Add more Nix Apps

Rewrite of some of the Apps to Nix. Tried to convert ApplicationSets to simple Applications with an ${env} modifier.
fix: fix amqp password
2025-02-21 17:47:45 +00:00 · 2025-02-04 17:02:42 +01:00 · 2025-02-04 15:43:37 +01:00 · 2025-02-04 15:43:24 +01:00 · 2025-01-31 13:25:45 +01:00 · 2025-01-31 13:22:27 +01:00
503 changed files with 71633 additions and 1796 deletions
@@ -0,0 +1 @@
+use nix
@@ -1,2 +1,6 @@
+*.tgz
+_*/
+.direnv/
+.pre-commit-config.yaml
 _manifest.yaml
 _resources.yaml
@@ -14,8 +14,8 @@ release:
  script:
    - |
      cd $CI_PROJECT_DIR
-      for i in $(git show --pretty="" --name-only | grep '^[^/]*/chart/Chart.yaml' | cut -d/ -f1); do
-        pack=$(helm package $i/chart | sed 's/Success.*: \(.*\)/\1/')
+      for i in $(git show --pretty="" --name-only | grep '^charts/.*/Chart.yaml' | cut -d/ -f2); do
+        pack=$(helm package ./charts/$i | sed 's/Success.*: \(.*\)/\1/')
        if [ ! -z $pack ]; then
          chart=$(basename $pack)
          curl --request POST \
@@ -33,8 +33,8 @@ rebuild:
  script:
    - |
      cd $CI_PROJECT_DIR
-      for i in $(find -maxdepth 3 -name Chart.yaml | cut -d/ -f2); do
-        pack=$(helm package $i/chart | sed 's/Success.*: \(.*\)/\1/')
+      for i in $(find ./charts -maxdepth 2 -name Chart.yaml | cut -d/ -f3); do
+        pack=$(helm package ./charts/$i | sed 's/Success.*: \(.*\)/\1/')
        if [ ! -z $pack ]; then
          chart=$(basename $pack)
          curl --request POST \
@@ -1,16 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: atlantis-host-cluster-resources
-  namespace: argocd
-spec:
-  project: atlantis
-  destination:
-    server: https://kubernetes.default.svc
-  syncPolicy:
-    automated: {}
-  source:
-    repoURL: https://gitlab.com/oceanbox/manifests.git
-    targetRevision: dev
-    path: resources/atlantis/host-manifests
-
@@ -1,27 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: ApplicationSet
-metadata:
-  name: atlantis-resources
-  namespace: argocd
-spec:
-  generators:
-  - list:
-      elements:
-      - cluster: https://kubernetes.default.svc
-        env: prod
-      - cluster: https://staging-vcluster.staging-vcluster:443
-        env: staging
-  template:
-    metadata:
-      name: '{{ env }}-atlantis-resources'
-    spec:
-      project: atlantis
-      syncPolicy:
-        automated: {}
-      destination:
-        server: '{{ cluster }}'
-        namespace: atlantis
-      sources:
-      - repoURL: https://gitlab.com/oceanbox/manifests.git
-        targetRevision: dev
-        path: 'resources/atlantis/manifests/{{ env }}'
@@ -1,46 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: ApplicationSet
-metadata:
-  name: redis
-  namespace: argocd
-spec:
-  generators:
-  - list:
-      elements:
-      - cluster: https://kubernetes.default.svc
-        env: prod
-        hostname: redis.srv.oceanbox.io
-      - cluster: https://kubernetes.default.svc
-        env: staging
-        hostname: redis.beta.oceanbox.io
-  template:
-    metadata:
-      name: '{{ env }}-redis'
-    spec:
-      project: atlantis
-      destination:
-        server: https://kubernetes.default.svc
-        namespace: redis
-      sources:
-        # - repoURL: https://charts.bitnami.com/bitnami
-        #   targetRevision: 18.9.1
-        #   chart: redis
-        #   helm:
-        #     valueFiles:
-        #       - $values/redis/values.yaml
-        # - repoURL: https://gitlab.com/oceanbox/manifests.git
-        #   targetRevision: HEAD
-        #   path: charts/redis/{{ env }}
-        #   ref: values
-        - repoURL: https://gitlab.com/oceanbox/manifests.git
-          targetRevision: dev
-          path: charts/redis
-          plugin:
-            name: kustomize-helm-with-rewrite
-            parameters:
-            - name: env
-              string: '{{ env }}'
-            - name: hostname
-              string: '{{ hostname }}'
-            - name: chart
-              string: bitnami/redis
@@ -13,11 +13,11 @@ spec:
        hostname: archmeister.srv.oceanbox.io
        autoSync: false
        prune: true
-      - cluster: https://staging-vcluster.staging-vcluster:443
-        env: staging
-        hostname: archmeister.beta.oceanbox.io
-        autoSync: true
-        prune: true
+      # - cluster: https://staging-vcluster.staging-vcluster
+      #   env: staging
+      #   hostname: archmeister.beta.oceanbox.io
+      #   autoSync: true
+      #   prune: true
  template:
    metadata:
      name: "{{ .env }}-archmeister"
@@ -28,8 +28,8 @@ spec:
        server: "{{ .cluster }}"
      sources:
      - repoURL: https://gitlab.com/oceanbox/manifests.git
-        targetRevision: dev
-        path: charts/archmeister
+        targetRevision: main
+        path: values/archmeister
        plugin:
          name: kustomize-helm-with-rewrite
          parameters:
@@ -43,4 +43,5 @@ spec:
      syncPolicy:
        automated:
          prune: {{ .prune }}
+          selfHeal: false
    {{- end }}
@@ -0,0 +1,27 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: atlantis-cluster-resources
+  namespace: argocd
+  # annotations: # close, but no cigar
+  #   argocd.argoproj.io/compare-options: ServerSideDiff=true,IncludeMutationWebhook=true
+spec:
+  project: atlantis
+  destination:
+    server: https://kubernetes.default.svc
+  syncPolicy:
+    automated:
+      prune: false
+      selfHeal: false
+  # ignoreDifferences:
+  #   - kind: Secret
+  #     name: prod-rabbitmq
+  #     jqPathExpressions:
+  #       - '.data'
+  #       - '.metadata.annotations.clone'
+  #       - '.metadata.labels'
+  sources:
+  - repoURL: https://gitlab.com/oceanbox/manifests.git
+    targetRevision: main
+    path: resources/atlantis
+
@@ -0,0 +1,41 @@
+# Currently not in use. Configured via the create-vcluster script.
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: atlantis-resources
+  namespace: argocd
+spec:
+  goTemplate: true
+  generators:
+  - list:
+      elements:
+      - cluster: https://kubernetes.default.svc
+        env: prod
+        autoSync: false
+        prune: false
+      # - cluster: https://staging-vcluster.staging-vcluster
+      #   env: staging
+      #   autoSync: false
+      #   prune: false
+  template:
+    metadata:
+      name: "{{ .env }}-atlantis-resources"
+    spec:
+      project: aux
+      syncPolicy:
+        automated: {}
+      destination:
+        server: "{{ .cluster }}"
+        namespace: atlantis
+      sources: {}
+      # - repoURL: https://gitlab.com/oceanbox/manifests.git
+      #   targetRevision: main
+      #   path: 'resources/atlantis/manifests/{{ env }}'
+  templatePatch: |
+    {{- if .autoSync }}
+    spec:
+      syncPolicy:
+        automated:
+          prune: {{ .prune }}
+          selfHeal: false
+    {{- end }}
@@ -0,0 +1,51 @@
+{ lib, config, ... }:
+let
+  cfg = config.apps.atlantis;
+  env = config.apps.env;
+
+  values = lib.apps.appValues {
+    inherit env;
+    base = ../values/atlantis;
+    extraValues = {};
+  };
+
+  kustomize = r:
+    if r.kind == "Deployment" then
+      lib.attrsets.recursiveUpdate r {
+        spec.template.spec.containers =
+        builtins.map (x:
+        x // {
+            livenessProbe.httpGet.path = "/healthz";
+            readinessProble.httpGet.path = "/healthz";
+            env = x.env ++ [ { name = "INERNAL_PORT"; value = 8000; } ];
+        }) r.spec.template.spec.containers;
+      }
+      else if r.kind == "Service" then
+      {}
+    else r;
+in
+{
+  options.apps.atlantis = lib.apps.appOptions {
+      revision = lib.mkOption {
+        type = lib.types.str;
+        default = "main";
+        description = "Revision";
+      };
+
+      hostname = lib.mkOption {
+        type = lib.types.str;
+        default = if env == "prod"
+          then "maps.oceanbox.io"
+          else "atlantis.beta.oceanbox.io";
+        description = "Revision";
+      };
+  };
+
+  config = lib.apps.appConfig cfg "${env}-atlantis" {
+    helm.releases."${env}-atlantis" = {
+      inherit values;
+      chart = ../charts/atlantis;
+      transformer = rs: builtins.map (x: kustomize x) rs;
+    };
+  };
+}
@@ -13,11 +13,11 @@ spec:
        hostname: atlantis.srv.oceanbox.io
        autoSync: false
        prune: true
-      - cluster: https://staging-vcluster.staging-vcluster:443
-        env: staging
-        hostname: atlantis.beta.oceanbox.io
-        autoSync: true
-        prune: true
+      # - cluster: https://staging-vcluster.staging-vcluster
+      #   env: staging
+      #   hostname: atlantis.beta.oceanbox.io
+      #   autoSync: true
+      #   prune: true
  template:
    metadata:
      name: '{{ .env }}-atlantis'
@@ -28,8 +28,8 @@ spec:
        server: '{{ .cluster }}'
      sources:
      - repoURL: https://gitlab.com/oceanbox/manifests.git
-        targetRevision: dev
-        path: charts/atlantis
+        targetRevision: main
+        path: values/atlantis
        plugin:
          name: kustomize-helm-with-rewrite
          parameters:
@@ -37,13 +37,11 @@ spec:
            string: '{{ .env }}'
          - name: hostname
            string: '{{ .hostname }}'
-      - repoURL: https://gitlab.com/oceanbox/manifests.git
-        targetRevision: dev
-        path: charts/atlantis/manifests
  templatePatch: |
    {{- if .autoSync }}
    spec:
      syncPolicy:
        automated:
          prune: {{ .prune }}
+          selfHeal: false
    {{- end }}
@@ -7,24 +7,24 @@ spec:
  generators:
  - list:
      elements:
-      - cluster: https://kubernetes.default.svc
-        env: prod
-        hostname: busynix.srv.oceanbox.io
-      - cluster: https://staging-vcluster.staging-vcluster:443
+      # - cluster: https://kubernetes.default.svc
+      #   env: prod
+      #   hostname: busynix.srv.oceanbox.io
+      - cluster: https://staging-vcluster.staging-vcluster
        env: staging
        hostname: busynix.beta.oceanbox.io
  template:
    metadata:
      name: '{{ env }}-busynix'
    spec:
-      project: atlantis
+      project: aux
      destination:
        namespace: default
        server: '{{ cluster }}'
      source:
        repoURL: https://gitlab.com/oceanbox/manifests.git
-        targetRevision: dev
-        path: charts/busynix
+        targetRevision: main
+        path: values/busynix
        plugin:
          name: kustomize-helm-with-rewrite
          parameters:
@@ -9,13 +9,13 @@ spec:
      elements:
      - cluster: https://kubernetes.default.svc
        env: prod
-      - cluster: https://staging-vcluster.staging-vcluster:443
+      - cluster: https://staging-vcluster.staging-vcluster
        env: staging
  template:
    metadata:
      name: '{{ env }}-cerbos'
    spec:
-      project: atlantis
+      project: aux
      destination:
        server: https://kubernetes.default.svc
        namespace: idp
@@ -25,8 +25,8 @@ spec:
          chart: cerbos
          helm:
            valueFiles:
-              - $values/charts/cerbos/values.yaml
-              - $values/charts/cerbos/values-{{ env }}.yaml
+              - $values/values/cerbos/values.yaml
+              - $values/values/cerbos/values-{{ env }}.yaml
        - repoURL: https://gitlab.com/oceanbox/manifests.git
-          targetRevision: dev
+          targetRevision: main
          ref: values
@@ -0,0 +1,46 @@
+{ lib, config, ... }:
+let
+  cfg = config.apps.dapr;
+  env = config.apps.env;
+
+  values = lib.apps.appValues {
+    inherit env;
+    extraValues = {
+      global.ha.enabled = true;
+    };
+  };
+
+in
+{
+  options.apps.dapr = lib.apps.appOptions {
+    revision = lib.mkOption {
+      type = lib.types.str;
+      default = "1.14.4";
+      description = "Dapr chart version";
+    };
+  };
+
+  config = lib.apps.appConfig cfg "dapr" {
+    namespace = "argocd";
+    helm.releases.dapr = {
+      inherit values;
+      chart = lib.helm.downloadHelmChart {
+        repo = "https://dapr.github.io/helm-charts/";
+        chart = "dapr";
+        version = cfg.revision;
+      };
+    };
+    annotations = {
+      "argocd.argoproj.io/sync-options" = "SkipDryRunOnMissingResource=true";
+    };
+    resources = {
+      "argoproj.io".v1alpha1.Application.dapr.spec = {
+        destination = {
+          namespace = "dapr-system";
+          server = "https://kubernetes.default.svc";
+        };
+        project = "default";
+      };
+    };
+  };
+}
@@ -0,0 +1,33 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: dapr
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    namespace: dapr-system
+    server: https://kubernetes.default.svc
+  project: default
+  syncPolicy:
+    # managedNamespaceMetadata:
+    #   labels:
+    #     component: aux
+    syncOptions:
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+    automated:
+      prune: true
+      selfHeal: true
+  sources:
+  - repoURL:  https://dapr.github.io/helm-charts/
+    targetRevision: 1.14.4
+    chart: dapr
+    helm:
+      values: |
+        global:
+          ha:
+            enabled: true
@@ -0,0 +1,16 @@
+{ ... }:
+{
+  imports = [
+    ./atlantis.nix
+    ./dapr.nix
+    ./dex.nix
+    ./keycloak.nix
+    ./loki.nix
+    ./openfga.nix
+    ./opentelemetry-collector.nix
+    ./rabbitmq.nix
+    ./redis.nix
+    ./tempo.nix
+    ./wordpress.nix
+  ];
+}
@@ -0,0 +1,39 @@
+{ lib, config, ... }:
+let
+  cfg = config.apps.dex;
+  env = config.apps.env;
+  
+  values = lib.apps.appValues {
+    inherit env;
+    base = ../values/dex;
+    extraValues = {};
+  };
+in
+{
+  options.apps.dex = lib.apps.appOptions { 
+    enable = lib.mkEnableOption "Dex";
+    revision = lib.mkOption {
+      type = lib.types.str;
+      default = "0.16.0";
+      description = "Dex chart version";
+    };
+    hostname = lib.mkOption {
+      type = lib.types.str;
+      description = "Dex hostname";
+      default = "idp.${env}.oceanbox.io";
+    };
+  };
+  config = lib.apps.appConfig cfg "${env}-dex" {
+    namespace = "idp";
+    helm.releases.dex = {
+      inherit values;
+      chart = lib.helm.downloadHelmChart {
+        repo = "https://charts.dexidp.io";
+        chart = "dex";
+        version = cfg.revision;
+        chartHash = "";
+      };
+      transformer = rs: builtins.map (x: kustomize x) rs;
+    };
+  };
+}
@@ -4,12 +4,12 @@ metadata:
  name: dex
  namespace: argocd
 spec:
-  project: atlantis
+  project: aux
  destination:
    server: https://kubernetes.default.svc
    namespace: idp
  source:
    repoURL: https://gitlab.com/oceanbox/manifests.git
-    targetRevision: dev
-    path: charts/dex/manifests
+    targetRevision: nixidy
+    path: values/dex/manifests

