fix: fix volumes and secrets for atlantis

charts/atlantis/Chart.lock

@@ -0,0 +1,6 @@
+dependencies:
+- name: redis-stack-server
+  repository: https://redis-stack.github.io/helm-redis-stack/
+  version: 0.4.14
+digest: sha256:ed6bf447567c0d92030bffebc947801c67cb4e9b4dd95680c35a0b5f6b23d71f
+generated: "2024-10-04T11:54:47.575418518+02:00"

charts/atlantis/Chart.yaml

@@ -1,18 +1,12 @@
 apiVersion: v2
 name: atlantis
 description: Atlantis map and simulation service
-# A chart can be either an 'application' or a 'library' chart.
-#
-# Application charts are a collection of templates that can be packaged into versioned archives
-# to be deployed.
-#
-# Library charts provide useful utilities or functions for the chart developer. They're included as
-# a dependency of application charts to inject those utilities and functions into the rendering
-# pipeline. Library charts do not define any templates and therefore cannot be deployed.
 type: application
-# This is the chart version. This version number should be incremented each time you make changes
-# to the chart and its templates, including the app version.
 version: v2.87.1
-# This is the version number of the application being deployed. This version number should be
-# incremented each time you make changes to the application.
 appVersion: v2.87.1
+dependencies:
+  - name: redis-stack-server
+    version: 0.4.14
+    repository: https://redis-stack.github.io/helm-redis-stack/
+    condition: redis.enabled
+    alias: redis

charts/atlantis/templates/cluster.yaml

@@ -2,14 +2,14 @@
 apiVersion: postgresql.cnpg.io/v1
 kind: Cluster
 metadata:
-  name: {{ include "Atlantis.fullname" . }}
+  name: {{ include "Atlantis.fullname" . }}-db
   annotations:
     linkerd.io/inject: disabled
   labels:
     {{- include "Atlantis.labels" . | nindent 4 }}
 spec:
-  instances: {{ .Values.cluster.instances | default "2" }}
+  instances: {{ .Values.cluster.instances | default "1" }}
-
+  imageName: ghcr.io/cloudnative-pg/postgis:15-3.3
   # Example of rolling update strategy:
   # - unsupervised: automated update of the primary once all
   #                 replicas have been upgraded (default)
@@ -18,9 +18,36 @@ spec:
   primaryUpdateStrategy: unsupervised
   backup:
     retentionPolicy: {{ .Values.cluster.backupRetention | default "60d" }}
-
   storage:
     size: {{ .Values.cluster.size | default "5Gi" }}
+{{- with .Values.cluster.bootstrap }}
+  bootstrap:
+{{- if .enabled }}
+    pg_basebackup:
+      source: archmaester
+  externalClusters:
+  - name: archmaester
+    connectionParameters:
+      host: {{ .source.db }}-rw.{{ .source.namespace }}
+      user: streaming_replica
+      sslmode: verify-full
+    sslKey:
+      name: {{ .source.db }}-replication
+      key: tls.key
+    sslCert:
+      name: {{ .source.db }}-replication
+      key: tls.crt
+    sslRootCert:
+      name: {{ .source.db }}-ca
+      key: ca.crt
+{{- else }}
+    initdb:
+      postInitTemplateSQL:
+        - CREATE EXTENSION postgis;
+        - CREATE EXTENSION postgis_topology;
+        - CREATE EXTENSION fuzzystrmatch;
+        - CREATE EXTENSION postgis_tiger_geocoder;
+        - ALTER USER app WITH SUPERUSER;
+{{- end }}
+{{- end }}
 {{- end }}
-
-

charts/atlantis/templates/secrets.yaml

@@ -0,0 +1,54 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  annotations:
+    kyverno/clone: "true"
+  name: {{ .Release.Name }}-rabbitmq
+type: Opaque
+data:
+---
+{{- if not .Values.redis.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+  annotations:
+    kyverno/clone: "true"
+  name: {{ .Release.Name }}-redis
+type: Opaque
+data:
+{{- end }}
+---
+{{- if not .Values.cluster.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+  annotations:
+    kyverno/clone: "true"
+  name: {{ include "Atlantis.fullname" . }}-db-superuser
+type: kubernetes.io/basic-auth
+data:
+  username:
+  password:
+{{- else }}
+apiVersion: v1
+kind: Secret
+metadata:
+  annotations:
+    kyverno/clone: "true"
+  name: {{ .Values.cluster.bootstrap.source.db }}-replication
+type: kubernetes.io/tls
+data:
+  tls.crt: ""
+  tls.key: ""
+---
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+  annotations:
+    kyverno/clone: "true"
+  name: {{ .Values.cluster.bootstrap.source.db }}-ca
+data:
+  ca.crt: ""
+  ca.key: ""
+{{- end }}

