Merge branch 'main' of gitlab.com:oceanbox/manifests

2025-11-13 09:13:26 +01:00
parent a83c8d1a5c ae93d09ecc
commit d8c4cd045c
59 changed files with 549 additions and 275 deletions
@@ -5,7 +5,7 @@ argo:
  rollouts:
    enabled: false
  workflows:
-    enabled: true
+    enabled: false

 argocd:
  autosync: true
@@ -52,7 +52,7 @@ spec:
    server: https://kubernetes.default.svc
  - namespace: mariadb-operator
    server: https://kubernetes.default.svc
-  - namespace: redis-operator
+  - namespace: dragonfly
    server: https://kubernetes.default.svc
  - namespace: cilium-spire
    server: https://kubernetes.default.svc
@@ -62,6 +62,8 @@ spec:
    server: https://kubernetes.default.svc
  - namespace: openfga
    server: https://kubernetes.default.svc
+  - namespace: staging-openfga
+    server: https://kubernetes.default.svc
  - namespace: dapr-system
    server: https://kubernetes.default.svc
  - namespace: rook-ceph
@@ -80,6 +82,8 @@ spec:
    server: https://kubernetes.default.svc
  - namespace: slurm
    server: https://kubernetes.default.svc
+  - namespace: spegel
+    server: https://kubernetes.default.svc
  sourceRepos:
  - https://argoproj.github.io/argo-helm
  - https://kubernetes-sigs.github.io/metrics-server/
@@ -113,6 +117,8 @@ spec:
  - ghcr.io/slinkyproject/charts
  - ghcr.io/slinkyproject/charts/slurm-operator
  - ghcr.io/slinkyproject/charts/slurm-operator-crds
+  - ghcr.io/spegel-org/helm-charts
+  - ghcr.io/dragonflydb/dragonfly-operator/helm/dragonfly-operator
  - https://operator.mariadb.com/mariadb-enterprise-operator
  - https://operator.mariadb.com
  - https://ot-container-kit.github.io/helm-charts
@@ -43,7 +43,7 @@ configs:
      connectors:
      {{- with .Values.clusterConfig.oidc }}
      {{- range . }}
-      {{- if eq .provider "azuread" }}
+      {{- if eq .group "devel" }}
      - type: oidc
        id: {{ .name }}
        name: {{ .name }}
@@ -61,20 +61,6 @@ configs:
            - profile
            - email
            - groups
-      {{- else if eq .provider "github" }}
-      - type: github
-        id: {{ .name }}
-        name: {{ .name }}
-        config:
-          clientID: ${{ .name | replace "-" "_" }}_client_id
-          clientSecret: ${{ .name | replace "-" "_" }}_client_secret
-          redirectURI: https://argocd.{{ $.Values.clusterConfig.domain }}/api/dex/callback
-          orgs:
-          - name: {{ .allowed_organizations }}
-          loadAllGroups: true
-          teamNameField: slug
-          useLoginAsID: false
-      {{- end }}
      staticClients:
      - id: ${{ .name | replace "-" "_" }}_client_id
        name: Kubernetes
@@ -87,6 +73,7 @@ configs:
        secret: 8d52926efe879ee505391b75f4b046cf
      {{- end }}
      {{- end }}
+      {{- end }}
    admin.enabled: false
  rbac:
    # NOTE(kai): dd2aa2d6 ... is ID for azure kubernetes_operator group
@@ -150,6 +137,7 @@ dex:
  {{- with .Values.clusterConfig.oidc }}
  env:
  {{- range . }}
+  {{- if eq .group "devel" }}
  - name: {{ .name | replace "-" "_" }}_client_secret
    valueFrom:
      secretKeyRef:
@@ -162,6 +150,7 @@ dex:
        key: client_id
  {{- end }}
  {{- end }}
+  {{- end }}

 redis:
  metrics:
@@ -1,6 +1,6 @@
 replicaCount: 1
 image:
-  tag: e9c21c12-debug
+  tag: f8940c92-debug
 podAnnotations:
  dapr.io/app-id: "staging-atlantis"
 env:
@@ -0,0 +1,18 @@
+{{- if .Values.clusterConfig.cilium.enabled }}
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-remote-node-webhooks
+  namespace: cert-manager
+spec:
+  endpointSelector:
+    matchLabels: {}
+  ingress:
+  - fromEntities:
+    - kube-apiserver
+    - remote-node
+  - toPorts:
+    - ports:
+      - port: "8443"
+        protocol: TCP
+{{- end }}
@@ -1,3 +1,3 @@
-redis_operator:
+dragonfly:
  enabled: true
  autosync: false
@@ -1,3 +1,3 @@
-redis_operator:
+dragonfly:
  enabled: true
  autosync: false
@@ -1,3 +1,3 @@
-redis_operator:
+dragonfly:
  enabled: false
  autosync: false
@@ -2,11 +2,11 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: redis-operator
+  name: dragonfly
  namespace: argocd
 spec:
  destination:
-    namespace: redis-operator
+    namespace: dragonfly
    server: 'https://kubernetes.default.svc'
  sources:
  - repoURL: {{ .Values.clusterConfig.manifests }}
@@ -20,7 +20,7 @@ spec:
      - name: HELMFILE_ENVIRONMENT
        value: default
      - name: HELMFILE_FILE_PATH
-        value: redis-operator.yaml.gotmpl
+        value: dragonfly.yaml.gotmpl
  project: sys
  syncPolicy:
    managedNamespaceMetadata:
@@ -30,7 +30,7 @@ spec:
      - CreateNamespace=true
      - ApplyOutOfSyncOnly=true
      - ServerSideApply=true
-    {{- if .Values.redis_operator.autosync }}
+    {{- if .Values.dragonfly}}
    automated:
      prune: true
      # selfHeal: false
@@ -3,12 +3,12 @@ apiVersion: cilium.io/v2
 kind: CiliumNetworkPolicy
 metadata:
  name: allow-api-server
-  namespace: redis-operator
+  namespace: dragonfly
 spec:
  egress:
    - toEntities:
        - kube-apiserver
  endpointSelector:
    matchLabels:
-      app.kubernetes.io/instance: redis-operator
+      app.kubernetes.io/instance: dragonfly-operator
 {{- end}}
@@ -2,12 +2,12 @@
 apiVersion: cilium.io/v2
 kind: CiliumNetworkPolicy
 metadata:
-  name: allow-host-to-redis
-  namespace: redis-operator
+  name: allow-host-to-dragonfly
+  namespace: dragonfly
 spec:
  endpointSelector:
    matchLabels:
-      app.kubernetes.io/instance: redis-operator
+      app.kubernetes.io/instance: dragonfly-operator
  ingress:
    - fromEntities:
        - host
@@ -3,11 +3,11 @@ apiVersion: cilium.io/v2
 kind: CiliumNetworkPolicy
 metadata:
  name: allow-prometheus-metrics
-  namespace: redis-operator
+  namespace: dragonfly
 spec:
  endpointSelector:
    matchLabels:
-      app.kubernetes.io/instance: redis-operator
+      app.kubernetes.io/instance: dragonfly-operator
  ingress:
    - fromEndpoints:
        - matchLabels:
@@ -3,7 +3,7 @@ apiVersion: cilium.io/v2
 kind: CiliumNetworkPolicy
 metadata:
  name: allow-remote-node-webhooks
-  namespace: redis-operator
+  namespace: dragonfly
 spec:
  endpointSelector:
    matchLabels: {}
@@ -0,0 +1,2 @@
+serviceMonitor:
+ enabled: true
@@ -8,22 +8,15 @@ clusterConfig:
  initca: "/var/lib/kubernetes/secrets"
  apiserver: "ekman-manage"
  apiserverip: "10.255.241.99"
-  etcd_nodes: [ "10.255.241.80, 10.255.241.90, 10.255.241.99" ]
-  k8s_nodes: [ "10.255.241.80, 10.255.241.90, 10.255.241.99, 10.255.241.100, 10.255.241.101, 10.255.241.102, 10.255.241.103, 10.255.241.104, 10.255.241.105, 10.255.241.106, 10.255.241.107, 10.255.241.108, 10.255.241.109, 10.255.241.110, 10.255.241.111, 10.255.241.112, 10.255.241.113, 10.255.241.114, 10.255.241.116, 10.255.241.121, 10.255.241.122, 10.255.241.123, 10.255.241.124, 10.255.241.125, 10.255.241.126, 10.255.241.127, 10.255.241.128" ]
+  etcd_nodes: ["10.255.241.80, 10.255.241.90, 10.255.241.99"]
+  k8s_nodes:
+    [
