Merge branch 'main' of gitlab.com:oceanbox/manifests

2025-11-13 09:13:26 +01:00
parent a83c8d1a5c ae93d09ecc
commit d8c4cd045c
59 changed files with 549 additions and 275 deletions
@@ -1,14 +1,9 @@
 #!/usr/bin/env bash
 # the shebang is ignored, but nice for editors
-watch_file lon.lock
+watch_file nix/sources.json

 # Load .env file if it exists
 dotenv_if_exists

 # Activate development shell
-if type -P lorri &>/dev/null; then
-  eval "$(lorri direnv)"
-else
-  echo 'while direnv evaluated .envrc, could not find the command "lorri" [https://github.com/nix-community/lorri]'
-  use nix
-fi
+use nix
@@ -4,7 +4,7 @@ description: Atlantis map and simulation service
 type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
-version: v1.27.0
+version: v1.30.1
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application.
-appVersion: v1.27.0
+appVersion: v1.30.1
@@ -1,45 +1,54 @@
 {{- if .Values.redis.enabled -}}
-apiVersion: redis.redis.opstreelabs.in/v1beta2
-kind: Redis
+apiVersion: dragonflydb.io/v1alpha1
+kind: Dragonfly
 metadata:
  name: {{ include "Atlantis.fullname" . }}-redis
  namespace: {{ .Release.Namespace }}
  annotations:
    linkerd.io/inject: disabled
  labels:
+    app.kubernetes.io/created-by: dragonfly-operator
+    app.kubernetes.io/instance: dragonfly
    {{- include "Atlantis.labels" . | nindent 4 }}
 spec:
-  kubernetesConfig:
-    image: quay.io/opstree/redis:v7.2.6
-    imagePullPolicy: IfNotPresent
-    resources:
-      requests:
-        cpu: 101m
-        memory: 128Mi
-      limits:
-        memory: 256Mi
-    redisSecret:
+  args:
+    - --maxmemory=$(MAX_MEMORY)Mi # Graceful memory management (90% of limit)
+    - --proactor_threads=1 # Auto-detect CPU cores (optimal threading)
+    - --cluster_mode=emulated
+  env:
+    - name: MAX_MEMORY
+      valueFrom:
+        resourceFieldRef:
+          resource: limits.memory
+          divisor: 1Mi
+  replicas: {{ .Values.redis.replicas | default "1" }}
+  resources:
+    requests:
+      cpu: 150m
+    limits:
+      memory: 256Mi
+  authentication:
+    passwordFromSecret:
      name: {{ .Values.redis.secret.name | quote }}
      key: {{ .Values.redis.secret.key | quote }}
-  serviceMonitor:
+  metrics:
    enabled: {{ .Values.redis.metrics.enabled | default false }}
-  redisExporter:
-    enabled: {{ .Values.redis.exporterEnabled | default false }}
-    image: quay.io/opstree/redis-exporter:v1.44.0
-    imagePullPolicy: Always
-    resources:
-      requests:
-        cpu: 100m
-        memory: 128Mi
-      limits:
-        memory: 256Mi
+    port: 6379
  storage:
-    volumeClaimTemplate:
-      spec:
-        accessModes: ["ReadWriteOnce"]
-        resources:
-          requests:
-            storage: {{ .Values.cluster.size | default "1Gi" }}
+    requests:
+      storage: {{ .Values.redis.size | default "1Gi" }}
+  {{- if .Values.redis.backup.enabled }}
+  snapshot:
+    dir: /data # Change to s3://redis/prod-atlantis-redis
+    cron: "0 3 * * *" # Default: every day at 03:00
+    enableOnMasterOnly: false
+    persistentVolumeClaimSpec:
+      accessModes:
+      - ReadWriteOnce
+      resources:
+        requests:
+          storage: {{ .Values.redis.size | default "1Gi" }}
+  {{- end }}
  podSecurityContext:
    runAsUser: 1000
    fsGroup: 1000
@@ -1,11 +1,10 @@
 # Default values for Atlantis.
 # This is a YAML-formatted file.
 # Declare variables to be passed into your templates.
-
 replicaCount: 1
 image:
  repository: registry.gitlab.com/oceanbox/poseidon/atlantis
-  tag: v1.27.0
+  tag: v1.30.1
  pullPolicy: IfNotPresent
 init:
  enabled: false
@@ -78,8 +77,9 @@ redis:
  instances: 1
  metrics:
    enabled: false
+  backup:
+    enabled: false
  size: 1Gi
-  exporterEnabled: false
 cluster:
  enabled: true
  instances: 1
@@ -0,0 +1,55 @@
+{{- if .Values.redis.enabled -}}
+apiVersion: dragonflydb.io/v1alpha1
+kind: Dragonfly
+metadata:
+  name: {{ include "Plume.fullname" . }}-redis
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    linkerd.io/inject: disabled
+  labels:
+    app.kubernetes.io/created-by: dragonfly-operator
+    app.kubernetes.io/instance: dragonfly
+    {{- include "Plume.labels" . | nindent 4 }}
+spec:
+  args:
+    - --maxmemory=$(MAX_MEMORY)Mi # Graceful memory management (90% of limit)
+    - --proactor_threads=1 # Auto-detect CPU cores (optimal threading)
+    - --cluster_mode=emulated
+  env:
+    - name: MAX_MEMORY
+      valueFrom:
+        resourceFieldRef:
+          resource: limits.memory
+          divisor: 1Mi
+  replicas: {{ .Values.redis.replicas | default "1" }}
+  resources:
+    requests:
+      cpu: 150m
+    limits:
+      memory: 256Mi
+  authentication:
+    passwordFromSecret:
+      name: {{ .Values.redis.secret.name | quote }}
+      key: {{ .Values.redis.secret.key | quote }}
+  metrics:
+    enabled: {{ .Values.redis.metrics.enabled | default false }}
+    port: 6379
+  storage:
+    requests:
+      storage: {{ .Values.redis.size | default "1Gi" }}
+  {{- if .Values.redis.backup.enabled }}
+  snapshot:
+    dir: /data # Change to s3://redis/prod-atlantis-redis
+    cron: "0 3 * * *" # Default: every day at 03:00
+    enableOnMasterOnly: false
+    persistentVolumeClaimSpec:
+      accessModes:
+      - ReadWriteOnce
+      resources:
+        requests:
+          storage: {{ .Values.redis.size | default "1Gi" }}
+  {{- end }}
+  podSecurityContext:
+    runAsUser: 1000
+    fsGroup: 1000
+{{- end}}
@@ -59,6 +59,14 @@ cluster:
  backupEnabled: true
  backupRetention: 60d
