Merge branch 'nixidy' of gitlab.com:oceanbox/manifests into nixidy

2025-02-04 15:43:37 +01:00
parent dd7e28c2e2 6976ea8d93
commit 6663fc2cc5
21 changed files with 188 additions and 142 deletions
@@ -1,7 +1,7 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: preprod-atlantis
+  name: prod-atlantis
  namespace: argocd
  annotations:
    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
@@ -25,7 +25,7 @@ spec:
      - name: env
        string: prod
      - name: hostname
-        string: maps.beta.oceanbox.io
+        string: maps.oceanbox.io
  - repoURL: https://charts.bitnami.com/bitnami
    targetRevision: 20.1.7
    chart: redis
@@ -40,7 +40,7 @@ spec:
        - '.metadata.labels'
        - '.metadata.annotations'
    - kind: Secret
-      name: preprod-atlantis-rabbitmq
+      name: prod-atlantis-rabbitmq
      jqPathExpressions:
        - '.data'
        - '.metadata.labels'
@@ -3,29 +3,52 @@ kind: Application
 metadata:
  name: prod-sorcerer
  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
 spec:
-  template:
-    metadata:
-      name: prod-sorcerer
-    spec:
-      project: atlantis
-      destination:
-        namespace: sorcerer
-        server: https://10.255.241.99:4443
-      sources:
-      - repoURL: https://gitlab.com/oceanbox/manifests.git
-        targetRevision: main
-        path: values/sorcerer
-        plugin:
-          name: kustomize-helm-with-rewrite
-          parameters:
-          - name: env
-            string: prod
-          - name: hostname
-            string: sorcerer.data.oceanbox.io
-  templatePatch: |
-    spec:
-      syncPolicy:
-        automated:
-          prune: true
-          selfHeal: false
+  destination:
+    namespace: prod-sorcerer
+    server: https://10.255.241.99:4443
+  project: atlantis
+  sources:
+  - repoURL: https://gitlab.com/oceanbox/manifests.git
+    targetRevision: nixidy
+    ref: values
+  - repoURL: https://gitlab.com/oceanbox/manifests.git
+    targetRevision: nixidy
+    path: values/sorcerer
+    plugin:
+      name: kustomize-helm-with-rewrite
+      parameters:
+      - name: env
+        string: prod
+      - name: hostname
+        string: sorcerer.data.oceanbox.io
+  - repoURL: https://charts.bitnami.com/bitnami
+    targetRevision: 20.1.7
+    chart: redis
+    helm:
+      valueFiles:
+      - $values/values/sorcerer/prod/redis.yaml
+  ignoreDifferences:
+    - kind: Secret
+      name: azure-keyvault
+      jqPathExpressions:
+        - '.data'
+        - '.metadata.labels'
+        - '.metadata.annotations'
+    - kind: Secret
+      name: prod-atlantis-rabbitmq
+      jqPathExpressions:
+        - '.data'
+        - '.metadata.labels'
+        - '.metadata.annotations'
+  syncPolicy:
+    syncOptions:
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+    # automated:
+    #   prune: true
+    #   selfHeal: false
@@ -11,6 +11,7 @@ data:
  username:
  password:
 {{- else }}
+{{- if .Values.cluster.bootstrap.enabled }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -34,3 +35,4 @@ data:
  ca.crt: ""
  ca.key: ""
 {{- end }}
+{{- end }}
@@ -1,46 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
-  name: sync-prod-archmaester-replication-secrets
-spec:
-  background: true
-  generateExisting: false
-  rules:
-  - name: sync-archmaester-ca
-    generate:
-      apiVersion: v1
-      kind: Secret
-      name: prod-archmeister-ca
-      namespace: '{{ request.object.metadata.namespace }}'
-      synchronize: true
-      clone:
-        namespace: atlantis
-        name: prod-archmeister-ca
-    match:
-     any:
-     - resources:
-         kinds:
-         - Secret
-         names:
-         - prod-archmeister-ca
-         annotations:
-           kyverno/clone: "true"
-  - name: sync-archmaester-replication
-    generate:
-      apiVersion: v1
-      kind: Secret
-      name: prod-archmeister-replication
-      namespace: '{{ request.object.metadata.namespace }}'
-      synchronize: true
-      clone:
-        namespace: atlantis
-        name: prod-archmeister-replication
-    match:
-     any:
-     - resources:
-         kinds:
-         - Secret
-         names:
-         - prod-archmeister-replication
-         annotations:
-           kyverno/clone: "true"
@@ -128,3 +128,41 @@ spec:
      - resources:
          annotations:
            vcluster.loft.sh/controlled-by: secret/v1/GenericImport
+  - name: sync-atlantis-db-ca
+    generate:
+      apiVersion: v1
+      kind: Secret
+      name: prod-atlantis-db-ca
+      namespace: '{{ request.object.metadata.namespace }}'
+      synchronize: true
+      clone:
+        namespace: prod-atlantis
+        name: prod-atlantis-db-ca
+    match:
+     any:
+     - resources:
+         kinds:
+         - Secret
+         names:
+         - prod-atlantis-db-ca
+         annotations:
+           kyverno/clone: "true"
+  - name: sync-atlantis-db-replication
+    generate:
+      apiVersion: v1
+      kind: Secret
+      name: prod-atlantis-db-replication
+      namespace: '{{ request.object.metadata.namespace }}'
+      synchronize: true
+      clone:
+        namespace: prod-atlantis
+        name: prod-atlantis-db-replication
+    match:
+     any:
+     - resources:
+         kinds:
+         - Secret
+         names:
+         - prod-atlantis-db-replication
+         annotations:
+           kyverno/clone: "true"
@@ -53,10 +53,10 @@
            "roles": [ "admin" ]
        }
    ],
-    "redis": "preprod-atlantis-redis-master:6379",
+    "redis": "prod-atlantis-redis-master:6379",
    "objectStore": "https://atlantis.blob.core.windows.net",
    "connString": "Username=postgres;Password=secret;Host=localhost;Port=5432;Database=app;Pooling=true;",
-    "sorcerer" : "https://sorcerer.ekman.oceanbox.io",
+    "sorcerer" : "https://sorcerer.data.oceanbox.io",
    "allowedOrigins": [
        "https://maps.oceanbox.io",
        "https://maps.beta.oceanbox.io",
@@ -8,10 +8,10 @@ spec:
  metadata:
  - name: host
    secretKeyRef:
-      name: preprod-atlantis-rabbitmq
+      name: prod-atlantis-rabbitmq
      key:  connString
  - name: queueName
-    value: preprod-slurm-job-events
+    value: prod-slurm-job-events
  - name: durable
    value: true
  - name: contentType
@@ -19,4 +19,4 @@ spec:
  - name: route
    value: /events/slurm
 scopes:
-  - preprod-atlantis
+  - prod-atlantis
@@ -7,14 +7,14 @@ spec:
  version: v1
  metadata:
  - name: redisHost
-    value: preprod-atlantis-redis-master:6379
+    value: prod-atlantis-redis-master:6379
  - name: redisUsername
    value: default
  - name: redisPassword
    secretKeyRef:
-      name: preprod-atlantis-redis
+      name: prod-atlantis-redis
      key:  redis-password
  - name: redisDB
    value: "1"
 scopes:
-  - preprod-atlantis
+  - prod-atlantis
@@ -1,7 +1,7 @@
 generatorOptions:
  disableNameSuffixHash: true
 configMapGenerator:
- name: preprod-atlantis-appsettings
+- name: prod-atlantis-appsettings
  files:
    - appsettings.json
 patches:
@@ -12,7 +12,7 @@ spec:
    value: user
  - name: password
    secretKeyRef:
-      name: preprod-atlantis-rabbitmq
+      name: prod-atlantis-rabbitmq
      key:  rabbitmq-password
  - name: protocol
    value: amqp
@@ -1,13 +1,13 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  name: preprod-atlantis
+  name: prod-atlantis
  namespace: prod-atlantis
 rules:
 - apiGroups:
  - ""
  resourceNames:
-  - preprod-atlantis-appsettings
+  - prod-atlantis-appsettings
  resources:
  - configmaps
  verbs:
@@ -17,7 +17,7 @@ rules:
  - ""
  resourceNames:
  - azure-keyvault
-  - preprod-atlantis-redis
+  - prod-atlantis-redis
  resources:
  - secrets
  verbs:
@@ -27,13 +27,13 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  name: preprod-atlantis
+  name: prod-atlantis
  namespace: prod-atlantis
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
-  name: preprod-atlantis
+  name: prod-atlantis
 subjects:
 - kind: ServiceAccount
-  name: preprod-atlantis
+  name: prod-atlantis
  namespace: prod-atlantis
@@ -9,7 +9,7 @@ auth:
  password: ""
  usePasswordFiles: false
  existingSecretPasswordKey: ""
-  existingSecret: preprod-atlantis-redis
+  existingSecret: prod-atlantis-redis

