Merge branch 'nixidy' of gitlab.com:oceanbox/manifests into nixidy

apps/prod-atlantis.yaml

@@ -1,7 +1,7 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: preprod-atlantis
+  name: prod-atlantis
   namespace: argocd
   annotations:
     argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
@@ -25,7 +25,7 @@ spec:
       - name: env
         string: prod
       - name: hostname
-        string: maps.beta.oceanbox.io
+        string: maps.oceanbox.io
   - repoURL: https://charts.bitnami.com/bitnami
     targetRevision: 20.1.7
     chart: redis
@@ -40,7 +40,7 @@ spec:
         - '.metadata.labels'
         - '.metadata.annotations'
     - kind: Secret
-      name: preprod-atlantis-rabbitmq
+      name: prod-atlantis-rabbitmq
       jqPathExpressions:
         - '.data'
         - '.metadata.labels'

apps/prod-sorcerer.yaml

@@ -3,18 +3,21 @@ kind: Application
 metadata:
   name: prod-sorcerer
   namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
 spec:
-  template:
-    metadata:
-      name: prod-sorcerer
-    spec:
-      project: atlantis
   destination:
-        namespace: sorcerer
+    namespace: prod-sorcerer
     server: https://10.255.241.99:4443
+  project: atlantis
   sources:
   - repoURL: https://gitlab.com/oceanbox/manifests.git
-        targetRevision: main
+    targetRevision: nixidy
+    ref: values
+  - repoURL: https://gitlab.com/oceanbox/manifests.git
+    targetRevision: nixidy
     path: values/sorcerer
     plugin:
       name: kustomize-helm-with-rewrite
@@ -23,9 +26,29 @@ spec:
         string: prod
       - name: hostname
         string: sorcerer.data.oceanbox.io
-  templatePatch: |
+  - repoURL: https://charts.bitnami.com/bitnami
-    spec:
+    targetRevision: 20.1.7
+    chart: redis
+    helm:
+      valueFiles:
+      - $values/values/sorcerer/prod/redis.yaml
+  ignoreDifferences:
+    - kind: Secret
+      name: azure-keyvault
+      jqPathExpressions:
+        - '.data'
+        - '.metadata.labels'
+        - '.metadata.annotations'
+    - kind: Secret
+      name: prod-atlantis-rabbitmq
+      jqPathExpressions:
+        - '.data'
+        - '.metadata.labels'
+        - '.metadata.annotations'
   syncPolicy:
-        automated:
+    syncOptions:
-          prune: true
+      - CreateNamespace=true
-          selfHeal: false
+      - ApplyOutOfSyncOnly=true
+    # automated:
+    #   prune: true
+    #   selfHeal: false

charts/atlantis/templates/secrets.yaml

@@ -11,6 +11,7 @@ data:
   username:
   password:
 {{- else }}
+{{- if .Values.cluster.bootstrap.enabled }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -34,3 +35,4 @@ data:
   ca.crt: ""
   ca.key: ""
 {{- end }}
+{{- end }}

policies/oceanbox/kyverno/sync-archmaester-secrets.yaml

@@ -1,46 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
-  name: sync-prod-archmaester-replication-secrets
-spec:
-  background: true
-  generateExisting: false
-  rules:
-  - name: sync-archmaester-ca
-    generate:
-      apiVersion: v1
-      kind: Secret
-      name: prod-archmeister-ca
-      namespace: '{{ request.object.metadata.namespace }}'
-      synchronize: true
-      clone:
-        namespace: atlantis
-        name: prod-archmeister-ca
-    match:
-     any:
-     - resources:
-         kinds:
-         - Secret
-         names:
-         - prod-archmeister-ca
-         annotations:
-           kyverno/clone: "true"
-  - name: sync-archmaester-replication
-    generate:
-      apiVersion: v1
-      kind: Secret
-      name: prod-archmeister-replication
-      namespace: '{{ request.object.metadata.namespace }}'
-      synchronize: true
-      clone:
-        namespace: atlantis
-        name: prod-archmeister-replication
-    match:
-     any:
-     - resources:
-         kinds:
-         - Secret
-         names:
-         - prod-archmeister-replication
-         annotations:
-           kyverno/clone: "true"