  size: 5Gi
+redis:
+  enabled: false
+  instances: 1
+  metrics:
+    enabled: false
+  backup:
+    enabled: false
+  size: 1Gi
 resources: {}
 # We usually recommend not to specify default resources and to leave this as a conscious
 # choice for the user. This also increases chances charts run on environments with little
@@ -4,7 +4,7 @@ description: A Helm chart for Kubernetes
 type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
-version: v1.27.0
+version: v1.30.1
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application.
-appVersion: v1.27.0
+appVersion: v1.30.1
@@ -1,46 +1,52 @@
 {{- if .Values.redis.enabled -}}
-apiVersion: redis.redis.opstreelabs.in/v1beta2
-kind: Redis
+apiVersion: dragonflydb.io/v1alpha1
+kind: Dragonfly
 metadata:
  name: {{ include "Sorcerer.fullname" . }}-redis
  namespace: {{ .Release.Namespace }}
  annotations:
    linkerd.io/inject: disabled
  labels:
+    app.kubernetes.io/created-by: dragonfly-operator
    {{- include "Sorcerer.labels" . | nindent 4 }}
 spec:
-  kubernetesConfig:
-    image: quay.io/opstree/redis:v7.2.6
-    imagePullPolicy: IfNotPresent
-    resources:
-      requests:
-        cpu: 101m
-        memory: 128Mi
-      limits:
-        memory: 256Mi
-    redisSecret:
+  args:
+    - --dbfilename=dump           # Static filename prevents disk exhaustion
+    - --maxmemory=$(MAX_MEMORY)Mi # Graceful memory management (90% of limit)
+    - --proactor_threads=1        # Auto-detect CPU cores (optimal threading)
+    - --cluster_mode=emulated
+    - --logtostderr
+    - --save_schedule=            # Disable continuous saves (cron snapshots only)
+  env:
+    - name: MAX_MEMORY
+      valueFrom:
+        resourceFieldRef:
+          resource: limits.memory
+          divisor: 1Mi
+  replicas: {{ .Values.redis.replicas | default "1" }}
+  resources:
+    requests:
+      cpu: {{ .Values.redis.resources.cpu | default "150m" }}
+      memory: {{ .Values.redis.resources.memory | default "256Mi"}}
+    limits:
+      memory: {{ .Values.redis.resources.memory | default "256Mi"}}
+  authentication:
+    passwordFromSecret:
      name: {{ .Values.redis.secret.name | quote }}
      key: {{ .Values.redis.secret.key | quote }}
-  serviceMonitor:
-    enabled: {{ .Values.redis.metrics.enabled | default false }}
-  redisExporter:
-    enabled: {{ .Values.redis.exporterEnabled | default false }}
-    image: quay.io/opstree/redis-exporter:v1.44.0
-    imagePullPolicy: Always
-    resources:
-      requests:
-        cpu: 100m
-        memory: 128Mi
-      limits:
-        memory: 256Mi
-  storage:
-    volumeClaimTemplate:
-      spec:
-        accessModes: ["ReadWriteOnce"]
-        resources:
-          requests:
-            storage: {{ .Values.cluster.size | default "1Gi" }}
-  podSecurityContext:
-    runAsUser: 1000
-    fsGroup: 1000
+  # metrics:
+  #   enabled: {{ .Values.redis.metrics.enabled | default false }}
+  #   port: 6379
+  {{- if .Values.redis.backup.enabled }}
+  snapshot:
+    dir: /data # Change to s3://redis/prod-atlantis-redis
+    cron: "0 3 * * *" # Default: every day at 03:00
+    enableOnMasterOnly: false
+    persistentVolumeClaimSpec:
+      accessModes:
+      - ReadWriteOnce
+      resources:
+        requests:
+          storage: {{ .Values.redis.size | default "1Gi" }}
+  {{- end }}
 {{- end}}
@@ -5,7 +5,7 @@
 replicaCount: 1
 image:
  repository: registry.gitlab.com/oceanbox/poseidon/sorcerer
-  tag: v1.27.0
+  tag: v1.30.1
  pullPolicy: IfNotPresent
 init:
  enabled: false
@@ -64,6 +64,7 @@ ingress:
    - hosts:
        - sorcerer.srv.oceanbox.io
      secretName: sorcerer-tls
+
 persistence:
  enabled: true
  existingClaim: oceanbox-archives
@@ -72,17 +73,20 @@ persistence:
  # accessMode: ReadWriteMany
 redis:
  enabled: false
+  instances: 1
  metrics:
    enabled: false
-  instances: 1
+  backup:
+    enabled: false
  size: 1Gi
-  exporterEnabled: false
+
 cluster:
  enabled: false
  instances: 2
  backupEnabled: true
  backupRetention: 60d
  size: 5Gi
+
 resources: {}
 # We usually recommend not to specify default resources and to leave this as a conscious
 # choice for the user. This also increases chances charts run on environments with little
@@ -0,0 +1,44 @@
+bases:
+ - ../envs/environments.yaml.gotmpl
+
+repositories:
+- name: dragonfly
+  oci: true
+  url: ghcr.io/dragonflydb/dragonfly-operator/helm
+
+commonLabels:
+  tier: system
+
+releases:
+- name: dragonfly
+  namespace: dragonfly
+  chart: dragonfly/dragonfly-operator
+  version: v1.3.0
+  condition: dragonfly.enabled
+  values:
+  - ../values/dragonfly/values/dragonfly.yaml.gotmpl
+  - ../values/dragonfly/values/dragonfly-{{ .Environment.Name }}.yaml.gotmpl
+  postRenderer: ../bin/kustomizer
+  postRendererArgs:
+  - ../values/dragonfly/kustomize/{{ .Environment.Name }}
+  missingFileHandler: Info
+- name: manifests
+  namespace: dragonfly
+  chart: manifests
+  condition: dragonfly.enabled
+  missingFileHandler: Info
+  values:
+  - ../values/env.yaml
+  - ../values/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml
+  - ../values/dragonfly/env.yaml.gotmpl
+  - ../values/dragonfly/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml.gotmpl
+  hooks:
+  - events: [ prepare, cleanup ]
+    showlogs: true
+    command: ../bin/helmify
+    args:
+    - '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
+    - '{{`{{ .Release.Chart }}`}}'
+    - '{{`{{ .Environment.Name }}`}}'
+    - ../values/dragonfly/manifests
+    - manifests
@@ -10,7 +10,11 @@ commonLabels:

 releases:
 - name: {{ .Environment.Name }}-openfga
+  {{- if eq .Environment.Name "prod" }}
  namespace: openfga
+  {{- else }}
+  namespace: {{ .Environment.Name }}-openfga
+  {{- end }}
  chart: openfga/openfga
  version: 0.2.45
  condition: openfga.enabled
@@ -22,7 +26,11 @@ releases:
  - ../values/openfga/kustomize/{{ .Environment.Name }}
  missingFileHandler: Info
 - name: manifests
+  {{- if eq .Environment.Name "prod" }}
  namespace: openfga
+  {{- else }}
+  namespace: {{ .Environment.Name }}-openfga
+  {{- end }}
  chart: manifests
  condition: openfga.enabled
  missingFileHandler: Info
@@ -1,43 +0,0 @@
-bases:
- - ../envs/environments.yaml.gotmpl
-
-repositories:
- name: redis-operator
-  url: 'https://ot-container-kit.github.io/helm-charts'
-
-commonLabels:
-  tier: system
-
-releases:
- name: redis-operator
-  namespace: redis-operator
-  chart: redis-operator/redis-operator
-  version: 0.22.1
-  condition: redis_operator.enabled
-  values:
-  - ../values/redis-operator/values/redis-operator.yaml.gotmpl
-  - ../values/redis-operator/values/redis-operator-{{ .Environment.Name }}.yaml.gotmpl
-  postRenderer: ../bin/kustomizer
-  postRendererArgs:
-  - ../values/redis-operator/kustomize/{{ .Environment.Name }}
-  missingFileHandler: Info
- name: manifests
-  namespace: redis-operator
-  chart: manifests
-  condition: redis_operator.enabled
-  missingFileHandler: Info
-  values:
-  - ../values/env.yaml
-  - ../values/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml
-  - ../values/redis-operator/env.yaml.gotmpl
-  - ../values/redis-operator/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml.gotmpl
-  hooks:
-  - events: [ prepare, cleanup ]
-    showlogs: true
-    command: ../bin/helmify
-    args:
-    - '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
-    - '{{`{{ .Release.Chart }}`}}'
-    - '{{`{{ .Environment.Name }}`}}'
-    - ../values/redis-operator/manifests
-    - manifests
@@ -0,0 +1,44 @@
+bases:
+ - ../envs/environments.yaml.gotmpl
+
+repositories:
+- name: spegel
+  oci: true
+  url: ghcr.io/spegel-org/helm-charts
+
+commonLabels:
+  tier: system
+
+releases:
+- name: spegel
+  namespace: spegel
+  chart: spegel/spegel
+  version: 0.5.1
+  condition: spegel.enabled
+  values:
+  - ../values/spegel/values/spegel.yaml.gotmpl
+  - ../values/spegel/values/spegel-{{ .Environment.Name }}.yaml.gotmpl
+  postRenderer: ../bin/kustomizer
+  postRendererArgs:
+  - ../values/spegel/kustomize/{{ .Environment.Name }}
+  missingFileHandler: Info
+- name: manifests
+  namespace: spegel
+  chart: manifests
+  condition: spegel.enabled
+  missingFileHandler: Info
+  values:
+  - ../values/env.yaml
+  - ../values/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml
+  - ../values/spegel/env.yaml.gotmpl
+  - ../values/spegel/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml.gotmpl
+  hooks:
+  - events: [ prepare, cleanup ]
+    showlogs: true
+    command: ../bin/helmify
+    args:
+    - '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
+    - '{{`{{ .Release.Chart }}`}}'
+    - '{{`{{ .Environment.Name }}`}}'
+    - ../values/spegel/manifests
+    - manifests
@@ -14,7 +14,7 @@ releases:
 - name: umami
  namespace: analytics
  chart: umami/umami
-  version: 5.0.11
+  version: 6.0.1
  condition: umami.enabled
  values:
  - ../values/umami/values/values.yaml
@@ -36,6 +36,6 @@ pkgs.mkShellNoCC {
    dapr-cli
  ];

