feat: update atlantis chart, values and app for spmsa

apps/staging-atlantis.yaml

@@ -0,0 +1,31 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: staging-atlantis
+  namespace: argocd
+spec:
+  template:
+    metadata:
+      name: staging-atlantis
+    spec:
+      project: atlantis
+      destination:
+        namespace: staging-atlantis
+        server: https://kubernetes.default.svc
+      sources:
+      - repoURL: https://gitlab.com/oceanbox/manifests.git
+        targetRevision: nixidy
+        path: values/atlantis
+        plugin:
+          name: kustomize-helm-with-rewrite
+          parameters:
+          - name: env
+            string: staging
+          - name: hostname
+            string: atlantis.beta.oceanbox.io
+  templatePatch: |
+    spec:
+      syncPolicy:
+        automated:
+          prune: true
+          selfHeal: true

values/atlantis/base/deployment_patch.yaml

@@ -6,17 +6,4 @@
   value: /healthz
 - op: add
   path: /spec/template/spec/containers/0/envFrom
-  value: []
-- op: add
-  path: /spec/template/spec/containers/0/volumeMounts/-
-  value:
-    name: acl
-    mountPath: /app/acl.json
-    subPath: acl.json
-    readOnly: true
-- op: add
-  path: /spec/template/spec/volumes/-
-  value:
-    name: acl
-    configMap:
-      name: petimeter-acl
+  value: []

values/atlantis/base/kustomization.yaml

@@ -1,12 +1,5 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-namespace: atlantis
-generatorOptions:
-  disableNameSuffixHash: true
-configmapGenerator:
-- name: petimeter-acl
-  files:
-    - acl.json
 patches:
   - target:
       version: v1

values/atlantis/base/service_patch.yaml

@@ -0,0 +1,7 @@
+- op: add
+  path: /spec/ports/-
+  value:
+    name: intra
+    port: 8000
+    protocol: TCP
+    targetPort: 8000

values/atlantis/prod/appsettings.json

@@ -15,24 +15,45 @@
             "profile"
         ]
     },
-    "redis": "prod-redis-master.redis.svc,user=default,password=secret",
     "sso": {
         "cookieDomain": ".oceanbox.io",
+        "cookieName": ".obx.prod",
         "signedOutRedirectUri": "https://idp.oceanbox.io/dex/static/logout.html",
-        "appDomain": "atlantis",
-        "dataProtectionKeys": "DataProtection-Keys"
+        "realm": "atlantis",
+        "environment": "prod",
+        "keyStore": "azure",
+        "certStore": "https://atlantis.blob.core.windows.net",
+        "dataProtectionKeys": "https://atlantisvault.vault.azure.net/keys/dataprotection"
     },
-    "archmeister" : "https://archmeister.srv.oceanbox.io",
-    "sorcerer" : "https://sorcerer.data.oceanbox.io",
+    "fga": {
+      "apiUrl": "https://openfga.dev.oceanbox.io",
+      "apiKey": "",
+      "storeId": "01J6C1NBX36E1B928HFSB123XQ",
+      "modelId": "01JEK1NC93GXA8TKGK6FB5CG3X"
+    },
+    "plainAuthUsers": [
+        {
+            "username": "admin",
+            "password": "en-to-tre-fire",
+            "groups": [ "/oceanbox" ],
+            "roles": [ "admin" ]
+        }
+    ],
+    "redis": "prod-redis-master:6379",
+    "objectStore": "https://atlantis.blob.core.windows.net",
+    "connString": "Username=postgres;Password=secret;Host=localhost;Port=5432;Database=app;Pooling=true;",
+    "sorcerer" : "https://sorcerer.ekman.oceanbox.io",
     "allowedOrigins": [
-        "http://maps.oceanbox.io",
         "https://maps.oceanbox.io",
-        "http://atlantis.srv.oceanbox.io",
         "https://atlantis.srv.oceanbox.io"
     ],
-    "otelCollector": "http://opentelemetry-collector.opentelemetry.svc:4317",
-    "deployEnv": "prod",
-    "deployName": "atlantis",
+    "appName": "atlantis",
+    "appEnv": "prod",
+    "appNamespace": "atlantis",
+    "appVersion": "2.90.0",
+    "otelCollector": "http://opentelemetry-collector.otel.svc:4317",
+    "pubsubName": "pubsub",
+    "pubsubTopic": "hipster-atlantis",
     "slurm": {
         "baseUrl": "https://hipster-slurmrestd.ekman.oceanbox.io/",
         "slurmApi": "slurm/v0.0.38/",
@@ -42,11 +63,7 @@
     },
     "amqp": {
         "auth": "user:bunny",
-        "host": "10.1.8.60:30673"
+        "host": "10.255.241.201:30673"
     },
-    "pubsubName": "pubsub",
-    "pubsubTopic": "hipster-atlantis",
-    "fenceRadius": 1250.0,
-    "cerbosUrl": "http://prod-cerbos.idp.svc:3593",
-    "plainAuthUsers": []
+    "fenceRadius": 1250.0
 }

