fix(atlantis): Use prod-openfga, prod-rabbitmq, staging-sorcerer and staging-plume

To see more submits in our dashboard

.envrc

@@ -5,5 +5,8 @@ watch_file nix/sources.json
 # Load .env file if it exists
 dotenv_if_exists
 
+# Set npins dir
+export NPINS_DIRECTORY="nix"
+
 # Activate development shell
 use nix

charts/atlantis/Chart.yaml

@@ -4,7 +4,7 @@ description: Atlantis map and simulation service
 type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
-version: v1.33.0
+version: v1.35.2
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application.
-appVersion: v1.33.0
+appVersion: v1.35.2

charts/atlantis/values.yaml

@@ -4,7 +4,7 @@
 replicaCount: 1
 image:
   repository: registry.gitlab.com/oceanbox/poseidon/atlantis
-  tag: v1.33.0
+  tag: v1.35.2
   pullPolicy: IfNotPresent
 init:
   enabled: false

charts/codex/Chart.yaml

@@ -1,7 +1,6 @@
 apiVersion: v2
 name: codex
 description: A Helm chart for Kubernetes
-
 # A chart can be either an 'application' or a 'library' chart.
 #
 # Application charts are a collection of templates that can be packaged into versioned archives
@@ -11,14 +10,12 @@ description: A Helm chart for Kubernetes
 # a dependency of application charts to inject those utilities and functions into the rendering
 # pipeline. Library charts do not define any templates and therefore cannot be deployed.
 type: application
-
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.0.1
-
+version: v1.35.2
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "0.0.0-alpha.1"
+appVersion: "v1.35.2"

charts/codex/values.yaml

@@ -4,22 +4,19 @@
 
 # This will set the replicaset count more information can be found here: https://kubernetes.io/docs/concepts/workloads/controllers/replicaset/
 replicaCount: 1
-
 # This sets the container image more information can be found here: https://kubernetes.io/docs/concepts/containers/images/
 image:
   repository: registry.gitlab.com/oceanbox/poseidon/codex
   # This sets the pull policy for images.
   pullPolicy: IfNotPresent
   # Overrides the image tag whose default is the chart appVersion.
-  tag: v1.33.2
-
+  tag: v1.35.2
 # This is for the secrets for pulling an image from a private repository more information can be found here: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
 imagePullSecrets:
   - name: gitlab-pull-secret
 # This is to override the chart name.
 nameOverride: ""
 fullnameOverride: ""
-
 # This section builds out the service account more information can be found here: https://kubernetes.io/docs/concepts/security/service-accounts/
 serviceAccount:
   # Specifies whether a service account should be created
@@ -31,47 +28,41 @@ serviceAccount:
   # The name of the service account to use.
   # If not set and create is true, a name is generated using the fullname template
   name: ""
-
 # This is for setting Kubernetes Annotations to a Pod.
 # For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
 podAnnotations: {}
 # This is for setting Kubernetes Labels to a Pod.
 # For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
 podLabels: {}
-
 podSecurityContext:
   fsGroup: 2000
-
 securityContext:
   capabilities:
     drop:
-    - ALL
+      - ALL
   readOnlyRootFilesystem: false
   runAsNonRoot: true
   runAsUser: 1000
-
 # This is for setting up a service more information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/
 service:
   # This sets the service type more information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
   type: ClusterIP
   # This sets the ports more information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/#field-spec-ports
   port: 8085
-
 # This block is for setting up the ingress for more information can be found here: https://kubernetes.io/docs/concepts/services-networking/ingress/
 ingress:
   enabled: false
-
 resources: {}
-  # We usually recommend not to specify default resources and to leave this as a conscious
-  # choice for the user. This also increases chances charts run on environments with little
-  # resources, such as Minikube. If you do want to specify resources, uncomment the following
-  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
-  # limits:
-  #   cpu: 100m
-  #   memory: 128Mi
-  # requests:
-  #   cpu: 100m
-  #   memory: 128Mi
+# We usually recommend not to specify default resources and to leave this as a conscious
+# choice for the user. This also increases chances charts run on environments with little
+# resources, such as Minikube. If you do want to specify resources, uncomment the following
+# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+# limits:
+#   cpu: 100m
+#   memory: 128Mi
+# requests:
+#   cpu: 100m
+#   memory: 128Mi
 
 # This is to setup the liveness and readiness probes more information can be found here: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
 livenessProbe:
@@ -82,7 +73,6 @@ readinessProbe:
   httpGet:
     path: /
     port: http
-
 # This section is for setting up autoscaling more information can be found here: https://kubernetes.io/docs/concepts/workloads/autoscaling/
 autoscaling:
   enabled: false
@@ -90,7 +80,6 @@ autoscaling:
   maxReplicas: 100
   targetCPUUtilizationPercentage: 80
   # targetMemoryUtilizationPercentage: 80
-
 # Additional volumes on the output Deployment definition.
 volumes: []
 # - name: foo
@@ -105,7 +94,5 @@ volumeMounts: []
 #   readOnly: true
 
 nodeSelector: {}
-
 tolerations: []
-
 affinity: {}

charts/sorcerer/Chart.yaml

@@ -4,7 +4,7 @@ description: A Helm chart for Kubernetes
 type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
-version: v1.33.0
+version: v1.35.2
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application.
-appVersion: v1.33.0
+appVersion: v1.35.2

charts/sorcerer/values.yaml

@@ -5,7 +5,7 @@
 replicaCount: 1
 image:
   repository: registry.gitlab.com/oceanbox/poseidon/sorcerer
-  tag: v1.33.0
+  tag: v1.35.2
   pullPolicy: IfNotPresent
 init:
   enabled: false

helmfile.d/dragonfly.yaml.gotmpl

@@ -13,7 +13,7 @@ releases:
 - name: dragonfly
   namespace: dragonfly
   chart: dragonfly/dragonfly-operator
-  version: v1.3.0
+  version: v1.3.1
   condition: dragonfly.enabled
   values:
   - ../values/dragonfly/values/dragonfly.yaml.gotmpl

helmfile.d/nexus.yaml.gotmpl

@@ -0,0 +1,43 @@
+bases:
+ - ../envs/environments.yaml.gotmpl
+
+repositories:
+  - name: stevehipwell
+    url: 'https://stevehipwell.github.io/helm-charts/'
+
+commonLabels:
+  tier: system
+
+releases:
+- name: nexus3
+  namespace: nexus
+  chart: stevehipwell/nexus3
+  version: 5.9.0
+  condition: nexus.enabled
+  values:
+  - ../values/nexus/values/nexus.yaml.gotmpl
+  - ../values/nexus/values/nexus-{{ .Environment.Name }}.yaml.gotmpl
+  postRenderer: ../bin/kustomizer
+  postRendererArgs:
+  - ../values/nexus/kustomize/{{ .Environment.Name }}
+  missingFileHandler: Info
+- name: manifests
+  namespace: nexus
+  chart: manifests
+  condition: nexus.enabled
+  missingFileHandler: Info
+  values:
+  - ../values/env.yaml
+  - ../values/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml
+  - ../values/nexus/env.yaml.gotmpl
+  - ../values/nexus/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml.gotmpl
+  hooks:
+  - events: [ prepare, cleanup ]
+    showlogs: true
+    command: ../bin/helmify
+    args:
+    - '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
+    - '{{`{{ .Release.Chart }}`}}'
+    - '{{`{{ .Environment.Name }}`}}'
+    - ../values/nexus/manifests
+    - manifests

helmfile.d/sorcerer.yaml.gotmpl

@@ -11,15 +11,15 @@ commonLabels:
 releases:
 - name: {{ .Environment.Name }}-sorcerer
   namespace: {{ .Environment.Name }}-sorcerer
-  #chart: oceanbox/sorcerer
   chart: ../charts/sorcerer
   condition: sorcerer.enabled
   values:
   - ../values/sorcerer/values/values.yaml
   - ../values/sorcerer/values/values-{{ .Environment.Name }}.yaml
+  - ../values/sorcerer/values/values-{{ .Environment.Name }}-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml
   postRenderer: ../bin/kustomizer
   postRendererArgs:
-  - ../values/sorcerer/kustomize/{{ .Environment.Name }}
+  - ../values/sorcerer/kustomize/{{ .Environment.Name }}-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}
   missingFileHandler: Info
 - name: manifests
   namespace: {{ .Environment.Name }}-sorcerer