charts/atlantis/values.yaml

@@ -39,7 +39,7 @@ service:
   type: ClusterIP
   port: 8085
 ingress:
-  enabled: true
+  enabled: false
   className: "nginx"
   annotations:
     nginx.ingress.kubernetes.io/ssl-redirect: "true"
@@ -59,11 +59,25 @@ persistence:
   storageClass: ""
   accessMode: ReadWriteOnce
 cluster:
-  enabled: false
+  enabled: true
-  instances: 2
+  instances: 1
   backupEnabled: true
   backupRetention: 60d
   size: 5Gi
+  bootstrap:
+    enabled: true
+    source:
+      db: prod-archmeister
+      namespace: atlantis
+redis:
+  enabled: true
+  name: redis-stack
+  redis_stack_server:
+    image: "redis/redis-stack-server"
+    tag: "7.4.0-v1"
+    replicas: 1
+    storage_class: ceph-rbd
+    storage: 1Gi
 resources: {}
 # We usually recommend not to specify default resources and to leave this as a conscious
 # choice for the user. This also increases chances charts run on environments with little

resources/atlantis/host-manifests/sync-atlantis-secrets.yaml

@@ -0,0 +1,111 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: sync-dev-atlantis-secrets
+spec:
+  background: true
+  generateExisting: false
+  rules:
+  - name: sync-rabbitmq-secret
+    generate:
+      apiVersion: v1
+      kind: Secret
+      name: '{{ request.object.metadata.name }}'
+      namespace: '{{ request.object.metadata.namespace }}'
+      synchronize: true
+      clone:
+        name: staging-rabbitmq
+        namespace: rabbitmq
+    match:
+     any:
+     - resources:
+         kinds:
+         - Secret
+         names:
+         - "*-rabbitmq"
+         annotations:
+           kyverno/clone: "true"
+  - name: sync-redis-secret
+    generate:
+      apiVersion: v1
+      kind: Secret
+      name: '{{ request.object.metadata.name }}'
+      namespace: '{{ request.object.metadata.namespace }}'
+      synchronize: true
+      clone:
+        name: staging-redis
+        namespace: redis
+    match:
+     any:
+     - resources:
+         kinds:
+         - Secret
+         names:
+         - "*-redis"
+         annotations:
+           kyverno/clone: "true"
+  - name: sync-archmaester-secret
+    generate:
+      apiVersion: v1
+      kind: Secret
+      name: '{{ request.object.metadata.name }}'
+      namespace: '{{ request.object.metadata.namespace }}'
+      synchronize: true
+      clone:
+        name: prod-archmeister-superuser
+        namespace: atlantis
+    match:
+     any:
+     - resources:
+         kinds:
+         - Secret
+         names:
+         - "*-db-superuser"
+         annotations:
+           kyverno/clone: "true"
+  - name: sync-archmaester-replication-secret
+    generate:
+      apiVersion: v1
+      kind: Secret
+      name: '{{ request.object.metadata.name }}'
+      namespace: '{{ request.object.metadata.namespace }}'
+      synchronize: true
+      clone:
+        name: prod-archmeister-replication
+        namespace: atlantis
+    match:
+     any:
+     - resources:
+         kinds:
+         - Secret
+         names:
+         - prod-archmeister-replication
+         annotations:
+           kyverno/clone: "true"
+  - name: sync-archmaester-ca
+    generate:
+      apiVersion: v1
+      kind: Secret
+      name: '{{ request.object.metadata.name }}'
+      namespace: '{{ request.object.metadata.namespace }}'
+      synchronize: true
+      clone:
+        name: prod-archmeister-ca
+        namespace: atlantis
+    match:
+     any:
+     - resources:
+         kinds:
+         - Secret
+         names:
+         - prod-archmeister-ca
+         annotations:
+           kyverno/clone: "true"
+    # exclude:
+    #  any:
+    #  - resources:
+    #      kinds:
+    #      - Secret
+    #      selector:
+    #        matchLabels:
+    #          generate.kyverno.io/clone-source: ""