feat: simplify charts, resources, kustomizations and applications for atlantis SPMSA

.gitignore

@@ -1,2 +1,3 @@
 _manifest.yaml
 _resources.yaml
+*.tgz

applications/atlantis-host-resources.yaml

@@ -1,36 +1,27 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: atlantis-host-cluster-resources
+  name: atlantis-cluster-resources
   namespace: argocd
   # annotations: # close, but no cigar
   #   argocd.argoproj.io/compare-options: ServerSideDiff=true,IncludeMutationWebhook=true
 spec:
-  project: aux
+  project: atlantis
   destination:
     server: https://kubernetes.default.svc
   syncPolicy:
     automated:
       prune: false
       selfHeal: false
-  ignoreDifferences:
-    - kind: Secret
-      name: prod-rabbitmq
-      jqPathExpressions:
-        - '.data'
-        - '.metadata.annotations.clone'
-        - '.metadata.labels'
-    - kind: Secret
-      name: prod-redis
-      jqPathExpressions:
-        - '.data'
-        - '.metadata.annotations.clone'
-        - '.metadata.labels'
+  # ignoreDifferences:
+  #   - kind: Secret
+  #     name: prod-rabbitmq
+  #     jqPathExpressions:
+  #       - '.data'
+  #       - '.metadata.annotations.clone'
+  #       - '.metadata.labels'
   sources:
   - repoURL: https://gitlab.com/oceanbox/manifests.git
     targetRevision: main
-    path: resources/atlantis/host-manifests
-  - repoURL: https://gitlab.com/oceanbox/manifests.git
-    targetRevision: main
-    path: 'resources/atlantis/manifests/prod'
+    path: resources/atlantis
 

applications/keycloak.yaml

@@ -10,7 +10,7 @@ spec:
     namespace: idp
   sources:
   - repoURL: https://charts.bitnami.com/bitnami
-    targetRevision: 24.0.2
+    targetRevision: 18.3.4
     chart: keycloak
     helm:
       valueFiles:

applications/opentelemetry-collector.yaml

@@ -90,12 +90,12 @@ spec:
         ingress:
           enabled: true
           annotations:
-              cert-manager.io/cluster-issuer: letsencrypt-production
+              cert-manager.io/cluster-issuer: letsencrypt-staging
               nginx.ingress.kubernetes.io/ssl-redirect: "true"
               atlantis.oceanbox.io/expose: internal
           ingressClassName: nginx
           hosts:
-            - host: opentelemetry-collector.adm.oceanbox.io
+            - host: collector.adm.oceanbox.io
               paths:
                 - path: /
                   pathType: Prefix
@@ -103,4 +103,4 @@ spec:
           tls:
             - secretName: collector-tls
               hosts:
-                - opentelemetry-collector.adm.oceanbox.io
+                - collector.adm.oceanbox.io

charts/archmeister/values.yaml

@@ -11,17 +11,6 @@ init:
   enabled: false
   image: ubuntu:rolling
   command: ["/bin/sh", "-c", "true"]
-env:
-  - name: LOG_LEVEL
-    value: "3"
-  - name: APP_NAME
-    valueFrom:
-      fieldRef:
-        fieldPath: metadata.name
-  - name: APP_NAMESPACE
-    valueFrom:
-      fieldRef:
-        fieldPath: metadata.namespace
 imagePullSecrets:
   - name: gitlab-pull-secret
 nameOverride: ""

charts/atlantis/Chart.lock

@@ -0,0 +1,6 @@
+dependencies:
+- name: redis
+  repository: https://charts.bitnami.com/bitnami
+  version: 20.1.7
+digest: sha256:9c9be148366bb3d50f7394ba5a33e1a00a087b5ed61d2bcf1faec9b369e76582
+generated: "2024-10-08T13:21:10.374993273+02:00"

charts/atlantis/Chart.yaml

@@ -1,18 +1,12 @@
 apiVersion: v2
 name: atlantis
 description: Atlantis map and simulation service
-# A chart can be either an 'application' or a 'library' chart.
-#
-# Application charts are a collection of templates that can be packaged into versioned archives
-# to be deployed.
-#
-# Library charts provide useful utilities or functions for the chart developer. They're included as
-# a dependency of application charts to inject those utilities and functions into the rendering
-# pipeline. Library charts do not define any templates and therefore cannot be deployed.
 type: application
-# This is the chart version. This version number should be incremented each time you make changes
-# to the chart and its templates, including the app version.
 version: v2.87.1
-# This is the version number of the application being deployed. This version number should be
-# incremented each time you make changes to the application.
 appVersion: v2.87.1
+dependencies:
+  - name: redis
+    version: 20.1.7
+    repository: https://charts.bitnami.com/bitnami
+    condition: redis.enabled
+    alias: redis

