Bump prod atlantis v1.42.24 -> v1.42.25

Bump prod sorcerer v1.42.24 -> v1.42.25
Bump beta v2.8.0 -> v2.9.4
2026-06-05 01:48:22 +02:00 · 2026-06-05 01:47:16 +02:00 · 2026-06-05 01:33:40 +02:00 · 2026-06-04 23:22:44 +00:00 · 2026-06-04 23:22:06 +00:00 · 2026-06-04 23:21:20 +00:00
79 changed files with 1101 additions and 106 deletions
@@ -4,10 +4,10 @@ description: Atlantis map and simulation service
 type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
-version: v2.5.2
+version: v1.42.25
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application.
-appVersion: v2.5.2
+appVersion: v1.42.25
 dependencies:
  - name: diagrid-dashboard
    version: "0.1.0"
@@ -4,7 +4,7 @@
 replicaCount: 1
 image:
  repository: git.oceanbox.io/oceanbox/poseidon/atlantis
-  tag: v2.5.2
+  tag: v1.42.25
  pullPolicy: IfNotPresent
 init:
  enabled: false
@@ -13,9 +13,9 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: v2.5.2
+version: v2.9.4
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "v2.5.2"
+appVersion: "v2.9.4"
@@ -10,7 +10,7 @@ image:
  # This sets the pull policy for images.
  pullPolicy: IfNotPresent
  # Overrides the image tag whose default is the chart appVersion.
-  tag: v2.5.2
+  tag: v2.9.4
 # This is for the secrets for pulling an image from a private repository more information can be found here: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
 imagePullSecrets:
  - name: gitlab-pull-secret
@@ -47,7 +47,7 @@ service:
  port: 8080
 ingress:
  enabled: true
-  className: nginx
+  className: haproxy
 persistence:
  enabled: false
  size: 1G
@@ -0,0 +1,6 @@
+apiVersion: v2
+name: fapr
+description: A Helm chart for Fapr (F# Dapr workflow orchestrator)
+type: application
+version: v0.1.0
+appVersion: v0.1.0
@@ -0,0 +1,61 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "fapr.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+*/}}
+{{- define "fapr.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "fapr.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "fapr.labels" -}}
+helm.sh/chart: {{ include "fapr.chart" . }}
+{{ include "fapr.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "fapr.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "fapr.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "fapr.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create -}}
+    {{ default (include "fapr.fullname" .) .Values.serviceAccount.name }}
+{{- else -}}
+    {{ default "default" .Values.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
@@ -0,0 +1,85 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "fapr.fullname" . }}
+  labels:
+    {{- include "fapr.labels" . | nindent 4 }}
+spec:
+  {{- if not .Values.autoscaling.enabled }}
+  replicas: {{ .Values.replicaCount }}
+  {{- end }}
+  selector:
+    matchLabels:
+      {{- include "fapr.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "fapr.selectorLabels" . | nindent 8 }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "fapr.serviceAccountName" . }}
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      containers:
+        - name: {{ .Chart.Name }}
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          ports:
+            - name: http
+              containerPort: {{ .Values.service.port }}
+              protocol: TCP
+          env:
+            {{- toYaml .Values.env | nindent 12 }}
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: http
+            initialDelaySeconds: 5
+            periodSeconds: 15
+          readinessProbe:
+            httpGet:
+              path: /healthz
+              port: http
+            initialDelaySeconds: 3
+            periodSeconds: 10
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+          volumeMounts:
+            - name: data
+              mountPath: /data
+            - name: appsettings
+              mountPath: /app/appsettings.json
+              subPath: appsettings.json
+              readOnly: true
+      volumes:
+        - name: data
+        {{- if .Values.persistence.enabled }}
+          persistentVolumeClaim:
+            claimName: {{ .Values.persistence.existingClaim | default (include "fapr.fullname" .) }}
+        {{- else }}
+          emptyDir: {}
+        {{- end }}
+        - name: appsettings
+          configMap:
+            name: {{ include "fapr.fullname" . }}-appsettings
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
@@ -0,0 +1,21 @@
+{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) }}
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: {{ include "fapr.fullname" . }}
+  labels:
+{{ include "fapr.labels" . | indent 4 }}
+spec:
+  accessModes:
+    - {{ .Values.persistence.accessMode | quote }}
+  resources:
+    requests:
+      storage: {{ .Values.persistence.size | quote }}
+{{- if .Values.persistence.storageClass }}
+{{- if (eq "-" .Values.persistence.storageClass) }}
+  storageClassName: ""
+{{- else }}
+  storageClassName: "{{ .Values.persistence.storageClass }}"
+{{- end }}
+{{- end }}
+{{- end }}
@@ -0,0 +1,49 @@
+{{- if .Values.redis.enabled -}}
+apiVersion: dragonflydb.io/v1alpha1
+kind: Dragonfly
+metadata:
+  name: {{ include "fapr.fullname" . }}-redis
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    linkerd.io/inject: disabled
+  labels:
+    app.kubernetes.io/created-by: dragonfly-operator
+    {{- include "fapr.labels" . | nindent 4 }}
+spec:
+  args:
+    - --dbfilename=dump
+    - --maxmemory=$(MAX_MEMORY)Mi
+    - --proactor_threads=1
+    - --logtostderr
+    - --save_schedule=
+  env:
+    - name: MAX_MEMORY
+      valueFrom:
+        resourceFieldRef:
+          resource: limits.memory
+          divisor: 1Mi
+  replicas: {{ .Values.redis.replicas | default "1" }}
+  resources:
+    requests:
+      cpu: {{ .Values.redis.resources.cpu | default "100m" }}
+      memory: {{ .Values.redis.resources.memory | default "128Mi" }}
+    limits:
+      memory: {{ .Values.redis.resources.memory | default "128Mi" }}
+  authentication:
+    passwordFromSecret:
+      name: {{ .Values.redis.secret.name | default (printf "%s-redis" (include "fapr.fullname" .)) | quote }}
+      key: {{ .Values.redis.secret.key | quote }}
+  {{- if .Values.redis.backup.enabled }}
+  snapshot:
+    dir: /data
+    cron: "0 3 * * *"
+    enableOnMasterOnly: false
+    persistentVolumeClaimSpec:
+      storageClassName: {{ .Values.redis.storageClass | default "managed-nfs-storage" }}
+      accessModes:
+        - ReadWriteOnce
+      resources:
+        requests:
+          storage: {{ .Values.redis.size | default "1Gi" }}
+  {{- end }}
+{{- end }}
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "fapr.fullname" . }}
+  labels:
+    {{- include "fapr.labels" . | nindent 4 }}
+spec:
+  type: {{ .Values.service.type }}
+  ports:
+    - port: {{ .Values.service.port }}
+      targetPort: http
+      protocol: TCP
+      name: http
+  selector:
+    {{- include "fapr.selectorLabels" . | nindent 4 }}
@@ -0,0 +1,12 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "fapr.serviceAccountName" . }}
+  labels:
+    {{- include "fapr.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}
@@ -0,0 +1,67 @@
+# Default values for fapr.