+      "10.255.241.80, 10.255.241.90, 10.255.241.99, 10.255.241.100, 10.255.241.101, 10.255.241.102, 10.255.241.103, 10.255.241.104, 10.255.241.105, 10.255.241.106, 10.255.241.107, 10.255.241.108, 10.255.241.109, 10.255.241.110, 10.255.241.111, 10.255.241.112, 10.255.241.113, 10.255.241.114, 10.255.241.116, 10.255.241.121, 10.255.241.122, 10.255.241.123, 10.255.241.124, 10.255.241.125, 10.255.241.126, 10.255.241.127, 10.255.241.128",
+    ]
  cluster: "ekman"
-  ingress_nodes: ["ekman , ekman-manage" ]
+  ingress_nodes: ["ekman , ekman-manage"]
  ingress_replica_count: 2
  fileserver: "10.255.241.100"
-  acme:
-    email: "acme@oceanbox.io"
-    dns01: "namecheap-apikey"
-  oidc:
-  - name: oceanbox
-    provider: azuread
-    tenant: "3f737008-e9a0-4485-9d27-40329d288089"
-    secret_ref:
-      name: oceanbox-oidc
-    group_id: "eb17a659-4ce6-41bc-9153-d9b117c44479"
  nodes:
    - name: ekman-manage
      taints: []
@@ -6,22 +6,15 @@ clusterConfig:
  initca: ""
  apiserver: ""
  apiserverip: ""
-  etcd_nodes: [ "10.255.241.201, 10.255.241.202, 10.255.241.203" ]
-  k8s_nodes: [ "" ]
+  etcd_nodes: ["10.255.241.201, 10.255.241.202, 10.255.241.203"]
+  k8s_nodes: [""]
  cluster: "oceanbox"
-  ingress_nodes: ["oceanbox-controlplane-1, oceanbox-controlplane-2, oceanbox-controlplane-3" ]
+  ingress_nodes:
+    [
+      "oceanbox-controlplane-1, oceanbox-controlplane-2, oceanbox-controlplane-3",
+    ]
  ingress_replica_count: 3
  fileserver: "10.255.241.210"
-  acme:
-    email: "acme@oceanbox.io"
-    dns01: "namecheap-apikey"
-  oidc:
-  - name: oceanbox
-    provider: azuread
-    tenant: "3f737008-e9a0-4485-9d27-40329d288089"
-    secret_ref:
-      name: oceanbox-oidc
-    group_id: "eb17a659-4ce6-41bc-9153-d9b117c44479"
  s3:
    hosts: []
    patterns: []
@@ -8,28 +8,21 @@ clusterConfig:
  initca: "/var/lib/kubernetes/secrets"
  apiserver: "rossby-manage"
  apiserverip: "172.16.239.221"
-  etcd_nodes: [ "172.16.239.221, 172.16.239.222, 172.16.239.210" ]
-  k8s_nodes: [ "172.16.239.221, 172.16.239.222, 172.16.239.210, 172.16.239.111, 172.16.239.112, 172.16.239.113, 172.16.239.114, 172.16.239.115, 172.16.239.116, 172.16.239.117, 172.16.239.118, 172.16.239.119, 172.16.239.120, 172.16.239.121, 172.16.239.122, 172.16.239.123, 172.16.239.124, 172.16.239.125, 172.16.239.126, 172.16.239.127, 172.16.239.128, 172.16.239.129, 172.16.239.130" ]
+  etcd_nodes: ["172.16.239.221, 172.16.239.222, 172.16.239.210"]
+  k8s_nodes:
+    [
+      "172.16.239.221, 172.16.239.222, 172.16.239.210, 172.16.239.111, 172.16.239.112, 172.16.239.113, 172.16.239.114, 172.16.239.115, 172.16.239.116, 172.16.239.117, 172.16.239.118, 172.16.239.119, 172.16.239.120, 172.16.239.121, 172.16.239.122, 172.16.239.123, 172.16.239.124, 172.16.239.125, 172.16.239.126, 172.16.239.127, 172.16.239.128, 172.16.239.129, 172.16.239.130",
+    ]
  cluster: "rossby"
-  ingress_nodes: ["rossby, rossby-manage" ]
+  ingress_nodes: ["rossby, rossby-manage"]
  ingress_replica_count: 2
  ingress_clusterissuer: ca-issuer
  ingress_whitelist:
-   - 0.0.0.0/0
+    - 0.0.0.0/0
  ingress_hostnetwork: true
  ingress_hostport: false
  ingress_nodeport: false
  fileserver: "172.16.239.222"
-  acme:
-    email: "acme@oceanbox.io"
-    dns01: "namecheap-apikey"
-  oidc:
-  - name: oceanbox
-    provider: azuread
-    tenant: "3f737008-e9a0-4485-9d27-40329d288089"
-    secret_ref:
-      name: oceanbox-oidc
-    group_id: "eb17a659-4ce6-41bc-9153-d9b117c44479"
  nodes:
    - name: rossby-manage
      taints: []
@@ -11,9 +11,6 @@ clusterConfig:
  ingress_nodes: []
  ingress_replica_count: 3
  fileserver: ""
-  acme:
-    email: "acme@oceanbox.io"
-    dns01: ""
  nodenames: []
  nodes: []