-  ARGOCD_ENV_CLUSTER_NAME = "oceanbox";
+  ARGOCD_ENV_CLUSTER_NAME = "ekman";
  HELM_GIT_ACCESS_TOKEN = "glpat-xxx";
 }
@@ -5,7 +5,7 @@ argo:
  rollouts:
    enabled: false
  workflows:
-    enabled: true
+    enabled: false

 argocd:
  autosync: true
@@ -52,7 +52,7 @@ spec:
    server: https://kubernetes.default.svc
  - namespace: mariadb-operator
    server: https://kubernetes.default.svc
-  - namespace: redis-operator
+  - namespace: dragonfly
    server: https://kubernetes.default.svc
  - namespace: cilium-spire
    server: https://kubernetes.default.svc
@@ -62,6 +62,8 @@ spec:
    server: https://kubernetes.default.svc
  - namespace: openfga
    server: https://kubernetes.default.svc
+  - namespace: staging-openfga
+    server: https://kubernetes.default.svc
  - namespace: dapr-system
    server: https://kubernetes.default.svc
  - namespace: rook-ceph
@@ -80,6 +82,8 @@ spec:
    server: https://kubernetes.default.svc
  - namespace: slurm
    server: https://kubernetes.default.svc
+  - namespace: spegel
+    server: https://kubernetes.default.svc
  sourceRepos:
  - https://argoproj.github.io/argo-helm
  - https://kubernetes-sigs.github.io/metrics-server/
@@ -113,6 +117,8 @@ spec:
  - ghcr.io/slinkyproject/charts
  - ghcr.io/slinkyproject/charts/slurm-operator
  - ghcr.io/slinkyproject/charts/slurm-operator-crds
+  - ghcr.io/spegel-org/helm-charts
+  - ghcr.io/dragonflydb/dragonfly-operator/helm/dragonfly-operator
  - https://operator.mariadb.com/mariadb-enterprise-operator
  - https://operator.mariadb.com
  - https://ot-container-kit.github.io/helm-charts
@@ -43,7 +43,7 @@ configs:
      connectors:
      {{- with .Values.clusterConfig.oidc }}
      {{- range . }}
-      {{- if eq .provider "azuread" }}
+      {{- if eq .group "devel" }}
      - type: oidc
        id: {{ .name }}
        name: {{ .name }}
@@ -61,20 +61,6 @@ configs:
            - profile
            - email
            - groups
-      {{- else if eq .provider "github" }}
-      - type: github
-        id: {{ .name }}
-        name: {{ .name }}
-        config:
-          clientID: ${{ .name | replace "-" "_" }}_client_id
-          clientSecret: ${{ .name | replace "-" "_" }}_client_secret
-          redirectURI: https://argocd.{{ $.Values.clusterConfig.domain }}/api/dex/callback
-          orgs:
-          - name: {{ .allowed_organizations }}
-          loadAllGroups: true
-          teamNameField: slug
-          useLoginAsID: false
-      {{- end }}
      staticClients:
      - id: ${{ .name | replace "-" "_" }}_client_id
        name: Kubernetes
@@ -87,6 +73,7 @@ configs:
        secret: 8d52926efe879ee505391b75f4b046cf
      {{- end }}
      {{- end }}
+      {{- end }}
    admin.enabled: false
  rbac:
    # NOTE(kai): dd2aa2d6 ... is ID for azure kubernetes_operator group
@@ -150,6 +137,7 @@ dex:
  {{- with .Values.clusterConfig.oidc }}
  env:
  {{- range . }}
+  {{- if eq .group "devel" }}
  - name: {{ .name | replace "-" "_" }}_client_secret
    valueFrom:
      secretKeyRef:
@@ -162,6 +150,7 @@ dex:
        key: client_id
  {{- end }}
  {{- end }}
+  {{- end }}

