From 3255430a3b6f6dbab35e922ef60c8c1a8a4b4cc9 Mon Sep 17 00:00:00 2001
From: Simen Kirkvik
Date: Wed, 7 Jan 2026 14:10:49 +0100
Subject: [PATCH] Add prod codex
---
values/codex/kustomize/prod/appsettings.json | 67 +++++++++++++++++++
.../kustomize/prod/deployment_patch.yaml | 64 ++++++++++++++++++
.../codex/kustomize/prod/kustomization.yaml | 15 +++++
.../kustomize/staging/deployment_patch.yaml | 1 -
.../network/allow-external-services.yaml | 14 ++++
values/codex/values/values-prod.yaml | 29 ++++++++
6 files changed, 189 insertions(+), 1 deletion(-)
create mode 100644 values/codex/kustomize/prod/appsettings.json
create mode 100644 values/codex/kustomize/prod/deployment_patch.yaml
create mode 100644 values/codex/kustomize/prod/kustomization.yaml
create mode 100644 values/codex/manifests/network/allow-external-services.yaml
create mode 100644 values/codex/values/values-prod.yaml
diff --git a/values/codex/kustomize/prod/appsettings.json b/values/codex/kustomize/prod/appsettings.json
new file mode 100644
index 00000000..345a95d8
--- /dev/null
+++ b/values/codex/kustomize/prod/appsettings.json
@@ -0,0 +1,67 @@
+{
+ "Logging": {
+ "LogLevel": {
+ "Default": "Information",
+ "Microsoft": "Warning",
+ "Microsoft.Hosting": "Error"
+ }
+ },
+ "Debug": {
+ "LogLevel": {
+ "Default": "Debug"
+ }
+ },
+ "Console": {
+ "IncludeScopes": true,
+ "LogLevel": {
+ "Default": "Debug"
+ }
+ },
+ "OIDC": {
+ "issuer": "https://auth.oceanbox.io/realms/oceanbox",
+ "authorization_endpoint": "https://auth.oceanbox.io/realms/oceanbox/protocol/openid-connect/auth",
+ "token_endpoint": "https://auth.oceanbox.io/realms/oceanbox/protocol/openid-connect/token",
+ "jwks_uri": "https://auth.oceanbox.io/realms/oceanbox/protocol/openid-connect/certs",
+ "userinfo_endpoint": "https://auth.oceanbox.io/realms/oceanbox/protocol/openid-connect/userinfo",
+ "end_session_endpoint": "https://auth.oceanbox.io/realms/oceanbox/protocol/openid-connect/logout",
+ "device_authorization_endpoint": "https://auth.oceanbox.io/realms/oceanbox/protocol/openid-connect/auth/device",
+ "clientId": "atlantis",
+ "clientSecret": "",
+ "scopes": [
+ "openid",
+ "email",
+ "offline_access",
+ "profile"
+ ],
+ "audiences": [
+ "atlantis"
+ ]
+ },
+ "SSO": {
+ "cookieDomain": ".oceanbox.io",
+ "cookieName": ".obx.prod",
+ "ttl": 12.0,
+ "signedOutRedirectUri": "https://maps.oceanbox.io/",
+ "realm": "atlantis",
+ "environment": "prod",
+ "keyStore": {
+ "kind": "azure",
+ "uri": "https://atlantis.blob.core.windows.net",
+ "key": "dataprotection-keys"
+ },
+ "keyVault": {
+ "kind": "azure",
+ "uri": "https://atlantisvault.vault.azure.net",
+ "key": "dataencryption-keys"
+ }
+ },
+ "plainAuthUsers": [
+ {
+ "username": "admin",
+ "password": "en-to-tre-fire",
+ "groups": [ "/oceanbox" ],
+ "roles": [ "admin" ]
+ }
+ ]
+}
+
diff --git a/values/codex/kustomize/prod/deployment_patch.yaml b/values/codex/kustomize/prod/deployment_patch.yaml
new file mode 100644
index 00000000..6a757bcf
--- /dev/null
+++ b/values/codex/kustomize/prod/deployment_patch.yaml
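Review bot: The `plainAuthUsers` entry at the end of this hunk ships a plaintext admin credential (`"username": "admin"`, `"password": "en-to-tre-fire"`, roles `["admin"]`) in a production settings file, and kustomization.yaml in this same commit turns that file into a ConfigMap, so the password is readable by anyone with repository access or namespace-level ConfigMap read access and is now permanently in git history. Drop the entry from this file (if the application accepts an empty list, `"plainAuthUsers": []` keeps the key present) and provide any break-glass login through the `azure-keyvault` Secret that the prod deployment patch already injects via `envFrom`; the committed value should be treated as exposed and rotated. `"clientSecret": ""` looks intended to be filled from that same Secret at runtime, which is fine, but the kustomization or values file should say so in a comment so nobody "fixes" it by pasting the secret here. The `"Debug"` and `"Console"` sections set `Debug` level for production; confirm that is deliberate, since debug-level logging in an auth component can put tokens or user identifiers into the log pipeline.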
@@ -0,0 +1,64 @@
+- op: add
+ path: /spec/template/spec/containers/0/envFrom
+ value:
+ - secretRef:
+ name: azure-keyvault
+- op: add
+ path: /spec/template/spec/containers/0/env
+ value:
+ - name: APP_NAMESPACE
+ value: prod-atlantis
+ - name: DOTNET_ENVIRONMENT
+ value: Production
+ - name: ASPNETCORE_ENVIRONMENT
+ value: Production
+ - name: DB_HOST
+ valueFrom:
+ secretKeyRef:
+ name: prod-atlantis-db-app
+ key: host
+ - name: DB_PORT
+ valueFrom:
+ secretKeyRef:
+ name: prod-atlantis-db-app
+ key: port
+ - name: DB_DATABASE
+ valueFrom:
+ secretKeyRef:
+ name: prod-atlantis-db-app
+ key: dbname
+ - name: DB_USER
+ valueFrom:
+ secretKeyRef:
+ name: prod-atlantis-db-app
+ key: user
+ - name: DB_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: prod-atlantis-db-app
+ key: password
+ - name: FGA_DB_HOST
+ valueFrom:
+ secretKeyRef:
+ name: prod-openfga-db-app
+ key: host
+ - name: FGA_DB_PORT
+ valueFrom:
+ secretKeyRef:
+ name: prod-openfga-db-app
+ key: port
+ - name: FGA_DB_DATABASE
+ valueFrom:
+ secretKeyRef:
+ name: prod-openfga-db-app
+ key: dbname
+ - name: FGA_DB_USER
+ valueFrom:
+ secretKeyRef:
+ name: prod-openfga-db-app
+ key: user
+ - name: FGA_DB_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: prod-openfga-db-app
+ key: password
diff --git a/values/codex/kustomize/prod/kustomization.yaml b/values/codex/kustomize/prod/kustomization.yaml
new file mode 100644
index 00000000..54da1e78
--- /dev/null
+++ b/values/codex/kustomize/prod/kustomization.yaml
@@ -0,0 +1,15 @@
+generatorOptions:
+ disableNameSuffixHash: true
+configMapGenerator:
+- name: prod-codex-appsettings
+ files:
+ - appsettings.json
+patches:
+ - target:
+ group: apps
+ version: v1
+ kind: Deployment
+ path: deployment_patch.yaml
+resources:
+ - ../base
+
diff --git a/values/codex/kustomize/staging/deployment_patch.yaml b/values/codex/kustomize/staging/deployment_patch.yaml
index 5eba3f5c..c8d760f3 100644
--- a/values/codex/kustomize/staging/deployment_patch.yaml
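Review bot: The second `op: add` in this hunk targets `/spec/template/spec/containers/0/env` as a whole, and under JSON Patch (RFC 6902) `add` on an existing member replaces it, so if the base Deployment in `../base` already sets any `env` entries they are silently dropped rather than merged; the same applies to the `envFrom` add above it. If the base is meant to contribute entries, append per item with `path: /spec/template/spec/containers/0/env/-` (which requires the list to already exist in the base); otherwise a one-line comment at the top of the file, `# replaces (does not merge) the base container env and envFrom`, records the intent. The `envFrom` / `secretRef: name: azure-keyvault` block exposes every key in that Secret as an environment variable, so any key later added to the Key Vault sync lands in the container environment without a change here; the explicit `secretKeyRef` style used for the DB variables is narrower and easier to audit, and is worth preferring for the Key Vault values too if their names are known.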
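Review bot: `configMapGenerator` in the kustomization.yaml hunk materialises `appsettings.json` as a ConfigMap, but that file carries an admin password under `plainAuthUsers` plus the OIDC client and key-vault settings, so the credential lands in an object where Secret-specific controls (RBAC on Secrets, encryption at rest where enabled) do not apply; switching to `secretGenerator:` with the same `name: prod-codex-appsettings` and mounting it as a `secret:` volume in values-prod.yaml keeps the application unchanged. `disableNameSuffixHash: true` also means an edited appsettings.json keeps the same object name, so an already-running Deployment does not roll out on settings changes; if that is intended, a comment such as `# no hash suffix: the volume name is fixed in values-prod.yaml; restart pods after editing appsettings.json` makes the operational cost explicit. The `patches` target matches every `apps/v1` Deployment in `../base` because no `name` is given, which is fine only while the base renders exactly one Deployment.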
+++ b/values/codex/kustomize/staging/deployment_patch.yaml
@@ -62,4 +62,3 @@ secretKeyRef: name: staging-openfga-db-app key: password - name: azure-keyvault
diff --git a/values/codex/manifests/network/allow-external-services.yaml b/values/codex/manifests/network/allow-external-services.yaml
new file mode 100644
index 00000000..7b0f578c
--- /dev/null
+++ b/values/codex/manifests/network/allow-external-services.yaml
@@ -0,0 +1,14 @@
+{{- if .Values.clusterConfig.cilium.enabled }}
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-external-services
+ namespace: {{ .Release.Namespace }}
+spec:
+ egress:
+ - toFQDNs:
+ - matchName: cacerts.digicert.com
+ endpointSelector:
+ matchLabels: {}
+{{- end }}
+
diff --git a/values/codex/values/values-prod.yaml b/values/codex/values/values-prod.yaml
new file mode 100644
index 00000000..c8aaf3cc
--- /dev/null
+++ b/values/codex/values/values-prod.yaml
@@ -0,0 +1,29 @@
+replicaCount: 1
+image:
+ tag: 0.0.0-alpha.1
+ingress:
+ enabled: true
+ className: "nginx"
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-production
+ nginx.ingress.kubernetes.io/backend-protocol: HTTP
+ nginx.ingress.kubernetes.io/ssl-redirect: "true"
+ oceanbox.io/expose: internal
+ hosts:
+ - host: codex.oceanbox.io
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ tls:
+ - hosts:
+ - codex.oceanbox.io
+ secretName: staging-codex-tls
+volumes:
+ - name: appsettings
+ configMap:
+ name: staging-codex-appsettings
+volumeMounts:
+ - name: appsettings
+ mountPath: "/app/appsettings.Development.json"
+ readOnly: true
+ subPath: appsettings.json
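Review bot: `endpointSelector: matchLabels: {}` in the allow-external-services.yaml hunk selects every pod in the release namespace, and because a CiliumNetworkPolicy with an `egress` section puts its selected endpoints into egress default-deny, every workload there loses all other egress (DNS included) unless other policies in the release already allow it; it also grants the CA-bundle egress to pods that have no need for it, on any port, since no `toPorts` is given. Narrow the selector to the application's labels and add `toPorts` with `- port: "443"` and `protocol: TCP` under the `toFQDNs` rule. Cilium can only match `toFQDNs` for lookups that pass through its DNS proxy, which needs an egress rule to kube-dns carrying an L7 DNS rule such as `rules: dns: - matchPattern: "*"` for the same endpoints; if that lives in another manifest, a comment here pointing to it would save the next reader a debugging session. A short header comment saying which component fetches the DigiCert bundle and why would also make the name `allow-external-services` less misleading for a single-host rule.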
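Review bot: The `volumes` block near the end of the values-prod.yaml hunk mounts `configMap: name: staging-codex-appsettings` and the `tls` block uses `secretName: staging-codex-tls`, while the prod kustomization in this same commit generates `prod-codex-appsettings`, so the prod pod either mounts whatever a staging ConfigMap in that namespace holds or never starts, and cert-manager stores the production certificate under a staging-named Secret; change them to `name: prod-codex-appsettings` and a prod-specific name such as `secretName: prod-codex-tls` (constructed example, match whatever the base expects). The `mountPath: "/app/appsettings.Development.json"` is combined with `ASPNETCORE_ENVIRONMENT: Production` from the prod deployment patch; the default .NET host only loads `appsettings.{EnvironmentName}.json`, so unless the application adds this file explicitly, the prod settings would be ignored — confirm, and mount it as `appsettings.Production.json` if not. `image.tag: 0.0.0-alpha.1` is a safe plain scalar here, but quoting it (`tag: "0.0.0-alpha.1"`) protects against a future numeric-looking tag being parsed as a float.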