Merge branch 'main' of gitlab.com:oceanbox/manifests

2025-11-13 09:13:26 +01:00
parent a83c8d1a5c ae93d09ecc
commit d8c4cd045c
59 changed files with 549 additions and 275 deletions
@@ -1,14 +1,9 @@
 #!/usr/bin/env bash
 # the shebang is ignored, but nice for editors
-watch_file lon.lock
+watch_file nix/sources.json
 # Load .env file if it exists
 dotenv_if_exists
 # Activate development shell
-if type -P lorri &>/dev/null; then
+use nix
  eval "$(lorri direnv)"
 else
  echo 'while direnv evaluated .envrc, could not find the command "lorri" [https://github.com/nix-community/lorri]'
  use nix
 fi
@@ -4,7 +4,7 @@ description: Atlantis map and simulation service
 type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
-version: v1.27.0
+version: v1.30.1
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application.
-appVersion: v1.27.0
+appVersion: v1.30.1
@@ -1,45 +1,54 @@
 {{- if .Values.redis.enabled -}}
-apiVersion: redis.redis.opstreelabs.in/v1beta2
+apiVersion: dragonflydb.io/v1alpha1
-kind: Redis
+kind: Dragonfly
 metadata:
  name: {{ include "Atlantis.fullname" . }}-redis
  namespace: {{ .Release.Namespace }}
  annotations:
    linkerd.io/inject: disabled
  labels:
    app.kubernetes.io/created-by: dragonfly-operator
    app.kubernetes.io/instance: dragonfly
    {{- include "Atlantis.labels" . | nindent 4 }}
 spec:
-  kubernetesConfig:
+  args:
-    image: quay.io/opstree/redis:v7.2.6
+    - --maxmemory=$(MAX_MEMORY)Mi # Graceful memory management (90% of limit)
-    imagePullPolicy: IfNotPresent
+    - --proactor_threads=1 # Auto-detect CPU cores (optimal threading)
    - --cluster_mode=emulated
  env:
    - name: MAX_MEMORY
      valueFrom:
        resourceFieldRef:
          resource: limits.memory
          divisor: 1Mi
  replicas: {{ .Values.redis.replicas | default "1" }}
  resources:
    requests:
-        cpu: 101m
+      cpu: 150m
        memory: 128Mi
    limits:
      memory: 256Mi
-    redisSecret:
+  authentication:
    passwordFromSecret:
      name: {{ .Values.redis.secret.name | quote }}
      key: {{ .Values.redis.secret.key | quote }}
-  serviceMonitor:
+  metrics:
    enabled: {{ .Values.redis.metrics.enabled | default false }}
-  redisExporter:
+    port: 6379
    enabled: {{ .Values.redis.exporterEnabled | default false }}
    image: quay.io/opstree/redis-exporter:v1.44.0
    imagePullPolicy: Always
    resources:
      requests:
        cpu: 100m
        memory: 128Mi
      limits:
        memory: 256Mi
  storage:
-    volumeClaimTemplate:
+    requests:
-      spec:
+      storage: {{ .Values.redis.size | default "1Gi" }}
-        accessModes: ["ReadWriteOnce"]
+  {{- if .Values.redis.backup.enabled }}
  snapshot:
    dir: /data # Change to s3://redis/prod-atlantis-redis
    cron: "0 3 * * *" # Default: every day at 03:00
    enableOnMasterOnly: false
    persistentVolumeClaimSpec:
      accessModes:
      - ReadWriteOnce
      resources:
        requests:
-            storage: {{ .Values.cluster.size | default "1Gi" }}
+          storage: {{ .Values.redis.size | default "1Gi" }}
  {{- end }}
  podSecurityContext:
    runAsUser: 1000
    fsGroup: 1000
@@ -1,11 +1,10 @@
 # Default values for Atlantis.
 # This is a YAML-formatted file.
 # Declare variables to be passed into your templates.
 replicaCount: 1
 image:
  repository: registry.gitlab.com/oceanbox/poseidon/atlantis
-  tag: v1.27.0
+  tag: v1.30.1
  pullPolicy: IfNotPresent
 init:
  enabled: false
@@ -78,8 +77,9 @@ redis:
  instances: 1
  metrics:
    enabled: false
  backup:
    enabled: false
  size: 1Gi
  exporterEnabled: false
 cluster:
  enabled: true
  instances: 1
@@ -0,0 +1,55 @@
 {{- if .Values.redis.enabled -}}
 apiVersion: dragonflydb.io/v1alpha1
 kind: Dragonfly
 metadata:
  name: {{ include "Plume.fullname" . }}-redis
  namespace: {{ .Release.Namespace }}
  annotations:
    linkerd.io/inject: disabled
  labels:
    app.kubernetes.io/created-by: dragonfly-operator
    app.kubernetes.io/instance: dragonfly
    {{- include "Plume.labels" . | nindent 4 }}
 spec:
  args:
    - --maxmemory=$(MAX_MEMORY)Mi # Graceful memory management (90% of limit)
    - --proactor_threads=1 # Auto-detect CPU cores (optimal threading)
    - --cluster_mode=emulated
  env:
    - name: MAX_MEMORY
      valueFrom:
        resourceFieldRef:
          resource: limits.memory
          divisor: 1Mi
  replicas: {{ .Values.redis.replicas | default "1" }}
  resources:
    requests:
      cpu: 150m
    limits:
      memory: 256Mi
  authentication:
    passwordFromSecret:
      name: {{ .Values.redis.secret.name | quote }}
      key: {{ .Values.redis.secret.key | quote }}
  metrics:
    enabled: {{ .Values.redis.metrics.enabled | default false }}
    port: 6379
  storage:
    requests:
      storage: {{ .Values.redis.size | default "1Gi" }}
  {{- if .Values.redis.backup.enabled }}
  snapshot:
    dir: /data # Change to s3://redis/prod-atlantis-redis
    cron: "0 3 * * *" # Default: every day at 03:00
    enableOnMasterOnly: false
    persistentVolumeClaimSpec:
      accessModes:
      - ReadWriteOnce
      resources:
        requests:
          storage: {{ .Values.redis.size | default "1Gi" }}
  {{- end }}
  podSecurityContext:
    runAsUser: 1000
    fsGroup: 1000
 {{- end}}
@@ -59,6 +59,14 @@ cluster:
  backupEnabled: true
  backupRetention: 60d
  size: 5Gi
 redis:
  enabled: false
  instances: 1
  metrics:
    enabled: false
  backup:
    enabled: false
  size: 1Gi
 resources: {}
 # We usually recommend not to specify default resources and to leave this as a conscious
 # choice for the user. This also increases chances charts run on environments with little
@@ -4,7 +4,7 @@ description: A Helm chart for Kubernetes
 type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
-version: v1.27.0
+version: v1.30.1
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application.