charts/atlantis/templates/cluster.yaml

@@ -2,14 +2,15 @@
 apiVersion: postgresql.cnpg.io/v1
 kind: Cluster
 metadata:
-  name: {{ include "Atlantis.fullname" . }}
+  name: {{ include "Atlantis.fullname" . }}-db
+  namespace: {{ .Release.Namespace }}
   annotations:
     linkerd.io/inject: disabled
   labels:
     {{- include "Atlantis.labels" . | nindent 4 }}
 spec:
-  instances: {{ .Values.cluster.instances | default "2" }}
-
+  instances: {{ .Values.cluster.instances | default "1" }}
+  imageName: ghcr.io/cloudnative-pg/postgis:15-3.3
   # Example of rolling update strategy:
   # - unsupervised: automated update of the primary once all
   #                 replicas have been upgraded (default)
@@ -18,9 +19,36 @@ spec:
   primaryUpdateStrategy: unsupervised
   backup:
     retentionPolicy: {{ .Values.cluster.backupRetention | default "60d" }}
-
   storage:
     size: {{ .Values.cluster.size | default "5Gi" }}
+{{- with .Values.cluster.bootstrap }}
+  bootstrap:
+{{- if .enabled }}
+    pg_basebackup:
+      source: archmaester
+  externalClusters:
+  - name: archmaester
+    connectionParameters:
+      host: {{ .source.db }}-rw.{{ .source.namespace }}
+      user: streaming_replica
+      sslmode: verify-full
+    sslKey:
+      name: {{ .source.db }}-replication
+      key: tls.key
+    sslCert:
+      name: {{ .source.db }}-replication
+      key: tls.crt
+    sslRootCert:
+      name: {{ .source.db }}-ca
+      key: ca.crt
+{{- else }}
+    initdb:
+      postInitTemplateSQL:
+        - CREATE EXTENSION postgis;
+        - CREATE EXTENSION postgis_topology;
+        - CREATE EXTENSION fuzzystrmatch;
+        - CREATE EXTENSION postgis_tiger_geocoder;
+        - ALTER USER app WITH SUPERUSER;
+{{- end }}
+{{- end }}
 {{- end }}
-
-

charts/atlantis/templates/deployment.yaml

@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: {{ include "Atlantis.fullname" . }}
+  namespace: {{ .Release.Namespace }}
   labels:
     {{- include "Atlantis.labels" . | nindent 4 }}
 spec:

charts/atlantis/templates/hpa.yaml

@@ -3,6 +3,7 @@ apiVersion: autoscaling/v2beta1
 kind: HorizontalPodAutoscaler
 metadata:
   name: {{ include "Atlantis.fullname" . }}
+  namespace: {{ .Release.Namespace }}
   labels:
     {{- include "Atlantis.labels" . | nindent 4 }}
 spec:

charts/atlantis/templates/ingress.yaml

@@ -16,6 +16,7 @@ apiVersion: extensions/v1beta1
 kind: Ingress
 metadata:
   name: {{ $fullName }}
+  namespace: {{ .Release.Namespace }}
   labels:
     {{- include "Atlantis.labels" . | nindent 4 }}
   {{- with .Values.ingress.annotations }}

charts/atlantis/templates/networkpolicies.yaml

@@ -0,0 +1,26 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-atlantis-services
+  namespace: {{ .Release.Namespace }}
+spec:
+  egress:
+  - toEndpoints:
+    - matchLabels:
+        k8s:io.kubernetes.pod.namespace: dapr-system
+  - toEndpoints:
+    - matchLabels:
+        k8s:io.kubernetes.pod.namespace: {{ .Values.rabbitmq.namespace | default "rabbitmq" }}
+  - toEndpoints:
+    - matchLabels:
+        k8s:io.kubernetes.pod.namespace: {{ .Values.tracing.namespace | default "otel" }}
+  - toFQDNs:
+    - matchName: '*.oceanbox.io'
+    - matchName: api.github.com
+    - matchName: dapr.github.io
+    - matchName: gitlab.com
+    - matchPattern: '*.gitlab.com'
+    - matchPattern: "*.k1.itpartner.no"
+    - matchName: analytics.loft.rocks
+  endpointSelector:
+    matchLabels: {}

charts/atlantis/templates/pubsub.yaml

@@ -2,21 +2,21 @@ apiVersion: dapr.io/v1alpha1
 kind: Component
 metadata:
   name: pubsub
-  namespace: atlantis
+  namespace: {{ .Release.Namespace }}
 spec:
-  type: pubsub.rabbitmq
   version: v1
+  type: pubsub.rabbitmq
   metadata:
   - name: hostname
-    value: prod-rabbitmq.rabbitmq.svc
-  - name: protocol
-    value: amqp
+    value: {{ .Values.rabbitmq.service }}.{{ .Values.rabbitmq.namespace | default "rabbitmq" }}
   - name: username
-    value: user
+    value: {{ .Values.rabbitmq.username }}
   - name: password
     secretKeyRef:
-      name: prod-rabbitmq
+      name: {{ .Values.rabbitmq.secretName | default (printf "%s-rabbitmq" .Release.Name) }}
       key:  rabbitmq-password
+  - name: protocol
+    value: amqp
   - name: durable
     value: true
   - name: deletedWhenUnused

charts/atlantis/templates/pvc.yaml

@@ -3,6 +3,7 @@ kind: PersistentVolumeClaim
 apiVersion: v1
 metadata:
   name: {{ template "Atlantis.fullname" . }}
+  namespace: {{ .Release.Namespace }}
 {{- with .Values.persistence.annotations  }}
   annotations:
 {{ toYaml . | indent 4 }}