policies/oceanbox/kyverno/sync-atlantis-secrets.yaml

@@ -128,3 +128,41 @@ spec:
       - resources:
           annotations:
             vcluster.loft.sh/controlled-by: secret/v1/GenericImport
+  - name: sync-atlantis-db-ca
+    generate:
+      apiVersion: v1
+      kind: Secret
+      name: prod-atlantis-db-ca
+      namespace: '{{ request.object.metadata.namespace }}'
+      synchronize: true
+      clone:
+        namespace: prod-atlantis
+        name: prod-atlantis-db-ca
+    match:
+     any:
+     - resources:
+         kinds:
+         - Secret
+         names:
+         - prod-atlantis-db-ca
+         annotations:
+           kyverno/clone: "true"
+  - name: sync-atlantis-db-replication
+    generate:
+      apiVersion: v1
+      kind: Secret
+      name: prod-atlantis-db-replication
+      namespace: '{{ request.object.metadata.namespace }}'
+      synchronize: true
+      clone:
+        namespace: prod-atlantis
+        name: prod-atlantis-db-replication
+    match:
+     any:
+     - resources:
+         kinds:
+         - Secret
+         names:
+         - prod-atlantis-db-replication
+         annotations:
+           kyverno/clone: "true"

values/atlantis/prod/appsettings.json

@@ -53,10 +53,10 @@
             "roles": [ "admin" ]
         }
     ],
-    "redis": "preprod-atlantis-redis-master:6379",
+    "redis": "prod-atlantis-redis-master:6379",
     "objectStore": "https://atlantis.blob.core.windows.net",
     "connString": "Username=postgres;Password=secret;Host=localhost;Port=5432;Database=app;Pooling=true;",
-    "sorcerer" : "https://sorcerer.ekman.oceanbox.io",
+    "sorcerer" : "https://sorcerer.data.oceanbox.io",
     "allowedOrigins": [
         "https://maps.oceanbox.io",
         "https://maps.beta.oceanbox.io",

values/atlantis/prod/bindings.yaml

@@ -8,10 +8,10 @@ spec:
   metadata:
   - name: host
     secretKeyRef:
-      name: preprod-atlantis-rabbitmq
+      name: prod-atlantis-rabbitmq
       key:  connString
   - name: queueName
-    value: preprod-slurm-job-events
+    value: prod-slurm-job-events
   - name: durable
     value: true
   - name: contentType
@@ -19,4 +19,4 @@ spec:
   - name: route
     value: /events/slurm
 scopes:
-  - preprod-atlantis
+  - prod-atlantis

values/atlantis/prod/configurations.yaml

@@ -7,14 +7,14 @@ spec:
   version: v1
   metadata:
   - name: redisHost
-    value: preprod-atlantis-redis-master:6379
+    value: prod-atlantis-redis-master:6379
   - name: redisUsername
     value: default
   - name: redisPassword
     secretKeyRef:
-      name: preprod-atlantis-redis
+      name: prod-atlantis-redis
       key:  redis-password
   - name: redisDB
     value: "1"
 scopes:
-  - preprod-atlantis
+  - prod-atlantis

values/atlantis/prod/kustomization.yaml

@@ -1,7 +1,7 @@
 generatorOptions:
   disableNameSuffixHash: true
 configMapGenerator:
-- name: preprod-atlantis-appsettings
+- name: prod-atlantis-appsettings
   files:
     - appsettings.json
 patches:

values/atlantis/prod/pubsub.yaml

@@ -12,7 +12,7 @@ spec:
     value: user
   - name: password
     secretKeyRef:
-      name: preprod-atlantis-rabbitmq
+      name: prod-atlantis-rabbitmq
       key:  rabbitmq-password
   - name: protocol
     value: amqp

values/atlantis/prod/rbac.yaml

@@ -1,13 +1,13 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  name: preprod-atlantis
+  name: prod-atlantis
   namespace: prod-atlantis
 rules:
 - apiGroups:
   - ""
   resourceNames:
-  - preprod-atlantis-appsettings
+  - prod-atlantis-appsettings
   resources:
   - configmaps
   verbs:
@@ -17,7 +17,7 @@ rules:
   - ""
   resourceNames:
   - azure-keyvault
-  - preprod-atlantis-redis
+  - prod-atlantis-redis
   resources:
   - secrets
   verbs:
@@ -27,13 +27,13 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  name: preprod-atlantis
+  name: prod-atlantis
   namespace: prod-atlantis
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
-  name: preprod-atlantis
+  name: prod-atlantis
 subjects:
 - kind: ServiceAccount
-  name: preprod-atlantis
+  name: prod-atlantis
   namespace: prod-atlantis

values/atlantis/prod/redis.yaml

@@ -9,7 +9,7 @@ auth:
   password: ""
   usePasswordFiles: false
   existingSecretPasswordKey: ""
-  existingSecret: preprod-atlantis-redis
+  existingSecret: prod-atlantis-redis
 
 master:
   resources:

values/atlantis/prod/secrets.yaml

@@ -4,6 +4,6 @@ metadata:
   annotations:
     kyverno/clone: "true"
     kyverno/env: "prod"
-  name: preprod-atlantis-rabbitmq
+  name: prod-atlantis-rabbitmq
 type: Opaque
 data:

values/atlantis/prod/statestore.yaml

@@ -7,16 +7,16 @@ spec:
   version: v1
   metadata:
   - name: redisHost
-    value: preprod-atlantis-redis-master:6379
+    value: prod-atlantis-redis-master:6379
   - name: redisUsername
     value: default
   - name: redisPassword
     secretKeyRef:
-      name: preprod-atlantis-redis
+      name: prod-atlantis-redis
       key:  redis-password
   - name: actorStateStore
     value: "true"
   - name: redisDB
     value: "0"
 scopes:
-  - preprod-atlantis
+  - prod-atlantis

values/atlantis/prod/subscriptions.yaml

@@ -10,7 +10,7 @@ spec:
   metadata:
     queueType: quorum
 scopes:
-- preprod-atlantis
+- prod-atlantis
 ---
 apiVersion: dapr.io/v2alpha1
 kind: Subscription
@@ -24,4 +24,4 @@ spec:
   metadata:
     queueType: quorum
 scopes:
-- preprod-atlantis
+- prod-atlantis

values/atlantis/values-prod.yaml

@@ -1,16 +1,16 @@
-replicaCount: 1
+replicaCount: 2
 
 image:
-  tag: v2.97.0
+  tag: v2.97.5
 
 podAnnotations:
-  dapr.io/app-id: "preprod-atlantis"
+  dapr.io/app-id: "prod-atlantis"
 