values/atlantis/prod/bindings.yaml

@@ -11,7 +11,7 @@ spec:
       name: prod-rabbitmq
       key:  connString
   - name: queueName
-    value: prod-hipster-slurm-job-events
+    value: prod-slurm-job-events
   - name: durable
     value: true
   - name: contentType
@@ -19,4 +19,4 @@ spec:
   - name: route
     value: /events/slurm
 scopes:
-  - atlantis
+  - atlantis

values/atlantis/prod/configurations.yaml

@@ -0,0 +1,20 @@
+apiVersion: dapr.io/v1alpha1
+kind: Component
+metadata:
+  name: configstore
+spec:
+  type: configuration.redis
+  version: v1
+  metadata:
+  - name: redisHost
+    value: prod-redis-master:6379
+  - name: redisUsername
+    value: default
+  - name: redisPassword
+    secretKeyRef:
+      name: prod-redis
+      key:  redis-password
+  - name: redisDB
+    value: "2"
+scopes:
+  - atlantis

values/atlantis/prod/deployment_patch.yaml

@@ -1,10 +1,10 @@
-- op: replace
-  path: /spec/template/spec/containers/0/env/0
-  value:
-    name: LOG_LEVEL
-    value: "4"
 - op: add
   path: /spec/template/spec/containers/0/envFrom/-
   value:
     secretRef:
-      name: prod-atlantis-env
+      name: azure-keyvault
+- op: add
+  path: /spec/template/spec/containers/0/envFrom/-
+  value:
+    secretRef:
+      name: prod-atlantis-env

values/atlantis/prod/keyvault.yaml

@@ -0,0 +1,22 @@
+apiVersion: dapr.io/v1alpha1
+kind: Component
+metadata:
+  name: azure-keyvault
+spec:
+  type: secretstores.azure.keyvault
+  version: v1
+  metadata:
+  - name: vaultName
+    value: atlantisvault
+  - name: azureTenantId
+    secretKeyRef:
+      name: azure-keyvault
+      key: AZURE_TENANT_ID
+  - name: azureClientId
+    secretKeyRef:
+      name: azure-keyvault
+      key: AZURE_CLIENT_ID
+  - name: azureClientSecret
+    secretKeyRef:
+      name: azure-keyvault
+      key: AZURE_CLIENT_SECRET

values/atlantis/prod/kustomization.yaml

@@ -4,13 +4,6 @@ configMapGenerator:
 - name: prod-atlantis-appsettings
   files:
     - appsettings.json
-secretGenerator:
-- name: prod-atlantis-env
-  envs:
-  - default.env
-- name: prod-atlantis-barentswatch
-  envs:
-  - barentswatch-api.env
 patches:
   - target:
       group: apps
@@ -19,9 +12,13 @@ patches:
     path: deployment_patch.yaml
 resources:
   - ../base
+  - rbac.yaml
   - secrets.yaml
   - tracing.yaml
   - bindings.yaml
   - pubsub.yaml
   - statestore.yaml
   - subscriptions.yaml
+  - configurations.yaml
+  - secretstore.yaml
+  - keyvault.yaml