-appVersion: v1.27.0
+appVersion: v1.30.1
@@ -1,46 +1,52 @@
 {{- if .Values.redis.enabled -}}
-apiVersion: redis.redis.opstreelabs.in/v1beta2
+apiVersion: dragonflydb.io/v1alpha1
-kind: Redis
+kind: Dragonfly
 metadata:
  name: {{ include "Sorcerer.fullname" . }}-redis
  namespace: {{ .Release.Namespace }}
  annotations:
    linkerd.io/inject: disabled
  labels:
    app.kubernetes.io/created-by: dragonfly-operator
    {{- include "Sorcerer.labels" . | nindent 4 }}
 spec:
-  kubernetesConfig:
+  args:
-    image: quay.io/opstree/redis:v7.2.6
+    - --dbfilename=dump           # Static filename prevents disk exhaustion
-    imagePullPolicy: IfNotPresent
+    - --maxmemory=$(MAX_MEMORY)Mi # Graceful memory management (90% of limit)
    - --proactor_threads=1        # Auto-detect CPU cores (optimal threading)
    - --cluster_mode=emulated
    - --logtostderr
    - --save_schedule=            # Disable continuous saves (cron snapshots only)
  env:
    - name: MAX_MEMORY
      valueFrom:
        resourceFieldRef:
          resource: limits.memory
          divisor: 1Mi
  replicas: {{ .Values.redis.replicas | default "1" }}
  resources:
    requests:
-        cpu: 101m
+      cpu: {{ .Values.redis.resources.cpu | default "150m" }}
-        memory: 128Mi
+      memory: {{ .Values.redis.resources.memory | default "256Mi"}}
    limits:
-        memory: 256Mi
+      memory: {{ .Values.redis.resources.memory | default "256Mi"}}
-    redisSecret:
+  authentication:
    passwordFromSecret:
      name: {{ .Values.redis.secret.name | quote }}
      key: {{ .Values.redis.secret.key | quote }}
-  serviceMonitor:
+  # metrics:
-    enabled: {{ .Values.redis.metrics.enabled | default false }}
+  #   enabled: {{ .Values.redis.metrics.enabled | default false }}
-  redisExporter:
+  #   port: 6379
-    enabled: {{ .Values.redis.exporterEnabled | default false }}
+  {{- if .Values.redis.backup.enabled }}
-    image: quay.io/opstree/redis-exporter:v1.44.0
+  snapshot:
-    imagePullPolicy: Always
+    dir: /data # Change to s3://redis/prod-atlantis-redis
    cron: "0 3 * * *" # Default: every day at 03:00
    enableOnMasterOnly: false
    persistentVolumeClaimSpec:
      accessModes:
      - ReadWriteOnce
      resources:
        requests:
-        cpu: 100m
+          storage: {{ .Values.redis.size | default "1Gi" }}
-        memory: 128Mi
+  {{- end }}
      limits:
        memory: 256Mi
  storage:
    volumeClaimTemplate:
      spec:
        accessModes: ["ReadWriteOnce"]
        resources:
          requests:
            storage: {{ .Values.cluster.size | default "1Gi" }}
  podSecurityContext:
    runAsUser: 1000
    fsGroup: 1000
 {{- end}}
@@ -5,7 +5,7 @@
 replicaCount: 1
 image:
  repository: registry.gitlab.com/oceanbox/poseidon/sorcerer
-  tag: v1.27.0
+  tag: v1.30.1
  pullPolicy: IfNotPresent
 init:
  enabled: false
@@ -64,6 +64,7 @@ ingress:
    - hosts:
        - sorcerer.srv.oceanbox.io
      secretName: sorcerer-tls
 persistence:
  enabled: true
  existingClaim: oceanbox-archives
@@ -72,17 +73,20 @@ persistence:
  # accessMode: ReadWriteMany
 redis:
  enabled: false
  instances: 1
  metrics:
    enabled: false
-  instances: 1
+  backup:
    enabled: false
  size: 1Gi
-  exporterEnabled: false
+
 cluster:
  enabled: false
  instances: 2
  backupEnabled: true
  backupRetention: 60d
  size: 5Gi
 resources: {}
 # We usually recommend not to specify default resources and to leave this as a conscious
 # choice for the user. This also increases chances charts run on environments with little
@@ -0,0 +1,44 @@
 bases:
 - ../envs/environments.yaml.gotmpl
 repositories:
 - name: dragonfly
  oci: true
  url: ghcr.io/dragonflydb/dragonfly-operator/helm
 commonLabels:
  tier: system
 releases:
 - name: dragonfly
  namespace: dragonfly
  chart: dragonfly/dragonfly-operator
  version: v1.3.0
  condition: dragonfly.enabled
  values:
  - ../values/dragonfly/values/dragonfly.yaml.gotmpl
  - ../values/dragonfly/values/dragonfly-{{ .Environment.Name }}.yaml.gotmpl
  postRenderer: ../bin/kustomizer
  postRendererArgs:
  - ../values/dragonfly/kustomize/{{ .Environment.Name }}
  missingFileHandler: Info
 - name: manifests
  namespace: dragonfly
  chart: manifests
  condition: dragonfly.enabled
  missingFileHandler: Info
  values:
  - ../values/env.yaml
  - ../values/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml
  - ../values/dragonfly/env.yaml.gotmpl
  - ../values/dragonfly/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml.gotmpl
  hooks:
  - events: [ prepare, cleanup ]
    showlogs: true
    command: ../bin/helmify
    args:
    - '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