+
+replicaCount: 1
+image:
+  repository: git.oceanbox.io/oceanbox/fapr/fapr
+  tag: v0.1.0
+  pullPolicy: IfNotPresent
+env:
+  - name: APP_NAME
+    valueFrom:
+      fieldRef:
+        fieldPath: metadata.name
+  - name: APP_NAMESPACE
+    valueFrom:
+      fieldRef:
+        fieldPath: metadata.namespace
+imagePullSecrets:
+  - name: gitlab-pull-secret
+nameOverride: ""
+fullnameOverride: ""
+serviceAccount:
+  create: true
+  annotations: {}
+  name: ""
+podAnnotations: {}
+podSecurityContext:
+  fsGroup: 0
+securityContext:
+  capabilities:
+    drop:
+      - ALL
+  readOnlyRootFilesystem: false
+  runAsNonRoot: false
+  runAsUser: 0
+service:
+  type: ClusterIP
+  port: 8080
+persistence:
+  enabled: true
+  existingClaim: ""
+  size: 1Gi
+  storageClass: "ceph-rbd"
+  accessMode: ReadWriteMany
+redis:
+  enabled: true
+  replicas: 1
+  backup:
+    enabled: false
+  size: 1Gi
+  storageClass: "ceph-rbd"
+  secret:
+    name: ""
+    key: "redis-password"
+  resources:
+    cpu: 100m
+    memory: 128Mi
+resources: {}
+autoscaling:
+  enabled: false
+  minReplicas: 1
+  maxReplicas: 3
+  targetCPUUtilizationPercentage: 80
+serviceMonitor:
+  enabled: false
+nodeSelector: {}
+tolerations: []
+affinity: {}
@@ -47,7 +47,7 @@ service:
  port: 8080
 ingress:
  enabled: true
-  className: nginx
+  className: haproxy
 persistence:
  enabled: false
  size: 1G
@@ -4,10 +4,10 @@ description: A Helm chart for Kubernetes
 type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
-version: v2.5.2
+version: v1.42.25
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application.
-appVersion: v2.5.2
+appVersion: v1.42.25
 dependencies:
  - name: diagrid-dashboard
    version: "0.1.0"
@@ -5,7 +5,7 @@
 replicaCount: 1
 image:
  repository: git.oceanbox.io/oceanbox/poseidon/sorcerer
-  tag: v2.5.2
+  tag: v1.42.25
  pullPolicy: IfNotPresent
 init:
  enabled: false
@@ -15,7 +15,7 @@ releases:
 - name: argocd
  namespace: argocd
  chart: argo/argo-cd
-  version: 9.5.2
+  version: 9.5.15
  condition: argo.enabled
  values:
  - ../values/argo/values/argocd.yaml.gotmpl
@@ -27,7 +27,7 @@ releases:
 - name: argocd-apps
  namespace: argocd
  chart: argo/argocd-apps
-  version: 2.0.4
+  version: 2.0.5
  condition: argo.apps.enabled
  values:
  - ../values/argo/values/apps.yaml.gotmpl
@@ -43,7 +43,7 @@ releases:
 - name: argo-workflows
  namespace: argocd
  chart: argo/argo-workflows
-  version: 1.0.10
+  version: 1.0.14
  condition: argo.workflows.enabled
  missingFileHandler: Info
 - name: manifests
@@ -0,0 +1,39 @@
+bases:
+ - ../envs/environments.yaml.gotmpl
+
+commonLabels:
+  tier: oceanbox
+
+releases:
+- name: {{ .Environment.Name }}-fapr
+  namespace: {{ .Environment.Name }}-fapr
+  chart: ../charts/fapr
+  condition: fapr.enabled
+  values:
+  - ../values/fapr/values/values.yaml
+  - ../values/fapr/values/values-{{ .Environment.Name }}.yaml
+  - ../values/fapr/values/values-{{ .Environment.Name }}-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml
+  postRenderer: ../bin/kustomizer
+  postRendererArgs:
+  - ../values/fapr/kustomize/{{ .Environment.Name }}-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}
+  missingFileHandler: Info
+- name: manifests
+  namespace: {{ .Environment.Name }}-fapr
+  chart: manifests
+  condition: fapr.enabled
+  missingFileHandler: Info
+  values:
+  - ../values/env.yaml
+  - ../values/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml
+  - ../values/fapr/env.yaml.gotmpl
+  - ../values/fapr/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml.gotmpl
+  hooks:
+  - events: [ prepare, cleanup ]
+    showlogs: true
+    command: ../bin/helmify
+    args:
+    - '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
+    - '{{`{{ .Release.Chart }}`}}'
+    - '{{`{{ .Environment.Name }}`}}'
+    - ../values/fapr/manifests
+    - manifests
@@ -13,7 +13,7 @@ releases:
 - name: gitea
  namespace: gitea
  chart: gitea/gitea
-  version: 12.5.3
+  version: 12.6.0
  condition: gitea.enabled
  values:
  - ../values/gitea/values/values.yaml
@@ -0,0 +1,44 @@
+bases:
+ - ../envs/environments.yaml.gotmpl
+
+repositories:
+- name: haproxytech
+  oci: true
+  url: 'ghcr.io/haproxytech/helm-charts'
+
+commonLabels:
+  tier: system
+
+releases:
+- name: ingress-haproxy
+  namespace: ingress-haproxy
+  chart: haproxytech/kubernetes-ingress
+  version: 1.42.0
+  condition: haproxy.enabled
+  values:
+  - ../values/ingress-haproxy/values/ingress-haproxy.yaml.gotmpl
+  - ../values/ingress-haproxy/values/ingress-haproxy-{{ .Environment.Name }}.yaml.gotmpl
+  postRenderer: ../bin/kustomizer
+  postRendererArgs:
+  - ../values/ingress-haproxy/kustomize/{{ .Environment.Name }}
+  missingFileHandler: Info
+- name: manifests
+  namespace: ingress-haproxy
+  chart: manifests
+  condition: haproxy.enabled
+  missingFileHandler: Info
+  values:
+  - ../values/env.yaml
+  - ../values/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml
+  - ../values/ingress-haproxy/env.yaml.gotmpl
+  - ../values/ingress-haproxy/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml.gotmpl
