fix: add eli and hansi to ocenographers acl

Update Helm release gatus to v1.4.5

See merge request oceanbox/manifests!71

.envrc

@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+# the shebang is ignored, but nice for editors
+watch_file nix/sources.json
+watch_file nix/checks.nix
+
+# Load .env file if it exists
+dotenv_if_exists
+
+# Set npins dir
+export NPINS_DIRECTORY="nix"
+
+# Activate development shell
+use nix

.gitignore

@@ -1,2 +1,7 @@
-_manifest.yaml
-_resources.yaml
+*.tgz
+_*/
+.direnv/
+.env
+.pre-commit-config.yaml
+_*.yaml
+backup/

.gitlab-ci.yml

@@ -1,46 +1,54 @@
-image:
-  name: alpine/helm:latest
-  entrypoint: [ "/bin/bash", "-c" ]
+# yaml-language-server: $schema=https://gitlab.com/gitlab-org/gitlab/-/raw/master/app/assets/javascripts/editor/schema/ci.json
+default:
+  tags:
+    - nix
 
-stages:
-  - release
+include:
+  - project: oceanbox/gitlab-ci
+    ref: v4.5
+    file: template/Base.gitlab-ci.yml
+# stages:
+# - release
 
-release:
-  stage: release
-  rules:
-  - if: '$CI_COMMIT_BRANCH =~ /^main/'
-    when: always
-  - when: never
-  script:
-    - |
-      cd $CI_PROJECT_DIR
-      for i in $(git show --pretty="" --name-only | grep '^charts/.*/Chart.yaml' | cut -d/ -f2); do
-        pack=$(helm package ./charts/$i | sed 's/Success.*: \(.*\)/\1/')
-        if [ ! -z $pack ]; then
-          chart=$(basename $pack)
-          curl --request POST \
-               --user gitlab-ci-token:$CI_JOB_TOKEN \
-               --form "chart=@${chart}" \
-               "${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/helm/api/stable/charts"
-        fi
-      done
+# image:
+# name: alpine/helm:latest
+# entrypoint: ["/bin/bash", "-c"]
 
-rebuild:
-  stage: release
-  rules:
-    - when: manual
-      allow_failure: true
-  script:
-    - |
-      cd $CI_PROJECT_DIR
-      for i in $(find ./charts -maxdepth 2 -name Chart.yaml | cut -d/ -f3); do
-        pack=$(helm package ./charts/$i | sed 's/Success.*: \(.*\)/\1/')
-        if [ ! -z $pack ]; then
-          chart=$(basename $pack)
-          curl --request POST \
-               --user gitlab-ci-token:$CI_JOB_TOKEN \
-               --form "chart=@${chart}" \
-               "${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/helm/api/stable/charts"
-        fi
-      done
+# release:
+# stage: release
+# rules:
+# - if: "$CI_COMMIT_BRANCH =~ /^main/"
+# when: always
+# - when: never
+# script:
+# - |
+# cd $CI_PROJECT_DIR
+# for i in $(git show --pretty="" --name-only | grep '^charts/.*/Chart.yaml' | cut -d/ -f2); do
+# pack=$(helm package ./charts/$i | sed 's/Success.*: \(.*\)/\1/')
+# if [ ! -z $pack ]; then
+# chart=$(basename $pack)
+# curl --request POST \
+# --user gitlab-ci-token:$CI_JOB_TOKEN \
+# --form "chart=@${chart}" \
+# "${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/helm/api/stable/charts"
+# fi
+# done
 
+# rebuild:
+# stage: release
+# rules:
+# - when: manual
+# allow_failure: true
+# script:
+# - |
+# cd $CI_PROJECT_DIR
+# for i in $(find ./charts -maxdepth 2 -name Chart.yaml | cut -d/ -f3); do
+# pack=$(helm package ./charts/$i | sed 's/Success.*: \(.*\)/\1/')
+# if [ ! -z $pack ]; then
+# chart=$(basename $pack)
+# curl --request POST \
+# --user gitlab-ci-token:$CI_JOB_TOKEN \
+# --form "chart=@${chart}" \
+# "${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/helm/api/stable/charts"
+# fi
+# done

README.md

@@ -0,0 +1,33 @@
+# Manifests
+
+> [!note]
+> For CI/CD to push updates to this repo add your repo [here](https://gitlab.com/oceanbox/alpine-k8s/-/settings/ci_cd#js-token-access)
+
+Manifest repo managed using [Helmfile](https://github.com/helmfile/helmfile).
+
+Repository structure:
+
+```bash
+/
+├── helmfile.d/                                                 # Helmfiles, *.yaml.gotmpl
+├── charts/                                                     # Our own charts, e.g `Atlantis`
+├── values                                                      # Values for helmfiles
+│   ├── <chart>
+│   │   ├── env.yaml.gotmpl                                     # Values to be templated in `values/`
+│   │   ├── kustomize                                           # Kustomizations per environment
+│   │   ├── manifests                                           # Raw manifests
+│   │   │   ├── <chart>.yaml                                    # Argo App for bootstrap
+│   │   │   ├── dashboards                                      # Grafana dashboards
+│   │   │   │   └── <chart>-metrics.yaml
+│   │   │   └── policies                                        # Cilium and Kyverno policies
+│   │   │       ├── CiliumNetworkPolicy-allow-api-server.yaml
+│   │   │       └── KyvernoPolicy-regred-secret.yaml
+│   │   └── values                                              # Values for each environment
+│   │       ├── <chart>-staging.yaml.gotmpl                     # Values for staging environment
+│   │       ├── <chart>-prod.yaml.gotmpl                        # Values for prod environment
+│   │       └── <chart>.yaml.gotmpl                             # Standard values for all environments
+│   │
+│   ├── env.yaml                                             # Standard values for all cluster
+│   ├── env-oceanbox.yaml                                    # Values overrides for oceanbox
+│   ├── env-ekman.yaml                                       # Values overrides for ekman
+```

acl.json

@@ -1 +0,0 @@
-kustomizations/petimeter/manifests/acl.json

applications/archmeister.yaml

@@ -1,47 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: ApplicationSet
-metadata:
-  name: archmeister
-  namespace: argocd
-spec:
-  goTemplate: true
-  generators:
-  - list:
-      elements:
-      - cluster: https://kubernetes.default.svc
-        env: prod
-        hostname: archmeister.srv.oceanbox.io
-        autoSync: false
-        prune: true
-      - cluster: https://staging-vcluster.staging-vcluster
-        env: staging
-        hostname: archmeister.beta.oceanbox.io
-        autoSync: true
-        prune: true
-  template:
-    metadata:
-      name: "{{ .env }}-archmeister"
-    spec:
-      project: atlantis
-      destination:
-        namespace: atlantis
-        server: "{{ .cluster }}"
-      sources:
-      - repoURL: https://gitlab.com/oceanbox/manifests.git
-        targetRevision: main
-        path: kustomizations/archmeister
-        plugin:
-          name: kustomize-helm-with-rewrite
-          parameters:
-          - name: env
-            string: "{{ .env }}"
-          - name: hostname
-            string: "{{ .hostname }}"
-  templatePatch: |
-    {{- if .autoSync }}
-    spec:
-      syncPolicy:
-        automated:
-          prune: {{ .prune }}
-          selfHeal: false
-    {{- end }}

applications/atlantis-host-resources.yaml

@@ -1,36 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: atlantis-host-cluster-resources
-  namespace: argocd
-  # annotations: # close, but no cigar
-  #   argocd.argoproj.io/compare-options: ServerSideDiff=true,IncludeMutationWebhook=true
-spec:
-  project: aux
-  destination:
-    server: https://kubernetes.default.svc
-  syncPolicy:
-    automated:
-      prune: false
-      selfHeal: false
-  ignoreDifferences:
-    - kind: Secret
-      name: prod-rabbitmq
-      jqPathExpressions:
-        - '.data'
-        - '.metadata.annotations.clone'
-        - '.metadata.labels'
-    - kind: Secret
-      name: prod-redis
-      jqPathExpressions:
-        - '.data'
-        - '.metadata.annotations.clone'
-        - '.metadata.labels'
-  sources:
-  - repoURL: https://gitlab.com/oceanbox/manifests.git
-    targetRevision: main
-    path: resources/atlantis/host-manifests
-  - repoURL: https://gitlab.com/oceanbox/manifests.git
-    targetRevision: main
-    path: 'resources/atlantis/manifests/prod'
-

applications/atlantis-resources.yaml

@@ -1,41 +0,0 @@
-# Currently not in use. Configured via the create-vcluster script.
-apiVersion: argoproj.io/v1alpha1
-kind: ApplicationSet
-metadata:
-  name: atlantis-resources
-  namespace: argocd
-spec:
-  goTemplate: true
-  generators:
-  - list:
-      elements:
-      - cluster: https://kubernetes.default.svc
-        env: prod
-        autoSync: false
-        prune: false
-      # - cluster: https://staging-vcluster.staging-vcluster
-      #   env: staging
-      #   autoSync: false
-      #   prune: false
-  template:
-    metadata:
-      name: "{{ .env }}-atlantis-resources"
-    spec:
-      project: aux
-      syncPolicy:
-        automated: {}
-      destination:
-        server: "{{ .cluster }}"
-        namespace: atlantis
-      sources: {}
-      # - repoURL: https://gitlab.com/oceanbox/manifests.git
-      #   targetRevision: main
-      #   path: 'resources/atlantis/manifests/{{ env }}'
-  templatePatch: |
-    {{- if .autoSync }}
-    spec:
-      syncPolicy:
-        automated:
-          prune: {{ .prune }}
-          selfHeal: false
-    {{- end }}

applications/atlantis.yaml

@@ -1,47 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: ApplicationSet
-metadata:
-  name: atlantis
-  namespace: argocd
-spec:
-  goTemplate: true
-  generators:
-  - list:
-      elements:
-      - cluster: https://kubernetes.default.svc
-        env: prod
-        hostname: atlantis.srv.oceanbox.io
-        autoSync: false
-        prune: true
-      - cluster: https://staging-vcluster.staging-vcluster
-        env: staging
-        hostname: atlantis.beta.oceanbox.io
-        autoSync: true
-        prune: true
-  template:
-    metadata:
-      name: '{{ .env }}-atlantis'
-    spec:
-      project: atlantis
-      destination:
-        namespace: atlantis
-        server: '{{ .cluster }}'
-      sources:
-      - repoURL: https://gitlab.com/oceanbox/manifests.git
-        targetRevision: main
-        path: kustomizations/atlantis
-        plugin:
-          name: kustomize-helm-with-rewrite
-          parameters:
-          - name: env
-            string: '{{ .env }}'
-          - name: hostname
-            string: '{{ .hostname }}'
-  templatePatch: |
-    {{- if .autoSync }}
-    spec:
-      syncPolicy:
-        automated:
-          prune: {{ .prune }}
-          selfHeal: false
-    {{- end }}

applications/busynix.yaml

@@ -1,34 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: ApplicationSet
-metadata:
-  name: busynix
-  namespace: argocd
-spec:
-  generators:
-  - list:
-      elements:
-      # - cluster: https://kubernetes.default.svc
-      #   env: prod
-      #   hostname: busynix.srv.oceanbox.io
-      - cluster: https://staging-vcluster.staging-vcluster
-        env: staging
-        hostname: busynix.beta.oceanbox.io
-  template:
-    metadata:
-      name: '{{ env }}-busynix'
-    spec:
-      project: aux
-      destination:
-        namespace: default
-        server: '{{ cluster }}'
-      source:
-        repoURL: https://gitlab.com/oceanbox/manifests.git
-        targetRevision: main
-        path: kustomizations/busynix
-        plugin:
-          name: kustomize-helm-with-rewrite
-          parameters:
-          - name: env
-            string: '{{ env }}'
-          - name: hostname
-            string: '{{ hostname }}'

applications/cerbos.yaml

@@ -1,32 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: ApplicationSet
-metadata:
-  name: cerbos
-  namespace: argocd
-spec:
-  generators:
-  - list:
-      elements:
-      - cluster: https://kubernetes.default.svc
-        env: prod
-      - cluster: https://staging-vcluster.staging-vcluster
-        env: staging
-  template:
-    metadata:
-      name: '{{ env }}-cerbos'
-    spec:
-      project: aux
-      destination:
-        server: https://kubernetes.default.svc
-        namespace: idp
-      sources:
-        - repoURL: https://download.cerbos.dev/helm-charts
-          targetRevision: 0.33.0
-          chart: cerbos
-          helm:
-            valueFiles:
-              - $values/kustomizations/cerbos/values.yaml
-              - $values/kustomizations/cerbos/values-{{ env }}.yaml
-        - repoURL: https://gitlab.com/oceanbox/manifests.git
-          targetRevision: main
-          ref: values

applications/dex.yaml

@@ -1,15 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: dex
-  namespace: argocd
-spec:
-  project: aux
-  destination:
-    server: https://kubernetes.default.svc
-    namespace: idp
-  source:
-    repoURL: https://gitlab.com/oceanbox/manifests.git
-    targetRevision: main
-    path: kustomizations/dex/manifests
-

applications/geoserver.yaml

@@ -1,38 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: ApplicationSet
-metadata:
-  name: geoserver
-  namespace: argocd
-spec:
-  generators:
-  - list:
-      elements:
-      - cluster: https://kubernetes.default.svc
-        env: prod
-        hostname: geoserver.srv.oceanbox.io
-      # - cluster: https://kubernetes.default.svc
-      #   env: staging
-      #   hostname: geoserver.beta.oceanbox.io
-  template:
-    metadata:
-      name: '{{ env }}-geoserver'
-    spec:
-      project: aux
-      destination:
-        server: https://kubernetes.default.svc
-        namespace: geoserver
-      sources:
-      - repoURL: https://gitlab.com/oceanbox/manifests.git
-        targetRevision: main
-        path: kustomizations/geoserver
-        plugin:
-          name: kustomize-helm-with-rewrite
-          parameters:
-          - name: env
-            string: '{{ env }}'
-          - name: hostname
-            string: geoserver.srv.oceanbox.io
-          - name: flags
-            string: "--skip-tests"
-          - name: chart
-            string: ncsa/geoserver

applications/hipster.yaml

@@ -1,47 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: ApplicationSet
-metadata:
-  name: hipster
-  namespace: argocd
-spec:
-  goTemplate: true
-  generators:
-  - list:
-      elements:
-      - cluster: https://kubernetes.default.svc
-        env: prod
-        hostname: hipster.srv.oceanbox.io
-        autoSync: false
-        prune: true
-      - cluster: https://staging-vcluster.staging-vcluster
-        env: staging
-        hostname: hipster.beta.oceanbox.io
-        autoSync: true
-        prune: true
-  template:
-    metadata:
-      name: '{{ .env }}-hipster'
-    spec:
-      project: atlantis
-      destination:
-        namespace: atlantis
-        server: '{{ .cluster }}'
-      sources:
-      - repoURL: https://gitlab.com/oceanbox/manifests.git
-        targetRevision: main
-        path: kustomizations/hipster
-        plugin:
-          name: kustomize-helm-with-rewrite
-          parameters:
-          - name: env
-            string: '{{ .env }}'
-          - name: hostname
-            string: '{{ .hostname }}'
-  templatePatch: |
-    {{- if .autoSync }}
-    spec:
-      syncPolicy:
-        automated:
-          prune: {{ .prune }}
-          selfHeal: false
-    {{- end }}

applications/jaeger.yaml

@@ -1,22 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: jaeger
-  namespace: argocd
-spec:
-  project: atlantis
-  destination:
-    server: https://kubernetes.default.svc
-    namespace: jaeger
-  sources:
-  - repoURL: https://jaegertracing.github.io/helm-charts
-    targetRevision: 2.54.0
-    chart: jaeger-operator
-    helm:
-      valueFiles:
-        - $values/kustomizations/jaeger/values.yaml
-  - repoURL: https://gitlab.com/oceanbox/manifests.git
-    targetRevision: main
-    # path: kustomizations/jaeger/manifests
-    ref: values
-