nix/sources.json

@@ -3,8 +3,8 @@
     "nixpkgs": {
       "type": "Channel",
       "name": "nixpkgs-unstable",
-      "url": "https://releases.nixos.org/nixpkgs/nixpkgs-25.11pre883899.02f2cb8e0feb/nixexprs.tar.xz",
-      "hash": "0k4n6f873a4ls1mff6wck6z31kglgg8irwc5s3xsprrwbxdv7p58"
+      "url": "https://releases.nixos.org/nixpkgs/nixpkgs-26.05pre903996.59b6c96beacc/nixexprs.tar.xz",
+      "hash": "0b0yr9d1xyfwgpaj68bimsbjjbj7yis4whjvkrfdycfnasdf0gf0"
     }
   },
   "version": 5

shell.nix

@@ -25,17 +25,16 @@ pkgs.mkShellNoCC {
     kubelogin-oidc
     kubectl-rook-ceph
 
-    # linkerd
+    # other tools
     step-cli
     linkerd
-
-    # velero
     velero
+    cmctl
 
     # dapr
     dapr-cli
   ];
 
-  ARGOCD_ENV_CLUSTER_NAME = "ekman";
+  ARGOCD_ENV_CLUSTER_NAME = "rossby";
   HELM_GIT_ACCESS_TOKEN = "glpat-xxx";
 }

values/argo/manifests/sys-project.yaml

@@ -72,6 +72,8 @@ spec:
     server: https://kubernetes.default.svc
   - namespace: headscale
     server: https://kubernetes.default.svc
+  - namespace: drupal
+    server: https://kubernetes.default.svc
   - namespace: otel
     server: https://kubernetes.default.svc
   - namespace: opentelemetry

values/atlantis/kustomize/beta/appsettings.json

@@ -0,0 +1,96 @@
+{
+    "oidc": {
+        "issuer": "https://auth.oceanbox.io/realms/oceanbox",
+        "authorization_endpoint": "https://auth.oceanbox.io/realms/oceanbox/protocol/openid-connect/auth",
+        "token_endpoint": "https://auth.oceanbox.io/realms/oceanbox/protocol/openid-connect/token",
+        "jwks_uri": "https://auth.oceanbox.io/realms/oceanbox/protocol/openid-connect/certs",
+        "userinfo_endpoint": "https://auth.oceanbox.io/realms/oceanbox/protocol/openid-connect/userinfo",
+        "end_session_endpoint": "https://auth.oceanbox.io/realms/oceanbox/protocol/openid-connect/logout",
+        "device_authorization_endpoint": "https://auth.oceanbox.io/realms/oceanbox/protocol/openid-connect/auth/device",
+        "clientId": "atlantis",
+        "clientSecret": "",
+        "scopes": [
+            "openid",
+            "email",
+            "offline_access",
+            "profile"
+        ],
+        "audiences": [
+            "atlantis",
+            "atlantis_dev",
+            "sorcerer",
+            "sorcerer_dev"
+        ]
+    },
+    "sso": {
+        "cookieDomain": ".oceanbox.io",
+        "cookieName": ".obx.beta",
+        "ttl": 12.0,
+        "signedOutRedirectUri": "https://maps.beta.oceanbox.io",
+        "realm": "atlantis",
+        "environment": "beta",
+        "keyStore": {
+            "kind": "azure",
+            "uri": "https://atlantis.blob.core.windows.net",
+            "key": "dataprotection-keys"
+        },
+        "keyVault": {
+            "kind": "azure",
+            "uri": "https://atlantisvault.vault.azure.net",
+            "key": "dataencryption-keys"
+        }
+    },
+    "fga": {
+      "apiUrl": "http://prod-openfga.openfga.svc.cluster.local:8080",
+      "apiKey": "",
+      "storeId": "01JKTZXMP7ANN4GG2P5W8Y56M6",
+      "modelId": "01JKTZYMCZZBVSBG66W27XMW0A"
+    },
+    "sentryUrl": "https://b6e03cfc8e247297b89217b09341b4cb@o4509530141622272.ingest.de.sentry.io/4509530195492944",
+    "plainAuthUsers": [
+        {
+            "username": "admin",
+            "password": "en-to-tre-fire",
+            "groups": [ "/oceanbox" ],
+            "roles": [ "admin" ]
+        },
+        {
+            "username": "sorcerer",
+            "password": "fire tre to en",
+            "groups": [ "/oceanbox" ],
+            "roles": [ "admin" ]
+        },
+        {
+            "username": "archivist",
+            "password": "en-to-tre-fire",
+            "groups": [ "/oceanbox" ],
+            "roles": [ "admin" ]
+        }
+    ],
+    "plume": "plume.ekman.oceanbox.io",
+    "redis": "prod-atlantis-redis-master:6379",
+    "objectStore": "https://atlantis.blob.core.windows.net",
+    "connString": "Username=postgres;Password=secret;Host=localhost;Port=5432;Database=app;Pooling=true;",
+    "sorcerer" : "https://sorcerer.ekman.oceanbox.io",
+    "allowedOrigins": [
+        "https://maps.dev.oceanbox.io",
+    ],
+    "appName": "atlantis",
+    "appEnv": "beta",
+    "appNamespace": "atlantis",
+    "appVersion": "2.95.1",
+    "otelCollector": "http://opentelemetry-collector.otel.svc:4317",
+    "pubsubName": "pubsub",
+    "pubsubTopic": "hipster-atlantis",
+    "slurm": {
+        "baseUrl": "https://slurmrestd.ekman.oceanbox.io/",
+        "slurmApi": "slurm/v0.0.42/",
+        "dbdApi": "slurmdbd/v0.0.42/",
+        "accessToken": ""
+    },
+    "amqp": {
+        "auth": "user:hunny-bunny",
+        "host": "10.255.241.201:30673"
+    },
+    "fenceRadius": 1250.0
+}

values/atlantis/kustomize/beta/barentswatch-api.env

@@ -0,0 +1,2 @@
+client-id=simen.kirkvik@tromso.serit.no:simkir-tilt-atlantis
+secret=d9tInZ1XpeDAxD.DySv'*SB=P

values/atlantis/kustomize/beta/bindings.yaml

@@ -0,0 +1,22 @@
+apiVersion: dapr.io/v1alpha1
+kind: Component
+metadata:
+  name: slurm-events
+spec:
+  type: bindings.rabbitmq
+  version: v1
+  metadata:
+  - name: host
+    secretKeyRef:
+      name: prod-atlantis-rabbitmq
+      key:  connString
+  - name: queueName
+    value: prod-slurm-job-events
+  - name: durable
+    value: true
+  - name: contentType
+    value: "application/json"
+  - name: route
+    value: /events/slurm
+scopes:
+  - beta-atlantis

values/atlantis/kustomize/beta/configurations.yaml

@@ -0,0 +1,20 @@
+apiVersion: dapr.io/v1alpha1
+kind: Component
+metadata:
+  name: configstore
+spec:
+  type: configuration.redis
+  version: v1
+  metadata:
+  - name: redisHost
+    value: beta-atlantis-redis-master:6379
+  - name: redisUsername
+    value: default
+  - name: redisPassword
+    secretKeyRef:
+      name: beta-atlantis-redis
+      key:  redis-password
+  - name: redisDB
+    value: "1"
+scopes:
+  - beta-atlantis