+  hooks:
+  - events: [ prepare, cleanup ]
+    showlogs: true
+    command: ../bin/helmify
+    args:
+    - '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
+    - '{{`{{ .Release.Chart }}`}}'
+    - '{{`{{ .Environment.Name }}`}}'
+    - ../values/ingress-haproxy/manifests
+    - manifests
@@ -15,7 +15,7 @@ releases:
 - name: kyverno
  namespace: kyverno
  chart: kyverno/kyverno
-  version: 3.7.1
+  version: 3.8.1
  condition: kyverno.enabled
  values:
  - ../values/kyverno/values/kyverno.yaml.gotmpl
@@ -12,7 +12,7 @@ releases:
 - name: loki
  namespace: loki
  chart: loki/loki
-  version: 6.55.0
+  version: 7.0.0
  condition: loki.enabled
  values:
  - ../values/loki/values/loki.yaml.gotmpl
@@ -16,7 +16,7 @@ releases:
  namespace: {{ .Environment.Name }}-openfga
  {{- end }}
  chart: openfga/openfga
-  version: 0.3.2
+  version: 0.3.5
  condition: openfga.enabled
  values:
  - ../values/openfga/values/values.yaml
@@ -12,7 +12,7 @@ releases:
 - name: opentelemetry-collector
  namespace: otel
  chart: open-telemetry/opentelemetry-collector
-  version: 0.150.1
+  version: 0.156.2
  condition: otel.enabled
  values:
  - ../values/opentelemetry-collector/values/values.yaml
@@ -15,7 +15,7 @@ releases:
 - name: postgres-operator
  namespace: cnpg
  chart: cloudnative-pg/cloudnative-pg
-  version: 0.28.0
+  version: 0.28.2
  condition: postgres_operator.enabled
  values:
  - ../values/postgres-operator/values/postgres-operator.yaml.gotmpl
@@ -15,7 +15,7 @@ releases:
 - name: prometheus
  namespace: prometheus
  chart: prometheus/kube-prometheus-stack
-  version: 82.15.1
+  version: 85.3.0
  condition: prometheus.enabled
  values:
  - ../values/prometheus/values/prometheus.yaml.gotmpl
@@ -14,7 +14,7 @@ releases:
 - name: umami
  namespace: analytics
  chart: umami/umami
-  version: 7.7.20
+  version: 7.9.4
  condition: umami.enabled
  values:
  - ../values/umami/values/values.yaml
@@ -15,7 +15,7 @@ releases:
 - name: velero
  namespace: velero
  chart: velero/velero
-  version: 12.0.0
+  version: 12.0.1
  condition: velero.enabled
  values:
  - ../values/velero/values/velero.yaml.gotmpl
@@ -3,7 +3,8 @@ bases:

 repositories:
  - name: x509-exporter
-    url: 'https://charts.enix.io'
+    oci: true
+    url: 'quay.io/enix/charts'

 commonLabels:
  tier: sys
@@ -12,7 +13,7 @@ releases:
 - name: x509-exporter
  namespace: x509-exporter
  chart: x509-exporter/x509-certificate-exporter
-  version: 3.20.1
+  version: 4.1.0
  condition: x509_exporter.enabled
  values:
  - ../values/x509-exporter/values/x509-exporter.yaml.gotmpl
@@ -94,6 +94,8 @@ spec:
    server: https://kubernetes.default.svc
  - namespace: jobset-system
    server: https://kubernetes.default.svc
+  - namespace: ingress-haproxy
+    server: https://kubernetes.default.svc
  - namespace: dex
    server: https://kubernetes.default.svc
  - namespace: cra-agent
@@ -139,6 +141,7 @@ spec:
  - ghcr.io/spegel-org/helm-charts
  - quay.io/cilium/charts
  - quay.io/jetstack/charts
+  - quay.io/enix/charts
  - registry.k8s.io/jobset/charts/jobset
  - ghcr.io/dragonflydb/dragonfly-operator/helm/dragonfly-operator
  - docker.gitea.com
@@ -148,3 +151,4 @@ spec:
  - https://twin.github.io/helm-charts
  - https://charts.dexidp.io
  - public.ecr.aws/diagrid/catalyst
+  - ghcr.io/haproxytech/helm-charts
@@ -3,7 +3,8 @@ kind: ConfigMap
 metadata:
  name: beta-atlantis-actor-config
 data:
-  XTRACT_IMAGE: "git.oceanbox.io/oceanbox/katamari/excavator:v1.2.8"
+  KUEUE_NAMESPACE: "prod-queue"
+  XTRACT_IMAGE: "git.oceanbox.io/oceanbox/katamari/excavator:v1.2.14"
  XTRACT_QUEUE: "prod-queue"
-  PLUME_IMAGE: "git.oceanbox.io/oceanbox/katamari/plume:v1.2.8"
+  PLUME_IMAGE: "git.oceanbox.io/oceanbox/katamari/plume:v1.2.14"
  PLUME_QUEUE: "prod-queue"
@@ -76,7 +76,7 @@
        "https://maps.beta.oceanbox.io"
    ],
    "appName": "atlantis",
-    "appEnv": "prod",
+    "appEnv": "preprod",
    "appNamespace": "atlantis",
    "appVersion": "2.95.1",
    "otelCollector": "http://opentelemetry-collector.otel.svc:4317",
@@ -3,6 +3,7 @@ kind: ConfigMap
 metadata:
  name: prod-atlantis-actor-config
 data:
+  KUEUE_NAMESPACE: "prod-queue"
  XTRACT_IMAGE: "git.oceanbox.io/oceanbox/katamari/excavator:v1.2.8"
  XTRACT_QUEUE: "prod-queue"
  PLUME_IMAGE: "git.oceanbox.io/oceanbox/katamari/plume:v1.2.8"
@@ -3,7 +3,7 @@ kind: ConfigMap
 metadata:
  name: staging-atlantis-actor-config
 data:
-  XTRACT_IMAGE: "git.oceanbox.io/oceanbox/katamari/excavator:v1.2.8"
+  XTRACT_IMAGE: "git.oceanbox.io/oceanbox/katamari/excavator:v1.4.0"
  XTRACT_QUEUE: "dev-queue"
-  PLUME_IMAGE: "git.oceanbox.io/oceanbox/katamari/plume:v1.2.8"
+  PLUME_IMAGE: "git.oceanbox.io/oceanbox/katamari/plume:v1.4.0"
  PLUME_QUEUE: "dev-queue"
@@ -2,7 +2,7 @@ replicaCount: 1

 image:
  repository: git.oceanbox.io/oceanbox/poseidon/atlantis
-  tag: v1.48.1
+  tag: v2.9.4

 podAnnotations:
  dapr.io/app-id: "beta-atlantis"
@@ -11,7 +11,7 @@ env:
  - name: APP_NAMESPACE
    value: beta-atlantis
  - name: APP_VERSION
-    value: "2.97.4-beta"
+    value: "2.9.4-beta"
  - name: LOG_LEVEL
    value: "1"
