diff --git a/apps/prod-atlantis.yaml b/apps/prod-atlantis.yaml index 66c3fab4..41cabaa2 100644 --- a/apps/prod-atlantis.yaml +++ b/apps/prod-atlantis.yaml @@ -1,7 +1,7 @@ apiVersion: argoproj.io/v1alpha1 kind: Application metadata: - name: preprod-atlantis + name: prod-atlantis namespace: argocd annotations: argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true @@ -25,7 +25,7 @@ spec: - name: env string: prod - name: hostname - string: maps.beta.oceanbox.io + string: maps.oceanbox.io - repoURL: https://charts.bitnami.com/bitnami targetRevision: 20.1.7 chart: redis @@ -40,7 +40,7 @@ spec: - '.metadata.labels' - '.metadata.annotations' - kind: Secret - name: preprod-atlantis-rabbitmq + name: prod-atlantis-rabbitmq jqPathExpressions: - '.data' - '.metadata.labels' diff --git a/apps/prod-sorcerer.yaml b/apps/prod-sorcerer.yaml index 8dc712bf..cab87c45 100644 --- a/apps/prod-sorcerer.yaml +++ b/apps/prod-sorcerer.yaml 
@@ -3,29 +3,52 @@ kind: Application metadata: name: prod-sorcerer namespace: argocd + annotations: + argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true + finalizers: + - resources-finalizer.argocd.argoproj.io spec: - template: - metadata: - name: prod-sorcerer - spec: - project: atlantis - destination: - namespace: sorcerer - server: https://10.255.241.99:4443 - sources: - - repoURL: https://gitlab.com/oceanbox/manifests.git - targetRevision: main - path: values/sorcerer - plugin: - name: kustomize-helm-with-rewrite - parameters: - - name: env - string: prod - - name: hostname - string: sorcerer.data.oceanbox.io - templatePatch: | - spec: - syncPolicy: - automated: - prune: true - selfHeal: false + destination: + namespace: prod-sorcerer + server: https://10.255.241.99:4443 + project: atlantis + sources: + - repoURL: https://gitlab.com/oceanbox/manifests.git + targetRevision: nixidy + ref: values + - repoURL: https://gitlab.com/oceanbox/manifests.git + targetRevision: nixidy + path: values/sorcerer + plugin: + name: kustomize-helm-with-rewrite + parameters: + - name: env + string: prod + - name: hostname + string: sorcerer.data.oceanbox.io + - repoURL: https://charts.bitnami.com/bitnami + targetRevision: 20.1.7 + chart: redis + helm: + valueFiles: + - $values/values/sorcerer/prod/redis.yaml + ignoreDifferences: + - kind: Secret + name: azure-keyvault + jqPathExpressions: + - '.data' + - '.metadata.labels' + - '.metadata.annotations' + - kind: Secret + name: prod-atlantis-rabbitmq + jqPathExpressions: + - '.data' + - '.metadata.labels' + - '.metadata.annotations' + syncPolicy: + syncOptions: + - CreateNamespace=true + - ApplyOutOfSyncOnly=true + # automated: + # prune: true + # selfHeal: false diff --git a/charts/atlantis/templates/secrets.yaml b/charts/atlantis/templates/secrets.yaml index fe4d73e8..b4d61baf 100644 --- a/charts/atlantis/templates/secrets.yaml +++ b/charts/atlantis/templates/secrets.yaml 
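Review bot: Both sources of the prod-sorcerer Application pin `targetRevision: nixidy`, so production now tracks a working branch where the removed template used `main`; every push to that branch changes what Argo CD applies to prod with no review gate in between. Pin prod back to `main` (or a tag/commit) once the migration lands, or add a comment stating why the branch is intentional and when it will be switched. The `ignoreDifferences` entry for Secret `prod-atlantis-rabbitmq` looks carried over from prod-atlantis.yaml; if sorcerer does not manage that Secret in `prod-sorcerer`, drop it so drift on it is not silently hidden. Note also that the added `resources-finalizer.argocd.argoproj.io` makes deletion of this Application cascade to everything in `prod-sorcerer` (including the Redis Secrets and volumes) while `automated:` is left commented out — a one-line comment such as `# cascade-delete on app removal; sync stays manual until the nixidy migration is verified` would make both choices explicit.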
@@ -11,6 +11,7 @@ data: username: password: {{- else }} +{{- if .Values.cluster.bootstrap.enabled }} apiVersion: v1 kind: Secret metadata: @@ -34,3 +35,4 @@ data: ca.crt: "" ca.key: "" {{- end }} +{{- end }} diff --git a/policies/oceanbox/kyverno/sync-archmaester-secrets.yaml b/policies/oceanbox/kyverno/sync-archmaester-secrets.yaml deleted file mode 100644 index 2689a3d3..00000000 --- a/policies/oceanbox/kyverno/sync-archmaester-secrets.yaml +++ /dev/null @@ -1,46 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: sync-prod-archmaester-replication-secrets -spec: - background: true - generateExisting: false - rules: - - name: sync-archmaester-ca - generate: - apiVersion: v1 - kind: Secret - name: prod-archmeister-ca - namespace: '{{ request.object.metadata.namespace }}' - synchronize: true - clone: - namespace: atlantis - name: prod-archmeister-ca - match: - any: - - resources: - kinds: - - Secret - names: - - prod-archmeister-ca - annotations: - kyverno/clone: "true" - - name: sync-archmaester-replication - generate: - apiVersion: v1 - kind: Secret - name: prod-archmeister-replication - namespace: '{{ request.object.metadata.namespace }}' - synchronize: true - clone: - namespace: atlantis - name: prod-archmeister-replication - match: - any: - - resources: - kinds: - - Secret - names: - - prod-archmeister-replication - annotations: - kyverno/clone: "true" diff --git a/policies/oceanbox/kyverno/sync-atlantis-secrets.yaml b/policies/oceanbox/kyverno/sync-atlantis-secrets.yaml index d826ec93..02cc15f6 100644 --- a/policies/oceanbox/kyverno/sync-atlantis-secrets.yaml +++ b/policies/oceanbox/kyverno/sync-atlantis-secrets.yaml 
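Review bot: The new `{{- if .Values.cluster.bootstrap.enabled }}` gate removes the CA Secret (`ca.crt`/`ca.key`) from rendered output as soon as bootstrap is switched off, which values-prod.yaml does in this same commit; depending on the owning Application's prune setting the already-applied Secret will either linger as out-of-sync or be deleted together with its key material, and nothing in the template records which outcome is intended. Add a template comment at the gate, e.g. `{{- /* CA secret is rendered only while cluster.bootstrap.enabled; the live copy is left to Argo CD prune/orphan handling once disabled */ -}}`. The appended `{{- end }}` relies on the pre-existing `{{- end }}` now closing the inner `if`; labelling both (`{{- end }}{{- /* bootstrap */ -}}` and `{{- end }}{{- /* outer if */ -}}`) keeps the nesting readable. The outer `{{- if }}`/`{{- else }}` begins before the first hunk.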
@@ -128,3 +128,41 @@ spec: - resources: annotations: vcluster.loft.sh/controlled-by: secret/v1/GenericImport + - name: sync-atlantis-db-ca + generate: + apiVersion: v1 + kind: Secret + name: prod-atlantis-db-ca + namespace: '{{ request.object.metadata.namespace }}' + synchronize: true + clone: + namespace: prod-atlantis + name: prod-atlantis-db-ca + match: + any: + - resources: + kinds: + - Secret + names: + - prod-atlantis-db-ca + annotations: + kyverno/clone: "true" + - name: sync-atlantis-db-replication + generate: + apiVersion: v1 + kind: Secret + name: prod-atlantis-db-replication + namespace: '{{ request.object.metadata.namespace }}' + synchronize: true + clone: + namespace: prod-atlantis + name: prod-atlantis-db-replication + match: + any: + - resources: + kinds: + - Secret + names: + - prod-atlantis-db-replication + annotations: + kyverno/clone: "true" diff --git a/values/atlantis/prod/appsettings.json b/values/atlantis/prod/appsettings.json index 64381872..3df02419 100644 --- a/values/atlantis/prod/appsettings.json +++ b/values/atlantis/prod/appsettings.json @@ -53,10 +53,10 @@ "roles": [ "admin" ] } ], - "redis": "preprod-atlantis-redis-master:6379", + "redis": "prod-atlantis-redis-master:6379", "objectStore": "https://atlantis.blob.core.windows.net", "connString": "Username=postgres;Password=secret;Host=localhost;Port=5432;Database=app;Pooling=true;", - "sorcerer" : "https://sorcerer.ekman.oceanbox.io", + "sorcerer" : "https://sorcerer.data.oceanbox.io", "allowedOrigins": [ "https://maps.oceanbox.io", "https://maps.beta.oceanbox.io", diff --git a/values/atlantis/prod/bindings.yaml b/values/atlantis/prod/bindings.yaml index be8d0355..8a95c563 100644 --- a/values/atlantis/prod/bindings.yaml +++ b/values/atlantis/prod/bindings.yaml 
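Review bot: The two new generate rules (`sync-atlantis-db-ca`, `sync-atlantis-db-replication`) clone the database CA and replication credentials out of `prod-atlantis` into whatever namespace the trigger Secret appears in, and the trigger is only a Secret name plus the `kyverno/clone: "true"` annotation with no namespace restriction. As written, any principal able to create a Secret in any namespace of this cluster can obtain a synchronized copy of `prod-atlantis-db-replication` and `prod-atlantis-db-ca`. Constrain the match with `namespaces:` (or a `namespaceSelector`) naming the namespaces that legitimately consume these Secrets, and consider an `exclude` for tenant-facing namespaces; the rule visible just above the hunk, which also keys on `vcluster.loft.sh/controlled-by`, appears to be a narrower pattern to follow. The enclosing `rules:` list starts before the hunk.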
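Review bot: `allowedOrigins` in the prod appsettings still lists `https://maps.beta.oceanbox.io` next to `https://maps.oceanbox.io` (context lines of the hunk) even though this commit moves the prod hostname off `maps.beta.oceanbox.io`; leaving the beta origin in the prod CORS allow-list lets a beta front-end call the prod API with credentials. Remove it unless beta is meant to share the prod backend, and record that decision in the values documentation since JSON cannot carry a comment. The surrounding object continues on both sides of the hunk.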
@@ -8,10 +8,10 @@ spec: metadata: - name: host secretKeyRef: - name: preprod-atlantis-rabbitmq + name: prod-atlantis-rabbitmq key: connString - name: queueName - value: preprod-slurm-job-events + value: prod-slurm-job-events - name: durable value: true - name: contentType @@ -19,4 +19,4 @@ spec: - name: route value: /events/slurm scopes: - - preprod-atlantis + - prod-atlantis diff --git a/values/atlantis/prod/configurations.yaml b/values/atlantis/prod/configurations.yaml index b5ffeb47..705e1b48 100644 --- a/values/atlantis/prod/configurations.yaml +++ b/values/atlantis/prod/configurations.yaml @@ -7,14 +7,14 @@ spec: version: v1 metadata: - name: redisHost - value: preprod-atlantis-redis-master:6379 + value: prod-atlantis-redis-master:6379 - name: redisUsername value: default - name: redisPassword secretKeyRef: - name: preprod-atlantis-redis + name: prod-atlantis-redis key: redis-password - name: redisDB value: "1" scopes: - - preprod-atlantis + - prod-atlantis diff --git a/values/atlantis/prod/kustomization.yaml b/values/atlantis/prod/kustomization.yaml index 95fe2fdd..f0e148c2 100644 --- a/values/atlantis/prod/kustomization.yaml +++ b/values/atlantis/prod/kustomization.yaml @@ -1,7 +1,7 @@ generatorOptions: disableNameSuffixHash: true configMapGenerator: -- name: preprod-atlantis-appsettings +- name: prod-atlantis-appsettings files: - appsettings.json patches: diff --git a/values/atlantis/prod/pubsub.yaml b/values/atlantis/prod/pubsub.yaml index 201a17f5..b7aeda01 100644 --- a/values/atlantis/prod/pubsub.yaml +++ b/values/atlantis/prod/pubsub.yaml @@ -12,7 +12,7 @@ spec: value: user - name: password secretKeyRef: - name: preprod-atlantis-rabbitmq + name: prod-atlantis-rabbitmq key: rabbitmq-password - name: protocol value: amqp diff --git a/values/atlantis/prod/rbac.yaml b/values/atlantis/prod/rbac.yaml index 47492b73..772c7a95 100644 --- a/values/atlantis/prod/rbac.yaml +++ b/values/atlantis/prod/rbac.yaml 
@@ -1,13 +1,13 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: preprod-atlantis + name: prod-atlantis namespace: prod-atlantis rules: - apiGroups: - "" resourceNames: - - preprod-atlantis-appsettings + - prod-atlantis-appsettings resources: - configmaps verbs: @@ -17,7 +17,7 @@ rules: - "" resourceNames: - azure-keyvault - - preprod-atlantis-redis + - prod-atlantis-redis resources: - secrets verbs: @@ -27,13 +27,13 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: preprod-atlantis + name: prod-atlantis namespace: prod-atlantis roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: preprod-atlantis + name: prod-atlantis subjects: - kind: ServiceAccount - name: preprod-atlantis + name: prod-atlantis namespace: prod-atlantis diff --git a/values/atlantis/prod/redis.yaml b/values/atlantis/prod/redis.yaml index 74968ac1..f9ca65a9 100644 --- a/values/atlantis/prod/redis.yaml +++ b/values/atlantis/prod/redis.yaml @@ -9,7 +9,7 @@ auth: password: "" usePasswordFiles: false existingSecretPasswordKey: "" - existingSecret: preprod-atlantis-redis + existingSecret: prod-atlantis-redis master: resources: diff --git a/values/atlantis/prod/secrets.yaml b/values/atlantis/prod/secrets.yaml index fbf3b560..a956c207 100644 --- a/values/atlantis/prod/secrets.yaml +++ b/values/atlantis/prod/secrets.yaml @@ -4,6 +4,6 @@ metadata: annotations: kyverno/clone: "true" kyverno/env: "prod" - name: preprod-atlantis-rabbitmq + name: prod-atlantis-rabbitmq type: Opaque data: diff --git a/values/atlantis/prod/statestore.yaml b/values/atlantis/prod/statestore.yaml index 34145fe5..beb6ee64 100644 --- a/values/atlantis/prod/statestore.yaml +++ b/values/atlantis/prod/statestore.yaml 
@@ -7,16 +7,16 @@ spec: version: v1 metadata: - name: redisHost - value: preprod-atlantis-redis-master:6379 + value: prod-atlantis-redis-master:6379 - name: redisUsername value: default - name: redisPassword secretKeyRef: - name: preprod-atlantis-redis + name: prod-atlantis-redis key: redis-password - name: actorStateStore value: "true" - name: redisDB value: "0" scopes: - - preprod-atlantis + - prod-atlantis diff --git a/values/atlantis/prod/subscriptions.yaml b/values/atlantis/prod/subscriptions.yaml index 102e4809..d0d0dcce 100644 --- a/values/atlantis/prod/subscriptions.yaml +++ b/values/atlantis/prod/subscriptions.yaml @@ -10,7 +10,7 @@ spec: metadata: queueType: quorum scopes: -- preprod-atlantis +- prod-atlantis --- apiVersion: dapr.io/v2alpha1 kind: Subscription @@ -24,4 +24,4 @@ spec: metadata: queueType: quorum scopes: -- preprod-atlantis +- prod-atlantis diff --git a/values/atlantis/values-prod.yaml b/values/atlantis/values-prod.yaml index b2766650..03b77b94 100644 --- a/values/atlantis/values-prod.yaml +++ b/values/atlantis/values-prod.yaml @@ -1,16 +1,16 @@ -replicaCount: 1 +replicaCount: 2 image: - tag: v2.97.0 + tag: v2.97.5 podAnnotations: - dapr.io/app-id: "preprod-atlantis" + dapr.io/app-id: "prod-atlantis" env: - name: APP_NAMESPACE value: prod-atlantis - name: APP_VERSION - value: "2.94.0" + value: "2.97.4" - name: LOG_LEVEL value: "2" - name: REDIS_USER @@ -18,22 +18,21 @@ env: - name: REDIS_PASSWORD valueFrom: secretKeyRef: - name: preprod-atlantis-redis + name: prod-atlantis-redis key: redis-password - name: DB_HOST - value: prod-archmeister-rw.atlantis - #value: preprod-atlantis-db-rw + value: prod-atlantis-db-rw - name: DB_PORT value: "5432" - name: DB_USER valueFrom: secretKeyRef: - name: preprod-atlantis-db-superuser + name: prod-atlantis-db-superuser key: username - name: DB_PASSWORD valueFrom: secretKeyRef: - name: preprod-atlantis-db-superuser + name: prod-atlantis-db-superuser key: password - name: DAPR_API_TOKEN valueFrom: 
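Review bot: In values-prod.yaml the image tag is bumped to `v2.97.5` while `APP_VERSION` is set to `"2.97.4"` in the same hunk; one of the two is stale, and a mismatched APP_VERSION misreports the running build in logs and telemetry. Align them, e.g. `value: "2.97.5"`. In the second hunk `DB_HOST` moves from `prod-archmeister-rw.atlantis` (a cluster in another namespace) to `prod-atlantis-db-rw` and the commented-out preprod line is deleted; a one-line comment such as `# dedicated prod-atlantis DB cluster (replaces the shared prod-archmeister in namespace atlantis)` would preserve that history. The `env:` list continues past the end of the hunk.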
@@ -47,7 +46,7 @@ ingress: cert-manager.io/cluster-issuer: letsencrypt-production nginx.ingress.kubernetes.io/proxy-buffer-size: 128k hosts: - - host: maps.beta.oceanbox.io + - host: maps.oceanbox.io paths: - path: / pathType: ImplementationSpecific @@ -66,16 +65,16 @@ ingress: pathType: ImplementationSpecific tls: - hosts: - - maps.beta.oceanbox.io + - maps.oceanbox.io secretName: prod-atlantis-tls cluster: instances: 2 bootstrap: - enabled: true + enabled: false source: - db: prod-archmeister - namespace: atlantis + db: prod-atlantis-db + namespace: prod-atlantis resources: limits: diff --git a/values/sorcerer/prod/appsettings.json b/values/sorcerer/prod/appsettings.json index 44c6815d..25e9e5c4 100644 --- a/values/sorcerer/prod/appsettings.json +++ b/values/sorcerer/prod/appsettings.json @@ -1,11 +1,12 @@ { "oidc": { - "issuer": "https://idp.oceanbox.io/dex", - "authorization_endpoint": "https://idp.oceanbox.io/dex/auth", - "token_endpoint": "https://idp.oceanbox.io/dex/token", - "jwks_uri": "https://idp.oceanbox.io/dex/keys", - "userinfo_endpoint": "https://idp.oceanbox.io/dex/userinfo", - "device_authorization_endpoint": "https://idp.oceanbox.io/dex/device/code", + "issuer": "https://auth.oceanbox.io/realms/oceanbox", + "authorization_endpoint": "https://auth.oceanbox.io/realms/oceanbox/protocol/openid-connect/auth", + "token_endpoint": "https://auth.oceanbox.io/realms/oceanbox/protocol/openid-connect/token", + "jwks_uri": "https://auth.oceanbox.io/realms/oceanbox/protocol/openid-connect/certs", + "userinfo_endpoint": "https://auth.oceanbox.io/realms/oceanbox/protocol/openid-connect/userinfo", + "end_session_endpoint": "https://auth.oceanbox.io/realms/oceanbox/protocol/openid-connect/logout", + "device_authorization_endpoint": "https://auth.oceanbox.io/realms/oceanbox/protocol/openid-connect/auth/device", "clientId": "sorcerer", "clientSecret": "", "scopes": [ 
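Review bot: With `bootstrap.enabled: false` the `source:` stanza in the second hunk is inert, but it now names `prod-atlantis-db` in `prod-atlantis`, which judging from `DB_HOST: prod-atlantis-db-rw` earlier in the file appears to be the cluster itself rather than the `prod-archmeister` it was previously seeded from; re-enabling bootstrap later would point the clone at its own target. Either keep the original source or annotate the stanza, e.g. `# bootstrap already completed from prod-archmeister/atlantis; source kept only as a re-seed placeholder`. The `cluster:` block continues after the hunk.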
@@ -24,33 +25,43 @@ "sso": { "cookieDomain": ".oceanbox.io", "cookieName": ".obx.prod", - "signedOutRedirectUri": "https://idp.oceanbox.io/dex/static/logout.html", + "signedOutRedirectUri": "https://maps.oceanbox.io", "realm": "atlantis", "environment": "prod", - "keyStore": "azure", - "certStore": "https://atlantis.blob.core.windows.net", - "dataProtectionKeys": "https://atlantisvault.vault.azure.net/keys/dataprotection" + "keyStore": { + "kind": "azure", + "uri": "https://atlantis.blob.core.windows.net", + "key": "dataprotection-keys" + }, + "keyVault": { + "kind": "azure", + "uri": "https://atlantisvault.vault.azure.net", + "key": "dataencryption-keys" + } }, "plainAuthUsers": [], "fga": { "apiUrl": "https://openfga.srv.oceanbox.io", "apiKey": "", - "storeId": "01J6C1NBX36E1B928HFSB123XQ", - "modelId": "01JHMSEB0WJGHGNAZ47NVW8Z3A" + "storeId": "01JH65JAW80D06GYBN7A8TBZRG", + "modelId": "" }, "redis": "localhost:6379,user=default,password=secret", "allowedOrigins": [ "http://localhost:8085", "http://localhost:8080", "https://localhost:8080", + "https://sorcerer.data.oceanbox.io", + "https://sorcerer.ekman.oceanbox.io", "https://sorcerer.local.oceanbox.io:8080", "https://atlantis.local.oceanbox.io:8080", "https://maps.oceanbox.io", - "https://atlantis.srv.oceanbox.io", + "https://maps.beta.oceanbox.io", + "https://atlantis.beta.oceanbox.io", "https://jonas-atlantis.dev.oceanbox.io", "https://stig-atlantis.dev.oceanbox.io", - "https://sorcerer.data.oceanbox.io", - "http://sorcerer.data.oceanbox.io" + "https://prod-sorcerer.ekman.oceanbox.io", + "http://prod-sorcerer.ekman.oceanbox.io" ], "appName": "sorcerer", "appEnv": "prod", @@ -59,6 +70,5 @@ "otelCollector": "http://10.255.241.12:4317", "archiveSvc": "https://maps.oceanbox.io", "dataDir": "/data/archives", - "cacheDir": "/data/archives/cache", - "authDomain": "prod" + "cacheDir": "/data/archives/cache" } 
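Review bot: `fga.modelId` becomes `""` after the store change; assuming the usual OpenFGA client behaviour, an empty model id resolves every check against the store's latest authorization model, so a model written later alters prod authorization decisions immediately and check latency increases. Pin it once the prod model exists, `"modelId": "<prod-model-id>"`. In `allowedOrigins`, `http://prod-sorcerer.ekman.oceanbox.io` adds a plain-HTTP origin to the prod CORS allow-list; a non-TLS origin can be impersonated on-path, so keep only the `https://` entry unless there is a documented need. The `keyStore`/`keyVault` restructure also replaces `dataProtectionKeys` with two `key` names (`dataprotection-keys`, `dataencryption-keys`); if the consuming code changed accordingly that is fine, but it is not verifiable from this diff.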
diff --git a/values/sorcerer/prod/redis.yaml b/values/sorcerer/prod/redis.yaml new file mode 100644 index 00000000..f5a82dfe --- /dev/null +++ b/values/sorcerer/prod/redis.yaml @@ -0,0 +1,23 @@ +architecture: replication + +replica: + replicaCount: 2 + +auth: + enabled: true + sentinel: true + password: "" + usePasswordFiles: false + existingSecretPasswordKey: "" + existingSecret: prod-sorcerer-redis + +master: + resources: + limits: + ephemeral-storage: 1024Mi + memory: 192Mi + requests: + cpu: 150m + ephemeral-storage: 50Mi + memory: 128Mi + diff --git a/values/sorcerer/prod/secrets.yaml b/values/sorcerer/prod/secrets.yaml index 6b60d6a2..37307c3e 100644 --- a/values/sorcerer/prod/secrets.yaml +++ b/values/sorcerer/prod/secrets.yaml @@ -1,11 +1,9 @@ -# apiVersion: v1 -# kind: Secret -# metadata: -# annotations: -# kyverno/clone: "true" -# name: prod-sorcerer-env -# type: Opaque -# data: +apiVersion: v1 +kind: Secret +metadata: + name: prod-sorcerer-env +type: Opaque +data: --- apiVersion: v1 kind: Secret diff --git a/values/sorcerer/prod/tracing.yaml b/values/sorcerer/prod/tracing.yaml index e76aa937..4c4c318c 100644 --- a/values/sorcerer/prod/tracing.yaml +++ b/values/sorcerer/prod/tracing.yaml @@ -8,4 +8,4 @@ spec: otel: endpointAddress: "10.255.241.12:4317" protocol: grpc - isSecure: false \ No newline at end of file + isSecure: false diff --git a/values/sorcerer/values-prod.yaml b/values/sorcerer/values-prod.yaml index 1dbb091c..6903162a 100644 --- a/values/sorcerer/values-prod.yaml +++ b/values/sorcerer/values-prod.yaml @@ -1,7 +1,7 @@ -replicaCount: 1 +replicaCount: 2 image: - tag: latest + tag: v4.16.3 podAnnotations: dapr.io/enabled: "true" @@ -18,7 +18,7 @@ podAnnotations: env: - name: APP_VERSION - value: "0.0.0" + value: "4.16.3" - name: LOG_LEVEL value: "2" - name: REDIS_USER @@ -26,7 +26,7 @@ env: - name: REDIS_PASSWORD valueFrom: secretKeyRef: - name: prod-redis + name: prod-sorcerer-redis key: redis-password - name: DAPR_API_TOKEN valueFrom: 
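Review bot: The new redis.yaml sets `auth.sentinel: true` but no `sentinel:` section enabling Sentinel, so that key appears to have no effect in this values file, and `architecture: replication` with `replica.replicaCount: 2` gives the replicas no `resources:` while the master is capped at 192Mi. Confirm whether Sentinel was intended (`sentinel.enabled: true`) and add a `replica.resources` block mirroring `master.resources`; `existingSecret: prod-sorcerer-redis` must also exist in `prod-sorcerer` before the first sync, which this commit does not show. The file ends with a trailing blank line after the last entry.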
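Review bot: In secrets.yaml the now-active `prod-sorcerer-env` Secret leaves `data:` bare, which YAML reads as `null`, and the `kyverno/clone: "true"` annotation present in the commented-out version is dropped; as committed this creates an empty Secret that nothing visible populates. If the contents are injected out of band, write `data: {}` and add `# populated by <injection mechanism>; intentionally empty in git`; if the Kyverno clone was meant to be the source, the annotation needs to come back. The second Secret in this file begins after the hunk.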
@@ -42,7 +42,6 @@ ingress: nginx.ingress.kubernetes.io/session-cookie-name: "http-affinity" nginx.ingress.kubernetes.io/session-cookie-expires: "86400" nginx.ingress.kubernetes.io/session-cookie-max-age: "86400" - atlantis.oceanbox.io/expose: internal hosts: - host: sorcerer.data.oceanbox.io paths:
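Review bot: Dropping `atlantis.oceanbox.io/expose: internal` from the sorcerer ingress annotations changes the exposure of `sorcerer.data.oceanbox.io`: whatever consumes that annotation (its name suggests an internal-only gate) will now treat the host as externally reachable, and nothing else in the hunk compensates. If public exposure is the intent of the prod cut-over, state it next to `hosts:` (`# intentionally public as of <date/ticket>`) or in the commit message; if not, the annotation should stay. The `ingress:` block starts before the hunk.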