    - '{{`{{ .Release.Chart }}`}}'
    - '{{`{{ .Environment.Name }}`}}'
    - ../values/dragonfly/manifests
    - manifests
@@ -10,7 +10,11 @@ commonLabels:
 releases:
 - name: {{ .Environment.Name }}-openfga
  {{- if eq .Environment.Name "prod" }}
  namespace: openfga
  {{- else }}
  namespace: {{ .Environment.Name }}-openfga
  {{- end }}
  chart: openfga/openfga
  version: 0.2.45
  condition: openfga.enabled
@@ -22,7 +26,11 @@ releases:
  - ../values/openfga/kustomize/{{ .Environment.Name }}
  missingFileHandler: Info
 - name: manifests
  {{- if eq .Environment.Name "prod" }}
  namespace: openfga
  {{- else }}
  namespace: {{ .Environment.Name }}-openfga
  {{- end }}
  chart: manifests
  condition: openfga.enabled
  missingFileHandler: Info
@@ -1,43 +0,0 @@
 bases:
 - ../envs/environments.yaml.gotmpl
 repositories:
 - name: redis-operator
  url: 'https://ot-container-kit.github.io/helm-charts'
 commonLabels:
  tier: system
 releases:
 - name: redis-operator
  namespace: redis-operator
  chart: redis-operator/redis-operator
  version: 0.22.1
  condition: redis_operator.enabled
  values:
  - ../values/redis-operator/values/redis-operator.yaml.gotmpl
  - ../values/redis-operator/values/redis-operator-{{ .Environment.Name }}.yaml.gotmpl
  postRenderer: ../bin/kustomizer
  postRendererArgs:
  - ../values/redis-operator/kustomize/{{ .Environment.Name }}
  missingFileHandler: Info
 - name: manifests
  namespace: redis-operator
  chart: manifests
  condition: redis_operator.enabled
  missingFileHandler: Info
  values:
  - ../values/env.yaml
  - ../values/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml
  - ../values/redis-operator/env.yaml.gotmpl
  - ../values/redis-operator/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml.gotmpl
  hooks:
  - events: [ prepare, cleanup ]
    showlogs: true
    command: ../bin/helmify
    args:
    - '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
    - '{{`{{ .Release.Chart }}`}}'
    - '{{`{{ .Environment.Name }}`}}'
    - ../values/redis-operator/manifests
    - manifests
@@ -0,0 +1,44 @@
 bases:
 - ../envs/environments.yaml.gotmpl
 repositories:
 - name: spegel
  oci: true
  url: ghcr.io/spegel-org/helm-charts
 commonLabels:
  tier: system
 releases:
 - name: spegel
  namespace: spegel
  chart: spegel/spegel
  version: 0.5.1
  condition: spegel.enabled
  values:
  - ../values/spegel/values/spegel.yaml.gotmpl
  - ../values/spegel/values/spegel-{{ .Environment.Name }}.yaml.gotmpl
  postRenderer: ../bin/kustomizer
  postRendererArgs:
  - ../values/spegel/kustomize/{{ .Environment.Name }}
  missingFileHandler: Info
 - name: manifests
  namespace: spegel
  chart: manifests
  condition: spegel.enabled
  missingFileHandler: Info
  values:
  - ../values/env.yaml
  - ../values/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml
  - ../values/spegel/env.yaml.gotmpl
  - ../values/spegel/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml.gotmpl
  hooks:
  - events: [ prepare, cleanup ]
    showlogs: true
    command: ../bin/helmify
    args:
    - '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
    - '{{`{{ .Release.Chart }}`}}'
    - '{{`{{ .Environment.Name }}`}}'
    - ../values/spegel/manifests
    - manifests
@@ -14,7 +14,7 @@ releases:
 - name: umami
  namespace: analytics
  chart: umami/umami
-  version: 5.0.11
+  version: 6.0.1
  condition: umami.enabled
  values:
  - ../values/umami/values/values.yaml
@@ -36,6 +36,6 @@ pkgs.mkShellNoCC {
    dapr-cli
  ];
-  ARGOCD_ENV_CLUSTER_NAME = "oceanbox";
+  ARGOCD_ENV_CLUSTER_NAME = "ekman";
  HELM_GIT_ACCESS_TOKEN = "glpat-xxx";
 }
@@ -5,7 +5,7 @@ argo:
  rollouts:
    enabled: false
  workflows:
-    enabled: true
+    enabled: false
 argocd:
  autosync: true
@@ -52,7 +52,7 @@ spec:
    server: https://kubernetes.default.svc
  - namespace: mariadb-operator
    server: https://kubernetes.default.svc
-  - namespace: redis-operator
+  - namespace: dragonfly
    server: https://kubernetes.default.svc
  - namespace: cilium-spire
    server: https://kubernetes.default.svc
@@ -62,6 +62,8 @@ spec:
    server: https://kubernetes.default.svc
  - namespace: openfga
    server: https://kubernetes.default.svc
  - namespace: staging-openfga
    server: https://kubernetes.default.svc
  - namespace: dapr-system
    server: https://kubernetes.default.svc
  - namespace: rook-ceph
@@ -80,6 +82,8 @@ spec:
    server: https://kubernetes.default.svc
  - namespace: slurm
    server: https://kubernetes.default.svc
  - namespace: spegel
    server: https://kubernetes.default.svc
  sourceRepos:
  - https://argoproj.github.io/argo-helm
  - https://kubernetes-sigs.github.io/metrics-server/