  - name: ANALYTICS_WEB_ID
@@ -1,7 +1,7 @@
 replicaCount: 1
 image:
  repository: git.oceanbox.io/oceanbox/poseidon/atlantis
-  tag: 5d810716-debug
+  tag: d7525aed-debug
 podAnnotations:
  dapr.io/app-id: "staging-atlantis"
 env:
@@ -3,17 +3,14 @@ kind: Ingress
 metadata:
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-production
-    nginx.ingress.kubernetes.io/backend-protocol: HTTP
-    nginx.ingress.kubernetes.io/proxy-body-size: "0"
-    nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
-    nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
-    nginx.ingress.kubernetes.io/ssl-redirect: "true"
+    haproxy.org/backend-protocol: h1
+    haproxy.org/timeout-server: 600s
  labels:
    app.kubernetes.io/component: attic
  name: attic
  namespace: attic
 spec:
-  ingressClassName: nginx
+  ingressClassName: haproxy
  rules:
  - host: attic.srv.oceanbox.io
    http:
@@ -9,14 +9,6 @@ metadata:
  name: shared-gateway
  namespace: kube-system
 spec:
-  infrastructure:
-    annotations:
-      load-balancer.hetzner.cloud/location: hel1
-      load-balancer.hetzner.cloud/type: lb11
-      load-balancer.hetzner.cloud/name: load-balancer-2
-      load-balancer.hetzner.cloud/use-private-ip: "true"
-      load-balancer.hetzner.cloud/uses-proxyprotocol: "true"
-      load-balancer.hetzner.cloud/http-redirect-https: "false"
  gatewayClassName: cilium
  listeners:
    - name: http
@@ -38,4 +38,4 @@ volumeMounts:
    readOnly: true
    subPath: appsettings.json
 image:
-  tag: 651291bd-debug
+  tag: 32f66b86-debug
@@ -1,6 +1,6 @@
 replicaCount: 1
 image:
-  tag: "ea8cf7dc-debug"
+  tag: "1c160398-debug"
 env:
  - name: APP_VERSION
    value: "0.0.0"
@@ -8,13 +8,11 @@ env:
    value: "1"
 ingress:
  enabled: true
-  className: "nginx"
+  className: "haproxy"
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-production
-    nginx.ingress.kubernetes.io/backend-protocol: HTTP
-    nginx.ingress.kubernetes.io/enable-cors: "true"
-    nginx.ingress.kubernetes.io/proxy-buffer-size: 128k
-    nginx.ingress.kubernetes.io/ssl-redirect: "true"
+    haproxy.org/backend-protocol: h1
+    haproxy.org/cors-enable: "true"
    oceanbox.io/expose: internal
  hosts:
    - host: docs.oceanbox.io
@@ -0,0 +1,2 @@
+fapr:
+  enabled: true
@@ -0,0 +1,4 @@
+fapr:
+  enabled: true
+  autosync: {{ if or (eq .Environment.Name "prod") (eq .Environment.Name "beta") }}false{{ else }}true{{ end }}
+  env: {{ .Environment.Name }}
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - _manifest.yaml
@@ -0,0 +1,20 @@
+{
+  "appName": "fapr",
+  "appEnv": "prod",
+  "logLevel": "Information",
+  "aromeOutputDir": "/data/hdd/data/AROME",
+  "aromeStartDate": "2026-04-24",
+  "nveOutputDir": "/data/hdd/data/river-data/Data",
+  "nveNdays": 5000,
+  "nveApiUrl": "https://chartserver.nve.no/ShowData.aspx?req=getchart&ver=1.0",
+  "riverrunBinary": "/app/riverrun",
+  "norshelfOutputDir": "/data/hdd/data/norshelf/sea_norshelf_files",
+  "norshelfStartDate": "2026-03-01",
+  "nemoOutputDir": "/data/hdd/data/NEMO",
+  "copernicusmarineBinary": "/usr/local/bin/copernicusmarine",
+  "copernicusUsername": "",
+  "copernicusPassword": "",
+  "murOutputDir": "/data/hdd/data/river-data/MUR/MUR_SST_nc",
+  "netrcPath": "/root/.netrc",
+  "norkystOutputDir": "/data/hdd/data/norkyst"
+}
@@ -0,0 +1,77 @@
+apiVersion: dapr.io/v1alpha1
+kind: Component
+metadata:
+  name: cron-arome
+spec:
+  type: bindings.cron
+  version: v1
+  metadata:
+    - name: schedule
+      value: "0 6 * * *"
+scopes:
+  - prod-fapr
+---
+apiVersion: dapr.io/v1alpha1
+kind: Component
+metadata:
+  name: cron-nve
+spec:
+  type: bindings.cron
+  version: v1
+  metadata:
+    - name: schedule
+      value: "0 8 * * *"
+scopes:
+  - prod-fapr
+---
+apiVersion: dapr.io/v1alpha1
+kind: Component
+metadata:
+  name: cron-norshelf
+spec:
+  type: bindings.cron
+  version: v1
+  metadata:
+    - name: schedule
+      value: "0 13 * * *"
+scopes:
+  - prod-fapr
+---
+apiVersion: dapr.io/v1alpha1
+kind: Component
+metadata:
+  name: cron-nemo
+spec:
+  type: bindings.cron
+  version: v1
+  metadata:
+    - name: schedule
+      value: "0 13 * * *"
+scopes:
+  - prod-fapr
+---
+apiVersion: dapr.io/v1alpha1
+kind: Component
+metadata:
+  name: cron-mur
+spec:
+  type: bindings.cron
+  version: v1
+  metadata:
+    - name: schedule
+      value: "0 6 * * *"
+scopes:
+  - prod-fapr
+---
+apiVersion: dapr.io/v1alpha1
+kind: Component
+metadata:
+  name: cron-norkyst
+spec:
+  type: bindings.cron
+  version: v1
+  metadata:
+    - name: schedule
+      value: "0 13 * * *"
+scopes:
+  - prod-fapr
@@ -0,0 +1,3 @@
+- op: add
+  path: /spec/template/spec/containers/0/envFrom
+  value: []
@@ -0,0 +1,21 @@
+generatorOptions:
+  disableNameSuffixHash: true
+configMapGenerator:
+  - name: prod-fapr-appsettings
+    files:
+      - appsettings.json
+patches:
+  - target:
+      group: apps
+      version: v1
+      kind: Deployment
+    path: deployment_patch.yaml
+resources:
+  - ../base
+  - pv.yaml
+  - pvc.yaml
+  - secrets.yaml
+  - secretstore.yaml
+  - statestore.yaml
+  - tracing.yaml
+  - cron-bindings.yaml
@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: pv-prod-fapr-ceph-data
+spec:
+  accessModes:
+    - ReadWriteMany
+  capacity:
+    storage: 1Gi
+  csi:
+    driver: rook-ceph.cephfs.csi.ceph.com
+    nodeStageSecretRef:
+      name: rook-csi-cephfs-node
+      namespace: rook-ceph
+    volumeAttributes:
+      clusterID: rook-ceph
+      fsName: data
+      rootPath: /
+      staticVolume: "true"
+    volumeHandle: pv-prod-fapr-ceph-data
+  persistentVolumeReclaimPolicy: Retain
+  volumeMode: Filesystem
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: prod-fapr-ceph-data
+spec:
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 1Gi
+  storageClassName: ""
+  volumeMode: Filesystem
+  volumeName: pv-prod-fapr-ceph-data
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: prod-fapr-redis
+type: Opaque
+data:
@@ -0,0 +1,12 @@
+apiVersion: dapr.io/v1alpha1
+kind: Component
+metadata:
+  name: secretstore
+spec:
+  type: secretstores.kubernetes
+  version: v1
+  metadata:
+    - name: defaultNamespace
+      value: prod-fapr
+scopes:
+  - prod-fapr
@@ -0,0 +1,22 @@
+apiVersion: dapr.io/v1alpha1
+kind: Component
+metadata:
+  name: statestore
+spec:
+  type: state.redis
+  version: v1
+  metadata:
+    - name: redisHost
+      value: prod-fapr-redis:6379
+    - name: redisUsername
+      value: default
+    - name: redisPassword
+      secretKeyRef:
+        name: prod-fapr-redis
+        key: redis-password
+    - name: actorStateStore
+      value: "true"
+    - name: redisDB
+      value: "0"
+scopes:
+  - prod-fapr
@@ -0,0 +1,11 @@
+apiVersion: dapr.io/v1alpha1
+kind: Configuration
+metadata:
+  name: tracing
+spec:
+  tracing:
+    samplingRate: "1"
+    otel:
+      endpointAddress: "10.255.241.12:4317"
+      protocol: grpc
+      isSecure: false
@@ -0,0 +1,42 @@
+{{ if .Values.clusterConfig.argo.enabled }}
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: {{ .Values.fapr.env }}-fapr
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+    argocd.argoproj.io/compare-options: ServerSideDiff=true
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    namespace: {{ .Values.fapr.env }}-fapr
+    server: https://kubernetes.default.svc
+  project: atlantis
+  sources:
+  - repoURL: {{ .Values.clusterConfig.manifests }}
+    targetRevision: HEAD
+    path: helmfile.d
+    plugin:
+      name: helmfile-cmp
+      env:
+      - name: CLUSTER_NAME
+        value: {{ .Values.clusterConfig.cluster }}
+      - name: HELMFILE_ENVIRONMENT
+        value: {{ .Values.fapr.env }}
+      - name: HELMFILE_FILE_PATH
+        value: fapr.yaml.gotmpl
+  - repoURL: https://git.oceanbox.io/platform/manifests.git
+    targetRevision: main
+    ref: values
+  syncPolicy:
+    syncOptions:
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+    {{- if .Values.fapr.autosync }}
+    automated:
+      prune: true
+      selfHeal: false
+    {{- end }}
+{{- end }}
@@ -0,0 +1,55 @@
+replicaCount: 1
+
+podAnnotations:
+  dapr.io/enabled: "true"
+  dapr.io/app-id: "prod-fapr"
+  dapr.io/app-port: "8080"
+  dapr.io/api-token-secret: "dapr-api-token"
+  dapr.io/config: "tracing"
+  dapr.io/app-protocol: "http"
+  dapr.io/log-as-json: "true"
+  dapr.io/sidecar-cpu-request: "10m"
+  dapr.io/sidecar-memory-request: "50Mi"
+
+env:
+  - name: APP_NAME
+    valueFrom:
+      fieldRef:
+        fieldPath: metadata.name
+  - name: APP_NAMESPACE
+    valueFrom:
+      fieldRef:
+        fieldPath: metadata.namespace
+  - name: DAPR_API_TOKEN
+    valueFrom:
+      secretKeyRef:
+        name: dapr-api-token
+        key: token
+
+persistence:
+  enabled: true
+  existingClaim: prod-fapr-ceph-data
+
+redis:
+  enabled: true
+  replicas: 1
+  backup:
+    enabled: true
+  size: 2Gi
+  storageClass: "ceph-rbd"
+  secret:
+    name: "prod-fapr-redis"
+    key: "redis-password"
+  resources:
+    cpu: 100m
+    memory: 128Mi
+
+affinity:
+  nodeAffinity:
+    requiredDuringSchedulingIgnoredDuringExecution:
+      nodeSelectorTerms:
+        - matchExpressions:
+            - key: "topology.kubernetes.io/group"
+              operator: In
+              values:
+                - srv
@@ -0,0 +1 @@
+# Base values for fapr - overridden per environment
@@ -3,17 +3,15 @@ kind: Ingress
 metadata:
  annotations:
    cert-manager.io/cluster-issuer: ca-issuer
-    nginx.ingress.kubernetes.io/backend-protocol: HTTP
-    nginx.ingress.kubernetes.io/cors-allow-headers: Content-Type, x-gatus-cache
-    nginx.ingress.kubernetes.io/enable-cors: "true"
-    nginx.ingress.kubernetes.io/proxy-buffer-size: 128k
-    nginx.ingress.kubernetes.io/ssl-redirect: "true"
+    haproxy.org/backend-protocol: h1
+    haproxy.org/cors-allow-headers: Content-Type, x-gatus-cache
+    haproxy.org/cors-enable: "true"
  labels:
    app.kubernetes.io/name: gatus
  name: gatus
  namespace: uptime
 spec:
-  ingressClassName: nginx
+  ingressClassName: haproxy
  rules:
    - host: uptime.adm.hel1.obx
      http:
@@ -24,7 +22,7 @@ spec:
                port:
                  number: 80
            path: /
-            pathType: ImplementationSpecific
+            pathType: Prefix
  tls:
    - hosts:
        - uptime.adm.hel1.obx
@@ -1,6 +1,6 @@
 image:
  repository: twinproduction/gatus
-  tag: v5.35.0
+  tag: v5.36.0

 # Does envFrom secret named gatus
 secrets: true
@@ -3,7 +3,7 @@ replicaCount: 1
 image:
  registry: "docker.gitea.com"
  repository: gitea
-  tag: "1.26.0"
+  tag: "1.26.2"

 resources:
  requests:
@@ -135,15 +135,12 @@ gitea:

 ingress:
  enabled: true
-  className: nginx
+  className: haproxy
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-production
-    nginx.ingress.kubernetes.io/ssl-redirect: "true"
-    nginx.ingress.kubernetes.io/backend-protocol: HTTP
-    nginx.ingress.kubernetes.io/proxy-body-size: "0"
-    nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
-    nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
-    nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,172.19.255.0/24,100.64.0.0/12,185.125.160.4/32,37.27.203.38/32
+    haproxy.org/backend-protocol: h1
+    haproxy.org/timeout-server: 600s
+    haproxy.org/allow-list: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,172.19.255.0/24,100.64.0.0/12,185.125.160.4/32,37.27.203.38/32
  hosts:
    - host: git.oceanbox.io
      paths:
@@ -0,0 +1,14 @@
+haproxy:
+  enabled: true
+  autosync: true
+  pdb:
+    minAvailable: 1
+  resources:
+    controller:
+      cpu: "100m"
+      memory: "100Mi"
+  annotations:
+    load-balancer.hetzner.cloud/location: hel1
+    load-balancer.hetzner.cloud/name: load-balancer-1
+    load-balancer.hetzner.cloud/type: lb11
+    load-balancer.hetzner.cloud/use-private-ip: "true"
@@ -0,0 +1,10 @@
+haproxy:
+  enabled: false
+  autosync: true
+  pdb:
+    minAvailable: 1
+  resources:
+    controller:
+      cpu: "100m"
+      memory: "100Mi"
+  annotations: []
@@ -0,0 +1,40 @@
+{{- if .Values.clusterConfig.argo.enabled }}
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: ingress-haproxy
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+spec:
+  destination:
+    namespace: ingress-haproxy
+    server: 'https://kubernetes.default.svc'
+  sources:
+  - repoURL: {{ .Values.clusterConfig.manifests }}
+    targetRevision: HEAD
+    path: helmfile.d
+    plugin:
+      name: helmfile-cmp
+      env:
+        - name: CLUSTER_NAME
+          value: {{ .Values.clusterConfig.cluster }}
+        - name: HELMFILE_ENVIRONMENT
+          value: default
+        - name: HELMFILE_FILE_PATH
+          value: ingress-haproxy.yaml.gotmpl
+  project: sys
+  syncPolicy:
+    managedNamespaceMetadata:
+      labels:
+        component: sys
+    syncOptions:
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+      - ServerSideApply=true
+    {{- if .Values.haproxy.autosync }}
+    automated:
+      prune: true
+      # selfHeal: false
+    {{- end }}
+{{- end }}
@@ -0,0 +1,16 @@
+{{- if .Values.clusterConfig.cilium.enabled }}
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-host-traffic
+  namespace: ingress-haproxy
+spec:
+  egress:
+    - toEntities:
+        - kube-apiserver
+        - host
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: kubernetes-ingress
+      app.kubernetes.io/instance: ingress-haproxy
+{{- end }}
@@ -0,0 +1,16 @@
+{{- if .Values.clusterConfig.cilium.enabled }}
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-hubble-traffic
+  namespace: ingress-haproxy
+spec:
+  egress:
+    - toFQDNs:
+        - matchPattern: hubble.*.*.*
+        - matchPattern: hubble.*.*.*.*
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: kubernetes-ingress
+      app.kubernetes.io/instance: ingress-haproxy
+{{- end }}
@@ -0,0 +1,19 @@
+{{- if .Values.clusterConfig.cilium.enabled }}
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-prometheus-metrics
+  namespace: ingress-haproxy
+spec:
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/instance: ingress-haproxy
+  ingress:
+    - fromEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: prometheus
+    - toPorts:
+        - ports:
+            - port: "1024"
+              protocol: TCP
+{{- end }}
@@ -0,0 +1,21 @@
+{{- if .Values.clusterConfig.cilium.enabled }}
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-world-to-ingress-haproxy
+  namespace: ingress-haproxy
+spec:
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: kubernetes-ingress
+      app.kubernetes.io/instance: ingress-haproxy
+  ingress:
+    - fromEntities:
+        - world
+    - toPorts:
+        - ports:
+            - port: "80"
+              protocol: TCP
+            - port: "443"
+              protocol: TCP
+{{- end }}
@@ -0,0 +1,110 @@
+## HAProxy Kubernetes Ingress Controller configuration
+## Ref: https://www.haproxy.com/documentation/kubernetes-ingress/
+##
+controller:
+  resources:
+    requests:
+      cpu: {{ .Values.haproxy.resources.controller.cpu }}
+      memory: {{ .Values.haproxy.resources.controller.memory }}
+
+  ingressClass: haproxy
+
+  ingressClassResource:
+    name: haproxy
+    default: true
+
+  config:
+    body-size: "0"
+    tune.bufsize: "131072"
+    ssl-redirect: "true"
+    forwarded-for: "true"
+
+    # Disable QUIC ar Hetzner LB doesn't support UDP
+    quic-enabled: "false"
+
+    # Proxy protocol
+    proxy-protocol: "10.0.0.0/8"
+    use-proxy-protocol: "true"
+
+  tolerations:
+   - key: unschedulable
+     operator: Exists
+     effect: NoSchedule
+   - key: node-role.kubernetes.io/control-plane
+     operator: Exists
+     effect: NoSchedule
+
+  affinity:
+    nodeAffinity:
+      requiredDuringSchedulingIgnoredDuringExecution:
+        nodeSelectorTerms:
+        - matchExpressions:
+          - key: kubernetes.io/hostname
+            operator: In
+            values: {{ .Values.clusterConfig.ingress_nodes }}
+
+    podAntiAffinity:
+      requiredDuringSchedulingIgnoredDuringExecution:
+      - labelSelector:
+          matchExpressions:
+          - key: app.kubernetes.io/instance
+            operator: In
+            values:
+            - ingress-haproxy
+          - key: app.kubernetes.io/name
+            operator: In
+            values:
+            - kubernetes-ingress
+        topologyKey: "kubernetes.io/hostname"
+
+  replicaCount: {{ .Values.clusterConfig.ingress_replica_count }}
+
+  PodDisruptionBudget:
+    enable: true
+    minAvailable: {{ .Values.haproxy.pdb.minAvailable }}
+
+  service:
+  {{- if .Values.clusterConfig.ingress_loadbalancer }}
+    type: LoadBalancer
+    {{- if .Values.clusterConfig.ingress_nodeport }}
+    nodePorts:
+      http: 30080
+      https: 30443
+    {{- end }}
+  {{- else if .Values.clusterConfig.ingress_nodeport }}
+    type: NodePort
+    externalTrafficPolicy: Local
+    nodePorts:
+      http: 30080
+      https: 30443
+  {{- else }}
+    type: ClusterIP
+  {{- end }}
+    annotations:
+      {{- with .Values.haproxy.annotations }}
+      {{ toYaml . | nindent 8 }}
+      {{- end }}
+
+  hostNetwork: {{ .Values.clusterConfig.ingress_hostnetwork }}
+
+  hostPorts:
+    enable: {{ .Values.clusterConfig.ingress_hostport }}
+    http: 80
+    https: 443
+
+  stats:
+    enabled: true
+
+  prometheus:
+    enabled: true
+    port: 1024
+    service:
+      annotations:
+        prometheus.io/scrape: "true"
+        prometheus.io/port: "1024"
+
+  serviceMonitor:
+    enabled: true
+
+  extraArgs:
+    - --disable-quic
@@ -1,5 +1,5 @@
 nginx:
-  enabled: true
+  enabled: false
  autosync: true
  pdb:
    minAvailable: 1
@@ -1,3 +1,42 @@
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: pv-prod-queue-ceph-archives
+spec:
+  accessModes:
+  - ReadWriteMany
+  capacity:
+    storage: 1Gi
+  csi:
+    driver: rook-ceph.cephfs.csi.ceph.com
+    nodeStageSecretRef:
+      name: rook-csi-cephfs-node
+      namespace: rook-ceph
+    volumeAttributes:
+      clusterID: rook-ceph
+      fsName: data
+      rootPath: /
+      staticVolume: "true"
+    volumeHandle: pv-prod-queue-ceph-archives
+  persistentVolumeReclaimPolicy: Retain
+  volumeMode: Filesystem
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: prod-queue-ceph-archives
+  namespace: prod-queue
+spec:
+  accessModes:
+  - ReadWriteMany
+  resources:
+    requests:
+      storage: 1Gi
+  storageClassName: ""
+  volumeMode: Filesystem
+  volumeName: pv-prod-queue-ceph-archives
+---
 # Cross-namespace RBAC: allow sorcerer ServiceAccounts to manage JobSets in dev-queue
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
@@ -1,6 +1,6 @@
 replicaCount: 1
 image:
-  tag: "ad49e745-debug"
+  tag: "fd47bfc5-debug"
 env:
  - name: APP_VERSION
    value: "0.0.0"
@@ -8,13 +8,11 @@ env:
    value: "1"
 ingress:
  enabled: true
-  className: "nginx"
+  className: "haproxy"
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-production
-    nginx.ingress.kubernetes.io/backend-protocol: HTTP
-    nginx.ingress.kubernetes.io/enable-cors: "true"
-    nginx.ingress.kubernetes.io/proxy-buffer-size: 128k
-    nginx.ingress.kubernetes.io/ssl-redirect: "true"
+    haproxy.org/backend-protocol: h1
+    haproxy.org/cors-enable: "true"
    oceanbox.io/expose: internal
  hosts:
    - host: makai.oceanbox.io
@@ -21,7 +21,7 @@
  path: /spec/template/spec/containers/0/envFrom/-
  value:
    secretRef:
-      name: prod-sorcerer-env
+      name: beta-sorcerer-env
 - op: add
  path: /spec/template/spec/containers/0/envFrom/-
  value:
@@ -2,7 +2,7 @@ replicaCount: 1

 image:
  repository: git.oceanbox.io/oceanbox/poseidon/sorcerer
-  tag: v1.48.1
+  tag: v2.9.4

 podAnnotations:
  dapr.io/enabled: "true"
@@ -19,7 +19,7 @@ podAnnotations:

 env:
  - name: APP_VERSION
-    value: "4.16.3-beta"
+    value: "2.9.4-beta"
  - name: LOG_LEVEL
    value: "1"
  - name: REDIS_USER
@@ -1,7 +1,7 @@
 replicaCount: 1
 image:
  repository: git.oceanbox.io/oceanbox/poseidon/sorcerer
-  tag: 651291bd-debug
+  tag: d7525aed-debug
 podAnnotations:
  dapr.io/enabled: "true"
  dapr.io/app-id: "staging-sorcerer"
@@ -2,13 +2,11 @@ apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  annotations:
-    nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/start?rd=$escaped_request_uri
-    nginx.ingress.kubernetes.io/auth-url: https://$host/oauth2/auth
    oceanbox.io/expose: internal
  name: hubble-ui
  namespace: kube-system
 spec:
-  ingressClassName: nginx
+  ingressClassName: haproxy
  rules:
    - host: hubble.hel1.oceanbox.io
      http:
@@ -26,13 +24,11 @@ kind: Ingress
 metadata:
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-production
-    nginx.ingress.kubernetes.io/proxy-buffer-size: 8k
-    nginx.ingress.kubernetes.io/proxy-busy-buffers-size: 16k
    oceanbox.io/expose: internal
  name: hubble-ui-oauth2-proxy
  namespace: kube-system
 spec:
-  ingressClassName: nginx
+  ingressClassName: haproxy
  rules:
    - host: hubble.hel1.oceanbox.io
      http:
@@ -14,9 +14,8 @@ metadata:
      whitelist to the already existing ones
 spec:
  mutateExistingOnPolicyUpdate: false
-  #precondition: has whitelist annotation or
  rules:
-  - name: ensure-nginx-whitelist-exists
+  - name: ensure-haproxy-allowlist-exists
    skipBackgroundRequests: true
    match:
      resources:
@@ -28,8 +27,8 @@ spec:
      patchStrategicMerge:
        metadata:
          annotations:
-            +(nginx.ingress.kubernetes.io/whitelist-source-range): ""
-  - name: append-existing-whitelist
+            +(haproxy.org/allow-list): ""
+  - name: append-existing-haproxy-allowlist
    skipBackgroundRequests: true
    match:
      resources:
@@ -39,7 +38,7 @@ spec:
          oceanbox.io/expose: internal
    preconditions:
      any:
-      - key: "{{`{{request.object.metadata.annotations.\"nginx.ingress.kubernetes.io/whitelist-source-range\"}}`}}"
+      - key: "{{`{{request.object.metadata.annotations.\"haproxy.org/allow-list\"}}`}}"
        operator: NotEquals
        value: ""
    mutate:
@@ -47,9 +46,9 @@ spec:
        metadata:
          annotations:
            {{- with .Values.clusterConfig.ingress_whitelist }}
-            nginx.ingress.kubernetes.io/whitelist-source-range: "{{`{{ @ }}`}},{{ join "," . }}"
+            haproxy.org/allow-list: "{{`{{ @ }}`}},{{ join "," . }}"
            {{- end }}
-  - name: add-nginx-whitelist
+  - name: add-haproxy-allowlist
    skipBackgroundRequests: true
    match:
      resources:
@@ -59,7 +58,7 @@ spec:
          oceanbox.io/expose: internal
    preconditions:
      any:
-      - key: "{{`{{request.object.metadata.annotations.\"nginx.ingress.kubernetes.io/whitelist-source-range\"}}`}}"
+      - key: "{{`{{request.object.metadata.annotations.\"haproxy.org/allow-list\"}}`}}"
        operator: Equals
        value: ""
    mutate:
@@ -67,7 +66,6 @@ spec:
        metadata:
          annotations:
            {{- with .Values.clusterConfig.ingress_whitelist }}
-            nginx.ingress.kubernetes.io/whitelist-source-range: "{{ join "," . }}"
+            haproxy.org/allow-list: "{{ join "," . }}"
            {{- end }}
 {{- end }}
-
@@ -23,8 +23,8 @@ SELECT
  *
 FROM
  crosstab(
-    'SELECT "group", sim_type, count::text FROM weekly_sim_submit_count_v2 ORDER BY 1, 2',
-    'SELECT DISTINCT sim_type FROM weekly_sim_submit_count_v2 ORDER BY 1'
+    'SELECT "group", sim_type, count::text FROM weekly_sim_submit_count WHERE sim_type <> ''lice-network'' AND sim_type <> ''lice-delousing'' ORDER BY 1, 2',
+    'SELECT DISTINCT sim_type FROM weekly_sim_submit_count WHERE sim_type <> ''lice-network'' AND sim_type <> ''lice-delousing'' ORDER BY 1'
  ) AS ct (
    group_name text,
    lice bigint,
@@ -33,3 +33,9 @@ FROM
    virus bigint,
    watercontact bigint
  )
+WHERE
+  (lice + sedimentation + transport + virus + watercontact) <> 0
+  AND "group" <> '@oceanbox.io'
+ORDER BY
+  (lice + sedimentation + transport + virus + watercontact) DESC
+;
@@ -9,9 +9,11 @@ WITH base AS (
  WHERE
    w.website_id = '16e7d807-4db5-45fd-92a9-27393445a153'
    AND w.event_type = 1
-    AND w.created_at BETWEEN '2025-10-13' AND '2025-10-19'
+    -- NOTE: This is only available in grafana
+    -- AND $__timeFilter(w.created_at)
+    AND w.created_at BETWEEN current_timestamp - '7 days'::interval and current_timestamp
    AND s.distinct_id IS NOT NULL
-    -- AND substring(s.distinct_id SIMILAR '%#"@%#"' ESCAPE '#') IN ('@leroyseafood.com')
+    -- AND substring(s.distinct_id SIMILAR '%#"@%#"' ESCAPE '#') IN ($groups)
 ),
 unique_totals AS (
  SELECT
@@ -28,9 +30,12 @@ unique_users AS (
  GROUP BY "Group"
 )
 SELECT
-	SUM("Users in range")
-FROM
-	unique_totals
+  t."Group",
+  t."Users in range" AS "Weekly users"
+FROM unique_totals t
+LEFT JOIN
+  unique_users u USING ("Group")
 WHERE
-	LOWER("Group") NOT IN ('@oceanbox.io')
-	;
+  t."Group" <> '@oceanbox.io'
+ORDER BY
+  "Users in range" DESC;
@@ -14,6 +14,10 @@ WHERE
 	AND w.event_type = 1
 	AND s.distinct_id IS NOT NULL
 	AND substring(s.distinct_id SIMILAR '%#"@%#"' ESCAPE '#') <> '@oceanbox.io'
+	AND 2025 < EXTRACT(YEAR FROM w.created_at) 
+	-- NOTE(simkir): We started with umami at this time, so the data that week was not complete
+	AND (NOT (EXTRACT(YEAR FROM w.created_at) = 2025 AND EXTRACT(WEEK FROM w.created_at) = 37))
+	AND (NOT (EXTRACT(YEAR FROM w.created_at) = 2025 AND EXTRACT(WEEK FROM w.created_at) = 1))
 GROUP BY
  week
 ORDER BY
				`@@ -0,0 +1 @@`
				`# Base values for fapr - overridden per environment`