 env:
   - name: APP_NAMESPACE
     value: prod-atlantis
   - name: APP_VERSION
-    value: "2.94.0"
+    value: "2.97.4"
   - name: LOG_LEVEL
     value: "2"
   - name: REDIS_USER
@@ -18,22 +18,21 @@ env:
   - name: REDIS_PASSWORD
     valueFrom:
       secretKeyRef:
-        name: preprod-atlantis-redis
+        name: prod-atlantis-redis
         key: redis-password
   - name: DB_HOST
-    value: prod-archmeister-rw.atlantis
+    value: prod-atlantis-db-rw
-    #value: preprod-atlantis-db-rw
   - name: DB_PORT
     value: "5432"
   - name: DB_USER
     valueFrom:
       secretKeyRef:
-        name: preprod-atlantis-db-superuser
+        name: prod-atlantis-db-superuser
         key: username
   - name: DB_PASSWORD
     valueFrom:
       secretKeyRef:
-        name: preprod-atlantis-db-superuser
+        name: prod-atlantis-db-superuser
         key: password
   - name: DAPR_API_TOKEN
     valueFrom:
@@ -47,7 +46,7 @@ ingress:
     cert-manager.io/cluster-issuer: letsencrypt-production
     nginx.ingress.kubernetes.io/proxy-buffer-size: 128k
   hosts:
-    - host: maps.beta.oceanbox.io
+    - host: maps.oceanbox.io
       paths:
         - path: /
           pathType: ImplementationSpecific
@@ -66,16 +65,16 @@ ingress:
           pathType: ImplementationSpecific
   tls:
     - hosts:
-       - maps.beta.oceanbox.io
+       - maps.oceanbox.io
       secretName: prod-atlantis-tls
 
 cluster:
   instances: 2
   bootstrap:
-    enabled: true
+    enabled: false
     source:
-      db: prod-archmeister
+      db: prod-atlantis-db
-      namespace: atlantis
+      namespace: prod-atlantis
 
 resources:
   limits:

values/sorcerer/prod/appsettings.json

@@ -1,11 +1,12 @@
 {
     "oidc": {
-        "issuer": "https://idp.oceanbox.io/dex",
+        "issuer": "https://auth.oceanbox.io/realms/oceanbox",
-        "authorization_endpoint": "https://idp.oceanbox.io/dex/auth",
+        "authorization_endpoint": "https://auth.oceanbox.io/realms/oceanbox/protocol/openid-connect/auth",
-        "token_endpoint": "https://idp.oceanbox.io/dex/token",
+        "token_endpoint": "https://auth.oceanbox.io/realms/oceanbox/protocol/openid-connect/token",
-        "jwks_uri": "https://idp.oceanbox.io/dex/keys",
+        "jwks_uri": "https://auth.oceanbox.io/realms/oceanbox/protocol/openid-connect/certs",
-        "userinfo_endpoint": "https://idp.oceanbox.io/dex/userinfo",
+        "userinfo_endpoint": "https://auth.oceanbox.io/realms/oceanbox/protocol/openid-connect/userinfo",
-        "device_authorization_endpoint": "https://idp.oceanbox.io/dex/device/code",
+        "end_session_endpoint": "https://auth.oceanbox.io/realms/oceanbox/protocol/openid-connect/logout",
+        "device_authorization_endpoint": "https://auth.oceanbox.io/realms/oceanbox/protocol/openid-connect/auth/device",
         "clientId": "sorcerer",
         "clientSecret": "",
         "scopes": [
@@ -24,33 +25,43 @@
     "sso": {
         "cookieDomain": ".oceanbox.io",
         "cookieName": ".obx.prod",
-        "signedOutRedirectUri": "https://idp.oceanbox.io/dex/static/logout.html",
+        "signedOutRedirectUri": "https://maps.oceanbox.io",
         "realm": "atlantis",
         "environment": "prod",
-        "keyStore": "azure",
+        "keyStore": {
-        "certStore": "https://atlantis.blob.core.windows.net",
+            "kind": "azure",
-        "dataProtectionKeys": "https://atlantisvault.vault.azure.net/keys/dataprotection"
+            "uri": "https://atlantis.blob.core.windows.net",
+            "key": "dataprotection-keys"
+        },
+        "keyVault": {
+            "kind": "azure",
+            "uri": "https://atlantisvault.vault.azure.net",
+            "key": "dataencryption-keys"
+        }
     },
     "plainAuthUsers": [],
     "fga": {
       "apiUrl": "https://openfga.srv.oceanbox.io",
       "apiKey": "",
-      "storeId": "01J6C1NBX36E1B928HFSB123XQ",
+      "storeId": "01JH65JAW80D06GYBN7A8TBZRG",
-      "modelId": "01JHMSEB0WJGHGNAZ47NVW8Z3A"
+      "modelId": ""
     },
     "redis": "localhost:6379,user=default,password=secret",
     "allowedOrigins": [
         "http://localhost:8085",
         "http://localhost:8080",
         "https://localhost:8080",
+        "https://sorcerer.data.oceanbox.io",
+        "https://sorcerer.ekman.oceanbox.io",
         "https://sorcerer.local.oceanbox.io:8080",
         "https://atlantis.local.oceanbox.io:8080",
         "https://maps.oceanbox.io",
-        "https://atlantis.srv.oceanbox.io",
+        "https://maps.beta.oceanbox.io",
+        "https://atlantis.beta.oceanbox.io",
         "https://jonas-atlantis.dev.oceanbox.io",
         "https://stig-atlantis.dev.oceanbox.io",
-        "https://sorcerer.data.oceanbox.io",
+        "https://prod-sorcerer.ekman.oceanbox.io",
-        "http://sorcerer.data.oceanbox.io"
+        "http://prod-sorcerer.ekman.oceanbox.io"
     ],
     "appName": "sorcerer",
     "appEnv": "prod",
@@ -59,6 +70,5 @@
     "otelCollector": "http://10.255.241.12:4317",
     "archiveSvc": "https://maps.oceanbox.io",
     "dataDir": "/data/archives",
-    "cacheDir": "/data/archives/cache",
+    "cacheDir": "/data/archives/cache"
-    "authDomain": "prod"
 }

