diff --git a/archmeister/review/appsettings.json b/archmeister/review/appsettings.json
deleted file mode 100644
index 71d81326..00000000
--- a/archmeister/review/appsettings.json
+++ /dev/null
@@ -1,43 +0,0 @@
-{
- "connString": "Username=app;Password=123;Host=x-review-archmeister-rw;Port=5432;Database=app;Pooling=true;",
- "oidc": {
- "issuer": "https://idp.oceanbox.io/dex",
- "authorization_endpoint": "https://idp.oceanbox.io/dex/auth",
- "token_endpoint": "https://idp.oceanbox.io/dex/token",
- "jwks_uri": "https://idp.oceanbox.io/dex/keys",
- "userinfo_endpoint": "https://idp.oceanbox.io/dex/userinfo",
- "device_authorization_endpoint": "https://idp.oceanbox.io/dex/device/code",
- "clientId": "archmeister_dev",
- "clientSecret": "Dae1eekeedeuKaoCiesh1Jei6aishe8I",
- "scopes": [
- "openid",
- "email",
- "offline_access",
- "profile"
- ]
- },
- "sso": {
- "cookieDomain": ".oceanbox.io",
- "signedOutRedirectUri": "https://idp.oceanbox.io/dex/static/logout.html",
- "redis": "redis-master,user=default,password=JICkoUKD0Y",
- "appDomain": "atlantis",
- "dataProtectionKeys": "DataProtection-Keys"
- },
- "allowedOrigins": [
- "https://beta.sorcerer.ekman.oceanbox.io",
- "https://sorcerer.ekman.oceanbox.io",
- "https://sorcerer.hpc.oceanbox.io",
- "https://s.local.oceanbox.io:8080",
- "https://maps.oceanbox.io",
- "https://atlantis.beta.oceanbox.io",
- "https://jonas-atlantis.beta.oceanbox.io",
- "https://stig-atlantis.beta.oceanbox.io",
- "https://simkir-atlantis.beta.oceanbox.io",
- "https://atlantis.local.oceanbox.io:8080"
- ],
- "logService" : "https://seq.oceanbox.io",
- "logApiKey": "WmZplDeFoxIHpJQ5BiDk",
- "cliUsers": [
- "admin:en-to-tre-fire"
- ]
-}
\ No newline at end of file
diff --git a/archmeister/review/cluster_patch.yaml b/archmeister/review/cluster_patch.yaml
deleted file mode 100644
index 094e74ed..00000000
--- a/archmeister/review/cluster_patch.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-- op: add
- path: /spec/bootstrap
- value:
- pg_basebackup:
- source: staging-archmeister
-- op: add
- path: /spec/externalClusters
- value:
- - name: staging-archmeister
- connectionParameters:
- host: staging-archmeister-rw.oceanbox
- user: streaming_replica
- sslmode: verify-full
- sslKey:
- name: staging-archmeister-replication
- key: tls.key
- sslCert:
- name: staging-archmeister-replication
- key: tls.crt
- sslRootCert:
- name: staging-archmeister-ca
- key: ca.crt
diff --git a/archmeister/review/deployment_patch.yaml b/archmeister/review/deployment_patch.yaml
deleted file mode 100644
index d1433fd4..00000000
--- a/archmeister/review/deployment_patch.yaml
+++ /dev/null
@@ -1,33 +0,0 @@
-- op: add
- path: /spec/template/metadata/annotations
- value:
- dapr.io/enabled: "true"
- dapr.io/app-id: "x-review-archmeister"
- dapr.io/app-port: "8000"
- dapr.io/config: "tracing"
-- op: replace
- path: /spec/template/spec/containers/0/env/0
- value:
- name: LOG_LEVEL
- value: "4"
-- op: add
- path: /spec/template/spec/containers/0/env/-
- value:
- name: DB_PASSWORD
- valueFrom:
- secretKeyRef:
- name: staging-archmeister-app
- key: password
-- op: add
- path: /spec/template/spec/containers/0/env/-
- value:
- name: DB_USERNAME
- valueFrom:
- secretKeyRef:
- name: staging-archmeister-app
- key: username
-- op: add
- path: /spec/template/spec/containers/0/env/-
- value:
- name: DB_HOST
- value: x-review-archmeister-rw
\ No newline at end of file
diff --git a/archmeister/review/kustomization.yaml b/archmeister/review/kustomization.yaml
deleted file mode 100644
index 91754e9f..00000000
--- a/archmeister/review/kustomization.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-namePrefix: x-review-
-generatorOptions:
- disableNameSuffixHash: true
-secretGenerator:
-- files:
- - appsettings.json
- name: archmeister-appsettings
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- ../base
-patches:
-- path: deployment_patch.yaml
- target:
- group: apps
- kind: Deployment
- name: archmeister
- version: v1
-- path: cluster_patch.yaml
- target:
- group: postgresql.cnpg.io
- kind: Cluster
- name: archmeister
- version: v1
diff --git a/atlantis-resources/atlantis-host-resources.yaml b/atlantis-resources/atlantis-host-resources.yaml
new file mode 100644
index 00000000..c484bfb6
--- /dev/null
+++ b/atlantis-resources/atlantis-host-resources.yaml
@@ -0,0 +1,15 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: atlantis-host-resrources
+ namespace: argocd
+spec:
+ project: atlantis
+ destination:
+ server: https://kubernetes.default.svc
+ # namespace:
+ source:
+ repoURL: https://gitlab.com/oceanbox/manifests.git
+ targetRevision: HEAD
+ path: atlantis-resources/host-manifests
+
diff --git a/atlantis-resources/atlantis-resources.yaml b/atlantis-resources/atlantis-resources.yaml
new file mode 100644
index 00000000..832cc500
--- /dev/null
+++ b/atlantis-resources/atlantis-resources.yaml
@@ -0,0 +1,25 @@
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+ name: atlantis-resources
+ namespace: argocd
+spec:
+ generators:
+ - list:
+ elements:
+ - cluster: https://kubernetes.default.svc
+ env: prod
+ - cluster: https://kubernetes.default.svc
+ env: staging
+ template:
+ metadata:
+ name: '{{ env }}-atlantis-resources'
+ spec:
+ project: atlantis
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: atlantis
+ sources:
+ - repoURL: https://gitlab.com/oceanbox/manifests.git
+ targetRevision: HEAD
+ path: atlantis-resources/manifests
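Review bot: `name: atlantis-host-resrources` in metadata is misspelled, and with `# namespace:` commented out the Application declares no destination namespace, so every manifest under atlantis-resources/host-manifests has to carry its own (allow-loft-analytics.yaml does; sync-atlantis-secrets.yaml is renamed into that directory without its content being shown here). Suggest `name: atlantis-host-resources` and either an explicit `namespace:` or a one-line comment stating that host manifests are intentionally namespace-qualified individually. There is also no `syncPolicy`, so this Application neither self-heals nor prunes; that may be deliberate for host-level resources but is worth stating in a comment.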
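Review bot: Both list elements carry the same `cluster` value and the template hard-codes `server: https://kubernetes.default.svc`, `namespace: atlantis` and `path: atlantis-resources/manifests`, so `prod-atlantis-resources` and `staging-atlantis-resources` will render identical objects into the same namespace and compete for ownership of them (Argo CD reports these as shared resources and each sync rewrites the other's tracking annotation). If two environments are really intended, make the render differ per element, for example `server: '{{ cluster }}'` with distinct cluster URLs, or a kustomize `namePrefix: '{{ env }}-'` as dex/manifests/config.yaml in this commit attempts; otherwise a single Application is simpler. As written the `cluster` element value is never referenced in the template.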
diff --git a/atlantis-resources/host-manifests/allow-loft-analytics.yaml b/atlantis-resources/host-manifests/allow-loft-analytics.yaml
new file mode 100644
index 00000000..9731785d
--- /dev/null
+++ b/atlantis-resources/host-manifests/allow-loft-analytics.yaml
@@ -0,0 +1,12 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-loft-analytics
+ namespace: atlantis
+spec:
+ egress:
+ - toFQDNs:
+ - matchName: analytics.loft.rocks
+ endpointSelector:
+ matchLabels:
+ app: vcluster
diff --git a/resources/sync-atlantis-secrets.yaml b/atlantis-resources/host-manifests/sync-atlantis-secrets.yaml
similarity index 100%
rename from resources/sync-atlantis-secrets.yaml
rename to atlantis-resources/host-manifests/sync-atlantis-secrets.yaml
diff --git a/resources/allow-atlantis-services.yaml b/atlantis-resources/manifests/allow-atlantis-services.yaml
similarity index 100%
rename from resources/allow-atlantis-services.yaml
rename to atlantis-resources/manifests/allow-atlantis-services.yaml
diff --git a/atlantis-resources/manifests/allow-external-s3.yaml b/atlantis-resources/manifests/allow-external-s3.yaml
new file mode 100644
index 00000000..3f1696f2
--- /dev/null
+++ b/atlantis-resources/manifests/allow-external-s3.yaml
@@ -0,0 +1,12 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-external-s3
+ namespace: atlantis
+spec:
+ egress:
+ - toFQDNs:
+ - matchName: s3.k1.itpartner.no
+ endpointSelector:
+ matchLabels: {}
+
diff --git a/atlantis-resources/manifests/allow-external-services.yaml b/atlantis-resources/manifests/allow-external-services.yaml
new file mode 100644
index 00000000..abc69ebe
--- /dev/null
+++ b/atlantis-resources/manifests/allow-external-services.yaml
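Review bot: The egress rule lets the `app: vcluster` endpoints reach analytics.loft.rocks on every port and protocol; add a `toPorts` entry limiting it to 443/TCP. `toFQDNs` only matches once the selected endpoints' DNS lookups pass through Cilium's DNS proxy, which requires a separate egress rule to the cluster DNS carrying a `rules: dns:` section; no such policy is in this commit, so confirm one already exists for namespace atlantis or the rule will not take effect. If the Loft analytics reporting is not needed at all, turning it off in the vcluster configuration avoids opening any egress for it.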
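Review bot: `endpointSelector: matchLabels: {}` selects every endpoint in namespace atlantis and the rule has no `toPorts`, so any pod in the namespace may reach s3.k1.itpartner.no on any port. Narrow the selector to the workloads that actually use the bucket and add `toPorts: - ports: - port: "443" protocol: TCP`; the target is an external object store, so HTTPS should be all that is needed. allow-external-services.yaml in this commit uses the same empty selector and the same remark applies there.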
@@ -0,0 +1,12 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-external-services
+spec:
+ egress:
+ - toFQDNs:
+ - matchName: gitlab.com
+ - matchPattern: '*.gitlab.com'
+ - matchName: api.github.com
+ endpointSelector:
+ matchLabels: {}
diff --git a/resources/dapr-tracing.yaml b/atlantis-resources/manifests/dapr-tracing.yaml
similarity index 90%
rename from resources/dapr-tracing.yaml
rename to atlantis-resources/manifests/dapr-tracing.yaml
index 27d43ce2..50aed714 100644
--- a/resources/dapr-tracing.yaml
+++ b/atlantis-resources/manifests/dapr-tracing.yaml
@@ -7,7 +7,7 @@ spec:
 ingress:
 enabled: false
 allInOne:
- image: jaegertracing/all-in-one:1.13
+ image: jaegertracing/all-in-one:1.22
 options:
 query:
 base-path: /jaeger
diff --git a/dex/application.yaml b/dex/application.yaml
index 732909f8..9c17a4e4 100644
--- a/dex/application.yaml
+++ b/dex/application.yaml
@@ -11,5 +11,5 @@ spec:
 source:
 repoURL: https://gitlab.com/oceanbox/manifests.git
 targetRevision: HEAD
- path: dex/app
+ path: dex/manifests
 
diff --git a/dex/config/config.yaml b/dex/config/config.yaml
new file mode 100644
index 00000000..db8ad17f
--- /dev/null
+++ b/dex/config/config.yaml
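Review bot: This policy has no `metadata.namespace`, unlike allow-external-s3.yaml and allow-loft-analytics.yaml in the same commit, so it lands wherever the syncing Application's destination namespace points (atlantis per atlantis-resources.yaml) and would silently move if that destination changed; add `namespace: atlantis`. `matchPattern: '*.gitlab.com'` together with `matchName: gitlab.com` and `api.github.com` opens every port on those hosts to all pods in the namespace (empty `matchLabels`); if this exists for HTTPS-based git and registry access, a `toPorts` entry for 443/TCP is sufficient and the selector should name the workloads that need it.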
@@ -0,0 +1,137 @@
+issuer: https://idp.oceanbox.io/dex
+storage:
+ type: postgres
+ config:
+ host: dexdb-rw
+ port: 5432
+ database: dex_db
+ user: dex
+ password: crafter keenness gilled sprinkled
+ ssl:
+ mode: disable
+web:
+ http: 127.0.0.1:5556
+telemetry:
+ http: 127.0.0.1:5558
+grpc:
+ addr: 127.0.0.1:5557
+frontend:
+ dir: /srv/dex/web
+ issuer: oceanbox
+ extra:
+ client_logo_url: "../theme/client-logo.png"
+# enablePasswordDB: true
+# staticPasswords:
+# - email: "admin@oceanbox.io"
+# hash: "$2y$12$2AUaWnDEpHxsfFyRzTwx8e8WtJtnhGJOujPjP3BXVVCJe3c.k2PjC"
+# username: "admin"
+# userID: "9a15441c-4d66-4b26-a0f6-4e619535ee8f"
+oauth2:
+ responseTypes: [ "code" ]
+ skipApprovalScreen: true
+ alwaysShowLoginScreen: false
+connectors:
+- type: microsoft
+ id: oceanbox
+ name: oceanbox.io
+ config:
+ clientID: 43667ac0-37e1-422f-99fc-50a699bb255c
+ clientSecret: p1c8Q~H5LsnhUzVGhHxVzqompiC7949QpIqJrcNB
+ tenant: 3f737008-e9a0-4485-9d27-40329d288089
+ redirectURI: https://idp.oceanbox.io/dex/callback
+ onlySecurityGroups: true
+ groups:
+ - atlantis
+- type: microsoft
+ id: salmar
+ name: salmar.no
+ config:
+ clientID: 3f6f1153-e5da-40eb-a2dd-ede6c7bf6058
+ clientSecret: rzC8Q~fc9ex6hBglFPAKCU4KJ1o82AQCQYdb~cI2
+ tenant: de10159d-2c09-4762-966c-e841d3391feb
+ redirectURI: https://idp.oceanbox.io/dex/callback
+ onlySecurityGroups: true
+ groups:
+ - Azure-Grp-App-Cloud-Oceanbox
+- type: microsoft
+ id: aqua-kompetanse
+ name: aqua-kompetanse.no
+ config:
+ clientID: 9fd83910-1a21-4869-8a30-19fc32722ee2
+ clientSecret: Uer8Q~8LKuDNQVt1vHaMVXAzKSLssvVduH.2HcNC
+ tenant: 6cd538cc-6cba-463f-9d22-1e0eda9695e3
+ redirectURI: https://idp.oceanbox.io/dex/callback
+ onlySecurityGroups: true
+ groups:
+ - Oceanbox
+- type: oidc
+ id: keycloak
+ name: default
+ config:
+ issuer: https://keycloak.dev.oceanbox.io/realms/Oceanbox
+ clientID: dex
+ clientSecret: 9c9LAMh7feQRNgHGYaUiASuZBd0JpQC4
+ redirectURI: https://idp.oceanbox.io/dex/callback
+ promptType: login
+staticClients:
+ - id: atlantis
+ redirectURIs:
+ - 'https://maps.oceanbox.io/signin-oidc'
+ - 'https://maps.relic.oceanbox.io/signin-oidc'
+ name: 'Atlantis'
+ secret: KOJ6bDHzE5vdyfSrzgwLjtM5PzA809Zm
+ - id: atlantis_dev
+ redirectURIs:
+ - 'https://atlantis.dev.oceanbox.io/signin-oidc'
+ - 'https://jonas-tilt-atlantis.dev.oceanbox.io/signin-oidc'
+ - 'https://stig-tilt-atlantis.dev.oceanbox.io/signin-oidc'
+ - 'https://simkir-tilt-atlantis.dev.oceanbox.io/signin-oidc'
+ - 'https://atlantis.local.oceanbox.io:8080/signin-oidc'
+ name: 'Atlantis dev'
+ secret: 3QjfSPmAemjn34XVA2o1fvoS7I4gKvOR
+ - id: petimeter
+ redirectURIs:
+ - 'https://petimeter.svc.oceanbox.io/signin-oidc'
+ name: 'Petimeter dev'
+ secret: kkrKo3mmmseMnorf9qw3eklefkoOKFNs
+ - id: petimeter_dev
+ redirectURIs:
+ - 'https://petimeter.dev.oceanbox.io/signin-oidc'
+ - 'https://jonas-tilt-petimeter.dev.oceanbox.io/signin-oidc'
+ - 'https://stig-tilt-petimeter.dev.oceanbox.io/signin-oidc'
+ - 'https://simkir-tilt-petimeter.dev.oceanbox.io/signin-oidc'
+ - 'https://petimeter.local.oceanbox.io:8080/signin-oidc'
+ name: 'Petimeter dev'
+ secret: kfngKJF9EKVBnnvgkdmPfs0qw3rmjslk
+ - id: sorcerer
+ redirectURIs:
+ - 'https://sorcerer.ekman.oceanbox.io/signin-oidc'
+ - 'https://sorcerer.hpc.oceanbox.io/signin-oidc'
+ name: 'Sorcerer'
+ secret: sIUXxSQLaTJiLCQ9AqBhmEbAL9lubHGB
+ - id: sorcerer_dev
+ redirectURIs:
+ - 'https://dev.sorcerer.ekman.oceanbox.io/signin-oidc'
+ - 'https://sorcerer.ekman.oceanbox.io/signin-oidc'
+ - 'https://sorcerer.hpc.oceanbox.io/signin-oidc'
+ - 'https://jonas-tilt-sorcerer.ekman.oceanbox.io/signin-oidc'
+ - 'https://simkir-tilt-sorcerer.ekman.oceanbox.io/signin-oidc'
+ - 'https://s.local.oceanbox.io:11080/signin-oidc'
+ - 'https://sorcerer.local.oceanbox.io:11080/signin-oidc'
+ name: 'Sorcerer dev'
+ secret: cyrgDr1UzhQrJn8nRVqEt9BJ9mLk3OBy
+ - id: archmeister
+ redirectURIs:
+ - 'https://archmeister.svc.oceanbox.io/signin-oidc'
+ name: 'Archmeister'
+ secret: ieK3yak9zoh3yeewee8quahY6seiv7Ro
+ - id: archmeister_dev
+ redirectURIs:
+ - 'https://archmeister.dev.oceanbox.io/signin-oidc'
+ - 'https://jonas-archmeister.dev.oceanbox.io/signin-oidc'
+ - 'https://simkir-archmeister.dev.oceanbox.io/signin-oidc'
+ - 'https://r.local.oceanbox.io:11080/signin-oidc'
+ - 'https://archmeister.local.oceanbox.io:9080/signin-oidc'
+ name: 'Archmeister dev'
+ secret: Dae1eekeedeuKaoCiesh1Jei6aishe8I
+
diff --git a/dex/config/kustomization.yaml b/dex/config/kustomization.yaml
new file mode 100644
index 00000000..78ba84b3
--- /dev/null
+++ b/dex/config/kustomization.yaml
@@ -0,0 +1,7 @@
+# namePrefix: staging-
+generatorOptions:
+ disableNameSuffixHash: true
+configmapGenerator:
+ - name: dex-config
+ files:
+ - config.yaml
diff --git a/dex/manifests/config.yaml b/dex/manifests/config.yaml
new file mode 100644
index 00000000..12cd9f72
--- /dev/null
+++ b/dex/manifests/config.yaml
@@ -0,0 +1,27 @@
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+ name: dex
+ namespace: argocd
+spec:
+ generators:
+ - list:
+ elements:
+ - cluster: https://kubernetes.default.svc
+ env: prod
+ - cluster: https://kubernetes.default.svc
+ env: staging
+ template:
+ metadata:
+ name: '{{ env }}-dex-config'
+ spec:
+ project: atlantis
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: idp
+ sources:
+ - repoURL: https://gitlab.com/oceanbox/manifests.git
+ targetRevision: HEAD
+ path: dex/config
+ kustomization:
+ namePrefix: '{{ env }}-'
diff --git a/dex/app/dex.yaml b/dex/manifests/dex.yaml
similarity index 100%
rename from dex/app/dex.yaml
rename to dex/manifests/dex.yaml
diff --git a/dex/app/resources.yaml b/dex/manifests/resources.yaml
similarity index 100%
rename from dex/app/resources.yaml
rename to dex/manifests/resources.yaml
diff --git a/dex/resources/cnp.yaml b/dex/resources/allow-dex-external-access.yaml
similarity index 100%
rename from dex/resources/cnp.yaml
rename to dex/resources/allow-dex-external-access.yaml
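Review bot: dex/config/config.yaml holds the `password` for the dexdb connection, a `clientSecret` for each of the four connectors and a `secret` for every static client in plaintext, and dex/config/kustomization.yaml feeds that file through `configmapGenerator`, whereas the same content previously lived in a `kind: Secret` (dex/resources/dex-config.yaml, deleted in this commit). A ConfigMap is not covered by Secret-specific RBAC or encryption-at-rest settings, so this change widens who can read the IdP's credentials. Keep the file out of the repository and produce it with `secretGenerator` (or an external/sealed secret), and reference the individual values through dex's `$VAR` environment expansion rather than literals. Separately, `ssl: mode: disable` on the Postgres connection, the production `petimeter` client named `'Petimeter dev'`, and `sorcerer_dev` listing the production `sorcerer.ekman.oceanbox.io` redirect URI look like copy-paste leftovers worth checking. Credentials that have been committed should be rotated regardless of where they are moved.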
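Review bot: `kustomization:` under the `sources` entry is not an Argo CD source field; kustomize options live under `kustomize:` (`kustomize: namePrefix: '{{ env }}-'`), so the key will be pruned or rejected by the ApplicationSet schema and both generated Applications will produce the same `dex-config` ConfigMap in namespace idp, with `# namePrefix: staging-` in dex/config/kustomization.yaml commented out as well. Even with the key fixed, both elements point at `https://kubernetes.default.svc` and the same `dex/config` path, so prod and staging would render identical config (same issuer, same dexdb-rw host) under different names; if the environments are meant to differ, give them separate config sources. An ApplicationSet named `dex` next to the `dex` Application in dex/application.yaml is easy to confuse; `dex-config` would match the generated names.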
diff --git a/dex/resources/dex-config.yaml b/dex/resources/dex-config.yaml
deleted file mode 100644
index e24b7daa..00000000
--- a/dex/resources/dex-config.yaml
+++ /dev/null
@@ -1,144 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
- name: dex-config
-type: Opaque
-stringData:
- config.yaml: |
- issuer: https://idp.oceanbox.io/dex
- storage:
- type: postgres
- config:
- host: dexdb-rw
- port: 5432
- database: dex_db
- user: dex
- password: crafter keenness gilled sprinkled
- ssl:
- mode: disable
- web:
- http: 127.0.0.1:5556
- telemetry:
- http: 127.0.0.1:5558
- grpc:
- addr: 127.0.0.1:5557
- frontend:
- dir: /srv/dex/web
- issuer: oceanbox
- extra:
- client_logo_url: "../theme/client-logo.png"
- # enablePasswordDB: true
- # staticPasswords:
- # - email: "admin@oceanbox.io"
- # hash: "$2y$12$2AUaWnDEpHxsfFyRzTwx8e8WtJtnhGJOujPjP3BXVVCJe3c.k2PjC"
- # username: "admin"
- # userID: "9a15441c-4d66-4b26-a0f6-4e619535ee8f"
- oauth2:
- responseTypes: [ "code" ]
- skipApprovalScreen: true
- alwaysShowLoginScreen: false
- connectors:
- - type: microsoft
- id: oceanbox
- name: oceanbox.io
- config:
- clientID: 43667ac0-37e1-422f-99fc-50a699bb255c
- clientSecret: p1c8Q~H5LsnhUzVGhHxVzqompiC7949QpIqJrcNB
- tenant: 3f737008-e9a0-4485-9d27-40329d288089
- redirectURI: https://idp.oceanbox.io/dex/callback
- onlySecurityGroups: true
- groups:
- - atlantis
- - type: microsoft
- id: salmar
- name: salmar.no
- config:
- clientID: 3f6f1153-e5da-40eb-a2dd-ede6c7bf6058
- clientSecret: rzC8Q~fc9ex6hBglFPAKCU4KJ1o82AQCQYdb~cI2
- tenant: de10159d-2c09-4762-966c-e841d3391feb
- redirectURI: https://idp.oceanbox.io/dex/callback
- onlySecurityGroups: true
- groups:
- - Azure-Grp-App-Cloud-Oceanbox
- - type: microsoft
- id: aqua-kompetanse
- name: aqua-kompetanse.no
- config:
- clientID: 9fd83910-1a21-4869-8a30-19fc32722ee2
- clientSecret: Uer8Q~8LKuDNQVt1vHaMVXAzKSLssvVduH.2HcNC
- tenant: 6cd538cc-6cba-463f-9d22-1e0eda9695e3
- redirectURI: https://idp.oceanbox.io/dex/callback
- onlySecurityGroups: true
- groups:
- - Oceanbox
- - type: oidc
- id: keycloak
- name: default
- config:
- issuer: https://keycloak.dev.oceanbox.io/realms/Oceanbox
- clientID: dex
- clientSecret: 9c9LAMh7feQRNgHGYaUiASuZBd0JpQC4
- redirectURI: https://idp.oceanbox.io/dex/callback
- promptType: login
- staticClients:
- - id: atlantis
- redirectURIs:
- - 'https://maps.oceanbox.io/signin-oidc'
- - 'https://maps.relic.oceanbox.io/signin-oidc'
- name: 'Atlantis'
- secret: KOJ6bDHzE5vdyfSrzgwLjtM5PzA809Zm
- - id: atlantis_dev
- redirectURIs:
- - 'https://atlantis.dev.oceanbox.io/signin-oidc'
- - 'https://jonas-tilt-atlantis.dev.oceanbox.io/signin-oidc'
- - 'https://stig-tilt-atlantis.dev.oceanbox.io/signin-oidc'
- - 'https://simkir-tilt-atlantis.dev.oceanbox.io/signin-oidc'
- - 'https://atlantis.local.oceanbox.io:8080/signin-oidc'
- name: 'Atlantis dev'
- secret: 3QjfSPmAemjn34XVA2o1fvoS7I4gKvOR
- - id: petimeter
- redirectURIs:
- - 'https://petimeter.svc.oceanbox.io/signin-oidc'
- name: 'Petimeter dev'
- secret: kkrKo3mmmseMnorf9qw3eklefkoOKFNs
- - id: petimeter_dev
- redirectURIs:
- - 'https://petimeter.dev.oceanbox.io/signin-oidc'
- - 'https://jonas-tilt-petimeter.dev.oceanbox.io/signin-oidc'
- - 'https://stig-tilt-petimeter.dev.oceanbox.io/signin-oidc'
- - 'https://simkir-tilt-petimeter.dev.oceanbox.io/signin-oidc'
- - 'https://petimeter.local.oceanbox.io:8080/signin-oidc'
- name: 'Petimeter dev'
- secret: kfngKJF9EKVBnnvgkdmPfs0qw3rmjslk
- - id: sorcerer
- redirectURIs:
- - 'https://sorcerer.ekman.oceanbox.io/signin-oidc'
- - 'https://sorcerer.hpc.oceanbox.io/signin-oidc'
- name: 'Sorcerer'
- secret: sIUXxSQLaTJiLCQ9AqBhmEbAL9lubHGB
- - id: sorcerer_dev
- redirectURIs:
- - 'https://dev.sorcerer.ekman.oceanbox.io/signin-oidc'
- - 'https://sorcerer.ekman.oceanbox.io/signin-oidc'
- - 'https://sorcerer.hpc.oceanbox.io/signin-oidc'
- - 'https://jonas-tilt-sorcerer.ekman.oceanbox.io/signin-oidc'
- - 'https://simkir-tilt-sorcerer.ekman.oceanbox.io/signin-oidc'
- - 'https://s.local.oceanbox.io:11080/signin-oidc'
- - 'https://sorcerer.local.oceanbox.io:11080/signin-oidc'
- name: 'Sorcerer dev'
- secret: cyrgDr1UzhQrJn8nRVqEt9BJ9mLk3OBy
- - id: archmeister
- redirectURIs:
- - 'https://archmeister.svc.oceanbox.io/signin-oidc'
- name: 'Archmeister'
- secret: ieK3yak9zoh3yeewee8quahY6seiv7Ro
- - id: archmeister_dev
- redirectURIs:
- - 'https://archmeister.dev.oceanbox.io/signin-oidc'
- - 'https://jonas-archmeister.dev.oceanbox.io/signin-oidc'
- - 'https://simkir-archmeister.dev.oceanbox.io/signin-oidc'
- - 'https://r.local.oceanbox.io:11080/signin-oidc'
- - 'https://archmeister.local.oceanbox.io:9080/signin-oidc'
- name: 'Archmeister dev'
- secret: Dae1eekeedeuKaoCiesh1Jei6aishe8I
-
diff --git a/dex/resources/cluster.yaml b/dex/resources/dexdb-cluster.yaml
similarity index 100%
rename from dex/resources/cluster.yaml
rename to dex/resources/dexdb-cluster.yaml