platform/manifests
1
0
Fork 0
Code Issues 7 Pull Requests 6 Actions Packages Projects Releases Wiki Activity

Compare commits

merge into: platform/manifests:nixidy
Branches Tags
platform/manifests:main platform/manifests:renovate/kube-prometheus-stack-86.x platform/manifests:renovate/kube-prometheus-stack-85.x platform/manifests:renovate/jobset-0.x platform/manifests:renovate/spegel-0.x platform/manifests:renovate/rabbitmq-16.x platform/manifests:renovate/ghcr.io-juanfont-headscale-0.x platform/manifests:mrtz/cilium-hel1-gateway platform/manifests:automated/npins-update-20260130 platform/manifests:vcluster platform/manifests:attic platform/manifests:nexus platform/manifests:diadash platform/manifests:mrtz/beta platform/manifests:simkir/codex platform/manifests:mrtz/nixidy platform/manifests:nixidy platform/manifests:otel-policy platform/manifests:spmsa platform/manifests:priv-redis platform/manifests:wip platform/manifests:dev
..
pull from: platform/manifests:otel-policy
Branches Tags
platform/manifests:main platform/manifests:renovate/kube-prometheus-stack-86.x platform/manifests:renovate/kube-prometheus-stack-85.x platform/manifests:renovate/jobset-0.x platform/manifests:renovate/spegel-0.x platform/manifests:renovate/rabbitmq-16.x platform/manifests:renovate/ghcr.io-juanfont-headscale-0.x platform/manifests:mrtz/cilium-hel1-gateway platform/manifests:automated/npins-update-20260130 platform/manifests:vcluster platform/manifests:attic platform/manifests:nexus platform/manifests:diadash platform/manifests:mrtz/beta platform/manifests:simkir/codex platform/manifests:mrtz/nixidy platform/manifests:nixidy platform/manifests:otel-policy platform/manifests:spmsa platform/manifests:priv-redis platform/manifests:wip platform/manifests:dev

1 Commits
nixidy .. otel-policy

Author SHA1 Message Date
hanssenkai f9838604e8 allow otel world 2024-11-20 10:20:04 +01:00
385 changed files with 1476 additions and 68791 deletions
Expand all files Collapse all files
.envrc
-1
View File
@@ -1 +0,0 @@
use nix
.gitignore
-4
View File
@@ -1,6 +1,2 @@
*.tgz
_*/
.direnv/
.pre-commit-config.yaml
_manifest.yaml _manifest.yaml
_resources.yaml _resources.yaml
acl.json
Symlink
+1
View File
@@ -0,0 +1 @@
kustomizations/petimeter/manifests/acl.json
apps/archmeister.yaml → applications/archmeister.yaml
+6 -6
View File
@@ -13,11 +13,11 @@ spec:
hostname: archmeister.srv.oceanbox.io hostname: archmeister.srv.oceanbox.io
autoSync: false autoSync: false
prune: true prune: true
# - cluster: https://staging-vcluster.staging-vcluster - cluster: https://staging-vcluster.staging-vcluster
# env: staging env: staging
# hostname: archmeister.beta.oceanbox.io hostname: archmeister.beta.oceanbox.io
# autoSync: true autoSync: true
# prune: true prune: true
template: template:
metadata: metadata:
name: "{{ .env }}-archmeister" name: "{{ .env }}-archmeister"
@@ -29,7 +29,7 @@ spec:
sources: sources:
- repoURL: https://gitlab.com/oceanbox/manifests.git - repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: main targetRevision: main
path: values/archmeister path: kustomizations/archmeister
plugin: plugin:
name: kustomize-helm-with-rewrite name: kustomize-helm-with-rewrite
parameters: parameters:
applications/atlantis-host-resources.yaml
+36
View File
@@ -0,0 +1,36 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: atlantis-host-cluster-resources
namespace: argocd
# annotations: # close, but no cigar
# argocd.argoproj.io/compare-options: ServerSideDiff=true,IncludeMutationWebhook=true
spec:
project: aux
destination:
server: https://kubernetes.default.svc
syncPolicy:
automated:
prune: false
selfHeal: false
ignoreDifferences:
- kind: Secret
name: prod-rabbitmq
jqPathExpressions:
- '.data'
- '.metadata.annotations.clone'
- '.metadata.labels'
- kind: Secret
name: prod-redis
jqPathExpressions:
- '.data'
- '.metadata.annotations.clone'
- '.metadata.labels'
sources:
- repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: main
path: resources/atlantis/host-manifests
- repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: main
path: 'resources/atlantis/manifests/prod'
apps/atlantis-resources.yaml → applications/atlantis-resources.yaml
View File
apps/atlantis.yaml → applications/atlantis.yaml
+6 -6
View File
@@ -13,11 +13,11 @@ spec:
hostname: atlantis.srv.oceanbox.io hostname: atlantis.srv.oceanbox.io
autoSync: false autoSync: false
prune: true prune: true
# - cluster: https://staging-vcluster.staging-vcluster - cluster: https://staging-vcluster.staging-vcluster
# env: staging env: staging
# hostname: atlantis.beta.oceanbox.io hostname: atlantis.beta.oceanbox.io
# autoSync: true autoSync: true
# prune: true prune: true
template: template:
metadata: metadata:
name: '{{ .env }}-atlantis' name: '{{ .env }}-atlantis'
@@ -29,7 +29,7 @@ spec:
sources: sources:
- repoURL: https://gitlab.com/oceanbox/manifests.git - repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: main targetRevision: main
path: values/atlantis path: kustomizations/atlantis
plugin: plugin:
name: kustomize-helm-with-rewrite name: kustomize-helm-with-rewrite
parameters: parameters:
apps/busynix.yaml → applications/busynix.yaml
+1 -1
View File
@@ -24,7 +24,7 @@ spec:
source: source:
repoURL: https://gitlab.com/oceanbox/manifests.git repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: main targetRevision: main
path: values/busynix path: kustomizations/busynix
plugin: plugin:
name: kustomize-helm-with-rewrite name: kustomize-helm-with-rewrite
parameters: parameters:
apps/cerbos.yaml → applications/cerbos.yaml
+2 -2
View File
@@ -25,8 +25,8 @@ spec:
chart: cerbos chart: cerbos
helm: helm:
valueFiles: valueFiles:
- $values/values/cerbos/values.yaml - $values/kustomizations/cerbos/values.yaml
- $values/values/cerbos/values-{{ env }}.yaml - $values/kustomizations/cerbos/values-{{ env }}.yaml
- repoURL: https://gitlab.com/oceanbox/manifests.git - repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: main targetRevision: main
ref: values ref: values
apps/dex.yaml → applications/dex.yaml
+2 -2
View File
@@ -10,6 +10,6 @@ spec:
namespace: idp namespace: idp
source: source:
repoURL: https://gitlab.com/oceanbox/manifests.git repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: nixidy targetRevision: main
path: values/dex/manifests path: kustomizations/dex/manifests
apps/geoserver.yaml → applications/geoserver.yaml
+1 -1
View File
@@ -24,7 +24,7 @@ spec:
sources: sources:
- repoURL: https://gitlab.com/oceanbox/manifests.git - repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: main targetRevision: main
path: values/geoserver path: kustomizations/geoserver
plugin: plugin:
name: kustomize-helm-with-rewrite name: kustomize-helm-with-rewrite
parameters: parameters:
apps/hipster.yaml → applications/hipster.yaml
+6 -6
View File
@@ -13,11 +13,11 @@ spec:
hostname: hipster.srv.oceanbox.io hostname: hipster.srv.oceanbox.io
autoSync: false autoSync: false
prune: true prune: true
# - cluster: https://staging-vcluster.staging-vcluster - cluster: https://staging-vcluster.staging-vcluster
# env: staging env: staging
# hostname: hipster.beta.oceanbox.io hostname: hipster.beta.oceanbox.io
# autoSync: true autoSync: true
# prune: true prune: true
template: template:
metadata: metadata:
name: '{{ .env }}-hipster' name: '{{ .env }}-hipster'
@@ -29,7 +29,7 @@ spec:
sources: sources:
- repoURL: https://gitlab.com/oceanbox/manifests.git - repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: main targetRevision: main
path: values/hipster path: kustomizations/hipster
plugin: plugin:
name: kustomize-helm-with-rewrite name: kustomize-helm-with-rewrite
parameters: parameters:
apps/jaeger.yaml → applications/jaeger.yaml
+2 -2
View File
@@ -14,9 +14,9 @@ spec:
chart: jaeger-operator chart: jaeger-operator
helm: helm:
valueFiles: valueFiles:
- $values/values/jaeger/values.yaml - $values/kustomizations/jaeger/values.yaml
- repoURL: https://gitlab.com/oceanbox/manifests.git - repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: main targetRevision: main
# path: values/jaeger/manifests # path: kustomizations/jaeger/manifests
ref: values ref: values
apps/keycloak.yaml → applications/keycloak.yaml
+2 -2
View File
@@ -14,8 +14,8 @@ spec:
chart: keycloak chart: keycloak
helm: helm:
valueFiles: valueFiles:
- $values/values/keycloak/values.yaml - $values/kustomizations/keycloak/values.yaml
- repoURL: https://gitlab.com/oceanbox/manifests.git - repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: nixidy targetRevision: main
ref: values ref: values
apps/loki.yaml → applications/loki.yaml
+1 -1
View File
@@ -46,8 +46,8 @@ spec:
s3: s3:
endpoint: http://10.255.241.30:30080 endpoint: http://10.255.241.30:30080
region: tos region: tos
accessKeyId: ${S3KEY}
secretAccessKey: ${S3SECRET} secretAccessKey: ${S3SECRET}
accessKeyId: ${S3KEY}
s3ForcePathStyle: true s3ForcePathStyle: true
http_config: http_config:
insecure_skip_verify: true insecure_skip_verify: true
applications/openfga.yaml
+47
View File
@@ -0,0 +1,47 @@
apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
name: openfga
namespace: argocd
spec:
goTemplate: true
generators:
- list:
elements:
- cluster: https://kubernetes.default.svc
env: prod
hostname: openfga.adm.oceanbox.io
autoSync: false
prune: true
- cluster: https://kubernetes.default.svc
env: staging
hostname: openfga.dev.oceanbox.io
autoSync: true
prune: true
template:
metadata:
name: '{{ .env }}-openfga'
spec:
project: aux
destination:
namespace: idp
server: '{{ .cluster }}'
sources:
- repoURL: https://openfga.github.io/helm-charts
targetRevision: 0.2.12
chart: openfga
helm:
valueFiles:
- $values/kustomizations/openfga/values.yaml
- $values/kustomizations/openfga/values-{{ .env }}.yaml
- repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: main
ref: values
templatePatch: |
{{- if .autoSync }}
spec:
syncPolicy:
automated:
prune: {{ .prune }}
selfHeal: false
{{- end }}
apps/opentelemetry-collector.yaml → applications/opentelemetry-collector.yaml
+1 -4
View File
@@ -31,9 +31,6 @@ spec:
mode: deployment mode: deployment
image: image:
repository: otel/opentelemetry-collector-k8s repository: otel/opentelemetry-collector-k8s
service:
type: LoadBalancer