applications/keycloak.yaml

@@ -1,21 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: keycloak
-  namespace: argocd
-spec:
-  project: aux
-  destination:
-    server: https://kubernetes.default.svc
-    namespace: idp
-  sources:
-  - repoURL: https://charts.bitnami.com/bitnami
-    targetRevision: 24.0.2
-    chart: keycloak
-    helm:
-      valueFiles:
-        - $values/kustomizations/keycloak/values.yaml
-  - repoURL: https://gitlab.com/oceanbox/manifests.git
-    targetRevision: main
-    ref: values
-

applications/loki.yaml

@@ -1,150 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: loki
-  namespace: argocd
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io
-spec:
-  destination:
-    namespace: loki
-    server: 'https://kubernetes.default.svc'
-  project: aux
-  ignoreDifferences:
-  - group: apps
-    kind: StatefulSet
-    jsonPointers:
-    - /spec/persistentVolumeClaimRetentionPolicy
-  syncPolicy:
-    managedNamespaceMetadata:
-      labels:
-        component: aux
-    syncOptions:
-      - CreateNamespace=true
-      - ApplyOutOfSyncOnly=true
-    automated:
-      prune: true
-      selfHeal: true
-  sources:
-  - repoURL: https://gitlab.com/serit/k8s/serit-platform-manifests.git
-    path: network-policies/netpol-loki
-    targetRevision: HEAD
-  - repoURL: 'https://grafana.github.io/helm-charts'
-    targetRevision: 6.12.0
-    chart: loki
-    helm:
-      values: |
-        loki:
-          auth_enabled: false
-          storage:
-            bucketNames:
-              chunks: loki-chunks
-              ruler: loki-chunks
-              admin: loki-chunks
-            s3:
-              endpoint: http://10.255.241.30:30080
-              region: tos
-              secretAccessKey: ${S3SECRET}
-              accessKeyId: ${S3KEY}
-              s3ForcePathStyle: true
-              http_config:
-                insecure_skip_verify: true
-          schemaConfig:
-            configs:
-            - from: "2024-04-01"
-              index:
-                period: 24h
-                prefix: loki_index_
-              object_store: s3
-              schema: v13
-              store: tsdb
-          compactor:
-            compaction_interval: 10m
-            working_directory: /tmp/loki/compactor
-            retention_enabled: true
-            retention_delete_delay: 2h
-            retention_delete_worker_count: 150
-            delete_request_store: s3
-          limits_config:
-            retention_period: 744h
-        write:
-          extraArgs:
-            - -config.expand-env=true
-          extraEnv:
-          - name: S3KEY
-            valueFrom:
-              secretKeyRef:
-                name: loki-s3
-                key: AWS_ACCESS_KEY_ID
-          - name: S3SECRET
-            valueFrom:
-              secretKeyRef:
-                name: loki-s3
-                key: AWS_ACCESS_KEY_SECRET
-          tolerations:
-          - effect: "NoSchedule"
-            operator: "Equal"
-            key: "unschedulable"
-            value: "true"
-        read:
-          extraArgs:
-            - -config.expand-env=true
-          extraEnv:
-          - name: S3KEY
-            valueFrom:
-              secretKeyRef:
-                name: loki-s3
-                key: AWS_ACCESS_KEY_ID
-          - name: S3SECRET
-            valueFrom:
-              secretKeyRef:
-                name: loki-s3
-                key: AWS_ACCESS_KEY_SECRET
-          tolerations:
-          - effect: "NoSchedule"
-            operator: "Equal"
-            key: "unschedulable"
-            value: "true"
-        ingress:
-          enabled: true
-          ingressClassName: nginx
-          annotations:
-            cert-manager.io/cluster-issuer: letsencrypt-staging
-            nginx.ingress.kubernetes.io/ssl-redirect: "true"
-            atlantis.oceanbox.io/expose: internal
-          hosts:
-            - loki.adm.oceanbox.io
-          tls:
-            - hosts:
-               - loki.adm.oceanbox.io
-              secretName: loki-distributed-tls
-        compactor:
-          extraArgs:
-            - -config.expand-env=true
-          extraEnv:
-          - name: S3KEY
-            valueFrom:
-              secretKeyRef:
-                name: loki-s3
-                key: AWS_ACCESS_KEY_ID
-          - name: S3SECRET
-            valueFrom:
-              secretKeyRef:
-                name: loki-s3
-                key: AWS_ACCESS_KEY_SECRET
-        backend:
-          extraArgs:
-            - -config.expand-env=true
-          extraEnv:
-          - name: S3KEY
-            valueFrom:
-              secretKeyRef:
-                name: loki-s3
-                key: AWS_ACCESS_KEY_ID
-          - name: S3SECRET
-            valueFrom:
-              secretKeyRef:
-                name: loki-s3
-                key: AWS_ACCESS_KEY_SECRET

applications/openfga.yaml

@@ -1,47 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: ApplicationSet
-metadata:
-  name: openfga
-  namespace: argocd
-spec:
-  goTemplate: true
-  generators:
-  - list:
-      elements:
-      - cluster: https://kubernetes.default.svc
-        env: prod
-        hostname: openfga.adm.oceanbox.io
-        autoSync: false
-        prune: true
-      - cluster: https://kubernetes.default.svc
-        env: staging
-        hostname: openfga.dev.oceanbox.io
-        autoSync: true
-        prune: true
-  template:
-    metadata:
-      name: '{{ .env }}-openfga'
-    spec:
-      project: aux
-      destination:
-        namespace: idp
-        server: '{{ .cluster }}'
-      sources:
-        - repoURL: https://openfga.github.io/helm-charts
-          targetRevision: 0.2.12
-          chart: openfga
-          helm:
-            valueFiles:
-              - $values/kustomizations/openfga/values.yaml
-              - $values/kustomizations/openfga/values-{{ .env }}.yaml
-        - repoURL: https://gitlab.com/oceanbox/manifests.git
-          targetRevision: main
-          ref: values
-  templatePatch: |
-    {{- if .autoSync }}
-    spec:
-      syncPolicy:
-        automated:
-          prune: {{ .prune }}
-          selfHeal: false
-    {{- end }}

applications/opentelemetry-collector.yaml

@@ -1,106 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: opentelemetry-collector
-  namespace: argocd
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io
-spec:
-  destination:
-    namespace: otel
-    server: 'https://kubernetes.default.svc'
-  project: aux
-  syncPolicy:
-    # managedNamespaceMetadata:
-    #   labels:
-    #     component: aux
-    syncOptions:
-      - CreateNamespace=true
-      - ApplyOutOfSyncOnly=true
-    automated:
-      prune: true
-      selfHeal: true
-  sources:
-  - repoURL: 'https://open-telemetry.github.io/opentelemetry-helm-charts'
-    targetRevision: 0.107.0
-    chart: opentelemetry-collector
-    helm:
-      values: |
-        mode: deployment
-        image:
-          repository: otel/opentelemetry-collector-k8s
-        config:
-          receivers:
-            prometheus/collector:
-              config:
-                scrape_configs:
-                  - job_name: 'opentelemetry-collector'
-                    static_configs:
-                      - targets:
-                         - ${env:MY_POD_IP}:8888
-            zipkin:
-              endpoint: ${env:MY_POD_IP}:9411
-          exporters:
-            otlp:
-              endpoint: "tempo.tempo.svc:4317"
-              tls:
-                insecure: true
-            otlphttp/metrics:
-              endpoint: http://prom-prometheus.prometheus:9090/api/v1/otlp
-              tls:
-                insecure: true
-            otlphttp/logs:
-              endpoint: http://loki-write-headless.loki:3100/otlp
-              tls:
-                insecure: true
-            debug/metrics:
-              verbosity: detailed
-            debug/traces:
-              verbosity: detailed
-            debug/logs:
-              verbosity: detailed
-          service:
-            telemetry:
-              logs:
-                level: "info"
-            pipelines:
-              traces:
-                receivers: [otlp,zipkin]
-                processors: [batch]
-                exporters: [otlp]
-                # exporters: [otlphttp/traces,debug/traces]
-              metrics:
-                receivers: [otlp,prometheus/collector]
-                processors: [batch]
-                exporters: [otlphttp/metrics]
-                # exporters: [otlphttp/metrics,debug/metrics]
-              logs:
-                receivers: [otlp]
-                processors: [batch]
-                exporters: [otlphttp/logs]
-                # exporters: [otlphttp/logs,debug/logs]
-        ports:
-          metrics:
-            enabled: true
-        # presets:
-        #   logsCollection:
-        #     enabled: true
-        ingress:
-          enabled: true
-          annotations:
-              cert-manager.io/cluster-issuer: letsencrypt-production
-              nginx.ingress.kubernetes.io/ssl-redirect: "true"
-              atlantis.oceanbox.io/expose: internal
-          ingressClassName: nginx
-          hosts:
-            - host: opentelemetry-collector.adm.oceanbox.io
-              paths:
-                - path: /
-                  pathType: Prefix
-                  port: 4318
-          tls:
-            - secretName: collector-tls
-              hosts:
-                - opentelemetry-collector.adm.oceanbox.io

applications/osm-tile-server.yaml

@@ -1,34 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: ApplicationSet
-metadata:
-  name: osm-tile-server
-  namespace: argocd
-spec:
-  generators:
-  - list:
-      elements:
-      - cluster: https://kubernetes.default.svc
-        env: prod
-        hostname: osm.srv.oceanbox.io
-      - cluster: https://staging-vcluster.staging-vcluster
-        env: staging
-        hostname: osm.beta.oceanbox.io
-  template:
-    metadata:
-      name: '{{ env }}-osm-tile-server'
-    spec:
-      project: aux
-      destination:
-        namespace: oceanbox
-        server: '{{ cluster }}'
-      source:
-        repoURL: https://gitlab.com/oceanbox/manifests.git
-        targetRevision: HEAD
-        path: kustomizations/osm-tile-server
-        plugin:
-          name: kustomize-helm-with-rewrite
-          parameters:
-          - name: env
-            string: '{{ env }}'
-          - name: hostname
-            string: '{{ hostname }}'

applications/petimeter.yaml

@@ -1,50 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: ApplicationSet
-metadata:
-  name: petimeter
-  namespace: argocd
-spec:
-  goTemplate: true
-  generators:
-  - list:
-      elements:
-      - cluster: https://kubernetes.default.svc
-        env: prod
-        hostname: petimeter.srv.oceanbox.io
-        autoSync: false
-        prune: true
-      - cluster: https://staging-vcluster.staging-vcluster
-        env: staging
-        hostname: petimeter.beta.oceanbox.io
-        autoSync: true
-        prune: true
-  template:
-    metadata:
-      name: '{{ .env }}-petimeter'
-    spec:
-      project: atlantis
-      destination:
-        namespace: atlantis
-        server: '{{ .cluster }}'
-      sources:
-      - repoURL: https://gitlab.com/oceanbox/manifests.git
-        targetRevision: main
-        path: kustomizations/petimeter
-        plugin:
-          name: kustomize-helm-with-rewrite
-          parameters:
-          - name: env
-            string: '{{ .env }}'
-          - name: hostname
-            string: '{{ .hostname }}'
-      - repoURL: https://gitlab.com/oceanbox/manifests.git
-        targetRevision: main
-        path: kustomizations/petimeter/manifests
-  templatePatch: |
-    {{- if .autoSync }}
-    spec:
-      syncPolicy:
-        automated:
-          prune: {{ .prune }}
-          selfHeal: false
-    {{- end }}

applications/rabbitmq.yaml

@@ -1,34 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: ApplicationSet
-metadata:
-  name: rabbitmq
-  namespace: argocd
-spec:
-  generators:
-  - list:
-      elements:
-      - cluster: https://kubernetes.default.svc
-        env: prod
-        hostname: rabbitmq.srv.oceanbox.io
-      - cluster: https://kubernetes.default.svc
-        env: staging
-        hostname: rabbitmq.beta.oceanbox.io
-  template:
-    metadata:
-      name: '{{ env }}-rabbitmq'
-    spec:
-      project: aux
-      destination:
-        server: https://kubernetes.default.svc
-        namespace: rabbitmq
-      sources:
-        - repoURL: https://charts.bitnami.com/bitnami
-          targetRevision: 12.9.0
-          chart: rabbitmq
-          helm:
-            valueFiles:
-              - $values/kustomizations/rabbitmq/values-{{ env }}.yaml
-        - repoURL: https://gitlab.com/oceanbox/manifests.git
-          targetRevision: main
-          path: kustomizations/rabbitmq/{{ env }}
-          ref: values

applications/redis.yaml

@@ -1,39 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: ApplicationSet
-metadata:
-  name: redis
-  namespace: argocd
-spec:
-  generators:
-  - list:
-      elements:
-      - cluster: https://kubernetes.default.svc
-        env: prod
-      - cluster: https://kubernetes.default.svc
-        env: staging
-  template:
-    metadata:
-      name: '{{ env }}-redis'
-    spec:
-      project: aux
-      destination:
-        server: https://kubernetes.default.svc
-        namespace: redis
-      sources:
-        - repoURL: https://charts.bitnami.com/bitnami
-          targetRevision: 19.5.2
-          chart: redis
-          helm:
-            valueFiles:
-              - $values/kustomizations/redis/values-{{ env }}.yaml
-        - repoURL: https://gitlab.com/oceanbox/manifests.git
-          targetRevision: HEAD
-          ref: values
-        - repoURL: https://gitlab.com/oceanbox/manifests.git
-          targetRevision: main
-          path: kustomizations/redis/{{ env }}
-      ignoreDifferences:
-        - group: apps
-          kind: StatefulSet
-          jqPathExpressions:
-            - '.spec.template.spec.containers[].resources.limits.cpu'

applications/seq.yaml

@@ -1,20 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: seq
-  namespace: argocd
-spec:
-  project: aux
-  destination:
-    server: https://kubernetes.default.svc
-    namespace: seq
-  sources:
-  - repoURL: https://helm.datalust.co
-    targetRevision: 2024.1.0
-    chart: seq
-    helm:
-      valueFiles:
-        - $values/kustomizations/seq/values.yaml
-  - repoURL: https://gitlab.com/oceanbox/manifests.git
-    targetRevision: main
-    ref: values

applications/sorcerer.yaml

@@ -1,47 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: ApplicationSet
-metadata:
-  name: sorcerer
-  namespace: argocd
-spec:
-  goTemplate: true
-  generators:
-  - list:
-      elements:
-      - cluster: https://10.255.241.99:4443
-        env: prod
-        hostname: sorcerer.data.oceanbox.io
-        autoSync: false
-        prune: true
-      - cluster: https://10.255.241.99:4443
-        env: staging
-        hostname: sorcerer.ekman.oceanbox.io
-        autoSync: true
-        prune: true
-  template:
-    metadata:
-      name: '{{ .env }}-sorcerer'
-    spec:
-      project: atlantis
-      destination:
-        namespace: sorcerer
-        server: '{{ .cluster }}'
-      sources:
-      - repoURL: https://gitlab.com/oceanbox/manifests.git
-        targetRevision: main
-        path: kustomizations/sorcerer
-        plugin:
-          name: kustomize-helm-with-rewrite
-          parameters:
-          - name: env
-            string: '{{ .env }}'
-          - name: hostname
-            string: '{{ .hostname }}'
-  templatePatch: |
-    {{- if .autoSync }}
-    spec:
-      syncPolicy:
-        automated:
-          prune: {{ .prune }}
-          selfHeal: false
-    {{- end }}

