From de5ce17f28cc8d51f8d0a8a404006480deec5a6d Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Moritz=20J=C3=B6rg?= Date: Thu, 13 Nov 2025 16:33:08 +0100 Subject: [PATCH] feat(sorcerer): Add beta instance --- .../sorcerer/kustomize/beta/appsettings.json | 76 ++++++++++++ .../beta/archives-backup-volume.yaml | 35 ++++++ .../kustomize/beta/configurations.yaml | 20 +++ values/sorcerer/kustomize/beta/default.env | 1 + .../kustomize/beta/deployment_patch.yaml | 13 ++ values/sorcerer/kustomize/beta/keyvault.yaml | 22 ++++ .../kustomize/beta/kustomization.yaml | 23 ++++ values/sorcerer/kustomize/beta/pv.yaml | 22 ++++ values/sorcerer/kustomize/beta/pvc.yaml | 18 +++ values/sorcerer/kustomize/beta/rbac.yaml | 39 ++++++ values/sorcerer/kustomize/beta/secrets.yaml | 15 +++ .../sorcerer/kustomize/beta/secretstore.yaml | 10 ++ .../sorcerer/kustomize/beta/statestore.yaml | 22 ++++ values/sorcerer/kustomize/beta/tracing.yaml | 11 ++ values/sorcerer/values/values-beta.yaml | 115 ++++++++++++++++++ 15 files changed, 442 insertions(+) create mode 100644 values/sorcerer/kustomize/beta/appsettings.json create mode 100644 values/sorcerer/kustomize/beta/archives-backup-volume.yaml create mode 100644 values/sorcerer/kustomize/beta/configurations.yaml create mode 100644 values/sorcerer/kustomize/beta/default.env create mode 100644 values/sorcerer/kustomize/beta/deployment_patch.yaml create mode 100644 values/sorcerer/kustomize/beta/keyvault.yaml create mode 100644 values/sorcerer/kustomize/beta/kustomization.yaml create mode 100644 values/sorcerer/kustomize/beta/pv.yaml create mode 100644 values/sorcerer/kustomize/beta/pvc.yaml create mode 100644 values/sorcerer/kustomize/beta/rbac.yaml create mode 100644 values/sorcerer/kustomize/beta/secrets.yaml create mode 100644 values/sorcerer/kustomize/beta/secretstore.yaml create mode 100644 values/sorcerer/kustomize/beta/statestore.yaml create mode 100644 values/sorcerer/kustomize/beta/tracing.yaml create mode 100644 values/sorcerer/values/values-beta.yaml 
diff --git a/values/sorcerer/kustomize/beta/appsettings.json b/values/sorcerer/kustomize/beta/appsettings.json
new file mode 100644
index 00000000..2beddb28
--- /dev/null
+++ b/values/sorcerer/kustomize/beta/appsettings.json
@@ -0,0 +1,76 @@
+{
+ "oidc": {
+ "issuer": "https://auth.oceanbox.io/realms/oceanbox",
+ "authorization_endpoint": "https://auth.oceanbox.io/realms/oceanbox/protocol/openid-connect/auth",
+ "token_endpoint": "https://auth.oceanbox.io/realms/oceanbox/protocol/openid-connect/token",
+ "jwks_uri": "https://auth.oceanbox.io/realms/oceanbox/protocol/openid-connect/certs",
+ "userinfo_endpoint": "https://auth.oceanbox.io/realms/oceanbox/protocol/openid-connect/userinfo",
+ "end_session_endpoint": "https://auth.oceanbox.io/realms/oceanbox/protocol/openid-connect/logout",
+ "device_authorization_endpoint": "https://auth.oceanbox.io/realms/oceanbox/protocol/openid-connect/auth/device",
+ "clientId": "sorcerer",
+ "clientSecret": "",
+ "scopes": [
+ "openid",
+ "email",
+ "offline_access",
+ "profile"
+ ],
+ "audiences": [
+ "atlantis",
+ "atlantis_dev",
+ "sorcerer",
+ "sorcerer_dev"
+ ]
+ },
+ "sso": {
+ "cookieDomain": ".oceanbox.io",
+ "cookieName": ".obx.beta",
+ "ttl": 12.0,
+ "signedOutRedirectUri": "https://maps.beta.oceanbox.io",
+ "realm": "atlantis",
+ "environment": "beta",
+ "keyStore": {
+ "kind": "azure",
+ "uri": "https://atlantis.blob.core.windows.net",
+ "key": "dataprotection-keys"
+ },
+ "keyVault": {
+ "kind": "azure",
+ "uri": "https://atlantisvault.vault.azure.net",
+ "key": "dataencryption-keys"
+ }
+ },
+ "plainAuthUsers": [],
+ "fga": {
+ "apiUrl": "https://openfga.srv.oceanbox.io",
+ "apiKey": "",
+ "storeId": "01JKTZXMP7ANN4GG2P5W8Y56M6",
+ "modelId": "01JKTZYMCZZBVSBG66W27XMW0A"
+ },
+ "sentryUrl": "https://5e6e3584098dc006de18038cf85d2cbe@o4509530141622272.ingest.de.sentry.io/4509547350065232",
+ "redis": "beta-sorcerer-redis:6379,user=default,password=secret",
+ "allowedOrigins": [
+ "http://localhost:8085",
+ "http://localhost:8080",
+ "https://localhost:8080",
+ "https://sorcerer.data.oceanbox.io",
+ "https://sorcerer.ekman.oceanbox.io",
+ "https://sorcerer.local.oceanbox.io:8080",
+ "https://atlantis.local.oceanbox.io:8080",
+ "https://maps.oceanbox.io",
+ "https://maps.beta.oceanbox.io",
+ "https://atlantis.beta.oceanbox.io",
+ "https://jonas-atlantis.dev.oceanbox.io",
+ "https://stig-atlantis.dev.oceanbox.io",
+ "https://prod-sorcerer.ekman.oceanbox.io",
+ "http://prod-sorcerer.ekman.oceanbox.io"
+ ],
+ "appName": "sorcerer",
+ "appEnv": "beta",
+ "appNamespace": "beta-sorcerer",
+ "appVersion": "0.0.0",
+ "otelCollector": "http://10.255.241.12:4317",
+ "archiveSvc": "https://maps.beta.oceanbox.io",
+ "dataDir": "/data/archives",
+ "cacheDir": "/data/archives/cache"
+}
diff --git a/values/sorcerer/kustomize/beta/archives-backup-volume.yaml b/values/sorcerer/kustomize/beta/archives-backup-volume.yaml
new file mode 100644
index 00000000..84e20b2c
--- /dev/null
+++ b/values/sorcerer/kustomize/beta/archives-backup-volume.yaml
@@ -0,0 +1,35 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+ name: pv-beta-backup-archives
+spec:
+ accessModes:
+ - ReadWriteMany
+ capacity:
+ storage: 400T
+ local:
+ path: /backup/archives
+ persistentVolumeReclaimPolicy: Retain
+ volumeMode: Filesystem
+ nodeAffinity:
+ required:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: kubernetes.io/hostname
+ operator: In
+ values:
+ - ekman
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: beta-oceanbox-backup-archives
+spec:
+ accessModes:
+ - ReadWriteMany
+ resources:
+ requests:
+ storage: 400T
+ storageClassName: ""
+ volumeMode: Filesystem
+ volumeName: pv-beta-backup-archives
diff --git a/values/sorcerer/kustomize/beta/configurations.yaml b/values/sorcerer/kustomize/beta/configurations.yaml
new file mode 100644
index 00000000..3131d2c8
--- /dev/null
+++ b/values/sorcerer/kustomize/beta/configurations.yaml
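Review bot: The `redis` connection string carries a literal credential, `user=default,password=secret`, and kustomization.yaml in this commit turns the whole file into a ConfigMap, so whatever ends up in that string is readable by anyone with `get configmaps` rather than Secret-level access; if `secret` is a placeholder that the `REDIS_PASSWORD` env var in values-beta.yaml overrides at runtime, drop the password from the string entirely, and if it is not, it has to move into the `beta-sorcerer-redis` Secret. The `allowedOrigins` list for a beta instance also admits plain-`http://` origins (`http://localhost:8085`, `http://prod-sorcerer.ekman.oceanbox.io`) and personal dev hosts (`jonas-atlantis.dev…`, `stig-atlantis.dev…`), which widens the CORS surface well beyond what beta needs. Likewise `audiences` accepts `atlantis_dev` and `sorcerer_dev`, so tokens minted for the dev instances would presumably be accepted here too; worth confirming that is intended. JSON has no comment syntax, so the rationale for the cross-environment entries belongs in the overlay's kustomization.yaml or a README next to it.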
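Review bot: The `local` PersistentVolume hands the host path `/backup/archives` on node `ekman` to a beta workload with `ReadWriteMany`, so a bug in the beta instance could modify or delete what is presumably the archive backup tree; if beta only needs to read it, set `readOnly: true` on the consuming volumeMount or use `ReadOnlyMany` on both the PV and the PVC. This file is also not listed under `resources:` in the overlay's kustomization.yaml and the claim is only referenced by a commented-out `existingClaim` in values-beta.yaml, so as committed it is either dead or applied out-of-band; a header comment such as `# Not in kustomization.yaml: apply manually only when switching persistence.existingClaim to the backup tree.` would make that explicit. Note that `local` volumes are bound to one node by the nodeAffinity, so `ReadWriteMany` here does not describe any real cross-node capability.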
@@ -0,0 +1,20 @@
+apiVersion: dapr.io/v1alpha1
+kind: Component
+metadata:
+ name: configstore
+spec:
+ type: configuration.redis
+ version: v1
+ metadata:
+ - name: redisHost
+ value: beta-sorcerer-redis:6379
+ - name: redisUsername
+ value: default
+ - name: redisPassword
+ secretKeyRef:
+ name: beta-sorcerer-redis
+ key: redis-password
+ - name: redisDB
+ value: "1"
+scopes:
+ - beta-sorcerer
diff --git a/values/sorcerer/kustomize/beta/default.env b/values/sorcerer/kustomize/beta/default.env
new file mode 100644
index 00000000..2dfb0bd0
--- /dev/null
+++ b/values/sorcerer/kustomize/beta/default.env
@@ -0,0 +1 @@
+SEQ_APIKEY=7iIXHJukYjSLQDix6CnZ
diff --git a/values/sorcerer/kustomize/beta/deployment_patch.yaml b/values/sorcerer/kustomize/beta/deployment_patch.yaml
new file mode 100644
index 00000000..b5d99932
--- /dev/null
+++ b/values/sorcerer/kustomize/beta/deployment_patch.yaml
@@ -0,0 +1,13 @@
+- op: replace
+ path: /spec/template/spec/containers/0/volumeMounts/0/mountPath
+ value: /data
+- op: add
+ path: /spec/template/spec/containers/0/envFrom/-
+ value:
+ secretRef:
+ name: azure-keyvault
+- op: add
+ path: /spec/template/spec/containers/0/envFrom/-
+ value:
+ secretRef:
+ name: beta-sorcerer-env
diff --git a/values/sorcerer/kustomize/beta/keyvault.yaml b/values/sorcerer/kustomize/beta/keyvault.yaml
new file mode 100644
index 00000000..a8b2ce2a
--- /dev/null
+++ b/values/sorcerer/kustomize/beta/keyvault.yaml
@@ -0,0 +1,22 @@
+apiVersion: dapr.io/v1alpha1
+kind: Component
+metadata:
+ name: azure-keyvault
+spec:
+ type: secretstores.azure.keyvault
+ version: v1
+ metadata:
+ - name: vaultName
+ value: atlantisvault
+ - name: azureTenantId
+ secretKeyRef:
+ name: azure-keyvault
+ key: AZURE_TENANT_ID
+ - name: azureClientId
+ secretKeyRef:
+ name: azure-keyvault
+ key: AZURE_CLIENT_ID
+ - name: azureClientSecret
+ secretKeyRef:
+ name: azure-keyvault
+ key: AZURE_CLIENT_SECRET
\ No newline at end of file
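Review bot: `SEQ_APIKEY=7iIXHJukYjSLQDix6CnZ` commits a live-looking API key in plaintext to the repository; it should be treated as compromised and rotated, and the real value delivered through the `beta-sorcerer-env` Secret that deployment_patch.yaml already wires into the container via `envFrom`. The file is also not referenced anywhere in kustomization.yaml (no `secretGenerator` or `configMapGenerator` consumes `default.env`), so nothing in this overlay uses it as committed. If it is meant as a template, keep it as `default.env.example` with `SEQ_APIKEY=` left blank and keep the populated file out of version control.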
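Review bot: The second op injects the entire `azure-keyvault` Secret into the application container's environment, which puts `AZURE_CLIENT_SECRET` (the service-principal credential keyvault.yaml already hands to the Dapr sidecar) into the app process where it is visible in `/proc`, crash dumps and any debug endpoint; if the app itself only needs Azure access for the `keyStore`/`keyVault` settings in appsettings.json, prefer explicit `env`/`valueFrom` entries for the keys it needs, or move the app to workload identity so no client secret is present in the pod at all. Both `add` ops append via `/envFrom/-`, which fails at `kustomize build` time unless the base Deployment already declares `envFrom` on container 0; state that precondition, e.g. `# requires containers[0].envFrom and volumeMounts[0] to exist in ../base`. The `replace` on `volumeMounts/0/mountPath` likewise silently assumes the first mount is the archives volume.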
diff --git a/values/sorcerer/kustomize/beta/kustomization.yaml b/values/sorcerer/kustomize/beta/kustomization.yaml
new file mode 100644
index 00000000..1bb40a9a
--- /dev/null
+++ b/values/sorcerer/kustomize/beta/kustomization.yaml
@@ -0,0 +1,23 @@
+generatorOptions:
+ disableNameSuffixHash: true
+configMapGenerator:
+- name: prod-sorcerer-appsettings
+ files:
+ - appsettings.json
+patches:
+- target:
+ group: apps
+ version: v1
+ kind: Deployment
+ path: deployment_patch.yaml
+resources:
+- ../base
+- pv.yaml
+- pvc.yaml
+- secrets.yaml
+- configurations.yaml
+- keyvault.yaml
+- rbac.yaml
+- secretstore.yaml
+- statestore.yaml
+- tracing.yaml
\ No newline at end of file
diff --git a/values/sorcerer/kustomize/beta/pv.yaml b/values/sorcerer/kustomize/beta/pv.yaml
new file mode 100644
index 00000000..8ea2acf6
--- /dev/null
+++ b/values/sorcerer/kustomize/beta/pv.yaml
@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+ name: pv-beta-sorcerer-ceph-archives
+spec:
+ accessModes:
+ - ReadWriteMany
+ capacity:
+ storage: 1Gi
+ csi:
+ driver: rook-ceph.cephfs.csi.ceph.com
+ nodeStageSecretRef:
+ name: rook-csi-cephfs-node
+ namespace: rook-ceph
+ volumeAttributes:
+ clusterID: rook-ceph
+ fsName: data
+ rootPath: /
+ staticVolume: "true"
+ volumeHandle: pv-beta-sorcerer-ceph-archives
+ persistentVolumeReclaimPolicy: Retain
+ volumeMode: Filesystem
diff --git a/values/sorcerer/kustomize/beta/pvc.yaml b/values/sorcerer/kustomize/beta/pvc.yaml
new file mode 100644
index 00000000..b949575b
--- /dev/null
+++ b/values/sorcerer/kustomize/beta/pvc.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: beta-sorcerer-ceph-archives
+spec:
+ accessModes:
+ - ReadWriteMany
+ resources:
+ requests:
+ storage: 1Gi
+ storageClassName: ""
+ volumeMode: Filesystem
+ volumeName: pv-beta-sorcerer-ceph-archives
+status:
+ accessModes:
+ - ReadWriteMany
+ capacity:
+ storage: 1Gi
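Review bot: The generated ConfigMap is named `prod-sorcerer-appsettings` in what is the beta overlay, while rbac.yaml in the same commit grants `get`/`watch` only on `beta-sorcerer-appsettings`; so either the Deployment from `../base` mounts a ConfigMap that does not exist here, or the Role does not cover the one that does — it reads like a leftover from copying the prod overlay, and `- name: beta-sorcerer-appsettings` is the fix. Two files added by this commit, `archives-backup-volume.yaml` and `default.env`, are neither listed under `resources:` nor used by a generator, so `kustomize build` ignores them; either wire them in or note why they are kept. There is also no overlay-level `namespace:` although rbac.yaml hardcodes `beta-sorcerer`; adding `namespace: beta-sorcerer` here keeps the Components, PVC and Secrets from landing in whatever namespace the caller's context happens to select.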
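Review bot: `rootPath: /` on the CephFS filesystem `data` exposes the whole filesystem, not a beta-specific tree, to the beta pods with `ReadWriteMany`; with deployment_patch.yaml mounting it at `/data`, the beta instance can read and write everything in that CephFS, which presumably includes other environments' archives. Scope the static volume to a directory or subvolume dedicated to beta (for example `rootPath: /beta/archives`, pre-created on the filesystem) so a beta bug can only damage beta data — hedged, since the layout of `data` is not visible here. A short comment that `capacity.storage: 1Gi` is nominal for a statically provisioned CephFS volume would also spare the next reader a double take.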
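Review bot: The manifest carries a `status:` stanza (`accessModes`, `capacity`), which is server-owned and dropped on create; keeping it in a source-of-truth manifest is misleading and some GitOps diff tools report it as permanent drift. Remove the five `status:` lines so the file only declares the spec. Like the other namespaced objects in this overlay it has no `metadata.namespace` and kustomization.yaml sets none, so it relies on the caller's context namespace.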
diff --git a/values/sorcerer/kustomize/beta/rbac.yaml b/values/sorcerer/kustomize/beta/rbac.yaml
new file mode 100644
index 00000000..188ce09a
--- /dev/null
+++ b/values/sorcerer/kustomize/beta/rbac.yaml
@@ -0,0 +1,39 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: beta-sorcerer
+ namespace: beta-sorcerer
+rules:
+- apiGroups:
+ - ""
+ resourceNames:
+ - beta-sorcerer-appsettings
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - watch
+- apiGroups:
+ - ""
+ resourceNames:
+ - azure-keyvault
+ - beta-sorcerer-redis
+ resources:
+ - secrets
+ verbs:
+ - get
+ - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: beta-sorcerer
+ namespace: beta-sorcerer
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: beta-sorcerer
+subjects:
+- kind: ServiceAccount
+ name: beta-sorcerer
+ namespace: beta-sorcerer
diff --git a/values/sorcerer/kustomize/beta/secrets.yaml b/values/sorcerer/kustomize/beta/secrets.yaml
new file mode 100644
index 00000000..7f187fd9
--- /dev/null
+++ b/values/sorcerer/kustomize/beta/secrets.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: beta-sorcerer-env
+type: Opaque
+data:
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ annotations:
+ kyverno/clone: "true"
+ name: azure-keyvault
+type: Opaque
+data:
diff --git a/values/sorcerer/kustomize/beta/secretstore.yaml b/values/sorcerer/kustomize/beta/secretstore.yaml
new file mode 100644
index 00000000..c23086e1
--- /dev/null
+++ b/values/sorcerer/kustomize/beta/secretstore.yaml
@@ -0,0 +1,10 @@
+apiVersion: dapr.io/v1alpha1
+kind: Component
+metadata:
+ name: secretstore
+spec:
+ type: secretstores.kubernetes
+ version: v1
+ metadata:
+ - name: defaultNamespace
+ value: beta-sorcerer
diff --git a/values/sorcerer/kustomize/beta/statestore.yaml b/values/sorcerer/kustomize/beta/statestore.yaml
new file mode 100644
index 00000000..1a6f2853
--- /dev/null
+++ b/values/sorcerer/kustomize/beta/statestore.yaml
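Review bot: Both Secrets end with a bare `data:`, which YAML parses as `null` rather than an empty map; write `data: {}` (or omit the key) so the intent is explicit and schema validators do not trip on it. More importantly, re-applying an empty `beta-sorcerer-env` Secret from Git while its real contents are populated out-of-band means every sync re-asserts an empty object, and depending on the apply mode that can wipe the externally added keys; safer to omit the Secret from the overlay and document that it is provisioned externally, or to generate it with `secretGenerator`. The `kyverno/clone: "true"` annotation on `azure-keyvault` is the only hint that a policy fills it from another namespace; a one-line comment such as `# contents are cloned in by the cluster Kyverno policy; do not add keys here` would save the next reader a hunt.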
@@ -0,0 +1,22 @@
+apiVersion: dapr.io/v1alpha1
+kind: Component
+metadata:
+ name: statestore
+spec:
+ type: state.redis
+ version: v1
+ metadata:
+ - name: redisHost
+ value: beta-sorcerer-redis:6379
+ - name: redisUsername
+ value: default
+ - name: redisPassword
+ secretKeyRef:
+ name: beta-sorcerer-redis
+ key: redis-password
+ - name: actorStateStore
+ value: "true"
+ - name: redisDB
+ value: "0"
+scopes:
+ - beta-sorcerer
diff --git a/values/sorcerer/kustomize/beta/tracing.yaml b/values/sorcerer/kustomize/beta/tracing.yaml
new file mode 100644
index 00000000..4c4c318c
--- /dev/null
+++ b/values/sorcerer/kustomize/beta/tracing.yaml
@@ -0,0 +1,11 @@
+apiVersion: dapr.io/v1alpha1
+kind: Configuration
+metadata:
+ name: tracing
+spec:
+ tracing:
+ samplingRate: "1"
+ otel:
+ endpointAddress: "10.255.241.12:4317"
+ protocol: grpc
+ isSecure: false
diff --git a/values/sorcerer/values/values-beta.yaml b/values/sorcerer/values/values-beta.yaml
new file mode 100644
index 00000000..c6d1c9c1
--- /dev/null
+++ b/values/sorcerer/values/values-beta.yaml
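Review bot: `isSecure: false` sends every trace (`samplingRate: "1"`) as plaintext gRPC to `10.255.241.12:4317`, and traces routinely carry URLs, headers and user identifiers from the SSO/OIDC flows configured in appsettings.json; if the collector is only reachable over a private cluster network that is acceptable, but the assumption should be written down, e.g. `# collector sits on the internal srv network; plaintext is acceptable only while it stays unrouted`. The same address is duplicated as `otelCollector` in appsettings.json, so a collector move has to be made in two places — a cross-reference comment here would help. A 100% sampling rate on a two-replica beta instance may also be more volume than the collector is sized for.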
@@ -0,0 +1,115 @@
+replicaCount: 2
+
+podAnnotations:
+ dapr.io/enabled: "true"
+ dapr.io/app-id: "beta-sorcerer"
+ dapr.io/app-port: "8085"
+ dapr.io/api-token-secret: "dapr-api-token"
+ dapr.io/config: "tracing"
+ dapr.io/app-protocol: "http"
+ dapr.io/log-as-json: "true"
+ dapr.io/sidecar-cpu-request: "10m"
+ dapr.io/sidecar-memory-request: "50Mi"
+ # dapr.io/sidecar-cpu-limit: "300m"
+ # dapr.io/sidecar-memory-limit: "1000Mi"
+
+env:
+ - name: APP_VERSION
+ value: "4.16.3"
+ - name: LOG_LEVEL
+ value: "2"
+ - name: REDIS_USER
+ value: default
+ - name: REDIS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: beta-sorcerer-redis
+ key: redis-password
+ - name: DAPR_API_TOKEN
+ valueFrom:
+ secretKeyRef:
+ name: dapr-api-token
+ key: token
+
+ingress:
+ enabled: true
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-betauction
+ nginx.ingress.kubernetes.io/affinity: "cookie"
+ nginx.ingress.kubernetes.io/session-cookie-name: "http-affinity"
+ nginx.ingress.kubernetes.io/session-cookie-expires: "86400"
+ nginx.ingress.kubernetes.io/session-cookie-max-age: "86400"
+ hosts:
+ - host: sorcerer.beta.oceanbox.io
+ paths:
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ internal:
+ - path: /internal
+ pathType: ImplementationSpecific
+ - path: /dapr
+ pathType: ImplementationSpecific
+ - path: /actors
+ pathType: ImplementationSpecific
+ - path: /job
+ pathType: ImplementationSpecific
+ - path: /events
+ pathType: ImplementationSpecific
+ - path: /metrics
+ pathType: ImplementationSpecific
+ tls:
+ - hosts:
+ - sorcerer.beta.oceanbox.io
+ secretName: beta-sorcerer-tls
+
+persistence:
+ enabled: true
+ existingClaim: beta-sorcerer-ceph-archives
+ # existingClaim: beta-oceanbox-backup-archives
+
+# nodeSelector:
+# node-role.kubernetes.io/srv: ""
+# kubernetes.io/hostname: fs-backup
+# node-role.kubernetes.io/worker: c1-1
+
+# tolerations:
+# - key: workload
+# operator: Equal
+# value: compute
+# effect: NoSchedule
+redis:
+ enabled: true
+ replicas: 3
+ size: 2Gi
+ backup:
+ enabled: true
+ secret:
+ name: "beta-sorcerer-redis"
+ key: "redis-password"
+ resources:
+ cpu: 150m
+ memory: 256Mi
+
+affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: "topology.kubernetes.io/group"
+ operator: In
+ values:
+ - srv
+ podAntiAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ matchExpressions:
+ - key: "app.kubernetes.io/name"
+ operator: In
+ values:
+ - sorcerer
+ - key: "app.kubernetes.io/instance"
+ operator: In
+ values:
+ - beta-sorcerer
+ topologyKey: "kubernetes.io/hostname"
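Review bot: `cert-manager.io/cluster-issuer: letsencrypt-betauction` looks like the product of a blanket `prod`→`beta` replace on `letsencrypt-production`; unless a ClusterIssuer with that exact name exists, cert-manager will never issue `beta-sorcerer-tls` and `sorcerer.beta.oceanbox.io` will serve the ingress controller's default, untrusted certificate. Point it at the real issuer (presumably `letsencrypt-production`, or a staging issuer if that is the convention for beta). Separately, the `internal` path group puts `/dapr`, `/actors`, `/job`, `/events` and `/metrics` under the same public host; whether the chart fronts these with an allow-list or a separate ingress class is not visible here, so please confirm they are not reachable from the internet. With the `nodeSelector` and `tolerations` blocks commented out, scheduling rests entirely on the `affinity` section, which is worth a one-line note above `affinity:`.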