feat: simplify charts, resources, kustomizations and applications for atlantis SPMSA

network policy for csi-addons controller

See merge request oceanbox/manifests!1

.gitignore

@@ -1,2 +1,3 @@
 _manifest.yaml
 _resources.yaml
+*.tgz

.gitlab-ci.yml

@@ -14,8 +14,8 @@ release:
   script:
     - |
       cd $CI_PROJECT_DIR
-      for i in $(git show --pretty="" --name-only | grep '^[^/]*/chart/Chart.yaml' | cut -d/ -f1); do
-        pack=$(helm package $i/chart | sed 's/Success.*: \(.*\)/\1/')
+      for i in $(git show --pretty="" --name-only | grep '^charts/.*/Chart.yaml' | cut -d/ -f2); do
+        pack=$(helm package ./charts/$i | sed 's/Success.*: \(.*\)/\1/')
         if [ ! -z $pack ]; then
           chart=$(basename $pack)
           curl --request POST \
@@ -33,8 +33,8 @@ rebuild:
   script:
     - |
       cd $CI_PROJECT_DIR
-      for i in $(find -maxdepth 3 -name Chart.yaml | cut -d/ -f2); do
-        pack=$(helm package $i/chart | sed 's/Success.*: \(.*\)/\1/')
+      for i in $(find ./charts -maxdepth 2 -name Chart.yaml | cut -d/ -f3); do
+        pack=$(helm package ./charts/$i | sed 's/Success.*: \(.*\)/\1/')
         if [ ! -z $pack ]; then
           chart=$(basename $pack)
           curl --request POST \

acl.json

@@ -0,0 +1 @@
+kustomizations/petimeter/manifests/acl.json

applications/archmeister.yaml

@@ -13,7 +13,7 @@ spec:
         hostname: archmeister.srv.oceanbox.io
         autoSync: false
         prune: true
-      - cluster: https://staging-vcluster.staging-vcluster:443
+      - cluster: https://staging-vcluster.staging-vcluster
         env: staging
         hostname: archmeister.beta.oceanbox.io
         autoSync: true
@@ -28,8 +28,8 @@ spec:
         server: "{{ .cluster }}"
       sources:
       - repoURL: https://gitlab.com/oceanbox/manifests.git
-        targetRevision: dev
-        path: charts/archmeister
+        targetRevision: main
+        path: kustomizations/archmeister
         plugin:
           name: kustomize-helm-with-rewrite
           parameters:
@@ -43,4 +43,5 @@ spec:
       syncPolicy:
         automated:
           prune: {{ .prune }}
+          selfHeal: false
     {{- end }}

applications/atlantis-host-resources.yaml

@@ -1,16 +1,27 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: atlantis-host-cluster-resources
+  name: atlantis-cluster-resources
   namespace: argocd
+  # annotations: # close, but no cigar
+  #   argocd.argoproj.io/compare-options: ServerSideDiff=true,IncludeMutationWebhook=true
 spec:
   project: atlantis
   destination:
     server: https://kubernetes.default.svc
   syncPolicy:
-    automated: {}
-  source:
-    repoURL: https://gitlab.com/oceanbox/manifests.git
-    targetRevision: dev
-    path: resources/atlantis/host-manifests
+    automated:
+      prune: false
+      selfHeal: false
+  # ignoreDifferences:
+  #   - kind: Secret
+  #     name: prod-rabbitmq
+  #     jqPathExpressions:
+  #       - '.data'
+  #       - '.metadata.annotations.clone'
+  #       - '.metadata.labels'
+  sources:
+  - repoURL: https://gitlab.com/oceanbox/manifests.git
+    targetRevision: main
+    path: resources/atlantis
 

applications/atlantis-resources.yaml

@@ -1,27 +1,41 @@
+# Currently not in use. Configured via the create-vcluster script.
 apiVersion: argoproj.io/v1alpha1
 kind: ApplicationSet
 metadata:
   name: atlantis-resources
   namespace: argocd
 spec:
+  goTemplate: true
   generators:
   - list:
       elements:
       - cluster: https://kubernetes.default.svc
         env: prod
-      - cluster: https://staging-vcluster.staging-vcluster:443
-        env: staging
+        autoSync: false
+        prune: false
+      # - cluster: https://staging-vcluster.staging-vcluster
+      #   env: staging
+      #   autoSync: false
+      #   prune: false
   template:
     metadata:
-      name: '{{ env }}-atlantis-resources'
+      name: "{{ .env }}-atlantis-resources"
     spec:
-      project: atlantis
+      project: aux
       syncPolicy:
         automated: {}
       destination:
-        server: '{{ cluster }}'
+        server: "{{ .cluster }}"
         namespace: atlantis
-      sources:
-      - repoURL: https://gitlab.com/oceanbox/manifests.git
-        targetRevision: dev
-        path: 'resources/atlantis/manifests/{{ env }}'
+      sources: {}
+      # - repoURL: https://gitlab.com/oceanbox/manifests.git
+      #   targetRevision: main
+      #   path: 'resources/atlantis/manifests/{{ env }}'
+  templatePatch: |
+    {{- if .autoSync }}
+    spec:
+      syncPolicy:
+        automated:
+          prune: {{ .prune }}
+          selfHeal: false
+    {{- end }}

applications/atlantis.yaml

@@ -13,7 +13,7 @@ spec:
         hostname: atlantis.srv.oceanbox.io
         autoSync: false
         prune: true
-      - cluster: https://staging-vcluster.staging-vcluster:443
+      - cluster: https://staging-vcluster.staging-vcluster
         env: staging
         hostname: atlantis.beta.oceanbox.io
         autoSync: true
@@ -28,8 +28,8 @@ spec:
         server: '{{ .cluster }}'
       sources:
       - repoURL: https://gitlab.com/oceanbox/manifests.git
-        targetRevision: dev
-        path: charts/atlantis
+        targetRevision: main
+        path: kustomizations/atlantis
         plugin:
           name: kustomize-helm-with-rewrite
           parameters:
@@ -37,13 +37,11 @@ spec:
             string: '{{ .env }}'
           - name: hostname
             string: '{{ .hostname }}'
-      - repoURL: https://gitlab.com/oceanbox/manifests.git
-        targetRevision: dev
-        path: charts/atlantis/manifests
   templatePatch: |
     {{- if .autoSync }}
     spec:
       syncPolicy:
         automated:
           prune: {{ .prune }}
+          selfHeal: false
     {{- end }}

applications/busynix.yaml

@@ -7,24 +7,24 @@ spec:
   generators:
   - list:
       elements:
-      - cluster: https://kubernetes.default.svc
-        env: prod
-        hostname: busynix.srv.oceanbox.io
-      - cluster: https://staging-vcluster.staging-vcluster:443
+      # - cluster: https://kubernetes.default.svc
+      #   env: prod
+      #   hostname: busynix.srv.oceanbox.io
+      - cluster: https://staging-vcluster.staging-vcluster
         env: staging
         hostname: busynix.beta.oceanbox.io
   template:
     metadata:
       name: '{{ env }}-busynix'
     spec:
-      project: atlantis
+      project: aux
       destination:
         namespace: default
         server: '{{ cluster }}'
       source:
         repoURL: https://gitlab.com/oceanbox/manifests.git
-        targetRevision: dev
-        path: charts/busynix
+        targetRevision: main
+        path: kustomizations/busynix
         plugin:
           name: kustomize-helm-with-rewrite
           parameters:

applications/cerbos.yaml

@@ -9,13 +9,13 @@ spec:
       elements:
       - cluster: https://kubernetes.default.svc
         env: prod
-      - cluster: https://staging-vcluster.staging-vcluster:443
+      - cluster: https://staging-vcluster.staging-vcluster
         env: staging
   template:
     metadata:
       name: '{{ env }}-cerbos'
     spec:
-      project: atlantis
+      project: aux
       destination:
         server: https://kubernetes.default.svc
         namespace: idp
@@ -25,8 +25,8 @@ spec:
           chart: cerbos
           helm:
             valueFiles:
-              - $values/charts/cerbos/values.yaml
-              - $values/charts/cerbos/values-{{ env }}.yaml
+              - $values/kustomizations/cerbos/values.yaml
+              - $values/kustomizations/cerbos/values-{{ env }}.yaml
         - repoURL: https://gitlab.com/oceanbox/manifests.git
-          targetRevision: dev
+          targetRevision: main
           ref: values

applications/dex.yaml

@@ -4,12 +4,12 @@ metadata:
   name: dex
   namespace: argocd
 spec:
-  project: atlantis
+  project: aux
   destination:
     server: https://kubernetes.default.svc
     namespace: idp
   source:
     repoURL: https://gitlab.com/oceanbox/manifests.git
-    targetRevision: dev
-    path: charts/dex/manifests
+    targetRevision: main
+    path: kustomizations/dex/manifests
 

applications/geoserver.yaml

@@ -17,14 +17,14 @@ spec:
     metadata:
       name: '{{ env }}-geoserver'
     spec:
-      project: atlantis
+      project: aux
       destination:
         server: https://kubernetes.default.svc
         namespace: geoserver
       sources:
       - repoURL: https://gitlab.com/oceanbox/manifests.git
-        targetRevision: dev
-        path: charts/geoserver
+        targetRevision: main
+        path: kustomizations/geoserver
         plugin:
           name: kustomize-helm-with-rewrite
           parameters:

applications/hipster.yaml

@@ -13,7 +13,7 @@ spec:
         hostname: hipster.srv.oceanbox.io
         autoSync: false
         prune: true
-      - cluster: https://staging-vcluster.staging-vcluster:443
+      - cluster: https://staging-vcluster.staging-vcluster
         env: staging
         hostname: hipster.beta.oceanbox.io
         autoSync: true
@@ -28,8 +28,8 @@ spec:
         server: '{{ .cluster }}'
       sources:
       - repoURL: https://gitlab.com/oceanbox/manifests.git
-        targetRevision: dev
-        path: charts/hipster
+        targetRevision: main
+        path: kustomizations/hipster
         plugin:
           name: kustomize-helm-with-rewrite
           parameters:
@@ -43,4 +43,5 @@ spec:
       syncPolicy:
         automated:
           prune: {{ .prune }}
+          selfHeal: false
     {{- end }}

applications/jaeger.yaml

@@ -10,13 +10,13 @@ spec:
     namespace: jaeger
   sources:
   - repoURL: https://jaegertracing.github.io/helm-charts
-    targetRevision: 2.50.1
+    targetRevision: 2.54.0
     chart: jaeger-operator
     helm:
       valueFiles:
-        - $values/charts/jaeger/values.yaml
+        - $values/kustomizations/jaeger/values.yaml
   - repoURL: https://gitlab.com/oceanbox/manifests.git
-    targetRevision: dev
-    # path: charts/jaeger/manifests
+    targetRevision: main
+    # path: kustomizations/jaeger/manifests
     ref: values
 

applications/keycloak.yaml

@@ -4,7 +4,7 @@ metadata:
   name: keycloak
   namespace: argocd
 spec:
-  project: atlantis
+  project: aux
   destination:
     server: https://kubernetes.default.svc
     namespace: idp
@@ -14,8 +14,8 @@ spec:
     chart: keycloak
     helm:
       valueFiles:
-        - $values/charts/keycloak/values.yaml
+        - $values/kustomizations/keycloak/values.yaml
   - repoURL: https://gitlab.com/oceanbox/manifests.git
-    targetRevision: dev
+    targetRevision: main
     ref: values
 

applications/loki.yaml

@@ -0,0 +1,150 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: loki
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    namespace: loki
+    server: 'https://kubernetes.default.svc'
+  project: aux
+  ignoreDifferences:
+  - group: apps
+    kind: StatefulSet
+    jsonPointers:
+    - /spec/persistentVolumeClaimRetentionPolicy
+  syncPolicy:
+    managedNamespaceMetadata:
+      labels:
+        component: aux
+    syncOptions:
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+    automated:
+      prune: true
+      selfHeal: true
+  sources:
+  - repoURL: https://gitlab.com/serit/k8s/serit-platform-manifests.git
+    path: network-policies/netpol-loki
+    targetRevision: HEAD
+  - repoURL: 'https://grafana.github.io/helm-charts'
+    targetRevision: 6.12.0
+    chart: loki
+    helm:
+      values: |
+        loki:
+          auth_enabled: false
+          storage:
+            bucketNames:
+              chunks: loki-chunks
+              ruler: loki-chunks
+              admin: loki-chunks
+            s3:
+              endpoint: http://10.255.241.30:30080
+              region: tos
+              secretAccessKey: ${S3SECRET}
+              accessKeyId: ${S3KEY}
+              s3ForcePathStyle: true
+              http_config:
+                insecure_skip_verify: true
+          schemaConfig:
+            configs:
+            - from: "2024-04-01"
+              index:
+                period: 24h
+                prefix: loki_index_
+              object_store: s3
+              schema: v13
+              store: tsdb
+          compactor:
+            compaction_interval: 10m
+            working_directory: /tmp/loki/compactor
+            retention_enabled: true
+            retention_delete_delay: 2h
+            retention_delete_worker_count: 150
+            delete_request_store: s3
+          limits_config:
+            retention_period: 744h
+        write:
+          extraArgs:
+            - -config.expand-env=true
+          extraEnv:
+          - name: S3KEY
+            valueFrom:
+              secretKeyRef:
+                name: loki-s3
+                key: AWS_ACCESS_KEY_ID
+          - name: S3SECRET
+            valueFrom:
+              secretKeyRef:
+                name: loki-s3
+                key: AWS_ACCESS_KEY_SECRET
+          tolerations:
+          - effect: "NoSchedule"
+            operator: "Equal"
+            key: "unschedulable"
+            value: "true"
+        read:
+          extraArgs:
+            - -config.expand-env=true
+          extraEnv:
+          - name: S3KEY
+            valueFrom:
+              secretKeyRef:
+                name: loki-s3
+                key: AWS_ACCESS_KEY_ID
+          - name: S3SECRET
+            valueFrom:
+              secretKeyRef:
+                name: loki-s3
+                key: AWS_ACCESS_KEY_SECRET
+          tolerations:
+          - effect: "NoSchedule"
+            operator: "Equal"
+            key: "unschedulable"
+            value: "true"
+        ingress:
+          enabled: true
+          ingressClassName: nginx
+          annotations:
+            cert-manager.io/cluster-issuer: letsencrypt-staging
+            nginx.ingress.kubernetes.io/ssl-redirect: "true"
+            atlantis.oceanbox.io/expose: internal
+          hosts:
+            - loki.adm.oceanbox.io
+          tls:
+            - hosts:
+               - loki.adm.oceanbox.io
+              secretName: loki-distributed-tls
+        compactor:
+          extraArgs:
+            - -config.expand-env=true
+          extraEnv:
+          - name: S3KEY
+            valueFrom:
+              secretKeyRef:
+                name: loki-s3
+                key: AWS_ACCESS_KEY_ID
+          - name: S3SECRET
+            valueFrom:
+              secretKeyRef:
+                name: loki-s3
+                key: AWS_ACCESS_KEY_SECRET
+        backend:
+          extraArgs:
+            - -config.expand-env=true
+          extraEnv:
+          - name: S3KEY
+            valueFrom:
+              secretKeyRef:
+                name: loki-s3
+                key: AWS_ACCESS_KEY_ID
+          - name: S3SECRET
+            valueFrom:
+              secretKeyRef:
+                name: loki-s3
+                key: AWS_ACCESS_KEY_SECRET

applications/openfga.yaml

@@ -0,0 +1,47 @@
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: openfga
+  namespace: argocd
+spec:
+  goTemplate: true
+  generators:
+  - list:
+      elements:
+      - cluster: https://kubernetes.default.svc
+        env: prod
+        hostname: openfga.adm.oceanbox.io
+        autoSync: false
+        prune: true
+      - cluster: https://kubernetes.default.svc
+        env: staging
+        hostname: openfga.dev.oceanbox.io
+        autoSync: true
+        prune: true
+  template:
+    metadata:
+      name: '{{ .env }}-openfga'
+    spec:
+      project: aux
+      destination:
+        namespace: idp
+        server: '{{ .cluster }}'
+      sources:
+        - repoURL: https://openfga.github.io/helm-charts
+          targetRevision: 0.2.12
+          chart: openfga
+          helm:
+            valueFiles:
+              - $values/kustomizations/openfga/values.yaml
+              - $values/kustomizations/openfga/values-{{ .env }}.yaml
+        - repoURL: https://gitlab.com/oceanbox/manifests.git
+          targetRevision: main
+          ref: values
+  templatePatch: |
+    {{- if .autoSync }}
+    spec:
+      syncPolicy:
+        automated:
+          prune: {{ .prune }}
+          selfHeal: false
+    {{- end }}

applications/opentelemetry-collector.yaml

@@ -0,0 +1,106 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: opentelemetry-collector
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    namespace: otel
+    server: 'https://kubernetes.default.svc'
+  project: aux
+  syncPolicy:
+    # managedNamespaceMetadata:
+    #   labels:
+    #     component: aux
+    syncOptions:
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+    automated:
+      prune: true
+      selfHeal: true
+  sources:
+  - repoURL: 'https://open-telemetry.github.io/opentelemetry-helm-charts'
+    targetRevision: 0.107.0
+    chart: opentelemetry-collector
+    helm:
+      values: |
+        mode: deployment
+        image:
+          repository: otel/opentelemetry-collector-k8s
+        config:
+          receivers:
+            prometheus/collector:
+              config:
+                scrape_configs:
+                  - job_name: 'opentelemetry-collector'
+                    static_configs:
+                      - targets:
+                         - ${env:MY_POD_IP}:8888
+            zipkin:
+              endpoint: ${env:MY_POD_IP}:9411
+          exporters:
+            otlp:
+              endpoint: "tempo.tempo.svc:4317"
+              tls:
+                insecure: true
+            otlphttp/metrics:
+              endpoint: http://prom-prometheus.prometheus:9090/api/v1/otlp
+              tls:
+                insecure: true
+            otlphttp/logs:
+              endpoint: http://loki-write-headless.loki:3100/otlp
+              tls:
+                insecure: true
+            debug/metrics:
+              verbosity: detailed
+            debug/traces:
+              verbosity: detailed
+            debug/logs:
+              verbosity: detailed
+          service:
+            telemetry:
+              logs:
+                level: "info"
+            pipelines:
+              traces:
+                receivers: [otlp,zipkin]
+                processors: [batch]
+                exporters: [otlp]
+                # exporters: [otlphttp/traces,debug/traces]
+              metrics:
+                receivers: [otlp,prometheus/collector]
+                processors: [batch]
+                exporters: [otlphttp/metrics]
+                # exporters: [otlphttp/metrics,debug/metrics]
+              logs:
+                receivers: [otlp]
+                processors: [batch]
+                exporters: [otlphttp/logs]
+                # exporters: [otlphttp/logs,debug/logs]
+        ports:
+          metrics:
+            enabled: true
+        # presets:
+        #   logsCollection:
+        #     enabled: true
+        ingress:
+          enabled: true
+          annotations:
+              cert-manager.io/cluster-issuer: letsencrypt-staging
+              nginx.ingress.kubernetes.io/ssl-redirect: "true"
+              atlantis.oceanbox.io/expose: internal
+          ingressClassName: nginx
+          hosts:
+            - host: collector.adm.oceanbox.io
+              paths:
+                - path: /
+                  pathType: Prefix
+                  port: 4318
+          tls:
+            - secretName: collector-tls
+              hosts:
+                - collector.adm.oceanbox.io

applications/osm-tile-server.yaml

@@ -10,21 +10,21 @@ spec:
       - cluster: https://kubernetes.default.svc
         env: prod
         hostname: osm.srv.oceanbox.io
-      - cluster: https://staging-vcluster.staging-vcluster:443
+      - cluster: https://staging-vcluster.staging-vcluster
         env: staging
         hostname: osm.beta.oceanbox.io
   template:
     metadata:
       name: '{{ env }}-osm-tile-server'
     spec:
-      project: atlantis
+      project: aux
       destination:
         namespace: oceanbox
         server: '{{ cluster }}'
       source:
-        repoURL: https://gitlab.com/oceanbox/charts.git
+        repoURL: https://gitlab.com/oceanbox/manifests.git
         targetRevision: HEAD
-        path: charts/osm-tile-server
+        path: kustomizations/osm-tile-server
         plugin:
           name: kustomize-helm-with-rewrite
           parameters:

applications/petimeter.yaml

@@ -13,7 +13,7 @@ spec:
         hostname: petimeter.srv.oceanbox.io
         autoSync: false
         prune: true
-      - cluster: https://staging-vcluster.staging-vcluster:443
+      - cluster: https://staging-vcluster.staging-vcluster
         env: staging
         hostname: petimeter.beta.oceanbox.io
         autoSync: true
@@ -28,8 +28,8 @@ spec:
         server: '{{ .cluster }}'
       sources:
       - repoURL: https://gitlab.com/oceanbox/manifests.git
-        targetRevision: dev
-        path: charts/petimeter
+        targetRevision: main
+        path: kustomizations/petimeter
         plugin:
           name: kustomize-helm-with-rewrite
           parameters:
@@ -38,12 +38,13 @@ spec:
           - name: hostname
             string: '{{ .hostname }}'
       - repoURL: https://gitlab.com/oceanbox/manifests.git
-        targetRevision: dev
-        path: charts/petimeter/manifests
+        targetRevision: main
+        path: kustomizations/petimeter/manifests
   templatePatch: |
     {{- if .autoSync }}
     spec:
       syncPolicy:
         automated:
           prune: {{ .prune }}
+          selfHeal: false
     {{- end }}

applications/rabbitmq.yaml

@@ -17,7 +17,7 @@ spec:
     metadata:
       name: '{{ env }}-rabbitmq'
     spec:
-      project: atlantis
+      project: aux
       destination:
         server: https://kubernetes.default.svc
         namespace: rabbitmq
@@ -27,8 +27,8 @@ spec:
           chart: rabbitmq
           helm:
             valueFiles:
-              - $values/charts/rabbitmq/values-{{ env }}.yaml
+              - $values/kustomizations/rabbitmq/values-{{ env }}.yaml
         - repoURL: https://gitlab.com/oceanbox/manifests.git
-          targetRevision: dev
-          path: charts/rabbitmq/{{ env }}
+          targetRevision: main
+          path: kustomizations/rabbitmq/{{ env }}
           ref: values

applications/redis.yaml

@@ -9,38 +9,31 @@ spec:
       elements:
       - cluster: https://kubernetes.default.svc
         env: prod
-        hostname: redis.srv.oceanbox.io
       - cluster: https://kubernetes.default.svc
         env: staging
-        hostname: redis.beta.oceanbox.io
   template:
     metadata:
       name: '{{ env }}-redis'
     spec:
-      project: atlantis
+      project: aux
       destination:
         server: https://kubernetes.default.svc
         namespace: redis
       sources:
-        # - repoURL: https://charts.bitnami.com/bitnami
-        #   targetRevision: 18.9.1
-        #   chart: redis
-        #   helm:
-        #     valueFiles:
-        #       - $values/redis/values.yaml
-        # - repoURL: https://gitlab.com/oceanbox/manifests.git
-        #   targetRevision: HEAD
-        #   path: charts/redis/{{ env }}
-        #   ref: values
+        - repoURL: https://charts.bitnami.com/bitnami
+          targetRevision: 19.5.2
+          chart: redis
+          helm:
+            valueFiles:
+              - $values/kustomizations/redis/values-{{ env }}.yaml
         - repoURL: https://gitlab.com/oceanbox/manifests.git
-          targetRevision: dev
-          path: charts/redis
-          plugin:
-            name: kustomize-helm-with-rewrite
-            parameters:
-            - name: env
-              string: '{{ env }}'
-            - name: hostname
-              string: '{{ hostname }}'
-            - name: chart
-              string: bitnami/redis
+          targetRevision: HEAD
+          ref: values
+        - repoURL: https://gitlab.com/oceanbox/manifests.git
+          targetRevision: main
+          path: kustomizations/redis/{{ env }}
+      ignoreDifferences:
+        - group: apps
+          kind: StatefulSet
+          jqPathExpressions:
+            - '.spec.template.spec.containers[].resources.limits.cpu'

applications/seq.yaml

@@ -4,7 +4,7 @@ metadata:
   name: seq
   namespace: argocd
 spec:
-  project: atlantis
+  project: aux
   destination:
     server: https://kubernetes.default.svc
     namespace: seq
@@ -14,7 +14,7 @@ spec:
     chart: seq
     helm:
       valueFiles:
-        - $values/charts/seq/values.yaml
+        - $values/kustomizations/seq/values.yaml
   - repoURL: https://gitlab.com/oceanbox/manifests.git
-    targetRevision: dev
+    targetRevision: main
     ref: values

applications/sorcerer.yaml

@@ -10,12 +10,12 @@ spec:
       elements:
       - cluster: https://10.255.241.99:4443
         env: prod
-        hostname: sorcerer.srv.archive.oceanbox.io
+        hostname: sorcerer.data.oceanbox.io
         autoSync: false
         prune: true
       - cluster: https://10.255.241.99:4443
         env: staging
-        hostname: sorcerer.beta.archive.oceanbox.io
+        hostname: sorcerer.ekman.oceanbox.io
         autoSync: true
         prune: true
   template:
@@ -24,12 +24,12 @@ spec:
     spec:
       project: atlantis
       destination:
-        namespace: oceanbox
+        namespace: sorcerer
         server: '{{ .cluster }}'
       sources:
       - repoURL: https://gitlab.com/oceanbox/manifests.git
-        targetRevision: dev
-        path: charts/sorcerer
+        targetRevision: main
+        path: kustomizations/sorcerer
         plugin:
           name: kustomize-helm-with-rewrite
           parameters:
@@ -43,4 +43,5 @@ spec:
       syncPolicy:
         automated:
           prune: {{ .prune }}
+          selfHeal: false
     {{- end }}

applications/tempo.yaml

@@ -0,0 +1,75 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: tempo
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    namespace: tempo
+    server: 'https://kubernetes.default.svc'
+  project: aux
+  syncPolicy:
+    # managedNamespaceMetadata:
+    #   labels:
+    #     component: aux
+    syncOptions:
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+    automated:
+      prune: true
+      selfHeal: true
+  sources:
+  - repoURL: 'https://grafana.github.io/helm-charts'
+    targetRevision: 1.10.3
+    chart: tempo
+    helm:
+      values: |
+        tempo:
+          storage:
+            trace:
+              backend: s3
+              s3:
+                bucket: tempo-traces
+                endpoint: http://10.255.241.30:30080
+                access_key: ${S3SECRET}
+                secret_key: ${S3KEY}
+                insecure: true
+              backend: local
+              local:
+                path: /var/tempo/traces
+              wal:
+                path: /var/tempo/wal
+          metricsGenerator:
+            enabled: true
+            remoteWriteUrl: "http://prom-prometheus.prometheus:9090/api/v1/write"
+          extraEnv:
+          - name: S3KEY
+            valueFrom:
+              secretKeyRef:
+                name: tempo-s3
+                key: AWS_ACCESS_KEY_ID
+          - name: S3SECRET
+            valueFrom:
+              secretKeyRef:
+                name: tempo-s3
+                key: AWS_ACCESS_KEY_SECRET
+        tempoQuery:
+          ingress:
+            enabled: true
+            ingressClassName: nginx
+            annotations:
+              cert-manager.io/cluster-issuer: letsencrypt-staging
+              nginx.ingress.kubernetes.io/ssl-redirect: "true"
+              atlantis.oceanbox.io/expose: internal
+            path: /
+            pathType: Prefix
+            hosts:
+              - query.tempo.adm.oceanbox.io
+            tls:
+             - secretName: tempo-query-tls
+               hosts:
+                 - query.tempo.adm.oceanbox.io

applications/yolo-dl.yaml

@@ -0,0 +1,14 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: yolo-dl
+  namespace: argocd
+spec:
+  project: aux
+  destination:
+    server: https://10.255.241.99:4443
+    namespace: oceanbox
+  sources:
+  - repoURL: https://gitlab.com/oceanbox/manifests.git
+    targetRevision: main
+    path: charts/yolo-dl

argo/staging-vcluster.yaml

@@ -1,18 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-  annotations:
-    managed-by: argocd.argoproj.io
-  labels:
-    argocd.argoproj.io/secret-type: cluster
-  name: staging-vcluster
-  namespace: argocd
-stringData:
-  config: |
-    {"bearerToken":"eyJhbGciOiJSUzI1NiIsImtpZCI6IlVrakhGancyRzVMajNvQ3Jjb2FEU0kwRnlQeGsxc0Z3OThzLWV6akljVzAifQ.eyJhdWQiOlsiaHR0cHM6Ly9rdWJlcm5ldGVzLmRlZmF1bHQuc3ZjLmNsdXN0ZXIubG9jYWwiLCJodHRwczovL2t1YmVybmV0ZXMuZGVmYXVsdC5zdmMiLCJodHRwczovL2t1YmVybmV0ZXMuZGVmYXVsdCJdLCJleHAiOjIwMjM3MjEwMDksImlhdCI6MTcwODM2MTAwOSwiaXNzIjoiaHR0cHM6Ly9rdWJlcm5ldGVzLmRlZmF1bHQuc3ZjLmNsdXN0ZXIubG9jYWwiLCJrdWJlcm5ldGVzLmlvIjp7Im5hbWVzcGFjZSI6Imt1YmUtc3lzdGVtIiwic2VydmljZWFjY291bnQiOnsibmFtZSI6ImFkbWluIiwidWlkIjoiMDRlOGJlZDQtYWUwNy00MTBiLWI4NTYtNzg3MTkzNDAzYjcyIn19LCJuYmYiOjE3MDgzNjEwMDksInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDprdWJlLXN5c3RlbTphZG1pbiJ9.TJuQb9dpgOU6w42-WSJQmu39CZ7NyXWks6itH5qtUUkOvkwRwEtChV-53epM1HNOpK3mj2IWlJ7MaUb5AVFMx0alUJthBX_kL3mjdvUdn2MbPl-S0UFPclp8JoYeALjwtSFkuch1HqlMT7s-BbhXowo8AVFXDJE3rUJBrzzFqQ_e1IIf327qUfyo_TidwVoiya7q6cRU1n-XsP6sE0cgOxnScHXZ-DpysydjKCqXFYbnz9KYVagsOdK4LPb3x-Qb6Ae4PGJAfo3myzmiha3bTGO8HFF4WmMTWrlqeCXTPjER1vVJ_RQMY_LF4G8Of9zIX-8gvTZLcQAQ6BnlmY4QxQ","tlsClientConfig":{"insecure":true}}
-  name: staging-vcluster
-  server: https://staging-vcluster.staging-vcluster:443
-type: Opaque
-
-
-

argocd/ekman.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+stringData:
+  config: |
+    {"bearerToken":"","tlsClientConfig":{"insecure":true}}
+  name: ekman
+  server: https://10.255.241.99:4443
+kind: Secret
+metadata:
+  labels:
+    argocd.argoproj.io/secret-type: cluster
+  name: cluster-10.255.241.99-4046803085
+  namespace: argocd
+type: Opaque
+

argocd/kustomize-helm-with-rewrite/Dockerfile

@@ -1,10 +1,7 @@
-FROM alpine/k8s:1.28.3
+FROM alpine/k8s:1.28.9
 
 RUN mkdir -p /home/argocd/cmp-server/config/
 COPY plugin.yaml /home/argocd/cmp-server/config/
 
 WORKDIR /plugin
-COPY init.sh get-values.sh generate.sh ./
-
-
-
+COPY init-helm-repos.sh init.sh get-values.sh generate.sh ./

argocd/kustomize-helm-with-rewrite/deploy.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 
-img=registry.gitlab.com/oceanbox/gitops-manifests/kustomize-helm-with-rewrite
+img=registry.gitlab.com/oceanbox/manifests/kustomize-helm-with-rewrite
 tag=${1:-latest}
 
 docker build -t $img:$tag .

argocd/kustomize-helm-with-rewrite/generate.sh

@@ -1,23 +1,24 @@
 #!/bin/sh
 
-export HOME=/tmp
+export HOME=/helm-working-dir
 
 env > /tmp/$ARGOCD_APP_NAME.env
 
 echo "$ARGOCD_APP_PARAMETERS" | jq '.[] | select(.name == "helm-parameters") | .map' | yq -P -oy > parameters.yaml
 cp parameters.yaml /tmp/$ARGOCD_APP_NAME-parameters.yaml
 
-if [ -d chart ]; then
-    CHART=chart
-elif [ -f chart -a "$PARAM_CHART" = "." ]; then
-    CHART=$(cat chart)
-elif [ -n "$PARAM_CHART" ]; then
+if [ -n "$PARAM_CHART" -a "$PARAM_CHART" != "." ]; then
     CHART=$PARAM_CHART
+elif [ -d chart ]; then
+    CHART=chart
+elif [ -f chart ]; then
+    CHART=$(cat chart)
 else
     CHART="."
 fi
 
 [ -f chart/values.yaml ] && VALUES="-f chart/values.yaml"
+[ -f values-chart.yaml ] && VALUES="$VALUES -f values-chart.yaml"
 [ -f values.yaml ] && VALUES="$VALUES -f values.yaml"
 [ -f values-$PARAM_ENV.yaml ] && VALUES="$VALUES -f values-$PARAM_ENV.yaml"
 VALUES="$VALUES -f parameters.yaml"

argocd/kustomize-helm-with-rewrite/get-values.sh

@@ -2,6 +2,8 @@
 
 if [ -f values.yaml ]; then
     VALUES="values.yaml"
+elif [ -f values-chart.yaml ]; then
+    VALUES="values-chart.yaml"
 elif [ -f chart/values.yaml ]; then
     VALUES="chart/values.yaml"
 else

argocd/kustomize-helm-with-rewrite/init-helm-repos.sh

@@ -1,12 +1,15 @@
 #!/bin/sh
 
-export HOME=/tmp
+export HOME=/helm-working-dir
+
+helm repo add --username argocd-helm --password "$OCEANBOX_HELM_ACCESS_TOKEN" oceanbox \
+    https://gitlab.com/api/v4/projects/54396343/packages/helm/stable
 
 helm repo add bitnami https://charts.bitnami.com/bitnami
 helm repo add cerbos https://download.cerbos.dev/helm-charts
 helm repo add dapr https://dapr.github.io/helm-charts/
 helm repo add ncsa https://opensource.ncsa.illinois.edu/charts
 helm repo add dex https://charts.dexidp.io
+helm repo add openfga https://openfga.github.io/helm-charts
 
 helm repo update
-

argocd/kustomize-helm-with-rewrite/init.sh

@@ -0,0 +1,12 @@
+#!/bin/sh
+
+export HOME=/helm-working-dir
+
+helm repo update oceanbox
+
+if [ -n "$PARAM_CHART" -a "$PARAM_CHART" != "." ]; then
+    helm show values $PARAM_CHART > values-chart.yaml
+elif [ -f chart ]; then
+    CHART=$(cat chart)
+    helm show values $CHART > values-chart.yaml
+fi

argocd/staging-vcluster.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  annotations:
+    managed-by: argocd.argoproj.io
+  labels:
+    argocd.argoproj.io/secret-type: cluster
+  name: cluster-staging-vcluster
+  namespace: argocd
+stringData:
+  config: |
+    {"bearerToken":"","tlsClientConfig":{"insecure":true}}
+  name: staging-vcluster
+  server: https://staging-vcluster.staging-vcluster
+type: Opaque
+

charts/archmeister/Chart.yaml

@@ -12,7 +12,7 @@ description: Archive management for Atlantis
 type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
-version: v6.17.0
+version: v6.20.0
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application.
-appVersion: v6.17.0
+appVersion: v6.20.0

charts/archmeister/prod/appsettings.json

@@ -1,47 +0,0 @@
-{
-    "connString": "Username=app;Password=secret;Host=prod-archmeister-rw;Port=5432;Database=app;Pooling=true;",
-    "oidc": {
-        "issuer": "https://idp.srv.oceanbox.io/dex",
-        "authorization_endpoint": "https://idp.srv.oceanbox.io/dex/auth",
-        "token_endpoint": "https://idp.srv.oceanbox.io/dex/token",
-        "jwks_uri": "https://idp.srv.oceanbox.io/dex/keys",
-        "userinfo_endpoint": "https://idp.srv.oceanbox.io/dex/userinfo",
-        "device_authorization_endpoint": "https://idp.srv.oceanbox.io/dex/device/code",
-        "clientId": "archmeister",
-        "clientSecret": "",
-        "scopes": [
-            "openid",
-            "email",
-            "offline_access",
-            "profile"
-        ]
-    },
-    "sso": {
-        "cookieDomain": ".oceanbox.io",
-        "signedOutRedirectUri": "https://idp.srv.oceanbox.io/dex/static/logout.html",
-        "redis": "prod-redis-master.redis.svc,user=default,password=secret",
-        "appDomain": "atlantis",
-        "dataProtectionKeys": "DataProtection-Keys"
-    },
-    "allowedOrigins": [
-        "https://maps.oceanbox.io",
-        "https://atlantis.srv.oceanbox.io",
-        "https://maps.relic.oceanbox.io",
-        "https://sorcerer.data.oceanbox.io",
-        "https://sorcerer.hpc.oceanbox.io",
-        "https://jonas-sorcerer.ekman.oceanbox.io",
-        "https://beta.sorcerer.ekman.oceanbox.io",
-        "https://simkir-sorcerer.ekman.oceanbox.io",
-        "https://stig-sorcerer.ekman.oceanbox.io",
-        "https://atlantis.beta.oceanbox.io",
-        "https://jonas-atlantis.beta.oceanbox.io",
-        "https://simkir-atlantis.beta.oceanbox.io",
-        "https://stig-atlantis.beta.oceanbox.io",
-        "https://a.local.oceanbox.io:8080"
-    ],
-    "logService" : "https://seq.oceanbox.io",
-    "logApiKey": "",
-    "cliUsers": [
-        "admin:en-to-tre-fire"
-    ]
-}

charts/archmeister/staging/appsettings.json

@@ -1,42 +0,0 @@
-{
-    "connString": "Username=app;Password=secret;Host=staging-archmeister-rw;Port=5432;Database=app;Pooling=true;",
-    "oidc": {
-        "issuer": "https://idp.srv.oceanbox.io/dex",
-        "authorization_endpoint": "https://idp.srv.oceanbox.io/dex/auth",
-        "token_endpoint": "https://idp.srv.oceanbox.io/dex/token",
-        "jwks_uri": "https://idp.srv.oceanbox.io/dex/keys",
-        "userinfo_endpoint": "https://idp.srv.oceanbox.io/dex/userinfo",
-        "device_authorization_endpoint": "https://idp.srv.oceanbox.io/dex/device/code",
-        "clientId": "archmeister_dev",
-        "clientSecret": "",
-        "scopes": [
-            "openid",
-            "email",
-            "offline_access",
-            "profile"
-        ]
-    },
-    "sso": {
-        "cookieDomain": ".oceanbox.io",
-        "signedOutRedirectUri": "https://idp.srv.oceanbox.io/dex/static/logout.html",
-        "redis": "staging-redis-master.redis.svc,user=default,password=secret",
-        "appDomain": "atlantis",
-        "dataProtectionKeys": "DataProtection-Keys"
-    },
-    "allowedOrigins": [
-        "https://atlantis.beta.oceanbox.io",
-        "https://sorcerer.beta.data.oceanbox.io",
-        "https://sorcerer.hpc.oceanbox.io",
-        "https://s.local.oceanbox.io:8080",
-        "https://maps.oceanbox.io",
-        "https://jonas-atlantis.beta.oceanbox.io",
-        "https://simkir-atlantis.beta.oceanbox.io",
-        "https://stig-atlantis.beta.oceanbox.io",
-        "https://atlantis.local.oceanbox.io:8080"
-    ],
-    "logService" : "https://seq.oceanbox.io",
-    "logApiKey": "",
-    "cliUsers": [
-        "admin:en-to-tre-fire"
-    ]
-}

charts/archmeister/templates/deployment.yaml

@@ -84,8 +84,8 @@ spec:
         emptyDir: {}
       {{- end }}
       - name: appsettings
-        secret:
-          secretName: {{ template "Archmeister.fullname" . }}-appsettings
+        configMap:
+          name: {{ template "Archmeister.fullname" . }}-appsettings
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

charts/archmeister/values-prod.yaml

@@ -1,26 +0,0 @@
-ingress:
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt-production
-  hosts:
-    - host: archmeister.srv.oceanbox.io
-      paths:
-        - path: /
-          pathType: ImplementationSpecific
-  tls:
-    - hosts:
-       - archmeister.srv.oceanbox.io
-      secretName: prod-archmeister-tls
-
-cluster:
-  backupEnabled: true
-  backupRetention: 60d
-  instances: 2
-
-resources:
-  limits:
-    cpu: 200m
-    memory: 1Gi
-  requests:
-    cpu: 200m
-    memory: 1Gi
-

charts/archmeister/values-staging.yaml

@@ -1,25 +0,0 @@
-image:
-  tag: 04ca077a-debug
-
-ingress:
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt-production
-    atlantis.oceanbox.io/expose: global
-  hosts:
-    - host: archmeister.beta.oceanbox.io
-      paths:
-        - path: /
-          pathType: ImplementationSpecific
-  tls:
-    - hosts:
-       - archmeister.beta.oceanbox.io
-      secretName: staging-archmeister-tls
-
-resources:
-  limits:
-    cpu: 200m
-    memory: 1Gi
-  requests:
-    cpu: 200m
-    memory: 1Gi
-

charts/archmeister/values.yaml

@@ -5,7 +5,7 @@
 replicaCount: 1
 image:
   repository: registry.gitlab.com/oceanbox/oceanbox.dataagent
-  tag: v6.17.0
+  tag: v6.20.0
   pullPolicy: IfNotPresent
 init:
   enabled: false
@@ -52,13 +52,12 @@ ingress:
       secretName: archmeister-tls
   internal:
     annotations: {}
-  #       nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
+    #       nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
 persistence:
   enabled: false
   # size: 10G
   # storageClass: ""
   # accessMode: ReadWriteMany
-
 cluster:
   enabled: true
   instances: 1
@@ -74,7 +73,6 @@ cluster:
         - CREATE EXTENSION fuzzystrmatch;
         - CREATE EXTENSION postgis_tiger_geocoder;
         - ALTER USER app WITH SUPERUSER;
-
 resources: {}
 # We usually recommend not to specify default resources and to leave this as a conscious
 # choice for the user. This also increases chances charts run on environments with little

charts/atlantis/Chart.lock

@@ -0,0 +1,6 @@
+dependencies:
+- name: redis
+  repository: https://charts.bitnami.com/bitnami
+  version: 20.1.7
+digest: sha256:9c9be148366bb3d50f7394ba5a33e1a00a087b5ed61d2bcf1faec9b369e76582
+generated: "2024-10-08T13:21:10.374993273+02:00"

charts/atlantis/Chart.yaml

@@ -0,0 +1,12 @@
+apiVersion: v2
+name: atlantis
+description: Atlantis map and simulation service
+type: application
+version: v2.87.1
+appVersion: v2.87.1
+dependencies:
+  - name: redis
+    version: 20.1.7
+    repository: https://charts.bitnami.com/bitnami
+    condition: redis.enabled
+    alias: redis

charts/atlantis/chart/Chart.yaml

@@ -1,21 +0,0 @@
-apiVersion: v2
-name: atlantis
-description: Atlantis map and simulation service
-
-# A chart can be either an 'application' or a 'library' chart.
-#
-# Application charts are a collection of templates that can be packaged into versioned archives
-# to be deployed.
-#
-# Library charts provide useful utilities or functions for the chart developer. They're included as
-# a dependency of application charts to inject those utilities and functions into the rendering
-# pipeline. Library charts do not define any templates and therefore cannot be deployed.
-type: application
-
-# This is the chart version. This version number should be incremented each time you make changes
-# to the chart and its templates, including the app version.
-version: 1.0.1
-
-# This is the version number of the application being deployed. This version number should be
-# incremented each time you make changes to the application.
-appVersion: 0.0.0

charts/atlantis/chart/templates/cluster.yaml

@@ -1,26 +0,0 @@
-{{- if .Values.cluster.enabled -}}
-apiVersion: postgresql.cnpg.io/v1
-kind: Cluster
-metadata:
-  name: {{ include "Atlantis.fullname" . }}
-  annotations:
-    linkerd.io/inject: disabled
-  labels:
-    {{- include "Atlantis.labels" . | nindent 4 }}
-spec:
-  instances: {{ .Values.cluster.instances | default "2" }}
-
-  # Example of rolling update strategy:
-  # - unsupervised: automated update of the primary once all
-  #                 replicas have been upgraded (default)
-  # - supervised: requires manual supervision to perform
-  #               the switchover of the primary
-  primaryUpdateStrategy: unsupervised
-  backup:
-    retentionPolicy: {{ .Values.cluster.backupRetention | default "60d" }}
-
-  storage:
-    size: {{ .Values.cluster.size | default "5Gi" }}
-{{- end }}
-
-

charts/atlantis/chart/values.yaml

@@ -1,104 +0,0 @@
-# Default values for Atlantis.
-# This is a YAML-formatted file.
-# Declare variables to be passed into your templates.
-
-replicaCount: 1
-
-image:
-  repository: registry.gitlab.com/oceanbox/atlantis
-  tag: v2.77.5
-  pullPolicy: IfNotPresent
-
-init:
-  enabled: false
-  image: ubuntu:rolling
-  command: [ "/bin/sh", "-c", "true"  ]
-
-env:
-  - name: LOG_LEVEL
-    value: "3"
-
-imagePullSecrets:
-  - name: gitlab-pull-secret
-
-nameOverride: ""
-fullnameOverride: ""
-
-serviceAccount:
-  create: true
-  # Annotations to add to the service account
-  annotations: {}
-  # The name of the service account to use.
-  # If not set and create is true, a name is generated using the fullname template
-  name: ""
-
-podAnnotations: {}
-
-podSecurityContext:
-  fsGroup: 2000
-
-securityContext:
-  capabilities:
-    drop:
-    - ALL
-  readOnlyRootFilesystem: false
-  runAsNonRoot: true
-  runAsUser: 1000
-
-service:
-  type: ClusterIP
-  port: 8085
-
-ingress:
-  enabled: true
-  className: "nginx"
-  annotations:
-    nginx.ingress.kubernetes.io/ssl-redirect: "true"
-    nginx.ingress.kubernetes.io/backend-protocol: HTTP
-  hosts:
-    - host: atlantis.srv.oceanbox.io
-      paths:
-        - path: /
-          pathType: ImplementationSpecific
-  tls:
-    - hosts:
-       - atlantis.srv.oceanbox.io
-      secretName: atlantis-tls
-
-persistence:
-  enabled: false
-  size: 1G
-  storageClass: ""
-  accessMode: ReadWriteOnce
-
-cluster:
-  enabled: false
-  instances: 2
-  backupEnabled: true
-  backupRetention: 60d
-  size: 5Gi
-
-resources: {}
-  # We usually recommend not to specify default resources and to leave this as a conscious
-  # choice for the user. This also increases chances charts run on environments with little
-  # resources, such as Minikube. If you do want to specify resources, uncomment the following
-  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
-  # limits:
-  #   cpu: 100m
-  #   memory: 128Mi
-  # requests:
-  #   cpu: 100m
-  #   memory: 128Mi
-
-autoscaling:
-  enabled: false
-  minReplicas: 1
-  maxReplicas: 100
-  targetCPUUtilizationPercentage: 80
-  # targetMemoryUtilizationPercentage: 80
-
-nodeSelector: {}
-
-tolerations: []
-
-affinity: {}

charts/atlantis/manifests/subscriptions.yaml

@@ -1,21 +0,0 @@
-apiVersion: dapr.io/v1alpha1
-kind: Subscription
-metadata:
-  name: hipster-events
-spec:
-  topic: hipster
-  route: /hipster-events
-  pubsubname: pubsub
-scopes:
-- atlantis
----
-apiVersion: dapr.io/v1alpha1
-kind: Subscription
-metadata:
-  name: inbox-events
-spec:
-  topic: inbox
-  route: /inbox-events
-  pubsubname: pubsub
-scopes:
-- atlantis

charts/atlantis/prod/appsettings.json

@@ -1,35 +0,0 @@
-{
-    "oidc": {
-        "issuer": "https://idp.srv.oceanbox.io/dex",
-        "authorization_endpoint": "https://idp.srv.oceanbox.io/dex/auth",
-        "token_endpoint": "https://idp.srv.oceanbox.io/dex/token",
-        "jwks_uri": "https://idp.srv.oceanbox.io/dex/keys",
-        "userinfo_endpoint": "https://idp.srv.oceanbox.io/dex/userinfo",
-        "device_authorization_endpoint": "https://idp.srv.oceanbox.io/dex/device/code",
-        "clientId": "atlantis",
-        "clientSecret": "",
-        "scopes": [
-            "openid",
-            "email",
-            "offline_access",
-            "profile"
-        ]
-    },
-    "sso": {
-        "cookieDomain": ".oceanbox.io",
-        "signedOutRedirectUri": "https://idp.srv.oceanbox.io/dex/static/logout.html",
-        "redis": "prod-redis-master.redis.svc,user=default,password=secret",
-        "appDomain": "atlantis",
-        "dataProtectionKeys": "DataProtection-Keys"
-    },
-    "archmeister" : "https://archmeister.srv.oceanbox.io",
-    "sorcerer" : "https://sorcerer.data.oceanbox.io",
-    "allowedOrigins": [
-        "http://maps.oceanbox.io",
-        "https://maps.oceanbox.io",
-        "http://atlantis.srv.oceanbox.io",
-        "https://atlantis.srv.oceanbox.io"
-    ],
-    "logService" : "https://seq.oceanbox.io",
-    "logApiKey": ""
-}

charts/atlantis/prod/default.env

@@ -1,2 +0,0 @@
-OIDC_CLIENT_SECRET=KOJ6bDHzE5vdyfSrzgwLjtM5PzA809Zm
-SEQ_APIKEY=WmZplDeFoxIHpJQ5BiDk

charts/atlantis/staging/appsettings.json

@@ -1,33 +0,0 @@
-{
-    "oidc": {
-        "issuer": "https://idp.srv.oceanbox.io/dex",
-        "authorization_endpoint": "https://idp.srv.oceanbox.io/dex/auth",
-        "token_endpoint": "https://idp.srv.oceanbox.io/dex/token",
-        "jwks_uri": "https://idp.srv.oceanbox.io/dex/keys",
-        "userinfo_endpoint": "https://idp.srv.oceanbox.io/dex/userinfo",
-        "device_authorization_endpoint": "https://idp.srv.oceanbox.io/dex/device/code",
-        "clientId": "atlantis_dev",
-        "clientSecret": "",
-        "scopes": [
-            "openid",
-            "email",
-            "offline_access",
-            "profile"
-        ]
-    },
-    "sso": {
-        "cookieDomain": ".oceanbox.io",
-        "signedOutRedirectUri": "https://idp.srv.oceanbox.io/dex/static/logout.html",
-        "redis": "staging-redis-master.redis.svc,user=default,password=secret",
-        "appDomain": "atlantis",
-        "dataProtectionKeys": "DataProtection-Keys"
-    },
-    "archmeister" : "https://archmeister.beta.oceanbox.io",
-    "sorcerer" : "https://sorcerer.beta.data.oceanbox.io",
-    "allowedOrigins": [
-        "http://atlantis.beta.oceanbox.io",
-        "https://atlantis.beta.oceanbox.io"
-    ],
-    "logService" : "https://seq.oceanbox.io",
-    "logApiKey": ""
-}

charts/atlantis/staging/default.env

@@ -1,2 +0,0 @@
-OIDC_CLIENT_SECRET=3QjfSPmAemjn34XVA2o1fvoS7I4gKvOR
-SEQ_APIKEY=WmZplDeFoxIHpJQ5BiDk

charts/atlantis/templates/cluster.yaml

@@ -0,0 +1,54 @@
+{{- if .Values.cluster.enabled -}}
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+  name: {{ include "Atlantis.fullname" . }}-db
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    linkerd.io/inject: disabled
+  labels:
+    {{- include "Atlantis.labels" . | nindent 4 }}
+spec:
+  instances: {{ .Values.cluster.instances | default "1" }}
+  imageName: ghcr.io/cloudnative-pg/postgis:15-3.3
+  # Example of rolling update strategy:
+  # - unsupervised: automated update of the primary once all
+  #                 replicas have been upgraded (default)
+  # - supervised: requires manual supervision to perform
+  #               the switchover of the primary
+  primaryUpdateStrategy: unsupervised
+  backup:
+    retentionPolicy: {{ .Values.cluster.backupRetention | default "60d" }}
+  storage:
+    size: {{ .Values.cluster.size | default "5Gi" }}
+{{- with .Values.cluster.bootstrap }}
+  bootstrap:
+{{- if .enabled }}
+    pg_basebackup:
+      source: archmaester
+  externalClusters:
+  - name: archmaester
+    connectionParameters:
+      host: {{ .source.db }}-rw.{{ .source.namespace }}
+      user: streaming_replica
+      sslmode: verify-full
+    sslKey:
+      name: {{ .source.db }}-replication
+      key: tls.key
+    sslCert:
+      name: {{ .source.db }}-replication
+      key: tls.crt
+    sslRootCert:
+      name: {{ .source.db }}-ca
+      key: ca.crt
+{{- else }}
+    initdb:
+      postInitTemplateSQL:
+        - CREATE EXTENSION postgis;
+        - CREATE EXTENSION postgis_topology;
+        - CREATE EXTENSION fuzzystrmatch;
+        - CREATE EXTENSION postgis_tiger_geocoder;
+        - ALTER USER app WITH SUPERUSER;
+{{- end }}
+{{- end }}
+{{- end }}

charts/atlantis/templates/deployment.yaml

@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: {{ include "Atlantis.fullname" . }}
+  namespace: {{ .Release.Namespace }}
   labels:
     {{- include "Atlantis.labels" . | nindent 4 }}
 spec:
@@ -83,8 +84,8 @@ spec:
         emptyDir: {}
       {{- end }}
       - name: appsettings
-        secret:
-          secretName: {{ template "Atlantis.fullname" . }}-appsettings
+        configMap:
+          name: {{ template "Atlantis.fullname" . }}-appsettings
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

charts/atlantis/templates/hpa.yaml

@@ -3,6 +3,7 @@ apiVersion: autoscaling/v2beta1
 kind: HorizontalPodAutoscaler
 metadata:
   name: {{ include "Atlantis.fullname" . }}
+  namespace: {{ .Release.Namespace }}
   labels:
     {{- include "Atlantis.labels" . | nindent 4 }}
 spec:

charts/atlantis/templates/ingress.yaml

@@ -16,6 +16,7 @@ apiVersion: extensions/v1beta1
 kind: Ingress
 metadata:
   name: {{ $fullName }}
+  namespace: {{ .Release.Namespace }}
   labels:
     {{- include "Atlantis.labels" . | nindent 4 }}
   {{- with .Values.ingress.annotations }}

charts/atlantis/templates/networkpolicies.yaml

@@ -0,0 +1,26 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-atlantis-services
+  namespace: {{ .Release.Namespace }}
+spec:
+  egress:
+  - toEndpoints:
+    - matchLabels:
+        k8s:io.kubernetes.pod.namespace: dapr-system
+  - toEndpoints:
+    - matchLabels:
+        k8s:io.kubernetes.pod.namespace: {{ .Values.rabbitmq.namespace | default "rabbitmq" }}
+  - toEndpoints:
+    - matchLabels:
+        k8s:io.kubernetes.pod.namespace: {{ .Values.tracing.namespace | default "otel" }}
+  - toFQDNs:
+    - matchName: '*.oceanbox.io'
+    - matchName: api.github.com
+    - matchName: dapr.github.io
+    - matchName: gitlab.com
+    - matchPattern: '*.gitlab.com'
+    - matchPattern: "*.k1.itpartner.no"
+    - matchName: analytics.loft.rocks
+  endpointSelector:
+    matchLabels: {}

charts/atlantis/templates/pubsub.yaml

@@ -2,20 +2,21 @@ apiVersion: dapr.io/v1alpha1
 kind: Component
 metadata:
   name: pubsub
+  namespace: {{ .Release.Namespace }}
 spec:
-  type: pubsub.rabbitmq
   version: v1
+  type: pubsub.rabbitmq
   metadata:
   - name: hostname
-    value: prod-rabbitmq.rabbitmq.svc
-  - name: protocol
-    value: amqp
+    value: {{ .Values.rabbitmq.service }}.{{ .Values.rabbitmq.namespace | default "rabbitmq" }}
   - name: username
-    value: user
+    value: {{ .Values.rabbitmq.username }}
   - name: password
     secretKeyRef:
-      name: prod-rabbitmq
+      name: {{ .Values.rabbitmq.secretName | default (printf "%s-rabbitmq" .Release.Name) }}
       key:  rabbitmq-password
+  - name: protocol
+    value: amqp
   - name: durable
     value: true
   - name: deletedWhenUnused
@@ -41,10 +42,13 @@ spec:
   - name: backOffMaxRetries
     value: 16
   - name: enableDeadLetter # Optional enable dead Letter or not
-    value: false
+    value: true
   - name: maxLen # Optional max message count in a queue
     value: 3000
   - name: maxLenBytes # Optional maximum length in bytes of a queue.
     value: 10485760
   - name: exchangeKind
     value: fanout
+  - name: clientName
+    value: "{appID}"
+

charts/atlantis/templates/pvc.yaml

@@ -3,6 +3,7 @@ kind: PersistentVolumeClaim
 apiVersion: v1
 metadata:
   name: {{ template "Atlantis.fullname" . }}
+  namespace: {{ .Release.Namespace }}
 {{- with .Values.persistence.annotations  }}
   annotations:
 {{ toYaml . | indent 4 }}

charts/atlantis/templates/secrets.yaml

@@ -0,0 +1,57 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  annotations:
+    kyverno/clone: "true"
+  name: {{ .Release.Name }}-rabbitmq
+  namespace: {{ .Release.Namespace }}
+type: Opaque
+data:
+---
+{{- if not .Values.redis.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+  annotations:
+    kyverno/clone: "true"
+  name: {{ .Release.Name }}-redis
+type: Opaque
+data:
+{{- end }}
+---
+{{- if not .Values.cluster.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+  annotations:
+    kyverno/clone: "true"
+  name: {{ include "Atlantis.fullname" . }}-db-superuser
+  namespace: {{ .Release.Namespace }}
+type: kubernetes.io/basic-auth
+data:
+  username:
+  password:
+{{- else }}
+apiVersion: v1
+kind: Secret
+metadata:
+  annotations:
+    kyverno/clone: "true"
+  name: {{ .Values.cluster.bootstrap.source.db }}-replication
+type: kubernetes.io/tls
+data:
+  tls.crt: ""
+  tls.key: ""
+---
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+  annotations:
+    kyverno/clone: "true"
+  name: {{ .Values.cluster.bootstrap.source.db }}-ca
+  namespace: {{ .Release.Namespace }}
+data:
+  ca.crt: ""
+  ca.key: ""
+{{- end }}

charts/atlantis/templates/service.yaml

@@ -2,6 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
   name: {{ include "Atlantis.fullname" . }}
+  namespace: {{ .Release.Namespace }}
   labels:
     {{- include "Atlantis.labels" . | nindent 4 }}
 spec:

charts/atlantis/templates/serviceaccount.yaml

@@ -3,6 +3,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ include "Atlantis.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
   labels:
     {{- include "Atlantis.labels" . | nindent 4 }}
   {{- with .Values.serviceAccount.annotations }}

