From 7b046c343f3a6944097ca1daf4d50f615d09feea Mon Sep 17 00:00:00 2001
From: Jonas Juselius
Date: Sat, 28 Sep 2024 12:58:51 +0200
Subject: [PATCH 01/13] fix: add APP_NAME and APP_NAMESPACE to default env
---
 charts/archmeister/values.yaml | 11 +++++++++++
 charts/atlantis/values.yaml | 8 ++++++++
 charts/hipster/values.yaml | 11 +++++++++++
 charts/petimeter/values.yaml | 11 +++++++++++
 charts/sorcerer/values.yaml | 11 +++++++++++
 5 files changed, 52 insertions(+)
diff --git a/charts/archmeister/values.yaml b/charts/archmeister/values.yaml
index b81bda5d..fc111412 100644
--- a/charts/archmeister/values.yaml
+++ b/charts/archmeister/values.yaml
@@ -11,6 +11,17 @@ init:
 enabled: false
 image: ubuntu:rolling
 command: ["/bin/sh", "-c", "true"]
+env:
+ - name: LOG_LEVEL
+ value: "3"
+ - name: APP_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: APP_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
 imagePullSecrets:
 - name: gitlab-pull-secret
 nameOverride: ""
diff --git a/charts/atlantis/values.yaml b/charts/atlantis/values.yaml
index 6c247583..c0400c85 100644
--- a/charts/atlantis/values.yaml
+++ b/charts/atlantis/values.yaml
@@ -14,6 +14,14 @@ init:
 env:
 - name: LOG_LEVEL
 value: "3"
+ - name: APP_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: APP_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
 imagePullSecrets:
 - name: gitlab-pull-secret
 nameOverride: ""
diff --git a/charts/hipster/values.yaml b/charts/hipster/values.yaml
index d49471e4..66f2ece3 100644
--- a/charts/hipster/values.yaml
+++ b/charts/hipster/values.yaml
@@ -11,6 +11,17 @@ init:
 enabled: false
 image: ubuntu:rolling
 command: ["/bin/sh", "-c", "true"]
+env:
+ - name: LOG_LEVEL
+ value: "3"
+ - name: APP_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: APP_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
 imagePullSecrets:
 - name: gitlab-pull-secret
 nameOverride: ""
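Review bot: The new `env` list in charts/archmeister/values.yaml only takes effect if the chart's deployment template renders `.Values.env`; in this series only charts/sorcerer/templates/deployment.yaml is changed to do so (patch 12), so please confirm the archmeister, hipster and petimeter templates already consume it, otherwise APP_NAME and APP_NAMESPACE are never injected. The same block is added in the hipster, petimeter and sorcerer hunks, and the two APP_* entries in the atlantis hunk. Because Helm replaces list-valued settings wholesale instead of merging them, a user values file that sets `env:` silently drops LOG_LEVEL, APP_NAME and APP_NAMESPACE; a comment above the key would make that explicit, e.g. `# Overriding env replaces this whole list; re-add LOG_LEVEL, APP_NAME and APP_NAMESPACE when you do.`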
diff --git a/charts/petimeter/values.yaml b/charts/petimeter/values.yaml
index b02e2cef..8f4fcf6b 100644
--- a/charts/petimeter/values.yaml
+++ b/charts/petimeter/values.yaml
@@ -11,6 +11,17 @@ init:
 enabled: false
 image: ubuntu:rolling
 command: ["/bin/sh", "-c", "true"]
+env:
+ - name: LOG_LEVEL
+ value: "3"
+ - name: APP_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: APP_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
 imagePullSecrets:
 - name: gitlab-pull-secret
 nameOverride: ""
diff --git a/charts/sorcerer/values.yaml b/charts/sorcerer/values.yaml
index 6b11f35e..a8b789c6 100644
--- a/charts/sorcerer/values.yaml
+++ b/charts/sorcerer/values.yaml
@@ -11,6 +11,17 @@ init:
 enabled: false
 image: ubuntu:rolling
 command: ["/bin/sh", "-c", "true"]
+env:
+ - name: LOG_LEVEL
+ value: "3"
+ - name: APP_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: APP_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
 imagePullSecrets:
 - name: gitlab-pull-secret
 nameOverride: ""
From 15dae312ef815bd058c92eb4391baf771b84766f Mon Sep 17 00:00:00 2001
From: Jonas Juselius
Date: Tue, 8 Oct 2024 09:39:46 +0200
Subject: [PATCH 02/13] fix: add hubocean group
---
 kustomizations/petimeter/manifests/acl.json | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/kustomizations/petimeter/manifests/acl.json b/kustomizations/petimeter/manifests/acl.json
index 53dafc0e..a15e533f 100644
--- a/kustomizations/petimeter/manifests/acl.json
+++ b/kustomizations/petimeter/manifests/acl.json
@@ -277,6 +277,20 @@
 }
 ]
 },
+ {
+ "domain": "oceandata.earth",
+ "access": [
+ {
+ "matching": ".*@oceandata.earth",
+ "group": "/hubocean",
+ "roles": [ "user" ],
+ "capabilities": [
+ "run:transport",
+ "run:sedimentation"
+ ]
+ }
+ ]
+ },
 {
 "domain": "gmail.com",
 "access": [
From ef6282ca17bf2b7cc93e09959c1094504fd2f573 Mon Sep 17 00:00:00 2001
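Review bot: The added `"matching": ".*@oceandata.earth"` is a regular expression whose dots are unescaped and which has no end anchor, so depending on how the consumer evaluates it (search versus full match — the matcher is not visible here) it can also accept addresses whose domain merely contains that text, such as `someone@oceandata.earth.example`. If the intent is to pin the exact domain, `".*@oceandata\\.earth$"` says so; the same applies to the masoval.no entry in patch 04 and the three leroy* entries in patch 06. Since each entry already carries a `domain` field, it would also help to document in the file or its schema which of `domain` and `matching` actually gates access.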
From: Jonas Juselius
Date: Wed, 30 Oct 2024 12:02:21 +0100
Subject: [PATCH 03/13] fix: upgrade keycloak
---
 applications/keycloak.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/applications/keycloak.yaml b/applications/keycloak.yaml
index 3c6e2706..1af2ed81 100644
--- a/applications/keycloak.yaml
+++ b/applications/keycloak.yaml
@@ -10,7 +10,7 @@ spec:
 namespace: idp
 sources:
 - repoURL: https://charts.bitnami.com/bitnami
- targetRevision: 18.3.4
+ targetRevision: 24.0.2
 chart: keycloak
 helm:
 valueFiles:
From 01b9bc4465f2ec40cae7447479e32ff8862322b7 Mon Sep 17 00:00:00 2001
From: Jonas Juselius
Date: Thu, 31 Oct 2024 12:56:22 +0100
Subject: [PATCH 04/13] =?UTF-8?q?fix:=20add=20M=C3=A5s=C3=B8val?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 kustomizations/petimeter/manifests/acl.json | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/kustomizations/petimeter/manifests/acl.json b/kustomizations/petimeter/manifests/acl.json
index a15e533f..bd89d80b 100644
--- a/kustomizations/petimeter/manifests/acl.json
+++ b/kustomizations/petimeter/manifests/acl.json
@@ -291,6 +291,20 @@
 }
 ]
 },
+ {
+ "domain": "masoval.no",
+ "access": [
+ {
+ "matching": ".*@masoval.no",
+ "group": "/masoval",
+ "roles": [ "user" ],
+ "capabilities": [
+ "run:transport",
+ "run:sedimentation"
+ ]
+ }
+ ]
+ },
 {
 "domain": "gmail.com",
 "access": [
From a8da4c1198af857ae5459796b0baa651b7566e9b Mon Sep 17 00:00:00 2001
From: Jonas Juselius
Date: Thu, 14 Nov 2024 14:37:53 +0100
Subject: [PATCH 05/13] fix: fix otel url typo
---
 resources/atlantis/manifests/base/dapr-tracing.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/resources/atlantis/manifests/base/dapr-tracing.yaml b/resources/atlantis/manifests/base/dapr-tracing.yaml
index 7ded938d..f30cff54 100644
--- a/resources/atlantis/manifests/base/dapr-tracing.yaml
+++ b/resources/atlantis/manifests/base/dapr-tracing.yaml
@@ -7,5 +7,5 @@ spec:
 tracing:
 samplingRate: "1"
 zipkin:
- endpointAddress: " http://opentelemetry-collector.otel.svc:9411/api/v2/spans"
+ endpointAddress: "http://opentelemetry-collector.otel.svc:9411/api/v2/spans"
From 50bf3814a5f48db44cb92f5d41382ebd1366444e Mon Sep 17 00:00:00 2001
From: Jonas Juselius
Date: Fri, 15 Nov 2024 09:36:39 +0100
Subject: [PATCH 06/13] fix: add all known leroys
---
 kustomizations/petimeter/manifests/acl.json | 42 +++++++++++++++++++++
 1 file changed, 42 insertions(+)
diff --git a/kustomizations/petimeter/manifests/acl.json b/kustomizations/petimeter/manifests/acl.json
index bd89d80b..0eebf006 100644
--- a/kustomizations/petimeter/manifests/acl.json
+++ b/kustomizations/petimeter/manifests/acl.json
@@ -46,6 +46,48 @@
 }
 ]
 },
+ {
+ "domain": "leroyseafood.com",
+ "access": [
+ {
+ "matching": ".*@leroyseafood.com",
+ "group": "/leroy",
+ "roles": [ "user" ],
+ "capabilities": [
+ "run:transport",
+ "run:sedimentation"
+ ]
+ }
+ ]
+ },
+ {
+ "domain": "leroyaurora.no",
+ "access": [
+ {
+ "matching": ".*@leroyaurora.no",
+ "group": "/leroy",
+ "roles": [ "user" ],
+ "capabilities": [
+ "run:transport",
+ "run:sedimentation"
+ ]
+ }
+ ]
+ },
+ {
+ "domain": "leroymidt.no",
+ "access": [
+ {
+ "matching": ".*@leroymidt.no",
+ "group": "/leroy",
+ "roles": [ "user" ],
+ "capabilities": [
+ "run:transport",
+ "run:sedimentation"
+ ]
+ }
+ ]
+ },
 {
 "domain": "serit.no",
 "access": [
From f8d82f4f460364848b5f77e1b79d65c0622e96ca Mon Sep 17 00:00:00 2001
From: Jonas Juselius
Date: Fri, 15 Nov 2024 11:49:00 +0100
Subject: [PATCH 07/13] fix: fix sorcerer local redirect url
---
 kustomizations/dex/base/config.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/kustomizations/dex/base/config.yaml b/kustomizations/dex/base/config.yaml
index 0b9e5e31..ca1fe382 100644
--- a/kustomizations/dex/base/config.yaml
+++ b/kustomizations/dex/base/config.yaml
@@ -119,6 +119,7 @@ staticClients:
 - 'https://jonas-sorcerer.ekman.oceanbox.io/signin-oidc'
 - 'https://stig-sorcerer.ekman.oceanbox.io/signin-oidc'
 - 'https://simkir-sorcerer.ekman.oceanbox.io/signin-oidc'
+ - 'https://sorcerer.local.oceanbox.io:8080/signin-oidc'
 name: 'Sorcerer dev'
 secret: cyrgDr1UzhQrJn8nRVqEt9BJ9mLk3OBy
 - id: archmeister
From 77ed76758e7baa1e2f01f5b62bad7d042186111d Mon Sep 17 00:00:00 2001
From: Jonas Juselius
Date: Sat, 16 Nov 2024 08:13:59 +0100
Subject: [PATCH 08/13] fix: add port 8085 to local atlantis and sorcerer
---
 kustomizations/dex/base/config.yaml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/kustomizations/dex/base/config.yaml b/kustomizations/dex/base/config.yaml
index ca1fe382..0411856c 100644
--- a/kustomizations/dex/base/config.yaml
+++ b/kustomizations/dex/base/config.yaml
@@ -91,6 +91,7 @@ staticClients:
 - 'https://stig-atlantis.dev.oceanbox.io/signin-oidc'
 - 'https://simkir-atlantis.dev.oceanbox.io/signin-oidc'
 - 'https://atlantis.local.oceanbox.io:8080/signin-oidc'
+ - 'https://atlantis.local.oceanbox.io:8085/signin-oidc'
 name: 'Atlantis dev'
 secret: 3QjfSPmAemjn34XVA2o1fvoS7I4gKvOR
 - id: petimeter
@@ -120,6 +121,7 @@ staticClients:
 - 'https://stig-sorcerer.ekman.oceanbox.io/signin-oidc'
 - 'https://simkir-sorcerer.ekman.oceanbox.io/signin-oidc'
 - 'https://sorcerer.local.oceanbox.io:8080/signin-oidc'
+ - 'https://sorcerer.local.oceanbox.io:8085/signin-oidc'
 name: 'Sorcerer dev'
 secret: cyrgDr1UzhQrJn8nRVqEt9BJ9mLk3OBy
 - id: archmeister
From 8510a9b8a2cadf30fa15bdb785b4019fac6176e8 Mon Sep 17 00:00:00 2001
From: Jonas Juselius
Date: Sat, 16 Nov 2024 10:06:05 +0100
Subject: [PATCH 09/13] fix: add zipkin path to otel collector
---
 applications/opentelemetry-collector.yaml | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/applications/opentelemetry-collector.yaml b/applications/opentelemetry-collector.yaml
index 96a5e054..14355b74 100644
--- a/applications/opentelemetry-collector.yaml
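Review bot: The added redirect URI `https://sorcerer.local.oceanbox.io:8080/signin-oidc` registers a local-development origin on the shared `Sorcerer dev` client whose `secret` is stored in plain text two lines below, in a kustomize base committed to the repository; each widening of the redirect list increases what that committed secret can be used for. dex's static client configuration supports `secretEnv` in place of `secret`, so the value can be supplied from a Secret-backed environment variable, e.g. `secretEnv: DEX_SORCERER_DEV_SECRET`, and rotated once it is no longer in the tree. The same applies to the `Atlantis dev` and `Sorcerer dev` hunks in patch 08, which add the :8085 variants. The `staticClients` list continues outside the hunk.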
+++ b/applications/opentelemetry-collector.yaml
@@ -93,14 +93,19 @@ spec:
 cert-manager.io/cluster-issuer: letsencrypt-staging
 nginx.ingress.kubernetes.io/ssl-redirect: "true"
 atlantis.oceanbox.io/expose: internal
+ nginx.ingress.kubernetes.io/use-regex: "true"
+ nginx.ingress.kubernetes.io/rewrite-target: /$1
 ingressClassName: nginx
 hosts:
- - host: collector.adm.oceanbox.io
+ - host: opentelemetry-collector.adm.oceanbox.io
 paths:
 - path: /
 pathType: Prefix
 port: 4318
+ - path: /zipkin/(.*)
+ pathType: Prefix
+ port: 9411
 tls:
 - secretName: collector-tls
 hosts:
- - collector.adm.oceanbox.io
+ - opentelemetry-collector.adm.oceanbox.io
From 5c044cbbfefd9accc3da1ae215c3ded333b5dee4 Mon Sep 17 00:00:00 2001
From: Jonas Juselius
Date: Mon, 18 Nov 2024 08:34:19 +0100
Subject: [PATCH 10/13] fix: disable zipkin ingress on otel collector
---
 applications/opentelemetry-collector.yaml | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)
diff --git a/applications/opentelemetry-collector.yaml b/applications/opentelemetry-collector.yaml
index 14355b74..b919a36d 100644
--- a/applications/opentelemetry-collector.yaml
+++ b/applications/opentelemetry-collector.yaml
@@ -90,11 +90,9 @@ spec:
 ingress:
 enabled: true
 annotations:
- cert-manager.io/cluster-issuer: letsencrypt-staging
+ cert-manager.io/cluster-issuer: letsencrypt-production
 nginx.ingress.kubernetes.io/ssl-redirect: "true"
 atlantis.oceanbox.io/expose: internal
- nginx.ingress.kubernetes.io/use-regex: "true"
- nginx.ingress.kubernetes.io/rewrite-target: /$1
 ingressClassName: nginx
 hosts:
 - host: opentelemetry-collector.adm.oceanbox.io
@@ -102,9 +100,6 @@ spec:
 - path: /
 pathType: Prefix
 port: 4318
- - path: /zipkin/(.*)
- pathType: Prefix
- port: 9411
 tls:
 - secretName: collector-tls
 hosts:
From 414c993fe1addbdc401a4c70f371e601ca1646c5 Mon Sep 17 00:00:00 2001
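Review bot: `nginx.ingress.kubernetes.io/rewrite-target: /$1` together with `use-regex: "true"` is applied by ingress-nginx to every path of the Ingress, not only to the new `/zipkin/(.*)` rule, and the existing `- path: /` rule for port 4318 has no capture group, so `$1` is empty and every OTLP/HTTP request is rewritten to `/` (a request to `/v1/traces` would presumably no longer reach the receiver). If both receivers must share one host, give the OTLP rule its own capture, `- path: /(.*)`, or put the zipkin receiver on a separate Ingress that carries the rewrite annotations alone. The following commit removes the zipkin path and both annotations again, which may be a symptom of exactly this; the `ingress:` block starts outside the hunk.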
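Review bot: The first hunk changes `cert-manager.io/cluster-issuer` from `letsencrypt-staging` to `letsencrypt-production`, which is unrelated to the zipkin-ingress removal the subject describes and is not mentioned in the message; switching to the production issuer is a rate-limited, externally visible change and deserves its own line in the commit message or its own commit. It is also worth confirming that the existing `collector-tls` secret gets re-issued by the production issuer for the renamed host, since the previous commit changed the host but kept the secret name. The `ingress:` block continues outside both hunks.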
From: Jonas Juselius
Date: Mon, 18 Nov 2024 10:33:34 +0100
Subject: [PATCH 11/13] feat: add cpol to sync azure keyvault credentials
---
 .../sync-keyvault-secret.yaml | 32 +++++++++++++++++++
 .../sync-keyvault-secret.yaml | 32 +++++++++++++++++++
 2 files changed, 64 insertions(+)
 create mode 100644 resources/ekman-cluster/kyverno-policies/sync-keyvault-secret.yaml
 create mode 100644 resources/oceanbox-cluster/kyverno-policies/sync-keyvault-secret.yaml
diff --git a/resources/ekman-cluster/kyverno-policies/sync-keyvault-secret.yaml b/resources/ekman-cluster/kyverno-policies/sync-keyvault-secret.yaml
new file mode 100644
index 00000000..48f0277e
--- /dev/null
+++ b/resources/ekman-cluster/kyverno-policies/sync-keyvault-secret.yaml
@@ -0,0 +1,32 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ annotations:
+ policies.kyverno.io/category: Sample
+ policies.kyverno.io/description: 'Access dataprotection keys from Azure Key Vault'
+ creationTimestamp: "2024-01-15T11:58:24Z"
+ name: sync-keyvault-secrets
+spec:
+ admission: true
+ background: true
+ generateExisting: true
+ rules:
+ - generate:
+ apiVersion: v1
+ clone:
+ name: azure-keyvault
+ namespace: sorcerer
+ kind: Secret
+ name: azure-keyvault
+ namespace: '{{request.object.metadata.name}}'
+ synchronize: true
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ names:
+ - "*-sorcerer"
+ name: sync-keyvault-secrets
+
+
diff --git a/resources/oceanbox-cluster/kyverno-policies/sync-keyvault-secret.yaml b/resources/oceanbox-cluster/kyverno-policies/sync-keyvault-secret.yaml
new file mode 100644
index 00000000..eb6ec222
--- /dev/null
+++ b/resources/oceanbox-cluster/kyverno-policies/sync-keyvault-secret.yaml
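Review bot: The `match` in the new ekman-cluster policy copies the `azure-keyvault` Secret from namespace `sorcerer` into any Namespace whose name matches the glob `"*-sorcerer"`, so whoever can create a Namespace with such a name receives the Key Vault credentials through Kyverno's own service-account permissions rather than their own; the namespace name is a weak trust boundary if namespace creation is delegated, which the `vcluster-*` exclusion in patch 13 hints may be the case. An explicit name allow-list or a label selector paired with an `exclude` would narrow this; at minimum record the assumption above `match:`, e.g. `# Only trusted automation creates *-sorcerer namespaces; matching here hands them the Key Vault credentials.` The `policies.kyverno.io/category: Sample` annotation and the hard-coded `creationTimestamp` are leftovers from the upstream sample and should be dropped, the timestamp being a server-owned field. The oceanbox-cluster copy in the next hunk (`"*-atlantis"`, cloned from `atlantis`) has the same issues.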
@@ -0,0 +1,32 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ annotations:
+ policies.kyverno.io/category: Sample
+ policies.kyverno.io/description: 'Access dataprotection keys from Azure Key Vault'
+ creationTimestamp: "2024-01-15T11:58:24Z"
+ name: sync-keyvault-secrets
+spec:
+ admission: true
+ background: true
+ generateExisting: true
+ rules:
+ - generate:
+ apiVersion: v1
+ clone:
+ name: azure-keyvault
+ namespace: atlantis
+ kind: Secret
+ name: azure-keyvault
+ namespace: '{{request.object.metadata.name}}'
+ synchronize: true
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ names:
+ - "*-atlantis"
+ name: sync-keyvault-secrets
+
+
From b45432c82694bdb0a45cfb4b1d2c6f8541d7c2f4 Mon Sep 17 00:00:00 2001
From: Jonas Juselius
Date: Mon, 18 Nov 2024 10:34:29 +0100
Subject: [PATCH 12/13] fix: make sorcerer honor env: in values
---
 charts/sorcerer/templates/deployment.yaml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/charts/sorcerer/templates/deployment.yaml b/charts/sorcerer/templates/deployment.yaml
index a2630a54..bdb675ba 100644
--- a/charts/sorcerer/templates/deployment.yaml
+++ b/charts/sorcerer/templates/deployment.yaml
@@ -38,8 +38,7 @@ spec:
 containerPort: {{ .Values.service.port }}
 protocol: TCP
 env:
- - name: LOG_LEVEL
- value: "3"
+ {{- toYaml .Values.env | nindent 12 }}
 livenessProbe:
 httpGet:
 path: /
From 993612f3bd1efa75cc0131f164c2eaf98b535d16 Mon Sep 17 00:00:00 2001
From: Jonas Juselius
Date: Mon, 18 Nov 2024 10:35:37 +0100
Subject: [PATCH 13/13] feat: add cpol to sync regcreds
---
 .../sync-oceanbox-regcred.yaml | 44 +++++++++++++++++++
 1 file changed, 44 insertions(+)
 create mode 100644 resources/ekman-cluster/kyverno-policies/sync-oceanbox-regcred.yaml
diff --git a/resources/ekman-cluster/kyverno-policies/sync-oceanbox-regcred.yaml b/resources/ekman-cluster/kyverno-policies/sync-oceanbox-regcred.yaml
new file mode 100644
index 00000000..26a3514a
--- /dev/null
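Review bot: `{{- toYaml .Values.env | nindent 12 }}` is now emitted unconditionally under `env:`, so a values file that sets `env: null` (or a consumer that removes the key) renders `env: null`, which Kubernetes accepts but which also silently drops LOG_LEVEL now that its in-template default is gone; the conventional guard is to wrap the `env:` key and the `toYaml` line in `{{- with .Values.env }}` … `{{- end }}` and render `toYaml .` inside it. The `nindent 12` depth has to match the container's indentation, which the hunk only shows for the two replaced lines, so checking the rendered output with `helm template` before merging is worthwhile. The container spec starts and ends outside the hunk.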
+++ b/resources/ekman-cluster/kyverno-policies/sync-oceanbox-regcred.yaml
@@ -0,0 +1,44 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ annotations:
+ policies.kyverno.io/category: Sample
+ policies.kyverno.io/description: 'Secrets like registry credentials often need
+ to exist in multiple Namespaces so Pods there have access. Manually duplicating
+ those Secrets is time consuming and error prone. This policy will copy a Secret
+ called `regcred` which exists in the `default` Namespace to new Namespaces when
+ they are created. It will also push updates to the copied Secrets should the
+ source Secret be changed. '
+ creationTimestamp: "2024-01-15T11:58:24Z"
+ name: sync-oceanbox-regcred
+spec:
+ admission: true
+ background: true
+ generateExisting: true
+ rules:
+ - generate:
+ apiVersion: v1
+ clone:
+ # name: oceanbox-regcred
+ name: gitlab-pull-secret
+ namespace: default
+ kind: Secret
+ # name: oceanbox-regcred
+ name: gitlab-pull-secret
+ namespace: '{{request.object.metadata.name}}'
+ synchronize: true
+ exclude:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ names:
+ - "vcluster-*"
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ name: sync-oceanbox-regcred
+
+
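Review bot: The `policies.kyverno.io/description` text is copied from the upstream Kyverno sample and no longer describes this rule: it says a Secret called `regcred` in `default` is copied, while the rule clones `gitlab-pull-secret`; rewrite it to state what the policy actually does, and drop the two commented-out `# name: oceanbox-regcred` lines, the `category: Sample` annotation and the hard-coded `creationTimestamp`, which is a server-owned field. Functionally, matching every `Namespace` (minus `vcluster-*`) with `generateExisting: true` and `synchronize: true` pushes the GitLab pull token into all current and future namespaces, so anyone with secret read access in any namespace can read it; if only some namespaces pull from that registry, an opt-in label selector on `match` limits the exposure and the rotation footprint. A one-line comment above `exclude:` explaining why `vcluster-*` is left out would also help the next reader.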