values/atlantis/prod/pubsub.yaml

@@ -7,7 +7,7 @@ spec:
   type: pubsub.rabbitmq
   metadata:
   - name: hostname
-    value: prod
+    value: prod-rabbitmq.rabbitmq
   - name: username
     value: user
   - name: password
@@ -49,4 +49,4 @@ spec:
   - name: exchangeKind
     value: fanout
   - name: clientName
-    value: "{appID}"
+    value: "{appID}"

values/atlantis/prod/rbac.yaml

@@ -0,0 +1,39 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: prod-atlantis
+  namespace: prod
+rules:
+- apiGroups:
+  - ""
+  resourceNames:
+  - prod-atlantis-appsettings
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - watch
+- apiGroups:
+  - ""
+  resourceNames:
+  - azure-keyvault
+  - prod-redis
+  resources:
+  - secrets
+  verbs:
+  - get
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: prod-atlantis
+  namespace: prod
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: prod-atlantis
+subjects:
+- kind: ServiceAccount
+  name: prod-atlantis
+  namespace: prod

values/atlantis/prod/secrets.yaml

@@ -3,6 +3,15 @@ kind: Secret
 metadata:
   annotations:
     kyverno/clone: "true"
-  name: prod-rabbitmq
+  name: prod-atlantis-env
+type: Opaque
+data:
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  annotations:
+    kyverno/clone: "true"
+  name: azure-keyvault
 type: Opaque
 data:

values/atlantis/prod/secretstore.yaml

@@ -0,0 +1,10 @@
+apiVersion: dapr.io/v1alpha1
+kind: Component
+metadata:
+  name: secretstore
+spec:
+  type: secretstores.kubernetes
+  version: v1
+  metadata:
+   - name: defaultNamespace
+     value: prod-atlantis

values/atlantis/prod/statestore.yaml

@@ -7,16 +7,16 @@ spec:
   version: v1
   metadata:
   - name: redisHost
-    value: <x>-redis-master:6379
+    value: prod-redis-master:6379
   - name: redisUsername
     value: default
   - name: redisPassword
     secretKeyRef:
-      name: <x>-redis
+      name: prod-redis
       key:  redis-password
   - name: actorStateStore
     value: "true"
   - name: redisDB
     value: "1"
 scopes:
-  - atlantis
+  - atlantis

values/atlantis/prod/tracing.yaml

@@ -5,5 +5,7 @@ metadata:
 spec:
   tracing:
     samplingRate: "1"
-    zipkin:
-      endpointAddress: "http://opentelemetry-collector.otel.svc.cluster.local:9411/api/v2/spans"
+    otel:
+      endpointAddress: "opentelemetry-collector.otel.svc.cluster.local:4317"
+      protocol: grpc
+      isSecure: false

