refactor: refactor and gitopify

archmeister/review/appsettings.json

@@ -1,43 +0,0 @@
-{
-    "connString": "Username=app;Password=123;Host=x-review-archmeister-rw;Port=5432;Database=app;Pooling=true;",
-    "oidc": {
-        "issuer": "https://idp.oceanbox.io/dex",
-        "authorization_endpoint": "https://idp.oceanbox.io/dex/auth",
-        "token_endpoint": "https://idp.oceanbox.io/dex/token",
-        "jwks_uri": "https://idp.oceanbox.io/dex/keys",
-        "userinfo_endpoint": "https://idp.oceanbox.io/dex/userinfo",
-        "device_authorization_endpoint": "https://idp.oceanbox.io/dex/device/code",
-        "clientId": "archmeister_dev",
-        "clientSecret": "Dae1eekeedeuKaoCiesh1Jei6aishe8I",
-        "scopes": [
-            "openid",
-            "email",
-            "offline_access",
-            "profile"
-        ]
-    },
-    "sso": {
-        "cookieDomain": ".oceanbox.io",
-        "signedOutRedirectUri": "https://idp.oceanbox.io/dex/static/logout.html",
-        "redis": "redis-master,user=default,password=JICkoUKD0Y",
-        "appDomain": "atlantis",
-        "dataProtectionKeys": "DataProtection-Keys"
-    },
-    "allowedOrigins": [
-        "https://beta.sorcerer.ekman.oceanbox.io",
-        "https://sorcerer.ekman.oceanbox.io",
-        "https://sorcerer.hpc.oceanbox.io",
-        "https://s.local.oceanbox.io:8080",
-        "https://maps.oceanbox.io",
-        "https://atlantis.beta.oceanbox.io",
-        "https://jonas-atlantis.beta.oceanbox.io",
-        "https://stig-atlantis.beta.oceanbox.io",
-        "https://simkir-atlantis.beta.oceanbox.io",
-        "https://atlantis.local.oceanbox.io:8080"
-    ],
-    "logService" : "https://seq.oceanbox.io",
-    "logApiKey": "WmZplDeFoxIHpJQ5BiDk",
-    "cliUsers": [
-        "admin:en-to-tre-fire"
-    ]
-}

archmeister/review/cluster_patch.yaml

@@ -1,22 +0,0 @@
-- op: add
-  path: /spec/bootstrap
-  value:
-    pg_basebackup:
-      source: staging-archmeister
-- op: add
-  path: /spec/externalClusters
-  value:
-    - name: staging-archmeister
-      connectionParameters:
-        host: staging-archmeister-rw.oceanbox
-        user: streaming_replica
-        sslmode: verify-full
-      sslKey:
-        name: staging-archmeister-replication
-        key: tls.key
-      sslCert:
-        name: staging-archmeister-replication
-        key: tls.crt
-      sslRootCert:
-        name: staging-archmeister-ca
-        key: ca.crt

archmeister/review/deployment_patch.yaml

@@ -1,33 +0,0 @@
-- op: add
-  path: /spec/template/metadata/annotations
-  value:
-    dapr.io/enabled: "true"
-    dapr.io/app-id: "x-review-archmeister"
-    dapr.io/app-port: "8000"
-    dapr.io/config: "tracing"
-- op: replace
-  path: /spec/template/spec/containers/0/env/0
-  value:
-    name: LOG_LEVEL
-    value: "4"
-- op: add
-  path: /spec/template/spec/containers/0/env/-
-  value:
-    name: DB_PASSWORD
-    valueFrom:
-      secretKeyRef:
-        name: staging-archmeister-app
-        key: password
-- op: add
-  path: /spec/template/spec/containers/0/env/-
-  value:
-    name: DB_USERNAME
-    valueFrom:
-      secretKeyRef:
-        name: staging-archmeister-app
-        key: username
-- op: add
-  path: /spec/template/spec/containers/0/env/-
-  value:
-    name: DB_HOST
-    value: x-review-archmeister-rw

archmeister/review/kustomization.yaml

@@ -1,24 +0,0 @@
-namePrefix: x-review-
-generatorOptions:
-  disableNameSuffixHash: true
-secretGenerator:
-- files:
-  - appsettings.json
-  name: archmeister-appsettings
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- ../base
-patches:
-- path: deployment_patch.yaml
-  target:
-    group: apps
-    kind: Deployment
-    name: archmeister
-    version: v1
-- path: cluster_patch.yaml
-  target:
-    group: postgresql.cnpg.io
-    kind: Cluster
-    name: archmeister
-    version: v1