 master:
  resources:
@@ -4,6 +4,6 @@ metadata:
  annotations:
    kyverno/clone: "true"
    kyverno/env: "prod"
-  name: preprod-atlantis-rabbitmq
+  name: prod-atlantis-rabbitmq
 type: Opaque
 data:
@@ -7,16 +7,16 @@ spec:
  version: v1
  metadata:
  - name: redisHost
-    value: preprod-atlantis-redis-master:6379
+    value: prod-atlantis-redis-master:6379
  - name: redisUsername
    value: default
  - name: redisPassword
    secretKeyRef:
-      name: preprod-atlantis-redis
+      name: prod-atlantis-redis
      key:  redis-password
  - name: actorStateStore
    value: "true"
  - name: redisDB
    value: "0"
 scopes:
-  - preprod-atlantis
+  - prod-atlantis
@@ -10,7 +10,7 @@ spec:
  metadata:
    queueType: quorum
 scopes:
- preprod-atlantis
+- prod-atlantis
 ---
 apiVersion: dapr.io/v2alpha1
 kind: Subscription
@@ -24,4 +24,4 @@ spec:
  metadata:
    queueType: quorum
 scopes:
- preprod-atlantis
+- prod-atlantis
@@ -1,16 +1,16 @@
-replicaCount: 1
+replicaCount: 2

