fix: fix amqp password

network policy for csi-addons controller

See merge request oceanbox/manifests!1

.envrc

@@ -0,0 +1 @@
+use nix

.gitignore

@@ -1,2 +1,6 @@
+*.tgz
+_*/
+.direnv/
+.pre-commit-config.yaml
 _manifest.yaml
 _resources.yaml

.gitlab-ci.yml

@@ -14,8 +14,8 @@ release:
   script:
     - |
       cd $CI_PROJECT_DIR
-      for i in $(git show --pretty="" --name-only | grep '^[^/]*/chart/Chart.yaml' | cut -d/ -f1); do
+      for i in $(git show --pretty="" --name-only | grep '^charts/.*/Chart.yaml' | cut -d/ -f2); do
-        pack=$(helm package $i/chart | sed 's/Success.*: \(.*\)/\1/')
+        pack=$(helm package ./charts/$i | sed 's/Success.*: \(.*\)/\1/')
         if [ ! -z $pack ]; then
           chart=$(basename $pack)
           curl --request POST \
@@ -33,8 +33,8 @@ rebuild:
   script:
     - |
       cd $CI_PROJECT_DIR
-      for i in $(find -maxdepth 3 -name Chart.yaml | cut -d/ -f2); do
+      for i in $(find ./charts -maxdepth 2 -name Chart.yaml | cut -d/ -f3); do
-        pack=$(helm package $i/chart | sed 's/Success.*: \(.*\)/\1/')
+        pack=$(helm package ./charts/$i | sed 's/Success.*: \(.*\)/\1/')
         if [ ! -z $pack ]; then
           chart=$(basename $pack)
           curl --request POST \

applications/atlantis-host-resources.yaml

@@ -1,16 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: atlantis-host-cluster-resources
-  namespace: argocd
-spec:
-  project: atlantis
-  destination:
-    server: https://kubernetes.default.svc
-  syncPolicy:
-    automated: {}
-  source:
-    repoURL: https://gitlab.com/oceanbox/manifests.git
-    targetRevision: dev
-    path: resources/atlantis/host-manifests
-

applications/atlantis-resources.yaml

@@ -1,27 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: ApplicationSet
-metadata:
-  name: atlantis-resources
-  namespace: argocd
-spec:
-  generators:
-  - list:
-      elements:
-      - cluster: https://kubernetes.default.svc
-        env: prod
-      - cluster: https://staging-vcluster.staging-vcluster:443
-        env: staging
-  template:
-    metadata:
-      name: '{{ env }}-atlantis-resources'
-    spec:
-      project: atlantis
-      syncPolicy:
-        automated: {}
-      destination:
-        server: '{{ cluster }}'
-        namespace: atlantis
-      sources:
-      - repoURL: https://gitlab.com/oceanbox/manifests.git
-        targetRevision: dev
-        path: 'resources/atlantis/manifests/{{ env }}'

applications/redis.yaml

@@ -1,46 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: ApplicationSet
-metadata:
-  name: redis
-  namespace: argocd
-spec:
-  generators:
-  - list:
-      elements:
-      - cluster: https://kubernetes.default.svc
-        env: prod
-        hostname: redis.srv.oceanbox.io
-      - cluster: https://kubernetes.default.svc
-        env: staging
-        hostname: redis.beta.oceanbox.io
-  template:
-    metadata:
-      name: '{{ env }}-redis'
-    spec:
-      project: atlantis
-      destination:
-        server: https://kubernetes.default.svc
-        namespace: redis
-      sources:
-        # - repoURL: https://charts.bitnami.com/bitnami
-        #   targetRevision: 18.9.1
-        #   chart: redis
-        #   helm:
-        #     valueFiles:
-        #       - $values/redis/values.yaml
-        # - repoURL: https://gitlab.com/oceanbox/manifests.git
-        #   targetRevision: HEAD
-        #   path: charts/redis/{{ env }}
-        #   ref: values
-        - repoURL: https://gitlab.com/oceanbox/manifests.git
-          targetRevision: dev
-          path: charts/redis
-          plugin:
-            name: kustomize-helm-with-rewrite
-            parameters:
-            - name: env
-              string: '{{ env }}'
-            - name: hostname
-              string: '{{ hostname }}'
-            - name: chart
-              string: bitnami/redis

apps/archmeister.yaml

@@ -13,11 +13,11 @@ spec:
         hostname: archmeister.srv.oceanbox.io
         autoSync: false
         prune: true
-      - cluster: https://staging-vcluster.staging-vcluster:443
+      # - cluster: https://staging-vcluster.staging-vcluster
-        env: staging
+      #   env: staging
-        hostname: archmeister.beta.oceanbox.io
+      #   hostname: archmeister.beta.oceanbox.io
-        autoSync: true
+      #   autoSync: true
-        prune: true
+      #   prune: true
   template:
     metadata:
       name: "{{ .env }}-archmeister"
@@ -28,8 +28,8 @@ spec:
         server: "{{ .cluster }}"
       sources:
       - repoURL: https://gitlab.com/oceanbox/manifests.git
-        targetRevision: dev
+        targetRevision: main
-        path: charts/archmeister
+        path: values/archmeister
         plugin:
           name: kustomize-helm-with-rewrite
           parameters:
@@ -43,4 +43,5 @@ spec:
       syncPolicy:
         automated:
           prune: {{ .prune }}
+          selfHeal: false
     {{- end }}

apps/atlantis-host-resources.yaml

@@ -0,0 +1,27 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: atlantis-cluster-resources
+  namespace: argocd
+  # annotations: # close, but no cigar
+  #   argocd.argoproj.io/compare-options: ServerSideDiff=true,IncludeMutationWebhook=true
+spec:
+  project: atlantis
+  destination:
+    server: https://kubernetes.default.svc
+  syncPolicy:
+    automated:
+      prune: false
+      selfHeal: false
+  # ignoreDifferences:
+  #   - kind: Secret
+  #     name: prod-rabbitmq
+  #     jqPathExpressions:
+  #       - '.data'
+  #       - '.metadata.annotations.clone'
+  #       - '.metadata.labels'
+  sources:
+  - repoURL: https://gitlab.com/oceanbox/manifests.git
+    targetRevision: main
+    path: resources/atlantis
+

apps/atlantis-resources.yaml

@@ -0,0 +1,41 @@
+# Currently not in use. Configured via the create-vcluster script.
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: atlantis-resources
+  namespace: argocd
+spec:
+  goTemplate: true
+  generators:
+  - list:
+      elements:
+      - cluster: https://kubernetes.default.svc
+        env: prod
+        autoSync: false
+        prune: false
+      # - cluster: https://staging-vcluster.staging-vcluster
+      #   env: staging
+      #   autoSync: false
+      #   prune: false
+  template:
+    metadata:
+      name: "{{ .env }}-atlantis-resources"
+    spec:
+      project: aux
+      syncPolicy:
+        automated: {}
+      destination:
+        server: "{{ .cluster }}"
+        namespace: atlantis
+      sources: {}
+      # - repoURL: https://gitlab.com/oceanbox/manifests.git
+      #   targetRevision: main
+      #   path: 'resources/atlantis/manifests/{{ env }}'
+  templatePatch: |
+    {{- if .autoSync }}
+    spec:
+      syncPolicy:
+        automated:
+          prune: {{ .prune }}
+          selfHeal: false
+    {{- end }}

apps/atlantis.nix

@@ -0,0 +1,51 @@
+{ lib, config, ... }:
+let
+  cfg = config.apps.atlantis;
+  env = config.apps.env;
+
+  values = lib.apps.appValues {
+    inherit env;
+    base = ../values/atlantis;
+    extraValues = {};
+  };
+
+  kustomize = r:
+    if r.kind == "Deployment" then
+      lib.attrsets.recursiveUpdate r {
+        spec.template.spec.containers =
+        builtins.map (x:
+        x // {
+            livenessProbe.httpGet.path = "/healthz";
+            readinessProble.httpGet.path = "/healthz";
+            env = x.env ++ [ { name = "INERNAL_PORT"; value = 8000; } ];
+        }) r.spec.template.spec.containers;
+      }
+      else if r.kind == "Service" then
+      {}
+    else r;
+in
+{
+  options.apps.atlantis = lib.apps.appOptions {
+      revision = lib.mkOption {
+        type = lib.types.str;
+        default = "main";
+        description = "Revision";
+      };
+
+      hostname = lib.mkOption {
+        type = lib.types.str;
+        default = if env == "prod"
+          then "maps.oceanbox.io"
+          else "atlantis.beta.oceanbox.io";
+        description = "Revision";
+      };
+  };
+
+  config = lib.apps.appConfig cfg "${env}-atlantis" {
+    helm.releases."${env}-atlantis" = {
+      inherit values;
+      chart = ../charts/atlantis;
+      transformer = rs: builtins.map (x: kustomize x) rs;
+    };
+  };
+}

apps/atlantis.yaml

@@ -13,11 +13,11 @@ spec:
         hostname: atlantis.srv.oceanbox.io
         autoSync: false
         prune: true
-      - cluster: https://staging-vcluster.staging-vcluster:443
+      # - cluster: https://staging-vcluster.staging-vcluster
-        env: staging
+      #   env: staging
-        hostname: atlantis.beta.oceanbox.io
+      #   hostname: atlantis.beta.oceanbox.io
-        autoSync: true
+      #   autoSync: true
-        prune: true
+      #   prune: true
   template:
     metadata:
       name: '{{ .env }}-atlantis'
@@ -28,8 +28,8 @@ spec:
         server: '{{ .cluster }}'
       sources:
       - repoURL: https://gitlab.com/oceanbox/manifests.git
-        targetRevision: dev
+        targetRevision: main
-        path: charts/atlantis
+        path: values/atlantis
         plugin:
           name: kustomize-helm-with-rewrite
           parameters:
@@ -37,13 +37,11 @@ spec:
             string: '{{ .env }}'
           - name: hostname
             string: '{{ .hostname }}'
-      - repoURL: https://gitlab.com/oceanbox/manifests.git
-        targetRevision: dev
-        path: charts/atlantis/manifests
   templatePatch: |
     {{- if .autoSync }}
     spec:
       syncPolicy:
         automated:
           prune: {{ .prune }}
+          selfHeal: false
     {{- end }}

apps/busynix.yaml

@@ -7,24 +7,24 @@ spec:
   generators:
   - list:
       elements:
-      - cluster: https://kubernetes.default.svc
+      # - cluster: https://kubernetes.default.svc
-        env: prod
+      #   env: prod
-        hostname: busynix.srv.oceanbox.io
+      #   hostname: busynix.srv.oceanbox.io
-      - cluster: https://staging-vcluster.staging-vcluster:443
+      - cluster: https://staging-vcluster.staging-vcluster
         env: staging
         hostname: busynix.beta.oceanbox.io
   template:
     metadata:
       name: '{{ env }}-busynix'
     spec:
-      project: atlantis
+      project: aux
       destination:
         namespace: default
         server: '{{ cluster }}'
       source:
         repoURL: https://gitlab.com/oceanbox/manifests.git
-        targetRevision: dev
+        targetRevision: main
-        path: charts/busynix
+        path: values/busynix
         plugin:
           name: kustomize-helm-with-rewrite
           parameters:

apps/cerbos.yaml

@@ -9,13 +9,13 @@ spec:
       elements:
       - cluster: https://kubernetes.default.svc
         env: prod
-      - cluster: https://staging-vcluster.staging-vcluster:443
+      - cluster: https://staging-vcluster.staging-vcluster
         env: staging
   template:
     metadata:
       name: '{{ env }}-cerbos'
     spec:
-      project: atlantis
+      project: aux
       destination:
         server: https://kubernetes.default.svc
         namespace: idp
@@ -25,8 +25,8 @@ spec:
           chart: cerbos
           helm:
             valueFiles:
-              - $values/charts/cerbos/values.yaml
+              - $values/values/cerbos/values.yaml
-              - $values/charts/cerbos/values-{{ env }}.yaml
+              - $values/values/cerbos/values-{{ env }}.yaml
         - repoURL: https://gitlab.com/oceanbox/manifests.git
-          targetRevision: dev
+          targetRevision: main
           ref: values

apps/dapr.yaml

@@ -0,0 +1,33 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: dapr
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    namespace: dapr-system
+    server: https://kubernetes.default.svc
+  project: default
+  syncPolicy:
+    # managedNamespaceMetadata:
+    #   labels:
+    #     component: aux
+    syncOptions:
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+    automated:
+      prune: true
+      selfHeal: true
+  sources:
+  - repoURL:  https://dapr.github.io/helm-charts/
+    targetRevision: 1.14.4
+    chart: dapr
+    helm:
+      values: |
+        global:
+          ha:
+            enabled: true

apps/default.nix

@@ -0,0 +1,7 @@
+{ ... }:
+{
+  imports = [
+    ./atlantis.nix
+    ./openfga.nix
+  ];
+}

apps/dex.yaml

@@ -4,12 +4,12 @@ metadata:
   name: dex
   namespace: argocd
 spec:
-  project: atlantis
+  project: aux
   destination:
     server: https://kubernetes.default.svc
     namespace: idp
   source:
     repoURL: https://gitlab.com/oceanbox/manifests.git
-    targetRevision: dev
+    targetRevision: nixidy
-    path: charts/dex/manifests
+    path: values/dex/manifests
 

apps/geoserver.yaml

@@ -17,14 +17,14 @@ spec:
     metadata:
       name: '{{ env }}-geoserver'
     spec:
-      project: atlantis
+      project: aux
       destination:
         server: https://kubernetes.default.svc
         namespace: geoserver
       sources:
       - repoURL: https://gitlab.com/oceanbox/manifests.git
-        targetRevision: dev
+        targetRevision: main
-        path: charts/geoserver
+        path: values/geoserver
         plugin:
           name: kustomize-helm-with-rewrite
           parameters:

apps/hipster.yaml

@@ -13,11 +13,11 @@ spec:
         hostname: hipster.srv.oceanbox.io
         autoSync: false
         prune: true
-      - cluster: https://staging-vcluster.staging-vcluster:443
+      # - cluster: https://staging-vcluster.staging-vcluster
-        env: staging
+      #   env: staging
-        hostname: hipster.beta.oceanbox.io
+      #   hostname: hipster.beta.oceanbox.io
-        autoSync: true
+      #   autoSync: true
-        prune: true
+      #   prune: true
   template:
     metadata:
       name: '{{ .env }}-hipster'
@@ -28,8 +28,8 @@ spec:
         server: '{{ .cluster }}'
       sources:
       - repoURL: https://gitlab.com/oceanbox/manifests.git
-        targetRevision: dev
+        targetRevision: main
-        path: charts/hipster
+        path: values/hipster
         plugin:
           name: kustomize-helm-with-rewrite
           parameters:
@@ -43,4 +43,5 @@ spec:
       syncPolicy:
         automated:
           prune: {{ .prune }}
+          selfHeal: false
     {{- end }}

apps/jaeger.yaml

@@ -10,13 +10,13 @@ spec:
     namespace: jaeger
   sources:
   - repoURL: https://jaegertracing.github.io/helm-charts
-    targetRevision: 2.50.1
+    targetRevision: 2.54.0
     chart: jaeger-operator
     helm:
       valueFiles:
-        - $values/charts/jaeger/values.yaml
+        - $values/values/jaeger/values.yaml
   - repoURL: https://gitlab.com/oceanbox/manifests.git
-    targetRevision: dev
+    targetRevision: main
-    # path: charts/jaeger/manifests
+    # path: values/jaeger/manifests
     ref: values
 

apps/keycloak.yaml

@@ -4,18 +4,18 @@ metadata:
   name: keycloak
   namespace: argocd
 spec:
-  project: atlantis
+  project: aux
   destination:
     server: https://kubernetes.default.svc
     namespace: idp
   sources:
   - repoURL: https://charts.bitnami.com/bitnami
-    targetRevision: 18.3.4
+    targetRevision: 24.0.2
     chart: keycloak
     helm:
       valueFiles:
-        - $values/charts/keycloak/values.yaml
+        - $values/values/keycloak/values.yaml
   - repoURL: https://gitlab.com/oceanbox/manifests.git
-    targetRevision: dev
+    targetRevision: nixidy
     ref: values
 

apps/loki.yaml

@@ -0,0 +1,150 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: loki
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    namespace: loki
+    server: 'https://kubernetes.default.svc'
+  project: aux
+  ignoreDifferences:
+  - group: apps
+    kind: StatefulSet
+    jsonPointers:
+    - /spec/persistentVolumeClaimRetentionPolicy
+  syncPolicy:
+    managedNamespaceMetadata:
+      labels:
+        component: aux
+    syncOptions:
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+    automated:
+      prune: true
+      selfHeal: true
+  sources:
+  - repoURL: https://gitlab.com/serit/k8s/serit-platform-manifests.git
+    path: network-policies/netpol-loki
+    targetRevision: HEAD
+  - repoURL: 'https://grafana.github.io/helm-charts'
+    targetRevision: 6.12.0
+    chart: loki
+    helm:
+      values: |
+        loki:
+          auth_enabled: false
+          storage:
+            bucketNames:
+              chunks: loki-chunks
+              ruler: loki-chunks
+              admin: loki-chunks
+            s3:
+              endpoint: http://10.255.241.30:30080
+              region: tos
+              accessKeyId: ${S3KEY}
+              secretAccessKey: ${S3SECRET}
+              s3ForcePathStyle: true
+              http_config:
+                insecure_skip_verify: true
+          schemaConfig:
+            configs:
+            - from: "2024-04-01"
+              index:
+                period: 24h
+                prefix: loki_index_
+              object_store: s3
+              schema: v13
+              store: tsdb
+          compactor:
+            compaction_interval: 10m
+            working_directory: /tmp/loki/compactor
+            retention_enabled: true
+            retention_delete_delay: 2h
+            retention_delete_worker_count: 150
+            delete_request_store: s3
+          limits_config:
+            retention_period: 744h
+        write:
+          extraArgs:
+            - -config.expand-env=true
+          extraEnv:
+          - name: S3KEY
+            valueFrom:
+              secretKeyRef:
+                name: loki-s3
+                key: AWS_ACCESS_KEY_ID
+          - name: S3SECRET
+            valueFrom:
+              secretKeyRef:
+                name: loki-s3
+                key: AWS_ACCESS_KEY_SECRET
+          tolerations:
+          - effect: "NoSchedule"
+            operator: "Equal"
+            key: "unschedulable"
+            value: "true"
+        read:
+          extraArgs:
+            - -config.expand-env=true
+          extraEnv:
+          - name: S3KEY
+            valueFrom:
+              secretKeyRef:
+                name: loki-s3
+                key: AWS_ACCESS_KEY_ID
+          - name: S3SECRET
+            valueFrom:
+              secretKeyRef:
+                name: loki-s3
+                key: AWS_ACCESS_KEY_SECRET
+          tolerations:
+          - effect: "NoSchedule"
+            operator: "Equal"
+            key: "unschedulable"
+            value: "true"
+        ingress:
+          enabled: true
+          ingressClassName: nginx
+          annotations:
+            cert-manager.io/cluster-issuer: letsencrypt-staging
+            nginx.ingress.kubernetes.io/ssl-redirect: "true"
+            atlantis.oceanbox.io/expose: internal
+          hosts:
+            - loki.adm.oceanbox.io
+          tls:
+            - hosts:
+               - loki.adm.oceanbox.io
+              secretName: loki-distributed-tls
+        compactor:
+          extraArgs:
+            - -config.expand-env=true
+          extraEnv:
+          - name: S3KEY
+            valueFrom:
+              secretKeyRef:
+                name: loki-s3
+                key: AWS_ACCESS_KEY_ID
+          - name: S3SECRET
+            valueFrom:
+              secretKeyRef:
+                name: loki-s3
+                key: AWS_ACCESS_KEY_SECRET
+        backend:
+          extraArgs:
+            - -config.expand-env=true
+          extraEnv:
+          - name: S3KEY
+            valueFrom:
+              secretKeyRef:
+                name: loki-s3
+                key: AWS_ACCESS_KEY_ID
+          - name: S3SECRET
+            valueFrom:
+              secretKeyRef:
+                name: loki-s3
+                key: AWS_ACCESS_KEY_SECRET

apps/openfga.nix

@@ -0,0 +1,39 @@
+{ lib, config, ... }:
+let
+  cfg = config.apps.openfga;
+  env = config.apps.env;
+
+  values = lib.apps.appValues {
+    inherit env;
+    base = ../values/openfga;
+    extraValues = {};
+  };
+
+  kustomize = r:
+    if r.kind == "Job" then
+      lib.attrsets.recursiveUpdate r { spec.backoffLimit = 2; }
+    else r;
+
+in
+  {
+    options.apps.openfga = lib.apps.appOptions {};
+
+    config = lib.apps.appConfig cfg "${env}-openfga" {
+        helm.releases."${env}-openfga" = {
+          inherit values;
+          chart = lib.helm.downloadHelmChart {
+            repo = "https://openfga.github.io/helm-charts";
+            chart = "openfga";
+              version = "0.2.12";
+              chartHash = "sha256-7yLcw9/oNPvCePrtTJwKAG88t0Ym5Dl/S83Gz+gQdDU=";
+          };
+          transformer = rs: builtins.map (x: kustomize x) rs;
+        };
+
+        annotations = {};
+        resources = {
+          services.poop.spec = {
+          };
+        };
+      };
+  }

apps/opentelemetry-collector.yaml

@@ -0,0 +1,109 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: opentelemetry-collector
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    namespace: otel
+    server: 'https://kubernetes.default.svc'
+  project: aux
+  syncPolicy:
+    # managedNamespaceMetadata:
+    #   labels:
+    #     component: aux
+    syncOptions:
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+    automated:
+      prune: true
+      selfHeal: true
+  sources:
+  - repoURL: 'https://open-telemetry.github.io/opentelemetry-helm-charts'
+    targetRevision: 0.107.0
+    chart: opentelemetry-collector
+    helm:
+      values: |
+        mode: deployment
+        image:
+          repository: otel/opentelemetry-collector-k8s
+        service:
+          type: LoadBalancer
+          loadBalancerIP: 10.255.241.12
+        config:
+          receivers:
+            prometheus/collector:
+              config:
+                scrape_configs:
+                  - job_name: 'opentelemetry-collector'
+                    static_configs:
+                      - targets:
+                         - ${env:MY_POD_IP}:8888
+            zipkin:
+              endpoint: ${env:MY_POD_IP}:9411
+          exporters:
+            otlp:
+              endpoint: "tempo.tempo.svc:4317"
+              tls:
+                insecure: true
+            otlphttp/metrics:
+              endpoint: http://prom-prometheus.prometheus:9090/api/v1/otlp
+              tls:
+                insecure: true
+            otlphttp/logs:
+              endpoint: http://loki-write-headless.loki:3100/otlp
+              tls:
+                insecure: true
+            debug/metrics:
+              verbosity: detailed
+            debug/traces:
+              verbosity: detailed
+            debug/logs:
+              verbosity: detailed
+          service:
+            telemetry:
+              logs:
+                level: "info"
+            pipelines:
+              traces:
+                receivers: [otlp,zipkin]
+                processors: [batch]
+                exporters: [otlp]
+                # exporters: [otlphttp/traces,debug/traces]
+              metrics:
+                receivers: [otlp,prometheus/collector]
+                processors: [batch]
+                exporters: [otlphttp/metrics]
+                # exporters: [otlphttp/metrics,debug/metrics]
+              logs:
+                receivers: [otlp]
+                processors: [batch]
+                exporters: [otlphttp/logs]
+                # exporters: [otlphttp/logs,debug/logs]
+        ports:
+          metrics:
+            enabled: true
+        # presets:
+        #   logsCollection:
+        #     enabled: true
+        ingress:
+          enabled: false
+          annotations:
+              cert-manager.io/cluster-issuer: letsencrypt-production
+              nginx.ingress.kubernetes.io/ssl-redirect: "true"
+              atlantis.oceanbox.io/expose: internal
+          ingressClassName: nginx
+          hosts:
+            - host: opentelemetry-collector.adm.oceanbox.io
+              paths:
+                - path: /
+                  pathType: Prefix
+                  port: 4318
+          tls:
+            - secretName: collector-tls
+              hosts:
+                - opentelemetry-collector.adm.oceanbox.io

apps/osm-tile-server.yaml

@@ -10,21 +10,21 @@ spec:
       - cluster: https://kubernetes.default.svc
         env: prod
         hostname: osm.srv.oceanbox.io
-      - cluster: https://staging-vcluster.staging-vcluster:443
+      - cluster: https://staging-vcluster.staging-vcluster
         env: staging
         hostname: osm.beta.oceanbox.io
   template:
     metadata:
       name: '{{ env }}-osm-tile-server'
     spec:
-      project: atlantis
+      project: aux
       destination:
         namespace: oceanbox
         server: '{{ cluster }}'
       source:
-        repoURL: https://gitlab.com/oceanbox/charts.git
+        repoURL: https://gitlab.com/oceanbox/manifests.git
         targetRevision: HEAD
-        path: charts/osm-tile-server
+        path: values/osm-tile-server
         plugin:
           name: kustomize-helm-with-rewrite
           parameters:

apps/petimeter.yaml

@@ -13,11 +13,11 @@ spec:
         hostname: petimeter.srv.oceanbox.io
         autoSync: false
         prune: true
-      - cluster: https://staging-vcluster.staging-vcluster:443
+      # - cluster: https://staging-vcluster.staging-vcluster
-        env: staging
+      #   env: staging
-        hostname: petimeter.beta.oceanbox.io
+      #   hostname: petimeter.beta.oceanbox.io
-        autoSync: true
+      #   autoSync: true
-        prune: true
+      #   prune: true
   template:
     metadata:
       name: '{{ .env }}-petimeter'
@@ -28,8 +28,8 @@ spec:
         server: '{{ .cluster }}'
       sources:
       - repoURL: https://gitlab.com/oceanbox/manifests.git
-        targetRevision: dev
+        targetRevision: main
-        path: charts/petimeter
+        path: values/petimeter
         plugin:
           name: kustomize-helm-with-rewrite
           parameters:
@@ -38,12 +38,13 @@ spec:
           - name: hostname
             string: '{{ .hostname }}'
       - repoURL: https://gitlab.com/oceanbox/manifests.git
-        targetRevision: dev
+        targetRevision: main
-        path: charts/petimeter/manifests
+        path: values/petimeter/manifests
   templatePatch: |
     {{- if .autoSync }}
     spec:
       syncPolicy:
         automated:
           prune: {{ .prune }}
+          selfHeal: false
     {{- end }}

apps/prod-atlantis.yaml

@@ -0,0 +1,66 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: prod-atlantis
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    namespace: prod-atlantis
+    server: https://kubernetes.default.svc
+  project: atlantis
+  sources:
+  - repoURL: https://gitlab.com/oceanbox/manifests.git
+    targetRevision: nixidy
+    ref: values
+  - repoURL: https://gitlab.com/oceanbox/manifests.git
+    targetRevision: nixidy
+    path: values/atlantis
+    plugin:
+      name: kustomize-helm-with-rewrite
+      parameters:
+      - name: env
+        string: prod
+      - name: hostname
+        string: maps.oceanbox.io
+  - repoURL: https://charts.bitnami.com/bitnami
+    targetRevision: 20.1.7
+    chart: redis
+    helm:
+      valueFiles:
+      - $values/values/atlantis/prod/redis.yaml
+  ignoreDifferences:
+    - kind: Secret
+      name: azure-keyvault
+      jqPathExpressions:
+        - '.data'
+        - '.metadata.labels'
+        - '.metadata.annotations'
+    - kind: Secret
+      name: prod-atlantis-rabbitmq
+      jqPathExpressions:
+        - '.data'
+        - '.metadata.labels'
+        - '.metadata.annotations'
+    - kind: Secret
+      name: prod-archmeister-replication
+      jqPathExpressions:
+        - '.data'
+        - '.metadata.labels'
+        - '.metadata.annotations'
+    - kind: Secret
+      name: prod-archmeister-ca
+      jqPathExpressions:
+        - '.data'
+        - '.metadata.labels'
+        - '.metadata.annotations'
+  syncPolicy:
+    syncOptions:
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+    # automated:
+    #   prune: true
+    #   selfHeal: false

apps/prod-keycloak.yaml

@@ -0,0 +1,38 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: prod-keycloak
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: aux
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: keycloak
+  syncPolicy:
+    managedNamespaceMetadata:
+      labels:
+        component: aux
+    syncOptions:
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+    automated:
+      prune: true
+      selfHeal: true
+  sources:
+  - repoURL: https://gitlab.com/oceanbox/manifests.git
+    targetRevision: nixidy
+    path: values/keycloak/prod
+  - repoURL: https://charts.bitnami.com/bitnami
+    targetRevision: 24.0.2
+    chart: keycloak
+    helm:
+      valueFiles:
+        - $values/values/keycloak/values-prod.yaml
+  - repoURL: https://gitlab.com/oceanbox/manifests.git
+    targetRevision: nixidy
+    ref: values
+

apps/prod-openfga.yaml

@@ -0,0 +1,39 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: prod-openfga
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    namespace: openfga
+    server: https://kubernetes.default.svc
+  project: aux
+  # ignoreDifferences:
+  # - group: apps
+  #   kind: StatefulSet
+  #   jsonPointers:
+  #   - /spec/persistentVolumeClaimRetentionPolicy
+  syncPolicy:
+    managedNamespaceMetadata:
+      labels:
+        component: aux
+    syncOptions:
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+    automated:
+      prune: true
+      selfHeal: true
+  sources:
+  - repoURL: https://openfga.github.io/helm-charts
+    targetRevision: 0.2.19
+    chart: openfga
+    helm:
+      valueFiles:
+      - $values/values/openfga/values-prod.yaml
+  - repoURL: https://gitlab.com/oceanbox/manifests.git
+    targetRevision: nixidy
+    ref: values

apps/prod-sorcerer.yaml

@@ -0,0 +1,54 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: prod-sorcerer
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    namespace: prod-sorcerer
+    server: https://10.255.241.99:4443
+  project: atlantis
+  sources:
+  - repoURL: https://gitlab.com/oceanbox/manifests.git
+    targetRevision: nixidy
+    ref: values
+  - repoURL: https://gitlab.com/oceanbox/manifests.git
+    targetRevision: nixidy
+    path: values/sorcerer
+    plugin:
+      name: kustomize-helm-with-rewrite
+      parameters:
+      - name: env
+        string: prod
+      - name: hostname
+        string: sorcerer.data.oceanbox.io
+  - repoURL: https://charts.bitnami.com/bitnami
+    targetRevision: 20.1.7
+    chart: redis
+    helm:
+      valueFiles:
+      - $values/values/sorcerer/prod/redis.yaml
+  ignoreDifferences:
+    - kind: Secret
+      name: azure-keyvault
+      jqPathExpressions:
+        - '.data'
+        - '.metadata.labels'
+        - '.metadata.annotations'
+    - kind: Secret
+      name: prod-atlantis-rabbitmq
+      jqPathExpressions:
+        - '.data'
+        - '.metadata.labels'
+        - '.metadata.annotations'
+  syncPolicy:
+    syncOptions:
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+    # automated:
+    #   prune: true
+    #   selfHeal: false

apps/rabbitmq.yaml

@@ -17,7 +17,7 @@ spec:
     metadata:
       name: '{{ env }}-rabbitmq'
     spec:
-      project: atlantis
+      project: aux
       destination:
         server: https://kubernetes.default.svc
         namespace: rabbitmq
@@ -27,8 +27,8 @@ spec:
           chart: rabbitmq
           helm:
             valueFiles:
-              - $values/charts/rabbitmq/values-{{ env }}.yaml
+              - $values/values/rabbitmq/values-{{ env }}.yaml
         - repoURL: https://gitlab.com/oceanbox/manifests.git
-          targetRevision: dev
+          targetRevision: main
-          path: charts/rabbitmq/{{ env }}
+          path: values/rabbitmq/{{ env }}
           ref: values

apps/redis.yaml

@@ -0,0 +1,39 @@
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: redis
+  namespace: argocd
+spec:
+  generators:
+  - list:
+      elements:
+      - cluster: https://kubernetes.default.svc
+        env: prod
+      - cluster: https://kubernetes.default.svc
+        env: staging
+  template:
+    metadata:
+      name: '{{ env }}-redis'
+    spec:
+      project: aux
+      destination:
+        server: https://kubernetes.default.svc
+        namespace: redis
+      sources:
+        - repoURL: https://charts.bitnami.com/bitnami
+          targetRevision: 19.5.2
+          chart: redis
+          helm:
+            valueFiles:
+              - $values/values/redis/values-{{ env }}.yaml
+        - repoURL: https://gitlab.com/oceanbox/manifests.git
+          targetRevision: HEAD
+          ref: values
+        - repoURL: https://gitlab.com/oceanbox/manifests.git
+          targetRevision: main
+          path: values/redis/{{ env }}
+      ignoreDifferences:
+        - group: apps
+          kind: StatefulSet
+          jqPathExpressions:
+            - '.spec.template.spec.containers[].resources.limits.cpu'

apps/seq.yaml

@@ -4,7 +4,7 @@ metadata:
   name: seq
   namespace: argocd
 spec:
-  project: atlantis
+  project: aux
   destination:
     server: https://kubernetes.default.svc
     namespace: seq
@@ -14,7 +14,7 @@ spec:
     chart: seq
     helm:
       valueFiles:
-        - $values/charts/seq/values.yaml
+        - $values/values/seq/values.yaml
   - repoURL: https://gitlab.com/oceanbox/manifests.git
-    targetRevision: dev
+    targetRevision: main
     ref: values

apps/sorcerer.yaml

@@ -10,26 +10,26 @@ spec:
       elements:
       - cluster: https://10.255.241.99:4443
         env: prod
-        hostname: sorcerer.srv.archive.oceanbox.io
+        hostname: sorcerer.data.oceanbox.io
         autoSync: false
         prune: true
-      - cluster: https://10.255.241.99:4443
+      # - cluster: https://10.255.241.99:4443
-        env: staging
+      #   env: staging
-        hostname: sorcerer.beta.archive.oceanbox.io
+      #   hostname: sorcerer.ekman.oceanbox.io
-        autoSync: true
+      #   autoSync: true
-        prune: true
+      #   prune: true
   template:
     metadata:
       name: '{{ .env }}-sorcerer'
     spec:
       project: atlantis
       destination:
-        namespace: oceanbox
+        namespace: sorcerer
         server: '{{ .cluster }}'
       sources:
       - repoURL: https://gitlab.com/oceanbox/manifests.git
-        targetRevision: dev
+        targetRevision: main
-        path: charts/sorcerer
+        path: values/sorcerer
         plugin:
           name: kustomize-helm-with-rewrite
           parameters:
@@ -43,4 +43,5 @@ spec:
       syncPolicy:
         automated:
           prune: {{ .prune }}
+          selfHeal: false
     {{- end }}

apps/staging-atlantis.yaml

@@ -0,0 +1,66 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: staging-atlantis
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    namespace: staging-atlantis
+    server: https://kubernetes.default.svc
+  project: atlantis
+  sources:
+  - repoURL: https://gitlab.com/oceanbox/manifests.git
+    targetRevision: nixidy
+    ref: values
+  - repoURL: https://gitlab.com/oceanbox/manifests.git
+    targetRevision: nixidy
+    path: values/atlantis
+    plugin:
+      name: kustomize-helm-with-rewrite
+      parameters:
+      - name: env
+        string: staging
+      - name: hostname
+        string: atlantis.beta.oceanbox.io
+  - repoURL: https://charts.bitnami.com/bitnami
+    targetRevision: 20.1.7
+    chart: redis
+    helm:
+      valueFiles:
+      - $values/values/atlantis/staging/redis.yaml
+  ignoreDifferences:
+    - kind: Secret
+      name: azure-keyvault
+      jqPathExpressions:
+        - '.data'
+        - '.metadata.labels'
+        - '.metadata.annotations'
+    - kind: Secret
+      name: staging-atlantis-rabbitmq
+      jqPathExpressions:
+        - '.data'
+        - '.metadata.labels'
+        - '.metadata.annotations'
+    - kind: Secret
+      name: prod-archmeister-replication
+      jqPathExpressions:
+        - '.data'
+        - '.metadata.labels'
+        - '.metadata.annotations'
+    - kind: Secret
+      name: prod-archmeister-ca
+      jqPathExpressions:
+        - '.data'
+        - '.metadata.labels'
+        - '.metadata.annotations'
+  syncPolicy:
+    syncOptions:
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+    automated:
+      prune: true
+      selfHeal: false

apps/staging-openfga.yaml

@@ -0,0 +1,39 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: staging-openfga
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    namespace: openfga
+    server: https://kubernetes.default.svc
+  project: aux
+  # ignoreDifferences:
+  # - group: apps
+  #   kind: StatefulSet
+  #   jsonPointers:
+  #   - /spec/persistentVolumeClaimRetentionPolicy
+  syncPolicy:
+    managedNamespaceMetadata:
+      labels:
+        component: aux
+    syncOptions:
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+    automated:
+      prune: true
+      selfHeal: true
+  sources:
+  - repoURL: https://openfga.github.io/helm-charts
+    targetRevision: 0.2.19
+    chart: openfga
+    helm:
+      valueFiles:
+      - $values/values/openfga/values-staging.yaml
+  - repoURL: https://gitlab.com/oceanbox/manifests.git
+    targetRevision: nixidy
+    ref: values

apps/staging-sorcerer.yaml

@@ -0,0 +1,54 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: staging-sorcerer
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    namespace: staging-sorcerer
+    server: https://10.255.241.99:4443
+  project: atlantis
+  sources:
+  - repoURL: https://gitlab.com/oceanbox/manifests.git
+    targetRevision: nixidy
+    ref: values
+  - repoURL: https://gitlab.com/oceanbox/manifests.git
+    targetRevision: nixidy
+    path: values/sorcerer
+    plugin:
+      name: kustomize-helm-with-rewrite
+      parameters:
+      - name: env
+        string: staging
+      - name: hostname
+        string: sorcerer.ekman.oceanbox.io
+  - repoURL: https://charts.bitnami.com/bitnami
+    targetRevision: 20.1.7
+    chart: redis
+    helm:
+      valueFiles:
+      - $values/values/sorcerer/staging/redis.yaml
+  ignoreDifferences:
+    - kind: Secret
+      name: azure-keyvault
+      jqPathExpressions:
+        - '.data'
+        - '.metadata.labels'
+        - '.metadata.annotations'
+    - kind: Secret
+      name: prod-atlantis-rabbitmq
+      jqPathExpressions:
+        - '.data'
+        - '.metadata.labels'
+        - '.metadata.annotations'
+  syncPolicy:
+    syncOptions:
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+    # automated:
+    #   prune: true
+    #   selfHeal: false

apps/tempo.yaml

@@ -0,0 +1,76 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: tempo
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    namespace: tempo
+    server: 'https://kubernetes.default.svc'
+  project: aux
+  syncPolicy:
+    # managedNamespaceMetadata:
+    #   labels:
+    #     component: aux
+    syncOptions:
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+    automated:
+      prune: true
+      selfHeal: true
+  sources:
+  - repoURL: 'https://grafana.github.io/helm-charts'
+    targetRevision: 1.10.3
+    chart: tempo
+    helm:
+      values: |
+        tempo:
+          storage:
+            trace:
+              backend: s3
+              s3:
+                bucket: tempo-traces
+                endpoint: 10.255.241.30:30080
+                access_key: ${S3KEY}
+                secret_key: ${S3SECRET}
+                forcepathstyle: true
+                insecure: true
+              local:
+                path: /var/tempo/traces
+              wal:
+                path: /var/tempo/wal
+          metricsGenerator:
+            enabled: true
+            remoteWriteUrl: "http://prom-prometheus.prometheus:9090/api/v1/write"
+          extraArgs: { config.expand-env=true }
+          extraEnv:
+          - name: S3KEY
+            valueFrom:
+              secretKeyRef:
+                name: tempo-s3
+                key: AWS_ACCESS_KEY_ID
+          - name: S3SECRET
+            valueFrom:
+              secretKeyRef:
+                name: tempo-s3
+                key: AWS_ACCESS_KEY_SECRET
+        tempoQuery:
+          ingress:
+            enabled: true
+            ingressClassName: nginx
+            annotations:
+              cert-manager.io/cluster-issuer: letsencrypt-staging
+              nginx.ingress.kubernetes.io/ssl-redirect: "true"
+              atlantis.oceanbox.io/expose: internal
+            path: /
+            pathType: Prefix
+            hosts:
+              - query.tempo.adm.oceanbox.io
+            tls:
+             - secretName: tempo-query-tls
+               hosts:
+                 - query.tempo.adm.oceanbox.io

apps/yolo-dl.yaml

@@ -0,0 +1,14 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: yolo-dl
+  namespace: argocd
+spec:
+  project: aux
+  destination:
+    server: https://10.255.241.99:4443
+    namespace: oceanbox
+  sources:
+  - repoURL: https://gitlab.com/oceanbox/manifests.git
+    targetRevision: main
+    path: charts/yolo-dl

argo/staging-vcluster.yaml

@@ -1,18 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-  annotations:
-    managed-by: argocd.argoproj.io
-  labels:
-    argocd.argoproj.io/secret-type: cluster
-  name: staging-vcluster
-  namespace: argocd
-stringData:
-  config: |
-    {"bearerToken":"eyJhbGciOiJSUzI1NiIsImtpZCI6IlVrakhGancyRzVMajNvQ3Jjb2FEU0kwRnlQeGsxc0Z3OThzLWV6akljVzAifQ.eyJhdWQiOlsiaHR0cHM6Ly9rdWJlcm5ldGVzLmRlZmF1bHQuc3ZjLmNsdXN0ZXIubG9jYWwiLCJodHRwczovL2t1YmVybmV0ZXMuZGVmYXVsdC5zdmMiLCJodHRwczovL2t1YmVybmV0ZXMuZGVmYXVsdCJdLCJleHAiOjIwMjM3MjEwMDksImlhdCI6MTcwODM2MTAwOSwiaXNzIjoiaHR0cHM6Ly9rdWJlcm5ldGVzLmRlZmF1bHQuc3ZjLmNsdXN0ZXIubG9jYWwiLCJrdWJlcm5ldGVzLmlvIjp7Im5hbWVzcGFjZSI6Imt1YmUtc3lzdGVtIiwic2VydmljZWFjY291bnQiOnsibmFtZSI6ImFkbWluIiwidWlkIjoiMDRlOGJlZDQtYWUwNy00MTBiLWI4NTYtNzg3MTkzNDAzYjcyIn19LCJuYmYiOjE3MDgzNjEwMDksInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDprdWJlLXN5c3RlbTphZG1pbiJ9.TJuQb9dpgOU6w42-WSJQmu39CZ7NyXWks6itH5qtUUkOvkwRwEtChV-53epM1HNOpK3mj2IWlJ7MaUb5AVFMx0alUJthBX_kL3mjdvUdn2MbPl-S0UFPclp8JoYeALjwtSFkuch1HqlMT7s-BbhXowo8AVFXDJE3rUJBrzzFqQ_e1IIf327qUfyo_TidwVoiya7q6cRU1n-XsP6sE0cgOxnScHXZ-DpysydjKCqXFYbnz9KYVagsOdK4LPb3x-Qb6Ae4PGJAfo3myzmiha3bTGO8HFF4WmMTWrlqeCXTPjER1vVJ_RQMY_LF4G8Of9zIX-8gvTZLcQAQ6BnlmY4QxQ","tlsClientConfig":{"insecure":true}}
-  name: staging-vcluster
-  server: https://staging-vcluster.staging-vcluster:443
-type: Opaque
-
-
-

argocd/ekman.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+stringData:
+  config: |
+    {"bearerToken":"","tlsClientConfig":{"insecure":true}}
+  name: ekman
+  server: https://10.255.241.99:4443
+kind: Secret
+metadata:
+  labels:
+    argocd.argoproj.io/secret-type: cluster
+  name: cluster-10.255.241.99-4046803085
+  namespace: argocd
+type: Opaque
+

argocd/kustomize-helm-with-rewrite/Dockerfile

@@ -1,10 +1,7 @@
-FROM alpine/k8s:1.28.3
+FROM alpine/k8s:1.28.9
 
 RUN mkdir -p /home/argocd/cmp-server/config/
 COPY plugin.yaml /home/argocd/cmp-server/config/
 
 WORKDIR /plugin
-COPY init.sh get-values.sh generate.sh ./
+COPY init-helm-repos.sh init.sh get-values.sh generate.sh ./
-
-
-

argocd/kustomize-helm-with-rewrite/deploy.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 
-img=registry.gitlab.com/oceanbox/gitops-manifests/kustomize-helm-with-rewrite
+img=registry.gitlab.com/oceanbox/manifests/kustomize-helm-with-rewrite
 tag=${1:-latest}
 
 docker build -t $img:$tag .

argocd/kustomize-helm-with-rewrite/generate.sh

@@ -1,23 +1,24 @@
 #!/bin/sh
 
-export HOME=/tmp
+export HOME=/helm-working-dir
 
 env > /tmp/$ARGOCD_APP_NAME.env
 
 echo "$ARGOCD_APP_PARAMETERS" | jq '.[] | select(.name == "helm-parameters") | .map' | yq -P -oy > parameters.yaml
 cp parameters.yaml /tmp/$ARGOCD_APP_NAME-parameters.yaml
 
-if [ -d chart ]; then
+if [ -n "$PARAM_CHART" -a "$PARAM_CHART" != "." ]; then
-    CHART=chart
-elif [ -f chart -a "$PARAM_CHART" = "." ]; then
-    CHART=$(cat chart)
-elif [ -n "$PARAM_CHART" ]; then
     CHART=$PARAM_CHART
+elif [ -d chart ]; then
+    CHART=chart
+elif [ -f chart ]; then
+    CHART=$(cat chart)
 else
     CHART="."
 fi
 
 [ -f chart/values.yaml ] && VALUES="-f chart/values.yaml"
+[ -f values-chart.yaml ] && VALUES="$VALUES -f values-chart.yaml"
 [ -f values.yaml ] && VALUES="$VALUES -f values.yaml"
 [ -f values-$PARAM_ENV.yaml ] && VALUES="$VALUES -f values-$PARAM_ENV.yaml"
 VALUES="$VALUES -f parameters.yaml"

argocd/kustomize-helm-with-rewrite/get-values.sh

@@ -2,6 +2,8 @@
 
 if [ -f values.yaml ]; then
     VALUES="values.yaml"
+elif [ -f values-chart.yaml ]; then
+    VALUES="values-chart.yaml"
 elif [ -f chart/values.yaml ]; then
     VALUES="chart/values.yaml"
 else

argocd/kustomize-helm-with-rewrite/init-helm-repos.sh

@@ -1,12 +1,15 @@
 #!/bin/sh
 
-export HOME=/tmp
+export HOME=/helm-working-dir
+
+helm repo add --username argocd-helm --password "$OCEANBOX_HELM_ACCESS_TOKEN" oceanbox \
+    https://gitlab.com/api/v4/projects/54396343/packages/helm/stable
 
 helm repo add bitnami https://charts.bitnami.com/bitnami
 helm repo add cerbos https://download.cerbos.dev/helm-charts
 helm repo add dapr https://dapr.github.io/helm-charts/
 helm repo add ncsa https://opensource.ncsa.illinois.edu/charts
 helm repo add dex https://charts.dexidp.io
+helm repo add openfga https://openfga.github.io/helm-charts
 
 helm repo update
-

argocd/kustomize-helm-with-rewrite/init.sh

@@ -0,0 +1,12 @@
+#!/bin/sh
+
+export HOME=/helm-working-dir
+
+helm repo update oceanbox
+
+if [ -n "$PARAM_CHART" -a "$PARAM_CHART" != "." ]; then
+    helm show values $PARAM_CHART > values-chart.yaml
+elif [ -f chart ]; then
+    CHART=$(cat chart)
+    helm show values $CHART > values-chart.yaml
+fi

argocd/staging-vcluster.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  annotations:
+    managed-by: argocd.argoproj.io
+  labels:
+    argocd.argoproj.io/secret-type: cluster
+  name: cluster-staging-vcluster
+  namespace: argocd
+stringData:
+  config: |
+    {"bearerToken":"","tlsClientConfig":{"insecure":true}}
+  name: staging-vcluster
+  server: https://staging-vcluster.staging-vcluster
+type: Opaque
+

charts/archmeister/Chart.yaml

@@ -12,7 +12,7 @@ description: Archive management for Atlantis
 type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
-version: v6.17.0
+version: v6.20.0
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application.
-appVersion: v6.17.0
+appVersion: v6.20.0

charts/archmeister/prod/appsettings.json

@@ -1,47 +0,0 @@
-{
-    "connString": "Username=app;Password=secret;Host=prod-archmeister-rw;Port=5432;Database=app;Pooling=true;",
-    "oidc": {
-        "issuer": "https://idp.srv.oceanbox.io/dex",
-        "authorization_endpoint": "https://idp.srv.oceanbox.io/dex/auth",
-        "token_endpoint": "https://idp.srv.oceanbox.io/dex/token",
-        "jwks_uri": "https://idp.srv.oceanbox.io/dex/keys",
-        "userinfo_endpoint": "https://idp.srv.oceanbox.io/dex/userinfo",
-        "device_authorization_endpoint": "https://idp.srv.oceanbox.io/dex/device/code",
-        "clientId": "archmeister",
-        "clientSecret": "",
-        "scopes": [
-            "openid",
-            "email",
-            "offline_access",
-            "profile"
-        ]
-    },
-    "sso": {
-        "cookieDomain": ".oceanbox.io",
-        "signedOutRedirectUri": "https://idp.srv.oceanbox.io/dex/static/logout.html",
-        "redis": "prod-redis-master.redis.svc,user=default,password=secret",
-        "appDomain": "atlantis",
-        "dataProtectionKeys": "DataProtection-Keys"
-    },
-    "allowedOrigins": [
-        "https://maps.oceanbox.io",
-        "https://atlantis.srv.oceanbox.io",
-        "https://maps.relic.oceanbox.io",
-        "https://sorcerer.data.oceanbox.io",
-        "https://sorcerer.hpc.oceanbox.io",
-        "https://jonas-sorcerer.ekman.oceanbox.io",
-        "https://beta.sorcerer.ekman.oceanbox.io",
-        "https://simkir-sorcerer.ekman.oceanbox.io",
-        "https://stig-sorcerer.ekman.oceanbox.io",
-        "https://atlantis.beta.oceanbox.io",
-        "https://jonas-atlantis.beta.oceanbox.io",
-        "https://simkir-atlantis.beta.oceanbox.io",
-        "https://stig-atlantis.beta.oceanbox.io",
-        "https://a.local.oceanbox.io:8080"
-    ],
-    "logService" : "https://seq.oceanbox.io",
-    "logApiKey": "",
-    "cliUsers": [
-        "admin:en-to-tre-fire"
-    ]
-}

charts/archmeister/staging/appsettings.json

@@ -1,42 +0,0 @@
-{
-    "connString": "Username=app;Password=secret;Host=staging-archmeister-rw;Port=5432;Database=app;Pooling=true;",
-    "oidc": {
-        "issuer": "https://idp.srv.oceanbox.io/dex",
-        "authorization_endpoint": "https://idp.srv.oceanbox.io/dex/auth",
-        "token_endpoint": "https://idp.srv.oceanbox.io/dex/token",
-        "jwks_uri": "https://idp.srv.oceanbox.io/dex/keys",
-        "userinfo_endpoint": "https://idp.srv.oceanbox.io/dex/userinfo",
-        "device_authorization_endpoint": "https://idp.srv.oceanbox.io/dex/device/code",
-        "clientId": "archmeister_dev",
-        "clientSecret": "",
-        "scopes": [
-            "openid",
-            "email",
-            "offline_access",
-            "profile"
-        ]
-    },
-    "sso": {
-        "cookieDomain": ".oceanbox.io",
-        "signedOutRedirectUri": "https://idp.srv.oceanbox.io/dex/static/logout.html",
-        "redis": "staging-redis-master.redis.svc,user=default,password=secret",
-        "appDomain": "atlantis",
-        "dataProtectionKeys": "DataProtection-Keys"
-    },
-    "allowedOrigins": [
-        "https://atlantis.beta.oceanbox.io",
-        "https://sorcerer.beta.data.oceanbox.io",
-        "https://sorcerer.hpc.oceanbox.io",
-        "https://s.local.oceanbox.io:8080",
-        "https://maps.oceanbox.io",
-        "https://jonas-atlantis.beta.oceanbox.io",
-        "https://simkir-atlantis.beta.oceanbox.io",
-        "https://stig-atlantis.beta.oceanbox.io",
-        "https://atlantis.local.oceanbox.io:8080"
-    ],
-    "logService" : "https://seq.oceanbox.io",
-    "logApiKey": "",
-    "cliUsers": [
-        "admin:en-to-tre-fire"
-    ]
-}

charts/archmeister/templates/deployment.yaml

@@ -84,8 +84,8 @@ spec:
         emptyDir: {}
       {{- end }}
       - name: appsettings
-        secret:
+        configMap:
-          secretName: {{ template "Archmeister.fullname" . }}-appsettings
+          name: {{ template "Archmeister.fullname" . }}-appsettings
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

charts/archmeister/values-prod.yaml

@@ -1,26 +0,0 @@
-ingress:
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt-production
-  hosts:
-    - host: archmeister.srv.oceanbox.io
-      paths:
-        - path: /
-          pathType: ImplementationSpecific
-  tls:
-    - hosts:
-       - archmeister.srv.oceanbox.io
-      secretName: prod-archmeister-tls
-
-cluster:
-  backupEnabled: true
-  backupRetention: 60d
-  instances: 2
-
-resources:
-  limits:
-    cpu: 200m
-    memory: 1Gi
-  requests:
-    cpu: 200m
-    memory: 1Gi
-

charts/archmeister/values-staging.yaml

@@ -1,25 +0,0 @@
-image:
-  tag: 04ca077a-debug
-
-ingress:
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt-production
-    atlantis.oceanbox.io/expose: global
-  hosts:
-    - host: archmeister.beta.oceanbox.io
-      paths:
-        - path: /
-          pathType: ImplementationSpecific
-  tls:
-    - hosts:
-       - archmeister.beta.oceanbox.io
-      secretName: staging-archmeister-tls
-
-resources:
-  limits:
-    cpu: 200m
-    memory: 1Gi
-  requests:
-    cpu: 200m
-    memory: 1Gi
-

charts/archmeister/values.yaml

@@ -5,12 +5,23 @@
 replicaCount: 1
 image:
   repository: registry.gitlab.com/oceanbox/oceanbox.dataagent
-  tag: v6.17.0
+  tag: v6.20.0
   pullPolicy: IfNotPresent
 init:
   enabled: false
   image: ubuntu:rolling
   command: ["/bin/sh", "-c", "true"]
+env:
+  - name: LOG_LEVEL
+    value: "3"
+  - name: APP_NAME
+    valueFrom:
+      fieldRef:
+        fieldPath: metadata.name
+  - name: APP_NAMESPACE
+    valueFrom:
+      fieldRef:
+        fieldPath: metadata.namespace
 imagePullSecrets:
   - name: gitlab-pull-secret
 nameOverride: ""
@@ -58,7 +69,6 @@ persistence:
   # size: 10G
   # storageClass: ""
   # accessMode: ReadWriteMany
-
 cluster:
   enabled: true
   instances: 1
@@ -74,7 +84,6 @@ cluster:
         - CREATE EXTENSION fuzzystrmatch;
         - CREATE EXTENSION postgis_tiger_geocoder;
         - ALTER USER app WITH SUPERUSER;
-
 resources: {}
 # We usually recommend not to specify default resources and to leave this as a conscious
 # choice for the user. This also increases chances charts run on environments with little

charts/atlantis/Chart.yaml

@@ -0,0 +1,6 @@
+apiVersion: v2
+name: atlantis
+description: Atlantis map and simulation service
+type: application
+version: v2.87.1
+appVersion: v2.87.1

charts/atlantis/chart/Chart.yaml

@@ -1,21 +0,0 @@
-apiVersion: v2
-name: atlantis
-description: Atlantis map and simulation service
-
-# A chart can be either an 'application' or a 'library' chart.
-#
-# Application charts are a collection of templates that can be packaged into versioned archives
-# to be deployed.
-#
-# Library charts provide useful utilities or functions for the chart developer. They're included as
-# a dependency of application charts to inject those utilities and functions into the rendering
-# pipeline. Library charts do not define any templates and therefore cannot be deployed.
-type: application
-
-# This is the chart version. This version number should be incremented each time you make changes
-# to the chart and its templates, including the app version.
-version: 1.0.1
-
-# This is the version number of the application being deployed. This version number should be
-# incremented each time you make changes to the application.
-appVersion: 0.0.0

charts/atlantis/chart/templates/cluster.yaml

@@ -1,26 +0,0 @@
-{{- if .Values.cluster.enabled -}}
-apiVersion: postgresql.cnpg.io/v1
-kind: Cluster
-metadata:
-  name: {{ include "Atlantis.fullname" . }}
-  annotations:
-    linkerd.io/inject: disabled
-  labels:
-    {{- include "Atlantis.labels" . | nindent 4 }}
-spec:
-  instances: {{ .Values.cluster.instances | default "2" }}
-
-  # Example of rolling update strategy:
-  # - unsupervised: automated update of the primary once all
-  #                 replicas have been upgraded (default)
-  # - supervised: requires manual supervision to perform
-  #               the switchover of the primary
-  primaryUpdateStrategy: unsupervised
-  backup:
-    retentionPolicy: {{ .Values.cluster.backupRetention | default "60d" }}
-
-  storage:
-    size: {{ .Values.cluster.size | default "5Gi" }}
-{{- end }}
-
-

charts/atlantis/manifests/subscriptions.yaml

@@ -1,21 +0,0 @@
-apiVersion: dapr.io/v1alpha1
-kind: Subscription
-metadata:
-  name: hipster-events
-spec:
-  topic: hipster
-  route: /hipster-events
-  pubsubname: pubsub
-scopes:
-- atlantis
----
-apiVersion: dapr.io/v1alpha1
-kind: Subscription
-metadata:
-  name: inbox-events
-spec:
-  topic: inbox
-  route: /inbox-events
-  pubsubname: pubsub
-scopes:
-- atlantis

charts/atlantis/prod/appsettings.json

@@ -1,35 +0,0 @@
-{
-    "oidc": {
-        "issuer": "https://idp.srv.oceanbox.io/dex",
-        "authorization_endpoint": "https://idp.srv.oceanbox.io/dex/auth",
-        "token_endpoint": "https://idp.srv.oceanbox.io/dex/token",
-        "jwks_uri": "https://idp.srv.oceanbox.io/dex/keys",
-        "userinfo_endpoint": "https://idp.srv.oceanbox.io/dex/userinfo",
-        "device_authorization_endpoint": "https://idp.srv.oceanbox.io/dex/device/code",
-        "clientId": "atlantis",
-        "clientSecret": "",
-        "scopes": [
-            "openid",
-            "email",
-            "offline_access",
-            "profile"
-        ]
-    },
-    "sso": {
-        "cookieDomain": ".oceanbox.io",
-        "signedOutRedirectUri": "https://idp.srv.oceanbox.io/dex/static/logout.html",
-        "redis": "prod-redis-master.redis.svc,user=default,password=secret",
-        "appDomain": "atlantis",
-        "dataProtectionKeys": "DataProtection-Keys"
-    },
-    "archmeister" : "https://archmeister.srv.oceanbox.io",
-    "sorcerer" : "https://sorcerer.data.oceanbox.io",
-    "allowedOrigins": [
-        "http://maps.oceanbox.io",
-        "https://maps.oceanbox.io",
-        "http://atlantis.srv.oceanbox.io",
-        "https://atlantis.srv.oceanbox.io"
-    ],
-    "logService" : "https://seq.oceanbox.io",
-    "logApiKey": ""
-}

charts/atlantis/prod/deployment_patch.yaml

@@ -1,48 +0,0 @@
-- op: add
-  path: /spec/template/metadata/annotations
-  value:
-    dapr.io/enabled: "true"
-    dapr.io/app-id: "atlantis"
-    dapr.io/app-port: "8000"
-    dapr.io/config: "tracing"
-- op: replace
-  path: /spec/template/spec/containers/0/env/0
-  value:
-    name: LOG_LEVEL
-    value: "4"
-- op: add
-  path: /spec/template/spec/containers/0/env/-
-  value:
-    name: BARENTSWATCH_SECRET
-    valueFrom:
-      secretKeyRef:
-        name: prod-atlantis-barentswatch
-        key: secret
-        optional: true
-- op: add
-  path: /spec/template/spec/containers/0/env/-
-  value:
-    name: BARENTSWATCH_CLIENT_ID
-    valueFrom:
-      secretKeyRef:
-        name: prod-atlantis-barentswatch
-        key: client-id
-        optional: true
-- op: add
-  path: /spec/template/spec/containers/0/env/-
-  value:
-    name: REDIS_USER
-    value: default
-- op: add
-  path: /spec/template/spec/containers/0/env/-
-  value:
-    name: REDIS_PASSWORD
-    valueFrom:
-      secretKeyRef:
-        name: prod-redis
-        key: redis-password
-- op: add
-  path: /spec/template/spec/containers/0/envFrom/-
-  value:
-    secretRef:
-      name: prod-atlantis-env

charts/atlantis/staging/appsettings.json

@@ -1,33 +0,0 @@
-{
-    "oidc": {
-        "issuer": "https://idp.srv.oceanbox.io/dex",
-        "authorization_endpoint": "https://idp.srv.oceanbox.io/dex/auth",
-        "token_endpoint": "https://idp.srv.oceanbox.io/dex/token",
-        "jwks_uri": "https://idp.srv.oceanbox.io/dex/keys",
-        "userinfo_endpoint": "https://idp.srv.oceanbox.io/dex/userinfo",
-        "device_authorization_endpoint": "https://idp.srv.oceanbox.io/dex/device/code",
-        "clientId": "atlantis_dev",
-        "clientSecret": "",
-        "scopes": [
-            "openid",
-            "email",
-            "offline_access",
-            "profile"
-        ]
-    },
-    "sso": {
-        "cookieDomain": ".oceanbox.io",
-        "signedOutRedirectUri": "https://idp.srv.oceanbox.io/dex/static/logout.html",
-        "redis": "staging-redis-master.redis.svc,user=default,password=secret",
-        "appDomain": "atlantis",
-        "dataProtectionKeys": "DataProtection-Keys"
-    },
-    "archmeister" : "https://archmeister.beta.oceanbox.io",
-    "sorcerer" : "https://sorcerer.beta.data.oceanbox.io",
-    "allowedOrigins": [
-        "http://atlantis.beta.oceanbox.io",
-        "https://atlantis.beta.oceanbox.io"
-    ],
-    "logService" : "https://seq.oceanbox.io",
-    "logApiKey": ""
-}

charts/atlantis/staging/deployment_patch.yaml

@@ -1,48 +0,0 @@
-- op: add
-  path: /spec/template/metadata/annotations
-  value:
-    dapr.io/enabled: "true"
-    dapr.io/app-id: "atlantis"
-    dapr.io/app-port: "8000"
-    dapr.io/config: "tracing"
-- op: replace
-  path: /spec/template/spec/containers/0/env/0
-  value:
-    name: LOG_LEVEL
-    value: "4"
-- op: add
-  path: /spec/template/spec/containers/0/env/-
-  value:
-    name: BARENTSWATCH_SECRET
-    valueFrom:
-      secretKeyRef:
-        name: staging-atlantis-barentswatch
-        key: secret
-        optional: true
-- op: add
-  path: /spec/template/spec/containers/0/env/-
-  value:
-    name: BARENTSWATCH_CLIENT_ID
-    valueFrom:
-      secretKeyRef:
-        name: staging-atlantis-barentswatch
-        key: client-id
-        optional: true
-- op: add
-  path: /spec/template/spec/containers/0/env/-
-  value:
-    name: REDIS_USER
-    value: default
-- op: add
-  path: /spec/template/spec/containers/0/env/-
-  value:
-    name: REDIS_PASSWORD
-    valueFrom:
-      secretKeyRef:
-        name: staging-redis
-        key: redis-password
-- op: add
-  path: /spec/template/spec/containers/0/envFrom/-
-  value:
-    secretRef:
-      name: staging-atlantis-env

charts/atlantis/templates/cluster.yaml

@@ -0,0 +1,54 @@
+{{- if .Values.cluster.enabled -}}
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+  name: {{ include "Atlantis.fullname" . }}-db
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    linkerd.io/inject: disabled
+  labels:
+    {{- include "Atlantis.labels" . | nindent 4 }}
+spec:
+  instances: {{ .Values.cluster.instances | default "1" }}
+  imageName: ghcr.io/cloudnative-pg/postgis:15-3.3
+  # Example of rolling update strategy:
+  # - unsupervised: automated update of the primary once all
+  #                 replicas have been upgraded (default)
+  # - supervised: requires manual supervision to perform
+  #               the switchover of the primary
+  primaryUpdateStrategy: unsupervised
+  backup:
+    retentionPolicy: {{ .Values.cluster.backupRetention | default "60d" }}
+  storage:
+    size: {{ .Values.cluster.size | default "5Gi" }}
+{{- with .Values.cluster.bootstrap }}
+  bootstrap:
+{{- if .enabled }}
+    pg_basebackup:
+      source: archmaester
+  externalClusters:
+  - name: archmaester
+    connectionParameters:
+      host: {{ .source.db }}-rw.{{ .source.namespace }}
+      user: streaming_replica
+      sslmode: verify-full
+    sslKey:
+      name: {{ .source.db }}-replication
+      key: tls.key
+    sslCert:
+      name: {{ .source.db }}-replication
+      key: tls.crt
+    sslRootCert:
+      name: {{ .source.db }}-ca
+      key: ca.crt
+{{- else }}
+    initdb:
+      postInitTemplateSQL:
+        - CREATE EXTENSION postgis;
+        - CREATE EXTENSION postgis_topology;
+        - CREATE EXTENSION fuzzystrmatch;
+        - CREATE EXTENSION postgis_tiger_geocoder;
+        - ALTER USER app WITH SUPERUSER;
+{{- end }}
+{{- end }}
+{{- end }}

charts/atlantis/templates/deployment.yaml

@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: {{ include "Atlantis.fullname" . }}
+  namespace: {{ .Release.Namespace }}
   labels:
     {{- include "Atlantis.labels" . | nindent 4 }}
 spec:
@@ -83,8 +84,8 @@ spec:
         emptyDir: {}
       {{- end }}
       - name: appsettings
-        secret:
+        configMap:
-          secretName: {{ template "Atlantis.fullname" . }}-appsettings
+          name: {{ template "Atlantis.fullname" . }}-appsettings
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

charts/atlantis/templates/hpa.yaml

@@ -3,6 +3,7 @@ apiVersion: autoscaling/v2beta1
 kind: HorizontalPodAutoscaler
 metadata:
   name: {{ include "Atlantis.fullname" . }}
+  namespace: {{ .Release.Namespace }}
   labels:
     {{- include "Atlantis.labels" . | nindent 4 }}
 spec:

charts/atlantis/templates/ingress.yaml

@@ -0,0 +1,62 @@
+{{- if .Values.ingress.enabled -}}
+{{- $fullName := include "Atlantis.fullname" . -}}
+{{- $svcPort := .Values.service.port -}}
+{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
+  {{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }}
+  {{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}}
+  {{- end }}
+{{- end }}
+{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1
+{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1beta1
+{{- else -}}
+apiVersion: extensions/v1beta1
+{{- end }}
+kind: Ingress
+metadata:
+  name: {{ $fullName }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "Atlantis.labels" . | nindent 4 }}
+  {{- with .Values.ingress.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
+  ingressClassName: {{ .Values.ingress.className }}
+  {{- end }}
+  {{- if .Values.ingress.tls }}
+  tls:
+    {{- range .Values.ingress.tls }}
+    - hosts:
+        {{- range .hosts }}
+        - {{ . | quote }}
+        {{- end }}
+      secretName: {{ .secretName }}
+    {{- end }}
+  {{- end }}
+  rules:
+    {{- range .Values.ingress.hosts }}
+    - host: {{ .host | quote }}
+      http:
+        paths:
+          {{- range .paths }}
+          - path: {{ .path }}
+            {{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }}
+            pathType: {{ .pathType }}
+            {{- end }}
+            backend:
+              {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
+              service:
+                name: {{ $fullName }}
+                port:
+                  number: {{ $svcPort }}
+              {{- else }}
+              serviceName: {{ .serviceName | default $fullName }}
+              servicePort: {{ .servicePort | default $svcPort }}
+              {{- end }}
+          {{- end }}
+    {{- end }}
+{{- end }}

charts/atlantis/templates/internal-ingress.yaml

@@ -15,11 +15,12 @@ apiVersion: extensions/v1beta1
 {{- end }}
 kind: Ingress
 metadata:
-  name: {{ $fullName }}
+  name: {{ $fullName }}-internal
   labels:
     {{- include "Atlantis.labels" . | nindent 4 }}
   {{- with .Values.ingress.annotations }}
   annotations:
+    atlantis.oceanbox.io/expose: internal
     {{- toYaml . | nindent 4 }}
   {{- end }}
 spec:
@@ -41,7 +42,7 @@ spec:
     - host: {{ .host | quote }}
       http:
         paths:
-          {{- range .paths }}
+          {{- range .internal }}
           - path: {{ .path }}
             {{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }}
             pathType: {{ .pathType }}

charts/atlantis/templates/pvc.yaml

@@ -3,6 +3,7 @@ kind: PersistentVolumeClaim
 apiVersion: v1
 metadata:
   name: {{ template "Atlantis.fullname" . }}
+  namespace: {{ .Release.Namespace }}
 {{- with .Values.persistence.annotations  }}
   annotations:
 {{ toYaml . | indent 4 }}

charts/atlantis/templates/secrets.yaml

@@ -0,0 +1,38 @@
+{{- if not .Values.cluster.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+  annotations:
+    kyverno/clone: "true"
+  name: {{ include "Atlantis.fullname" . }}-db-superuser
+  namespace: {{ .Release.Namespace }}
+type: kubernetes.io/basic-auth
+data:
+  username:
+  password:
+{{- else }}
+{{- if .Values.cluster.bootstrap.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+  annotations:
+    kyverno/clone: "true"
+  name: {{ .Values.cluster.bootstrap.source.db }}-replication
+type: kubernetes.io/tls
+data:
+  tls.crt: ""
+  tls.key: ""
+---
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+  annotations:
+    kyverno/clone: "true"
+  name: {{ .Values.cluster.bootstrap.source.db }}-ca
+  namespace: {{ .Release.Namespace }}
+data:
+  ca.crt: ""
+  ca.key: ""
+{{- end }}
+{{- end }}

charts/atlantis/templates/service.yaml

@@ -2,6 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
   name: {{ include "Atlantis.fullname" . }}
+  namespace: {{ .Release.Namespace }}
   labels:
     {{- include "Atlantis.labels" . | nindent 4 }}
 spec:

charts/atlantis/templates/serviceaccount.yaml

@@ -3,6 +3,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ include "Atlantis.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
   labels:
     {{- include "Atlantis.labels" . | nindent 4 }}
   {{- with .Values.serviceAccount.annotations }}

charts/atlantis/templates/servicemonitor.yaml

@@ -0,0 +1,20 @@
+{{- if .Values.serviceMonitor.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: {{ include "Atlantis.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  endpoints:
+  - honorLabels: false
+    path: /metrics
+    port: http
+  jobLabel: {{ .Values.serviceMonitor.label | default (include "Atlantis.fullname" .) }}
+  namespaceSelector:
+    matchNames:
+    - {{ .Release.Namespace }}
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: {{ include "Atlantis.fullname" . }}
+      app.kubernetes.io/name: atlantis
+{{- end }}

charts/atlantis/values-prod.yaml

@@ -1,27 +0,0 @@
-ingress:
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt-production
-    nginx.ingress.kubernetes.io/proxy-buffer-size: 128k
-  hosts:
-    - host: atlantis.srv.oceanbox.io
-      paths:
-        - path: /
-          pathType: ImplementationSpecific
-    - host: maps.srv.oceanbox.io
-      paths:
-        - path: /
-          pathType: ImplementationSpecific
-  tls:
-    - hosts:
-       - atlantis.srv.oceanbox.io
-       - maps.srv.oceanbox.io
-      secretName: atlantis-tls
-
-resources:
-  limits:
-    cpu: 250m
-    memory: 1Gi
-  requests:
-    cpu: 250m
-    memory: 1Gi
-

charts/atlantis/values-staging.yaml

@@ -1,26 +0,0 @@
-image:
-  tag: a41b6229-debug
-
-ingress:
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt-production
-    nginx.ingress.kubernetes.io/proxy-buffer-size: 128k
-    # atlantis.oceanbox.io/expose: internal
-  hosts:
-    - host: atlantis.beta.oceanbox.io
-      paths:
-        - path: /
-          pathType: ImplementationSpecific
-  tls:
-    - hosts:
-       - atlantis.beta.oceanbox.io
-      secretName: staging-atlantis-tls
-
-resources:
-  limits:
-    cpu: 250m
-    memory: 1Gi
-  requests:
-    cpu: 250m
-    memory: 1Gi
-

charts/atlantis/values.yaml

@@ -6,7 +6,7 @@ replicaCount: 1
 
 image:
   repository: registry.gitlab.com/oceanbox/atlantis
-  tag: v2.77.5
+  tag: v2.87.1
   pullPolicy: IfNotPresent
 
 init:
@@ -17,11 +17,20 @@ init:
 env:
   - name: LOG_LEVEL
     value: "3"
+  - name: APP_NAME
+    valueFrom:
+      fieldRef:
+        fieldPath: metadata.name
+  - name: APP_NAMESPACE
+    valueFrom:
+      fieldRef:
+        fieldPath: metadata.namespace
 
 imagePullSecrets:
   - name: gitlab-pull-secret
 
 nameOverride: ""
+
 fullnameOverride: ""
 
 serviceAccount:
@@ -50,7 +59,7 @@ service:
   port: 8085
 
 ingress:
-  enabled: true
+  enabled: false
   className: "nginx"
   annotations:
     nginx.ingress.kubernetes.io/ssl-redirect: "true"
@@ -60,6 +69,13 @@ ingress:
       paths:
         - path: /
           pathType: ImplementationSpecific
+        - path: /events
+          pathType: ImplementationSpecific
+          serviceName: main-ingress-nginx-defaultbackend.ingress-nginx
+          servicePort: 80
+      internal:
+        - path: /internal
+          pathType: ImplementationSpecific
   tls:
     - hosts:
         - atlantis.srv.oceanbox.io
@@ -72,11 +88,16 @@ persistence:
   accessMode: ReadWriteOnce
 
 cluster:
-  enabled: false
+  enabled: true
-  instances: 2
+  instances: 1
   backupEnabled: true
   backupRetention: 60d
   size: 5Gi
+  bootstrap:
+    enabled: true
+    source:
+      db: prod-archmeister
+      namespace: atlantis
 
 resources: {}
 # We usually recommend not to specify default resources and to leave this as a conscious
@@ -97,8 +118,9 @@ autoscaling:
   targetCPUUtilizationPercentage: 80
   # targetMemoryUtilizationPercentage: 80
 
+serviceMonitor:
+  enabled: true
+
 nodeSelector: {}
-
 tolerations: []
-
 affinity: {}