atlantis-resources/atlantis-host-resources.yaml

@@ -0,0 +1,15 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: atlantis-host-resrources
+  namespace: argocd
+spec:
+  project: atlantis
+  destination:
+    server: https://kubernetes.default.svc
+    # namespace:
+  source:
+    repoURL: https://gitlab.com/oceanbox/manifests.git
+    targetRevision: HEAD
+    path: atlantis-resources/host-manifests
+

atlantis-resources/atlantis-resources.yaml

@@ -0,0 +1,25 @@
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: atlantis-resources
+  namespace: argocd
+spec:
+  generators:
+  - list:
+      elements:
+      - cluster: https://kubernetes.default.svc
+        env: prod
+      - cluster: https://kubernetes.default.svc
+        env: staging
+  template:
+    metadata:
+      name: '{{ env }}-atlantis-resources'
+    spec:
+      project: atlantis
+      destination:
+        server: https://kubernetes.default.svc
+        namespace: atlantis
+      sources:
+      - repoURL: https://gitlab.com/oceanbox/manifests.git
+        targetRevision: HEAD
+        path: atlantis-resources/manifests

atlantis-resources/host-manifests/allow-loft-analytics.yaml

@@ -0,0 +1,12 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-loft-analytics
+  namespace: atlantis
+spec:
+  egress:
+  - toFQDNs:
+    - matchName: analytics.loft.rocks
+  endpointSelector:
+    matchLabels:
+      app: vcluster

atlantis-resources/manifests/allow-external-s3.yaml

@@ -0,0 +1,12 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-external-s3
+  namespace: atlantis
+spec:
+  egress:
+  - toFQDNs:
+    - matchName: s3.k1.itpartner.no
+  endpointSelector:
+    matchLabels: {}
+

atlantis-resources/manifests/allow-external-services.yaml

@@ -0,0 +1,12 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-external-services
+spec:
+  egress:
+  - toFQDNs:
+    - matchName: gitlab.com
+    - matchPattern: '*.gitlab.com'
+    - matchName: api.github.com
+  endpointSelector:
+    matchLabels: {}

atlantis-resources/manifests/dapr-tracing.yaml

@@ -7,7 +7,7 @@ spec:
   ingress:
     enabled: false
   allInOne:
-    image: jaegertracing/all-in-one:1.13
+    image: jaegertracing/all-in-one:1.22
     options:
       query:
         base-path: /jaeger

dex/application.yaml

@@ -11,5 +11,5 @@ spec:
   source:
     repoURL: https://gitlab.com/oceanbox/manifests.git
     targetRevision: HEAD
-    path: dex/app
+    path: dex/manifests
 