 image:
-  tag: v2.97.0
+  tag: v2.97.5

 podAnnotations:
-  dapr.io/app-id: "preprod-atlantis"
+  dapr.io/app-id: "prod-atlantis"

 env:
  - name: APP_NAMESPACE
    value: prod-atlantis
  - name: APP_VERSION
-    value: "2.94.0"
+    value: "2.97.4"
  - name: LOG_LEVEL
    value: "2"
  - name: REDIS_USER
@@ -18,22 +18,21 @@ env:
  - name: REDIS_PASSWORD
    valueFrom:
      secretKeyRef:
-        name: preprod-atlantis-redis
+        name: prod-atlantis-redis
        key: redis-password
  - name: DB_HOST
-    value: prod-archmeister-rw.atlantis
-    #value: preprod-atlantis-db-rw
+    value: prod-atlantis-db-rw
  - name: DB_PORT
    value: "5432"
  - name: DB_USER
    valueFrom:
      secretKeyRef:
-        name: preprod-atlantis-db-superuser
+        name: prod-atlantis-db-superuser
        key: username
  - name: DB_PASSWORD
    valueFrom:
      secretKeyRef:
-        name: preprod-atlantis-db-superuser
+        name: prod-atlantis-db-superuser
        key: password
  - name: DAPR_API_TOKEN
    valueFrom:
@@ -47,7 +46,7 @@ ingress:
    cert-manager.io/cluster-issuer: letsencrypt-production
    nginx.ingress.kubernetes.io/proxy-buffer-size: 128k
  hosts:
-    - host: maps.beta.oceanbox.io
+    - host: maps.oceanbox.io
      paths:
        - path: /
          pathType: ImplementationSpecific
@@ -66,16 +65,16 @@ ingress:
          pathType: ImplementationSpecific
  tls:
    - hosts:
-       - maps.beta.oceanbox.io
+       - maps.oceanbox.io
      secretName: prod-atlantis-tls

 cluster:
  instances: 2
  bootstrap:
-    enabled: true
+    enabled: false
    source:
-      db: prod-archmeister
-      namespace: atlantis
+      db: prod-atlantis-db
+      namespace: prod-atlantis