  ingress_clusterissuer: "letsencrypt-production"
@@ -26,19 +23,31 @@ clusterConfig:
  ingress_hostnetwork: false
  ingress_hostport: false
  ingress_nodeport: true
-  oidc: []
-    #- name: azure
-    #  provider: azuread
-    #  tenant: "https://login.microsoftonline.com/<tenant>/oauth2/v2.0"
-    #  secret_ref:
-    #    name: azure-oidc
-    #  group_id: "<group_id>"
-    #- name: github
-    #  provider: github
-    #  secret_ref:
-    #    name: github-oidc
-    #  allowed_organizations: <org>
-    #  allowed_teams: <team-id>
+  acme:
+    email: "acme@oceanbox.io"
+    dns01: "namecheap-apikey"
+  oidc:
+    - group: admin
+      name: oceanbox
+      provider: azuread
+      tenant: "3f737008-e9a0-4485-9d27-40329d288089"
+      secret_ref:
+        name: oceanbox-oidc
+      group_id: "eb17a659-4ce6-41bc-9153-d9b117c44479"
+    - group: devel
+      name: oceanbox
+      provider: azuread
+      tenant: "3f737008-e9a0-4485-9d27-40329d288089"
+      secret_ref:
+        name: oceanbox-oidc
+      group_id: ""
+    - group: analytics
+      name: oceanbox
+      provider: azuread
+      tenant: "3f737008-e9a0-4485-9d27-40329d288089"
+      secret_ref:
+        name: oceanbox-oidc
+      group_id: "52bb4c7e-549c-4aed-bd95-9dcedf716f9f"
  s3:
    hosts: []
    patterns: []
@@ -314,6 +314,7 @@ configMaps:

           { "name": "jonas-atlantis.dev.oceanbox.io", "type": "A", "value": "10.255.241.11" },
           { "name": "jonas-sorcerer.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" },
+           { "name": "jonas-plume.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" },
           { "name": "stig-atlantis.dev.oceanbox.io", "type": "A", "value": "10.255.241.11" },
           { "name": "stig-sorcerer.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" },
           { "name": "stig-plume.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" },
@@ -323,8 +324,10 @@ configMaps:
           { "name": "mrtz-sorcerer.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" },
           { "name": "mrtz-plume.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" },
           { "name": "simkir-atlantis.dev.oceanbox.io", "type": "A", "value": "10.255.241.11" },
+           { "name": "simkir-user-portal.dev.oceanbox.io", "type": "A", "value": "10.255.241.11" },
           { "name": "simkir-sorcerer.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" },
           { "name": "simkir-plume.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" },
           { "name": "ole-atlantis.dev.oceanbox.io", "type": "A", "value": "10.255.241.11" },
-           { "name": "ole-sorcerer.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" }
+           { "name": "ole-sorcerer.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" },
+           { "name": "ole-plume.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" }
        ]
@@ -1,6 +1,6 @@
 replicaCount: 1
 image:
-  tag: "6efcdecb-debug"
+  tag: "2592c5b2-debug"
 env:
  - name: APP_VERSION
    value: "0.0.0-staging"
@@ -1,3 +1,2 @@
 openfga:
  enabled: true
-  env: prod
@@ -1,4 +1,4 @@
 openfga:
  enabled: false
  autosync: false
-  env: prod
+  env: {{ .Environment.Name }}
@@ -10,7 +10,11 @@ metadata:
  - resources-finalizer.argocd.argoproj.io
 spec:
  destination:
+    {{- if eq .Values.openfga.env "prod" }}
    namespace: openfga
+    {{- else }}
+    namespace: {{ .Values.openfga.env }}-openfga
+    {{- end }}
    server: https://kubernetes.default.svc
  project: sys
  sources:
@@ -10,10 +10,9 @@ type: Opaque
 ---
 apiVersion: v1
 stringData:
-  postgres-password: iAnMHs3eEuQM0D4jeAP1dwEoLWUBSwNXwhBuPDOgmfoeZ58iV0zogQ77U3GNUbwa
-  uri:  postgres://postgres:iAnMHs3eEuQM0D4jeAP1dwEoLWUBSwNXwhBuPDOgmfoeZ58iV0zogQ77U3GNUbwa@staging-openfga-rw.openfga.svc.cluster.local:5432/postgres?sslmode=disable
+  uri:  postgres://staging-openfga-db-rw.staging-openfga.svc.cluster.local:5432/app?sslmode=disable
 kind: Secret
 metadata:
  name: staging-openfga-postgresql
-  namespace: openfga
+  namespace: staging-openfga
 type: Opaque
@@ -2,8 +2,12 @@ replicaCount: 1

 datastore:
  engine: postgres
-  uriSecret: staging-openfga-db-superuser
  migrationType: initContainer
+  uriSecret: staging-openfga-postgresql
+  existingSecret: staging-openfga-db-superuser 
+  secretKeys:
+    usernameKey: username
+    passwordKey: password

 ingress:
  enabled: true
@@ -27,7 +31,7 @@ extraObjects:
    kind: Cluster
    metadata:
      name: staging-openfga-db
-      namespace: openfga
+      namespace: staging-openfga
    spec:
      instances: 1
      imageName: ghcr.io/cloudnative-pg/postgresql:17-bookworm
@@ -1,6 +1,6 @@
 replicaCount: 1
 image:
-  tag: 544657c0-debug
+  tag: 121f49c9-debug
 podAnnotations:
  dapr.io/enabled: "true"
  dapr.io/app-id: "staging-plume"
@@ -122,7 +122,7 @@ grafana:
    users:
      auto_assign_org_role: "Admin"
    {{- range .Values.clusterConfig.oidc }}
-    {{- if eq .provider "azuread" }}
+    {{- if eq .group "analytics" }}
    auth.{{ .provider }}:
      enabled: true
      name: {{ .name }}
@@ -135,32 +135,34 @@ grafana:
      allow_sign_up: true
      role_attribute_strict: false
      allow_assign_grafana_admin: true
-    {{- else if eq .provider "github" }}
-    auth.{{ .provider }}:
-      name: {{ .name }}
-      enabled: true
-      client_id: $__file{/etc/secrets/oauth/{{ .name }}/client_id}
-      client_secret: $__file{/etc/secrets/oauth/{{ .name }}/client_secret}
-      allowed_organizations: {{ .allowed_organizations }}
-      {{- if .allowed_teams }}
-      allowed_teams: "{{ .allowed_teams }}"
-      {{- end }}
-      scopes: user:email,read:org
-      auth_url: https://github.com/login/oauth/authorize
-      token_url: https://github.com/login/oauth/access_token
-      allow_sign_up: true
-      role_attribute_strict: false
-      allow_assign_grafana_admin: true
+    #{{- else if eq .provider "github" }}
+    #auth.{{ .provider }}:
+    #  name: {{ .name }}
+    #  enabled: true
+    #  client_id: $__file{/etc/secrets/oauth/{{ .name }}/client_id}
+    #  client_secret: $__file{/etc/secrets/oauth/{{ .name }}/client_secret}
+    #  allowed_organizations: {{ .allowed_organizations }}
+    #  {{- if .allowed_teams }}
+    #  allowed_teams: "{{ .allowed_teams }}"
+    #  {{- end }}
+    #  scopes: user:email,read:org
+    #  auth_url: https://github.com/login/oauth/authorize
+    #  token_url: https://github.com/login/oauth/access_token
+    #  allow_sign_up: true
+    #  role_attribute_strict: false
+    #  allow_assign_grafana_admin: true
    {{- end }}
    {{- end }}
  extraSecretMounts:
  {{- range .Values.clusterConfig.oidc }}
+  {{- if eq .group "analytics" }}
  - name: {{ .name }}
    secretName: {{ .secret_ref.name }}
    defaultMode: 0440
    mountPath: /etc/secrets/oauth/{{ .name }}
    readOnly: true
  {{- end }}
+  {{- end }}

  {{- if .Values.prometheus.grafana.persistence }}
  persistence:
@@ -173,6 +175,9 @@ grafana:
    annotations:
      cert-manager.io/cluster-issuer: {{ .Values.clusterConfig.ingress_clusterissuer }}