applications/tempo.yaml

@@ -1,75 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: tempo
-  namespace: argocd
-  annotations:
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io
-spec:
-  destination:
-    namespace: tempo
-    server: 'https://kubernetes.default.svc'
-  project: aux
-  syncPolicy:
-    # managedNamespaceMetadata:
-    #   labels:
-    #     component: aux
-    syncOptions:
-      - CreateNamespace=true
-      - ApplyOutOfSyncOnly=true
-    automated:
-      prune: true
-      selfHeal: true
-  sources:
-  - repoURL: 'https://grafana.github.io/helm-charts'
-    targetRevision: 1.10.3
-    chart: tempo
-    helm:
-      values: |
-        tempo:
-          storage:
-            trace:
-              backend: s3
-              s3:
-                bucket: tempo-traces
-                endpoint: http://10.255.241.30:30080
-                access_key: ${S3SECRET}
-                secret_key: ${S3KEY}
-                insecure: true
-              backend: local
-              local:
-                path: /var/tempo/traces
-              wal:
-                path: /var/tempo/wal
-          metricsGenerator:
-            enabled: true
-            remoteWriteUrl: "http://prom-prometheus.prometheus:9090/api/v1/write"
-          extraEnv:
-          - name: S3KEY
-            valueFrom:
-              secretKeyRef:
-                name: tempo-s3
-                key: AWS_ACCESS_KEY_ID
-          - name: S3SECRET
-            valueFrom:
-              secretKeyRef:
-                name: tempo-s3
-                key: AWS_ACCESS_KEY_SECRET
-        tempoQuery:
-          ingress:
-            enabled: true
-            ingressClassName: nginx
-            annotations:
-              cert-manager.io/cluster-issuer: letsencrypt-staging
-              nginx.ingress.kubernetes.io/ssl-redirect: "true"
-              atlantis.oceanbox.io/expose: internal
-            path: /
-            pathType: Prefix
-            hosts:
-              - query.tempo.adm.oceanbox.io
-            tls:
-             - secretName: tempo-query-tls
-               hosts:
-                 - query.tempo.adm.oceanbox.io

applications/wordpress.yaml

@@ -1,20 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: www-oceanbox
-  namespace: argocd
-spec:
-  project: default
-  destination:
-    server: https://kubernetes.default.svc
-    namespace: www-oceanbox
-  sources:
-  - repoURL: https://charts.bitnami.com/bitnami
-    targetRevision: 19.2.2
-    chart: wordpress
-    helm:
-      valueFiles:
-        - $values/wordpress/values.yaml
-  - repoURL: https://gitlab.com/oceanbox/manifests.git
-    targetRevision: HEAD
-    ref: values

applications/yolo-dl.yaml

@@ -1,14 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: yolo-dl
-  namespace: argocd
-spec:
-  project: aux
-  destination:
-    server: https://10.255.241.99:4443
-    namespace: oceanbox
-  sources:
-  - repoURL: https://gitlab.com/oceanbox/manifests.git
-    targetRevision: main
-    path: charts/yolo-dl

argocd/kustomize-helm-with-rewrite/deploy.sh

@@ -1,7 +0,0 @@
-#!/bin/sh
-
-img=registry.gitlab.com/oceanbox/manifests/kustomize-helm-with-rewrite
-tag=${1:-latest}
-
-docker build -t $img:$tag .
-docker push $img:$tag

argocd/kustomize-helm-with-rewrite/generate.sh

@@ -1,35 +0,0 @@
-#!/bin/sh
-
-export HOME=/helm-working-dir
-
-env > /tmp/$ARGOCD_APP_NAME.env
-
-echo "$ARGOCD_APP_PARAMETERS" | jq '.[] | select(.name == "helm-parameters") | .map' | yq -P -oy > parameters.yaml
-cp parameters.yaml /tmp/$ARGOCD_APP_NAME-parameters.yaml
-
-if [ -n "$PARAM_CHART" -a "$PARAM_CHART" != "." ]; then
-    CHART=$PARAM_CHART
-elif [ -d chart ]; then
-    CHART=chart
-elif [ -f chart ]; then
-    CHART=$(cat chart)
-else
-    CHART="."
-fi
-
-[ -f chart/values.yaml ] && VALUES="-f chart/values.yaml"
-[ -f values-chart.yaml ] && VALUES="$VALUES -f values-chart.yaml"
-[ -f values.yaml ] && VALUES="$VALUES -f values.yaml"
-[ -f values-$PARAM_ENV.yaml ] && VALUES="$VALUES -f values-$PARAM_ENV.yaml"
-VALUES="$VALUES -f parameters.yaml"
-
-mkdir -p base
-echo "helm template -n $ARGOCD_APP_NAMESPACE $PARAM_FLAGS $VALUES $ARGOCD_APP_NAME $CHART" > /tmp/$ARGOCD_APP_NAME-helm.sh
-helm template -n $ARGOCD_APP_NAMESPACE $PARAM_FLAGS $VALUES $ARGOCD_APP_NAME $CHART > ./base/_manifest.yaml
-
-sed -i "$PARAM_REWRITE" ./base/_manifest.yaml
-cp ./base/_manifest.yaml /tmp/$ARGOCD_APP_NAME-manifest.yaml
-
-[ -d "$PARAM_ENV" ] && kubectl kustomize $PARAM_ENV > /tmp/$ARGOCD_APP_NAME-manifest.yaml
-
-cat /tmp/$ARGOCD_APP_NAME-manifest.yaml

argocd/kustomize-helm-with-rewrite/init.sh

@@ -1,12 +0,0 @@
-#!/bin/sh
-
-export HOME=/helm-working-dir
-
-helm repo update oceanbox
-
-if [ -n "$PARAM_CHART" -a "$PARAM_CHART" != "." ]; then
-    helm show values $PARAM_CHART > values-chart.yaml
-elif [ -f chart ]; then
-    CHART=$(cat chart)
-    helm show values $CHART > values-chart.yaml
-fi

bin/generate.sh

@@ -0,0 +1,69 @@
+#!/usr/bin/env bash
+# shellcheck disable=SC2034  # Unused variables left for readability
+
+helmfile () {
+
+name=$1
+tier=$2
+
+cat <<EOF
+bases:
+ - ../envs/environments.yaml.gotmpl
+
+commonLabels:
+  tier: ${tier}
+
+releases:
+- name: ${name}
+  namespace: {{ .Environment.Name }}-${name}
+  chart: ../charts/${name}
+  condition: ${name}.enabled
+  values:
+  - ../values/${name}/values/values.yaml.gotmpl
+  - ../values/${name}/values/values-{{ .Environment.Name }}.yaml
+  postRenderer: ../bin/kustomizer
+  postRendererArgs:
+  - ../values/${name}/kustomize/{{ .Environment.Name }}
+  missingFileHandler: Info
+- name: manifests
+  namespace: {{ .Environment.Name }}-${name}
+  chart: manifests
+  condition: ${name}.enabled
+  missingFileHandler: Info
+  values:
+  - ../values/env.yaml
+  - ../values/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml
+  - ../values/${name}/env.yaml.gotmpl
+  - ../values/${name}/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml.gotmpl
+  hooks:
+  - events: [ prepare, cleanup ]
+    showlogs: true
+    command: ../bin/helmify
+    args:
+    - '{{\`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}\`}}'
+    - '{{\`{{ .Release.Chart }}\`}}'
+    - '{{\`{{ .Environment.Name }}\`}}'
+    - ../values/${name}/manifests
+    - manifests
+EOF
+}
+
+while true; do
+    case $* in
+        --with-env)
+            ns=true
+            shift ;;
+        --*|-*) shift;;
+        *) break ;;
+    esac
+done
+
+name=$1
+tier=$2
+if [[ -n "${ns}" ]]; then
+    namespace="namespace: {{ .Environment.Name }}-${name}"
+else
+    namespace="namespace: ${name}"
+fi
+
+helmfile "$1" "$2"

bin/helmify

@@ -0,0 +1,41 @@
+#!/usr/bin/env bash
+
+set -o pipefail
+
+cmd=$1
+chart=$2
+manifests=${4:-manifests}
+outdir=${5:-_manifests}
+
+build() {
+  mkdir -p "${outdir}"/templates
+  echo "Creating ${outdir}/templates"
+
+  echo "generating ${outdir}/Chart.yaml" 1>&2
+
+  cat <<EOF > "${outdir}"/Chart.yaml
+apiVersion: v1
+appVersion: "1.0"
+# description: A Helm chart for Kubernetes
+name: ${chart}
+version: 0.1.0
+EOF
+
+if [[ -d "${manifests}" ]]; then
+    cp -r "${manifests}"/* "${outdir}"/templates
+elif [[ -f "${manifests}" ]]; then
+    cp "${manifests}" "${outdir}"/templates
+fi
+}
+
+clean() {
+  echo "cleaning ${outdir}" 1>&2
+  rm -rf "${outdir}"
+}
+
+case "${cmd}" in
+  "build" ) build ;;
+  "clean" ) clean ;;
+  * ) echo "unsupported command: ${cmd}" 1>&2; exit 1 ;;
+esac
+

bin/kustomizer

@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+
+[[ $# != 1 ]] && exit 1
+
+dir=$1
+base=${dir}/../base
+
+if [[ -f "${base}"/kustomization.yaml ]] && [[ -f "${dir}"/kustomization.yaml ]]; then
+    cat > "${base}"/_manifest.yaml
+    kubectl kustomize "${dir}"
+else
+    cat
+fi

bootstrap/argocd-cluster-admin.yaml

@@ -0,0 +1,35 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: argocd-cluster-admin
+rules:
+  - apiGroups:
+      - "*"
+    resources:
+      - "*"
+    verbs:
+      - "*"
+  - nonResourceURLs:
+      - "*"
+    verbs:
+      - "*"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: argocd-cluster-admin
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: argocd-cluster-admin
+subjects:
+  - kind: ServiceAccount
+    name: argocd-cluster-admin
+    namespace: kube-system
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: argocd-cluster-admin
+  namespace: kube-system
+---

bootstrap/cluster-admin-token.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  annotations:
+    kubernetes.io/service-account.name: cluster-admin
+  name: cluster-admin-token
+  namespace: kube-system
+type: kubernetes.io/service-account-token

bootstrap/cluster-ekman.yaml

@@ -1,14 +1,12 @@
 apiVersion: v1
 stringData:
-  config: |
-    {"bearerToken":"","tlsClientConfig":{"insecure":true}}
+  config: '{"bearerToken":"@token@","tlsClientConfig":{"insecure":true}}'
   name: ekman
   server: https://10.255.241.99:4443
 kind: Secret
 metadata:
   labels:
     argocd.argoproj.io/secret-type: cluster
-  name: cluster-10.255.241.99-4046803085
+  name: cluster-ekman
   namespace: argocd
 type: Opaque
-

bootstrap/deploy.sh

@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+helm upgrade --install --create-namespace argocd argo/argo-cd -n argocd --version 7.8.0
+helm upgrade --install --create-namespace --values values.yaml argocd-apps argo/argocd-apps -n argocd
+#kubectl patch -n argocd deployment argocd-repo-server --type merge --patch-file helmfile-cmp/argo-repo-server-patch.yaml
+
+

bootstrap/helm-kustomize-cmp/deploy.sh

@@ -0,0 +1,7 @@
+#!/bin/sh
+
+img=registry.gitlab.com/oceanbox/manifests/helm-kustomize-cmp
+tag=${1:-latest}
+
+docker build -t "${img}":"${tag}" .
+docker push "${img}":"${tag}"

bootstrap/helm-kustomize-cmp/generate.sh

@@ -0,0 +1,37 @@
+#!/bin/sh
+# shellcheck disable=SC2154
+
+export HOME=/plugin
+
+env > /tmp/"${ARGOCD_APP_NAME}".env
+
+echo "${ARGOCD_APP_PARAMETERS}" | jq '.[] | select(.name == "helm-parameters") | .map' | yq -P -oy > parameters.yaml
+cp parameters.yaml /tmp/"${ARGOCD_APP_NAME}"-parameters.yaml
+
+if [ -n "${PARAM_CHART}" ] && [ "${PARAM_CHART}" != "." ]; then
+    CHART=${PARAM_CHART}
+elif [ -d chart ]; then
+    CHART=chart
+elif [ -f chart ]; then
+    CHART=$(cat chart)
+else
+    CHART="."
+fi
+
+[ -f chart/values.yaml ] && VALUES="-f chart/values.yaml"
+[ -f values-chart.yaml ] && VALUES="${VALUES} -f values-chart.yaml"
+[ -f values.yaml ] && VALUES="${VALUES} -f values.yaml"
+[ -f values-"${PARAM_ENV}".yaml ] && VALUES="${VALUES} -f values-${PARAM_ENV}.yaml"
+VALUES="${VALUES} -f parameters.yaml"
+
+helm dependency update "${CHART}" >/tmp/"${ARGOCD_APP_NAME}"-helm-dependency-build.out
+
+mkdir -p base
+echo "helm template -n ${ARGOCD_APP_NAMESPACE} ${PARAM_FLAGS} ${VALUES} ${ARGOCD_APP_NAME} ${CHART}" > /tmp/"${ARGOCD_APP_NAME}"-helm.sh
+helm template -n "${ARGOCD_APP_NAMESPACE}" "${PARAM_FLAGS}" "${VALUES}" "${ARGOCD_APP_NAME}" "${CHART}" > ./base/_manifest.yaml
+
+cp ./base/_manifest.yaml /tmp/"${ARGOCD_APP_NAME}"-manifest.yaml
+
+[ -d "${PARAM_ENV}" ] && kubectl kustomize "${PARAM_ENV}" > /tmp/"${ARGOCD_APP_NAME}"-manifest.yaml
+
+cat /tmp/"${ARGOCD_APP_NAME}"-manifest.yaml

bootstrap/helm-kustomize-cmp/get-values.sh

@@ -18,7 +18,7 @@ EOF
     exit 0
 fi
 
-yq e -o=p $VALUES | jq --slurp --raw-input '
+yq e -o=p "${VALUES}" | jq --slurp --raw-input '
   [{
     name: "helm-parameters",
     title: "Helm Parameters",

bootstrap/helm-kustomize-cmp/init-helm-repos.sh

@@ -1,8 +1,9 @@
 #!/bin/sh
+# shellcheck disable=SC2154
 
-export HOME=/helm-working-dir
+export HOME=/plugin
 
-helm repo add --username argocd-helm --password "$OCEANBOX_HELM_ACCESS_TOKEN" oceanbox \
+helm repo add --username argocd-helm --password "${OCEANBOX_HELM_ACCESS_TOKEN}" oceanbox \
     https://gitlab.com/api/v4/projects/54396343/packages/helm/stable
 
 helm repo add bitnami https://charts.bitnami.com/bitnami

bootstrap/helm-kustomize-cmp/init.sh

@@ -0,0 +1,12 @@
+#!/bin/sh
+
+export HOME=/plugin
+
+helm repo update oceanbox
+
+if [ -n "${PARAM_CHART}" ] && [ "${PARAM_CHART}" != "." ]; then
+    helm show values "${PARAM_CHART}" > values-chart.yaml
+elif [ -f chart ]; then
+    CHART=$(cat chart)
+    helm show values "${CHART}" > values-chart.yaml
+fi

bootstrap/helm-kustomize-cmp/plugin.yaml

@@ -1,7 +1,7 @@
 apiVersion: argoproj.io/v1alpha1
 kind: ConfigManagementPlugin
 metadata:
-  name: kustomize-helm-with-rewrite
+  name: helm-kustomize-cmp
 spec:
   # version: v1.2
   # The init command runs in the Application source directory at the beginning of each manifest generation. The init
@@ -9,7 +9,7 @@ spec:
   init:
     # Init always happens immediately before generate, but its output is not treated as manifests.
     # This is a good place to, for example, download chart dependencies.
-    command: [ /bin/sh ]
+    command: [/bin/sh]
     args:
       - /plugin/init.sh
   # The generate command runs in the Application source directory each time manifests are generated. Standard output
@@ -17,7 +17,7 @@ spec:
   # To write log messages from the command, write them to stderr, it will always be displayed.
   # Error output will be sent to the UI, so avoid printing sensitive information (such as secrets).
   generate:
-    command: [ /bin/sh ]
+    command: [/bin/sh]
     args:
       - /plugin/generate.sh
 