 resources:
  limits:
@@ -1,11 +1,12 @@
 {
    "oidc": {
-        "issuer": "https://idp.oceanbox.io/dex",
-        "authorization_endpoint": "https://idp.oceanbox.io/dex/auth",
-        "token_endpoint": "https://idp.oceanbox.io/dex/token",
-        "jwks_uri": "https://idp.oceanbox.io/dex/keys",
-        "userinfo_endpoint": "https://idp.oceanbox.io/dex/userinfo",
-        "device_authorization_endpoint": "https://idp.oceanbox.io/dex/device/code",
+        "issuer": "https://auth.oceanbox.io/realms/oceanbox",
+        "authorization_endpoint": "https://auth.oceanbox.io/realms/oceanbox/protocol/openid-connect/auth",
+        "token_endpoint": "https://auth.oceanbox.io/realms/oceanbox/protocol/openid-connect/token",
+        "jwks_uri": "https://auth.oceanbox.io/realms/oceanbox/protocol/openid-connect/certs",
+        "userinfo_endpoint": "https://auth.oceanbox.io/realms/oceanbox/protocol/openid-connect/userinfo",
+        "end_session_endpoint": "https://auth.oceanbox.io/realms/oceanbox/protocol/openid-connect/logout",
+        "device_authorization_endpoint": "https://auth.oceanbox.io/realms/oceanbox/protocol/openid-connect/auth/device",
        "clientId": "sorcerer",
        "clientSecret": "",
        "scopes": [
@@ -24,33 +25,43 @@
    "sso": {
        "cookieDomain": ".oceanbox.io",
        "cookieName": ".obx.prod",
-        "signedOutRedirectUri": "https://idp.oceanbox.io/dex/static/logout.html",
+        "signedOutRedirectUri": "https://maps.oceanbox.io",
        "realm": "atlantis",
        "environment": "prod",
-        "keyStore": "azure",
-        "certStore": "https://atlantis.blob.core.windows.net",
-        "dataProtectionKeys": "https://atlantisvault.vault.azure.net/keys/dataprotection"
+        "keyStore": {
+            "kind": "azure",
+            "uri": "https://atlantis.blob.core.windows.net",
+            "key": "dataprotection-keys"
+        },
+        "keyVault": {
+            "kind": "azure",
+            "uri": "https://atlantisvault.vault.azure.net",
+            "key": "dataencryption-keys"
+        }
    },
    "plainAuthUsers": [],
    "fga": {
      "apiUrl": "https://openfga.srv.oceanbox.io",
      "apiKey": "",
-      "storeId": "01J6C1NBX36E1B928HFSB123XQ",
-      "modelId": "01JHMSEB0WJGHGNAZ47NVW8Z3A"
+      "storeId": "01JH65JAW80D06GYBN7A8TBZRG",
+      "modelId": ""
    },
    "redis": "localhost:6379,user=default,password=secret",
    "allowedOrigins": [
        "http://localhost:8085",
        "http://localhost:8080",
        "https://localhost:8080",
+        "https://sorcerer.data.oceanbox.io",
+        "https://sorcerer.ekman.oceanbox.io",
        "https://sorcerer.local.oceanbox.io:8080",
        "https://atlantis.local.oceanbox.io:8080",
        "https://maps.oceanbox.io",
-        "https://atlantis.srv.oceanbox.io",
+        "https://maps.beta.oceanbox.io",
+        "https://atlantis.beta.oceanbox.io",
        "https://jonas-atlantis.dev.oceanbox.io",
        "https://stig-atlantis.dev.oceanbox.io",
-        "https://sorcerer.data.oceanbox.io",
-        "http://sorcerer.data.oceanbox.io"
+        "https://prod-sorcerer.ekman.oceanbox.io",
+        "http://prod-sorcerer.ekman.oceanbox.io"
    ],
    "appName": "sorcerer",
    "appEnv": "prod",
@@ -59,6 +70,5 @@
    "otelCollector": "http://10.255.241.12:4317",
    "archiveSvc": "https://maps.oceanbox.io",
    "dataDir": "/data/archives",
-    "cacheDir": "/data/archives/cache",
-    "authDomain": "prod"
+    "cacheDir": "/data/archives/cache"
 }
@@ -0,0 +1,23 @@
+architecture: replication
+
+replica:
+  replicaCount: 2
+
+auth:
+  enabled: true
+  sentinel: true
+  password: ""
+  usePasswordFiles: false
+  existingSecretPasswordKey: ""
+  existingSecret: prod-sorcerer-redis
+
+master:
+  resources:
+    limits:
+      ephemeral-storage: 1024Mi
+      memory: 192Mi
+    requests:
+      cpu: 150m
+      ephemeral-storage: 50Mi
+      memory: 128Mi
+
@@ -1,11 +1,9 @@
-# apiVersion: v1
-# kind: Secret
-# metadata:
-#   annotations:
-#     kyverno/clone: "true"
-#   name: prod-sorcerer-env
-# type: Opaque
-# data:
+apiVersion: v1
+kind: Secret
+metadata:
+  name: prod-sorcerer-env
+type: Opaque
+data:
 ---
 apiVersion: v1
 kind: Secret
@@ -8,4 +8,4 @@ spec:
    otel:
      endpointAddress: "10.255.241.12:4317"
      protocol: grpc
-      isSecure: false
+      isSecure: false
@@ -1,7 +1,7 @@
-replicaCount: 1
+replicaCount: 2

 image:
-  tag: latest
+  tag: v4.16.3

 podAnnotations:
  dapr.io/enabled: "true"
@@ -18,7 +18,7 @@ podAnnotations:

 env:
  - name: APP_VERSION
-    value: "0.0.0"
+    value: "4.16.3"
  - name: LOG_LEVEL
    value: "2"
  - name: REDIS_USER
@@ -26,7 +26,7 @@ env:
  - name: REDIS_PASSWORD
    valueFrom:
      secretKeyRef:
-        name: prod-redis
+        name: prod-sorcerer-redis
        key: redis-password
  - name: DAPR_API_TOKEN
    valueFrom:
@@ -42,7 +42,6 @@ ingress:
    nginx.ingress.kubernetes.io/session-cookie-name: "http-affinity"
    nginx.ingress.kubernetes.io/session-cookie-expires: "86400"
    nginx.ingress.kubernetes.io/session-cookie-max-age: "86400"
-    atlantis.oceanbox.io/expose: internal
  hosts:
    - host: sorcerer.data.oceanbox.io
      paths: