wip: unify sys and apps

apps/templates/actions-runner-controller.yaml

@@ -0,0 +1,42 @@
+{{ if .Values.actions_runner_controller.enabled }}
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: actions-runner-controller
+  namespace: argocd #TODO move arc to isolated project
+spec:
+  destination:
+    namespace: actions-runner-controller
+    server: 'https://kubernetes.default.svc'
+  sources:
+  - repoURL: 'https://actions-runner-controller.github.io/actions-runner-controller'
+    targetRevision: {{ .Values.actions_runner_controller.version }}
+    chart: actions-runner-controller
+    helm:
+      values: |
+        replicaCount: 1
+        # Webhook
+        webhookPort: 9443
+        syncPeriod: 1m
+        defaultScaleDownDelay: 10m
+        # Authentication
+        authSecret:
+          enabled: true
+          create: false
+          name: arc-gh-token
+          annotations: {}
+  project: sys
+  syncPolicy:
+    managedNamespaceMetadata:
+      labels:
+        component: sys
+    syncOptions:
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+      - ServerSideApply=true
+    {{- if .Values.actions_runner_controller.version }}
+    automated:
+      # selfHeal: false
+      prune: true
+    {{- end }}
+{{ end }}

apps/templates/argo-rollouts.yaml

@@ -0,0 +1,37 @@
+{{- if .Values.argo_rollouts.enabled }}
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: argo-rollouts
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "-1"
+spec:
+  destination:
+    namespace: argocd
+    server: 'https://kubernetes.default.svc'
+  sources:
+  #- repoURL: {{ .Values.cluster_config.manifests }}
+  #  path: {{ .Values.cluster_config.policies }}/argo-rollouts
+  #  targetRevision: HEAD
+  - repoURL: 'https://argoproj.github.io/argo-helm'
+    targetRevision: {{ .Values.argo_rollouts.version }}
+    chart: argo-rollouts
+    helm:
+      values: |
+        dashboard:
+          enabled: {{ .Values.argo_rollouts.dashboard_enabled }}
+        {{- with .Values.argo_rollouts.metrics.enabled }}
+        controller:
+          metrics:
+            enabled: true
+            serviceMonitor:
+              enabled: true
+        {{- end }}
+  project: sys
+  {{- if .Values.argo_rollouts.autosync }}
+  syncPolicy:
+    automated:
+      prune: true
+  {{- end }}
+{{- end }}

apps/templates/argo-workflows.yaml

@@ -0,0 +1,43 @@
+{{- if .Values.argo_workflows.enabled }}
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: argo-workflows
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "-1"
+spec:
+  destination:
+    namespace: argocd
+    server: 'https://kubernetes.default.svc'
+  sources:
+  - repoURL: 'https://argoproj.github.io/argo-helm'
+    targetRevision: {{ .Values.argo_workflows.version }}
+    chart: argo-workflows
+    helm:
+      values: |
+        controller:
+          workflowNamespaces:
+          {{- .Values.argo_workflows.allowed_namespaces | toYaml  | nindent 10 }}
+          {{- with .Values.argo_workflows.metrics.enabled }}
+          metricsConfig:
+            enabled: true
+          serviceMonitor:
+            enabled: true
+          {{- end }}
+        server:
+          extraArgs:
+          - --auth-mode=server
+        workflow:
+          rbac:
+            create: true
+          serviceAccount:
+            create: true
+            name: argo-workflow
+  project: argo-workflows
+  {{- if .Values.argo_workflows.autosync }}
+  syncPolicy:
+    automated:
+      prune: true
+  {{- end }}
+{{- end }}

apps/templates/argocd-apps.yaml

@@ -0,0 +1,153 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: argocd-apps
+  namespace: argocd
+spec:
+  destination:
+    namespace: argocd
+    server: 'https://kubernetes.default.svc'
+  source:
+    repoURL: 'https://argoproj.github.io/argo-helm'
+    targetRevision: {{ .Values.argocd_apps.version }}
+    chart: argocd-apps
+    helm:
+      values: |
+        projects:
+          # System component project
+          - name: sys
+            namespace: argocd
+            description: sys components project
+            sourceRepos:
+            - '{{ .Values.cluster_config.manifests }}'
+            - 'https://argoproj.github.io/argo-helm'
+            - 'https://kubernetes-sigs.github.io/metrics-server/'
+            - 'https://kubernetes.github.io/ingress-nginx'
+            - 'https://cloudnative-pg.github.io/charts'
+            - 'https://charts.jetstack.io'
+            - 'https://kubernetes-sigs.github.io/nfs-subdir-external-provisioner/'
+            - 'https://github.com/kubernetes/dashboard'
+            - 'https://bitnami-labs.github.io/sealed-secrets'
+            - 'https://prometheus-community.github.io/helm-charts'
+            - 'https://github.com/prometheus-community/helm-charts.git'
+            - 'https://charts.gitlab.io/'
+            - 'https://charts.bitnami.com/bitnami'
+            - 'https://helm.linkerd.io/stable'
+            - 'https://github.com/jaegertracing/jaeger-operator'
+            - 'https://kyverno.github.io/kyverno/'
+            - 'https://vmware-tanzu.github.io/helm-charts'
+            - 'https://grafana.github.io/helm-charts'
+            - 'https://charts.enix.io'
+            - 'https://helm.mariadb.com/mariadb-operator'
+            - 'https://helm.cilium.io'
+            - 'https://chartmuseum.github.io/charts'
+            - 'https://open-telemetry.github.io/opentelemetry-helm-charts'
+            - 'https://strimzi.io/charts'
+            - 'https://helm.elastic.co'
+            - 'https://1password.github.io/connect-helm-charts'
+            - 'https://actions-runner-controller.github.io/actions-runner-controller'
+            - 'https://imio.github.io/helm-charts'
+            - 'https://docs.altinity.com/clickhouse-operator'
+
+            destinations:
+            - namespace: argocd
+              server: https://kubernetes.default.svc
+            - namespace: kube-system
+              server: https://kubernetes.default.svc
+            - namespace: ingress-nginx
+              server: https://kubernetes.default.svc
+            - namespace: prometheus
+              server: https://kubernetes.default.svc
+            - namespace: cnpg
+              server: https://kubernetes.default.svc
+            - namespace: cert-manager
+              server: https://kubernetes.default.svc
+            - namespace: kubernetes-dashboard
+              server: https://kubernetes.default.svc
+            - namespace: rabbitmq
+              server: https://kubernetes.default.svc
+            - namespace: sealed-secrets
+              server: https://kubernetes.default.svc
+            - namespace: gitlab
+              server: https://kubernetes.default.svc
+            - namespace: thanos
+              server: https://kubernetes.default.svc
+            - namespace: linkerd
+              server: https://kubernetes.default.svc
+            - namespace: linkerd-multicluster
+              server: https://kubernetes.default.svc
+            - namespace: observability
+              server: https://kubernetes.default.svc
+            - namespace: kyverno
+              server: https://kubernetes.default.svc
+            - namespace: velero
+              server: https://kubernetes.default.svc
+            - namespace: loki
+              server: https://kubernetes.default.svc
+            - namespace: tempo
+              server: https://kubernetes.default.svc
+            - namespace: otel
+              server: https://kubernetes.default.svc
+            - namespace: x509-exporter
+              server: https://kubernetes.default.svc
+            - namespace: mariadb-operator
+              server: https://kubernetes.default.svc
+            - namespace: cilium-spire
+              server: https://kubernetes.default.svc
+            - namespace: cilium-secrets
+              server: https://kubernetes.default.svc
+            - namespace: actions-runner-controller
+              server: https://kubernetes.default.svc
+            - namespace: analytics
+              server: https://kubernetes.default.svc
+            - namespace: clickhouse
+              server: https://kubernetes.default.svc
+            clusterResourceWhitelist:
+            - group: '*'
+              kind: '*'
+
+          {{- if .Values.argo_workflows.enabled }}
+          - name: argo-workflows
+            namespace: argocd
+            description: argo-workflows resources
+            sourceRepos:
+            - 'https://argoproj.github.io/argo-helm'
+            destinations:
+            - namespace: argocd
+              server: https://kubernetes.default.svc
+            {{- range .Values.argo_workflows.allowed_namespaces }}
+            - namespace: {{.}}
+              server: https://kubernetes.default.svc
+            {{- end }}
+            namespaceResourceWhitelist:
+            - group: "rbac.authorization.k8s.io"
+              kind: Role
+            - group: "rbac.authorization.k8s.io"
+              kind: RoleBinding
+            - group: ""
+              kind: ConfigMap
+            - group: ""
+              kind: Secret
+            - group: ""
+              kind: Service
+            - group: ""
+              kind: ServiceAccount
+            - group: apps
+              kind: Deployment
+            - group: "monitoring.coreos.com"
+              kind: ServiceMonitor
+            clusterResourceWhitelist:
+            - group: rbac.authorization.k8s.io
+              kind: ClusterRole
+            - group: rbac.authorization.k8s.io
+              kind: ClusterRoleBinding
+            - group: apiextensions.k8s.io
+              kind: CustomResourceDefinition
+          {{- end }}
+  project: sys
+  syncPolicy:
+    automated: {}
+    syncOptions:
+      - ServerSideApply=true
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true

apps/templates/argocd.yaml

@@ -0,0 +1,325 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: argocd
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "-1"
+spec:
+  destination:
+    namespace: argocd
+    server: 'https://kubernetes.default.svc'
+  sources:
+  - path: {{ .Values.cluster_config.policies }}/argocd
+    repoURL: {{ .Values.cluster_config.manifests }}
+    targetRevision: HEAD
+  - repoURL: 'https://argoproj.github.io/argo-helm'
+    targetRevision: {{ .Values.argocd.version }}
+    chart: argo-cd
+    helm:
+      values: |
+        global:
+          domain: argocd.{{ .Values.cluster_config.domain }}
+        ## ArgoCD configuration
+        ## Ref: https://github.com/argoproj/argo-cd
+        ##
+        configs:
+          {{- if .Values.argocd.anyNamespaces.enabled }}
+          params:
+            applicationsetcontroller.namespaces: "{{ .Values.argocd.anyNamespaces.glob }}"
+            # TODO(kai): anyapp will disable PR review apps. Look into anyapp settings to fix it
+            applicationsetcontroller.enable.scm.providers: "false"
+            application.namespaces: "{{ .Values.argocd.anyNamespaces.glob }}"
+          {{- end }}
+          cm:
+            application.resourceTrackingMethod: annotation+label
+            application.instanceLabelKey: app.kubernetes.io/instance
+            create: true
+            # NOTE(kai): callback URL for dex
+            url: "https://argocd.{{ .Values.cluster_config.domain }}"
+            resource.compareoptions: |
+              ignoreAggregatedRoles: true
+            resource.exclusions: |
+              - apiGroups:
+                - cilium.io
+                kinds:
+                - CiliumIdentity
+                clusters:
+                - "*"
+              - apiGroups:
+                - kyverno.io
+                kinds:
+                - AdmissionReport
+                - BackgroundScanReport
+                - ClusterAdmissionReport
+                - ClusterBackgroundScanReport
+                clusters:
+                - "*"
+            # dex saml config
+            dex.config: |
+              logger:
+                level: debug
+                format: json
+              connectors:
+              {{- with .Values.cluster_config.oidc }}
+              {{- range . }}
+              {{- if eq .provider "azuread" }}
+              - type: oidc
+                id: {{ .name }}
+                name: {{ .name }}
+                config:
+                  issuer: https://login.microsoftonline.com/{{ .tenant }}/v2.0
+                  clientID: ${{ .name | replace "-" "_" }}_client_id
+                  clientSecret: ${{ .name | replace "-" "_" }}_client_secret
+                  insecureSkipEmailVerified: true
+                  requestedIDTokenClaims:
+                    groups:
+                       essential: true
+                  insecureEnableGroups: true
+                  requestedScopes:
+                    - openid
+                    - profile
+                    - email
+                    - groups
+              {{- else if eq .provider "github" }}
+              - type: github
+                id: {{ .name }}
+                name: {{ .name }}
+                config:
+                  clientID: ${{ .name | replace "-" "_" }}_client_id
+                  clientSecret: ${{ .name | replace "-" "_" }}_client_secret
+                  redirectURI: https://argocd.{{ $.Values.cluster_config.domain }}/api/dex/callback
+                  orgs:
+                  - name: {{ .allowed_organizations }}
+                  loadAllGroups: true
+                  teamNameField: slug
+                  useLoginAsID: false
+              staticClients:
+              - id: ${{ .name | replace "-" "_" }}_client_id
+                name: Kubernetes
+                # These are kubectl oidc plugin internal URLs
+                redirectURIs:
+                  - http://localhost:8000
+                  - http://localhost:18000
+                # Random secret for the user to authenticat dex client
+                secret: 8d52926efe879ee505391b75f4b046cf
+              {{- end }}
+              {{- end }}
+              {{- end }}
+            admin.enabled: '{{ .Values.argocd.adminLogin }}'
+          rbac:
+            # NOTE(kai): dd2aa2d6 ... is ID for azure kubernetes_operator group
+            policy.csv: |
+              p, role:org-admin, applications, *, */*, allow
+              p, role:org-admin, projects, *, *, allow
+              p, role:org-admin, logs, get, *, allow
+              p, role:org-admin, clusters, get, *, allow
+              p, role:org-admin, clusters, update, *, allow
+              p, role:org-admin, repositories, get, *, allow
+              p, role:org-admin, repositories, create, *, allow
+              p, role:org-admin, repositories, update, *, allow
+              p, role:org-admin, repositories, delete, *, allow
+              g, "dd2aa2d6-269d-48fe-90cc-04fd5c08bd29", role:org-admin
+              {{- if .Values.cluster_config.external_access.enabled }}
+              p, role:external-admin, applications, *, sys/*, deny
+              p, role:external-admin, applications, *, oxb/*, deny
+              p, role:external-admin, applications, *, */*, allow
+              p, role:external-admin, projects, *, oxb, deny
+              p, role:external-admin, projects, *, sys, deny
+              p, role:external-admin, projects, get, *, allow
+              p, role:external-admin, logs, get, *, allow
+              p, role:external-admin, clusters, get, *, allow
+              p, role:external-admin, repositories, get, *, allow
+              p, role:external-admin, repositories, create, *, allow
+              p, role:external-admin, repositories, update, *, allow
+              p, role:external-admin, repositories, delete, *, allow
+              g, "{{ .Values.cluster_config.external_access.admin_group }}", role:external-admin
+              {{- end }}
+              {{- if .Values.cluster_config.external_access.enabled }}
+              {{- range .Values.cluster_config.external_access.groups }}
+              {{- "\n" -}}
+                {{- $name := .name }}
+              p, role:{{$name}}, projects, get, {{$name}}, allow
+              p, role:{{$name}}, applications, get, {{$name}}/*, allow
+              p, role:{{$name}}, logs, get, {{$name}}/*, allow
+                {{- range .group_id }}
+              g, {{ . }}, role:{{$name}}
+                  {{- end }}
+                {{- end }}
+              {{- end }}
+              {{- with .Values.argocd.additional_rbac_settings }}
+              {{- range .}}
+              {{ . }}
+              {{- end }}
+              {{- end }}
+          repositories:
+            # Repositories for applications
+            argo-helm:
+              type: helm
+              url: https://argoproj.github.io/argo-helm
+          # UI changes based on env
+          styles: |
+            /* blue, orange, red depending on env */
+            :root {
+              --test-color: #0f2cbd;
+              --dev-color: #33b025;
+              --staging-color: #ebac2f;
+              --prod-color: #ff000d;
+            }
+            .top-bar__breadcrumbs::after {
+              content: "cluster: {{.Values.cluster_config.cluster}},  env: {{.Values.cluster_config.env}} ";
+              color: var(--{{.Values.cluster_config.env}}-color);
+              font-weight: bolder;
+              font-size: larger;
+              position: fixed;
+              left: 50%;
+            }
+
+        controller:
+          metrics:
+            enabled: true
+            serviceMonitor:
+              enabled: true
+          resources:
+            limits:
+              memory: {{ .Values.argocd.resources.controller.memory  | default "1000Mi" }}
+            requests:
+              cpu: {{ .Values.argocd.resources.controller.cpu  | default "250m" }}
+              memory: {{ .Values.argocd.resources.controller.memory  | default "1000Mi" }}
+
+        # Mount azure ca as file for SAML auth
+        dex:
+          metrics:
+            enabled: true
+            serviceMonitor:
+              enabled: true
+          {{- with .Values.cluster_config.oidc }}
+          env:
+          {{- range . }}
+          - name: {{ .name | replace "-" "_" }}_client_secret
+            valueFrom:
+              secretKeyRef:
+                name: {{ .secret_ref.name }}
+                key: client_secret
+          - name: {{ .name | replace "-" "_" }}_client_id
+            valueFrom:
+              secretKeyRef:
+                name: {{ .secret_ref.name }}
+                key: client_id
+          {{- end }}
+          {{- end }}
+
+        redis:
+          metrics:
+            enabled: true
+            serviceMonitor:
+              enabled: true
+
+        repoServer:
+          metrics:
+            enabled: true
+            serviceMonitor:
+              enabled: true
+          {{- if .Values.argocd.repoServer.cmp.enabled }}
+          extraContainers:
+          - command:
+            - /var/run/argocd/argocd-cmp-server
+            image: {{ .Values.argocd.repoServer.cmp.image }}
+            imagePullPolicy: Always
+            name: {{ .Values.argocd.repoServer.cmp.name }}
+            securityContext:
+              runAsNonRoot: true
+              runAsUser: 999
+            terminationMessagePath: /dev/termination-log
+            terminationMessagePolicy: File
+            volumeMounts:
+            - mountPath: /var/run/argocd
+              name: var-files
+            - mountPath: /home/argocd/cmp-server/plugins
+              name: plugins
+            - mountPath: /tmp
+              name: cmp-tmp
+            - mountPath: /helm-working-dir
+              name: helm-working-dir
+          {{- with .Values.argocd.repoServer.cmp.initContainers }}
+          initContainers:
+            {{- toYaml . | nindent 10}}
+          {{- end }}
+          volumes:
+          - name: cmp-tmp
+            emptyDir: {}
+          {{- if .Values.argocd.repoServer.cmp.imagePullSecret }}
+          imagePullSecrets:
+            {{- range .Values.argocd.repoServer.cmp.imagePullSecret}}
+            - name: {{ .name }}
+          {{- end }}
+          {{- end }}
+        {{- end }}
+
+        # Configuration for argocd server instance
+        server:
+          metrics:
+            enabled: true
+            serviceMonitor:
+              enabled: true
+          ingress:
+            enabled: {{ .Values.argocd.ingress.enabled }}
+            ingressClassName: nginx
+            annotations:
+              cert-manager.io/cluster-issuer: {{ .Values.cluster_config.ingress_clusterissuer }}
+              nginx.ingress.kubernetes.io/ssl-passthrough: "true"
+              nginx.ingress.kubernetes.io/ssl-redirect: "true"
+              nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
+              {{- with .Values.cluster_config.ingress_whitelist_ips }}
+              nginx.ingress.kubernetes.io/whitelist-source-range: {{ join "," . }}
+              {{- end }}
+            hosts:
+              - "argocd.{{ .Values.cluster_config.domain }}"
+            tls:
+              - secretName: argocd-tls
+                hosts:
+                  - "argocd.{{ .Values.cluster_config.domain }}"
+        applicationSet:
+          metrics:
+            enabled: true
+            serviceMonitor:
+              enabled: true
+          {{- if .Values.argocd.anyNamespaces.enabled }}
+          allowAnyNamespaces: true
+          {{- end }}
+          ingress:
+            enabled: {{ .Values.argocd.applicationset_webhook.enabled }}
+            ingressClassName: nginx
+            annotations:
+              cert-manager.io/cluster-issuer: {{ .Values.cluster_config.ingress_clusterissuer }}
+              # {{- with .Values.cluster_config.ingress_whitelist_ips}}
+              # NOTE(kai): include gitlab and github webhook ranges
+              # nginx.ingress.kubernetes.io/whitelist-source-range: {{ join "," . }},192.30.252.0/22,140.82.112.0/20,34.74.226.27/28,34.74.226.0/24
+              # {{- end }}
+            hostname: "argocd-applicationset.{{ .Values.cluster_config.domain }}"
+            tls:
+              - secretName: argocd-applicationset-tls
+                hosts:
+                  - "argocd-applicationset.{{ .Values.cluster_config.domain }}"
+        notifications:
+          metrics:
+            enabled: true
+            serviceMonitor:
+              enabled: true
+          secret:
+            create: false
+          cm:
+            create: false
+  project: sys
+  syncPolicy:
+    managedNamespaceMetadata:
+      labels:
+        component: sys
+    syncOptions:
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+    {{- if .Values.argocd.autosync }}
+    automated:
+      prune: true
+      # selfHeal: false
+    {{- end }}

