feat: simplify charts, resources, kustomizations and applications for atlantis SPMSA

2024-10-08 16:54:58 +02:00
parent 2e00aceed1
commit eb2eebaa34
37 changed files with 136 additions and 428 deletions
@@ -1,8 +1,7 @@
-apiVersion: cilium.io/v2
+piVersion: cilium.io/v2
 kind: CiliumNetworkPolicy
 metadata:
  name: allow-external-idp
-  namespace: idp
 spec:
  egress:
  - toFQDNs:
@@ -11,8 +10,4 @@ spec:
    - matchName: s3.k1.itpartner.no
    - matchName: telemetry.cerbos.dev
  endpointSelector: {}
-    # matchExpressions:
-    #   - key: app.kubernetes.io/name
-    #     operator: In
-    #     values: [ cerbos, dex ]

@@ -1,40 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
-  name: sync-prod-archmeister-replication-secrets
-spec:
-  background: true
-  generateExisting: true
-  rules:
-  - name: sync-archmeister-ca
-    generate:
-      apiVersion: v1
-      kind: Secret
-      name: prod-archmeister-ca
-      namespace: '{{request.object.metadata.name}}'
-      synchronize: true
-      clone:
-        namespace: atlantis
-        name: prod-archmeister-ca
-    match:
-      resources:
-        kinds:
-        - Namespace
-        names:
-        - '*-vcluster'
-  - name: sync-archmeister-replication
-    generate:
-      apiVersion: v1
-      kind: Secret
-      name: prod-archmeister-replication
-      namespace: '{{request.object.metadata.name}}'
-      synchronize: true
-      clone:
-        namespace: atlantis
-        name: prod-archmeister-replication
-    match:
-      resources:
-        kinds:
-        - Namespace
-        names:
-        - '*-vcluster'
@@ -1,77 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
-  name: sync-rabbitmq-secrets
-spec:
-  background: true
-  generateExisting: true
-  rules:
-  - name: add-rabbitmq-connstring
-    mutate:
-      patchStrategicMerge:
-        stringData:
-          connString: 'amqp://user:{{ request.object.data."rabbitmq-password" | base64_decode(@) }}@{{ request.object.metadata.labels."app.kubernetes.io/instance" }}.rabbitmq.svc'
-    match:
-     any:
-       - resources:
-           kinds:
-           - Secret
-           names:
-           - prod-rabbitmq
-           - staging-rabbitmq
-           namespaces:
-           - rabbitmq
-  - name: sync-prod-rabbitmq-secret
-    generate:
-      apiVersion: v1
-      kind: Secret
-      name: '{{ request.object.metadata.name }}'
-      namespace: '{{ request.object.metadata.namespace }}'
-      synchronize: true
-      clone:
-        name: prod-rabbitmq
-        namespace: rabbitmq
-    match:
-     any:
-     - resources:
-         kinds:
-         - Secret
-         names:
-         - prod-rabbitmq
-         annotations:
-           clone: "true"
-    # exclude:
-    #  any:
-    #  - resources:
-    #      kinds:
-    #      - Secret
-    #      selector:
-    #        matchLabels:
-    #          generate.kyverno.io/clone-source: ""
-  - name: sync-staging-rabbitmq-secret
-    generate:
-      apiVersion: v1
-      kind: Secret
-      name: '{{ request.object.metadata.name }}'
-      namespace: '{{ request.object.metadata.namespace }}'
-      synchronize: true
-      clone:
-        name: staging-rabbitmq
-        namespace: rabbitmq
-    match:
-     any:
-     - resources:
-         kinds:
-         - Secret
-         names:
-         - staging-rabbitmq
-         annotations:
-           clone: "true"
-    # exclude:
-    #  any:
-    #  - resources:
-    #      kinds:
-    #      - Secret
-    #      selector:
-    #        matchLabels:
-    #          generate.kyverno.io/clone-source: ""
@@ -1,63 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
-  name: sync-redis-secrets
-spec:
-  background: true
-  generateExisting: true
-  rules:
-  - name: sync-prod-redis-secret
-    generate:
-      apiVersion: v1
-      kind: Secret
-      name: '{{ request.object.metadata.name }}'
-      namespace: '{{ request.object.metadata.namespace }}'
-      synchronize: true
-      clone:
-        name: prod-redis
-        namespace: redis
-    match:
-     any:
-     - resources:
-         kinds:
-         - Secret
-         names:
-         - prod-redis
-         annotations:
-           clone: "true"
-    # exclude:
-    #  any:
-    #  - resources:
-    #      kinds:
-    #      - Secret
-    #      selector:
-    #        matchLabels:
-    #          generate.kyverno.io/clone-source: ""
-  - name: sync-staging-redis-secret
-    generate:
-      apiVersion: v1
-      kind: Secret
-      name: '{{ request.object.metadata.name }}'
-      namespace: '{{ request.object.metadata.namespace }}'
-      synchronize: true
-      clone:
-        name: staging-redis
-        namespace: redis
-    match:
-     any:
-     - resources:
-         kinds:
-         - Secret
-         names:
-         - staging-redis
-         annotations:
-           clone: "true"
-    # exclude:
-    #  any:
-    #  - resources:
-    #      kinds:
-    #      - Secret
-    #      selector:
-    #        matchLabels:
-    #          generate.kyverno.io/clone-source: ""
-
@@ -1,22 +0,0 @@
-apiVersion: cilium.io/v2
-kind: CiliumNetworkPolicy
-metadata:
-  name: allow-atlantis-external-services
-  namespace: atlantis
-spec:
-  egress:
-  - toFQDNs:
-    - matchName: idp.oceanbox.io
-    - matchName: idp.srv.oceanbox.io
-    - matchName: idp.beta.oceanbox.io
-    - matchName: auth.srv.oceanbox.io
-    - matchName: auth.oceanbox.io
-    - matchName: hipster-slurmrestd.ekman.oceanbox.io
-    - matchName: api.github.com
-    - matchName: dapr.github.io
-    - matchName: gitlab.com
-    - matchPattern: '*.gitlab.com'
-    - matchPattern: "*.k1.itpartner.no"
-    - matchName: analytics.loft.rocks
-  endpointSelector:
-    matchLabels: {}
@@ -1,21 +0,0 @@
-apiVersion: cilium.io/v2
-kind: CiliumNetworkPolicy
-metadata:
-  name: allow-atlantis-services
-  namespace: atlantis
-spec:
-  egress:
-  - toEndpoints:
-    - matchLabels:
-        k8s:io.kubernetes.pod.namespace: dapr-system
-  - toEndpoints:
-    - matchLabels:
-        k8s:io.kubernetes.pod.namespace: redis
-  - toEndpoints:
-    - matchLabels:
-        k8s:io.kubernetes.pod.namespace: rabbitmq
-  - toEndpoints:
-    - matchLabels:
-        k8s:io.kubernetes.pod.namespace: otel
-  endpointSelector:
-    matchLabels: {}
@@ -1,11 +0,0 @@
-apiVersion: dapr.io/v1alpha1
-kind: Configuration
-metadata:
-  name: tracing
-  namespace: atlantis
-spec:
-  tracing:
-    samplingRate: "1"
-    zipkin:
-      endpointAddress: " http://opentelemetry-collector.otel.svc:9411/api/v2/spans"
-
@@ -1,6 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-  - allow-atlantis-external-services.yaml
-  - allow-atlantis-services.yaml
-  - dapr-tracing.yaml
@@ -1,7 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-  - secrets.yaml
-  - pubsub-rabbitmq.yaml
-  - state-redis.yaml
-  - ../base/
@@ -1,54 +0,0 @@
-apiVersion: dapr.io/v1alpha1
-kind: Component
-metadata:
-  name: pubsub
-  namespace: atlantis
-spec:
-  type: pubsub.rabbitmq
-  version: v1
-  metadata:
-  - name: hostname
-    value: prod-rabbitmq.rabbitmq.svc
-  - name: protocol
-    value: amqp
-  - name: username
-    value: user
-  - name: password
-    secretKeyRef:
-      name: prod-rabbitmq
-      key:  rabbitmq-password
-  - name: durable
-    value: true
-  - name: deletedWhenUnused
-    value: false
-  - name: autoAck
-    value: false
-  - name: deliveryMode
-    value: 1
-  - name: requeueInFailure
-    value: false
-  - name: prefetchCount
-    value: 0
-  - name: reconnectWait
-    value: 0
-  - name: concurrencyMode
-    value: parallel
-  - name: publisherConfirm
-    value: false
-  - name: backOffPolicy
-    value: exponential
-  - name: backOffInitialInterval
-    value: 100
-  - name: backOffMaxRetries
-    value: 16
-  - name: enableDeadLetter # Optional enable dead Letter or not
-    value: true
-  - name: maxLen # Optional max message count in a queue
-    value: 3000
-  - name: maxLenBytes # Optional maximum length in bytes of a queue.
-    value: 10485760
-  - name: exchangeKind
-    value: fanout
-  - name: clientName
-    value: "{appID}"
-
@@ -1,17 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-  annotations:
-    clone: "true"
-  name: prod-redis
-  namespace: atlantis
-type: Opaque
---
-apiVersion: v1
-kind: Secret
-metadata:
-  annotations:
-    clone: "true"
-  name: prod-rabbitmq
-  namespace: atlantis
-type: Opaque
@@ -1,24 +0,0 @@
-apiVersion: dapr.io/v1alpha1
-kind: Component
-metadata:
-  name: statestore
-  namespace: atlantis
-spec:
-  type: state.redis
-  version: v1
-  metadata:
-  - name: redisHost
-    value: prod-redis-master.redis.svc:6379
-  - name: redisUsername
-    value: default
-  - name: redisPassword
-    secretKeyRef:
-      name: prod-redis
-      key:  redis-password
-  - name: actorStateStore
-    value: "true"
-scopes:
-  - prod-atlantis
-  - prod-petimeter
-  - prod-hipster
-  - prod-archmeister
@@ -1,7 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-  - secrets.yaml
-  - pubsub-rabbitmq.yaml
-  - state-redis.yaml
-  - ../base/
@@ -1,53 +0,0 @@
-apiVersion: dapr.io/v1alpha1
-kind: Component
-metadata:
-  name: pubsub
-  namespace: atlantis
-spec:
-  type: pubsub.rabbitmq
-  version: v1
-  metadata:
-  - name: hostname
-    value: staging-rabbitmq.rabbitmq.svc
-  - name: protocol
-    value: amqp
-  - name: username
-    value: user
-  - name: password
-    secretKeyRef:
-      name: staging-rabbitmq
-      key:  rabbitmq-password
-  - name: durable
-    value: true
-  - name: deletedWhenUnused
-    value: false
-  - name: autoAck
-    value: false
-  - name: deliveryMode
-    value: 1
-  - name: requeueInFailure
-    value: false
-  - name: prefetchCount
-    value: 0
-  - name: reconnectWait
-    value: 0
-  - name: concurrencyMode
-    value: parallel
-  - name: publisherConfirm
-    value: false
-  - name: backOffPolicy
-    value: exponential
-  - name: backOffInitialInterval
-    value: 100
-  - name: backOffMaxRetries
-    value: 16
-  - name: enableDeadLetter # Optional enable dead Letter or not
-    value: true
-  - name: maxLen # Optional max message count in a queue
-    value: 3000
-  - name: maxLenBytes # Optional maximum length in bytes of a queue.
-    value: 10485760
-  - name: exchangeKind
-    value: fanout
-  - name: clientName
-    value: "{appID}"
@@ -1,19 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-  annotations:
-    clone: "true"
-  name: staging-redis
-  namespace: atlantis
-type: Opaque
-data:
---
-apiVersion: v1
-kind: Secret
-metadata:
-  annotations:
-    clone: "true"
-  name: staging-rabbitmq
-  namespace: atlantis
-type: Opaque
-data:
@@ -1,24 +0,0 @@
-apiVersion: dapr.io/v1alpha1
-kind: Component
-metadata:
-  name: statestore
-  namespace: atlantis
-spec:
-  type: state.redis
-  version: v1
-  metadata:
-  - name: redisHost
-    value: staging-redis-master.redis.svc:6379
-  - name: redisUsername
-    value: default
-  - name: redisPassword
-    secretKeyRef:
-      name: staging-redis
-      key:  redis-password
-  - name: actorStateStore
-    value: "true"
-# scopes:
-#   - staging-atlantis
-#   - staging-petimeter
-#   - staging-hipster
-#   - staging-archmeister
@@ -1,13 +0,0 @@
-apiVersion: cilium.io/v2
-kind: CiliumNetworkPolicy
-metadata:
-  name: allow-hubble-oidc-login
-  namespace: kube-system
-spec:
-  endpointSelector:
-    matchLabels:
-      k8s-app: oauth2-proxy
-  egress:
-  - toFQDNs:
-    - matchName: login.microsoftonline.com
-    - matchPattern: '*.microsoftonline.com'