@@ -113,6 +117,8 @@ spec:
  - ghcr.io/slinkyproject/charts
  - ghcr.io/slinkyproject/charts/slurm-operator
  - ghcr.io/slinkyproject/charts/slurm-operator-crds
  - ghcr.io/spegel-org/helm-charts
  - ghcr.io/dragonflydb/dragonfly-operator/helm/dragonfly-operator
  - https://operator.mariadb.com/mariadb-enterprise-operator
  - https://operator.mariadb.com
  - https://ot-container-kit.github.io/helm-charts
@@ -43,7 +43,7 @@ configs:
      connectors:
      {{- with .Values.clusterConfig.oidc }}
      {{- range . }}
-      {{- if eq .provider "azuread" }}
+      {{- if eq .group "devel" }}
      - type: oidc
        id: {{ .name }}
        name: {{ .name }}
@@ -61,20 +61,6 @@ configs:
            - profile
            - email
            - groups
      {{- else if eq .provider "github" }}
      - type: github
        id: {{ .name }}
        name: {{ .name }}
        config:
          clientID: ${{ .name | replace "-" "_" }}_client_id
          clientSecret: ${{ .name | replace "-" "_" }}_client_secret
          redirectURI: https://argocd.{{ $.Values.clusterConfig.domain }}/api/dex/callback
          orgs:
          - name: {{ .allowed_organizations }}
          loadAllGroups: true
          teamNameField: slug
          useLoginAsID: false
      {{- end }}
      staticClients:
      - id: ${{ .name | replace "-" "_" }}_client_id
        name: Kubernetes
@@ -87,6 +73,7 @@ configs:
        secret: 8d52926efe879ee505391b75f4b046cf
      {{- end }}
      {{- end }}
      {{- end }}
    admin.enabled: false
  rbac:
    # NOTE(kai): dd2aa2d6 ... is ID for azure kubernetes_operator group
@@ -150,6 +137,7 @@ dex:
  {{- with .Values.clusterConfig.oidc }}
  env:
  {{- range . }}
  {{- if eq .group "devel" }}
  - name: {{ .name | replace "-" "_" }}_client_secret
    valueFrom:
      secretKeyRef:
@@ -162,6 +150,7 @@ dex:
        key: client_id
  {{- end }}
  {{- end }}
  {{- end }}
 redis:
  metrics:
@@ -1,6 +1,6 @@
 replicaCount: 1
 image:
-  tag: e9c21c12-debug
+  tag: f8940c92-debug
 podAnnotations:
  dapr.io/app-id: "staging-atlantis"
 env:
@@ -0,0 +1,18 @@
 {{- if .Values.clusterConfig.cilium.enabled }}
 apiVersion: cilium.io/v2
 kind: CiliumNetworkPolicy
 metadata:
  name: allow-remote-node-webhooks
  namespace: cert-manager
 spec:
  endpointSelector:
    matchLabels: {}
  ingress:
  - fromEntities:
    - kube-apiserver
    - remote-node
  - toPorts:
    - ports:
      - port: "8443"
        protocol: TCP
 {{- end }}
@@ -1,3 +1,3 @@
-redis_operator:
+dragonfly:
  enabled: true
  autosync: false
@@ -1,3 +1,3 @@
-redis_operator:
+dragonfly:
  enabled: true
  autosync: false
@@ -1,3 +1,3 @@
-redis_operator:
+dragonfly:
  enabled: false
  autosync: false
@@ -2,11 +2,11 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: redis-operator
+  name: dragonfly
  namespace: argocd
 spec:
  destination:
-    namespace: redis-operator
+    namespace: dragonfly
    server: 'https://kubernetes.default.svc'
  sources:
  - repoURL: {{ .Values.clusterConfig.manifests }}
@@ -20,7 +20,7 @@ spec:
      - name: HELMFILE_ENVIRONMENT
        value: default
      - name: HELMFILE_FILE_PATH
-        value: redis-operator.yaml.gotmpl
+        value: dragonfly.yaml.gotmpl
  project: sys
  syncPolicy:
    managedNamespaceMetadata:
@@ -30,7 +30,7 @@ spec:
      - CreateNamespace=true
      - ApplyOutOfSyncOnly=true
      - ServerSideApply=true
-    {{- if .Values.redis_operator.autosync }}
+    {{- if .Values.dragonfly}}
    automated:
      prune: true
      # selfHeal: false
@@ -3,12 +3,12 @@ apiVersion: cilium.io/v2
 kind: CiliumNetworkPolicy
 metadata:
  name: allow-api-server
-  namespace: redis-operator
+  namespace: dragonfly
 spec:
  egress:
    - toEntities:
        - kube-apiserver
  endpointSelector:
    matchLabels:
-      app.kubernetes.io/instance: redis-operator
+      app.kubernetes.io/instance: dragonfly-operator
 {{- end}}
@@ -2,12 +2,12 @@
 apiVersion: cilium.io/v2
 kind: CiliumNetworkPolicy
 metadata:
-  name: allow-host-to-redis
+  name: allow-host-to-dragonfly
-  namespace: redis-operator
+  namespace: dragonfly
 spec:
  endpointSelector:
    matchLabels:
-      app.kubernetes.io/instance: redis-operator
+      app.kubernetes.io/instance: dragonfly-operator
  ingress:
    - fromEntities:
        - host
@@ -3,11 +3,11 @@ apiVersion: cilium.io/v2
 kind: CiliumNetworkPolicy
 metadata:
  name: allow-prometheus-metrics
-  namespace: redis-operator
+  namespace: dragonfly
 spec:
  endpointSelector:
    matchLabels:
-      app.kubernetes.io/instance: redis-operator
+      app.kubernetes.io/instance: dragonfly-operator
  ingress:
    - fromEndpoints:
        - matchLabels:
@@ -3,7 +3,7 @@ apiVersion: cilium.io/v2