apps/templates/atlantis.yaml

@@ -0,0 +1,70 @@
+{{ if .Values.atlantis.enabled }}
+{{- range .Values.atlantis.envs }}
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: {{ . }}-atlantis
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    namespace: {{ . }}-atlantis
+    server: https://kubernetes.default.svc
+  project: atlantis
+  sources:
+  - repoURL: https://gitlab.com/oceanbox/manifests.git
+    targetRevision: main
+    ref: values
+  - repoURL: https://gitlab.com/oceanbox/manifests.git
+    targetRevision: main
+    path: values/atlantis
+    plugin:
+      name: kustomize-helm-with-rewrite
+      parameters:
+      - name: env
+        string: {{ . }}
+      - name: hostname
+        string: maps.oceanbox.io
+  - repoURL: https://charts.bitnami.com/bitnami
+    targetRevision: 20.1.7
+    chart: redis
+    helm:
+      valueFiles:
+      - $values/values/atlantis/{{ . }}/redis.yaml
+  ignoreDifferences:
+    - kind: Secret
+      name: azure-keyvault
+      jqPathExpressions:
+        - '.data'
+        - '.metadata.labels'
+        - '.metadata.annotations'
+    - kind: Secret
+      name: {{ . }}-atlantis-rabbitmq
+      jqPathExpressions:
+        - '.data'
+        - '.metadata.labels'
+        - '.metadata.annotations'
+    - kind: Secret
+      name: {{ . }}-archmeister-replication
+      jqPathExpressions:
+        - '.data'
+        - '.metadata.labels'
+        - '.metadata.annotations'
+    - kind: Secret
+      name: {{ . }}-archmeister-ca
+      jqPathExpressions:
+        - '.data'
+        - '.metadata.labels'
+        - '.metadata.annotations'
+  syncPolicy:
+    syncOptions:
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+    # automated:
+    #   prune: true
+    #   selfHeal: false
+{{- end }}
+{{- end }}

apps/templates/busynix.yaml

@@ -0,0 +1,23 @@
+{{- if .Values.busynix.enabled }}
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: busynix
+  namespace: argocd
+spec:
+  project: aux
+  destination:
+    namespace: default
+    server: https://kubernetes.default.svc
+  source:
+    repoURL: https://gitlab.com/oceanbox/manifests.git
+    targetRevision: main
+    path: values/busynix
+    plugin:
+      name: kustomize-helm-with-rewrite
+      parameters:
+      - name: env
+        string: staging
+      - name: hostname
+        string: busynix.beta.oceanbox.io
+{{- end }}

apps/templates/cert-manager.yaml

@@ -0,0 +1,36 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: cert-manager
+  namespace: argocd
+spec:
+  destination:
+    namespace: cert-manager
+    server: 'https://kubernetes.default.svc'
+  sources:
+  - repoURL: {{ .Values.cluster_config.manifests }}
+    path: {{ .Values.cluster_config.policies }}/cert-manager
+    targetRevision: HEAD
+  - repoURL: 'https://charts.jetstack.io'
+    targetRevision: {{ .Values.cert_manager.version }}
+    chart: cert-manager
+    helm:
+      values: |
+        installCRDs: true
+        enableCertificateOwnerRef: true
+        startupapicheck:
+          podAnnotations:
+            linkerd.io/inject: disabled
+  project: sys
+  syncPolicy:
+    managedNamespaceMetadata:
+      labels:
+        component: sys
+    syncOptions:
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+    {{- if .Values.cert_manager.autosync }}
+    automated:
+      prune: true
+      # selfHeal: false
+    {{- end }}

apps/templates/chartmuseum.yaml

@@ -0,0 +1,60 @@
+{{- if .Values.chartmuseum.enabled }}
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: chartmuseum
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    namespace: argocd
+    server: 'https://kubernetes.default.svc'
+  source:
+    repoURL: 'https://chartmuseum.github.io/charts'
+    targetRevision: {{ .Values.chartmuseum.version }}
+    chart: chartmuseum
+    helm:
+      values: |
+        env:
+          open:
+            ENABLE_METRICS: true
+            DISABLE_API: false
+            ALLOW_OVERWRITE: false
+            CHART_URL: ""
+            AUTH_ANONYMOUS_GET: true
+          existingSecret: chartmuseum-basic-auth
+          existingSecretMappings:
+            BASIC_AUTH_USER: user
+            BASIC_AUTH_PASS: password
+        extraArgs:
+          - --web-template-path=/storage/web
+        serviceMonitor:
+          enabled: false
+        persistence:
+          enabled: true
+          accessMode: ReadWriteOnce
+          size: {{ .Values.chartmuseum.storage.size }}
+          path: /storage
+          storageClass: ""
+        ingress:
+          enabled: {{ .Values.chartmuseum.ingress.enabled }}
+          annotations:
+            {{- with .Values.cluster_config.ingress_whitelist_ips}}
+            nginx.ingress.kubernetes.io/whitelist-source-range: {{ join "," . }}
+            {{- end }}
+            cert-manager.io/cluster-issuer: {{ .Values.cluster_config.ingress_clusterissuer }}
+          ingressClassName: nginx
+          hosts:
+            - name: charts.{{ .Values.cluster_config.domain }}
+              path: /
+              tls: true
+              tlsSecret: chartmuseum-tls
+  project: sys
+  {{- if .Values.chartmuseum.autosync }}
+  syncPolicy:
+    automated:
+      prune: true
+      # selfHeal: false
+  {{- end }}
+{{- end }}

apps/templates/cilium.yaml

@@ -0,0 +1,165 @@
+{{- if .Values.cilium.enabled }}
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: cilium
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "-1"
+spec:
+  destination:
+    namespace: kube-system
+    server: 'https://kubernetes.default.svc'
+  sources:
+  {{- if .Values.cilium.spire.enabled }}
+  - repoURL: {{ .Values.cluster_config.manifests }}
+    path: {{ .Values.cluster_config.policies }}/cilium-spire
+    targetRevision: HEAD
+  {{- end }}
+  - repoURL: 'https://helm.cilium.io'
+    targetRevision: {{ .Values.cilium.version }}
+    chart: cilium
+    helm:
+      values: |
+        authentication:
+          mutual:
+            spire:
+              enabled: {{ .Values.cilium.spire.enabled }}
+        cgroup:
+          autoMount:
+            enabled: false
+          hostRoot: /sys/fs/cgroup
+        dashboards:
+          enabled: true
+          namespace: prometheus
+        enableXTSocketFallback: false
+        encryption:
+          enabled: {{ .Values.cilium.encryption.enabled }}
+          type: {{ .Values.cilium.encryption.type}}
+        envoy:
+          enabled: {{ .Values.cilium.envoy.enabled }}
+          prometheus:
+            serviceMonitor:
+              enabled: {{ .Values.cilium.envoy.enabled }}
+        extraConfig:
+          enable-envoy-config: "true"
+        hubble:
+          enabled: true
+          tls:
+            auto:
+              method: cronJob
+          metrics:
+            dashboards:
+              enabled: true
+              namespace: prometheus
+            enabled:
+            - dns:query;ignoreAAAA
+            - drop
+            - tcp
+            - flow
+            - icmp
+            - policy:sourceContext=app|workload-name|pod|reserved-identity;destinationContext=app|workload-name|pod|dns|reserved-identity;labelsContext=source_namespace,destination_namespace
+            - httpV2:exemplars=false;labelsContext=source_ip,source_namespace,source_workload,destination_ip,destination_namespace,destination_workload,traffic_direction
+            port: 12304
+            serviceMonitor:
+              enabled: true
+          redact:
+            enabled: true
+          relay:
+            enabled: true
+            prometheus:
+              enabled: true
+              serviceMonitor:
+                enabled: true
+          ui:
+            enabled: {{ .Values.cilium.hubble.ui }}
+        ipam:
+          mode: kubernetes
+        kubeProxyReplacement: {{ .Values.cilium.kubeProxyReplacement }}
+        l2announcements:
+          enabled: {{ .Values.cilium.l2announcement.enabled }}
+        k8sServiceHost: {{ .Values.cilium.k8sServiceHost }}
+        k8sServicePort: {{ .Values.cilium.k8sServicePort }}
+        nodePort:
+          enabled: {{ .Values.cilium.nodePort.enabled }}
+        gatewayAPI:
+          enabled: {{ .Values.cilium.gatewayAPI.enabled }}
+        ingressController:
+          enabled: {{ .Values.cilium.ingressController.enabled }}
+          default: {{ .Values.cilium.ingressController.defaultClass }}
+          loadbalancerMode: {{ .Values.cilium.ingressController.loadbalancerMode }}
+        operator:
+          dashboards:
+            enabled: true
+            namespace: prometheus
+          prometheus:
+            enabled: true
+            port: 12301
+            serviceMointor:
+              enabled: true
+              port: 12302
+          rollOutPods: true
+        policyAuditMode: {{ .Values.cilium.policyAuditMode }}
+        prometheus:
+          enabled: true
+          port: 12300
+          serviceMonitor:
+            enabled: true
+        rollOutCiliumPods: true
+        securityContext:
+          capabilities:
+            ciliumAgent:
+            - CHOWN
+            - KILL
+            - NET_ADMIN
+            - NET_RAW
+            - IPC_LOCK
+            - SYS_ADMIN
+            - SYS_RESOURCE
+            - DAC_OVERRIDE
+            - FOWNER
+            - SETGID
+            - SETUID
+            cleanCiliumState:
+            - NET_ADMIN
+            - SYS_ADMIN
+            - SYS_RESOURCE
+        {{- with .Values.cilium.upgradeCompatability}}
+        upgradeCompatability:  {{ . }}
+        {{- end }}
+  project: sys
+  syncPolicy:
+    syncOptions:
+    - ServerSideApply=true
+    {{- if .Values.cilium.autosync }}
+    automated:
+      prune: true
+      # selfHeal: false
+    {{- end }}
+  ignoreDifferences:
+    - group: apps
+      jqPathExpressions:
+        - .spec.volumeClaimTemplates
+      kind: StatefulSet
+      name: spire-server
+    - group: monitoring.coreos.com
+      jqPathExpressions:
+        - .spec.endpoints[]?.relabelings[]?.action
+      kind: ServiceMonitor
+    - group: ''
+      jsonPointers:
+        - /data/ca.crt
+      kind: ConfigMap
+      name: hubble-ca-cert
+    - group: ''
+      jsonPointers:
+        - /data/ca.crt
+        - /data/ca.key
+      kind: Secret
+      name: cilium-ca
+    - group: ''
+      jqPathExpressions:
+        - .spec.ports[]?.nodePort
+      kind: Service
+      name: cilium-ingress
+{{- end }}

apps/templates/clickhouse.yaml

@@ -0,0 +1,45 @@
+{{ if .Values.clickhouse_operator.enabled }}
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: clickhouse-operator
+  namespace: argocd
+spec:
+  destination:
+    namespace: clickhouse
+    server: 'https://kubernetes.default.svc'
+  sources:
+  - repoURL: {{ .Values.cluster_config.manifests }}
+    path: {{ .Values.cluster_config.policies }}/clickhouse
+    targetRevision: HEAD
+  - repoURL: 'https://docs.altinity.com/clickhouse-operator'
+    targetRevision: {{ .Values.clickhouse_operator.version }}
+    chart: altinity-clickhouse-operator
+    helm:
+      values: |
+        configs:
+          files:
+            config.yaml:
+              watch:
+                namespaces: ["analytics", "analytics-production"]
+  project: sys
+  syncPolicy:
+    managedNamespaceMetadata:
+      labels:
+        component: sys
+    syncOptions:
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+      - ServerSideApply=true
+    {{- if .Values.clickhouse_operator.version }}
+    automated:
+      # selfHeal: false
+      prune: true
+    {{- end }}
+  ignoreDifferences:
+   - group: apps
+     kind: Deployment
+     jqPathExpressions:
+       - .spec.template.spec.containers[].env[].valueFrom.resourceFieldRef.divisor
+       - .spec.template.spec.initContainers[].env[].valueFrom.resourceFieldRef.divisor
+{{ end }}

apps/templates/dapr.yaml

@@ -0,0 +1,35 @@
+{{- if .Values.dapr.enabled }}
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: dapr
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    namespace: dapr-system
+    server: https://kubernetes.default.svc
+  project: default
+  syncPolicy:
+    # managedNamespaceMetadata:
+    #   labels:
+    #     component: aux
+    syncOptions:
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+    automated:
+      prune: true
+      selfHeal: true
+  sources:
+  - repoURL:  https://dapr.github.io/helm-charts/
+    targetRevision: 1.14.4
+    chart: dapr
+    helm:
+      values: |
+        global:
+          ha:
+            enabled: true
+{{- end }}

apps/templates/dex.yaml

@@ -0,0 +1,29 @@
+{{ if .Values.dex.enabled }}
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: prod-dex
+  namespace: argocd
+spec:
+  project: aux
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: dex
+  sources:
+  - repoURL: https://gitlab.com/oceanbox/manifests.git
+    targetRevision: main
+    path: 'values/dex/prod'
+  - repoURL: https://gitlab.com/oceanbox/manifests.git
+    targetRevision: main
+    path: values/dex/resources
+  - repoURL: https://charts.dexidp.io
+    targetRevision: 0.19.1
+    chart: dex
+    helm:
+      valueFiles:
+        - $values/values/dex/values.yaml
+        - $values/values/dex/values-prod.yaml
+  - repoURL: https://gitlab.com/oceanbox/manifests.git
+    targetRevision: main
+    ref: values
+{{- end }}

apps/templates/downscaler.yaml

@@ -0,0 +1,47 @@
+{{ if .Values.downscaler.enabled }}
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: downscaler
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    namespace: kube-downscaler
+    server: 'https://kubernetes.default.svc'
+  project: sys
+  syncPolicy:
+    managedNamespaceMetadata:
+      labels:
+        component: sys
+    syncOptions:
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+    {{- if .Values.downscaler.autosync }}
+    automated:
+      prune: true
+      # selfHeal: true
+    {{- end }}
+  sources:
+  - repoURL: '{{ .Values.cluster_config.manifests }}'
+    path: {{ .Values.cluster_config.policies }}/downscaler
+    targetRevision: HEAD
+  - repoURL: 'https://caas-team.github.io/helm-charts/'
+    targetRevision: {{ .Values.downscaler.version }}
+    chart: py-kube-downscaler
+    helm:
+      values: |
+        arguments:
+        - --interval=60
+        - --include-resources=deployments,statefulsets,scaledobjects,cronjobs
+        # Namespaces being excluded from the 'downscale for non-work hours'
+        # DEFAULT_UPTIME: "Mon-Fri 07:30-20:30 CET"
+        {{- with .Values.downscaler.excludedNamespaces }}
+        excludedNamespaces: {{ join "," . }}
+        {{- end }}
+        extraConfig: {{- toYaml .Values.downscaler.extraConfig | nindent 8 }}
+{{ end }}
+

apps/templates/geoserver.yaml

@@ -0,0 +1,27 @@
+{{ if .Values.geoserver.enabled }}
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: prod-geoserver
+  namespace: argocd
+spec:
+  project: aux
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: geoserver
+  sources:
+  - repoURL: https://gitlab.com/oceanbox/manifests.git
+    targetRevision: main
+    path: values/geoserver
+    plugin:
+      name: kustomize-helm-with-rewrite
+      parameters:
+      - name: env
+        string: prod
+      - name: hostname
+        string: geoserver.srv.oceanbox.io
+      - name: flags
+        string: "--skip-tests"
+      - name: chart
+        string: ncsa/geoserver
+{{- end }}

apps/templates/gitlab-runner.yaml

@@ -0,0 +1,78 @@
+{{ if .Values.gitlab_runner.enabled }}
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: gitlab-runner
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    namespace: gitlab
+    server: 'https://kubernetes.default.svc'
+  source:
+    repoURL: 'https://charts.gitlab.io/'
+    targetRevision: {{ .Values.gitlab_runner.version }}
+    chart: gitlab-runner
+    helm:
+      releaseName: runner-gitlab-runner
+      values: |
+        gitlabUrl: https://gitlab.com/
+        # certsSecretName: cluster-ca
+        # sentryDsn: https://cb9cbeb704c4454fadf0d231602b7abc@o990465.ingest.sentry.io/5996879
+
+        checkInterval: 15
+
+        rbac:
+          create: true
+          clusterWideAccess: true
+
+        service:
+          enabled: true
+
+        metrics:
+          enabled: true
+          serviceMonitor:
+            enabled: true
+
+        runners:
+          tags: kubernetes, {{ .Values.gitlab_runner.tag }}, {{ .Values.cluster_config.cluster }}, {{ .Values.cluster_config.env}}
+          executor: kubernetes
+          cache:
+            secretName: s3access
+          secret: runner-token
+
+          # tpl: https://helm.sh/docs/howto/charts_tips_and_tricks/#using-the-tpl-function
+          # runner configuration: https://docs.gitlab.com/runner/configuration/advanced-configurati>
+          config: |
+            [[runners]]
+              [runners.kubernetes]
+                pull_policy = "always"
+                namespace = "gitlab"
+                image = "ubuntu:24.04"
+                [runners.cache]
+                    Path = ""
+                    Shared = true
+                    Type = "s3"
+                [runners.cache.s3]
+                    BucketLocation = "us-east-1"
+                    AuthenticationType = "access-key"
+                    AccessKey = {{ .Values.gitlab_runner.s3.access_key }}
+                    SecretKey = {{ .Values.gitlab_runner.s3.secret_key }}
+                    ServerAddress = {{ .Values.gitlab_runner.s3.server }}
+                    BucketName = "gitlab-runner"
+                    Insecure = false
+  project: sys
+  syncPolicy:
+    managedNamespaceMetadata:
+      labels:
+        component: sys
+    syncOptions:
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+    {{- if .Values.gitlab_runner.autosync }}
+    automated:
+      prune: true
+      # selfHeal: false
+    {{- end }}
+{{ end }}

apps/templates/headscale.yaml

@@ -0,0 +1,23 @@
+{{- if .Values.headscale.enabled }}
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: headscale
+  namespace: argocd
+spec:
+  project: default
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: headscale
+  sources:
+  - repoURL: https://charts.gabe565.com
+    targetRevision: 0.16.0
+    chart: headscale
+    helm:
+      valueFiles:
+        - $values/values/headscale/values.yaml
+  - repoURL: https://gitlab.com/oceanbox/manifests.git
+    targetRevision: main
+    ref: values
+
+{{- end }}

apps/templates/ingress-nginx.yaml

@@ -0,0 +1,132 @@
+{{- if .Values.nginx.enabled }}
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: ingress-nginx
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+spec:
+  destination:
+    namespace: ingress-nginx
+    server: 'https://kubernetes.default.svc'
+  sources:
+  - repoURL: {{ .Values.cluster_config.manifests }}
+    path: {{ .Values.cluster_config.policies }}/ingress-nginx
+    targetRevision: HEAD
+  - repoURL: 'https://kubernetes.github.io/ingress-nginx'
+    targetRevision: {{ .Values.nginx.version }}
+    chart: ingress-nginx
+    helm:
+      values: |
+        ## nginx configuration
+        ## Ref: https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/index.md
+        ##
+        ## Overrides for generated resource names
+        # See templates/_helpers.tpl
+        # nameOverride:
+        fullnameOverride: main-ingress-nginx
+        controller:
+          resources:
+            limits:
+              memory: {{ .Values.nginx.resources.controller.memory }}
+            requests:
+              cpu: {{ .Values.nginx.resources.controller.cpu }}
+              memory: {{ .Values.nginx.resources.controller.memory }}
+
+          ingressClassResource:
+            default: true
+
+          tolerations:
+           - key: unschedulable
+             operator: Exists
+             effect: NoSchedule
+           - key: node-role.kubernetes.io/control-plane
+             operator: Exists
+             effect: NoSchedule
+
+          affinity:
+            nodeAffinity:
+              requiredDuringSchedulingIgnoredDuringExecution:
+                nodeSelectorTerms:
+                - matchExpressions:
+                  - key: kubernetes.io/hostname
+                    operator: In
+                    values: {{ .Values.cluster_config.ingress_nodes }}
+
+            podAntiAffinity:
+              requiredDuringSchedulingIgnoredDuringExecution:
+              - labelSelector:
+                  matchExpressions:
+                  - key: app.kubernetes.io/instance
+                    operator: In
+                    values:
+                    - ingress-nginx
+                  - key: app.kubernetes.io/component
+                    operator: In
+                    values:
+                    - controller
+                topologyKey: "kubernetes.io/hostname"
+
+          podAnnotations:
+            config.linkerd.io/skip-inbound-ports: 80,443
+
+          replicaCount: {{ .Values.cluster_config.ingress_replica_count }}
+
+          minAvailable: {{ .Values.nginx.pdb.minAvailable }}
+
+          service:
+            externalTrafficPolicy: Local
+            # type: ClusterIP
+            type: NodePort
+            # nodePorts:
+            #   http: 32080
+            #   https: 32443
+            #   tcp:
+            #     8080: 32808
+            nodePorts:
+              http: 30080
+              https: 30443
+              tcp: {}
+              udp: {}
+
+          metrics:
+            enabled: true
+
+            service:
+              annotations:
+                prometheus.io/scrape: "true"
+                prometheus.io/port: "10254"
+
+              servicePort: 9913
+              type: ClusterIP
+
+            serviceMonitor:
+              enabled: true
+
+          admissionWebhooks:
+            enabled: false
+
+        ## Default 404 backend
+        ##
+        defaultBackend:
+          enabled: true
+
+          tolerations:
+           - key: unschedulable
+             operator: Exists
+             effect: NoSchedule
+  project: sys
+  syncPolicy:
+    managedNamespaceMetadata:
+      labels:
+        component: sys
+    syncOptions:
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+    {{- if .Values.nginx.autosync}}
+    automated:
+      prune: true
+      # selfHeal: false
+    {{- end }}
+{{- end }}