dex/config/config.yaml

@@ -0,0 +1,137 @@
+issuer: https://idp.oceanbox.io/dex
+storage:
+  type: postgres
+  config:
+    host: dexdb-rw
+    port: 5432
+    database: dex_db
+    user: dex
+    password: crafter keenness gilled sprinkled
+    ssl:
+      mode: disable
+web:
+  http: 127.0.0.1:5556
+telemetry:
+  http: 127.0.0.1:5558
+grpc:
+  addr: 127.0.0.1:5557
+frontend:
+  dir: /srv/dex/web
+  issuer: oceanbox
+  extra:
+    client_logo_url: "../theme/client-logo.png"
+# enablePasswordDB: true
+# staticPasswords:
+#   - email: "admin@oceanbox.io"
+#     hash: "$2y$12$2AUaWnDEpHxsfFyRzTwx8e8WtJtnhGJOujPjP3BXVVCJe3c.k2PjC"
+#     username: "admin"
+#     userID: "9a15441c-4d66-4b26-a0f6-4e619535ee8f"
+oauth2:
+  responseTypes: [ "code" ]
+  skipApprovalScreen: true
+  alwaysShowLoginScreen: false
+connectors:
+- type: microsoft
+  id: oceanbox
+  name: oceanbox.io
+  config:
+    clientID: 43667ac0-37e1-422f-99fc-50a699bb255c
+    clientSecret: p1c8Q~H5LsnhUzVGhHxVzqompiC7949QpIqJrcNB
+    tenant: 3f737008-e9a0-4485-9d27-40329d288089
+    redirectURI: https://idp.oceanbox.io/dex/callback
+    onlySecurityGroups: true
+    groups:
+      - atlantis
+- type: microsoft
+  id: salmar
+  name: salmar.no
+  config:
+    clientID: 3f6f1153-e5da-40eb-a2dd-ede6c7bf6058
+    clientSecret: rzC8Q~fc9ex6hBglFPAKCU4KJ1o82AQCQYdb~cI2
+    tenant: de10159d-2c09-4762-966c-e841d3391feb
+    redirectURI: https://idp.oceanbox.io/dex/callback
+    onlySecurityGroups: true
+    groups:
+      - Azure-Grp-App-Cloud-Oceanbox
+- type: microsoft
+  id: aqua-kompetanse
+  name: aqua-kompetanse.no
+  config:
+    clientID: 9fd83910-1a21-4869-8a30-19fc32722ee2
+    clientSecret: Uer8Q~8LKuDNQVt1vHaMVXAzKSLssvVduH.2HcNC
+    tenant: 6cd538cc-6cba-463f-9d22-1e0eda9695e3
+    redirectURI: https://idp.oceanbox.io/dex/callback
+    onlySecurityGroups: true
+    groups:
+      - Oceanbox
+- type: oidc
+  id: keycloak
+  name: default
+  config:
+    issuer: https://keycloak.dev.oceanbox.io/realms/Oceanbox
+    clientID: dex
+    clientSecret: 9c9LAMh7feQRNgHGYaUiASuZBd0JpQC4
+    redirectURI: https://idp.oceanbox.io/dex/callback
+    promptType: login
+staticClients:
+  - id: atlantis
+    redirectURIs:
+      - 'https://maps.oceanbox.io/signin-oidc'
+      - 'https://maps.relic.oceanbox.io/signin-oidc'
+    name: 'Atlantis'
+    secret: KOJ6bDHzE5vdyfSrzgwLjtM5PzA809Zm
+  - id: atlantis_dev
+    redirectURIs:
+      - 'https://atlantis.dev.oceanbox.io/signin-oidc'
+      - 'https://jonas-tilt-atlantis.dev.oceanbox.io/signin-oidc'
+      - 'https://stig-tilt-atlantis.dev.oceanbox.io/signin-oidc'
+      - 'https://simkir-tilt-atlantis.dev.oceanbox.io/signin-oidc'
+      - 'https://atlantis.local.oceanbox.io:8080/signin-oidc'
+    name: 'Atlantis dev'
+    secret: 3QjfSPmAemjn34XVA2o1fvoS7I4gKvOR
+  - id: petimeter
+    redirectURIs:
+      - 'https://petimeter.svc.oceanbox.io/signin-oidc'
+    name: 'Petimeter dev'
+    secret: kkrKo3mmmseMnorf9qw3eklefkoOKFNs
+  - id: petimeter_dev
+    redirectURIs:
+      - 'https://petimeter.dev.oceanbox.io/signin-oidc'
+      - 'https://jonas-tilt-petimeter.dev.oceanbox.io/signin-oidc'
+      - 'https://stig-tilt-petimeter.dev.oceanbox.io/signin-oidc'
+      - 'https://simkir-tilt-petimeter.dev.oceanbox.io/signin-oidc'
+      - 'https://petimeter.local.oceanbox.io:8080/signin-oidc'
+    name: 'Petimeter dev'
+    secret: kfngKJF9EKVBnnvgkdmPfs0qw3rmjslk
+  - id: sorcerer
+    redirectURIs:
+      - 'https://sorcerer.ekman.oceanbox.io/signin-oidc'
+      - 'https://sorcerer.hpc.oceanbox.io/signin-oidc'
+    name: 'Sorcerer'
+    secret: sIUXxSQLaTJiLCQ9AqBhmEbAL9lubHGB
+  - id: sorcerer_dev
+    redirectURIs:
+      - 'https://dev.sorcerer.ekman.oceanbox.io/signin-oidc'
+      - 'https://sorcerer.ekman.oceanbox.io/signin-oidc'
+      - 'https://sorcerer.hpc.oceanbox.io/signin-oidc'
+      - 'https://jonas-tilt-sorcerer.ekman.oceanbox.io/signin-oidc'
+      - 'https://simkir-tilt-sorcerer.ekman.oceanbox.io/signin-oidc'
+      - 'https://s.local.oceanbox.io:11080/signin-oidc'
+      - 'https://sorcerer.local.oceanbox.io:11080/signin-oidc'
+    name: 'Sorcerer dev'
+    secret: cyrgDr1UzhQrJn8nRVqEt9BJ9mLk3OBy
+  - id: archmeister
+    redirectURIs:
+      - 'https://archmeister.svc.oceanbox.io/signin-oidc'
+    name: 'Archmeister'
+    secret: ieK3yak9zoh3yeewee8quahY6seiv7Ro
+  - id: archmeister_dev
+    redirectURIs:
+      - 'https://archmeister.dev.oceanbox.io/signin-oidc'
+      - 'https://jonas-archmeister.dev.oceanbox.io/signin-oidc'
+      - 'https://simkir-archmeister.dev.oceanbox.io/signin-oidc'
+      - 'https://r.local.oceanbox.io:11080/signin-oidc'
+      - 'https://archmeister.local.oceanbox.io:9080/signin-oidc'
+    name: 'Archmeister dev'
+    secret: Dae1eekeedeuKaoCiesh1Jei6aishe8I
+