@@ -27,15 +27,15 @@ spec:
   # Only one of fileName, find.glob, or find.command should be specified. If multiple are specified then only the
   # first (in that order) is evaluated.
   # discover:
-    # fileName is a glob pattern (https://pkg.go.dev/path/filepath#Glob) that is applied to the Application's source
-    # directory. If there is a match, this plugin may be used for the Application.
-    # fileName: "./subdir/s*.yaml"
-    # find:
-      # This does the same thing as fileName, but it supports double-start (nested directory) glob patterns.
-      # glob: "**/Chart.yaml"
-      # The find command runs in the repository's root directory. To match, it must exit with status code 0 _and_
-      # produce non-empty output to standard out.
-      # command: [sh, -c, find . -name env.yaml]
+  # fileName is a glob pattern (https://pkg.go.dev/path/filepath#Glob) that is applied to the Application's source
+  # directory. If there is a match, this plugin may be used for the Application.
+  # fileName: "./subdir/s*.yaml"
+  # find:
+  # This does the same thing as fileName, but it supports double-start (nested directory) glob patterns.
+  # glob: "**/Chart.yaml"
+  # The find command runs in the repository's root directory. To match, it must exit with status code 0 _and_
+  # produce non-empty output to standard out.
+  # command: [sh, -c, find . -name env.yaml]
   # The parameters config describes what parameters the UI should display for an Application. It is up to the user to
   # actually set parameters in the Application manifest (in spec.source.plugin.parameters). The announcements _only_
   # inform the "Parameters" tab in the App Details page of the UI.
@@ -52,13 +52,6 @@ spec:
         itemType: string
         collectionType: string
         string: "staging"
-      - name: rewrite
-        title: Rewrite
-        tooltip: sed rewrite experssion
-        required: false
-        itemType: string
-        collectionType: string
-        string: ""
       - name: chart
         title: Chart
         tooltip: Name or path of helm chart
@@ -73,22 +66,21 @@ spec:
         itemType: string
         collectionType: string
         string: ""
-      # All the fields above besides "string" apply to both the array and map type parameter announcements.
-      # - name: array-param
-      #   # This field communicates the parameter's default value to the UI. Setting this field is optional.
-      #   array: [default, items]
-      #   collectionType: array
-      # - name: map-param
-      #   # This field communicates the parameter's default value to the UI. Setting this field is optional.
-      #   map:
-      #     some: value
-      #   collectionType: map
-    dynamic:
-      # The command is run in an Application's source directory. Standard output must be JSON matching the schema of the
-      # static parameter announcements list.
-      command: [ /bin/sh, /plugin/get-values.sh ]
+        # All the fields above besides 'string' apply to both the array and map type parameter announcements.
+        # - name: array-param
+        #   # This field communicates the parameter's default value to the UI. Setting this field is optional.
+        #   array: [default, items]
+        #   collectionType: array
+        # - name: map-param
+        #   # This field communicates the parameter's default value to the UI. Setting this field is optional.
+        #   map:
+        #     some: value
+        #   collectionType: map
+    # dynamic:
+    # The command is run in an Application's source directory. Standard output must be JSON matching the schema of the
+    # static parameter announcements list.
+    # command: [ /bin/sh, /plugin/get-values.sh ]
 
     # If set to `true` then the plugin receives repository files with original file mode. Dangerous since the repository
     # might have executable files. Set to true only if you trust the CMP plugin authors.
     preserveFileMode: false
-

bootstrap/helmfile-cmp/Dockerfile

@@ -0,0 +1,7 @@
+FROM ghcr.io/helmfile/helmfile:v1.1.9
+
+RUN mkdir -p /home/argocd/cmp-server/config/
+COPY plugin.yaml /home/argocd/cmp-server/config/
+
+WORKDIR /plugin
+COPY generate.sh ./

bootstrap/helmfile-cmp/argo-repo-server-old.yaml

@@ -0,0 +1,476 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  annotations:
+    argocd.argoproj.io/tracking-id: argocd:apps/Deployment:argocd/argocd-repo-server
+    deployment.kubernetes.io/revision: "27"
+  labels:
+    app.kubernetes.io/component: repo-server
+    app.kubernetes.io/instance: argocd
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: argocd-repo-server
+    app.kubernetes.io/part-of: argocd
+    app.kubernetes.io/version: v2.12.3
+    helm.sh/chart: argo-cd-7.5.2
+  name: argocd-repo-server
+  namespace: argocd
+spec:
+  progressDeadlineSeconds: 600
+  replicas: 1
+  revisionHistoryLimit: 3
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: argocd
+      app.kubernetes.io/name: argocd-repo-server
+  strategy:
+    rollingUpdate:
+      maxSurge: 25%
+      maxUnavailable: 25%
+    type: RollingUpdate
+  template:
+    metadata:
+      annotations:
+        checksum/cm: 67d6152e0e3482f9a74a6b570fd32bbec4e7856bffe49f577a2a0d3aeaed6f48
+        checksum/cmd-params: 69ed50e8936f4d6429dc331f782ad0a7d22eb12c318d6800403040352214b781
+      creationTimestamp: null
+      labels:
+        app.kubernetes.io/component: repo-server
+        app.kubernetes.io/instance: argocd
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: argocd-repo-server
+        app.kubernetes.io/part-of: argocd
+        app.kubernetes.io/version: v2.12.3
+        helm.sh/chart: argo-cd-7.5.2
+    spec:
+      affinity:
+        podAntiAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+            - podAffinityTerm:
+                labelSelector:
+                  matchLabels:
+                    app.kubernetes.io/name: argocd-repo-server
+                topologyKey: kubernetes.io/hostname
+              weight: 100
+      automountServiceAccountToken: true
+      containers:
+        - args:
+            - /usr/local/bin/argocd-repo-server
+            - --port=8081
+            - --metrics-port=8084
+          env:
+            - name: ARGOCD_REPO_SERVER_NAME
+              value: argocd-repo-server
+            - name: ARGOCD_RECONCILIATION_TIMEOUT
+              valueFrom:
+                configMapKeyRef:
+                  key: timeout.reconciliation
+                  name: argocd-cm
+                  optional: true
+            - name: ARGOCD_REPO_SERVER_LOGFORMAT
+              valueFrom:
+                configMapKeyRef:
+                  key: reposerver.log.format
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: ARGOCD_REPO_SERVER_LOGLEVEL
+              valueFrom:
+                configMapKeyRef:
+                  key: reposerver.log.level
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: ARGOCD_REPO_SERVER_PARALLELISM_LIMIT
+              valueFrom:
+                configMapKeyRef:
+                  key: reposerver.parallelism.limit
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: ARGOCD_REPO_SERVER_LISTEN_ADDRESS
+              valueFrom:
+                configMapKeyRef:
+                  key: reposerver.listen.address
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: ARGOCD_REPO_SERVER_LISTEN_METRICS_ADDRESS
+              valueFrom:
+                configMapKeyRef:
+                  key: reposerver.metrics.listen.address
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: ARGOCD_REPO_SERVER_DISABLE_TLS
+              valueFrom:
+                configMapKeyRef:
+                  key: reposerver.disable.tls
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: ARGOCD_TLS_MIN_VERSION
+              valueFrom:
+                configMapKeyRef:
+                  key: reposerver.tls.minversion
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: ARGOCD_TLS_MAX_VERSION
+              valueFrom:
+                configMapKeyRef:
+                  key: reposerver.tls.maxversion
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: ARGOCD_TLS_CIPHERS
+              valueFrom:
+                configMapKeyRef:
+                  key: reposerver.tls.ciphers
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: ARGOCD_REPO_CACHE_EXPIRATION
+              valueFrom:
+                configMapKeyRef:
+                  key: reposerver.repo.cache.expiration
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: REDIS_SERVER
+              valueFrom:
+                configMapKeyRef:
+                  key: redis.server
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: REDIS_COMPRESSION
+              valueFrom:
+                configMapKeyRef:
+                  key: redis.compression
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: REDISDB
+              valueFrom:
+                configMapKeyRef:
+                  key: redis.db
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: REDIS_USERNAME
+              valueFrom:
+                secretKeyRef:
+                  key: redis-username
+                  name: argocd-redis
+                  optional: true
+            - name: REDIS_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  key: auth
+                  name: argocd-redis
+            - name: REDIS_SENTINEL_USERNAME
+              valueFrom:
+                secretKeyRef:
+                  key: redis-sentinel-username
+                  name: argocd-redis
+                  optional: true
+            - name: REDIS_SENTINEL_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  key: redis-sentinel-password
+                  name: argocd-redis
+                  optional: true
+            - name: ARGOCD_DEFAULT_CACHE_EXPIRATION
+              valueFrom:
+                configMapKeyRef:
+                  key: reposerver.default.cache.expiration
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: ARGOCD_REPO_SERVER_OTLP_ADDRESS
+              valueFrom:
+                configMapKeyRef:
+                  key: otlp.address
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: ARGOCD_REPO_SERVER_OTLP_INSECURE
+              valueFrom:
+                configMapKeyRef:
+                  key: otlp.insecure
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: ARGOCD_REPO_SERVER_OTLP_HEADERS
+              valueFrom:
+                configMapKeyRef:
+                  key: otlp.headers
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: ARGOCD_REPO_SERVER_MAX_COMBINED_DIRECTORY_MANIFESTS_SIZE
+              valueFrom:
+                configMapKeyRef:
+                  key: reposerver.max.combined.directory.manifests.size
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: ARGOCD_REPO_SERVER_PLUGIN_TAR_EXCLUSIONS
+              valueFrom:
+                configMapKeyRef:
+                  key: reposerver.plugin.tar.exclusions
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: ARGOCD_REPO_SERVER_ALLOW_OUT_OF_BOUNDS_SYMLINKS
+              valueFrom:
+                configMapKeyRef:
+                  key: reposerver.allow.oob.symlinks
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: ARGOCD_REPO_SERVER_STREAMED_MANIFEST_MAX_TAR_SIZE
+              valueFrom:
+                configMapKeyRef:
+                  key: reposerver.streamed.manifest.max.tar.size
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: ARGOCD_REPO_SERVER_STREAMED_MANIFEST_MAX_EXTRACTED_SIZE
+              valueFrom:
+                configMapKeyRef:
+                  key: reposerver.streamed.manifest.max.extracted.size
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: ARGOCD_REPO_SERVER_HELM_MANIFEST_MAX_EXTRACTED_SIZE
+              valueFrom:
+                configMapKeyRef:
+                  key: reposerver.helm.manifest.max.extracted.size
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: ARGOCD_REPO_SERVER_DISABLE_HELM_MANIFEST_MAX_EXTRACTED_SIZE
+              valueFrom:
+                configMapKeyRef:
+                  key: reposerver.disable.helm.manifest.max.extracted.size
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: ARGOCD_GIT_MODULES_ENABLED
+              valueFrom:
+                configMapKeyRef:
+                  key: reposerver.enable.git.submodule
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: ARGOCD_GIT_LS_REMOTE_PARALLELISM_LIMIT
+              valueFrom:
+                configMapKeyRef:
+                  key: reposerver.git.lsremote.parallelism.limit
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: ARGOCD_GIT_REQUEST_TIMEOUT
+              valueFrom:
+                configMapKeyRef:
+                  key: reposerver.git.request.timeout
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: ARGOCD_REVISION_CACHE_LOCK_TIMEOUT
+              valueFrom:
+                configMapKeyRef:
+                  key: reposerver.revision.cache.lock.timeout
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: ARGOCD_REPO_SERVER_INCLUDE_HIDDEN_DIRECTORIES
+              valueFrom:
+                configMapKeyRef:
+                  key: reposerver.include.hidden.directories
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: HELM_CACHE_HOME
+              value: /helm-working-dir
+            - name: HELM_CONFIG_HOME
+              value: /helm-working-dir
+            - name: HELM_DATA_HOME
+              value: /helm-working-dir
+          image: quay.io/argoproj/argocd:v2.12.3
+          imagePullPolicy: IfNotPresent
+          livenessProbe:
+            failureThreshold: 3
+            httpGet:
+              path: /healthz?full=true
+              port: metrics
+              scheme: HTTP
+            initialDelaySeconds: 10
+            periodSeconds: 10
+            successThreshold: 1
+            timeoutSeconds: 1
+          name: repo-server
+          ports:
+            - containerPort: 8081
+              name: repo-server
+              protocol: TCP
+            - containerPort: 8084
+              name: metrics
+              protocol: TCP
+          readinessProbe:
+            failureThreshold: 3
+            httpGet:
+              path: /healthz
+              port: metrics
+              scheme: HTTP
+            initialDelaySeconds: 10
+            periodSeconds: 10
+            successThreshold: 1
+            timeoutSeconds: 1
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            seccompProfile:
+              type: RuntimeDefault
+          terminationMessagePath: /dev/termination-log
+          terminationMessagePolicy: File
+          volumeMounts:
+            - mountPath: /app/config/ssh
+              name: ssh-known-hosts
+            - mountPath: /app/config/tls
+              name: tls-certs
+            - mountPath: /app/config/gpg/source
+              name: gpg-keys
+            - mountPath: /app/config/gpg/keys
+              name: gpg-keyring
+            - mountPath: /app/config/reposerver/tls
+              name: argocd-repo-server-tls
+            - mountPath: /helm-working-dir
+              name: helm-working-dir
+            - mountPath: /home/argocd/cmp-server/plugins
+              name: plugins
+            - mountPath: /tmp
+              name: tmp
+        - command:
+            - /var/run/argocd/argocd-cmp-server
+          image: registry.gitlab.com/oceanbox/manifests/kustomize-helm-with-rewrite:latest
+          imagePullPolicy: Always
+          name: kustomize-helm-with-rewrite
+          securityContext:
+            runAsNonRoot: true
+            runAsUser: 999
+          terminationMessagePath: /dev/termination-log
+          terminationMessagePolicy: File
+          volumeMounts:
+            - mountPath: /var/run/argocd
+              name: var-files
+            - mountPath: /home/argocd/cmp-server/plugins
+              name: plugins
+            - mountPath: /tmp
+              name: cmp-tmp
+            - mountPath: /helm-working-dir
+              name: helm-working-dir
+        - command:
+            - /var/run/argocd/argocd-cmp-server
+          image: registry.gitlab.com/oceanbox/manifests/helm-kustomize-cmp:latest
+          imagePullPolicy: Always
+          name: helm-kustomize-cmp
+          securityContext:
+            runAsNonRoot: true
+            runAsUser: 999
+          terminationMessagePath: /dev/termination-log
+          terminationMessagePolicy: File
+          volumeMounts:
+            - mountPath: /var/run/argocd
+              name: var-files
+            - mountPath: /home/argocd/cmp-server/plugins
+              name: plugins
+            - mountPath: /tmp
+              name: cmp-tmp
+            - mountPath: /helm-working-dir
+              name: helm-working-dir
+        - command:
+            - /var/run/argocd/argocd-cmp-server
+          image: registry.gitlab.com/oceanbox/manifests/helmfile-cmp:latest
+          imagePullPolicy: Always
+          name: helmfile-cmp
+          securityContext:
+            runAsNonRoot: true
+            runAsUser: 999
+          terminationMessagePath: /dev/termination-log
+          terminationMessagePolicy: File
+          volumeMounts:
+            - mountPath: /var/run/argocd
+              name: var-files
+            - mountPath: /home/argocd/cmp-server/plugins
+              name: plugins
+            - mountPath: /tmp
+              name: cmp-tmp
+            - mountPath: /helm-working-dir
+              name: helm-working-dir
+      dnsPolicy: ClusterFirst
+      imagePullSecrets:
+        - name: gitlab-pull-secret
+      initContainers:
+        - command:
+            - /bin/cp
+            - -n
+            - /usr/local/bin/argocd
+            - /var/run/argocd/argocd-cmp-server
+          image: quay.io/argoproj/argocd:v2.12.3
+          imagePullPolicy: IfNotPresent
+          name: copyutil
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            seccompProfile:
+              type: RuntimeDefault
+          terminationMessagePath: /dev/termination-log
+          terminationMessagePolicy: File
+          volumeMounts:
+            - mountPath: /var/run/argocd
+              name: var-files
+        - command:
+            - /bin/sh
+            - /plugin/init-helm-repos.sh
+          env:
+            - name: OCEANBOX_HELM_ACCESS_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  key: token
+                  name: oceanbox-helm
+                  optional: false
+          image: registry.gitlab.com/oceanbox/manifests/kustomize-helm-with-rewrite:latest
+          imagePullPolicy: Always
+          name: init-helm-repos
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            runAsUser: 999
+            seccompProfile:
+              type: RuntimeDefault
+          terminationMessagePath: /dev/termination-log
+          terminationMessagePolicy: File
+          volumeMounts:
+            - mountPath: /helm-working-dir
+              name: helm-working-dir
+      restartPolicy: Always
+      schedulerName: default-scheduler
+      serviceAccount: argocd-repo-server
+      serviceAccountName: argocd-repo-server
+      terminationGracePeriodSeconds: 30
+      volumes:
+        - name: cmp-tmp
+        - name: helm-working-dir
+        - name: plugins
+        - name: var-files
+        - name: tmp
+        - configMap:
+            defaultMode: 420
+            name: argocd-ssh-known-hosts-cm
+          name: ssh-known-hosts
+        - configMap:
+            defaultMode: 420
+            name: argocd-tls-certs-cm
+          name: tls-certs
+        - configMap:
+            defaultMode: 420
+            name: argocd-gpg-keys-cm
+          name: gpg-keys
+        - name: gpg-keyring
+        - name: argocd-repo-server-tls
+          secret:
+            defaultMode: 420
+            items:
+              - key: tls.crt
+                path: tls.crt
+              - key: tls.key
+                path: tls.key
+              - key: ca.crt
+                path: ca.crt
+            optional: true
+            secretName: argocd-repo-server-tls