values/atlantis/kustomize/beta/default.env

@@ -0,0 +1 @@
+OIDC_CLIENT_SECRET=KOJ6bDHzE5vdyfSrzgwLjtM5PzA809Zm

values/atlantis/kustomize/beta/deployment_patch.yaml

@@ -0,0 +1,10 @@
+- op: add
+  path: /spec/template/spec/containers/0/envFrom/-
+  value:
+    secretRef:
+      name: azure-keyvault
+- op: add
+  path: /spec/template/spec/containers/0/envFrom/-
+  value:
+    secretRef:
+      name: prod-atlantis-env

values/atlantis/kustomize/beta/keyvault.yaml

@@ -0,0 +1,22 @@
+apiVersion: dapr.io/v1alpha1
+kind: Component
+metadata:
+  name: azure-keyvault
+spec:
+  type: secretstores.azure.keyvault
+  version: v1
+  metadata:
+  - name: vaultName
+    value: atlantisvault
+  - name: azureTenantId
+    secretKeyRef:
+      name: azure-keyvault
+      key: AZURE_TENANT_ID
+  - name: azureClientId
+    secretKeyRef:
+      name: azure-keyvault
+      key: AZURE_CLIENT_ID
+  - name: azureClientSecret
+    secretKeyRef:
+      name: azure-keyvault
+      key: AZURE_CLIENT_SECRET

values/atlantis/kustomize/beta/kustomization.yaml

@@ -0,0 +1,24 @@
+generatorOptions:
+  disableNameSuffixHash: true
+configMapGenerator:
+- name: beta-atlantis-appsettings
+  files:
+    - appsettings.json
+patches:
+  - target:
+      group: apps
+      version: v1
+      kind: Deployment
+    path: deployment_patch.yaml
+resources:
+  - ../base
+  - secrets.yaml
+  - rbac.yaml
+  - tracing.yaml
+  - bindings.yaml
+  - pubsub.yaml
+  - statestore.yaml
+  - subscriptions.yaml
+  - configurations.yaml
+  - secretstore.yaml
+  - keyvault.yaml

values/atlantis/kustomize/beta/pubsub.yaml

@@ -0,0 +1,52 @@
+apiVersion: dapr.io/v1alpha1
+kind: Component
+metadata:
+  name: pubsub
+spec:
+  version: v1
+  type: pubsub.rabbitmq
+  metadata:
+  - name: hostname
+    value: prod-rabbitmq.rabbitmq
+  - name: username
+    value: user
+  - name: password
+    secretKeyRef:
+      name: prod-atlantis-rabbitmq
+      key:  rabbitmq-password
+  - name: protocol
+    value: amqp
+  - name: durable
+    value: true
+  - name: deletedWhenUnused
+    value: false
+  - name: autoAck
+    value: false
+  - name: deliveryMode
+    value: 1
+  - name: requeueInFailure
+    value: false
+  - name: prefetchCount
+    value: 0
+  - name: reconnectWait
+    value: 0
+  - name: concurrencyMode
+    value: parallel
+  - name: publisherConfirm
+    value: false
+  - name: backOffPolicy
+    value: exponential
+  - name: backOffInitialInterval
+    value: 100
+  - name: backOffMaxRetries
+    value: 16
+  - name: enableDeadLetter # Optional enable dead Letter or not
+    value: true
+  - name: maxLen # Optional max message count in a queue
+    value: 3000
+  - name: maxLenBytes # Optional maximum length in bytes of a queue.
+    value: 10485760
+  - name: exchangeKind
+    value: fanout
+  - name: clientName
+    value: "{appID}"

values/atlantis/kustomize/beta/rbac.yaml

@@ -0,0 +1,40 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: beta-atlantis
+  namespace: beta-atlantis
+rules:
+- apiGroups:
+  - ""
+  resourceNames:
+  - beta-atlantis-appsettings
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - watch
+- apiGroups:
+  - ""
+  resourceNames:
+  - azure-keyvault
+  - beta-atlantis-redis
+  - slurm-access-token
+  resources:
+  - secrets
+  verbs:
+  - get
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: beta-atlantis
+  namespace: beta-atlantis
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: beta-atlantis
+subjects:
+- kind: ServiceAccount
+  name: beta-atlantis
+  namespace: beta-atlantis

values/atlantis/kustomize/beta/secrets.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  annotations:
+    kyverno/clone: "true"
+    kyverno/env: "prod"
+  name: prod-atlantis-rabbitmq
+type: Opaque
+data:

values/atlantis/kustomize/beta/secretstore.yaml

@@ -0,0 +1,10 @@
+apiVersion: dapr.io/v1alpha1
+kind: Component
+metadata:
+  name: secretstore
+spec:
+  type: secretstores.kubernetes
+  version: v1
+  metadata:
+   - name: defaultNamespace
+     value: prod-atlantis

values/atlantis/kustomize/beta/statestore.yaml

@@ -0,0 +1,22 @@
+apiVersion: dapr.io/v1alpha1
+kind: Component
+metadata:
+  name: statestore
+spec:
+  type: state.redis
+  version: v1
+  metadata:
+  - name: redisHost
+    value: beta-atlantis-redis-master:6379
+  - name: redisUsername
+    value: default
+  - name: redisPassword
+    secretKeyRef:
+      name: beta-atlantis-redis
+      key:  redis-password
+  - name: actorStateStore
+    value: "true"
+  - name: redisDB
+    value: "0"
+scopes:
+  - beta-atlantis

values/atlantis/kustomize/beta/subscriptions.yaml

@@ -0,0 +1,27 @@
+apiVersion: dapr.io/v2alpha1
+kind: Subscription
+metadata:
+  name: hipster-events
+spec:
+  topic: hipster
+  routes:
+    default: /events/hipster
+  pubsubname: pubsub
+  metadata:
+    queueType: quorum
+scopes:
+- beta-atlantis
+---
+apiVersion: dapr.io/v2alpha1
+kind: Subscription
+metadata:
+  name: inbox-events
+spec:
+  topic: inbox
+  routes:
+    default: /events/inbox
+  pubsubname: pubsub
+  metadata:
+    queueType: quorum
+scopes:
+- beta-atlantis

values/atlantis/kustomize/beta/tracing.yaml

@@ -0,0 +1,11 @@
+apiVersion: dapr.io/v1alpha1
+kind: Configuration
+metadata:
+  name: tracing
+spec:
+  tracing:
+    samplingRate: "1"
+    otel:
+      endpointAddress: "opentelemetry-collector.otel.svc.cluster.local:4317"
+      protocol: grpc
+      isSecure: false

values/atlantis/kustomize/staging/appsettings.json

@@ -26,7 +26,7 @@
         "cookieDomain": ".oceanbox.io",
         "cookieName": ".obx.staging",
         "ttl": 12.0,
-        "signedOutRedirectUri": "https://atlantis.beta.oceanbox.io",
+        "signedOutRedirectUri": "https://maps.dev.oceanbox.io",
         "realm": "atlantis",
         "environment": "staging",
         "keyStore": {
@@ -73,9 +73,10 @@
     "connString": "Username=postgres;Password=secret;Host=localhost;Port=5432;Database=app;Pooling=true;",
     "sorcerer" : "https://sorcerer.ekman.oceanbox.io",
     "allowedOrigins": [
-        "https://atlantis.beta.oceanbox.io",
+        "https://maps.dev.oceanbox.io",
         "https://atlantis.dev.oceanbox.io",
-        "https://atlantis.local.oceanbox.io:8080"
+        "https://atlantis.local.oceanbox.io:8080",
+        "https://maps.dev.oceanbox.io"
     ],
     "appName": "atlantis",
     "appEnv": "staging",

