diff --git a/values/sorcerer/base/deployment_patch.yaml b/values/sorcerer/base/deployment_patch.yaml index c8368399..a042d0c6 100644 --- a/values/sorcerer/base/deployment_patch.yaml +++ b/values/sorcerer/base/deployment_patch.yaml @@ -1,9 +1,11 @@ - op: replace path: /spec/template/spec/containers/0/livenessProbe/httpGet/path value: /healthz + - op: replace path: /spec/template/spec/containers/0/readinessProbe/httpGet/path value: /healthz + - op: add path: /spec/template/spec/containers/0/envFrom - value: [] + value: [] \ No newline at end of file diff --git a/values/sorcerer/base/kustomization.yaml b/values/sorcerer/base/kustomization.yaml index 5c9e9679..aaf4a779 100644 --- a/values/sorcerer/base/kustomization.yaml +++ b/values/sorcerer/base/kustomization.yaml @@ -7,4 +7,4 @@ patches: kind: Deployment path: deployment_patch.yaml resources: - - _manifest.yaml + - _manifest.yaml \ No newline at end of file diff --git a/values/sorcerer/prod/appsettings.json b/values/sorcerer/prod/appsettings.json index 1cea0a95..565ff172 100644 --- a/values/sorcerer/prod/appsettings.json +++ b/values/sorcerer/prod/appsettings.json 
@@ -1,28 +1,58 @@ { + "oidc": { + "issuer": "https://idp.oceanbox.io/dex", + "authorization_endpoint": "https://idp.oceanbox.io/dex/auth", + "token_endpoint": "https://idp.oceanbox.io/dex/token", + "jwks_uri": "https://idp.oceanbox.io/dex/keys", + "userinfo_endpoint": "https://idp.oceanbox.io/dex/userinfo", + "device_authorization_endpoint": "https://idp.oceanbox.io/dex/device/code", + "clientId": "sorcerer", + "clientSecret": "", + "scopes": [ + "openid", + "email", + "offline_access", + "profile" + ] + }, "sso": { "cookieDomain": ".oceanbox.io", + "cookieName": ".obx.prod", "signedOutRedirectUri": "https://idp.oceanbox.io/dex/static/logout.html", - "redis": "10.255.241.201:30379,user=default,password=secret", - "appDomain": "atlantis", - "dataProtectionKeys": "DataProtection-Keys" + "realm": "atlantis", + "environment": "prod", + "keyStore": "azure", + "certStore": "https://atlantis.blob.core.windows.net", + "dataProtectionKeys": "https://atlantisvault.vault.azure.net/keys/dataprotection" }, + "plainAuthUsers": [], + "fga": { + "apiUrl": "https://openfga.srv.oceanbox.io", + "apiKey": "", + "storeId": "01J6C1NBX36E1B928HFSB123XQ", + "modelId": "01JEK1NC93GXA8TKGK6FB5CG3X" + }, + "redis": "localhost:6379,user=default,password=secret", "allowedOrigins": [ "http://localhost:8085", "http://localhost:8080", "https://localhost:8080", + "https://sorcerer.local.oceanbox.io:8080", + "https://atlantis.local.oceanbox.io:8080", "https://maps.oceanbox.io", "https://atlantis.srv.oceanbox.io", - "https://maps.relic.oceanbox.io", - "https://atlantis.beta.oceanbox.io", - "https://atlantis.dev.oceanbox.io", - "https://atlantis.local.oceanbox.io:8080", "https://jonas-atlantis.dev.oceanbox.io", "https://stig-atlantis.dev.oceanbox.io", - "https://simkir-atlantis.dev.oceanbox.io" + "https://sorcerer.data.oceanbox.io", + "http://sorcerer.data.oceanbox.io" ], - "archiveSvc": "https://archmeister.srv.oceanbox.io", + "appName": "sorcerer", + "appEnv": "prod", + "appNamespace": 
"prod-sorcerer", + "appVersion": "0.0.0", + "otelCollector": "http://10.255.241.12:4317", + "archiveSvc": "https://maps.oceanbox.io", + "dataDir": "/data/archives", "cacheDir": "/data/archives/cache", - "logService" : "https://seq.adm.oceanbox.io", - "logApiKey": "", - "deployEnv": "prod" + "authDomain": "prod" } diff --git a/values/sorcerer/prod/archives-ceph-volume.yaml b/values/sorcerer/prod/archives-ceph-volume.yaml deleted file mode 100644 index c958850f..00000000 --- a/values/sorcerer/prod/archives-ceph-volume.yaml +++ /dev/null @@ -1,37 +0,0 @@ -apiVersion: v1 -kind: PersistentVolume -metadata: - name: pv-prod-ceph-archives -spec: - accessModes: - - ReadWriteMany - capacity: - storage: 1Gi - csi: - driver: rook-ceph.cephfs.csi.ceph.com - nodeStageSecretRef: - name: rook-csi-cephfs-node - namespace: rook-ceph - volumeAttributes: - fsName: data - clusterID: rook-ceph - staticVolume: "true" - rootPath: / - volumeHandle: pv-prod-ceph-archives - persistentVolumeReclaimPolicy: Retain - volumeMode: Filesystem ---- -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: prod-ceph-archives - namespace: sorcerer -spec: - accessModes: - - ReadWriteMany - resources: - requests: - storage: 1Gi - storageClassName: "" - volumeMode: Filesystem - volumeName: pv-prod-ceph-archives diff --git a/values/sorcerer/prod/configurations.yaml b/values/sorcerer/prod/configurations.yaml new file mode 100644 index 00000000..8b567bc1 --- /dev/null +++ b/values/sorcerer/prod/configurations.yaml @@ -0,0 +1,20 @@ +apiVersion: dapr.io/v1alpha1 +kind: Component +metadata: + name: configstore +spec: + type: configuration.redis + version: v1 + metadata: + - name: redisHost + value: prod-redis-master:6379 + - name: redisUsername + value: default + - name: redisPassword + secretKeyRef: + name: prod-redis + key: redis-password + - name: redisDB + value: "2" +scopes: + - sorcerer \ No newline at end of file 
diff --git a/values/sorcerer/prod/deployment_patch.yaml b/values/sorcerer/prod/deployment_patch.yaml index ff47fa63..679c9494 100644 --- a/values/sorcerer/prod/deployment_patch.yaml +++ b/values/sorcerer/prod/deployment_patch.yaml @@ -2,42 +2,12 @@ path: /spec/template/spec/containers/0/volumeMounts/0/mountPath value: /data - op: add - path: /spec/template/spec/containers/0/volumeMounts/- + path: /spec/template/spec/containers/0/envFrom/- value: - mountPath: /backup/archives - name: backup -- op: add - path: /spec/template/spec/volumes/- - value: - name: backup - persistentVolumeClaim: - claimName: prod-oceanbox-backup-archives -- op: replace - path: /spec/template/spec/containers/0/env/0 - value: - name: LOG_LEVEL - value: "3" -- op: add - path: /spec/template/spec/containers/0/env/- - value: - name: REDIS_USER - value: default -- op: add - path: /spec/template/spec/containers/0/env/- - value: - name: REDIS_PASSWORD - valueFrom: - secretKeyRef: - name: prod-redis - key: redis-password -- op: add - path: /spec/template/spec/containers/0/env/- - value: - name: ARCHMEISTER_AUTH - value: "admin:en-to-tre-fire" + secretRef: + name: azure-keyvault - op: add path: /spec/template/spec/containers/0/envFrom/- value: secretRef: - name: prod-sorcerer-env - + name: prod-sorcerer-env \ No newline at end of file diff --git a/values/sorcerer/prod/keyvault.yaml b/values/sorcerer/prod/keyvault.yaml new file mode 100644 index 00000000..a8b2ce2a --- /dev/null +++ b/values/sorcerer/prod/keyvault.yaml 
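Review bot: The first new `envFrom` entry injects the entire `azure-keyvault` Secret into the application container, and keyvault.yaml shows that Secret holds `AZURE_TENANT_ID`, `AZURE_CLIENT_ID` and `AZURE_CLIENT_SECRET`; the Dapr sidecar already consumes the same Secret through `secretKeyRef`, so the app container only needs it if it calls Key Vault directly (the `dataProtectionKeys` vault URL in appsettings.json suggests it does), and a comment above the op naming that code path would stop a later cleanup from removing one of the two consumers. The op whose `path` line opens this hunk begins outside it. The removed `ARCHMEISTER_AUTH` literal (here and in staging/deployment_patch.yaml) and the `SEQ_APIKEY` in the deleted staging/default.env remain in git history and should be treated as exposed and rotated independently of this change. staging/deployment_patch.yaml mirrors this hunk.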
@@ -0,0 +1,22 @@ +apiVersion: dapr.io/v1alpha1 +kind: Component +metadata: + name: azure-keyvault +spec: + type: secretstores.azure.keyvault + version: v1 + metadata: + - name: vaultName + value: atlantisvault + - name: azureTenantId + secretKeyRef: + name: azure-keyvault + key: AZURE_TENANT_ID + - name: azureClientId + secretKeyRef: + name: azure-keyvault + key: AZURE_CLIENT_ID + - name: azureClientSecret + secretKeyRef: + name: azure-keyvault + key: AZURE_CLIENT_SECRET \ No newline at end of file diff --git a/values/sorcerer/prod/kustomization.yaml b/values/sorcerer/prod/kustomization.yaml index 72f4e964..1bb40a9a 100644 --- a/values/sorcerer/prod/kustomization.yaml +++ b/values/sorcerer/prod/kustomization.yaml @@ -4,10 +4,6 @@ configMapGenerator: - name: prod-sorcerer-appsettings files: - appsettings.json -secretGenerator: -- name: prod-sorcerer-env - envs: - - default.env patches: - target: group: apps @@ -15,6 +11,13 @@ patches: kind: Deployment path: deployment_patch.yaml resources: -- archives-ceph-volume.yaml -- archives-backup-volume.yaml - ../base +- pv.yaml +- pvc.yaml +- secrets.yaml +- configurations.yaml +- keyvault.yaml +- rbac.yaml +- secretstore.yaml +- statestore.yaml +- tracing.yaml \ No newline at end of file diff --git a/values/sorcerer/prod/pv.yaml b/values/sorcerer/prod/pv.yaml index d33c9b63..65a11379 100644 --- a/values/sorcerer/prod/pv.yaml +++ b/values/sorcerer/prod/pv.yaml 
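Review bot: The `secretstores.azure.keyvault` component authenticates with a long-lived service-principal secret (`azureClientSecret` from the `azure-keyvault` Secret); Dapr's Azure authentication also supports managed identity or workload identity when the client-secret entry is omitted, which would take a rotatable credential out of the cluster altogether and is worth considering if the pod identity can be federated to the tenant. If the client secret stays, note that the same Secret is also consumed by the app container via `envFrom` in deployment_patch.yaml, so a rotation must cover both consumers. staging/keyvault.yaml is byte-identical (same blob `a8b2ce2a`) and points at the same `atlantisvault`, so staging and prod share one principal and one vault; a separate principal per environment keeps a staging compromise from reaching prod keys.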
@@ -1,40 +1,22 @@ -# apiVersion: v1 -# kind: PersistentVolume -# metadata: -# name: pv-prod-oceanbox-archives -# spec: -# accessModes: -# - ReadWriteMany -# capacity: -# storage: 300T -# mountOptions: -# - vers=4.2 -# - rdma -# - soft -# nfs: -# path: /data/archives -# server: 10.255.243.80 -# persistentVolumeReclaimPolicy: Retain -# volumeMode: Filesystem ---- apiVersion: v1 kind: PersistentVolume metadata: - name: pv-prod-backup-archives + name: pv-prod-sorcerer-ceph-archives spec: accessModes: - - ReadOnlyMany + - ReadWriteMany capacity: - storage: 400T - local: - path: /backup/archives + storage: 1Gi + csi: + driver: rook-ceph.cephfs.csi.ceph.com + nodeStageSecretRef: + name: rook-csi-cephfs-node + namespace: rook-ceph + volumeAttributes: + clusterID: rook-ceph + fsName: data + rootPath: / + staticVolume: "true" + volumeHandle: pv-prod-sorcerer-ceph-archives persistentVolumeReclaimPolicy: Retain - volumeMode: Filesystem - nodeAffinity: - required: - nodeSelectorTerms: - - matchExpressions: - - key: kubernetes.io/hostname - operator: In - values: - - fs-backup + volumeMode: Filesystem \ No newline at end of file diff --git a/values/sorcerer/prod/pvc.yaml b/values/sorcerer/prod/pvc.yaml index 6ecae545..fb3cc905 100644 --- a/values/sorcerer/prod/pvc.yaml +++ b/values/sorcerer/prod/pvc.yaml 
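Review bot: The new static CephFS volume sets `rootPath: /` on filesystem `data`, so the ReadWriteMany mount the pod receives (at `/data` per deployment_patch.yaml) is the root of the whole shared filesystem rather than the archive directory, and anything else stored on `data` becomes readable and writable from this workload. Pointing `rootPath` at a dedicated subvolume or directory (and adjusting `mountPath`/`dataDir` to match — the old NFS definition used `/data/archives`) keeps the grant to what sorcerer needs. `capacity.storage: 1Gi` is only nominal for a static CSI PV; a comment saying so would save the next reader a double-take. staging/pv.yaml has the same `rootPath: /`.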
@@ -1,32 +1,18 @@ -# apiVersion: v1 -# kind: PersistentVolumeClaim -# metadata: -# name: prod-oceanbox-archives -# spec: -# accessModes: -# - ReadWriteMany -# resources: -# requests: -# storage: 300T -# storageClassName: "" -# volumeMode: Filesystem -# volumeName: pv-prod-oceanbox-archives -# status: -# accessModes: -# - ReadWriteMany -# capacity: -# storage: 300T ---- apiVersion: v1 kind: PersistentVolumeClaim metadata: - name: prod-oceanbox-backup-archives + name: prod-sorcerer-ceph-archives spec: accessModes: - - ReadOnlyMany + - ReadWriteMany resources: requests: - storage: 400T + storage: 1Gi storageClassName: "" volumeMode: Filesystem - volumeName: pv-prod-backup-archives + volumeName: pv-prod-sorcerer-ceph-archives +status: + accessModes: + - ReadWriteMany + capacity: + storage: 1Gi \ No newline at end of file diff --git a/values/sorcerer/prod/rbac.yaml b/values/sorcerer/prod/rbac.yaml new file mode 100644 index 00000000..1b06262f --- /dev/null +++ b/values/sorcerer/prod/rbac.yaml @@ -0,0 +1,39 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: prod-sorcerer + namespace: prod +rules: +- apiGroups: + - "" + resourceNames: + - prod-sorcerer-appsettings + resources: + - configmaps + verbs: + - get + - watch +- apiGroups: + - "" + resourceNames: + - azure-keyvault + - prod-redis + resources: + - secrets + verbs: + - get + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: prod-sorcerer + namespace: prod +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: prod-sorcerer +subjects: +- kind: ServiceAccount + name: prod-sorcerer + namespace: prod \ No newline at end of file diff --git a/values/sorcerer/prod/secrets.yaml b/values/sorcerer/prod/secrets.yaml new file mode 100644 index 00000000..c531c4da --- /dev/null +++ b/values/sorcerer/prod/secrets.yaml 
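Review bot: The added `status:` stanza (`accessModes`, `capacity`) is server-owned and is ignored on create, so it documents nothing the API will honour; remove the five lines. The `storageClassName: ""` plus `volumeName` pair is what actually pins this claim to the static PV, which is correct. staging/pvc.yaml carries the same stanza.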
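Review bot: The Role and RoleBinding pin `namespace: prod`, while secretstore.yaml sets `defaultNamespace: prod-sorcerer` and appsettings.json sets `"appNamespace": "prod-sorcerer"`; unless the kustomization's `namespace` field (outside the hunks shown) rewrites all of these to one value, the sidecar's secret reads would target a namespace this Role does not cover and the grant on `azure-keyvault`/`prod-redis` would be inert. Pick one namespace and either drop the explicit `namespace:` lines so kustomize sets them, or make them agree. Scoping `get`/`watch` to named `configmaps` and `secrets` with `resourceNames` is the right least-privilege shape. staging/rbac.yaml has the same `staging` vs `staging-sorcerer` split.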
@@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Secret +metadata: + annotations: + kyverno/clone: "true" + name: prod-sorcerer-env +type: Opaque +data: +--- +apiVersion: v1 +kind: Secret +metadata: + annotations: + kyverno/clone: "true" + name: azure-keyvault +type: Opaque +data: \ No newline at end of file diff --git a/values/sorcerer/prod/secretstore.yaml b/values/sorcerer/prod/secretstore.yaml new file mode 100644 index 00000000..06559c56 --- /dev/null +++ b/values/sorcerer/prod/secretstore.yaml @@ -0,0 +1,10 @@ +apiVersion: dapr.io/v1alpha1 +kind: Component +metadata: + name: secretstore +spec: + type: secretstores.kubernetes + version: v1 + metadata: + - name: defaultNamespace + value: prod-sorcerer \ No newline at end of file diff --git a/values/sorcerer/prod/statestore.yaml b/values/sorcerer/prod/statestore.yaml new file mode 100644 index 00000000..9ff1325b --- /dev/null +++ b/values/sorcerer/prod/statestore.yaml @@ -0,0 +1,22 @@ +apiVersion: dapr.io/v1alpha1 +kind: Component +metadata: + name: statestore +spec: + type: state.redis + version: v1 + metadata: + - name: redisHost + value: prod-redis-master:6379 + - name: redisUsername + value: default + - name: redisPassword + secretKeyRef: + name: prod-redis + key: redis-password + - name: actorStateStore + value: "true" + - name: redisDB + value: "1" +scopes: + - sorcerer \ No newline at end of file diff --git a/values/sorcerer/prod/tracing.yaml b/values/sorcerer/prod/tracing.yaml new file mode 100644 index 00000000..e76aa937 --- /dev/null +++ b/values/sorcerer/prod/tracing.yaml @@ -0,0 +1,11 @@ +apiVersion: dapr.io/v1alpha1 +kind: Configuration +metadata: + name: tracing +spec: + tracing: + samplingRate: "1" + otel: + endpointAddress: "10.255.241.12:4317" + protocol: grpc + isSecure: false \ No newline at end of file diff --git a/values/sorcerer/staging/appsettings.json b/values/sorcerer/staging/appsettings.json index e31e0ec6..3bde9889 100644 --- a/values/sorcerer/staging/appsettings.json 
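Review bot: Both Secrets end with a bare `data:`, which parses as `null`, and rely on the `kyverno/clone: "true"` annotation to be populated by a policy that is not part of this change; a comment above each naming the source Secret and the Kyverno policy would tell a reader where the real values come from, and `data: {}` is the explicit empty form. Because `prod-sorcerer-env` and `azure-keyvault` are consumed via `envFrom` in deployment_patch.yaml and `secretKeyRef` in keyvault.yaml, the pod would start with empty credentials if the clone has not run — worth confirming the policy synchronises into a pre-existing empty Secret rather than only generating absent ones. staging/secrets.yaml is the same pattern.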
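Review bot: `isSecure: false` exports traces over plaintext gRPC to `10.255.241.12:4317`, and `samplingRate: "1"` sends every request; spans commonly carry URLs, user identifiers and any headers the app records, so if this collector is not inside the same trust boundary as the cluster, enable TLS on the collector and set `isSecure: true`. A prod sampling rate below 1 is also usual once the pipeline is proven, though that is a cost rather than a security call. staging/tracing.yaml is identical (same blob `e76aa937`), which also means staging and prod share one collector endpoint.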
+++ b/values/sorcerer/staging/appsettings.json 
@@ -1,28 +1,57 @@ { + "oidc": { + "issuer": "https://idp.oceanbox.io/dex", + "authorization_endpoint": "https://idp.oceanbox.io/dex/auth", + "token_endpoint": "https://idp.oceanbox.io/dex/token", + "jwks_uri": "https://idp.oceanbox.io/dex/keys", + "userinfo_endpoint": "https://idp.oceanbox.io/dex/userinfo", + "device_authorization_endpoint": "https://idp.oceanbox.io/dex/device/code", + "clientId": "sorcerer_dev", + "clientSecret": "", + "scopes": [ + "openid", + "email", + "offline_access", + "profile" + ] + }, "sso": { "cookieDomain": ".oceanbox.io", + "cookieName": ".obx.staging", "signedOutRedirectUri": "https://idp.oceanbox.io/dex/static/logout.html", - "redis": "10.255.241.201:31379,user=default,password=secret", - "appDomain": "atlantis", - "dataProtectionKeys": "DataProtection-Keys" + "realm": "atlantis", + "environment": "staging", + "keyStore": "azure", + "certStore": "https://atlantis.blob.core.windows.net", + "dataProtectionKeys": "https://atlantisvault.vault.azure.net/keys/dataprotection" }, + "plainAuthUsers": [], + "fga": { + "apiUrl": "https://openfga.dev.oceanbox.io", + "apiKey": "", + "storeId": "01J6C1NBX36E1B928HFSB123XQ", + "modelId": "01JEK1NC93GXA8TKGK6FB5CG3X" + }, + "redis": "localhost:6379,user=default,password=secret", "allowedOrigins": [ "http://localhost:8085", "http://localhost:8080", "https://localhost:8080", - "https://maps.oceanbox.io", - "https://atlantis.srv.oceanbox.io", - "https://atlantis.dev.oceanbox.io", - "https://atlantis.beta.oceanbox.io", + "https://sorcerer.local.oceanbox.io:8080", "https://atlantis.local.oceanbox.io:8080", + "https://atlantis.beta.oceanbox.io", "https://jonas-atlantis.dev.oceanbox.io", "https://stig-atlantis.dev.oceanbox.io", - "https://simkir-atlantis.dev.oceanbox.io" - + "https://staging-sorcerer.ekman.oceanbox.io", + "http://staging-sorcerer.ekman.oceanbox.io" ], - "archiveSvc": "https://archmeister.beta.oceanbox.io", + "appName": "sorcerer", + "appEnv": "staging", + "appNamespace": 
"staging-sorcerer", + "appVersion": "0.0.0", + "otelCollector": "http://10.255.241.12:4317", + "archiveSvc": "https://atlantis.beta.oceanbox.io", + "dataDir": "/data/archives", "cacheDir": "/data/archives/cache", - "logService" : "https://seq.adm.oceanbox.io", - "logApiKey": "", - "deployEnv": "staging" + "authDomain": "staging" } diff --git a/values/sorcerer/staging/archives-ceph-volume.yaml b/values/sorcerer/staging/archives-ceph-volume.yaml deleted file mode 100644 index 86cc517b..00000000 --- a/values/sorcerer/staging/archives-ceph-volume.yaml +++ /dev/null @@ -1,37 +0,0 @@ -apiVersion: v1 -kind: PersistentVolume -metadata: - name: pv-staging-ceph-archives -spec: - accessModes: - - ReadWriteMany - capacity: - storage: 1Gi - csi: - driver: rook-ceph.cephfs.csi.ceph.com - nodeStageSecretRef: - name: rook-csi-cephfs-node - namespace: rook-ceph - volumeAttributes: - fsName: data - clusterID: rook-ceph - staticVolume: "true" - rootPath: / - volumeHandle: pv-staging-ceph-archives - persistentVolumeReclaimPolicy: Retain - volumeMode: Filesystem ---- -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: staging-ceph-archives - namespace: sorcerer -spec: - accessModes: - - ReadWriteMany - resources: - requests: - storage: 1Gi - storageClassName: "" - volumeMode: Filesystem - volumeName: pv-staging-ceph-archives diff --git a/values/sorcerer/staging/configurations.yaml b/values/sorcerer/staging/configurations.yaml new file mode 100644 index 00000000..17aa52bd --- /dev/null +++ b/values/sorcerer/staging/configurations.yaml @@ -0,0 +1,20 @@ +apiVersion: dapr.io/v1alpha1 +kind: Component +metadata: + name: configstore +spec: + type: configuration.redis + version: v1 + metadata: + - name: redisHost + value: staging-redis-master:6379 + - name: redisUsername + value: default + - name: redisPassword + secretKeyRef: + name: staging-redis + key: redis-password + - name: redisDB + value: "2" +scopes: + - sorcerer \ No newline at end of file 
diff --git a/values/sorcerer/staging/default.env b/values/sorcerer/staging/default.env deleted file mode 100644 index 2dfb0bd0..00000000 --- a/values/sorcerer/staging/default.env +++ /dev/null @@ -1 +0,0 @@ -SEQ_APIKEY=7iIXHJukYjSLQDix6CnZ diff --git a/values/sorcerer/staging/deployment_patch.yaml b/values/sorcerer/staging/deployment_patch.yaml index 338805e7..2dbbe044 100644 --- a/values/sorcerer/staging/deployment_patch.yaml +++ b/values/sorcerer/staging/deployment_patch.yaml @@ -2,42 +2,12 @@ path: /spec/template/spec/containers/0/volumeMounts/0/mountPath value: /data - op: add - path: /spec/template/spec/containers/0/volumeMounts/- + path: /spec/template/spec/containers/0/envFrom/- value: - mountPath: /backup/archives - name: backup -- op: add - path: /spec/template/spec/volumes/- - value: - name: backup - persistentVolumeClaim: - claimName: staging-oceanbox-backup-archives -- op: replace - path: /spec/template/spec/containers/0/env/0 - value: - name: LOG_LEVEL - value: "4" -- op: add - path: /spec/template/spec/containers/0/env/- - value: - name: REDIS_USER - value: default -- op: add - path: /spec/template/spec/containers/0/env/- - value: - name: REDIS_PASSWORD - valueFrom: - secretKeyRef: - name: staging-redis - key: redis-password -- op: add - path: /spec/template/spec/containers/0/env/- - value: - name: ARCHMEISTER_AUTH - value: "admin:en-to-tre-fire" + secretRef: + name: azure-keyvault - op: add path: /spec/template/spec/containers/0/envFrom/- value: secretRef: - name: staging-sorcerer-env - + name: staging-sorcerer-env \ No newline at end of file diff --git a/values/sorcerer/staging/keyvault.yaml b/values/sorcerer/staging/keyvault.yaml new file mode 100644 index 00000000..a8b2ce2a --- /dev/null +++ b/values/sorcerer/staging/keyvault.yaml 
@@ -0,0 +1,22 @@ +apiVersion: dapr.io/v1alpha1 +kind: Component +metadata: + name: azure-keyvault +spec: + type: secretstores.azure.keyvault + version: v1 + metadata: + - name: vaultName + value: atlantisvault + - name: azureTenantId + secretKeyRef: + name: azure-keyvault + key: AZURE_TENANT_ID + - name: azureClientId + secretKeyRef: + name: azure-keyvault + key: AZURE_CLIENT_ID + - name: azureClientSecret + secretKeyRef: + name: azure-keyvault + key: AZURE_CLIENT_SECRET \ No newline at end of file diff --git a/values/sorcerer/staging/kustomization.yaml b/values/sorcerer/staging/kustomization.yaml index df82396b..73a0eee5 100644 --- a/values/sorcerer/staging/kustomization.yaml +++ b/values/sorcerer/staging/kustomization.yaml @@ -4,10 +4,6 @@ configMapGenerator: - name: staging-sorcerer-appsettings files: - appsettings.json -secretGenerator: -- name: staging-sorcerer-env - envs: - - default.env patches: - target: group: apps @@ -15,6 +11,13 @@ patches: kind: Deployment path: deployment_patch.yaml resources: -- archives-ceph-volume.yaml -- archives-backup-volume.yaml - ../base +- pv.yaml +- pvc.yaml +- secrets.yaml +- configurations.yaml +- keyvault.yaml +- rbac.yaml +- secretstore.yaml +- statestore.yaml +- tracing.yaml \ No newline at end of file diff --git a/values/sorcerer/staging/pv.yaml b/values/sorcerer/staging/pv.yaml index 50aa6d10..32754745 100644 --- a/values/sorcerer/staging/pv.yaml +++ b/values/sorcerer/staging/pv.yaml 
@@ -1,41 +1,22 @@ -# apiVersion: v1 -# kind: PersistentVolume -# metadata: -# name: pv-staging-oceanbox-archives -# spec: -# accessModes: -# - ReadWriteMany -# capacity: -# storage: 300T -# mountOptions: -# - vers=4.2 -# - rdma -# - soft -# nfs: -# path: /data/archives -# server: 10.255.243.80 -# persistentVolumeReclaimPolicy: Retain -# volumeMode: Filesystem ---- apiVersion: v1 kind: PersistentVolume metadata: - name: pv-staging-backup-archives + name: pv-staging-sorcerer-ceph-archives spec: accessModes: - ReadWriteMany capacity: - storage: 400T - local: - path: /backup/archives + storage: 1Gi + csi: + driver: rook-ceph.cephfs.csi.ceph.com + nodeStageSecretRef: + name: rook-csi-cephfs-node + namespace: rook-ceph + volumeAttributes: + clusterID: rook-ceph + fsName: data + rootPath: / + staticVolume: "true" + volumeHandle: pv-staging-sorcerer-ceph-archives persistentVolumeReclaimPolicy: Retain - volumeMode: Filesystem - nodeAffinity: - required: - nodeSelectorTerms: - - matchExpressions: - - key: kubernetes.io/hostname - operator: In - values: - - fs2 - + volumeMode: Filesystem \ No newline at end of file diff --git a/values/sorcerer/staging/pvc.yaml b/values/sorcerer/staging/pvc.yaml index ccf4510d..2ec9f2e9 100644 --- a/values/sorcerer/staging/pvc.yaml +++ b/values/sorcerer/staging/pvc.yaml 
@@ -1,32 +1,18 @@ -# apiVersion: v1 -# kind: PersistentVolumeClaim -# metadata: -# name: staging-oceanbox-archives -# spec: -# accessModes: -# - ReadWriteMany -# resources: -# requests: -# storage: 300T -# storageClassName: "" -# volumeMode: Filesystem -# volumeName: pv-staging-oceanbox-archives -# status: -# accessModes: -# - ReadWriteMany -# capacity: -# storage: 300T -# --- apiVersion: v1 kind: PersistentVolumeClaim metadata: - name: staging-oceanbox-backup-archives + name: staging-sorcerer-ceph-archives spec: accessModes: - ReadWriteMany resources: requests: - storage: 400T + storage: 1Gi storageClassName: "" volumeMode: Filesystem - volumeName: pv-staging-backup-archives + volumeName: pv-staging-sorcerer-ceph-archives +status: + accessModes: + - ReadWriteMany + capacity: + storage: 1Gi \ No newline at end of file diff --git a/values/sorcerer/staging/rbac.yaml b/values/sorcerer/staging/rbac.yaml new file mode 100644 index 00000000..8a4affbd --- /dev/null +++ b/values/sorcerer/staging/rbac.yaml @@ -0,0 +1,39 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: staging-sorcerer + namespace: staging +rules: +- apiGroups: + - "" + resourceNames: + - staging-sorcerer-appsettings + resources: + - configmaps + verbs: + - get + - watch +- apiGroups: + - "" + resourceNames: + - azure-keyvault + - staging-redis + resources: + - secrets + verbs: + - get + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: staging-sorcerer + namespace: staging +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: staging-sorcerer +subjects: +- kind: ServiceAccount + name: staging-sorcerer + namespace: staging \ No newline at end of file diff --git a/values/sorcerer/staging/secrets.yaml b/values/sorcerer/staging/secrets.yaml new file mode 100644 index 00000000..cff0018a --- /dev/null +++ b/values/sorcerer/staging/secrets.yaml 
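Review bot: The claim is renamed to `staging-sorcerer-ceph-archives`, but values-staging.yaml (last hunk of this diff) still has `existingClaim: staging-ceph-archives`, the PVC defined in the deleted staging/archives-ceph-volume.yaml; unless that claim exists elsewhere, the chart will bind the Deployment to a claim that no longer exists after this commit and the pod will stay Pending. Either update `existingClaim` in values-staging.yaml to the new name or keep the old name here; if a prod values file references `prod-ceph-archives`, it presumably needs the same check. As in prod/pvc.yaml, the `status:` stanza is server-owned and can be dropped.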
@@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Secret +metadata: + annotations: + kyverno/clone: "true" + name: staging-sorcerer-env +type: Opaque +data: +--- +apiVersion: v1 +kind: Secret +metadata: + annotations: + kyverno/clone: "true" + name: azure-keyvault +type: Opaque +data: \ No newline at end of file diff --git a/values/sorcerer/staging/secretstore.yaml b/values/sorcerer/staging/secretstore.yaml new file mode 100644 index 00000000..b1853e99 --- /dev/null +++ b/values/sorcerer/staging/secretstore.yaml @@ -0,0 +1,10 @@ +apiVersion: dapr.io/v1alpha1 +kind: Component +metadata: + name: secretstore +spec: + type: secretstores.kubernetes + version: v1 + metadata: + - name: defaultNamespace + value: staging-sorcerer \ No newline at end of file diff --git a/values/sorcerer/staging/statestore.yaml b/values/sorcerer/staging/statestore.yaml new file mode 100644 index 00000000..1d5beb50 --- /dev/null +++ b/values/sorcerer/staging/statestore.yaml @@ -0,0 +1,22 @@ +apiVersion: dapr.io/v1alpha1 +kind: Component +metadata: + name: statestore +spec: + type: state.redis + version: v1 + metadata: + - name: redisHost + value: staging-redis-master:6379 + - name: redisUsername + value: default + - name: redisPassword + secretKeyRef: + name: staging-redis + key: redis-password + - name: actorStateStore + value: "true" + - name: redisDB + value: "1" +scopes: + - sorcerer \ No newline at end of file diff --git a/values/sorcerer/staging/tracing.yaml b/values/sorcerer/staging/tracing.yaml new file mode 100644 index 00000000..e76aa937 --- /dev/null +++ b/values/sorcerer/staging/tracing.yaml @@ -0,0 +1,11 @@ +apiVersion: dapr.io/v1alpha1 +kind: Configuration +metadata: + name: tracing +spec: + tracing: + samplingRate: "1" + otel: + endpointAddress: "10.255.241.12:4317" + protocol: grpc + isSecure: false \ No newline at end of file diff --git a/values/sorcerer/values-staging.yaml b/values/sorcerer/values-staging.yaml index 538476cf..c8454a64 100644 --- a/values/sorcerer/values-staging.yaml 
+++ b/values/sorcerer/values-staging.yaml @@ -1,6 +1,8 @@ replicaCount: 1 + image: tag: 183dec97-debug + ingress: annotations: cert-manager.io/cluster-issuer: letsencrypt-production @@ -19,10 +21,12 @@ ingress: - hosts: - sorcerer.ekman.oceanbox.io secretName: staging-sorcerer-tls + persistence: enabled: true existingClaim: staging-ceph-archives # existingClaim: staging-oceanbox-backup-archives + # nodeSelector: topology.kubernetes.io/group: login # kubernetes.io/hostname: fs-backup