 kind: CiliumNetworkPolicy
 metadata:
  name: allow-remote-node-webhooks
-  namespace: redis-operator
+  namespace: dragonfly
 spec:
  endpointSelector:
    matchLabels: {}
@@ -0,0 +1,2 @@
 serviceMonitor:
 enabled: true
@@ -8,22 +8,15 @@ clusterConfig:
  initca: "/var/lib/kubernetes/secrets"
  apiserver: "ekman-manage"
  apiserverip: "10.255.241.99"
-  etcd_nodes: [ "10.255.241.80, 10.255.241.90, 10.255.241.99" ]
+  etcd_nodes: ["10.255.241.80, 10.255.241.90, 10.255.241.99"]
-  k8s_nodes: [ "10.255.241.80, 10.255.241.90, 10.255.241.99, 10.255.241.100, 10.255.241.101, 10.255.241.102, 10.255.241.103, 10.255.241.104, 10.255.241.105, 10.255.241.106, 10.255.241.107, 10.255.241.108, 10.255.241.109, 10.255.241.110, 10.255.241.111, 10.255.241.112, 10.255.241.113, 10.255.241.114, 10.255.241.116, 10.255.241.121, 10.255.241.122, 10.255.241.123, 10.255.241.124, 10.255.241.125, 10.255.241.126, 10.255.241.127, 10.255.241.128" ]
+  k8s_nodes:
    [
      "10.255.241.80, 10.255.241.90, 10.255.241.99, 10.255.241.100, 10.255.241.101, 10.255.241.102, 10.255.241.103, 10.255.241.104, 10.255.241.105, 10.255.241.106, 10.255.241.107, 10.255.241.108, 10.255.241.109, 10.255.241.110, 10.255.241.111, 10.255.241.112, 10.255.241.113, 10.255.241.114, 10.255.241.116, 10.255.241.121, 10.255.241.122, 10.255.241.123, 10.255.241.124, 10.255.241.125, 10.255.241.126, 10.255.241.127, 10.255.241.128",
    ]
  cluster: "ekman"
-  ingress_nodes: ["ekman , ekman-manage" ]
+  ingress_nodes: ["ekman , ekman-manage"]
  ingress_replica_count: 2
  fileserver: "10.255.241.100"
  acme:
    email: "acme@oceanbox.io"
    dns01: "namecheap-apikey"
  oidc:
  - name: oceanbox
    provider: azuread
    tenant: "3f737008-e9a0-4485-9d27-40329d288089"
    secret_ref:
      name: oceanbox-oidc
    group_id: "eb17a659-4ce6-41bc-9153-d9b117c44479"
  nodes:
    - name: ekman-manage
      taints: []
@@ -6,22 +6,15 @@ clusterConfig:
  initca: ""
  apiserver: ""
  apiserverip: ""
-  etcd_nodes: [ "10.255.241.201, 10.255.241.202, 10.255.241.203" ]
+  etcd_nodes: ["10.255.241.201, 10.255.241.202, 10.255.241.203"]
-  k8s_nodes: [ "" ]
+  k8s_nodes: [""]
  cluster: "oceanbox"
-  ingress_nodes: ["oceanbox-controlplane-1, oceanbox-controlplane-2, oceanbox-controlplane-3" ]
+  ingress_nodes:
    [
      "oceanbox-controlplane-1, oceanbox-controlplane-2, oceanbox-controlplane-3",
    ]
  ingress_replica_count: 3
  fileserver: "10.255.241.210"
  acme:
    email: "acme@oceanbox.io"
    dns01: "namecheap-apikey"
  oidc:
  - name: oceanbox
    provider: azuread
    tenant: "3f737008-e9a0-4485-9d27-40329d288089"
    secret_ref:
      name: oceanbox-oidc
    group_id: "eb17a659-4ce6-41bc-9153-d9b117c44479"
  s3:
    hosts: []
    patterns: []
@@ -8,10 +8,13 @@ clusterConfig:
  initca: "/var/lib/kubernetes/secrets"
  apiserver: "rossby-manage"
  apiserverip: "172.16.239.221"
-  etcd_nodes: [ "172.16.239.221, 172.16.239.222, 172.16.239.210" ]
+  etcd_nodes: ["172.16.239.221, 172.16.239.222, 172.16.239.210"]
-  k8s_nodes: [ "172.16.239.221, 172.16.239.222, 172.16.239.210, 172.16.239.111, 172.16.239.112, 172.16.239.113, 172.16.239.114, 172.16.239.115, 172.16.239.116, 172.16.239.117, 172.16.239.118, 172.16.239.119, 172.16.239.120, 172.16.239.121, 172.16.239.122, 172.16.239.123, 172.16.239.124, 172.16.239.125, 172.16.239.126, 172.16.239.127, 172.16.239.128, 172.16.239.129, 172.16.239.130" ]
+  k8s_nodes:
    [
      "172.16.239.221, 172.16.239.222, 172.16.239.210, 172.16.239.111, 172.16.239.112, 172.16.239.113, 172.16.239.114, 172.16.239.115, 172.16.239.116, 172.16.239.117, 172.16.239.118, 172.16.239.119, 172.16.239.120, 172.16.239.121, 172.16.239.122, 172.16.239.123, 172.16.239.124, 172.16.239.125, 172.16.239.126, 172.16.239.127, 172.16.239.128, 172.16.239.129, 172.16.239.130",
    ]
  cluster: "rossby"
-  ingress_nodes: ["rossby, rossby-manage" ]
+  ingress_nodes: ["rossby, rossby-manage"]
  ingress_replica_count: 2
  ingress_clusterissuer: ca-issuer
  ingress_whitelist:
@@ -20,16 +23,6 @@ clusterConfig:
  ingress_hostport: false
  ingress_nodeport: false
  fileserver: "172.16.239.222"
  acme:
    email: "acme@oceanbox.io"
    dns01: "namecheap-apikey"
  oidc:
  - name: oceanbox
    provider: azuread
    tenant: "3f737008-e9a0-4485-9d27-40329d288089"
    secret_ref:
      name: oceanbox-oidc
    group_id: "eb17a659-4ce6-41bc-9153-d9b117c44479"
  nodes:
    - name: rossby-manage
      taints: []
@@ -11,9 +11,6 @@ clusterConfig:
  ingress_nodes: []
  ingress_replica_count: 3
  fileserver: ""
  acme:
    email: "acme@oceanbox.io"
    dns01: ""
  nodenames: []
  nodes: []
  ingress_clusterissuer: "letsencrypt-production"
@@ -26,19 +23,31 @@ clusterConfig:
  ingress_hostnetwork: false
  ingress_hostport: false
  ingress_nodeport: true
-  oidc: []
+  acme:
-    #- name: azure
+    email: "acme@oceanbox.io"
-    #  provider: azuread
+    dns01: "namecheap-apikey"
-    #  tenant: "https://login.microsoftonline.com/<tenant>/oauth2/v2.0"
+  oidc:
-    #  secret_ref:
+    - group: admin
-    #    name: azure-oidc
+      name: oceanbox
-    #  group_id: "<group_id>"
+      provider: azuread
-    #- name: github
+      tenant: "3f737008-e9a0-4485-9d27-40329d288089"
-    #  provider: github
+      secret_ref:
-    #  secret_ref:
+        name: oceanbox-oidc
-    #    name: github-oidc
+      group_id: "eb17a659-4ce6-41bc-9153-d9b117c44479"
-    #  allowed_organizations: <org>
+    - group: devel
-    #  allowed_teams: <team-id>
+      name: oceanbox
      provider: azuread
      tenant: "3f737008-e9a0-4485-9d27-40329d288089"
      secret_ref:
        name: oceanbox-oidc
      group_id: ""
    - group: analytics
      name: oceanbox
      provider: azuread
      tenant: "3f737008-e9a0-4485-9d27-40329d288089"
      secret_ref:
        name: oceanbox-oidc
      group_id: "52bb4c7e-549c-4aed-bd95-9dcedf716f9f"
  s3:
    hosts: []
    patterns: []
@@ -314,6 +314,7 @@ configMaps:
           { "name": "jonas-atlantis.dev.oceanbox.io", "type": "A", "value": "10.255.241.11" },
           { "name": "jonas-sorcerer.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" },
           { "name": "jonas-plume.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" },
           { "name": "stig-atlantis.dev.oceanbox.io", "type": "A", "value": "10.255.241.11" },
           { "name": "stig-sorcerer.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" },
           { "name": "stig-plume.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" },
@@ -323,8 +324,10 @@ configMaps:
           { "name": "mrtz-sorcerer.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" },
           { "name": "mrtz-plume.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" },
           { "name": "simkir-atlantis.dev.oceanbox.io", "type": "A", "value": "10.255.241.11" },
           { "name": "simkir-user-portal.dev.oceanbox.io", "type": "A", "value": "10.255.241.11" },
           { "name": "simkir-sorcerer.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" },
           { "name": "simkir-plume.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" },
           { "name": "ole-atlantis.dev.oceanbox.io", "type": "A", "value": "10.255.241.11" },
-           { "name": "ole-sorcerer.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" }
+           { "name": "ole-sorcerer.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" },
           { "name": "ole-plume.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" }
        ]
@@ -1,6 +1,6 @@
 replicaCount: 1
 image:
-  tag: "6efcdecb-debug"
+  tag: "2592c5b2-debug"
 env:
  - name: APP_VERSION
    value: "0.0.0-staging"
@@ -1,3 +1,2 @@
 openfga:
  enabled: true
  env: prod
@@ -1,4 +1,4 @@
 openfga:
  enabled: false
  autosync: false
-  env: prod
+  env: {{ .Environment.Name }}
@@ -10,7 +10,11 @@ metadata:
  - resources-finalizer.argocd.argoproj.io
 spec:
  destination:
    {{- if eq .Values.openfga.env "prod" }}
    namespace: openfga
    {{- else }}
    namespace: {{ .Values.openfga.env }}-openfga
    {{- end }}
    server: https://kubernetes.default.svc
  project: sys
  sources:
@@ -10,10 +10,9 @@ type: Opaque
 ---
 apiVersion: v1
 stringData:
-  postgres-password: iAnMHs3eEuQM0D4jeAP1dwEoLWUBSwNXwhBuPDOgmfoeZ58iV0zogQ77U3GNUbwa
+  uri:  postgres://staging-openfga-db-rw.staging-openfga.svc.cluster.local:5432/app?sslmode=disable
  uri:  postgres://postgres:iAnMHs3eEuQM0D4jeAP1dwEoLWUBSwNXwhBuPDOgmfoeZ58iV0zogQ77U3GNUbwa@staging-openfga-rw.openfga.svc.cluster.local:5432/postgres?sslmode=disable
 kind: Secret
 metadata:
  name: staging-openfga-postgresql
-  namespace: openfga
+  namespace: staging-openfga
 type: Opaque
@@ -2,8 +2,12 @@ replicaCount: 1
 datastore:
  engine: postgres
  uriSecret: staging-openfga-db-superuser
  migrationType: initContainer
  uriSecret: staging-openfga-postgresql
  existingSecret: staging-openfga-db-superuser 
  secretKeys:
    usernameKey: username
    passwordKey: password
 ingress:
  enabled: true
@@ -27,7 +31,7 @@ extraObjects:
    kind: Cluster
    metadata:
      name: staging-openfga-db
-      namespace: openfga
+      namespace: staging-openfga
    spec:
      instances: 1
      imageName: ghcr.io/cloudnative-pg/postgresql:17-bookworm
@@ -1,6 +1,6 @@
 replicaCount: 1
 image:
-  tag: 544657c0-debug
+  tag: 121f49c9-debug
 podAnnotations:
  dapr.io/enabled: "true"
  dapr.io/app-id: "staging-plume"