values/atlantis/values/values-beta.yaml.gotmpl

@@ -0,0 +1,81 @@
+replicaCount: 1
+
+podAnnotations:
+  dapr.io/app-id: "beta-atlantis"
+
+env:
+  - name: APP_NAMESPACE
+    value: beta-atlantis
+  - name: APP_VERSION
+    value: "2.97.4"
+  - name: LOG_LEVEL
+    value: "2"
+  - name: ANALYTICS_WEB_ID
+    value: "16e7d807-4db5-45fd-92a9-27393445a153"
+  - name: REDIS_USER
+    value: default
+  - name: REDIS_PASSWORD
+    valueFrom:
+      secretKeyRef:
+        name: beta-atlantis-redis
+        key: redis-password
+  - name: DB_HOST
+    value: beta-atlantis-db-rw
+  - name: DB_PORT
+    value: "5432"
+  - name: DB_USER
+    valueFrom:
+      secretKeyRef:
+        name: beta-atlantis-db-superuser
+        key: username
+  - name: DB_PASSWORD
+    valueFrom:
+      secretKeyRef:
+        name: beta-atlantis-db-superuser
+        key: password
+  - name: DAPR_API_TOKEN
+    valueFrom:
+      secretKeyRef:
+        name: dapr-api-token
+        key: token
+
+ingress:
+  enabled: true
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-production
+    nginx.ingress.kubernetes.io/proxy-buffer-size: 128k
+  hosts:
+    - host: maps.beta.oceanbox.io
+      paths:
+        - path: /
+          pathType: ImplementationSpecific
+      internal:
+        - path: /internal
+          pathType: ImplementationSpecific
+        - path: /dapr
+          pathType: ImplementationSpecific
+        - path: /actors
+          pathType: ImplementationSpecific
+        - path: /job
+          pathType: ImplementationSpecific
+        - path: /events
+          pathType: ImplementationSpecific
+        - path: /metrics
+          pathType: ImplementationSpecific
+  tls:
+    - hosts:
+       - maps.beta.oceanbox.io
+      secretName: beta-atlantis-tls
+
+cluster:
+  instances: 2
+  bootstrap:
+    enabled: false
+
+resources:
+  limits:
+    cpu: 1
+    memory: 1Gi
+  requests:
+    cpu: 500m
+    memory: 1Gi

values/atlantis/values/values-staging.yaml.gotmpl

@@ -1,6 +1,6 @@
 replicaCount: 1
 image:
-  tag: 4d9e78cd-debug
+  tag: 369127e0-debug
 podAnnotations:
   dapr.io/app-id: "staging-atlantis"
 env:
@@ -49,7 +49,24 @@ ingress:
     # nginx.ingress.kubernetes.io/session-cookie-max-age: "86400"
     # oceanbox.io/expose: internal
   hosts:
-    - host: atlantis.beta.oceanbox.io
+    - host: maps.dev.oceanbox.io
+      paths:
+        - path: /
+          pathType: ImplementationSpecific
+      internal:
+        - path: /internal
+          pathType: ImplementationSpecific
+        - path: /dapr
+          pathType: ImplementationSpecific
+        - path: /actors
+          pathType: ImplementationSpecific
+        - path: /job
+          pathType: ImplementationSpecific
+        - path: /events
+          pathType: ImplementationSpecific
+        - path: /metrics
+          pathType: ImplementationSpecific
+    - host: maps.dev.oceanbox.io
       paths:
         - path: /
           pathType: ImplementationSpecific
@@ -85,8 +102,9 @@ ingress:
           pathType: ImplementationSpecific
   tls:
     - hosts:
-        - atlantis.beta.oceanbox.io
+        - maps.dev.oceanbox.io
         - atlas.oceanbox.io
+        - maps.dev.oceanbox.io
       secretName: staging-atlantis-tls
 cluster:
   instances: 1

values/atlantis/values/values.yaml.gotmpl

@@ -1,4 +1,3 @@
-
 podAnnotations:
   dapr.io/enabled: "true"
   dapr.io/app-port: "8085"

values/codex/kustomize/staging/deployment_patch.yaml

@@ -1,5 +1,65 @@
 - op: add
-  path: /spec/template/spec/containers/0/envFrom/-
+  path: /spec/template/spec/containers/0/envFrom
   value:
-    secretRef:
-      name: azure-keyvault
+    - secretRef:
+        name: azure-keyvault
+- op: add
+  path: /spec/template/spec/containers/0/env
+  value:
+    - name: APP_NAMESPACE
+      value: staging-atlantis
+    - name: DOTNET_ENVIRONMENT
+      value: Development
+    - name: ASPNETCORE_ENVIRONMENT
+      value: Development
+    - name: DB_HOST
+      valueFrom:
+        secretKeyRef:
+          name: staging-atlantis-db-app
+          key: host
+    - name: DB_PORT
+      valueFrom:
+        secretKeyRef:
+          name: staging-atlantis-db-app
+          key: port
+    - name: DB_DATABASE
+      valueFrom:
+        secretKeyRef:
+          name: staging-atlantis-db-app
+          key: dbname
+    - name: DB_USER
+      valueFrom:
+        secretKeyRef:
+          name: staging-atlantis-db-app
+          key: user
+    - name: DB_PASSWORD
+      valueFrom:
+        secretKeyRef:
+          name: staging-atlantis-db-app
+          key: password
+    - name: FGA_DB_HOST
+      valueFrom:
+        secretKeyRef:
+          name: staging-openfga-db-app
+          key: host
+    - name: FGA_DB_PORT
+      valueFrom:
+        secretKeyRef:
+          name: staging-openfga-db-app
+          key: port
+    - name: FGA_DB_DATABASE
+      valueFrom:
+        secretKeyRef:
+          name: staging-openfga-db-app
+          key: dbname
+    - name: FGA_DB_USER
+      valueFrom:
+        secretKeyRef:
+          name: staging-openfga-db-app
+          key: user
+    - name: FGA_DB_PASSWORD
+      valueFrom:
+        secretKeyRef:
+          name: staging-openfga-db-app
+          key: password
+  name: azure-keyvault

values/codex/kustomize/staging/env.patch.yaml

@@ -1,82 +0,0 @@
-# env.patch.yaml
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: staging-codex
-  labels:
-    app.kubernetes.io/name: codex
-    app.kubernetes.io/instance: staging-codex
-spec:
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/name: codex
-        app.kubernetes.io/instance: staging-codex
-    spec:
-      containers:
-        - name: codex
-          env:
-          - name: APP_NAME
-            valueFrom:
-              fieldRef:
-                fieldPath: metadata.name
-          - name: APP_NAMESPACE
-            valueFrom:
-              fieldRef:
-                fieldPath: metadata.namespace
-          - name: APP_NAMESPACE
-            value: prod-atlantis
-          - name: DOTNET_ENVIRONMENT
-            value: Development
-          - name: ASPNETCORE_ENVIRONMENT
-            value: Development
-          - name: DB_HOST
-            valueFrom:
-              secretKeyRef:
-                name: staging-atlantis-db-app
-                key: host
-          - name: DB_PORT
-            valueFrom:
-              secretKeyRef:
-                name: staging-atlantis-db-app
-                key: port
-          - name: DB_DATABASE
-            valueFrom:
-              secretKeyRef:
-                name: staging-atlantis-db-app
-                key: dbname
-          - name: DB_USER
-            valueFrom:
-              secretKeyRef:
-                name: staging-atlantis-db-app
-                key: user
-          - name: DB_PASSWORD
-            valueFrom:
-              secretKeyRef:
-                name: staging-atlantis-db-app
-                key: password
-          - name: FGA_DB_HOST
-            valueFrom:
-              secretKeyRef:
-                name: staging-openfga-db-app
-                key: host
-          - name: FGA_DB_PORT
-            valueFrom:
-              secretKeyRef:
-                name: staging-openfga-db-app
-                key: port
-          - name: FGA_DB_DATABASE
-            valueFrom:
-              secretKeyRef:
-                name: staging-openfga-db-app
-                key: dbname
-          - name: FGA_DB_USER
-            valueFrom:
-              secretKeyRef:
-                name: staging-openfga-db-app
-                key: user
-          - name: FGA_DB_PASSWORD
-            valueFrom:
-              secretKeyRef:
-                name: staging-openfga-db-app
-                key: password

values/codex/kustomize/staging/kustomization.yaml

@@ -10,7 +10,5 @@ patches:
       version: v1
       kind: Deployment
     path: deployment_patch.yaml
-  - path: env.patch.yaml
-    target:
-      labelSelector: "app.kubernetes.io/name=codex"
-
+resources:
+  - ../base

