Add prod codex

values/codex/kustomize/prod/appsettings.json

@@ -0,0 +1,67 @@
+{
+    "Logging": {
+        "LogLevel": {
+            "Default": "Information",
+            "Microsoft": "Warning",
+            "Microsoft.Hosting": "Error"
+        }
+    },
+    "Debug": {
+        "LogLevel": {
+            "Default": "Debug"
+        }
+    },
+    "Console": {
+        "IncludeScopes": true,
+        "LogLevel": {
+            "Default": "Debug"
+        }
+    },
+    "OIDC": {
+        "issuer": "https://auth.oceanbox.io/realms/oceanbox",
+        "authorization_endpoint": "https://auth.oceanbox.io/realms/oceanbox/protocol/openid-connect/auth",
+        "token_endpoint": "https://auth.oceanbox.io/realms/oceanbox/protocol/openid-connect/token",
+        "jwks_uri": "https://auth.oceanbox.io/realms/oceanbox/protocol/openid-connect/certs",
+        "userinfo_endpoint": "https://auth.oceanbox.io/realms/oceanbox/protocol/openid-connect/userinfo",
+        "end_session_endpoint": "https://auth.oceanbox.io/realms/oceanbox/protocol/openid-connect/logout",
+        "device_authorization_endpoint": "https://auth.oceanbox.io/realms/oceanbox/protocol/openid-connect/auth/device",
+        "clientId": "atlantis",
+        "clientSecret": "",
+        "scopes": [
+            "openid",
+            "email",
+            "offline_access",
+            "profile"
+        ],
+        "audiences": [
+            "atlantis"
+        ]
+    },
+    "SSO": {
+        "cookieDomain": ".oceanbox.io",
+        "cookieName": ".obx.prod",
+        "ttl": 12.0,
+        "signedOutRedirectUri": "https://maps.oceanbox.io/",
+        "realm": "atlantis",
+        "environment": "prod",
+        "keyStore": {
+            "kind": "azure",
+            "uri": "https://atlantis.blob.core.windows.net",
+            "key": "dataprotection-keys"
+        },
+        "keyVault": {
+            "kind": "azure",
+            "uri": "https://atlantisvault.vault.azure.net",
+            "key": "dataencryption-keys"
+        }
+    },
+    "plainAuthUsers": [
+        {
+            "username": "admin",
+            "password": "en-to-tre-fire",
+            "groups": [ "/oceanbox" ],
+            "roles": [ "admin" ]
+        }
+    ]
+}
+

values/codex/kustomize/prod/deployment_patch.yaml

@@ -0,0 +1,64 @@
+- op: add
+  path: /spec/template/spec/containers/0/envFrom
+  value:
+    - secretRef:
+        name: azure-keyvault
+- op: add
+  path: /spec/template/spec/containers/0/env
+  value:
+    - name: APP_NAMESPACE
+      value: prod-atlantis
+    - name: DOTNET_ENVIRONMENT
+      value: Production
+    - name: ASPNETCORE_ENVIRONMENT
+      value: Production
+    - name: DB_HOST
+      valueFrom:
+        secretKeyRef:
+          name: prod-atlantis-db-app
+          key: host
+    - name: DB_PORT
+      valueFrom:
+        secretKeyRef:
+          name: prod-atlantis-db-app
+          key: port
+    - name: DB_DATABASE
+      valueFrom:
+        secretKeyRef:
+          name: prod-atlantis-db-app
+          key: dbname
+    - name: DB_USER
+      valueFrom:
+        secretKeyRef:
+          name: prod-atlantis-db-app
+          key: user
+    - name: DB_PASSWORD
+      valueFrom:
+        secretKeyRef:
+          name: prod-atlantis-db-app
+          key: password
+    - name: FGA_DB_HOST
+      valueFrom:
+        secretKeyRef:
+          name: prod-openfga-db-app
+          key: host
+    - name: FGA_DB_PORT
+      valueFrom:
+        secretKeyRef:
+          name: prod-openfga-db-app
+          key: port
+    - name: FGA_DB_DATABASE
+      valueFrom:
+        secretKeyRef:
+          name: prod-openfga-db-app
+          key: dbname
+    - name: FGA_DB_USER
+      valueFrom:
+        secretKeyRef:
+          name: prod-openfga-db-app
+          key: user
+    - name: FGA_DB_PASSWORD
+      valueFrom:
+        secretKeyRef:
+          name: prod-openfga-db-app
+          key: password

values/codex/kustomize/prod/kustomization.yaml

@@ -0,0 +1,15 @@
+generatorOptions:
+  disableNameSuffixHash: true
+configMapGenerator:
+- name: prod-codex-appsettings
+  files:
+    - appsettings.json
+patches:
+  - target:
+      group: apps
+      version: v1
+      kind: Deployment
+    path: deployment_patch.yaml
+resources:
+  - ../base
+

values/codex/kustomize/staging/deployment_patch.yaml

@@ -62,4 +62,3 @@
         secretKeyRef:
           name: staging-openfga-db-app
           key: password
-  name: azure-keyvault

values/codex/manifests/network/allow-external-services.yaml

@@ -0,0 +1,14 @@
+{{- if .Values.clusterConfig.cilium.enabled }}
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-external-services
+  namespace: {{ .Release.Namespace }}
+spec:
+  egress:
+  - toFQDNs:
+    - matchName: cacerts.digicert.com
+  endpointSelector:
+    matchLabels: {}
+{{- end }}
+

values/codex/values/values-prod.yaml

@@ -0,0 +1,29 @@
+replicaCount: 1
+image:
+  tag: 0.0.0-alpha.1
+ingress:
+  enabled: true
+  className: "nginx"
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-production
+    nginx.ingress.kubernetes.io/backend-protocol: HTTP
+    nginx.ingress.kubernetes.io/ssl-redirect: "true"
+    oceanbox.io/expose: internal
+  hosts:
+    - host: codex.oceanbox.io
+      paths:
+        - path: /
+          pathType: ImplementationSpecific
+  tls:
+    - hosts:
+        - codex.oceanbox.io
+      secretName: staging-codex-tls
+volumes:
+  - name: appsettings
+    configMap:
+      name: staging-codex-appsettings
+volumeMounts:
+  - name: appsettings
+    mountPath: "/app/appsettings.Development.json"
+    readOnly: true
+    subPath: appsettings.json