charts/atlantis/templates/secrets.yaml

@@ -0,0 +1,57 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  annotations:
+    kyverno/clone: "true"
+  name: {{ .Release.Name }}-rabbitmq
+  namespace: {{ .Release.Namespace }}
+type: Opaque
+data:
+---
+{{- if not .Values.redis.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+  annotations:
+    kyverno/clone: "true"
+  name: {{ .Release.Name }}-redis
+type: Opaque
+data:
+{{- end }}
+---
+{{- if not .Values.cluster.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+  annotations:
+    kyverno/clone: "true"
+  name: {{ include "Atlantis.fullname" . }}-db-superuser
+  namespace: {{ .Release.Namespace }}
+type: kubernetes.io/basic-auth
+data:
+  username:
+  password:
+{{- else }}
+apiVersion: v1
+kind: Secret
+metadata:
+  annotations:
+    kyverno/clone: "true"
+  name: {{ .Values.cluster.bootstrap.source.db }}-replication
+type: kubernetes.io/tls
+data:
+  tls.crt: ""
+  tls.key: ""
+---
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+  annotations:
+    kyverno/clone: "true"
+  name: {{ .Values.cluster.bootstrap.source.db }}-ca
+  namespace: {{ .Release.Namespace }}
+data:
+  ca.crt: ""
+  ca.key: ""
+{{- end }}

charts/atlantis/templates/service.yaml

@@ -2,6 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
   name: {{ include "Atlantis.fullname" . }}
+  namespace: {{ .Release.Namespace }}
   labels:
     {{- include "Atlantis.labels" . | nindent 4 }}
 spec:

charts/atlantis/templates/serviceaccount.yaml

@@ -3,6 +3,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ include "Atlantis.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
   labels:
     {{- include "Atlantis.labels" . | nindent 4 }}
   {{- with .Values.serviceAccount.annotations }}

charts/atlantis/templates/statestore.yaml

@@ -2,23 +2,21 @@ apiVersion: dapr.io/v1alpha1
 kind: Component
 metadata:
   name: statestore
-  namespace: atlantis
+  namespace: {{ .Release.Namespace }}
 spec:
   type: state.redis
   version: v1
   metadata:
   - name: redisHost
-    value: prod-redis-master.redis.svc:6379
+    value: {{ .Release.Name }}-redis-master:6379
   - name: redisUsername
     value: default
   - name: redisPassword
     secretKeyRef:
-      name: prod-redis
+      name: {{ .Release.Name }}-redis
       key:  redis-password
   - name: actorStateStore
     value: "true"
 scopes:
-  - prod-atlantis
-  - prod-petimeter
-  - prod-hipster
-  - prod-archmeister
+  - atlantis
+  - {{ .Release.Name }}-atlantis

charts/atlantis/templates/subscriptions.yaml

@@ -2,6 +2,7 @@ apiVersion: dapr.io/v2alpha1
 kind: Subscription
 metadata:
   name: hipster-events
+  namespace: {{ .Release.Namespace }}
 spec:
   topic: hipster
   routes:
@@ -10,12 +11,14 @@ spec:
   metadata:
     queueType: quorum
 scopes:
-- staging-atlantis
+- atlantis
+- {{ .Release.Name}}-atlantis
 ---
 apiVersion: dapr.io/v2alpha1
 kind: Subscription
 metadata:
   name: inbox-events
+  namespace: {{ .Release.Namespace }}
 spec:
   topic: inbox
   routes:
@@ -24,4 +27,5 @@ spec:
   metadata:
     queueType: quorum
 scopes:
-- staging-atlantis
+- atlantis
+- {{ .Release.Name}}-atlantis

charts/atlantis/templates/tracing.yaml

@@ -2,10 +2,10 @@ apiVersion: dapr.io/v1alpha1
 kind: Configuration
 metadata:
   name: tracing
-  namespace: atlantis
+  namespace: {{ .Release.Namespace }}
 spec:
   tracing:
     samplingRate: "1"
     zipkin:
-      endpointAddress: "http://opentelemetry-collector.otel.svc:9411/api/v2/spans"
+      endpointAddress: {{ .Values.tracing.endpoint }}
 

charts/atlantis/values.yaml

@@ -3,29 +3,28 @@
 # Declare variables to be passed into your templates.
 