values/codex/manifests/codex.yaml

@@ -13,7 +13,7 @@ spec:
   destination:
     namespace: {{ .Values.codex.env }}-atlantis
     server: https://kubernetes.default.svc
-  project: default
+  project: atlantis
   sources:
   - repoURL: {{ .Values.clusterConfig.manifests }}
     targetRevision: HEAD
@@ -27,6 +27,9 @@ spec:
         value: {{ .Values.codex.env }}
       - name: HELMFILE_FILE_PATH
         value: codex.yaml.gotmpl
+  - repoURL: https://gitlab.com/oceanbox/manifests.git
+    targetRevision: main
+    ref: values
   syncPolicy:
     syncOptions:
       - CreateNamespace=true

values/codex/values/values-staging.yaml

@@ -1,13 +1,11 @@
 replicaCount: 1
-
 image:
-  tag: 028945bf-debug
-
+  tag: 1b8167c6-debug
 ingress:
   enabled: true
   className: "nginx"
   annotations:
-    cert-manager.io/cluster-issuer: letsencrypt-production
+    cert-manager.io/cluster-issuer: ca-issuer
     nginx.ingress.kubernetes.io/backend-protocol: HTTP
     nginx.ingress.kubernetes.io/ssl-redirect: "true"
     oceanbox.io/expose: internal
@@ -16,16 +14,19 @@ ingress:
       paths:
         - path: /
           pathType: ImplementationSpecific
+    - host: codex.dev.tos.obx
+      paths:
+        - path: /
+          pathType: ImplementationSpecific
   tls:
     - hosts:
         - codex.dev.oceanbox.io
+        - codex.dev.tos.obx
       secretName: staging-codex-tls
-
 volumes:
   - name: appsettings
     configMap:
       name: staging-codex-appsettings
-
 volumeMounts:
   - name: appsettings
     mountPath: "/app/appsettings.Development.json"

values/dapr/manifests/ingress-dashboard.yaml

@@ -14,7 +14,7 @@ metadata:
 spec:
   ingressClassName: nginx
   rules:
-  - host: dapr.{{ .Values.clusterConfig.cluster }}.oceanbox.io
+  - host: dapr.adm.oceanbox.io
     http:
       paths:
       - backend:
@@ -26,6 +26,6 @@ spec:
         pathType: ImplementationSpecific
   tls:
   - hosts:
-    - dapr.{{ .Values.clusterConfig.cluster }}.oceanbox.io
+    - dapr.adm.oceanbox.io
     secretName: dapr-dashboard-tls
 {{- end }}

values/drupal/env-hel1.yaml.gotmpl

@@ -0,0 +1,2 @@
+drupal:
+  enabled: true

values/drupal/env.yaml.gotmpl

@@ -0,0 +1,3 @@
+drupal:
+  enabled: false
+  autosync: false

values/drupal/manifests/allow-external-services.yaml

@@ -0,0 +1,13 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-external-services
+  namespace: drupal
+spec:
+  egress:
+    - toFQDNs:
+        - matchPattern: 'cache.nixos.org'
+        - matchPattern: 'nix-community.cachix.org'
+  endpointSelector:
+    matchLabels:
+      app: drupal

values/drupal/manifests/cluster.yaml

@@ -0,0 +1,11 @@
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+  name: drupal-db
+spec:
+  instances: 1
+  primaryUpdateStrategy: unsupervised
+  storage:
+    size: 2Gi
+  monitoring:
+    enablePodMonitor: true

values/drupal/manifests/drupal.yaml

@@ -0,0 +1,22 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: drupal
+  namespace: argocd
+spec:
+  destination:
+    namespace: drupal
+    server: 'https://kubernetes.default.svc'
+  sources:
+  - repoURL: https://gitlab.com/oceanbox/manifests.git
+    targetRevision: HEAD
+    path: values/drupal/manifests
+  project: sys
+  syncPolicy:
+    syncOptions:
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+      - ServerSideApply=true
+    automated:
+      prune: true
+      # selfHeal: false

values/drupal/manifests/raw.yaml

@@ -0,0 +1,129 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: drupal
+  labels:
+    app: drupal
+spec:
+  ports:
+    - port: 80
+      name: http
+      targetPort: http
+  selector:
+    app: drupal
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: drupal
+  labels:
+    app: drupal
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 5Gi
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: drupal
+  labels:
+    app: drupal
+spec:
+  selector:
+    matchLabels:
+      app: drupal
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        app: drupal
+    spec:
+      initContainers:
+        - name: init-sites-volume
+          image: drupal
+          command: ["/bin/bash", "-c"]
+          args:
+            [
+              "cp -r /var/www/html/sites/ /data/; chown www-data:www-data /data/ -R",
+            ]
+          volumeMounts:
+            - mountPath: /data
+              name: drupal
+      containers:
+        - image: registry.gitlab.com/oceanbox/fornix/oceanbox:dev
+          name: drupal
+          ports:
+            - containerPort: 80
+              name: http
+              protocol: TCP
+          env:
+          - name: DRUPAL_DATABASE_HOST
+            value: drupal-db-rw
+          - name: DRUPAL_DATABASE_PREFIX
+            value: ""
+          - name: DRUPAL_DATABASE_NAME
+            value: app
+          - name: DRUPAL_DATABASE_USERNAME
+            valueFrom:
+              secretKeyRef:
+                name: drupal-db-app
+                key: username
+          - name: DRUPAL_DATABASE_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: drupal-db-app
+                key: password
+          volumeMounts:
+            - mountPath: /var/www/html/modules
+              name: drupal
+              subPath: modules
+            - mountPath: /var/www/html/profiles
+              name: drupal
+              subPath: profiles
+            - mountPath: /var/www/html/sites
+              name: drupal
+              subPath: sites
+            - mountPath: /var/www/html/themes
+              name: drupal
+              subPath: themes
+      volumes:
+        - name: drupal
+          persistentVolumeClaim:
+            claimName: drupal
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-production
+    nginx.ingress.kubernetes.io/backend-protocol: HTTP
+    nginx.ingress.kubernetes.io/proxy-body-size: "0"
+    nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
+    nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
+    nginx.ingress.kubernetes.io/ssl-redirect: "true"
+    nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,172.19.255.0/24,100.64.0.0/12
+  labels:
+    app.kubernetes.io/component: drupal
+  name: drupal
+  namespace: drupal
+spec:
+  ingressClassName: nginx
+  rules:
+  - host: drupal.hel1.oceanbox.io
+    http:
+      paths:
+      - backend:
+          service:
+            name: drupal
+            port:
+              number: 80
+        path: /
+        pathType: Prefix
+  tls:
+  - hosts:
+    - drupal.hel1.oceanbox.io
+    secretName: drupal-tls

values/drupal/values/drupal.yaml.gotmpl

@@ -0,0 +1,35 @@
+# Default values for Example Single Node.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+drupal:
+  persistence:
+    enabled: true
+    ## A manually managed Persistent Volume and Claim
+    ## Requires persistence.enabled: true
+    ## If defined, PVC must be created manually before volume will be bound
+    # existingClaim:
+
+    ## Drupal data Persistent Volume Storage Class
+    ## If defined, storageClassName: <storageClass>
+    ## If set to "-", storageClassName: "", which disables dynamic provisioning
+    ## If undefined (the default) or set to null, no storageClassName spec is
+    ##   set, choosing the default provisioner.  (gp2 on AWS, standard on
+    ##   GKE, AWS & OpenStack)
+    ##
+    # storageClass: "-"
+    annotations: {}
+    accessMode: ReadWriteOnce
+    size: 2Gi
+
+varnish:
+  enabled: false
+
+redis:
+  enabled: false
+
+mysql:
+  enabled: false
+
+proxysql:
+  enabled: false

values/gatus/values/values.yaml

@@ -79,21 +79,28 @@ config:
       - "[RESPONSE_TIME] <= 1000"
 
   endpoints:
-    - name: Atlantis
+    - name: Atlantis TOS
       <<: *https-endpoint
       group: "Primary Services"
       url: https://maps.oceanbox.io/healthz
       alerts:
       - type: custom
 