loadBalancerIP: 10.255.241.12
config: config:
receivers: receivers:
prometheus/collector: prometheus/collector:
@@ -91,7 +88,7 @@ spec:
# logsCollection: # logsCollection:
# enabled: true # enabled: true
ingress: ingress:
enabled: false enabled: true
annotations: annotations:
cert-manager.io/cluster-issuer: letsencrypt-production cert-manager.io/cluster-issuer: letsencrypt-production
nginx.ingress.kubernetes.io/ssl-redirect: "true" nginx.ingress.kubernetes.io/ssl-redirect: "true"
apps/osm-tile-server.yaml → applications/osm-tile-server.yaml
+1 -1
View File
@@ -24,7 +24,7 @@ spec:
source: source:
repoURL: https://gitlab.com/oceanbox/manifests.git repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: HEAD targetRevision: HEAD
path: values/osm-tile-server path: kustomizations/osm-tile-server
plugin: plugin:
name: kustomize-helm-with-rewrite name: kustomize-helm-with-rewrite
parameters: parameters:
apps/petimeter.yaml → applications/petimeter.yaml
+7 -7
View File
@@ -13,11 +13,11 @@ spec:
hostname: petimeter.srv.oceanbox.io hostname: petimeter.srv.oceanbox.io
autoSync: false autoSync: false
prune: true prune: true
# - cluster: https://staging-vcluster.staging-vcluster - cluster: https://staging-vcluster.staging-vcluster
# env: staging env: staging
# hostname: petimeter.beta.oceanbox.io hostname: petimeter.beta.oceanbox.io
# autoSync: true autoSync: true
# prune: true prune: true
template: template:
metadata: metadata:
name: '{{ .env }}-petimeter' name: '{{ .env }}-petimeter'
@@ -29,7 +29,7 @@ spec:
sources: sources:
- repoURL: https://gitlab.com/oceanbox/manifests.git - repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: main targetRevision: main
path: values/petimeter path: kustomizations/petimeter
plugin: plugin:
name: kustomize-helm-with-rewrite name: kustomize-helm-with-rewrite
parameters: parameters:
@@ -39,7 +39,7 @@ spec:
string: '{{ .hostname }}' string: '{{ .hostname }}'
- repoURL: https://gitlab.com/oceanbox/manifests.git - repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: main targetRevision: main
path: values/petimeter/manifests path: kustomizations/petimeter/manifests
templatePatch: | templatePatch: |
{{- if .autoSync }} {{- if .autoSync }}
spec: spec:
apps/rabbitmq.yaml → applications/rabbitmq.yaml
+2 -2
View File
@@ -27,8 +27,8 @@ spec:
chart: rabbitmq chart: rabbitmq
helm: helm:
valueFiles: valueFiles:
- $values/values/rabbitmq/values-{{ env }}.yaml - $values/kustomizations/rabbitmq/values-{{ env }}.yaml
- repoURL: https://gitlab.com/oceanbox/manifests.git - repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: main targetRevision: main
path: values/rabbitmq/{{ env }} path: kustomizations/rabbitmq/{{ env }}
ref: values ref: values
apps/redis.yaml → applications/redis.yaml
+2 -2
View File
@@ -25,13 +25,13 @@ spec:
chart: redis chart: redis
helm: helm:
valueFiles: valueFiles:
- $values/values/redis/values-{{ env }}.yaml - $values/kustomizations/redis/values-{{ env }}.yaml
- repoURL: https://gitlab.com/oceanbox/manifests.git - repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: HEAD targetRevision: HEAD
ref: values ref: values
- repoURL: https://gitlab.com/oceanbox/manifests.git - repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: main targetRevision: main
path: values/redis/{{ env }} path: kustomizations/redis/{{ env }}
ignoreDifferences: ignoreDifferences:
- group: apps - group: apps
kind: StatefulSet kind: StatefulSet
apps/seq.yaml → applications/seq.yaml
+1 -1
View File
@@ -14,7 +14,7 @@ spec:
chart: seq chart: seq
helm: helm:
valueFiles: valueFiles:
- $values/values/seq/values.yaml - $values/kustomizations/seq/values.yaml
- repoURL: https://gitlab.com/oceanbox/manifests.git - repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: main targetRevision: main
ref: values ref: values
apps/sorcerer.yaml → applications/sorcerer.yaml
+6 -6
View File
@@ -13,11 +13,11 @@ spec:
hostname: sorcerer.data.oceanbox.io hostname: sorcerer.data.oceanbox.io
autoSync: false autoSync: false
prune: true prune: true
# - cluster: https://10.255.241.99:4443 - cluster: https://10.255.241.99:4443
# env: staging env: staging
# hostname: sorcerer.ekman.oceanbox.io hostname: sorcerer.ekman.oceanbox.io
# autoSync: true autoSync: true
# prune: true prune: true
template: template:
metadata: metadata:
name: '{{ .env }}-sorcerer' name: '{{ .env }}-sorcerer'
@@ -29,7 +29,7 @@ spec:
sources: sources:
- repoURL: https://gitlab.com/oceanbox/manifests.git - repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: main targetRevision: main
path: values/sorcerer path: kustomizations/sorcerer
plugin: plugin:
name: kustomize-helm-with-rewrite name: kustomize-helm-with-rewrite
parameters: parameters:
apps/tempo.yaml → applications/tempo.yaml
+4 -5
View File
@@ -34,11 +34,11 @@ spec:
backend: s3 backend: s3
s3: s3:
bucket: tempo-traces bucket: tempo-traces
endpoint: 10.255.241.30:30080 endpoint: http://10.255.241.30:30080
access_key: ${S3KEY} access_key: ${S3SECRET}
secret_key: ${S3SECRET} secret_key: ${S3KEY}
forcepathstyle: true
insecure: true insecure: true
backend: local
local: local:
path: /var/tempo/traces path: /var/tempo/traces
wal: wal:
@@ -46,7 +46,6 @@ spec:
metricsGenerator: metricsGenerator:
enabled: true enabled: true
remoteWriteUrl: "http://prom-prometheus.prometheus:9090/api/v1/write" remoteWriteUrl: "http://prom-prometheus.prometheus:9090/api/v1/write"
extraArgs: { config.expand-env=true }
extraEnv: extraEnv:
- name: S3KEY - name: S3KEY
valueFrom: valueFrom:
apps/wordpress.yaml → applications/wordpress.yaml
View File
apps/yolo-dl.yaml → applications/yolo-dl.yaml
View File
apps/atlantis-host-resources.yaml
-27
View File
@@ -1,27 +0,0 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: atlantis-cluster-resources
namespace: argocd
# annotations: # close, but no cigar
# argocd.argoproj.io/compare-options: ServerSideDiff=true,IncludeMutationWebhook=true
spec:
project: atlantis
destination:
server: https://kubernetes.default.svc
syncPolicy:
automated:
prune: false
selfHeal: false
# ignoreDifferences:
# - kind: Secret
# name: prod-rabbitmq
# jqPathExpressions:
# - '.data'
# - '.metadata.annotations.clone'
# - '.metadata.labels'
sources:
- repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: main
path: resources/atlantis
apps/atlantis.nix
-51
View File
@@ -1,51 +0,0 @@
{ lib, config, ... }:
let
cfg = config.apps.atlantis;
env = config.apps.env;
values = lib.apps.appValues {
inherit env;
base = ../values/atlantis;
extraValues = {};
};
kustomize = r:
if r.kind == "Deployment" then
lib.attrsets.recursiveUpdate r {
spec.template.spec.containers =
builtins.map (x:
x // {
livenessProbe.httpGet.path = "/healthz";
readinessProble.httpGet.path = "/healthz";
env = x.env ++ [ { name = "INERNAL_PORT"; value = 8000; } ];
}) r.spec.template.spec.containers;
}
else if r.kind == "Service" then
{}
else r;
in
{
options.apps.atlantis = lib.apps.appOptions {
revision = lib.mkOption {
type = lib.types.str;
default = "main";
description = "Revision";
};
hostname = lib.mkOption {
type = lib.types.str;
default = if env == "prod"
then "maps.oceanbox.io"
else "atlantis.beta.oceanbox.io";
description = "Revision";
};
};
config = lib.apps.appConfig cfg "${env}-atlantis" {
helm.releases."${env}-atlantis" = {
inherit values;
chart = ../charts/atlantis;
transformer = rs: builtins.map (x: kustomize x) rs;
};
};
}
apps/dapr.yaml
-33
View File
@@ -1,33 +0,0 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: dapr
namespace: argocd
annotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
destination:
namespace: dapr-system
server: https://kubernetes.default.svc
project: default
syncPolicy:
# managedNamespaceMetadata:
# labels:
# component: aux
syncOptions:
- CreateNamespace=true
- ApplyOutOfSyncOnly=true
automated:
prune: true
selfHeal: true
sources:
- repoURL: https://dapr.github.io/helm-charts/
targetRevision: 1.14.4
chart: dapr
helm:
values: |
global:
ha:
enabled: true
apps/default.nix
-7
View File
@@ -1,7 +0,0 @@
{ ... }:
{
imports = [
./atlantis.nix
./openfga.nix
];
}
apps/openfga.nix
-39
View File
@@ -1,39 +0,0 @@
{ lib, config, ... }:
let
cfg = config.apps.openfga;
env = config.apps.env;
values = lib.apps.appValues {
inherit env;
base = ../values/openfga;
extraValues = {};
};
kustomize = r:
if r.kind == "Job" then
lib.attrsets.recursiveUpdate r { spec.backoffLimit = 2; }
else r;
in
{
options.apps.openfga = lib.apps.appOptions {};
config = lib.apps.appConfig cfg "${env}-openfga" {
helm.releases."${env}-openfga" = {
inherit values;
chart = lib.helm.downloadHelmChart {
repo = "https://openfga.github.io/helm-charts";
chart = "openfga";
version = "0.2.12";
chartHash = "sha256-7yLcw9/oNPvCePrtTJwKAG88t0Ym5Dl/S83Gz+gQdDU=";
};
transformer = rs: builtins.map (x: kustomize x) rs;
};
annotations = {};
resources = {
services.poop.spec = {
};
};
};
}
apps/prod-atlantis.yaml
-66
View File
@@ -1,66 +0,0 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: prod-atlantis
namespace: argocd
annotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
destination:
namespace: prod-atlantis
server: https://kubernetes.default.svc
project: atlantis
sources:
- repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: nixidy
ref: values
- repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: nixidy
path: values/atlantis
plugin:
name: kustomize-helm-with-rewrite
parameters:
- name: env
string: prod
- name: hostname
string: maps.oceanbox.io
- repoURL: https://charts.bitnami.com/bitnami
targetRevision: 20.1.7
chart: redis
helm:
valueFiles:
- $values/values/atlantis/prod/redis.yaml
ignoreDifferences:
- kind: Secret
name: azure-keyvault
jqPathExpressions:
- '.data'
- '.metadata.labels'
- '.metadata.annotations'
- kind: Secret
name: prod-atlantis-rabbitmq
jqPathExpressions:
- '.data'
- '.metadata.labels'
- '.metadata.annotations'
- kind: Secret
name: prod-archmeister-replication
jqPathExpressions:
- '.data'
- '.metadata.labels'
- '.metadata.annotations'
- kind: Secret
name: prod-archmeister-ca
jqPathExpressions:
- '.data'
- '.metadata.labels'
- '.metadata.annotations'
syncPolicy:
syncOptions:
- CreateNamespace=true
- ApplyOutOfSyncOnly=true
# automated:
# prune: true
# selfHeal: false
apps/prod-keycloak.yaml
-38
View File
@@ -1,38 +0,0 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: prod-keycloak
namespace: argocd
annotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: aux
destination:
server: https://kubernetes.default.svc
namespace: keycloak
syncPolicy:
managedNamespaceMetadata:
labels:
component: aux
syncOptions:
- CreateNamespace=true
- ApplyOutOfSyncOnly=true
automated:
prune: true
selfHeal: true
sources:
- repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: nixidy
path: values/keycloak/prod
- repoURL: https://charts.bitnami.com/bitnami
targetRevision: 24.0.2
chart: keycloak
helm:
valueFiles:
- $values/values/keycloak/values-prod.yaml
- repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: nixidy
ref: values
apps/prod-openfga.yaml
-39
View File
@@ -1,39 +0,0 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: prod-openfga
namespace: argocd
annotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
destination:
namespace: openfga
server: https://kubernetes.default.svc
project: aux
# ignoreDifferences:
# - group: apps
# kind: StatefulSet
# jsonPointers:
# - /spec/persistentVolumeClaimRetentionPolicy
syncPolicy:
managedNamespaceMetadata:
labels:
component: aux
syncOptions:
- CreateNamespace=true
- ApplyOutOfSyncOnly=true
automated:
prune: true
selfHeal: true
sources:
- repoURL: https://openfga.github.io/helm-charts
targetRevision: 0.2.19
chart: openfga
helm:
valueFiles:
- $values/values/openfga/values-prod.yaml
- repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: nixidy
ref: values
apps/prod-sorcerer.yaml
-54
View File
@@ -1,54 +0,0 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: prod-sorcerer
namespace: argocd
annotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
destination:
namespace: prod-sorcerer
server: https://10.255.241.99:4443
project: atlantis
sources:
- repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: nixidy
ref: values
- repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: nixidy
path: values/sorcerer
plugin:
name: kustomize-helm-with-rewrite
parameters:
- name: env
string: prod
- name: hostname
string: sorcerer.data.oceanbox.io
- repoURL: https://charts.bitnami.com/bitnami
targetRevision: 20.1.7
chart: redis
helm:
valueFiles:
- $values/values/sorcerer/prod/redis.yaml
ignoreDifferences:
- kind: Secret
name: azure-keyvault
jqPathExpressions:
- '.data'
- '.metadata.labels'
- '.metadata.annotations'
- kind: Secret
name: prod-atlantis-rabbitmq
jqPathExpressions:
- '.data'
- '.metadata.labels'
- '.metadata.annotations'
syncPolicy:
syncOptions:
- CreateNamespace=true
- ApplyOutOfSyncOnly=true
# automated:
# prune: true
# selfHeal: false
apps/staging-atlantis.yaml
-66
View File
@@ -1,66 +0,0 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: staging-atlantis
namespace: argocd
annotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
destination:
namespace: staging-atlantis
server: https://kubernetes.default.svc
project: atlantis
sources:
- repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: nixidy
ref: values
- repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: nixidy
path: values/atlantis
plugin:
name: kustomize-helm-with-rewrite
parameters:
- name: env
string: staging
- name: hostname
string: atlantis.beta.oceanbox.io
- repoURL: https://charts.bitnami.com/bitnami
targetRevision: 20.1.7
chart: redis
helm:
valueFiles:
- $values/values/atlantis/staging/redis.yaml
ignoreDifferences:
- kind: Secret
name: azure-keyvault
jqPathExpressions:
- '.data'
- '.metadata.labels'
- '.metadata.annotations'
- kind: Secret
name: staging-atlantis-rabbitmq
jqPathExpressions:
- '.data'
- '.metadata.labels'
- '.metadata.annotations'
- kind: Secret
name: prod-archmeister-replication
jqPathExpressions:
- '.data'
- '.metadata.labels'
- '.metadata.annotations'
- kind: Secret
name: prod-archmeister-ca
jqPathExpressions:
- '.data'
- '.metadata.labels'
- '.metadata.annotations'
syncPolicy:
syncOptions:
- CreateNamespace=true
- ApplyOutOfSyncOnly=true
automated:
prune: true
selfHeal: false
apps/staging-openfga.yaml
-39
View File
@@ -1,39 +0,0 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: staging-openfga
namespace: argocd
annotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
destination:
namespace: openfga
server: https://kubernetes.default.svc
project: aux
# ignoreDifferences:
# - group: apps
# kind: StatefulSet
# jsonPointers:
# - /spec/persistentVolumeClaimRetentionPolicy
syncPolicy:
managedNamespaceMetadata:
labels:
component: aux
syncOptions:
- CreateNamespace=true
- ApplyOutOfSyncOnly=true
automated:
prune: true
selfHeal: true
sources:
- repoURL: https://openfga.github.io/helm-charts
targetRevision: 0.2.19
chart: openfga
helm:
valueFiles:
- $values/values/openfga/values-staging.yaml
- repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: nixidy
ref: values
apps/staging-sorcerer.yaml
-54
View File
@@ -1,54 +0,0 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: staging-sorcerer
namespace: argocd
annotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
destination:
namespace: staging-sorcerer
server: https://10.255.241.99:4443
project: atlantis
sources:
- repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: nixidy
ref: values
- repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: nixidy
path: values/sorcerer
plugin:
name: kustomize-helm-with-rewrite
parameters:
- name: env
string: staging
- name: hostname
string: sorcerer.ekman.oceanbox.io
- repoURL: https://charts.bitnami.com/bitnami
targetRevision: 20.1.7
chart: redis
helm:
valueFiles:
- $values/values/sorcerer/staging/redis.yaml
ignoreDifferences:
- kind: Secret
name: azure-keyvault
jqPathExpressions:
- '.data'
- '.metadata.labels'
- '.metadata.annotations'
- kind: Secret
name: prod-atlantis-rabbitmq
jqPathExpressions:
- '.data'
- '.metadata.labels'
- '.metadata.annotations'
syncPolicy:
syncOptions:
- CreateNamespace=true
- ApplyOutOfSyncOnly=true
# automated:
# prune: true
# selfHeal: false
charts/atlantis/Chart.yaml
+12
View File
@@ -1,6 +1,18 @@
apiVersion: v2 apiVersion: v2
name: atlantis name: atlantis
description: Atlantis map and simulation service description: Atlantis map and simulation service
# A chart can be either an 'application' or a 'library' chart.
#
# Application charts are a collection of templates that can be packaged into versioned archives
# to be deployed.
#
# Library charts provide useful utilities or functions for the chart developer. They're included as
# a dependency of application charts to inject those utilities and functions into the rendering
# pipeline. Library charts do not define any templates and therefore cannot be deployed.
type: application type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
version: v2.87.1 version: v2.87.1
# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application.
appVersion: v2.87.1 appVersion: v2.87.1
charts/atlantis/templates/cluster.yaml
+6 -34
View File
@@ -2,15 +2,14 @@
apiVersion: postgresql.cnpg.io/v1 apiVersion: postgresql.cnpg.io/v1
kind: Cluster kind: Cluster
metadata: metadata:
name: {{ include "Atlantis.fullname" . }}-db name: {{ include "Atlantis.fullname" . }}
namespace: {{ .Release.Namespace }}
annotations: annotations:
linkerd.io/inject: disabled linkerd.io/inject: disabled
labels: labels:
{{- include "Atlantis.labels" . | nindent 4 }} {{- include "Atlantis.labels" . | nindent 4 }}
spec: spec:
instances: {{ .Values.cluster.instances | default "1" }} instances: {{ .Values.cluster.instances | default "2" }}
imageName: ghcr.io/cloudnative-pg/postgis:15-3.3
# Example of rolling update strategy: # Example of rolling update strategy:
# - unsupervised: automated update of the primary once all # - unsupervised: automated update of the primary once all
# replicas have been upgraded (default) # replicas have been upgraded (default)
@@ -19,36 +18,9 @@ spec:
primaryUpdateStrategy: unsupervised primaryUpdateStrategy: unsupervised
backup: backup:
retentionPolicy: {{ .Values.cluster.backupRetention | default "60d" }} retentionPolicy: {{ .Values.cluster.backupRetention | default "60d" }}
storage: storage:
size: {{ .Values.cluster.size | default "5Gi" }} size: {{ .Values.cluster.size | default "5Gi" }}
{{- with .Values.cluster.bootstrap }}
bootstrap:
{{- if .enabled }}
pg_basebackup:
source: archmaester
externalClusters:
- name: archmaester
connectionParameters:
host: {{ .source.db }}-rw.{{ .source.namespace }}
user: streaming_replica
sslmode: verify-full
sslKey:
name: {{ .source.db }}-replication
key: tls.key
sslCert:
name: {{ .source.db }}-replication
key: tls.crt
sslRootCert:
name: {{ .source.db }}-ca
key: ca.crt
{{- else }}
initdb:
postInitTemplateSQL:
- CREATE EXTENSION postgis;
- CREATE EXTENSION postgis_topology;
- CREATE EXTENSION fuzzystrmatch;
- CREATE EXTENSION postgis_tiger_geocoder;
- ALTER USER app WITH SUPERUSER;
{{- end }}
{{- end }}
{{- end }} {{- end }}
charts/atlantis/templates/deployment.yaml
-1
View File
@@ -2,7 +2,6 @@ apiVersion: apps/v1
kind: Deployment kind: Deployment
metadata: metadata:
name: {{ include "Atlantis.fullname" . }} name: {{ include "Atlantis.fullname" . }}
namespace: {{ .Release.Namespace }}
labels: labels:
{{- include "Atlantis.labels" . | nindent 4 }} {{- include "Atlantis.labels" . | nindent 4 }}
spec: spec:
charts/atlantis/templates/hpa.yaml
-1
View File
@@ -3,7 +3,6 @@ apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler kind: HorizontalPodAutoscaler
metadata: metadata:
name: {{ include "Atlantis.fullname" . }} name: {{ include "Atlantis.fullname" . }}
namespace: {{ .Release.Namespace }}
labels: labels:
{{- include "Atlantis.labels" . | nindent 4 }} {{- include "Atlantis.labels" . | nindent 4 }}
spec: spec:
charts/atlantis/templates/ingress.yaml
+2 -3
View File
@@ -16,7 +16,6 @@ apiVersion: extensions/v1beta1
kind: Ingress kind: Ingress
metadata: metadata:
name: {{ $fullName }} name: {{ $fullName }}
namespace: {{ .Release.Namespace }}
labels: labels:
{{- include "Atlantis.labels" . | nindent 4 }} {{- include "Atlantis.labels" . | nindent 4 }}
{{- with .Values.ingress.annotations }} {{- with .Values.ingress.annotations }}
@@ -54,8 +53,8 @@ spec:
port: port:
number: {{ $svcPort }} number: {{ $svcPort }}
{{- else }} {{- else }}
serviceName: {{ .serviceName | default $fullName }} serviceName: {{ $fullName }}
servicePort: {{ .servicePort | default $svcPort }} servicePort: {{ $svcPort }}
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- end }} {{- end }}
charts/atlantis/templates/internal-ingress.yaml
-62
View File
@@ -1,62 +0,0 @@
{{- if .Values.ingress.enabled -}}
{{- $fullName := include "Atlantis.fullname" . -}}
{{- $svcPort := .Values.service.port -}}
{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
{{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }}
{{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}}
{{- end }}
{{- end }}
{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
apiVersion: networking.k8s.io/v1
{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
apiVersion: networking.k8s.io/v1beta1
{{- else -}}
apiVersion: extensions/v1beta1
{{- end }}
kind: Ingress
metadata:
name: {{ $fullName }}-internal
labels:
{{- include "Atlantis.labels" . | nindent 4 }}
{{- with .Values.ingress.annotations }}
annotations:
atlantis.oceanbox.io/expose: internal
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
ingressClassName: {{ .Values.ingress.className }}
{{- end }}
{{- if .Values.ingress.tls }}
tls:
{{- range .Values.ingress.tls }}
- hosts:
{{- range .hosts }}
- {{ . | quote }}
{{- end }}
secretName: {{ .secretName }}
{{- end }}
{{- end }}
rules:
{{- range .Values.ingress.hosts }}
- host: {{ .host | quote }}
http:
paths:
{{- range .internal }}
- path: {{ .path }}
{{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }}
pathType: {{ .pathType }}
{{- end }}
backend:
{{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
service:
name: {{ $fullName }}
port:
number: {{ $svcPort }}
{{- else }}
serviceName: {{ $fullName }}
servicePort: {{ $svcPort }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
charts/atlantis/templates/pvc.yaml
-1
View File
@@ -3,7 +3,6 @@ kind: PersistentVolumeClaim
apiVersion: v1 apiVersion: v1
metadata: metadata:
name: {{ template "Atlantis.fullname" . }} name: {{ template "Atlantis.fullname" . }}
namespace: {{ .Release.Namespace }}
{{- with .Values.persistence.annotations }} {{- with .Values.persistence.annotations }}
annotations: annotations:
{{ toYaml . | indent 4 }} {{ toYaml . | indent 4 }}
charts/atlantis/templates/secrets.yaml
-38
View File
@@ -1,38 +0,0 @@
{{- if not .Values.cluster.enabled }}
apiVersion: v1
kind: Secret
metadata:
annotations:
kyverno/clone: "true"
name: {{ include "Atlantis.fullname" . }}-db-superuser
namespace: {{ .Release.Namespace }}
type: kubernetes.io/basic-auth
data:
username:
password:
{{- else }}
{{- if .Values.cluster.bootstrap.enabled }}
apiVersion: v1
kind: Secret
metadata:
annotations:
kyverno/clone: "true"
name: {{ .Values.cluster.bootstrap.source.db }}-replication
type: kubernetes.io/tls
data:
tls.crt: ""
tls.key: ""
---
apiVersion: v1
kind: Secret
type: Opaque
metadata:
annotations:
kyverno/clone: "true"
name: {{ .Values.cluster.bootstrap.source.db }}-ca
namespace: {{ .Release.Namespace }}
data:
ca.crt: ""
ca.key: ""
{{- end }}
{{- end }}
charts/atlantis/templates/service.yaml
-1
View File
@@ -2,7 +2,6 @@ apiVersion: v1
kind: Service kind: Service
metadata: metadata:
name: {{ include "Atlantis.fullname" . }} name: {{ include "Atlantis.fullname" . }}
namespace: {{ .Release.Namespace }}
labels: labels:
{{- include "Atlantis.labels" . | nindent 4 }} {{- include "Atlantis.labels" . | nindent 4 }}
spec: spec:
charts/atlantis/templates/serviceaccount.yaml
-1
View File
@@ -3,7 +3,6 @@ apiVersion: v1
kind: ServiceAccount kind: ServiceAccount
metadata: metadata:
name: {{ include "Atlantis.serviceAccountName" . }} name: {{ include "Atlantis.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
labels: labels:
{{- include "Atlantis.labels" . | nindent 4 }} {{- include "Atlantis.labels" . | nindent 4 }}
{{- with .Values.serviceAccount.annotations }} {{- with .Values.serviceAccount.annotations }}
charts/atlantis/templates/servicemonitor.yaml
-20
View File
@@ -1,20 +0,0 @@
{{- if .Values.serviceMonitor.enabled }}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ include "Atlantis.fullname" . }}
namespace: {{ .Release.Namespace }}
spec:
endpoints:
- honorLabels: false
path: /metrics
port: http
jobLabel: {{ .Values.serviceMonitor.label | default (include "Atlantis.fullname" .) }}
namespaceSelector:
matchNames:
- {{ .Release.Namespace }}
selector:
matchLabels:
app.kubernetes.io/instance: {{ include "Atlantis.fullname" . }}
app.kubernetes.io/name: atlantis
{{- end }}
charts/atlantis/values.yaml
+3 -34
View File
@@ -3,17 +3,14 @@
# Declare variables to be passed into your templates. # Declare variables to be passed into your templates.
replicaCount: 1 replicaCount: 1
image: image:
repository: registry.gitlab.com/oceanbox/atlantis repository: registry.gitlab.com/oceanbox/atlantis
tag: v2.87.1 tag: v2.87.1
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
init: init:
enabled: false enabled: false
image: ubuntu:rolling image: ubuntu:rolling
command: ["/bin/sh", "-c", "true"] command: ["/bin/sh", "-c", "true"]
env: env:
- name: LOG_LEVEL - name: LOG_LEVEL
value: "3" value: "3"
@@ -25,14 +22,10 @@ env:
valueFrom: valueFrom:
fieldRef: fieldRef:
fieldPath: metadata.namespace fieldPath: metadata.namespace
imagePullSecrets: imagePullSecrets:
- name: gitlab-pull-secret - name: gitlab-pull-secret
nameOverride: "" nameOverride: ""
fullnameOverride: "" fullnameOverride: ""
serviceAccount: serviceAccount:
create: true create: true
# Annotations to add to the service account # Annotations to add to the service account
@@ -40,12 +33,9 @@ serviceAccount:
# The name of the service account to use. # The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template # If not set and create is true, a name is generated using the fullname template
name: "" name: ""
podAnnotations: {} podAnnotations: {}
podSecurityContext: podSecurityContext:
fsGroup: 2000 fsGroup: 2000
securityContext: securityContext:
capabilities: capabilities:
drop: drop:
@@ -53,13 +43,11 @@ securityContext:
readOnlyRootFilesystem: false readOnlyRootFilesystem: false
runAsNonRoot: true runAsNonRoot: true
runAsUser: 1000 runAsUser: 1000
service: service:
type: ClusterIP type: ClusterIP
port: 8085 port: 8085
ingress: ingress:
enabled: false enabled: true
className: "nginx" className: "nginx"
annotations: annotations:
nginx.ingress.kubernetes.io/ssl-redirect: "true" nginx.ingress.kubernetes.io/ssl-redirect: "true"
@@ -69,36 +57,21 @@ ingress:
paths: paths:
- path: / - path: /
pathType: ImplementationSpecific pathType: ImplementationSpecific
- path: /events
pathType: ImplementationSpecific
serviceName: main-ingress-nginx-defaultbackend.ingress-nginx
servicePort: 80
internal:
- path: /internal
pathType: ImplementationSpecific
tls: tls:
- hosts: - hosts:
- atlantis.srv.oceanbox.io - atlantis.srv.oceanbox.io
secretName: atlantis-tls secretName: atlantis-tls
persistence: persistence:
enabled: false enabled: false
size: 1G size: 1G
storageClass: "" storageClass: ""
accessMode: ReadWriteOnce accessMode: ReadWriteOnce
cluster: cluster:
enabled: true enabled: false
instances: 1 instances: 2
backupEnabled: true backupEnabled: true
backupRetention: 60d backupRetention: 60d
size: 5Gi size: 5Gi
bootstrap:
enabled: true
source:
db: prod-archmeister
namespace: atlantis
resources: {} resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious # We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little # choice for the user. This also increases chances charts run on environments with little
@@ -117,10 +90,6 @@ autoscaling:
maxReplicas: 100 maxReplicas: 100
targetCPUUtilizationPercentage: 80 targetCPUUtilizationPercentage: 80
# targetMemoryUtilizationPercentage: 80 # targetMemoryUtilizationPercentage: 80
serviceMonitor:
enabled: true
nodeSelector: {} nodeSelector: {}
tolerations: [] tolerations: []
affinity: {} affinity: {}
charts/sorcerer/Chart.yaml
+12
View File
@@ -1,6 +1,18 @@
apiVersion: v2 apiVersion: v2
name: sorcerer name: sorcerer
description: A Helm chart for Kubernetes description: A Helm chart for Kubernetes
# A chart can be either an 'application' or a 'library' chart.
#
# Application charts are a collection of templates that can be packaged into versioned archives
# to be deployed.
#
# Library charts provide useful utilities or functions for the chart developer. They're included as
# a dependency of application charts to inject those utilities and functions into the rendering
# pipeline. Library charts do not define any templates and therefore cannot be deployed.
type: application type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
version: v4.9.0 version: v4.9.0
# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application.
appVersion: v4.9.0 appVersion: v4.9.0
charts/sorcerer/templates/internal-ingress.yaml
-62
View File
@@ -1,62 +0,0 @@
{{- if .Values.ingress.enabled -}}
{{- $fullName := include "Sorcerer.fullname" . -}}
{{- $svcPort := .Values.service.port -}}
{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
{{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }}
{{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}}
{{- end }}
{{- end }}
{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
apiVersion: networking.k8s.io/v1
{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
apiVersion: networking.k8s.io/v1beta1
{{- else -}}
apiVersion: extensions/v1beta1
{{- end }}
kind: Ingress
metadata:
name: {{ $fullName }}-internal
labels:
{{- include "Sorcerer.labels" . | nindent 4 }}
{{- with .Values.ingress.annotations }}
annotations:
atlantis.oceanbox.io/expose: internal
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
ingressClassName: {{ .Values.ingress.className }}
{{- end }}
{{- if .Values.ingress.tls }}
tls:
{{- range .Values.ingress.tls }}
- hosts:
{{- range .hosts }}
- {{ . | quote }}
{{- end }}
secretName: {{ .secretName }}
{{- end }}
{{- end }}
rules:
{{- range .Values.ingress.hosts }}
- host: {{ .host | quote }}
http:
paths:
{{- range .internal }}
- path: {{ .path }}
{{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }}
pathType: {{ .pathType }}
{{- end }}
backend:
{{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
service:
name: {{ $fullName }}
port:
number: {{ $svcPort }}
{{- else }}
serviceName: {{ $fullName }}
servicePort: {{ $svcPort }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
charts/sorcerer/values.yaml
-20
View File
@@ -3,17 +3,14 @@
# Declare variables to be passed into your templates. # Declare variables to be passed into your templates.
replicaCount: 1 replicaCount: 1
image: image:
repository: registry.gitlab.com/oceanbox/sorcerer repository: registry.gitlab.com/oceanbox/sorcerer
tag: v4.9.0 tag: v4.9.0
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
init: init:
enabled: false enabled: false
image: ubuntu:rolling image: ubuntu:rolling
command: ["/bin/sh", "-c", "true"] command: ["/bin/sh", "-c", "true"]
env: env:
- name: LOG_LEVEL - name: LOG_LEVEL
value: "3" value: "3"
@@ -25,14 +22,10 @@ env:
valueFrom: valueFrom:
fieldRef: fieldRef:
fieldPath: metadata.namespace fieldPath: metadata.namespace
imagePullSecrets: imagePullSecrets:
- name: gitlab-pull-secret - name: gitlab-pull-secret
nameOverride: "" nameOverride: ""
fullnameOverride: "" fullnameOverride: ""
serviceAccount: serviceAccount:
create: true create: true
# Annotations to add to the service account # Annotations to add to the service account
@@ -40,12 +33,9 @@ serviceAccount:
# The name of the service account to use. # The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template # If not set and create is true, a name is generated using the fullname template
name: "" name: ""
podAnnotations: {} podAnnotations: {}
podSecurityContext: podSecurityContext:
fsGroup: 2000 fsGroup: 2000
securityContext: securityContext:
capabilities: capabilities:
drop: drop:
@@ -53,11 +43,9 @@ securityContext:
readOnlyRootFilesystem: false readOnlyRootFilesystem: false
runAsNonRoot: true runAsNonRoot: true
runAsUser: 1000 runAsUser: 1000
service: service:
type: ClusterIP type: ClusterIP
port: 8085 port: 8085
ingress: ingress:
enabled: true enabled: true
className: "nginx" className: "nginx"
@@ -69,9 +57,6 @@ ingress:
paths: paths:
- path: / - path: /
pathType: ImplementationSpecific pathType: ImplementationSpecific
internal:
- path: /internal
pathType: ImplementationSpecific
tls: tls:
- hosts: - hosts:
- sorcerer.srv.oceanbox.io - sorcerer.srv.oceanbox.io
@@ -88,7 +73,6 @@ cluster:
backupEnabled: true backupEnabled: true
backupRetention: 60d backupRetention: 60d
size: 5Gi size: 5Gi
resources: {} resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious # We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little # choice for the user. This also increases chances charts run on environments with little
@@ -107,10 +91,6 @@ autoscaling:
maxReplicas: 100 maxReplicas: 100
targetCPUUtilizationPercentage: 80 targetCPUUtilizationPercentage: 80
# targetMemoryUtilizationPercentage: 80 # targetMemoryUtilizationPercentage: 80
serviceMonitor:
enabled: true
nodeSelector: {} nodeSelector: {}
tolerations: [] tolerations: []
affinity: {} affinity: {}
charts/vcluster/templates/allow-external-services.yaml
+2 -2
View File
@@ -6,9 +6,9 @@ metadata:
spec: spec:
egress: egress:
- toFQDNs: - toFQDNs:
- matchName: api.github.com
- matchName: dapr.github.io - matchName: dapr.github.io
- matchName: gitlab.com
- matchName: analytics.loft.rocks - matchName: analytics.loft.rocks
# - matchName: gitlab.com
# - matchName: api.github.com
endpointSelector: endpointSelector:
matchLabels: {} matchLabels: {}
charts/vcluster/templates/cnpg.yaml
+2 -2
View File
@@ -24,7 +24,7 @@ spec:
apiVersion: postgresql.cnpg.io/v1 apiVersion: postgresql.cnpg.io/v1
kind: Cluster kind: Cluster
metadata: metadata:
name: {{ $name }}-archmaester name: staging-archmeister
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
annotations: annotations:
linkerd.io/inject: disabled linkerd.io/inject: disabled
@@ -54,7 +54,7 @@ spec:
externalClusters: externalClusters:
- name: prod-archmeister - name: prod-archmeister
connectionParameters: connectionParameters:
host: prod-archmeister-rw.atlantis host: prod-archmeister-rw.atlantis.svc
user: streaming_replica user: streaming_replica
sslmode: verify-full sslmode: verify-full
sslKey: sslKey:
charts/vcluster/templates/kyverno-policies/allow-vcluster-apiserver.yaml
+49
View File
@@ -0,0 +1,49 @@
{{- $fullname := include "vCluster.fullname" . -}}
{{- $name := include "vCluster.releaseName" . -}}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
annotations:
kyverno.io/kyverno-version: 1.7.0
policies.kyverno.io/description: Allow egress to vcluster kube-apiserver
policies.kyverno.io/minversion: 1.7.0
policies.kyverno.io/subject: Namespace, NetworkPolicy
policies.kyverno.io/title: Generate NetworkPolicy to Existing Namespaces
name: allow-{{ $name }}-vcluster-apiserver
namespace: {{ .Release.Namespace }}
spec:
background: true
generateExisting: true
rules:
- name: allow-{{ $name }}-vcluster-apiserver
generate:
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
name: allow-{{ $name }}-vcluster-apiserver-access
namespace: {{ printf "{{request.object.metadata.name}}" | quote }}
synchronize: true
data:
spec:
description: Allow egress to vcluster kube-apiserver
egress:
- toEndpoints:
- matchLabels:
app: vcluster
toPorts:
- ports:
- port: "443"
protocol: TCP
endpointSelector: {}
match:
any:
- resources:
kinds:
- Namespace
names:
- {{ $fullname }}
- resources:
kinds:
- Namespace
selector:
matchLabels:
vcluster.loft.sh/vcluster-name: {{ $fullname }}
charts/vcluster/templates/kyverno-policies/sync-vcluster-atlantis-secrets.yaml
+66
View File
@@ -0,0 +1,66 @@
{{- $name := include "vCluster.releaseName" . -}}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: "sync-{{ $name }}-vcluster-secrets"
spec:
background: true
generateExisting: true
rules:
- name: sync-rabbitmq-secrets
generate:
apiVersion: v1
kind: Secret
name: staging-rabbitmq
namespace: {{ printf "{{request.object.metadata.name}}" | quote }}
synchronize: false
clone:
namespace: rabbitmq
name: staging-rabbitmq
match:
resources:
kinds:
- Namespace
names:
- "vcluster-009dba7e-*"
selector:
matchLabels:
vcluster.loft.sh/vcluster-namespace: '{{ .Release.Namespace }}'
- name: sync-redis-secrets
generate:
apiVersion: v1
kind: Secret
name: staging-redis
namespace: {{ printf "{{request.object.metadata.name}}" | quote }}
synchronize: false
clone:
namespace: redis
name: staging-redis
match:
resources:
kinds:
- Namespace
names:
- "vcluster-009dba7e-*"
selector:
matchLabels:
vcluster.loft.sh/vcluster-namespace: '{{ .Release.Namespace }}'
- name: sync-archmeister-app-secret
generate:
apiVersion: v1
kind: Secret
name: staging-archmeister-app
namespace: {{ printf "{{request.object.metadata.name}}" | quote }}
synchronize: false
clone:
namespace: '{{ .Release.Namespace }}'
name: staging-archmeister-superuser
match:
resources:
kinds:
- Namespace
names:
- "vcluster-009dba7e-*"
selector:
matchLabels:
vcluster.loft.sh/vcluster-namespace: '{{ .Release.Namespace }}'
charts/vcluster/templates/kyverno-policies/sync-vcluster-oceanbox-regcred.yaml
+40
View File
@@ -0,0 +1,40 @@
{{- $fullname := include "vCluster.fullname" . -}}
{{- $name := include "vCluster.releaseName" . -}}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
annotations:
policies.kyverno.io/category: Sample
policies.kyverno.io/description: 'Secrets like registry credentials often need
to exist in multiple Namespaces so Pods there have access. Manually duplicating
those Secrets is time consuming and error prone. This policy will copy a Secret
called `regcred` which exists in the `default` Namespace to new Namespaces when
they are created. It will also push updates to the copied Secrets should the
source Secret be changed. '
creationTimestamp: "2024-01-15T11:58:24Z"
name: sync-{{ $name }}-vcluster-oceanbox-regcred
spec:
admission: true
background: true
generateExisting: true
rules:
- generate:
apiVersion: v1
clone:
# name: oceanbox-regcred
name: gitlab-pull-secret
namespace: default
kind: Secret
# name: oceanbox-regcred
name: gitlab-pull-secret
namespace: {{ printf "{{request.object.metadata.name}}" | quote }}
synchronize: false
match:
any:
- resources:
kinds:
- Namespace
selector:
matchLabels:
vcluster.loft.sh/vcluster-name: {{ $fullname }}
name: sync-vcluster-oceanbox-regcred
charts/vcluster/templates/vcluster.yaml
+18 -6
View File
@@ -16,7 +16,7 @@ spec:
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
source: source:
repoURL: https://charts.loft.sh repoURL: https://charts.loft.sh
targetRevision: 0.20.1 targetRevision: 0.19.5
chart: vcluster chart: vcluster
helm: helm:
values: |- values: |-
@@ -63,10 +63,12 @@ spec:
mapServices: mapServices:
fromHost: fromHost:
- from: "redis/{{ .Values.environment }}-redis-master"
to: "redis/{{ .Values.environment }}-redis-master"
- from: "rabbitmq/{{ .Values.environment }}-rabbitmq" - from: "rabbitmq/{{ .Values.environment }}-rabbitmq"
to: "rabbitmq/{{ .Values.environment }}-rabbitmq" to: "rabbitmq/{{ .Values.environment }}-rabbitmq"
- from: "{{ .Release.Namespace }}/{{ $name }}-archmaester-rw" - from: "{{ .Release.Namespace }}/staging-archmeister-rw"
to: "atlantis/{{ $name }}-archmaester-rw" to: "atlantis/staging-archmeister-rw"
- from: "idp/{{ .Values.environment }}-openfga" - from: "idp/{{ .Values.environment }}-openfga"
to: "idp/{{ .Values.environment }}-openfga" to: "idp/{{ .Values.environment }}-openfga"
- from: "otel/opentelemetry-collector" - from: "otel/opentelemetry-collector"
@@ -97,11 +99,21 @@ spec:
config: |- config: |-
version: v1beta1 version: v1beta1
import: import:
- kind: Secret
apiVersion: v1
export:
- kind: Cluster - kind: Cluster
apiVersion: postgresql.cnpg.io/v1 apiVersion: postgresql.cnpg.io/v1
- kind: Secret
apiVersion: v1
# - kind: Component
# apiVersion: dapr.io/v1alpha1
# - kind: Configuration
# apiVersion: dapr.io/v1alpha1
# - kind: Subscription
# apiVersion: dapr.io/v1alpha1
# - kind: CiliumNetworkPolicy
# apiVersion: cilium.io/v2
export:
- kind: CiliumNetworkPolicy
apiVersion: cilium.io/v2
init: init:
manifests: |- manifests: |-
--- ---
default.nix
-33
View File
@@ -1,33 +0,0 @@
let
sources = import ./nix;
system = builtins.currentSystem;
pkgs = import sources.nixpkgs {
inherit system;
config = { };
overlays = [ ];
};
nixpkgs = sources.nixpkgs;
nixhelm = sources.nixhelm;
nixidy = import sources.nixidy { inherit nixpkgs; };
kube = pkgs.callPackage "${sources.nix-kube-gen}/lib/default.nix" { inherit pkgs; };
in
nixidy.lib.mkEnvs {
libOverlay = self: super: {
apps = import ./modules/lib.nix { inherit pkgs kube; };
};
modules = [
(
{ lib, ... }:
{
nixidy.charts = lib.helm.mkChartAttrs "${nixhelm}/charts";
}
)
./modules
./apps
./policies
];
envs = {
prod.modules = [ ./envs/prod.nix ];
staging.modules = [ ./envs/staging.nix ];
};
}
envs/prod.nix
-13
View File
@@ -1,13 +0,0 @@
_:
{
config = {
apps = {
env = "prod";
autoSync = false;
prune = false;
atlantis.enable = true;
openfga.enable = true;
};
};
}
envs/staging.nix
-17
View File
@@ -1,17 +0,0 @@
_:
{
config = {
apps = {
env = "staging";
autoSync = true;
prune = true;
atlantis = {
enable = true;
autoSync = true;
prune = false;
};
openfga.enable = true;
};
};
}
flake.lock
Generated
-666
View File
@@ -1,666 +0,0 @@
{
"nodes": {
"cargo2nix": {
"inputs": {
"flake-compat": "flake-compat_3",
"flake-utils": "flake-utils_5",
"nixpkgs": "nixpkgs_3",
"rust-overlay": "rust-overlay"
},
"locked": {
"lastModified": 1699033427,
"narHash": "sha256-OVtd5IPbb4NvHibN+QvMrMxq7aZN5GFoINZSAXKjUdA=",
"owner": "cargo2nix",
"repo": "cargo2nix",
"rev": "c6f33051f412352f293e738cc8da6fd4c457080f",
"type": "github"
},
"original": {
"owner": "cargo2nix",
"ref": "release-0.11.0",
"repo": "cargo2nix",
"type": "github"
}
},
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1673956053,
"narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_2": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_3": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-utils": {
"inputs": {
"systems": "systems"
},
"locked": {
"lastModified": 1726560853,
"narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_2": {
"inputs": {
"systems": "systems_2"
},
"locked": {
"lastModified": 1710146030,
"narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
"type": "github"
},
"original": {
"id": "flake-utils",
"type": "indirect"
}
},
"flake-utils_3": {
"inputs": {
"systems": "systems_3"
},
"locked": {
"lastModified": 1710146030,
"narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_4": {
"inputs": {
"systems": "systems_5"
},
"locked": {
"lastModified": 1701680307,
"narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_5": {
"inputs": {
"systems": "systems_7"
},
"locked": {
"lastModified": 1694529238,
"narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "ff7b65b44d01cf9ba6a71320833626af21126384",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"gitignore": {
"inputs": {
"nixpkgs": [
"pre-commit-hooks",
"nixpkgs"
]
},
"locked": {
"lastModified": 1709087332,
"narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"type": "github"
}
},
"haumea": {
"inputs": {
"nixpkgs": [
"nixhelm",
"nixpkgs"
]
},
"locked": {
"lastModified": 1685133229,
"narHash": "sha256-FePm/Gi9PBSNwiDFq3N+DWdfxFq0UKsVVTJS3cQPn94=",
"owner": "nix-community",
"repo": "haumea",
"rev": "34dd58385092a23018748b50f9b23de6266dffc2",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "v0.2.2",
"repo": "haumea",
"type": "github"
}
},
"kubenix": {
"inputs": {
"flake-compat": "flake-compat",
"nixpkgs": [
"nixidy",
"nixpkgs"
],
"systems": "systems_6",
"treefmt": "treefmt"
},
"locked": {
"lastModified": 1718110643,
"narHash": "sha256-KrEOCx/bpN++sySOEL5EO5AhYsqRZZk+CXacueUeSl4=",
"owner": "hall",
"repo": "kubenix",
"rev": "a04066c45526c6d8410ba998134f692ff991b4f3",
"type": "github"
},
"original": {
"owner": "hall",
"repo": "kubenix",
"type": "github"
}
},
"nix-github-actions": {
"inputs": {
"nixpkgs": [
"nixhelm",
"poetry2nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1703863825,
"narHash": "sha256-rXwqjtwiGKJheXB43ybM8NwWB8rO2dSRrEqes0S7F5Y=",
"owner": "nix-community",
"repo": "nix-github-actions",
"rev": "5163432afc817cf8bd1f031418d1869e4c9d5547",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nix-github-actions",
"type": "github"
}
},
"nix-kube-generators": {
"locked": {
"lastModified": 1708155396,
"narHash": "sha256-A/BIeJjiRS7sBYP6tFJa/WHDPHe7DGTCkSEKXttYeAQ=",
"owner": "farcaller",
"repo": "nix-kube-generators",
"rev": "14dbd5e5b40615937900f71d9a9851b59b4d9a88",
"type": "github"
},
"original": {
"owner": "farcaller",
"repo": "nix-kube-generators",
"type": "github"
}
},
"nix-kube-generators_2": {
"locked": {
"lastModified": 1708155396,
"narHash": "sha256-A/BIeJjiRS7sBYP6tFJa/WHDPHe7DGTCkSEKXttYeAQ=",
"owner": "farcaller",
"repo": "nix-kube-generators",
"rev": "14dbd5e5b40615937900f71d9a9851b59b4d9a88",
"type": "github"
},
"original": {
"owner": "farcaller",
"repo": "nix-kube-generators",
"type": "github"
}
},
"nix-kube-generators_3": {
"locked": {
"lastModified": 1708155396,
"narHash": "sha256-A/BIeJjiRS7sBYP6tFJa/WHDPHe7DGTCkSEKXttYeAQ=",
"owner": "farcaller",
"repo": "nix-kube-generators",
"rev": "14dbd5e5b40615937900f71d9a9851b59b4d9a88",
"type": "github"
},
"original": {
"owner": "farcaller",
"repo": "nix-kube-generators",
"type": "github"
}
},
"nixhelm": {
"inputs": {
"flake-utils": "flake-utils_2",
"haumea": "haumea",
"nix-kube-generators": "nix-kube-generators_2",
"nixpkgs": [
"nixpkgs"
],
"poetry2nix": "poetry2nix"
},
"locked": {
"lastModified": 1728868745,
"narHash": "sha256-ZuaxkAtUL1visOmVMxgHk3j+H8/bMmm82tJfE1s35VY=",
"owner": "farcaller",
"repo": "nixhelm",
"rev": "f901d2ba3ce1bd0086d50efdcce3cc76bce04d80",
"type": "github"
},
"original": {
"owner": "farcaller",
"repo": "nixhelm",
"type": "github"
}
},
"nixidy": {
"inputs": {
"flake-utils": "flake-utils_4",
"kubenix": "kubenix",
"nix-kube-generators": "nix-kube-generators_3",
"nixpkgs": "nixpkgs"
},
"locked": {
"lastModified": 1728815994,
"narHash": "sha256-uF6HAoDMAX0cZbKH27k/0UpIteQMhyLkP1rYKUfj5ys=",
"owner": "arnarg",
"repo": "nixidy",
"rev": "6e20193c95a0aaca444289d7c69f4eb329d25234",
"type": "github"
},
"original": {
"owner": "arnarg",
"ref": "HEAD",
"repo": "nixidy",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1702151865,
"narHash": "sha256-9VAt19t6yQa7pHZLDbil/QctAgVsA66DLnzdRGqDisg=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "666fc80e7b2afb570462423cb0e1cf1a3a34fedd",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1720386169,
"narHash": "sha256-NGKVY4PjzwAa4upkGtAMz1npHGoRzWotlSnVlqI40mo=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "194846768975b7ad2c4988bdb82572c00222c0d7",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-24.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1728492678,
"narHash": "sha256-9UTxR8eukdg+XZeHgxW5hQA9fIKHsKCdOIUycTryeVw=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "5633bcff0c6162b9e4b5f1264264611e950c8ec7",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_3": {
"locked": {
"lastModified": 1697382362,
"narHash": "sha256-PvFjWFmSYOF6TjNZ/WjOeqa+sgaWm+83Fz37vEuATHA=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "ad9a253a0d34f313707f9c25fb8c95c65b1c8882",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "release-23.05",
"repo": "nixpkgs",
"type": "github"
}
},
"poetry2nix": {
"inputs": {
"flake-utils": "flake-utils_3",
"nix-github-actions": "nix-github-actions",
"nixpkgs": [
"nixhelm",
"nixpkgs"
],
"systems": "systems_4",
"treefmt-nix": "treefmt-nix"
},
"locked": {
"lastModified": 1718285706,
"narHash": "sha256-DScsBM+kZvxOva7QegfdtleebMXh30XPxDQr/1IGKYo=",
"owner": "nix-community",
"repo": "poetry2nix",
"rev": "a5be1bbbe0af0266147a88e0ec43b18c722f2bb9",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "poetry2nix",
"type": "github"
}
},
"pre-commit-hooks": {
"inputs": {
"flake-compat": "flake-compat_2",
"gitignore": "gitignore",
"nixpkgs": [
"nixpkgs"
],
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1728778939,
"narHash": "sha256-WybK5E3hpGxtCYtBwpRj1E9JoiVxe+8kX83snTNaFHE=",
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"rev": "ff68f91754be6f3427e4986d7949e6273659be1d",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"type": "github"
}
},
"root": {
"inputs": {
"flake-utils": "flake-utils",
"nix-kube-generators": "nix-kube-generators",
"nixhelm": "nixhelm",
"nixidy": "nixidy",
"nixpkgs": "nixpkgs_2",
"pre-commit-hooks": "pre-commit-hooks",
"yaml2nix": "yaml2nix"
}
},
"rust-overlay": {
"inputs": {
"flake-utils": [
"yaml2nix",
"cargo2nix",
"flake-utils"
],
"nixpkgs": [
"yaml2nix",
"cargo2nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1697336027,
"narHash": "sha256-ctmmw7j4liyfSh63v9rdFZeIoNYCkCvgqvtEOB7KhX8=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "e494404d36a41247987eeb1bfc2f1ca903e97764",
"type": "github"
},
"original": {
"owner": "oxalica",
"repo": "rust-overlay",
"type": "github"
}
},
"systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_2": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_3": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_4": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"id": "systems",
"type": "indirect"
}
},
"systems_5": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_6": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"id": "systems",
"type": "indirect"
}
},
"systems_7": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"treefmt": {
"inputs": {
"nixpkgs": [
"nixidy",
"kubenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1688026376,
"narHash": "sha256-qJmkr9BWDpqblk4E9/rCsAEl39y2n4Ycw6KRopvpUcY=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "df3f32b0cc253dfc7009b7317e8f0e7ccd70b1cf",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "treefmt-nix",
"type": "github"
}
},
"treefmt-nix": {
"inputs": {
"nixpkgs": [
"nixhelm",
"poetry2nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1717850719,
"narHash": "sha256-npYqVg+Wk4oxnWrnVG7416fpfrlRhp/lQ6wQ4DHI8YE=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "4fc1c45a5f50169f9f29f6a98a438fb910b834ed",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "treefmt-nix",
"type": "github"
}
},
"yaml2nix": {
"inputs": {
"cargo2nix": "cargo2nix",
"flake-utils": [
"flake-utils"
],
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1726132715,
"narHash": "sha256-DkHWWpvBco2yodyOk40LjTNcoaJ1bFKf0JY9OwWgy5M=",
"owner": "euank",
"repo": "yaml2nix",
"rev": "3a6df359da40ee49cb9ed597c2400342b76f2083",
"type": "github"
},
"original": {
"owner": "euank",
"repo": "yaml2nix",
"type": "github"
}
}
},
"root": "root",
"version": 7
}
flake.nix
-148
View File
@@ -1,148 +0,0 @@
{
description = "My ArgoCD configuration with nixidy.";
inputs = {
nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
flake-utils.url = "github:numtide/flake-utils";
nixidy = {
url = "github:juselius/nixidy?ref=HEAD";
# url = "github:juselius/nixidy?ref=special-args";
# url = "/home/jonas/src/OceanBox/nixidy";
# inputs.nixpkgs.follows = "nixpkgs";
};
nixhelm = {
url = "github:farcaller/nixhelm";
inputs.nixpkgs.follows = "nixpkgs";
};
pre-commit-hooks = {
url = "github:cachix/pre-commit-hooks.nix";
inputs.nixpkgs.follows = "nixpkgs";
};
nix-kube-generators.url = "github:farcaller/nix-kube-generators";
yaml2nix = {
url = "github:euank/yaml2nix";
inputs.nixpkgs.follows = "nixpkgs";
inputs.flake-utils.follows = "flake-utils";
};
};
outputs =
{
self,
nixpkgs,
flake-utils,
nixidy,
nixhelm,
yaml2nix,
pre-commit-hooks,
nix-kube-generators,
}:
(flake-utils.lib.eachDefaultSystem (
system:
let
pkgs = import nixpkgs { inherit system; };
kube = nix-kube-generators.lib { inherit pkgs; };
lib = {
apps = import ./modules/lib.nix { inherit pkgs kube;};
};
in
{
nixidyEnvs = nixidy.lib.mkEnvs {
inherit pkgs;
extraSpecialArgs = { inherit lib; };
charts = nixhelm.chartsDerivations.${system};
modules = [
./modules
./apps
./policies
];
envs = {
prod.modules = [ ./envs/prod.nix ];
staging.modules = [ ./envs/staging.nix ];
};
};
checks = {
pre-commit-check = pre-commit-hooks.lib.${system}.run {
src = ./.;
hooks = {
nixfmt-rfc-style.enable = false;
deadnix.enable = false;
statix.enable = false;
};
};
};
packages = {
nixidy = nixidy.packages.${system}.default;
generators = {
cilium = nixidy.packages.${system}.generators.fromCRD {
name = "cilium";
src = pkgs.fetchFromGitHub {
owner = "cilium";
repo = "cilium";
rev = "v1.16.0";
hash = "sha256-LJrNGHF52hdKCuVwjvGifqsH+8hxkf/A3LZNpCHeR7E=";
};
crds = [
"pkg/k8s/apis/cilium.io/client/crds/v2/ciliumnetworkpolicies.yaml"
"pkg/k8s/apis/cilium.io/client/crds/v2/ciliumclusterwidenetworkpolicies.yaml"
];
};
kyverno = nixidy.packages.${system}.generators.fromCRD {
name = "kyverno";
src = pkgs.fetchFromGitHub {
owner = "kyverno";
repo = "kyverno";
rev = "v1.12.6";
hash = "sha256-FwVB1okxhWTzWlZljGEEH9KuSsJl9GmwnX7bn4iDx/M=";
};
crds = [
"config/crds/kyverno/kyverno.io_cleanuppolicies.yaml"
"config/crds/kyverno/kyverno.io_clustercleanuppolicies.yaml"
"config/crds/kyverno/kyverno.io_clusterpolicies.yaml"
"config/crds/kyverno/kyverno.io_globalcontextentries.yaml"
"config/crds/kyverno/kyverno.io_policies.yaml"
"config/crds/kyverno/kyverno.io_policyexceptions.yaml"
"config/crds/kyverno/kyverno.io_updaterequests.yaml"
];
};
};
};
apps = {
gen-crd = {
type = "app";
program =
(pkgs.writeShellScript "generate-modules" ''
set -eo pipefail
echo "generate cilium"
cat ${self.packages.${system}.generators.cilium} > modules/cilium-crd.nix
echo "generate kyverno"
cat ${self.packages.${system}.generators.kyverno} > modules/kyverno-crd.nix
'').outPath;
};
};
devShells.default = pkgs.mkShellNoCC {
inherit (self.checks.${system}.pre-commit-check) shellHook;
nativeBuildInputs = with pkgs; [
self.checks.${system}.pre-commit-check.enabledPackages
nixidy.packages.${system}.default
yaml2nix.packages.${system}.default
nixd
nixfmt-rfc-style
just
fzf
];
NIXD_FLAGS = "--inlay-hints";
};
}
));
}
generate.nix
-44
View File
@@ -1,44 +0,0 @@
let
sources = import ./nix;
system = builtins.currentSystem;
pkgs = import sources.nixpkgs {
inherit system;
config = { };
overlays = [ ];
};
nixpkgs = sources.nixpkgs;
nixidy = import sources.nixidy { inherit nixpkgs; };
in
{
cilium = nixidy.generators.fromCRD {
name = "cilium";
src = pkgs.fetchFromGitHub {
owner = "cilium";
repo = "cilium";
rev = "v1.16.0";
hash = "sha256-LJrNGHF52hdKCuVwjvGifqsH+8hxkf/A3LZNpCHeR7E=";
};
crds = [
"pkg/k8s/apis/cilium.io/client/crds/v2/ciliumnetworkpolicies.yaml"
"pkg/k8s/apis/cilium.io/client/crds/v2/ciliumclusterwidenetworkpolicies.yaml"
];
};
kyverno = nixidy.generators.fromCRD {
name = "kyverno";
src = pkgs.fetchFromGitHub {
owner = "kyverno";
repo = "kyverno";
rev = "v1.12.6";
hash = "sha256-FwVB1okxhWTzWlZljGEEH9KuSsJl9GmwnX7bn4iDx/M=";
};
crds = [
"config/crds/kyverno/kyverno.io_cleanuppolicies.yaml"
"config/crds/kyverno/kyverno.io_clustercleanuppolicies.yaml"
"config/crds/kyverno/kyverno.io_clusterpolicies.yaml"
"config/crds/kyverno/kyverno.io_globalcontextentries.yaml"
"config/crds/kyverno/kyverno.io_policies.yaml"
"config/crds/kyverno/kyverno.io_policyexceptions.yaml"
"config/crds/kyverno/kyverno.io_updaterequests.yaml"
];
};
}
justfile
-17
View File
@@ -1,17 +0,0 @@
default := "prod"
default:
just --choose
info target=default:
nix run .#nixidy -- info .#{{target}}
build target=default:
nix run .#nixidy -- build .#{{target}}
switch target=default:
nix run .#nixidy -- switch .#{{target}}
generate:
nix build .#generators.cilium
nix build .#generators.kyverno
values/archmeister/base/deployment_patch.yaml → kustomizations/archmeister/base/deployment_patch.yaml
View File
values/archmeister/base/kustomization.yaml → kustomizations/archmeister/base/kustomization.yaml
View File
values/archmeister/chart → kustomizations/archmeister/chart
View File
values/archmeister/prod/appsettings.json → kustomizations/archmeister/prod/appsettings.json
View File
values/archmeister/prod/default.env → kustomizations/archmeister/prod/default.env
View File
values/archmeister/prod/deployment_patch.yaml → kustomizations/archmeister/prod/deployment_patch.yaml
View File
values/archmeister/prod/ingress_patch.yaml → kustomizations/archmeister/prod/ingress_patch.yaml
View File
values/archmeister/prod/kustomization.yaml → kustomizations/archmeister/prod/kustomization.yaml
View File
values/archmeister/staging/appsettings.json → kustomizations/archmeister/staging/appsettings.json
View File
values/archmeister/staging/default.env → kustomizations/archmeister/staging/default.env
View File
values/archmeister/staging/deployment_patch.yaml → kustomizations/archmeister/staging/deployment_patch.yaml
View File
values/archmeister/staging/ingress_patch.yaml → kustomizations/archmeister/staging/ingress_patch.yaml
View File
values/archmeister/staging/kustomization.yaml → kustomizations/archmeister/staging/kustomization.yaml
View File
values/archmeister/values-prod.yaml → kustomizations/archmeister/values-prod.yaml
View File
values/archmeister/values-staging.yaml → kustomizations/archmeister/values-staging.yaml
View File
values/sorcerer/base/deployment_patch.yaml → kustomizations/atlantis/base/deployment_patch.yaml
+5 -2
View File
@@ -1,11 +1,14 @@
- op: replace - op: replace
path: /spec/template/spec/containers/0/livenessProbe/httpGet/path path: /spec/template/spec/containers/0/livenessProbe/httpGet/path
value: /healthz value: /healthz
- op: replace - op: replace
path: /spec/template/spec/containers/0/readinessProbe/httpGet/path path: /spec/template/spec/containers/0/readinessProbe/httpGet/path
value: /healthz value: /healthz
- op: add
path: /spec/template/spec/containers/0/env/-
value:
name: INTRERNAL_PORT
value: "8000"
- op: add - op: add
path: /spec/template/spec/containers/0/envFrom path: /spec/template/spec/containers/0/envFrom
value: [] value: []
values/hipster/base/kustomization.yaml → kustomizations/atlantis/base/kustomization.yaml
View File
values/atlantis/base/service_patch.yaml → kustomizations/atlantis/base/service_patch.yaml
View File
kustomizations/atlantis/chart
+1
View File
@@ -0,0 +1 @@
oceanbox/atlantis
kustomizations/atlantis/prod/appsettings.json
+37
View File
@@ -0,0 +1,37 @@
{
"oidc": {
"issuer": "https://idp.oceanbox.io/dex",
"authorization_endpoint": "https://idp.oceanbox.io/dex/auth",
"token_endpoint": "https://idp.oceanbox.io/dex/token",
"jwks_uri": "https://idp.oceanbox.io/dex/keys",
"userinfo_endpoint": "https://idp.oceanbox.io/dex/userinfo",
"device_authorization_endpoint": "https://idp.oceanbox.io/dex/device/code",
"clientId": "atlantis",
"clientSecret": "",
"scopes": [
"openid",
"email",
"offline_access",
"profile"
]
},