bootstrap/helmfile-cmp/argo-repo-server-patch.yaml

@@ -0,0 +1,27 @@
+# Don't apply this patch with kubectl, it overwrites the original repo-server!
+# Instead merge by hand in the bootstap process.
+spec:
+  template:
+    spec:
+      imagePullSecrets:
+        - name: gitlab-pull-secret
+      containers:
+        - command:
+            - /var/run/argocd/argocd-cmp-server
+          image: registry.gitlab.com/oceanbox/manifests/helmfile-cmp:latest
+          imagePullPolicy: Always
+          name: helmfile-cmp
+          securityContext:
+            runAsNonRoot: true
+            runAsUser: 999
+          terminationMessagePath: /dev/termination-log
+          terminationMessagePolicy: File
+          volumeMounts:
+            - mountPath: /var/run/argocd
+              name: var-files
+            - mountPath: /home/argocd/cmp-server/plugins
+              name: plugins
+            - mountPath: /tmp
+              name: tmp
+            - mountPath: /helm-working-dir
+              name: helm-working-dir

bootstrap/helmfile-cmp/deploy.sh

@@ -0,0 +1,7 @@
+#!/bin/sh
+
+img=registry.gitlab.com/oceanbox/manifests/helmfile-cmp
+tag=${1:-latest}
+
+docker build -t "${img}":"${tag}" .
+docker push "${img}":"${tag}"

bootstrap/helmfile-cmp/generate.sh

@@ -0,0 +1,17 @@
+#!/bin/sh
+# shellcheck disable=SC2154
+
+# NOTE: Ensure errors are part of exitcode
+# set -o pipefail
+
+export HOME=/plugin
+
+export HELM_CACHE_HOME=/tmp/helm/cache
+export HELM_CONFIG_HOME=/tmp/helm/config
+export HELMFILE_CACHE_HOME=/tmp/helmfile/cache
+export HELMFILE_TEMPDIR=/tmp/helmfile/tmp
+
+test -n ARGOCD_ENV_HELMFILE_ENVIRONMENT && export HELMFILE_ENVIRONMENT="${ARGOCD_ENV_HELMFILE_ENVIRONMENT}"
+test -n ARGOCD_ENV_HELMFILE_FILE_PATH && export HELMFILE_FILE_PATH="${ARGOCD_ENV_HELMFILE_FILE_PATH}"
+
+helmfile -n "${ARGOCD_APP_NAMESPACE}" "${ARGS}" template -q --include-crds

bootstrap/helmfile-cmp/plugin.yaml

@@ -0,0 +1,11 @@
+apiVersion: argoproj.io/v1alpha1
+kind: ConfigManagementPlugin
+metadata:
+  name: helmfile-cmp
+spec:
+  generate:
+    command: ["/bin/sh"]
+    args:
+      - /plugin/generate.sh
+  lockRepo: false
+  preserveFileMode: true

bootstrap/kustomize-helm-with-rewrite/argo-repo-server.yaml

@@ -0,0 +1,424 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  annotations:
+    argocd.argoproj.io/tracking-id: argocd:apps/Deployment:argocd/argocd-repo-server
+  labels:
+    app.kubernetes.io/component: repo-server
+    app.kubernetes.io/instance: argocd
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: argocd-repo-server
+    app.kubernetes.io/part-of: argocd
+    app.kubernetes.io/version: v2.10.4
+    helm.sh/chart: argo-cd-6.7.3
+  name: argocd-repo-server
+  namespace: argocd
+spec:
+  progressDeadlineSeconds: 600
+  replicas: 1
+  revisionHistoryLimit: 3
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: argocd
+      app.kubernetes.io/name: argocd-repo-server
+  strategy:
+    rollingUpdate:
+      maxSurge: 25%
+      maxUnavailable: 25%
+    type: RollingUpdate
+  template:
+    metadata:
+      annotations:
+        checksum/cm: 3d88c02b8c8e470b75262aae39da4b4bc6f29a02d2a6c7a9e0d44d2d69aa908b
+        checksum/cmd-params: d76791b7d65a3839bc44b46b65ecfecb5be7ac834b4915b0dea1577f524ea687
+      creationTimestamp: null
+      labels:
+        app.kubernetes.io/component: repo-server
+        app.kubernetes.io/instance: argocd
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: argocd-repo-server
+        app.kubernetes.io/part-of: argocd
+        app.kubernetes.io/version: v2.10.4
+        helm.sh/chart: argo-cd-6.7.3
+    spec:
+      affinity:
+        podAntiAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+            - podAffinityTerm:
+                labelSelector:
+                  matchLabels:
+                    app.kubernetes.io/name: argocd-repo-server
+                topologyKey: kubernetes.io/hostname
+              weight: 100
+      containers:
+        - args:
+            - /usr/local/bin/argocd-repo-server
+            - --port=8081
+            - --metrics-port=8084
+          env:
+            - name: ARGOCD_REPO_SERVER_NAME
+              value: argocd-repo-server
+            - name: ARGOCD_RECONCILIATION_TIMEOUT
+              valueFrom:
+                configMapKeyRef:
+                  key: timeout.reconciliation
+                  name: argocd-cm
+                  optional: true
+            - name: ARGOCD_REPO_SERVER_LOGFORMAT
+              valueFrom:
+                configMapKeyRef:
+                  key: reposerver.log.format
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: ARGOCD_REPO_SERVER_LOGLEVEL
+              valueFrom:
+                configMapKeyRef:
+                  key: reposerver.log.level
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: ARGOCD_REPO_SERVER_PARALLELISM_LIMIT
+              valueFrom:
+                configMapKeyRef:
+                  key: reposerver.parallelism.limit
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: ARGOCD_REPO_SERVER_LISTEN_ADDRESS
+              valueFrom:
+                configMapKeyRef:
+                  key: reposerver.listen.address
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: ARGOCD_REPO_SERVER_LISTEN_METRICS_ADDRESS
+              valueFrom:
+                configMapKeyRef:
+                  key: reposerver.metrics.listen.address
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: ARGOCD_REPO_SERVER_DISABLE_TLS
+              valueFrom:
+                configMapKeyRef:
+                  key: reposerver.disable.tls
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: ARGOCD_TLS_MIN_VERSION
+              valueFrom:
+                configMapKeyRef:
+                  key: reposerver.tls.minversion
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: ARGOCD_TLS_MAX_VERSION
+              valueFrom:
+                configMapKeyRef:
+                  key: reposerver.tls.maxversion
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: ARGOCD_TLS_CIPHERS
+              valueFrom:
+                configMapKeyRef:
+                  key: reposerver.tls.ciphers
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: ARGOCD_REPO_CACHE_EXPIRATION
+              valueFrom:
+                configMapKeyRef:
+                  key: reposerver.repo.cache.expiration
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: REDIS_SERVER
+              valueFrom:
+                configMapKeyRef:
+                  key: redis.server
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: REDIS_COMPRESSION
+              valueFrom:
+                configMapKeyRef:
+                  key: redis.compression
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: REDISDB
+              valueFrom:
+                configMapKeyRef:
+                  key: redis.db
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: REDIS_USERNAME
+              valueFrom:
+                secretKeyRef:
+                  key: redis-username
+                  name: argocd-redis
+                  optional: true
+            - name: REDIS_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  key: redis-password
+                  name: argocd-redis
+                  optional: true
+            - name: ARGOCD_DEFAULT_CACHE_EXPIRATION
+              valueFrom:
+                configMapKeyRef:
+                  key: reposerver.default.cache.expiration
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: ARGOCD_REPO_SERVER_OTLP_ADDRESS
+              valueFrom:
+                configMapKeyRef:
+                  key: otlp.address
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: ARGOCD_REPO_SERVER_OTLP_INSECURE
+              valueFrom:
+                configMapKeyRef:
+                  key: otlp.insecure
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: ARGOCD_REPO_SERVER_OTLP_HEADERS
+              valueFrom:
+                configMapKeyRef:
+                  key: otlp.headers
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: ARGOCD_REPO_SERVER_MAX_COMBINED_DIRECTORY_MANIFESTS_SIZE
+              valueFrom:
+                configMapKeyRef:
+                  key: reposerver.max.combined.directory.manifests.size
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: ARGOCD_REPO_SERVER_PLUGIN_TAR_EXCLUSIONS
+              valueFrom:
+                configMapKeyRef:
+                  key: reposerver.plugin.tar.exclusions
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: ARGOCD_REPO_SERVER_ALLOW_OUT_OF_BOUNDS_SYMLINKS
+              valueFrom:
+                configMapKeyRef:
+                  key: reposerver.allow.oob.symlinks
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: ARGOCD_REPO_SERVER_STREAMED_MANIFEST_MAX_TAR_SIZE
+              valueFrom:
+                configMapKeyRef:
+                  key: reposerver.streamed.manifest.max.tar.size
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: ARGOCD_REPO_SERVER_STREAMED_MANIFEST_MAX_EXTRACTED_SIZE
+              valueFrom:
+                configMapKeyRef:
+                  key: reposerver.streamed.manifest.max.extracted.size
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: ARGOCD_REPO_SERVER_HELM_MANIFEST_MAX_EXTRACTED_SIZE
+              valueFrom:
+                configMapKeyRef:
+                  key: reposerver.helm.manifest.max.extracted.size
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: ARGOCD_REPO_SERVER_DISABLE_HELM_MANIFEST_MAX_EXTRACTED_SIZE
+              valueFrom:
+                configMapKeyRef:
+                  key: reposerver.disable.helm.manifest.max.extracted.size
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: ARGOCD_GIT_MODULES_ENABLED
+              valueFrom:
+                configMapKeyRef:
+                  key: reposerver.enable.git.submodule
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: ARGOCD_GIT_LS_REMOTE_PARALLELISM_LIMIT
+              valueFrom:
+                configMapKeyRef:
+                  key: reposerver.git.lsremote.parallelism.limit
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: ARGOCD_GIT_REQUEST_TIMEOUT
+              valueFrom:
+                configMapKeyRef:
+                  key: reposerver.git.request.timeout
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: HELM_CACHE_HOME
+              value: /helm-working-dir
+            - name: HELM_CONFIG_HOME
+              value: /helm-working-dir
+            - name: HELM_DATA_HOME
+              value: /helm-working-dir
+          image: quay.io/argoproj/argocd:v2.10.4
+          imagePullPolicy: IfNotPresent
+          livenessProbe:
+            failureThreshold: 3
+            httpGet:
+              path: /healthz?full=true
+              port: metrics
+              scheme: HTTP
+            initialDelaySeconds: 10
+            periodSeconds: 10
+            successThreshold: 1
+            timeoutSeconds: 1
+          name: repo-server
+          ports:
+            - containerPort: 8081
+              name: repo-server
+              protocol: TCP
+            - containerPort: 8084
+              name: metrics
+              protocol: TCP
+          readinessProbe:
+            failureThreshold: 3
+            httpGet:
+              path: /healthz
+              port: metrics
+              scheme: HTTP
+            initialDelaySeconds: 10
+            periodSeconds: 10
+            successThreshold: 1
+            timeoutSeconds: 1
+          resources: {}
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            seccompProfile:
+              type: RuntimeDefault
+          terminationMessagePath: /dev/termination-log
+          terminationMessagePolicy: File
+          volumeMounts:
+            - mountPath: /app/config/ssh
+              name: ssh-known-hosts
+            - mountPath: /app/config/tls
+              name: tls-certs
+            - mountPath: /app/config/gpg/source
+              name: gpg-keys
+            - mountPath: /app/config/gpg/keys
+              name: gpg-keyring
+            - mountPath: /app/config/reposerver/tls
+              name: argocd-repo-server-tls
+            - mountPath: /helm-working-dir
+              name: helm-working-dir
+            - mountPath: /home/argocd/cmp-server/plugins
+              name: plugins
+            - mountPath: /tmp
+              name: tmp
+        - command:
+            - /var/run/argocd/argocd-cmp-server
+          image: registry.gitlab.com/oceanbox/manifests/kustomize-helm-with-rewrite:latest
+          imagePullPolicy: Always
+          name: kustomize-helm-with-rewrite
+          resources: {}
+          securityContext:
+            runAsNonRoot: true
+            runAsUser: 999
+          terminationMessagePath: /dev/termination-log
+          terminationMessagePolicy: File
+          volumeMounts:
+            - mountPath: /var/run/argocd
+              name: var-files
+            - mountPath: /home/argocd/cmp-server/plugins
+              name: plugins
+            - mountPath: /tmp
+              name: cmp-tmp
+            - mountPath: /helm-working-dir
+              name: helm-working-dir
+      dnsPolicy: ClusterFirst
+      imagePullSecrets:
+        - name: gitlab-pull-secret
+      initContainers:
+        - command:
+            - /bin/cp
+            - -n
+            - /usr/local/bin/argocd
+            - /var/run/argocd/argocd-cmp-server
+          image: quay.io/argoproj/argocd:v2.10.4
+          imagePullPolicy: IfNotPresent
+          name: copyutil
+          resources: {}
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            seccompProfile:
+              type: RuntimeDefault
+          terminationMessagePath: /dev/termination-log
+          terminationMessagePolicy: File
+          volumeMounts:
+            - mountPath: /var/run/argocd
+              name: var-files
+        - command:
+            - /bin/sh
+            - /plugin/init-helm-repos.sh
+          image: registry.gitlab.com/oceanbox/manifests/kustomize-helm-with-rewrite:latest
+          imagePullPolicy: Always
+          name: init-helm-repos
+          resources: {}
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            readOnlyRootFilesystem: true
+            runAsUser: 999
+            runAsNonRoot: true
+            seccompProfile:
+              type: RuntimeDefault
+          terminationMessagePath: /dev/termination-log
+          terminationMessagePolicy: File
+          env:
+            - name: OCEANBOX_HELM_ACCESS_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  key: token
+                  name: oceanbox-helm
+                  optional: false
+          volumeMounts:
+            - mountPath: /helm-working-dir
+              name: helm-working-dir
+      restartPolicy: Always
+      schedulerName: default-scheduler
+      securityContext: {}
+      serviceAccount: argocd-repo-server
+      serviceAccountName: argocd-repo-server
+      terminationGracePeriodSeconds: 30
+      volumes:
+        - emptyDir: {}
+          name: cmp-tmp
+        - emptyDir: {}
+          name: helm-working-dir
+        - emptyDir: {}
+          name: plugins
+        - emptyDir: {}
+          name: var-files
+        - emptyDir: {}
+          name: tmp
+        - configMap:
+            defaultMode: 420
+            name: argocd-ssh-known-hosts-cm
+          name: ssh-known-hosts
+        - configMap:
+            defaultMode: 420
+            name: argocd-tls-certs-cm
+          name: tls-certs
+        - configMap:
+            defaultMode: 420
+            name: argocd-gpg-keys-cm
+          name: gpg-keys
+        - emptyDir: {}
+          name: gpg-keyring
+        - name: argocd-repo-server-tls
+          secret:
+            defaultMode: 420
+            items:
+              - key: tls.crt
+                path: tls.crt
+              - key: tls.key
+                path: tls.key
+              - key: ca.crt
+                path: ca.crt
+            optional: true
+            secretName: argocd-repo-server-tls

