diff --git a/.envrc b/.envrc
index fc056953..3e095197 100644
--- a/.envrc
+++ b/.envrc
@@ -1,14 +1,9 @@
 #!/usr/bin/env bash
 # the shebang is ignored, but nice for editors
-watch_file lon.lock
+watch_file nix/sources.json
 # Load .env file if it exists
 dotenv_if_exists
 # Activate development shell
-if type -P lorri &>/dev/null; then
- eval "$(lorri direnv)"
-else
- echo 'while direnv evaluated .envrc, could not find the command "lorri" [https://github.com/nix-community/lorri]'
- use nix
-fi
+use nix
diff --git a/charts/atlantis/Chart.yaml b/charts/atlantis/Chart.yaml
index 92e7a1b9..28c68829 100644
--- a/charts/atlantis/Chart.yaml
+++ b/charts/atlantis/Chart.yaml
@@ -4,7 +4,7 @@ description: Atlantis map and simulation service
 type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
-version: v1.27.0
+version: v1.30.1
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application.
-appVersion: v1.27.0
+appVersion: v1.30.1
diff --git a/charts/atlantis/templates/redis.yaml b/charts/atlantis/templates/redis.yaml
index 4b3e83fa..dcff5019 100644
--- a/charts/atlantis/templates/redis.yaml
+++ b/charts/atlantis/templates/redis.yaml
@@ -1,45 +1,54 @@
 {{- if .Values.redis.enabled -}}
-apiVersion: redis.redis.opstreelabs.in/v1beta2
-kind: Redis
+apiVersion: dragonflydb.io/v1alpha1
+kind: Dragonfly
 metadata:
 name: {{ include "Atlantis.fullname" . }}-redis
 namespace: {{ .Release.Namespace }}
 annotations:
 linkerd.io/inject: disabled
 labels:
+ app.kubernetes.io/created-by: dragonfly-operator
+ app.kubernetes.io/instance: dragonfly
 {{- include "Atlantis.labels" . | nindent 4 }}
 spec:
- kubernetesConfig:
- image: quay.io/opstree/redis:v7.2.6
- imagePullPolicy: IfNotPresent
- resources:
- requests:
- cpu: 101m
- memory: 128Mi
- limits:
- memory: 256Mi
- redisSecret:
+ args:
+ - --maxmemory=$(MAX_MEMORY)Mi # Graceful memory management (90% of limit)
+ - --proactor_threads=1 # Auto-detect CPU cores (optimal threading)
+ - --cluster_mode=emulated
+ env:
+ - name: MAX_MEMORY
+ valueFrom:
+ resourceFieldRef:
+ resource: limits.memory
+ divisor: 1Mi
+ replicas: {{ .Values.redis.replicas | default "1" }}
+ resources:
+ requests:
+ cpu: 150m
+ limits:
+ memory: 256Mi
+ authentication:
+ passwordFromSecret:
 name: {{ .Values.redis.secret.name | quote }}
 key: {{ .Values.redis.secret.key | quote }}
- serviceMonitor:
+ metrics:
 enabled: {{ .Values.redis.metrics.enabled | default false }}
- redisExporter:
- enabled: {{ .Values.redis.exporterEnabled | default false }}
- image: quay.io/opstree/redis-exporter:v1.44.0
- imagePullPolicy: Always
- resources:
- requests:
- cpu: 100m
- memory: 128Mi
- limits:
- memory: 256Mi
+ port: 6379
 storage:
- volumeClaimTemplate:
- spec:
- accessModes: ["ReadWriteOnce"]
- resources:
- requests:
- storage: {{ .Values.cluster.size | default "1Gi" }}
+ requests:
+ storage: {{ .Values.redis.size | default "1Gi" }}
+ {{- if .Values.redis.backup.enabled }}
+ snapshot:
+ dir: /data # Change to s3://redis/prod-atlantis-redis
+ cron: "0 3 * * *" # Default: every day at 03:00
+ enableOnMasterOnly: false
+ persistentVolumeClaimSpec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: {{ .Values.redis.size | default "1Gi" }}
+ {{- end }}
 podSecurityContext:
 runAsUser: 1000
 fsGroup: 1000
diff --git a/charts/atlantis/values.yaml b/charts/atlantis/values.yaml
index d67fc53d..168c92cc 100644
--- a/charts/atlantis/values.yaml
+++ b/charts/atlantis/values.yaml
@@ -1,11 +1,10 @@
 # Default values for Atlantis.
 # This is a YAML-formatted file.
 # Declare variables to be passed into your templates.
-
 replicaCount: 1
 image:
 repository: registry.gitlab.com/oceanbox/poseidon/atlantis
- tag: v1.27.0
+ tag: v1.30.1
 pullPolicy: IfNotPresent
 init:
 enabled: false
@@ -78,8 +77,9 @@ redis:
 instances: 1
 metrics:
 enabled: false
+ backup:
+ enabled: false
 size: 1Gi
- exporterEnabled: false
 cluster:
 enabled: true
 instances: 1
diff --git a/charts/plume/templates/redis.yaml b/charts/plume/templates/redis.yaml
new file mode 100644
index 00000000..58c2fcf9
--- /dev/null
+++ b/charts/plume/templates/redis.yaml
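Review bot: The `--maxmemory=$(MAX_MEMORY)Mi` argument is fed from `resourceFieldRef: limits.memory` with `divisor: 1Mi`, so maxmemory equals the full 256Mi container limit rather than the "90% of limit" the inline comment claims, and Dragonfly's own overhead on top of the data set then tends to trip the cgroup OOM killer before eviction ever starts; either leave headroom in the limit or correct the comment so nobody relies on it. The `--proactor_threads=1 # Auto-detect CPU cores` comment is wrong in the same way — `1` pins a single thread, it is `0` that auto-detects. Separately, `replicas: {{ .Values.redis.replicas | default "1" }}` reads a key the chart's values.yaml never defines (it defines `redis.instances`), so `instances` is dead configuration and the CR is always single-replica; reconcile them, e.g. `replicas: {{ .Values.redis.instances | default 1 }}`. The `podSecurityContext` keeps `runAsUser`/`fsGroup` but omits `runAsNonRoot: true`, which is what makes the non-root intent enforceable by the kubelet.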
@@ -0,0 +1,55 @@
+{{- if .Values.redis.enabled -}}
+apiVersion: dragonflydb.io/v1alpha1
+kind: Dragonfly
+metadata:
+ name: {{ include "Plume.fullname" . }}-redis
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ linkerd.io/inject: disabled
+ labels:
+ app.kubernetes.io/created-by: dragonfly-operator
+ app.kubernetes.io/instance: dragonfly
+ {{- include "Plume.labels" . | nindent 4 }}
+spec:
+ args:
+ - --maxmemory=$(MAX_MEMORY)Mi # Graceful memory management (90% of limit)
+ - --proactor_threads=1 # Auto-detect CPU cores (optimal threading)
+ - --cluster_mode=emulated
+ env:
+ - name: MAX_MEMORY
+ valueFrom:
+ resourceFieldRef:
+ resource: limits.memory
+ divisor: 1Mi
+ replicas: {{ .Values.redis.replicas | default "1" }}
+ resources:
+ requests:
+ cpu: 150m
+ limits:
+ memory: 256Mi
+ authentication:
+ passwordFromSecret:
+ name: {{ .Values.redis.secret.name | quote }}
+ key: {{ .Values.redis.secret.key | quote }}
+ metrics:
+ enabled: {{ .Values.redis.metrics.enabled | default false }}
+ port: 6379
+ storage:
+ requests:
+ storage: {{ .Values.redis.size | default "1Gi" }}
+ {{- if .Values.redis.backup.enabled }}
+ snapshot:
+ dir: /data # Change to s3://redis/prod-atlantis-redis
+ cron: "0 3 * * *" # Default: every day at 03:00
+ enableOnMasterOnly: false
+ persistentVolumeClaimSpec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: {{ .Values.redis.size | default "1Gi" }}
+ {{- end }}
+ podSecurityContext:
+ runAsUser: 1000
+ fsGroup: 1000
+{{- end}}
diff --git a/charts/plume/values.yaml b/charts/plume/values.yaml
index a48c102f..b49e1ac7 100644
--- a/charts/plume/values.yaml
+++ b/charts/plume/values.yaml
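Review bot: This template dereferences `.Values.redis.secret.name` and `.Values.redis.secret.key`, but the `redis:` block this commit adds to plume's values.yaml has no `secret` key, so flipping `redis.enabled: true` without a per-environment override fails at render time with a nil-pointer error instead of a readable message; add `secret: {name: "", key: ""}` to the defaults and guard the reference, e.g. `name: {{ required "redis.secret.name must be set" .Values.redis.secret.name | quote }}`. The `snapshot.dir: /data # Change to s3://redis/prod-atlantis-redis` comment was carried over from the atlantis chart and, if followed literally, would point plume's backups at the atlantis bucket — `s3://redis/prod-plume-redis` or a neutral `# Change to an s3:// bucket for off-node backups` is what belongs here. `metrics.port: 6379` sets the scrape endpoint to the same port as the data listener; confirm that is what the Dragonfly CRD expects rather than a separate admin port, because a Prometheus allow-list aimed at the data port also opens the database itself to the scraper.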
@@ -59,6 +59,14 @@ cluster:
 backupEnabled: true
 backupRetention: 60d
 size: 5Gi
+redis:
+ enabled: false
+ instances: 1
+ metrics:
+ enabled: false
+ backup:
+ enabled: false
+ size: 1Gi
 resources: {}
 # We usually recommend not to specify default resources and to leave this as a conscious
 # choice for the user. This also increases chances charts run on environments with little
diff --git a/charts/sorcerer/Chart.yaml b/charts/sorcerer/Chart.yaml
index 6cb3b8f0..c480534c 100644
--- a/charts/sorcerer/Chart.yaml
+++ b/charts/sorcerer/Chart.yaml
@@ -4,7 +4,7 @@ description: A Helm chart for Kubernetes
 type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
-version: v1.27.0
+version: v1.30.1
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application.
-appVersion: v1.27.0
+appVersion: v1.30.1
diff --git a/charts/sorcerer/templates/redis.yaml b/charts/sorcerer/templates/redis.yaml
index 0486ce14..2aeeed59 100644
--- a/charts/sorcerer/templates/redis.yaml
+++ b/charts/sorcerer/templates/redis.yaml
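Review bot: `instances: 1` in the new `redis:` block is never read — the plume Dragonfly template added in this commit reads `.Values.redis.replicas` — so an operator raising `instances` to get HA gets nothing. Either rename this key to `replicas: 1` or make the template read `instances`, and document which one is authoritative with a comment such as `# number of Dragonfly pods; consumed by templates/redis.yaml as spec.replicas`.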
@@ -1,46 +1,52 @@
 {{- if .Values.redis.enabled -}}
-apiVersion: redis.redis.opstreelabs.in/v1beta2
-kind: Redis
+apiVersion: dragonflydb.io/v1alpha1
+kind: Dragonfly
 metadata:
 name: {{ include "Sorcerer.fullname" . }}-redis
 namespace: {{ .Release.Namespace }}
 annotations:
 linkerd.io/inject: disabled
 labels:
+ app.kubernetes.io/created-by: dragonfly-operator
 {{- include "Sorcerer.labels" . | nindent 4 }}
 spec:
- kubernetesConfig:
- image: quay.io/opstree/redis:v7.2.6
- imagePullPolicy: IfNotPresent
- resources:
- requests:
- cpu: 101m
- memory: 128Mi
- limits:
- memory: 256Mi
- redisSecret:
+ args:
+ - --dbfilename=dump # Static filename prevents disk exhaustion
+ - --maxmemory=$(MAX_MEMORY)Mi # Graceful memory management (90% of limit)
+ - --proactor_threads=1 # Auto-detect CPU cores (optimal threading)
+ - --cluster_mode=emulated
+ - --logtostderr
+ - --save_schedule= # Disable continuous saves (cron snapshots only)
+ env:
+ - name: MAX_MEMORY
+ valueFrom:
+ resourceFieldRef:
+ resource: limits.memory
+ divisor: 1Mi
+ replicas: {{ .Values.redis.replicas | default "1" }}
+ resources:
+ requests:
+ cpu: {{ .Values.redis.resources.cpu | default "150m" }}
+ memory: {{ .Values.redis.resources.memory | default "256Mi"}}
+ limits:
+ memory: {{ .Values.redis.resources.memory | default "256Mi"}}
+ authentication:
+ passwordFromSecret:
 name: {{ .Values.redis.secret.name | quote }}
 key: {{ .Values.redis.secret.key | quote }}
- serviceMonitor:
- enabled: {{ .Values.redis.metrics.enabled | default false }}
- redisExporter:
- enabled: {{ .Values.redis.exporterEnabled | default false }}
- image: quay.io/opstree/redis-exporter:v1.44.0
- imagePullPolicy: Always
- resources:
- requests:
- cpu: 100m
- memory: 128Mi
- limits:
- memory: 256Mi
- storage:
- volumeClaimTemplate:
- spec:
- accessModes: ["ReadWriteOnce"]
- resources:
- requests:
- storage: {{ .Values.cluster.size | default "1Gi" }}
- podSecurityContext:
- runAsUser: 1000
- fsGroup: 1000
+ # metrics:
+ # enabled: {{ .Values.redis.metrics.enabled | default false }}
+ # port: 6379
+ {{- if .Values.redis.backup.enabled }}
+ snapshot:
+ dir: /data # Change to s3://redis/prod-atlantis-redis
+ cron: "0 3 * * *" # Default: every day at 03:00
+ enableOnMasterOnly: false
+ persistentVolumeClaimSpec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: {{ .Values.redis.size | default "1Gi" }}
+ {{- end }}
 {{- end}}
diff --git a/charts/sorcerer/values.yaml b/charts/sorcerer/values.yaml
index d8a7abda..c45a46d8 100644
--- a/charts/sorcerer/values.yaml
+++ b/charts/sorcerer/values.yaml
@@ -5,7 +5,7 @@ replicaCount: 1
 image:
 repository: registry.gitlab.com/oceanbox/poseidon/sorcerer
- tag: v1.27.0
+ tag: v1.30.1
 pullPolicy: IfNotPresent
 init:
 enabled: false
@@ -64,6 +64,7 @@ ingress:
 - hosts:
 - sorcerer.srv.oceanbox.io
 secretName: sorcerer-tls
+
 persistence:
 enabled: true
 existingClaim: oceanbox-archives
@@ -72,17 +73,20 @@ persistence:
 # accessMode: ReadWriteMany
 redis:
 enabled: false
+ instances: 1
 metrics:
 enabled: false
- instances: 1
+ backup:
+ enabled: false
 size: 1Gi
- exporterEnabled: false
+
 cluster:
 enabled: false
 instances: 2
 backupEnabled: true
 backupRetention: 60d
 size: 5Gi
+
 resources: {}
 # We usually recommend not to specify default resources and to leave this as a conscious
 # choice for the user. This also increases chances charts run on environments with little
diff --git a/helmfile.d/dragonfly.yaml.gotmpl b/helmfile.d/dragonfly.yaml.gotmpl
new file mode 100644
index 00000000..317676de
--- /dev/null
+++ b/helmfile.d/dragonfly.yaml.gotmpl
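Review bot: The rewritten sorcerer CR drops the `podSecurityContext` (`runAsUser: 1000`, `fsGroup: 1000`) that the old Redis CR carried and that the atlantis and plume Dragonfly templates in this same commit keep, so this instance runs as whatever user the operator's default pod template picks and its snapshot PVC is owned accordingly; restore `podSecurityContext:` with `runAsUser: 1000`, `fsGroup: 1000` and `runAsNonRoot: true` to match the siblings. The `resources` block dereferences `.Values.redis.resources.cpu` and `.memory`, yet the sorcerer values.yaml `redis:` block changed below defines no `resources` (and no `secret`), so unless every environment supplies them, enabling redis fails at render time with a nil-pointer error rather than falling back to the `default` values; add `resources: {}` and `secret: {name: "", key: ""}` to the chart defaults. The `# metrics:` stanza is commented out while `redis.metrics.enabled` remains a documented value, so that switch is currently a no-op for this chart and deserves a `# TODO` stating why.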
@@ -0,0 +1,44 @@
+bases:
+ - ../envs/environments.yaml.gotmpl
+
+repositories:
+- name: dragonfly
+ oci: true
+ url: ghcr.io/dragonflydb/dragonfly-operator/helm
+
+commonLabels:
+ tier: system
+
+releases:
+- name: dragonfly
+ namespace: dragonfly
+ chart: dragonfly/dragonfly-operator
+ version: v1.3.0
+ condition: dragonfly.enabled
+ values:
+ - ../values/dragonfly/values/dragonfly.yaml.gotmpl
+ - ../values/dragonfly/values/dragonfly-{{ .Environment.Name }}.yaml.gotmpl
+ postRenderer: ../bin/kustomizer
+ postRendererArgs:
+ - ../values/dragonfly/kustomize/{{ .Environment.Name }}
+ missingFileHandler: Info
+- name: manifests
+ namespace: dragonfly
+ chart: manifests
+ condition: dragonfly.enabled
+ missingFileHandler: Info
+ values:
+ - ../values/env.yaml
+ - ../values/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml
+ - ../values/dragonfly/env.yaml.gotmpl
+ - ../values/dragonfly/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml.gotmpl
+ hooks:
+ - events: [ prepare, cleanup ]
+ showlogs: true
+ command: ../bin/helmify
+ args:
+ - '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
+ - '{{`{{ .Release.Chart }}`}}'
+ - '{{`{{ .Environment.Name }}`}}'
+ - ../values/dragonfly/manifests
+ - manifests
diff --git a/helmfile.d/openfga.yaml.gotmpl b/helmfile.d/openfga.yaml.gotmpl
index 1291d3e1..85e7def3 100644
--- a/helmfile.d/openfga.yaml.gotmpl
+++ b/helmfile.d/openfga.yaml.gotmpl
@@ -10,7 +10,11 @@ commonLabels:
 releases:
 - name: {{ .Environment.Name }}-openfga
+ {{- if eq .Environment.Name "prod" }}
 namespace: openfga
+ {{- else }}
+ namespace: {{ .Environment.Name }}-openfga
+ {{- end }}
 chart: openfga/openfga
 version: 0.2.45
 condition: openfga.enabled
@@ -22,7 +26,11 @@ releases:
 - ../values/openfga/kustomize/{{ .Environment.Name }}
 missingFileHandler: Info
 - name: manifests
+ {{- if eq .Environment.Name "prod" }}
 namespace: openfga
+ {{- else }}
+ namespace: {{ .Environment.Name }}-openfga
+ {{- end }}
 chart: manifests
 condition: openfga.enabled
 missingFileHandler: Info
diff --git a/helmfile.d/redis-operator.yaml.gotmpl b/helmfile.d/redis-operator.yaml.gotmpl
deleted file mode 100644
index 9650fba9..00000000
--- a/helmfile.d/redis-operator.yaml.gotmpl
+++ /dev/null
@@ -1,43 +0,0 @@
-bases:
- - ../envs/environments.yaml.gotmpl
-
-repositories:
-- name: redis-operator
- url: 'https://ot-container-kit.github.io/helm-charts'
-
-commonLabels:
- tier: system
-
-releases:
-- name: redis-operator
- namespace: redis-operator
- chart: redis-operator/redis-operator
- version: 0.22.1
- condition: redis_operator.enabled
- values:
- - ../values/redis-operator/values/redis-operator.yaml.gotmpl
- - ../values/redis-operator/values/redis-operator-{{ .Environment.Name }}.yaml.gotmpl
- postRenderer: ../bin/kustomizer
- postRendererArgs:
- - ../values/redis-operator/kustomize/{{ .Environment.Name }}
- missingFileHandler: Info
-- name: manifests
- namespace: redis-operator
- chart: manifests
- condition: redis_operator.enabled
- missingFileHandler: Info
- values:
- - ../values/env.yaml
- - ../values/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml
- - ../values/redis-operator/env.yaml.gotmpl
- - ../values/redis-operator/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml.gotmpl
- hooks:
- - events: [ prepare, cleanup ]
- showlogs: true
- command: ../bin/helmify
- args:
- - '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
- - '{{`{{ .Release.Chart }}`}}'
- - '{{`{{ .Environment.Name }}`}}'
- - ../values/redis-operator/manifests
- - manifests
diff --git a/helmfile.d/spegel.yaml.gotmpl b/helmfile.d/spegel.yaml.gotmpl
new file mode 100644
index 00000000..0df71970
--- /dev/null
+++ b/helmfile.d/spegel.yaml.gotmpl
@@ -0,0 +1,44 @@
+bases:
+ - ../envs/environments.yaml.gotmpl
+
+repositories:
+- name: spegel
+ oci: true
+ url: ghcr.io/spegel-org/helm-charts
+
+commonLabels:
+ tier: system
+
+releases:
+- name: spegel
+ namespace: spegel
+ chart: spegel/spegel
+ version: 0.5.1
+ condition: spegel.enabled
+ values:
+ - ../values/spegel/values/spegel.yaml.gotmpl
+ - ../values/spegel/values/spegel-{{ .Environment.Name }}.yaml.gotmpl
+ postRenderer: ../bin/kustomizer
+ postRendererArgs:
+ - ../values/spegel/kustomize/{{ .Environment.Name }}
+ missingFileHandler: Info
+- name: manifests
+ namespace: spegel
+ chart: manifests
+ condition: spegel.enabled
+ missingFileHandler: Info
+ values:
+ - ../values/env.yaml
+ - ../values/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml
+ - ../values/spegel/env.yaml.gotmpl
+ - ../values/spegel/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml.gotmpl
+ hooks:
+ - events: [ prepare, cleanup ]
+ showlogs: true
+ command: ../bin/helmify
+ args:
+ - '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
+ - '{{`{{ .Release.Chart }}`}}'
+ - '{{`{{ .Environment.Name }}`}}'
+ - ../values/spegel/manifests
+ - manifests
diff --git a/helmfile.d/umami.yaml.gotmpl b/helmfile.d/umami.yaml.gotmpl
index 56c33bdf..415150a0 100644
--- a/helmfile.d/umami.yaml.gotmpl
+++ b/helmfile.d/umami.yaml.gotmpl
@@ -14,7 +14,7 @@ releases:
 - name: umami
 namespace: analytics
 chart: umami/umami
- version: 5.0.11
+ version: 6.0.1
 condition: umami.enabled
 values:
 - ../values/umami/values/values.yaml
diff --git a/shell.nix b/shell.nix
index 31ab8cc1..3997e065 100644
--- a/shell.nix
+++ b/shell.nix
@@ -36,6 +36,6 @@ pkgs.mkShellNoCC {
 dapr-cli
 ];
- ARGOCD_ENV_CLUSTER_NAME = "oceanbox";
+ ARGOCD_ENV_CLUSTER_NAME = "ekman";
 HELM_GIT_ACCESS_TOKEN = "glpat-xxx";
 }
diff --git a/values/argo/env.yaml.gotmpl b/values/argo/env.yaml.gotmpl
index ce91e055..9e70b222 100644
--- a/values/argo/env.yaml.gotmpl
+++ b/values/argo/env.yaml.gotmpl
@@ -5,7 +5,7 @@ argo:
 rollouts:
 enabled: false
 workflows:
- enabled: true
+ enabled: false
 argocd:
 autosync: true
diff --git a/values/argo/manifests/sys-project.yaml b/values/argo/manifests/sys-project.yaml
index b0add1e1..95108076 100644
--- a/values/argo/manifests/sys-project.yaml
+++ b/values/argo/manifests/sys-project.yaml
@@ -52,7 +52,7 @@ spec:
 server: https://kubernetes.default.svc
 - namespace: mariadb-operator
 server: https://kubernetes.default.svc
- - namespace: redis-operator
+ - namespace: dragonfly
 server: https://kubernetes.default.svc
 - namespace: cilium-spire
 server: https://kubernetes.default.svc
@@ -62,6 +62,8 @@ spec:
 server: https://kubernetes.default.svc
 - namespace: openfga
 server: https://kubernetes.default.svc
+ - namespace: staging-openfga
+ server: https://kubernetes.default.svc
 - namespace: dapr-system
 server: https://kubernetes.default.svc
 - namespace: rook-ceph
@@ -80,6 +82,8 @@ spec:
 server: https://kubernetes.default.svc
 - namespace: slurm
 server: https://kubernetes.default.svc
+ - namespace: spegel
+ server: https://kubernetes.default.svc
 sourceRepos:
 - https://argoproj.github.io/argo-helm
 - https://kubernetes-sigs.github.io/metrics-server/
@@ -113,6 +117,8 @@ spec:
 - ghcr.io/slinkyproject/charts
 - ghcr.io/slinkyproject/charts/slurm-operator
 - ghcr.io/slinkyproject/charts/slurm-operator-crds
+ - ghcr.io/spegel-org/helm-charts
+ - ghcr.io/dragonflydb/dragonfly-operator/helm/dragonfly-operator
 - https://operator.mariadb.com/mariadb-enterprise-operator
 - https://operator.mariadb.com
 - https://ot-container-kit.github.io/helm-charts
diff --git a/values/argo/values/argocd.yaml.gotmpl b/values/argo/values/argocd.yaml.gotmpl
index 724c0b68..0d024567 100644
--- a/values/argo/values/argocd.yaml.gotmpl
+++ b/values/argo/values/argocd.yaml.gotmpl
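Review bot: `sourceRepos` still allows `https://ot-container-kit.github.io/helm-charts` in the `@@ -113,6 +117,8 @@` hunk even though this commit deletes the redis-operator release that was its only consumer, so the `sys` AppProject keeps a chart source nothing legitimately pulls from; remove that line together with the `redis-operator` → `dragonfly` destination rename, keeping the project's allow-list to what is actually deployed. The new `staging-openfga` destination covers exactly one non-prod environment, while the `{{ .Environment.Name }}-openfga` pattern introduced in helmfile.d/openfga.yaml.gotmpl yields a different namespace for every other environment, each of which will be rejected by this project until added by hand; if more environments are planned, a comment such as `# one entry per non-prod OpenFGA environment (see helmfile.d/openfga.yaml.gotmpl)` next to the entry, or a glob destination, would make the coupling visible.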
@@ -43,7 +43,7 @@ configs:
 connectors:
 {{- with .Values.clusterConfig.oidc }}
 {{- range . }}
- {{- if eq .provider "azuread" }}
+ {{- if eq .group "devel" }}
 - type: oidc
 id: {{ .name }}
 name: {{ .name }}
@@ -61,20 +61,6 @@ configs:
 - profile
 - email
 - groups
- {{- else if eq .provider "github" }}
- - type: github
- id: {{ .name }}
- name: {{ .name }}
- config:
- clientID: ${{ .name | replace "-" "_" }}_client_id
- clientSecret: ${{ .name | replace "-" "_" }}_client_secret
- redirectURI: https://argocd.{{ $.Values.clusterConfig.domain }}/api/dex/callback
- orgs:
- - name: {{ .allowed_organizations }}
- loadAllGroups: true
- teamNameField: slug
- useLoginAsID: false
- {{- end }}
 staticClients:
 - id: ${{ .name | replace "-" "_" }}_client_id
 name: Kubernetes
@@ -87,6 +73,7 @@ configs:
 secret: 8d52926efe879ee505391b75f4b046cf
 {{- end }}
 {{- end }}
+ {{- end }}
 admin.enabled: false
 rbac:
 # NOTE(kai): dd2aa2d6 ... is ID for azure kubernetes_operator group
@@ -150,6 +137,7 @@ dex:
 {{- with .Values.clusterConfig.oidc }}
 env:
 {{- range . }}
+ {{- if eq .group "devel" }}
 - name: {{ .name | replace "-" "_" }}_client_secret
 valueFrom:
 secretKeyRef:
@@ -162,6 +150,7 @@ dex:
 key: client_id
 {{- end }}
 {{- end }}
+ {{- end }}
 redis:
 metrics:
diff --git a/values/atlantis/values/values-staging.yaml.gotmpl b/values/atlantis/values/values-staging.yaml.gotmpl
index 161cb870..91ca5c13 100644
--- a/values/atlantis/values/values-staging.yaml.gotmpl
+++ b/values/atlantis/values/values-staging.yaml.gotmpl
@@ -1,6 +1,6 @@
 replicaCount: 1
 image:
- tag: e9c21c12-debug
+ tag: f8940c92-debug
 podAnnotations:
 dapr.io/app-id: "staging-atlantis"
 env:
diff --git a/values/cert-manager/manifests/policies/allow-remote-node-webhook.yaml b/values/cert-manager/manifests/policies/allow-remote-node-webhook.yaml
new file mode 100644
index 00000000..2a8bac65
--- /dev/null
+++ b/values/cert-manager/manifests/policies/allow-remote-node-webhook.yaml
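Review bot: The `staticClients` entry rendered inside this loop carries a literal `secret: 8d52926efe879ee505391b75f4b046cf` in the repository (context line of the `@@ -87,6 +73,7 @@` hunk), while the connector's `clientSecret` a few lines earlier is injected through `secretKeyRef`; if that value is live it should get the same treatment — Dex static clients accept `secretEnv: oceanbox_static_client_secret` fed from the `dex.env` block — and the committed value rotated, since it already sits in history. The connector and env loops now filter on `eq .group "devel"` instead of `.provider`, so the `admin` and `analytics` entries in values/env.yaml produce neither a Dex connector nor env-injected secrets; if that is intended, a template comment like `{{- /* only the 'devel' OIDC entry is wired into Dex; other groups are consumed by other templates */ -}}` would stop the next reader from treating it as a bug. Because all three entries share `name: oceanbox`, a second entry tagged `group: devel` would render duplicate connector and static-client ids — the filter, not the data, is what keeps them unique.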
@@ -0,0 +1,18 @@
+{{- if .Values.clusterConfig.cilium.enabled }}
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-remote-node-webhooks
+ namespace: cert-manager
+spec:
+ endpointSelector:
+ matchLabels: {}
+ ingress:
+ - fromEntities:
+ - kube-apiserver
+ - remote-node
+ - toPorts:
+ - ports:
+ - port: "8443"
+ protocol: TCP
+{{- end }}
diff --git a/values/redis-operator/env-ekman.yaml.gotmpl b/values/dragonfly/env-ekman.yaml.gotmpl
similarity index 68%
rename from values/redis-operator/env-ekman.yaml.gotmpl
rename to values/dragonfly/env-ekman.yaml.gotmpl
index f87f0124..c5b125d9 100644
--- a/values/redis-operator/env-ekman.yaml.gotmpl
+++ b/values/dragonfly/env-ekman.yaml.gotmpl
@@ -1,3 +1,3 @@
-redis_operator:
+dragonfly:
 enabled: true
 autosync: false
diff --git a/values/redis-operator/env-oceanbox.yaml.gotmpl b/values/dragonfly/env-oceanbox.yaml.gotmpl
similarity index 68%
rename from values/redis-operator/env-oceanbox.yaml.gotmp l
rename to values/dragonfly/env-oceanbox.yaml.gotmpl
index f87f0124..c5b125d9 100644
--- a/values/redis-operator/env-oceanbox.yaml.gotmpl
+++ b/values/dragonfly/env-oceanbox.yaml.gotmpl
@@ -1,3 +1,3 @@
-redis_operator:
+dragonfly:
 enabled: true
 autosync: false
diff --git a/values/redis-operator/env.yaml.gotmpl b/values/dragonfly/env.yaml.gotmpl
similarity index 68%
rename from values/redis-operator/env.yaml.gotmpl
rename to values/dragonfly/env.yaml.gotmpl
index 5d7833c9..59c1b6ed 100644
--- a/values/redis-operator/env.yaml.gotmpl
+++ b/values/dragonfly/env.yaml.gotmpl
@@ -1,3 +1,3 @@
-redis_operator:
+dragonfly:
 enabled: false
 autosync: false
diff --git a/values/redis-operator/manifests/redis-operator.yaml b/values/dragonfly/manifests/dragonfly.yaml
similarity index 85%
rename from values/redis-operator/manifests/redis-operator.yaml
rename to values/dragonfly/manifests/dragonfly.yaml
index 66126931..262f5c24 100644
--- a/values/redis-operator/manifests/redis-operator.yaml
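Review bot: `- toPorts:` under `ingress` opens a second list item, so `fromEntities` and `toPorts` are two independent rules rather than one: the first admits `kube-apiserver` and `remote-node` on every port, and the second, which names no `from*` selector, admits TCP 8443 from any source, because an unspecified selector in a Cilium rule matches everything. To restrict the webhook to those two entities on 8443 only, the port block must live in the same rule as the entity list — drop the dash and indent `toPorts:` to the same level as `fromEntities:`. `endpointSelector.matchLabels: {}` additionally attaches this allow to every pod in cert-manager, not just the webhook; selecting on the webhook's own labels (the upstream chart sets e.g. `app.kubernetes.io/component: webhook`) keeps the controller and cainjector out of it. The renamed dragonfly copy of this policy further down (93% similar, only its head is visible here) most likely has the same shape and needs the same fix.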
+++ b/values/dragonfly/manifests/dragonfly.yaml
@@ -2,11 +2,11 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
- name: redis-operator
+ name: dragonfly
 namespace: argocd
 spec:
 destination:
- namespace: redis-operator
+ namespace: dragonfly
 server: 'https://kubernetes.default.svc'
 sources:
 - repoURL: {{ .Values.clusterConfig.manifests }}
@@ -20,7 +20,7 @@ spec:
 - name: HELMFILE_ENVIRONMENT
 value: default
 - name: HELMFILE_FILE_PATH
- value: redis-operator.yaml.gotmpl
+ value: dragonfly.yaml.gotmpl
 project: sys
 syncPolicy:
 managedNamespaceMetadata:
@@ -30,7 +30,7 @@ spec:
 - CreateNamespace=true
 - ApplyOutOfSyncOnly=true
 - ServerSideApply=true
- {{- if .Values.redis_operator.autosync }}
+ {{- if .Values.dragonfly}}
 automated:
 prune: true
 # selfHeal: false
diff --git a/values/redis-operator/manifests/policies/CiliumNetworkPolicy-allow-api-server.yaml b/values/dragonfly/manifests/policies/CiliumNetworkPolicy-allow-api-server.yaml
similarity index 75%
rename from values/redis-operator/manifests/policies/CiliumNetworkPolicy-allow-api-server.yaml
rename to values/dragonfly/manifests/policies/CiliumNetworkPolicy-allow-api-server.yaml
index c2180393..f60658ce 100644
--- a/values/redis-operator/manifests/policies/CiliumNetworkPolicy-allow-api-server.yaml
+++ b/values/dragonfly/manifests/policies/CiliumNetworkPolicy-allow-api-server.yaml
@@ -3,12 +3,12 @@ apiVersion: cilium.io/v2
 kind: CiliumNetworkPolicy
 metadata:
 name: allow-api-server
- namespace: redis-operator
+ namespace: dragonfly
 spec:
 egress:
 - toEntities:
 - kube-apiserver
 endpointSelector:
 matchLabels:
- app.kubernetes.io/instance: redis-operator
+ app.kubernetes.io/instance: dragonfly-operator
 {{- end}}
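Review bot: `{{- if .Values.dragonfly}}` in the `@@ -30,7 +30,7 @@` hunk tests the whole `dragonfly` map, which is non-empty in every env file touched by this commit (each defines `enabled` and `autosync`), so `automated: prune: true` is now rendered unconditionally — including for ekman and oceanbox, whose env files explicitly set `autosync: false`. The old guard was `.Values.redis_operator.autosync`; the faithful rename is `{{- if .Values.dragonfly.autosync }}`. Auto-prune on a `sys`-project Application that owns the operator namespace deletes whatever Argo CD judges stray, so this guard is worth keeping exact.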
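Review bot: The selector `app.kubernetes.io/instance: dragonfly-operator` only has effect if the operator pod actually carries that label, and the release that installs it is named `dragonfly` in helmfile.d/dragonfly.yaml.gotmpl; charts using the standard Helm label set derive `app.kubernetes.io/instance` from the release name, in which case this egress allow (and the two sibling policies renamed right after it) attaches to nothing and the operator cannot reach the API server under a default-deny posture. Check the rendered pod labels and either rename the release to `dragonfly-operator` or change the three selectors to `app.kubernetes.io/instance: dragonfly`, and record the chosen convention in a comment such as `# must equal the Helm release name of the operator (helmfile.d/dragonfly.yaml.gotmpl)`. The enclosing `{{- if ... }}` that the trailing `{{- end}}` closes starts outside this hunk.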
diff --git a/values/redis-operator/manifests/policies/CiliumNetworkPolicy-allow-host-to-redis.yaml b/values/dragonfly/manifests/policies/CiliumNetworkPolicy-allow-host-to-dragonfly.yaml
similarity index 65%
rename from values/redis-operator/manifests/policies/CiliumNetworkPolicy-allow-host-to-redis.yaml
rename to values/dragonfly/manifests/policies/CiliumNetworkPolicy-allow-host-to-dragonfly.yaml
index a78637a1..8a75baf0 100644
--- a/values/redis-operator/manifests/policies/CiliumNetworkPolicy-allow-host-to-redis.yaml
+++ b/values/dragonfly/manifests/policies/CiliumNetworkPolicy-allow-host-to-dragonfly.yaml
@@ -2,12 +2,12 @@
 apiVersion: cilium.io/v2
 kind: CiliumNetworkPolicy
 metadata:
- name: allow-host-to-redis
- namespace: redis-operator
+ name: allow-host-to-dragonfly
+ namespace: dragonfly
 spec:
 endpointSelector:
 matchLabels:
- app.kubernetes.io/instance: redis-operator
+ app.kubernetes.io/instance: dragonfly-operator
 ingress:
 - fromEntities:
 - host
diff --git a/values/redis-operator/manifests/policies/CiliumNetworkPolicy-allow-prometheus-metrics.yaml b/values/dragonfly/manifests/policies/CiliumNetworkPolicy-allow-prometheus-metrics.yaml
similarity index 83%
rename from values/redis-operator/manifests/policies/CiliumNetworkPolicy-allow-prometheus-metrics.yaml
rename to values/dragonfly/manifests/policies/CiliumNetworkPolicy-allow-prometheus-metrics.yaml
index 1f83cc1a..6f48b913 100644
--- a/values/redis-operator/manifests/policies/CiliumNetworkPolicy-allow-prometheus-metrics.yaml
+++ b/values/dragonfly/manifests/policies/CiliumNetworkPolicy-allow-prometheus-metrics.yaml
@@ -3,11 +3,11 @@ apiVersion: cilium.io/v2
 kind: CiliumNetworkPolicy
 metadata:
 name: allow-prometheus-metrics
- namespace: redis-operator
+ namespace: dragonfly
 spec:
 endpointSelector:
 matchLabels:
- app.kubernetes.io/instance: redis-operator
+ app.kubernetes.io/instance: dragonfly-operator
 ingress:
 - fromEndpoints:
 - matchLabels:
diff --git a/values/redis-operator/manifests/policies/CiliumNetworkPolicy-allow-remote-node-webhooks.yaml b/values/dragonfly/manifests/policies/CiliumNetworkPolicy-allow-remote-node-webhooks.yaml
similarity index 93%
rename from values/redis-operator/manifests/policies/CiliumNetworkPolicy-allow-remote-node-webhooks.yaml
rename to values/dragonfly/manifests/policies/CiliumNetworkPolicy-allow-remote-node-webhooks.yaml
index 027d06a0..ce87f14c 100644
--- a/values/redis-operator/manifests/policies/CiliumNetworkPolicy-allow-remote-node-webhooks.yaml
+++ b/values/dragonfly/manifests/policies/CiliumNetworkPolicy-allow-remote-node-webhooks.yaml
@@ -3,7 +3,7 @@ apiVersion: cilium.io/v2
 kind: CiliumNetworkPolicy
 metadata:
 name: allow-remote-node-webhooks
- namespace: redis-operator
+ namespace: dragonfly
 spec:
 endpointSelector:
 matchLabels: {}
diff --git a/values/dragonfly/values/dragonfly.yaml.gotmpl b/values/dragonfly/values/dragonfly.yaml.gotmpl
new file mode 100644
index 00000000..f686c053
--- /dev/null
+++ b/values/dragonfly/values/dragonfly.yaml.gotmpl
@@ -0,0 +1,2 @@
+serviceMonitor:
+ enabled: true
diff --git a/values/env-ekman.yaml b/values/env-ekman.yaml
index d10da337..da948a87 100644
--- a/values/env-ekman.yaml
+++ b/values/env-ekman.yaml
@@ -8,22 +8,15 @@ clusterConfig:
 initca: "/var/lib/kubernetes/secrets"
 apiserver: "ekman-manage"
 apiserverip: "10.255.241.99"
- etcd_nodes: [ "10.255.241.80, 10.255.241.90, 10.255.241.99" ]
- k8s_nodes: [ "10.255.241.80, 10.255.241.90, 10.255.241.99, 10.255.241.100, 10.255.241.101, 10.255.241.102, 10.255.241.103, 10.255.241.104, 10.255.241.105, 10.255.241.106, 10.255.241.107, 10.255.241.108, 10.255.241.109, 10.255.241.110, 10.255.241.111, 10.255.241.112, 10.255.241.113, 10.255.241.114, 10.255.241.116, 10.255.241.121, 10.255.241.122, 10.255.241.123, 10.255.241.124, 10.255.241.125, 10.255.241.126, 10.255.241.127, 10.255.241.128" ]
+ etcd_nodes: ["10.255.241.80, 10.255.241.90, 10.255.241.99"]
+ k8s_nodes:
+ [
+ "10.255.241.80, 10.255.241.90, 10.255.241.99, 10.255.241.100, 10.255.241.101, 10.255.241.102, 10.255.241.103, 10.255.241.104, 10.255.241.105, 10.255.241.106, 10.255.241.107, 10.255.241.108, 10.255.241.109, 10.255.241.110, 10.255.241.111, 10.255.241.112, 10.255.241.113, 10.255.241.114, 10.255.241.116, 10.255.241.121, 10.255.241.122, 10.255.241.123, 10.255.241.124, 10.255.241.125, 10.255.241.126, 10.255.241.127, 10.255.241.128",
+ ]
 cluster: "ekman"
- ingress_nodes: ["ekman , ekman-manage" ]
+ ingress_nodes: ["ekman , ekman-manage"]
 ingress_replica_count: 2
 fileserver: "10.255.241.100"
- acme:
- email: "acme@oceanbox.io"
- dns01: "namecheap-apikey"
- oidc:
- - name: oceanbox
- provider: azuread
- tenant: "3f737008-e9a0-4485-9d27-40329d288089"
- secret_ref:
- name: oceanbox-oidc
- group_id: "eb17a659-4ce6-41bc-9153-d9b117c44479"
 nodes:
 - name: ekman-manage
 taints: []
diff --git a/values/env-oceanbox.yaml b/values/env-oceanbox.yaml
index c78b15b6..c914218c 100644
--- a/values/env-oceanbox.yaml
+++ b/values/env-oceanbox.yaml
@@ -6,22 +6,15 @@ clusterConfig:
 initca: ""
 apiserver: ""
 apiserverip: ""
- etcd_nodes: [ "10.255.241.201, 10.255.241.202, 10.255.241.203" ]
- k8s_nodes: [ "" ]
+ etcd_nodes: ["10.255.241.201, 10.255.241.202, 10.255.241.203"]
+ k8s_nodes: [""]
 cluster: "oceanbox"
- ingress_nodes: ["oceanbox-controlplane-1, oceanbox-controlplane-2, oceanbox-controlplane-3" ]
+ ingress_nodes:
+ [
+ "oceanbox-controlplane-1, oceanbox-controlplane-2, oceanbox-controlplane-3",
+ ]
 ingress_replica_count: 3
 fileserver: "10.255.241.210"
- acme:
- email: "acme@oceanbox.io"
- dns01: "namecheap-apikey"
- oidc:
- - name: oceanbox
- provider: azuread
- tenant: "3f737008-e9a0-4485-9d27-40329d288089"
- secret_ref:
- name: oceanbox-oidc
- group_id: "eb17a659-4ce6-41bc-9153-d9b117c44479"
 s3:
 hosts: []
 patterns: []
diff --git a/values/env-rossby.yaml b/values/env-rossby.yaml
index 32a3d6e8..4cff020d 100644
--- a/values/env-rossby.yaml
+++ b/values/env-rossby.yaml
@@ -8,28 +8,21 @@ clusterConfig:
 initca: "/var/lib/kubernetes/secrets"
 apiserver: "rossby-manage"
 apiserverip: "172.16.239.221"
- etcd_nodes: [ "172.16.239.221, 172.16.239.222, 172.16.239.210" ]
- k8s_nodes: [ "172.16.239.221, 172.16.239.222, 172.16.239.210, 172.16.239.111, 172.16.239.112, 172.16.239.113, 172.16.239.114, 172.16.239.115, 172.16.239.116, 172.16.239.117, 172.16.239.118, 172.16.239.119, 172.16.239.120, 172.16.239.121, 172.16.239.122, 172.16.239.123, 172.16.239.124, 172.16.239.125, 172.16.239.126, 172.16.239.127, 172.16.239.128, 172.16.239.129, 172.16.239.130" ]
+ etcd_nodes: ["172.16.239.221, 172.16.239.222, 172.16.239.210"]
+ k8s_nodes:
+ [
+ "172.16.239.221, 172.16.239.222, 172.16.239.210, 172.16.239.111, 172.16.239.112, 172.16.239.113, 172.16.239.114, 172.16.239.115, 172.16.239.116, 172.16.239.117, 172.16.239.118, 172.16.239.119, 172.16.239.120, 172.16.239.121, 172.16.239.122, 172.16.239.123, 172.16.239.124, 172.16.239.125, 172.16.239.126, 172.16.239.127, 172.16.239.128, 172.16.239.129, 172.16.239.130",
+ ]
 cluster: "rossby"
- ingress_nodes: ["rossby, rossby-manage" ]
+ ingress_nodes: ["rossby, rossby-manage"]
 ingress_replica_count: 2
 ingress_clusterissuer: ca-issuer
 ingress_whitelist:
- - 0.0.0.0/0
+ - 0.0.0.0/0
 ingress_hostnetwork: true
 ingress_hostport: false
 ingress_nodeport: false
 fileserver: "172.16.239.222"
- acme:
- email: "acme@oceanbox.io"
- dns01: "namecheap-apikey"
- oidc:
- - name: oceanbox
- provider: azuread
- tenant: "3f737008-e9a0-4485-9d27-40329d288089"
- secret_ref:
- name: oceanbox-oidc
- group_id: "eb17a659-4ce6-41bc-9153-d9b117c44479"
 nodes:
 - name: rossby-manage
 taints: []
diff --git a/values/env.yaml b/values/env.yaml
index 9024d27f..450980ba 100644
--- a/values/env.yaml
+++ b/values/env.yaml
@@ -11,9 +11,6 @@ clusterConfig:
 ingress_nodes: []
 ingress_replica_count: 3
 fileserver: ""
- acme:
- email: "acme@oceanbox.io"
- dns01: ""
 nodenames: []
 nodes: []
 ingress_clusterissuer: "letsencrypt-production"
@@ -26,19 +23,31 @@ clusterConfig:
 ingress_hostnetwork: false
 ingress_hostport: false
 ingress_nodeport: true
- oidc: []
- #- name: azure
- # provider: azuread
- # tenant: "https://login.microsoftonline.com//oauth2/v2.0"
- # secret_ref:
- # name: azure-oidc
- # group_id: ""
- #- name: github
- # provider: github
- # secret_ref:
- # name: github-oidc
- # allowed_organizations:
- # allowed_teams:
+ acme:
+ email: "acme@oceanbox.io"
+ dns01: "namecheap-apikey"
+ oidc:
+ - group: admin
+ name: oceanbox
+ provider: azuread
+ tenant: "3f737008-e9a0-4485-9d27-40329d288089"
+ secret_ref:
+ name: oceanbox-oidc
+ group_id: "eb17a659-4ce6-41bc-9153-d9b117c44479"
+ - group: devel
+ name: oceanbox
+ provider: azuread
+ tenant: "3f737008-e9a0-4485-9d27-40329d288089"
+ secret_ref:
+ name: oceanbox-oidc
+ group_id: ""
+ - group: analytics
+ name: oceanbox
+ provider: azuread
+ tenant: "3f737008-e9a0-4485-9d27-40329d288089"
+ secret_ref:
+ name: oceanbox-oidc
+ group_id: "52bb4c7e-549c-4aed-bd95-9dcedf716f9f"
 s3:
 hosts: []
 patterns: []
diff --git a/values/headscale/values/values.yaml b/values/headscale/values/values.yaml
index a942b06b..ce2e521b 100644
--- a/values/headscale/values/values.yaml
+++ b/values/headscale/values/values.yaml
@@ -314,6 +314,7 @@ configMaps:
 { "name": "jonas-atlantis.dev.oceanbox.io", "type": "A", "value": "10.255.241.11" },
 { "name": "jonas-sorcerer.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" },
+ { "name": "jonas-plume.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" },
 { "name": "stig-atlantis.dev.oceanbox.io", "type": "A", "value": "10.255.241.11" },
 { "name": "stig-sorcerer.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" },
 { "name": "stig-plume.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" },
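Review bot: The `devel` OIDC entry ships with `group_id: ""`, so any template that builds a group-based access rule from `group_id` (the Argo CD RBAC block in this commit references Azure group object IDs by hand) receives an empty string; depending on how the consumer composes the match, that is either a silent no-op or an accidental match-everything, so either fill in the real object ID or make the consuming templates skip entries whose `group_id` is empty. All three entries share `name: oceanbox` and `secret_ref.name: oceanbox-oidc`, which means every template keying connector, client or env-var names on `.name` relies entirely on its `group` filter to avoid duplicate ids; a comment at the top of the list such as `# 'group' is the selector templates filter on; 'name' is NOT unique across entries` would make that contract explicit. Lifting `acme` from the per-cluster files into this shared default also turns the previous `dns01: ""` into `dns01: "namecheap-apikey"` for every environment, including ones that never referenced that secret; confirm the secret exists wherever cert-manager DNS-01 is used, or issuance there will start failing.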
@@ -323,8 +324,10 @@ configMaps: { "name": "mrtz-sorcerer.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" }, { "name": "mrtz-plume.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" }, { "name": "simkir-atlantis.dev.oceanbox.io", "type": "A", "value": "10.255.241.11" }, + { "name": "simkir-user-portal.dev.oceanbox.io", "type": "A", "value": "10.255.241.11" }, { "name": "simkir-sorcerer.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" }, { "name": "simkir-plume.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" }, { "name": "ole-atlantis.dev.oceanbox.io", "type": "A", "value": "10.255.241.11" }, - { "name": "ole-sorcerer.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" } + { "name": "ole-sorcerer.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" }, + { "name": "ole-plume.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" } ] diff --git a/values/makai/values/values-staging.yaml b/values/makai/values/values-staging.yaml index 4b4fc8c6..e5a5753b 100644 --- a/values/makai/values/values-staging.yaml +++ b/values/makai/values/values-staging.yaml @@ -1,6 +1,6 @@ replicaCount: 1 image: - tag: "6efcdecb-debug" + tag: "2592c5b2-debug" env: - name: APP_VERSION value: "0.0.0-staging" diff --git a/values/openfga/env-oceanbox.yaml.gotmpl b/values/openfga/env-oceanbox.yaml.gotmpl index 7ac9dc0d..f6d6a9d1 100644 --- a/values/openfga/env-oceanbox.yaml.gotmpl +++ b/values/openfga/env-oceanbox.yaml.gotmpl @@ -1,3 +1,2 @@ openfga: enabled: true - env: prod diff --git a/values/openfga/env.yaml.gotmpl b/values/openfga/env.yaml.gotmpl index 67361e6f..158b7661 100644 --- a/values/openfga/env.yaml.gotmpl +++ b/values/openfga/env.yaml.gotmpl @@ -1,4 +1,4 @@ openfga: enabled: false autosync: false - env: prod + env: {{ .Environment.Name }} diff --git a/values/openfga/manifests/openfga.yaml b/values/openfga/manifests/openfga.yaml index d3df295c..f64e3afe 100644 --- a/values/openfga/manifests/openfga.yaml 
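Review bot: `env: {{ .Environment.Name }}` in env.yaml.gotmpl, together with dropping `env: prod` from env-oceanbox.yaml.gotmpl, makes the production destination namespace depend on the helmfile environment being named exactly `prod`; any other name sends the Application to `<env>-openfga` via the new branch in openfga.yaml and leaves the existing `openfga` namespace orphaned. If the oceanbox environment is not literally `prod`, keep an explicit `env: prod` override there. Quoting the templated value, `env: "{{ .Environment.Name }}"`, also protects against an empty expansion being read as null.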
+++ b/values/openfga/manifests/openfga.yaml @@ -10,7 +10,11 @@ metadata: - resources-finalizer.argocd.argoproj.io spec: destination: + {{- if eq .Values.openfga.env "prod" }} namespace: openfga + {{- else }} + namespace: {{ .Values.openfga.env }}-openfga + {{- end }} server: https://kubernetes.default.svc project: sys sources: diff --git a/values/openfga/postgres-secret.yaml b/values/openfga/postgres-secret.yaml index 0a0ad2f7..25812c4c 100644 --- a/values/openfga/postgres-secret.yaml +++ b/values/openfga/postgres-secret.yaml @@ -10,10 +10,9 @@ type: Opaque --- apiVersion: v1 stringData: - postgres-password: iAnMHs3eEuQM0D4jeAP1dwEoLWUBSwNXwhBuPDOgmfoeZ58iV0zogQ77U3GNUbwa - uri: postgres://postgres:iAnMHs3eEuQM0D4jeAP1dwEoLWUBSwNXwhBuPDOgmfoeZ58iV0zogQ77U3GNUbwa@staging-openfga-rw.openfga.svc.cluster.local:5432/postgres?sslmode=disable + uri: postgres://staging-openfga-db-rw.staging-openfga.svc.cluster.local:5432/app?sslmode=disable kind: Secret metadata: name: staging-openfga-postgresql - namespace: openfga + namespace: staging-openfga type: Opaque diff --git a/values/openfga/values/values-staging.yaml b/values/openfga/values/values-staging.yaml index f64b98de..7a6536e8 100644 --- a/values/openfga/values/values-staging.yaml +++ b/values/openfga/values/values-staging.yaml @@ -2,8 +2,12 @@ replicaCount: 1 datastore: engine: postgres - uriSecret: staging-openfga-db-superuser migrationType: initContainer + uriSecret: staging-openfga-postgresql + existingSecret: staging-openfga-db-superuser + secretKeys: + usernameKey: username + passwordKey: password ingress: enabled: true @@ -27,7 +31,7 @@ extraObjects: kind: Cluster metadata: name: staging-openfga-db - namespace: openfga + namespace: staging-openfga spec: instances: 1 imageName: ghcr.io/cloudnative-pg/postgresql:17-bookworm diff --git a/values/plume/values/values-staging.yaml b/values/plume/values/values-staging.yaml index 6d9a0bcf..a46522f1 100644 --- a/values/plume/values/values-staging.yaml 
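Review bot: The removed `postgres-password` and the old `uri` embed a plaintext database credential that remains recoverable from git history after this commit; deleting the lines is not a rotation, so that role's password should be changed and the new value kept out of the repository. The new `uri` still ends in `sslmode=disable`; if the CNPG cluster keeps its default server TLS, `sslmode=require` (or `verify-full` with the cluster CA) encrypts the in-cluster connection at no extra cost. The namespace change to `staging-openfga` matches the Cluster move in values-staging.yaml.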
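Review bot: `existingSecret: staging-openfga-db-superuser` hands OpenFGA the cluster superuser, while the `uri` it is paired with in postgres-secret.yaml now targets the `app` database; CNPG also generates a `<cluster>-app` secret for that database's owner, which is the least-privilege choice if the initContainer migrations do not need superuser. It is also worth confirming that the chart merges `secretKeys.usernameKey`/`passwordKey` from `existingSecret` into the credential-less `uri` from `uriSecret`, since the uri itself no longer carries a user. The `datastore:` mapping continues past this hunk.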
+++ b/values/plume/values/values-staging.yaml @@ -1,6 +1,6 @@ replicaCount: 1 image: - tag: 544657c0-debug + tag: 121f49c9-debug podAnnotations: dapr.io/enabled: "true" dapr.io/app-id: "staging-plume" diff --git a/values/prometheus/values/prometheus.yaml.gotmpl b/values/prometheus/values/prometheus.yaml.gotmpl index 45024145..923c395f 100644 --- a/values/prometheus/values/prometheus.yaml.gotmpl +++ b/values/prometheus/values/prometheus.yaml.gotmpl @@ -122,7 +122,7 @@ grafana: users: auto_assign_org_role: "Admin" {{- range .Values.clusterConfig.oidc }} - {{- if eq .provider "azuread" }} + {{- if eq .group "analytics" }} auth.{{ .provider }}: enabled: true name: {{ .name }} 
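Review bot: `{{- if eq .group "analytics" }}` drops the provider check, so the branch now assumes every analytics entry is azuread, and any `oidc` entry written to the old schema without a `group` key reaches `eq` with a missing value, which text/template either rejects as an incompatible comparison or silently treats as false depending on the Go version. Keeping both guards avoids either surprise: `{{- if and (eq .group "analytics") (eq .provider "azuread") }}`. The enclosing `range` and the `auth.{{ .provider }}` block continue past this hunk.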
@@ -135,32 +135,34 @@ grafana: allow_sign_up: true role_attribute_strict: false allow_assign_grafana_admin: true - {{- else if eq .provider "github" }} - auth.{{ .provider }}: - name: {{ .name }} - enabled: true - client_id: $__file{/etc/secrets/oauth/{{ .name }}/client_id} - client_secret: $__file{/etc/secrets/oauth/{{ .name }}/client_secret} - allowed_organizations: {{ .allowed_organizations }} - {{- if .allowed_teams }} - allowed_teams: "{{ .allowed_teams }}" - {{- end }} - scopes: user:email,read:org - auth_url: https://github.com/login/oauth/authorize - token_url: https://github.com/login/oauth/access_token - allow_sign_up: true - role_attribute_strict: false - allow_assign_grafana_admin: true + #{{- else if eq .provider "github" }} + #auth.{{ .provider }}: + # name: {{ .name }} + # enabled: true + # client_id: $__file{/etc/secrets/oauth/{{ .name }}/client_id} + # client_secret: $__file{/etc/secrets/oauth/{{ .name }}/client_secret} + # allowed_organizations: {{ .allowed_organizations }} + # {{- if .allowed_teams }} + # allowed_teams: "{{ .allowed_teams }}" + # {{- end }} + # scopes: user:email,read:org + # auth_url: https://github.com/login/oauth/authorize + # token_url: https://github.com/login/oauth/access_token + # allow_sign_up: true + # role_attribute_strict: false + # allow_assign_grafana_admin: true {{- end }} {{- end }} extraSecretMounts: {{- range .Values.clusterConfig.oidc }} + {{- if eq .group "analytics" }} - name: {{ .name }} secretName: {{ .secret_ref.name }} defaultMode: 0440 mountPath: /etc/secrets/oauth/{{ .name }} readOnly: true {{- end }} + {{- end }} {{- if .Values.prometheus.grafana.persistence }} persistence: 
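Review bot: The `#` prefixes do not disable the Go template actions on the github branch: `{{- else if eq .provider "github" }}`, `{{ .allowed_organizations }}` and the inner `{{- if .allowed_teams }}` are still evaluated at render time and only their YAML output is commented, so a github-provider entry still exercises this code and a template error there still breaks the whole values file. If the branch is being retired, delete it (git keeps the history) or wrap it in a template comment `{{/* ... */}}`; if it is meant to stay, leave it uncommented. A side effect of the current form is a stray `#` line emitted after `allow_assign_grafana_admin: true` in the analytics branch, because `{{-` trims whitespace but not the `#` immediately before it.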
@@ -173,6 +175,9 @@ grafana: annotations: cert-manager.io/cluster-issuer: {{ .Values.clusterConfig.ingress_clusterissuer }} nginx.ingress.kubernetes.io/ssl-redirect: "true" + nginx.ingress.kubernetes.io/proxy-body-size: "0" + nginx.ingress.kubernetes.io/proxy-read-timeout: "600" + nginx.ingress.kubernetes.io/proxy-send-timeout: "600" {{- with .Values.clusterConfig.ingress_whitelist}} nginx.ingress.kubernetes.io/whitelist-source-range: {{ join "," . }} {{- end }} @@ -458,6 +463,9 @@ prometheus: annotations: cert-manager.io/cluster-issuer: {{ .Values.clusterConfig.ingress_clusterissuer }} nginx.ingress.kubernetes.io/ssl-redirect: "true" + nginx.ingress.kubernetes.io/proxy-body-size: "0" + nginx.ingress.kubernetes.io/proxy-read-timeout: "600" + nginx.ingress.kubernetes.io/proxy-send-timeout: "600" {{- with .Values.clusterConfig.ingress_whitelist }} nginx.ingress.kubernetes.io/whitelist-source-range: {{ join "," . }} {{- end }} diff --git a/values/redis-operator/values/redis-operator.yaml.gotmpl b/values/redis-operator/values/redis-operator.yaml.gotmpl deleted file mode 100644 index 63bc90a6..00000000 --- a/values/redis-operator/values/redis-operator.yaml.gotmpl +++ /dev/null @@ -1,25 +0,0 @@ -certmanager: - enabled: true - -redisOperator: - webhook: true - -# issuer: - # create: true - # kind: ClusterIssuer - # name: - -# ha: -# enabled: false -# metrics: -# enabled: true -# serviceMonitor: -# additionalLabels: -# release: prometheus -# enabled: true -# webhook: -# certificate: -# certManager: false -# serviceMonitor: -# additionalLabels: -# release: prometehus diff --git a/values/sorcerer/kustomize/staging/appsettings.json b/values/sorcerer/kustomize/staging/appsettings.json index 168e88e1..26c2c244 100644 --- a/values/sorcerer/kustomize/staging/appsettings.json +++ b/values/sorcerer/kustomize/staging/appsettings.json 
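Review bot: `nginx.ingress.kubernetes.io/proxy-body-size: "0"` removes the request-body cap on the Grafana ingress, and the second hunk (`@@ -458,6 +463,9 @@`) adds the same three annotations to the Prometheus ingress, so any client admitted by the source range can stream unbounded uploads to both. Unless large dashboard imports are a known need, a finite value such as `proxy-body-size: "50m"` (example value) keeps the guard, and the 600 s read/send timeouts deserve a one-line comment naming the slow request they exist for. The enclosing `ingress:` mapping begins outside the hunk.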
@@ -48,7 +48,7 @@ "modelId": "01JKTZYMCZZBVSBG66W27XMW0A" }, "sentryUrl": "https://5e6e3584098dc006de18038cf85d2cbe@o4509530141622272.ingest.de.sentry.io/4509547350065232", - "redis": "localhost:6379,user=default,password=secret", + "redis": "staging-sorcerer-redis:6379,user=default,password=secret", "allowedOrigins": [ "http://localhost:8085", "http://localhost:8080", diff --git a/values/sorcerer/kustomize/staging/configurations.yaml b/values/sorcerer/kustomize/staging/configurations.yaml index 9ae7b291..c8c1a4b6 100644 --- a/values/sorcerer/kustomize/staging/configurations.yaml +++ b/values/sorcerer/kustomize/staging/configurations.yaml @@ -7,7 +7,7 @@ spec: version: v1 metadata: - name: redisHost - value: staging-sorcerer-redis-master:6379 + value: staging-sorcerer-redis:6379 - name: redisUsername value: default - name: redisPassword diff --git a/values/sorcerer/kustomize/staging/statestore.yaml b/values/sorcerer/kustomize/staging/statestore.yaml index 61079a33..3f1ef29e 100644 --- a/values/sorcerer/kustomize/staging/statestore.yaml +++ b/values/sorcerer/kustomize/staging/statestore.yaml @@ -7,7 +7,7 @@ spec: version: v1 metadata: - name: redisHost - value: staging-sorcerer-redis-master:6379 + value: staging-sorcerer-redis:6379 - name: redisUsername value: default - name: redisPassword diff --git a/values/sorcerer/values/redis-prod.yaml b/values/sorcerer/values/redis-prod.yaml index f5a82dfe..269f358b 100644 --- a/values/sorcerer/values/redis-prod.yaml +++ b/values/sorcerer/values/redis-prod.yaml @@ -20,4 +20,3 @@ master: cpu: 150m ephemeral-storage: 50Mi memory: 128Mi - diff --git a/values/sorcerer/values/values-prod.yaml b/values/sorcerer/values/values-prod.yaml index 21ce0022..6d82dc19 100644 --- a/values/sorcerer/values/values-prod.yaml +++ b/values/sorcerer/values/values-prod.yaml 
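Review bot: `"redis": "staging-sorcerer-redis:6379,user=default,password=secret"` keeps a literal credential in a committed, non-secret config file; the commit changes the host but leaves `password=secret` in place. If that is the real staging password it belongs in a Secret and should be rotated since it is already in history; if it is a placeholder that kustomize substitutes, a clearly marked token such as `password=PLACEHOLDER_REDIS_PASSWORD` makes that evident to the reader. The enclosing JSON object extends beyond the hunk.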
@@ -78,6 +78,19 @@ persistence: # operator: Equal # value: compute # effect: NoSchedule +redis: + enabled: true + replicas: 3 + size: 2Gi + backup: + enabled: true + secret: + name: "prod-sorcerer-redis" + key: "redis-password" + resources: + cpu: 150m + memory: 256Mi + affinity: nodeAffinity: diff --git a/values/sorcerer/values/values-staging.yaml b/values/sorcerer/values/values-staging.yaml index 881dfc3a..6a24b9ed 100644 --- a/values/sorcerer/values/values-staging.yaml +++ b/values/sorcerer/values/values-staging.yaml @@ -1,6 +1,8 @@ replicaCount: 1 + image: - tag: e9c21c12-debug + tag: 9566bce0-debug + podAnnotations: dapr.io/enabled: "true" dapr.io/app-id: "staging-sorcerer" @@ -13,6 +15,7 @@ podAnnotations: dapr.io/sidecar-memory-request: "50Mi" # dapr.io/sidecar-cpu-limit: "300m" # dapr.io/sidecar-memory-limit: "1000Mi" + env: - name: APP_VERSION value: "0.0.0-staging" @@ -30,6 +33,7 @@ env: secretKeyRef: name: dapr-api-token key: token + ingress: enabled: true annotations: @@ -62,11 +66,24 @@ ingress: - hosts: - sorcerer.ekman.oceanbox.io secretName: staging-sorcerer-tls + persistence: enabled: true existingClaim: staging-sorcerer-ceph-archives # existingClaim: staging-oceanbox-backup-archives # +redis: + enabled: true + size: 2Gi + backup: + enabled: true + secret: + name: "staging-sorcerer-redis" + key: "redis-password" + resources: + cpu: 150m + memory: 256Mi + # nodeSelector: # node-role.kubernetes.io/srv: "" # kubernetes.io/hostname: fs-backup @@ -77,6 +94,7 @@ persistence: # operator: Equal # value: compute # effect: NoSchedule + affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: diff --git a/values/spegel/env-ekman.yaml.gotmpl b/values/spegel/env-ekman.yaml.gotmpl new file mode 100644 index 00000000..5fd08e5b --- /dev/null +++ b/values/spegel/env-ekman.yaml.gotmpl @@ -0,0 +1,3 @@ +spegel: + enabled: true + autosync: false 
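Review bot: `redis.resources` is written as flat `cpu:`/`memory:` keys rather than the Kubernetes `requests:`/`limits:` shape, so whether the redis template reads these values at all should be checked; if it does not, the block is dead configuration and the pod runs with whatever the template hard-codes. The same block appears in the values-staging.yaml hunk (`@@ -62,11 +66,24 @@`). The `secret` entries `"prod-sorcerer-redis"` / `"redis-password"` assume a pre-existing Secret that no hunk in this diff creates, and `replicas: 3` would read better with a comment stating the expected topology.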
diff --git a/values/spegel/env-oceanbox.yaml.gotmpl b/values/spegel/env-oceanbox.yaml.gotmpl
new file mode 100644
index 00000000..5fd08e5b
--- /dev/null
+++ b/values/spegel/env-oceanbox.yaml.gotmpl
@@ -0,0 +1,3 @@
+spegel:
+ enabled: true
+ autosync: false
diff --git a/values/spegel/env.yaml.gotmpl b/values/spegel/env.yaml.gotmpl
new file mode 100644
index 00000000..42baaa22
--- /dev/null
+++ b/values/spegel/env.yaml.gotmpl
@@ -0,0 +1,3 @@
+spegel:
+ enabled: false
+ autosync: false
diff --git a/values/spegel/manifests/policies/CiliumNetworkPolicy-allow-api-server.yaml b/values/spegel/manifests/policies/CiliumNetworkPolicy-allow-api-server.yaml
new file mode 100644
index 00000000..5145c28c
--- /dev/null
+++ b/values/spegel/manifests/policies/CiliumNetworkPolicy-allow-api-server.yaml
@@ -0,0 +1,14 @@
+{{- if .Values.clusterConfig.cilium.enabled }}
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-api-server
+ namespace: spegel
+spec:
+ egress:
+ - toEntities:
+ - kube-apiserver
+ endpointSelector:
+ matchLabels:
+ app.kubernetes.io/instance: spegel
+{{- end}}
diff --git a/values/spegel/manifests/policies/CiliumNetworkPolicy-allow-prometheus-metrics.yaml b/values/spegel/manifests/policies/CiliumNetworkPolicy-allow-prometheus-metrics.yaml
new file mode 100644
index 00000000..97f7abca
--- /dev/null
+++ b/values/spegel/manifests/policies/CiliumNetworkPolicy-allow-prometheus-metrics.yaml
@@ -0,0 +1,19 @@
+{{- if .Values.clusterConfig.cilium.enabled }}
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-prometheus-metrics
+ namespace: spegel
+spec:
+ endpointSelector:
+ matchLabels:
+ app.kubernetes.io/instance: spegel
+ ingress:
+ - fromEndpoints:
+ - matchLabels:
+ io.kubernetes.pod.namespace: prometheus
+ toPorts:
+ - ports:
+ - port: "8080"
+ protocol: TCP
+{{- end}}
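Review bot: `fromEndpoints` in allow-prometheus-metrics matches every pod in the `prometheus` namespace, not only the scraper, so any workload co-located there can reach spegel's 8080 port. Adding the scraper's own label next to the namespace label under the same `matchLabels` (for example `app.kubernetes.io/name: prometheus`, to be confirmed against the deployed pods) narrows it to the Prometheus pods. The `{{- end}}` closer here and in allow-api-server omits the space that `{{- end }}` in the allow-world policy and spegel.yaml use; one form across the new files reads better.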
diff --git a/values/spegel/manifests/policies/CiliumNetworkPolicy-allow-remote-node.yaml b/values/spegel/manifests/policies/CiliumNetworkPolicy-allow-remote-node.yaml
new file mode 100644
index 00000000..7bb26906
--- /dev/null
+++ b/values/spegel/manifests/policies/CiliumNetworkPolicy-allow-remote-node.yaml
@@ -0,0 +1,18 @@
+{{- if .Values.clusterConfig.cilium.enabled }}
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-remote-node
+ namespace: spegel
+spec:
+ endpointSelector:
+ matchLabels: {}
+ ingress:
+ - fromEntities:
+ - kube-apiserver
+ - remote-node
+ toPorts:
+ - ports:
+ - port: "5000"
+ protocol: TCP
+{{- end}}
diff --git a/values/spegel/manifests/policies/CiliumNetworkPolicy-allow-world.yaml b/values/spegel/manifests/policies/CiliumNetworkPolicy-allow-world.yaml
new file mode 100644
index 00000000..2682f0b6
--- /dev/null
+++ b/values/spegel/manifests/policies/CiliumNetworkPolicy-allow-world.yaml
@@ -0,0 +1,17 @@
+{{- if .Values.clusterConfig.cilium.enabled }}
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-world-dns
+ namespace: spegel
+spec:
+ description: Allow DNS world
+ egress:
+ - toPorts:
+ - ports:
+ - port: "5001"
+ protocol: TCP
+ endpointSelector:
+ matchLabels:
+ app.kubernetes.io/name: spegel
+{{- end }}
diff --git a/values/spegel/manifests/spegel.yaml b/values/spegel/manifests/spegel.yaml
new file mode 100644
index 00000000..c59d91ca
--- /dev/null
+++ b/values/spegel/manifests/spegel.yaml
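Review bot: `endpointSelector: matchLabels: {}` in allow-remote-node selects every pod in the `spegel` namespace, so ingress from `remote-node` and `kube-apiserver` on TCP/5000 is opened to anything scheduled there, not just spegel. The sibling policies scope to `app.kubernetes.io/instance: spegel`; using the same selector here keeps the allowance to the registry pods. A one-line `description:` stating what TCP/5000 is would also help the next reader.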
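Review bot: The allow-world policy's name `allow-world-dns` and `description: Allow DNS world` do not match its rule, which permits TCP/5001 egress to any destination and says nothing about DNS; either the description should say what 5001 is for, or an intended DNS rule is missing. Because `egress` has `toPorts` with no `toEntities`/`toEndpoints`, this is an any-destination allowance on that port; if the peers are cluster nodes, adding `toEntities: [remote-node]` bounds it. The selector uses `app.kubernetes.io/name: spegel` while the other three policies use `app.kubernetes.io/instance: spegel`; pick one after checking which label the chart actually sets.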
@@ -0,0 +1,38 @@ +{{- if .Values.clusterConfig.argo.enabled }} +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: spegel + namespace: argocd +spec: + destination: + namespace: spegel + server: 'https://kubernetes.default.svc' + sources: + - repoURL: {{ .Values.clusterConfig.manifests }} + targetRevision: HEAD + path: helmfile.d + plugin: + name: helmfile-cmp + env: + - name: CLUSTER_NAME + value: {{ .Values.clusterConfig.cluster }} + - name: HELMFILE_ENVIRONMENT + value: default + - name: HELMFILE_FILE_PATH + value: spegel.yaml.gotmpl + project: sys + syncPolicy: + managedNamespaceMetadata: + labels: + component: sys + syncOptions: + - CreateNamespace=true + - ApplyOutOfSyncOnly=true + - ServerSideApply=true + {{- if .Values.spegel.autosync }} + automated: + prune: true + # selfHeal: false + {{- end }} +{{- end }} diff --git a/values/spegel/values/spegel.yaml.gotmpl b/values/spegel/values/spegel.yaml.gotmpl new file mode 100644 index 00000000..5580611e --- /dev/null +++ b/values/spegel/values/spegel.yaml.gotmpl @@ -0,0 +1,4 @@ +spegel: + containerdRegistryConfigPath: /etc/cri/conf.d/hosts + registryFilters: + - "^yolo-registry.dev.oceanbox\\.io/" diff --git a/values/umami/values/values-prod.yaml b/values/umami/values/values-prod.yaml index d846505a..b2a7abc5 100644 --- a/values/umami/values/values-prod.yaml +++ b/values/umami/values/values-prod.yaml @@ -6,7 +6,7 @@ image: # -- image pull policy # pullPolicy: # -- Overrides the image tag - tag: "postgresql-v2.19.0" + tag: "3.0" replicaCount: 1 @@ -17,11 +17,11 @@ resources: limits: # cpu: 100m # ephemeral-storage: 2Gi - memory: 750Mi + memory: 500Mi requests: - cpu: 500m + cpu: 100m # ephemeral-storage: 50Mi - memory: 750Mi + memory: 500Mi securityContext: runAsGroup: 65533
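Review bot: The templated scalars in spegel.yaml are unquoted, `repoURL: {{ .Values.clusterConfig.manifests }}` and `value: {{ .Values.clusterConfig.cluster }}`, so an empty or indicator-led expansion changes the YAML type instead of producing a string; `repoURL: "{{ .Values.clusterConfig.manifests }}"` and `value: "{{ .Values.clusterConfig.cluster }}"` are the safe forms, and they would also match the quoting already used on `server: 'https://kubernetes.default.svc'`. `HELMFILE_ENVIRONMENT` is hard-coded to `default` while this commit adds per-environment spegel env files (env-ekman, env-oceanbox); if those are meant to take effect through this Application, confirm that `default` is the environment they are selected under.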
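Review bot: The filter `"^yolo-registry.dev.oceanbox\\.io/"` escapes the dot in `\\.io` but leaves the dots in `registry.dev.oceanbox` as wildcards, so the pattern is inconsistently anchored to the registry host; `"^yolo-registry\\.dev\\.oceanbox\\.io/"` escapes all four. A short comment above `registryFilters:` saying that only images from this host are mirrored would make the intent clear to the next reader.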