allow otel world

applications/keycloak.yaml

@@ -10,7 +10,7 @@ spec:
     namespace: idp
   sources:
   - repoURL: https://charts.bitnami.com/bitnami
-    targetRevision: 18.3.4
+    targetRevision: 24.0.2
     chart: keycloak
     helm:
       valueFiles:

applications/opentelemetry-collector.yaml

@@ -90,12 +90,12 @@ spec:
         ingress:
           enabled: true
           annotations:
-              cert-manager.io/cluster-issuer: letsencrypt-staging
+              cert-manager.io/cluster-issuer: letsencrypt-production
               nginx.ingress.kubernetes.io/ssl-redirect: "true"
               atlantis.oceanbox.io/expose: internal
           ingressClassName: nginx
           hosts:
-            - host: collector.adm.oceanbox.io
+            - host: opentelemetry-collector.adm.oceanbox.io
               paths:
                 - path: /
                   pathType: Prefix
@@ -103,4 +103,4 @@ spec:
           tls:
             - secretName: collector-tls
               hosts:
-                - collector.adm.oceanbox.io
+                - opentelemetry-collector.adm.oceanbox.io

charts/archmeister/values.yaml

@@ -11,6 +11,17 @@ init:
   enabled: false
   image: ubuntu:rolling
   command: ["/bin/sh", "-c", "true"]
+env:
+  - name: LOG_LEVEL
+    value: "3"
+  - name: APP_NAME
+    valueFrom:
+      fieldRef:
+        fieldPath: metadata.name
+  - name: APP_NAMESPACE
+    valueFrom:
+      fieldRef:
+        fieldPath: metadata.namespace
 imagePullSecrets:
   - name: gitlab-pull-secret
 nameOverride: ""

charts/atlantis/Chart.lock

@@ -1,6 +0,0 @@
-dependencies:
-- name: redis-stack-server
-  repository: https://redis-stack.github.io/helm-redis-stack/
-  version: 0.4.14
-digest: sha256:ed6bf447567c0d92030bffebc947801c67cb4e9b4dd95680c35a0b5f6b23d71f
-generated: "2024-10-04T11:54:47.575418518+02:00"

charts/atlantis/Chart.yaml

@@ -1,12 +1,18 @@
 apiVersion: v2
 name: atlantis
 description: Atlantis map and simulation service
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
 type: application
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
 version: v2.87.1
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application.
 appVersion: v2.87.1
-dependencies:
-  - name: redis-stack-server
-    version: 0.4.14
-    repository: https://redis-stack.github.io/helm-redis-stack/
-    condition: redis.enabled
-    alias: redis

charts/atlantis/templates/cluster.yaml

@@ -2,14 +2,14 @@
 apiVersion: postgresql.cnpg.io/v1
 kind: Cluster
 metadata:
-  name: {{ include "Atlantis.fullname" . }}-db
+  name: {{ include "Atlantis.fullname" . }}
   annotations:
     linkerd.io/inject: disabled
   labels:
     {{- include "Atlantis.labels" . | nindent 4 }}
 spec:
-  instances: {{ .Values.cluster.instances | default "1" }}
+  instances: {{ .Values.cluster.instances | default "2" }}
-  imageName: ghcr.io/cloudnative-pg/postgis:15-3.3
+
   # Example of rolling update strategy:
   # - unsupervised: automated update of the primary once all
   #                 replicas have been upgraded (default)
@@ -18,36 +18,9 @@ spec:
   primaryUpdateStrategy: unsupervised
   backup:
     retentionPolicy: {{ .Values.cluster.backupRetention | default "60d" }}
+
   storage:
     size: {{ .Values.cluster.size | default "5Gi" }}
-{{- with .Values.cluster.bootstrap }}
-  bootstrap:
-{{- if .enabled }}
-    pg_basebackup:
-      source: archmaester
-  externalClusters:
-  - name: archmaester
-    connectionParameters:
-      host: {{ .source.db }}-rw.{{ .source.namespace }}
-      user: streaming_replica
-      sslmode: verify-full
-    sslKey:
-      name: {{ .source.db }}-replication
-      key: tls.key
-    sslCert:
-      name: {{ .source.db }}-replication
-      key: tls.crt
-    sslRootCert:
-      name: {{ .source.db }}-ca
-      key: ca.crt
-{{- else }}
-    initdb:
-      postInitTemplateSQL:
-        - CREATE EXTENSION postgis;
-        - CREATE EXTENSION postgis_topology;
-        - CREATE EXTENSION fuzzystrmatch;
-        - CREATE EXTENSION postgis_tiger_geocoder;
-        - ALTER USER app WITH SUPERUSER;
-{{- end }}
-{{- end }}
 {{- end }}
+
+