values/atlantis/staging/appsettings.json

@@ -15,22 +15,46 @@
             "profile"
         ]
     },
-    "redis": "staging-redis-master.redis.svc,user=default,password=secret",
     "sso": {
         "cookieDomain": ".oceanbox.io",
+        "cookieName": ".obx.staging",
         "signedOutRedirectUri": "https://idp.oceanbox.io/dex/static/logout.html",
-        "appDomain": "atlantis",
-        "dataProtectionKeys": "DataProtection-Keys"
+        "realm": "atlantis",
+        "environment": "staging",
+        "keyStore": "azure",
+        "certStore": "https://atlantis.blob.core.windows.net",
+        "dataProtectionKeys": "https://atlantisvault.vault.azure.net/keys/dataprotection"
     },
-    "archmeister" : "https://archmeister.beta.oceanbox.io",
+    "fga": {
+      "apiUrl": "https://openfga.dev.oceanbox.io",
+      "apiKey": "",
+      "storeId": "01J6C1NBX36E1B928HFSB123XQ",
+      "modelId": "01JEK1NC93GXA8TKGK6FB5CG3X"
+    },
+    "plainAuthUsers": [
+        {
+            "username": "admin",
+            "password": "en-to-tre-fire",
+            "groups": [ "/oceanbox" ],
+            "roles": [ "admin" ]
+        }
+    ],
+    "redis": "staging-redis-master:6379",
+    "objectStore": "https://atlantis.blob.core.windows.net",
+    "connString": "Username=postgres;Password=secret;Host=localhost;Port=5432;Database=app;Pooling=true;",
     "sorcerer" : "https://sorcerer.ekman.oceanbox.io",
     "allowedOrigins": [
-        "http://atlantis.beta.oceanbox.io",
-        "https://atlantis.beta.oceanbox.io"
+        "https://atlantis.beta.oceanbox.io",
+        "https://atlantis.dev.oceanbox.io",
+        "https://atlantis.local.oceanbox.io:8080"
     ],
-    "otelCollector": "http://opentelemetry-collector.opentelemetry.svc:4317",
-    "deployEnv": "staging",
-    "deployName": "atlantis",
+    "appName": "atlantis",
+    "appEnv": "staging",
+    "appNamespace": "atlantis",
+    "appVersion": "0.0.0",
+    "otelCollector": "http://opentelemetry-collector.otel.svc:4317",
+    "pubsubName": "pubsub",
+    "pubsubTopic": "hipster-atlantis",
     "slurm": {
         "baseUrl": "https://hipster-slurmrestd.ekman.oceanbox.io/",
         "slurmApi": "slurm/v0.0.38/",
@@ -40,11 +64,7 @@
     },
     "amqp": {
         "auth": "user:bunny",
-        "host": "10.1.8.60:30673"
+        "host": "10.255.241.201:31673"
     },
-    "pubsubName": "pubsub",
-    "pubsubTopic": "hipster-atlantis",
-    "fenceRadius": 1250.0,
-    "cerbosUrl": "http://staging-cerbos.idp.svc:3593",
-    "plainAuthUsers": []
+    "fenceRadius": 1250.0
 }

values/atlantis/staging/bindings.yaml

@@ -11,7 +11,7 @@ spec:
       name: staging-rabbitmq
       key:  connString
   - name: queueName
-    value: staging-hipster-slurm-job-events
+    value: staging-slurm-job-events
   - name: durable
     value: true
   - name: contentType

values/atlantis/staging/configurations.yaml

@@ -0,0 +1,20 @@
+apiVersion: dapr.io/v1alpha1
+kind: Component
+metadata:
+  name: configstore
+spec:
+  type: configuration.redis
+  version: v1
+  metadata:
+  - name: redisHost
+    value: staging-redis-master:6379
+  - name: redisUsername
+    value: default
+  - name: redisPassword
+    secretKeyRef:
+      name: staging-redis
+      key:  redis-password
+  - name: redisDB
+    value: "2"
+scopes:
+  - atlantis

values/atlantis/staging/deployment_patch.yaml

@@ -1,10 +1,10 @@
-- op: replace
-  path: /spec/template/spec/containers/0/env/0
-  value:
-    name: LOG_LEVEL
-    value: "4"
 - op: add
   path: /spec/template/spec/containers/0/envFrom/-
   value:
     secretRef:
-      name: staging-atlantis-env
+      name: azure-keyvault
+- op: add
+  path: /spec/template/spec/containers/0/envFrom/-
+  value:
+    secretRef:
+      name: staging-atlantis-env