dex/config/kustomization.yaml

@@ -0,0 +1,7 @@
+# namePrefix: staging-
+generatorOptions:
+  disableNameSuffixHash: true
+configmapGenerator:
+  - name: dex-config
+    files:
+      - config.yaml

dex/manifests/config.yaml

@@ -0,0 +1,27 @@
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: dex
+  namespace: argocd
+spec:
+  generators:
+  - list:
+      elements:
+      - cluster: https://kubernetes.default.svc
+        env: prod
+      - cluster: https://kubernetes.default.svc
+        env: staging
+  template:
+    metadata:
+      name: '{{ env }}-dex-config'
+    spec:
+      project: atlantis
+      destination:
+        server: https://kubernetes.default.svc
+        namespace: idp
+      sources:
+      - repoURL: https://gitlab.com/oceanbox/manifests.git
+        targetRevision: HEAD
+        path: dex/config
+      kustomization:
+        namePrefix: '{{ env }}-'

dex/resources/dex-config.yaml

@@ -1,144 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-  name: dex-config
-type: Opaque
-stringData:
-  config.yaml: |
-    issuer: https://idp.oceanbox.io/dex
-    storage:
-      type: postgres
-      config:
-        host: dexdb-rw
-        port: 5432
-        database: dex_db
-        user: dex
-        password: crafter keenness gilled sprinkled
-        ssl:
-          mode: disable
-    web:
-      http: 127.0.0.1:5556
-    telemetry:
-      http: 127.0.0.1:5558
-    grpc:
-      addr: 127.0.0.1:5557
-    frontend:
-      dir: /srv/dex/web
-      issuer: oceanbox
-      extra:
-        client_logo_url: "../theme/client-logo.png"
-    # enablePasswordDB: true
-    # staticPasswords:
-    #   - email: "admin@oceanbox.io"
-    #     hash: "$2y$12$2AUaWnDEpHxsfFyRzTwx8e8WtJtnhGJOujPjP3BXVVCJe3c.k2PjC"
-    #     username: "admin"
-    #     userID: "9a15441c-4d66-4b26-a0f6-4e619535ee8f"
-    oauth2:
-      responseTypes: [ "code" ]
-      skipApprovalScreen: true
-      alwaysShowLoginScreen: false
-    connectors:
-    - type: microsoft
-      id: oceanbox
-      name: oceanbox.io
-      config:
-        clientID: 43667ac0-37e1-422f-99fc-50a699bb255c
-        clientSecret: p1c8Q~H5LsnhUzVGhHxVzqompiC7949QpIqJrcNB
-        tenant: 3f737008-e9a0-4485-9d27-40329d288089
-        redirectURI: https://idp.oceanbox.io/dex/callback
-        onlySecurityGroups: true
-        groups:
-          - atlantis
-    - type: microsoft
-      id: salmar
-      name: salmar.no
-      config:
-        clientID: 3f6f1153-e5da-40eb-a2dd-ede6c7bf6058
-        clientSecret: rzC8Q~fc9ex6hBglFPAKCU4KJ1o82AQCQYdb~cI2
-        tenant: de10159d-2c09-4762-966c-e841d3391feb
-        redirectURI: https://idp.oceanbox.io/dex/callback
-        onlySecurityGroups: true
-        groups:
-          - Azure-Grp-App-Cloud-Oceanbox
-    - type: microsoft
-      id: aqua-kompetanse
-      name: aqua-kompetanse.no
-      config:
-        clientID: 9fd83910-1a21-4869-8a30-19fc32722ee2
-        clientSecret: Uer8Q~8LKuDNQVt1vHaMVXAzKSLssvVduH.2HcNC
-        tenant: 6cd538cc-6cba-463f-9d22-1e0eda9695e3
-        redirectURI: https://idp.oceanbox.io/dex/callback
-        onlySecurityGroups: true
-        groups:
-          - Oceanbox
-    - type: oidc