 replicaCount: 1
+
 image:
   repository: registry.gitlab.com/oceanbox/atlantis
   tag: v2.87.1
   pullPolicy: IfNotPresent
+
 init:
   enabled: false
   image: ubuntu:rolling
   command: ["/bin/sh", "-c", "true"]
+
 env:
   - name: LOG_LEVEL
     value: "3"
-  - name: APP_NAME
-    valueFrom:
-      fieldRef:
-        fieldPath: metadata.name
-  - name: APP_NAMESPACE
-    valueFrom:
-      fieldRef:
-        fieldPath: metadata.namespace
+
 imagePullSecrets:
   - name: gitlab-pull-secret
+
 nameOverride: ""
+
 fullnameOverride: ""
+
 serviceAccount:
   create: true
   # Annotations to add to the service account
@@ -33,9 +32,12 @@ serviceAccount:
   # The name of the service account to use.
   # If not set and create is true, a name is generated using the fullname template
   name: ""
+
 podAnnotations: {}
+
 podSecurityContext:
   fsGroup: 2000
+
 securityContext:
   capabilities:
     drop:
@@ -43,11 +45,13 @@ securityContext:
   readOnlyRootFilesystem: false
   runAsNonRoot: true
   runAsUser: 1000
+
 service:
   type: ClusterIP
   port: 8085
+
 ingress:
-  enabled: true
+  enabled: false
   className: "nginx"
   annotations:
     nginx.ingress.kubernetes.io/ssl-redirect: "true"
@@ -61,17 +65,71 @@ ingress:
     - hosts:
         - atlantis.srv.oceanbox.io
       secretName: atlantis-tls
+
 persistence:
   enabled: false
   size: 1G
   storageClass: ""
   accessMode: ReadWriteOnce
+
 cluster:
-  enabled: false
-  instances: 2
+  enabled: true
+  instances: 1
   backupEnabled: true
   backupRetention: 60d
   size: 5Gi
+  bootstrap:
+    enabled: true
+    source:
+      db: prod-archmeister
+      namespace: atlantis
+
+redis:
+  enabled: true
+  image:
+    repository: redis/redis-stack-server
+    tag: 7.2.0-v10
+  architecture: standalone
+  replica:
+    replicaCount: 1
+    command:
+      - "/opt/redis-stack/bin/redis-server"
+      - "--loadmodule"
+      - "/opt/redis-stack/lib/redisearch.so"
+      - "MAXSEARCHRESULTS"
+      - "10000"
+      - "MAXAGGREGATERESULTS"
+      - "10000"
+      - "--loadmodule"
+      - "/opt/redis-stack/lib/rejson.so"
+  auth:
+    enabled: true
+    sentinel: true
+    password: ""
+    usePasswordFiles: false
+    existingSecretPasswordKey: ""
+    # existingSecret: staging-redis
+  master:
+    resources:
+      limits:
+        cpu: null
+        ephemeral-storage: 1024Mi
+        memory: 192Mi
+      requests:
+        cpu: 150m
+        ephemeral-storage: 50Mi
+        memory: 128Mi
+
+tracing:
+  namespace: otel
+  endpoint: "http://opentelemetry-collector.otel:9411/api/v2/spans"
+
+rabbitmq:
+  namespace: rabbitmq
+  service: staging-rabbitmq
+  username: user
+  # secretName: staging-rabbitmq
+
 resources: {}
 # We usually recommend not to specify default resources and to leave this as a conscious
 # choice for the user. This also increases chances charts run on environments with little
@@ -90,6 +148,7 @@ autoscaling:
   maxReplicas: 100
   targetCPUUtilizationPercentage: 80
   # targetMemoryUtilizationPercentage: 80
+
 nodeSelector: {}
 tolerations: []
 affinity: {}

charts/hipster/values.yaml

@@ -11,17 +11,6 @@ init:
   enabled: false
   image: ubuntu:rolling
   command: ["/bin/sh", "-c", "true"]
-env:
-  - name: LOG_LEVEL
-    value: "3"
-  - name: APP_NAME
-    valueFrom:
-      fieldRef:
-        fieldPath: metadata.name
-  - name: APP_NAMESPACE
-    valueFrom:
-      fieldRef:
-        fieldPath: metadata.namespace
 imagePullSecrets:
   - name: gitlab-pull-secret
 nameOverride: ""

charts/petimeter/values.yaml

@@ -11,17 +11,6 @@ init:
   enabled: false
   image: ubuntu:rolling
   command: ["/bin/sh", "-c", "true"]
-env:
-  - name: LOG_LEVEL
-    value: "3"
-  - name: APP_NAME
-    valueFrom:
-      fieldRef:
-        fieldPath: metadata.name
-  - name: APP_NAMESPACE
-    valueFrom:
-      fieldRef:
-        fieldPath: metadata.namespace
 imagePullSecrets:
   - name: gitlab-pull-secret
 nameOverride: ""

charts/sorcerer/templates/deployment.yaml

@@ -38,7 +38,8 @@ spec:
               containerPort: {{ .Values.service.port }}
               protocol: TCP
           env:
-            {{- toYaml .Values.env | nindent 12 }}
+            - name: LOG_LEVEL
+              value: "3"
           livenessProbe:
             httpGet:
               path: /

charts/sorcerer/values.yaml

@@ -11,17 +11,6 @@ init:
   enabled: false
   image: ubuntu:rolling
   command: ["/bin/sh", "-c", "true"]
-env:
-  - name: LOG_LEVEL
-    value: "3"
-  - name: APP_NAME
-    valueFrom:
-      fieldRef:
-        fieldPath: metadata.name
-  - name: APP_NAMESPACE
-    valueFrom:
-      fieldRef:
-        fieldPath: metadata.namespace
 imagePullSecrets:
   - name: gitlab-pull-secret
 nameOverride: ""

kustomizations/atlantis/staging/kustomization.yaml

@@ -19,4 +19,3 @@ patches:
     path: deployment_patch.yaml
 resources:
   - ../base
-  - subscriptions.yaml