@@ -17,14 +17,14 @@ spec:
    metadata:
      name: '{{ env }}-geoserver'
    spec:
-      project: atlantis
+      project: aux
      destination:
        server: https://kubernetes.default.svc
        namespace: geoserver
      sources:
      - repoURL: https://gitlab.com/oceanbox/manifests.git
-        targetRevision: dev
-        path: charts/geoserver
+        targetRevision: main
+        path: values/geoserver
        plugin:
          name: kustomize-helm-with-rewrite
          parameters:
@@ -13,11 +13,11 @@ spec:
        hostname: hipster.srv.oceanbox.io
        autoSync: false
        prune: true
-      - cluster: https://staging-vcluster.staging-vcluster:443
-        env: staging
-        hostname: hipster.beta.oceanbox.io
-        autoSync: true
-        prune: true
+      # - cluster: https://staging-vcluster.staging-vcluster
+      #   env: staging
+      #   hostname: hipster.beta.oceanbox.io
+      #   autoSync: true
+      #   prune: true
  template:
    metadata:
      name: '{{ .env }}-hipster'
@@ -28,8 +28,8 @@ spec:
        server: '{{ .cluster }}'
      sources:
      - repoURL: https://gitlab.com/oceanbox/manifests.git
-        targetRevision: dev
-        path: charts/hipster
+        targetRevision: main
+        path: values/hipster
        plugin:
          name: kustomize-helm-with-rewrite
          parameters:
@@ -43,4 +43,5 @@ spec:
      syncPolicy:
        automated:
          prune: {{ .prune }}
+          selfHeal: false
    {{- end }}
@@ -10,13 +10,13 @@ spec:
    namespace: jaeger
  sources:
  - repoURL: https://jaegertracing.github.io/helm-charts
-    targetRevision: 2.50.1
+    targetRevision: 2.54.0
    chart: jaeger-operator
    helm:
      valueFiles:
-        - $values/charts/jaeger/values.yaml
+        - $values/values/jaeger/values.yaml
  - repoURL: https://gitlab.com/oceanbox/manifests.git
-    targetRevision: dev
-    # path: charts/jaeger/manifests
+    targetRevision: main
+    # path: values/jaeger/manifests
    ref: values

@@ -0,0 +1,34 @@
+{ lib, config, ... }:
+let
+  cfg = config.apps.keycloak;
+  env = config.apps.env;
+
+  values = lib.apps.appValues {
+    inherit env;
+    base = ../values/keycloak;
+    extraValues = {};
+  };
+in
+{
+  options.apps.keycloak = lib.apps.appOptions {
+    enable = lib.mkEnableOption "Keycloak";
+    revision = lib.mkOption {
+      type = lib.types.str;
+      default = "24.0.2";
+      description = "Keycloak chart version";
+    };
+  };
+  config = lib.apps.appConfig cfg "keycloak" {
+    namespace = "idp";
+    helm.releases.keycloak = {
+      inherit values;
+      chart = lib.helm.downloadHelmChart {
+        repo = "https://charts.bitnami.com/bitnami";
+        chart = "keycloak";
+        version = cfg.revision;
+        chartHash = "";
+      };
+      transformer = rs: builtins.map (x: kustomize x) rs;
+    };
+  };
+}
@@ -4,18 +4,18 @@ metadata:
  name: keycloak
  namespace: argocd
 spec:
-  project: atlantis
+  project: aux
  destination:
    server: https://kubernetes.default.svc
    namespace: idp
  sources:
  - repoURL: https://charts.bitnami.com/bitnami
-    targetRevision: 18.3.4
+    targetRevision: 24.0.2
    chart: keycloak
    helm:
      valueFiles:
-        - $values/charts/keycloak/values.yaml
+        - $values/values/keycloak/values.yaml
  - repoURL: https://gitlab.com/oceanbox/manifests.git
-    targetRevision: dev
+    targetRevision: nixidy
    ref: values

@@ -0,0 +1,249 @@
+{ lib, config, ... }:
+let
+  cfg = config.apps.loki;
+  env = config.apps.env;
+
+  values = lib.apps.appValues {
+    inherit env;
+    extraValues = {
+      loki = {
+        auth_enabled = false;
+        storage = {
+          bucketNames = {
+            chunks = cfg.buckets.chunks;
+            ruler = cfg.buckets.ruler;
+            admin = cfg.buckets.admin;
+          };
+          s3 =
+            {
+              endpoint = cfg.s3.endpoint;
+              region = cfg.s3.region;
+              secretAccessKey = "\${S3SECRET}";
+              accessKeyId = "\${S3KEY}";
+              s3ForcePathStyle = true;
+            }
+            // lib.optionalAttrs cfg.s3.insecureSkipVerify {
+              http_config.insecure_skip_verify = true;
+            };
+        };
+        schemaConfig.configs = [
+          {
+            from = "2024-04-01";
+            index.period = "24h";
+            index.prefix = "loki_index_";
+            object_store = "s3";
+            schema = "v13";
+            store = "tsdb";
+          }
+        ];
+        compactor = {
+          compaction_interval = "10m";
+          working_directory = "/tmp/loki/compactor";
+          retention_enabled = true;
+          retention_delete_delay = "2h";
+          retention_delete_worker_count = 150;
+          delete_request_store = "s3";
+        };
+        limits_config.retention_period = "744h";
+      };
+
+      write = {
+        extraArgs = [ "-config.expand-env=true" ];
+        extraEnv = [
+          {
+            name = "S3KEY";
+            valueFrom.secretKeyRef = {
+              name = cfg.secret.name;
+              key = cfg.secret.accessKey;
+            };
+          }
+          {
+            name = "S3SECRET";
+            valueFrom.secretKeyRef = {
+              name = cfg.secret.name;
+              key = cfg.secret.secretKey;
+            };
+          }
+        ];
+        tolerations = [
+          {
+            effect = "NoSchedule";
+            operator = "Equal";
+            key = "unschedulable";
+            value = "true";
+          }
+        ];
+      };
+
+      read = {
+        extraArgs = [ "-config.expand-env=true" ];
+        extraEnv = [
+          {
+            name = "S3KEY";
+            valueFrom.secretKeyRef = {
+              name = cfg.secret.name;
+              key = cfg.secret.accessKey;
+            };
+          }
+          {
+            name = "S3SECRET";
+            valueFrom.secretKeyRef = {
+              name = cfg.secret.name;
+              key = cfg.secret.secretKey;
+            };
+          }
+        ];
+        tolerations = [
+          {
+            effect = "NoSchedule";
+            operator = "Equal";
+            key = "unschedulable";
+            value = "true";
+          }
+        ];
+      };
+
+      ingress = {
+        enabled = true;
+        ingressClassName = "nginx";
+        annotations = {
+          "cert-manager.io/cluster-issuer" = "letsencrypt-staging";
+          "nginx.ingress.kubernetes.io/ssl-redirect" = "true";
+          "atlantis.oceanbox.io/expose" = "internal";
+        };
+        hosts = [ "loki.adm.oceanbox.io" ];
+        tls = [{
+          hosts = [ "loki.adm.oceanbox.io" ];
+          secretName = "loki-distributed-tls";
+        }];
+      };
+
+      compactor = {
+        extraArgs = [ "-config.expand-env=true" ];
+        extraEnv = [
+          {
+            name = "S3KEY";
+            valueFrom.secretKeyRef = {
+              name = cfg.secret.name;
+              key = cfg.secret.accessKey;
+            };
+          }
+          {
+            name = "S3SECRET";
+            valueFrom.secretKeyRef = {
+              name = cfg.secret.name;
+              key = cfg.secret.secretKey;
+            };
+          }
+        ];
+      };
+
+      backend = {
+        extraArgs = [ "-config.expand-env=true" ];
+        extraEnv = [
+          {
+            name = "S3KEY";
+            valueFrom.secretKeyRef = {
+              name = cfg.secret.name;
+              key = cfg.secret.accessKey;
+            };
+          }
+          {
+            name = "S3SECRET";
+            valueFrom.secretKeyRef = {
+              name = cfg.secret.name;
+              key = cfg.secret.secretKey;
+            };
+          }
+        ];
+      };
+    };
+  };
+
+in
+{
+  options.apps.loki = lib.apps.appOptions {
+    revision = lib.mkOption {
+      type = lib.types.str;
+      default = "6.12.0";
+      description = "Loki chart version";
+    };
+    buckets = {
+      chunks = lib.mkOption {
+        type = lib.types.str;
+        default = "loki-chunks";
+        description = "S3 bucket for chunks";
+      };
+      ruler = lib.mkOption {
+        type = lib.types.str;
+        default = "loki-chunks";
+        description = "S3 bucket for ruler";
+      };
+      admin = lib.mkOption {
+        type = lib.types.str;
+        default = "loki-chunks";
+        description = "S3 bucket for admin";
+      };
+    };
+    s3 = {
+      endpoint = lib.mkOption {
+        type = lib.types.str;
+        default = "http://10.255.241.30:30080";
+        description = "S3 endpoint";
+      };
+      region = lib.mkOption {
+        type = lib.types.str;
+        default = "tos";
+        description = "S3 region";
+      };
+      insecureSkipVerify = lib.mkOption {
+        type = lib.types.bool;
+        default = true;
+        description = "Skip TLS verification";
+      };
+    };
+    secret = {
+      name = lib.mkOption {
+        type = lib.types.str;
+        default = "loki-s3";
+        description = "Name of the S3 credentials secret";
+      };
+      accessKey = lib.mkOption {
+        type = lib.types.str;
+        default = "AWS_ACCESS_KEY_ID";
+        description = "Access key field in secret";
+      };
+      secretKey = lib.mkOption {
+        type = lib.types.str;
+        default = "AWS_ACCESS_KEY_SECRET";
+        description = "Secret key field in secret";
+      };
+    };
+  };
+
+  config = lib.apps.appConfig cfg "loki" {
+    namespace = "argocd";
+    helm.releases.loki = {
+      inherit values;
+      chart = lib.helm.downloadHelmChart {
+        repo = "https://grafana.github.io/helm-charts";
+        chart = "loki";
+        version = cfg.revision;
+        chartHash = "sha256-YUtEIUiQWRzlttfOOgDk1xfTaiAZ12tIgpGr1QcMpro=";
+      };
+    };
+    annotations = {
+      "argocd.argoproj.io/sync-options" = "SkipDryRunOnMissingResource=true";
+    };
+    # TODO: Add network policies as a second source or integrate them into `resources`.
+    resources = {
+      "argoproj.io".v1alpha1.Application.loki.spec.ignoreDifferences = [
+        {
+          group = "apps";
+          kind = "StatefulSet";
+          jsonPointers = [ "/spec/persistentVolumeClaimRetentionPolicy" ];
+        }
+      ];
+    };
+  };
+}
@@ -0,0 +1,150 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: loki
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    namespace: loki
+    server: 'https://kubernetes.default.svc'
+  project: aux
+  ignoreDifferences:
+  - group: apps
+    kind: StatefulSet
+    jsonPointers:
+    - /spec/persistentVolumeClaimRetentionPolicy
+  syncPolicy:
+    managedNamespaceMetadata:
+      labels:
+        component: aux
+    syncOptions:
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+    automated:
+      prune: true
+      selfHeal: true
+  sources:
+  - repoURL: https://gitlab.com/serit/k8s/serit-platform-manifests.git
+    path: network-policies/netpol-loki
+    targetRevision: HEAD
+  - repoURL: 'https://grafana.github.io/helm-charts'
+    targetRevision: 6.12.0
+    chart: loki
+    helm:
+      values: |
+        loki:
+          auth_enabled: false
+          storage:
+            bucketNames:
+              chunks: loki-chunks
+              ruler: loki-chunks
+              admin: loki-chunks
+            s3:
+              endpoint: http://10.255.241.30:30080
+              region: tos
+              accessKeyId: ${S3KEY}
+              secretAccessKey: ${S3SECRET}
+              s3ForcePathStyle: true
+              http_config:
+                insecure_skip_verify: true
+          schemaConfig:
+            configs:
+            - from: "2024-04-01"
+              index:
+                period: 24h
+                prefix: loki_index_
+              object_store: s3
+              schema: v13
+              store: tsdb
+          compactor:
+            compaction_interval: 10m
+            working_directory: /tmp/loki/compactor
+            retention_enabled: true
+            retention_delete_delay: 2h
+            retention_delete_worker_count: 150
+            delete_request_store: s3
+          limits_config:
+            retention_period: 744h
+        write:
+          extraArgs:
+            - -config.expand-env=true
+          extraEnv:
+          - name: S3KEY
+            valueFrom:
+              secretKeyRef:
+                name: loki-s3
+                key: AWS_ACCESS_KEY_ID
+          - name: S3SECRET
+            valueFrom:
+              secretKeyRef:
+                name: loki-s3
+                key: AWS_ACCESS_KEY_SECRET
+          tolerations:
+          - effect: "NoSchedule"
+            operator: "Equal"
+            key: "unschedulable"
+            value: "true"
+        read:
+          extraArgs:
+            - -config.expand-env=true
+          extraEnv:
+          - name: S3KEY
+            valueFrom:
+              secretKeyRef:
+                name: loki-s3
+                key: AWS_ACCESS_KEY_ID
+          - name: S3SECRET
+            valueFrom:
+              secretKeyRef:
+                name: loki-s3
+                key: AWS_ACCESS_KEY_SECRET
+          tolerations:
+          - effect: "NoSchedule"
+            operator: "Equal"
+            key: "unschedulable"
+            value: "true"
+        ingress:
+          enabled: true
+          ingressClassName: nginx
+          annotations:
+            cert-manager.io/cluster-issuer: letsencrypt-staging
+            nginx.ingress.kubernetes.io/ssl-redirect: "true"
+            atlantis.oceanbox.io/expose: internal
+          hosts:
+            - loki.adm.oceanbox.io
+          tls:
+            - hosts:
+               - loki.adm.oceanbox.io
+              secretName: loki-distributed-tls
+        compactor:
+          extraArgs:
+            - -config.expand-env=true
+          extraEnv:
+          - name: S3KEY
+            valueFrom:
+              secretKeyRef:
+                name: loki-s3
+                key: AWS_ACCESS_KEY_ID
+          - name: S3SECRET
+            valueFrom:
+              secretKeyRef:
+                name: loki-s3
+                key: AWS_ACCESS_KEY_SECRET
+        backend:
+          extraArgs:
+            - -config.expand-env=true
+          extraEnv:
+          - name: S3KEY
+            valueFrom:
+              secretKeyRef:
+                name: loki-s3
+                key: AWS_ACCESS_KEY_ID
+          - name: S3SECRET
+            valueFrom:
+              secretKeyRef:
+                name: loki-s3
+                key: AWS_ACCESS_KEY_SECRET
@@ -0,0 +1,39 @@
+{ lib, config, ... }:
+let
+  cfg = config.apps.openfga;
+  env = config.apps.env;
+
+  values = lib.apps.appValues {
+    inherit env;
+    base = ../values/openfga;
+    extraValues = {};
+  };
+
+  kustomize = r:
+    if r.kind == "Job" then
+      lib.attrsets.recursiveUpdate r { spec.backoffLimit = 2; }
+    else r;
+
+in
+  {
+    options.apps.openfga = lib.apps.appOptions {};
+
+    config = lib.apps.appConfig cfg "${env}-openfga" {
+        helm.releases."${env}-openfga" = {
+          inherit values;
+          chart = lib.helm.downloadHelmChart {
+            repo = "https://openfga.github.io/helm-charts";
+            chart = "openfga";
+            version = "0.2.12";
+            chartHash = "sha256-7yLcw9/oNPvCePrtTJwKAG88t0Ym5Dl/S83Gz+gQdDU=";
+          };
+          transformer = rs: builtins.map (x: kustomize x) rs;
+        };
+
+        annotations = {};
+        resources = {
+          services.poop.spec = {
+          };
+        };
+      };
+  }
@@ -0,0 +1,117 @@
+{ lib, config, ... }:
+let
+  cfg = config.apps.opentelemetry-collector;
+  env = config.apps.env;
+
+  values = lib.apps.appValues {
+    inherit env;
+    extraValues = {
+      mode = "deployment";
+      image = {
+        repository = "otel/opentelemetry-collector-k8s";
+      };
+      service = {
+        type = "LoadBalancer";
+        loadBalancerIP = "10.255.241.12";
+      };
+      config = {
+        receivers = {
+          "prometheus/collector" = {
+            config.scrape_configs = [{
+              job_name = "opentelemetry-collector";
+              static_configs = [{
+                targets = [ "\${env:MY_POD_IP}:8888" ];
+              }];
+            }];
+          };
+          zipkin.endpoint = "\${env:MY_POD_IP}:9411";
+        };
+        exporters = {
+          otlp = {
+            endpoint = "tempo.tempo.svc:4317";
+            tls.insecure = true;
+          };
+          "otlphttp/metrics" = {
+            endpoint = "http://prom-prometheus.prometheus:9090/api/v1/otlp";
+            tls.insecure = true;
+          };
+          "otlphttp/logs" = {
+            endpoint = "http://loki-write-headless.loki:3100/otlp";
+            tls.insecure = true;
+          };
+          "debug/metrics".verbosity = "detailed";
+          "debug/traces".verbosity = "detailed";
+          "debug/logs".verbosity = "detailed";
+        };
+        service = {
+          telemetry.logs.level = "info";
+          pipelines = {
+            traces = {
+              receivers = [ "otlp" "zipkin" ];
+              processors = [ "batch" ];
+              exporters = [ "otlp" ];
+            };
+            metrics = {
+              receivers = [ "otlp" "prometheus/collector" ];
+              processors = [ "batch" ];
+              exporters = [ "otlphttp/metrics" ];
+            };
+            logs = {
+              receivers = [ "otlp" ];
+              processors = [ "batch" ];
+              exporters = [ "otlphttp/logs" ];
+            };
+          };
+        };
+      };
+      ports.metrics.enabled = true;
+      ingress = {
+        enabled = false;
+        annotations = {
+          "cert-manager.io/cluster-issuer" = "letsencrypt-production";
+          "nginx.ingress.kubernetes.io/ssl-redirect" = "true";
+          "atlantis.oceanbox.io/expose" = "internal";
+        };
+        ingressClassName = "nginx";
+        hosts = [{
+          host = "opentelemetry-collector.adm.oceanbox.io";
+          paths = [{
+            path = "/";
+            pathType = "Prefix";
+            port = 4318;
+          }];
+        }];
+        tls = [{
+          secretName = "collector-tls";
+          hosts = [ "opentelemetry-collector.adm.oceanbox.io" ];
+        }];
+      };
+    };
+  };
+
+in
+{
+  options.apps.opentelemetry-collector = lib.apps.appOptions {
+    revision = lib.mkOption {
+      type = lib.types.str;
+      default = "0.107.0";
+      description = "OpenTelemetry Collector chart version";
+    };
+  };
+
+  config = lib.apps.appConfig cfg "opentelemetry-collector" {
+    namespace = "argocd";
+    helm.releases.opentelemetry-collector = {
+      inherit values;
+      chart = lib.helm.downloadHelmChart {
+        repo = "https://open-telemetry.github.io/opentelemetry-helm-charts";
+        chart = "opentelemetry-collector";
+        version = cfg.revision;
+        chartHash = "sha256-0000000000000000000000000000000000000000000000"; # TODO: Add correct hash
+      };
+    };
+    annotations = {
+      "argocd.argoproj.io/sync-options" = "SkipDryRunOnMissingResource=true";
+    };
+  };
+}
@@ -0,0 +1,109 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: opentelemetry-collector
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    namespace: otel
+    server: 'https://kubernetes.default.svc'
+  project: aux
+  syncPolicy:
+    # managedNamespaceMetadata:
+    #   labels:
+    #     component: aux
+    syncOptions:
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+    automated:
+      prune: true
+      selfHeal: true
+  sources:
+  - repoURL: 'https://open-telemetry.github.io/opentelemetry-helm-charts'
+    targetRevision: 0.107.0
+    chart: opentelemetry-collector
+    helm:
+      values: |
+        mode: deployment
+        image:
+          repository: otel/opentelemetry-collector-k8s
+        service:
+          type: LoadBalancer
+          loadBalancerIP: 10.255.241.12
+        config:
+          receivers:
+            prometheus/collector:
+              config:
+                scrape_configs:
+                  - job_name: 'opentelemetry-collector'
+                    static_configs:
+                      - targets:
+                         - ${env:MY_POD_IP}:8888
+            zipkin:
+              endpoint: ${env:MY_POD_IP}:9411
+          exporters:
+            otlp:
+              endpoint: "tempo.tempo.svc:4317"
+              tls:
+                insecure: true
+            otlphttp/metrics:
+              endpoint: http://prom-prometheus.prometheus:9090/api/v1/otlp
+              tls:
+                insecure: true
+            otlphttp/logs:
+              endpoint: http://loki-write-headless.loki:3100/otlp
+              tls:
+                insecure: true
+            debug/metrics:
+              verbosity: detailed
+            debug/traces:
+              verbosity: detailed
+            debug/logs:
+              verbosity: detailed
+          service:
+            telemetry:
+              logs:
+                level: "info"
+            pipelines:
+              traces:
+                receivers: [otlp,zipkin]
+                processors: [batch]
+                exporters: [otlp]
+                # exporters: [otlphttp/traces,debug/traces]
+              metrics:
+                receivers: [otlp,prometheus/collector]
+                processors: [batch]
+                exporters: [otlphttp/metrics]
+                # exporters: [otlphttp/metrics,debug/metrics]
+              logs:
+                receivers: [otlp]
+                processors: [batch]
+                exporters: [otlphttp/logs]
+                # exporters: [otlphttp/logs,debug/logs]
+        ports:
+          metrics:
+            enabled: true
+        # presets:
+        #   logsCollection:
+        #     enabled: true
+        ingress:
+          enabled: false
+          annotations:
+              cert-manager.io/cluster-issuer: letsencrypt-production
+              nginx.ingress.kubernetes.io/ssl-redirect: "true"
+              atlantis.oceanbox.io/expose: internal
+          ingressClassName: nginx
+          hosts:
+            - host: opentelemetry-collector.adm.oceanbox.io
+              paths:
+                - path: /
+                  pathType: Prefix
+                  port: 4318
+          tls:
+            - secretName: collector-tls
+              hosts:
+                - opentelemetry-collector.adm.oceanbox.io
@@ -10,21 +10,21 @@ spec:
      - cluster: https://kubernetes.default.svc
        env: prod
        hostname: osm.srv.oceanbox.io
-      - cluster: https://staging-vcluster.staging-vcluster:443
+      - cluster: https://staging-vcluster.staging-vcluster
        env: staging
        hostname: osm.beta.oceanbox.io
  template:
    metadata:
      name: '{{ env }}-osm-tile-server'
    spec:
-      project: atlantis
+      project: aux
      destination:
        namespace: oceanbox
        server: '{{ cluster }}'
      source:
-        repoURL: https://gitlab.com/oceanbox/charts.git
+        repoURL: https://gitlab.com/oceanbox/manifests.git
        targetRevision: HEAD
-        path: charts/osm-tile-server
+        path: values/osm-tile-server
        plugin:
          name: kustomize-helm-with-rewrite
          parameters:
@@ -13,11 +13,11 @@ spec:
        hostname: petimeter.srv.oceanbox.io
        autoSync: false
        prune: true
-      - cluster: https://staging-vcluster.staging-vcluster:443
-        env: staging
-        hostname: petimeter.beta.oceanbox.io
-        autoSync: true
-        prune: true
+      # - cluster: https://staging-vcluster.staging-vcluster
+      #   env: staging
+      #   hostname: petimeter.beta.oceanbox.io
+      #   autoSync: true
+      #   prune: true
  template:
    metadata:
      name: '{{ .env }}-petimeter'
@@ -28,8 +28,8 @@ spec:
        server: '{{ .cluster }}'
      sources:
      - repoURL: https://gitlab.com/oceanbox/manifests.git
-        targetRevision: dev
-        path: charts/petimeter
+        targetRevision: main
+        path: values/petimeter
        plugin:
          name: kustomize-helm-with-rewrite
          parameters:
@@ -38,12 +38,13 @@ spec:
          - name: hostname
            string: '{{ .hostname }}'
      - repoURL: https://gitlab.com/oceanbox/manifests.git
-        targetRevision: dev
-        path: charts/petimeter/manifests
+        targetRevision: main
+        path: values/petimeter/manifests
  templatePatch: |
    {{- if .autoSync }}
    spec:
      syncPolicy:
        automated:
          prune: {{ .prune }}
+          selfHeal: false
    {{- end }}
@@ -0,0 +1,66 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: prod-atlantis
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    namespace: prod-atlantis
+    server: https://kubernetes.default.svc
+  project: atlantis
+  sources:
+  - repoURL: https://gitlab.com/oceanbox/manifests.git
+    targetRevision: nixidy
+    ref: values
+  - repoURL: https://gitlab.com/oceanbox/manifests.git
+    targetRevision: nixidy
+    path: values/atlantis
+    plugin:
+      name: kustomize-helm-with-rewrite
+      parameters:
+      - name: env
+        string: prod
+      - name: hostname
+        string: maps.oceanbox.io
+  - repoURL: https://charts.bitnami.com/bitnami
+    targetRevision: 20.1.7
+    chart: redis
+    helm:
+      valueFiles:
+      - $values/values/atlantis/prod/redis.yaml
+  ignoreDifferences:
+    - kind: Secret
+      name: azure-keyvault
+      jqPathExpressions:
+        - '.data'
+        - '.metadata.labels'
+        - '.metadata.annotations'
+    - kind: Secret
+      name: prod-atlantis-rabbitmq
+      jqPathExpressions:
+        - '.data'
+        - '.metadata.labels'
+        - '.metadata.annotations'
+    - kind: Secret
+      name: prod-archmeister-replication
+      jqPathExpressions:
+        - '.data'
+        - '.metadata.labels'
+        - '.metadata.annotations'
+    - kind: Secret
+      name: prod-archmeister-ca
+      jqPathExpressions:
+        - '.data'
+        - '.metadata.labels'
+        - '.metadata.annotations'
+  syncPolicy:
+    syncOptions:
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+    # automated:
+    #   prune: true
+    #   selfHeal: false
@@ -0,0 +1,38 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: prod-keycloak
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: aux
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: keycloak
+  syncPolicy:
+    managedNamespaceMetadata:
+      labels:
+        component: aux
+    syncOptions:
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+    automated:
+      prune: true
+      selfHeal: true
+  sources:
+  - repoURL: https://gitlab.com/oceanbox/manifests.git
+    targetRevision: nixidy
+    path: values/keycloak/prod
+  - repoURL: https://charts.bitnami.com/bitnami
+    targetRevision: 24.0.2
+    chart: keycloak
+    helm:
+      valueFiles:
+        - $values/values/keycloak/values-prod.yaml
+  - repoURL: https://gitlab.com/oceanbox/manifests.git
+    targetRevision: nixidy
+    ref: values
+
@@ -0,0 +1,39 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: prod-openfga
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    namespace: openfga
+    server: https://kubernetes.default.svc
+  project: aux
+  # ignoreDifferences:
+  # - group: apps
+  #   kind: StatefulSet
+  #   jsonPointers:
+  #   - /spec/persistentVolumeClaimRetentionPolicy
+  syncPolicy:
+    managedNamespaceMetadata:
+      labels:
+        component: aux
+    syncOptions:
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+    automated:
+      prune: true
+      selfHeal: true
+  sources:
+  - repoURL: https://openfga.github.io/helm-charts
+    targetRevision: 0.2.19
+    chart: openfga
+    helm:
+      valueFiles:
+      - $values/values/openfga/values-prod.yaml
+  - repoURL: https://gitlab.com/oceanbox/manifests.git
+    targetRevision: nixidy
+    ref: values
@@ -0,0 +1,54 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: prod-sorcerer
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    namespace: prod-sorcerer
+    server: https://10.255.241.99:4443
+  project: atlantis
+  sources:
+  - repoURL: https://gitlab.com/oceanbox/manifests.git
+    targetRevision: nixidy
+    ref: values
+  - repoURL: https://gitlab.com/oceanbox/manifests.git
+    targetRevision: nixidy
+    path: values/sorcerer
+    plugin:
+      name: kustomize-helm-with-rewrite
+      parameters:
+      - name: env
+        string: prod
+      - name: hostname
+        string: sorcerer.data.oceanbox.io
+  - repoURL: https://charts.bitnami.com/bitnami
+    targetRevision: 20.1.7
+    chart: redis
+    helm:
+      valueFiles:
+      - $values/values/sorcerer/prod/redis.yaml
+  ignoreDifferences:
+    - kind: Secret
+      name: azure-keyvault
+      jqPathExpressions:
+        - '.data'
+        - '.metadata.labels'
+        - '.metadata.annotations'
+    - kind: Secret
+      name: prod-atlantis-rabbitmq
+      jqPathExpressions:
+        - '.data'
+        - '.metadata.labels'
+        - '.metadata.annotations'
+  syncPolicy:
+    syncOptions:
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+    # automated:
+    #   prune: true
+    #   selfHeal: false
@@ -0,0 +1,39 @@
+{ lib, config, ... }:
+let
+  cfg = config.apps.rabbitmq;
+  env = config.apps.env;
+
+  values = lib.apps.appValues {
+    inherit env;
+    base = ../values/rabbitmq;
+    extraValues = {};
+  };
+in
+{
+  options.apps.rabbitmq = lib.apps.appOptions {
+    enable = lib.mkEnableOption "RabbitMQ";
+    revision = lib.mkOption {
+      type = lib.types.str;
+      default = "12.9.0";
+      description = "RabbitMQ chart version";
+    };
+    hostname = lib.mkOption {
+      type = lib.types.str;
+      description = "RabbitMQ hostname";
+      default = "rabbitmq.${env}.oceanbox.io";
+    };
+  };
+  config = lib.apps.appConfig cfg "${env}-rabbitmq" {
+    namespace = "rabbitmq";
+    helm.releases.rabbitmq = {
+      inherit values;
+      chart = lib.helm.downloadHelmChart {
+        repo = "https://charts.bitnami.com/bitnami";
+        chart = "rabbitmq";
+        version = cfg.revision;
+        chartHash = "";
+      };
+      transformer = rs: builtins.map (x: kustomize x) rs;
+    };
+  };
+}
@@ -17,7 +17,7 @@ spec:
    metadata:
      name: '{{ env }}-rabbitmq'
    spec:
-      project: atlantis
+      project: aux
      destination:
        server: https://kubernetes.default.svc
        namespace: rabbitmq
@@ -27,8 +27,8 @@ spec:
          chart: rabbitmq
          helm:
            valueFiles:
-              - $values/charts/rabbitmq/values-{{ env }}.yaml
+              - $values/values/rabbitmq/values-{{ env }}.yaml
        - repoURL: https://gitlab.com/oceanbox/manifests.git
-          targetRevision: dev
-          path: charts/rabbitmq/{{ env }}
+          targetRevision: main
+          path: values/rabbitmq/{{ env }}
          ref: values
@@ -0,0 +1,34 @@
+{ lib, config, ... }:
+let
+  cfg = config.apps.redis;
+  env = config.apps.env;
+
+  values = lib.apps.appValues {
+    inherit env;
+    base = ../values/redis;
+    extraValues = {};
+  };
+in
+{
+  options.apps.redis = lib.apps.appOptions {
+    enable = lib.mkEnableOption "Redis";
+    revision = lib.mkOption {
+      type = lib.types.str;
+      default = "19.5.2";
+      description = "Redis chart version";
+    };
+  };
+  config = lib.apps.appConfig cfg "${env}-redis" {
+    namespace = "redis";
+    helm.releases.redis = {
+      inherit values;
+      chart = lib.helm.downloadHelmChart {
+        repo = "https://charts.bitnami.com/bitnami";
+        chart = "redis";
+        version = cfg.revision;
+        chartHash = "";
+      };
+      transformer = rs: builtins.map (x: kustomize x) rs;
+    };
+  };
+}
@@ -0,0 +1,39 @@
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: redis
+  namespace: argocd
+spec:
+  generators:
+  - list:
+      elements:
+      - cluster: https://kubernetes.default.svc
+        env: prod
+      - cluster: https://kubernetes.default.svc
+        env: staging
+  template:
+    metadata:
+      name: '{{ env }}-redis'
+    spec:
+      project: aux
+      destination:
+        server: https://kubernetes.default.svc
+        namespace: redis
+      sources:
+        - repoURL: https://charts.bitnami.com/bitnami
+          targetRevision: 19.5.2
+          chart: redis
+          helm:
+            valueFiles:
+              - $values/values/redis/values-{{ env }}.yaml
+        - repoURL: https://gitlab.com/oceanbox/manifests.git
+          targetRevision: HEAD
+          ref: values
+        - repoURL: https://gitlab.com/oceanbox/manifests.git
+          targetRevision: main
+          path: values/redis/{{ env }}
+      ignoreDifferences:
+        - group: apps
+          kind: StatefulSet
+          jqPathExpressions:
+            - '.spec.template.spec.containers[].resources.limits.cpu'
@@ -4,7 +4,7 @@ metadata:
  name: seq
  namespace: argocd
 spec:
-  project: atlantis
+  project: aux
  destination:
    server: https://kubernetes.default.svc
    namespace: seq
@@ -14,7 +14,7 @@ spec:
    chart: seq
    helm:
      valueFiles:
-        - $values/charts/seq/values.yaml
+        - $values/values/seq/values.yaml
  - repoURL: https://gitlab.com/oceanbox/manifests.git
-    targetRevision: dev
+    targetRevision: main
    ref: values
@@ -10,26 +10,26 @@ spec:
      elements:
      - cluster: https://10.255.241.99:4443
        env: prod
-        hostname: sorcerer.srv.archive.oceanbox.io
+        hostname: sorcerer.data.oceanbox.io
        autoSync: false
        prune: true
-      - cluster: https://10.255.241.99:4443
-        env: staging
-        hostname: sorcerer.beta.archive.oceanbox.io
-        autoSync: true
-        prune: true
+      # - cluster: https://10.255.241.99:4443
+      #   env: staging
+      #   hostname: sorcerer.ekman.oceanbox.io
+      #   autoSync: true
+      #   prune: true
  template:
    metadata:
      name: '{{ .env }}-sorcerer'
    spec:
      project: atlantis
      destination:
-        namespace: oceanbox
+        namespace: sorcerer
        server: '{{ .cluster }}'
      sources:
      - repoURL: https://gitlab.com/oceanbox/manifests.git
-        targetRevision: dev
-        path: charts/sorcerer
+        targetRevision: main
+        path: values/sorcerer
        plugin:
          name: kustomize-helm-with-rewrite
          parameters:
@@ -43,4 +43,5 @@ spec:
      syncPolicy:
        automated:
          prune: {{ .prune }}
+          selfHeal: false
    {{- end }}
@@ -0,0 +1,66 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: staging-atlantis
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    namespace: staging-atlantis
+    server: https://kubernetes.default.svc
+  project: atlantis
+  sources:
+  - repoURL: https://gitlab.com/oceanbox/manifests.git
+    targetRevision: nixidy
+    ref: values
+  - repoURL: https://gitlab.com/oceanbox/manifests.git
+    targetRevision: nixidy
+    path: values/atlantis
+    plugin:
+      name: kustomize-helm-with-rewrite
+      parameters:
+      - name: env
+        string: staging
+      - name: hostname
+        string: atlantis.beta.oceanbox.io
+  - repoURL: https://charts.bitnami.com/bitnami
+    targetRevision: 20.1.7
+    chart: redis
+    helm:
+      valueFiles:
+      - $values/values/atlantis/staging/redis.yaml
+  ignoreDifferences:
+    - kind: Secret
+      name: azure-keyvault
+      jqPathExpressions:
+        - '.data'
+        - '.metadata.labels'
+        - '.metadata.annotations'
+    - kind: Secret
+      name: staging-atlantis-rabbitmq
+      jqPathExpressions:
+        - '.data'
+        - '.metadata.labels'
+        - '.metadata.annotations'
+    - kind: Secret
+      name: prod-archmeister-replication
+      jqPathExpressions:
+        - '.data'
+        - '.metadata.labels'
+        - '.metadata.annotations'
+    - kind: Secret
+      name: prod-archmeister-ca
+      jqPathExpressions:
+        - '.data'
+        - '.metadata.labels'
+        - '.metadata.annotations'
+  syncPolicy:
+    syncOptions:
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+    automated:
+      prune: true
+      selfHeal: false
@@ -0,0 +1,39 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: staging-openfga
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    namespace: openfga
+    server: https://kubernetes.default.svc
+  project: aux
+  # ignoreDifferences:
+  # - group: apps
+  #   kind: StatefulSet
+  #   jsonPointers:
+  #   - /spec/persistentVolumeClaimRetentionPolicy
+  syncPolicy:
+    managedNamespaceMetadata:
+      labels:
+        component: aux
+    syncOptions:
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+    automated:
+      prune: true
+      selfHeal: true
+  sources:
+  - repoURL: https://openfga.github.io/helm-charts
+    targetRevision: 0.2.19
+    chart: openfga
+    helm:
+      valueFiles:
+      - $values/values/openfga/values-staging.yaml
+  - repoURL: https://gitlab.com/oceanbox/manifests.git
+    targetRevision: nixidy
+    ref: values
@@ -0,0 +1,54 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: staging-sorcerer
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    namespace: staging-sorcerer
+    server: https://10.255.241.99:4443
+  project: atlantis
+  sources:
+  - repoURL: https://gitlab.com/oceanbox/manifests.git
+    targetRevision: nixidy
+    ref: values
+  - repoURL: https://gitlab.com/oceanbox/manifests.git
+    targetRevision: nixidy
+    path: values/sorcerer
+    plugin:
+      name: kustomize-helm-with-rewrite
+      parameters:
+      - name: env
+        string: staging
+      - name: hostname
+        string: sorcerer.ekman.oceanbox.io
+  - repoURL: https://charts.bitnami.com/bitnami
+    targetRevision: 20.1.7
+    chart: redis
+    helm:
+      valueFiles:
+      - $values/values/sorcerer/staging/redis.yaml
+  ignoreDifferences:
+    - kind: Secret
+      name: azure-keyvault
+      jqPathExpressions:
+        - '.data'
+        - '.metadata.labels'
+        - '.metadata.annotations'
+    - kind: Secret
+      name: prod-atlantis-rabbitmq
+      jqPathExpressions:
+        - '.data'
+        - '.metadata.labels'
+        - '.metadata.annotations'
+  syncPolicy:
+    syncOptions:
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+    # automated:
+    #   prune: true
+    #   selfHeal: false
@@ -0,0 +1,124 @@
+{ lib, config, ... }:
+let
+  cfg = config.apps.tempo;
+  env = config.apps.env;
+
+  values = lib.apps.appValues {
+    inherit env;
+    extraValues = {
+      tempo = {
+        storage = {
+          trace = {
+            backend = "s3";
+            s3 = {
+              bucket = cfg.s3.bucket;
+              endpoint = cfg.s3.endpoint;
+              access_key = "\${S3SECRET}";
+              secret_key = "\${S3KEY}";
+              insecure = true;
+            };
+            local = {
+              path = "/var/tempo/traces";
+            };
+            wal = {
+              path = "/var/tempo/wal";
+            };
+          };
+        };
+        metricsGenerator = {
+          enabled = true;
+          remoteWriteUrl = "http://prom-prometheus.prometheus:9090/api/v1/write";
+        };
+        extraEnv = [
+          {
+            name = "S3KEY";
+            valueFrom.secretKeyRef = {
+              name = cfg.secret.name;
+              key = cfg.secret.accessKey;
+            };
+          }
+          {
+            name = "S3SECRET";
+            valueFrom.secretKeyRef = {
+              name = cfg.secret.name;
+              key = cfg.secret.secretKey;
+            };
+          }
+        ];
+      };
+
+      tempoQuery = {
+        ingress = {
+          enabled = true;
+          ingressClassName = "nginx";
+          annotations = {
+            "cert-manager.io/cluster-issuer" = "letsencrypt-staging";
+            "nginx.ingress.kubernetes.io/ssl-redirect" = "true";
+            "atlantis.oceanbox.io/expose" = "internal";
+          };
+          path = "/";
+          pathType = "Prefix";
+          hosts = [ "query.tempo.adm.oceanbox.io" ];
+          tls = [{
+            secretName = "tempo-query-tls";
+            hosts = [ "query.tempo.adm.oceanbox.io" ];
+          }];
+        };
+      };
+    };
+  };
+
+in
+{
+  options.apps.tempo = lib.apps.appOptions {
+    revision = lib.mkOption {
+      type = lib.types.str;
+      default = "1.10.3";
+      description = "Tempo chart version";
+    };
+    s3 = {
+      bucket = lib.mkOption {
+        type = lib.types.str;
+        default = "tempo-traces";
+        description = "S3 bucket for traces";
+      };
+      endpoint = lib.mkOption {
+        type = lib.types.str;
+        default = "http://10.255.241.30:30080";
+        description = "S3 endpoint";
+      };
+    };
+    secret = {
+      name = lib.mkOption {
+        type = lib.types.str;
+        default = "tempo-s3";
+        description = "Name of the S3 credentials secret";
+      };
+      accessKey = lib.mkOption {
+        type = lib.types.str;
+        default = "AWS_ACCESS_KEY_ID";
+        description = "Access key field in secret";
+      };
+      secretKey = lib.mkOption {
+        type = lib.types.str;
+        default = "AWS_ACCESS_KEY_SECRET";
+        description = "Secret key field in secret";
+      };
+    };
+  };
+
+  config = lib.apps.appConfig cfg "tempo" {
+    namespace = "argocd";
+    helm.releases.tempo = {
+      inherit values;
+      chart = lib.helm.downloadHelmChart {
+        repo = "https://grafana.github.io/helm-charts";
+        chart = "tempo";
+        version = cfg.revision;
+      };
+    };
+    annotations = {
+      "argocd.argoproj.io/sync-options" = "SkipDryRunOnMissingResource=true";
+    };
+  };
+}
@@ -0,0 +1,76 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: tempo
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    namespace: tempo
+    server: 'https://kubernetes.default.svc'
+  project: aux
+  syncPolicy:
+    # managedNamespaceMetadata:
+    #   labels:
+    #     component: aux
+    syncOptions:
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+    automated:
+      prune: true
+      selfHeal: true
+  sources:
+  - repoURL: 'https://grafana.github.io/helm-charts'
+    targetRevision: 1.10.3
+    chart: tempo
+    helm:
+      values: |
+        tempo:
+          storage:
+            trace:
+              backend: s3
+              s3:
+                bucket: tempo-traces
+                endpoint: 10.255.241.30:30080
+                access_key: ${S3KEY}
+                secret_key: ${S3SECRET}
+                forcepathstyle: true
+                insecure: true
+              local:
+                path: /var/tempo/traces
+              wal:
+                path: /var/tempo/wal
+          metricsGenerator:
+            enabled: true
+            remoteWriteUrl: "http://prom-prometheus.prometheus:9090/api/v1/write"
+          extraArgs: { config.expand-env=true }
+          extraEnv:
+          - name: S3KEY
+            valueFrom:
+              secretKeyRef:
+                name: tempo-s3
+                key: AWS_ACCESS_KEY_ID
+          - name: S3SECRET
+            valueFrom:
+              secretKeyRef:
+                name: tempo-s3
+                key: AWS_ACCESS_KEY_SECRET
+        tempoQuery:
+          ingress:
+            enabled: true
+            ingressClassName: nginx
+            annotations:
+              cert-manager.io/cluster-issuer: letsencrypt-staging
+              nginx.ingress.kubernetes.io/ssl-redirect: "true"
+              atlantis.oceanbox.io/expose: internal
+            path: /
+            pathType: Prefix
+            hosts:
+              - query.tempo.adm.oceanbox.io
+            tls:
+             - secretName: tempo-query-tls
+               hosts:
+                 - query.tempo.adm.oceanbox.io
@@ -0,0 +1,39 @@
+{ lib, config, ... }:
+let
+  cfg = config.apps.wordpress;
+  env = config.apps.env;
+
+  values = lib.apps.appValues {
+    inherit env;
+    base = ../values/wordpress;
+    extraValues = {};
+  };
+in
+{
+  options.apps.wordpress = lib.apps.appOptions {
+    enable = lib.mkEnableOption "WordPress";
+    revision = lib.mkOption {
+      type = lib.types.str;
+      default = "19.2.2";
+      description = "WordPress chart version";
+    };
+    hostname = lib.mkOption {
+      type = lib.types.str;
+      description = "WordPress hostname";
+      default = "www.${env}.oceanbox.io";
+    };
+  };
+  config = lib.apps.appConfig cfg "www-oceanbox" {
+    namespace = "www-oceanbox";
+    helm.releases.wordpress = {
+      inherit values;
+      chart = lib.helm.downloadHelmChart {
+        repo = "https://charts.bitnami.com/bitnami";
+        chart = "wordpress";
+        version = cfg.revision;
+        chartHash = "";
+      };
+      transformer = rs: builtins.map (x: kustomize x) rs;
+    };
+  };
+}
@@ -0,0 +1,14 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: yolo-dl
+  namespace: argocd
+spec:
+  project: aux
+  destination:
+    server: https://10.255.241.99:4443
+    namespace: oceanbox
+  sources:
+  - repoURL: https://gitlab.com/oceanbox/manifests.git
+    targetRevision: main
+    path: charts/yolo-dl
@@ -1,18 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-  annotations:
-    managed-by: argocd.argoproj.io
-  labels:
-    argocd.argoproj.io/secret-type: cluster
-  name: staging-vcluster
-  namespace: argocd
-stringData:
-  config: |
-    {"bearerToken":"eyJhbGciOiJSUzI1NiIsImtpZCI6IlVrakhGancyRzVMajNvQ3Jjb2FEU0kwRnlQeGsxc0Z3OThzLWV6akljVzAifQ.eyJhdWQiOlsiaHR0cHM6Ly9rdWJlcm5ldGVzLmRlZmF1bHQuc3ZjLmNsdXN0ZXIubG9jYWwiLCJodHRwczovL2t1YmVybmV0ZXMuZGVmYXVsdC5zdmMiLCJodHRwczovL2t1YmVybmV0ZXMuZGVmYXVsdCJdLCJleHAiOjIwMjM3MjEwMDksImlhdCI6MTcwODM2MTAwOSwiaXNzIjoiaHR0cHM6Ly9rdWJlcm5ldGVzLmRlZmF1bHQuc3ZjLmNsdXN0ZXIubG9jYWwiLCJrdWJlcm5ldGVzLmlvIjp7Im5hbWVzcGFjZSI6Imt1YmUtc3lzdGVtIiwic2VydmljZWFjY291bnQiOnsibmFtZSI6ImFkbWluIiwidWlkIjoiMDRlOGJlZDQtYWUwNy00MTBiLWI4NTYtNzg3MTkzNDAzYjcyIn19LCJuYmYiOjE3MDgzNjEwMDksInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDprdWJlLXN5c3RlbTphZG1pbiJ9.TJuQb9dpgOU6w42-WSJQmu39CZ7NyXWks6itH5qtUUkOvkwRwEtChV-53epM1HNOpK3mj2IWlJ7MaUb5AVFMx0alUJthBX_kL3mjdvUdn2MbPl-S0UFPclp8JoYeALjwtSFkuch1HqlMT7s-BbhXowo8AVFXDJE3rUJBrzzFqQ_e1IIf327qUfyo_TidwVoiya7q6cRU1n-XsP6sE0cgOxnScHXZ-DpysydjKCqXFYbnz9KYVagsOdK4LPb3x-Qb6Ae4PGJAfo3myzmiha3bTGO8HFF4WmMTWrlqeCXTPjER1vVJ_RQMY_LF4G8Of9zIX-8gvTZLcQAQ6BnlmY4QxQ","tlsClientConfig":{"insecure":true}}
-  name: staging-vcluster
-  server: https://staging-vcluster.staging-vcluster:443
-type: Opaque
-
-
-
@@ -0,0 +1,14 @@
+apiVersion: v1
+stringData:
+  config: |
+    {"bearerToken":"","tlsClientConfig":{"insecure":true}}
+  name: ekman
+  server: https://10.255.241.99:4443
+kind: Secret
+metadata:
+  labels:
+    argocd.argoproj.io/secret-type: cluster
+  name: cluster-10.255.241.99-4046803085
+  namespace: argocd
+type: Opaque
+
@@ -1,10 +1,7 @@
-FROM alpine/k8s:1.28.3
+FROM alpine/k8s:1.28.9

 RUN mkdir -p /home/argocd/cmp-server/config/
 COPY plugin.yaml /home/argocd/cmp-server/config/

 WORKDIR /plugin
-COPY init.sh get-values.sh generate.sh ./
-
-
-
+COPY init-helm-repos.sh init.sh get-values.sh generate.sh ./
@@ -1,6 +1,6 @@
 #!/bin/sh

-img=registry.gitlab.com/oceanbox/gitops-manifests/kustomize-helm-with-rewrite
+img=registry.gitlab.com/oceanbox/manifests/kustomize-helm-with-rewrite
 tag=${1:-latest}

 docker build -t $img:$tag .
@@ -1,23 +1,24 @@
 #!/bin/sh

-export HOME=/tmp
+export HOME=/helm-working-dir

 env > /tmp/$ARGOCD_APP_NAME.env

 echo "$ARGOCD_APP_PARAMETERS" | jq '.[] | select(.name == "helm-parameters") | .map' | yq -P -oy > parameters.yaml
 cp parameters.yaml /tmp/$ARGOCD_APP_NAME-parameters.yaml

-if [ -d chart ]; then
-    CHART=chart
-elif [ -f chart -a "$PARAM_CHART" = "." ]; then
-    CHART=$(cat chart)
-elif [ -n "$PARAM_CHART" ]; then
+if [ -n "$PARAM_CHART" -a "$PARAM_CHART" != "." ]; then
    CHART=$PARAM_CHART
+elif [ -d chart ]; then
+    CHART=chart
+elif [ -f chart ]; then
+    CHART=$(cat chart)
 else
    CHART="."
 fi

 [ -f chart/values.yaml ] && VALUES="-f chart/values.yaml"
+[ -f values-chart.yaml ] && VALUES="$VALUES -f values-chart.yaml"
 [ -f values.yaml ] && VALUES="$VALUES -f values.yaml"
 [ -f values-$PARAM_ENV.yaml ] && VALUES="$VALUES -f values-$PARAM_ENV.yaml"
 VALUES="$VALUES -f parameters.yaml"
@@ -2,6 +2,8 @@

 if [ -f values.yaml ]; then
    VALUES="values.yaml"
+elif [ -f values-chart.yaml ]; then
+    VALUES="values-chart.yaml"
 elif [ -f chart/values.yaml ]; then
    VALUES="chart/values.yaml"
 else
@@ -1,12 +1,15 @@
 #!/bin/sh

-export HOME=/tmp
+export HOME=/helm-working-dir
+
+helm repo add --username argocd-helm --password "$OCEANBOX_HELM_ACCESS_TOKEN" oceanbox \
+    https://gitlab.com/api/v4/projects/54396343/packages/helm/stable

 helm repo add bitnami https://charts.bitnami.com/bitnami
 helm repo add cerbos https://download.cerbos.dev/helm-charts
 helm repo add dapr https://dapr.github.io/helm-charts/
 helm repo add ncsa https://opensource.ncsa.illinois.edu/charts
 helm repo add dex https://charts.dexidp.io
+helm repo add openfga https://openfga.github.io/helm-charts

 helm repo update
-
@@ -0,0 +1,12 @@
+#!/bin/sh
+
+export HOME=/helm-working-dir
+
+helm repo update oceanbox
+
+if [ -n "$PARAM_CHART" -a "$PARAM_CHART" != "." ]; then
+    helm show values $PARAM_CHART > values-chart.yaml
+elif [ -f chart ]; then
+    CHART=$(cat chart)
+    helm show values $CHART > values-chart.yaml
+fi
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  annotations:
+    managed-by: argocd.argoproj.io
+  labels:
+    argocd.argoproj.io/secret-type: cluster
+  name: cluster-staging-vcluster
+  namespace: argocd
+stringData:
+  config: |
+    {"bearerToken":"","tlsClientConfig":{"insecure":true}}
+  name: staging-vcluster
+  server: https://staging-vcluster.staging-vcluster
+type: Opaque
+
@@ -12,7 +12,7 @@ description: Archive management for Atlantis
 type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
-version: v6.17.0
+version: v6.20.0
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application.
-appVersion: v6.17.0
+appVersion: v6.20.0
@@ -1,47 +0,0 @@
-{
-    "connString": "Username=app;Password=secret;Host=prod-archmeister-rw;Port=5432;Database=app;Pooling=true;",
-    "oidc": {
-        "issuer": "https://idp.srv.oceanbox.io/dex",
-        "authorization_endpoint": "https://idp.srv.oceanbox.io/dex/auth",
-        "token_endpoint": "https://idp.srv.oceanbox.io/dex/token",
-        "jwks_uri": "https://idp.srv.oceanbox.io/dex/keys",
-        "userinfo_endpoint": "https://idp.srv.oceanbox.io/dex/userinfo",
-        "device_authorization_endpoint": "https://idp.srv.oceanbox.io/dex/device/code",
-        "clientId": "archmeister",
-        "clientSecret": "",
-        "scopes": [
-            "openid",
-            "email",
-            "offline_access",
-            "profile"
-        ]
-    },
-    "sso": {
-        "cookieDomain": ".oceanbox.io",
-        "signedOutRedirectUri": "https://idp.srv.oceanbox.io/dex/static/logout.html",
-        "redis": "prod-redis-master.redis.svc,user=default,password=secret",
-        "appDomain": "atlantis",
-        "dataProtectionKeys": "DataProtection-Keys"
-    },
-    "allowedOrigins": [
-        "https://maps.oceanbox.io",
-        "https://atlantis.srv.oceanbox.io",
-        "https://maps.relic.oceanbox.io",
-        "https://sorcerer.data.oceanbox.io",
-        "https://sorcerer.hpc.oceanbox.io",
-        "https://jonas-sorcerer.ekman.oceanbox.io",
-        "https://beta.sorcerer.ekman.oceanbox.io",
-        "https://simkir-sorcerer.ekman.oceanbox.io",
-        "https://stig-sorcerer.ekman.oceanbox.io",
-        "https://atlantis.beta.oceanbox.io",
-        "https://jonas-atlantis.beta.oceanbox.io",
-        "https://simkir-atlantis.beta.oceanbox.io",
-        "https://stig-atlantis.beta.oceanbox.io",
-        "https://a.local.oceanbox.io:8080"
-    ],
-    "logService" : "https://seq.oceanbox.io",
-    "logApiKey": "",
-    "cliUsers": [
-        "admin:en-to-tre-fire"
-    ]
-}
@@ -1,42 +0,0 @@
-{
-    "connString": "Username=app;Password=secret;Host=staging-archmeister-rw;Port=5432;Database=app;Pooling=true;",
-    "oidc": {
-        "issuer": "https://idp.srv.oceanbox.io/dex",
-        "authorization_endpoint": "https://idp.srv.oceanbox.io/dex/auth",
-        "token_endpoint": "https://idp.srv.oceanbox.io/dex/token",
-        "jwks_uri": "https://idp.srv.oceanbox.io/dex/keys",
-        "userinfo_endpoint": "https://idp.srv.oceanbox.io/dex/userinfo",
-        "device_authorization_endpoint": "https://idp.srv.oceanbox.io/dex/device/code",
-        "clientId": "archmeister_dev",
-        "clientSecret": "",
-        "scopes": [
-            "openid",
-            "email",
-            "offline_access",
-            "profile"
-        ]
-    },
-    "sso": {
-        "cookieDomain": ".oceanbox.io",
-        "signedOutRedirectUri": "https://idp.srv.oceanbox.io/dex/static/logout.html",
-        "redis": "staging-redis-master.redis.svc,user=default,password=secret",
-        "appDomain": "atlantis",
-        "dataProtectionKeys": "DataProtection-Keys"
-    },
-    "allowedOrigins": [
-        "https://atlantis.beta.oceanbox.io",
-        "https://sorcerer.beta.data.oceanbox.io",
-        "https://sorcerer.hpc.oceanbox.io",
-        "https://s.local.oceanbox.io:8080",
-        "https://maps.oceanbox.io",
-        "https://jonas-atlantis.beta.oceanbox.io",
-        "https://simkir-atlantis.beta.oceanbox.io",
-        "https://stig-atlantis.beta.oceanbox.io",
-        "https://atlantis.local.oceanbox.io:8080"
-    ],
-    "logService" : "https://seq.oceanbox.io",
-    "logApiKey": "",
-    "cliUsers": [
-        "admin:en-to-tre-fire"
-    ]
-}
@@ -84,8 +84,8 @@ spec:
        emptyDir: {}
      {{- end }}
      - name: appsettings
-        secret:
-          secretName: {{ template "Archmeister.fullname" . }}-appsettings
+        configMap:
+          name: {{ template "Archmeister.fullname" . }}-appsettings
      {{- with .Values.nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}
@@ -1,26 +0,0 @@
-ingress:
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt-production
-  hosts:
-    - host: archmeister.srv.oceanbox.io
-      paths:
-        - path: /
-          pathType: ImplementationSpecific
-  tls:
-    - hosts:
-       - archmeister.srv.oceanbox.io
-      secretName: prod-archmeister-tls
-
-cluster:
-  backupEnabled: true
-  backupRetention: 60d
-  instances: 2
-
-resources:
-  limits:
-    cpu: 200m
-    memory: 1Gi
-  requests:
-    cpu: 200m
-    memory: 1Gi
-
@@ -1,25 +0,0 @@
-image:
-  tag: 04ca077a-debug
-
-ingress:
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt-production
-    atlantis.oceanbox.io/expose: global
-  hosts:
-    - host: archmeister.beta.oceanbox.io
-      paths:
-        - path: /
-          pathType: ImplementationSpecific
-  tls:
-    - hosts:
-       - archmeister.beta.oceanbox.io
-      secretName: staging-archmeister-tls
-
-resources:
-  limits:
-    cpu: 200m
-    memory: 1Gi
-  requests:
-    cpu: 200m
-    memory: 1Gi
-
@@ -5,12 +5,23 @@
 replicaCount: 1
 image:
  repository: registry.gitlab.com/oceanbox/oceanbox.dataagent
-  tag: v6.17.0
+  tag: v6.20.0
  pullPolicy: IfNotPresent
 init:
  enabled: false
  image: ubuntu:rolling
  command: ["/bin/sh", "-c", "true"]
+env:
+  - name: LOG_LEVEL
+    value: "3"
+  - name: APP_NAME
+    valueFrom:
+      fieldRef:
+        fieldPath: metadata.name
+  - name: APP_NAMESPACE
+    valueFrom:
+      fieldRef:
+        fieldPath: metadata.namespace
 imagePullSecrets:
  - name: gitlab-pull-secret
 nameOverride: ""
@@ -52,13 +63,12 @@ ingress:
      secretName: archmeister-tls
  internal:
    annotations: {}
-  #       nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
+    #       nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
 persistence:
  enabled: false
  # size: 10G
  # storageClass: ""
  # accessMode: ReadWriteMany
-
 cluster:
  enabled: true
  instances: 1
@@ -74,7 +84,6 @@ cluster:
        - CREATE EXTENSION fuzzystrmatch;
        - CREATE EXTENSION postgis_tiger_geocoder;
        - ALTER USER app WITH SUPERUSER;
-
 resources: {}
 # We usually recommend not to specify default resources and to leave this as a conscious
 # choice for the user. This also increases chances charts run on environments with little
@@ -0,0 +1,6 @@
+apiVersion: v2
+name: atlantis
+description: Atlantis map and simulation service
+type: application
+version: v2.87.1
+appVersion: v2.87.1
@@ -1,21 +0,0 @@
-apiVersion: v2
-name: atlantis
-description: Atlantis map and simulation service
-
-# A chart can be either an 'application' or a 'library' chart.
-#
-# Application charts are a collection of templates that can be packaged into versioned archives
-# to be deployed.
-#
-# Library charts provide useful utilities or functions for the chart developer. They're included as
-# a dependency of application charts to inject those utilities and functions into the rendering
-# pipeline. Library charts do not define any templates and therefore cannot be deployed.
-type: application
-
-# This is the chart version. This version number should be incremented each time you make changes
-# to the chart and its templates, including the app version.
-version: 1.0.1
-
-# This is the version number of the application being deployed. This version number should be
-# incremented each time you make changes to the application.
-appVersion: 0.0.0
@@ -1,26 +0,0 @@
-{{- if .Values.cluster.enabled -}}
-apiVersion: postgresql.cnpg.io/v1
-kind: Cluster
-metadata:
-  name: {{ include "Atlantis.fullname" . }}
-  annotations:
-    linkerd.io/inject: disabled
-  labels:
-    {{- include "Atlantis.labels" . | nindent 4 }}
-spec:
-  instances: {{ .Values.cluster.instances | default "2" }}
-
-  # Example of rolling update strategy:
-  # - unsupervised: automated update of the primary once all
-  #                 replicas have been upgraded (default)
-  # - supervised: requires manual supervision to perform
-  #               the switchover of the primary
-  primaryUpdateStrategy: unsupervised
-  backup:
-    retentionPolicy: {{ .Values.cluster.backupRetention | default "60d" }}
-
-  storage:
-    size: {{ .Values.cluster.size | default "5Gi" }}
-{{- end }}
-
-
@@ -1,21 +0,0 @@
-apiVersion: dapr.io/v1alpha1
-kind: Subscription
-metadata:
-  name: hipster-events
-spec:
-  topic: hipster
-  route: /hipster-events
-  pubsubname: pubsub
-scopes:
- atlantis
---
-apiVersion: dapr.io/v1alpha1
-kind: Subscription
-metadata:
-  name: inbox-events
-spec:
-  topic: inbox
-  route: /inbox-events
-  pubsubname: pubsub
-scopes:
- atlantis
@@ -1,35 +0,0 @@
-{
-    "oidc": {
-        "issuer": "https://idp.srv.oceanbox.io/dex",
-        "authorization_endpoint": "https://idp.srv.oceanbox.io/dex/auth",
-        "token_endpoint": "https://idp.srv.oceanbox.io/dex/token",
-        "jwks_uri": "https://idp.srv.oceanbox.io/dex/keys",
-        "userinfo_endpoint": "https://idp.srv.oceanbox.io/dex/userinfo",
-        "device_authorization_endpoint": "https://idp.srv.oceanbox.io/dex/device/code",
-        "clientId": "atlantis",
-        "clientSecret": "",
-        "scopes": [
-            "openid",
-            "email",
-            "offline_access",
-            "profile"
-        ]
-    },
-    "sso": {
-        "cookieDomain": ".oceanbox.io",
-        "signedOutRedirectUri": "https://idp.srv.oceanbox.io/dex/static/logout.html",
-        "redis": "prod-redis-master.redis.svc,user=default,password=secret",
-        "appDomain": "atlantis",
-        "dataProtectionKeys": "DataProtection-Keys"
-    },
-    "archmeister" : "https://archmeister.srv.oceanbox.io",
-    "sorcerer" : "https://sorcerer.data.oceanbox.io",
-    "allowedOrigins": [
-        "http://maps.oceanbox.io",
-        "https://maps.oceanbox.io",
-        "http://atlantis.srv.oceanbox.io",
-        "https://atlantis.srv.oceanbox.io"
-    ],
-    "logService" : "https://seq.oceanbox.io",
-    "logApiKey": ""
-}
@@ -1,48 +0,0 @@
- op: add
-  path: /spec/template/metadata/annotations
-  value:
-    dapr.io/enabled: "true"
-    dapr.io/app-id: "atlantis"
-    dapr.io/app-port: "8000"
-    dapr.io/config: "tracing"
- op: replace
-  path: /spec/template/spec/containers/0/env/0
-  value:
-    name: LOG_LEVEL
-    value: "4"
- op: add
-  path: /spec/template/spec/containers/0/env/-
-  value:
-    name: BARENTSWATCH_SECRET
-    valueFrom:
-      secretKeyRef:
-        name: prod-atlantis-barentswatch
-        key: secret
-        optional: true
- op: add
-  path: /spec/template/spec/containers/0/env/-
-  value:
-    name: BARENTSWATCH_CLIENT_ID
-    valueFrom:
-      secretKeyRef:
-        name: prod-atlantis-barentswatch
-        key: client-id
-        optional: true
- op: add
-  path: /spec/template/spec/containers/0/env/-
-  value:
-    name: REDIS_USER
-    value: default
- op: add
-  path: /spec/template/spec/containers/0/env/-
-  value:
-    name: REDIS_PASSWORD
-    valueFrom:
-      secretKeyRef:
-        name: prod-redis
-        key: redis-password
- op: add
-  path: /spec/template/spec/containers/0/envFrom/-
-  value:
-    secretRef:
-      name: prod-atlantis-env
@@ -1,33 +0,0 @@
-{
-    "oidc": {
-        "issuer": "https://idp.srv.oceanbox.io/dex",
-        "authorization_endpoint": "https://idp.srv.oceanbox.io/dex/auth",
-        "token_endpoint": "https://idp.srv.oceanbox.io/dex/token",
-        "jwks_uri": "https://idp.srv.oceanbox.io/dex/keys",
-        "userinfo_endpoint": "https://idp.srv.oceanbox.io/dex/userinfo",
-        "device_authorization_endpoint": "https://idp.srv.oceanbox.io/dex/device/code",
-        "clientId": "atlantis_dev",
-        "clientSecret": "",
-        "scopes": [
-            "openid",
-            "email",
-            "offline_access",
-            "profile"
-        ]
-    },
-    "sso": {
-        "cookieDomain": ".oceanbox.io",
-        "signedOutRedirectUri": "https://idp.srv.oceanbox.io/dex/static/logout.html",
-        "redis": "staging-redis-master.redis.svc,user=default,password=secret",
-        "appDomain": "atlantis",
-        "dataProtectionKeys": "DataProtection-Keys"
-    },
-    "archmeister" : "https://archmeister.beta.oceanbox.io",
-    "sorcerer" : "https://sorcerer.beta.data.oceanbox.io",
-    "allowedOrigins": [
-        "http://atlantis.beta.oceanbox.io",
-        "https://atlantis.beta.oceanbox.io"
-    ],
-    "logService" : "https://seq.oceanbox.io",
-    "logApiKey": ""
-}
@@ -1,48 +0,0 @@
- op: add
-  path: /spec/template/metadata/annotations
-  value:
-    dapr.io/enabled: "true"
-    dapr.io/app-id: "atlantis"
-    dapr.io/app-port: "8000"
-    dapr.io/config: "tracing"
- op: replace
-  path: /spec/template/spec/containers/0/env/0
-  value:
-    name: LOG_LEVEL
-    value: "4"
- op: add
-  path: /spec/template/spec/containers/0/env/-
-  value:
-    name: BARENTSWATCH_SECRET
-    valueFrom:
-      secretKeyRef:
-        name: staging-atlantis-barentswatch
-        key: secret
-        optional: true
- op: add
-  path: /spec/template/spec/containers/0/env/-
-  value:
-    name: BARENTSWATCH_CLIENT_ID
-    valueFrom:
-      secretKeyRef:
-        name: staging-atlantis-barentswatch
-        key: client-id
-        optional: true
- op: add
-  path: /spec/template/spec/containers/0/env/-
-  value:
-    name: REDIS_USER
-    value: default
- op: add
-  path: /spec/template/spec/containers/0/env/-
-  value:
-    name: REDIS_PASSWORD
-    valueFrom:
-      secretKeyRef:
-        name: staging-redis
-        key: redis-password
- op: add
-  path: /spec/template/spec/containers/0/envFrom/-
-  value:
-    secretRef:
-      name: staging-atlantis-env
@@ -0,0 +1,54 @@
+{{- if .Values.cluster.enabled -}}
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+  name: {{ include "Atlantis.fullname" . }}-db
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    linkerd.io/inject: disabled
+  labels:
+    {{- include "Atlantis.labels" . | nindent 4 }}
+spec:
+  instances: {{ .Values.cluster.instances | default "1" }}
+  imageName: ghcr.io/cloudnative-pg/postgis:15-3.3
+  # Example of rolling update strategy:
+  # - unsupervised: automated update of the primary once all
+  #                 replicas have been upgraded (default)
+  # - supervised: requires manual supervision to perform
+  #               the switchover of the primary
+  primaryUpdateStrategy: unsupervised
+  backup:
+    retentionPolicy: {{ .Values.cluster.backupRetention | default "60d" }}
+  storage:
+    size: {{ .Values.cluster.size | default "5Gi" }}
+{{- with .Values.cluster.bootstrap }}
+  bootstrap:
+{{- if .enabled }}
+    pg_basebackup:
+      source: archmaester
+  externalClusters:
+  - name: archmaester
+    connectionParameters:
+      host: {{ .source.db }}-rw.{{ .source.namespace }}
+      user: streaming_replica
+      sslmode: verify-full
+    sslKey:
+      name: {{ .source.db }}-replication
+      key: tls.key
+    sslCert:
+      name: {{ .source.db }}-replication
+      key: tls.crt
+    sslRootCert:
+      name: {{ .source.db }}-ca
+      key: ca.crt
+{{- else }}
+    initdb:
+      postInitTemplateSQL:
+        - CREATE EXTENSION postgis;
+        - CREATE EXTENSION postgis_topology;
+        - CREATE EXTENSION fuzzystrmatch;
+        - CREATE EXTENSION postgis_tiger_geocoder;
+        - ALTER USER app WITH SUPERUSER;
+{{- end }}
+{{- end }}
+{{- end }}
@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: {{ include "Atlantis.fullname" . }}
+  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "Atlantis.labels" . | nindent 4 }}
 spec:
@@ -83,8 +84,8 @@ spec:
        emptyDir: {}
      {{- end }}
      - name: appsettings
-        secret:
-          secretName: {{ template "Atlantis.fullname" . }}-appsettings
+        configMap:
+          name: {{ template "Atlantis.fullname" . }}-appsettings
      {{- with .Values.nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}
@@ -3,6 +3,7 @@ apiVersion: autoscaling/v2beta1
 kind: HorizontalPodAutoscaler
 metadata:
  name: {{ include "Atlantis.fullname" . }}
+  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "Atlantis.labels" . | nindent 4 }}
 spec:
@@ -0,0 +1,62 @@
+{{- if .Values.ingress.enabled -}}
+{{- $fullName := include "Atlantis.fullname" . -}}
+{{- $svcPort := .Values.service.port -}}
+{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
+  {{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }}
+  {{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}}
+  {{- end }}
+{{- end }}
+{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1
+{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1beta1
+{{- else -}}
+apiVersion: extensions/v1beta1
+{{- end }}
+kind: Ingress
+metadata:
+  name: {{ $fullName }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "Atlantis.labels" . | nindent 4 }}
+  {{- with .Values.ingress.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
+  ingressClassName: {{ .Values.ingress.className }}
+  {{- end }}
+  {{- if .Values.ingress.tls }}
+  tls:
+    {{- range .Values.ingress.tls }}
+    - hosts:
+        {{- range .hosts }}
+        - {{ . | quote }}
+        {{- end }}
+      secretName: {{ .secretName }}
+    {{- end }}
+  {{- end }}
+  rules:
+    {{- range .Values.ingress.hosts }}
+    - host: {{ .host | quote }}
+      http:
+        paths:
+          {{- range .paths }}
+          - path: {{ .path }}
+            {{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }}
+            pathType: {{ .pathType }}
+            {{- end }}
+            backend:
+              {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
+              service:
+                name: {{ $fullName }}
+                port:
+                  number: {{ $svcPort }}
+              {{- else }}
+              serviceName: {{ .serviceName | default $fullName }}
+              servicePort: {{ .servicePort | default $svcPort }}
+              {{- end }}
+          {{- end }}
+    {{- end }}
+{{- end }}
@@ -15,11 +15,12 @@ apiVersion: extensions/v1beta1
 {{- end }}
 kind: Ingress
 metadata:
-  name: {{ $fullName }}
+  name: {{ $fullName }}-internal
  labels:
    {{- include "Atlantis.labels" . | nindent 4 }}
  {{- with .Values.ingress.annotations }}
  annotations:
+    atlantis.oceanbox.io/expose: internal
    {{- toYaml . | nindent 4 }}
  {{- end }}
 spec:
@@ -41,7 +42,7 @@ spec:
    - host: {{ .host | quote }}
      http:
        paths:
-          {{- range .paths }}
+          {{- range .internal }}
          - path: {{ .path }}
            {{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }}
            pathType: {{ .pathType }}
@@ -3,6 +3,7 @@ kind: PersistentVolumeClaim
 apiVersion: v1
 metadata:
  name: {{ template "Atlantis.fullname" . }}
+  namespace: {{ .Release.Namespace }}
 {{- with .Values.persistence.annotations  }}
  annotations:
 {{ toYaml . | indent 4 }}
@@ -0,0 +1,38 @@
+{{- if not .Values.cluster.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+  annotations:
+    kyverno/clone: "true"
+  name: {{ include "Atlantis.fullname" . }}-db-superuser
+  namespace: {{ .Release.Namespace }}
+type: kubernetes.io/basic-auth
+data:
+  username:
+  password:
+{{- else }}
+{{- if .Values.cluster.bootstrap.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+  annotations:
+    kyverno/clone: "true"
+  name: {{ .Values.cluster.bootstrap.source.db }}-replication
+type: kubernetes.io/tls
+data:
+  tls.crt: ""
+  tls.key: ""
+---
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+  annotations:
+    kyverno/clone: "true"
+  name: {{ .Values.cluster.bootstrap.source.db }}-ca
+  namespace: {{ .Release.Namespace }}
+data:
+  ca.crt: ""
+  ca.key: ""
+{{- end }}
+{{- end }}
@@ -2,6 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
  name: {{ include "Atlantis.fullname" . }}
+  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "Atlantis.labels" . | nindent 4 }}
 spec:
@@ -3,6 +3,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: {{ include "Atlantis.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "Atlantis.labels" . | nindent 4 }}
  {{- with .Values.serviceAccount.annotations }}
@@ -0,0 +1,20 @@
+{{- if .Values.serviceMonitor.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: {{ include "Atlantis.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  endpoints:
+  - honorLabels: false
+    path: /metrics
+    port: http
+  jobLabel: {{ .Values.serviceMonitor.label | default (include "Atlantis.fullname" .) }}
+  namespaceSelector:
+    matchNames:
+    - {{ .Release.Namespace }}
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: {{ include "Atlantis.fullname" . }}
+      app.kubernetes.io/name: atlantis
+{{- end }}
@@ -1,27 +0,0 @@
-ingress:
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt-production
-    nginx.ingress.kubernetes.io/proxy-buffer-size: 128k
-  hosts:
-    - host: atlantis.srv.oceanbox.io
-      paths:
-        - path: /
-          pathType: ImplementationSpecific
-    - host: maps.srv.oceanbox.io
-      paths:
-        - path: /
-          pathType: ImplementationSpecific
-  tls:
-    - hosts:
-       - atlantis.srv.oceanbox.io
-       - maps.srv.oceanbox.io
-      secretName: atlantis-tls
-
-resources:
-  limits:
-    cpu: 250m
-    memory: 1Gi
-  requests:
-    cpu: 250m
-    memory: 1Gi
-
@@ -1,26 +0,0 @@
-image:
-  tag: a41b6229-debug
-
-ingress:
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt-production
-    nginx.ingress.kubernetes.io/proxy-buffer-size: 128k
-    # atlantis.oceanbox.io/expose: internal
-  hosts:
-    - host: atlantis.beta.oceanbox.io
-      paths:
-        - path: /
-          pathType: ImplementationSpecific
-  tls:
-    - hosts:
-       - atlantis.beta.oceanbox.io
-      secretName: staging-atlantis-tls
-
-resources:
-  limits:
-    cpu: 250m
-    memory: 1Gi
-  requests:
-    cpu: 250m
-    memory: 1Gi
-
@@ -6,22 +6,31 @@ replicaCount: 1