      nginx.ingress.kubernetes.io/ssl-redirect: "true"
+      nginx.ingress.kubernetes.io/proxy-body-size: "0"
+      nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
+      nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
      {{- with .Values.clusterConfig.ingress_whitelist}}
      nginx.ingress.kubernetes.io/whitelist-source-range: {{ join "," . }}
      {{- end }}
@@ -458,6 +463,9 @@ prometheus:
    annotations:
      cert-manager.io/cluster-issuer: {{ .Values.clusterConfig.ingress_clusterissuer }}
      nginx.ingress.kubernetes.io/ssl-redirect: "true"
+      nginx.ingress.kubernetes.io/proxy-body-size: "0"
+      nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
+      nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
      {{- with .Values.clusterConfig.ingress_whitelist }}
      nginx.ingress.kubernetes.io/whitelist-source-range: {{ join "," . }}
      {{- end }}
@@ -1,25 +0,0 @@
-certmanager:
- enabled: true
-
-redisOperator:
- webhook: true
-
-# issuer:
- # create: true
- # kind: ClusterIssuer
- # name:
-
-# ha:
-#   enabled: false
-# metrics:
-#   enabled: true
-#   serviceMonitor:
-#     additionalLabels:
-#       release: prometheus
-#     enabled: true
-# webhook:
-#   certificate:
-#     certManager: false
-#   serviceMonitor:
-#     additionalLabels:
-#       release: prometehus
@@ -48,7 +48,7 @@
      "modelId": "01JKTZYMCZZBVSBG66W27XMW0A"
    },
    "sentryUrl": "https://5e6e3584098dc006de18038cf85d2cbe@o4509530141622272.ingest.de.sentry.io/4509547350065232",
-    "redis": "localhost:6379,user=default,password=secret",
+    "redis": "staging-sorcerer-redis:6379,user=default,password=secret",
    "allowedOrigins": [
        "http://localhost:8085",
        "http://localhost:8080",
@@ -7,7 +7,7 @@ spec:
  version: v1
  metadata:
  - name: redisHost
-    value: staging-sorcerer-redis-master:6379
+    value: staging-sorcerer-redis:6379
  - name: redisUsername
    value: default
  - name: redisPassword
@@ -7,7 +7,7 @@ spec:
  version: v1
  metadata:
  - name: redisHost
-    value: staging-sorcerer-redis-master:6379
+    value: staging-sorcerer-redis:6379
  - name: redisUsername
    value: default
  - name: redisPassword
@@ -20,4 +20,3 @@ master:
      cpu: 150m
      ephemeral-storage: 50Mi
      memory: 128Mi
-
@@ -78,6 +78,19 @@ persistence:
 #     operator: Equal
 #     value: compute
 #     effect: NoSchedule
+redis:
+  enabled: true
+  replicas: 3
+  size: 2Gi
+  backup:
+    enabled: true
+  secret:
+    name: "prod-sorcerer-redis"
+    key: "redis-password"
+  resources:
+    cpu: 150m
+    memory: 256Mi
+

 affinity:
  nodeAffinity:
@@ -1,6 +1,8 @@
 replicaCount: 1
+
 image:
-  tag: e9c21c12-debug
+  tag: 9566bce0-debug
+
 podAnnotations:
  dapr.io/enabled: "true"
  dapr.io/app-id: "staging-sorcerer"
@@ -13,6 +15,7 @@ podAnnotations:
  dapr.io/sidecar-memory-request: "50Mi"
  # dapr.io/sidecar-cpu-limit: "300m"
  # dapr.io/sidecar-memory-limit: "1000Mi"
+
 env:
  - name: APP_VERSION
    value: "0.0.0-staging"
@@ -30,6 +33,7 @@ env:
      secretKeyRef:
        name: dapr-api-token
        key: token
+
 ingress:
  enabled: true
  annotations:
@@ -62,11 +66,24 @@ ingress:
    - hosts:
        - sorcerer.ekman.oceanbox.io
      secretName: staging-sorcerer-tls
+
 persistence:
  enabled: true
  existingClaim: staging-sorcerer-ceph-archives
  # existingClaim: staging-oceanbox-backup-archives
  #
+redis:
+  enabled: true
+  size: 2Gi
+  backup:
+    enabled: true
+  secret:
+    name: "staging-sorcerer-redis"