-    - name: Sorcerer
+    - name: Sorcerer TOS
       <<: *https-endpoint
       group: "Primary Services"
       url: https://sorcerer.data.oceanbox.io/healthz
       alerts:
       - type: custom
 
-    - name: Plume
+    - name: Sorcerer VTN
+      <<: *https-endpoint
+      group: "Primary Services"
+      url: https://sorcerer.vtn.oceanbox.io/healthz
+      # alerts:
+      # - type: custom
+
+    - name: Plume TOS
       <<: *https-endpoint
       group: "Secondary Services"
       url: https://plume.data.oceanbox.io/healthz

values/headscale-router/values/values.yaml

@@ -1,7 +1,7 @@
 image:
   repository: ghcr.io/juanfont/headscale
   pullPolicy: IfNotPresent
-  tag: v0.26.1
+  tag: v0.27.1
 
 args: [ "serve" ]
 

values/headscale/values/values.yaml

@@ -1,7 +1,7 @@
 image:
   repository: ghcr.io/juanfont/headscale
   pullPolicy: IfNotPresent
-  tag: v0.26.1
+  tag: v0.27.1
 
 args: ["serve"]
 
@@ -107,6 +107,7 @@ configMaps:
             "group:devops": [
               "radovan.bast@oceanbox.io",
               "ole.tytlandsvik@oceanbox.io",
+              "ismael.abujadur@oceanbox.io",
             ],
             "group:oceanographer": [
               "frank.gaardsted@oceanbox.io",
@@ -243,14 +244,11 @@ configMaps:
     data:
       records: |
         [
-           { "name": "ekman.oceanbox.io", "type": "A", "value": "10.255.241.100" },
-           { "name": "ekman-manage.oceanbox.io", "type": "A", "value": "10.255.241.99" },
-           { "name": "rossby.oceanbox.io", "type": "A", "value": "172.16.239.222" },
-           { "name": "rossby-manage.oceanbox.io", "type": "A", "value": "172.16.239.221" },
-
            { "name": "maps.oceanbox.io", "type": "A", "value": "10.255.241.11" },
            { "name": "maps.beta.oceanbox.io", "type": "A", "value": "10.255.241.11" },
+           { "name": "maps.dev.oceanbox.io", "type": "A", "value": "10.255.241.11" },
            { "name": "atlantis.beta.oceanbox.io", "type": "A", "value": "10.255.241.11" },
+           { "name": "codex.dev.oceanbox.io", "type": "A", "value": "10.255.241.11" },
 
            { "name": "auth.oceanbox.io", "type": "A", "value": "10.255.241.11" },
            { "name": "auth.adm.oceanbox.io", "type": "A", "value": "10.255.241.11" },
@@ -299,6 +297,8 @@ configMaps:
            { "name": "alertmanager.ob-ceph.local", "type": "A", "value": "10.255.241.10" },
            { "name": "hubble.ob-ceph.local", "type": "A", "value": "10.255.241.10" },
 
+           { "name": "codex.dev.tos.obx", "type": "A", "value": "10.255.241.11" },
+
            { "name": "dashboard.ceph.tos.obx", "type": "A", "value": "10.255.241.10" },
            { "name": "grafana.ceph.tos.obx", "type": "A", "value": "10.255.241.10" },
            { "name": "s3.ceph.tos.obx", "type": "A", "value": "10.255.241.10" },
@@ -326,7 +326,7 @@ configMaps:
            { "name": "mrtz-sorcerer.adm.vtn.obx", "type": "A", "value": "172.16.239.221" },
            { "name": "mrtz-plume.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" },
            { "name": "simkir-atlantis.dev.oceanbox.io", "type": "A", "value": "10.255.241.11" },
-           { "name": "simkir-user-portal.dev.oceanbox.io", "type": "A", "value": "10.255.241.11" },
+           { "name": "simkir-codex.dev.oceanbox.io", "type": "A", "value": "10.255.241.11" },
            { "name": "simkir-sorcerer.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" },
            { "name": "simkir-sorcerer.adm.vtn.obx", "type": "A", "value": "172.16.239.221" },
            { "name": "simkir-plume.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" },

values/makai/values/values-staging.yaml

@@ -1,6 +1,6 @@
 replicaCount: 1
 image:
-  tag: "f2d0f9ad-debug"
+  tag: "aa4f7d23-debug"
 env:
   - name: APP_VERSION
     value: "0.0.0-staging"

values/nexus/env-oceanbox.yaml.gotmpl

@@ -0,0 +1,3 @@
+nexus:
+ enabled: true
+ autosync: true

values/nexus/env.yaml.gotmpl

@@ -0,0 +1,3 @@
+nexus:
+ enabled: false
+ autosync: false

values/nexus/manifests/admin-secret.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: nexus-admin-password
+  namespace: nexus
+type: Opaque
+stringData:
+  password: "changeme-admin-password-here"

values/nexus/manifests/nexus.yaml

@@ -0,0 +1,37 @@
+{{- if .Values.clusterConfig.argo.enabled }}
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: nexus
+  namespace: argocd
+spec:
+  destination:
+    namespace: nexus
+    server: 'https://kubernetes.default.svc'
+  sources:
+  - repoURL: {{ .Values.clusterConfig.manifests }}
+    targetRevision: HEAD
+    path: helmfile.d
+    plugin:
+      name: helmfile-cmp
+      env:
+      - name: CLUSTER_NAME
+        value: {{ .Values.clusterConfig.cluster }}
+      - name: HELMFILE_ENVIRONMENT
+        value: default
+      - name: HELMFILE_FILE_PATH
+        value: nexus.yaml.gotmpl
+  project: sys
+  syncPolicy:
+    managedNamespaceMetadata:
+      labels:
+        component: sys
+    syncOptions:
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+      - ServerSideApply=true
+    {{- if .Values.nexus.autosync }}
+    automated:
+      prune: true
+    {{- end }}
+{{- end }}

values/nexus/values/nexus.yaml.gotmpl

@@ -0,0 +1,60 @@
+image:
+  tag: 3.74.0
+
+ingress:
+  enabled: true
+  ingressClassName: nginx
+  hosts:
+    - host: mochi.tos.oceanbox.io
+      paths:
+        - path: /
+          pathType: Prefix
+  tls:
+    - secretName: nexus-tls
+      hosts:
+        - mochi.tos.oceanbox.io
+
+persistence:
+  enabled: true
+  storageClass: "ceph-rbd"
+  size: 8Gi
+
+env:
+  - name: INSTALL4J_ADD_VM_PARAMS
+    value: "-Xms1024m -Xmx1024m -XX:MaxDirectMemorySize=1024m -Djava.util.prefs.userRoot=/nexus-data/javaprefs"
+
+resources:
+  requests:
+    cpu: 200m
+    memory: 1Gi
+  limits:
+    memory: 1Gi
+
+config:
+  enabled: true
+  data:
+    nexus.properties: |
+      nexus.s3.blobstore.enabled=true
+  rootPassword:
+    secret: nexus-admin-password
+    key: password
+
+serviceAccount:
+  create: true
+
+additionalConfigMaps:
+  - name: nexus-s3-config
+    data:
+      s3-blobstore.json: |
+        {
+          "name": "s3-nuget",
+          "type": "S3",
+          "attributes": {
+            "s3": {
+              "bucket": "nexus-nuget-registry",
+              "region": "us-east-1",
+              "prefix": "nuget/",
+              "expiration": -1
+            }
+          }
+        }

values/nfs-provisioner/env-ekman.yaml.gotmpl

@@ -1,5 +1,5 @@
 nfs_provisioner:
-  enabled: true
+  enabled: false
   autosync: true
   archiveOnDelete: true
   defaultClass: true