@@ -122,7 +122,7 @@ grafana:
    users:
      auto_assign_org_role: "Admin"
    {{- range .Values.clusterConfig.oidc }}
-    {{- if eq .provider "azuread" }}
+    {{- if eq .group "analytics" }}
    auth.{{ .provider }}:
      enabled: true
      name: {{ .name }}
@@ -135,32 +135,34 @@ grafana:
      allow_sign_up: true
      role_attribute_strict: false
      allow_assign_grafana_admin: true
-    {{- else if eq .provider "github" }}
+    #{{- else if eq .provider "github" }}
-    auth.{{ .provider }}:
+    #auth.{{ .provider }}:
-      name: {{ .name }}
+    #  name: {{ .name }}
-      enabled: true
+    #  enabled: true
-      client_id: $__file{/etc/secrets/oauth/{{ .name }}/client_id}
+    #  client_id: $__file{/etc/secrets/oauth/{{ .name }}/client_id}
-      client_secret: $__file{/etc/secrets/oauth/{{ .name }}/client_secret}
+    #  client_secret: $__file{/etc/secrets/oauth/{{ .name }}/client_secret}
-      allowed_organizations: {{ .allowed_organizations }}
+    #  allowed_organizations: {{ .allowed_organizations }}
-      {{- if .allowed_teams }}
+    #  {{- if .allowed_teams }}
-      allowed_teams: "{{ .allowed_teams }}"
+    #  allowed_teams: "{{ .allowed_teams }}"
-      {{- end }}
+    #  {{- end }}
-      scopes: user:email,read:org
+    #  scopes: user:email,read:org
-      auth_url: https://github.com/login/oauth/authorize
+    #  auth_url: https://github.com/login/oauth/authorize
-      token_url: https://github.com/login/oauth/access_token
+    #  token_url: https://github.com/login/oauth/access_token
-      allow_sign_up: true
+    #  allow_sign_up: true
-      role_attribute_strict: false
+    #  role_attribute_strict: false
-      allow_assign_grafana_admin: true
+    #  allow_assign_grafana_admin: true
    {{- end }}
    {{- end }}
  extraSecretMounts:
  {{- range .Values.clusterConfig.oidc }}
  {{- if eq .group "analytics" }}
  - name: {{ .name }}
    secretName: {{ .secret_ref.name }}
    defaultMode: 0440
    mountPath: /etc/secrets/oauth/{{ .name }}
    readOnly: true
  {{- end }}
  {{- end }}
  {{- if .Values.prometheus.grafana.persistence }}
  persistence:
@@ -173,6 +175,9 @@ grafana:
    annotations:
      cert-manager.io/cluster-issuer: {{ .Values.clusterConfig.ingress_clusterissuer }}
      nginx.ingress.kubernetes.io/ssl-redirect: "true"
      nginx.ingress.kubernetes.io/proxy-body-size: "0"
      nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
      nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
      {{- with .Values.clusterConfig.ingress_whitelist}}
      nginx.ingress.kubernetes.io/whitelist-source-range: {{ join "," . }}
      {{- end }}
@@ -458,6 +463,9 @@ prometheus:
    annotations:
      cert-manager.io/cluster-issuer: {{ .Values.clusterConfig.ingress_clusterissuer }}
      nginx.ingress.kubernetes.io/ssl-redirect: "true"
      nginx.ingress.kubernetes.io/proxy-body-size: "0"
      nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
      nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
      {{- with .Values.clusterConfig.ingress_whitelist }}
      nginx.ingress.kubernetes.io/whitelist-source-range: {{ join "," . }}
      {{- end }}
@@ -1,25 +0,0 @@
 certmanager:
 enabled: true
 redisOperator:
 webhook: true
 # issuer:
 # create: true
 # kind: ClusterIssuer
 # name:
 # ha:
 #   enabled: false
 # metrics:
 #   enabled: true
 #   serviceMonitor:
 #     additionalLabels:
 #       release: prometheus
 #     enabled: true
 # webhook:
 #   certificate:
 #     certManager: false
 #   serviceMonitor:
 #     additionalLabels:
 #       release: prometehus
@@ -48,7 +48,7 @@
      "modelId": "01JKTZYMCZZBVSBG66W27XMW0A"
    },
    "sentryUrl": "https://5e6e3584098dc006de18038cf85d2cbe@o4509530141622272.ingest.de.sentry.io/4509547350065232",
-    "redis": "localhost:6379,user=default,password=secret",
+    "redis": "staging-sorcerer-redis:6379,user=default,password=secret",
    "allowedOrigins": [
        "http://localhost:8085",
        "http://localhost:8080",
@@ -7,7 +7,7 @@ spec:
  version: v1
  metadata:
  - name: redisHost
-    value: staging-sorcerer-redis-master:6379
+    value: staging-sorcerer-redis:6379
  - name: redisUsername
    value: default
  - name: redisPassword
@@ -7,7 +7,7 @@ spec:
  version: v1
  metadata:
  - name: redisHost
-    value: staging-sorcerer-redis-master:6379
+    value: staging-sorcerer-redis:6379
  - name: redisUsername
    value: default
  - name: redisPassword
@@ -20,4 +20,3 @@ master:
      cpu: 150m
      ephemeral-storage: 50Mi
      memory: 128Mi
@@ -78,6 +78,19 @@ persistence:
 #     operator: Equal
 #     value: compute
 #     effect: NoSchedule
 redis:
  enabled: true
