustomizeHelmSupport: false
+  applicationset_webhook:
+    enabled: false
+  additional_rbac_settings: []
+  resources:
+    controller:
+      memory: ""
+  repoServer:
+    cmp:
+      enabled: false
+      name: ""
+      image: ""
+      imagePullSecret: []
+      helmTokenSecret: ""
+argocd_apps:
+  autosync: true
+  version: 0.0.1
+argo_workflows:
+  enabled: false
+  autosync: true
+  version: 0.45.0
+  metrics:
+    enabled: false
+  allowed_namespaces: []
+argo_rollouts:
+  enabled: false
+  autosync: true
+  version: 2.35.2
+  metrics:
+    enabled: false
+  dashboard_enabled: false
+actions_runner_controller:
+  enabled: false
+  autosync: true
+  version: 0.23.7
+cilium:
+  enabled: false
+  autosync: true
+  version: 1.16.2
+  spire:
+    enabled: false
+  policyAuditMode: false
+  encryption:
+    enabled: true
+    type: ipsec
+  endpointStatus:
+    enabled: true
+  kubeProxyReplacement: false
+  k8sServiceHost: localhost
+  k8sServicePort: 7445
+  nodePort:
+    enabled: false
+  # NOTE: requires that ingressconroller is also enabled (bug)
+  gatewayAPI:
+    enabled: false
+  ingressController:
+    enabled: false
+    defaultClass: false
+    loadbalancerMode: shared
+  l2announcement:
+    enabled: false
+  k8sClientRateLimit:
+    qps: 10
+    burst: 3
+  loadbalancerPool:
+    enabled: false
+    cidr: []
+  envoy:
+    enabled: false
+  hubble:
+    ui: true
+  upgradeCompatability: ""
+linkerd:
+  enabled: true
+  autosync: true
+  version: 1.9.3
+  trustAnchorPEM: |
+    -----BEGIN CERTIFICATE-----
+    -----END CERTIFICATE-----
+  webhookPEM: |
+    -----BEGIN CERTIFICATE-----
+    -----END CERTIFICATE-----
+  identyIssuerPEM: ""
+  secretScheme: kubernetes.io/tls
+  crds:
+    version: 1.4.0
+  multicluster:
+    version: 30.2.0
+    enabled: false
+  viz:
+    enabled: false
+  jaeger:
+    enabled: false
+thanos:
+  enabled: false
+  autosync: true
+  version: 8.3.0
+  pagerdutyRoutingKey: ""
+prometheus:
+  enabled: true
+  autosync: true
+  version: 62.7.0
+  # Helm chart version, and app version is different. CRD version MUST be equals to chart's APP version
+  crd_version: 14.0.0
+  certRenewCronEnabled: true
+  snitchUrl: ""
+  oncallUrl: ""
+  pagerdutyRoutingKey: ""
+  fullname: ""
+  # https://github.com/prometheus-community/helm-charts/blob/main/charts/kube-prometheus-stack/values.yaml#L47
+  defaultRules: {}
+  additionalScrapeConfigs: []
+  additionalDataSources: []
+  enableFeatures: []
+  storage:
+    size: 50Gi
+  grafana:
+    defaultDashboardsEnabled: true
+    persistence: false
+    disable_login_form: true
+    plugins: []
+  coredns:
+    targetPort: ""
+  etcd:
+    targetPort: ""
+  scheduler:
+    targetPort: ""
+  kubelet:
+    enabled: false
+    https: false
+  thanos:
+    enabled: false
+    datasource:
+      enabled: false
+nfs_provisioner:
+  enabled: true
+  autosync: true
+  version: 4.0.13
+  archiveOnDelete: true
+  defaultClass: true
+  extraMountOpts: []
+cert_manager:
+  autosync: true
+  version: 1.12.13
+kubernetes_dashboard:
+  enabled: false
+  autosync: true
+  version: v2.3.1
+gitlab_runner:
+  enabled: true
+  autosync: true
+  version: 0.39.0
+  createCertSecret: true
+  tag: "obx"
+  s3:
+    server: ""
+    access_key: ""
+    secret_key: ""
+postgres_operator:
+  enabled: true
+  autosync: true
+  version: 0.18.2
+rabbitmq_operator:
+  enabled: false
+  autosync: true
+  version: 4.3.27
+metrics_server:
+  autosync: true
+  version: 3.8.2
+  ignoreTLS: false
+nginx:
+  enabled: true
+  autosync: true
+  version: 4.8.3
+  pdb:
+    minAvailable: 1
+  resources:
+    controller:
+      cpu: "100m"
+      memory: "100Mi"
+jaeger_operator:
+  enabled: false
+  autosync: true
+  version: 1.38.0
+kyverno:
+  enabled: false
+  autosync: true
+  metrics: false
+  version: 3.2.5
+  resources:
+    cleanupController:
+      memory: "64Mi"
+    reportsController:
+      memory: "64Mi"
+    backgroundController:
+      memory: "64Mi"
+velero:
+  enabled: true
+  autosync: true
+  version: 6.0.0
+  kubeletRootDir: "/var/lib/kubernetes/pods"
+  bucket: velero-backup
+  bsl: default
+  # Opt-in or opt-out pvc backup
+  # https://velero.io/docs/main/file-system-backup/#to-back-up
+  backupAllVolumes: true
+  credentials:
+    secretName: "s3-credentials"
+  s3:
+    region: us-east-1
+    url: "https://nutanix-obj-s3.kube-system"
+    insecureSkipTLSVerify: true
+  resources:
+    velero:
+      request:
+        cpu: 500m
+        memory: 1Gi
+      limit:
+        memory: 2Gi
+    nodeAgent:
+      request:
+        cpu: 500m
+        memory: 1Gi
+      limit:
+        memory: 2Gi
+loki:
+  enabled: false
+  autosync: true
+  version: 6.12.0
+  compactor: false
+  s3:
+    endpoint: ""
+    region: ""
+    insecure_skip_verify: false
+  secret:
+    name: ""
+    access_key: ""
+    access_secret: ""
+  buckets:
+    chunks: ""
+    ruler: ""
+    admin: ""
+tempo:
+  enabled: false
+  autosync: true
+  version: 1.14.0
+  s3:
+    endpoint: ""
+    region: ""
+    insecure_skip_verify: false
+  secret:
+    name: ""
+    access_key: ""
+    access_secret: ""
+  bucketName: ""
+otel:
+  enabled: false
+  autosync: true
+  version: 0.107.0
+promtail:
+  enabled: false
+  autosync: true
+  version: 6.6.1
+x509_exporter:
+  enabled: true
+  autosync: true
+  alerts: true
+  version: 3.6.0
+mariadb_operator:
+  enabled: false
+  autosync: true
+  version: 0.30.0
+chartmuseum:
+  enabled: false
+  autosync: true
+  version: 3.10.2
+  storage:
+    size: 8Gi
+  ingress:
+    enabled: true
+downscaler:
+  enabled: false
+  autosync: true
+  version: 0.2.12
+  extraConfig: |
+    DEFAULT_UPTIME: "Mon-Fri 07:00-20:00 Europe/Berlin"
+  excludedNamespaces:
+    - py-kube-downscaler
+    - kube-downscaler
+    - kube-system
+clickhouse_operator:
+  enabled: false
+  autosync: true
+  version: 0.24.4
+oncall:
+  enabled: false
+  externalGrafana:
+    url: ""