From eb2eebaa3486d5180d6c430a693a8d45d56b9d66 Mon Sep 17 00:00:00 2001 
From: Jonas Juselius Date: Tue, 8 Oct 2024 16:54:58 +0200 Subject: [PATCH] feat: simplify charts, resources, kustomizations and applications for atlantis SPMSA --- .gitignore | 1 + applications/atlantis-host-resources.yaml | 29 +++---- charts/atlantis/Chart.lock | 10 +-- charts/atlantis/Chart.yaml | 6 +- .../charts/redis-stack-server-0.4.14.tgz | Bin 1367 -> 0 bytes charts/atlantis/templates/cluster.yaml | 1 + charts/atlantis/templates/deployment.yaml | 1 + charts/atlantis/templates/hpa.yaml | 1 + charts/atlantis/templates/ingress.yaml | 1 + .../atlantis/templates/networkpolicies.yaml | 26 ++++++ .../atlantis/templates/pubsub.yaml | 14 ++-- charts/atlantis/templates/pvc.yaml | 1 + charts/atlantis/templates/secrets.yaml | 3 + charts/atlantis/templates/service.yaml | 1 + charts/atlantis/templates/serviceaccount.yaml | 1 + .../atlantis/templates/statestore.yaml | 12 ++- .../atlantis/templates}/subscriptions.yaml | 8 +- .../atlantis/templates/tracing.yaml | 4 +- charts/atlantis/values.yaml | 67 +++++++++++++-- .../atlantis/staging/kustomization.yaml | 1 - .../add-ingress-whitelist.yaml | 0 .../allow-idp-external-access.yaml | 7 +- .../sync-archmeister-secrets.yaml | 40 --------- .../host-manifests/sync-rabbitmq-secrets.yaml | 77 ------------------ .../host-manifests/sync-redis-secrets.yaml | 63 -------------- .../allow-atlantis-external-services.yaml | 22 ----- .../base/allow-atlantis-services.yaml | 21 ----- .../manifests/base/kustomization.yaml | 6 -- .../manifests/prod/kustomization.yaml | 7 -- .../atlantis/manifests/prod/secrets.yaml | 17 ---- .../manifests/staging/kustomization.yaml | 7 -- .../manifests/staging/pubsub-rabbitmq.yaml | 53 ------------ .../atlantis/manifests/staging/secrets.yaml | 19 ----- .../manifests/staging/state-redis.yaml | 24 ------ .../remove-argocd-tracking-id.yaml | 0 .../sync-atlantis-secrets.yaml | 0 .../network-policies/allow-hubble-oidc.yaml | 13 --- 37 files changed, 136 insertions(+), 428 deletions(-) delete mode 100644 
charts/atlantis/charts/redis-stack-server-0.4.14.tgz create mode 100644 charts/atlantis/templates/networkpolicies.yaml rename resources/atlantis/manifests/prod/pubsub-rabbitmq.yaml => charts/atlantis/templates/pubsub.yaml (80%) rename resources/atlantis/manifests/prod/state-redis.yaml => charts/atlantis/templates/statestore.yaml (64%) rename {kustomizations/atlantis/staging => charts/atlantis/templates}/subscriptions.yaml (72%) rename resources/atlantis/manifests/base/dapr-tracing.yaml => charts/atlantis/templates/tracing.yaml (54%) rename resources/atlantis/{host-manifests => }/add-ingress-whitelist.yaml (100%) rename resources/atlantis/{host-manifests => }/allow-idp-external-access.yaml (62%) delete mode 100644 resources/atlantis/host-manifests/sync-archmeister-secrets.yaml delete mode 100644 resources/atlantis/host-manifests/sync-rabbitmq-secrets.yaml delete mode 100644 resources/atlantis/host-manifests/sync-redis-secrets.yaml delete mode 100644 resources/atlantis/manifests/base/allow-atlantis-external-services.yaml delete mode 100644 resources/atlantis/manifests/base/allow-atlantis-services.yaml delete mode 100644 resources/atlantis/manifests/base/kustomization.yaml delete mode 100644 resources/atlantis/manifests/prod/kustomization.yaml delete mode 100644 resources/atlantis/manifests/prod/secrets.yaml delete mode 100644 resources/atlantis/manifests/staging/kustomization.yaml delete mode 100644 resources/atlantis/manifests/staging/pubsub-rabbitmq.yaml delete mode 100644 resources/atlantis/manifests/staging/secrets.yaml delete mode 100644 resources/atlantis/manifests/staging/state-redis.yaml rename resources/atlantis/{host-manifests => }/remove-argocd-tracking-id.yaml (100%) rename resources/atlantis/{host-manifests => }/sync-atlantis-secrets.yaml (100%) delete mode 100644 resources/oceanbox-cluster/network-policies/allow-hubble-oidc.yaml diff --git a/.gitignore b/.gitignore index e332f751..b26c0b08 100644 --- a/.gitignore +++ b/.gitignore 
@@ -1,2 +1,3 @@ _manifest.yaml _resources.yaml +*.tgz diff --git a/applications/atlantis-host-resources.yaml b/applications/atlantis-host-resources.yaml index 6b6facb2..2b046e83 100644 --- a/applications/atlantis-host-resources.yaml +++ b/applications/atlantis-host-resources.yaml @@ -1,36 +1,27 @@ apiVersion: argoproj.io/v1alpha1 kind: Application metadata: - name: atlantis-host-cluster-resources + name: atlantis-cluster-resources namespace: argocd # annotations: # close, but no cigar # argocd.argoproj.io/compare-options: ServerSideDiff=true,IncludeMutationWebhook=true spec: - project: aux + project: atlantis destination: server: https://kubernetes.default.svc syncPolicy: automated: prune: false selfHeal: false - ignoreDifferences: - - kind: Secret - name: prod-rabbitmq - jqPathExpressions: - - '.data' - - '.metadata.annotations.clone' - - '.metadata.labels' - - kind: Secret - name: prod-redis - jqPathExpressions: - - '.data' - - '.metadata.annotations.clone' - - '.metadata.labels' + # ignoreDifferences: + # - kind: Secret + # name: prod-rabbitmq + # jqPathExpressions: + # - '.data' + # - '.metadata.annotations.clone' + # - '.metadata.labels' sources: - repoURL: https://gitlab.com/oceanbox/manifests.git targetRevision: main - path: resources/atlantis/host-manifests - - repoURL: https://gitlab.com/oceanbox/manifests.git - targetRevision: main - path: 'resources/atlantis/manifests/prod' + path: resources/atlantis diff --git a/charts/atlantis/Chart.lock b/charts/atlantis/Chart.lock index f59631fa..be1c8e99 100644 --- a/charts/atlantis/Chart.lock +++ b/charts/atlantis/Chart.lock 
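Review bot: Renaming the Application to `atlantis-cluster-resources` while keeping `prune: false` leaves everything the old `atlantis-host-cluster-resources` Application created from the dropped paths in place — notably the cluster-scoped Kyverno ClusterPolicies `sync-rabbitmq-secrets`, `sync-redis-secrets` and `sync-prod-archmeister-replication-secrets` deleted further down, which keep generating cloned broker and Redis secrets until someone removes them by hand. Plan that cleanup explicitly (delete the old Application with its resources finalizer, or a one-off prune) and say so in the commit message. The move from project `aux` to `atlantis` also presumes the `atlantis` AppProject permits cluster-scoped kinds such as ClusterPolicy and this destination; that cannot be checked from the diff. The commented-out `ignoreDifferences` block is dead configuration — either drop it or replace it with a one-line `# ignoreDifferences was only needed while prod-rabbitmq/prod-redis were Kyverno clones; secrets are chart-managed now`.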
@@ -1,6 +1,6 @@
dependencies:
-- name: redis-stack-server
- repository: https://redis-stack.github.io/helm-redis-stack/
- version: 0.4.14
-digest: sha256:ed6bf447567c0d92030bffebc947801c67cb4e9b4dd95680c35a0b5f6b23d71f
-generated: "2024-10-04T11:54:47.575418518+02:00"
+- name: redis
+ repository: https://charts.bitnami.com/bitnami
+ version: 20.1.7
+digest: sha256:9c9be148366bb3d50f7394ba5a33e1a00a087b5ed61d2bcf1faec9b369e76582
+generated: "2024-10-08T13:21:10.374993273+02:00"
diff --git a/charts/atlantis/Chart.yaml b/charts/atlantis/Chart.yaml
index 665076d1..9039db31 100644
--- a/charts/atlantis/Chart.yaml
+++ b/charts/atlantis/Chart.yaml
@@ -5,8 +5,8 @@ type: application
version: v2.87.1
appVersion: v2.87.1
dependencies:
- - name: redis-stack-server
- version: 0.4.14
- repository: https://redis-stack.github.io/helm-redis-stack/
+ - name: redis
+ version: 20.1.7
+ repository: https://charts.bitnami.com/bitnami
condition: redis.enabled
alias: redis
diff --git a/charts/atlantis/charts/redis-stack-server-0.4.14.tgz b/charts/atlantis/charts/redis-stack-server-0.4.14.tgz deleted file mode 100644 index 4a9981fd4e5f212fac8f10f6eaef93d74c3dba65..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1367 zcmV-d1*rNTiwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PI*_Z`(Ey&$B+oL0EydgJj8e>`uTQf^6u9wQ0}{ErwwTXz3Ia zr6`r8+!~I*`@lbv=)cRW&HMr9xsN#6w$#SBI7d`g50=cHgK z4?|HDMWf-+{64o%_I;%ryc;wbIPfjC$Lx^3&w-dj{H|xRE#K;z3VBm3WW?+ z^*N>Bp8OvS2b=jn9>o1){(lKtEP7A9Uq4oaXP~ACx*kB8n{RW>hu+iPa_KD=0c4m{ zjxPCa%!HcXhhW7)YNjBxJ>-QJ7QV6PiROGYLm_B}a0^P*JcZG~eA42o&U5+^{J;k% z3wfqLJ%jLEAW;aU)sWYW&Eb7b7|khWy1g*iL+>qG*@j!Rf3vQ36Cdp7;IS6D(q;p$Zaz!YYu0Jwk zRKW+z7)%gqsc}jm2E0SN*SVT+-N7_({n<>mK6Na2&L84)CR;f_82ri4hi~c%W9tbk zBz$e%WY;!0*9JckTqP)1Irxuc@JRX_vaHg>Lu~iwTHtkdRA-87VD)aAU3DR1xfq!s zyJu$&=W1Iw&FOmDe!H$5Zq4~gQUw1;AN*_o(^IJ|ijrHDaz9GTV_{B_6``E=4DtjP z3!pq@b++5E(5l|eBavaMO7X&p4?B_L%sp%GA$pEfRrs#W*pQaJ_6D(7>{xOO@9R?G zhWXo43c|?^X2E1`1vOE0gJ zT>bM3R3syc=$oG{Qob%TowFa7OW#e(itMUGW?1JExQeNTf$rDtkfxif#9bN%JX{dRung(k&(U(#4_;gWbcv%Xiua&MO-v=WI0^DHH|e=H2hP zASqs=pk;Q2X~{F0KpZ(f*D|7LwFLWP&XRkO*l(#}g5@&V&!)&t6G5%$%bKyvlF@XY zz#02M=CYk{1GItLnsE7v@oK3PwU%Zjs|$Ro&%TZ{mOX1XM5nm|wQo7b#9XM`4i zHWl5b)8^)`$?NVNNmG>aWtpK&;BW9>Bgx(hs_+$0(T9H=n|rA_XGF@2rkB}c`r4b% z$_D~vS&I}qwhDY-qwHGWc^5iJ32e6{JD8itr4^X=xk-1is{D%->>vTRKzW8-!L#qK Zl{nIoj`WSuzX1RM|Nm@inXCXF000Zikk$YI diff --git a/charts/atlantis/templates/cluster.yaml b/charts/atlantis/templates/cluster.yaml index 194c80d3..57c19e7b 100644 --- a/charts/atlantis/templates/cluster.yaml +++ b/charts/atlantis/templates/cluster.yaml @@ -3,6 +3,7 @@ apiVersion: postgresql.cnpg.io/v1 kind: Cluster metadata: name: {{ include "Atlantis.fullname" . }}-db + namespace: {{ .Release.Namespace }} annotations: linkerd.io/inject: disabled labels: diff --git a/charts/atlantis/templates/deployment.yaml b/charts/atlantis/templates/deployment.yaml index 14ff716d..e599553f 100644 
--- a/charts/atlantis/templates/deployment.yaml
+++ b/charts/atlantis/templates/deployment.yaml
@@ -2,6 +2,7 @@ apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "Atlantis.fullname" . }}
+ namespace: {{ .Release.Namespace }}
labels:
{{- include "Atlantis.labels" . | nindent 4 }}
spec:
diff --git a/charts/atlantis/templates/hpa.yaml b/charts/atlantis/templates/hpa.yaml
index 88ff2c11..ec33d8b1 100644
--- a/charts/atlantis/templates/hpa.yaml
+++ b/charts/atlantis/templates/hpa.yaml
@@ -3,6 +3,7 @@ apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
name: {{ include "Atlantis.fullname" . }}
+ namespace: {{ .Release.Namespace }}
labels:
{{- include "Atlantis.labels" . | nindent 4 }}
spec:
diff --git a/charts/atlantis/templates/ingress.yaml b/charts/atlantis/templates/ingress.yaml
index 588939f4..3a22ec67 100644
--- a/charts/atlantis/templates/ingress.yaml
+++ b/charts/atlantis/templates/ingress.yaml
@@ -16,6 +16,7 @@ apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: {{ $fullName }}
+ namespace: {{ .Release.Namespace }}
labels:
{{- include "Atlantis.labels" . | nindent 4 }}
{{- with .Values.ingress.annotations }}
diff --git a/charts/atlantis/templates/networkpolicies.yaml b/charts/atlantis/templates/networkpolicies.yaml
new file mode 100644
index 00000000..5b5611cd
--- /dev/null
+++ b/charts/atlantis/templates/networkpolicies.yaml
@@ -0,0 +1,26 @@ +apiVersion: cilium.io/v2 +kind: CiliumNetworkPolicy +metadata: + name: allow-atlantis-services + namespace: {{ .Release.Namespace }} +spec: + egress: + - toEndpoints: + - matchLabels: + k8s:io.kubernetes.pod.namespace: dapr-system + - toEndpoints: + - matchLabels: + k8s:io.kubernetes.pod.namespace: {{ .Values.rabbitmq.namespace | default "rabbitmq" }} + - toEndpoints: + - matchLabels: + k8s:io.kubernetes.pod.namespace: {{ .Values.tracing.namespace | default "otel" }} + - toFQDNs: + - matchName: '*.oceanbox.io' + - matchName: api.github.com + - matchName: dapr.github.io + - matchName: gitlab.com + - matchPattern: '*.gitlab.com' + - matchPattern: "*.k1.itpartner.no" + - matchName: analytics.loft.rocks + endpointSelector: + matchLabels: {} diff --git a/resources/atlantis/manifests/prod/pubsub-rabbitmq.yaml b/charts/atlantis/templates/pubsub.yaml similarity index 80% rename from resources/atlantis/manifests/prod/pubsub-rabbitmq.yaml rename to charts/atlantis/templates/pubsub.yaml index 35248e0c..9e1d1086 100644 --- a/resources/atlantis/manifests/prod/pubsub-rabbitmq.yaml +++ b/charts/atlantis/templates/pubsub.yaml @@ -2,21 +2,21 @@ apiVersion: dapr.io/v1alpha1 kind: Component metadata: name: pubsub - namespace: atlantis + namespace: {{ .Release.Namespace }} spec: - type: pubsub.rabbitmq version: v1 + type: pubsub.rabbitmq metadata: - name: hostname - value: prod-rabbitmq.rabbitmq.svc - - name: protocol - value: amqp + value: {{ .Values.rabbitmq.service }}.{{ .Values.rabbitmq.namespace | default "rabbitmq" }} - name: username - value: user + value: {{ .Values.rabbitmq.username }} - name: password secretKeyRef: - name: prod-rabbitmq + name: {{ .Values.rabbitmq.secretName | default (printf "%s-rabbitmq" .Release.Name) }} key: rabbitmq-password + - name: protocol + value: amqp - name: durable value: true - name: deletedWhenUnused diff --git a/charts/atlantis/templates/pvc.yaml b/charts/atlantis/templates/pvc.yaml index 2e9d6b11..085a7a65 100644 
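Review bot: `- matchName: '*.oceanbox.io'` in the new `toFQDNs` rule is not a wildcard: Cilium's `matchName` is an exact FQDN match and, as far as I know, its CRD validation does not accept `*`, so the policy is likely to be rejected at apply time. The explicit idp/auth/hipster hosts in the deleted `allow-atlantis-external-services` policy are what this entry replaces; prefer restoring that explicit list over `- matchPattern: '*.oceanbox.io'`, since the pattern also admits every other host under the domain. Separately, the in-chart Redis now runs in `.Release.Namespace`, and this egress policy — which selects every pod in the namespace through `matchLabels: {}` — carries no `toEndpoints` rule for the release namespace itself; unless another policy already permits intra-namespace egress, the Dapr state store cannot reach `{{ .Release.Name }}-redis-master`. A `toEndpoints` entry with `k8s:io.kubernetes.pod.namespace: {{ .Release.Namespace }}` would make that dependency explicit.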
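Review bot: The templated `value:` entries for the RabbitMQ host, username and secret name are rendered as plain scalars, so an unset value becomes `null` and a boolean-looking one changes type instead of failing; pipe them through `quote` and make the broker mandatory, e.g. `value: {{ printf "%s.%s" (required "rabbitmq.service must be set" .Values.rabbitmq.service) (.Values.rabbitmq.namespace | default "rabbitmq") | quote }}`. The component still speaks plain `amqp` to a broker in another namespace, so the password from `rabbitmq-password` crosses the cluster network unencrypted — unchanged behaviour, but worth a `# TLS: amqps not configured, relies on in-cluster network trust` comment now that the host is parameterised. The remaining metadata entries (durable, deletedWhenUnused, …) continue past the hunk.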
--- a/charts/atlantis/templates/pvc.yaml
+++ b/charts/atlantis/templates/pvc.yaml
@@ -3,6 +3,7 @@ kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: {{ template "Atlantis.fullname" . }}
+ namespace: {{ .Release.Namespace }}
{{- with .Values.persistence.annotations }}
annotations:
{{ toYaml . | indent 4 }}
diff --git a/charts/atlantis/templates/secrets.yaml b/charts/atlantis/templates/secrets.yaml
index 6acba356..6cab650e 100644
--- a/charts/atlantis/templates/secrets.yaml
+++ b/charts/atlantis/templates/secrets.yaml
@@ -4,6 +4,7 @@ metadata:
annotations:
kyverno/clone: "true"
name: {{ .Release.Name }}-rabbitmq
+ namespace: {{ .Release.Namespace }}
type: Opaque
data:
---
@@ -25,6 +26,7 @@ metadata:
annotations:
kyverno/clone: "true"
name: {{ include "Atlantis.fullname" . }}-db-superuser
+ namespace: {{ .Release.Namespace }}
type: kubernetes.io/basic-auth
data:
username:
@@ -48,6 +50,7 @@ metadata:
annotations:
kyverno/clone: "true"
name: {{ .Values.cluster.bootstrap.source.db }}-ca
+ namespace: {{ .Release.Namespace }}
data:
ca.crt: ""
ca.key: ""
diff --git a/charts/atlantis/templates/service.yaml b/charts/atlantis/templates/service.yaml
index de02894a..d1a4187b 100644
--- a/charts/atlantis/templates/service.yaml
+++ b/charts/atlantis/templates/service.yaml
@@ -2,6 +2,7 @@ apiVersion: v1
kind: Service
metadata:
name: {{ include "Atlantis.fullname" . }}
+ namespace: {{ .Release.Namespace }}
labels:
{{- include "Atlantis.labels" . | nindent 4 }}
spec:
diff --git a/charts/atlantis/templates/serviceaccount.yaml b/charts/atlantis/templates/serviceaccount.yaml
index b665c29a..b9876e83 100644
--- a/charts/atlantis/templates/serviceaccount.yaml
+++ b/charts/atlantis/templates/serviceaccount.yaml
@@ -3,6 +3,7 @@ apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "Atlantis.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
labels:
{{- include "Atlantis.labels" . | nindent 4 }}
{{- with .Values.serviceAccount.annotations }}
diff --git a/resources/atlantis/manifests/prod/state-redis.yaml b/charts/atlantis/templates/statestore.yaml similarity index 64% rename from resources/atlantis/manifests/prod/state-redis.yaml rename to charts/atlantis/templates/statestore.yaml index 70ecd0fc..edd38238 100644 --- a/resources/atlantis/manifests/prod/state-redis.yaml +++ b/charts/atlantis/templates/statestore.yaml @@ -2,23 +2,21 @@ apiVersion: dapr.io/v1alpha1 kind: Component metadata: name: statestore - namespace: atlantis + namespace: {{ .Release.Namespace }} spec: type: state.redis version: v1 metadata: - name: redisHost - value: prod-redis-master.redis.svc:6379 + value: {{ .Release.Name }}-redis-master:6379 - name: redisUsername value: default - name: redisPassword secretKeyRef: - name: prod-redis + name: {{ .Release.Name }}-redis key: redis-password - name: actorStateStore value: "true" scopes: - - prod-atlantis - - prod-petimeter - - prod-hipster - - prod-archmeister + - atlantis + - {{ .Release.Name }}-atlantis diff --git a/kustomizations/atlantis/staging/subscriptions.yaml b/charts/atlantis/templates/subscriptions.yaml similarity index 72% rename from kustomizations/atlantis/staging/subscriptions.yaml rename to charts/atlantis/templates/subscriptions.yaml index 2ef6be6f..077a6b7f 100644 --- a/kustomizations/atlantis/staging/subscriptions.yaml +++ b/charts/atlantis/templates/subscriptions.yaml @@ -2,6 +2,7 @@ apiVersion: dapr.io/v2alpha1 kind: Subscription metadata: name: hipster-events + namespace: {{ .Release.Namespace }} spec: topic: hipster routes: @@ -10,12 +11,14 @@ spec: metadata: queueType: quorum scopes: -- staging-atlantis +- atlantis +- {{ .Release.Name}}-atlantis --- apiVersion: dapr.io/v2alpha1 kind: Subscription metadata: name: inbox-events + namespace: {{ .Release.Namespace }} spec: topic: inbox routes: @@ -24,4 +27,5 @@ spec: metadata: queueType: quorum scopes: -- staging-atlantis +- atlantis +- {{ .Release.Name}}-atlantis 
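Review bot: The `scopes` list shrinks from the four prod app IDs to `atlantis` and `{{ .Release.Name }}-atlantis`, so `prod-petimeter`, `prod-hipster` and `prod-archmeister` lose access to this state store — and, because `actorStateStore: "true"`, to their actor state — as soon as the chart is applied; nothing in this commit gives those apps a store of their own, so either that is intended under the per-app layout or the scopes need to come from a values list (name to be chosen) rendered with `range`. The host `{{ .Release.Name }}-redis-master:6379` and the secret `{{ .Release.Name }}-redis` are derived from the release name rather than from the subchart's own naming, which only holds while the dependency alias stays `redis` and no fullname override is set; a comment such as `# must match the Bitnami redis subchart's service/secret names (alias: redis)` would record that coupling. Quoting the host value (`| quote`) would also keep it a string if the port ever moves into values.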
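Review bot: `{{ .Release.Name}}-atlantis` (both Subscriptions in this file) drops the space before `}}` that every other template in the chart uses; it renders identically but `{{ .Release.Name }}-atlantis` keeps the templates consistent and greppable. The scopes here narrow in the same way as in statestore.yaml — from `staging-atlantis` to `atlantis` plus the release-derived ID — so whatever decision is taken about additional app IDs there applies to these Subscriptions as well.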
diff --git a/resources/atlantis/manifests/base/dapr-tracing.yaml b/charts/atlantis/templates/tracing.yaml similarity index 54% rename from resources/atlantis/manifests/base/dapr-tracing.yaml rename to charts/atlantis/templates/tracing.yaml index 7ded938d..5542b302 100644 --- a/resources/atlantis/manifests/base/dapr-tracing.yaml +++ b/charts/atlantis/templates/tracing.yaml @@ -2,10 +2,10 @@ apiVersion: dapr.io/v1alpha1 kind: Configuration metadata: name: tracing - namespace: atlantis + namespace: {{ .Release.Namespace }} spec: tracing: samplingRate: "1" zipkin: - endpointAddress: " http://opentelemetry-collector.otel.svc:9411/api/v2/spans" + endpointAddress: {{ .Values.tracing.endpoint }} diff --git a/charts/atlantis/values.yaml b/charts/atlantis/values.yaml index 84e346e5..bf31d691 100644 --- a/charts/atlantis/values.yaml +++ b/charts/atlantis/values.yaml @@ -3,21 +3,28 @@ # Declare variables to be passed into your templates. replicaCount: 1 + image: repository: registry.gitlab.com/oceanbox/atlantis tag: v2.87.1 pullPolicy: IfNotPresent + init: enabled: false image: ubuntu:rolling command: ["/bin/sh", "-c", "true"] + env: - name: LOG_LEVEL value: "3" + imagePullSecrets: - name: gitlab-pull-secret + nameOverride: "" + fullnameOverride: "" + serviceAccount: create: true # Annotations to add to the service account @@ -25,9 +32,12 @@ serviceAccount: # The name of the service account to use. # If not set and create is true, a name is generated using the fullname template name: "" + podAnnotations: {} + podSecurityContext: fsGroup: 2000 + securityContext: capabilities: drop: @@ -35,9 +45,11 @@ securityContext: readOnlyRootFilesystem: false runAsNonRoot: true runAsUser: 1000 + service: type: ClusterIP port: 8085 + ingress: enabled: false className: "nginx" @@ -53,11 +65,13 @@ ingress: - hosts: - atlantis.srv.oceanbox.io secretName: atlantis-tls + persistence: enabled: false size: 1G storageClass: "" accessMode: ReadWriteOnce + cluster: enabled: true instances: 1 
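Review bot: `endpointAddress: {{ .Values.tracing.endpoint }}` is rendered unquoted, so an unset value becomes `null` and a value containing `: ` or ` #` breaks the document; use `endpointAddress: {{ required "tracing.endpoint must be set" .Values.tracing.endpoint | quote }}`. The commit also silently fixes the leading space the old literal `" http://…"` carried, which changes runtime behaviour and deserves a mention in the commit message. `samplingRate: "1"` still traces every request; exposing it as `tracing.samplingRate` would let production lower it without editing the template.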
@@ -69,15 +83,53 @@ cluster: source: db: prod-archmeister namespace: atlantis + redis: enabled: true - name: redis-stack - redis_stack_server: - image: "redis/redis-stack-server" - tag: "7.4.0-v1" - replicas: 1 - storage_class: ceph-rbd - storage: 1Gi + image: + repository: redis/redis-stack-server + tag: 7.2.0-v10 + architecture: standalone + replica: + replicaCount: 1 + command: + - "/opt/redis-stack/bin/redis-server" + - "--loadmodule" + - "/opt/redis-stack/lib/redisearch.so" + - "MAXSEARCHRESULTS" + - "10000" + - "MAXAGGREGATERESULTS" + - "10000" + - "--loadmodule" + - "/opt/redis-stack/lib/rejson.so" + auth: + enabled: true + sentinel: true + password: "" + usePasswordFiles: false + existingSecretPasswordKey: "" + # existingSecret: staging-redis + master: + resources: + limits: + cpu: null + ephemeral-storage: 1024Mi + memory: 192Mi + requests: + cpu: 150m + ephemeral-storage: 50Mi + memory: 128Mi + +tracing: + namespace: otel + endpoint: "http://opentelemetry-collector.otel:9411/api/v2/spans" + +rabbitmq: + namespace: rabbitmq + service: staging-rabbitmq + username: user + # secretName: staging-rabbitmq + resources: {} # We usually recommend not to specify default resources and to leave this as a conscious # choice for the user. This also increases chances charts run on environments with little @@ -96,6 +148,7 @@ autoscaling: maxReplicas: 100 targetCPUUtilizationPercentage: 80 # targetMemoryUtilizationPercentage: 80 + nodeSelector: {} tolerations: [] affinity: {} diff --git a/kustomizations/atlantis/staging/kustomization.yaml b/kustomizations/atlantis/staging/kustomization.yaml index 4d1ef702..67328264 100644 --- a/kustomizations/atlantis/staging/kustomization.yaml +++ b/kustomizations/atlantis/staging/kustomization.yaml @@ -19,4 +19,3 @@ patches: path: deployment_patch.yaml resources: - ../base - - subscriptions.yaml 
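Review bot: `command:` sits directly under `redis:`, which as far as I know is not a key the Bitnami redis chart reads (the per-role keys are `master.command` / `replica.command`), so the redisearch/rejson modules are never loaded and the non-Bitnami `redis/redis-stack-server` image is started through Bitnami's own start script, which is unlikely to work in that image — verify with `helm template` against the rendered StatefulSet. Moving the list under `master:` has a second effect: it bypasses the start script that turns `auth.password` into `--requirepass`, so Redis could come up without a password while `auth.enabled: true` and the Dapr state store still send one; check the rendered container args before trusting `auth`. `auth.sentinel: true` is dead configuration under `architecture: standalone`. `rabbitmq.service: staging-rabbitmq` (and the commented `existingSecret: staging-redis`) bake an environment into the chart defaults, so a prod release that forgets to override silently publishes to the staging broker — leave `service` empty and `required` it in pubsub.yaml. `cpu: null` under `limits` reads as a typo; `# no CPU limit on purpose` would settle it.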
diff --git a/resources/atlantis/host-manifests/add-ingress-whitelist.yaml b/resources/atlantis/add-ingress-whitelist.yaml similarity index 100% rename from resources/atlantis/host-manifests/add-ingress-whitelist.yaml rename to resources/atlantis/add-ingress-whitelist.yaml diff --git a/resources/atlantis/host-manifests/allow-idp-external-access.yaml b/resources/atlantis/allow-idp-external-access.yaml similarity index 62% rename from resources/atlantis/host-manifests/allow-idp-external-access.yaml rename to resources/atlantis/allow-idp-external-access.yaml index 00101412..e53b0c85 100644 --- a/resources/atlantis/host-manifests/allow-idp-external-access.yaml +++ b/resources/atlantis/allow-idp-external-access.yaml @@ -1,8 +1,7 @@ -apiVersion: cilium.io/v2 +piVersion: cilium.io/v2 kind: CiliumNetworkPolicy metadata: name: allow-external-idp - namespace: idp spec: egress: - toFQDNs: @@ -11,8 +10,4 @@ spec: - matchName: s3.k1.itpartner.no - matchName: telemetry.cerbos.dev endpointSelector: {} - # matchExpressions: - # - key: app.kubernetes.io/name - # operator: In - # values: [ cerbos, dex ] diff --git a/resources/atlantis/host-manifests/sync-archmeister-secrets.yaml b/resources/atlantis/host-manifests/sync-archmeister-secrets.yaml deleted file mode 100644 index 3da81b3b..00000000 --- a/resources/atlantis/host-manifests/sync-archmeister-secrets.yaml +++ /dev/null 
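Review bot: `piVersion: cilium.io/v2` on the first line has lost the leading `a` of `apiVersion`, so the manifest carries no API version and will be rejected on apply — restore `apiVersion: cilium.io/v2`. Dropping `namespace: idp` at the same time means the policy lands in whatever namespace the Application's destination defaults to, and with `endpointSelector: {}` plus an egress-only rule set it turns egress default-deny for every pod in that namespace except the listed FQDNs — a far wider blast radius than the original `idp`-scoped policy. Keep the namespace explicit, and consider restoring the removed `matchExpressions` selector (cerbos, dex) so the policy only governs the IdP pods it was written for.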
@@ -1,40 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: sync-prod-archmeister-replication-secrets -spec: - background: true - generateExisting: true - rules: - - name: sync-archmeister-ca - generate: - apiVersion: v1 - kind: Secret - name: prod-archmeister-ca - namespace: '{{request.object.metadata.name}}' - synchronize: true - clone: - namespace: atlantis - name: prod-archmeister-ca - match: - resources: - kinds: - - Namespace - names: - - '*-vcluster' - - name: sync-archmeister-replication - generate: - apiVersion: v1 - kind: Secret - name: prod-archmeister-replication - namespace: '{{request.object.metadata.name}}' - synchronize: true - clone: - namespace: atlantis - name: prod-archmeister-replication - match: - resources: - kinds: - - Namespace - names: - - '*-vcluster' diff --git a/resources/atlantis/host-manifests/sync-rabbitmq-secrets.yaml b/resources/atlantis/host-manifests/sync-rabbitmq-secrets.yaml deleted file mode 100644 index ccaca192..00000000 --- a/resources/atlantis/host-manifests/sync-rabbitmq-secrets.yaml +++ /dev/null 
@@ -1,77 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: sync-rabbitmq-secrets -spec: - background: true - generateExisting: true - rules: - - name: add-rabbitmq-connstring - mutate: - patchStrategicMerge: - stringData: - connString: 'amqp://user:{{ request.object.data."rabbitmq-password" | base64_decode(@) }}@{{ request.object.metadata.labels."app.kubernetes.io/instance" }}.rabbitmq.svc' - match: - any: - - resources: - kinds: - - Secret - names: - - prod-rabbitmq - - staging-rabbitmq - namespaces: - - rabbitmq - - name: sync-prod-rabbitmq-secret - generate: - apiVersion: v1 - kind: Secret - name: '{{ request.object.metadata.name }}' - namespace: '{{ request.object.metadata.namespace }}' - synchronize: true - clone: - name: prod-rabbitmq - namespace: rabbitmq - match: - any: - - resources: - kinds: - - Secret - names: - - prod-rabbitmq - annotations: - clone: "true" - # exclude: - # any: - # - resources: - # kinds: - # - Secret - # selector: - # matchLabels: - # generate.kyverno.io/clone-source: "" - - name: sync-staging-rabbitmq-secret - generate: - apiVersion: v1 - kind: Secret - name: '{{ request.object.metadata.name }}' - namespace: '{{ request.object.metadata.namespace }}' - synchronize: true - clone: - name: staging-rabbitmq - namespace: rabbitmq - match: - any: - - resources: - kinds: - - Secret - names: - - staging-rabbitmq - annotations: - clone: "true" - # exclude: - # any: - # - resources: - # kinds: - # - Secret - # selector: - # matchLabels: - # generate.kyverno.io/clone-source: "" diff --git a/resources/atlantis/host-manifests/sync-redis-secrets.yaml b/resources/atlantis/host-manifests/sync-redis-secrets.yaml deleted file mode 100644 index 631bfd7f..00000000 --- a/resources/atlantis/host-manifests/sync-redis-secrets.yaml +++ /dev/null 
@@ -1,63 +0,0 @@ -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: sync-redis-secrets -spec: - background: true - generateExisting: true - rules: - - name: sync-prod-redis-secret - generate: - apiVersion: v1 - kind: Secret - name: '{{ request.object.metadata.name }}' - namespace: '{{ request.object.metadata.namespace }}' - synchronize: true - clone: - name: prod-redis - namespace: redis - match: - any: - - resources: - kinds: - - Secret - names: - - prod-redis - annotations: - clone: "true" - # exclude: - # any: - # - resources: - # kinds: - # - Secret - # selector: - # matchLabels: - # generate.kyverno.io/clone-source: "" - - name: sync-staging-redis-secret - generate: - apiVersion: v1 - kind: Secret - name: '{{ request.object.metadata.name }}' - namespace: '{{ request.object.metadata.namespace }}' - synchronize: true - clone: - name: staging-redis - namespace: redis - match: - any: - - resources: - kinds: - - Secret - names: - - staging-redis - annotations: - clone: "true" - # exclude: - # any: - # - resources: - # kinds: - # - Secret - # selector: - # matchLabels: - # generate.kyverno.io/clone-source: "" - diff --git a/resources/atlantis/manifests/base/allow-atlantis-external-services.yaml b/resources/atlantis/manifests/base/allow-atlantis-external-services.yaml deleted file mode 100644 index 79acff07..00000000 --- a/resources/atlantis/manifests/base/allow-atlantis-external-services.yaml +++ /dev/null 
@@ -1,22 +0,0 @@ -apiVersion: cilium.io/v2 -kind: CiliumNetworkPolicy -metadata: - name: allow-atlantis-external-services - namespace: atlantis -spec: - egress: - - toFQDNs: - - matchName: idp.oceanbox.io - - matchName: idp.srv.oceanbox.io - - matchName: idp.beta.oceanbox.io - - matchName: auth.srv.oceanbox.io - - matchName: auth.oceanbox.io - - matchName: hipster-slurmrestd.ekman.oceanbox.io - - matchName: api.github.com - - matchName: dapr.github.io - - matchName: gitlab.com - - matchPattern: '*.gitlab.com' - - matchPattern: "*.k1.itpartner.no" - - matchName: analytics.loft.rocks - endpointSelector: - matchLabels: {} diff --git a/resources/atlantis/manifests/base/allow-atlantis-services.yaml b/resources/atlantis/manifests/base/allow-atlantis-services.yaml deleted file mode 100644 index 3571a194..00000000 --- a/resources/atlantis/manifests/base/allow-atlantis-services.yaml +++ /dev/null @@ -1,21 +0,0 @@ -apiVersion: cilium.io/v2 -kind: CiliumNetworkPolicy -metadata: - name: allow-atlantis-services - namespace: atlantis -spec: - egress: - - toEndpoints: - - matchLabels: - k8s:io.kubernetes.pod.namespace: dapr-system - - toEndpoints: - - matchLabels: - k8s:io.kubernetes.pod.namespace: redis - - toEndpoints: - - matchLabels: - k8s:io.kubernetes.pod.namespace: rabbitmq - - toEndpoints: - - matchLabels: - k8s:io.kubernetes.pod.namespace: otel - endpointSelector: - matchLabels: {} diff --git a/resources/atlantis/manifests/base/kustomization.yaml b/resources/atlantis/manifests/base/kustomization.yaml deleted file mode 100644 index 64305774..00000000 --- a/resources/atlantis/manifests/base/kustomization.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - allow-atlantis-external-services.yaml - - allow-atlantis-services.yaml - - dapr-tracing.yaml 
diff --git a/resources/atlantis/manifests/prod/kustomization.yaml b/resources/atlantis/manifests/prod/kustomization.yaml deleted file mode 100644 index 1521940d..00000000 --- a/resources/atlantis/manifests/prod/kustomization.yaml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - secrets.yaml - - pubsub-rabbitmq.yaml - - state-redis.yaml - - ../base/ diff --git a/resources/atlantis/manifests/prod/secrets.yaml b/resources/atlantis/manifests/prod/secrets.yaml deleted file mode 100644 index bf4ca330..00000000 --- a/resources/atlantis/manifests/prod/secrets.yaml +++ /dev/null @@ -1,17 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - annotations: - clone: "true" - name: prod-redis - namespace: atlantis -type: Opaque ---- -apiVersion: v1 -kind: Secret -metadata: - annotations: - clone: "true" - name: prod-rabbitmq - namespace: atlantis -type: Opaque diff --git a/resources/atlantis/manifests/staging/kustomization.yaml b/resources/atlantis/manifests/staging/kustomization.yaml deleted file mode 100644 index 1521940d..00000000 --- a/resources/atlantis/manifests/staging/kustomization.yaml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - secrets.yaml - - pubsub-rabbitmq.yaml - - state-redis.yaml - - ../base/ diff --git a/resources/atlantis/manifests/staging/pubsub-rabbitmq.yaml b/resources/atlantis/manifests/staging/pubsub-rabbitmq.yaml deleted file mode 100644 index 5cda7a30..00000000 --- a/resources/atlantis/manifests/staging/pubsub-rabbitmq.yaml +++ /dev/null 
@@ -1,53 +0,0 @@ -apiVersion: dapr.io/v1alpha1 -kind: Component -metadata: - name: pubsub - namespace: atlantis -spec: - type: pubsub.rabbitmq - version: v1 - metadata: - - name: hostname - value: staging-rabbitmq.rabbitmq.svc - - name: protocol - value: amqp - - name: username - value: user - - name: password - secretKeyRef: - name: staging-rabbitmq - key: rabbitmq-password - - name: durable - value: true - - name: deletedWhenUnused - value: false - - name: autoAck - value: false - - name: deliveryMode - value: 1 - - name: requeueInFailure - value: false - - name: prefetchCount - value: 0 - - name: reconnectWait - value: 0 - - name: concurrencyMode - value: parallel - - name: publisherConfirm - value: false - - name: backOffPolicy - value: exponential - - name: backOffInitialInterval - value: 100 - - name: backOffMaxRetries - value: 16 - - name: enableDeadLetter # Optional enable dead Letter or not - value: true - - name: maxLen # Optional max message count in a queue - value: 3000 - - name: maxLenBytes # Optional maximum length in bytes of a queue. - value: 10485760 - - name: exchangeKind - value: fanout - - name: clientName - value: "{appID}" diff --git a/resources/atlantis/manifests/staging/secrets.yaml b/resources/atlantis/manifests/staging/secrets.yaml deleted file mode 100644 index 796c3bde..00000000 --- a/resources/atlantis/manifests/staging/secrets.yaml +++ /dev/null @@ -1,19 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - annotations: - clone: "true" - name: staging-redis - namespace: atlantis -type: Opaque -data: ---- -apiVersion: v1 -kind: Secret -metadata: - annotations: - clone: "true" - name: staging-rabbitmq - namespace: atlantis -type: Opaque -data: diff --git a/resources/atlantis/manifests/staging/state-redis.yaml b/resources/atlantis/manifests/staging/state-redis.yaml deleted file mode 100644 index 1393a511..00000000 --- a/resources/atlantis/manifests/staging/state-redis.yaml +++ /dev/null 
@@ -1,24 +0,0 @@ -apiVersion: dapr.io/v1alpha1 -kind: Component -metadata: - name: statestore - namespace: atlantis -spec: - type: state.redis - version: v1 - metadata: - - name: redisHost - value: staging-redis-master.redis.svc:6379 - - name: redisUsername - value: default - - name: redisPassword - secretKeyRef: - name: staging-redis - key: redis-password - - name: actorStateStore - value: "true" -# scopes: -# - staging-atlantis -# - staging-petimeter -# - staging-hipster -# - staging-archmeister diff --git a/resources/atlantis/host-manifests/remove-argocd-tracking-id.yaml b/resources/atlantis/remove-argocd-tracking-id.yaml similarity index 100% rename from resources/atlantis/host-manifests/remove-argocd-tracking-id.yaml rename to resources/atlantis/remove-argocd-tracking-id.yaml diff --git a/resources/atlantis/host-manifests/sync-atlantis-secrets.yaml b/resources/atlantis/sync-atlantis-secrets.yaml similarity index 100% rename from resources/atlantis/host-manifests/sync-atlantis-secrets.yaml rename to resources/atlantis/sync-atlantis-secrets.yaml diff --git a/resources/oceanbox-cluster/network-policies/allow-hubble-oidc.yaml b/resources/oceanbox-cluster/network-policies/allow-hubble-oidc.yaml deleted file mode 100644 index c10fa676..00000000 --- a/resources/oceanbox-cluster/network-policies/allow-hubble-oidc.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: cilium.io/v2 -kind: CiliumNetworkPolicy -metadata: - name: allow-hubble-oidc-login - namespace: kube-system -spec: - endpointSelector: - matchLabels: - k8s-app: oauth2-proxy - egress: - - toFQDNs: - - matchName: login.microsoftonline.com - - matchPattern: '*.microsoftonline.com'