"redis": "prod-redis-master.redis.svc,user=default,password=secret",
"sso": {
"cookieDomain": ".oceanbox.io",
"signedOutRedirectUri": "https://idp.oceanbox.io/dex/static/logout.html",
"appDomain": "atlantis",
"dataProtectionKeys": "DataProtection-Keys"
},
"archmeister" : "https://archmeister.srv.oceanbox.io",
"sorcerer" : "https://sorcerer.data.oceanbox.io",
"allowedOrigins": [
"http://maps.oceanbox.io",
"https://maps.oceanbox.io",
"http://atlantis.srv.oceanbox.io",
"https://atlantis.srv.oceanbox.io"
],
"logService" : "https://seq.adm.oceanbox.io",
"logApiKey": "",
"deployEnv": "prod",
"plainAuthUsers": []
}
values/atlantis/prod/barentswatch-api.env → kustomizations/atlantis/prod/barentswatch-api.env
View File
kustomizations/atlantis/prod/default.env
+3
View File
@@ -0,0 +1,3 @@
OIDC_CLIENT_SECRET=KOJ6bDHzE5vdyfSrzgwLjtM5PzA809Zm
SEQ_APIKEY=v9RfeLBD9Si7OkFlkjPm
DEPLOY_NAME=prod-atlantis
kustomizations/atlantis/prod/deployment_patch.yaml
+41
View File
@@ -0,0 +1,41 @@
- op: replace
path: /spec/template/spec/containers/0/env/0
value:
name: LOG_LEVEL
value: "4"
- op: add
path: /spec/template/spec/containers/0/env/-
value:
name: BARENTSWATCH_SECRET
valueFrom:
secretKeyRef:
name: prod-atlantis-barentswatch
key: secret
optional: true
- op: add
path: /spec/template/spec/containers/0/env/-
value:
name: BARENTSWATCH_CLIENT_ID
valueFrom:
secretKeyRef:
name: prod-atlantis-barentswatch
key: client-id
optional: true
- op: add
path: /spec/template/spec/containers/0/env/-
value:
name: REDIS_USER
value: default
- op: add
path: /spec/template/spec/containers/0/env/-
value:
name: REDIS_PASSWORD
valueFrom:
secretKeyRef:
name: prod-redis
key: redis-password
- op: add
path: /spec/template/spec/containers/0/envFrom/-
value:
secretRef:
name: prod-atlantis-env
values/atlantis/prod/kustomization.yaml → kustomizations/atlantis/prod/kustomization.yaml
+7 -9
View File
@@ -4,6 +4,13 @@ configMapGenerator:
- name: prod-atlantis-appsettings - name: prod-atlantis-appsettings
files: files:
- appsettings.json - appsettings.json
secretGenerator:
- name: prod-atlantis-env
envs:
- default.env
- name: prod-atlantis-barentswatch
envs:
- barentswatch-api.env
patches: patches:
- target: - target:
group: apps group: apps
@@ -12,13 +19,4 @@ patches:
path: deployment_patch.yaml path: deployment_patch.yaml
resources: resources:
- ../base - ../base
- secrets.yaml
- rbac.yaml
- tracing.yaml
- bindings.yaml
- pubsub.yaml
- statestore.yaml
- subscriptions.yaml - subscriptions.yaml
- configurations.yaml
- secretstore.yaml
- keyvault.yaml
values/atlantis/prod/subscriptions.yaml → kustomizations/atlantis/prod/subscriptions.yaml
+2 -2
View File
@@ -5,7 +5,7 @@ metadata:
spec: spec:
topic: hipster topic: hipster
routes: routes:
default: /events/hipster default: /hipster-events
pubsubname: pubsub pubsubname: pubsub
metadata: metadata:
queueType: quorum queueType: quorum
@@ -19,7 +19,7 @@ metadata:
spec: spec:
topic: inbox topic: inbox
routes: routes:
default: /events/inbox default: /inbox-events
pubsubname: pubsub pubsubname: pubsub
metadata: metadata:
queueType: quorum queueType: quorum
kustomizations/atlantis/staging/appsettings.json
+35
View File
@@ -0,0 +1,35 @@
{
"oidc": {
"issuer": "https://idp.oceanbox.io/dex",
"authorization_endpoint": "https://idp.oceanbox.io/dex/auth",
"token_endpoint": "https://idp.oceanbox.io/dex/token",
"jwks_uri": "https://idp.oceanbox.io/dex/keys",
"userinfo_endpoint": "https://idp.oceanbox.io/dex/userinfo",
"device_authorization_endpoint": "https://idp.oceanbox.io/dex/device/code",
"clientId": "atlantis_dev",
"clientSecret": "",
"scopes": [
"openid",
"email",
"offline_access",
"profile"
]
},
"redis": "staging-redis-master.redis.svc,user=default,password=secret",
"sso": {
"cookieDomain": ".oceanbox.io",
"signedOutRedirectUri": "https://idp.oceanbox.io/dex/static/logout.html",
"appDomain": "atlantis",
"dataProtectionKeys": "DataProtection-Keys"
},
"archmeister" : "https://archmeister.beta.oceanbox.io",
"sorcerer" : "https://sorcerer.ekman.oceanbox.io",
"allowedOrigins": [
"http://atlantis.beta.oceanbox.io",
"https://atlantis.beta.oceanbox.io"
],
"logService" : "https://seq.adm.oceanbox.io",
"logApiKey": "",
"deployEnv": "staging",
"plainAuthUsers": []
}
values/atlantis/staging/auth → kustomizations/atlantis/staging/auth
View File
values/atlantis/staging/barentswatch-api.env → kustomizations/atlantis/staging/barentswatch-api.env
View File
kustomizations/atlantis/staging/default.env
+3
View File
@@ -0,0 +1,3 @@
OIDC_CLIENT_SECRET=3QjfSPmAemjn34XVA2o1fvoS7I4gKvOR
SEQ_APIKEY=v9RfeLBD9Si7OkFlkjPm
DEPLOY_NAME=staging-atlantis
kustomizations/atlantis/staging/deployment_patch.yaml
+41
View File
@@ -0,0 +1,41 @@
- op: replace
path: /spec/template/spec/containers/0/env/0
value:
name: LOG_LEVEL
value: "4"
- op: add
path: /spec/template/spec/containers/0/env/-
value:
name: BARENTSWATCH_SECRET
valueFrom:
secretKeyRef:
name: staging-atlantis-barentswatch
key: secret
optional: true
- op: add
path: /spec/template/spec/containers/0/env/-
value:
name: BARENTSWATCH_CLIENT_ID
valueFrom:
secretKeyRef:
name: staging-atlantis-barentswatch
key: client-id
optional: true
- op: add
path: /spec/template/spec/containers/0/env/-
value:
name: REDIS_USER
value: default
- op: add
path: /spec/template/spec/containers/0/env/-
value:
name: REDIS_PASSWORD
valueFrom:
secretKeyRef:
name: staging-redis
key: redis-password
- op: add
path: /spec/template/spec/containers/0/envFrom/-
value:
secretRef:
name: staging-atlantis-env
values/atlantis/staging/kustomization.yaml → kustomizations/atlantis/staging/kustomization.yaml
+7 -9
View File
@@ -4,6 +4,13 @@ configMapGenerator:
- name: staging-atlantis-appsettings - name: staging-atlantis-appsettings
files: files:
- appsettings.json - appsettings.json
secretGenerator:
- name: staging-atlantis-env
envs:
- default.env
- name: staging-atlantis-barentswatch
envs:
- barentswatch-api.env
patches: patches:
- target: - target:
group: apps group: apps
@@ -12,13 +19,4 @@ patches:
path: deployment_patch.yaml path: deployment_patch.yaml
resources: resources:
- ../base - ../base
- rbac.yaml
- secrets.yaml
- tracing.yaml
- bindings.yaml
- pubsub.yaml
- statestore.yaml
- subscriptions.yaml - subscriptions.yaml
- configurations.yaml
- secretstore.yaml
- keyvault.yaml
values/atlantis/staging/subscriptions.yaml → kustomizations/atlantis/staging/subscriptions.yaml
+2 -2
View File
@@ -5,7 +5,7 @@ metadata:
spec: spec:
topic: hipster topic: hipster
routes: routes:
default: /events/hipster default: /hipster-events
pubsubname: pubsub pubsubname: pubsub
metadata: metadata:
queueType: quorum queueType: quorum
@@ -19,7 +19,7 @@ metadata:
spec: spec:
topic: inbox topic: inbox
routes: routes:
default: /events/inbox default: /inbox-events
pubsubname: pubsub pubsubname: pubsub
metadata: metadata:
queueType: quorum queueType: quorum
kustomizations/atlantis/values-prod.yaml
+46
View File
@@ -0,0 +1,46 @@
replicaCount: 2
podAnnotations:
dapr.io/app-id: "prod-atlantis"
dapr.io/enabled: "true"
dapr.io/app-port: "8000"
dapr.io/config: "tracing"
dapr.io/app-protocol: "http"
dapr.io/enable-app-health-check: "true"
dapr.io/app-health-check-path: "/healthz"
dapr.io/app-health-probe-interval: "3"
dapr.io/app-health-probe-timeout: "200"
dapr.io/app-health-threshold: "2"
dapr.io/sidecar-cpu-request: "100m"
dapr.io/sidecar-memory-request: "250Mi"
dapr.io/sidecar-cpu-limit: "300m"
dapr.io/sidecar-memory-limit: "1000Mi"
dapr.io/log-as-json: "true"
ingress:
annotations:
cert-manager.io/cluster-issuer: letsencrypt-production
nginx.ingress.kubernetes.io/proxy-buffer-size: 128k
hosts:
- host: atlantis.srv.oceanbox.io
paths:
- path: /
pathType: ImplementationSpecific
- host: maps.oceanbox.io
paths:
- path: /
pathType: ImplementationSpecific
tls:
- hosts:
- atlantis.srv.oceanbox.io
- maps.oceanbox.io
secretName: atlantis-tls
resources:
limits:
cpu: 250m
memory: 1Gi
requests:
cpu: 250m
memory: 1Gi
kustomizations/atlantis/values-staging.yaml
+54
View File
@@ -0,0 +1,54 @@
replicaCount: 2
podAnnotations:
dapr.io/app-id: "staging-atlantis"
dapr.io/enabled: "true"
dapr.io/app-port: "8000"
dapr.io/config: "tracing"
dapr.io/app-protocol: "http"
dapr.io/enable-app-health-check: "true"
dapr.io/app-health-check-path: "/healthz"
dapr.io/app-health-probe-interval: "3"
dapr.io/app-health-probe-timeout: "200"
dapr.io/app-health-threshold: "2"
dapr.io/sidecar-cpu-request: "100m"
dapr.io/sidecar-memory-request: "250Mi"
dapr.io/sidecar-cpu-limit: "300m"
dapr.io/sidecar-memory-limit: "1000Mi"
dapr.io/log-as-json: "true"
image:
tag: 7f3512e0-debug
ingress:
annotations:
cert-manager.io/cluster-issuer: letsencrypt-production
nginx.ingress.kubernetes.io/proxy-buffer-size: 128k
# nginx.ingress.kubernetes.io/affinity: "cookie"
# nginx.ingress.kubernetes.io/session-cookie-name: "http-affinity"
# nginx.ingress.kubernetes.io/session-cookie-expires: "86400"
# nginx.ingress.kubernetes.io/session-cookie-max-age: "86400"
# atlantis.oceanbox.io/expose: internal
hosts:
- host: atlantis.beta.oceanbox.io
paths:
- path: /
pathType: ImplementationSpecific
- host: atlas.oceanbox.io
paths:
- path: /
pathType: ImplementationSpecific
- host: beta.oceanbox.io
paths:
- path: /
pathType: ImplementationSpecific
tls:
- hosts:
- atlantis.beta.oceanbox.io
- atlas.oceanbox.io
- beta.oceanbox.io
secretName: staging-atlantis-tls
resources:
limits:
cpu: 250m
memory: 1Gi
requests:
cpu: 250m
memory: 1Gi

Some files were not shown because too many files have changed in this diff Show More