charts/atlantis/templates/statestore.yaml

@@ -2,17 +2,21 @@ apiVersion: dapr.io/v1alpha1
 kind: Component
 metadata:
   name: statestore
+  namespace: {{ .Release.Namespace }}
 spec:
   type: state.redis
   version: v1
   metadata:
   - name: redisHost
-    value: prod-redis-master.redis.svc:6379
+    value: {{ .Release.Name }}-redis-master:6379
   - name: redisUsername
     value: default
   - name: redisPassword
     secretKeyRef:
-      name: prod-redis
+      name: {{ .Release.Name }}-redis
       key:  redis-password
   - name: actorStateStore
     value: "true"
+scopes:
+  - atlantis
+  - {{ .Release.Name }}-atlantis

charts/atlantis/templates/subscriptions.yaml

@@ -0,0 +1,31 @@
+apiVersion: dapr.io/v2alpha1
+kind: Subscription
+metadata:
+  name: hipster-events
+  namespace: {{ .Release.Namespace }}
+spec:
+  topic: hipster
+  routes:
+    default: /hipster-events
+  pubsubname: pubsub
+  metadata:
+    queueType: quorum
+scopes:
+- atlantis
+- {{ .Release.Name}}-atlantis
+---
+apiVersion: dapr.io/v2alpha1
+kind: Subscription
+metadata:
+  name: inbox-events
+  namespace: {{ .Release.Namespace }}
+spec:
+  topic: inbox
+  routes:
+    default: /inbox-events
+  pubsubname: pubsub
+  metadata:
+    queueType: quorum
+scopes:
+- atlantis
+- {{ .Release.Name}}-atlantis

charts/atlantis/templates/tracing.yaml

@@ -2,9 +2,10 @@ apiVersion: dapr.io/v1alpha1
 kind: Configuration
 metadata:
   name: tracing
+  namespace: {{ .Release.Namespace }}
 spec:
   tracing:
     samplingRate: "1"
     zipkin:
-      endpointAddress: "http://jaeger-collector:9411/api/v2/spans"
+      endpointAddress: {{ .Values.tracing.endpoint }}
 

charts/atlantis/values-prod.yaml

@@ -1,27 +0,0 @@
-ingress:
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt-production
-    nginx.ingress.kubernetes.io/proxy-buffer-size: 128k
-  hosts:
-    - host: atlantis.srv.oceanbox.io
-      paths:
-        - path: /
-          pathType: ImplementationSpecific
-    - host: maps.srv.oceanbox.io
-      paths:
-        - path: /
-          pathType: ImplementationSpecific
-  tls:
-    - hosts:
-       - atlantis.srv.oceanbox.io
-       - maps.srv.oceanbox.io
-      secretName: atlantis-tls
-
-resources:
-  limits:
-    cpu: 250m
-    memory: 1Gi
-  requests:
-    cpu: 250m
-    memory: 1Gi
-

charts/atlantis/values-staging.yaml

@@ -1,26 +0,0 @@
-image:
-  tag: a41b6229-debug
-
-ingress:
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt-production
-    nginx.ingress.kubernetes.io/proxy-buffer-size: 128k
-    # atlantis.oceanbox.io/expose: internal
-  hosts:
-    - host: atlantis.beta.oceanbox.io
-      paths:
-        - path: /
-          pathType: ImplementationSpecific
-  tls:
-    - hosts:
-       - atlantis.beta.oceanbox.io
-      secretName: staging-atlantis-tls
-
-resources:
-  limits:
-    cpu: 250m
-    memory: 1Gi
-  requests:
-    cpu: 250m
-    memory: 1Gi
-

charts/atlantis/values.yaml

@@ -0,0 +1,154 @@
+# Default values for Atlantis.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+replicaCount: 1
+
+image:
+  repository: registry.gitlab.com/oceanbox/atlantis
+  tag: v2.87.1
+  pullPolicy: IfNotPresent
+
+init:
+  enabled: false
+  image: ubuntu:rolling
+  command: ["/bin/sh", "-c", "true"]
+
+env:
+  - name: LOG_LEVEL
+    value: "3"
+
+imagePullSecrets:
+  - name: gitlab-pull-secret
+
+nameOverride: ""
+
+fullnameOverride: ""
+
+serviceAccount:
+  create: true
+  # Annotations to add to the service account
+  annotations: {}
+  # The name of the service account to use.
+  # If not set and create is true, a name is generated using the fullname template
+  name: ""
+
+podAnnotations: {}
+
+podSecurityContext:
+  fsGroup: 2000
+
+securityContext:
+  capabilities:
+    drop:
+      - ALL
+  readOnlyRootFilesystem: false
+  runAsNonRoot: true
+  runAsUser: 1000
+
+service:
+  type: ClusterIP
+  port: 8085
+
+ingress:
+  enabled: false
+  className: "nginx"
+  annotations:
+    nginx.ingress.kubernetes.io/ssl-redirect: "true"
+    nginx.ingress.kubernetes.io/backend-protocol: HTTP
+  hosts:
+    - host: atlantis.srv.oceanbox.io
+      paths:
+        - path: /
+          pathType: ImplementationSpecific
+  tls:
+    - hosts:
+        - atlantis.srv.oceanbox.io
+      secretName: atlantis-tls
+
+persistence:
+  enabled: false
+  size: 1G
+  storageClass: ""
+  accessMode: ReadWriteOnce
+
+cluster:
+  enabled: true
+  instances: 1
+  backupEnabled: true
+  backupRetention: 60d
+  size: 5Gi
+  bootstrap:
+    enabled: true
+    source:
+      db: prod-archmeister
+      namespace: atlantis
+
+redis:
+  enabled: true
+  image:
+    repository: redis/redis-stack-server
+    tag: 7.2.0-v10
+  architecture: standalone
+  replica:
+    replicaCount: 1
+    command:
+      - "/opt/redis-stack/bin/redis-server"
+      - "--loadmodule"
+      - "/opt/redis-stack/lib/redisearch.so"
+      - "MAXSEARCHRESULTS"
+      - "10000"
+      - "MAXAGGREGATERESULTS"
+      - "10000"
+      - "--loadmodule"
+      - "/opt/redis-stack/lib/rejson.so"
+  auth:
+    enabled: true
+    sentinel: true
+    password: ""
+    usePasswordFiles: false
+    existingSecretPasswordKey: ""
+    # existingSecret: staging-redis
+  master:
+    resources:
+      limits:
+        cpu: null
+        ephemeral-storage: 1024Mi
+        memory: 192Mi
+      requests:
+        cpu: 150m
+        ephemeral-storage: 50Mi
+        memory: 128Mi
+
+tracing:
+  namespace: otel
+  endpoint: "http://opentelemetry-collector.otel:9411/api/v2/spans"
+
+rabbitmq:
+  namespace: rabbitmq
+  service: staging-rabbitmq
+  username: user
+  # secretName: staging-rabbitmq
+
+resources: {}
+# We usually recommend not to specify default resources and to leave this as a conscious
+# choice for the user. This also increases chances charts run on environments with little
+# resources, such as Minikube. If you do want to specify resources, uncomment the following
+# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+# limits:
+#   cpu: 100m
+#   memory: 128Mi
+# requests:
+#   cpu: 100m
+#   memory: 128Mi
+
+autoscaling:
+  enabled: false
+  minReplicas: 1
+  maxReplicas: 100
+  targetCPUUtilizationPercentage: 80
+  # targetMemoryUtilizationPercentage: 80
+
+nodeSelector: {}
+tolerations: []
+affinity: {}

charts/busynix/values.yaml

@@ -36,7 +36,7 @@ service:
   type: ClusterIP
   port: 8000
 ingress:
-  enabled: true
+  enabled: false
   className: nginx
   annotations:
     nginx.ingress.kubernetes.io/ssl-redirect: "true"

charts/hipster/.helmignore

@@ -20,3 +20,7 @@
 .idea/
 *.tmproj
 .vscode/
+base/
+prod/
+staging/
+review/

charts/hipster/Chart.yaml

@@ -1,7 +1,6 @@
 apiVersion: v2
 name: hipster
 description: A Helm chart for Kubernetes
-
 # A chart can be either an 'application' or a 'library' chart.
 #
 # Application charts are a collection of templates that can be packaged into versioned archives
@@ -11,11 +10,9 @@ description: A Helm chart for Kubernetes
 # a dependency of application charts to inject those utilities and functions into the rendering
 # pipeline. Library charts do not define any templates and therefore cannot be deployed.
 type: application
-
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
-version: 0.2.0
-
+version: v2.7.0
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application.
-appVersion: 1.10.0
+appVersion: v2.7.0

charts/hipster/templates/deployment.yaml

@@ -81,8 +81,8 @@ spec:
         emptyDir: {}
       {{- end }}
       - name: appsettings
-        secret:
-          secretName: {{ template "Hipster.fullname" . }}-appsettings
+        configMap:
+          name: {{ template "Hipster.fullname" . }}-appsettings
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}