apps/templates/jaeger-operator.yaml

@@ -0,0 +1,36 @@
+{{ if .Values.jaeger_operator.enabled }}
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: jaeger-operator
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    namespace: observability
+    server: 'https://kubernetes.default.svc'
+  sources:
+  - repoURL: {{ .Values.cluster_config.manifests }}
+    path: {{ .Values.cluster_config.policies }}/jaeger-operator
+    targetRevision: HEAD
+  - repoURL: "https://github.com/jaegertracing/jaeger-operator"
+    targetRevision: v{{ .Values.jaeger_operator.version }}
+    path: bundle/manifests
+    directory:
+      # Exclude jaeger-operator clusterserviceversion, as we don't have operator lifecycle manager installed
+      exclude: jaeger-operator.clusterserviceversion.yaml
+  project: sys
+  syncPolicy:
+    managedNamespaceMetadata:
+      labels:
+        component: sys
+    syncOptions:
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+    {{- if .Values.jaeger_operator.autosync }}
+    automated:
+      prune: true
+      # selfHeal: false
+    {{- end }}
+{{ end }}

apps/templates/keycloak.yaml

@@ -0,0 +1,39 @@
+{{ if .Values.keycloak.enabled }}
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: prod-keycloak
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: aux
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: keycloak
+  syncPolicy:
+    managedNamespaceMetadata:
+      labels:
+        component: aux
+    syncOptions:
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+    automated:
+      prune: true
+      selfHeal: true
+  sources:
+  - repoURL: https://gitlab.com/oceanbox/manifests.git
+    targetRevision: main
+    path: values/keycloak/prod
+  - repoURL: https://charts.bitnami.com/bitnami
+    targetRevision: 24.0.2
+    chart: keycloak
+    helm:
+      valueFiles:
+        - $values/values/keycloak/values-prod.yaml
+  - repoURL: https://gitlab.com/oceanbox/manifests.git
+    targetRevision: main
+    ref: values
+{{- end }}

apps/templates/kubernetes-dashboard.yaml

@@ -0,0 +1,30 @@
+{{ if .Values.kubernetes_dashboard.enabled }}
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: kubernetes-dashboard
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    namespace: kubernetes-dashboard
+    server: 'https://kubernetes.default.svc'
+  source:
+    path: aio/deploy/recommended
+    repoURL: https://github.com/kubernetes/dashboard
+    targetRevision: {{ .Values.kubernetes_dashboard.version }}
+  project: sys
+  syncPolicy:
+    managedNamespaceMetadata:
+      labels:
+        component: sys
+    syncOptions:
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+    {{- if .Values.kubernetes_dashboard.autosync }}
+    automated:
+      prune: true
+      # selfHeal: false
+    {{ end }}
+{{ end }}

apps/templates/kyverno.yaml

@@ -0,0 +1,84 @@
+{{ if .Values.kyverno.enabled }}
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: kyverno
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    namespace: kyverno
+    server: 'https://kubernetes.default.svc'
+  sources:
+  - repoURL: {{ .Values.cluster_config.manifests }}
+    path: {{ .Values.cluster_config.policies }}/kyverno
+    targetRevision: HEAD
+  - repoURL: 'https://kyverno.github.io/kyverno/'
+    targetRevision: {{ .Values.kyverno.version }}
+    chart: kyverno
+    helm:
+      values: |
+        replicaCount: 3
+        {{ if .Values.kyverno.metrics }}
+        admissionController:
+          serviceMonitor:
+            enabled: true
+          metricsService:
+            create: true
+        backgroundController:
+          serviceMonitor:
+            enabled: true
+          metricsService:
+            create: true
+        cleanupController:
+          serviceMonitor:
+            enabled: true
+          metricsService:
+            create: true
+        reportsController:
+          serviceMonitor:
+            enabled: true
+          metricsService:
+            create: true
+        {{ end }}
+        cleanupController:
+          resources:
+            limits: 
+              memory: {{ .Values.kyverno.resources.cleanupController.memory }}
+            requests:
+              memory: {{ .Values.kyverno.resources.cleanupController.memory }}
+        reportsController:
+          resources:
+            limits: 
+              memory: {{ .Values.kyverno.resources.reportsController.memory }}
+            requests:
+              memory: {{ .Values.kyverno.resources.reportsController.memory }}
+        backgroundController:
+          resources:
+            limits: 
+              memory: {{ .Values.kyverno.resources.backgroundController.memory }}
+            requests:
+              memory: {{ .Values.kyverno.resources.backgroundController.memory }}
+  project: sys
+  syncPolicy:
+    managedNamespaceMetadata:
+      labels:
+        component: sys
+    syncOptions:
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+      - ServerSideApply=true
+    {{- if .Values.kyverno.autosync }}
+    automated:
+      prune: true
+      # selfHeal: false
+    {{- end }}
+  ignoreDifferences:
+  - group: batch
+    kind: CronJob
+    jqPathExpressions:
+    - '.spec.jobTemplate.spec.template.spec.containers[]?.resources'
+{{ end }}

apps/templates/linkerd-crds.yaml

@@ -0,0 +1,35 @@
+{{ if .Values.linkerd.enabled }}
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: linkerd-crds
+  namespace: argocd
+  #finalizers:
+  #- resources-finalizer.argocd.argoproj.io
+spec:
+  ignoreDifferences:
+    - group: apiextensions.k8s.io
+      kind: CustomResourceDefinition
+      jsonPointers:
+        - /spec/names/shortNames
+  destination:
+    namespace: linkerd
+    server: 'https://kubernetes.default.svc'
+  source:
+    repoURL: 'https://helm.linkerd.io/stable'
+    targetRevision: {{ .Values.linkerd.crds.version }}
+    chart: linkerd-crds
+  project: sys
+  syncPolicy:
+    managedNamespaceMetadata:
+      labels:
+        component: sys
+    syncOptions:
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+    {{- if .Values.linkerd.autosync }}
+    automated:
+      prune: true
+      # selfHeal: false
+    {{- end }}
+{{ end }}

apps/templates/linkerd-multicluster.yaml

@@ -0,0 +1,35 @@
+{{ if .Values.linkerd.multicluster.enabled }}
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: linkerd-multicluster
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+  annotations:
+    # Should sync after linkerd (which is wave 0)
+    argocd.argoproj.io/sync-wave: "1"
+spec:
+  destination:
+    namespace: linkerd-multicluster
+    server: 'https://kubernetes.default.svc'
+  source:
+    repoURL: 'https://helm.linkerd.io/stable'
+    targetRevision: {{ .Values.linkerd.multicluster.version }}
+    chart: linkerd-multicluster
+    helm:
+      values: |
+        gateway:
+          serviceType: "NodePort"
+  project: sys
+  syncPolicy:
+    managedNamespaceMetadata:
+      labels:
+        component: sys
+    syncOptions:
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+    automated:
+      prune: true
+      # selfHeal: false
+{{ end }}

apps/templates/linkerd.yaml

@@ -0,0 +1,100 @@
+{{ if .Values.linkerd.enabled }}
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: linkerd
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "5"
+  #finalizers:
+  #- resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    namespace: linkerd
+    server: 'https://kubernetes.default.svc'
+  sources:
+  - repoURL: {{ .Values.cluster_config.manifests }}
+    path: {{ .Values.cluster_config.policies }}/linkerd
+    targetRevision: HEAD
+  - repoURL: 'https://helm.linkerd.io/stable'
+    targetRevision: {{ .Values.linkerd.version }}
+    chart: linkerd-control-plane
+    helm:
+      values: |
+        identityTrustAnchorsPEM: {{- .Values.linkerd.trustAnchorPEM | toYaml | indent 7 }}
+        identity:
+          issuer:
+            scheme: {{ .Values.linkerd.secretScheme }}
+            {{- if .Values.linkerd.identityIssuerPEM }}
+            tls:
+              crtPEM: {{- .Values.linkerd.identityIssuerPEM | toYaml | indent 14 }} 
+            {{- end }}
+        policyValidator:
+          externalSecret: true
+          caBundle: {{- .Values.linkerd.webhookPEM | toYaml | indent 9 }}  
+        proxyInjector:
+          externalSecret: true
+          caBundle: {{- .Values.linkerd.webhookPEM | toYaml | indent 9 }}  
+        profileValidator:
+          externalSecret: true
+          caBundle: {{- .Values.linkerd.webhookPEM | toYaml | indent 9 }}  
+
+  project: sys
+  syncPolicy:
+    managedNamespaceMetadata:
+      labels:
+        component: sys
+    syncOptions:
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+    {{- if .Values.linkerd.autosync }}
+    automated:
+      prune: true
+      # selfHeal: false
+    {{- end }}
+  ignoreDifferences:
+  - group: batch
+    kind: CronJob
+    jsonPointers:
+      - /spec/schedule
+  - kind: Secret
+    name:  linkerd-proxy-injector-k8s-tls
+    jsonPointers:
+    - /data/tls.crt
+    - /data/tls.key
+  - kind: Secret
+    name:  linkerd-sp-validator-k8s-tls
+    jsonPointers:
+    - /data/tls.crt
+    - /data/tls.key
+  - kind: Secret
+    name:  linkerd-tap-k8s-tls
+    jsonPointers:
+    - /data/tls.crt
+    - /data/tls.key
+  - kind: Secret
+    name:  linkerd-policy-validator-k8s-tls
+    jsonPointers:
+    - /data/tls.crt
+    - /data/tls.key
+  - group: admissionregistration.k8s.io
+    kind: MutatingWebhookConfiguration
+    name: linkerd-proxy-injector-webhook-config
+    jqPathExpressions:
+      - '.webhooks[0].clientConfig.caBundle'
+  - group: admissionregistration.k8s.io
+    kind: ValidatingWebhookConfiguration
+    name: linkerd-sp-validator-webhook-config
+    jqPathExpressions:
+      - '.webhooks[0].clientConfig.caBundle'
+  - group: admissionregistration.k8s.io
+    kind: ValidatingWebhookConfiguration
+    name: linkerd-policy-validator-webhook-config
+    jqPathExpressions:
+      - '.webhooks[0].clientConfig.caBundle'
+  - group: apiregistration.k8s.io/v1
+    kind: APIService
+    name: v1alpha1.tap.linkerd.io
+    jsonPointers:
+    - /spec/caBundle
+{{ end }}

apps/templates/loki.yaml

@@ -0,0 +1,145 @@
+{{ if .Values.loki.enabled }}
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: loki
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    namespace: loki
+    server: 'https://kubernetes.default.svc'
+  sources:
+  - repoURL: {{ .Values.cluster_config.manifests }}
+    path: {{ .Values.cluster_config.policies }}/loki
+    targetRevision: HEAD
+  - repoURL: 'https://grafana.github.io/helm-charts'
+    targetRevision: {{ .Values.loki.version }}
+    chart: loki
+    helm:
+      values: |
+        loki:
+          auth_enabled: false
+          storage:
+            bucketNames:
+              chunks: {{ .Values.loki.buckets.chunks }}
+              ruler: {{ .Values.loki.buckets.ruler }}
+              admin: {{ .Values.loki.buckets.admin }}
+            s3:
+              endpoint: {{ .Values.loki.s3.endpoint | default "https://s3.production.itpartner.no" }}
+              region: {{ .Values.loki.s3.region | default "us-east-1" }}
+              secretAccessKey: ${S3SECRET}
+              accessKeyId: ${S3KEY}
+              s3ForcePathStyle: true
+              {{- if .Values.loki.s3.insecure_skip_verify }}
+              http_config:
+                insecure_skip_verify: true
+              {{- end }}
+          schemaConfig:
+            configs:
+            - from: "2022-09-28"
+              index:
+                period: 24h
+                prefix: loki_index_
+              object_store: s3
+              schema: v13
+              store: tsdb
+          {{- if .Values.loki.compactor }}
+          compactor:
+            compaction_interval: 10m
+            working_directory: /tmp/loki/compactor
+            retention_enabled: true
+            retention_delete_delay: 2h
+            retention_delete_worker_count: 150
+            delete_request_store: s3
+          {{- end }}
+        write:
+          extraArgs:
+            - -config.expand-env=true
+          extraEnv:
+          - name: S3KEY
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Values.loki.secret.name | default "s3-credentials"}}
+                key: {{ .Values.loki.secret.access_key | default "access_key" }}
+          - name: S3SECRET
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Values.loki.secret.name | default "s3-credentials"}}
+                key: {{ .Values.loki.secret.access_key | default "access_secret" }}
+          tolerations:
+          - effect: "NoSchedule"
+            operator: "Equal"
+            key: "unschedulable"
+            value: "true"
+        read:
+          extraArgs:
+            - -config.expand-env=true
+          extraEnv:
+          - name: S3KEY
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Values.loki.secret.name | default "s3-credentials"}}
+                key: {{ .Values.loki.secret.access_key | default "access_key" }}
+          - name: S3SECRET
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Values.loki.secret.name | default "s3-credentials"}}
+                key: {{ .Values.loki.secret.access_key | default "access_secret" }}
+          tolerations:
+          - effect: "NoSchedule"
+            operator: "Equal"
+            key: "unschedulable"
+            value: "true"
+        {{- if .Values.loki.compactor }}
+        compactor:
+          extraArgs:
+            - -config.expand-env=true
+          extraEnv:
+          - name: S3KEY
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Values.loki.secret.name | default "s3-credentials"}}
+                key: {{ .Values.loki.secret.access_key | default "access_key" }}
+          - name: S3SECRET
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Values.loki.secret.name | default "s3-credentials"}}
+                key: {{ .Values.loki.secret.access_key | default "access_secret" }}
+        {{- end }}
+        backend:
+          extraArgs:
+            - -config.expand-env=true
+          extraEnv:
+          - name: S3KEY
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Values.loki.secret.name | default "s3-credentials"}}
+                key: {{ .Values.loki.secret.access_key | default "access_key" }}
+          - name: S3SECRET
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Values.loki.secret.name | default "s3-credentials"}}
+                key: {{ .Values.loki.secret.access_key | default "access_secret" }}
+  project: sys
+  ignoreDifferences:
+  - group: apps
+    kind: StatefulSet
+    jsonPointers:
+    - /spec/persistentVolumeClaimRetentionPolicy
+  syncPolicy:
+    managedNamespaceMetadata:
+      labels:
+        component: sys
+    syncOptions:
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+    {{- if .Values.loki.autosync }}
+    automated:
+      prune: true
+      # selfHeal: false
+    {{- end }}
+{{ end }}

apps/templates/mariadb-operator.yaml

@@ -0,0 +1,46 @@
+{{- if .Values.mariadb_operator.enabled }}
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: mariadb-operator
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "-1"
+spec:
+  destination:
+    namespace: mariadb-operator
+    server: 'https://kubernetes.default.svc'
+  sources:
+  - repoURL: {{ .Values.cluster_config.manifests }}
+    path: {{ .Values.cluster_config.policies }}/mariadb-operator
+    targetRevision: HEAD
+  - repoURL: 'https://helm.mariadb.com/mariadb-operator'
+    targetRevision: {{ .Values.mariadb_operator.version }}
+    chart: mariadb-operator
+    helm:
+      values: |
+        ha:
+          enabled: false
+        metrics:
+          enabled: true
+          serviceMonitor:
+            additionalLabels:
+              release: prometheus
+            enabled: true
+        webhook:
+          certificate:
+            certManager: false
+          serviceMonitor:
+            additionalLabels:
+              release: prometehus
+  project: sys
+  syncPolicy:
+    syncOptions:
+    - CreateNamespace=true
+    - ServerSideApply=true
+    {{- if .Values.mariadb_operator.autosync }}
+    automated:
+      prune: true
+      # selfHeal: false
+    {{- end }}
+{{- end }}

apps/templates/metricserver.yaml

@@ -0,0 +1,39 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: metrics-server
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    namespace: kube-system
+    server: 'https://kubernetes.default.svc'
+  source:
+    repoURL: 'https://kubernetes-sigs.github.io/metrics-server/'
+    targetRevision: {{ .Values.metrics_server.version }}
+    chart: metrics-server
+    helm:
+      values: |
+        containerPort: 10250
+        resources: 
+          requests:
+            cpu: 100m
+            memory: 200Mi
+        {{- if .Values.metrics_server.ignoreTLS }}
+        args:
+          - "--kubelet-insecure-tls"
+        {{- end }}
+  project: sys
+  syncPolicy:
+    managedNamespaceMetadata:
+      labels:
+        component: sys
+    syncOptions:
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+    {{- if .Values.metrics_server.autosync }}
+    automated:
+      prune: true
+      # selfHeal: false
+    {{- end }}

apps/templates/nfs-provisioner.yaml

@@ -0,0 +1,46 @@
+{{- if .Values.nfs_provisioner.enabled }}
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: nfs-provisioner
+  namespace: argocd
+spec:
+  destination:
+    namespace: kube-system
+    server: 'https://kubernetes.default.svc'
+  source:
+  #- repoURL: {{ .Values.cluster_config.manifests }}
+  #  path: {{ .Values.cluster_config.policies }}/nfs-provisioner
+  #  targetRevision: HEAD
+    repoURL: 'https://kubernetes-sigs.github.io/nfs-subdir-external-provisioner/'
+    targetRevision: {{ .Values.nfs_provisioner.version }}
+    chart: nfs-subdir-external-provisioner
+    helm:
+      values: |
+        nfs:
+          server: {{ .Values.cluster_config.fileserver }}
+          path: /{{ default (.Values.cluster_config.cluster) .Values.nfs_provisioner.path }}
+          mountOptions:
+            - nfsvers=4.2
+            {{- range .Values.nfs_provisioner.extraMountOpts }}
+            - {{ . }}
+            {{- end }}
+        storageClass:
+          defaultClass: {{ .Values.nfs_provisioner.defaultClass}}
+          name: managed-nfs-storage
+          archiveOnDelete: {{ .Values.nfs_provisioner.archiveOnDelete }}
+        tolerations:
+           - key: unschedulable
+             operator: Exists
+             effect: NoSchedule
+  project: sys
+  syncPolicy:
+    syncOptions:
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+    {{- if .Values.nfs_provisioner.autosync }}
+    automated:
+      prune: true
+      # selfHeal: false
+    {{- end }}
+{{- end }}

apps/templates/oncall.yaml

@@ -0,0 +1,104 @@
+{{ if .Values.oncall.enabled }}
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: oncall
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    namespace: prometheus
+    server: 'https://kubernetes.default.svc'
+  project: sys
+  syncPolicy:
+    managedNamespaceMetadata:
+      labels:
+        component: sys
+    syncOptions:
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+    {{ if .Values.oncall.autosync }}
+    automated:
+      prune: true
+      # selfHeal: false
+    {{ end }}
+  sources:
+#  - repoURL: {{ .Values.cluster_config.manifests }}
+#    path: {{ .Values.cluster_config.policies }}/oncall
+#    targetRevision: HEAD
+  - repoURL: 'https://grafana.github.io/helm-charts'
+    targetRevision: '{{ .Values.oncall.version }}'
+    chart: oncall
+    helm:
+      values: |
+        base_url: oncall.{{ .Values.cluster_config.domain }}
+        base_url_protocol: https
+        image:
+          repository: grafana/oncall
+          pullPolicy: IfNotPresent
+        ingress-nginx:
+           enabled: false
+        cert-manager:
+           enabled: false
+           installCRDs: false
+        ingress:
+          enabled: true
+          ingressClassName: nginx
+          annotations:
+            cert-manager.io/cluster-issuer: {{ .Values.cluster_config.ingress_clusterissuer }}
+            nginx.ingress.kubernetes.io/ssl-redirect: "true"
+            {{- with .Values.cluster_config.ingress_whitelist_ips }}
+            nginx.ingress.kubernetes.io/whitelist-source-range: {{ join "," . }}
+            {{- end }}
+          path: /
+          pathType: Prefix
+          hosts:
+            - oncall.{{ .Values.cluster_config.domain }}
+          tls:
+            - secretName: oncall-tls
+              hosts:
+                - oncall.{{ .Values.cluster_config.domain }}
+
+        {{- if .Values.oncall.slack }}
+        oncall:
+          slack:
+            enabled: true
+            clientId: {{ .Values.oncall.slack.clientId }}
+            clientSecret: {{ .Values.oncall.slack.clientSecret }}
+            signingSecret: {{ .Values.oncall.slack.signingSecret }}
+            redirectHost: https://oncall.{{ .Values.cluster_config.domain }}
+        {{- end }}
+
+        {{- if .Values.oncall.smtp }}
+        oncall:
+          smtp:
+            enabled: true
+            host: {{ .Values.oncall.smtp.host }}
+            port: {{ .Values.oncall.smtp.port }}
+            username: {{ .Values.oncall.smtp.username }}
+            password: {{ .Values.oncall.smtp.password }}
+            tls: {{ .Values.oncall.smtp.tls }}
+            fromEmail: {{ .Values.oncall.smtp.fromEmail }}
+        {{- end }}
+        database:
+          type: postgresql
+        postgresql:
+          enabled: true
+          auth:
+            database: oncall
+        mariadb:
+          enabled: false
+        redis:
+          enabled: true
+        broker:
+           type: rabbitmq
+        rabbitmq:
+          enabled: true
+        grafana:
+          enabled: false
+        externalGrafana:
+          url: {{ .Values.oncall.externalGrafana.url }}
+{{- end }}

apps/templates/openfga.yaml

@@ -0,0 +1,43 @@
+{{ if .Values.openfga.enabled }}
+{{- range .Values.atlantis.envs }}
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: prod-openfga
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    namespace: openfga
+    server: https://kubernetes.default.svc
+  project: aux
+  # ignoreDifferences:
+  # - group: apps
+  #   kind: StatefulSet
+  #   jsonPointers:
+  #   - /spec/persistentVolumeClaimRetentionPolicy
+  syncPolicy:
+    managedNamespaceMetadata:
+      labels:
+        component: aux
+    syncOptions:
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+    automated:
+      prune: true
+      selfHeal: true
+  sources:
+  - repoURL: https://openfga.github.io/helm-charts
+    targetRevision: 0.2.21
+    chart: openfga
+    helm:
+      valueFiles:
+      - $values/values/openfga/values-prod.yaml
+  - repoURL: https://gitlab.com/oceanbox/manifests.git
+    targetRevision: main
+    ref: values
+{{- end }}
+{{- end }}

apps/templates/osm-tile-server.yaml

@@ -0,0 +1,36 @@
+{{- if .Values.osm-tile-server.enabled }}
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: osm-tile-server
+  namespace: argocd
+spec:
+  generators:
+  - list:
+      elements:
+      - cluster: https://kubernetes.default.svc
+        env: prod
+        hostname: osm.srv.oceanbox.io
+      - cluster: https://staging-vcluster.staging-vcluster
+        env: staging
+        hostname: osm.beta.oceanbox.io
+  template:
+    metadata:
+      name: '{{- env }}-osm-tile-server'
+    spec:
+      project: aux
+      destination:
+        namespace: oceanbox
+        server: '{{- cluster }}'
+      source:
+        repoURL: https://gitlab.com/oceanbox/manifests.git
+        targetRevision: HEAD
+        path: values/osm-tile-server
+        plugin:
+          name: kustomize-helm-with-rewrite
+          parameters:
+          - name: env
+            string: '{{- env }}'
+          - name: hostname
+            string: '{{- hostname }}'
+{{- end }}

apps/templates/otel-collector.yaml

@@ -0,0 +1,117 @@
+{{ if .Values.otel.enabled }}
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: opentelemetry-collector
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    namespace: otel
+    server: 'https://kubernetes.default.svc'
+  project: sys
+  syncPolicy:
+    managedNamespaceMetadata:
+      labels:
+        component: sys
+    syncOptions:
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+    {{- if .Values.otel.autosync }}
+    automated:
+      prune: true
+      # selfHeal: true
+    {{- end }}
+  sources:
+  - repoURL: '{{ .Values.cluster_config.manifests }}'
+    path: {{ .Values.cluster_config.policies }}/otel
+    targetRevision: HEAD
+  - repoURL: 'https://open-telemetry.github.io/opentelemetry-helm-charts'
+    targetRevision: {{ .Values.otel.version }}
+    chart: opentelemetry-collector
+    helm:
+      values: |
+        mode: deployment
+        image:
+          repository: otel/opentelemetry-collector-k8s
+        config:
+          receivers:
+            prometheus/collector:
+              config:
+                scrape_configs:
+                  - job_name: 'opentelemetry-collector'
+                    static_configs:
+                      - targets:
+                         - ${env:MY_POD_IP}:8888
+            zipkin:
+              endpoint: ${env:MY_POD_IP}:9411
+          exporters:
+            otlp:
+              endpoint: "tempo.tempo.svc:4317"
+              tls:
+                insecure: true
+            ## 
+            otlphttp/metrics:
+              endpoint: http://prom-prometheus.prometheus:9090/api/v1/otlp
+              tls:
+                insecure: true
+            otlphttp/logs:
+              endpoint: http://loki-write-headless.loki:3100/otlp
+              tls:
+                insecure: true
+            ## Detailed? make toggleable with values
+            debug/metrics:
+              verbosity: detailed
+            debug/traces:
+              verbosity: detailed
+            debug/logs:
+              verbosity: detailed
+          service:
+            telemetry:
+              logs:
+                level: "info"
+            pipelines:
+              traces:
+                receivers: [otlp,zipkin]
+                processors: [batch]
+                exporters: [otlp]
+                # exporters: [otlphttp/traces,debug/traces]
+              metrics:
+                receivers: [otlp,prometheus/collector]
+                processors: [batch]
+                exporters: [otlphttp/metrics]
+                # exporters: [otlphttp/metrics,debug/metrics]
+              logs:
+                receivers: [otlp]
+                processors: [batch]
+                exporters: [otlphttp/logs]
+                # exporters: [otlphttp/logs,debug/logs]
+        ports:
+          metrics:
+            enabled: true
+        # presets:
+        #   logsCollection:
+        #     enabled: true
+        ingress:
+          enabled: true
+          ingressClassName: nginx
+          annotations:
+              cert-manager.io/cluster-issuer: {{ .Values.cluster_config.ingress_clusterissuer }}
+              nginx.ingress.kubernetes.io/ssl-redirect: "true"
+              {{- with .Values.cluster_config.ingress_whitelist_ips }}
+              nginx.ingress.kubernetes.io/whitelist-source-range: {{ join "," . }}
+              {{- end }}
+          hosts:
+            - host: opentelemetry-collector.{{ .Values.cluster_config.domain }}
+              paths:
+                - path: /
+                  pathType: Prefix
+                  port: 4318
+          tls:
+            - secretName: collector-tls
+              hosts:
+                - opentelemetry-collector.{{ .Values.cluster_config.domain }}
+{{ end }}

apps/templates/plausible.yaml

@@ -0,0 +1,69 @@
+{{- if .Values.plausible.enabled }}
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: plausible-analytics
+  namespace: argocd
+spec:
+  destination:
+    namespace: plausible
+    server: 'https://kubernetes.default.svc'
+  sources:
+  - repoURL: 'https://imio.github.io/helm-charts'
+    targetRevision: 0.3.3
+    chart: plausible-analytics
+    helm:
+      values: |
+        baseURL: https://plausible.adm.oceanbox.io
+        databaseURL: postgres://app:password@plausible-db-rw:5432/app
+        postgresql:
+          enabled: false
+        ingress:
+          enabled: true
+          ingressClassName: nginx
+          annotations:
+            cert-manager.io/cluster-issuer: letsencrypt-production
+            nginx.ingress.kubernetes.io/ssl-redirect: "true"
+            nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,172.19.255.0/24,148.122.135.23
+          hosts:
+            - plausible.adm.oceanbox.io
+          paths:
+          - /
+          pathType: ImplementationSpecific
+          tls:
+          - secretName: plausible-tls
+            hosts:
+            - plausible.adm.oceanbox.io
+  project: aux
+  syncPolicy:
+    managedNamespaceMetadata:
+      labels:
+        component: aux
+    syncOptions:
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+    automated:
+      prune: true
+      selfHeal: true
+  ignoreDifferences:
+    - kind: Secret
+      name: plausible-analytics
+      jqPathExpressions:
+        - '.data'
+        - '.metadata.labels'
+        - '.metadata.annotations'
+---
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+  name: plausible-db
+  namespace: plausible
+spec:
+  imageName: ghcr.io/cloudnative-pg/postgresql:16.3
+  primaryUpdateStrategy: unsupervised
+  instances: 1
+  monitoring:
+    enablePodMonitor: true
+  storage:
+    size: 10Gi
+{{- end }}

apps/templates/policies/cnpg-add-backup-section.yaml

@@ -0,0 +1,52 @@
+{{- if and (.Values.kyverno.enabled) (.Values.postgres_operator.enabled) (.Values.velero.enabled) }}
+apiVersion : kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: cnpg-add-backup-section
+  annotations:
+    policies.kyverno.io/title: add backup section to cnpg cluster spec
+    policies.kyverno.io/category: Other
+    policies.kyverno.io/severity: medium
+    kyverno.io/kyverno-version: 1.6.0
+    policies.kyverno.io/minversion: 1.6.0
+    kyverno.io/kubernetes-version: "1.23"
+    policies.kyverno.io/subject: Cluster
+    policies.kyverno.io/description: >-
+      When a CNPG cluster is created, a backup section should be added.
+      The user can then create their own backup or backup schedule.
+spec:
+  background: false
+  rules:
+  - name: cnpg-add-backup-section
+    match:
+      any:
+      - resources:
+          kinds:
+          - Cluster
+    exclude:
+      any:
+      - resources:
+         kinds:
+          - Cluster
+         names:
+           - "review-*"
+    mutate:
+      patchStrategicMerge:
+        spec:
+          backup:
+            barmanObjectStore:
+              destinationPath: s3://{{ .Values.velero.bucket }}/{{ .Values.cluster_config.cluster }}/cnpg-backup
+              serverName: {{` "{{ request.object.metadata.name }}"`}}
+              endpointURL: https://s3.production.itpartner.no
+              s3Credentials:
+                accessKeyId:
+                  key: access_key
+                  name: s3-credentials
+                inheritFromIAMRole: false
+                secretAccessKey:
+                  key: access_secret
+                  name: s3-credentials
+              wal:
+                compression: snappy
+{{- end }}
+

apps/templates/policies/cnpg-clone-secrets.yaml

@@ -0,0 +1,36 @@
+{{- if and (.Values.kyverno.enabled) (.Values.postgres_operator.enabled) (.Values.velero.enabled) }}
+apiVersion : kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: cnpg-clone-s3-credentials
+  annotations:
+    policies.kyverno.io/title: add backup section to cnpg cluster spec
+    policies.kyverno.io/category: Other
+    policies.kyverno.io/severity: medium
+    kyverno.io/kyverno-version: 1.6.0
+    policies.kyverno.io/minversion: 1.6.0
+    kyverno.io/kubernetes-version: "1.23"
+    policies.kyverno.io/subject: Cluster
+    policies.kyverno.io/description: >-
+      When a CNPG cluster is created, s3 credentials and CA secrets
+      should be synced from the velero namespace
+spec:
+  background: false
+  rules:
+  - name: clone-s3-credentials
+    match:
+      any:
+      - resources:
+          kinds:
+          - Cluster
+    generate:
+      apiVersion: v1
+      kind: Secret
+      name: s3-credentials
+      namespace: {{` "{{request.object.metadata.namespace}}" `}}
+      synchronize: true
+      clone:
+        namespace: velero
+        name: s3-credentials
+{{- end }}
+

apps/templates/policies/generate-external-admin-rolebinding.yaml

@@ -0,0 +1,55 @@
+{{- if and (.Values.cluster_config.external_kubectl_access.enabled) (.Values.kyverno.enabled) }}
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: generate-external-admin-rolebinding
+  annotations:
+    policies.kyverno.io/title: Generate cluster-Admin rolebinding customer namespaces
+    policies.kyverno.io/category: other
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/subject: Namespace, RoleBinding
+    kyverno.io/kyverno-version: 1.7.0
+    policies.kyverno.io/minversion: 1.7.0
+    kyverno.io/kubernetes-version: "1.23"
+    policies.kyverno.io/description: >-
+      Customers should not have full admin permissions on their own namespaces.  
+      This policy will generate a RoleBinding, binding their group_id to 
+      the Cluster-Admin clusterrole. This will still only apply to the namespace as
+      the resource is a rolebinding, not clusterrolebinding.
+      This policy should not trigger on any namespaces with label component=sys
+spec:
+  generateExistingOnPolicyUpdate: true
+  rules:
+  - name: generate-rolebinding
+    match:
+      any:
+      - resources:
+          kinds:
+          - Namespace
+    exclude:
+      any:
+      - resources:
+          kinds:
+          - Namespace
+          selector:
+            matchLabels:
+              component: sys
+    generate:
+      apiVersion: rbac.authorization.k8s.io/v1
+      kind: RoleBinding
+      name: external-ns-admin
+      namespace: {{` "{{request.object.metadata.name}}" `}}
+      synchronize: true
+      data:
+        metadata:
+          labels:
+            created-by: kyverno
+        roleRef:
+          apiGroup: rbac.authorization.k8s.io
+          kind: ClusterRole
+          name: cluster-admin
+        subjects:
+        - apiGroup: rbac.authorization.k8s.io
+          kind: Group
+          name: {{ .Values.cluster_config.external_kubectl_access.admin_group }}
+{{- end }}

apps/templates/policies/prometheus-add-folder-to-default-dashboards.yaml

@@ -0,0 +1,32 @@
+{{- if and (.Values.kyverno.enabled) (.Values.prometheus.enabled) }}
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+  name: prometheus-stack-default-dashboard-folder
+  namespace: prometheus
+spec:
+  admission: true
+  background: true
+  mutateExistingOnPolicyUpdate: true
+  rules:
+  - match:
+      any:
+      - resources:
+          kinds:
+          - ConfigMap
+          selector:
+            matchLabels:
+              app.kubernetes.io/part-of: kube-prometheus-stack
+    mutate:
+      patchStrategicMerge:
+        metadata:
+          annotations:
+            grafana_folder: Prometheus-stack
+      targets:
+      - apiVersion: v1
+        kind: ConfigMap        
+        name: "{{`{{ request.object.metadata.name }}`}}"
+    name: generate-dashboard-folder-annotation
+    skipBackgroundRequests: true
+  validationFailureAction: Audit
+{{- end }}

apps/templates/policies/sync-gitlab.yaml

@@ -0,0 +1,31 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: sync-gitlab-secret
+  annotations:
+    policies.kyverno.io/title: Sync Secrets
+    policies.kyverno.io/category: Sample
+    policies.kyverno.io/subject: Secret
+    policies.kyverno.io/description: >-
+      Secrets like registry credentials often need to exist in multiple
+      Namespaces so Pods there have access. Manually duplicating those Secrets
+      is time consuming and error prone. This policy will copy a
+      Secret called `regcred` which exists in the `default` Namespace to
+      new Namespaces when they are created. It will also push updates to
+      the copied Secrets should the source Secret be changed.
+spec:
+  rules:
+  - name: sync-image-pull-secret
+    match:
+      resources:
+        kinds:
+        - Namespace
+    generate:
+      apiVersion: v1
+      kind: Secret
+      name: regcred
+      namespace: "{{`{{request.object.metadata.name}}`}}"
+      synchronize: true
+      clone:
+        namespace: default
+        name: gitlab-pull-secret

apps/templates/policies/sync-regcred.yaml

@@ -0,0 +1,33 @@
+{{- if .Values.kyverno.enabled }}
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: sync-regcred-secret
+  annotations:
+    policies.kyverno.io/title: Sync Secrets
+    policies.kyverno.io/category: Sample
+    policies.kyverno.io/subject: Secret
+    policies.kyverno.io/description: >-
+      Secrets like registry credentials often need to exist in multiple
+      Namespaces so Pods there have access. Manually duplicating those Secrets
+      is time consuming and error prone. This policy will copy a
+      Secret called `regcred` which exists in the `default` Namespace to
+      new Namespaces when they are created. It will also push updates to
+      the copied Secrets should the source Secret be changed.            
+spec:
+  rules:
+  - name: sync-image-pull-secret
+    match:
+      resources:
+        kinds:
+        - Namespace
+    generate:
+      apiVersion: v1
+      kind: Secret
+      name: regcred
+      namespace: "{{`{{request.object.metadata.name}}`}}"
+      synchronize: true
+      clone:
+        namespace: default
+        name: regcred
+{{- end }}

apps/templates/policies/sync-s3-secret.yaml

@@ -0,0 +1,33 @@
+{{- if .Values.kyverno.enabled }}
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  annotations:
+    policies.kyverno.io/description: 'This policy will sync the s3 secret in kube-system namespace across namespaces'
+    policies.kyverno.io/subject: Secret
+    policies.kyverno.io/title: Sync s3 Secrets
+  name: sync-s3-credentials
+spec:
+  generateExistingOnPolicyUpdate: true
+  background: true
+  rules:
+  - generate:
+      apiVersion: v1
+      clone:
+        name: s3-credentials
+        namespace: kube-system
+      kind: Secret
+      name: s3-credentials
+      namespace: '{{`{{request.object.metadata.name}}`}}'
+      synchronize: true
+    match:
+      resources:
+        kinds:
+        - Namespace
+        names:
+        - "velero"
+        - "loki"
+        - "tempo"
+    name: sync-s3-secret
+  validationFailureAction: audit
+{{- end }}

apps/templates/policies/whitelist-internal-ingresses.yaml

@@ -0,0 +1,73 @@
+{{- if .Values.kyverno.enabled }}
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: whitelist-internal-ingresses
+  annotations:
+    policies.kyverno.io/title: Concatenate Ingresss
+    policies.kyverno.io/category: Other
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/subject: Ingress
+    policies.kyverno.io/description: >-
+      Ingresses with the label "internal=true" should be whitelisted. 
+      If no whitelist exists, add the default values, otherwise append 
+      whitelist to the already existing ones
+spec:
+  mutateExistingOnPolicyUpdate: false
+  #precondition: has whitelist annotation or 
+  rules:
+  - name: ensure-nginx-whitelist-exists
+    match:
+      resources:
+        kinds:
+          - Ingress
+        selector:
+          matchLabels:
+            internal: "true"
+    mutate:
+      patchStrategicMerge:
+        metadata:
+          annotations:
+            +(nginx.ingress.kubernetes.io/whitelist-source-range): ""
+  - name: append-existing-whitelist
+    match:
+      resources:
+        kinds:
+          - Ingress
+        selector:
+          matchLabels:
+            internal: "true"
+    preconditions:
+      any:
+      - key: "{{`{{request.object.metadata.annotations.\"nginx.ingress.kubernetes.io/whitelist-source-range\"}}`}}"
+        operator: NotEquals
+        value: ""
+    mutate:
+      patchStrategicMerge:
+        metadata:
+          annotations:
+            {{- with .Values.cluster_config.ingress_whitelist_ips }}
+            nginx.ingress.kubernetes.io/whitelist-source-range: "{{`{{ @ }}`}},{{ join "," . }}"
+            {{- end }}
+  - name: add-nginx-whitelist
+    match:
+      resources:
+        kinds:
+          - Ingress
+        selector:
+          matchLabels:
+            internal: "true"
+    preconditions:
+      any:
+      - key: "{{`{{request.object.metadata.annotations.\"nginx.ingress.kubernetes.io/whitelist-source-range\"}}`}}"
+        operator: Equals
+        value: ""
+    mutate:
+      patchStrategicMerge:
+        metadata:
+          annotations:
+            {{- with .Values.cluster_config.ingress_whitelist_ips }}
+            nginx.ingress.kubernetes.io/whitelist-source-range: "{{ join "," . }}"
+            {{- end }}
+{{- end }}
+

apps/templates/postgres-operator.yaml

@@ -0,0 +1,39 @@
+{{ if .Values.postgres_operator.enabled }}
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: postgres-operator
+  namespace: argocd
+spec:
+  destination:
+    namespace: cnpg
+    server: 'https://kubernetes.default.svc'
+  sources:
+  - repoURL: {{ .Values.cluster_config.manifests }}
+    path: {{ .Values.cluster_config.policies }}/cnpg
+    targetRevision: HEAD
+  - repoURL: 'https://cloudnative-pg.github.io/charts'
+    targetRevision: {{ .Values.postgres_operator.version }}
+    chart: cloudnative-pg
+    helm:
+      values: |
+        additionalArgs: []
+        config:
+          data:
+            INHERITED_ANNOTATIONS: "linkerd.io/*"
+            INHERITED_LABELS: "velero.io/*"
+  project: sys
+  syncPolicy:
+    managedNamespaceMetadata:
+      labels:
+        component: sys
+    syncOptions:
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+      - ServerSideApply=true
+    {{- if .Values.postgres_operator.version }}
+    automated:
+      # selfHeal: false
+      prune: true
+    {{- end }}
+{{ end }}

apps/templates/prometheus-thanos.yaml

@@ -0,0 +1,342 @@
+{{ if .Values.thanos.enabled }}
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: thanos
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    namespace: thanos
+    server: 'https://kubernetes.default.svc'
+  source:
+    repoURL: 'https://charts.bitnami.com/bitnami'
+    targetRevision: {{ .Values.thanos.version }}
+    chart: thanos
+    helm:
+      values: |
+        ## Handled by sealed secret now, and uses minio root user
+        #objstoreConfig: |-
+        #  type: s3
+        #  config:
+        #    bucket: thanos
+        #    endpoint: thanos-minio.thanos.svc.cluster.local:9000
+        #    access_key: "thanos"
+        #    secret_key: "en to tre fire"
+        #    insecure: true
+
+         ## @param indexCacheConfig The [index cache configuration](https://thanos.io/components/store.md/)
+         ## Specify content for index-cache.yml
+        indexCacheConfig: ""
+         ## @param bucketCacheConfig The [bucket cache configuration](https://thanos.io/components/store.md/)
+         ## Specify content for bucket-cache.yml
+         ##
+        bucketCacheConfig: ""
+         ## @param existingObjstoreSecret Secret with Objstore Configuration
+         ## Note: This will override objstoreConfig
+         ##
+        existingObjstoreSecret: "thanos-objstore-secret"
+        existingObjstoreSecretItems: []
+        existingServiceAccount: ""
+
+        query:
+          enabled: true
+          stores:
+              - {{ .Values.prometheus.fullname | default "prometheus-kube-prometheus" }}-prometheus.prometheus.svc:10901
+              - thanos-envoy:10000
+              - thanos-envoy:10002
+              - thanos-envoy:11000
+          ingress:
+            enabled: true
+            certManager: false
+            hostname: thanos.{{ .Values.cluster_config.domain }}
+            ingressClassName: "nginx"
+            annotations:
+              cert-manager.io/cluster-issuer: {{ .Values.cluster_config.ingress_clusterissuer }}
+              nginx.ingress.kubernetes.io/backend-protocol: HTTP
+              nginx.ingress.kubernetes.io/proxy-body-size: 1024m
+              nginx.ingress.kubernetes.io/ssl-redirect: "true"
+              nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,172.19.255.0/24
+            ## extraHosts:
+            ## - name: thanos.local
+            ##   path: /
+            ##   pathType: ImplementationSpecific
+            ##
+            extraHosts: []
+            extraTls:
+             - hosts:
+                 - thanos.{{ .Values.cluster_config.domain }}
+               secretName: thanos-tls
+
+         ## @section Thanos Query Frontend parameters
+
+        queryFrontend:
+          enabled: true
+          ingress:
+            enabled: true
+            certManager: false
+            hostname: thanos-query.{{ .Values.cluster_config.domain }}
+            ingressClassName: "nginx"
+            annotations:
+              cert-manager.io/cluster-issuer: {{ .Values.cluster_config.ingress_clusterissuer }}
+              nginx.ingress.kubernetes.io/backend-protocol: HTTP
+              nginx.ingress.kubernetes.io/proxy-body-size: 1024m
+              nginx.ingress.kubernetes.io/ssl-redirect: "true"
+              nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,172.19.255.0/24
+            ## extraHosts:
+            ## - name: thanos.local
+            ##   path: /
+            ##   pathType: ImplementationSpecific
+            ##
+            extraHosts: []
+            extraTls:
+             - hosts:
+                 - thanos-query.{{ .Values.cluster_config.domain }}
+               secretName: thanos-query-tls
+
+         ## @section Thanos Bucket Web parameters
+
+        bucketweb:
+          enabled: true
+          ingress:
+            enabled: true
+            certManager: false
+            hostname: thanos-bucketweb.{{ .Values.cluster_config.domain }}
+            ingressClassName: "nginx"
+            annotations:
+              cert-manager.io/cluster-issuer: {{ .Values.cluster_config.ingress_clusterissuer }}
+              nginx.ingress.kubernetes.io/backend-protocol: HTTP
+              nginx.ingress.kubernetes.io/proxy-body-size: 1024m
+              nginx.ingress.kubernetes.io/ssl-redirect: "true"
+              nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,172.19.255.0/24
+            ## extraHosts:
+            ## - name: thanos-bucketweb.local
+            ##   path: /
+            ##   pathType: ImplementationSpecific
+            ##
+            extraHosts: []
+            extraTls:
+             - hosts:
+                 - thanos-bucketweb.{{ .Values.cluster_config.domain }}
+               secretName: thanos-bucketweb-tls
+
+         ## @section Thanos Compactor parameters
+
+        compactor:
+          enabled: true
+          ingress:
+            enabled: true
+            certManager: false
+            hostname: thanos-compactor.{{ .Values.cluster_config.domain }}
+            ingressClassName: "nginx"
+            annotations:
+              cert-manager.io/cluster-issuer: {{ .Values.cluster_config.ingress_clusterissuer }}
+              nginx.ingress.kubernetes.io/backend-protocol: HTTP
+              nginx.ingress.kubernetes.io/proxy-body-size: 1024m
+              nginx.ingress.kubernetes.io/ssl-redirect: "true"
+              nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,172.19.255.0/24
+            ## extraHosts:
+            ## - name: thanos.local
+            ##   path: /
+            ##   pathType: ImplementationSpecific
+            ##
+            extraHosts: []
+            extraTls:
+             - hosts:
+                 - thanos-compactor.{{ .Values.cluster_config.domain }}
+               secretName: thanos-compactor-tls
+          persistence:
+            enabled: true
+            storageClass: "local-storage"
+            accessModes:
+              - ReadWriteOnce
+            size: 8Gi
+
+         ## @section Thanos Store Gateway parameters
+
+        storegateway:
+          enabled: true
+
+          ingress:
+            enabled: true
+            certManager: false
+            hostname: thanos-storage.{{ .Values.cluster_config.domain }}
+            ingressClassName: "nginx"
+            annotations:
+              cert-manager.io/cluster-issuer: {{ .Values.cluster_config.ingress_clusterissuer }}
+              nginx.ingress.kubernetes.io/backend-protocol: HTTP
+              nginx.ingress.kubernetes.io/proxy-body-size: 1024m
+              nginx.ingress.kubernetes.io/ssl-redirect: "true"
+              nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,172.19.255.0/24
+            ## extraHosts:
+            ## - name: thanos.local
+            ##   path: /
+            ##   pathType: ImplementationSpecific
+            ##
+            extraHosts: []
+            extraTls:
+             - hosts:
+                 - thanos-storage.{{ .Values.cluster_config.domain }}
+               secretName: thanos-storage-tls
+          persistence:
+            enabled: true
+            storageClass: "local-storage"
+            accessModes:
+              - ReadWriteOnce
+            size: 8Gi
+
+         ## @section Thanos Ruler parameters
+
+        ruler:
+          enabled: true
+          alertmanagers:
+              - https://alertmanager.k1.itpartner.no
+              - https://alertmanager.k2.itpartner.no
+              - https://alertmanager.k0.itpartner.no
+          config: |-
+            groups:
+              - name: "metamonitoring"
+                rules:
+                  - alert: "PrometheusDown"
+                    expr: absent(up{container="prometheus",job="prometheus-kube-prometheus-prometheus",namespace="prometheus"})
+            global:
+              resolve_timeout: 5m
+            route:
+              receiver: pagerduty
+              group_by:
+              - alertname
+              routes:
+              - receiver: snitch
+                match:
+                  alertname: Watchdog
+                group_wait: 0s
+                group_interval: 1m
+                repeat_interval: 50s
+              group_wait: 60s
+              group_interval: 15m
+              repeat_interval: 24h
+            receivers:
+            - name: pagerduty
+              pagerduty_configs:
+              - routing_key: e67f3a24f11c450ad060128f20ffa5d1
+                url: https://events.pagerduty.com/v2/enqueue
+
+          ingress:
+            enabled: true
+            certManager: false
+            hostname: thanos-ruler.{{ .Values.cluster_config.domain }}
+            ingressClassName: "nginx"
+            annotations:
+              cert-manager.io/cluster-issuer: {{ .Values.cluster_config.ingress_clusterissuer }}
+              nginx.ingress.kubernetes.io/backend-protocol: HTTP
+              nginx.ingress.kubernetes.io/proxy-body-size: 1024m
+              nginx.ingress.kubernetes.io/ssl-redirect: "true"
+              nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,172.19.255.0/24
+            ## extraHosts:
+            ## - name: thanos.local
+            ##   path: /
+            ##   pathType: ImplementationSpecific
+            ##
+            extraHosts: []
+            extraTls:
+             - hosts:
+                 - thanos-ruler.{{ .Values.cluster_config.domain }}
+               secretName: thanos-ruler-tls
+          persistence:
+            enabled: true
+            storageClass: "local-storage"
+            accessModes:
+              - ReadWriteOnce
+            size: 8Gi
+
+         ## @section Thanos Receive parameters
+
+        receive:
+          enabled: false
+          mode: standalone
+          replicationFactor: 1
+          replicaLabel: replica
+          tsdbRetention: 15d
+          config:
+            - endpoints:
+              - "127.0.0.1:10901"
+          ingress:
+            enabled: true
+            certManager: false
+            hostname: thanos-receive.{{ .Values.cluster_config.domain }}
+            ingressClassName: "nginx"
+            annotations:
+              cert-manager.io/cluster-issuer: {{ .Values.cluster_config.ingress_clusterissuer }}
+              nginx.ingress.kubernetes.io/backend-protocol: HTTP
+              nginx.ingress.kubernetes.io/proxy-body-size: 1024m
+              nginx.ingress.kubernetes.io/ssl-redirect: "true"
+              nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,172.19.255.0/24
+            ## extraHosts:
+            ## - name: thanos.local
+            ##   path: /
+            ##   pathType: ImplementationSpecific
+            ##
+            extraHosts: []
+            extraTls:
+             - hosts:
+                 - thanos-receive.{{ .Values.cluster_config.domain }}
+               secretName: thanos-receive-tls
+          persistence:
+            enabled: true
+            storageClass: "local-storage"
+            accessModes:
+              - ReadWriteOnce
+            size: 8Gi
+
+         ## @section Metrics parameters
+
+        metrics:
+          enabled: true
+          serviceMonitor:
+            enabled: true
+
+         ## @section MinIO® chart parameters
+
+        minio:
+          enabled: true
+          accessKey:
+            password: "thanos"
+          secretKey:
+            password: "en to tre fire"
+          defaultBuckets: thanos
+          ingress:
+            enabled: true
+            certManager: false
+            hostname: thanos-minio.{{ .Values.cluster_config.domain }}
+            ingressClassName: "nginx"
+            annotations:
+              cert-manager.io/cluster-issuer: {{ .Values.cluster_config.ingress_clusterissuer }}
+              nginx.ingress.kubernetes.io/backend-protocol: HTTP
+              nginx.ingress.kubernetes.io/proxy-body-size: 1024m
+              nginx.ingress.kubernetes.io/ssl-redirect: "true"
+              nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,172.19.255.0/24
+            ## extraHosts:
+            ## - name: thanos.local
+            ##   path: /
+            ##   pathType: ImplementationSpecific
+            ##
+            extraHosts: []
+            extraTls:
+             - hosts:
+                 - thanos-minio.{{ .Values.cluster_config.domain }}
+               secretName: thanos-minio-tls
+  project: sys
+  syncPolicy:
+    managedNamespaceMetadata:
+      labels:
+        component: sys
+    syncOptions:
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+    {{- if .Values.prometheus.autosync }}
+    automated:
+      prune: true
+      # selfHeal: false
+    {{- end }}
+{{ end }}

apps/templates/prometheus.yaml

@@ -0,0 +1,625 @@
+{{- if .Values.prometheus.enabled }}
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: prometheus
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    namespace: prometheus
+    server: 'https://kubernetes.default.svc'
+  sources:
+  - repoURL: {{ .Values.cluster_config.manifests }}
+    path: {{ .Values.cluster_config.policies }}/prometheus
+    targetRevision: HEAD
+  - repoURL: 'https://prometheus-community.github.io/helm-charts'
+    targetRevision: '{{ .Values.prometheus.version }}'
+    chart: kube-prometheus-stack
+    helm:
+      skipCrds: true
+      values: |
+        crds:
+          enabled: false
+
+        fullnameOverride: {{ .Values.prometheus.fullname | default "prometheus-kube-prometheus" }}
+
+        {{- with .Values.prometheus.defaultRules }}
+        defaultRules:
+        {{- . | toYaml | nindent 10 }}
+        {{- end}}
+
+        ## Configuration for alertmanager
+        ## ref: https://prometheus.io/docs/alerting/alertmanager/
+        ##
+        alertmanager:
+          config:
+            route:
+              {{- if .Values.prometheus.alert_group_by }}
+              group_by:
+              {{- range .Values.prometheus.alert_group_by }}
+              - {{ . | quote }}
+              {{- end }}
+              {{- else }}
+              group_by: ["alertname"]
+              {{- end }}
+              group_wait: 60s
+              group_interval: 15m
+              repeat_interval: 24h
+              receiver: {{ .Values.prometheus.alert_receiver | default "pagerduty" }}
+              routes:
+              - match:
+                  alertname: Watchdog
+                group_wait: 0s
+                group_interval: 1m
+                repeat_interval: 50s
+                receiver: snitch
+              {{- if .Values.prometheus.oncallUrl}}
+              - match:
+                  alertname: .*
+                receiver: oncall
+                continue: true
+              {{- end }}
+            receivers:
+            - name: pagerduty
+              pagerduty_configs:
+              - routing_key: {{ default "key"  .Values.prometheus.pagerdutyRoutingKey }}
+                url: "https://events.pagerduty.com/v2/enqueue"
+                severity: {{`'{{ if .CommonLabels.severity }}{{ .CommonLabels.severity | toLower }}{{ else }}critical{{ end }}'`}}
+            {{- if .Values.prometheus.snitchUrl}}
+            - name: snitch
+              webhook_configs:
+              - url: "{{ .Values.prometheus.snitchUrl }}"
+                send_resolved: false
+            {{- end }}
+            - name: teams
+              webhook_configs:
+              - url: "https://prometheus-msteams.{{ .Values.cluster_config.domain }}/{{ .Values.cluster_config.cluster }}"
+                http_config:
+                  tls_config:
+                    insecure_skip_verify: true
+            {{- if .Values.prometheus.oncallUrl}}
+            - name: oncall
+              webhook_configs:
+              - url: "{{ .Values.prometheus.oncallUrl }}"
+                send_resolved: true
+            {{- end }}
+
+          storage: {}
+
+          ingress:
+            enabled: true
+            ingressClassName: nginx
+            annotations:
+              cert-manager.io/cluster-issuer: {{ .Values.cluster_config.ingress_clusterissuer }}
+              nginx.ingress.kubernetes.io/ssl-redirect: "true"
+              {{- with .Values.cluster_config.ingress_whitelist_ips }}
+              nginx.ingress.kubernetes.io/whitelist-source-range: {{ join "," . }}
+              {{- end }}
+            hosts:
+              - alertmanager.{{ .Values.cluster_config.domain }}
+            paths:
+            - /
+            pathType: ImplementationSpecific
+            tls:
+            - secretName: alertmanager-general-tls
+              hosts:
+              - alertmanager.{{ .Values.cluster_config.domain }}
+
+          ingressPerReplica:
+            pathType: ImplementationSpecific
+
+          alertmanagerSpec:
+            affinity: {}
+              # nodeAffinity:
+              #   requiredDuringSchedulingIgnoredDuringExecution:
+              #     nodeSelectorTerms:
+              #     - matchExpressions:
+              #       - key: kubernetes.io/hostname
+              #         operator: In
+              #         values:
+              #         - {{ .Values.cluster_config.cluster }}-0.itpartner.intern
+
+            tolerations: []
+              # - key: unschedulable
+              #   operator: Exists
+              #   effect: NoSchedule
+
+        grafana:
+          defaultDashboardsEnabled: {{ .Values.prometheus.grafana.defaultDashboardsEnabled }}
+          {{- if .Values.prometheus.grafana.plugins }}
+          plugins:
+          {{- range .Values.prometheus.grafana.plugins }}
+          - {{ . }}
+          {{- end }}
+          {{- end }}
+          grafana.ini:
+            server:
+              root_url: "https://grafana.{{.Values.cluster_config.domain}}:443"
+            security:
+              allow_embedding: "true"
+            auth:
+              disable_login_form: "{{ .Values.prometheus.grafana.disable_login_form }}"
+            users:
+              auto_assign_org_role: "Admin"
+            {{- range .Values.cluster_config.oidc }}
+            {{- if eq .provider "azuread" }}
+            auth.{{ .provider }}:
+              enabled: true
+              name: {{ .name }}
+              client_id: $__file{/etc/secrets/oauth/{{ .name }}/client_id}
+              client_secret: $__file{/etc/secrets/oauth/{{ .name }}/client_secret}
+              scopes: openid email profile
+              auth_url: https://login.microsoftonline.com/{{ .tenant }}/oauth2/v2.0/authorize
+              token_url: https://login.microsoftonline.com/{{ .tenant }}/oauth2/v2.0/token
+              allowed_groups: {{ .group_id }}
+              allow_sign_up: true
+              role_attribute_strict: false
+              allow_assign_grafana_admin: true
+            {{- else if eq .provider "github" }}
+            auth.{{ .provider }}:
+              name: {{ .name }}
+              enabled: true
+              client_id: $__file{/etc/secrets/oauth/{{ .name }}/client_id}
+              client_secret: $__file{/etc/secrets/oauth/{{ .name }}/client_secret}
+              allowed_organizations: {{ .allowed_organizations }}
+              {{- if .allowed_teams }}
+              allowed_teams: "{{ .allowed_teams }}"
+              {{- end }}
+              scopes: user:email,read:org
+              auth_url: https://github.com/login/oauth/authorize
+              token_url: https://github.com/login/oauth/access_token
+              allow_sign_up: true
+              role_attribute_strict: false
+              allow_assign_grafana_admin: true
+            {{- end }}
+            {{- end }}
+          extraSecretMounts:
+          {{- range .Values.cluster_config.oidc }}
+          - name: {{ .name }}
+            secretName: {{ .secret_ref.name }}
+            defaultMode: 0440
+            mountPath: /etc/secrets/oauth/{{ .name }}
+            readOnly: true
+          {{- end }}
+
+          {{- if .Values.prometheus.grafana.persistence }}
+          persistence:
+            enabled: true
+            size: 10Gi
+          {{- end }}
+          ingress:
+            enabled: true
+            ingressClassName: nginx
+            annotations:
+              cert-manager.io/cluster-issuer: {{ .Values.cluster_config.ingress_clusterissuer }}
+              nginx.ingress.kubernetes.io/ssl-redirect: "true"
+              {{- with .Values.cluster_config.ingress_whitelist_ips}}
+              nginx.ingress.kubernetes.io/whitelist-source-range: {{ join "," . }}
+              {{- end }}
+            hosts:
+              - grafana.{{ .Values.cluster_config.domain }}
+            path: /
+            tls:
+            - secretName: grafana-general-tls
+              hosts:
+                - grafana.{{ .Values.cluster_config.domain }}
+          sidecar:
+            dashboards:
+              enabled: true
+              label: grafana_dashboard
+              folderAnnotation: grafana_folder
+              annotations: {}
+              multicluster:
+                global:
+                  enabled: true
+                etcd:
+                  enabled: false
+              provider:
+                allowUiUpdates: false
+                foldersFromFilesStructure: true
+            {{- if .Values.prometheus.thanos.datasource.enabled }}
+            datasources:
+              enabled: true
+              defaultDatasourceEnabled: true
+              url: http://thanos-query-frontend.thanos.svc:9090/
+              # defaultDatasourceScrapeInterval: 15s
+              annotations: {}
+
+              ## Create datasource for each Pod of Prometheus StatefulSet;
+              ## this uses headless service `prometheus-operated` which is
+              ## created by Prometheus Operator
+              ## ref: https://git.io/fjaBS
+              createPrometheusReplicasDatasources: false
+              label: grafana_datasource
+            {{ end }}
+          {{- if or .Values.loki.enabled .Values.prometheus.additionalDataSources }}
+          additionalDataSources:
+          {{- end }}
+          {{- if .Values.tempo.enabled }}
+          - name: Tempo
+            type: tempo
+            uid: tempo
+            orgId: 1
+            url: http://tempo.tempo:3100
+            isDefault: false
+            version: 1
+            access: proxy
+            jsonData:
+               nodeGraph:
+                 enabled: true
+               serviceMap:
+                 datasourceUid: 'Prometheus'
+               tracesToLogs:
+                 datasourceUid: loki
+                 filterByTraceID: false
+                 spanEndTimeShift: "500ms"
+                 spanStartTimeShift: "-500ms"
+               timeInterval: 30s
+          {{- end }}
+          {{- if .Values.loki.enabled }}
+          - name: loki
+            type: loki
+            uid: loki
+            access: proxy
+            basicAuth: false
+            editable: false
+            jsonData:
+               tlsSkipVerify: false
+               {{- if .Values.tempo.enabled }}
+               derivedFields:
+               - datasourceUid: tempo
+                 matcherRegex: trace_id
+                 matcherType: label
+                 name: Trace ID
+                 url: $${__value.raw}
+                 urlDisplayLabel: 'Trace ID: $${__value.raw}'
+              {{- end }}
+            orgId: 1
+            url: http://loki-read-headless.loki:3100
+            version: 1
+          {{- end }}
+          {{- with .Values.prometheus.additionalDataSources }}
+          {{- toYaml . | nindent 10 }}
+          {{- end }}
+
+        kubeApiServer:
+          tlsConfig:
+            serverName: kubernetes
+            insecureSkipVerify: true
+
+        kubelet:
+          serviceMonitor:
+            https: {{ .Values.prometheus.kubelet.https }}
+            cAdvisor: true
+
+            # NOTE(simkir): Including throttling seconds by setting this. We use that in some dashboards, and could be useful
+            ## MetricRelabelConfigs to apply to samples after scraping, but before ingestion.
+            ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api-reference/api.md#relabelconfig
+            ##
+            cAdvisorMetricRelabelings:
+              # Drop less useful container CPU metrics.
+              - sourceLabels: [__name__]
+                action: drop
+                regex: 'container_cpu_(load_average_10s|system_seconds_total|user_seconds_total)'
+              # Drop less useful container / always zero filesystem metrics.
+              - sourceLabels: [__name__]
+                action: drop
+                regex: 'container_fs_(io_current|io_time_seconds_total|io_time_weighted_seconds_total|reads_merged_total|sector_reads_total|sector_writes_total|writes_merged_total)'
+              # Drop less useful / always zero container memory metrics.
+              - sourceLabels: [__name__]
+                action: drop
+                regex: 'container_memory_(mapped_file|swap)'
+              # Drop less useful container process metrics.
+              - sourceLabels: [__name__]
+                action: drop
+                regex: 'container_(file_descriptors|tasks_state|threads_max)'
+              # Drop container_memory_failures_total{scope="hierarchy"} metrics,
+              # we only need the container scope.
+              - sourceLabels: [__name__, scope]
+                action: drop
+                regex: 'container_memory_failures_total;hierarchy'
+              # Drop container_network_... metrics that match various interfaces that
+              # correspond to CNI and similar interfaces. This avoids capturing network
+              # metrics for host network containers.
+              - sourceLabels: [__name__, interface]
+                action: drop
+                regex: 'container_network_.*;(cali|cilium|cni|lxc|nodelocaldns|tunl).*'
+              # Drop container spec metrics that overlap with kube-state-metrics.
+              - sourceLabels: [__name__]
+                action: drop
+                regex: 'container_spec.*'
+              # Drop cgroup metrics with no pod.
+              - sourceLabels: [id, pod]
+                action: drop
+                regex: '.+;'
+            # - sourceLabels: [__name__, image]
+            #   separator: ;
+            #   regex: container_([a-z_]+);
+            #   replacement: $1
+            #   action: drop
+            # - sourceLabels: [__name__]
+            #   separator: ;
+            #   regex: container_(network_tcp_usage_total|network_udp_usage_total|tasks_state|cpu_load_average_10s)
+            #   replacement: $1
+            #   action: drop
+
+        kubeControllerManager:
+          enabled: false
+          {{- if .Values.cluster_config.apiserverip }}
+          endpoints:
+          - {{ .Values.cluster_config.apiserverip }}
+          {{- end }}
+          service:
+            port: 10252
+            selector:
+              k8s-app: kube-controller-manager
+          serviceMonitor:
+            enabled: true
+            https: true
+            insecureSkipVerify: true
+
+        coreDns:
+          enabled: true
+          service:
+            targetPort: {{ .Values.prometheus.coredns.targetPort | default 10055 }}
+            selector:
+              k8s-app: kube-dns
+
+        kubeEtcd:
+          enabled: true
+          {{- if .Values.cluster_config.etcd_nodes }}
+          endpoints:  {{ .Values.cluster_config.etcd_nodes }}
+          {{- end }}
+          service:
+            port: {{ .Values.prometheus.etcd.targetPort | default 2379 }}
+            targetPort: {{ .Values.prometheus.etcd.targetPort | default 2379 }}
+          serviceMonitor:
+            enabled: true
+            scheme: https
+            insecureSkipVerify: true
+            caFile: /etc/prometheus/secrets/etcd-client-cert/ca.pem
+            certFile: /etc/prometheus/secrets/etcd-client-cert/etcd.pem
+            keyFile: /etc/prometheus/secrets/etcd-client-cert/etcd-key.pem
+
+        kubeScheduler:
+          enabled: false
+          {{- if .Values.cluster_config.apiserverip }}
+          endpoints:
+          - {{ .Values.cluster_config.apiserverip }}
+          {{- end }}
+          service:
+            port: {{ .Values.prometheus.scheduler.targetPort | default 10251 }}
+            targetPort: {{ .Values.prometheus.scheduler.targetPort | default 10251 }}
+            selector:
+              k8s-app: kube-scheduler
+
+        kubeProxy:
+          enabled: false
+          {{- if .Values.cluster_config.k8s_nodes }}
+          endpoints:  {{ .Values.cluster_config.k8s_nodes }}
+          {{- else }}
+          service:
+            selector:
+              k8s-app: kube-proxy
+          {{- end }}
+
+        prometheusOperator:
+          enabled: true
+
+          admissionWebhooks:
+            certManager:
+              enabled: true
+              issuerRef:
+                name: "ca-issuer"
+                kind: "ClusterIssuer"
+
+          kubeletService:
+            enabled: {{ .Values.prometheus.kubelet.enabled }}
+
+        prometheus:
+          enabled: true
+          {{- if .Values.otel.enabled }}
+          enableRemoteWriteReceiver: true
+          {{- end }}
+
+          thanosService:
+            enabled: false
+            type: ClusterIP
+
+            ## gRPC port config
+            portName: grpc
+            port: 10901
+            targetPort: "grpc"
+
+            ## HTTP port config (for metrics)
+            httpPortName: http
+            httpPort: 10902
+            targetHttpPort: "http"
+
+            # Default is to make this a headless service ("None")
+            # clusterIP: "None"
+
+            ## Port to expose on each node, if service type is NodePort
+            ##
+            nodePort: 30901
+            httpNodePort: 30902
+
+          {{- if .Values.prometheus.thanos.enabled }}
+          # ServiceMonitor to scrape Sidecar metrics
+          # Needs thanosService to be enabled as well
+          thanosServiceMonitor:
+            enabled: true
+            interval: ""
+
+          thanosIngress:
+            enabled: true
+            servicePort: 10901
+            ingressClassName: nginx
+            annotations:
+              cert-manager.io/cluster-issuer: {{ .Values.cluster_config.ingress_clusterissuer }}
+              nginx.ingress.kubernetes.io/ssl-redirect: "true"
+              nginx.ingress.kubernetes.io/backend-protocol: "GRPC"
+              {{- with .Values.cluster_config.ingress_whitelist_ips }}
+              nginx.ingress.kubernetes.io/whitelist-source-range: {{ join "," . }}
+              {{- end }}
+              kubernetes.io/ingress.allow-http: "false"
+            hosts:
+              - thanos-gateway.{{ .Values.cluster_config.domain }}
+            paths:
+              - /
+            pathType: ImplementationSpecific
+            tls:
+              - secretName: thanos-gateway-tls
+                hosts:
+                - thanos-gateway.{{ .Values.cluster_config.domain }}
+            {{- end }}
+
+          ingress:
+            enabled: true
+            ingressClassName: nginx
+            annotations:
+              cert-manager.io/cluster-issuer: {{ .Values.cluster_config.ingress_clusterissuer }}
+              nginx.ingress.kubernetes.io/ssl-redirect: "true"
+              {{- with .Values.cluster_config.ingress_whitelist_ips }}
+              nginx.ingress.kubernetes.io/whitelist-source-range: {{ join "," . }}
+              {{- end }}
+            hosts:
+              - prometheus.{{ .Values.cluster_config.domain }}
+            paths:
+            - /
+            pathType: ImplementationSpecific
+            tls:
+              - secretName: prometheus-general-tls
+                hosts:
+                  - prometheus.{{ .Values.cluster_config.domain }}
+
+          ingressPerReplica:
+            enabled: false
+            pathType: ImplementationSpecific
+
+          prometheusSpec:
+            tolerations: []
+              # - key: unschedulable
+              #   operator: Exists
+              #   effect: NoSchedule
+            secrets:
+              - etcd-client-cert
+            storageSpec:
+              volumeClaimTemplate:
+                spec:
+                  accessModes: ["ReadWriteOnce"]
+                  resources:
+                    requests:
+                      storage: {{ .Values.prometheus.storage.size }}
+            {{- with .Values.prometheus.enableFeatures}}
+            enableFeatures:
+            {{- range . }}
+            - {{ . }}
+            {{- end }}
+            {{- end }}
+
+            ## External labels to add to any time series or alerts when communicating with external systems
+            ##
+            externalLabels:
+              cluster: {{ .Values.cluster_config.cluster }}
+
+            ## Name of the external label used to denote replica name
+            ##
+            replicaExternalLabelName: ""
+
+            ## If true, the Operator won't add the external label used to denote replica name
+            ##
+            replicaExternalLabelNameClear: true
+
+            ## Name of the external label used to denote Prometheus instance name
+            ##
+            prometheusExternalLabelName: ""
+
+            ## If true, the Operator won't add the external label used to denote Prometheus instance name
+            ##
+            prometheusExternalLabelNameClear: true
+
+            serviceMonitorSelectorNilUsesHelmValues: false
+            podMonitorSelectorNilUsesHelmValues: false
+            ruleSelectorNilUsesHelmValues: false
+
+            ## Thanos configuration allows configuring various aspects of a Prometheus server in a Thanos environment.
+            ## This section is experimental, it may change significantly without deprecation notice in any release.
+            ## This is experimental and may change significantly without backward compatibility in any release.
+            ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/api.md#thanosspec
+            ##
+            {{- if .Values.prometheus.thanos.enabled }}
+            thanos:
+              objectStorageConfig:
+                key: thanos.yaml
+                name: thanos-objstore-config
+            {{- end }}
+            # remoteWrite:
+            #  - url: https://thanos-receive.k1.itpartner.no/api/v1/receive
+            #    name: {{ .Values.cluster_config.cluster }}
+            {{- with .Values.prometheus.additionalScrapeConfigs}}
+            additionalScrapeConfigs:
+              {{- toYaml . | nindent 12 }}
+            {{- end }}
+  project: sys
+  syncPolicy:
+    managedNamespaceMetadata:
+      labels:
+        component: sys
+    syncOptions:
+      - ServerSideApply=true
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+    {{- if .Values.prometheus.autosync }}
+    automated:
+      prune: true
+      # selfHeal: false
+    {{- end }}
+  ignoreDifferences:
+    - group: apps
+      kind: Deployment
+      jqPathExpressions:
+        - '.spec.template.spec.containers[]?.resources'
+    - group: monitoring.coreos.com
+      kind: ServiceMonitor
+      jqPathExpressions:
+        - '.spec.endpoints[]?.relabelings'
+    - group: admissionregistration.k8s.io
+      kind: MutatingWebhookConfiguration
+      jqPathExpressions:
+        - '.webhooks[]?.clientConfig.caBundle'
+    - group: admissionregistration.k8s.io
+      kind: ValidatingWebhookConfiguration
+      jqPathExpressions:
+        - '.webhooks[]?.clientConfig.caBundle'
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: prometheus-crd
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "-1"
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    namespace: prometheus
+    server: 'https://kubernetes.default.svc'
+  source:
+    repoURL: 'https://prometheus-community.github.io/helm-charts'
+    targetRevision: '{{ .Values.prometheus.crd_version }}'
+    chart: prometheus-operator-crds
+  project: sys
+  syncPolicy:
+    managedNamespaceMetadata:
+      labels:
+        component: sys
+    automated: {}
+    syncOptions:
+      - ServerSideApply=true
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+{{- end }}

apps/templates/promtail.yaml

@@ -0,0 +1,50 @@
+{{ if .Values.promtail.enabled }}
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: promtail
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    namespace: loki
+    server: 'https://kubernetes.default.svc'
+  sources:
+  #- repoURL: {{ .Values.cluster_config.manifests }}
+  #  path: {{ .Values.cluster_config.policies }}/promtail
+  #  targetRevision: HEAD
+  - repoURL: 'https://grafana.github.io/helm-charts'
+    targetRevision: {{ .Values.promtail.version }}
+    chart: promtail
+    helm:
+      values: |
+        config:
+          snippets:
+            pipelineStages:
+            - labelallow:
+              - app
+              - app_kubernetes_io_component
+              - app_kubernetes_io_instance
+              - app_kubernetes_io_version
+              - container
+              - instance
+              - namespace
+              - pod
+              - stream
+  project: sys
+  syncPolicy:
+    managedNamespaceMetadata:
+      labels:
+        component: sys
+    syncOptions:
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+    {{- if .Values.promtail.autosync }}
+    automated:
+      prune: true
+      # selfHeal: false
+    {{- end }}
+{{ end }}

apps/templates/rabbitmq-operator.yaml

@@ -0,0 +1,60 @@
+{{ if .Values.rabbitmq_operator.enabled }}
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: rabbitmq-operator
+  namespace: argocd
+spec:
+  destination:
+    namespace: rabbitmq
+    server: 'https://kubernetes.default.svc'
+  sources:
+  - repoURL: {{ .Values.cluster_config.manifests }}
+    path: {{ .Values.cluster_config.policies }}/rabbitmq
+    targetRevision: HEAD
+  - repoURL: 'https://charts.bitnami.com/bitnami'
+    targetRevision: {{ .Values.rabbitmq_operator.version }}
+    chart: rabbitmq-cluster-operator
+    helm:
+      # NOTE(mrtz): Also add metrics for topology operator?
+      values: |
+        fullnameOverride: rabbitmq-operator
+        additionalArgs: []
+        useCertManager: true
+        {{ if .Values.rabbitmq_operator.metrics }}
+        clusterOperator:
+          metrics:
+            service:
+              enabled: true
+            serviceMonitor:
+              enabled: true
+            podMonitor:
+              enabled: true
+        {{ end }}
+  project: sys
+  syncPolicy:
+    managedNamespaceMetadata:
+      labels:
+        component: sys
+    syncOptions:
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+      - ServerSideApply=true
+    {{- if .Values.rabbitmq_operator.version }}
+    automated:
+      prune: true
+      # selfHeal: false
+  ignoreDifferences:
+    - group: ""
+      kind: Secret
+      name: rabbitmq-operator-messaging-topology-operator-webhook
+      jsonPointers:
+      - /data/ca.crt
+      - /data/tls.crt
+      - /data/tls.key
+    - group: admissionregistration.k8s.io
+      kind: ValidatingWebhookConfiguration
+      jqPathExpressions:
+        - '.webhooks[]?.clientConfig.caBundle'
+    {{- end }}
+{{ end }}

apps/templates/rabbitmq.yaml

@@ -0,0 +1,36 @@
+{{- if .Values.rabbitmq.enabled }}
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: rabbitmq
+  namespace: argocd
+spec:
+  generators:
+  - list:
+      elements:
+      - cluster: https://kubernetes.default.svc
+        env: prod
+        hostname: rabbitmq.srv.oceanbox.io
+      - cluster: https://kubernetes.default.svc
+        env: staging
+        hostname: rabbitmq.beta.oceanbox.io
+  template:
+    metadata:
+      name: '{{- env }}-rabbitmq'
+    spec:
+      project: aux
+      destination:
+        server: https://kubernetes.default.svc
+        namespace: rabbitmq
+      sources:
+        - repoURL: https://charts.bitnami.com/bitnami
+          targetRevision: 12.9.0
+          chart: rabbitmq
+          helm:
+            valueFiles:
+              - $values/values/rabbitmq/values-{{- env }}.yaml
+        - repoURL: https://gitlab.com/oceanbox/manifests.git
+          targetRevision: main
+          path: values/rabbitmq/{{- env }}
+          ref: values
+{{- end }}

apps/templates/redis.yaml

@@ -0,0 +1,30 @@
+{{- if .Values.redis.enabled }}
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: prod-redis
+  namespace: argocd
+spec:
+  project: aux
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: redis
+  sources:
+    - repoURL: https://charts.bitnami.com/bitnami
+      targetRevision: 19.5.2
+      chart: redis
+      helm:
+        valueFiles:
+          - $values/values/redis/values-prod.yaml
+    - repoURL: https://gitlab.com/oceanbox/manifests.git
+      targetRevision: HEAD
+      ref: values
+    - repoURL: https://gitlab.com/oceanbox/manifests.git
+      targetRevision: main
+      path: values/redis/prod
+  ignoreDifferences:
+    - group: apps
+      kind: StatefulSet
+      jqPathExpressions:
+        - '.spec.template.spec.containers[].resources.limits.cpu'
+{{- end }}

apps/templates/resources/cluster-auth-rbac.yaml

@@ -0,0 +1,47 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: cluster-admin
+  namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: cluster-admin
+roleRef:
+  kind: ClusterRole
+  name: cluster-admin
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+- kind: ServiceAccount
+  namespace: kube-system
+  name: cluster-admin
+- apiGroup: rbac.authorization.k8s.io
+  kind: Group
+  name: 'system:masters'
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: system-default
+roleRef:
+  kind: ClusterRole
+  name: cluster-admin
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+- kind: ServiceAccount
+  namespace: kube-system
+  name: default
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: kubernetes
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: User
+  name: kubernetes

apps/templates/resources/dashboards/rabbitmq.yaml

@@ -0,0 +1,372 @@
+{{- if .Values.rabbitmq_operator.enabled }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: rabbitmq-overview-dashboard
+  namespace: prometheus
+  labels:
+    grafana_dashboard: "1"
+data:
+  # https://grafana.com/grafana/dashboards/10991
+  rabbitmq-overview-dashboard.json.url: "https://github.com/rabbitmq/rabbitmq-server/raw/e57c579d1a71b283469defdd0d6d45313e6d6daf/deps/rabbitmq_prometheus/docker/grafana/dashboards/RabbitMQ-Overview.json"
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: rabbitmq-queue-grafana-dashboard
+  namespace: prometheus
+  labels:
+    grafana_dashboard: "1"
+data:
+  rabbitmq-queue-grafana-dashboard.json: |-
+    {
+      "__inputs":[
+          {
+            "name":"DS_PROMETHEUS",
+            "label":"prometheus",
+            "description":"",
+            "type":"datasource",
+            "pluginId":"prometheus",
+            "pluginName":"Prometheus"
+          }
+      ],
+      "__elements":{
+          
+      },
+      "__requires":[
+          {
+            "type":"grafana",
+            "id":"grafana",
+            "name":"Grafana",
+            "version":"8.3.4"
+          },
+          {
+            "type":"datasource",
+            "id":"prometheus",
+            "name":"Prometheus",
+            "version":"1.0.0"
+          },
+          {
+            "type":"panel",
+            "id":"timeseries",
+            "name":"Time series",
+            "version":""
+          }
+      ],
+      "annotations":{
+          "list":[
+            {
+                "builtIn":1,
+                "datasource":{
+                  "type":"datasource",
+                  "uid":"grafana"
+                },
+                "enable":true,
+                "hide":true,
+                "iconColor":"rgba(0, 211, 255, 1)",
+                "name":"Annotations & Alerts",
+                "target":{
+                  "limit":100,
+                  "matchAny":false,
+                  "tags":[
+                      
+                  ],
+                  "type":"dashboard"
+                },
+                "type":"dashboard"
+            }
+          ]
+      },
+      "editable":true,
+      "fiscalYearStartMonth":0,
+      "graphTooltip":0,
+      "id":null,
+      "links":[
+          
+      ],
+      "liveNow":false,
+      "panels":[
+          {
+            "datasource":{
+                "type":"prometheus",
+                "uid":"${DS_PROMETHEUS}"
+            },
+            "fieldConfig":{
+                "defaults":{
+                  "color":{
+                      "mode":"palette-classic"
+                  },
+                  "custom":{
+                      "axisCenteredZero":false,
+                      "axisColorMode":"text",
+                      "axisLabel":"Messages",
+                      "axisPlacement":"left",
+                      "axisSoftMin":0,
+                      "barAlignment":0,
+                      "drawStyle":"line",
+                      "fillOpacity":0,
+                      "gradientMode":"none",
+                      "hideFrom":{
+                        "graph":false,
+                        "legend":false,
+                        "tooltip":false,
+                        "viz":false
+                      },
+                      "lineInterpolation":"linear",
+                      "lineWidth":1,
+                      "pointSize":5,
+                      "scaleDistribution":{
+                        "type":"linear"
+                      },
+                      "showPoints":"auto",
+                      "spanNulls":false,
+                      "stacking":{
+                        "group":"A",
+                        "mode":"none"
+                      },
+                      "thresholdsStyle":{
+                        "mode":"off"
+                      }
+                  },
+                  "mappings":[
+                      
+                  ],
+                  "thresholds":{
+                      "mode":"absolute",
+                      "steps":[
+                        {
+                            "color":"green",
+                            "value":null
+                        },
+                        {
+                            "color":"red",
+                            "value":80
+                        }
+                      ]
+                  }
+                },
+                "overrides":[
+                  {
+                      "matcher":{
+                        "id":"byName",
+                        "options":"Consumers"
+                      },
+                      "properties":[
+                        {
+                            "id":"custom.axisPlacement",
+                            "value":"right"
+                        },
+                        {
+                            "id":"unit",
+                            "value":"prefix:"
+                        },
+                        {
+                            "id":"custom.axisLabel",
+                            "value":"Consumers"
+                        }
+                      ]
+                  },
+                  {
+                      "matcher":{
+                        "id":"byName",
+                        "options":"Messages"
+                      },
+                      "properties":[
+                        {
+                            "id":"custom.drawStyle",
+                            "value":"line"
+                        },
+                        {
+                            "id":"custom.fillOpacity",
+                            "value":0
+                        }
+                      ]
+                  }
+                ]
+            },
+            "gridPos":{
+                "h":20,
+                "w":24,
+                "x":0,
+                "y":0
+            },
+            "id":2,
+            "options":{
+                "legend":{
+                  "calcs":[
+                      
+                  ],
+                  "displayMode":"list",
+                  "placement":"bottom",
+                  "showLegend":true
+                },
+                "tooltip":{
+                  "mode":"single",
+                  "sort":"none"
+                }
+            },
+            "targets":[
+                {
+                  "datasource":{
+                      "type":"prometheus",
+                      "uid":"${DS_PROMETHEUS}"
+                  },
+                  "editorMode":"code",
+                  "expr":"(rabbitmq_detailed_queue_messages{namespace=\"$namespace\", queue=\"$queue\"} * on (instance, job) rabbitmq_identity_info{namespace=\"$namespace\",rabbitmq_cluster=\"$rabbitmq_cluster\"})",
+                  "legendFormat":"Messages ({{`{{job}}`}} | {{`{{instance}}`}})",
+                  "range":true,
+                  "refId":"A"
+                },
+                {
+                  "datasource":{
+                      "type":"prometheus",
+                      "uid":"${DS_PROMETHEUS}"
+                  },
+                  "editorMode":"code",
+                  "expr":"rabbitmq_detailed_queue_consumers{namespace=\"$namespace\", queue=\"$queue\"} * on (instance, job) rabbitmq_identity_info{namespace=\"$namespace\",rabbitmq_cluster=\"$rabbitmq_cluster\"}",
+                  "legendFormat":"Consumers ({{`{{job}}`}} | {{`{{instance}}`}})",
+                  "range":true,
+                  "refId":"B"
+                }
+            ],
+            "title":"Queue messages and consumers",
+            "type":"timeseries"
+          }
+      ],
+      "refresh":"10s",
+      "revision":1,
+      "schemaVersion":38,
+      "style":"dark",
+      "tags":[
+          "rabbitmq-prometheus"
+      ],
+      "templating":{
+          "list":[
+            {
+                "current":{
+                  "selected":false,
+                  "text":"default",
+                  "value":"default"
+                },
+                "hide":2,
+                "includeAll":false,
+                "label":"datasource",
+                "multi":false,
+                "name":"DS_PROMETHEUS",
+                "options":[
+                  
+                ],
+                "query":"prometheus",
+                "refresh":1,
+                "regex":"",
+                "skipUrlSync":false,
+                "type":"datasource",
+                "datasource":"${DS_PROMETHEUS}"
+            },
+            {
+                "current":{
+                  
+                },
+                "datasource":{
+                  "type":"prometheus",
+                  "uid":"${DS_PROMETHEUS}"
+                },
+                "definition":"label_values(rabbitmq_identity_info, namespace)",
+                "hide":0,
+                "includeAll":false,
+                "label":"Namespace",
+                "multi":false,
+                "name":"namespace",
+                "options":[
+                  
+                ],
+                "query":{
+                  "query":"label_values(rabbitmq_identity_info, namespace)",
+                  "refId":"StandardVariableQuery"
+                },
+                "refresh":2,
+                "regex":"",
+                "skipUrlSync":false,
+                "sort":1,
+                "tagValuesQuery":"",
+                "tagsQuery":"",
+                "type":"query",
+                "useTags":false
+            },
+            {
+                "current":{
+                  
+                },
+                "datasource":{
+                  "type":"prometheus",
+                  "uid":"${DS_PROMETHEUS}"
+                },
+                "definition":"label_values(rabbitmq_identity_info{namespace=\"$namespace\"}, rabbitmq_cluster)",
+                "hide":0,
+                "includeAll":false,
+                "label":"RabbitMQ Cluster",
+                "multi":false,
+                "name":"rabbitmq_cluster",
+                "options":[
+                  
+                ],
+                "query":{
+                  "query":"label_values(rabbitmq_identity_info{namespace=\"$namespace\"}, rabbitmq_cluster)",
+                  "refId":"StandardVariableQuery"
+                },
+                "refresh":2,
+                "regex":"",
+                "skipUrlSync":false,
+                "sort":1,
+                "tagValuesQuery":"",
+                "tagsQuery":"",
+                "type":"query",
+                "useTags":false
+            },
+            {
+                "current":{
+                  
+                },
+                "datasource":{
+                  "type":"prometheus",
+                  "uid":"${DS_PROMETHEUS}"
+                },
+                "definition":"query_result(rabbitmq_detailed_queue_messages{namespace=\"$namespace\"} * on (instance, job) group_left(rabbitmq_cluster) rabbitmq_identity_info{namespace=\"$namespace\"})",
+                "hide":0,
+                "includeAll":false,
+                "label":"Queue",
+                "multi":false,
+                "name":"queue",
+                "options":[
+                  
+                ],
+                "query":{
+                  "query":"query_result(rabbitmq_detailed_queue_messages{namespace=\"$namespace\"} * on (instance, job) group_left(rabbitmq_cluster) rabbitmq_identity_info{namespace=\"$namespace\", rabbitmq_cluster=\"$rabbitmq_cluster\"})",
+                  "refId":"StandardVariableQuery"
+                },
+                "refresh":2,
+                "regex":"/.*queue=\"([^\"]+)\".*/",
+                "skipUrlSync":false,
+                "sort":0,
+                "tagValuesQuery":"",
+                "tagsQuery":"",
+                "type":"query",
+                "useTags":false
+            }
+          ]
+      },
+      "time":{
+          "from":"now-15m",
+          "to":"now"
+      },
+      "timepicker":{
+          
+      },
+      "timezone":"",
+      "title":"RabbitMQ-Queue",
+      "uid":"j9t8vwH7k",
+      "version":3,
+      "weekStart":""
+    }
+{{- end }}

apps/templates/resources/external-clusterrole.yaml

@@ -0,0 +1,209 @@
+{{- if .Values.cluster_config.external_kubectl_access.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: external-access
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  - serviceaccounts
+  - namespaces
+  - events
+  - persistentvolumeclaims
+  - persistentvolumes
+  - bindings
+  - componentstatuses
+  - podtemplates
+  - replicationcontrollers
+  - resourcequotas
+  - services
+  - nodes
+  - limitranges
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - create
+  - delete
+- apiGroups:
+  - apiregistration.k8s.io
+  resources:
+  - apiservices
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - apps
+  resources:
+  - controllerrevisions
+  - statefulsets
+  - replicasets
+  - daemonsets
+  - deployments
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - events.k8s.io
+  resources:
+  - events
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - autoscaling
+  resources:
+  - horizontalpodautoscalers
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - batch
+  resources:
+  - jobs
+  - cronjobs
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - certificates.k8s.io
+  resources:
+  - certificatesigningrequests
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingressclasses
+  - networkpolicies
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - policy
+  resources:
+  - poddisruptionbudgets
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - rbac.authorization.k8s.io
+  resources:
+  - roles
+  - clusterroles
+  - clusterrolebindings
+  - rolebindings
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - storage.k8s.io
+  resources:
+  - csinodes
+  - storageclasses
+  - csistoragecapacities
+  - volumeattachments
+  - csidrivers
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - mutatingwebhookconfigurations
+  - validatingwebhookconfigurations
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - apiextensions.k8s.io
+  resources:
+  - customresourcedefinitions
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - scheduling.k8s.io
+  resources:
+  - priorityclasses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - node.k8s.io
+  resources:
+  - runtimeclasses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - flowcontrol.apiserver.k8s.io
+  resources:
+  - flowschemas
+  - prioritylevelconfigurations
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - talos.dev
+  resources:
+  - serviceaccounts
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - cilium.io
+  resources:
+  - ciliumexternalworkloads
+  - ciliumnetworkpolicies
+  - ciliumidentities
+  - ciliumnodes
+  - ciliumendpoints
+  - ciliumclusterwidenetworkpolicies
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - metrics.k8s.io
+  resources:
+  - pods
+  - nodes
+  verbs:
+  - get
+  - list
+  - watch
+{{- end }}

apps/templates/resources/external-clusterrolebinding.yaml

@@ -0,0 +1,14 @@
+{{- if .Values.cluster_config.external_kubectl_access.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: external-access
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: external-access
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: Group
+  name: {{ .Values.cluster_config.external_kubectl_access.admin_group }}
+{{- end }}

apps/templates/resources/kube-flannel-rbac.yaml

@@ -0,0 +1,42 @@
+# Create the clusterrole and clusterrolebinding:
+# $ kubectl create -f kube-flannel-rbac.yml
+# Create the pod using the same namespace used by the flannel serviceaccount:
+# $ kubectl create --namespace kube-system -f kube-flannel-legacy.yml
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: flannel-client
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+    verbs:
+      - get
+  - apiGroups:
+      - ""
+    resources:
+      - nodes
+    verbs:
+      - list
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - nodes/status
+    verbs:
+      - patch
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: flannel-client
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: flannel-client
+subjects:
+  - kind: User
+    name: flannel-client
+    apiGroup: rbac.authorization.k8s.io

apps/templates/resources/kube-proxy-rbac.yaml

@@ -0,0 +1,51 @@
+# This cluster role binding allows anyone in the "manager" group to read secrets in any namespace.
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: kube-proxy
+subjects:
+  - kind: User
+    name: kube-proxy
+    apiGroup: rbac.authorization.k8s.io
+  - kind: ServiceAccount
+    name: kube-proxy
+    namespace: kube-system
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: kube-proxy
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: kube-proxy
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - endpoints
+      - events
+      - services
+      - nodes
+    verbs: ["get", "watch", "list"]
+  - nonResourceURLs: ["*"]
+    verbs: ["get", "watch", "list"]
+
+  - apiGroups:
+      - ""
+      - "events.k8s.io"
+    resources:
+      - events
+    verbs: ["*"]
+      
+  - nonResourceURLs: ["*"]
+    verbs: ["*"]
+  - apiGroups:
+    - discovery.k8s.io
+    resources:
+    - endpointslices
+    verbs:
+    - list
+    - watch
+
+

apps/templates/resources/kyverno-cluster-admin.yaml

@@ -0,0 +1,17 @@
+{{- if .Values.kyverno.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: kyverno:generate-admin
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+- kind: ServiceAccount
+  name: kyverno
+  namespace: kyverno
+- kind: ServiceAccount
+  name: kyverno-background-controller
+  namespace: kyverno
+{{- end }}

apps/templates/resources/kyverno-generate-cilium-network-policies.yaml

@@ -0,0 +1,29 @@
+{{- if and (.Values.kyverno.enabled) (.Values.cilium.enabled) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: kyverno:generate-cilium-networkpolicies
+rules:
+- apiGroups:
+  - cilium.io
+  resources:
+  - ciliumnetworkpolicies
+  verbs:
+  - "*"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: kyverno:generate-cilium-network-policies
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: kyverno:generate-cilium-networkpolicies
+subjects:
+- kind: ServiceAccount
+  name: kyverno
+  namespace: kyverno
+- kind: ServiceAccount
+  name: kyverno-background-controller
+  namespace: kyverno
+{{- end }}

apps/templates/resources/label-and-taint-nodes.yaml

@@ -0,0 +1,96 @@
+{{ if .Values.cluster_config.nodes }}
+
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: label-and-taint-nodes
+  namespace: kube-system
+spec:
+  backoffLimit: 1
+  template:
+    metadata:
+      annotations:
+        linkerd.io/inject: disable
+    spec:
+      restartPolicy: Never
+      serviceAccountName: label-and-taint-nodes
+      securityContext:
+        runAsUser: 12000
+        runAsGroup: 13000
+        fsGroup: 10000
+      affinity:
+      tolerations:
+      - key: unschedulable
+        value: "true"
+        effect: NoSchedule
+      containers:
+      - image: bitnami/kubectl:1.24
+        name: kubectl
+        resources: {}
+        securityContext:
+          allowPrivilegeEscalation: false
+        command:
+        - "/bin/sh"
+        - -c
+        - /tmp/scripts/script.sh
+        volumeMounts:
+          - name: scripts
+            mountPath: /tmp/scripts
+      volumes:
+        - name: scripts
+          configMap:
+            name: label-and-taint-scripts
+            defaultMode: 0755
+---
+apiVersion: v1
+data:
+  script.sh: |
+    #! /bin/bash
+{{- range $node := .Values.cluster_config.nodes }}
+  {{- range .labels }}
+    kubectl label nodes --overwrite=true {{ $node.name }} {{ . | quote }}
+  {{- end }}
+  {{- range .taints }}
+    kubectl taint nodes --overwrite=true {{ $node.name }} {{ . | quote }}
+  {{- end }}
+{{- end }}
+kind: ConfigMap
+metadata:
+  name: label-and-taint-scripts
+  namespace: kube-system
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: label-and-taint-nodes
+  namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: label-and-taint-nodes
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - get
+  - list
+  - update
+  - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: label-and-taint-nodes
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: label-and-taint-nodes
+subjects:
+- kind: ServiceAccount
+  name: label-and-taint-nodes
+  namespace: kube-system
+{{ end }}

apps/templates/resources/operator-role.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: az-kubernetes-operators-cluster-admin
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: Group
+  name: dd2aa2d6-269d-48fe-90cc-04fd5c08bd29

apps/templates/resources/pre-cert-manager.yaml

@@ -0,0 +1,225 @@
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+  name: letsencrypt-production
+spec:
+  acme:
+    # The ACME server URL
+    server: https://acme-v02.api.letsencrypt.org/directory
+    # Email address used for ACME registration
+    email: {{ .Values.cluster_config.acme_email }}
+    # Name of a secret used to store the ACME account private key
+    privateKeySecretRef:
+      name: letsencrypt-production
+    solvers:
+    - http01:
+        ingress:
+          class: nginx
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+  name: letsencrypt-staging
+spec:
+  acme:
+    # The ACME server URL
+    server: https://acme-staging-v02.api.letsencrypt.org/directory
+    # Email address used for ACME registration
+    email: {{ .Values.cluster_config.acme_email }}
+    # Name of a secret used to store the ACME account private key
+    privateKeySecretRef:
+      name: letsencrypt-staging
+    solvers:
+    - http01:
+        ingress:
+          class: nginx
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+  name: ca-issuer
+spec:
+  ca:
+    secretName: cluster-ca
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+  name: selfsigning-issuer
+spec:
+  selfSigned: {}
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: front-proxy-client
+subjects:
+  - kind: User
+    name: front-proxy-client
+    apiGroup: rbac.authorization.k8s.io
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: front-proxy-client
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: front-proxy-client
+rules:
+- apiGroups:
+  - "webhook.cert-manager.io"
+  resources:
+  - mutations
+  - validations
+  verbs: [ "*" ]
+- apiGroups:
+  - metrics.k8s.io
+  resources:
+  - pods
+  - nodes
+  verbs:
+  - get
+  - list
+  - watch
+---
+
+{{ if .Values.cluster_config.initca }}
+
+# Pod to update certificates from master nodes
+# only runs on control plane nodes (etcd)
+# Mounts cert files rotatet by nixos service.mgr and uses it to update cert-manager secret
+# Always create certs on initial creation,
+# Otherwise, cert creation would not happen until cronJob runs
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: cert-create
+  namespace: cert-manager
+spec:
+  backoffLimit: 1
+  template:
+    metadata:
+      labels:
+        block-egress: "true"
+      annotations:
+        linkerd.io/inject: disabled
+    spec:
+      restartPolicy: Never
+      serviceAccountName: cert-secret-updater
+      securityContext:
+        runAsUser: 12000
+        runAsGroup: 13000
+        fsGroup: 10000
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+            - matchExpressions:
+              - key: node-role.kubernetes.io
+                operator: In
+                values:
+                - control-plane
+      tolerations:
+      - key: unschedulable
+        value: "true"
+        effect: NoSchedule
+      containers:
+      - image: bitnami/kubectl:1.24
+        name: kubectl
+        resources: {}
+        securityContext:
+          allowPrivilegeEscalation: false
+        command: 
+        - "/bin/sh" 
+        - -c
+        - /tmp/renew-certs/renew-certs.sh
+        volumeMounts:
+          - name: ca-pem
+            mountPath: /tmp/ca.pem
+          - name: ca-key-pem
+            mountPath: /tmp/ca-key.pem
+          - name: certs-script
+            mountPath: /tmp/renew-certs
+      volumes:
+        - name: ca-pem
+          hostPath:
+            path: {{.Values.cluster_config.initca}}/ca.pem
+            type: File
+        - name: ca-key-pem
+          hostPath:
+            path: {{.Values.cluster_config.initca}}/ca-key.pem
+            type: File
+        - name: certs-script
+          configMap:
+            name: renew-certs-script
+            defaultMode: 0755
+---
+apiVersion: v1
+data:
+  renew-certs.sh: |
+    #! /bin/bash
+    kubectl create secret tls -n cert-manager cluster-ca --cert=/tmp/ca.pem --key=/tmp/ca-key.pem --dry-run=client -o yaml > /tmp/new-secret.yaml
+    kubectl apply -f /tmp/new-secret.yaml
+kind: ConfigMap
+metadata:
+  name: renew-certs-script
+  namespace: cert-manager
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: cert-secret-updater
+  namespace: cert-manager
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: cert-secret-updater-role
+  namespace: cert-manager
+rules:
+- apiGroups:
+  - ""
+  resourceNames:
+  - cluster-ca
+  resources:
+  - secrets
+  verbs:
+  - '*'
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: cert-secret-updater-rbinding
+  namespace: cert-manager
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: cert-secret-updater-role
+subjects:
+- kind: ServiceAccount
+  name: cert-secret-updater
+  namespace: cert-manager
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: default-deny-egress
+  namespace: cert-manager
+spec:
+  podSelector: 
+    matchLabels:
+      block-egress: "true"
+  policyTypes:
+  - Egress
+---
+{{ end }}

apps/templates/resources/pre-cilium.yaml

@@ -0,0 +1,23 @@
+{{if and (.Values.cilium.enabled) (.Values.cilium.loadbalancerPool.enabled )}}
+apiVersion: "cilium.io/v2alpha1"
+kind: CiliumLoadBalancerIPPool
+metadata:
+  name: "loadbalancer"
+spec:
+  blocks:
+  {{- range .Values.cilium.loadbalancerPool.cidr}}
+  - cidr: {{ . }}
+  {{- end }}
+---
+apiVersion: "cilium.io/v2alpha1"
+kind: CiliumL2AnnouncementPolicy
+metadata:
+  name: policy
+spec:
+  nodeSelector:
+    matchExpressions:
+      - key: node-role.kubernetes.io/control-plane
+        operator: DoesNotExist
+  externalIPs: true
+  loadBalancerIPs: true
+{{- end}}

apps/templates/resources/pre-gitlab-runner.yaml

@@ -0,0 +1,128 @@
+{{- if and (.Values.gitlab_runner.enabled) (.Values.gitlab_runner.createCertSecret) }}
+# Pod to update certificates from master nodes
+# only runs on control plane nodes (etcd)
+# Mounts cert files rotatet by nixos service.mgr and uses it to update gitlab secret
+# Always create certs on initial creation,
+# Otherwise, cert creation would not happen until cronJob runs
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: cert-create
+  namespace: gitlab
+spec:
+  template:
+    metadata:
+      labels:
+        block-egress: "true"
+      annotations:
+        linkerd.io/inject: disabled
+    spec:
+      restartPolicy: Never
+      serviceAccountName: cert-secret-updater
+      securityContext:
+        runAsUser: 12000
+        runAsGroup: 13000
+        fsGroup: 10000
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+            - matchExpressions:
+              - key: node-role.kubernetes.io
+                operator: In
+                values:
+                - control-plane
+      tolerations:
+      - key: unschedulable
+        value: "true"
+        effect: NoSchedule
+      containers:
+      - image: bitnami/kubectl:1.24
+        name: kubectl
+        resources: {}
+        securityContext:
+          allowPrivilegeEscalation: false
+        command: 
+        - "/bin/sh" 
+        - -c
+        - /tmp/renew-certs/renew-certs.sh
+        volumeMounts:
+          - name: ca-pem
+            mountPath: /tmp/ca.pem
+          - name: ca-key-pem
+            mountPath: /tmp/ca-key.pem
+          - name: certs-script
+            mountPath: /tmp/renew-certs
+      volumes:
+        - name: ca-pem
+          hostPath:
+            path: {{.Values.cluster_config.initca}}/ca.pem
+            type: File
+        - name: ca-key-pem
+          hostPath:
+            path: {{.Values.cluster_config.initca}}/ca-key.pem
+            type: File
+        - name: certs-script
+          configMap:
+            name: renew-certs-script
+            defaultMode: 0755
+---
+apiVersion: v1
+data:
+  renew-certs.sh: |
+    #! /bin/bash
+    kubectl create secret tls -n gitlab itp-cluster-ca --cert=/tmp/ca.pem --key=/tmp/ca-key.pem --dry-run=client -o yaml > /tmp/new-secret.yaml
+    kubectl apply -f /tmp/new-secret.yaml
+kind: ConfigMap
+metadata:
+  name: renew-certs-script
+  namespace: gitlab
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: cert-secret-updater
+  namespace: gitlab
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: cert-secret-updater-role
+  namespace: gitlab
+rules:
+- apiGroups:
+  - ""
+  resourceNames:
+  - itp-cluster-ca
+  resources:
+  - secrets
+  verbs:
+  - '*'
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: cert-secret-updater-rbinding
+  namespace: gitlab
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: cert-secret-updater-role
+subjects:
+- kind: ServiceAccount
+  name: cert-secret-updater
+  namespace: gitlab
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: default-deny-egress
+  namespace: gitlab
+spec:
+  podSelector: 
+    matchLabels:
+      block-egress: "true"
+  policyTypes:
+  - Egress
+---
+{{- end }}

apps/templates/resources/pre-linkerd.yaml

@@ -0,0 +1,206 @@
+{{ if .Values.linkerd.enabled }}
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    linkerd.io/control-plane-ns: linkerd
+    linkerd.io/is-control-plane: 'true'
+    config.linkerd.io/admission-webhooks: disabled
+  annotations:
+    linkerd.io/inject: disabled
+    argocd.argoproj.io/sync-wave: "-1"
+  name: linkerd
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: linkerd-trust-anchor
+  namespace: linkerd
+spec:
+  ca:
+    secretName: linkerd-trust-anchor
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: linkerd-identity-issuer
+  namespace: linkerd
+spec:
+  revisionHistoryLimit: 5
+  secretName: linkerd-identity-issuer
+  duration: 48h0m0s
+  renewBefore: 25h0m0s
+  issuerRef:
+    name: linkerd-trust-anchor
+    kind: Issuer
+  dnsNames:
+    - identity.linkerd.cluster.local
+  isCA: true
+  privateKey:
+    algorithm: ECDSA
+  usages:
+  - cert sign
+  - crl sign
+  - server auth
+  - client auth
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: webhook-issuer
+  namespace: linkerd
+spec:
+  ca:
+    secretName: webhook-issuer-tls
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: linkerd-policy-validator
+  namespace: linkerd
+spec:
+  revisionHistoryLimit: 5
+  secretName: linkerd-policy-validator-k8s-tls
+  duration: 24h0m0s
+  renewBefore: 1h0m0s
+  issuerRef:
+    name: webhook-issuer
+    kind: Issuer
+  commonName: linkerd-policy-validator.linkerd.svc
+  dnsNames:
+  - linkerd-policy-validator.linkerd.svc
+  privateKey:
+    algorithm: ECDSA
+    encoding: PKCS8
+  usages:
+  - server auth
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: linkerd-proxy-injector
+  namespace: linkerd
+spec:
+  revisionHistoryLimit: 5
+  secretName: linkerd-proxy-injector-k8s-tls
+  duration: 24h0m0s
+  renewBefore: 1h0m0s
+  issuerRef:
+    name: webhook-issuer
+    kind: Issuer
+  commonName: linkerd-proxy-injector.linkerd.svc
+  dnsNames:
+  - linkerd-proxy-injector.linkerd.svc
+  privateKey:
+    algorithm: ECDSA
+  usages:
+  - server auth
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: linkerd-sp-validator
+  namespace: linkerd
+spec:
+  revisionHistoryLimit: 5
+  secretName: linkerd-sp-validator-k8s-tls
+  duration: 24h0m0s
+  renewBefore: 1h0m0s
+  issuerRef:
+    name: webhook-issuer
+    kind: Issuer
+  commonName: linkerd-sp-validator.linkerd.svc
+  dnsNames:
+  - linkerd-sp-validator.linkerd.svc
+  privateKey:
+    algorithm: ECDSA
+  usages:
+  - server auth
+---
+{{ if .Values.linkerd.viz.enabled }}
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: webhook-issuer
+  namespace: linkerd-viz
+spec:
+  ca:
+    secretName: webhook-issuer-tls
+# ignore if not using the viz extension
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: tap
+  namespace: linkerd-viz
+spec:
+  revisionHistoryLimit: 5
+  secretName: tap-k8s-tls
+  duration: 24h0m0s
+  renewBefore: 1h0m0s
+  issuerRef:
+    name: webhook-issuer
+    kind: Issuer
+  commonName: tap.linkerd-viz.svc
+  dnsNames:
+  - tap.linkerd-viz.svc
+  isCA: false
+  privateKey:
+    algorithm: ECDSA
+  usages:
+  - server auth
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: linkerd-tap-injector
+  namespace: linkerd-viz
+spec:
+  revisionHistoryLimit: 5
+  secretName: tap-injector-k8s-tls
+  duration: 24h0m0s
+  renewBefore: 1h0m0s
+  issuerRef:
+    name: webhook-issuer
+    kind: Issuer
+  commonName: tap-injector.linkerd-viz.svc
+  dnsNames:
+  - tap-injector.linkerd-viz.svc
+  privateKey:
+    algorithm: ECDSA
+  usages:
+  - server auth
+---
+{{ end }}
+{{ if .Values.linkerd.jaeger.enabled }}
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: webhook-issuer
+  namespace: linkerd-jaeger
+spec:
+  ca:
+    secretName: webhook-issuer-tls
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: jaeger-injector
+  namespace: linkerd-jaeger
+spec:
+  revisionHistoryLimit: 5
+  secretName: jaeger-injector-k8s-tls
+  duration: 24h0m0s
+  renewBefore: 1h0m0s
+  issuerRef:
+    name: webhook-issuer
+    kind: Issuer
+  commonName: jaeger-injector.linkerd-jaeger.svc
+  dnsNames:
+  - jaeger-injector.linkerd-jaeger.svc
+  privateKey:
+    algorithm: ECDSA
+  usages:
+  - server auth
+{{ end }}
+{{ end }}

apps/templates/resources/x509-certificates.yaml

@@ -0,0 +1,48 @@
+{{- if .Values.x509_exporter.alerts }}
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+  labels:
+    # Some labels for various prometheus matching
+    k8s-app: x509-exporter
+    prometheus: k8s
+    role: alert-rules
+  name: x509-exporter-x509-certificate-exporter
+  namespace: x509-exporter
+spec:
+  groups:
+  - name: x509-certificate-exporter.rules
+    rules:
+      - alert: X509ExporterReadErrors
+        annotations:
+          description: Over the last 15 minutes, this x509-certificate-exporter instance has experienced errors reading certificate files or querying the Kubernetes API. This could be caused by a misconfiguration if triggered when the exporter starts.
+          summary: Increasing read errors for x509-certificate-exporter
+        expr: delta(x509_read_errors[15m]) > 0
+        for: 5m
+        labels:
+          severity: warning
+      - alert: CertificateError
+        annotations:
+          description: Certificate could not be decoded {{`{{`}}if $labels.secret_name {{`}}`}} in Kubernetes secret "{{`{{`}} $labels.secret_namespace {{`}}`}}/{{`{{`}} $labels.secret_name {{`}}`}}"{{`{{`}}else{{`}}`}}at location "{{`{{`}} $labels.filepath {{`}}`}}"{{`{{`}}end{{`}}`}}
+          summary: Certificate cannot be decoded
+        expr: x509_cert_error > 0
+        for: 15m
+        labels:
+          severity: warning
+      - alert: CertificateRenewal
+        annotations:
+          description: Certificate for "{{`{{`}} $labels.subject_CN {{`}}`}}" should be renewed {{`{{`}}if $labels.secret_name {{`}}`}}in Kubernetes secret "{{`{{`}} $labels.secret_namespace {{`}}`}}/{{`{{`}} $labels.secret_name {{`}}`}}"{{`{{`}}else{{`}}`}}at location "{{`{{`}} $labels.filepath {{`}}`}}"{{`{{`}}end{{`}}`}}
+          summary: Certificate should be renewed
+        expr: ((x509_cert_not_after{secret_name!="linkerd-identity-issuer", issuer_O="", issuer_CN!="webhook.linkerd.cluster.local"} - time()) / 86400) < 28
+        for: 15m
+        labels:
+          severity: warning
+      - alert: CertificateExpiration
+        annotations:
+          description: Certificate for "{{`{{`}} $labels.subject_CN {{`}}`}}" is about to expire {{`{{`}}if $labels.secret_name {{`}}`}}in Kubernetes secret "{{`{{`}} $labels.secret_namespace {{`}}`}}/{{`{{`}} $labels.secret_name {{`}}`}}"{{`{{`}}else{{`}}`}}at location "{{`{{`}} $labels.filepath {{`}}`}}"{{`{{`}}end{{`}}`}}
+          summary: Certificate is about to expire
+        expr: ((x509_cert_not_after{secret_name!="linkerd-identity-issuer", issuer_O="", issuer_CN!="webhook.linkerd.cluster.local"} - time()) / 86400) < 14
+        for: 15m
+        labels:
+          severity: critical
+{{- end }}

apps/templates/seq.yaml

@@ -0,0 +1,22 @@
+{{- if .Values.seq.enabled }}
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: seq
+  namespace: argocd
+spec:
+  project: aux
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: seq
+  sources:
+  - repoURL: https://helm.datalust.co
+    targetRevision: 2024.1.0
+    chart: seq
+    helm:
+      valueFiles:
+        - $values/values/seq/values.yaml
+  - repoURL: https://gitlab.com/oceanbox/manifests.git
+    targetRevision: main
+    ref: values
+{{- end }}

apps/templates/sorcerer.yaml

@@ -0,0 +1,58 @@
+{{ if .Values.sorcerer.enabled }}
+{{- range .Values.atlantis.envs }}
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: prod-sorcerer
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    namespace: prod-sorcerer
+    server: https://10.255.241.99:4443
+  project: atlantis
+  sources:
+  - repoURL: https://gitlab.com/oceanbox/manifests.git
+    targetRevision: main
+    ref: values
+  - repoURL: https://gitlab.com/oceanbox/manifests.git
+    targetRevision: main
+    path: values/sorcerer
+    plugin:
+      name: kustomize-helm-with-rewrite
+      parameters:
+      - name: env
+        string: prod
+      - name: hostname
+        string: sorcerer.data.oceanbox.io
+  - repoURL: https://charts.bitnami.com/bitnami
+    targetRevision: 20.1.7
+    chart: redis
+    helm:
+      valueFiles:
+      - $values/values/sorcerer/prod/redis.yaml
+  ignoreDifferences:
+    - kind: Secret
+      name: azure-keyvault
+      jqPathExpressions:
+        - '.data'
+        - '.metadata.labels'
+        - '.metadata.annotations'
+    - kind: Secret
+      name: prod-atlantis-rabbitmq
+      jqPathExpressions:
+        - '.data'
+        - '.metadata.labels'
+        - '.metadata.annotations'
+  syncPolicy:
+    syncOptions:
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+    # automated:
+    #   prune: true
+    #   selfHeal: false
+{{- end }}
+{{- end }}

apps/templates/tempo.yaml

@@ -0,0 +1,90 @@
+{{ if .Values.tempo.enabled }}
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: tempo
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    namespace: tempo
+    server: 'https://kubernetes.default.svc'
+  project: sys
+  syncPolicy:
+    managedNamespaceMetadata:
+      labels:
+        component: sys
+    syncOptions:
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+    {{ if .Values.tempo.autosync }}
+    automated:
+      prune: true
+      # selfHeal: false
+    {{ end }}
+  sources:
+  - repoURL: {{ .Values.cluster_config.manifests }}
+    path: {{ .Values.cluster_config.policies }}/tempo
+    targetRevision: HEAD
+  - repoURL: 'https://grafana.github.io/helm-charts'
+    targetRevision: {{ .Values.tempo.version }}
+    chart: tempo
+    helm:
+      values: |
+        tempo:
+          reportingEnabled: false
+          storage:
+            trace:
+              backend: s3
+              s3:
+                bucket: {{ .Values.tempo.bucketName | default "tempo-traces" }}
+                endpoint: {{ .Values.tempo.s3.endpoint | default "https://s3.production.itpartner.no" }}
+                prefix: traces
+                access_key: ${S3KEY}
+                secret_key: ${S3SECRET}
+                forcepathstyle: true
+                region: us-east-1
+                {{- if .Values.tempo.s3.insecure_skip_verify }}
+                tls_insecure_skip_verify: true
+                {{- end }}
+              local:
+                path: /var/tempo/traces
+              wal:
+                path: /var/tempo/wal
+          metricsGenerator:
+            enabled: true
+            remoteWriteUrl: "http://prom-prometheus.prometheus:9090/api/v1/write"
+          extraArgs: { config.expand-env=true }
+          extraEnv:
+          - name: S3KEY
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Values.tempo.secret.name | default "s3-credentials"}}
+                key: {{ .Values.tempo.secret.access_key | default "access_key" }}
+          - name: S3SECRET
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Values.tempo.secret.name | default "s3-credentials"}}
+                key: {{ .Values.tempo.secret.access_key | default "access_secret" }}
+        tempoQuery:
+          ingress:
+            enabled: true
+            ingressClassName: nginx
+            annotations:
+              cert-manager.io/cluster-issuer: {{ .Values.cluster_config.ingress_clusterissuer }}
+              nginx.ingress.kubernetes.io/ssl-redirect: "true"
+              {{- with .Values.cluster_config.ingress_whitelist_ips }}
+              nginx.ingress.kubernetes.io/whitelist-source-range: {{ join "," . }}
+              {{- end }}
+            path: /
+            pathType: Prefix
+            hosts:
+              - query.tempo.{{ .Values.cluster_config.domain }}
+            tls:
+             - secretName: tempo-query-tls
+               hosts:
+                 - query.tempo.{{ .Values.cluster_config.domain }}
+{{ end }}

apps/templates/velero.yaml

@@ -0,0 +1,109 @@
+{{ if .Values.velero.enabled }}
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: velero
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+spec:
+  destination:
+    namespace: velero
+    server: 'https://kubernetes.default.svc'
+  sources:
+  - repoURL: {{ .Values.cluster_config.manifests }}
+    path: {{ .Values.cluster_config.policies }}/velero
+    targetRevision: HEAD
+  - repoURL: 'https://vmware-tanzu.github.io/helm-charts'
+    targetRevision: {{ .Values.velero.version }}
+    chart: velero
+    helm:
+      values: |
+        initContainers:
+        - name: velero-plugin-for-aws
+          image: velero/velero-plugin-for-aws:v1.9.0
+          imagePullPolicy: IfNotPresent
+          volumeMounts:
+          - mountPath: /target
+            name: plugins
+        credentials:
+          useSecret: true
+          existingSecret: {{ .Values.velero.credentials.secretName }}
+        deployNodeAgent: true
+        nodeAgent:
+          podVolumePath:  {{ .Values.velero.kubeletRootDir }}
+          resources:
+            requests:
+              cpu: {{ .Values.velero.resources.nodeAgent.request.cpu | default "500m" }}
+              memory: {{ .Values.velero.resources.nodeAgent.request.memory | default "1Gi" }}
+            limits:
+              memory: {{ .Values.velero.resources.nodeAgent.limit.memory | default "2Gi" }}
+        snapshotsEnabled: false
+        resources:
+          requests:
+            cpu: {{ .Values.velero.resources.velero.request.cpu | default "500m" }}
+            memory: {{ .Values.velero.resources.velero.request.memory | default "1Gi" }}
+          limits:
+            memory: {{ .Values.velero.resources.velero.limit.memory | default "1Gi" }}
+        configuration:
+          uploaderType: kopia
+          # Backup all volumes by default
+          defaultVolumesToFsBackup: {{ .Values.velero.backupAllVolumes }}
+          ## https://velero.io/docs/v1.6/api-types/backupstoragelocation/
+          backupStorageLocation:
+          - name: {{ .Values.velero.bsl }}
+            bucket: {{ .Values.velero.bucket }}
+            provider: aws
+            default: true
+            ## prefix is the directory under which all Velero data should be stored within the bucket. Optional.
+            prefix: {{ .Values.cluster_config.cluster }}/velero
+            accessMode: ReadWrite
+            config:
+              ## ONLY us-east-1 region is supported by nutanix
+              region: {{ .Values.velero.s3.region }}
+              s3ForcePathStyle: "true"
+              s3Url: {{ .Values.velero.s3.url }}
+              {{- if .Values.velero.s3.insecureSkipTLSVerify }}
+              insecureSkipTLSVerify: true
+              {{- end }}
+        metrics:
+          serviceMonitor:
+            enabled: true
+            additionalLabels:
+              k8s-app: "velero"
+              release: "prometheus"
+          prometheusRule:
+            enabled: true
+            # namespace: ""
+            # Rules to be deployed
+            spec:
+             - alert: VeleroBackupPartialFailures
+               annotations:
+                 message: Velero backup {{` {{ $labels.schedule }} `}} has {{` {{$value | humanizePercentage}} `}} partialy failed backups.
+               expr: |-
+                 velero_backup_partial_failure_total{schedule!=""} / velero_backup_attempt_total{schedule!=""} > 0.25
+               for: 15m
+               labels:
+                 severity: critical
+             - alert: VeleroBackupFailures
+               annotations:
+                 message: Velero backup {{` {{$labels.schedule}} `}} has {{` {{$value | humanizePercentage}} `}} failed backups.
+               expr: |-
+                 velero_backup_failure_total{schedule!=""} / velero_backup_attempt_total{schedule!=""} > 0.25
+               for: 15m
+               labels:
+                 severity: critical
+  project: sys
+  syncPolicy:
+    managedNamespaceMetadata:
+      labels:
+        component: sys
+    syncOptions:
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+    {{- if .Values.velero.autosync }}
+    automated:
+      prune: true
+      # selfHeal: false
+    {{- end }}
+{{- end }}

apps/templates/wordpress.yaml

@@ -0,0 +1,22 @@
+{{- if .Values.wordpress.enabled }}
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: www-oceanbox
+  namespace: argocd
+spec:
+  project: default
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: www-oceanbox
+  sources:
+  - repoURL: https://charts.bitnami.com/bitnami
+    targetRevision: 19.2.2
+    chart: wordpress
+    helm:
+      valueFiles:
+        - $values/values/wordpress/values.yaml
+  - repoURL: https://gitlab.com/oceanbox/manifests.git
+    targetRevision: HEAD
+    ref: values
+{{- end }}

apps/templates/x509-exporter.yaml

@@ -0,0 +1,53 @@
+{{ if .Values.x509_exporter.enabled }}
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: x509-exporter
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    namespace: x509-exporter
+    server: 'https://kubernetes.default.svc'
+  sources:
+  - repoURL: {{ .Values.cluster_config.manifests }}
+    path: {{ .Values.cluster_config.policies }}/x509-exporter
+    targetRevision: HEAD
+  - repoURL: 'https://charts.enix.io'
+    targetRevision: {{ .Values.x509_exporter.version }}
+    chart: x509-certificate-exporter
+    helm:
+      values: |
+        secretsExporter:
+          excludeNamespaces:
+            - sealed-secrets
+          excludeLabels:
+            - cert-manager.io/*
+          resources:
+            limits:
+              memory: 100Mi
+            requests:
+              cpu: 20m
+              memory: 100Mi
+        prometheusServiceMonitor:
+          extraLabels:
+            k8s-app: x509-exporter
+        prometheusRules:
+          create: false
+  project: sys
+  syncPolicy:
+    managedNamespaceMetadata:
+      labels:
+        component: sys
+    syncOptions:
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+    {{- if .Values.x509_exporter.autosync }}
+    automated:
+      prune: true
+      # selfHeal: false
+    {{- end }}
+{{ end }}

apps/templates/yolo-dl.yaml

@@ -0,0 +1,16 @@
+{{- if .Values.yolo-dl.enabled }}
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: yolo-dl
+  namespace: argocd
+spec:
+  project: aux
+  destination:
+    server: https://10.255.241.99:4443
+    namespace: oceanbox
+  sources:
+  - repoURL: https://gitlab.com/oceanbox/manifests.git
+    targetRevision: main
+    path: charts/yolo-dl
+{{- end }}

apps/templates/yolo-registry.yaml

@@ -0,0 +1,16 @@
+{{- if .Values.yolo-registry.enabled }}
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: yolo-registry
+  namespace: argocd
+spec:
+  project: aux
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: yolo
+  sources:
+  - repoURL: https://gitlab.com/oceanbox/manifests.git
+    targetRevision: main
+    path: charts/yolo-registry
+{{- end }}