values/sorcerer/env-ekman.yaml.gotmpl

@@ -1,3 +1,2 @@
 sorcerer:
   enabled: true
-

values/sorcerer/env-rossby.yaml.gotmpl

@@ -0,0 +1,2 @@
+sorcerer:
+  enabled: true

values/sorcerer/kustomize/prod-rossby/appsettings.json

@@ -0,0 +1,73 @@
+{
+    "oidc": {
+        "issuer": "https://auth.oceanbox.io/realms/oceanbox",
+        "authorization_endpoint": "https://auth.oceanbox.io/realms/oceanbox/protocol/openid-connect/auth",
+        "token_endpoint": "https://auth.oceanbox.io/realms/oceanbox/protocol/openid-connect/token",
+        "jwks_uri": "https://auth.oceanbox.io/realms/oceanbox/protocol/openid-connect/certs",
+        "userinfo_endpoint": "https://auth.oceanbox.io/realms/oceanbox/protocol/openid-connect/userinfo",
+        "end_session_endpoint": "https://auth.oceanbox.io/realms/oceanbox/protocol/openid-connect/logout",
+        "device_authorization_endpoint": "https://auth.oceanbox.io/realms/oceanbox/protocol/openid-connect/auth/device",
+        "clientId": "sorcerer",
+        "clientSecret": "",
+        "scopes": [
+            "openid",
+            "email",
+            "offline_access",
+            "profile"
+        ],
+        "audiences": [
+            "atlantis",
+            "atlantis_dev",
+            "sorcerer",
+            "sorcerer_dev"
+        ]
+    },
+    "sso": {
+        "cookieDomain": ".oceanbox.io",
+        "cookieName": ".obx.prod",
+        "ttl": 12.0,
+        "signedOutRedirectUri": "https://maps.oceanbox.io",
+        "realm": "atlantis",
+        "environment": "prod",
+        "keyStore": {
+            "kind": "azure",
+            "uri": "https://atlantis.blob.core.windows.net",
+            "key": "dataprotection-keys"
+        },
+        "keyVault": {
+            "kind": "azure",
+            "uri": "https://atlantisvault.vault.azure.net",
+            "key": "dataencryption-keys"
+        }
+    },
+    "plainAuthUsers": [],
+    "fga": {
+      "apiUrl": "https://openfga.srv.oceanbox.io",
+      "apiKey": "",
+      "storeId": "01JKTZXMP7ANN4GG2P5W8Y56M6",
+      "modelId": "01JKTZYMCZZBVSBG66W27XMW0A"
+    },
+    "sentryUrl": "https://5e6e3584098dc006de18038cf85d2cbe@o4509530141622272.ingest.de.sentry.io/4509547350065232",
+    "redis": "localhost:6379,user=default,password=secret",
+    "allowedOrigins": [
+        "http://localhost:8085",
+        "http://localhost:8080",
+        "https://localhost:8080",
+        "https://sorcerer.vtn.oceanbox.io",
+        "https://sorcerer.local.oceanbox.io:8080",
+        "https://atlantis.local.oceanbox.io:8080",
+        "https://maps.oceanbox.io",
+        "https://maps.beta.oceanbox.io",
+        "https://atlantis.beta.oceanbox.io",
+        "https://jonas-atlantis.dev.oceanbox.io",
+        "https://stig-atlantis.dev.oceanbox.io",
+    ],
+    "appName": "sorcerer",
+    "appEnv": "prod",
+    "appNamespace": "prod-sorcerer",
+    "appVersion": "0.0.0",
+    "otelCollector": "http://10.255.241.12:4317",
+    "archiveSvc": "https://maps.oceanbox.io",
+    "dataDir": "/data/archives",
+    "cacheDir": "/data/archives/cache"
+}

values/sorcerer/kustomize/prod-rossby/archives-backup-volume.yaml

@@ -0,0 +1,35 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: pv-prod-backup-archives
+spec:
+  accessModes:
+  - ReadWriteMany
+  capacity:
+    storage: 400T
+  local:
+    path: /backup/archives
+  persistentVolumeReclaimPolicy: Retain
+  volumeMode: Filesystem
+  nodeAffinity:
+    required:
+      nodeSelectorTerms:
+      - matchExpressions:
+        - key: kubernetes.io/hostname
+          operator: In
+          values:
+          - ekman
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: prod-oceanbox-backup-archives
+spec:
+  accessModes:
+  - ReadWriteMany
+  resources:
+    requests:
+      storage: 400T
+  storageClassName: ""
+  volumeMode: Filesystem
+  volumeName: pv-prod-backup-archives

values/sorcerer/kustomize/prod-rossby/configurations.yaml

@@ -0,0 +1,20 @@
+apiVersion: dapr.io/v1alpha1
+kind: Component
+metadata:
+  name: configstore
+spec:
+  type: configuration.redis
+  version: v1
+  metadata:
+  - name: redisHost
+    value: prod-sorcerer-redis:6379
+  - name: redisUsername
+    value: default
+  - name: redisPassword
+    secretKeyRef:
+      name: prod-sorcerer-redis
+      key:  redis-password
+  - name: redisDB
+    value: "1"
+scopes:
+  - prod-sorcerer

values/sorcerer/kustomize/prod-rossby/default.env

@@ -0,0 +1 @@
+SEQ_APIKEY=7iIXHJukYjSLQDix6CnZ

values/sorcerer/kustomize/prod-rossby/deployment_patch.yaml

@@ -0,0 +1,13 @@
+- op: replace
+  path: /spec/template/spec/containers/0/volumeMounts/0/mountPath
+  value: /data
+- op: add
+  path: /spec/template/spec/containers/0/envFrom/-
+  value:
+    secretRef:
+      name: azure-keyvault
+- op: add
+  path: /spec/template/spec/containers/0/envFrom/-
+  value:
+    secretRef:
+      name: prod-sorcerer-env

values/sorcerer/kustomize/prod-rossby/kustomization.yaml

@@ -0,0 +1,23 @@
+generatorOptions:
+  disableNameSuffixHash: true
+configMapGenerator:
+- name: prod-sorcerer-appsettings
+  files:
+    - appsettings.json
+patches:
+- target:
+    group: apps
+    version: v1
+    kind: Deployment
+  path: deployment_patch.yaml
+resources:
+- ../base
+- pv.yaml
+- pvc.yaml
+- secrets.yaml
+- configurations.yaml
+- keyvault.yaml
+- rbac.yaml
+- secretstore.yaml
+- statestore.yaml
+- tracing.yaml

values/sorcerer/kustomize/prod-rossby/pv.yaml

@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: pv-prod-sorcerer-ceph-archives
+spec:
+  accessModes:
+  - ReadWriteMany
+  capacity:
+    storage: 1Gi
+  csi:
+    driver: cephfs.csi.ceph.com
+    nodeStageSecretRef:
+      name: csi-cephfs-secret
+      namespace: ceph-csi-operator-system
+    volumeAttributes:
+      clusterID: storage
+      fsName: data
+      rootPath: /
+      staticVolume: "true"
+    volumeHandle: pv-prod-sorcerer-ceph-archives
+  persistentVolumeReclaimPolicy: Retain
+  volumeMode: Filesystem

values/sorcerer/kustomize/prod-rossby/pvc.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: prod-sorcerer-ceph-archives
+spec:
+  accessModes:
+  - ReadWriteMany
+  resources:
+    requests:
+      storage: 1Gi
+  storageClassName: ""
+  volumeMode: Filesystem
+  volumeName: pv-prod-sorcerer-ceph-archives
+status:
+  accessModes:
+  - ReadWriteMany
+  capacity:
+    storage: 1Gi

values/sorcerer/kustomize/prod-rossby/rbac.yaml

@@ -0,0 +1,39 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: prod-sorcerer
+  namespace: prod-sorcerer
+rules:
+- apiGroups:
+  - ""
+  resourceNames:
+  - prod-sorcerer-appsettings
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - watch
+- apiGroups:
+  - ""
+  resourceNames:
+  - azure-keyvault
+  - prod-sorcerer-redis
+  resources:
+  - secrets
+  verbs:
+  - get
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: prod-sorcerer
+  namespace: prod-sorcerer
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: prod-sorcerer
+subjects:
+- kind: ServiceAccount
+  name: prod-sorcerer
+  namespace: prod-sorcerer