values/atlantis/staging/keyvault.yaml

@@ -0,0 +1,22 @@
+apiVersion: dapr.io/v1alpha1
+kind: Component
+metadata:
+  name: azure-keyvault
+spec:
+  type: secretstores.azure.keyvault
+  version: v1
+  metadata:
+  - name: vaultName
+    value: atlantisvault
+  - name: azureTenantId
+    secretKeyRef:
+      name: azure-keyvault
+      key: AZURE_TENANT_ID
+  - name: azureClientId
+    secretKeyRef:
+      name: azure-keyvault
+      key: AZURE_CLIENT_ID
+  - name: azureClientSecret
+    secretKeyRef:
+      name: azure-keyvault
+      key: AZURE_CLIENT_SECRET

values/atlantis/staging/kustomization.yaml

@@ -4,13 +4,6 @@ configMapGenerator:
 - name: staging-atlantis-appsettings
   files:
     - appsettings.json
-secretGenerator:
-- name: staging-atlantis-env
-  envs:
-  - default.env
-- name: staging-atlantis-barentswatch
-  envs:
-  - barentswatch-api.env
 patches:
   - target:
       group: apps
@@ -19,10 +12,13 @@ patches:
     path: deployment_patch.yaml
 resources:
   - ../base
+  - rbac.yaml
   - secrets.yaml
   - tracing.yaml
   - bindings.yaml
   - pubsub.yaml
   - statestore.yaml
   - subscriptions.yaml
-  - configuration.yaml
+  - configurations.yaml
+  - secretstore.yaml
+  - keyvault.yaml

values/atlantis/staging/pubsub.yaml

@@ -7,7 +7,7 @@ spec:
   type: pubsub.rabbitmq
   metadata:
   - name: hostname
-    value: staging
+    value: staging-rabbitmq.rabbitmq
   - name: username
     value: user
   - name: password
@@ -49,4 +49,4 @@ spec:
   - name: exchangeKind
     value: fanout
   - name: clientName
-    value: "{appID}"
+    value: "{appID}"

values/atlantis/staging/rbac.yaml

@@ -0,0 +1,39 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: staging-atlantis
+  namespace: staging
+rules:
+- apiGroups:
+  - ""
+  resourceNames:
+  - staging-atlantis-appsettings
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - watch
+- apiGroups:
+  - ""
+  resourceNames:
+  - azure-keyvault
+  - staging-redis
+  resources:
+  - secrets
+  verbs:
+  - get
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: staging-atlantis
+  namespace: staging
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: staging-atlantis
+subjects:
+- kind: ServiceAccount
+  name: staging-atlantis
+  namespace: staging

values/atlantis/staging/secrets.yaml

@@ -3,6 +3,15 @@ kind: Secret
 metadata:
   annotations:
     kyverno/clone: "true"
-  name: staging-rabbitmq
+  name: staging-atlantis-env
+type: Opaque
+data:
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  annotations:
+    kyverno/clone: "true"
+  name: azure-keyvault
 type: Opaque
 data:

values/atlantis/staging/secretstore.yaml

@@ -0,0 +1,10 @@
+apiVersion: dapr.io/v1alpha1
+kind: Component
+metadata:
+  name: secretstore
+spec:
+  type: secretstores.kubernetes
+  version: v1
+  metadata:
+   - name: defaultNamespace
+     value: staging-atlantis

values/atlantis/staging/statestore.yaml

@@ -7,12 +7,12 @@ spec:
   version: v1
   metadata:
   - name: redisHost
-    value: <x>-redis-master:6379
+    value: staging-redis-master:6379
   - name: redisUsername
     value: default
   - name: redisPassword
     secretKeyRef:
-      name: <x>-redis
+      name: staging-redis
       key:  redis-password
   - name: actorStateStore
     value: "true"

values/atlantis/staging/tracing.yaml

@@ -5,5 +5,7 @@ metadata:
 spec:
   tracing:
     samplingRate: "1"
-    zipkin:
-      endpointAddress: "http://opentelemetry-collector.otel:9411/api/v2/spans"
+    otel:
+      endpointAddress: "opentelemetry-collector.otel.svc.cluster.local:4317"
+      protocol: grpc
+      isSecure: false