values/sorcerer/prod/redis.yaml

@@ -0,0 +1,23 @@
+architecture: replication
+
+replica:
+  replicaCount: 2
+
+auth:
+  enabled: true
+  sentinel: true
+  password: ""
+  usePasswordFiles: false
+  existingSecretPasswordKey: ""
+  existingSecret: prod-sorcerer-redis
+
+master:
+  resources:
+    limits:
+      ephemeral-storage: 1024Mi
+      memory: 192Mi
+    requests:
+      cpu: 150m
+      ephemeral-storage: 50Mi
+      memory: 128Mi
+

values/sorcerer/prod/secrets.yaml

@@ -1,11 +1,9 @@
-# apiVersion: v1
+apiVersion: v1
-# kind: Secret
+kind: Secret
-# metadata:
+metadata:
-#   annotations:
+  name: prod-sorcerer-env
-#     kyverno/clone: "true"
+type: Opaque
-#   name: prod-sorcerer-env
+data:
-# type: Opaque
-# data:
 ---
 apiVersion: v1
 kind: Secret

values/sorcerer/values-prod.yaml

@@ -1,7 +1,7 @@
-replicaCount: 1
+replicaCount: 2
 
 image:
-  tag: latest
+  tag: v4.16.3
 
 podAnnotations:
   dapr.io/enabled: "true"
@@ -18,7 +18,7 @@ podAnnotations:
 
 env:
   - name: APP_VERSION
-    value: "0.0.0"
+    value: "4.16.3"
   - name: LOG_LEVEL
     value: "2"
   - name: REDIS_USER
@@ -26,7 +26,7 @@ env:
   - name: REDIS_PASSWORD
     valueFrom:
       secretKeyRef:
-        name: prod-redis
+        name: prod-sorcerer-redis
         key: redis-password
   - name: DAPR_API_TOKEN
     valueFrom:
@@ -42,7 +42,6 @@ ingress:
     nginx.ingress.kubernetes.io/session-cookie-name: "http-affinity"
     nginx.ingress.kubernetes.io/session-cookie-expires: "86400"
     nginx.ingress.kubernetes.io/session-cookie-max-age: "86400"
-    atlantis.oceanbox.io/expose: internal
   hosts:
     - host: sorcerer.data.oceanbox.io
       paths: