diff --git a/envs/environments.yaml.gotmpl b/envs/environments.yaml.gotmpl
index 2c44b21c..2099caa5 100644
--- a/envs/environments.yaml.gotmpl
+++ b/envs/environments.yaml.gotmpl
@@ -20,4 +20,11 @@ environments:
 - ../values/*/env.yaml.gotmpl
 - ../values/*/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml.gotmpl
 missingFileHandler: Info
+ beta:
+ values:
+ - ../values/env.yaml
+ - ../values/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml
+ - ../values/*/env.yaml.gotmpl
+ - ../values/*/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml.gotmpl
+ missingFileHandler: Info
diff --git a/shell.nix b/shell.nix
index c3f3b907..5523d063 100644
--- a/shell.nix
+++ b/shell.nix
@@ -31,6 +31,7 @@ pkgs.mkShellNoCC {
 kubectl-graph
 kubectl-klock
 graphviz
+ hubble
 # other tools activate when needed
 # step-cli
@@ -46,7 +47,7 @@ pkgs.mkShellNoCC {
 ++ checks.enabledPackages;
 # Environment variables
- ARGOCD_ENV_CLUSTER_NAME = "ekman";
+ ARGOCD_ENV_CLUSTER_NAME = "oceanbox";
 HELM_GIT_ACCESS_TOKEN = "glpat-xxx";
 shellHook = builtins.concatStringsSep "\n" [
diff --git a/values/atlantis/env-beta-ekman.yaml.gotmpl b/values/atlantis/env-beta-ekman.yaml.gotmpl
new file mode 100644
index 00000000..1eddc942
--- /dev/null
+++ b/values/atlantis/env-beta-ekman.yaml.gotmpl
@@ -0,0 +1,2 @@
+atlantis:
+ enabled: true
\ No newline at end of file
diff --git a/values/atlantis/kustomize/beta/appsettings.json b/values/atlantis/kustomize/beta/appsettings.json
new file mode 100644
index 00000000..2103d189
--- /dev/null
+++ b/values/atlantis/kustomize/beta/appsettings.json
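Review bot: `env-beta-ekman.yaml.gotmpl` matches neither glob the new `beta` environment loads (`../values/*/env.yaml.gotmpl` and `../values/*/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml.gotmpl`), so unless another helmfile layer outside this diff composes an `env-<environment>-<cluster>` name, `atlantis.enabled: true` is never read and Atlantis stays disabled in beta. If the file is meant for the ekman cluster under the beta environment, either rename it to what the glob resolves to (`env-ekman.yaml.gotmpl`, gated on the environment inside the template) or add a `- ../values/*/env-beta-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml.gotmpl` entry to the beta values list. Note the dev shell now defaults `ARGOCD_ENV_CLUSTER_NAME` to `oceanbox`, so local renders would look for `env-oceanbox.yaml.gotmpl` and skip this file either way.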
@@ -0,0 +1,96 @@
+{
+ "oidc": {
+ "issuer": "https://auth.oceanbox.io/realms/oceanbox",
+ "authorization_endpoint": "https://auth.oceanbox.io/realms/oceanbox/protocol/openid-connect/auth",
+ "token_endpoint": "https://auth.oceanbox.io/realms/oceanbox/protocol/openid-connect/token",
+ "jwks_uri": "https://auth.oceanbox.io/realms/oceanbox/protocol/openid-connect/certs",
+ "userinfo_endpoint": "https://auth.oceanbox.io/realms/oceanbox/protocol/openid-connect/userinfo",
+ "end_session_endpoint": "https://auth.oceanbox.io/realms/oceanbox/protocol/openid-connect/logout",
+ "device_authorization_endpoint": "https://auth.oceanbox.io/realms/oceanbox/protocol/openid-connect/auth/device",
+ "clientId": "atlantis",
+ "clientSecret": "",
+ "scopes": [
+ "openid",
+ "email",
+ "offline_access",
+ "profile"
+ ],
+ "audiences": [
+ "atlantis",
+ "atlantis_dev",
+ "sorcerer",
+ "sorcerer_dev"
+ ]
+ },
+ "sso": {
+ "cookieDomain": ".oceanbox.io",
+ "cookieName": ".obx.beta",
+ "ttl": 12.0,
+ "signedOutRedirectUri": "https://maps.beta.oceanbox.io",
+ "realm": "atlantis",
+ "environment": "prod",
+ "keyStore": {
+ "kind": "azure",
+ "uri": "https://atlantis.blob.core.windows.net",
+ "key": "dataprotection-keys"
+ },
+ "keyVault": {
+ "kind": "azure",
+ "uri": "https://atlantisvault.vault.azure.net",
+ "key": "dataencryption-keys"
+ }
+ },
+ "fga": {
+ "apiUrl": "http://prod-openfga.openfga.svc.cluster.local:8080",
+ "apiKey": "",
+ "storeId": "01JKTZXMP7ANN4GG2P5W8Y56M6",
+ "modelId": "01JKTZYMCZZBVSBG66W27XMW0A"
+ },
+ "sentryUrl": "https://b6e03cfc8e247297b89217b09341b4cb@o4509530141622272.ingest.de.sentry.io/4509530195492944",
+ "plainAuthUsers": [
+ {
+ "username": "admin",
+ "password": "en-to-tre-fire",
+ "groups": [ "/oceanbox" ],
+ "roles": [ "admin" ]
+ },
+ {
+ "username": "sorcerer",
+ "password": "fire tre to en",
+ "groups": [ "/oceanbox" ],
+ "roles": [ "admin" ]
+ },
+ {
+ "username": "archivist",
+ "password": "en-to-tre-fire",
+ "groups": [ "/oceanbox" ],
+ "roles": [
"admin" ]
+ }
+ ],
+ "plume": "plume.data.oceanbox.io",
+ "redis": "beta-atlantis-redis-master:6379",
+ "objectStore": "https://atlantis.blob.core.windows.net",
+ "connString": "Username=postgres;Password=secret;Host=localhost;Port=5432;Database=app;Pooling=true;",
+ "sorcerer" : "https://sorcerer.data.oceanbox.io",
+ "allowedOrigins": [
+ "https://maps.beta.oceanbox.io"
+ ],
+ "appName": "atlantis",
+ "appEnv": "prod",
+ "appNamespace": "atlantis",
+ "appVersion": "2.95.1",
+ "otelCollector": "http://opentelemetry-collector.otel.svc:4317",
+ "pubsubName": "pubsub",
+ "pubsubTopic": "hipster-atlantis",
+ "slurm": {
+ "baseUrl": "https://slurmrestd.ekman.oceanbox.io/",
+ "slurmApi": "slurm/v0.0.42/",
+ "dbdApi": "slurmdbd/v0.0.42/",
+ "accessToken": ""
+ },
+ "amqp": {
+ "auth": "user:hunny-bunny",
+ "host": "10.255.241.201:30673"
+ },
+ "fenceRadius": 1250.0
+}
diff --git a/values/atlantis/kustomize/beta/bindings.yaml b/values/atlantis/kustomize/beta/bindings.yaml
new file mode 100644
index 00000000..927ad791
--- /dev/null
+++ b/values/atlantis/kustomize/beta/bindings.yaml
@@ -0,0 +1,22 @@
+apiVersion: dapr.io/v1alpha1
+kind: Component
+metadata:
+ name: slurm-events
+spec:
+ type: bindings.rabbitmq
+ version: v1
+ metadata:
+ - name: host
+ secretKeyRef:
+ name: prod-atlantis-rabbitmq
+ key: connString
+ - name: queueName
+ value: prod-slurm-job-events
+ - name: durable
+ value: true
+ - name: contentType
+ value: "application/json"
+ - name: route
+ value: /events/slurm
+scopes:
+ - beta-atlantis
diff --git a/values/atlantis/kustomize/beta/configurations.yaml b/values/atlantis/kustomize/beta/configurations.yaml
new file mode 100644
index 00000000..f75197e4
--- /dev/null
+++ b/values/atlantis/kustomize/beta/configurations.yaml
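Review bot: This file commits live credentials in what kustomization.yaml renders as a ConfigMap: three `plainAuthUsers` entries with role `admin` and trivially guessable passwords (`en-to-tre-fire`, `fire tre to en`), a Postgres `connString` carrying `Password=secret`, an AMQP `auth` of `user:hunny-bunny`, and a Sentry DSN. The file already leaves `clientSecret`, `apiKey` and `accessToken` empty to be supplied from the environment; apply the same pattern here — `"plainAuthUsers": [],`, `"connString": "",` and `"auth": "",` with the real values in a Secret — and treat the committed passwords as compromised. Separately, `"environment": "prod"`, `"appEnv": "prod"` and `fga.apiUrl` pointing at `prod-openfga` mean this beta instance evaluates (and, if the app writes tuples, mutates) production authorization data; confirm that is intended rather than a copy-paste from the prod settings. `cookieDomain: ".oceanbox.io"` also scopes the beta session cookie to every subdomain, so browsers will present it to production hosts unless those check `cookieName`.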
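Review bot: `queueName: prod-slurm-job-events` combined with the `prod-atlantis-rabbitmq` `connString` makes the beta sidecar a consumer on what its name says is the production queue; an input binding takes messages off the queue, so any Slurm job event beta receives and acks is never delivered to prod. If prod's binding reads the same queue (its definition is not in this diff, so this is inferred from the naming), give beta its own queue — `value: beta-slurm-job-events` — and have the producer fan out, otherwise this deployment silently drains production job events. At minimum add a comment above `queueName` stating that the queue is shared with prod and why.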
@@ -0,0 +1,20 @@
+apiVersion: dapr.io/v1alpha1
+kind: Component
+metadata:
+ name: configstore
+spec:
+ type: configuration.redis
+ version: v1
+ metadata:
+ - name: redisHost
+ value: beta-atlantis-redis-master:6379
+ - name: redisUsername
+ value: default
+ - name: redisPassword
+ secretKeyRef:
+ name: beta-atlantis-redis
+ key: redis-password
+ - name: redisDB
+ value: "1"
+scopes:
+ - beta-atlantis
diff --git a/values/atlantis/kustomize/beta/default.env b/values/atlantis/kustomize/beta/default.env
new file mode 100644
index 00000000..85c5abe3
--- /dev/null
+++ b/values/atlantis/kustomize/beta/default.env
@@ -0,0 +1 @@
+OIDC_CLIENT_SECRET=KOJ6bDHzE5vdyfSrzgwLjtM5PzA809Zm
diff --git a/values/atlantis/kustomize/beta/deployment_patch.yaml b/values/atlantis/kustomize/beta/deployment_patch.yaml
new file mode 100644
index 00000000..dd4c92da
--- /dev/null
+++ b/values/atlantis/kustomize/beta/deployment_patch.yaml
@@ -0,0 +1,10 @@
+- op: add
+ path: /spec/template/spec/containers/0/envFrom/-
+ value:
+ secretRef:
+ name: azure-keyvault
+- op: add
+ path: /spec/template/spec/containers/0/envFrom/-
+ value:
+ secretRef:
+ name: prod-atlantis-env
\ No newline at end of file
diff --git a/values/atlantis/kustomize/beta/keyvault.yaml b/values/atlantis/kustomize/beta/keyvault.yaml
new file mode 100644
index 00000000..145adf98
--- /dev/null
+++ b/values/atlantis/kustomize/beta/keyvault.yaml
@@ -0,0 +1,22 @@
+apiVersion: dapr.io/v1alpha1
+kind: Component
+metadata:
+ name: azure-keyvault
+spec:
+ type: secretstores.azure.keyvault
+ version: v1
+ metadata:
+ - name: vaultName
+ value: atlantisvault
+ - name: azureTenantId
+ secretKeyRef:
+ name: azure-keyvault
+ key: AZURE_TENANT_ID
+ - name: azureClientId
+ secretKeyRef:
+ name: azure-keyvault
+ key: AZURE_CLIENT_ID
+ - name: azureClientSecret
+ secretKeyRef:
+ name: azure-keyvault
+ key: AZURE_CLIENT_SECRET
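Review bot: `OIDC_CLIENT_SECRET=KOJ6bDHzE5vdyfSrzgwLjtM5PzA809Zm` commits the Keycloak client secret for the `atlantis` client in clear text; rotate it now and purge the value from history, since anyone with repo read access can mint tokens for that client. Nothing in kustomization.yaml references default.env (there is no `secretGenerator`), so the file is also dead weight for the deployment. If a generated Secret is the intent, add a `secretGenerator` with `envs: [default.env]`, keep the real file in `.gitignore` with a committed `default.env.example` holding `OIDC_CLIENT_SECRET=`, or pull the value from the Azure Key Vault that keyvault.yaml already wires up.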
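Review bot: The second `op` injects the whole `prod-atlantis-env` Secret into the beta container through `envFrom`, so every production environment variable — not only the ones beta needs — is readable from a beta pod and from anyone who can `exec` into it. The first `op` does the same with `azure-keyvault`, which holds the service principal's `AZURE_CLIENT_SECRET`; keyvault.yaml already hands those values to the Dapr component via `secretKeyRef`, so unless the application itself calls Azure directly, drop that entry and let the sidecar be the only holder of the credential. If beta genuinely needs a few prod variables, copy just those into a `beta-atlantis-env` Secret and reference it with `name: beta-atlantis-env`.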
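Review bot: This Component has no `scopes`, unlike bindings.yaml, configurations.yaml and statestore.yaml in the same kustomization, so any Dapr-enabled app in the namespace can read secrets out of `atlantisvault` through its own sidecar. Append `scopes:` / `  - beta-atlantis` at the end of the document to match the other components. The component is also named `azure-keyvault`, the same as the Kubernetes Secret it reads its credentials from; that works, but a distinct name such as `azure-keyvault-store` makes the RBAC `resourceNames` entry in rbac.yaml unambiguous.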
diff --git a/values/atlantis/kustomize/beta/kustomization.yaml b/values/atlantis/kustomize/beta/kustomization.yaml
new file mode 100644
index 00000000..cdfe45ee
--- /dev/null
+++ b/values/atlantis/kustomize/beta/kustomization.yaml
@@ -0,0 +1,24 @@
+generatorOptions:
+ disableNameSuffixHash: true
+configMapGenerator:
+- name: beta-atlantis-appsettings
+ files:
+ - appsettings.json
+patches:
+ - target:
+ group: apps
+ version: v1
+ kind: Deployment
+ path: deployment_patch.yaml
+resources:
+ - ../base
+ - rbac.yaml
+ - secrets.yaml
+ - tracing.yaml
+ - bindings.yaml
+ - pubsub.yaml
+ - statestore.yaml
+ - subscriptions.yaml
+ - configurations.yaml
+ - secretstore.yaml
+ - keyvault.yaml
\ No newline at end of file
diff --git a/values/atlantis/kustomize/beta/pubsub.yaml b/values/atlantis/kustomize/beta/pubsub.yaml
new file mode 100644
index 00000000..b7aeda01
--- /dev/null
+++ b/values/atlantis/kustomize/beta/pubsub.yaml
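Review bot: `configMapGenerator` turns appsettings.json — which in this same change carries passwords, an AMQP credential and a database connection string — into a ConfigMap, readable by anything with `get configmaps` and printed by `kubectl describe`; generate it with `secretGenerator` instead (adjusting the base mount accordingly) or strip the credentials out of the JSON first. With `disableNameSuffixHash: true` an edit to appsettings.json keeps the same ConfigMap name and therefore does not roll the Deployment, so pods keep stale settings until restarted; if the fixed name is needed by the base, pair it with a restart annotation. The `patches` target has no `name`, so deployment_patch.yaml is applied to every Deployment rendered from `../base`; add `name: <deployment name>` under `target` to keep the `envFrom` additions scoped to the app container you intend.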
@@ -0,0 +1,52 @@
+apiVersion: dapr.io/v1alpha1
+kind: Component
+metadata:
+ name: pubsub
+spec:
+ version: v1
+ type: pubsub.rabbitmq
+ metadata:
+ - name: hostname
+ value: prod-rabbitmq.rabbitmq
+ - name: username
+ value: user
+ - name: password
+ secretKeyRef:
+ name: prod-atlantis-rabbitmq
+ key: rabbitmq-password
+ - name: protocol
+ value: amqp
+ - name: durable
+ value: true
+ - name: deletedWhenUnused
+ value: false
+ - name: autoAck
+ value: false
+ - name: deliveryMode
+ value: 1
+ - name: requeueInFailure
+ value: false
+ - name: prefetchCount
+ value: 0
+ - name: reconnectWait
+ value: 0
+ - name: concurrencyMode
+ value: parallel
+ - name: publisherConfirm
+ value: false
+ - name: backOffPolicy
+ value: exponential
+ - name: backOffInitialInterval
+ value: 100
+ - name: backOffMaxRetries
+ value: 16
+ - name: enableDeadLetter # Optional enable dead Letter or not
+ value: true
+ - name: maxLen # Optional max message count in a queue
+ value: 3000
+ - name: maxLenBytes # Optional maximum length in bytes of a queue.
+ value: 10485760
+ - name: exchangeKind
+ value: fanout
+ - name: clientName
+ value: "{appID}"
diff --git a/values/atlantis/kustomize/beta/rbac.yaml b/values/atlantis/kustomize/beta/rbac.yaml
new file mode 100644
index 00000000..7f341253
--- /dev/null
+++ b/values/atlantis/kustomize/beta/rbac.yaml
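Review bot: This pubsub Component has no `scopes` and connects to `prod-rabbitmq.rabbitmq` with the production credential on `exchangeKind: fanout`, so anything beta publishes reaches every production consumer bound to the same exchange, and beta's subscriptions on `hipster` and `inbox` receive production traffic in return. At minimum append `scopes:` / `  - beta-atlantis` as the other components in this kustomization do; better, give beta its own vhost or user on the broker so the credential cannot touch prod exchanges at all. `deliveryMode: 1` marks published messages non-persistent while `durable: true` keeps the queue, so a broker restart drops in-flight beta messages — acceptable for beta if understood, but worth a `# non-persistent: beta traffic may be lost on broker restart` comment next to `deliveryMode`.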
@@ -0,0 +1,40 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: beta-atlantis
+ namespace: beta-atlantis
+rules:
+- apiGroups:
+ - ""
+ resourceNames:
+ - beta-atlantis-appsettings
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - watch
+- apiGroups:
+ - ""
+ resourceNames:
+ - azure-keyvault
+ - beta-atlantis-redis
+ - slurm-access-token
+ resources:
+ - secrets
+ verbs:
+ - get
+ - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: beta-atlantis
+ namespace: beta-atlantis
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: beta-atlantis
+subjects:
+- kind: ServiceAccount
+ name: beta-atlantis
+ namespace: beta-atlantis
diff --git a/values/atlantis/kustomize/beta/secrets.yaml b/values/atlantis/kustomize/beta/secrets.yaml
new file mode 100644
index 00000000..a956c207
--- /dev/null
+++ b/values/atlantis/kustomize/beta/secrets.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ annotations:
+ kyverno/clone: "true"
+ kyverno/env: "prod"
+ name: prod-atlantis-rabbitmq
+type: Opaque
+data:
diff --git a/values/atlantis/kustomize/beta/secretstore.yaml b/values/atlantis/kustomize/beta/secretstore.yaml
new file mode 100644
index 00000000..49c691a2
--- /dev/null
+++ b/values/atlantis/kustomize/beta/secretstore.yaml
@@ -0,0 +1,10 @@
+apiVersion: dapr.io/v1alpha1
+kind: Component
+metadata:
+ name: secretstore
+spec:
+ type: secretstores.kubernetes
+ version: v1
+ metadata:
+ - name: defaultNamespace
+ value: beta-atlantis
diff --git a/values/atlantis/kustomize/beta/statestore.yaml b/values/atlantis/kustomize/beta/statestore.yaml
new file mode 100644
index 00000000..bfce8233
--- /dev/null
+++ b/values/atlantis/kustomize/beta/statestore.yaml
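Review bot: This manifest copies the production RabbitMQ credential into the beta namespace via `kyverno/clone: "true"` and `kyverno/env: "prod"`, so compromise of any beta pod that can read Secrets yields production broker access; a per-environment broker user limited to beta's own vhost and queues would remove that blast radius. The bare `data:` parses as `null`, which `kubectl apply` accepts but strict validators reject — use `data: {}` or omit the key and let the clone policy populate it. The Kyverno policy that honours these annotations is outside this diff, so this assumes it clones the same-named Secret from the prod namespace; a one-line comment naming that policy above `annotations` would help the next reader.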
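Review bot: `secretstores.kubernetes` with `defaultNamespace: beta-atlantis` and no `scopes` lets any Dapr-enabled app in the namespace read every Secret there — including the cloned `prod-atlantis-rabbitmq`, `azure-keyvault` and the prod DB superuser credential referenced in values-beta — through its sidecar. Append `scopes:` / `  - beta-atlantis` as statestore.yaml and configurations.yaml do. Whether the sidecar's reads are additionally bounded by the pod ServiceAccount (rbac.yaml lists only three secrets) depends on the Dapr version and on the operator resolving `secretKeyRef`s itself, so do not rely on RBAC alone here.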
@@ -0,0 +1,22 @@
+apiVersion: dapr.io/v1alpha1
+kind: Component
+metadata:
+ name: statestore
+spec:
+ type: state.redis
+ version: v1
+ metadata:
+ - name: redisHost
+ value: beta-atlantis-redis:6379
+ - name: redisUsername
+ value: default
+ - name: redisPassword
+ secretKeyRef:
+ name: beta-atlantis-redis
+ key: redis-password
+ - name: actorStateStore
+ value: "true"
+ - name: redisDB
+ value: "0"
+scopes:
+ - beta-atlantis
\ No newline at end of file
diff --git a/values/atlantis/kustomize/beta/subscriptions.yaml b/values/atlantis/kustomize/beta/subscriptions.yaml
new file mode 100644
index 00000000..73c982e5
--- /dev/null
+++ b/values/atlantis/kustomize/beta/subscriptions.yaml
@@ -0,0 +1,27 @@
+apiVersion: dapr.io/v2alpha1
+kind: Subscription
+metadata:
+ name: hipster-events
+spec:
+ topic: hipster
+ routes:
+ default: /events/hipster
+ pubsubname: pubsub
+ metadata:
+ queueType: quorum
+scopes:
+- beta-atlantis
+---
+apiVersion: dapr.io/v2alpha1
+kind: Subscription
+metadata:
+ name: inbox-events
+spec:
+ topic: inbox
+ routes:
+ default: /events/inbox
+ pubsubname: pubsub
+ metadata:
+ queueType: quorum
+scopes:
+- beta-atlantis
diff --git a/values/atlantis/kustomize/beta/tracing.yaml b/values/atlantis/kustomize/beta/tracing.yaml
new file mode 100644
index 00000000..5d9bffd1
--- /dev/null
+++ b/values/atlantis/kustomize/beta/tracing.yaml
@@ -0,0 +1,11 @@
+apiVersion: dapr.io/v1alpha1
+kind: Configuration
+metadata:
+ name: tracing
+spec:
+ tracing:
+ samplingRate: "1"
+ otel:
+ endpointAddress: "opentelemetry-collector.otel.svc.cluster.local:4317"
+ protocol: grpc
+ isSecure: false
diff --git a/values/atlantis/manifests/atlantis.yaml b/values/atlantis/manifests/atlantis.yaml
index 28df05c8..e2f37b92 100644
--- a/values/atlantis/manifests/atlantis.yaml
+++ b/values/atlantis/manifests/atlantis.yaml
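Review bot: `redisHost: beta-atlantis-redis:6379` differs from the `beta-atlantis-redis-master:6379` used by configurations.yaml and by the `redis` field in appsettings.json; if the chart only creates the `-master` Service the actor state store will fail to connect, and if both Services exist the components may end up on different endpoints. Use one host for all three, presumably `value: beta-atlantis-redis-master:6379`. Redis is reached without TLS here (`enableTLS` is not set), which is reasonable inside the cluster but deserves a `# plaintext, in-cluster only` comment beside `redisHost` so it is not copied to a cross-cluster setup.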
@@ -67,6 +67,12 @@ spec:
 - '.data'
 - '.metadata.labels'
 - '.metadata.annotations'
+ - kind: Secret
+ name: slurm-access-token
+ jqPathExpressions:
+ - '.data'
+ - '.metadata.labels'
+ - '.metadata.annotations'
 syncPolicy:
 syncOptions:
 - CreateNamespace=true
diff --git a/values/atlantis/values/values-beta.yaml.gotmpl b/values/atlantis/values/values-beta.yaml.gotmpl
new file mode 100644
index 00000000..a7e07ab1
--- /dev/null
+++ b/values/atlantis/values/values-beta.yaml.gotmpl
@@ -0,0 +1,98 @@
+replicaCount: 1
+
+podAnnotations:
+ dapr.io/app-id: "beta-atlantis"
+
+env:
+ - name: APP_NAMESPACE
+ value: beta-atlantis
+ - name: APP_VERSION
+ value: "2.97.4-beta"
+ - name: LOG_LEVEL
+ value: "1"
+ - name: ANALYTICS_WEB_ID
+ value: "16e7d807-4db5-45fd-92a9-27393445a153"
+ - name: REDIS_USER
+ value: default
+ - name: REDIS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: beta-atlantis-redis
+ key: redis-password
+ # Share production database
+ - name: DB_HOST
+ value: prod-atlantis-db-rw
+ - name: DB_PORT
+ value: "5432"
+ - name: DB_USER
+ valueFrom:
+ secretKeyRef:
+ name: prod-atlantis-db-superuser
+ key: username
+ - name: DB_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: prod-atlantis-db-superuser
+ key: password
+ - name: DAPR_API_TOKEN
+ valueFrom:
+ secretKeyRef:
+ name: dapr-api-token
+ key: token
+
+ingress:
+ enabled: true
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-production
+ nginx.ingress.kubernetes.io/proxy-buffer-size: 128k
+ hosts:
+ - host: maps.beta.oceanbox.io
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ internal:
+ - path: /internal
+ pathType: ImplementationSpecific
+ - path: /dapr
+ pathType: ImplementationSpecific
+ - path: /actors
+ pathType: ImplementationSpecific
+ - path: /job
+ pathType: ImplementationSpecific
+ - path: /events
+ pathType: ImplementationSpecific
+ - path: /metrics
+ pathType: ImplementationSpecific
+ tls:
+ - hosts:
+ - maps.beta.oceanbox.io
+ secretName: beta-atlantis-tls
+
+cluster:
+ enabled: false
+
+redis:
+ enabled: true
+ size: 2Gi
+ secret:
+ name: beta-atlantis-redis
+ key: redis-password
+ backup:
+ enabled: true
+ resources:
+ cpu: 150m
+ memory: 256Mi
+
+resources:
+ limits:
+ cpu: 500m
+ memory: 512Mi
+ requests:
+ cpu: 250m
+ memory: 512Mi
+
+diagrid-dashboard:
+ enabled: false
+ statestore:
+ scope: beta-atlantis
+ redis: beta-atlantis-redis
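Review bot: The `DB_USER`/`DB_PASSWORD` block logs the beta application into the production database `prod-atlantis-db-rw` as the cluster superuser (`prod-atlantis-db-superuser`), so a bug or compromise in a beta build can alter or drop any production table; the `# Share production database` comment acknowledges the sharing but not the privilege level. Create a dedicated role with only the grants the application needs and point both `secretKeyRef`s at its Secret, e.g. `name: prod-atlantis-db-app`; the `-rw`/`-superuser` naming looks like CloudNativePG, whose `bootstrap.initdb.owner` secret (`prod-atlantis-db-app`) would be the natural candidate — confirm against the Cluster that generates these. The `internal:` path list publishes `/dapr`, `/actors`, `/internal` and `/metrics`; how the chart guards those (separate internal ingress, IP allow-list) is not visible here, so verify they are not reachable on `maps.beta.oceanbox.io` before this goes live.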