feat: simplify charts, resources, kustomizations and applications for atlantis SPMSA

2024-10-08 16:54:58 +02:00
parent 2e00aceed1
commit eb2eebaa34
37 changed files with 136 additions and 428 deletions
@@ -1,2 +1,3 @@
 _manifest.yaml
 _resources.yaml
+*.tgz
@@ -1,36 +1,27 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: atlantis-host-cluster-resources
+  name: atlantis-cluster-resources
  namespace: argocd
  # annotations: # close, but no cigar
  #   argocd.argoproj.io/compare-options: ServerSideDiff=true,IncludeMutationWebhook=true
 spec:
-  project: aux
+  project: atlantis
  destination:
    server: https://kubernetes.default.svc
  syncPolicy:
    automated:
      prune: false
      selfHeal: false
-  ignoreDifferences:
-    - kind: Secret
-      name: prod-rabbitmq
-      jqPathExpressions:
-        - '.data'
-        - '.metadata.annotations.clone'
-        - '.metadata.labels'
-    - kind: Secret
-      name: prod-redis
-      jqPathExpressions:
-        - '.data'
-        - '.metadata.annotations.clone'
-        - '.metadata.labels'
+  # ignoreDifferences:
+  #   - kind: Secret
+  #     name: prod-rabbitmq
+  #     jqPathExpressions:
+  #       - '.data'
+  #       - '.metadata.annotations.clone'
+  #       - '.metadata.labels'
  sources:
  - repoURL: https://gitlab.com/oceanbox/manifests.git
    targetRevision: main
-    path: resources/atlantis/host-manifests
-  - repoURL: https://gitlab.com/oceanbox/manifests.git
-    targetRevision: main
-    path: 'resources/atlantis/manifests/prod'
+    path: resources/atlantis

@@ -1,6 +1,6 @@
 dependencies:
- name: redis-stack-server
-  repository: https://redis-stack.github.io/helm-redis-stack/
-  version: 0.4.14
-digest: sha256:ed6bf447567c0d92030bffebc947801c67cb4e9b4dd95680c35a0b5f6b23d71f
-generated: "2024-10-04T11:54:47.575418518+02:00"
+- name: redis
+  repository: https://charts.bitnami.com/bitnami
+  version: 20.1.7
+digest: sha256:9c9be148366bb3d50f7394ba5a33e1a00a087b5ed61d2bcf1faec9b369e76582
+generated: "2024-10-08T13:21:10.374993273+02:00"
@@ -5,8 +5,8 @@ type: application
 version: v2.87.1
 appVersion: v2.87.1
 dependencies:
-  - name: redis-stack-server
-    version: 0.4.14
-    repository: https://redis-stack.github.io/helm-redis-stack/
+  - name: redis
+    version: 20.1.7
+    repository: https://charts.bitnami.com/bitnami
    condition: redis.enabled
    alias: redis
@@ -3,6 +3,7 @@ apiVersion: postgresql.cnpg.io/v1
 kind: Cluster
 metadata:
  name: {{ include "Atlantis.fullname" . }}-db
+  namespace: {{ .Release.Namespace }}
  annotations:
    linkerd.io/inject: disabled
  labels:
@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: {{ include "Atlantis.fullname" . }}
+  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "Atlantis.labels" . | nindent 4 }}
 spec:
@@ -3,6 +3,7 @@ apiVersion: autoscaling/v2beta1
 kind: HorizontalPodAutoscaler
 metadata:
  name: {{ include "Atlantis.fullname" . }}
+  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "Atlantis.labels" . | nindent 4 }}
 spec:
@@ -16,6 +16,7 @@ apiVersion: extensions/v1beta1
 kind: Ingress
 metadata:
  name: {{ $fullName }}
+  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "Atlantis.labels" . | nindent 4 }}
  {{- with .Values.ingress.annotations }}
@@ -0,0 +1,26 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-atlantis-services