+    key: "redis-password"
+  resources:
+    cpu: 150m
+    memory: 256Mi
+
 # nodeSelector:
 #   node-role.kubernetes.io/srv: ""
 #   kubernetes.io/hostname: fs-backup
@@ -77,6 +94,7 @@ persistence:
 #     operator: Equal
 #     value: compute
 #     effect: NoSchedule
+
 affinity:
  nodeAffinity:
    requiredDuringSchedulingIgnoredDuringExecution:
@@ -0,0 +1,3 @@
+spegel:
+  enabled: true
+  autosync: false
@@ -0,0 +1,3 @@
+spegel:
+  enabled: true
+  autosync: false
@@ -0,0 +1,3 @@
+spegel:
+  enabled: false
+  autosync: false
@@ -0,0 +1,14 @@
+{{- if .Values.clusterConfig.cilium.enabled }}
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-api-server
+  namespace: spegel
+spec:
+  egress:
+    - toEntities:
+        - kube-apiserver
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/instance: spegel
+{{- end}}
@@ -0,0 +1,19 @@
+{{- if .Values.clusterConfig.cilium.enabled }}
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-prometheus-metrics
+  namespace: spegel
+spec:
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/instance: spegel
+  ingress:
+    - fromEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: prometheus
+      toPorts:
+        - ports:
+            - port: "8080"
+              protocol: TCP
+{{- end}}
@@ -0,0 +1,18 @@
+{{- if .Values.clusterConfig.cilium.enabled }}
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-remote-node
+  namespace: spegel
+spec:
+  endpointSelector:
+    matchLabels: {}
+  ingress:
+    - fromEntities:
+        - kube-apiserver
+        - remote-node
+      toPorts:
+        - ports:
+            - port: "5000"
+              protocol: TCP
+{{- end}}
@@ -0,0 +1,17 @@
+{{- if .Values.clusterConfig.cilium.enabled }}
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-world-dns
+  namespace: spegel
+spec:
+  description: Allow DNS world
+  egress:
+    - toPorts:
+        - ports:
+            - port: "5001"
+              protocol: TCP
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: spegel
+{{- end }}
@@ -0,0 +1,38 @@
+{{- if .Values.clusterConfig.argo.enabled }}
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: spegel
+  namespace: argocd
+spec:
+  destination:
+    namespace: spegel
+    server: 'https://kubernetes.default.svc'
+  sources:
+  - repoURL: {{ .Values.clusterConfig.manifests }}
+    targetRevision: HEAD
+    path: helmfile.d
+    plugin:
+      name: helmfile-cmp
+      env:
+      - name: CLUSTER_NAME
+        value: {{ .Values.clusterConfig.cluster }}
+      - name: HELMFILE_ENVIRONMENT
+        value: default
+      - name: HELMFILE_FILE_PATH
+        value: spegel.yaml.gotmpl
+  project: sys
+  syncPolicy:
+    managedNamespaceMetadata:
+      labels:
+        component: sys
+    syncOptions:
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+      - ServerSideApply=true
+    {{- if .Values.spegel.autosync }}
+    automated:
+      prune: true
+      # selfHeal: false
+    {{- end }}
+{{- end }}
@@ -0,0 +1,4 @@
+spegel:
+  containerdRegistryConfigPath: /etc/cri/conf.d/hosts
+  registryFilters:
+    - "^yolo-registry.dev.oceanbox\\.io/"
@@ -6,7 +6,7 @@ image:
  # -- image pull policy
  # pullPolicy:
  # -- Overrides the image tag
-  tag: "postgresql-v2.19.0"
+  tag: "3.0"

 replicaCount: 1

@@ -17,11 +17,11 @@ resources:
  limits:
    # cpu: 100m
    # ephemeral-storage: 2Gi
-    memory: 750Mi
+    memory: 500Mi
  requests:
-    cpu: 500m
+    cpu: 100m
    # ephemeral-storage: 50Mi
-    memory: 750Mi
+    memory: 500Mi

 securityContext:
  runAsGroup: 65533