-      id: keycloak
-      name: default
-      config:
-        issuer: https://keycloak.dev.oceanbox.io/realms/Oceanbox
-        clientID: dex
-        clientSecret: 9c9LAMh7feQRNgHGYaUiASuZBd0JpQC4
-        redirectURI: https://idp.oceanbox.io/dex/callback
-        promptType: login
-    staticClients:
-      - id: atlantis
-        redirectURIs:
-          - 'https://maps.oceanbox.io/signin-oidc'
-          - 'https://maps.relic.oceanbox.io/signin-oidc'
-        name: 'Atlantis'
-        secret: KOJ6bDHzE5vdyfSrzgwLjtM5PzA809Zm
-      - id: atlantis_dev
-        redirectURIs:
-          - 'https://atlantis.dev.oceanbox.io/signin-oidc'
-          - 'https://jonas-tilt-atlantis.dev.oceanbox.io/signin-oidc'
-          - 'https://stig-tilt-atlantis.dev.oceanbox.io/signin-oidc'
-          - 'https://simkir-tilt-atlantis.dev.oceanbox.io/signin-oidc'
-          - 'https://atlantis.local.oceanbox.io:8080/signin-oidc'
-        name: 'Atlantis dev'
-        secret: 3QjfSPmAemjn34XVA2o1fvoS7I4gKvOR
-      - id: petimeter
-        redirectURIs:
-          - 'https://petimeter.svc.oceanbox.io/signin-oidc'
-        name: 'Petimeter dev'
-        secret: kkrKo3mmmseMnorf9qw3eklefkoOKFNs
-      - id: petimeter_dev
-        redirectURIs:
-          - 'https://petimeter.dev.oceanbox.io/signin-oidc'
-          - 'https://jonas-tilt-petimeter.dev.oceanbox.io/signin-oidc'
-          - 'https://stig-tilt-petimeter.dev.oceanbox.io/signin-oidc'
-          - 'https://simkir-tilt-petimeter.dev.oceanbox.io/signin-oidc'
-          - 'https://petimeter.local.oceanbox.io:8080/signin-oidc'
-        name: 'Petimeter dev'
-        secret: kfngKJF9EKVBnnvgkdmPfs0qw3rmjslk
-      - id: sorcerer
-        redirectURIs:
-          - 'https://sorcerer.ekman.oceanbox.io/signin-oidc'
-          - 'https://sorcerer.hpc.oceanbox.io/signin-oidc'
-        name: 'Sorcerer'
-        secret: sIUXxSQLaTJiLCQ9AqBhmEbAL9lubHGB
-      - id: sorcerer_dev
-        redirectURIs:
-          - 'https://dev.sorcerer.ekman.oceanbox.io/signin-oidc'
-          - 'https://sorcerer.ekman.oceanbox.io/signin-oidc'
-          - 'https://sorcerer.hpc.oceanbox.io/signin-oidc'
-          - 'https://jonas-tilt-sorcerer.ekman.oceanbox.io/signin-oidc'
-          - 'https://simkir-tilt-sorcerer.ekman.oceanbox.io/signin-oidc'
-          - 'https://s.local.oceanbox.io:11080/signin-oidc'
-          - 'https://sorcerer.local.oceanbox.io:11080/signin-oidc'
-        name: 'Sorcerer dev'
-        secret: cyrgDr1UzhQrJn8nRVqEt9BJ9mLk3OBy
-      - id: archmeister
-        redirectURIs:
-          - 'https://archmeister.svc.oceanbox.io/signin-oidc'
-        name: 'Archmeister'
-        secret: ieK3yak9zoh3yeewee8quahY6seiv7Ro
-      - id: archmeister_dev
-        redirectURIs:
-          - 'https://archmeister.dev.oceanbox.io/signin-oidc'
-          - 'https://jonas-archmeister.dev.oceanbox.io/signin-oidc'
-          - 'https://simkir-archmeister.dev.oceanbox.io/signin-oidc'
-          - 'https://r.local.oceanbox.io:11080/signin-oidc'
-          - 'https://archmeister.local.oceanbox.io:9080/signin-oidc'
-        name: 'Archmeister dev'
-        secret: Dae1eekeedeuKaoCiesh1Jei6aishe8I
-