kustomizations/dex/base/config.yaml

@@ -91,7 +91,6 @@ staticClients:
       - 'https://stig-atlantis.dev.oceanbox.io/signin-oidc'
       - 'https://simkir-atlantis.dev.oceanbox.io/signin-oidc'
       - 'https://atlantis.local.oceanbox.io:8080/signin-oidc'
-      - 'https://atlantis.local.oceanbox.io:8085/signin-oidc'
     name: 'Atlantis dev'
     secret: 3QjfSPmAemjn34XVA2o1fvoS7I4gKvOR
   - id: petimeter
@@ -120,8 +119,6 @@ staticClients:
       - 'https://jonas-sorcerer.ekman.oceanbox.io/signin-oidc'
       - 'https://stig-sorcerer.ekman.oceanbox.io/signin-oidc'
       - 'https://simkir-sorcerer.ekman.oceanbox.io/signin-oidc'
-      - 'https://sorcerer.local.oceanbox.io:8080/signin-oidc'
-      - 'https://sorcerer.local.oceanbox.io:8085/signin-oidc'
     name: 'Sorcerer dev'
     secret: cyrgDr1UzhQrJn8nRVqEt9BJ9mLk3OBy
   - id: archmeister

kustomizations/petimeter/manifests/acl.json

@@ -46,48 +46,6 @@
             }
         ]
     },
-    {
-        "domain": "leroyseafood.com",
-        "access": [
-            {
-                "matching": ".*@leroyseafood.com",
-                "group": "/leroy",
-                "roles": [ "user" ],
-                "capabilities": [
-                    "run:transport",
-                    "run:sedimentation"
-                ]
-            }
-        ]
-    },
-    {
-        "domain": "leroyaurora.no",
-        "access": [
-            {
-                "matching": ".*@leroyaurora.no",
-                "group": "/leroy",
-                "roles": [ "user" ],
-                "capabilities": [
-                    "run:transport",
-                    "run:sedimentation"
-                ]
-            }
-        ]
-    },
-    {
-        "domain": "leroymidt.no",
-        "access": [
-            {
-                "matching": ".*@leroymidt.no",
-                "group": "/leroy",
-                "roles": [ "user" ],
-                "capabilities": [
-                    "run:transport",
-                    "run:sedimentation"
-                ]
-            }
-        ]
-    },
     {
         "domain": "serit.no",
         "access": [
@@ -319,34 +277,6 @@
             }
         ]
     },
-    {
-        "domain": "oceandata.earth",
-        "access": [
-            {
-                "matching": ".*@oceandata.earth",
-                "group": "/hubocean",
-                "roles": [ "user" ],
-                "capabilities": [
-                    "run:transport",
-                    "run:sedimentation"
-                ]
-            }
-        ]
-    },
-    {
-        "domain": "masoval.no",
-        "access": [
-            {
-                "matching": ".*@masoval.no",
-                "group": "/masoval",
-                "roles": [ "user" ],
-                "capabilities": [
-                    "run:transport",
-                    "run:sedimentation"
-                ]
-            }
-        ]
-    },
     {
         "domain": "gmail.com",
         "access": [

resources/atlantis/allow-idp-external-access.yaml

@@ -1,8 +1,7 @@
-apiVersion: cilium.io/v2
+piVersion: cilium.io/v2
 kind: CiliumNetworkPolicy
 metadata:
   name: allow-external-idp
-  namespace: idp
 spec:
   egress:
   - toFQDNs:
@@ -11,8 +10,4 @@ spec:
     - matchName: s3.k1.itpartner.no
     - matchName: telemetry.cerbos.dev
   endpointSelector: {}
-    # matchExpressions:
-    #   - key: app.kubernetes.io/name
-    #     operator: In
-    #     values: [ cerbos, dex ]
 

resources/atlantis/host-manifests/sync-archmeister-secrets.yaml

@@ -1,40 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
-  name: sync-prod-archmeister-replication-secrets
-spec:
-  background: true
-  generateExisting: true
-  rules:
-  - name: sync-archmeister-ca
-    generate:
-      apiVersion: v1
-      kind: Secret
-      name: prod-archmeister-ca
-      namespace: '{{request.object.metadata.name}}'
-      synchronize: true
-      clone:
-        namespace: atlantis
-        name: prod-archmeister-ca
-    match:
-      resources:
-        kinds:
-        - Namespace
-        names:
-        - '*-vcluster'
-  - name: sync-archmeister-replication
-    generate:
-      apiVersion: v1
-      kind: Secret
-      name: prod-archmeister-replication
-      namespace: '{{request.object.metadata.name}}'
-      synchronize: true
-      clone:
-        namespace: atlantis
-        name: prod-archmeister-replication
-    match:
-      resources:
-        kinds:
-        - Namespace
-        names:
-        - '*-vcluster'

resources/atlantis/host-manifests/sync-rabbitmq-secrets.yaml

@@ -1,77 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
-  name: sync-rabbitmq-secrets
-spec:
-  background: true
-  generateExisting: true
-  rules:
-  - name: add-rabbitmq-connstring
-    mutate:
-      patchStrategicMerge:
-        stringData:
-          connString: 'amqp://user:{{ request.object.data."rabbitmq-password" | base64_decode(@) }}@{{ request.object.metadata.labels."app.kubernetes.io/instance" }}.rabbitmq.svc'
-    match:
-     any:
-       - resources:
-           kinds:
-           - Secret
-           names:
-           - prod-rabbitmq
-           - staging-rabbitmq
-           namespaces:
-           - rabbitmq
-  - name: sync-prod-rabbitmq-secret
-    generate:
-      apiVersion: v1
-      kind: Secret
-      name: '{{ request.object.metadata.name }}'
-      namespace: '{{ request.object.metadata.namespace }}'
-      synchronize: true
-      clone:
-        name: prod-rabbitmq
-        namespace: rabbitmq
-    match:
-     any:
-     - resources:
-         kinds:
-         - Secret
-         names:
-         - prod-rabbitmq
-         annotations:
-           clone: "true"
-    # exclude:
-    #  any:
-    #  - resources:
-    #      kinds:
-    #      - Secret
-    #      selector:
-    #        matchLabels:
-    #          generate.kyverno.io/clone-source: ""
-  - name: sync-staging-rabbitmq-secret
-    generate:
-      apiVersion: v1
-      kind: Secret
-      name: '{{ request.object.metadata.name }}'
-      namespace: '{{ request.object.metadata.namespace }}'
-      synchronize: true
-      clone:
-        name: staging-rabbitmq
-        namespace: rabbitmq
-    match:
-     any:
-     - resources:
-         kinds:
-         - Secret
-         names:
-         - staging-rabbitmq
-         annotations:
-           clone: "true"
-    # exclude:
-    #  any:
-    #  - resources:
-    #      kinds:
-    #      - Secret
-    #      selector:
-    #        matchLabels:
-    #          generate.kyverno.io/clone-source: ""

resources/atlantis/host-manifests/sync-redis-secrets.yaml

@@ -1,63 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
-  name: sync-redis-secrets
-spec:
-  background: true
-  generateExisting: true
-  rules:
-  - name: sync-prod-redis-secret
-    generate:
-      apiVersion: v1
-      kind: Secret
-      name: '{{ request.object.metadata.name }}'
-      namespace: '{{ request.object.metadata.namespace }}'
-      synchronize: true
-      clone:
-        name: prod-redis
-        namespace: redis
-    match:
-     any:
-     - resources:
-         kinds:
-         - Secret
-         names:
-         - prod-redis
-         annotations:
-           clone: "true"
-    # exclude:
-    #  any:
-    #  - resources:
-    #      kinds:
-    #      - Secret
-    #      selector:
-    #        matchLabels:
-    #          generate.kyverno.io/clone-source: ""
-  - name: sync-staging-redis-secret
-    generate:
-      apiVersion: v1
-      kind: Secret
-      name: '{{ request.object.metadata.name }}'
-      namespace: '{{ request.object.metadata.namespace }}'
-      synchronize: true
-      clone:
-        name: staging-redis
-        namespace: redis
-    match:
-     any:
-     - resources:
-         kinds:
-         - Secret
-         names:
-         - staging-redis
-         annotations:
-           clone: "true"
-    # exclude:
-    #  any:
-    #  - resources:
-    #      kinds:
-    #      - Secret
-    #      selector:
-    #        matchLabels:
-    #          generate.kyverno.io/clone-source: ""
-

resources/atlantis/manifests/base/allow-atlantis-external-services.yaml

@@ -1,22 +0,0 @@
-apiVersion: cilium.io/v2
-kind: CiliumNetworkPolicy
-metadata:
-  name: allow-atlantis-external-services
-  namespace: atlantis
-spec:
-  egress:
-  - toFQDNs:
-    - matchName: idp.oceanbox.io
-    - matchName: idp.srv.oceanbox.io
-    - matchName: idp.beta.oceanbox.io
-    - matchName: auth.srv.oceanbox.io
-    - matchName: auth.oceanbox.io
-    - matchName: hipster-slurmrestd.ekman.oceanbox.io
-    - matchName: api.github.com
-    - matchName: dapr.github.io
-    - matchName: gitlab.com
-    - matchPattern: '*.gitlab.com'
-    - matchPattern: "*.k1.itpartner.no"
-    - matchName: analytics.loft.rocks
-  endpointSelector:
-    matchLabels: {}

resources/atlantis/manifests/base/allow-atlantis-services.yaml

@@ -1,21 +0,0 @@
-apiVersion: cilium.io/v2
-kind: CiliumNetworkPolicy
-metadata:
-  name: allow-atlantis-services
-  namespace: atlantis
-spec:
-  egress:
-  - toEndpoints:
-    - matchLabels:
-        k8s:io.kubernetes.pod.namespace: dapr-system
-  - toEndpoints:
-    - matchLabels:
-        k8s:io.kubernetes.pod.namespace: redis
-  - toEndpoints:
-    - matchLabels:
-        k8s:io.kubernetes.pod.namespace: rabbitmq
-  - toEndpoints:
-    - matchLabels:
-        k8s:io.kubernetes.pod.namespace: otel
-  endpointSelector:
-    matchLabels: {}

resources/atlantis/manifests/base/kustomization.yaml

@@ -1,6 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-  - allow-atlantis-external-services.yaml
-  - allow-atlantis-services.yaml
-  - dapr-tracing.yaml

resources/atlantis/manifests/prod/kustomization.yaml

@@ -1,7 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-  - secrets.yaml
-  - pubsub-rabbitmq.yaml
-  - state-redis.yaml
-  - ../base/

resources/atlantis/manifests/prod/secrets.yaml

@@ -1,17 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-  annotations:
-    clone: "true"
-  name: prod-redis
-  namespace: atlantis
-type: Opaque
----
-apiVersion: v1
-kind: Secret
-metadata:
-  annotations:
-    clone: "true"
-  name: prod-rabbitmq
-  namespace: atlantis
-type: Opaque

resources/atlantis/manifests/staging/kustomization.yaml

@@ -1,7 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-  - secrets.yaml
-  - pubsub-rabbitmq.yaml
-  - state-redis.yaml
-  - ../base/

resources/atlantis/manifests/staging/pubsub-rabbitmq.yaml

@@ -1,53 +0,0 @@
-apiVersion: dapr.io/v1alpha1
-kind: Component
-metadata:
-  name: pubsub
-  namespace: atlantis
-spec:
-  type: pubsub.rabbitmq
-  version: v1
-  metadata:
-  - name: hostname
-    value: staging-rabbitmq.rabbitmq.svc
-  - name: protocol
-    value: amqp
-  - name: username
-    value: user
-  - name: password
-    secretKeyRef:
-      name: staging-rabbitmq
-      key:  rabbitmq-password
-  - name: durable
-    value: true
-  - name: deletedWhenUnused
-    value: false
-  - name: autoAck
-    value: false
-  - name: deliveryMode
-    value: 1
-  - name: requeueInFailure
-    value: false
-  - name: prefetchCount
-    value: 0
-  - name: reconnectWait
-    value: 0
-  - name: concurrencyMode
-    value: parallel
-  - name: publisherConfirm
-    value: false
-  - name: backOffPolicy
-    value: exponential
-  - name: backOffInitialInterval
-    value: 100
-  - name: backOffMaxRetries
-    value: 16
-  - name: enableDeadLetter # Optional enable dead Letter or not
-    value: true
-  - name: maxLen # Optional max message count in a queue
-    value: 3000
-  - name: maxLenBytes # Optional maximum length in bytes of a queue.
-    value: 10485760
-  - name: exchangeKind
-    value: fanout
-  - name: clientName
-    value: "{appID}"

resources/atlantis/manifests/staging/secrets.yaml

@@ -1,19 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-  annotations:
-    clone: "true"
-  name: staging-redis
-  namespace: atlantis
-type: Opaque
-data:
----
-apiVersion: v1
-kind: Secret
-metadata:
-  annotations:
-    clone: "true"
-  name: staging-rabbitmq
-  namespace: atlantis
-type: Opaque
-data:

resources/atlantis/manifests/staging/state-redis.yaml

@@ -1,24 +0,0 @@
-apiVersion: dapr.io/v1alpha1
-kind: Component
-metadata:
-  name: statestore
-  namespace: atlantis
-spec:
-  type: state.redis
-  version: v1
-  metadata:
-  - name: redisHost
-    value: staging-redis-master.redis.svc:6379
-  - name: redisUsername
-    value: default
-  - name: redisPassword
-    secretKeyRef:
-      name: staging-redis
-      key:  redis-password
-  - name: actorStateStore
-    value: "true"
-# scopes:
-#   - staging-atlantis
-#   - staging-petimeter
-#   - staging-hipster
-#   - staging-archmeister

resources/atlantis/sync-atlantis-secrets.yaml

@@ -0,0 +1,111 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: sync-dev-atlantis-secrets
+spec:
+  background: true
+  generateExisting: false
+  rules:
+  - name: sync-rabbitmq-secret
+    generate:
+      apiVersion: v1
+      kind: Secret
+      name: '{{ request.object.metadata.name }}'
+      namespace: '{{ request.object.metadata.namespace }}'
+      synchronize: true
+      clone:
+        name: staging-rabbitmq
+        namespace: rabbitmq
+    match:
+     any:
+     - resources:
+         kinds:
+         - Secret
+         names:
+         - "*-rabbitmq"
+         annotations:
+           kyverno/clone: "true"
+  - name: sync-redis-secret
+    generate:
+      apiVersion: v1
+      kind: Secret
+      name: '{{ request.object.metadata.name }}'
+      namespace: '{{ request.object.metadata.namespace }}'
+      synchronize: true
+      clone:
+        name: staging-redis
+        namespace: redis
+    match:
+     any:
+     - resources:
+         kinds:
+         - Secret
+         names:
+         - "*-redis"
+         annotations:
+           kyverno/clone: "true"
+  - name: sync-archmaester-secret
+    generate:
+      apiVersion: v1
+      kind: Secret
+      name: '{{ request.object.metadata.name }}'
+      namespace: '{{ request.object.metadata.namespace }}'
+      synchronize: true
+      clone:
+        name: prod-archmeister-superuser
+        namespace: atlantis
+    match:
+     any:
+     - resources:
+         kinds:
+         - Secret
+         names:
+         - "*-db-superuser"
+         annotations:
+           kyverno/clone: "true"
+  - name: sync-archmaester-replication-secret
+    generate:
+      apiVersion: v1
+      kind: Secret
+      name: '{{ request.object.metadata.name }}'
+      namespace: '{{ request.object.metadata.namespace }}'
+      synchronize: true
+      clone:
+        name: prod-archmeister-replication
+        namespace: atlantis
+    match:
+     any:
+     - resources:
+         kinds:
+         - Secret
+         names:
+         - prod-archmeister-replication
+         annotations:
+           kyverno/clone: "true"
+  - name: sync-archmaester-ca
+    generate:
+      apiVersion: v1
+      kind: Secret
+      name: '{{ request.object.metadata.name }}'
+      namespace: '{{ request.object.metadata.namespace }}'
+      synchronize: true
+      clone:
+        name: prod-archmeister-ca
+        namespace: atlantis
+    match:
+     any:
+     - resources:
+         kinds:
+         - Secret
+         names:
+         - prod-archmeister-ca
+         annotations:
+           kyverno/clone: "true"
+    # exclude:
+    #  any:
+    #  - resources:
+    #      kinds:
+    #      - Secret
+    #      selector:
+    #        matchLabels:
+    #          generate.kyverno.io/clone-source: ""

resources/ekman-cluster/kyverno-policies/sync-keyvault-secret.yaml

@@ -1,32 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
-  annotations:
-    policies.kyverno.io/category: Sample
-    policies.kyverno.io/description: 'Access dataprotection keys from Azure Key Vault'
-  creationTimestamp: "2024-01-15T11:58:24Z"
-  name: sync-keyvault-secrets
-spec:
-  admission: true
-  background: true
-  generateExisting: true
-  rules:
-  - generate:
-      apiVersion: v1
-      clone:
-        name: azure-keyvault
-        namespace: sorcerer
-      kind: Secret
-      name: azure-keyvault
-      namespace: '{{request.object.metadata.name}}'
-      synchronize: true
-    match:
-      any:
-      - resources:
-          kinds:
-          - Namespace
-          names:
-          - "*-sorcerer"
-    name: sync-keyvault-secrets
-
-

resources/ekman-cluster/kyverno-policies/sync-oceanbox-regcred.yaml

@@ -1,44 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
-  annotations:
-    policies.kyverno.io/category: Sample
-    policies.kyverno.io/description: 'Secrets like registry credentials often need
-      to exist in multiple Namespaces so Pods there have access. Manually duplicating
-      those Secrets is time consuming and error prone. This policy will copy a Secret
-      called `regcred` which exists in the `default` Namespace to new Namespaces when
-      they are created. It will also push updates to the copied Secrets should the
-      source Secret be changed.            '
-  creationTimestamp: "2024-01-15T11:58:24Z"
-  name: sync-oceanbox-regcred
-spec:
-  admission: true
-  background: true
-  generateExisting: true
-  rules:
-  - generate:
-      apiVersion: v1
-      clone:
-        # name: oceanbox-regcred
-        name: gitlab-pull-secret
-        namespace: default
-      kind: Secret
-      # name: oceanbox-regcred
-      name: gitlab-pull-secret
-      namespace: '{{request.object.metadata.name}}'
-      synchronize: true
-    exclude:
-      any:
-      - resources:
-          kinds:
-          - Namespace
-          names:
-          - "vcluster-*"
-    match:
-      any:
-      - resources:
-          kinds:
-          - Namespace
-    name: sync-oceanbox-regcred
-
-

resources/oceanbox-cluster/kyverno-policies/sync-keyvault-secret.yaml

@@ -1,32 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
-  annotations:
-    policies.kyverno.io/category: Sample
-    policies.kyverno.io/description: 'Access dataprotection keys from Azure Key Vault'
-  creationTimestamp: "2024-01-15T11:58:24Z"
-  name: sync-keyvault-secrets
-spec:
-  admission: true
-  background: true
-  generateExisting: true
-  rules:
-  - generate:
-      apiVersion: v1
-      clone:
-        name: azure-keyvault
-        namespace: atlantis
-      kind: Secret
-      name: azure-keyvault
-      namespace: '{{request.object.metadata.name}}'
-      synchronize: true
-    match:
-      any:
-      - resources:
-          kinds:
-          - Namespace
-          names:
-          - "*-atlantis"
-    name: sync-keyvault-secrets
-
-

resources/oceanbox-cluster/network-policies/allow-hubble-oidc.yaml

@@ -1,13 +0,0 @@
-apiVersion: cilium.io/v2
-kind: CiliumNetworkPolicy
-metadata:
-  name: allow-hubble-oidc-login
-  namespace: kube-system
-spec:
-  endpointSelector:
-    matchLabels:
-      k8s-app: oauth2-proxy
-  egress:
-  - toFQDNs:
-    - matchName: login.microsoftonline.com
-    - matchPattern: '*.microsoftonline.com'

resources/oceanbox-cluster/network-policies/otel/allow-otel-collector-ingress.yaml

@@ -1,13 +0,0 @@
-apiVersion: cilium.io/v2
-kind: CiliumNetworkPolicy
-metadata:
-  name: allow-otel-collector-loadbalancer-ingress
-  namespace: otel
-spec:
-  description: Allow ingress from world
-  endpointSelector:
-    matchLabels:
-      app.kubernetes.io/name: opentelemetry-collector
-  ingress:
-    - fromEntities:
-        - world