+  namespace: {{ .Release.Namespace }}
+spec:
+  egress:
+  - toEndpoints:
+    - matchLabels:
+        k8s:io.kubernetes.pod.namespace: dapr-system
+  - toEndpoints:
+    - matchLabels:
+        k8s:io.kubernetes.pod.namespace: {{ .Values.rabbitmq.namespace | default "rabbitmq" }}
+  - toEndpoints:
+    - matchLabels:
+        k8s:io.kubernetes.pod.namespace: {{ .Values.tracing.namespace | default "otel" }}
+  - toFQDNs:
+    - matchName: '*.oceanbox.io'
+    - matchName: api.github.com
+    - matchName: dapr.github.io
+    - matchName: gitlab.com
+    - matchPattern: '*.gitlab.com'
+    - matchPattern: "*.k1.itpartner.no"
+    - matchName: analytics.loft.rocks
+  endpointSelector:
+    matchLabels: {}
@@ -2,21 +2,21 @@ apiVersion: dapr.io/v1alpha1
 kind: Component
 metadata:
  name: pubsub
-  namespace: atlantis
+  namespace: {{ .Release.Namespace }}
 spec:
-  type: pubsub.rabbitmq
  version: v1
+  type: pubsub.rabbitmq
  metadata:
  - name: hostname
-    value: prod-rabbitmq.rabbitmq.svc
-  - name: protocol
-    value: amqp
+    value: {{ .Values.rabbitmq.service }}.{{ .Values.rabbitmq.namespace | default "rabbitmq" }}
  - name: username
-    value: user
+    value: {{ .Values.rabbitmq.username }}
  - name: password
    secretKeyRef:
-      name: prod-rabbitmq
+      name: {{ .Values.rabbitmq.secretName | default (printf "%s-rabbitmq" .Release.Name) }}
      key:  rabbitmq-password
+  - name: protocol
+    value: amqp
  - name: durable
    value: true
  - name: deletedWhenUnused
@@ -3,6 +3,7 @@ kind: PersistentVolumeClaim
 apiVersion: v1
 metadata:
  name: {{ template "Atlantis.fullname" . }}
+  namespace: {{ .Release.Namespace }}
 {{- with .Values.persistence.annotations  }}
  annotations:
 {{ toYaml . | indent 4 }}
@@ -4,6 +4,7 @@ metadata:
  annotations:
    kyverno/clone: "true"
  name: {{ .Release.Name }}-rabbitmq
+  namespace: {{ .Release.Namespace }}
 type: Opaque
 data:
 ---
@@ -25,6 +26,7 @@ metadata:
  annotations:
    kyverno/clone: "true"
  name: {{ include "Atlantis.fullname" . }}-db-superuser
+  namespace: {{ .Release.Namespace }}
 type: kubernetes.io/basic-auth
 data:
  username:
@@ -48,6 +50,7 @@ metadata:
  annotations:
    kyverno/clone: "true"
  name: {{ .Values.cluster.bootstrap.source.db }}-ca
+  namespace: {{ .Release.Namespace }}
 data:
  ca.crt: ""
  ca.key: ""
@@ -2,6 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
  name: {{ include "Atlantis.fullname" . }}
+  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "Atlantis.labels" . | nindent 4 }}
 spec:
@@ -3,6 +3,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: {{ include "Atlantis.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "Atlantis.labels" . | nindent 4 }}
  {{- with .Values.serviceAccount.annotations }}
@@ -2,23 +2,21 @@ apiVersion: dapr.io/v1alpha1
 kind: Component
 metadata:
  name: statestore
-  namespace: atlantis
+  namespace: {{ .Release.Namespace }}
 spec:
  type: state.redis
  version: v1
  metadata:
  - name: redisHost
-    value: prod-redis-master.redis.svc:6379
+    value: {{ .Release.Name }}-redis-master:6379
  - name: redisUsername
    value: default
  - name: redisPassword
    secretKeyRef:
-      name: prod-redis
+      name: {{ .Release.Name }}-redis
      key:  redis-password
  - name: actorStateStore
    value: "true"
 scopes:
-  - prod-atlantis
-  - prod-petimeter
-  - prod-hipster
-  - prod-archmeister
+  - atlantis
+  - {{ .Release.Name }}-atlantis
@@ -2,6 +2,7 @@ apiVersion: dapr.io/v2alpha1
 kind: Subscription
 metadata:
  name: hipster-events
+  namespace: {{ .Release.Namespace }}
 spec:
  topic: hipster
  routes:
@@ -10,12 +11,14 @@ spec:
  metadata:
    queueType: quorum
 scopes:
- staging-atlantis
+- atlantis
+- {{ .Release.Name}}-atlantis
 ---
 apiVersion: dapr.io/v2alpha1
 kind: Subscription
 metadata:
  name: inbox-events
+  namespace: {{ .Release.Namespace }}
 spec:
  topic: inbox
  routes:
@@ -24,4 +27,5 @@ spec:
  metadata:
    queueType: quorum
 scopes:
- staging-atlantis
+- atlantis
+- {{ .Release.Name}}-atlantis
@@ -2,10 +2,10 @@ apiVersion: dapr.io/v1alpha1
 kind: Configuration
 metadata:
  name: tracing
-  namespace: atlantis
+  namespace: {{ .Release.Namespace }}
 spec:
  tracing:
    samplingRate: "1"
    zipkin:
-      endpointAddress: " http://opentelemetry-collector.otel.svc:9411/api/v2/spans"
+      endpointAddress: {{ .Values.tracing.endpoint }}

@@ -3,21 +3,28 @@
 # Declare variables to be passed into your templates.

 replicaCount: 1
+
 image:
  repository: registry.gitlab.com/oceanbox/atlantis
  tag: v2.87.1
  pullPolicy: IfNotPresent
+
 init:
  enabled: false
  image: ubuntu:rolling
  command: ["/bin/sh", "-c", "true"]
+
 env:
  - name: LOG_LEVEL
    value: "3"
+
 imagePullSecrets:
  - name: gitlab-pull-secret
+
 nameOverride: ""
+
 fullnameOverride: ""
+
 serviceAccount:
  create: true
  # Annotations to add to the service account
@@ -25,9 +32,12 @@ serviceAccount:
  # The name of the service account to use.
  # If not set and create is true, a name is generated using the fullname template
  name: ""
+
 podAnnotations: {}
+
 podSecurityContext:
  fsGroup: 2000
+
 securityContext:
  capabilities:
    drop:
@@ -35,9 +45,11 @@ securityContext:
  readOnlyRootFilesystem: false
  runAsNonRoot: true
  runAsUser: 1000
+
 service:
  type: ClusterIP
  port: 8085
+
 ingress:
  enabled: false
  className: "nginx"
@@ -53,11 +65,13 @@ ingress:
    - hosts:
        - atlantis.srv.oceanbox.io
      secretName: atlantis-tls
+
 persistence:
  enabled: false
  size: 1G
  storageClass: ""
  accessMode: ReadWriteOnce
+
 cluster:
  enabled: true
  instances: 1
@@ -69,15 +83,53 @@ cluster:
    source:
      db: prod-archmeister
      namespace: atlantis
+
 redis:
  enabled: true
-  name: redis-stack
-  redis_stack_server:
-    image: "redis/redis-stack-server"
-    tag: "7.4.0-v1"
-    replicas: 1
-    storage_class: ceph-rbd
-    storage: 1Gi
+  image:
+    repository: redis/redis-stack-server
+    tag: 7.2.0-v10
+  architecture: standalone
+  replica:
+    replicaCount: 1
+    command:
+      - "/opt/redis-stack/bin/redis-server"
+      - "--loadmodule"
+      - "/opt/redis-stack/lib/redisearch.so"
+      - "MAXSEARCHRESULTS"
+      - "10000"
+      - "MAXAGGREGATERESULTS"
+      - "10000"
+      - "--loadmodule"
+      - "/opt/redis-stack/lib/rejson.so"
+  auth:
+    enabled: true
+    sentinel: true
+    password: ""
+    usePasswordFiles: false
+    existingSecretPasswordKey: ""
+    # existingSecret: staging-redis
+  master:
+    resources:
+      limits:
+        cpu: null
+        ephemeral-storage: 1024Mi
+        memory: 192Mi
+      requests:
+        cpu: 150m
+        ephemeral-storage: 50Mi
+        memory: 128Mi
+
+tracing:
+  namespace: otel
+  endpoint: "http://opentelemetry-collector.otel:9411/api/v2/spans"
+
+rabbitmq:
+  namespace: rabbitmq
+  service: staging-rabbitmq
+  username: user
+  # secretName: staging-rabbitmq
+
 resources: {}
 # We usually recommend not to specify default resources and to leave this as a conscious
 # choice for the user. This also increases chances charts run on environments with little
@@ -96,6 +148,7 @@ autoscaling:
  maxReplicas: 100
  targetCPUUtilizationPercentage: 80
  # targetMemoryUtilizationPercentage: 80
+
 nodeSelector: {}
 tolerations: []
 affinity: {}
@@ -19,4 +19,3 @@ patches:
    path: deployment_patch.yaml
 resources:
  - ../base
-  - subscriptions.yaml
@@ -1,8 +1,7 @@
-apiVersion: cilium.io/v2
+piVersion: cilium.io/v2
 kind: CiliumNetworkPolicy
 metadata:
  name: allow-external-idp
-  namespace: idp
 spec:
  egress:
  - toFQDNs:
@@ -11,8 +10,4 @@ spec:
    - matchName: s3.k1.itpartner.no
    - matchName: telemetry.cerbos.dev
  endpointSelector: {}
-    # matchExpressions:
-    #   - key: app.kubernetes.io/name
-    #     operator: In
-    #     values: [ cerbos, dex ]

@@ -1,40 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
-  name: sync-prod-archmeister-replication-secrets
-spec:
-  background: true
-  generateExisting: true
-  rules:
-  - name: sync-archmeister-ca
-    generate:
-      apiVersion: v1
-      kind: Secret
-      name: prod-archmeister-ca
-      namespace: '{{request.object.metadata.name}}'
-      synchronize: true
-      clone:
-        namespace: atlantis
-        name: prod-archmeister-ca
-    match:
-      resources:
-        kinds:
-        - Namespace
-        names:
-        - '*-vcluster'
-  - name: sync-archmeister-replication
-    generate:
-      apiVersion: v1
-      kind: Secret
-      name: prod-archmeister-replication
-      namespace: '{{request.object.metadata.name}}'
-      synchronize: true
-      clone:
-        namespace: atlantis
-        name: prod-archmeister-replication
-    match:
-      resources:
-        kinds:
-        - Namespace
-        names:
-        - '*-vcluster'
@@ -1,77 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
-  name: sync-rabbitmq-secrets
-spec:
-  background: true
-  generateExisting: true
-  rules:
-  - name: add-rabbitmq-connstring
-    mutate:
-      patchStrategicMerge:
-        stringData:
-          connString: 'amqp://user:{{ request.object.data."rabbitmq-password" | base64_decode(@) }}@{{ request.object.metadata.labels."app.kubernetes.io/instance" }}.rabbitmq.svc'
-    match:
-     any:
-       - resources:
-           kinds:
-           - Secret
-           names:
-           - prod-rabbitmq
-           - staging-rabbitmq
-           namespaces:
-           - rabbitmq
-  - name: sync-prod-rabbitmq-secret
-    generate:
-      apiVersion: v1
-      kind: Secret
-      name: '{{ request.object.metadata.name }}'
-      namespace: '{{ request.object.metadata.namespace }}'
-      synchronize: true
-      clone:
-        name: prod-rabbitmq
-        namespace: rabbitmq
-    match:
-     any:
-     - resources:
-         kinds:
-         - Secret
-         names:
-         - prod-rabbitmq
-         annotations:
-           clone: "true"
-    # exclude:
-    #  any:
-    #  - resources:
-    #      kinds:
-    #      - Secret
-    #      selector:
-    #        matchLabels:
-    #          generate.kyverno.io/clone-source: ""
-  - name: sync-staging-rabbitmq-secret
-    generate:
-      apiVersion: v1
-      kind: Secret
-      name: '{{ request.object.metadata.name }}'
-      namespace: '{{ request.object.metadata.namespace }}'
-      synchronize: true
-      clone:
-        name: staging-rabbitmq
-        namespace: rabbitmq
-    match:
-     any:
-     - resources:
-         kinds:
-         - Secret
-         names:
-         - staging-rabbitmq
-         annotations:
-           clone: "true"
-    # exclude:
-    #  any:
-    #  - resources:
-    #      kinds:
-    #      - Secret
-    #      selector:
-    #        matchLabels:
-    #          generate.kyverno.io/clone-source: ""
@@ -1,63 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
-  name: sync-redis-secrets
-spec:
-  background: true
-  generateExisting: true
-  rules:
-  - name: sync-prod-redis-secret
-    generate:
-      apiVersion: v1
-      kind: Secret
-      name: '{{ request.object.metadata.name }}'
-      namespace: '{{ request.object.metadata.namespace }}'
-      synchronize: true
-      clone:
-        name: prod-redis
-        namespace: redis
-    match:
-     any:
-     - resources:
-         kinds:
-         - Secret
-         names:
-         - prod-redis
-         annotations:
-           clone: "true"
-    # exclude:
-    #  any:
-    #  - resources:
-    #      kinds:
-    #      - Secret
-    #      selector:
-    #        matchLabels:
-    #          generate.kyverno.io/clone-source: ""
-  - name: sync-staging-redis-secret
-    generate:
-      apiVersion: v1
-      kind: Secret
-      name: '{{ request.object.metadata.name }}'
-      namespace: '{{ request.object.metadata.namespace }}'
-      synchronize: true
-      clone:
-        name: staging-redis
-        namespace: redis
-    match:
-     any:
-     - resources:
-         kinds:
-         - Secret
-         names:
-         - staging-redis
-         annotations:
-           clone: "true"
-    # exclude:
-    #  any:
-    #  - resources:
-    #      kinds:
-    #      - Secret
-    #      selector:
-    #        matchLabels:
-    #          generate.kyverno.io/clone-source: ""
-
@@ -1,22 +0,0 @@
-apiVersion: cilium.io/v2
-kind: CiliumNetworkPolicy
-metadata:
-  name: allow-atlantis-external-services
-  namespace: atlantis
-spec:
-  egress:
-  - toFQDNs:
-    - matchName: idp.oceanbox.io
-    - matchName: idp.srv.oceanbox.io
-    - matchName: idp.beta.oceanbox.io
-    - matchName: auth.srv.oceanbox.io
-    - matchName: auth.oceanbox.io
-    - matchName: hipster-slurmrestd.ekman.oceanbox.io
-    - matchName: api.github.com
-    - matchName: dapr.github.io
-    - matchName: gitlab.com
-    - matchPattern: '*.gitlab.com'
-    - matchPattern: "*.k1.itpartner.no"
-    - matchName: analytics.loft.rocks
-  endpointSelector:
-    matchLabels: {}
@@ -1,21 +0,0 @@
-apiVersion: cilium.io/v2
-kind: CiliumNetworkPolicy
-metadata:
-  name: allow-atlantis-services
-  namespace: atlantis
-spec:
-  egress:
-  - toEndpoints:
-    - matchLabels:
-        k8s:io.kubernetes.pod.namespace: dapr-system
-  - toEndpoints:
-    - matchLabels:
-        k8s:io.kubernetes.pod.namespace: redis
-  - toEndpoints:
-    - matchLabels:
-        k8s:io.kubernetes.pod.namespace: rabbitmq