charts/atlantis/templates/secrets.yaml

@@ -1,54 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-  annotations:
-    kyverno/clone: "true"
-  name: {{ .Release.Name }}-rabbitmq
-type: Opaque
-data:
----
-{{- if not .Values.redis.enabled }}
-apiVersion: v1
-kind: Secret
-metadata:
-  annotations:
-    kyverno/clone: "true"
-  name: {{ .Release.Name }}-redis
-type: Opaque
-data:
-{{- end }}
----
-{{- if not .Values.cluster.enabled }}
-apiVersion: v1
-kind: Secret
-metadata:
-  annotations:
-    kyverno/clone: "true"
-  name: {{ include "Atlantis.fullname" . }}-db-superuser
-type: kubernetes.io/basic-auth
-data:
-  username:
-  password:
-{{- else }}
-apiVersion: v1
-kind: Secret
-metadata:
-  annotations:
-    kyverno/clone: "true"
-  name: {{ .Values.cluster.bootstrap.source.db }}-replication
-type: kubernetes.io/tls
-data:
-  tls.crt: ""
-  tls.key: ""
----
-apiVersion: v1
-kind: Secret
-type: Opaque
-metadata:
-  annotations:
-    kyverno/clone: "true"
-  name: {{ .Values.cluster.bootstrap.source.db }}-ca
-data:
-  ca.crt: ""
-  ca.key: ""
-{{- end }}

charts/atlantis/values.yaml

@@ -14,6 +14,14 @@ init:
 env:
   - name: LOG_LEVEL
     value: "3"
+  - name: APP_NAME
+    valueFrom:
+      fieldRef:
+        fieldPath: metadata.name
+  - name: APP_NAMESPACE
+    valueFrom:
+      fieldRef:
+        fieldPath: metadata.namespace
 imagePullSecrets:
   - name: gitlab-pull-secret
 nameOverride: ""
@@ -39,7 +47,7 @@ service:
   type: ClusterIP
   port: 8085
 ingress:
-  enabled: false
+  enabled: true
   className: "nginx"
   annotations:
     nginx.ingress.kubernetes.io/ssl-redirect: "true"
@@ -59,25 +67,11 @@ persistence:
   storageClass: ""
   accessMode: ReadWriteOnce
 cluster:
-  enabled: true
+  enabled: false
-  instances: 1
+  instances: 2
   backupEnabled: true
   backupRetention: 60d
   size: 5Gi
-  bootstrap:
-    enabled: true
-    source:
-      db: prod-archmeister
-      namespace: atlantis
-redis:
-  enabled: true
-  name: redis-stack
-  redis_stack_server:
-    image: "redis/redis-stack-server"
-    tag: "7.4.0-v1"
-    replicas: 1
-    storage_class: ceph-rbd
-    storage: 1Gi
 resources: {}
 # We usually recommend not to specify default resources and to leave this as a conscious
 # choice for the user. This also increases chances charts run on environments with little