values/atlantis/values-prod.yaml

@@ -1,7 +1,33 @@
 replicaCount: 2
 
-podAnnotations:
-  dapr.io/app-id: "prod-atlantis"
+env:
+  - name: APP_NAMESPACE
+    value: prod-atlantis
+  - name: APP_VERSION
+    value: "2.87.0"
+  - name: LOG_LEVEL
+    value: "3"
+  - name: REDIS_USER
+    value: default
+  - name: REDIS_PASSWORD
+    valueFrom:
+      secretKeyRef:
+        name: prod-redis
+        key: redis-password
+  - name: DB_HOST
+    value: prod-atlantis-db-rw
+  - name: DB_PORT
+    value: "5432"
+  - name: DB_USER
+    valueFrom:
+      secretKeyRef:
+        name: prod-atlantis-db-superuser
+        key: username
+  - name: DB_PASSWORD
+    valueFrom:
+      secretKeyRef:
+        name: prod-atlantis-db-superuser
+        key: password
 
 ingress:
   annotations:
@@ -22,27 +48,6 @@ ingress:
        - maps.oceanbox.io
       secretName: atlantis-tls
 
-env:
-  - name: REDIS_USER
-    value: default
-  - name: REDIS_PASSWORD
-    valueFrom:
-      secretKeyRef:
-        name: prod-redis
-        key: redis-password
-  - name: BARENTSWATCH_CLIENT_ID
-    valueFrom:
-      secretKeyRef:
-        name: prod-atlantis-barentswatch
-        key: secret
-        optional: true
-  - name: BARENTSWATCH_SECRET
-    valueFrom:
-      secretKeyRef:
-        name: prod-atlantis-barentswatch
-        key: client-id
-        optional: true
-
 resources:
   limits:
     cpu: 250m

values/atlantis/values-staging.yaml

@@ -1,11 +1,37 @@
 replicaCount: 2
 
-podAnnotations:
-  dapr.io/app-id: "staging-atlantis"
-
 image:
   tag: 7f3512e0-debug
 
+env:
+  - name: APP_NAMESPACE
+    value: staging-atlantis
+  - name: APP_VERSION
+    value: "2.87.0"
+  - name: LOG_LEVEL
+    value: "3"
+  - name: REDIS_USER
+    value: default
+  - name: REDIS_PASSWORD
+    valueFrom:
+      secretKeyRef:
+        name: staging-redis
+        key: redis-password
+  - name: DB_HOST
+    value: staging-atlantis-db-rw
+  - name: DB_PORT
+    value: "5432"
+  - name: DB_USER
+    valueFrom:
+      secretKeyRef:
+        name: staging-atlantis-db-superuser
+        key: username
+  - name: DB_PASSWORD
+    valueFrom:
+      secretKeyRef:
+        name: staging-atlantis-db-superuser
+        key: password
+
 ingress:
   annotations:
     cert-manager.io/cluster-issuer: letsencrypt-production
@@ -35,27 +61,6 @@ ingress:
         - beta.oceanbox.io
       secretName: staging-atlantis-tls
 
-env:
-  - name: REDIS_USER
-    value: default
-  - name: REDIS_PASSWORD
-    valueFrom:
-      secretKeyRef:
-        name: staging-redis
-        key: redis-password
-  - name: BARENTSWATCH_CLIENT_ID
-    valueFrom:
-      secretKeyRef:
-        name: staging-atlantis-barentswatch
-        key: secret
-        optional: true
-  - name: BARENTSWATCH_SECRET
-    valueFrom:
-      secretKeyRef:
-        name: staging-atlantis-barentswatch
-        key: client-id
-        optional: true
-
 resources:
   limits:
     cpu: 250m