bootstrap/purge.sh

@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+helm uninstall argocd argo/argocd-apps -n argocd
+helm uninstall argocd argo/argo-cd -n argocd
+
+

bootstrap/reset-ekman-cluster.sh

@@ -0,0 +1,21 @@
+#!/bin/sh
+
+echo "reset ekman cluster admin token... "
+kubectl --context ekman delete -f cluster-admin-token.yaml
+sleep 1
+kubectl --context ekman apply -f cluster-admin-token.yaml
+
+# secret=$(kubectl --context ekman get secret -n kube-system | grep cluster-admin-token | cut -d' ' -f1)
+# token=$(kubectl --context ekman get secret -n kube-system $secret -o yaml | grep ' token:' | cut -d' ' -f4 | base64 -d)
+# sed "s/@token@/$token/" cluster-ekman.yaml > _cluster-ekman.yaml
+# echo "configure argocd ekman-cluster..."
+# cat _cluster-ekman.yaml
+# kubectl --context oceanbox apply -f _cluster-ekman.yaml
+
+token=$(kubectl --context ekman get secret -n kube-system argocd-manager-token -o yaml | grep ' token:' | cut -d' ' -f4 | base64 -d)
+sed "s/@token@/${token}/" cluster-ekman.yaml > _cluster-ekman.yaml
+echo "configure argocd ekman-cluster..."
+cat _cluster-ekman.yaml
+kubectl --context oceanbox apply -f _cluster-ekman.yaml
+echo "done."
+

bootstrap/staging-vcluster.yaml

@@ -13,4 +13,3 @@ stringData:
   name: staging-vcluster
   server: https://staging-vcluster.staging-vcluster
 type: Opaque
-

bootstrap/values.yaml

@@ -0,0 +1,43 @@
+## !!
+# This values files only contains the bare minimum to get argo up and running.
+# Only update things like initial argo-cd version here
+# Rest of config is located in argocd-apps/sys/argocd.yaml
+##
+applications:
+  system:
+    namespace: argocd
+    additionalAnnotations:
+      argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+    destination:
+      namespace: argocd
+      server: https://kubernetes.default.svc
+    project: sys
+    sources:
+      - repoURL: https://gitlab.com/oceanbox//manifests.git
+        targetRevision: HEAD
+        path: helmfile.d
+        plugin:
+          name: helmfile-cmp
+          env:
+            - name: CLUSTER_NAME
+              value: replaceme
+            - name: HELMFILE_ENVIRONMENT
+              value: default
+            - name: HELMFILE_FILE_PATH
+              value: system.yaml.gotmpl
+projects:
+  sys:
+    namespace: argocd
+    additionalLabels: {}
+    additionalAnnotations: {}
+    description: sys components project
+    sourceRepos:
+      - "*"
+    destinations:
+      - namespace: "*"
+        server: https://kubernetes.default.svc
+    clusterResourceWhitelist:
+      - group: "*"
+        kind: "*"
+    orphanedResources:
+      warn: false

charts/archmeister/templates/internal-ingress.yaml

@@ -20,7 +20,7 @@ metadata:
     {{- include "Archmeister.labels" . | nindent 4 }}
   {{- with .Values.ingress.annotations }}
   annotations:
-    atlantis.oceanbox.io/expose: internal
+    oceanbox.io/expose: internal
     {{- toYaml . | nindent 4 }}
   {{- end }}
 spec:

charts/atlantis/Chart.yaml

@@ -1,18 +1,15 @@
 apiVersion: v2
 name: atlantis
 description: Atlantis map and simulation service
-# A chart can be either an 'application' or a 'library' chart.
-#
-# Application charts are a collection of templates that can be packaged into versioned archives
-# to be deployed.
-#
-# Library charts provide useful utilities or functions for the chart developer. They're included as
-# a dependency of application charts to inject those utilities and functions into the rendering
-# pipeline. Library charts do not define any templates and therefore cannot be deployed.
 type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
-version: v2.87.1
+version: v1.35.2
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application.
-appVersion: v2.87.1
+appVersion: v1.35.2
+dependencies:
+  - name: diagrid-dashboard
+    version: "0.1.0"
+    repository: "file://../diagrid-dashboard"
+    condition: diagrid-dashboard.enabled

charts/atlantis/templates/cluster.yaml

@@ -2,25 +2,106 @@
 apiVersion: postgresql.cnpg.io/v1
 kind: Cluster
 metadata:
-  name: {{ include "Atlantis.fullname" . }}
+  name: {{ include "Atlantis.fullname" . }}-db
+  namespace: {{ .Release.Namespace }}
   annotations:
     linkerd.io/inject: disabled
   labels:
     {{- include "Atlantis.labels" . | nindent 4 }}
 spec:
-  instances: {{ .Values.cluster.instances | default "2" }}
-
+  instances: {{ .Values.cluster.instances | default "1" }}
+  imageName: ghcr.io/cloudnative-pg/postgis:15-3.3
   # Example of rolling update strategy:
   # - unsupervised: automated update of the primary once all
   #                 replicas have been upgraded (default)
   # - supervised: requires manual supervision to perform
   #               the switchover of the primary
   primaryUpdateStrategy: unsupervised
-  backup:
-    retentionPolicy: {{ .Values.cluster.backupRetention | default "60d" }}
-
+  {{- if .Values.cluster.backup.enabled }}
+  plugins:
+  - name: barman-cloud.cloudnative-pg.io
+    isWALArchiver: true
+    parameters:
+      barmanObjectName: tos-store
+  {{- end}}
   storage:
     size: {{ .Values.cluster.size | default "5Gi" }}
+{{- with .Values.cluster.bootstrap }}
+  bootstrap:
+{{- if .enabled }}
+    pg_basebackup:
+      source: archmaester
+  externalClusters:
+  - name: archmaester
+    connectionParameters:
+      host: {{ .source.db }}-rw.{{ .source.namespace }}
+      user: streaming_replica
+      sslmode: verify-full
+    sslKey:
+      name: {{ .source.db }}-replication
+      key: tls.key
+    sslCert:
+      name: {{ .source.db }}-replication
+      key: tls.crt
+    sslRootCert:
+      name: {{ .source.db }}-ca
+      key: ca.crt
+{{- else }}
+    initdb:
+      postInitTemplateSQL:
+        - CREATE EXTENSION postgis;
+        - CREATE EXTENSION postgis_topology;
+        - CREATE EXTENSION fuzzystrmatch;
+        - CREATE EXTENSION postgis_tiger_geocoder;
+        - ALTER USER app WITH SUPERUSER;
+{{- end }}
+{{- end }}
+---
+{{- if and .Values.cluster.backup.enabled .Values.cluster.enabled -}}
+apiVersion: barmancloud.cnpg.io/v1
+kind: ObjectStore
+metadata:
+  name: tos-store
+  namespace: {{ .Release.Namespace }}
+spec:
+  retentionPolicy: {{ .Values.cluster.backup.backupRetention | default "60d" }}
+  configuration:
+    destinationPath: {{ .Values.cluster.destinationPath | default ""}}
+    endpointURL: http://10.255.241.30:30080
+    s3Credentials:
+      accessKeyId:
+        name: cnpg-s3
+        key: access_key
+      secretAccessKey:
+        name: cnpg-s3
+        key: access_secret
+    wal:
+      compression: snappy
+---
+apiVersion: postgresql.cnpg.io/v1
+kind: ScheduledBackup
+metadata:
+  name: {{ include "Atlantis.fullname" . }}-db
+  namespace: {{ .Release.Namespace }}
+spec:
+  schedule: "0 0 1 * * *"
+  backupOwnerReference: self
+  cluster:
+    name: '{{ include "Atlantis.fullname" . }}-db'
+  method: plugin
+  pluginConfiguration:
+    name: barman-cloud.cloudnative-pg.io
+{{- end }}
+---
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+  name: {{ include "Atlantis.fullname" . }}-db-monitor
+  namespace: {{ .Release.Namespace }}
+spec:
+  selector:
+    matchLabels:
+      cnpg.io/cluster: {{ include "Atlantis.fullname" . }}-db
+  podMetricsEndpoints:
+  - port: metrics
 {{- end }}
-
-

charts/atlantis/templates/deployment.yaml

@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: {{ include "Atlantis.fullname" . }}
+  namespace: {{ .Release.Namespace }}
   labels:
     {{- include "Atlantis.labels" . | nindent 4 }}
 spec:
@@ -39,6 +40,12 @@ spec:
               protocol: TCP
           env:
             {{- toYaml .Values.env | nindent 12 }}
+          startupProbe:
+            httpGet:
+              path: /healthz
+              port: http
+            initialDelaySeconds: 30
+            failureThreshold: 10
           livenessProbe:
             httpGet:
               path: /healthz

charts/atlantis/templates/hpa.yaml

@@ -3,6 +3,7 @@ apiVersion: autoscaling/v2beta1
 kind: HorizontalPodAutoscaler
 metadata:
   name: {{ include "Atlantis.fullname" . }}
+  namespace: {{ .Release.Namespace }}
   labels:
     {{- include "Atlantis.labels" . | nindent 4 }}
 spec:

charts/atlantis/templates/ingress.yaml

@@ -16,6 +16,7 @@ apiVersion: extensions/v1beta1
 kind: Ingress
 metadata:
   name: {{ $fullName }}
+  namespace: {{ .Release.Namespace }}
   labels:
     {{- include "Atlantis.labels" . | nindent 4 }}
   {{- with .Values.ingress.annotations }}
@@ -53,8 +54,8 @@ spec:
                 port:
                   number: {{ $svcPort }}
               {{- else }}
-              serviceName: {{ $fullName }}
-              servicePort: {{ $svcPort }}
+              serviceName: {{ .serviceName | default $fullName }}
+              servicePort: {{ .servicePort | default $svcPort }}
               {{- end }}
           {{- end }}
     {{- end }}

charts/atlantis/templates/internal-ingress.yaml

@@ -0,0 +1,62 @@
+{{- if .Values.ingress.enabled -}}
+{{- $fullName := include "Atlantis.fullname" . -}}
+{{- $svcPort := .Values.service.port -}}
+{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
+  {{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }}
+  {{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}}
+  {{- end }}
+{{- end }}
+{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1
+{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1beta1
+{{- else -}}
+apiVersion: extensions/v1beta1
+{{- end }}
+kind: Ingress
+metadata:
+  name: {{ $fullName }}-internal
+  labels:
+    {{- include "Atlantis.labels" . | nindent 4 }}
+  {{- with .Values.ingress.annotations }}
+  annotations:
+    oceanbox.io/expose: internal
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
+  ingressClassName: {{ .Values.ingress.className }}
+  {{- end }}
+  {{- if .Values.ingress.tls }}
+  tls:
+    {{- range .Values.ingress.tls }}
+    - hosts:
+        {{- range .hosts }}
+        - {{ . | quote }}
+        {{- end }}
+      secretName: {{ .secretName }}
+    {{- end }}
+  {{- end }}
+  rules:
+    {{- range .Values.ingress.hosts }}
+    - host: {{ .host | quote }}
+      http:
+        paths:
+          {{- range .internal }}
+          - path: {{ .path }}
+            {{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }}
+            pathType: {{ .pathType }}
+            {{- end }}
+            backend:
+              {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
+              service:
+                name: {{ $fullName }}
+                port:
+                  number: {{ $svcPort }}
+              {{- else }}
+              serviceName: {{ $fullName }}
+              servicePort: {{ $svcPort }}
+              {{- end }}
+          {{- end }}
+    {{- end }}
+{{- end }}

charts/atlantis/templates/pvc.yaml

@@ -3,6 +3,7 @@ kind: PersistentVolumeClaim
 apiVersion: v1
 metadata:
   name: {{ template "Atlantis.fullname" . }}
+  namespace: {{ .Release.Namespace }}
 {{- with .Values.persistence.annotations  }}
   annotations:
 {{ toYaml . | indent 4 }}

charts/atlantis/templates/redis.yaml

@@ -0,0 +1,62 @@
+{{- if .Values.redis.enabled -}}
+apiVersion: dragonflydb.io/v1alpha1
+kind: Dragonfly
+metadata:
+  name: {{ include "Atlantis.fullname" . }}-redis
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    linkerd.io/inject: disabled
+  labels:
+    app.kubernetes.io/created-by: dragonfly-operator
+    {{- include "Atlantis.labels" . | nindent 4 }}
+spec:
+  args:
+    - --dbfilename=dump           # Static filename prevents disk exhaustion
+    - --maxmemory=$(MAX_MEMORY)Mi # Graceful memory management (90% of limit)
+    - --proactor_threads=1 # Auto-detect CPU cores (optimal threading)
+    - --cluster_mode=emulated
+    - --logtostderr
+    - --save_schedule=            # Disable continuous saves (cron snapshots only)
+    - --s3_endpoint=hel1.your-objectstorage.com # Hertzner S3
+  env:
+    - name: MAX_MEMORY
+      valueFrom:
+        resourceFieldRef:
+          resource: limits.memory
+          divisor: 1Mi
+  {{- if .Values.redis.backup.enabled }}
+    - name: AWS_ACCESS_KEY_ID
+      valueFrom:
+        secretKeyRef:
+          key: access_key
+          name: redis-s3
+    - name: AWS_SECRET_ACCESS_KEY
+      valueFrom:
+        secretKeyRef:
+          key: access_secret
+          name: redis-s3
+  {{- end}}
+  replicas: {{ .Values.redis.replicas | default "1" }}
+  resources:
+    requests:
+      cpu: {{ .Values.redis.resources.cpu | default "150m" }}
+      memory: {{ .Values.redis.resources.memory | default "256Mi"}}
+    limits:
+      memory: {{ .Values.redis.resources.memory | default "256Mi"}}
+  authentication:
+    passwordFromSecret:
+      name: {{ .Values.redis.secret.name | quote }}
+      key: {{ .Values.redis.secret.key | quote }}
+  {{- if .Values.redis.backup.enabled }}
+  snapshot:
+    dir: "s3://obx-redis/hel1/{{ include "Atlantis.fullname" . }}-redis"
+    cron: "0 3 * * *" # Default: every day at 03:00
+    enableOnMasterOnly: false
+    persistentVolumeClaimSpec:
+      accessModes:
+      - ReadWriteOnce
+      resources:
+        requests:
+          storage: {{ .Values.redis.size | default "1Gi" }}
+  {{- end }}
+{{- end}}