 redis:
  metrics:
@@ -1,6 +1,6 @@
 replicaCount: 1
 image:
-  tag: e9c21c12-debug
+  tag: f8940c92-debug
 podAnnotations:
  dapr.io/app-id: "staging-atlantis"
 env:
@@ -0,0 +1,18 @@
+{{- if .Values.clusterConfig.cilium.enabled }}
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-remote-node-webhooks
+  namespace: cert-manager
+spec:
+  endpointSelector:
+    matchLabels: {}
+  ingress:
+  - fromEntities:
+    - kube-apiserver
+    - remote-node
+  - toPorts:
+    - ports:
+      - port: "8443"
+        protocol: TCP
+{{- end }}
@@ -1,3 +1,3 @@
-redis_operator:
+dragonfly:
  enabled: true
  autosync: false
@@ -1,3 +1,3 @@
-redis_operator:
+dragonfly:
  enabled: true
  autosync: false
@@ -1,3 +1,3 @@
-redis_operator:
+dragonfly:
  enabled: false
  autosync: false
@@ -2,11 +2,11 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: redis-operator
+  name: dragonfly
  namespace: argocd
 spec:
  destination:
-    namespace: redis-operator
+    namespace: dragonfly
    server: 'https://kubernetes.default.svc'
  sources:
  - repoURL: {{ .Values.clusterConfig.manifests }}
@@ -20,7 +20,7 @@ spec:
      - name: HELMFILE_ENVIRONMENT
        value: default
      - name: HELMFILE_FILE_PATH
-        value: redis-operator.yaml.gotmpl
+        value: dragonfly.yaml.gotmpl
  project: sys
  syncPolicy:
    managedNamespaceMetadata:
@@ -30,7 +30,7 @@ spec:
      - CreateNamespace=true
      - ApplyOutOfSyncOnly=true
      - ServerSideApply=true
-    {{- if .Values.redis_operator.autosync }}
+    {{- if .Values.dragonfly}}
    automated:
      prune: true
      # selfHeal: false
@@ -3,12 +3,12 @@ apiVersion: cilium.io/v2
 kind: CiliumNetworkPolicy
 metadata:
  name: allow-api-server
-  namespace: redis-operator
+  namespace: dragonfly
 spec:
  egress:
    - toEntities:
        - kube-apiserver
  endpointSelector:
    matchLabels:
-      app.kubernetes.io/instance: redis-operator
+      app.kubernetes.io/instance: dragonfly-operator
 {{- end}}
@@ -2,12 +2,12 @@
 apiVersion: cilium.io/v2
 kind: CiliumNetworkPolicy
 metadata:
-  name: allow-host-to-redis
-  namespace: redis-operator
+  name: allow-host-to-dragonfly
+  namespace: dragonfly
 spec:
  endpointSelector:
    matchLabels:
-      app.kubernetes.io/instance: redis-operator
+      app.kubernetes.io/instance: dragonfly-operator
  ingress:
    - fromEntities:
        - host
@@ -3,11 +3,11 @@ apiVersion: cilium.io/v2
 kind: CiliumNetworkPolicy
 metadata:
  name: allow-prometheus-metrics
-  namespace: redis-operator
+  namespace: dragonfly
 spec:
  endpointSelector:
    matchLabels:
-      app.kubernetes.io/instance: redis-operator
+      app.kubernetes.io/instance: dragonfly-operator
  ingress:
    - fromEndpoints:
        - matchLabels:
@@ -3,7 +3,7 @@ apiVersion: cilium.io/v2
 kind: CiliumNetworkPolicy
 metadata:
  name: allow-remote-node-webhooks
-  namespace: redis-operator
+  namespace: dragonfly
 spec:
  endpointSelector:
    matchLabels: {}
@@ -0,0 +1,2 @@
+serviceMonitor:
+ enabled: true
@@ -8,22 +8,15 @@ clusterConfig:
  initca: "/var/lib/kubernetes/secrets"
  apiserver: "ekman-manage"
  apiserverip: "10.255.241.99"
-  etcd_nodes: [ "10.255.241.80, 10.255.241.90, 10.255.241.99" ]
-  k8s_nodes: [ "10.255.241.80, 10.255.241.90, 10.255.241.99, 10.255.241.100, 10.255.241.101, 10.255.241.102, 10.255.241.103, 10.255.241.104, 10.255.241.105, 10.255.241.106, 10.255.241.107, 10.255.241.108, 10.255.241.109, 10.255.241.110, 10.255.241.111, 10.255.241.112, 10.255.241.113, 10.255.241.114, 10.255.241.116, 10.255.241.121, 10.255.241.122, 10.255.241.123, 10.255.241.124, 10.255.241.125, 10.255.241.126, 10.255.241.127, 10.255.241.128" ]
+  etcd_nodes: ["10.255.241.80, 10.255.241.90, 10.255.241.99"]
+  k8s_nodes:
+    [
+      "10.255.241.80, 10.255.241.90, 10.255.241.99, 10.255.241.100, 10.255.241.101, 10.255.241.102, 10.255.241.103, 10.255.241.104, 10.255.241.105, 10.255.241.106, 10.255.241.107, 10.255.241.108, 10.255.241.109, 10.255.241.110, 10.255.241.111, 10.255.241.112, 10.255.241.113, 10.255.241.114, 10.255.241.116, 10.255.241.121, 10.255.241.122, 10.255.241.123, 10.255.241.124, 10.255.241.125, 10.255.241.126, 10.255.241.127, 10.255.241.128",
+    ]
  cluster: "ekman"
-  ingress_nodes: ["ekman , ekman-manage" ]
+  ingress_nodes: ["ekman , ekman-manage"]
  ingress_replica_count: 2
  fileserver: "10.255.241.100"
-  acme:
-    email: "acme@oceanbox.io"
-    dns01: "namecheap-apikey"
-  oidc:
-  - name: oceanbox
-    provider: azuread
-    tenant: "3f737008-e9a0-4485-9d27-40329d288089"
-    secret_ref:
-      name: oceanbox-oidc
-    group_id: "eb17a659-4ce6-41bc-9153-d9b117c44479"
  nodes:
    - name: ekman-manage
      taints: []
@@ -6,22 +6,15 @@ clusterConfig:
  initca: ""
  apiserver: ""
  apiserverip: ""
-  etcd_nodes: [ "10.255.241.201, 10.255.241.202, 10.255.241.203" ]
-  k8s_nodes: [ "" ]
+  etcd_nodes: ["10.255.241.201, 10.255.241.202, 10.255.241.203"]
+  k8s_nodes: [""]
  cluster: "oceanbox"
-  ingress_nodes: ["oceanbox-controlplane-1, oceanbox-controlplane-2, oceanbox-controlplane-3" ]
+  ingress_nodes:
+    [
+      "oceanbox-controlplane-1, oceanbox-controlplane-2, oceanbox-controlplane-3",
+    ]
  ingress_replica_count: 3
  fileserver: "10.255.241.210"
-  acme:
-    email: "acme@oceanbox.io"
-    dns01: "namecheap-apikey"
-  oidc:
-  - name: oceanbox
-    provider: azuread
-    tenant: "3f737008-e9a0-4485-9d27-40329d288089"
-    secret_ref:
-      name: oceanbox-oidc
-    group_id: "eb17a659-4ce6-41bc-9153-d9b117c44479"
  s3:
    hosts: []
    patterns: []
@@ -8,28 +8,21 @@ clusterConfig:
  initca: "/var/lib/kubernetes/secrets"
  apiserver: "rossby-manage"
  apiserverip: "172.16.239.221"
-  etcd_nodes: [ "172.16.239.221, 172.16.239.222, 172.16.239.210" ]
-  k8s_nodes: [ "172.16.239.221, 172.16.239.222, 172.16.239.210, 172.16.239.111, 172.16.239.112, 172.16.239.113, 172.16.239.114, 172.16.239.115, 172.16.239.116, 172.16.239.117, 172.16.239.118, 172.16.239.119, 172.16.239.120, 172.16.239.121, 172.16.239.122, 172.16.239.123, 172.16.239.124, 172.16.239.125, 172.16.239.126, 172.16.239.127, 172.16.239.128, 172.16.239.129, 172.16.239.130" ]
+  etcd_nodes: ["172.16.239.221, 172.16.239.222, 172.16.239.210"]
+  k8s_nodes:
+    [
+      "172.16.239.221, 172.16.239.222, 172.16.239.210, 172.16.239.111, 172.16.239.112, 172.16.239.113, 172.16.239.114, 172.16.239.115, 172.16.239.116, 172.16.239.117, 172.16.239.118, 172.16.239.119, 172.16.239.120, 172.16.239.121, 172.16.239.122, 172.16.239.123, 172.16.239.124, 172.16.239.125, 172.16.239.126, 172.16.239.127, 172.16.239.128, 172.16.239.129, 172.16.239.130",
+    ]
  cluster: "rossby"
-  ingress_nodes: ["rossby, rossby-manage" ]
+  ingress_nodes: ["rossby, rossby-manage"]
  ingress_replica_count: 2
  ingress_clusterissuer: ca-issuer
  ingress_whitelist:
-   - 0.0.0.0/0
+    - 0.0.0.0/0
  ingress_hostnetwork: true
  ingress_hostport: false
  ingress_nodeport: false
  fileserver: "172.16.239.222"
-  acme:
-    email: "acme@oceanbox.io"
-    dns01: "namecheap-apikey"
-  oidc:
-  - name: oceanbox
-    provider: azuread
-    tenant: "3f737008-e9a0-4485-9d27-40329d288089"
-    secret_ref:
-      name: oceanbox-oidc
-    group_id: "eb17a659-4ce6-41bc-9153-d9b117c44479"
  nodes:
    - name: rossby-manage
      taints: []
@@ -11,9 +11,6 @@ clusterConfig:
  ingress_nodes: []
  ingress_replica_count: 3
  fileserver: ""
-  acme:
-    email: "acme@oceanbox.io"
-    dns01: ""
  nodenames: []
  nodes: []
  ingress_clusterissuer: "letsencrypt-production"
@@ -26,19 +23,31 @@ clusterConfig:
  ingress_hostnetwork: false
  ingress_hostport: false
  ingress_nodeport: true
-  oidc: []
-    #- name: azure
-    #  provider: azuread
-    #  tenant: "https://login.microsoftonline.com/<tenant>/oauth2/v2.0"
-    #  secret_ref:
-    #    name: azure-oidc
-    #  group_id: "<group_id>"
-    #- name: github
-    #  provider: github
-    #  secret_ref:
-    #    name: github-oidc
-    #  allowed_organizations: <org>
-    #  allowed_teams: <team-id>
+  acme:
+    email: "acme@oceanbox.io"
+    dns01: "namecheap-apikey"
+  oidc:
+    - group: admin
+      name: oceanbox
+      provider: azuread
+      tenant: "3f737008-e9a0-4485-9d27-40329d288089"
+      secret_ref:
+        name: oceanbox-oidc
+      group_id: "eb17a659-4ce6-41bc-9153-d9b117c44479"
+    - group: devel
+      name: oceanbox
+      provider: azuread
+      tenant: "3f737008-e9a0-4485-9d27-40329d288089"
+      secret_ref:
+        name: oceanbox-oidc
+      group_id: ""
+    - group: analytics
+      name: oceanbox
+      provider: azuread
+      tenant: "3f737008-e9a0-4485-9d27-40329d288089"
+      secret_ref:
+        name: oceanbox-oidc
+      group_id: "52bb4c7e-549c-4aed-bd95-9dcedf716f9f"
  s3:
    hosts: []
    patterns: []
@@ -314,6 +314,7 @@ configMaps:

           { "name": "jonas-atlantis.dev.oceanbox.io", "type": "A", "value": "10.255.241.11" },
           { "name": "jonas-sorcerer.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" },
+           { "name": "jonas-plume.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" },
           { "name": "stig-atlantis.dev.oceanbox.io", "type": "A", "value": "10.255.241.11" },
           { "name": "stig-sorcerer.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" },
           { "name": "stig-plume.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" },
@@ -323,8 +324,10 @@ configMaps:
           { "name": "mrtz-sorcerer.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" },
           { "name": "mrtz-plume.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" },
           { "name": "simkir-atlantis.dev.oceanbox.io", "type": "A", "value": "10.255.241.11" },
+           { "name": "simkir-user-portal.dev.oceanbox.io", "type": "A", "value": "10.255.241.11" },
           { "name": "simkir-sorcerer.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" },
           { "name": "simkir-plume.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" },
           { "name": "ole-atlantis.dev.oceanbox.io", "type": "A", "value": "10.255.241.11" },
-           { "name": "ole-sorcerer.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" }
+           { "name": "ole-sorcerer.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" },
+           { "name": "ole-plume.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" }
        ]
@@ -1,6 +1,6 @@
 replicaCount: 1
 image:
-  tag: "6efcdecb-debug"
+  tag: "2592c5b2-debug"
 env:
  - name: APP_VERSION
    value: "0.0.0-staging"
@@ -1,3 +1,2 @@
 openfga:
  enabled: true
-  env: prod
@@ -1,4 +1,4 @@
 openfga:
  enabled: false
  autosync: false
-  env: prod
+  env: {{ .Environment.Name }}
@@ -10,7 +10,11 @@ metadata:
  - resources-finalizer.argocd.argoproj.io
 spec:
  destination:
+    {{- if eq .Values.openfga.env "prod" }}
    namespace: openfga
+    {{- else }}
+    namespace: {{ .Values.openfga.env }}-openfga
+    {{- end }}
    server: https://kubernetes.default.svc
  project: sys
  sources:
@@ -10,10 +10,9 @@ type: Opaque
 ---
 apiVersion: v1
 stringData:
-  postgres-password: iAnMHs3eEuQM0D4jeAP1dwEoLWUBSwNXwhBuPDOgmfoeZ58iV0zogQ77U3GNUbwa
-  uri:  postgres://postgres:iAnMHs3eEuQM0D4jeAP1dwEoLWUBSwNXwhBuPDOgmfoeZ58iV0zogQ77U3GNUbwa@staging-openfga-rw.openfga.svc.cluster.local:5432/postgres?sslmode=disable
+  uri:  postgres://staging-openfga-db-rw.staging-openfga.svc.cluster.local:5432/app?sslmode=disable
 kind: Secret
 metadata:
  name: staging-openfga-postgresql
-  namespace: openfga
+  namespace: staging-openfga
 type: Opaque
@@ -2,8 +2,12 @@ replicaCount: 1

 datastore:
  engine: postgres
-  uriSecret: staging-openfga-db-superuser
  migrationType: initContainer
+  uriSecret: staging-openfga-postgresql
+  existingSecret: staging-openfga-db-superuser 
+  secretKeys:
+    usernameKey: username
+    passwordKey: password

 ingress:
  enabled: true
@@ -27,7 +31,7 @@ extraObjects:
    kind: Cluster
    metadata:
      name: staging-openfga-db
-      namespace: openfga
+      namespace: staging-openfga
    spec:
      instances: 1
      imageName: ghcr.io/cloudnative-pg/postgresql:17-bookworm
@@ -1,6 +1,6 @@
 replicaCount: 1
 image:
-  tag: 544657c0-debug
+  tag: 121f49c9-debug
 podAnnotations:
  dapr.io/enabled: "true"
  dapr.io/app-id: "staging-plume"
@@ -122,7 +122,7 @@ grafana:
    users:
      auto_assign_org_role: "Admin"
    {{- range .Values.clusterConfig.oidc }}
-    {{- if eq .provider "azuread" }}
+    {{- if eq .group "analytics" }}
    auth.{{ .provider }}:
      enabled: true
      name: {{ .name }}
@@ -135,32 +135,34 @@ grafana:
      allow_sign_up: true
      role_attribute_strict: false
      allow_assign_grafana_admin: true
-    {{- else if eq .provider "github" }}
-    auth.{{ .provider }}:
-      name: {{ .name }}
-      enabled: true
-      client_id: $__file{/etc/secrets/oauth/{{ .name }}/client_id}
-      client_secret: $__file{/etc/secrets/oauth/{{ .name }}/client_secret}
-      allowed_organizations: {{ .allowed_organizations }}
-      {{- if .allowed_teams }}
-      allowed_teams: "{{ .allowed_teams }}"
-      {{- end }}
-      scopes: user:email,read:org
-      auth_url: https://github.com/login/oauth/authorize
-      token_url: https://github.com/login/oauth/access_token
-      allow_sign_up: true
-      role_attribute_strict: false
-      allow_assign_grafana_admin: true
+    #{{- else if eq .provider "github" }}
+    #auth.{{ .provider }}:
+    #  name: {{ .name }}
+    #  enabled: true
+    #  client_id: $__file{/etc/secrets/oauth/{{ .name }}/client_id}
+    #  client_secret: $__file{/etc/secrets/oauth/{{ .name }}/client_secret}
+    #  allowed_organizations: {{ .allowed_organizations }}
+    #  {{- if .allowed_teams }}
+    #  allowed_teams: "{{ .allowed_teams }}"
+    #  {{- end }}
+    #  scopes: user:email,read:org
+    #  auth_url: https://github.com/login/oauth/authorize
+    #  token_url: https://github.com/login/oauth/access_token
+    #  allow_sign_up: true
+    #  role_attribute_strict: false
+    #  allow_assign_grafana_admin: true
    {{- end }}
    {{- end }}
  extraSecretMounts:
  {{- range .Values.clusterConfig.oidc }}
+  {{- if eq .group "analytics" }}
  - name: {{ .name }}
    secretName: {{ .secret_ref.name }}
    defaultMode: 0440
    mountPath: /etc/secrets/oauth/{{ .name }}
    readOnly: true
  {{- end }}
+  {{- end }}

  {{- if .Values.prometheus.grafana.persistence }}
  persistence:
@@ -173,6 +175,9 @@ grafana:
    annotations:
      cert-manager.io/cluster-issuer: {{ .Values.clusterConfig.ingress_clusterissuer }}
      nginx.ingress.kubernetes.io/ssl-redirect: "true"
+      nginx.ingress.kubernetes.io/proxy-body-size: "0"
+      nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
+      nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
      {{- with .Values.clusterConfig.ingress_whitelist}}
      nginx.ingress.kubernetes.io/whitelist-source-range: {{ join "," . }}
      {{- end }}
@@ -458,6 +463,9 @@ prometheus:
    annotations:
      cert-manager.io/cluster-issuer: {{ .Values.clusterConfig.ingress_clusterissuer }}
      nginx.ingress.kubernetes.io/ssl-redirect: "true"
+      nginx.ingress.kubernetes.io/proxy-body-size: "0"
+      nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
+      nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
      {{- with .Values.clusterConfig.ingress_whitelist }}
      nginx.ingress.kubernetes.io/whitelist-source-range: {{ join "," . }}
      {{- end }}
@@ -1,25 +0,0 @@
-certmanager:
- enabled: true
-
-redisOperator:
- webhook: true
-
-# issuer:
- # create: true
- # kind: ClusterIssuer
- # name:
-
-# ha:
-#   enabled: false
-# metrics:
-#   enabled: true
-#   serviceMonitor:
-#     additionalLabels:
-#       release: prometheus
-#     enabled: true
-# webhook:
-#   certificate:
-#     certManager: false
-#   serviceMonitor:
-#     additionalLabels:
-#       release: prometehus
@@ -48,7 +48,7 @@
      "modelId": "01JKTZYMCZZBVSBG66W27XMW0A"
    },
    "sentryUrl": "https://5e6e3584098dc006de18038cf85d2cbe@o4509530141622272.ingest.de.sentry.io/4509547350065232",
-    "redis": "localhost:6379,user=default,password=secret",
+    "redis": "staging-sorcerer-redis:6379,user=default,password=secret",
    "allowedOrigins": [
        "http://localhost:8085",
        "http://localhost:8080",
@@ -7,7 +7,7 @@ spec:
  version: v1
  metadata:
  - name: redisHost
-    value: staging-sorcerer-redis-master:6379
+    value: staging-sorcerer-redis:6379
  - name: redisUsername
    value: default
  - name: redisPassword
@@ -7,7 +7,7 @@ spec:
  version: v1
  metadata:
  - name: redisHost
-    value: staging-sorcerer-redis-master:6379
+    value: staging-sorcerer-redis:6379
  - name: redisUsername
    value: default
  - name: redisPassword
@@ -20,4 +20,3 @@ master:
      cpu: 150m
      ephemeral-storage: 50Mi
      memory: 128Mi
-
@@ -78,6 +78,19 @@ persistence:
 #     operator: Equal
 #     value: compute
 #     effect: NoSchedule
+redis:
+  enabled: true
+  replicas: 3
+  size: 2Gi
+  backup:
+    enabled: true
+  secret:
+    name: "prod-sorcerer-redis"
+    key: "redis-password"
+  resources:
+    cpu: 150m
+    memory: 256Mi
+

 affinity:
  nodeAffinity:
@@ -1,6 +1,8 @@
 replicaCount: 1
+
 image:
-  tag: e9c21c12-debug
+  tag: 9566bce0-debug
+
 podAnnotations:
  dapr.io/enabled: "true"
  dapr.io/app-id: "staging-sorcerer"
@@ -13,6 +15,7 @@ podAnnotations:
  dapr.io/sidecar-memory-request: "50Mi"
  # dapr.io/sidecar-cpu-limit: "300m"
  # dapr.io/sidecar-memory-limit: "1000Mi"
+
 env:
  - name: APP_VERSION
    value: "0.0.0-staging"
@@ -30,6 +33,7 @@ env:
      secretKeyRef:
        name: dapr-api-token
        key: token
+
 ingress:
  enabled: true
  annotations:
@@ -62,11 +66,24 @@ ingress:
    - hosts:
        - sorcerer.ekman.oceanbox.io
      secretName: staging-sorcerer-tls
+
 persistence:
  enabled: true
  existingClaim: staging-sorcerer-ceph-archives
  # existingClaim: staging-oceanbox-backup-archives
  #
+redis:
+  enabled: true
+  size: 2Gi
+  backup:
+    enabled: true
+  secret:
+    name: "staging-sorcerer-redis"
+    key: "redis-password"
+  resources:
+    cpu: 150m
+    memory: 256Mi
+
 # nodeSelector:
 #   node-role.kubernetes.io/srv: ""
 #   kubernetes.io/hostname: fs-backup
@@ -77,6 +94,7 @@ persistence:
 #     operator: Equal
 #     value: compute
 #     effect: NoSchedule
+
 affinity:
  nodeAffinity:
    requiredDuringSchedulingIgnoredDuringExecution:
@@ -0,0 +1,3 @@
+spegel:
+  enabled: true
+  autosync: false
@@ -0,0 +1,3 @@
+spegel:
+  enabled: true
+  autosync: false
@@ -0,0 +1,3 @@
+spegel:
+  enabled: false
+  autosync: false
@@ -0,0 +1,14 @@
+{{- if .Values.clusterConfig.cilium.enabled }}
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-api-server
+  namespace: spegel
+spec:
+  egress:
+    - toEntities:
+        - kube-apiserver
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/instance: spegel
+{{- end}}
@@ -0,0 +1,19 @@
+{{- if .Values.clusterConfig.cilium.enabled }}
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-prometheus-metrics
+  namespace: spegel
+spec:
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/instance: spegel
+  ingress:
+    - fromEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: prometheus
+      toPorts:
+        - ports:
+            - port: "8080"
+              protocol: TCP
+{{- end}}
@@ -0,0 +1,18 @@
+{{- if .Values.clusterConfig.cilium.enabled }}
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-remote-node
+  namespace: spegel
+spec:
+  endpointSelector:
+    matchLabels: {}
+  ingress:
+    - fromEntities:
+        - kube-apiserver
+        - remote-node
+      toPorts:
+        - ports:
+            - port: "5000"
+              protocol: TCP
+{{- end}}
@@ -0,0 +1,17 @@
+{{- if .Values.clusterConfig.cilium.enabled }}
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-world-dns
+  namespace: spegel
+spec:
+  description: Allow DNS world
+  egress:
+    - toPorts:
+        - ports:
+            - port: "5001"
+              protocol: TCP
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: spegel
+{{- end }}
@@ -0,0 +1,38 @@
+{{- if .Values.clusterConfig.argo.enabled }}
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: spegel
+  namespace: argocd
+spec:
+  destination:
+    namespace: spegel
+    server: 'https://kubernetes.default.svc'
+  sources:
+  - repoURL: {{ .Values.clusterConfig.manifests }}
+    targetRevision: HEAD
+    path: helmfile.d
+    plugin:
+      name: helmfile-cmp
+      env:
+      - name: CLUSTER_NAME
+        value: {{ .Values.clusterConfig.cluster }}
+      - name: HELMFILE_ENVIRONMENT
+        value: default
+      - name: HELMFILE_FILE_PATH
+        value: spegel.yaml.gotmpl
+  project: sys
+  syncPolicy:
+    managedNamespaceMetadata:
+      labels:
+        component: sys
+    syncOptions:
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+      - ServerSideApply=true
+    {{- if .Values.spegel.autosync }}
+    automated:
+      prune: true
+      # selfHeal: false
+    {{- end }}
+{{- end }}
@@ -0,0 +1,4 @@
+spegel:
+  containerdRegistryConfigPath: /etc/cri/conf.d/hosts
+  registryFilters:
+    - "^yolo-registry.dev.oceanbox\\.io/"
@@ -6,7 +6,7 @@ image:
  # -- image pull policy
  # pullPolicy:
  # -- Overrides the image tag
-  tag: "postgresql-v2.19.0"
+  tag: "3.0"

 replicaCount: 1

@@ -17,11 +17,11 @@ resources:
  limits:
    # cpu: 100m
    # ephemeral-storage: 2Gi
-    memory: 750Mi
+    memory: 500Mi
  requests:
-    cpu: 500m
+    cpu: 100m
    # ephemeral-storage: 50Mi
-    memory: 750Mi
+    memory: 500Mi

 securityContext:
  runAsGroup: 65533