-  - toEndpoints:
-    - matchLabels:
-        k8s:io.kubernetes.pod.namespace: otel
-  endpointSelector:
-    matchLabels: {}
@@ -1,6 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-  - allow-atlantis-external-services.yaml
-  - allow-atlantis-services.yaml
-  - dapr-tracing.yaml
@@ -1,7 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-  - secrets.yaml
-  - pubsub-rabbitmq.yaml
-  - state-redis.yaml
-  - ../base/
@@ -1,17 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-  annotations:
-    clone: "true"
-  name: prod-redis
-  namespace: atlantis
-type: Opaque
---
-apiVersion: v1
-kind: Secret
-metadata:
-  annotations:
-    clone: "true"
-  name: prod-rabbitmq
-  namespace: atlantis
-type: Opaque
@@ -1,7 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-  - secrets.yaml
-  - pubsub-rabbitmq.yaml
-  - state-redis.yaml
-  - ../base/
@@ -1,53 +0,0 @@
-apiVersion: dapr.io/v1alpha1
-kind: Component
-metadata:
-  name: pubsub
-  namespace: atlantis
-spec:
-  type: pubsub.rabbitmq
-  version: v1
-  metadata:
-  - name: hostname
-    value: staging-rabbitmq.rabbitmq.svc
-  - name: protocol
-    value: amqp
-  - name: username
-    value: user
-  - name: password
-    secretKeyRef:
-      name: staging-rabbitmq
-      key:  rabbitmq-password
-  - name: durable
-    value: true
-  - name: deletedWhenUnused
-    value: false
-  - name: autoAck
-    value: false
-  - name: deliveryMode
-    value: 1
-  - name: requeueInFailure
-    value: false
-  - name: prefetchCount
-    value: 0
-  - name: reconnectWait
-    value: 0
-  - name: concurrencyMode
-    value: parallel
-  - name: publisherConfirm
-    value: false
-  - name: backOffPolicy
-    value: exponential
-  - name: backOffInitialInterval
-    value: 100
-  - name: backOffMaxRetries
-    value: 16
-  - name: enableDeadLetter # Optional enable dead Letter or not
-    value: true
-  - name: maxLen # Optional max message count in a queue
-    value: 3000
-  - name: maxLenBytes # Optional maximum length in bytes of a queue.
-    value: 10485760
-  - name: exchangeKind
-    value: fanout
-  - name: clientName
-    value: "{appID}"
@@ -1,19 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-  annotations:
-    clone: "true"
-  name: staging-redis
-  namespace: atlantis
-type: Opaque
-data:
---
-apiVersion: v1
-kind: Secret
-metadata:
-  annotations:
-    clone: "true"
-  name: staging-rabbitmq
-  namespace: atlantis
-type: Opaque
-data:
@@ -1,24 +0,0 @@
-apiVersion: dapr.io/v1alpha1
-kind: Component
-metadata:
-  name: statestore
-  namespace: atlantis
-spec:
-  type: state.redis
-  version: v1
-  metadata:
-  - name: redisHost
-    value: staging-redis-master.redis.svc:6379
-  - name: redisUsername
-    value: default
-  - name: redisPassword
-    secretKeyRef:
-      name: staging-redis
-      key:  redis-password
-  - name: actorStateStore
-    value: "true"
-# scopes:
-#   - staging-atlantis
-#   - staging-petimeter
-#   - staging-hipster
-#   - staging-archmeister
@@ -1,13 +0,0 @@
-apiVersion: cilium.io/v2
-kind: CiliumNetworkPolicy
-metadata:
-  name: allow-hubble-oidc-login
-  namespace: kube-system
-spec:
-  endpointSelector:
-    matchLabels:
-      k8s-app: oauth2-proxy
-  egress:
-  - toFQDNs:
-    - matchName: login.microsoftonline.com
-    - matchPattern: '*.microsoftonline.com'