charts/atlantis/templates/secrets.yaml

@@ -0,0 +1,38 @@
+{{- if not .Values.cluster.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+  annotations:
+    kyverno/clone: "true"
+  name: {{ include "Atlantis.fullname" . }}-db-superuser
+  namespace: {{ .Release.Namespace }}
+type: kubernetes.io/basic-auth
+data:
+  username:
+  password:
+{{- else }}
+{{- if .Values.cluster.bootstrap.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+  annotations:
+    kyverno/clone: "true"
+  name: {{ .Values.cluster.bootstrap.source.db }}-replication
+type: kubernetes.io/tls
+data:
+  tls.crt: ""
+  tls.key: ""
+---
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+  annotations:
+    kyverno/clone: "true"
+  name: {{ .Values.cluster.bootstrap.source.db }}-ca
+  namespace: {{ .Release.Namespace }}
+data:
+  ca.crt: ""
+  ca.key: ""
+{{- end }}
+{{- end }}

charts/atlantis/templates/service.yaml

@@ -2,6 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
   name: {{ include "Atlantis.fullname" . }}
+  namespace: {{ .Release.Namespace }}
   labels:
     {{- include "Atlantis.labels" . | nindent 4 }}
 spec:

charts/atlantis/templates/serviceaccount.yaml

@@ -3,6 +3,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ include "Atlantis.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
   labels:
     {{- include "Atlantis.labels" . | nindent 4 }}
   {{- with .Values.serviceAccount.annotations }}

charts/atlantis/templates/servicemonitor.yaml

@@ -0,0 +1,20 @@
+{{- if .Values.serviceMonitor.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: {{ include "Atlantis.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  endpoints:
+  - honorLabels: false
+    path: /metrics
+    port: http
+  jobLabel: {{ .Values.serviceMonitor.label | default (include "Atlantis.fullname" .) }}
+  namespaceSelector:
+    matchNames:
+    - {{ .Release.Namespace }}
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: {{ include "Atlantis.fullname" . }}
+      app.kubernetes.io/name: atlantis
+{{- end }}

charts/atlantis/values.yaml

@@ -1,11 +1,10 @@
 # Default values for Atlantis.
 # This is a YAML-formatted file.
 # Declare variables to be passed into your templates.
-
 replicaCount: 1
 image:
-  repository: registry.gitlab.com/oceanbox/atlantis
-  tag: v2.87.1
+  repository: registry.gitlab.com/oceanbox/poseidon/atlantis
+  tag: v1.35.2
   pullPolicy: IfNotPresent
 init:
   enabled: false
@@ -13,7 +12,7 @@ init:
   command: ["/bin/sh", "-c", "true"]
 env:
   - name: LOG_LEVEL
-    value: "3"
+    value: "2"
   - name: APP_NAME
     valueFrom:
       fieldRef:
@@ -47,7 +46,7 @@ service:
   type: ClusterIP
   port: 8085
 ingress:
-  enabled: true
+  enabled: false
   className: "nginx"
   annotations:
     nginx.ingress.kubernetes.io/ssl-redirect: "true"
@@ -57,6 +56,13 @@ ingress:
       paths:
         - path: /
           pathType: ImplementationSpecific
+        - path: /events
+          pathType: ImplementationSpecific
+          serviceName: main-ingress-nginx-defaultbackend.ingress-nginx
+          servicePort: 80
+      internal:
+        - path: /internal
+          pathType: ImplementationSpecific
   tls:
     - hosts:
         - atlantis.srv.oceanbox.io
@@ -66,12 +72,27 @@ persistence:
   size: 1G
   storageClass: ""
   accessMode: ReadWriteOnce
-cluster:
+redis:
   enabled: false
-  instances: 2
-  backupEnabled: true
-  backupRetention: 60d
+  instances: 1
+  # metrics:
+  # enabled: false
+  backup:
+    enabled: false
   size: 5Gi
+cluster:
+  enabled: true
+  instances: 1
+  destinationPath: "s3://cnpg/prod-atlantis-db"
+  backup:
+    enabled: true
+    backupRetention: 60d
+  size: 5Gi
+  bootstrap:
+    enabled: true
+    source:
+      db: prod-atlantis-db
+      namespace: prod-atlantis
 resources: {}
 # We usually recommend not to specify default resources and to leave this as a conscious
 # choice for the user. This also increases chances charts run on environments with little
@@ -90,6 +111,11 @@ autoscaling:
   maxReplicas: 100
   targetCPUUtilizationPercentage: 80
   # targetMemoryUtilizationPercentage: 80
+serviceMonitor:
+  enabled: true
 nodeSelector: {}
 tolerations: []
 affinity: {}
+
+diagrid-dashboard:
+  enabled: false

charts/codex/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

charts/codex/Chart.yaml

@@ -0,0 +1,21 @@
+apiVersion: v2
+name: codex
+description: A Helm chart for Kubernetes
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: v1.35.2
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "v1.35.2"

charts/codex/templates/NOTES.txt

@@ -0,0 +1,22 @@
+1. Get the application URL by running these commands:
+{{- if .Values.ingress.enabled }}
+{{- range $host := .Values.ingress.hosts }}
+  {{- range .paths }}
+  http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }}
+  {{- end }}
+{{- end }}
+{{- else if contains "NodePort" .Values.service.type }}
+  export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "codex.fullname" . }})
+  export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+  echo http://$NODE_IP:$NODE_PORT
+{{- else if contains "LoadBalancer" .Values.service.type }}
+     NOTE: It may take a few minutes for the LoadBalancer IP to be available.
+           You can watch its status by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "codex.fullname" . }}'
+  export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "codex.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
+  echo http://$SERVICE_IP:{{ .Values.service.port }}
+{{- else if contains "ClusterIP" .Values.service.type }}
+  export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "codex.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
+  export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
+  echo "Visit http://127.0.0.1:8080 to use your application"
+  kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT
+{{- end }}

charts/codex/templates/_helpers.tpl

@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "codex.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "codex.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "codex.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "codex.labels" -}}
+helm.sh/chart: {{ include "codex.chart" . }}
+{{ include "codex.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "codex.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "codex.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "codex.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "codex.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}

charts/codex/templates/deployment.yaml

@@ -0,0 +1,78 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "codex.fullname" . }}
+  labels:
+    {{- include "codex.labels" . | nindent 4 }}
+spec:
+  {{- if not .Values.autoscaling.enabled }}
+  replicas: {{ .Values.replicaCount }}
+  {{- end }}
+  selector:
+    matchLabels:
+      {{- include "codex.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "codex.labels" . | nindent 8 }}
+        {{- with .Values.podLabels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "codex.serviceAccountName" . }}
+      {{- with .Values.podSecurityContext }}
+      securityContext:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      containers:
+        - name: {{ .Chart.Name }}
+          {{- with .Values.securityContext }}
+          securityContext:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          ports:
+            - name: http
+              containerPort: {{ .Values.service.port }}
+              protocol: TCP
+          {{- with .Values.livenessProbe }}
+          livenessProbe:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.readinessProbe }}
+          readinessProbe:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.resources }}
+          resources:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.volumeMounts }}
+          volumeMounts:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+      {{- with .Values.volumes }}
+      volumes:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}

charts/codex/templates/ingress.yaml

@@ -0,0 +1,43 @@
+{{- if .Values.ingress.enabled -}}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ include "codex.fullname" . }}
+  labels:
+    {{- include "codex.labels" . | nindent 4 }}
+  {{- with .Values.ingress.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  {{- with .Values.ingress.className }}
+  ingressClassName: {{ . }}
+  {{- end }}
+  {{- if .Values.ingress.tls }}
+  tls:
+    {{- range .Values.ingress.tls }}
+    - hosts:
+        {{- range .hosts }}
+        - {{ . | quote }}
+        {{- end }}
+      secretName: {{ .secretName }}
+    {{- end }}
+  {{- end }}
+  rules:
+    {{- range .Values.ingress.hosts }}
+    - host: {{ .host | quote }}
+      http:
+        paths:
+          {{- range .paths }}
+          - path: {{ .path }}
+            {{- with .pathType }}
+            pathType: {{ . }}
+            {{- end }}
+            backend:
+              service:
+                name: {{ include "codex.fullname" $ }}
+                port:
+                  number: {{ $.Values.service.port }}
+          {{- end }}
+    {{- end }}
+{{- end }}

charts/codex/templates/service.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "codex.fullname" . }}
+  labels:
+    {{- include "codex.labels" . | nindent 4 }}
+spec:
+  type: {{ .Values.service.type }}
+  ports:
+    - port: {{ .Values.service.port }}
+      targetPort: http
+      protocol: TCP
+      name: http
+  selector:
+    {{- include "codex.selectorLabels" . | nindent 4 }}

charts/codex/templates/serviceaccount.yaml

@@ -0,0 +1,13 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "codex.serviceAccountName" . }}
+  labels:
+    {{- include "codex.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+automountServiceAccountToken: {{ .Values.serviceAccount.automount }}
+{{- end }}

charts/codex/templates/tests/test-connection.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: "{{ include "codex.fullname" . }}-test-connection"
+  labels:
+    {{- include "codex.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": test
+spec:
+  containers:
+    - name: wget
+      image: busybox
+      command: ['wget']
+      args: ['{{ include "codex.fullname" . }}:{{ .Values.service.port }}']
+  restartPolicy: Never

charts/codex/values.yaml

@@ -0,0 +1,98 @@
+# Default values for codex.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+# This will set the replicaset count more information can be found here: https://kubernetes.io/docs/concepts/workloads/controllers/replicaset/
+replicaCount: 1
+# This sets the container image more information can be found here: https://kubernetes.io/docs/concepts/containers/images/
+image:
+  repository: registry.gitlab.com/oceanbox/poseidon/codex
+  # This sets the pull policy for images.
+  pullPolicy: IfNotPresent
+  # Overrides the image tag whose default is the chart appVersion.
+  tag: v1.35.2
+# This is for the secrets for pulling an image from a private repository more information can be found here: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+imagePullSecrets:
+  - name: gitlab-pull-secret
+# This is to override the chart name.
+nameOverride: ""
+fullnameOverride: ""
+# This section builds out the service account more information can be found here: https://kubernetes.io/docs/concepts/security/service-accounts/
+serviceAccount:
+  # Specifies whether a service account should be created
+  create: true
+  # Automatically mount a ServiceAccount's API credentials?
+  automount: true
+  # Annotations to add to the service account
+  annotations: {}
+  # The name of the service account to use.
+  # If not set and create is true, a name is generated using the fullname template
+  name: ""
+# This is for setting Kubernetes Annotations to a Pod.
+# For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+podAnnotations: {}
+# This is for setting Kubernetes Labels to a Pod.
+# For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+podLabels: {}
+podSecurityContext:
+  fsGroup: 2000
+securityContext:
+  capabilities:
+    drop:
+      - ALL
+  readOnlyRootFilesystem: false
+  runAsNonRoot: true
+  runAsUser: 1000
+# This is for setting up a service more information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/
+service:
+  # This sets the service type more information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
+  type: ClusterIP
+  # This sets the ports more information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/#field-spec-ports
+  port: 8085
+# This block is for setting up the ingress for more information can be found here: https://kubernetes.io/docs/concepts/services-networking/ingress/
+ingress:
+  enabled: false
+resources: {}
+# We usually recommend not to specify default resources and to leave this as a conscious
+# choice for the user. This also increases chances charts run on environments with little
+# resources, such as Minikube. If you do want to specify resources, uncomment the following
+# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+# limits:
+#   cpu: 100m
+#   memory: 128Mi
+# requests:
+#   cpu: 100m
+#   memory: 128Mi
+
+# This is to setup the liveness and readiness probes more information can be found here: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
+livenessProbe:
+  httpGet:
+    path: /
+    port: http
+readinessProbe:
+  httpGet:
+    path: /
+    port: http
+# This section is for setting up autoscaling more information can be found here: https://kubernetes.io/docs/concepts/workloads/autoscaling/
+autoscaling:
+  enabled: false
+  minReplicas: 1
+  maxReplicas: 100
+  targetCPUUtilizationPercentage: 80
+  # targetMemoryUtilizationPercentage: 80
+# Additional volumes on the output Deployment definition.
+volumes: []
+# - name: foo
+#   secret:
+#     secretName: mysecret
+#     optional: false
+
+# Additional volumeMounts on the output Deployment definition.
+volumeMounts: []
+# - name: foo
+#   mountPath: "/etc/foo"
+#   readOnly: true
+
+nodeSelector: {}
+tolerations: []
+affinity: {}

charts/diagrid-dashboard/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

charts/diagrid-dashboard/Chart.yaml

@@ -0,0 +1,24 @@
+apiVersion: v2
+name: diagrid-dashboard
+description: A Helm chart for Kubernetes
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "1.16.0"

charts/diagrid-dashboard/templates/NOTES.txt

@@ -0,0 +1,35 @@
+1. Get the application URL by running these commands:
+{{- if .Values.httpRoute.enabled }}
+{{- if .Values.httpRoute.hostnames }}
+    export APP_HOSTNAME={{ .Values.httpRoute.hostnames | first }}
+{{- else }}
+    export APP_HOSTNAME=$(kubectl get --namespace {{(first .Values.httpRoute.parentRefs).namespace | default .Release.Namespace }} gateway/{{ (first .Values.httpRoute.parentRefs).name }} -o jsonpath="{.spec.listeners[0].hostname}")
+  {{- end }}
+{{- if and .Values.httpRoute.rules (first .Values.httpRoute.rules).matches (first (first .Values.httpRoute.rules).matches).path.value }}
+    echo "Visit http://$APP_HOSTNAME{{ (first (first .Values.httpRoute.rules).matches).path.value }} to use your application"
+
+    NOTE: Your HTTPRoute depends on the listener configuration of your gateway and your HTTPRoute rules.
+    The rules can be set for path, method, header and query parameters.
+    You can check the gateway configuration with 'kubectl get --namespace {{(first .Values.httpRoute.parentRefs).namespace | default .Release.Namespace }} gateway/{{ (first .Values.httpRoute.parentRefs).name }} -o yaml'
+{{- end }}
+{{- else if .Values.ingress.enabled }}
+{{- range $host := .Values.ingress.hosts }}
+  {{- range .paths }}
+  http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }}
+  {{- end }}
+{{- end }}
+{{- else if contains "NodePort" .Values.service.type }}
+  export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "diagrid-dashboard.fullname" . }})
+  export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+  echo http://$NODE_IP:$NODE_PORT
+{{- else if contains "LoadBalancer" .Values.service.type }}
+     NOTE: It may take a few minutes for the LoadBalancer IP to be available.
+           You can watch its status by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "diagrid-dashboard.fullname" . }}'
+  export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "diagrid-dashboard.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
+  echo http://$SERVICE_IP:{{ .Values.service.port }}
+{{- else if contains "ClusterIP" .Values.service.type }}
+  export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "diagrid-dashboard.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
+  export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
+  echo "Visit http://127.0.0.1:8080 to use your application"
+  kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT
+{{- end }}