values/sorcerer/kustomize/prod-rossby/secrets.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: prod-sorcerer-env
+type: Opaque
+data:
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  annotations:
+    kyverno/clone: "true"
+  name: azure-keyvault
+type: Opaque
+data:

values/sorcerer/kustomize/prod-rossby/secretstore.yaml

@@ -0,0 +1,10 @@
+apiVersion: dapr.io/v1alpha1
+kind: Component
+metadata:
+  name: secretstore
+spec:
+  type: secretstores.kubernetes
+  version: v1
+  metadata:
+   - name: defaultNamespace
+     value: prod-sorcerer

values/sorcerer/kustomize/prod-rossby/statestore.yaml

@@ -0,0 +1,22 @@
+apiVersion: dapr.io/v1alpha1
+kind: Component
+metadata:
+  name: statestore
+spec:
+  type: state.redis
+  version: v1
+  metadata:
+  - name: redisHost
+    value: prod-sorcerer-redis:6379
+  - name: redisUsername
+    value: default
+  - name: redisPassword
+    secretKeyRef:
+      name: prod-sorcerer-redis
+      key:  redis-password
+  - name: actorStateStore
+    value: "true"
+  - name: redisDB
+    value: "0"
+scopes:
+  - prod-sorcerer

values/sorcerer/kustomize/prod-rossby/tracing.yaml

@@ -0,0 +1,11 @@
+apiVersion: dapr.io/v1alpha1
+kind: Configuration
+metadata:
+  name: tracing
+spec:
+  tracing:
+    samplingRate: "1"
+    otel:
+      endpointAddress: "10.255.241.12:4317"
+      protocol: grpc
+      isSecure: false

values/sorcerer/kustomize/staging-ekman/appsettings.json

@@ -26,7 +26,7 @@
         "cookieDomain": ".oceanbox.io",
         "cookieName": ".obx.staging",
         "ttl": 12.0,
-        "signedOutRedirectUri": "https://atlantis.beta.oceanbox.io",
+        "signedOutRedirectUri": "https://maps.dev.oceanbox.io",
         "realm": "atlantis",
         "environment": "staging",
         "keyStore": {
@@ -58,6 +58,7 @@
         "https://atlantis.local.oceanbox.io:8080",
         "https://maps.oceanbox.io",
         "https://maps.beta.oceanbox.io",
+        "https://maps.dev.oceanbox.io",
         "https://atlantis.beta.oceanbox.io",
         "https://jonas-atlantis.dev.oceanbox.io",
         "https://stig-atlantis.dev.oceanbox.io",
@@ -71,7 +72,7 @@
     "appNamespace": "staging-sorcerer",
     "appVersion": "0.0.0",
     "otelCollector": "http://10.255.241.12:4317",
-    "archiveSvc": "https://atlantis.beta.oceanbox.io",
+    "archiveSvc": "https://maps.dev.oceanbox.io",
     "dataDir": "/data/archives",
     "cacheDir": "/data/archives/cache"
 }

values/sorcerer/kustomize/staging-ekman/keyvault.yaml

@@ -0,0 +1,22 @@
+apiVersion: dapr.io/v1alpha1
+kind: Component
+metadata:
+  name: azure-keyvault
+spec:
+  type: secretstores.azure.keyvault
+  version: v1
+  metadata:
+  - name: vaultName
+    value: atlantisvault
+  - name: azureTenantId
+    secretKeyRef:
+      name: azure-keyvault
+      key: AZURE_TENANT_ID
+  - name: azureClientId
+    secretKeyRef:
+      name: azure-keyvault
+      key: AZURE_CLIENT_ID
+  - name: azureClientSecret
+    secretKeyRef:
+      name: azure-keyvault
+      key: AZURE_CLIENT_SECRET

values/sorcerer/values/values-prod-rossby.yaml

@@ -0,0 +1,118 @@
+replicaCount: 2
+
+podAnnotations:
+  dapr.io/enabled: "true"
+  dapr.io/app-id: "prod-sorcerer"
+  dapr.io/app-port: "8085"
+  dapr.io/api-token-secret: "dapr-api-token"
+  dapr.io/config: "tracing"
+  dapr.io/app-protocol: "http"
+  dapr.io/log-as-json: "true"
+  dapr.io/sidecar-cpu-request: "10m"
+  dapr.io/sidecar-memory-request: "50Mi"
+  # dapr.io/sidecar-cpu-limit: "300m"
+  # dapr.io/sidecar-memory-limit: "1000Mi"
+
+env:
+  - name: APP_VERSION
+    value: "4.16.3"
+  - name: LOG_LEVEL
+    value: "2"
+  - name: REDIS_USER
+    value: default
+  - name: REDIS_PASSWORD
+    valueFrom:
+      secretKeyRef:
+        name: prod-sorcerer-redis
+        key: redis-password
+  - name: DAPR_API_TOKEN
+    valueFrom:
+      secretKeyRef:
+        name: dapr-api-token
+        key: token
+
+ingress:
+  enabled: true
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-production
+    nginx.ingress.kubernetes.io/affinity: "cookie"
+    nginx.ingress.kubernetes.io/session-cookie-name: "http-affinity"
+    nginx.ingress.kubernetes.io/session-cookie-expires: "86400"
+    nginx.ingress.kubernetes.io/session-cookie-max-age: "86400"
+  hosts:
+    - host: sorcerer.vtn.oceanbox.io
+      paths:
+      paths:
+        - path: /
+          pathType: ImplementationSpecific
+      internal:
+        - path: /internal
+          pathType: ImplementationSpecific
+        - path: /dapr
+          pathType: ImplementationSpecific
+        - path: /actors
+          pathType: ImplementationSpecific
+        - path: /job
+          pathType: ImplementationSpecific
+        - path: /events
+          pathType: ImplementationSpecific
+        - path: /metrics
+          pathType: ImplementationSpecific
+  tls:
+    - hosts:
+       - sorcerer.vtn.oceanbox.io
+      secretName: prod-sorcerer-tls
+
+persistence:
+  enabled: true
+  existingClaim: prod-sorcerer-ceph-archives
+  # existingClaim: prod-oceanbox-backup-archives
+
+# nodeSelector:
+#   node-role.kubernetes.io/srv: ""
+#   kubernetes.io/hostname: fs-backup
+#   node-role.kubernetes.io/worker: c1-1
+
+# tolerations:
+#   - key: workload
+#     operator: Equal
+#     value: compute
+#     effect: NoSchedule
+redis:
+  enabled: true
+  replicas: 3
+  storageClass: "csi-rbd"
+  size: 2Gi
+  backup:
+    enabled: true
+  secret:
+    name: "prod-sorcerer-redis"
+    key: "redis-password"
+  resources:
+    cpu: 200m
+    memory: 2Gi
+
+
+affinity: {}
+# affinity:
+  # nodeAffinity:
+    # requiredDuringSchedulingIgnoredDuringExecution:
+      # nodeSelectorTerms:
+      # - matchExpressions:
+        # - key: "topology.kubernetes.io/group"
+          # operator: In
+          # values:
+          # - srv
+  # podAntiAffinity:
+    # requiredDuringSchedulingIgnoredDuringExecution:
+    # - labelSelector:
+        # matchExpressions:
+        # - key: "app.kubernetes.io/name"
+          # operator: In
+          # values:
+          # - sorcerer
+        # - key: "app.kubernetes.io/instance"
+          # operator: In
+          # values:
+          # - prod-sorcerer
+      # topologyKey: "kubernetes.io/hostname"

values/sorcerer/values/values-staging.yaml

@@ -1,6 +1,6 @@
 replicaCount: 1
 image:
-  tag: 8c17a644-debug
+  tag: 1b8167c6-debug
 podAnnotations:
   dapr.io/enabled: "true"
   dapr.io/app-id: "staging-sorcerer"