  replicas: 3
  size: 2Gi
  backup:
    enabled: true
  secret:
    name: "prod-sorcerer-redis"
    key: "redis-password"
  resources:
    cpu: 150m
    memory: 256Mi
 affinity:
  nodeAffinity:
@@ -1,6 +1,8 @@
 replicaCount: 1
 image:
-  tag: e9c21c12-debug
+  tag: 9566bce0-debug
 podAnnotations:
  dapr.io/enabled: "true"
  dapr.io/app-id: "staging-sorcerer"
@@ -13,6 +15,7 @@ podAnnotations:
  dapr.io/sidecar-memory-request: "50Mi"
  # dapr.io/sidecar-cpu-limit: "300m"
  # dapr.io/sidecar-memory-limit: "1000Mi"
 env:
  - name: APP_VERSION
    value: "0.0.0-staging"
@@ -30,6 +33,7 @@ env:
      secretKeyRef:
        name: dapr-api-token
        key: token
 ingress:
  enabled: true
  annotations:
@@ -62,11 +66,24 @@ ingress:
    - hosts:
        - sorcerer.ekman.oceanbox.io
      secretName: staging-sorcerer-tls
 persistence:
  enabled: true
  existingClaim: staging-sorcerer-ceph-archives
  # existingClaim: staging-oceanbox-backup-archives
  #
 redis:
  enabled: true
  size: 2Gi
  backup:
    enabled: true
  secret:
    name: "staging-sorcerer-redis"
    key: "redis-password"
  resources:
    cpu: 150m
    memory: 256Mi
 # nodeSelector:
 #   node-role.kubernetes.io/srv: ""
 #   kubernetes.io/hostname: fs-backup
@@ -77,6 +94,7 @@ persistence:
 #     operator: Equal
 #     value: compute
 #     effect: NoSchedule
 affinity:
  nodeAffinity:
    requiredDuringSchedulingIgnoredDuringExecution:
@@ -0,0 +1,3 @@
 spegel:
  enabled: true
  autosync: false
@@ -0,0 +1,3 @@
 spegel:
  enabled: true
  autosync: false
@@ -0,0 +1,3 @@
 spegel:
  enabled: false
  autosync: false
@@ -0,0 +1,14 @@
 {{- if .Values.clusterConfig.cilium.enabled }}
 apiVersion: cilium.io/v2
 kind: CiliumNetworkPolicy
 metadata:
  name: allow-api-server
  namespace: spegel
 spec:
  egress:
    - toEntities:
        - kube-apiserver
  endpointSelector:
    matchLabels:
      app.kubernetes.io/instance: spegel
 {{- end}}
@@ -0,0 +1,19 @@
 {{- if .Values.clusterConfig.cilium.enabled }}
 apiVersion: cilium.io/v2
 kind: CiliumNetworkPolicy
 metadata:
  name: allow-prometheus-metrics
  namespace: spegel
 spec:
  endpointSelector:
    matchLabels:
      app.kubernetes.io/instance: spegel
  ingress:
    - fromEndpoints:
        - matchLabels:
            io.kubernetes.pod.namespace: prometheus
      toPorts:
        - ports:
            - port: "8080"
              protocol: TCP
 {{- end}}
@@ -0,0 +1,18 @@
 {{- if .Values.clusterConfig.cilium.enabled }}
 apiVersion: cilium.io/v2
 kind: CiliumNetworkPolicy
 metadata:
  name: allow-remote-node
  namespace: spegel
 spec:
  endpointSelector:
    matchLabels: {}
  ingress:
    - fromEntities:
        - kube-apiserver
        - remote-node
      toPorts:
        - ports:
            - port: "5000"
              protocol: TCP
 {{- end}}
@@ -0,0 +1,17 @@
 {{- if .Values.clusterConfig.cilium.enabled }}
 apiVersion: cilium.io/v2
 kind: CiliumNetworkPolicy
 metadata:
  name: allow-world-dns
  namespace: spegel
 spec:
  description: Allow DNS world
  egress:
    - toPorts:
        - ports:
            - port: "5001"
              protocol: TCP
  endpointSelector:
    matchLabels:
      app.kubernetes.io/name: spegel
 {{- end }}
@@ -0,0 +1,38 @@
 {{- if .Values.clusterConfig.argo.enabled }}
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: spegel
  namespace: argocd
 spec:
  destination:
    namespace: spegel
    server: 'https://kubernetes.default.svc'
  sources:
  - repoURL: {{ .Values.clusterConfig.manifests }}
    targetRevision: HEAD
    path: helmfile.d
    plugin:
      name: helmfile-cmp
      env:
      - name: CLUSTER_NAME
        value: {{ .Values.clusterConfig.cluster }}
      - name: HELMFILE_ENVIRONMENT
        value: default
      - name: HELMFILE_FILE_PATH
        value: spegel.yaml.gotmpl
  project: sys
  syncPolicy:
    managedNamespaceMetadata:
      labels:
        component: sys
    syncOptions:
      - CreateNamespace=true
      - ApplyOutOfSyncOnly=true
      - ServerSideApply=true
    {{- if .Values.spegel.autosync }}
    automated:
      prune: true
      # selfHeal: false
    {{- end }}
 {{- end }}
@@ -0,0 +1,4 @@
 spegel:
  containerdRegistryConfigPath: /etc/cri/conf.d/hosts
  registryFilters:
    - "^yolo-registry.dev.oceanbox\\.io/"
@@ -6,7 +6,7 @@ image:
  # -- image pull policy
  # pullPolicy:
  # -- Overrides the image tag
-  tag: "postgresql-v2.19.0"
+  tag: "3.0"
 replicaCount: 1
@@ -17,11 +17,11 @@ resources:
  limits:
    # cpu: 100m
    # ephemeral-storage: 2Gi
-    memory: 750Mi
+    memory: 500Mi
  requests:
-    cpu: 500m
+    cpu: 100m
    # ephemeral-storage: 50Mi
-    memory: 750Mi
+    memory: 500Mi
 securityContext:
  runAsGroup: 65533