charts/diagrid-dashboard/templates/_helpers.tpl

@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "diagrid-dashboard.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "diagrid-dashboard.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "diagrid-dashboard.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "diagrid-dashboard.labels" -}}
+helm.sh/chart: {{ include "diagrid-dashboard.chart" . }}
+{{ include "diagrid-dashboard.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "diagrid-dashboard.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "diagrid-dashboard.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "diagrid-dashboard.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "diagrid-dashboard.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}

charts/diagrid-dashboard/templates/deployment.yaml

@@ -0,0 +1,87 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "diagrid-dashboard.fullname" . }}
+  labels:
+    {{- include "diagrid-dashboard.labels" . | nindent 4 }}
+spec:
+  {{- if not .Values.autoscaling.enabled }}
+  replicas: {{ .Values.replicaCount }}
+  {{- end }}
+  selector:
+    matchLabels:
+      {{- include "diagrid-dashboard.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "diagrid-dashboard.labels" . | nindent 8 }}
+        {{- with .Values.podLabels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "diagrid-dashboard.serviceAccountName" . }}
+      {{- with .Values.podSecurityContext }}
+      securityContext:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      containers:
+        - name: {{ .Chart.Name }}
+          {{- with .Values.securityContext }}
+          securityContext:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          env:
+            - name: COMPONENT_FILE
+              value: /app/components/statestore.yaml
+          ports:
+            - name: http
+              containerPort: {{ .Values.service.port }}
+              protocol: TCP
+          {{- with .Values.livenessProbe }}
+          livenessProbe:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.readinessProbe }}
+          readinessProbe:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.resources }}
+          resources:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          volumeMounts:
+            - name: statestore
+              mountPath: /app/components/statestore.yaml
+              subPath: statestore.yaml
+          {{- with .Values.volumeMounts }}
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+      volumes:
+        - name: statestore
+          configMap:
+            name: {{ include "diagrid-dashboard.fullname" . }}-statestore
+      {{- with .Values.volumes }}
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}

charts/diagrid-dashboard/templates/hpa.yaml

@@ -0,0 +1,32 @@
+{{- if .Values.autoscaling.enabled }}
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{ include "diagrid-dashboard.fullname" . }}
+  labels:
+    {{- include "diagrid-dashboard.labels" . | nindent 4 }}
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: {{ include "diagrid-dashboard.fullname" . }}
+  minReplicas: {{ .Values.autoscaling.minReplicas }}
+  maxReplicas: {{ .Values.autoscaling.maxReplicas }}
+  metrics:
+    {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
+    - type: Resource
+      resource:
+        name: cpu
+        target:
+          type: Utilization
+          averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
+    {{- end }}
+    {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
+    - type: Resource
+      resource:
+        name: memory
+        target:
+          type: Utilization
+          averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
+    {{- end }}
+{{- end }}

charts/diagrid-dashboard/templates/httproute.yaml

@@ -0,0 +1,38 @@
+{{- if .Values.httpRoute.enabled -}}
+{{- $fullName := include "diagrid-dashboard.fullname" . -}}
+{{- $svcPort := .Values.service.port -}}
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: {{ $fullName }}
+  labels:
+    {{- include "diagrid-dashboard.labels" . | nindent 4 }}
+  {{- with .Values.httpRoute.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  parentRefs:
+    {{- with .Values.httpRoute.parentRefs }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- with .Values.httpRoute.hostnames }}
+  hostnames:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  rules:
+    {{- range .Values.httpRoute.rules }}
+    {{- with .matches }}
+    - matches:
+      {{- toYaml . | nindent 8 }}
+    {{- end }}
+    {{- with .filters }}
+      filters:
+      {{- toYaml . | nindent 8 }}
+    {{- end }}
+      backendRefs:
+        - name: {{ $fullName }}
+          port: {{ $svcPort }}
+          weight: 1
+    {{- end }}
+{{- end }}

charts/diagrid-dashboard/templates/ingress.yaml

@@ -0,0 +1,43 @@
+{{- if .Values.ingress.enabled -}}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ include "diagrid-dashboard.fullname" . }}
+  labels:
+    {{- include "diagrid-dashboard.labels" . | nindent 4 }}
+  {{- with .Values.ingress.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  {{- with .Values.ingress.className }}
+  ingressClassName: {{ . }}
+  {{- end }}
+  {{- if .Values.ingress.tls }}
+  tls:
+    {{- range .Values.ingress.tls }}
+    - hosts:
+        {{- range .hosts }}
+        - {{ . | quote }}
+        {{- end }}
+      secretName: {{ .secretName }}
+    {{- end }}
+  {{- end }}
+  rules:
+    {{- range .Values.ingress.hosts }}
+    - host: {{ .host | quote }}
+      http:
+        paths:
+          {{- range .paths }}
+          - path: {{ .path }}
+            {{- with .pathType }}
+            pathType: {{ . }}
+            {{- end }}
+            backend:
+              service:
+                name: {{ include "diagrid-dashboard.fullname" $ }}
+                port:
+                  number: {{ $.Values.service.port }}
+          {{- end }}
+    {{- end }}
+{{- end }}

charts/diagrid-dashboard/templates/service.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "diagrid-dashboard.fullname" . }}
+  labels:
+    {{- include "diagrid-dashboard.labels" . | nindent 4 }}
+spec:
+  type: {{ .Values.service.type }}
+  ports:
+    - port: {{ .Values.service.port }}
+      targetPort: http
+      protocol: TCP
+      name: http
+  selector:
+    {{- include "diagrid-dashboard.selectorLabels" . | nindent 4 }}

charts/diagrid-dashboard/templates/serviceaccount.yaml

@@ -0,0 +1,13 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "diagrid-dashboard.serviceAccountName" . }}
+  labels:
+    {{- include "diagrid-dashboard.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+automountServiceAccountToken: {{ .Values.serviceAccount.automount }}
+{{- end }}

charts/diagrid-dashboard/templates/statestore.yaml

@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "diagrid-dashboard.fullname" . }}-statestore
+data:
+  statestore.yaml: |
+    apiVersion: dapr.io/v1alpha1
+    kind: Component
+    metadata:
+      name: statestore
+    scopes:
+      - {{ .Values.statestore.scope }}
+    spec:
+      metadata:
+        - name: redisHost
+          value: {{ .Values.statestore.redis }}:6379
+        - name: redisUsername
+          value: default
+        - name: redisPassword
+          value: secret
+        - name: actorStateStore
+          value: "true"
+        - name: redisDB
+          value: "1"
+      type: state.redis
+      version: v1

charts/diagrid-dashboard/templates/tests/test-connection.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: "{{ include "diagrid-dashboard.fullname" . }}-test-connection"
+  labels:
+    {{- include "diagrid-dashboard.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": test
+spec:
+  containers:
+    - name: wget
+      image: busybox
+      command: ['wget']
+      args: ['{{ include "diagrid-dashboard.fullname" . }}:{{ .Values.service.port }}']
+  restartPolicy: Never

charts/diagrid-dashboard/values.yaml

@@ -0,0 +1,160 @@
+# Default values for diagrid-dashboard.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+statestore:
+  scope: my-scope
+  redis: my-redis
+
+# This will set the replicaset count more information can be found here: https://kubernetes.io/docs/concepts/workloads/controllers/replicaset/
+replicaCount: 1
+
+# This sets the container image more information can be found here: https://kubernetes.io/docs/concepts/containers/images/
+image:
+  repository: ghcr.io/diagridio/diagrid-dashboard
+  # This sets the pull policy for images.
+  pullPolicy: IfNotPresent
+  # Overrides the image tag whose default is the chart appVersion.
+  tag: "latest"
+
+# This is for the secrets for pulling an image from a private repository more information can be found here: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+imagePullSecrets: []
+# This is to override the chart name.
+nameOverride: ""
+fullnameOverride: ""
+
+# This section builds out the service account more information can be found here: https://kubernetes.io/docs/concepts/security/service-accounts/
+serviceAccount:
+  # Specifies whether a service account should be created
+  create: true
+  # Automatically mount a ServiceAccount's API credentials?
+  automount: true
+  # Annotations to add to the service account
+  annotations: {}
+  # The name of the service account to use.
+  # If not set and create is true, a name is generated using the fullname template
+  name: ""
+
+# This is for setting Kubernetes Annotations to a Pod.
+# For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+podAnnotations: {}
+# This is for setting Kubernetes Labels to a Pod.
+# For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+podLabels: {}
+
+podSecurityContext: {}
+  # fsGroup: 2000
+
+securityContext: {}
+  # capabilities:
+  #   drop:
+  #   - ALL
+  # readOnlyRootFilesystem: true
+  # runAsNonRoot: true
+  # runAsUser: 1000
+
+# This is for setting up a service more information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/
+service:
+  # This sets the service type more information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
+  type: ClusterIP
+  # This sets the ports more information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/#field-spec-ports
+  port: 8080
+
+# This block is for setting up the ingress for more information can be found here: https://kubernetes.io/docs/concepts/services-networking/ingress/
+ingress:
+  enabled: true
+  className: "nginx"
+  annotations:
+    cert-manager.io/cluster-issuer: ca-issuer
+    nginx.ingress.kubernetes.io/backend-protocol: HTTP
+    nginx.ingress.kubernetes.io/ssl-redirect: "true"
+    oceanbox.io/expose: internal
+  hosts:
+    - host: diadash.dev.vtn.obx
+      paths:
+        - path: /
+          pathType: ImplementationSpecific
+  tls:
+    - secretName: diadash-tls
+      hosts:
+        - diadash.dev.vtn.obx
+
+# -- Expose the service via gateway-api HTTPRoute
+# Requires Gateway API resources and suitable controller installed within the cluster
+# (see: https://gateway-api.sigs.k8s.io/guides/)
+httpRoute:
+  # HTTPRoute enabled.
+  enabled: false
+  # HTTPRoute annotations.
+  annotations: {}
+  # Which Gateways this Route is attached to.
+  parentRefs:
+    - name: gateway
+      sectionName: http
+      # namespace: default
+  # Hostnames matching HTTP header.
+  hostnames:
+    - chart-example.local
+  # List of rules and filters applied.
+  rules:
+    - matches:
+        - path:
+            type: PathPrefix
+            value: /headers
+  #   filters:
+  #   - type: RequestHeaderModifier
+  #     requestHeaderModifier:
+  #       set:
+  #       - name: My-Overwrite-Header
+  #         value: this-is-the-only-value
+  #       remove:
+  #       - User-Agent
+  # - matches:
+  #   - path:
+  #       type: PathPrefix
+  #       value: /echo
+  #     headers:
+  #     - name: version
+  #       value: v2
+
+resources: {}
+  # We usually recommend not to specify default resources and to leave this as a conscious
+  # choice for the user. This also increases chances charts run on environments with little
+  # resources, such as Minikube. If you do want to specify resources, uncomment the following
+  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+  # limits:
+  #   cpu: 100m
+  #   memory: 128Mi
+  # requests:
+  #   cpu: 100m
+  #   memory: 128Mi
+
+# This is to setup the liveness and readiness probes more information can be found here: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
+livenessProbe:
+  httpGet:
+    path: /
+    port: http
+readinessProbe:
+  httpGet:
+    path: /
+    port: http
+
+# This section is for setting up autoscaling more information can be found here: https://kubernetes.io/docs/concepts/workloads/autoscaling/
+autoscaling:
+  enabled: false
+  minReplicas: 1
+  maxReplicas: 100
+  targetCPUUtilizationPercentage: 80
+  # targetMemoryUtilizationPercentage: 80
+
+# Additional volumes on the output Deployment definition.
+volumes: {}
+
+# Additional volumeMounts on the output Deployment definition.
+volumeMounts: {}
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}

charts/docs/.helmignore

@@ -0,0 +1,26 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
+base/
+prod/
+staging/
+review/

charts/docs/Chart.yaml

@@ -0,0 +1,18 @@
+apiVersion: v2
+name: docs
+description: Oceanbox Documentation
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+version: v0.1.0
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application.
+appVersion: v0.1.0

charts/docs/templates/NOTES.txt

@@ -0,0 +1,22 @@
+1. Get the application URL by running these commands:
+{{- if .Values.ingress.enabled }}
+{{- range $host := .Values.ingress.hosts }}
+  {{- range .paths }}
+  http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }}
+  {{- end }}
+{{- end }}
+{{- else if contains "NodePort" .Values.service.type }}
+  export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "docs.fullname" . }})
+  export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+  echo http://$NODE_IP:$NODE_PORT
+{{- else if contains "LoadBalancer" .Values.service.type }}
+     NOTE: It may take a few minutes for the LoadBalancer IP to be available.
+           You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "docs.fullname" . }}'
+  export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "docs.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
+  echo http://$SERVICE_IP:{{ .Values.service.port }}
+{{- else if contains "ClusterIP" .Values.service.type }}
+  export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "docs.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
+  export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
+  echo "Visit http://127.0.0.1:8080 to use your application"
+  kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT
+{{- end }}

charts/docs/templates/_helpers.tpl

@@ -0,0 +1,63 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "docs.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "docs.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "docs.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "docs.labels" -}}
+helm.sh/chart: {{ include "docs.chart" . }}
+{{ include "docs.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "docs.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "docs.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "docs.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create -}}
+    {{ default (include "docs.fullname" .) .Values.serviceAccount.name }}
+{{- else -}}
+    {{ default "default" .Values.serviceAccount.name }}
+{{- end -}}
+{{- end -}}

charts/docs/templates/cluster.yaml

@@ -0,0 +1,24 @@
+{{- if .Values.cluster.enabled -}}
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+  name: {{ include "docs.fullname" . }}
+  annotations:
+    linkerd.io/inject: disabled
+  labels:
+    {{- include "docs.labels" . | nindent 4 }}
+spec:
+  instances: {{ .Values.cluster.instances | default "2" }}
+
+  # Example of rolling update strategy:
+  # - unsupervised: automated update of the primary once all
+  #                 replicas have been upgraded (default)
+  # - supervised: requires manual supervision to perform
+  #               the switchover of the primary
+  primaryUpdateStrategy: unsupervised
+  backup:
+    retentionPolicy: {{ .Values.cluster.backupRetention | default "60d" }}
+
+  storage:
+    size: {{ .Values.cluster.size | default "5Gi" }}
+{{- end }}

charts/docs/templates/deployment.yaml

@@ -0,0 +1,84 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "docs.fullname" . }}
+  labels:
+    {{- include "docs.labels" . | nindent 4 }}
+spec:
+  {{- if not .Values.autoscaling.enabled }}
+  replicas: {{ .Values.replicaCount }}
+  {{- end }}
+  selector:
+    matchLabels:
+      {{- include "docs.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "docs.selectorLabels" . | nindent 8 }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "docs.serviceAccountName" . }}
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      containers:
+        - name: {{ .Chart.Name }}
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          ports:
+            - name: http
+              containerPort: {{ .Values.service.port }}
+              protocol: TCP
+          env:
+            - name: LOG_LEVEL
+              value: "3"
+          livenessProbe:
+            httpGet:
+              path: /
+              port: http
+          readinessProbe:
+            httpGet:
+              path: /
+              port: http
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+          volumeMounts:
+          - name: data
+            mountPath: /data
+      {{- if .Values.init.enabled }}
+      initContainers:
+      - name: init
+        image: {{ .Values.init.image }}
+        command: {{- toYaml .Values.init.command | nindent 10 }}
+        volumeMounts:
+        - name: data
+          mountPath: /data
+      {{- end }}
+      volumes:
+      - name: data
+      {{- if .Values.persistence.enabled }}
+        persistentVolumeClaim:
+          claimName: {{ .Values.persistence.existingClaim | default (include "docs.fullname" .) }}
+      {{- else }}
+        emptyDir: {}
+      {{- end }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}