charts/hipster/values.yaml

@@ -11,6 +11,17 @@ init:
   enabled: false
   image: ubuntu:rolling
   command: ["/bin/sh", "-c", "true"]
+env:
+  - name: LOG_LEVEL
+    value: "3"
+  - name: APP_NAME
+    valueFrom:
+      fieldRef:
+        fieldPath: metadata.name
+  - name: APP_NAMESPACE
+    valueFrom:
+      fieldRef:
+        fieldPath: metadata.namespace
 imagePullSecrets:
   - name: gitlab-pull-secret
 nameOverride: ""

charts/petimeter/values.yaml

@@ -11,6 +11,17 @@ init:
   enabled: false
   image: ubuntu:rolling
   command: ["/bin/sh", "-c", "true"]
+env:
+  - name: LOG_LEVEL
+    value: "3"
+  - name: APP_NAME
+    valueFrom:
+      fieldRef:
+        fieldPath: metadata.name
+  - name: APP_NAMESPACE
+    valueFrom:
+      fieldRef:
+        fieldPath: metadata.namespace
 imagePullSecrets:
   - name: gitlab-pull-secret
 nameOverride: ""

charts/sorcerer/templates/deployment.yaml

@@ -38,8 +38,7 @@ spec:
               containerPort: {{ .Values.service.port }}
               protocol: TCP
           env:
-            - name: LOG_LEVEL
+            {{- toYaml .Values.env | nindent 12 }}
-              value: "3"
           livenessProbe:
             httpGet:
               path: /

charts/sorcerer/values.yaml

@@ -11,6 +11,17 @@ init:
   enabled: false
   image: ubuntu:rolling
   command: ["/bin/sh", "-c", "true"]
+env:
+  - name: LOG_LEVEL
+    value: "3"
+  - name: APP_NAME
+    valueFrom:
+      fieldRef:
+        fieldPath: metadata.name
+  - name: APP_NAMESPACE
+    valueFrom:
+      fieldRef:
+        fieldPath: metadata.namespace
 imagePullSecrets:
   - name: gitlab-pull-secret
 nameOverride: ""

kustomizations/dex/base/config.yaml

@@ -91,6 +91,7 @@ staticClients:
       - 'https://stig-atlantis.dev.oceanbox.io/signin-oidc'
       - 'https://simkir-atlantis.dev.oceanbox.io/signin-oidc'
       - 'https://atlantis.local.oceanbox.io:8080/signin-oidc'
+      - 'https://atlantis.local.oceanbox.io:8085/signin-oidc'
     name: 'Atlantis dev'
     secret: 3QjfSPmAemjn34XVA2o1fvoS7I4gKvOR
   - id: petimeter
@@ -119,6 +120,8 @@ staticClients:
       - 'https://jonas-sorcerer.ekman.oceanbox.io/signin-oidc'
       - 'https://stig-sorcerer.ekman.oceanbox.io/signin-oidc'
       - 'https://simkir-sorcerer.ekman.oceanbox.io/signin-oidc'
+      - 'https://sorcerer.local.oceanbox.io:8080/signin-oidc'
+      - 'https://sorcerer.local.oceanbox.io:8085/signin-oidc'
     name: 'Sorcerer dev'
     secret: cyrgDr1UzhQrJn8nRVqEt9BJ9mLk3OBy
   - id: archmeister

kustomizations/petimeter/manifests/acl.json

@@ -46,6 +46,48 @@
             }
         ]
     },
+    {
+        "domain": "leroyseafood.com",
+        "access": [
+            {
+                "matching": ".*@leroyseafood.com",
+                "group": "/leroy",
+                "roles": [ "user" ],
+                "capabilities": [
+                    "run:transport",
+                    "run:sedimentation"
+                ]
+            }
+        ]
+    },
+    {
+        "domain": "leroyaurora.no",
+        "access": [
+            {
+                "matching": ".*@leroyaurora.no",
+                "group": "/leroy",
+                "roles": [ "user" ],
+                "capabilities": [
+                    "run:transport",
+                    "run:sedimentation"
+                ]
+            }
+        ]
+    },
+    {
+        "domain": "leroymidt.no",
+        "access": [
+            {
+                "matching": ".*@leroymidt.no",
+                "group": "/leroy",
+                "roles": [ "user" ],
+                "capabilities": [
+                    "run:transport",
+                    "run:sedimentation"
+                ]
+            }
+        ]
+    },
     {
         "domain": "serit.no",
         "access": [
@@ -277,6 +319,34 @@
             }
         ]
     },
+    {
+        "domain": "oceandata.earth",
+        "access": [
+            {
+                "matching": ".*@oceandata.earth",
+                "group": "/hubocean",
+                "roles": [ "user" ],
+                "capabilities": [
+                    "run:transport",
+                    "run:sedimentation"
+                ]
+            }
+        ]
+    },
+    {
+        "domain": "masoval.no",
+        "access": [
+            {
+                "matching": ".*@masoval.no",
+                "group": "/masoval",
+                "roles": [ "user" ],
+                "capabilities": [
+                    "run:transport",
+                    "run:sedimentation"
+                ]
+            }
+        ]
+    },
     {
         "domain": "gmail.com",
         "access": [

resources/atlantis/host-manifests/sync-atlantis-secrets.yaml

@@ -1,111 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
-  name: sync-dev-atlantis-secrets
-spec:
-  background: true
-  generateExisting: false
-  rules:
-  - name: sync-rabbitmq-secret
-    generate:
-      apiVersion: v1
-      kind: Secret
-      name: '{{ request.object.metadata.name }}'
-      namespace: '{{ request.object.metadata.namespace }}'
-      synchronize: true
-      clone:
-        name: staging-rabbitmq
-        namespace: rabbitmq
-    match:
-     any:
-     - resources:
-         kinds:
-         - Secret
-         names:
-         - "*-rabbitmq"
-         annotations:
-           kyverno/clone: "true"
-  - name: sync-redis-secret
-    generate:
-      apiVersion: v1
-      kind: Secret
-      name: '{{ request.object.metadata.name }}'
-      namespace: '{{ request.object.metadata.namespace }}'
-      synchronize: true
-      clone:
-        name: staging-redis
-        namespace: redis
-    match:
-     any:
-     - resources:
-         kinds:
-         - Secret
-         names:
-         - "*-redis"
-         annotations:
-           kyverno/clone: "true"
-  - name: sync-archmaester-secret
-    generate:
-      apiVersion: v1
-      kind: Secret
-      name: '{{ request.object.metadata.name }}'
-      namespace: '{{ request.object.metadata.namespace }}'
-      synchronize: true
-      clone:
-        name: prod-archmeister-superuser
-        namespace: atlantis
-    match:
-     any:
-     - resources:
-         kinds:
-         - Secret
-         names:
-         - "*-db-superuser"
-         annotations:
-           kyverno/clone: "true"
-  - name: sync-archmaester-replication-secret
-    generate:
-      apiVersion: v1
-      kind: Secret
-      name: '{{ request.object.metadata.name }}'
-      namespace: '{{ request.object.metadata.namespace }}'
-      synchronize: true
-      clone:
-        name: prod-archmeister-replication
-        namespace: atlantis
-    match:
-     any:
-     - resources:
-         kinds:
-         - Secret
-         names:
-         - prod-archmeister-replication
-         annotations:
-           kyverno/clone: "true"
-  - name: sync-archmaester-ca
-    generate:
-      apiVersion: v1
-      kind: Secret
-      name: '{{ request.object.metadata.name }}'
-      namespace: '{{ request.object.metadata.namespace }}'
-      synchronize: true
-      clone:
-        name: prod-archmeister-ca
-        namespace: atlantis
-    match:
-     any:
-     - resources:
-         kinds:
-         - Secret
-         names:
-         - prod-archmeister-ca
-         annotations:
-           kyverno/clone: "true"
-    # exclude:
-    #  any:
-    #  - resources:
-    #      kinds:
-    #      - Secret
-    #      selector:
-    #        matchLabels:
-    #          generate.kyverno.io/clone-source: ""

resources/atlantis/manifests/base/dapr-tracing.yaml

@@ -7,5 +7,5 @@ spec:
   tracing:
     samplingRate: "1"
     zipkin:
-      endpointAddress: " http://opentelemetry-collector.otel.svc:9411/api/v2/spans"
+      endpointAddress: "http://opentelemetry-collector.otel.svc:9411/api/v2/spans"
 

resources/ekman-cluster/kyverno-policies/sync-keyvault-secret.yaml

@@ -0,0 +1,32 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  annotations:
+    policies.kyverno.io/category: Sample
+    policies.kyverno.io/description: 'Access dataprotection keys from Azure Key Vault'
+  creationTimestamp: "2024-01-15T11:58:24Z"
+  name: sync-keyvault-secrets
+spec:
+  admission: true
+  background: true
+  generateExisting: true
+  rules:
+  - generate:
+      apiVersion: v1
+      clone:
+        name: azure-keyvault
+        namespace: sorcerer
+      kind: Secret
+      name: azure-keyvault
+      namespace: '{{request.object.metadata.name}}'
+      synchronize: true
+    match:
+      any:
+      - resources:
+          kinds:
+          - Namespace
+          names:
+          - "*-sorcerer"
+    name: sync-keyvault-secrets
+
+

resources/ekman-cluster/kyverno-policies/sync-oceanbox-regcred.yaml

@@ -0,0 +1,44 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  annotations:
+    policies.kyverno.io/category: Sample
+    policies.kyverno.io/description: 'Secrets like registry credentials often need
+      to exist in multiple Namespaces so Pods there have access. Manually duplicating
+      those Secrets is time consuming and error prone. This policy will copy a Secret
+      called `regcred` which exists in the `default` Namespace to new Namespaces when
+      they are created. It will also push updates to the copied Secrets should the
+      source Secret be changed.            '
+  creationTimestamp: "2024-01-15T11:58:24Z"
+  name: sync-oceanbox-regcred
+spec:
+  admission: true
+  background: true
+  generateExisting: true
+  rules:
+  - generate:
+      apiVersion: v1
+      clone:
+        # name: oceanbox-regcred
+        name: gitlab-pull-secret
+        namespace: default
+      kind: Secret
+      # name: oceanbox-regcred
+      name: gitlab-pull-secret
+      namespace: '{{request.object.metadata.name}}'
+      synchronize: true
+    exclude:
+      any:
+      - resources:
+          kinds:
+          - Namespace
+          names:
+          - "vcluster-*"
+    match:
+      any:
+      - resources:
+          kinds:
+          - Namespace
+    name: sync-oceanbox-regcred
+
+

resources/oceanbox-cluster/kyverno-policies/sync-keyvault-secret.yaml

@@ -0,0 +1,32 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  annotations:
+    policies.kyverno.io/category: Sample
+    policies.kyverno.io/description: 'Access dataprotection keys from Azure Key Vault'
+  creationTimestamp: "2024-01-15T11:58:24Z"
+  name: sync-keyvault-secrets
+spec:
+  admission: true
+  background: true
+  generateExisting: true
+  rules:
+  - generate:
+      apiVersion: v1
+      clone:
+        name: azure-keyvault
+        namespace: atlantis
+      kind: Secret
+      name: azure-keyvault
+      namespace: '{{request.object.metadata.name}}'
+      synchronize: true
+    match:
+      any:
+      - resources:
+          kinds:
+          - Namespace
+          names:
+          - "*-atlantis"
+    name: sync-keyvault-secrets
+
+

resources/oceanbox-cluster/network-policies/otel/allow-otel-collector-ingress.yaml

@@ -0,0 +1,13 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-otel-collector-loadbalancer-ingress
+  namespace: otel
+spec:
+  description: Allow ingress from world
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: opentelemetry-collector
+  ingress:
+    - fromEntities:
+        - world