From 83a025cdcfb45e8743fc231fbeeb8b34943f2ece Mon Sep 17 00:00:00 2001
From: Jonas Juselius
Date: Thu, 19 Dec 2024 16:39:16 +0100
Subject: [PATCH 1/6] fix: fix yet another typo
---
values/atlantis/values-staging.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/values/atlantis/values-staging.yaml b/values/atlantis/values-staging.yaml
index 5ae4f446..f2583bf8 100644
--- a/values/atlantis/values-staging.yaml
+++ b/values/atlantis/values-staging.yaml
@@ -65,7 +65,7 @@ ingress:
- path: /job
pathType: ImplementationSpecific
- path: /events
- pathType: Implementationspecific
+ pathType: ImplementationSpecific
- path: /metrics
pathType: ImplementationSpecific
- host: atlas.oceanbox.io
From 903fbdbaa87ed0326122af60ef5e603e282fd926 Mon Sep 17 00:00:00 2001
From: Jonas Juselius
Date: Thu, 19 Dec 2024 17:44:12 +0100
Subject: [PATCH 2/6] fix: update openfga values
---
values/openfga/values-prod.yaml | 42 ++++++++++++++++----
values/openfga/values-staging.yaml | 61 +++++++++++++++++++++++++++---
2 files changed, 89 insertions(+), 14 deletions(-)
diff --git a/values/openfga/values-prod.yaml b/values/openfga/values-prod.yaml
index 12aa9583..ef260f43 100644
--- a/values/openfga/values-prod.yaml
+++ b/values/openfga/values-prod.yaml
@@ -3,16 +3,28 @@ replicaCount: 2
datastore:
engine: postgres
uriSecret: prod-openfga-postgresql
+ migrationType: initContainer
postgresql:
- enabled: true
- auth:
- existingSecret: prod-openfga-postgresql
- secretKeys:
- userPasswordKey: postgres-password
+ enabled: false
+
+playground:
+ enabled: false
+
+telemetry:
+ metrics:
+ enabled: true
+ serviceMonitor:
+ enabled: true
+ enableRPCHistograms: true
+ trace:
+ enabled: true
+ otlp:
+ endpoint: opentelemetry-collector.otel.svc.cluster.local:4317
+ sampleRatio: 0.1
ingress:
- enabled: true
+ enabled: false
className: nginx
annotations:
cert-manager.io/cluster-issuer: letsencrypt-staging
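Review bot: `telemetry.trace.otlp.endpoint` sends OpenFGA's traces to `opentelemetry-collector.otel.svc.cluster.local:4317` with no TLS setting next to it, so the gRPC exporter presumably runs in plaintext (the chart has a `telemetry.trace.otlp.tls.enabled` toggle in recent versions — confirm for 0.2.19). OpenFGA spans carry store and model identifiers and, depending on version, request attributes of each check, which is authorization data and should not cross the cluster network in the clear unless that network is deliberately trusted. Either enable TLS towards the collector (`tls:` / `enabled: true` under `otlp:`) or record the decision with a comment such as `# plaintext OTLP: collector is in-cluster only, no egress`. Also worth a comment that `sampleRatio: 0.1` makes traces a diagnostic aid, not an audit trail, since 90% of checks are never recorded.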
@@ -24,8 +36,22 @@ ingress:
- path: /
pathType: ImplementationSpecific
tls:
- - secretName: staging-openfga-tls
+ - secretName: prod-openfga-tls
hosts:
- openfga.srv.oceanbox.io
-
+extraObjects:
+ - apiVersion: postgresql.cnpg.io/v1
+ kind: Cluster
+ metadata:
+ name: prod-openfga
+ namespace: openfga
+ spec:
+ instances: 1
+ # imageName: ghcr.io/cloudnative-pg/postgres:15-3.3
+ storage:
+ resizeInUseVolumes: true
+ size: 10Gi
+ backup:
+ retentionPolicy: 60d
+ target: prefer-standby
diff --git a/values/openfga/values-staging.yaml b/values/openfga/values-staging.yaml
index d506c3a3..feed5475 100644
--- a/values/openfga/values-staging.yaml
+++ b/values/openfga/values-staging.yaml
@@ -3,16 +3,28 @@ replicaCount: 1
datastore:
engine: postgres
uriSecret: staging-openfga-postgresql
+ migrationType: initContainer
postgresql:
- enabled: true
- auth:
- existingSecret: staging-openfga-postgresql
- secretKeys:
- userPasswordKey: postgres-password
+ enabled: false
+
+playground:
+ enabled: false
+
+telemetry:
+ metrics:
+ enabled: true
+ serviceMonitor:
+ enabled: true
+ enableRPCHistograms: true
+ trace:
+ enabled: true
+ otlp:
+ endpoint: opentelemetry-collector.otel.svc.cluster.local:4317
+ sampleRatio: 0.1
ingress:
- enabled: true
+ enabled: false
className: nginx
annotations:
cert-manager.io/cluster-issuer: letsencrypt-staging
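Review bot: The `prod-openfga` `Cluster` under `extraObjects` is the production database, but it is rendered by the Helm release and the Application that consumes these values (later in this series) syncs with `automated.prune: true`, so any sync in which the object drops out of the rendered output — a values typo, a chart-version mismatch — deletes the CR, and with it the instance and, under CNPG's default owner references, its PVCs. Add `annotations: argocd.argoproj.io/sync-options: Prune=false` under the Cluster's `metadata:` so a bad sync cannot take the database with it. Two smaller points on the same object: `backup.retentionPolicy: 60d` has nothing to act on without a `barmanObjectStore` (or backup plugin) destination in the `backup:` block, so as written no backups are taken — confirm against whatever operator-level defaults are in use; and `instances: 1` makes `target: prefer-standby` a no-op and leaves prod without failover, so either raise it to 2 or add a comment documenting why single-instance is acceptable here.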
@@ -27,3 +39,40 @@ ingress:
- secretName: staging-openfga-tls
hosts:
- openfga.dev.oceanbox.io
+
+extraObjects:
+ - apiVersion: postgresql.cnpg.io/v1
+ kind: Cluster
+ metadata:
+ name: staging-openfga
+ namespace: openfga
+ spec:
+ instances: 1
+ # imageName: ghcr.io/cloudnative-pg/postgres:15-3.3
+ storage:
+ resizeInUseVolumes: true
+ size: 10Gi
+ backup:
+ retentionPolicy: 60d
+ target: prefer-standby
+ bootstrap:
+ pg_basebackup:
+ database: ""
+ owner: ""
+ source: openfga
+ enableSuperuserAccess: true
+ externalClusters:
+ - name: openfga
+ connectionParameters:
+ host: prod-openfga-rw.openfga.svc.cluster.local
+ sslmode: verify-full
+ user: streaming_replica
+ sslCert:
+ key: tls.crt
+ name: prod-openfga-replication
+ sslKey:
+ key: tls.key
+ name: prodopenfga-replication
+ sslRootCert:
+ key: ca.crt
+ name: prod-openfga-ca
From c31bf79671fbb7a3f75dccc95ff5080de3801b95 Mon Sep 17 00:00:00 2001
From: Jonas Juselius
Date: Thu, 19 Dec 2024 18:52:23 +0100
Subject: [PATCH 3/6] fix: update openfga
---
apps/openfga.yaml | 43 +++++++++++++++++++++++++++++++++++++++++--
values/openfga/postgres-secret.yaml | 17 ++++++------
values/openfga/values-staging.yaml | 2 +-
values/openfga/values.yaml | 8 ------
4 files changed, 50 insertions(+), 20 deletions(-)
delete mode 100644 values/openfga/values.yaml
diff --git a/apps/openfga.yaml b/apps/openfga.yaml
index 179c9674..bb2272b4 100644
--- a/apps/openfga.yaml
+++ b/apps/openfga.yaml
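Review bot: `bootstrap.pg_basebackup.source: openfga` pointed at `prod-openfga-rw` seeds the staging database with a full physical copy of the production OpenFGA store, so every production relationship tuple and authorization model lands in an environment that is served on `openfga.dev.oceanbox.io`, runs a single instance, and is created with `enableSuperuserAccess: true`. Unless the tuples are considered non-sensitive, that is a production-data disclosure path into staging; if a realistic dataset is needed, load a scrubbed logical dump instead, and drop `enableSuperuserAccess: true`, which the clone does not require (CNPG manages the replication identity on its own). This is also a one-off copy at bootstrap rather than a standing replica — there is no `replica:` stanza — so staging diverges from prod from first start; say so above `bootstrap:` with `# one-time clone from prod at bootstrap; not a streaming replica`. Finally, both clusters share the `openfga` namespace, so the prod replication certificate and CA secrets referenced here are readable by anything with secret access in that namespace, including the staging workload; a separate `openfga-staging` namespace would let RBAC keep the two apart.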
@@ -1,5 +1,45 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
+metadata:
+ name: prod-openfga
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ destination:
+ namespace: openfga
+ server: https://kubernetes.default.svc
+ project: aux
+ # ignoreDifferences:
+ # - group: apps
+ # kind: StatefulSet
+ # jsonPointers:
+ # - /spec/persistentVolumeClaimRetentionPolicy
+ syncPolicy:
+ managedNamespaceMetadata:
+ labels:
+ component: aux
+ syncOptions:
+ - CreateNamespace=true
+ - ApplyOutOfSyncOnly=true
+ automated:
+ prune: true
+ selfHeal: true
+ sources:
+ - repoURL: https://openfga.github.io/helm-charts
+ targetRevision: 0.2.19
+ chart: openfga
+ helm:
+ valueFiles:
+ - $values/values/openfga/values-prod.yaml
+ - repoURL: https://gitlab.com/oceanbox/manifests.git
+ targetRevision: nixidy
+ ref: values
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
metadata:
name: staging-openfga
namespace: argocd
@@ -33,8 +73,7 @@ spec:
chart: openfga
helm:
valueFiles:
- - $values/values/openfga/values.yaml
- $values/values/openfga/values-staging.yaml
- repoURL: https://gitlab.com/oceanbox/manifests.git
- targetRevision: main
+ targetRevision: nixidy
ref: values
diff --git a/values/openfga/postgres-secret.yaml b/values/openfga/postgres-secret.yaml
index 6596684d..8a6d2734 100644
--- a/values/openfga/postgres-secret.yaml
+++ b/values/openfga/postgres-secret.yaml
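Review bot: The new `prod-openfga` Application tracks `targetRevision: nixidy` on the manifests repo with `automated.prune: true` and `selfHeal: true`, so whatever is pushed to that branch is applied to production immediately, deletions included — and the second hunk in this file moves staging from `main` to the same branch. If `nixidy` is a working branch (the name suggests so — confirm), production should keep pointing at `main` or a protected release branch and the branch switch should be confined to staging; at minimum leave `# TODO: revert to main once the nixidy migration lands` next to the prod `targetRevision` so it is not forgotten. The Helm chart itself is pinned to `0.2.19`, which is good; consider pinning the manifests source to a tag or commit in the same spirit once the branch work is done.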
@@ -1,20 +1,19 @@
apiVersion: v1
stringData:
- postgres-password: tidings-guise-sternness-yummy
- uri: postgres://postgres:tidings-guise-sternness-yummy@staging-openfga-postgresql.idp.svc.cluster.local:5432/postgres?sslmode=disable
+ postgres-password: blT6zzv37KyFvzb1Ct3bhfAwPxhTG2fBO1EiIASQWI4wnEOB8AOWvmVa2sogGexr
+ uri: postgres://postgres:blT6zzv37KyFvzb1Ct3bhfAwPxhTG2fBO1EiIASQWI4wnEOB8AOWvmVa2sogGexr@prod-openfga-rw.openfga.svc.cluster.local:5432/postgres?sslmode=disable
kind: Secret
metadata:
- name: staging-openfga-postgresql
- namespace: idp
+ name: prod-openfga-postgresql
+ namespace: openfga
type: Opaque
---
apiVersion: v1
stringData:
- postgres-password: unaltered-astute-raven-sitter
- uri: postgres://postgres:unaltered-astute-raven-sitter@prod-openfga-postgresql.idp.svc.cluster.local:5432/postgres?sslmode=disable
+ postgres-password: tidings-guise-sternness-yummy
+ uri: postgres://postgres:tidings-guise-sternness-yummy@staging-openfga-rw.openfga.svc.cluster.local:5432/postgres?sslmode=disable
kind: Secret
metadata:
- name: prod-openfga-postgresql
- namespace: idp
+ name: staging-openfga-postgresql
+ namespace: openfga
type: Opaque
-
diff --git a/values/openfga/values-staging.yaml b/values/openfga/values-staging.yaml
index feed5475..09c94b3e 100644
--- a/values/openfga/values-staging.yaml
+++ b/values/openfga/values-staging.yaml
@@ -72,7 +72,7 @@ extraObjects:
name: prod-openfga-replication
sslKey:
key: tls.key
- name: prodopenfga-replication
+ name: prod-openfga-replication
sslRootCert:
key: ca.crt
name: prod-openfga-ca
diff --git a/values/openfga/values.yaml b/values/openfga/values.yaml
deleted file mode 100644
index 8255d381..00000000
--- a/values/openfga/values.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-# fullnameOverride: openfga
-
-playground:
- enabled: false
- port: 3000
-
-
-
From 219bc474659160925924feddfbe14d40d1dd5f24 Mon Sep 17 00:00:00 2001
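Review bot: `postgres-secret.yaml` commits the production database superuser credential in plaintext — once as `stringData.postgres-password` and again embedded in `uri` — so anyone with read access to the manifests repo, or to its history where the earlier `tidings-…` and `unaltered-…` values remain, holds the prod OpenFGA store. Keep Secrets out of the repo: CNPG's default `initdb` bootstrap already generates a `prod-openfga-app` Secret (and `prod-openfga-superuser` when superuser access is enabled) for the Cluster defined in the values, so `datastore.uriSecret` can be built from that via an ExternalSecret/SealedSecret-style mechanism instead of a hand-written file, and OpenFGA should connect as the non-superuser `app` role rather than `postgres`. Independently of where the secret lives, the URI ends in `?sslmode=disable` although the CNPG server serves TLS and the replication side of this same series insists on `verify-full`; change it to `?sslmode=require` at minimum, or `?sslmode=verify-full&sslrootcert=…` with the `prod-openfga-ca` secret mounted, so the password is not sent in clear inside the cluster. Rotating the value while it stays committed only moves the problem, so a comment like `# TODO: replace with operator-generated secret; never commit DB credentials` is warranted until that lands.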
From: Jonas Juselius
Date: Thu, 19 Dec 2024 18:56:06 +0100
Subject: [PATCH 4/6] fix: update openfga
---
values/openfga/values-staging.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/values/openfga/values-staging.yaml b/values/openfga/values-staging.yaml
index 09c94b3e..f3492340 100644
--- a/values/openfga/values-staging.yaml
+++ b/values/openfga/values-staging.yaml
@@ -64,7 +64,7 @@ extraObjects:
externalClusters:
- name: openfga
connectionParameters:
- host: prod-openfga-rw.openfga.svc.cluster.local
+ host: prod-openfga-rw.openfga
sslmode: verify-full
user: streaming_replica
sslCert:
From 675e3299a1838a06d3aa8b882ae3a712ddb0fec2 Mon Sep 17 00:00:00 2001
From: Jonas Juselius
Date: Thu, 19 Dec 2024 19:26:27 +0100
Subject: [PATCH 5/6] fix: update openfga
---
apps/prod-openfga.yaml | 39 ++++++++++++++++++++
apps/{openfga.yaml => staging-openfga.yaml} | 40 ---------------------
values/openfga/postgres-secret.yaml | 4 +--
values/openfga/values-prod.yaml | 2 +-
values/openfga/values-staging.yaml | 2 +-
5 files changed, 43 insertions(+), 44 deletions(-)
create mode 100644 apps/prod-openfga.yaml
rename apps/{openfga.yaml => staging-openfga.yaml} (50%)
diff --git a/apps/prod-openfga.yaml b/apps/prod-openfga.yaml
new file mode 100644
index 00000000..77a2c594
--- /dev/null
+++ b/apps/prod-openfga.yaml
@@ -0,0 +1,39 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: prod-openfga
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ destination:
+ namespace: openfga
+ server: https://kubernetes.default.svc
+ project: aux
+ # ignoreDifferences:
+ # - group: apps
+ # kind: StatefulSet
+ # jsonPointers:
+ # - /spec/persistentVolumeClaimRetentionPolicy
+ syncPolicy:
+ managedNamespaceMetadata:
+ labels:
+ component: aux
+ syncOptions:
+ - CreateNamespace=true
+ - ApplyOutOfSyncOnly=true
+ automated:
+ prune: true
+ selfHeal: true
+ sources:
+ - repoURL: https://openfga.github.io/helm-charts
+ targetRevision: 0.2.19
+ chart: openfga
+ helm:
+ valueFiles:
+ - $values/values/openfga/values-prod.yaml
+ - repoURL: https://gitlab.com/oceanbox/manifests.git
+ targetRevision: nixidy
+ ref: values
diff --git a/apps/openfga.yaml b/apps/staging-openfga.yaml
similarity index 50%
rename from apps/openfga.yaml
rename to apps/staging-openfga.yaml
index bb2272b4..76dcd99e 100644
--- a/apps/openfga.yaml
+++ b/apps/staging-openfga.yaml
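Review bot: `argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true` is placed on the Application's own `metadata.annotations`, where it governs how this Application object is synced by a parent app-of-apps, not how the resources it manages are synced — so it most likely does not achieve what it is presumably there for, letting the CNPG `Cluster` in `extraObjects` apply before its CRD exists (confirm against the Argo CD version in use). The per-resource form belongs on the `Cluster` object in `values-prod.yaml`, which also keeps the relaxed validation scoped to the one kind that needs it instead of every missing kind; a misspelled `kind:` in `extraObjects` should still be rejected by the dry run. Document the ordering dependency at the same time, e.g. `# requires the CNPG operator to be installed before first sync`. With `automated.prune: true` on a production app, that same `Cluster` object is also the place for `Prune=false` so a sync can never delete the prod database.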
@@ -1,45 +1,5 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
-metadata:
- name: prod-openfga
- namespace: argocd
- annotations:
- argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
- finalizers:
- - resources-finalizer.argocd.argoproj.io
-spec:
- destination:
- namespace: openfga
- server: https://kubernetes.default.svc
- project: aux
- # ignoreDifferences:
- # - group: apps
- # kind: StatefulSet
- # jsonPointers:
- # - /spec/persistentVolumeClaimRetentionPolicy
- syncPolicy:
- managedNamespaceMetadata:
- labels:
- component: aux
- syncOptions:
- - CreateNamespace=true
- - ApplyOutOfSyncOnly=true
- automated:
- prune: true
- selfHeal: true
- sources:
- - repoURL: https://openfga.github.io/helm-charts
- targetRevision: 0.2.19
- chart: openfga
- helm:
- valueFiles:
- - $values/values/openfga/values-prod.yaml
- - repoURL: https://gitlab.com/oceanbox/manifests.git
- targetRevision: nixidy
- ref: values
----
-apiVersion: argoproj.io/v1alpha1
-kind: Application
metadata:
name: staging-openfga
namespace: argocd
diff --git a/values/openfga/postgres-secret.yaml b/values/openfga/postgres-secret.yaml
index 8a6d2734..0a0ad2f7 100644
--- a/values/openfga/postgres-secret.yaml
+++ b/values/openfga/postgres-secret.yaml
@@ -10,8 +10,8 @@ type: Opaque
---
apiVersion: v1
stringData:
- postgres-password: tidings-guise-sternness-yummy
- uri: postgres://postgres:tidings-guise-sternness-yummy@staging-openfga-rw.openfga.svc.cluster.local:5432/postgres?sslmode=disable
+ postgres-password: iAnMHs3eEuQM0D4jeAP1dwEoLWUBSwNXwhBuPDOgmfoeZ58iV0zogQ77U3GNUbwa
+ uri: postgres://postgres:iAnMHs3eEuQM0D4jeAP1dwEoLWUBSwNXwhBuPDOgmfoeZ58iV0zogQ77U3GNUbwa@staging-openfga-rw.openfga.svc.cluster.local:5432/postgres?sslmode=disable
kind: Secret
metadata:
name: staging-openfga-postgresql
diff --git a/values/openfga/values-prod.yaml b/values/openfga/values-prod.yaml
index 3b4e1e68..4f2c4d9c 100644
--- a/values/openfga/values-prod.yaml
+++ b/values/openfga/values-prod.yaml
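Review bot: The rotated staging password is still committed in plaintext, and the value it replaces (`tidings-guise-sternness-yummy`) stays recoverable from git history — it was also the *prod* credential two patches earlier — so this rotation only helps if the old value is actually invalidated on the server and the repo is treated as if it were public. Since CNPG owns `staging-openfga`, the durable fix is to let the operator generate the password and have `datastore.uriSecret` consume its `staging-openfga-app` Secret (via an ExternalSecret/SealedSecret-style bridge) rather than maintain one by hand; add `# TODO: replace with operator-generated secret` until then. The `uri` also still carries `?sslmode=disable`; `sslmode=require` is the floor for a credential that travels over the cluster network.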
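Review bot: Flipping `ingress.enabled` to `true` publishes the OpenFGA HTTP API on `openfga.srv.oceanbox.io`, and nothing in these values configures `authn` — no `authn.method: preshared` keys and no OIDC issuer — so every client that reaches the ingress can read and write the store, with the source-range annotation on the context lines as the only gate. Unless authentication is configured outside these values (confirm), set `authn.method: oidc` with the cluster's issuer and audience, or at least `authn.method: preshared` with keys sourced from a Secret, before the host goes live, and state which one is intended in a comment above `ingress:`. Note the enclosing `ingress:` mapping continues past the hunk (hosts, TLS), so the whitelist and TLS settings are not visible here.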
@@ -24,7 +24,7 @@ telemetry:
sampleRatio: 0.1
ingress:
- enabled: false
+ enabled: true
className: nginx
annotations:
cert-manager.io/cluster-issuer: letsencrypt-staging
diff --git a/values/openfga/values-staging.yaml b/values/openfga/values-staging.yaml
index f3492340..690ba934 100644
--- a/values/openfga/values-staging.yaml
+++ b/values/openfga/values-staging.yaml
@@ -24,7 +24,7 @@ telemetry:
sampleRatio: 0.1
ingress:
- enabled: false
+ enabled: true
className: nginx
annotations:
cert-manager.io/cluster-issuer: letsencrypt-staging
From d69830cc47ccf0cb41c7ab79a20b79fffca65d1c Mon Sep 17 00:00:00 2001
From: Jonas Juselius
Date: Fri, 20 Dec 2024 06:21:29 +0100
Subject: [PATCH 6/6] fix: fix openfga ingress (use production certs)
---
values/openfga/values-prod.yaml | 2 +-
values/openfga/values-staging.yaml | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/values/openfga/values-prod.yaml b/values/openfga/values-prod.yaml
index 3b4e1e68..4f2c4d9c 100644
--- a/values/openfga/values-prod.yaml
+++ b/values/openfga/values-prod.yaml
@@ -27,7 +27,7 @@ ingress:
enabled: true
className: nginx
annotations:
- cert-manager.io/cluster-issuer: letsencrypt-staging
+ cert-manager.io/cluster-issuer: letsencrypt-production
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
hosts:
diff --git a/values/openfga/values-staging.yaml b/values/openfga/values-staging.yaml
index 690ba934..cfaf4b47 100644
--- a/values/openfga/values-staging.yaml
+++ b/values/openfga/values-staging.yaml
@@ -27,7 +27,7 @@ ingress:
enabled: true
className: nginx
annotations:
- cert-manager.io/cluster-issuer: letsencrypt-staging
+ cert-manager.io/cluster-issuer: letsencrypt-production
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
hosts:
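Review bot: `nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16` on the context line is the only access control on this host now that it carries a production certificate, and it admits every RFC1918 address — every pod, node, VPN and office client — so it means "not from the public internet" rather than "only OpenFGA's clients"; it is also only meaningful if ingress-nginx sees the real client address (`use-forwarded-headers` or proxy protocol on the controller, `externalTrafficPolicy: Local` on the load balancer), otherwise the observed source is the load balancer's own private IP and the range matches everything (confirm how the controller is deployed). Narrow it to the CIDRs of the callers that actually need the API, and record the intent next to the annotation, e.g. `# allowlist: office VPN + app subnets only; in-cluster clients use the Service, not the ingress`. The same annotation is copied verbatim to staging, so both environments share one exposure policy; if staging is meant to be reachable more widely (or less), that should differ here. The `ingress:` mapping continues past the hunk (`hosts:`), so the hostnames themselves are not visible in this view.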