From 4a6c1355731ca6e62aedf3a581ab98d2f126157e Mon Sep 17 00:00:00 2001
From: Jonas Juselius
Date: Wed, 31 Jan 2024 15:22:05 +0100
Subject: [PATCH] fix: update cerbos manifests
---
cerbos/application.yaml | 65 --------------------------------------
cerbos/applicationset.yaml | 33 +++++++++++++++++++
cerbos/prod-values.yaml | 3 ++
cerbos/staging-values.yaml | 3 ++
cerbos/values.yaml | 46 +++++++++++++++++++++++++++
5 files changed, 85 insertions(+), 65 deletions(-)
delete mode 100644 cerbos/application.yaml
create mode 100644 cerbos/applicationset.yaml
create mode 100644 cerbos/prod-values.yaml
create mode 100644 cerbos/staging-values.yaml
create mode 100644 cerbos/values.yaml
diff --git a/cerbos/application.yaml b/cerbos/application.yaml
deleted file mode 100644
index 5247d2f9..00000000
--- a/cerbos/application.yaml
+++ /dev/null
@@ -1,65 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
- name: cerbos
- namespace: argocd
-spec:
- project: atlantis
- destination:
- server: https://kubernetes.default.svc
- namespace: atlantis
- sources:
- - repoURL: https://download.cerbos.dev/helm-charts
- targetRevision: 0.33.0
- chart: cerbos
- helm:
- values: |
- replicaCount: 1
- autoscaling:
- enabled: false
- minReplicas: 1
- maxReplicas: 100
- targetCPUUtilizationPercentage: 80
- # targetMemoryUtilizationPercentage: 80
-
- # Spec of the cert-manager certificate to create for the Cerbos deployment.
- # If certSpec is not empty, a cert-manager.io/v1/Certificate resource will be created with its spec populated with values from certSpec.
- # The certSpec value must be a valid Certificate spec. This Helm chart does not provide any defaults or inject any values into it.
- # If cerbos.tlsSecretName is defined, it takes precedence over the generated certificate.
- certManager:
- certSpec: {}
-
- # Cerbos service settings.
- service:
- type: ClusterIP
- httpPort: 3592
- grpcPort: 3593
- httpNodePort: 13592
- grpcNodePort: 13593
- annotations: {}
-
- envFrom:
- - secretRef:
- name: cerbos-gitlab-token
-
- cerbos:
- httpPort: 3592
- grpcPort: 3593
- tlsSecretName: ""
- logLevel: INFO
- config:
- storage:
- driver: "git"
- git:
- protocol: https
- url: https://gitlab.com/oceanbox/cerbos
- branch: main
- subDir: policies
- checkoutDir: /work
- updatePollInterval: 60s
- https:
- username: cerbos
- password: ${GITLAB_TOKEN}
- - repoURL: https://gitlab.com/oceanbox/manifests
- targetRevision: HEAD
- path: cerbos/manifests
diff --git a/cerbos/applicationset.yaml b/cerbos/applicationset.yaml
new file mode 100644
index 00000000..9393ba18
--- /dev/null
+++ b/cerbos/applicationset.yaml
@@ -0,0 +1,33 @@
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+ name: cerbos
+ namespace: argocd
+spec:
+ generators:
+ - list:
+ elements:
+ - cluster: https://kubernetes.default.svc
+ env: prod
+ - cluster: https://kubernetes.default.svc
+ env: staging
+ template:
+ metadata:
+ name: '{{ env }}-cerbox'
+ spec:
+ project: atlantis
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: idp
+ sources:
+ - repoURL: https://download.cerbos.dev/helm-charts
+ targetRevision: 0.33.0
+ chart: cerbos
+ helm:
+ valueFiles:
+ - $values/cerbos/values.yaml
+ - $values/cerbos/{{ env }}-values.yaml
+ - repoURL: https://gitlab.com/oceanbox/manifests.git
+ targetRevision: HEAD
+ path: cerbos/manifests
+ ref: values
diff --git a/cerbos/prod-values.yaml b/cerbos/prod-values.yaml
new file mode 100644
index 00000000..b0dfbdcf
--- /dev/null
+++ b/cerbos/prod-values.yaml
@@ -0,0 +1,3 @@
+service:
+ httpNodePort: 30592
+ grpcNodePort: 30593
diff --git a/cerbos/staging-values.yaml b/cerbos/staging-values.yaml
new file mode 100644
index 00000000..3bf5a00a
--- /dev/null
+++ b/cerbos/staging-values.yaml
@@ -0,0 +1,3 @@
+service:
+ httpNodePort: 31592
+ grpcNodePort: 31593
diff --git a/cerbos/values.yaml b/cerbos/values.yaml
new file mode 100644
index 00000000..23271b0d
--- /dev/null
+++ b/cerbos/values.yaml
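Review bot: The second source in `cerbos/applicationset.yaml` sets both `path: cerbos/manifests` and `ref: values`, so each generated Application will likely render that directory as well as read value files from it; with both list elements pointing at the same cluster and the `idp` namespace, `prod-cerbox` and `staging-cerbox` would then both claim the same objects. Both environments also follow `targetRevision: HEAD`, so a push to the manifests repository reaches the production policy decision point at the same moment as staging. Consider dropping `path` from the `ref` source (or moving the shared manifests into their own Application) and carrying a per-element revision, e.g. `targetRevision: '{{ revision }}'`, so prod can be pinned to a tag or commit. The `cluster` element is unused because `destination.server` is hard-coded, and `-cerbox` in the template name may be a typo for `-cerbos`.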
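Review bot: `httpNodePort: 30592` and `grpcNodePort: 30593` in `cerbos/prod-values.yaml` are overridden while `cerbos/values.yaml` keeps `service.type: ClusterIP`, so these values probably have no effect unless the type is also switched to NodePort. If NodePort exposure is intended, note that `cerbos.tlsSecretName` is `""` in the base values, which would leave the Cerbos HTTP and gRPC APIs reachable on every node address in plaintext; set a TLS secret or keep the service ClusterIP behind an ingress. The same applies to `cerbos/staging-values.yaml` (31592/31593). A comment such as `# only used when service.type is NodePort` would make the intent explicit.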
@@ -0,0 +1,46 @@
+replicaCount: 1
+autoscaling:
+ enabled: false
+ minReplicas: 1
+ maxReplicas: 100
+ targetCPUUtilizationPercentage: 80
+ # targetMemoryUtilizationPercentage: 80
+
+# Spec of the cert-manager certificate to create for the Cerbos deployment.
+# If certSpec is not empty, a cert-manager.io/v1/Certificate resource will be created with its spec populated with values from certSpec.
+# The certSpec value must be a valid Certificate spec. This Helm chart does not provide any defaults or inject any values into it.
+# If cerbos.tlsSecretName is defined, it takes precedence over the generated certificate.
+certManager:
+ certSpec: {}
+
+# Cerbos service settings.
+service:
+ type: ClusterIP
+ httpPort: 3592
+ grpcPort: 3593
+ httpNodePort: 13592
+ grpcNodePort: 13593
+ annotations: {}
+
+envFrom:
+ - secretRef:
+ name: cerbos-gitlab-token
+
+cerbos:
+ httpPort: 3592
+ grpcPort: 3593
+ tlsSecretName: ""
+ logLevel: INFO
+ config:
+ storage:
+ driver: "git"
+ git:
+ protocol: https
+ url: https://gitlab.com/oceanbox/cerbos
+ branch: main
+ subDir: policies
+ checkoutDir: /work
+ updatePollInterval: 60s
+ https:
+ username: cerbos
+ password: ${GITLAB_TOKEN}
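Review bot: `branch: main` under `cerbos.config.storage.git` is shared by prod and staging, because the per-environment value files in this patch override only the node ports; with `updatePollInterval: 60s`, a policy pushed to `main` changes production authorization decisions within about a minute, with no staging soak. Consider overriding `cerbos.config.storage.git.branch` in `prod-values.yaml` with a release branch. Keeping `password: ${GITLAB_TOKEN}` out of the file is good; a comment such as `# GITLAB_TOKEN comes from the cerbos-gitlab-token Secret via envFrom; use a read-only token` would document where it is resolved and what scope it needs. `tlsSecretName: ""` appears to leave the listeners without TLS, which deserves a comment if that is deliberate.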