 image:
  repository: registry.gitlab.com/oceanbox/atlantis
-  tag: v2.77.5
+  tag: v2.87.1
  pullPolicy: IfNotPresent

 init:
  enabled: false
  image: ubuntu:rolling
-  command: [ "/bin/sh", "-c", "true"  ]
+  command: ["/bin/sh", "-c", "true"]

 env:
  - name: LOG_LEVEL
    value: "3"
+  - name: APP_NAME
+    valueFrom:
+      fieldRef:
+        fieldPath: metadata.name
+  - name: APP_NAMESPACE
+    valueFrom:
+      fieldRef:
+        fieldPath: metadata.namespace

 imagePullSecrets:
  - name: gitlab-pull-secret

 nameOverride: ""
+
 fullnameOverride: ""

 serviceAccount:
@@ -40,7 +49,7 @@ podSecurityContext:
 securityContext:
  capabilities:
    drop:
-    - ALL
+      - ALL
  readOnlyRootFilesystem: false
  runAsNonRoot: true
  runAsUser: 1000
@@ -50,7 +59,7 @@ service:
  port: 8085

 ingress:
-  enabled: true
+  enabled: false
  className: "nginx"
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
@@ -60,9 +69,16 @@ ingress:
      paths:
        - path: /
          pathType: ImplementationSpecific
+        - path: /events
+          pathType: ImplementationSpecific
+          serviceName: main-ingress-nginx-defaultbackend.ingress-nginx
+          servicePort: 80
+      internal:
+        - path: /internal
+          pathType: ImplementationSpecific
  tls:
    - hosts:
-       - atlantis.srv.oceanbox.io
+        - atlantis.srv.oceanbox.io
      secretName: atlantis-tls

 persistence:
@@ -72,23 +88,28 @@ persistence:
  accessMode: ReadWriteOnce

 cluster:
-  enabled: false
-  instances: 2
+  enabled: true
+  instances: 1
  backupEnabled: true
  backupRetention: 60d
  size: 5Gi
+  bootstrap:
+    enabled: true
+    source:
+      db: prod-archmeister
+      namespace: atlantis

 resources: {}
-  # We usually recommend not to specify default resources and to leave this as a conscious
-  # choice for the user. This also increases chances charts run on environments with little
-  # resources, such as Minikube. If you do want to specify resources, uncomment the following
-  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
-  # limits:
-  #   cpu: 100m
-  #   memory: 128Mi
-  # requests:
-  #   cpu: 100m
-  #   memory: 128Mi
+# We usually recommend not to specify default resources and to leave this as a conscious
+# choice for the user. This also increases chances charts run on environments with little
+# resources, such as Minikube. If you do want to specify resources, uncomment the following
+# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+# limits:
+#   cpu: 100m
+#   memory: 128Mi
+# requests:
+#   cpu: 100m
+#   memory: 128Mi

 autoscaling:
  enabled: false
@@ -97,8 +118,9 @@ autoscaling:
  targetCPUUtilizationPercentage: 80
  # targetMemoryUtilizationPercentage: 80

+serviceMonitor:
+  enabled: true
+
 nodeSelector: {}
-
 tolerations: []
-
 affinity: {}
--- a/Show More
+++ b/Show More