Moritz Jörg 9e1beb6895 Add more Nix Apps
Rewrite of some of the Apps to Nix. Tried to convert
ApplicationSets to simple Applications with an ${env}
modifier.
2025-02-21 17:47:45 +00:00
juselius e3b1ef76da fix: fix amqp password 2025-02-04 17:02:42 +01:00
juselius 6663fc2cc5 Merge branch 'nixidy' of gitlab.com:oceanbox/manifests into nixidy 2025-02-04 15:43:37 +01:00
juselius dd7e28c2e2 fix: add bast and oty to sorcerer dev cors 2025-02-04 15:43:24 +01:00
juselius 6976ea8d93 fix: only sync atlantis db secrets if bootstrap is enabled 2025-01-31 13:25:45 +01:00
juselius 8421acaa25 fix: unify atlantis secrets policy 2025-01-31 13:22:27 +01:00
juselius f425a1c551 fix: update prod atlantis 2025-01-30 21:53:54 +01:00
juselius d8a3706305 fix: fix increase prod-atlantis replica count 2025-01-30 21:18:03 +01:00
juselius 1ef512e2eb fix: fix prod-atlantis sorcerer uri to prod 2025-01-30 21:16:40 +01:00
juselius 39e69dff7f fix: fix prod-atlantis db and disable bootstrap 2025-01-30 20:55:39 +01:00
juselius 5d86e81fb0 feat: change preprod to prod! 2025-01-30 20:45:33 +01:00
juselius 265f188f66 fix: fix prod-sorcerer replica count 2025-01-30 20:23:38 +01:00
juselius 2508817f30 fix: fix redis prod env secret 2025-01-30 20:22:10 +01:00
juselius e04dd170ac fix: fix redis prod env secret 2025-01-30 20:19:13 +01:00
juselius 861f288ec0 fix: fix redis secret (static) 2025-01-30 20:14:12 +01:00
juselius 20de965607 fix: fix redis secret 2025-01-30 20:13:16 +01:00
juselius b63d89d9e6 fix: add missing redis 2025-01-30 20:10:37 +01:00
juselius c9ba27539e feat: add new prod-sorcerer 2025-01-30 20:08:09 +01:00
juselius daa4a87597 fix: update atlantis preprod 2025-01-28 10:50:28 +01:00
juselius a96c6c28a9 fix: update atlantis preprod 2025-01-24 16:29:36 +01:00
juselius 45f598fb8b fix: update preprod atlantis 2025-01-23 21:04:20 +01:00
juselius b0cdab1790 feat: remove rabbitmq secret from atlantis chart and put it in kustomizations 2025-01-23 18:09:26 +01:00
juselius 28e2ba87eb fix: fix accidental lowecasing 2025-01-23 18:08:27 +01:00
juselius 89e99bed42 fix: ignore redis secret 2025-01-23 17:03:49 +01:00
juselius d30ec463bb fix: fix redis secret name 2025-01-23 16:59:13 +01:00
juselius 0f8dae5436 fix: update preprod atlantis and sorcerer 2025-01-23 16:43:03 +01:00
juselius 2422db91e2 fix: update atlantis preprod and sorcerer beta 2025-01-21 10:58:57 +01:00
juselius d7117d18b8 feat: flip over to new keycloak instance 2025-01-20 08:58:56 +01:00
juselius befe13225c fix: new atlantis and sorcerer preprod 2025-01-17 15:27:16 +01:00
juselius bc71b78da6 fix: update atlantis preprod 2025-01-14 18:52:26 +01:00
juselius f1385b8d0b fix: update sorcerer beta and atlantis preprod 2025-01-14 15:54:55 +01:00
juselius 87e3219c0c fix: add redis to sorcerer 2025-01-11 21:12:18 +01:00
juselius 74fa77e91c fix: update atlantis preprod 2025-01-11 21:11:44 +01:00
juselius 5940db6833 fix: update staging sorcerer for maps.beta 2025-01-11 16:37:04 +01:00
juselius c02d40564d fix: update staging sorcerer for maps.beta 2025-01-11 16:19:36 +01:00
juselius 934ea43ae9 fix: update staging sorcerer for maps.beta 2025-01-11 16:00:06 +01:00
juselius f0eae55b5e fix: update atlantis fga model 2025-01-11 13:36:22 +01:00
juselius 423b9ce28c fix: temp hack for preprod atlantis db 2025-01-11 09:36:51 +01:00
juselius a93031b11b fix: fix atlantis env secret policy 2025-01-11 09:36:14 +01:00
juselius 4fc69cafe6 fix: fix preprod wankery 2025-01-10 14:04:29 +01:00
juselius 089096f936 fix: fix preprod wankery 2025-01-10 13:50:16 +01:00
juselius e3c174a995 fix: atlantis preprod tweaks 2025-01-10 13:26:56 +01:00
juselius 4830a58ed9 fix: fix pølsefingre 2025-01-10 13:16:04 +01:00
juselius d47ee8f5f1 fix: fix atlantis subscriptions 2025-01-10 13:08:02 +01:00
juselius 211db0669f Merge branch 'nixidy' of gitlab.com:oceanbox/manifests into nixidy 2025-01-10 12:49:01 +01:00
juselius 386c098373 fix: update (pre)prod atlantis manifests 2025-01-10 12:48:34 +01:00
juselius fcde51b19e fix: update atlantis beta 2025-01-09 18:51:44 +01:00
juselius 20a34d6bf0 fix: update salmar client secret 2025-01-09 12:40:15 +01:00
juselius 8d666f5722 fix: update aqua-kompetanse client secret 2025-01-06 11:53:49 +01:00
juselius a0c5699c71 Merge branch 'nixidy' of gitlab.com:oceanbox/manifests into nixidy 2025-01-03 08:50:31 +01:00
juselius ea7b4d7d01 fix: update atlantis beta 2025-01-03 08:50:15 +01:00
juselius b20300e315 fix: fix appsettings with oidc logout endpoint 2025-01-02 20:37:24 +01:00
juselius fa552169bc fix: update openfga secret policy 2025-01-01 12:05:54 +01:00
juselius f2bfd484b4 fix: change openfga db name 2024-12-31 15:30:52 +01:00
juselius e1317584ce feat: add policy to fixup openfga connection uri 2024-12-31 15:17:08 +01:00
juselius ff3407f80c fix: fix image name 2024-12-31 13:49:24 +01:00
juselius d05f619618 fix: update openfga postgres to 17 2024-12-31 13:44:17 +01:00
juselius aaf7fad09a fix: fix (defunct) keycloak frontend url 2024-12-31 13:43:23 +01:00
juselius 4498df8aea fix: fix staging atlantis app and tweak keycloak 2024-12-31 13:34:38 +01:00
juselius 0726aa922b fix: fix keycloak admin ingress secret 2024-12-30 18:47:11 +01:00
juselius b291bba5d1 fix: disable keycloak admin ingress 2024-12-30 18:37:19 +01:00
juselius 2f8e31b829 fix: fix json typo 2024-12-30 15:28:18 +01:00
juselius 45b46e2394 fix: move staging atlantis onto keycloak 2024-12-30 15:19:26 +01:00
juselius f9231e96a0 fix: disable keycloak cli job 2024-12-30 14:14:52 +01:00
juselius fcc0994c38 fix: change ingress to auth.oceanbox.io 2024-12-30 13:47:25 +01:00
juselius f065b69ab7 fix: reduce old keycloak replicas to 1 2024-12-30 13:43:53 +01:00
juselius 2ea3e85c3c fix: fix keycloak and remove import-export sidecar 2024-12-30 13:40:53 +01:00
juselius d176df16dd debug: add import-export sidecar 2024-12-29 21:50:31 +01:00
juselius 43c6077d9a debug: add import-export sidecar 2024-12-29 21:47:15 +01:00
juselius 3d67b97222 debug: add import-export sidecar 2024-12-29 21:44:06 +01:00
juselius 3706f37030 debug: add import-export sidecar 2024-12-29 21:41:07 +01:00
juselius dee898a97d fix: fix(?) admin ingress on prod-keycloak 2024-12-28 14:55:25 +01:00
juselius ce1bbcfda2 fix: tweak ingress for now 2024-12-28 14:46:17 +01:00
juselius 3a17a72924 fix: enable admin ingress on prod-keycloak 2024-12-28 14:34:51 +01:00
juselius b46c2cb456 debug: missing account token 2024-12-28 13:35:06 +01:00
juselius 2531e40a80 debug: missing account token 2024-12-28 10:37:58 +01:00
juselius fdc3de12fd debug: missing account token 2024-12-28 10:25:00 +01:00
juselius ae707279e7 debug: missing account token 2024-12-28 10:20:45 +01:00
juselius 0ce818e2f5 debug: missing account token 2024-12-28 09:44:12 +01:00
juselius 4c7315c5ba fix: add keycloak ingress whitelist for now 2024-12-27 22:43:02 +01:00
juselius 768c54db1a feat: new prod keycloak deploy with cnpg database 2024-12-27 22:15:17 +01:00
juselius 0f62b0b01c fix: update keycloak theme (perhaps) 2024-12-27 18:05:06 +01:00
juselius 13178964cb Merge branch 'nixidy' of gitlab.com:oceanbox/manifests into nixidy 2024-12-27 17:54:59 +01:00
juselius 83241d90f9 fix: update keycloak theme (perhaps) 2024-12-27 17:53:39 +01:00
juselius fc24cee169 fix: disable keycloak admin ingress (again) 2024-12-27 15:02:27 +01:00
juselius 768ccb8fd3 fix: enable keycloak admin ingress (again) 2024-12-27 14:24:19 +01:00
juselius d2b03dd2eb fix: remove redis secret from atlantis chart 2024-12-27 12:26:03 +01:00
juselius 22cab489a5 fix: disable keycloak admin ingress 2024-12-25 09:23:33 +01:00
juselius 5081ef9a13 fix: run keycloak in 2 replicas 2024-12-25 09:10:15 +01:00
juselius 38f80bdf48 fix: add missing ingress to keycloak 2024-12-25 09:02:12 +01:00
juselius 674dfa1ed5 fix: add missing ingress to keycloak 2024-12-25 08:47:13 +01:00
juselius 1f7a82e895 fix: disable redis-stack for now 2024-12-23 08:21:08 +01:00
juselius 1a39118763 fix: use unified external redis for sorcerer and atlantis 2024-12-23 07:31:14 +01:00
juselius 50aabe96b8 fix: migrate from internal to external redis 2024-12-23 07:23:06 +01:00
juselius 261f287e53 fix: secure keycloak master realm 2024-12-21 18:39:57 +01:00
juselius 3b1d5e0ee1 fix: increases prod openfga db replicas to 2 2024-12-21 08:44:40 +01:00
juselius c58e2f675f fix: upgrade dex 2024-12-20 14:42:01 +01:00
juselius d836ff2cef fix: add itp as a test domain for multi-tenant 2024-12-20 14:40:05 +01:00
juselius e68c57ed05 fix: update atlantis and sorcerer 2024-12-20 14:27:57 +01:00
juselius 1c713f324a fix: flip dex over on nixidy branch (for now) 2024-12-20 09:52:38 +01:00
juselius b7631bf882 fix: flip dex over on nixidy branch (for now) 2024-12-20 09:49:57 +01:00
juselius c21945811e fix: flip dex over on nixidy branch (for now) 2024-12-20 09:47:43 +01:00
juselius 426fe34412 fix: flip dex over on nixidy branch (for now) 2024-12-20 09:45:24 +01:00
juselius dd3f44ff52 fix: update dex for upstream multi-tenancy 2024-12-20 09:24:31 +01:00
juselius d299f4a21c Merge branch 'nixidy' of gitlab.com:oceanbox/manifests into nixidy 2024-12-20 09:16:25 +01:00
juselius 000161461f fix: update openfga uri 2024-12-20 09:15:11 +01:00
juselius d69830cc47 fix: fix openfga ingress (use production certs) 2024-12-20 06:21:29 +01:00
juselius 675e3299a1 fix: update openfga 2024-12-19 19:26:27 +01:00
juselius 219bc47465 fix: update openfga 2024-12-19 18:56:06 +01:00
juselius c31bf79671 fix: update openfga 2024-12-19 18:52:23 +01:00
juselius 903fbdbaa8 fix: update openfga values 2024-12-19 17:44:12 +01:00
juselius 83a025cdcf fix: fix yet another typo 2024-12-19 16:39:16 +01:00
juselius bc7c15db24 fix: fix typo 2024-12-19 16:02:44 +01:00
juselius 73555a2d80 fix: update loki, tempo and openfga apps 2024-12-19 16:00:53 +01:00
juselius b19abf333d fix: update verisons and ingress 2024-12-19 15:56:36 +01:00
juselius 5b8732ae04 fix: revert servicemonitor port 2024-12-19 15:52:35 +01:00
juselius 3a49ef6c53 feat: make servicemonitor port configurable 2024-12-19 15:27:16 +01:00
juselius 4d9c401ab8 fix: fix typo 2024-12-19 15:22:07 +01:00
juselius ec0344ffe8 fix: update sorcerer and ingress paths 2024-12-19 15:12:31 +01:00
juselius cc85d8eccf fix: update atlantis and ingress paths 2024-12-19 15:11:54 +01:00
juselius 4131917813 Merge branch 'nixidy' of gitlab.com:oceanbox/manifests into nixidy 2024-12-19 09:55:04 +01:00
juselius 0f3f8b7a38 feat: enable dapr-api-token 2024-12-19 09:54:55 +01:00
juselius 64048984a6 feat: add internal ingress to sorcerer 2024-12-19 09:53:32 +01:00
juselius 8989cdb100 fix: add kyverno policies for dapr api tokens 2024-12-19 09:50:33 +01:00
juselius 95fa446986 fix: update sorcerer 2024-12-14 20:35:01 +01:00
juselius d2e50f1776 fix: use multi-audience tokens 2024-12-14 19:12:27 +01:00
juselius a0d937e40a fix: update staging atlantis and sorcerer 2024-12-14 12:02:20 +01:00
juselius eba8f961f0 fix: update staging atlantis and sorcerer 2024-12-14 11:50:21 +01:00
juselius 8edbe0e078 fix: dapr component scopes for sorcerer 2024-12-14 09:10:15 +01:00
juselius 61403261cd fix: update atlantis 2024-12-14 08:59:30 +01:00
juselius 721049e742 fix: update atlantis 2024-12-13 19:24:05 +01:00
juselius 69cb89aba1 fix: update atlatis and sorcerer staging 2024-12-13 18:48:16 +01:00
juselius b55c36832f fix: fix atlantis ingress 2024-12-12 16:06:44 +01:00
juselius 90e1e35e0a feat: rudimentary fga permissions checking in api 2024-12-12 15:45:17 +01:00
juselius a8c29c6b00 :fix: enable atlantis ingress 2024-12-12 15:24:42 +01:00
juselius 57a9246b35 :fix: update atlantis image 2024-12-12 15:19:14 +01:00
juselius c96fae310d :fix: enable atlantis ingress 2024-12-12 15:18:24 +01:00
juselius 4e5fcda742 :fix: update atlantis secrets 2024-12-12 14:59:13 +01:00
juselius b331dff18e :fix: update atlantis image 2024-12-12 14:56:44 +01:00
juselius d1e9df5b35 fix: update atlantis manifests 2024-12-12 14:53:24 +01:00
juselius 4ece141ce0 fix: update atlantis manifests 2024-12-12 14:47:14 +01:00
juselius 9d9836bffb fix: update atlantis manifests and argo apps 2024-12-12 14:38:26 +01:00
juselius b12146c054 fix: fix sorcerer redis settings 2024-12-12 14:24:14 +01:00
juselius ce94dc0a3b fix: fix sorcerer chart link 2024-12-12 13:41:00 +01:00
juselius db011cfb4d fix: fix fixes 2024-12-12 13:15:25 +01:00
juselius 9b1a687ef5 fix: update sorcerer image 2024-12-12 12:53:32 +01:00
juselius e51c5eb248 fix: update sorcerer image 2024-12-12 12:43:37 +01:00
juselius 1dfdf226d5 fix: update sorcerer image 2024-12-12 12:32:51 +01:00
juselius a04cbeadad fix: update sorcerer image 2024-12-12 12:13:51 +01:00
juselius 3283758478 fix: update sorcerer image 2024-12-12 12:10:33 +01:00
juselius 5296c67194 fix: fix sorcerer volume claims 2024-12-12 12:03:57 +01:00
juselius 9eb9714c7f feat: move from atlantis and sorcerer applicationsets 2024-12-09 12:46:35 +01:00
juselius 70a78699e3 fix: update sorcerer manifests 2024-12-09 12:40:42 +01:00
juselius ca6b80d13f feat: update atlantis chart, values and app for spmsa 2024-12-09 10:49:02 +01:00
juselius 6ba97b006b feat: disable flakes, use normal nix shell 2024-12-04 15:15:31 +01:00
juselius 1feb953dc4 fix: add internal ingress to atlantis 2024-12-04 15:00:35 +01:00
Jonas Juselius a2203fc1d7 fix: add kyverno secret policies for sorcerer 2024-11-25 13:17:49 +01:00
Jonas Juselius c520f042c6 fix: allow atlatnis azure keyvault and blobstore 2024-11-22 13:55:33 +01:00
Jonas Juselius e6788bbc41 Merge branch 'nixidy' of gitlab.com:oceanbox/manifests into nixidy 2024-11-21 09:56:51 +01:00
juselius c75378a0e3 fix: fix atlantis secrets policies 2024-11-20 20:09:22 +01:00
Jonas Juselius e8e652039c Merge remote-tracking branch 'origin/main' into nixidy 2024-11-18 13:24:20 +01:00
juselius 993612f3bd feat: add cpol to sync regcreds 2024-11-18 10:35:37 +01:00
juselius b45432c826 fix: make sorcerer honor env: in values 2024-11-18 10:34:29 +01:00
juselius 414c993fe1 feat: add cpol to sync azure keyvault credentials 2024-11-18 10:33:34 +01:00
juselius 5c044cbbfe fix: disable zipkin ingress on otel collector 2024-11-18 08:34:19 +01:00
Jonas Juselius 243260f479 feat: add redis to sorcerer 2024-11-16 14:23:34 +01:00
juselius 8510a9b8a2 fix: add zipkin path to otel collector 2024-11-16 10:06:05 +01:00
juselius 77ed76758e fix: add port 8085 to local atlantis and sorcerer 2024-11-16 08:13:59 +01:00
Jonas Juselius f8d82f4f46 fix: fix sorcerer local redirect url 2024-11-15 11:49:00 +01:00
Jonas Juselius 50bf3814a5 fix: add all known leroys 2024-11-15 09:36:39 +01:00
Jonas Juselius a8da4c1198 fix: fix otel url typo 2024-11-14 14:37:53 +01:00
juselius 35b5882d3e feat: add dapr configuration store to atlantis staging 2024-11-01 12:35:12 +01:00
juselius 2203b09fb4 fix: add acl.json to new atlantis deployment 2024-10-31 14:33:10 +01:00
juselius 673bb00a9a fix: add Måsøval 2024-10-31 14:25:55 +01:00
juselius 01b9bc4465 fix: add Måsøval 2024-10-31 12:56:22 +01:00
Jonas Juselius ef6282ca17 fix: upgrade keycloak 2024-10-30 12:02:21 +01:00
Jonas Juselius 503128903b feat: update atlantis chart and values for monolith 2024-10-25 19:14:10 +02:00
Jonas Juselius 7ca0a2d397 Merge branch 'nixidy' of gitlab.com:oceanbox/manifests into nixidy 2024-10-15 08:02:36 +02:00
Jonas Juselius 474d04862c fix: enable atlantis service monitor 2024-10-15 08:02:22 +02:00
juselius ea929b7dc4 wip: kustomization experiments 2024-10-15 07:37:43 +02:00
juselius 354bd72248 wip: well, looking better 2024-10-14 18:02:42 +02:00
Jonas Juselius ed26ad8af2 wip: getting there, slowly 2024-10-14 15:47:14 +02:00
juselius 372c11c31e feat: rename kustomizations/ to values/ 2024-10-14 07:59:16 +02:00
juselius 91b56423f2 wip: figuring out how to do multiple envs and stuff 2024-10-14 07:51:07 +02:00
Jonas Juselius 768cb1ddef wip: figuring it out, slowly 2024-10-11 18:56:56 +02:00
juselius a5cf93c758 wip: add openfga app with direct helm render 2024-10-10 20:50:50 +02:00
Jonas Juselius 11b398801d wip: try nixidy 2024-10-10 16:04:41 +02:00
Jonas Juselius 61379ad665 fix: update vcluster adn remove kyverno policies 2024-10-09 14:07:23 +02:00
Jonas Juselius 15dae312ef fix: add hubocean group 2024-10-08 09:39:46 +02:00
Jonas Juselius 7b046c343f fix: add APP_NAME and APP_NAMESPACE to default env 2024-09-28 12:58:51 +02:00
380 changed files with 69664 additions and 1288 deletions
+1
@@ -0,0 +1 @@
use nix
+4 -1
@@ -1,3 +1,6 @@
*.tgz
_*/
.direnv/
.pre-commit-config.yaml
_manifest.yaml _manifest.yaml
_resources.yaml _resources.yaml
*.tgz
-1
@@ -1 +0,0 @@
kustomizations/petimeter/manifests/acl.json
-47
@@ -1,47 +0,0 @@
apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
name: openfga
namespace: argocd
spec:
goTemplate: true
generators:
- list:
elements:
- cluster: https://kubernetes.default.svc
env: prod
hostname: openfga.adm.oceanbox.io
autoSync: false
prune: true
- cluster: https://kubernetes.default.svc
env: staging
hostname: openfga.dev.oceanbox.io
autoSync: true
prune: true
template:
metadata:
name: '{{ .env }}-openfga'
spec:
project: aux
destination:
namespace: idp
server: '{{ .cluster }}'
sources:
- repoURL: https://openfga.github.io/helm-charts
targetRevision: 0.2.12
chart: openfga
helm:
valueFiles:
- $values/kustomizations/openfga/values.yaml
- $values/kustomizations/openfga/values-{{ .env }}.yaml
- repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: main
ref: values
templatePatch: |
{{- if .autoSync }}
spec:
syncPolicy:
automated:
prune: {{ .prune }}
selfHeal: false
{{- end }}
@@ -13,11 +13,11 @@ spec:
hostname: archmeister.srv.oceanbox.io hostname: archmeister.srv.oceanbox.io
autoSync: false autoSync: false
prune: true prune: true
- cluster: https://staging-vcluster.staging-vcluster # - cluster: https://staging-vcluster.staging-vcluster
env: staging # env: staging
hostname: archmeister.beta.oceanbox.io # hostname: archmeister.beta.oceanbox.io
autoSync: true # autoSync: true
prune: true # prune: true
template: template:
metadata: metadata:
name: "{{ .env }}-archmeister" name: "{{ .env }}-archmeister"
@@ -29,7 +29,7 @@ spec:
sources: sources:
- repoURL: https://gitlab.com/oceanbox/manifests.git - repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: main targetRevision: main
path: kustomizations/archmeister path: values/archmeister
plugin: plugin:
name: kustomize-helm-with-rewrite name: kustomize-helm-with-rewrite
parameters: parameters:
+51
@@ -0,0 +1,51 @@
{ lib, config, ... }:
let
cfg = config.apps.atlantis;
env = config.apps.env;
values = lib.apps.appValues {
inherit env;
base = ../values/atlantis;
extraValues = {};
};
kustomize = r:
if r.kind == "Deployment" then
lib.attrsets.recursiveUpdate r {
spec.template.spec.containers =
builtins.map (x:
x // {
livenessProbe.httpGet.path = "/healthz";
readinessProble.httpGet.path = "/healthz";
env = x.env ++ [ { name = "INERNAL_PORT"; value = 8000; } ];
}) r.spec.template.spec.containers;
}
else if r.kind == "Service" then
{}
else r;
in
{
options.apps.atlantis = lib.apps.appOptions {
revision = lib.mkOption {
type = lib.types.str;
default = "main";
description = "Revision";
};
hostname = lib.mkOption {
type = lib.types.str;
default = if env == "prod"
then "maps.oceanbox.io"
else "atlantis.beta.oceanbox.io";
description = "Revision";
};
};
config = lib.apps.appConfig cfg "${env}-atlantis" {
helm.releases."${env}-atlantis" = {
inherit values;
chart = ../charts/atlantis;
transformer = rs: builtins.map (x: kustomize x) rs;
};
};
}
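Review bot: The Deployment transformer misspells the probe field as `readinessProble.httpGet.path` (the line after `livenessProbe`), so each container gets an unknown `readinessProble` key instead of an overridden readiness probe, and the env entry on the next line uses an integer `value = 8000` where a Kubernetes EnvVar value must be a string, with a name `INERNAL_PORT` that looks like a typo. The corrected lines are `readinessProbe.httpGet.path = "/healthz";` and `env = x.env ++ [ { name = "INTERNAL_PORT"; value = "8000"; } ];` — confirm the variable name against what the atlantis image actually reads. The `Service` branch returns `{}`, which drops every Service from the rendered release; if that is intended, a comment naming what replaces it would help. The `hostname` option's description also reads `"Revision"`, copied from the option above it; `description = "Ingress hostname";` matches what the default does.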
@@ -13,11 +13,11 @@ spec:
hostname: atlantis.srv.oceanbox.io hostname: atlantis.srv.oceanbox.io
autoSync: false autoSync: false
prune: true prune: true
- cluster: https://staging-vcluster.staging-vcluster # - cluster: https://staging-vcluster.staging-vcluster
env: staging # env: staging
hostname: atlantis.beta.oceanbox.io # hostname: atlantis.beta.oceanbox.io
autoSync: true # autoSync: true
prune: true # prune: true
template: template:
metadata: metadata:
name: '{{ .env }}-atlantis' name: '{{ .env }}-atlantis'
@@ -29,7 +29,7 @@ spec:
sources: sources:
- repoURL: https://gitlab.com/oceanbox/manifests.git - repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: main targetRevision: main
path: kustomizations/atlantis path: values/atlantis
plugin: plugin:
name: kustomize-helm-with-rewrite name: kustomize-helm-with-rewrite
parameters: parameters:
@@ -24,7 +24,7 @@ spec:
source: source:
repoURL: https://gitlab.com/oceanbox/manifests.git repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: main targetRevision: main
path: kustomizations/busynix path: values/busynix
plugin: plugin:
name: kustomize-helm-with-rewrite name: kustomize-helm-with-rewrite
parameters: parameters:
@@ -25,8 +25,8 @@ spec:
chart: cerbos chart: cerbos
helm: helm:
valueFiles: valueFiles:
- $values/kustomizations/cerbos/values.yaml - $values/values/cerbos/values.yaml
- $values/kustomizations/cerbos/values-{{ env }}.yaml - $values/values/cerbos/values-{{ env }}.yaml
- repoURL: https://gitlab.com/oceanbox/manifests.git - repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: main targetRevision: main
ref: values ref: values
+46
@@ -0,0 +1,46 @@
{ lib, config, ... }:
let
cfg = config.apps.dapr;
env = config.apps.env;
values = lib.apps.appValues {
inherit env;
extraValues = {
global.ha.enabled = true;
};
};
in
{
options.apps.dapr = lib.apps.appOptions {
revision = lib.mkOption {
type = lib.types.str;
default = "1.14.4";
description = "Dapr chart version";
};
};
config = lib.apps.appConfig cfg "dapr" {
namespace = "argocd";
helm.releases.dapr = {
inherit values;
chart = lib.helm.downloadHelmChart {
repo = "https://dapr.github.io/helm-charts/";
chart = "dapr";
version = cfg.revision;
};
};
annotations = {
"argocd.argoproj.io/sync-options" = "SkipDryRunOnMissingResource=true";
};
resources = {
"argoproj.io".v1alpha1.Application.dapr.spec = {
destination = {
namespace = "dapr-system";
server = "https://kubernetes.default.svc";
};
project = "default";
};
};
};
}
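Review bot: The chart fetched by `lib.helm.downloadHelmChart` for `repo = "https://dapr.github.io/helm-charts/"` carries no `chartHash`, while the Loki module in this same commit pins one; if the helper treats the hash as optional, the rendered manifests depend on whatever the remote serves for the `dapr` chart at evaluation time rather than on a content-pinned tarball. Add `chartHash = "<hash from first build>";` next to `version = cfg.revision;` so a changed upstream tarball fails the build instead of silently rendering. The automated sync policy and `CreateNamespace=true` from the hand-written dapr Application are not set here; presumably `lib.apps.appConfig` supplies them, and a one-line comment on `config = ...` saying so would make that explicit.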
+33
@@ -0,0 +1,33 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: dapr
namespace: argocd
annotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
destination:
namespace: dapr-system
server: https://kubernetes.default.svc
project: default
syncPolicy:
# managedNamespaceMetadata:
# labels:
# component: aux
syncOptions:
- CreateNamespace=true
- ApplyOutOfSyncOnly=true
automated:
prune: true
selfHeal: true
sources:
- repoURL: https://dapr.github.io/helm-charts/
targetRevision: 1.14.4
chart: dapr
helm:
values: |
global:
ha:
enabled: true
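Review bot: `targetRevision: 1.14.4` here duplicates the `revision` default in dapr.nix, so the two will drift unless this manifest is generated from that module; if it is generated, a header comment such as `# Generated from apps/dapr.nix — do not edit by hand` would prevent hand edits, and if it is not, one of the two copies should go. The commented-out `managedNamespaceMetadata` block under `syncPolicy` carries no explanation; either remove it or note why it is parked.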
+16
@@ -0,0 +1,16 @@
{ ... }:
{
imports = [
./atlantis.nix
./dapr.nix
./dex.nix
./keycloak.nix
./loki.nix
./openfga.nix
./opentelemetry-collector.nix
./rabbitmq.nix
./redis.nix
./tempo.nix
./wordpress.nix
];
}
+39
@@ -0,0 +1,39 @@
{ lib, config, ... }:
let
cfg = config.apps.dex;
env = config.apps.env;
values = lib.apps.appValues {
inherit env;
base = ../values/dex;
extraValues = {};
};
in
{
options.apps.dex = lib.apps.appOptions {
enable = lib.mkEnableOption "Dex";
revision = lib.mkOption {
type = lib.types.str;
default = "0.16.0";
description = "Dex chart version";
};
hostname = lib.mkOption {
type = lib.types.str;
description = "Dex hostname";
default = "idp.${env}.oceanbox.io";
};
};
config = lib.apps.appConfig cfg "${env}-dex" {
namespace = "idp";
helm.releases.dex = {
inherit values;
chart = lib.helm.downloadHelmChart {
repo = "https://charts.dexidp.io";
chart = "dex";
version = cfg.revision;
chartHash = "";
};
transformer = rs: builtins.map (x: kustomize x) rs;
};
};
}
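Review bot: `transformer = rs: builtins.map (x: kustomize x) rs;` references `kustomize`, which this file's `let` block never binds (only `cfg`, `env` and `values` are), so evaluating the module fails with an undefined variable; the keycloak module in this commit has the same line and the same gap. Either drop the `transformer` line or bind `kustomize = r: r;` in the `let` block as the atlantis and openfga modules do with their own transformers. `chartHash = "";` on the Dex chart leaves the download unpinned unless the helper rejects an empty hash; put the real hash there, or add `# TODO: fill in after first build` so the empty value is visibly temporary.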
+2 -2
@@ -10,6 +10,6 @@ spec:
namespace: idp namespace: idp
source: source:
repoURL: https://gitlab.com/oceanbox/manifests.git repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: main targetRevision: nixidy
path: kustomizations/dex/manifests path: values/dex/manifests
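Review bot: `targetRevision: main` becomes `targetRevision: nixidy`, pointing the Dex Application in the `idp` namespace at the working branch, and the keycloak Application hunk later in this commit does the same for its values source; if these Applications are auto-synced, every push to `nixidy` is deployed without passing through `main`. The commit log calls this temporary, so a marker such as `targetRevision: nixidy  # TODO: revert to main once nixidy is merged` keeps it from being forgotten.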
@@ -24,7 +24,7 @@ spec:
sources: sources:
- repoURL: https://gitlab.com/oceanbox/manifests.git - repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: main targetRevision: main
path: kustomizations/geoserver path: values/geoserver
plugin: plugin:
name: kustomize-helm-with-rewrite name: kustomize-helm-with-rewrite
parameters: parameters:
@@ -13,11 +13,11 @@ spec:
hostname: hipster.srv.oceanbox.io hostname: hipster.srv.oceanbox.io
autoSync: false autoSync: false
prune: true prune: true
- cluster: https://staging-vcluster.staging-vcluster # - cluster: https://staging-vcluster.staging-vcluster
env: staging # env: staging
hostname: hipster.beta.oceanbox.io # hostname: hipster.beta.oceanbox.io
autoSync: true # autoSync: true
prune: true # prune: true
template: template:
metadata: metadata:
name: '{{ .env }}-hipster' name: '{{ .env }}-hipster'
@@ -29,7 +29,7 @@ spec:
sources: sources:
- repoURL: https://gitlab.com/oceanbox/manifests.git - repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: main targetRevision: main
path: kustomizations/hipster path: values/hipster
plugin: plugin:
name: kustomize-helm-with-rewrite name: kustomize-helm-with-rewrite
parameters: parameters:
@@ -14,9 +14,9 @@ spec:
chart: jaeger-operator chart: jaeger-operator
helm: helm:
valueFiles: valueFiles:
- $values/kustomizations/jaeger/values.yaml - $values/values/jaeger/values.yaml
- repoURL: https://gitlab.com/oceanbox/manifests.git - repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: main targetRevision: main
# path: kustomizations/jaeger/manifests # path: values/jaeger/manifests
ref: values ref: values
+34
@@ -0,0 +1,34 @@
{ lib, config, ... }:
let
cfg = config.apps.keycloak;
env = config.apps.env;
values = lib.apps.appValues {
inherit env;
base = ../values/keycloak;
extraValues = {};
};
in
{
options.apps.keycloak = lib.apps.appOptions {
enable = lib.mkEnableOption "Keycloak";
revision = lib.mkOption {
type = lib.types.str;
default = "24.0.2";
description = "Keycloak chart version";
};
};
config = lib.apps.appConfig cfg "keycloak" {
namespace = "idp";
helm.releases.keycloak = {
inherit values;
chart = lib.helm.downloadHelmChart {
repo = "https://charts.bitnami.com/bitnami";
chart = "keycloak";
version = cfg.revision;
chartHash = "";
};
transformer = rs: builtins.map (x: kustomize x) rs;
};
};
}
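Review bot: `enable = lib.mkEnableOption "Keycloak"` is passed into `lib.apps.appOptions`, which the atlantis, dapr, loki and openfga modules in this commit do not do; if `appOptions` already declares `enable` (plausible, since `appConfig cfg ...` is used everywhere without it), this double-declares the option and evaluation reports a conflicting definition. Drop the line, or, if `appOptions` does not provide it, add it to the other modules as well. The release is named plain `keycloak` rather than `${env}-keycloak` like `${env}-dex` and `${env}-atlantis`; a comment stating that Keycloak is a single shared instance across environments would make the difference deliberate.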
@@ -10,12 +10,12 @@ spec:
namespace: idp namespace: idp
sources: sources:
- repoURL: https://charts.bitnami.com/bitnami - repoURL: https://charts.bitnami.com/bitnami
targetRevision: 18.3.4 targetRevision: 24.0.2
chart: keycloak chart: keycloak
helm: helm:
valueFiles: valueFiles:
- $values/kustomizations/keycloak/values.yaml - $values/values/keycloak/values.yaml
- repoURL: https://gitlab.com/oceanbox/manifests.git - repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: main targetRevision: nixidy
ref: values ref: values
+249
@@ -0,0 +1,249 @@
{ lib, config, ... }:
let
cfg = config.apps.loki;
env = config.apps.env;
values = lib.apps.appValues {
inherit env;
extraValues = {
loki = {
auth_enabled = false;
storage = {
bucketNames = {
chunks = cfg.buckets.chunks;
ruler = cfg.buckets.ruler;
admin = cfg.buckets.admin;
};
s3 =
{
endpoint = cfg.s3.endpoint;
region = cfg.s3.region;
secretAccessKey = "\${S3SECRET}";
accessKeyId = "\${S3KEY}";
s3ForcePathStyle = true;
}
// lib.optionalAttrs cfg.s3.insecureSkipVerify {
http_config.insecure_skip_verify = true;
};
};
schemaConfig.configs = [
{
from = "2024-04-01";
index.period = "24h";
index.prefix = "loki_index_";
object_store = "s3";
schema = "v13";
store = "tsdb";
}
];
compactor = {
compaction_interval = "10m";
working_directory = "/tmp/loki/compactor";
retention_enabled = true;
retention_delete_delay = "2h";
retention_delete_worker_count = 150;
delete_request_store = "s3";
};
limits_config.retention_period = "744h";
};
write = {
extraArgs = [ "-config.expand-env=true" ];
extraEnv = [
{
name = "S3KEY";
valueFrom.secretKeyRef = {
name = cfg.secret.name;
key = cfg.secret.accessKey;
};
}
{
name = "S3SECRET";
valueFrom.secretKeyRef = {
name = cfg.secret.name;
key = cfg.secret.secretKey;
};
}
];
tolerations = [
{
effect = "NoSchedule";
operator = "Equal";
key = "unschedulable";
value = "true";
}
];
};
read = {
extraArgs = [ "-config.expand-env=true" ];
extraEnv = [
{
name = "S3KEY";
valueFrom.secretKeyRef = {
name = cfg.secret.name;
key = cfg.secret.accessKey;
};
}
{
name = "S3SECRET";
valueFrom.secretKeyRef = {
name = cfg.secret.name;
key = cfg.secret.secretKey;
};
}
];
tolerations = [
{
effect = "NoSchedule";
operator = "Equal";
key = "unschedulable";
value = "true";
}
];
};
ingress = {
enabled = true;
ingressClassName = "nginx";
annotations = {
"cert-manager.io/cluster-issuer" = "letsencrypt-staging";
"nginx.ingress.kubernetes.io/ssl-redirect" = "true";
"atlantis.oceanbox.io/expose" = "internal";
};
hosts = [ "loki.adm.oceanbox.io" ];
tls = [{
hosts = [ "loki.adm.oceanbox.io" ];
secretName = "loki-distributed-tls";
}];
};
compactor = {
extraArgs = [ "-config.expand-env=true" ];
extraEnv = [
{
name = "S3KEY";
valueFrom.secretKeyRef = {
name = cfg.secret.name;
key = cfg.secret.accessKey;
};
}
{
name = "S3SECRET";
valueFrom.secretKeyRef = {
name = cfg.secret.name;
key = cfg.secret.secretKey;
};
}
];
};
backend = {
extraArgs = [ "-config.expand-env=true" ];
extraEnv = [
{
name = "S3KEY";
valueFrom.secretKeyRef = {
name = cfg.secret.name;
key = cfg.secret.accessKey;
};
}
{
name = "S3SECRET";
valueFrom.secretKeyRef = {
name = cfg.secret.name;
key = cfg.secret.secretKey;
};
}
];
};
};
};
in
{
options.apps.loki = lib.apps.appOptions {
revision = lib.mkOption {
type = lib.types.str;
default = "6.12.0";
description = "Loki chart version";
};
buckets = {
chunks = lib.mkOption {
type = lib.types.str;
default = "loki-chunks";
description = "S3 bucket for chunks";
};
ruler = lib.mkOption {
type = lib.types.str;
default = "loki-chunks";
description = "S3 bucket for ruler";
};
admin = lib.mkOption {
type = lib.types.str;
default = "loki-chunks";
description = "S3 bucket for admin";
};
};
s3 = {
endpoint = lib.mkOption {
type = lib.types.str;
default = "http://10.255.241.30:30080";
description = "S3 endpoint";
};
region = lib.mkOption {
type = lib.types.str;
default = "tos";
description = "S3 region";
};
insecureSkipVerify = lib.mkOption {
type = lib.types.bool;
default = true;
description = "Skip TLS verification";
};
};
secret = {
name = lib.mkOption {
type = lib.types.str;
default = "loki-s3";
description = "Name of the S3 credentials secret";
};
accessKey = lib.mkOption {
type = lib.types.str;
default = "AWS_ACCESS_KEY_ID";
description = "Access key field in secret";
};
secretKey = lib.mkOption {
type = lib.types.str;
default = "AWS_ACCESS_KEY_SECRET";
description = "Secret key field in secret";
};
};
};
config = lib.apps.appConfig cfg "loki" {
namespace = "argocd";
helm.releases.loki = {
inherit values;
chart = lib.helm.downloadHelmChart {
repo = "https://grafana.github.io/helm-charts";
chart = "loki";
version = cfg.revision;
chartHash = "sha256-YUtEIUiQWRzlttfOOgDk1xfTaiAZ12tIgpGr1QcMpro=";
};
};
annotations = {
"argocd.argoproj.io/sync-options" = "SkipDryRunOnMissingResource=true";
};
# TODO: Add network policies as a second source or integrate them into `resources`.
resources = {
"argoproj.io".v1alpha1.Application.loki.spec.ignoreDifferences = [
{
group = "apps";
kind = "StatefulSet";
jsonPointers = [ "/spec/persistentVolumeClaimRetentionPolicy" ];
}
];
};
};
}
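Review bot: `insecureSkipVerify` defaults to `true` in the `s3` options, so `http_config.insecure_skip_verify = true` is merged into the Loki storage config unless an operator opts out; with the default endpoint being plain `http://` it is moot today, but the moment the endpoint becomes `https://` certificate checking stays off silently, so it should be `default = false;` with the one environment that needs it setting it explicitly. The `ruler` and `admin` bucket defaults both repeat `"loki-chunks"`, which reads like a copy of `chunks`; if one shared bucket is intended, the descriptions should say so. The ingress pins `cert-manager.io/cluster-issuer` to `letsencrypt-staging`, whose certificates are not trusted by clients, so `loki.adm.oceanbox.io` will serve an untrusted chain. The four identical `extraEnv` blocks under `write`, `read`, `compactor` and `backend` can be one `let` binding, as below, so a change to the secret wiring happens in one place.
```nix
let
  cfg = config.apps.loki;
  env = config.apps.env;
  # One definition of the S3 credential env shared by every Loki component.
  s3Env = [
    {
      name = "S3KEY";
      valueFrom.secretKeyRef = {
        name = cfg.secret.name;
        key = cfg.secret.accessKey;
      };
    }
    {
      name = "S3SECRET";
      valueFrom.secretKeyRef = {
        name = cfg.secret.name;
        key = cfg.secret.secretKey;
      };
    }
  ];
  values = lib.apps.appValues {
    inherit env;
    extraValues = {
      # … unchanged: loki.* storage, schema, compactor and limits settings …
      write = {
        extraArgs = [ "-config.expand-env=true" ];
        extraEnv = s3Env;
        # … unchanged: tolerations …
      };
      # … unchanged: read, compactor and backend, each with extraEnv = s3Env …
```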
+1 -1
@@ -46,8 +46,8 @@ spec:
s3: s3:
endpoint: http://10.255.241.30:30080 endpoint: http://10.255.241.30:30080
region: tos region: tos
secretAccessKey: ${S3SECRET}
accessKeyId: ${S3KEY} accessKeyId: ${S3KEY}
secretAccessKey: ${S3SECRET}
s3ForcePathStyle: true s3ForcePathStyle: true
http_config: http_config:
insecure_skip_verify: true insecure_skip_verify: true
+39
@@ -0,0 +1,39 @@
{ lib, config, ... }:
let
cfg = config.apps.openfga;
env = config.apps.env;
values = lib.apps.appValues {
inherit env;
base = ../values/openfga;
extraValues = {};
};
kustomize = r:
if r.kind == "Job" then
lib.attrsets.recursiveUpdate r { spec.backoffLimit = 2; }
else r;
in
{
options.apps.openfga = lib.apps.appOptions {};
config = lib.apps.appConfig cfg "${env}-openfga" {
helm.releases."${env}-openfga" = {
inherit values;
chart = lib.helm.downloadHelmChart {
repo = "https://openfga.github.io/helm-charts";
chart = "openfga";
version = "0.2.12";
chartHash = "sha256-7yLcw9/oNPvCePrtTJwKAG88t0Ym5Dl/S83Gz+gQdDU=";
};
transformer = rs: builtins.map (x: kustomize x) rs;
};
annotations = {};
resources = {
services.poop.spec = {
};
};
};
}
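Review bot: `resources.services.poop.spec = {}` at the bottom of the module reads as a leftover placeholder; if `lib.apps.appConfig` turns `resources` into manifests it will emit (or choke on) a Service named `poop` with an empty spec, so replace it with the real override or simply `resources = {};`. The chart is pinned to `0.2.12` here while the `prod-openfga` and `staging-openfga` Applications elsewhere in this compare pin `0.2.19`; align the two so the Nix rewrite does not quietly downgrade OpenFGA. The `kustomize` helper only caps Job retries (`spec.backoffLimit = 2`), which is reasonable, but a short comment such as `# migration Jobs must not retry forever — TODO confirm` would record why.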
+117
@@ -0,0 +1,117 @@
{ lib, config, ... }:
let
cfg = config.apps.opentelemetry-collector;
env = config.apps.env;
values = lib.apps.appValues {
inherit env;
extraValues = {
mode = "deployment";
image = {
repository = "otel/opentelemetry-collector-k8s";
};
service = {
type = "LoadBalancer";
loadBalancerIP = "10.255.241.12";
};
config = {
receivers = {
"prometheus/collector" = {
config.scrape_configs = [{
job_name = "opentelemetry-collector";
static_configs = [{
targets = [ "\${env:MY_POD_IP}:8888" ];
}];
}];
};
zipkin.endpoint = "\${env:MY_POD_IP}:9411";
};
exporters = {
otlp = {
endpoint = "tempo.tempo.svc:4317";
tls.insecure = true;
};
"otlphttp/metrics" = {
endpoint = "http://prom-prometheus.prometheus:9090/api/v1/otlp";
tls.insecure = true;
};
"otlphttp/logs" = {
endpoint = "http://loki-write-headless.loki:3100/otlp";
tls.insecure = true;
};
"debug/metrics".verbosity = "detailed";
"debug/traces".verbosity = "detailed";
"debug/logs".verbosity = "detailed";
};
service = {
telemetry.logs.level = "info";
pipelines = {
traces = {
receivers = [ "otlp" "zipkin" ];
processors = [ "batch" ];
exporters = [ "otlp" ];
};
metrics = {
receivers = [ "otlp" "prometheus/collector" ];
processors = [ "batch" ];
exporters = [ "otlphttp/metrics" ];
};
logs = {
receivers = [ "otlp" ];
processors = [ "batch" ];
exporters = [ "otlphttp/logs" ];
};
};
};
};
ports.metrics.enabled = true;
ingress = {
enabled = false;
annotations = {
"cert-manager.io/cluster-issuer" = "letsencrypt-production";
"nginx.ingress.kubernetes.io/ssl-redirect" = "true";
"atlantis.oceanbox.io/expose" = "internal";
};
ingressClassName = "nginx";
hosts = [{
host = "opentelemetry-collector.adm.oceanbox.io";
paths = [{
path = "/";
pathType = "Prefix";
port = 4318;
}];
}];
tls = [{
secretName = "collector-tls";
hosts = [ "opentelemetry-collector.adm.oceanbox.io" ];
}];
};
};
};
in
{
options.apps.opentelemetry-collector = lib.apps.appOptions {
revision = lib.mkOption {
type = lib.types.str;
default = "0.107.0";
description = "OpenTelemetry Collector chart version";
};
};
config = lib.apps.appConfig cfg "opentelemetry-collector" {
namespace = "argocd";
helm.releases.opentelemetry-collector = {
inherit values;
chart = lib.helm.downloadHelmChart {
repo = "https://open-telemetry.github.io/opentelemetry-helm-charts";
chart = "opentelemetry-collector";
version = cfg.revision;
chartHash = "sha256-0000000000000000000000000000000000000000000000"; # TODO: Add correct hash
};
};
annotations = {
"argocd.argoproj.io/sync-options" = "SkipDryRunOnMissingResource=true";
};
};
}
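Review bot: `chartHash = "sha256-0000…"` on the `downloadHelmChart` call is a dummy value, not a pin: Nix will refuse the fixed-output derivation until the real hash is supplied, and if the helper happens to tolerate a bogus hash the chart download is no longer integrity-checked at all. Compute the hash of the `opentelemetry-collector` chart at `cfg.revision` (`0.107.0`) and replace the placeholder before merging rather than leaving the `# TODO`. All three exporters set `tls.insecure = true`; if that is deliberate for in-cluster plaintext targets, say so with `# in-cluster tempo/prometheus/loki services speak plaintext — revisit if they gain TLS`.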
@@ -31,6 +31,9 @@ spec:
mode: deployment mode: deployment
image: image:
repository: otel/opentelemetry-collector-k8s repository: otel/opentelemetry-collector-k8s
service:
type: LoadBalancer
loadBalancerIP: 10.255.241.12
config: config:
receivers: receivers:
prometheus/collector: prometheus/collector:
@@ -88,14 +91,14 @@ spec:
# logsCollection: # logsCollection:
# enabled: true # enabled: true
ingress: ingress:
enabled: true enabled: false
annotations: annotations:
cert-manager.io/cluster-issuer: letsencrypt-staging cert-manager.io/cluster-issuer: letsencrypt-production
nginx.ingress.kubernetes.io/ssl-redirect: "true" nginx.ingress.kubernetes.io/ssl-redirect: "true"
atlantis.oceanbox.io/expose: internal atlantis.oceanbox.io/expose: internal
ingressClassName: nginx ingressClassName: nginx
hosts: hosts:
- host: collector.adm.oceanbox.io - host: opentelemetry-collector.adm.oceanbox.io
paths: paths:
- path: / - path: /
pathType: Prefix pathType: Prefix
@@ -103,4 +106,4 @@ spec:
tls: tls:
- secretName: collector-tls - secretName: collector-tls
hosts: hosts:
- collector.adm.oceanbox.io - opentelemetry-collector.adm.oceanbox.io
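Review bot: Switching the service to `type: LoadBalancer` with `loadBalancerIP: 10.255.241.12` while setting `ingress.enabled: false` removes the TLS termination the collector had and exposes its receivers (OTLP and zipkin per the config above) unauthenticated to anything that can reach that address. Unless that network is already restricted, add `loadBalancerSourceRanges` listing the producer subnets (or an equivalent NetworkPolicy) and consider TLS on the OTLP receiver. With the ingress disabled, the `letsencrypt-production` issuer, hostname and `tls` changes below are dead configuration until it is re-enabled; a one-line comment saying so would save the next reader a trip.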
@@ -24,7 +24,7 @@ spec:
source: source:
repoURL: https://gitlab.com/oceanbox/manifests.git repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: HEAD targetRevision: HEAD
path: kustomizations/osm-tile-server path: values/osm-tile-server
plugin: plugin:
name: kustomize-helm-with-rewrite name: kustomize-helm-with-rewrite
parameters: parameters:
@@ -13,11 +13,11 @@ spec:
hostname: petimeter.srv.oceanbox.io hostname: petimeter.srv.oceanbox.io
autoSync: false autoSync: false
prune: true prune: true
- cluster: https://staging-vcluster.staging-vcluster # - cluster: https://staging-vcluster.staging-vcluster
env: staging # env: staging
hostname: petimeter.beta.oceanbox.io # hostname: petimeter.beta.oceanbox.io
autoSync: true # autoSync: true
prune: true # prune: true
template: template:
metadata: metadata:
name: '{{ .env }}-petimeter' name: '{{ .env }}-petimeter'
@@ -29,7 +29,7 @@ spec:
sources: sources:
- repoURL: https://gitlab.com/oceanbox/manifests.git - repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: main targetRevision: main
path: kustomizations/petimeter path: values/petimeter
plugin: plugin:
name: kustomize-helm-with-rewrite name: kustomize-helm-with-rewrite
parameters: parameters:
@@ -39,7 +39,7 @@ spec:
string: '{{ .hostname }}' string: '{{ .hostname }}'
- repoURL: https://gitlab.com/oceanbox/manifests.git - repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: main targetRevision: main
path: kustomizations/petimeter/manifests path: values/petimeter/manifests
templatePatch: | templatePatch: |
{{- if .autoSync }} {{- if .autoSync }}
spec: spec:
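Review bot: Commenting out the `staging` element of the list generator will make the ApplicationSet controller delete the `staging-petimeter` Application it generated, and since that Application carried `prune: true` (and presumably the resources finalizer) its workloads in the staging vcluster go with it — confirm that is intended and that the ApplicationSet's own `syncPolicy` does not preserve orphans before merging. If staging is meant to be managed elsewhere, a comment above the commented block such as `# staging now managed outside this ApplicationSet; do not re-enable without removing that Application` records the decision. The generator list begins above this hunk.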
+66
@@ -0,0 +1,66 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: prod-atlantis
namespace: argocd
annotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
destination:
namespace: prod-atlantis
server: https://kubernetes.default.svc
project: atlantis
sources:
- repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: nixidy
ref: values
- repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: nixidy
path: values/atlantis
plugin:
name: kustomize-helm-with-rewrite
parameters:
- name: env
string: prod
- name: hostname
string: maps.oceanbox.io
- repoURL: https://charts.bitnami.com/bitnami
targetRevision: 20.1.7
chart: redis
helm:
valueFiles:
- $values/values/atlantis/prod/redis.yaml
ignoreDifferences:
- kind: Secret
name: azure-keyvault
jqPathExpressions:
- '.data'
- '.metadata.labels'
- '.metadata.annotations'
- kind: Secret
name: prod-atlantis-rabbitmq
jqPathExpressions:
- '.data'
- '.metadata.labels'
- '.metadata.annotations'
- kind: Secret
name: prod-archmeister-replication
jqPathExpressions:
- '.data'
- '.metadata.labels'
- '.metadata.annotations'
- kind: Secret
name: prod-archmeister-ca
jqPathExpressions:
- '.data'
- '.metadata.labels'
- '.metadata.annotations'
syncPolicy:
syncOptions:
- CreateNamespace=true
- ApplyOutOfSyncOnly=true
# automated:
# prune: true
# selfHeal: false
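Review bot: All `sources` of the production Atlantis Application track `targetRevision: nixidy`, a working branch, so whatever is pushed there becomes the next sync of prod; pin prod to `main` (or a tag) once the branch lands and keep `nixidy` for staging. The `ignoreDifferences` entries dropping `.data` for four Secrets mean Argo will never surface drift if those Secrets are rotated or tampered with in-cluster; if they are populated by an external controller (the chart templates deleted in this compare carried `kyverno/clone`), document the owner, e.g. `# .data is owned by the kyverno clone policy, not by this Application`. Leaving `automated` commented out is the right default for prod; `# manual sync only` next to it would make that intent explicit.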
+38
@@ -0,0 +1,38 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: prod-keycloak
namespace: argocd
annotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: aux
destination:
server: https://kubernetes.default.svc
namespace: keycloak
syncPolicy:
managedNamespaceMetadata:
labels:
component: aux
syncOptions:
- CreateNamespace=true
- ApplyOutOfSyncOnly=true
automated:
prune: true
selfHeal: true
sources:
- repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: nixidy
path: values/keycloak/prod
- repoURL: https://charts.bitnami.com/bitnami
targetRevision: 24.0.2
chart: keycloak
helm:
valueFiles:
- $values/values/keycloak/values-prod.yaml
- repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: nixidy
ref: values
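Review bot: `automated` with `prune: true` and `selfHeal: true` combined with `targetRevision: nixidy` means every push to a feature branch is applied immediately, with pruning, to the production identity provider. Gate prod Keycloak on `main` or a tag under branch protection, or drop `automated` as the sibling `prod-atlantis` Application does, and keep auto-sync for staging only. Pinning the bitnami chart to `24.0.2` is good; listing the `ref: values` source before the `$values/...` consumer is not required by Argo but reads more clearly.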
+39
@@ -0,0 +1,39 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: prod-openfga
namespace: argocd
annotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
destination:
namespace: openfga
server: https://kubernetes.default.svc
project: aux
# ignoreDifferences:
# - group: apps
# kind: StatefulSet
# jsonPointers:
# - /spec/persistentVolumeClaimRetentionPolicy
syncPolicy:
managedNamespaceMetadata:
labels:
component: aux
syncOptions:
- CreateNamespace=true
- ApplyOutOfSyncOnly=true
automated:
prune: true
selfHeal: true
sources:
- repoURL: https://openfga.github.io/helm-charts
targetRevision: 0.2.19
chart: openfga
helm:
valueFiles:
- $values/values/openfga/values-prod.yaml
- repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: nixidy
ref: values
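Review bot: `prod-openfga` and `staging-openfga` both target `namespace: openfga` on `https://kubernetes.default.svc`, so the production and staging authorization services share one namespace and, unless the two values files set distinct `fullnameOverride`s, the same resource names — with `prune: true` on both, the Applications can delete each other's objects. Give each environment its own namespace (`prod-openfga` / `staging-openfga`, matching the atlantis and sorcerer Applications in this compare) so NetworkPolicies and RBAC can separate them. The commented-out `ignoreDifferences` block should either go or carry a comment saying why it is kept.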
+54
@@ -0,0 +1,54 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: prod-sorcerer
namespace: argocd
annotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
destination:
namespace: prod-sorcerer
server: https://10.255.241.99:4443
project: atlantis
sources:
- repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: nixidy
ref: values
- repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: nixidy
path: values/sorcerer
plugin:
name: kustomize-helm-with-rewrite
parameters:
- name: env
string: prod
- name: hostname
string: sorcerer.data.oceanbox.io
- repoURL: https://charts.bitnami.com/bitnami
targetRevision: 20.1.7
chart: redis
helm:
valueFiles:
- $values/values/sorcerer/prod/redis.yaml
ignoreDifferences:
- kind: Secret
name: azure-keyvault
jqPathExpressions:
- '.data'
- '.metadata.labels'
- '.metadata.annotations'
- kind: Secret
name: prod-atlantis-rabbitmq
jqPathExpressions:
- '.data'
- '.metadata.labels'
- '.metadata.annotations'
syncPolicy:
syncOptions:
- CreateNamespace=true
- ApplyOutOfSyncOnly=true
# automated:
# prune: true
# selfHeal: false
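Review bot: The `ignoreDifferences` entries for Secrets `azure-keyvault` and `prod-atlantis-rabbitmq` suppress all `.data` drift for Sorcerer on the remote cluster `https://10.255.241.99:4443`; if those Secrets are no longer rendered by this Application (this compare deletes the atlantis chart's `kyverno/clone` Secret templates, and the sorcerer chart may have followed) the entries are dead configuration, and if they are still rendered, a rotated or tampered value is invisible to Argo. Either remove them or document the owner, e.g. `# Secret .data is populated out of band; Argo must not reconcile it`. The Secret name also implies Sorcerer shares Atlantis's RabbitMQ credentials — worth a comment if deliberate.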
+39
@@ -0,0 +1,39 @@
{ lib, config, ... }:
let
cfg = config.apps.rabbitmq;
env = config.apps.env;
values = lib.apps.appValues {
inherit env;
base = ../values/rabbitmq;
extraValues = {};
};
in
{
options.apps.rabbitmq = lib.apps.appOptions {
enable = lib.mkEnableOption "RabbitMQ";
revision = lib.mkOption {
type = lib.types.str;
default = "12.9.0";
description = "RabbitMQ chart version";
};
hostname = lib.mkOption {
type = lib.types.str;
description = "RabbitMQ hostname";
default = "rabbitmq.${env}.oceanbox.io";
};
};
config = lib.apps.appConfig cfg "${env}-rabbitmq" {
namespace = "rabbitmq";
helm.releases.rabbitmq = {
inherit values;
chart = lib.helm.downloadHelmChart {
repo = "https://charts.bitnami.com/bitnami";
chart = "rabbitmq";
version = cfg.revision;
chartHash = "";
};
transformer = rs: builtins.map (x: kustomize x) rs;
};
};
}
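Review bot: `transformer = rs: builtins.map (x: kustomize x) rs;` references `kustomize`, which is not bound in this module's `let` (the openfga module defines its own copy), so evaluation will stop with an undefined-variable error; define the transformer here or drop the line. `chartHash = ""` leaves the bitnami `rabbitmq` chart `12.9.0` unpinned — Nix will halt with a hash mismatch on first build, and the helper must not be allowed to skip verification on an empty hash — so fill in the real value. The release is named plain `rabbitmq` in namespace `rabbitmq` while the app is `${env}-rabbitmq`; confirm the two environments cannot land in the same namespace with the same release name.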
@@ -27,8 +27,8 @@ spec:
chart: rabbitmq chart: rabbitmq
helm: helm:
valueFiles: valueFiles:
- $values/kustomizations/rabbitmq/values-{{ env }}.yaml - $values/values/rabbitmq/values-{{ env }}.yaml
- repoURL: https://gitlab.com/oceanbox/manifests.git - repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: main targetRevision: main
path: kustomizations/rabbitmq/{{ env }} path: values/rabbitmq/{{ env }}
ref: values ref: values
+34
@@ -0,0 +1,34 @@
{ lib, config, ... }:
let
cfg = config.apps.redis;
env = config.apps.env;
values = lib.apps.appValues {
inherit env;
base = ../values/redis;
extraValues = {};
};
in
{
options.apps.redis = lib.apps.appOptions {
enable = lib.mkEnableOption "Redis";
revision = lib.mkOption {
type = lib.types.str;
default = "19.5.2";
description = "Redis chart version";
};
};
config = lib.apps.appConfig cfg "${env}-redis" {
namespace = "redis";
helm.releases.redis = {
inherit values;
chart = lib.helm.downloadHelmChart {
repo = "https://charts.bitnami.com/bitnami";
chart = "redis";
version = cfg.revision;
chartHash = "";
};
transformer = rs: builtins.map (x: kustomize x) rs;
};
};
}
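Review bot: Same two defects as the rabbitmq module: `kustomize` in `transformer = rs: builtins.map (x: kustomize x) rs;` is undefined in this file, and `chartHash = ""` leaves the bitnami `redis` chart `19.5.2` unpinned. The Applications in this compare consume bitnami `redis` `20.1.7`, so the two paths now disagree on the Redis version; pick one. The atlantis values in this compare drop the in-chart `redis.auth.enabled: true` block, so make sure `../values/redis` (and the per-app `redis.yaml` files) still enable `auth` — a Redis without `requirepass` reachable inside the cluster is an easy lateral-movement foothold.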
+2 -2
@@ -25,13 +25,13 @@ spec:
chart: redis chart: redis
helm: helm:
valueFiles: valueFiles:
- $values/kustomizations/redis/values-{{ env }}.yaml - $values/values/redis/values-{{ env }}.yaml
- repoURL: https://gitlab.com/oceanbox/manifests.git - repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: HEAD targetRevision: HEAD
ref: values ref: values
- repoURL: https://gitlab.com/oceanbox/manifests.git - repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: main targetRevision: main
path: kustomizations/redis/{{ env }} path: values/redis/{{ env }}
ignoreDifferences: ignoreDifferences:
- group: apps - group: apps
kind: StatefulSet kind: StatefulSet
+1 -1
@@ -14,7 +14,7 @@ spec:
chart: seq chart: seq
helm: helm:
valueFiles: valueFiles:
- $values/kustomizations/seq/values.yaml - $values/values/seq/values.yaml
- repoURL: https://gitlab.com/oceanbox/manifests.git - repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: main targetRevision: main
ref: values ref: values
@@ -13,11 +13,11 @@ spec:
hostname: sorcerer.data.oceanbox.io hostname: sorcerer.data.oceanbox.io
autoSync: false autoSync: false
prune: true prune: true
- cluster: https://10.255.241.99:4443 # - cluster: https://10.255.241.99:4443
env: staging # env: staging
hostname: sorcerer.ekman.oceanbox.io # hostname: sorcerer.ekman.oceanbox.io
autoSync: true # autoSync: true
prune: true # prune: true
template: template:
metadata: metadata:
name: '{{ .env }}-sorcerer' name: '{{ .env }}-sorcerer'
@@ -29,7 +29,7 @@ spec:
sources: sources:
- repoURL: https://gitlab.com/oceanbox/manifests.git - repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: main targetRevision: main
path: kustomizations/sorcerer path: values/sorcerer
plugin: plugin:
name: kustomize-helm-with-rewrite name: kustomize-helm-with-rewrite
parameters: parameters:
+66
@@ -0,0 +1,66 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: staging-atlantis
namespace: argocd
annotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
destination:
namespace: staging-atlantis
server: https://kubernetes.default.svc
project: atlantis
sources:
- repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: nixidy
ref: values
- repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: nixidy
path: values/atlantis
plugin:
name: kustomize-helm-with-rewrite
parameters:
- name: env
string: staging
- name: hostname
string: atlantis.beta.oceanbox.io
- repoURL: https://charts.bitnami.com/bitnami
targetRevision: 20.1.7
chart: redis
helm:
valueFiles:
- $values/values/atlantis/staging/redis.yaml
ignoreDifferences:
- kind: Secret
name: azure-keyvault
jqPathExpressions:
- '.data'
- '.metadata.labels'
- '.metadata.annotations'
- kind: Secret
name: staging-atlantis-rabbitmq
jqPathExpressions:
- '.data'
- '.metadata.labels'
- '.metadata.annotations'
- kind: Secret
name: prod-archmeister-replication
jqPathExpressions:
- '.data'
- '.metadata.labels'
- '.metadata.annotations'
- kind: Secret
name: prod-archmeister-ca
jqPathExpressions:
- '.data'
- '.metadata.labels'
- '.metadata.annotations'
syncPolicy:
syncOptions:
- CreateNamespace=true
- ApplyOutOfSyncOnly=true
automated:
prune: true
selfHeal: false
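Review bot: A staging Application ignoring `.data` on Secrets named `prod-archmeister-replication` and `prod-archmeister-ca` suggests staging Atlantis is wired to production database replication credentials and CA; if that is really the case a staging compromise becomes a prod compromise, and if it is copy-paste from `prod-atlantis` the entries are noise — either way, point staging at staging-scoped Secrets or document why prod material is needed here. `automated.prune: true` on `targetRevision: nixidy` is fine for staging, but the `selfHeal: false` choice deserves a one-line comment (`# allow manual experiments in staging without Argo reverting them`, if that is the reason).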
+39
@@ -0,0 +1,39 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: staging-openfga
namespace: argocd
annotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
destination:
namespace: openfga
server: https://kubernetes.default.svc
project: aux
# ignoreDifferences:
# - group: apps
# kind: StatefulSet
# jsonPointers:
# - /spec/persistentVolumeClaimRetentionPolicy
syncPolicy:
managedNamespaceMetadata:
labels:
component: aux
syncOptions:
- CreateNamespace=true
- ApplyOutOfSyncOnly=true
automated:
prune: true
selfHeal: true
sources:
- repoURL: https://openfga.github.io/helm-charts
targetRevision: 0.2.19
chart: openfga
helm:
valueFiles:
- $values/values/openfga/values-staging.yaml
- repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: nixidy
ref: values
+54
@@ -0,0 +1,54 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: staging-sorcerer
namespace: argocd
annotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
destination:
namespace: staging-sorcerer
server: https://10.255.241.99:4443
project: atlantis
sources:
- repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: nixidy
ref: values
- repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: nixidy
path: values/sorcerer
plugin:
name: kustomize-helm-with-rewrite
parameters:
- name: env
string: staging
- name: hostname
string: sorcerer.ekman.oceanbox.io
- repoURL: https://charts.bitnami.com/bitnami
targetRevision: 20.1.7
chart: redis
helm:
valueFiles:
- $values/values/sorcerer/staging/redis.yaml
ignoreDifferences:
- kind: Secret
name: azure-keyvault
jqPathExpressions:
- '.data'
- '.metadata.labels'
- '.metadata.annotations'
- kind: Secret
name: prod-atlantis-rabbitmq
jqPathExpressions:
- '.data'
- '.metadata.labels'
- '.metadata.annotations'
syncPolicy:
syncOptions:
- CreateNamespace=true
- ApplyOutOfSyncOnly=true
# automated:
# prune: true
# selfHeal: false
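Review bot: `ignoreDifferences` lists a Secret named `prod-atlantis-rabbitmq` in the `staging-sorcerer` Application, so staging Sorcerer appears to consume the production RabbitMQ credentials (the staging Atlantis Application uses `staging-atlantis-rabbitmq`). Point staging at a staging-scoped Secret, or if a shared broker is deliberate, say so in a comment and confine that RabbitMQ user to staging vhosts. This Application also reuses the name `staging-sorcerer` that the sorcerer ApplicationSet generated before its staging element was commented out in this compare; make sure the generated one is gone first, or the two controllers will fight over the same object.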
+124
@@ -0,0 +1,124 @@
{ lib, config, ... }:
let
cfg = config.apps.tempo;
env = config.apps.env;
values = lib.apps.appValues {
inherit env;
extraValues = {
tempo = {
storage = {
trace = {
backend = "s3";
s3 = {
bucket = cfg.s3.bucket;
endpoint = cfg.s3.endpoint;
access_key = "\${S3SECRET}";
secret_key = "\${S3KEY}";
insecure = true;
};
local = {
path = "/var/tempo/traces";
};
wal = {
path = "/var/tempo/wal";
};
};
};
metricsGenerator = {
enabled = true;
remoteWriteUrl = "http://prom-prometheus.prometheus:9090/api/v1/write";
};
extraEnv = [
{
name = "S3KEY";
valueFrom.secretKeyRef = {
name = cfg.secret.name;
key = cfg.secret.accessKey;
};
}
{
name = "S3SECRET";
valueFrom.secretKeyRef = {
name = cfg.secret.name;
key = cfg.secret.secretKey;
};
}
];
};
tempoQuery = {
ingress = {
enabled = true;
ingressClassName = "nginx";
annotations = {
"cert-manager.io/cluster-issuer" = "letsencrypt-staging";
"nginx.ingress.kubernetes.io/ssl-redirect" = "true";
"atlantis.oceanbox.io/expose" = "internal";
};
path = "/";
pathType = "Prefix";
hosts = [ "query.tempo.adm.oceanbox.io" ];
tls = [{
secretName = "tempo-query-tls";
hosts = [ "query.tempo.adm.oceanbox.io" ];
}];
};
};
};
};
in
{
options.apps.tempo = lib.apps.appOptions {
revision = lib.mkOption {
type = lib.types.str;
default = "1.10.3";
description = "Tempo chart version";
};
s3 = {
bucket = lib.mkOption {
type = lib.types.str;
default = "tempo-traces";
description = "S3 bucket for traces";
};
endpoint = lib.mkOption {
type = lib.types.str;
default = "http://10.255.241.30:30080";
description = "S3 endpoint";
};
};
secret = {
name = lib.mkOption {
type = lib.types.str;
default = "tempo-s3";
description = "Name of the S3 credentials secret";
};
accessKey = lib.mkOption {
type = lib.types.str;
default = "AWS_ACCESS_KEY_ID";
description = "Access key field in secret";
};
secretKey = lib.mkOption {
type = lib.types.str;
default = "AWS_ACCESS_KEY_SECRET";
description = "Secret key field in secret";
};
};
};
config = lib.apps.appConfig cfg "tempo" {
namespace = "argocd";
helm.releases.tempo = {
inherit values;
chart = lib.helm.downloadHelmChart {
repo = "https://grafana.github.io/helm-charts";
chart = "tempo";
version = cfg.revision;
};
};
annotations = {
"argocd.argoproj.io/sync-options" = "SkipDryRunOnMissingResource=true";
};
};
}
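Review bot: The S3 credentials are crossed in `storage.trace.s3`: `access_key = "\${S3SECRET}"` and `secret_key = "\${S3KEY}"` put the secret in the access-key field and vice versa — the values-file hunk in this same compare fixes exactly this swap, and the Nix rewrite reintroduces it; it should read `access_key = "\${S3KEY}";` and `secret_key = "\${S3SECRET}";`. The `downloadHelmChart` call carries no `chartHash` at all, unlike the loki module, so the tempo chart `1.10.3` is fetched without integrity pinning; add the hash. The YAML version also adds an `extraArgs` entry enabling `config.expand-env` so that `${S3KEY}`/`${S3SECRET}` are substituted from `extraEnv`; nothing equivalent is set here, so confirm the chart expands env vars by default or the literal placeholders will end up in Tempo's config. `insecure = true` against the plaintext `http://` endpoint is at least consistent, but merits a comment.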
+5 -4
@@ -34,11 +34,11 @@ spec:
backend: s3 backend: s3
s3: s3:
bucket: tempo-traces bucket: tempo-traces
endpoint: http://10.255.241.30:30080 endpoint: 10.255.241.30:30080
access_key: ${S3SECRET} access_key: ${S3KEY}
secret_key: ${S3KEY} secret_key: ${S3SECRET}
forcepathstyle: true
insecure: true insecure: true
backend: local
local: local:
path: /var/tempo/traces path: /var/tempo/traces
wal: wal:
@@ -46,6 +46,7 @@ spec:
metricsGenerator: metricsGenerator:
enabled: true enabled: true
remoteWriteUrl: "http://prom-prometheus.prometheus:9090/api/v1/write" remoteWriteUrl: "http://prom-prometheus.prometheus:9090/api/v1/write"
extraArgs: { config.expand-env=true }
extraEnv: extraEnv:
- name: S3KEY - name: S3KEY
valueFrom: valueFrom:
+39
@@ -0,0 +1,39 @@
{ lib, config, ... }:
let
cfg = config.apps.wordpress;
env = config.apps.env;
values = lib.apps.appValues {
inherit env;
base = ../values/wordpress;
extraValues = {};
};
in
{
options.apps.wordpress = lib.apps.appOptions {
enable = lib.mkEnableOption "WordPress";
revision = lib.mkOption {
type = lib.types.str;
default = "19.2.2";
description = "WordPress chart version";
};
hostname = lib.mkOption {
type = lib.types.str;
description = "WordPress hostname";
default = "www.${env}.oceanbox.io";
};
};
config = lib.apps.appConfig cfg "www-oceanbox" {
namespace = "www-oceanbox";
helm.releases.wordpress = {
inherit values;
chart = lib.helm.downloadHelmChart {
repo = "https://charts.bitnami.com/bitnami";
chart = "wordpress";
version = cfg.revision;
chartHash = "";
};
transformer = rs: builtins.map (x: kustomize x) rs;
};
};
}
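Review bot: `kustomize` is referenced in `transformer = rs: builtins.map (x: kustomize x) rs;` but never bound in this module, so evaluation fails, and `chartHash = ""` leaves the bitnami `wordpress` chart `19.2.2` unpinned — same two defects as the rabbitmq and redis modules. The app name and namespace are fixed to `www-oceanbox` while the `hostname` default interpolates `${env}` (`www.${env}.oceanbox.io`); if both environments are evaluated against one cluster they collide in that namespace, and if only one is meant to exist the `env` in the hostname is misleading — pick one and document it. Since WordPress is internet-facing, confirm `../values/wordpress` sets the ingress and TLS explicitly rather than relying on chart defaults.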
+11
@@ -11,6 +11,17 @@ init:
enabled: false enabled: false
image: ubuntu:rolling image: ubuntu:rolling
command: ["/bin/sh", "-c", "true"] command: ["/bin/sh", "-c", "true"]
env:
- name: LOG_LEVEL
value: "3"
- name: APP_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: APP_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
imagePullSecrets: imagePullSecrets:
- name: gitlab-pull-secret - name: gitlab-pull-secret
nameOverride: "" nameOverride: ""
-6
@@ -1,6 +0,0 @@
dependencies:
- name: redis
repository: https://charts.bitnami.com/bitnami
version: 20.1.7
digest: sha256:9c9be148366bb3d50f7394ba5a33e1a00a087b5ed61d2bcf1faec9b369e76582
generated: "2024-10-08T13:21:10.374993273+02:00"
-6
@@ -4,9 +4,3 @@ description: Atlantis map and simulation service
type: application type: application
version: v2.87.1 version: v2.87.1
appVersion: v2.87.1 appVersion: v2.87.1
dependencies:
- name: redis
version: 20.1.7
repository: https://charts.bitnami.com/bitnami
condition: redis.enabled
alias: redis
+2 -2
@@ -54,8 +54,8 @@ spec:
port: port:
number: {{ $svcPort }} number: {{ $svcPort }}
{{- else }} {{- else }}
serviceName: {{ $fullName }} serviceName: {{ .serviceName | default $fullName }}
servicePort: {{ $svcPort }} servicePort: {{ .servicePort | default $svcPort }}
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- end }} {{- end }}
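Review bot: The `.serviceName | default $fullName` / `.servicePort | default $svcPort` override is applied only in the `{{- else }}` branch, i.e. the pre-1.19 `serviceName`/`servicePort` backend form; the `networking.k8s.io/v1` branch just above still hard-codes `port.number: {{ $svcPort }}` (and, from the lines above the hunk, presumably `service.name: {{ $fullName }}`), so on any current cluster the new per-path override is silently ignored. The values in this compare rely on it to send `/events` to `main-ingress-nginx-defaultbackend.ingress-nginx:80`; as written, `/events` stays routed to the Atlantis service on the public ingress. Apply the same pattern in the v1 branch — `name: {{ .serviceName | default $fullName }}` and `number: {{ .servicePort | default $svcPort }}` — and note that an Ingress backend cannot name a Service in another namespace, so a dotted name should fail API validation anyway. The enclosing `range` over paths starts above this hunk.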
@@ -0,0 +1,62 @@
{{- if .Values.ingress.enabled -}}
{{- $fullName := include "Atlantis.fullname" . -}}
{{- $svcPort := .Values.service.port -}}
{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
{{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }}
{{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}}
{{- end }}
{{- end }}
{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
apiVersion: networking.k8s.io/v1
{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
apiVersion: networking.k8s.io/v1beta1
{{- else -}}
apiVersion: extensions/v1beta1
{{- end }}
kind: Ingress
metadata:
name: {{ $fullName }}-internal
labels:
{{- include "Atlantis.labels" . | nindent 4 }}
{{- with .Values.ingress.annotations }}
annotations:
atlantis.oceanbox.io/expose: internal
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
ingressClassName: {{ .Values.ingress.className }}
{{- end }}
{{- if .Values.ingress.tls }}
tls:
{{- range .Values.ingress.tls }}
- hosts:
{{- range .hosts }}
- {{ . | quote }}
{{- end }}
secretName: {{ .secretName }}
{{- end }}
{{- end }}
rules:
{{- range .Values.ingress.hosts }}
- host: {{ .host | quote }}
http:
paths:
{{- range .internal }}
- path: {{ .path }}
{{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }}
pathType: {{ .pathType }}
{{- end }}
backend:
{{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
service:
name: {{ $fullName }}
port:
number: {{ $svcPort }}
{{- else }}
serviceName: {{ $fullName }}
servicePort: {{ $svcPort }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
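Review bot: The `atlantis.oceanbox.io/expose: internal` annotation that marks this Ingress as internal is emitted only inside `{{- with .Values.ingress.annotations }}`, so a values file with no annotations yields an unmarked Ingress that, depending on what consumes that annotation, may be treated as public. Emit the marker unconditionally and merge user annotations after it, as below. Separately, `range .Values.ingress.hosts` renders a rule for every host even when that host has no `internal` paths, and an empty `http.paths` list is rejected by the API; guard the rule with `{{- if .internal }}` or filter the hosts first. The remainder of the template is the standard ingress scaffold.
```yaml
metadata:
  name: {{ $fullName }}-internal
  # … unchanged: labels …
  annotations:
    atlantis.oceanbox.io/expose: internal
    {{- with .Values.ingress.annotations }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
spec:
  # … unchanged: ingressClassName, tls, rules …
```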
+2 -21
@@ -1,24 +1,3 @@
apiVersion: v1
kind: Secret
metadata:
annotations:
kyverno/clone: "true"
name: {{ .Release.Name }}-rabbitmq
namespace: {{ .Release.Namespace }}
type: Opaque
data:
---
{{- if not .Values.redis.enabled }}
apiVersion: v1
kind: Secret
metadata:
annotations:
kyverno/clone: "true"
name: {{ .Release.Name }}-redis
type: Opaque
data:
{{- end }}
---
{{- if not .Values.cluster.enabled }} {{- if not .Values.cluster.enabled }}
apiVersion: v1 apiVersion: v1
kind: Secret kind: Secret
@@ -32,6 +11,7 @@ data:
username: username:
password: password:
{{- else }} {{- else }}
{{- if .Values.cluster.bootstrap.enabled }}
apiVersion: v1 apiVersion: v1
kind: Secret kind: Secret
metadata: metadata:
@@ -55,3 +35,4 @@ data:
ca.crt: "" ca.crt: ""
ca.key: "" ca.key: ""
{{- end }} {{- end }}
{{- end }}
@@ -0,0 +1,20 @@
{{- if .Values.serviceMonitor.enabled }}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ include "Atlantis.fullname" . }}
namespace: {{ .Release.Namespace }}
spec:
endpoints:
- honorLabels: false
path: /metrics
port: http
jobLabel: {{ .Values.serviceMonitor.label | default (include "Atlantis.fullname" .) }}
namespaceSelector:
matchNames:
- {{ .Release.Namespace }}
selector:
matchLabels:
app.kubernetes.io/instance: {{ include "Atlantis.fullname" . }}
app.kubernetes.io/name: atlantis
{{- end }}
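Review bot: The `selector.matchLabels` pair `app.kubernetes.io/instance: {{ include "Atlantis.fullname" . }}` / `app.kubernetes.io/name: atlantis` must match the Service's labels exactly, yet the usual chart helpers set `instance` to `.Release.Name` (not the fullname) and `name` to the chart name, which this chart spells `Atlantis` in its template names; if either differs, the ServiceMonitor silently selects nothing and Atlantis drops out of Prometheus. Prefer `{{- include "Atlantis.selectorLabels" . | nindent 6 }}` if `_helpers.tpl` defines it, so the selector cannot drift from the Service's labels. `honorLabels: false` is the safe choice for scraped metrics; confirm the Service actually exposes a port named `http`.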
+18 -46
@@ -17,6 +17,14 @@ init:
env: env:
- name: LOG_LEVEL - name: LOG_LEVEL
value: "3" value: "3"
- name: APP_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: APP_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
imagePullSecrets: imagePullSecrets:
- name: gitlab-pull-secret - name: gitlab-pull-secret
@@ -61,6 +69,13 @@ ingress:
paths: paths:
- path: / - path: /
pathType: ImplementationSpecific pathType: ImplementationSpecific
- path: /events
pathType: ImplementationSpecific
serviceName: main-ingress-nginx-defaultbackend.ingress-nginx
servicePort: 80
internal:
- path: /internal
pathType: ImplementationSpecific
tls: tls:
- hosts: - hosts:
- atlantis.srv.oceanbox.io - atlantis.srv.oceanbox.io
@@ -84,52 +99,6 @@ cluster:
db: prod-archmeister db: prod-archmeister
namespace: atlantis namespace: atlantis
redis:
enabled: true
image:
repository: redis/redis-stack-server
tag: 7.2.0-v10
architecture: standalone
replica:
replicaCount: 1
command:
- "/opt/redis-stack/bin/redis-server"
- "--loadmodule"
- "/opt/redis-stack/lib/redisearch.so"
- "MAXSEARCHRESULTS"
- "10000"
- "MAXAGGREGATERESULTS"
- "10000"
- "--loadmodule"
- "/opt/redis-stack/lib/rejson.so"
auth:
enabled: true
sentinel: true
password: ""
usePasswordFiles: false
existingSecretPasswordKey: ""
# existingSecret: staging-redis
master:
resources:
limits:
cpu: null
ephemeral-storage: 1024Mi
memory: 192Mi
requests:
cpu: 150m
ephemeral-storage: 50Mi
memory: 128Mi
tracing:
namespace: otel
endpoint: "http://opentelemetry-collector.otel:9411/api/v2/spans"
rabbitmq:
namespace: rabbitmq
service: staging-rabbitmq
username: user
# secretName: staging-rabbitmq
resources: {} resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious # We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little # choice for the user. This also increases chances charts run on environments with little
@@ -149,6 +118,9 @@ autoscaling:
targetCPUUtilizationPercentage: 80 targetCPUUtilizationPercentage: 80
# targetMemoryUtilizationPercentage: 80 # targetMemoryUtilizationPercentage: 80
serviceMonitor:
enabled: true
nodeSelector: {} nodeSelector: {}
tolerations: [] tolerations: []
affinity: {} affinity: {}
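Review bot: The new `/events` path with `serviceName: main-ingress-nginx-defaultbackend.ingress-nginx` cannot work as an Ingress backend: backend Services are resolved in the Ingress's own namespace, a dotted name is not a valid Service name, and the ingress template in this compare only honours `serviceName` in the legacy API branch anyway. If the goal is to keep `/events` off the public hostname, remove it from the public `paths` list and deny it explicitly (an nginx `server-snippet` returning 403, for instance) or list it only under `internal`; a misrouted backend is not an access control. Dropping the `redis:`/`rabbitmq:`/`tracing:` blocks is consistent with Redis moving to its own Argo source, but the deleted `auth.enabled: true` must be carried into the corresponding `redis.yaml` values file or the new Redis runs without a password.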
+11
@@ -11,6 +11,17 @@ init:
enabled: false enabled: false
image: ubuntu:rolling image: ubuntu:rolling
command: ["/bin/sh", "-c", "true"] command: ["/bin/sh", "-c", "true"]
env:
- name: LOG_LEVEL
value: "3"
- name: APP_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: APP_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
imagePullSecrets: imagePullSecrets:
- name: gitlab-pull-secret - name: gitlab-pull-secret
nameOverride: "" nameOverride: ""
+11
@@ -11,6 +11,17 @@ init:
enabled: false enabled: false
image: ubuntu:rolling image: ubuntu:rolling
command: ["/bin/sh", "-c", "true"] command: ["/bin/sh", "-c", "true"]
env:
- name: LOG_LEVEL
value: "3"
- name: APP_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: APP_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
imagePullSecrets: imagePullSecrets:
- name: gitlab-pull-secret - name: gitlab-pull-secret
nameOverride: "" nameOverride: ""
-12
@@ -1,18 +1,6 @@
apiVersion: v2 apiVersion: v2
name: sorcerer name: sorcerer
description: A Helm chart for Kubernetes description: A Helm chart for Kubernetes
# A chart can be either an 'application' or a 'library' chart.
#
# Application charts are a collection of templates that can be packaged into versioned archives
# to be deployed.
#
# Library charts provide useful utilities or functions for the chart developer. They're included as
# a dependency of application charts to inject those utilities and functions into the rendering
# pipeline. Library charts do not define any templates and therefore cannot be deployed.
type: application type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
version: v4.9.0 version: v4.9.0
# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application.
appVersion: v4.9.0 appVersion: v4.9.0
+1 -2
@@ -38,8 +38,7 @@ spec:
containerPort: {{ .Values.service.port }} containerPort: {{ .Values.service.port }}
protocol: TCP protocol: TCP
env: env:
- name: LOG_LEVEL {{- toYaml .Values.env | nindent 12 }}
value: "3"
livenessProbe: livenessProbe:
httpGet: httpGet:
path: / path: /
@@ -0,0 +1,62 @@
{{- if .Values.ingress.enabled -}}
{{- $fullName := include "Sorcerer.fullname" . -}}
{{- $svcPort := .Values.service.port -}}
{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
{{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }}
{{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}}
{{- end }}
{{- end }}
{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
apiVersion: networking.k8s.io/v1
{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
apiVersion: networking.k8s.io/v1beta1
{{- else -}}
apiVersion: extensions/v1beta1
{{- end }}
kind: Ingress
metadata:
name: {{ $fullName }}-internal
labels:
{{- include "Sorcerer.labels" . | nindent 4 }}
{{- with .Values.ingress.annotations }}
annotations:
atlantis.oceanbox.io/expose: internal
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
ingressClassName: {{ .Values.ingress.className }}
{{- end }}
{{- if .Values.ingress.tls }}
tls:
{{- range .Values.ingress.tls }}
- hosts:
{{- range .hosts }}
- {{ . | quote }}
{{- end }}
secretName: {{ .secretName }}
{{- end }}
{{- end }}
rules:
{{- range .Values.ingress.hosts }}
- host: {{ .host | quote }}
http:
paths:
{{- range .internal }}
- path: {{ .path }}
{{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }}
pathType: {{ .pathType }}
{{- end }}
backend:
{{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
service:
name: {{ $fullName }}
port:
number: {{ $svcPort }}
{{- else }}
serviceName: {{ $fullName }}
servicePort: {{ $svcPort }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
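Review bot: The `atlantis.oceanbox.io/expose: internal` marker is emitted only inside `{{- with .Values.ingress.annotations }}`, so a release that sets no ingress annotations renders this Ingress without the one annotation that distinguishes it from the public Ingress, and the `/internal` paths then look like any other route on the same hosts and TLS secret. Emit the marker unconditionally and keep only the user-supplied annotations inside the `with`. Whether the annotation is enforced by an admission or ingress controller is not visible here; if it is not, a source-range allowlist for the class in use (for nginx, `nginx.ingress.kubernetes.io/whitelist-source-range`) is the usual way to keep `/internal` off the public edge.
```yaml
  labels:
    {{- include "Sorcerer.labels" . | nindent 4 }}
  annotations:
    atlantis.oceanbox.io/expose: internal
    {{- with .Values.ingress.annotations }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
spec:
```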
+31
@@ -3,18 +3,36 @@
# Declare variables to be passed into your templates. # Declare variables to be passed into your templates.
replicaCount: 1 replicaCount: 1
image: image:
repository: registry.gitlab.com/oceanbox/sorcerer repository: registry.gitlab.com/oceanbox/sorcerer
tag: v4.9.0 tag: v4.9.0
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
init: init:
enabled: false enabled: false
image: ubuntu:rolling image: ubuntu:rolling
command: ["/bin/sh", "-c", "true"] command: ["/bin/sh", "-c", "true"]
env:
- name: LOG_LEVEL
value: "3"
- name: APP_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: APP_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
imagePullSecrets: imagePullSecrets:
- name: gitlab-pull-secret - name: gitlab-pull-secret
nameOverride: "" nameOverride: ""
fullnameOverride: "" fullnameOverride: ""
serviceAccount: serviceAccount:
create: true create: true
# Annotations to add to the service account # Annotations to add to the service account
@@ -22,9 +40,12 @@ serviceAccount:
# The name of the service account to use. # The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template # If not set and create is true, a name is generated using the fullname template
name: "" name: ""
podAnnotations: {} podAnnotations: {}
podSecurityContext: podSecurityContext:
fsGroup: 2000 fsGroup: 2000
securityContext: securityContext:
capabilities: capabilities:
drop: drop:
@@ -32,9 +53,11 @@ securityContext:
readOnlyRootFilesystem: false readOnlyRootFilesystem: false
runAsNonRoot: true runAsNonRoot: true
runAsUser: 1000 runAsUser: 1000
service: service:
type: ClusterIP type: ClusterIP
port: 8085 port: 8085
ingress: ingress:
enabled: true enabled: true
className: "nginx" className: "nginx"
@@ -46,6 +69,9 @@ ingress:
paths: paths:
- path: / - path: /
pathType: ImplementationSpecific pathType: ImplementationSpecific
internal:
- path: /internal
pathType: ImplementationSpecific
tls: tls:
- hosts: - hosts:
- sorcerer.srv.oceanbox.io - sorcerer.srv.oceanbox.io
@@ -62,6 +88,7 @@ cluster:
backupEnabled: true backupEnabled: true
backupRetention: 60d backupRetention: 60d
size: 5Gi size: 5Gi
resources: {} resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious # We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little # choice for the user. This also increases chances charts run on environments with little
@@ -80,6 +107,10 @@ autoscaling:
maxReplicas: 100 maxReplicas: 100
targetCPUUtilizationPercentage: 80 targetCPUUtilizationPercentage: 80
# targetMemoryUtilizationPercentage: 80 # targetMemoryUtilizationPercentage: 80
serviceMonitor:
enabled: true
nodeSelector: {} nodeSelector: {}
tolerations: [] tolerations: []
affinity: {} affinity: {}
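Review bot: The new `internal` list under `ingress.hosts` (`- path: /internal`) is rendered into a second Ingress on the same host `sorcerer.srv.oceanbox.io` and the same TLS secret as the public paths, and nothing in values records that those paths are meant to stay unreachable from the internet. A comment next to `internal:` such as `# paths served by the <fullname>-internal Ingress (annotated atlantis.oceanbox.io/expose: internal); must not be reachable from the public edge` would keep the intent from being lost on the next edit. The same `env` block is added in the earlier values hunk above with identical content; if both charts share the convention, a one-line comment in each saying the list is rendered verbatim into the container spec would be enough.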
@@ -6,9 +6,9 @@ metadata:
spec: spec:
egress: egress:
- toFQDNs: - toFQDNs:
- matchName: api.github.com
- matchName: dapr.github.io - matchName: dapr.github.io
- matchName: gitlab.com
- matchName: analytics.loft.rocks - matchName: analytics.loft.rocks
# - matchName: gitlab.com
# - matchName: api.github.com
endpointSelector: endpointSelector:
matchLabels: {} matchLabels: {}
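Review bot: The egress entries for `gitlab.com` and `api.github.com` are removed from `toFQDNs` but kept as commented-out lines (`# - matchName: gitlab.com`) with no reason, which reads as a temporary toggle rather than a decision. Either drop the comments or record why the policy no longer needs them, e.g. `# gitlab.com / api.github.com egress dropped: <reason>`; narrowing the FQDN list is the right direction, it just needs to be recorded. The file header for this hunk is not shown, so which policy it belongs to is inferred from the `toFQDNs` context.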
+2 -2
@@ -24,7 +24,7 @@ spec:
apiVersion: postgresql.cnpg.io/v1 apiVersion: postgresql.cnpg.io/v1
kind: Cluster kind: Cluster
metadata: metadata:
name: staging-archmeister name: {{ $name }}-archmaester
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
annotations: annotations:
linkerd.io/inject: disabled linkerd.io/inject: disabled
@@ -54,7 +54,7 @@ spec:
externalClusters: externalClusters:
- name: prod-archmeister - name: prod-archmeister
connectionParameters: connectionParameters:
host: prod-archmeister-rw.atlantis.svc host: prod-archmeister-rw.atlantis
user: streaming_replica user: streaming_replica
sslmode: verify-full sslmode: verify-full
sslKey: sslKey:
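Review bot: The generated cluster is now named `{{ $name }}-archmaester` while the external source it replicates from is still `prod-archmeister` and its `-rw` service host, so both spellings now coexist in one template; pick one, since the name must also agree with the `mapServices` entries that reference `{{ $name }}-archmaester-rw`. Dropping the `.svc` suffix from the host is paired with `sslmode: verify-full`, which requires the host exactly as written to appear in the server certificate's SANs; as far as I recall CNPG-issued server certificates cover the `<cluster>-rw.<namespace>` form, but confirm against the certificate actually served before relying on it, because a mismatch breaks replication rather than degrading it. `$name` is defined outside this hunk.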
@@ -1,49 +0,0 @@
{{- $fullname := include "vCluster.fullname" . -}}
{{- $name := include "vCluster.releaseName" . -}}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
annotations:
kyverno.io/kyverno-version: 1.7.0
policies.kyverno.io/description: Allow egress to vcluster kube-apiserver
policies.kyverno.io/minversion: 1.7.0
policies.kyverno.io/subject: Namespace, NetworkPolicy
policies.kyverno.io/title: Generate NetworkPolicy to Existing Namespaces
name: allow-{{ $name }}-vcluster-apiserver
namespace: {{ .Release.Namespace }}
spec:
background: true
generateExisting: true
rules:
- name: allow-{{ $name }}-vcluster-apiserver
generate:
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
name: allow-{{ $name }}-vcluster-apiserver-access
namespace: {{ printf "{{request.object.metadata.name}}" | quote }}
synchronize: true
data:
spec:
description: Allow egress to vcluster kube-apiserver
egress:
- toEndpoints:
- matchLabels:
app: vcluster
toPorts:
- ports:
- port: "443"
protocol: TCP
endpointSelector: {}
match:
any:
- resources:
kinds:
- Namespace
names:
- {{ $fullname }}
- resources:
kinds:
- Namespace
selector:
matchLabels:
vcluster.loft.sh/vcluster-name: {{ $fullname }}
@@ -1,66 +0,0 @@
{{- $name := include "vCluster.releaseName" . -}}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: "sync-{{ $name }}-vcluster-secrets"
spec:
background: true
generateExisting: true
rules:
- name: sync-rabbitmq-secrets
generate:
apiVersion: v1
kind: Secret
name: staging-rabbitmq
namespace: {{ printf "{{request.object.metadata.name}}" | quote }}
synchronize: false
clone:
namespace: rabbitmq
name: staging-rabbitmq
match:
resources:
kinds:
- Namespace
names:
- "vcluster-009dba7e-*"
selector:
matchLabels:
vcluster.loft.sh/vcluster-namespace: '{{ .Release.Namespace }}'
- name: sync-redis-secrets
generate:
apiVersion: v1
kind: Secret
name: staging-redis
namespace: {{ printf "{{request.object.metadata.name}}" | quote }}
synchronize: false
clone:
namespace: redis
name: staging-redis
match:
resources:
kinds:
- Namespace
names:
- "vcluster-009dba7e-*"
selector:
matchLabels:
vcluster.loft.sh/vcluster-namespace: '{{ .Release.Namespace }}'
- name: sync-archmeister-app-secret
generate:
apiVersion: v1
kind: Secret
name: staging-archmeister-app
namespace: {{ printf "{{request.object.metadata.name}}" | quote }}
synchronize: false
clone:
namespace: '{{ .Release.Namespace }}'
name: staging-archmeister-superuser
match:
resources:
kinds:
- Namespace
names:
- "vcluster-009dba7e-*"
selector:
matchLabels:
vcluster.loft.sh/vcluster-namespace: '{{ .Release.Namespace }}'
+5 -17
@@ -16,7 +16,7 @@ spec:
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
source: source:
repoURL: https://charts.loft.sh repoURL: https://charts.loft.sh
targetRevision: 0.19.5 targetRevision: 0.20.1
chart: vcluster chart: vcluster
helm: helm:
values: |- values: |-
@@ -63,12 +63,10 @@ spec:
mapServices: mapServices:
fromHost: fromHost:
- from: "redis/{{ .Values.environment }}-redis-master"
to: "redis/{{ .Values.environment }}-redis-master"
- from: "rabbitmq/{{ .Values.environment }}-rabbitmq" - from: "rabbitmq/{{ .Values.environment }}-rabbitmq"
to: "rabbitmq/{{ .Values.environment }}-rabbitmq" to: "rabbitmq/{{ .Values.environment }}-rabbitmq"
- from: "{{ .Release.Namespace }}/staging-archmeister-rw" - from: "{{ .Release.Namespace }}/{{ $name }}-archmaester-rw"
to: "atlantis/staging-archmeister-rw" to: "atlantis/{{ $name }}-archmaester-rw"
- from: "idp/{{ .Values.environment }}-openfga" - from: "idp/{{ .Values.environment }}-openfga"
to: "idp/{{ .Values.environment }}-openfga" to: "idp/{{ .Values.environment }}-openfga"
- from: "otel/opentelemetry-collector" - from: "otel/opentelemetry-collector"
@@ -99,21 +97,11 @@ spec:
config: |- config: |-
version: v1beta1 version: v1beta1
import: import:
- kind: Cluster
apiVersion: postgresql.cnpg.io/v1
- kind: Secret - kind: Secret
apiVersion: v1 apiVersion: v1
# - kind: Component
# apiVersion: dapr.io/v1alpha1
# - kind: Configuration
# apiVersion: dapr.io/v1alpha1
# - kind: Subscription
# apiVersion: dapr.io/v1alpha1
# - kind: CiliumNetworkPolicy
# apiVersion: cilium.io/v2
export: export:
- kind: CiliumNetworkPolicy - kind: Cluster
apiVersion: cilium.io/v2 apiVersion: postgresql.cnpg.io/v1
init: init:
manifests: |- manifests: |-
--- ---
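Review bot: Moving `kind: Cluster` (`postgresql.cnpg.io/v1`) from `import` to `export` in the syncer config means objects created inside the vcluster are synced out to the host namespace, so a tenant workload can presumably create CNPG Postgres clusters, with their own storage and backup settings, on the host side in `{{ .Release.Namespace }}`; confirm that is the intended trust boundary and that host-side quotas and admission policies apply to exported objects. At the same time the `CiliumNetworkPolicy` export is dropped, and the Kyverno policy that generated the `allow-...-vcluster-apiserver-access` CiliumNetworkPolicy is deleted elsewhere in this commit, so something else now has to provide apiserver egress for those namespaces if the host default is deny. The `mapServices` hunk loses the redis mapping, which matches the removed redis secret sync rule; a comment in the values noting that redis is no longer mapped into the vcluster would help the next reader.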
+33
@@ -0,0 +1,33 @@
let
sources = import ./nix;
system = builtins.currentSystem;
pkgs = import sources.nixpkgs {
inherit system;
config = { };
overlays = [ ];
};
nixpkgs = sources.nixpkgs;
nixhelm = sources.nixhelm;
nixidy = import sources.nixidy { inherit nixpkgs; };
kube = pkgs.callPackage "${sources.nix-kube-gen}/lib/default.nix" { inherit pkgs; };
in
nixidy.lib.mkEnvs {
libOverlay = self: super: {
apps = import ./modules/lib.nix { inherit pkgs kube; };
};
modules = [
(
{ lib, ... }:
{
nixidy.charts = lib.helm.mkChartAttrs "${nixhelm}/charts";
}
)
./modules
./apps
./policies
];
envs = {
prod.modules = [ ./envs/prod.nix ];
staging.modules = [ ./envs/staging.nix ];
};
}
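Review bot: This non-flake entry point duplicates the env wiring in flake.nix (`modules`, `envs.prod`/`envs.staging`, the `modules/lib.nix` import), and the generators file added later in this commit duplicates the `fromCRD` definitions with the same `rev`/`hash` pins, so the two paths will drift unless one is derived from the other. At minimum a header comment such as `# non-flake entry point; mirrors flake.nix outputs.nixidyEnvs — keep modules/envs in sync` should say which one is authoritative, and the same applies to the generators file. `system = builtins.currentSystem` also makes this file impure, which is fine for `nix-build` but fails under `--pure-eval`; a one-line comment noting that is worth adding.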
+13
@@ -0,0 +1,13 @@
_:
{
config = {
apps = {
env = "prod";
autoSync = false;
prune = false;
atlantis.enable = true;
openfga.enable = true;
};
};
}
+17
@@ -0,0 +1,17 @@
_:
{
config = {
apps = {
env = "staging";
autoSync = true;
prune = true;
atlantis = {
enable = true;
autoSync = true;
prune = false;
};
openfga.enable = true;
};
};
}
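Review bot: `atlantis` overrides the environment-wide `prune = true` with `prune = false` without saying why, and since prod.nix sets both `autoSync` and `prune` to false globally the exception only matters here; a comment such as `# never let Argo prune atlantis: <reason>` would keep it from being removed by a future cleanup. That the top-level `autoSync`/`prune` keys act as defaults for every app is only implied by this override; stating it once where those options are declared would help.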
+666
@@ -0,0 +1,666 @@
{
"nodes": {
"cargo2nix": {
"inputs": {
"flake-compat": "flake-compat_3",
"flake-utils": "flake-utils_5",
"nixpkgs": "nixpkgs_3",
"rust-overlay": "rust-overlay"
},
"locked": {
"lastModified": 1699033427,
"narHash": "sha256-OVtd5IPbb4NvHibN+QvMrMxq7aZN5GFoINZSAXKjUdA=",
"owner": "cargo2nix",
"repo": "cargo2nix",
"rev": "c6f33051f412352f293e738cc8da6fd4c457080f",
"type": "github"
},
"original": {
"owner": "cargo2nix",
"ref": "release-0.11.0",
"repo": "cargo2nix",
"type": "github"
}
},
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1673956053,
"narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_2": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_3": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-utils": {
"inputs": {
"systems": "systems"
},
"locked": {
"lastModified": 1726560853,
"narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_2": {
"inputs": {
"systems": "systems_2"
},
"locked": {
"lastModified": 1710146030,
"narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
"type": "github"
},
"original": {
"id": "flake-utils",
"type": "indirect"
}
},
"flake-utils_3": {
"inputs": {
"systems": "systems_3"
},
"locked": {
"lastModified": 1710146030,
"narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_4": {
"inputs": {
"systems": "systems_5"
},
"locked": {
"lastModified": 1701680307,
"narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_5": {
"inputs": {
"systems": "systems_7"
},
"locked": {
"lastModified": 1694529238,
"narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "ff7b65b44d01cf9ba6a71320833626af21126384",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"gitignore": {
"inputs": {
"nixpkgs": [
"pre-commit-hooks",
"nixpkgs"
]
},
"locked": {
"lastModified": 1709087332,
"narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"type": "github"
}
},
"haumea": {
"inputs": {
"nixpkgs": [
"nixhelm",
"nixpkgs"
]
},
"locked": {
"lastModified": 1685133229,
"narHash": "sha256-FePm/Gi9PBSNwiDFq3N+DWdfxFq0UKsVVTJS3cQPn94=",
"owner": "nix-community",
"repo": "haumea",
"rev": "34dd58385092a23018748b50f9b23de6266dffc2",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "v0.2.2",
"repo": "haumea",
"type": "github"
}
},
"kubenix": {
"inputs": {
"flake-compat": "flake-compat",
"nixpkgs": [
"nixidy",
"nixpkgs"
],
"systems": "systems_6",
"treefmt": "treefmt"
},
"locked": {
"lastModified": 1718110643,
"narHash": "sha256-KrEOCx/bpN++sySOEL5EO5AhYsqRZZk+CXacueUeSl4=",
"owner": "hall",
"repo": "kubenix",
"rev": "a04066c45526c6d8410ba998134f692ff991b4f3",
"type": "github"
},
"original": {
"owner": "hall",
"repo": "kubenix",
"type": "github"
}
},
"nix-github-actions": {
"inputs": {
"nixpkgs": [
"nixhelm",
"poetry2nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1703863825,
"narHash": "sha256-rXwqjtwiGKJheXB43ybM8NwWB8rO2dSRrEqes0S7F5Y=",
"owner": "nix-community",
"repo": "nix-github-actions",
"rev": "5163432afc817cf8bd1f031418d1869e4c9d5547",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nix-github-actions",
"type": "github"
}
},
"nix-kube-generators": {
"locked": {
"lastModified": 1708155396,
"narHash": "sha256-A/BIeJjiRS7sBYP6tFJa/WHDPHe7DGTCkSEKXttYeAQ=",
"owner": "farcaller",
"repo": "nix-kube-generators",
"rev": "14dbd5e5b40615937900f71d9a9851b59b4d9a88",
"type": "github"
},
"original": {
"owner": "farcaller",
"repo": "nix-kube-generators",
"type": "github"
}
},
"nix-kube-generators_2": {
"locked": {
"lastModified": 1708155396,
"narHash": "sha256-A/BIeJjiRS7sBYP6tFJa/WHDPHe7DGTCkSEKXttYeAQ=",
"owner": "farcaller",
"repo": "nix-kube-generators",
"rev": "14dbd5e5b40615937900f71d9a9851b59b4d9a88",
"type": "github"
},
"original": {
"owner": "farcaller",
"repo": "nix-kube-generators",
"type": "github"
}
},
"nix-kube-generators_3": {
"locked": {
"lastModified": 1708155396,
"narHash": "sha256-A/BIeJjiRS7sBYP6tFJa/WHDPHe7DGTCkSEKXttYeAQ=",
"owner": "farcaller",
"repo": "nix-kube-generators",
"rev": "14dbd5e5b40615937900f71d9a9851b59b4d9a88",
"type": "github"
},
"original": {
"owner": "farcaller",
"repo": "nix-kube-generators",
"type": "github"
}
},
"nixhelm": {
"inputs": {
"flake-utils": "flake-utils_2",
"haumea": "haumea",
"nix-kube-generators": "nix-kube-generators_2",
"nixpkgs": [
"nixpkgs"
],
"poetry2nix": "poetry2nix"
},
"locked": {
"lastModified": 1728868745,
"narHash": "sha256-ZuaxkAtUL1visOmVMxgHk3j+H8/bMmm82tJfE1s35VY=",
"owner": "farcaller",
"repo": "nixhelm",
"rev": "f901d2ba3ce1bd0086d50efdcce3cc76bce04d80",
"type": "github"
},
"original": {
"owner": "farcaller",
"repo": "nixhelm",
"type": "github"
}
},
"nixidy": {
"inputs": {
"flake-utils": "flake-utils_4",
"kubenix": "kubenix",
"nix-kube-generators": "nix-kube-generators_3",
"nixpkgs": "nixpkgs"
},
"locked": {
"lastModified": 1728815994,
"narHash": "sha256-uF6HAoDMAX0cZbKH27k/0UpIteQMhyLkP1rYKUfj5ys=",
"owner": "arnarg",
"repo": "nixidy",
"rev": "6e20193c95a0aaca444289d7c69f4eb329d25234",
"type": "github"
},
"original": {
"owner": "arnarg",
"ref": "HEAD",
"repo": "nixidy",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1702151865,
"narHash": "sha256-9VAt19t6yQa7pHZLDbil/QctAgVsA66DLnzdRGqDisg=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "666fc80e7b2afb570462423cb0e1cf1a3a34fedd",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1720386169,
"narHash": "sha256-NGKVY4PjzwAa4upkGtAMz1npHGoRzWotlSnVlqI40mo=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "194846768975b7ad2c4988bdb82572c00222c0d7",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-24.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1728492678,
"narHash": "sha256-9UTxR8eukdg+XZeHgxW5hQA9fIKHsKCdOIUycTryeVw=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "5633bcff0c6162b9e4b5f1264264611e950c8ec7",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_3": {
"locked": {
"lastModified": 1697382362,
"narHash": "sha256-PvFjWFmSYOF6TjNZ/WjOeqa+sgaWm+83Fz37vEuATHA=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "ad9a253a0d34f313707f9c25fb8c95c65b1c8882",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "release-23.05",
"repo": "nixpkgs",
"type": "github"
}
},
"poetry2nix": {
"inputs": {
"flake-utils": "flake-utils_3",
"nix-github-actions": "nix-github-actions",
"nixpkgs": [
"nixhelm",
"nixpkgs"
],
"systems": "systems_4",
"treefmt-nix": "treefmt-nix"
},
"locked": {
"lastModified": 1718285706,
"narHash": "sha256-DScsBM+kZvxOva7QegfdtleebMXh30XPxDQr/1IGKYo=",
"owner": "nix-community",
"repo": "poetry2nix",
"rev": "a5be1bbbe0af0266147a88e0ec43b18c722f2bb9",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "poetry2nix",
"type": "github"
}
},
"pre-commit-hooks": {
"inputs": {
"flake-compat": "flake-compat_2",
"gitignore": "gitignore",
"nixpkgs": [
"nixpkgs"
],
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1728778939,
"narHash": "sha256-WybK5E3hpGxtCYtBwpRj1E9JoiVxe+8kX83snTNaFHE=",
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"rev": "ff68f91754be6f3427e4986d7949e6273659be1d",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"type": "github"
}
},
"root": {
"inputs": {
"flake-utils": "flake-utils",
"nix-kube-generators": "nix-kube-generators",
"nixhelm": "nixhelm",
"nixidy": "nixidy",
"nixpkgs": "nixpkgs_2",
"pre-commit-hooks": "pre-commit-hooks",
"yaml2nix": "yaml2nix"
}
},
"rust-overlay": {
"inputs": {
"flake-utils": [
"yaml2nix",
"cargo2nix",
"flake-utils"
],
"nixpkgs": [
"yaml2nix",
"cargo2nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1697336027,
"narHash": "sha256-ctmmw7j4liyfSh63v9rdFZeIoNYCkCvgqvtEOB7KhX8=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "e494404d36a41247987eeb1bfc2f1ca903e97764",
"type": "github"
},
"original": {
"owner": "oxalica",
"repo": "rust-overlay",
"type": "github"
}
},
"systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_2": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_3": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_4": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"id": "systems",
"type": "indirect"
}
},
"systems_5": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_6": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"id": "systems",
"type": "indirect"
}
},
"systems_7": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"treefmt": {
"inputs": {
"nixpkgs": [
"nixidy",
"kubenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1688026376,
"narHash": "sha256-qJmkr9BWDpqblk4E9/rCsAEl39y2n4Ycw6KRopvpUcY=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "df3f32b0cc253dfc7009b7317e8f0e7ccd70b1cf",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "treefmt-nix",
"type": "github"
}
},
"treefmt-nix": {
"inputs": {
"nixpkgs": [
"nixhelm",
"poetry2nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1717850719,
"narHash": "sha256-npYqVg+Wk4oxnWrnVG7416fpfrlRhp/lQ6wQ4DHI8YE=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "4fc1c45a5f50169f9f29f6a98a438fb910b834ed",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "treefmt-nix",
"type": "github"
}
},
"yaml2nix": {
"inputs": {
"cargo2nix": "cargo2nix",
"flake-utils": [
"flake-utils"
],
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1726132715,
"narHash": "sha256-DkHWWpvBco2yodyOk40LjTNcoaJ1bFKf0JY9OwWgy5M=",
"owner": "euank",
"repo": "yaml2nix",
"rev": "3a6df359da40ee49cb9ed597c2400342b76f2083",
"type": "github"
},
"original": {
"owner": "euank",
"repo": "yaml2nix",
"type": "github"
}
}
},
"root": "root",
"version": 7
}
+148
@@ -0,0 +1,148 @@
{
description = "My ArgoCD configuration with nixidy.";
inputs = {
nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
flake-utils.url = "github:numtide/flake-utils";
nixidy = {
url = "github:juselius/nixidy?ref=HEAD";
# url = "github:juselius/nixidy?ref=special-args";
# url = "/home/jonas/src/OceanBox/nixidy";
# inputs.nixpkgs.follows = "nixpkgs";
};
nixhelm = {
url = "github:farcaller/nixhelm";
inputs.nixpkgs.follows = "nixpkgs";
};
pre-commit-hooks = {
url = "github:cachix/pre-commit-hooks.nix";
inputs.nixpkgs.follows = "nixpkgs";
};
nix-kube-generators.url = "github:farcaller/nix-kube-generators";
yaml2nix = {
url = "github:euank/yaml2nix";
inputs.nixpkgs.follows = "nixpkgs";
inputs.flake-utils.follows = "flake-utils";
};
};
outputs =
{
self,
nixpkgs,
flake-utils,
nixidy,
nixhelm,
yaml2nix,
pre-commit-hooks,
nix-kube-generators,
}:
(flake-utils.lib.eachDefaultSystem (
system:
let
pkgs = import nixpkgs { inherit system; };
kube = nix-kube-generators.lib { inherit pkgs; };
lib = {
apps = import ./modules/lib.nix { inherit pkgs kube;};
};
in
{
nixidyEnvs = nixidy.lib.mkEnvs {
inherit pkgs;
extraSpecialArgs = { inherit lib; };
charts = nixhelm.chartsDerivations.${system};
modules = [
./modules
./apps
./policies
];
envs = {
prod.modules = [ ./envs/prod.nix ];
staging.modules = [ ./envs/staging.nix ];
};
};
checks = {
pre-commit-check = pre-commit-hooks.lib.${system}.run {
src = ./.;
hooks = {
nixfmt-rfc-style.enable = false;
deadnix.enable = false;
statix.enable = false;
};
};
};
packages = {
nixidy = nixidy.packages.${system}.default;
generators = {
cilium = nixidy.packages.${system}.generators.fromCRD {
name = "cilium";
src = pkgs.fetchFromGitHub {
owner = "cilium";
repo = "cilium";
rev = "v1.16.0";
hash = "sha256-LJrNGHF52hdKCuVwjvGifqsH+8hxkf/A3LZNpCHeR7E=";
};
crds = [
"pkg/k8s/apis/cilium.io/client/crds/v2/ciliumnetworkpolicies.yaml"
"pkg/k8s/apis/cilium.io/client/crds/v2/ciliumclusterwidenetworkpolicies.yaml"
];
};
kyverno = nixidy.packages.${system}.generators.fromCRD {
name = "kyverno";
src = pkgs.fetchFromGitHub {
owner = "kyverno";
repo = "kyverno";
rev = "v1.12.6";
hash = "sha256-FwVB1okxhWTzWlZljGEEH9KuSsJl9GmwnX7bn4iDx/M=";
};
crds = [
"config/crds/kyverno/kyverno.io_cleanuppolicies.yaml"
"config/crds/kyverno/kyverno.io_clustercleanuppolicies.yaml"
"config/crds/kyverno/kyverno.io_clusterpolicies.yaml"
"config/crds/kyverno/kyverno.io_globalcontextentries.yaml"
"config/crds/kyverno/kyverno.io_policies.yaml"
"config/crds/kyverno/kyverno.io_policyexceptions.yaml"
"config/crds/kyverno/kyverno.io_updaterequests.yaml"
];
};
};
};
apps = {
gen-crd = {
type = "app";
program =
(pkgs.writeShellScript "generate-modules" ''
set -eo pipefail
echo "generate cilium"
cat ${self.packages.${system}.generators.cilium} > modules/cilium-crd.nix
echo "generate kyverno"
cat ${self.packages.${system}.generators.kyverno} > modules/kyverno-crd.nix
'').outPath;
};
};
devShells.default = pkgs.mkShellNoCC {
inherit (self.checks.${system}.pre-commit-check) shellHook;
nativeBuildInputs = with pkgs; [
self.checks.${system}.pre-commit-check.enabledPackages
nixidy.packages.${system}.default
yaml2nix.packages.${system}.default
nixd
nixfmt-rfc-style
just
fzf
];
NIXD_FLAGS = "--inlay-hints";
};
}
));
}
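Review bot: `nixidy` is the only input whose `inputs.nixpkgs.follows = "nixpkgs"` is commented out, so the lock carries a second `nixos-unstable` nixpkgs (rev `666fc80e…`, lastModified 1702151865, December 2023) alongside the root pin, and nixidy's own packages used in `devShells` and `packages` are presumably built from that older tree; either restore the follows line or leave a comment saying why nixidy needs its own nixpkgs. The input also points at a fork with `?ref=HEAD`, so `nix flake update` moves it to whatever that fork's default branch holds at the time; pin a tag or commit, or document that tracking HEAD is deliberate. The `yaml2nix` → `cargo2nix` chain similarly drags in a `release-23.05` nixpkgs (`nixpkgs_3`); that is inherited from upstream and only worth a comment.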
+44
@@ -0,0 +1,44 @@
let
sources = import ./nix;
system = builtins.currentSystem;
pkgs = import sources.nixpkgs {
inherit system;
config = { };
overlays = [ ];
};
nixpkgs = sources.nixpkgs;
nixidy = import sources.nixidy { inherit nixpkgs; };
in
{
cilium = nixidy.generators.fromCRD {
name = "cilium";
src = pkgs.fetchFromGitHub {
owner = "cilium";
repo = "cilium";
rev = "v1.16.0";
hash = "sha256-LJrNGHF52hdKCuVwjvGifqsH+8hxkf/A3LZNpCHeR7E=";
};
crds = [
"pkg/k8s/apis/cilium.io/client/crds/v2/ciliumnetworkpolicies.yaml"
"pkg/k8s/apis/cilium.io/client/crds/v2/ciliumclusterwidenetworkpolicies.yaml"
];
};
kyverno = nixidy.generators.fromCRD {
name = "kyverno";
src = pkgs.fetchFromGitHub {
owner = "kyverno";
repo = "kyverno";
rev = "v1.12.6";
hash = "sha256-FwVB1okxhWTzWlZljGEEH9KuSsJl9GmwnX7bn4iDx/M=";
};
crds = [
"config/crds/kyverno/kyverno.io_cleanuppolicies.yaml"
"config/crds/kyverno/kyverno.io_clustercleanuppolicies.yaml"
"config/crds/kyverno/kyverno.io_clusterpolicies.yaml"
"config/crds/kyverno/kyverno.io_globalcontextentries.yaml"
"config/crds/kyverno/kyverno.io_policies.yaml"
"config/crds/kyverno/kyverno.io_policyexceptions.yaml"
"config/crds/kyverno/kyverno.io_updaterequests.yaml"
];
};
}
+17
@@ -0,0 +1,17 @@
default := "prod"
default:
just --choose
info target=default:
nix run .#nixidy -- info .#{{target}}
build target=default:
nix run .#nixidy -- build .#{{target}}
switch target=default:
nix run .#nixidy -- switch .#{{target}}
generate:
nix build .#generators.cilium
nix build .#generators.kyverno
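Review bot: `default := "prod"` makes a bare `just switch` apply the prod environment, so the one invocation that should be deliberate is also the one you get by forgetting the argument. Default to staging (`default := "staging"`), or give `switch` no default so the target must be spelled out while `info` and `build` keep the convenience default. A one-line comment above the variable stating that it is the deploy target for `switch` would also help.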
-1
@@ -1 +0,0 @@
oceanbox/atlantis
@@ -1,37 +0,0 @@
{
"oidc": {
"issuer": "https://idp.oceanbox.io/dex",
"authorization_endpoint": "https://idp.oceanbox.io/dex/auth",
"token_endpoint": "https://idp.oceanbox.io/dex/token",
"jwks_uri": "https://idp.oceanbox.io/dex/keys",
"userinfo_endpoint": "https://idp.oceanbox.io/dex/userinfo",
"device_authorization_endpoint": "https://idp.oceanbox.io/dex/device/code",
"clientId": "atlantis",
"clientSecret": "",
"scopes": [
"openid",
"email",
"offline_access",
"profile"
]
},
"redis": "prod-redis-master.redis.svc,user=default,password=secret",
"sso": {
"cookieDomain": ".oceanbox.io",
"signedOutRedirectUri": "https://idp.oceanbox.io/dex/static/logout.html",
"appDomain": "atlantis",
"dataProtectionKeys": "DataProtection-Keys"
},
"archmeister" : "https://archmeister.srv.oceanbox.io",
"sorcerer" : "https://sorcerer.data.oceanbox.io",
"allowedOrigins": [
"http://maps.oceanbox.io",
"https://maps.oceanbox.io",
"http://atlantis.srv.oceanbox.io",
"https://atlantis.srv.oceanbox.io"
],
"logService" : "https://seq.adm.oceanbox.io",
"logApiKey": "",
"deployEnv": "prod",
"plainAuthUsers": []
}
-3
@@ -1,3 +0,0 @@
OIDC_CLIENT_SECRET=KOJ6bDHzE5vdyfSrzgwLjtM5PzA809Zm
SEQ_APIKEY=v9RfeLBD9Si7OkFlkjPm
DEPLOY_NAME=prod-atlantis
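Review bot: Deleting this `.env` file does not remove the `OIDC_CLIENT_SECRET` and `SEQ_APIKEY` values from repository history, and the same applies to the staging file deleted below (`DEPLOY_NAME=staging-atlantis`); both credentials should be treated as exposed and rotated at the identity provider and in Seq, with the replacements going only to whatever secret source the new kustomizations read from. Cleaning the history is a separate, coordinated rewrite and not something this commit can do, so the rotation is the part that matters now.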
@@ -1,41 +0,0 @@
- op: replace
path: /spec/template/spec/containers/0/env/0
value:
name: LOG_LEVEL
value: "4"
- op: add
path: /spec/template/spec/containers/0/env/-
value:
name: BARENTSWATCH_SECRET
valueFrom:
secretKeyRef:
name: prod-atlantis-barentswatch
key: secret
optional: true
- op: add
path: /spec/template/spec/containers/0/env/-
value:
name: BARENTSWATCH_CLIENT_ID
valueFrom:
secretKeyRef:
name: prod-atlantis-barentswatch
key: client-id
optional: true
- op: add
path: /spec/template/spec/containers/0/env/-
value:
name: REDIS_USER
value: default
- op: add
path: /spec/template/spec/containers/0/env/-
value:
name: REDIS_PASSWORD
valueFrom:
secretKeyRef:
name: prod-redis
key: redis-password
- op: add
path: /spec/template/spec/containers/0/envFrom/-
value:
secretRef:
name: prod-atlantis-env
@@ -1,35 +0,0 @@
{
"oidc": {
"issuer": "https://idp.oceanbox.io/dex",
"authorization_endpoint": "https://idp.oceanbox.io/dex/auth",
"token_endpoint": "https://idp.oceanbox.io/dex/token",
"jwks_uri": "https://idp.oceanbox.io/dex/keys",
"userinfo_endpoint": "https://idp.oceanbox.io/dex/userinfo",
"device_authorization_endpoint": "https://idp.oceanbox.io/dex/device/code",
"clientId": "atlantis_dev",
"clientSecret": "",
"scopes": [
"openid",
"email",
"offline_access",
"profile"
]
},
"redis": "staging-redis-master.redis.svc,user=default,password=secret",
"sso": {
"cookieDomain": ".oceanbox.io",
"signedOutRedirectUri": "https://idp.oceanbox.io/dex/static/logout.html",
"appDomain": "atlantis",
"dataProtectionKeys": "DataProtection-Keys"
},
"archmeister" : "https://archmeister.beta.oceanbox.io",
"sorcerer" : "https://sorcerer.ekman.oceanbox.io",
"allowedOrigins": [
"http://atlantis.beta.oceanbox.io",
"https://atlantis.beta.oceanbox.io"
],
"logService" : "https://seq.adm.oceanbox.io",
"logApiKey": "",
"deployEnv": "staging",
"plainAuthUsers": []
}
@@ -1,3 +0,0 @@
OIDC_CLIENT_SECRET=3QjfSPmAemjn34XVA2o1fvoS7I4gKvOR
SEQ_APIKEY=v9RfeLBD9Si7OkFlkjPm
DEPLOY_NAME=staging-atlantis
@@ -1,41 +0,0 @@
- op: replace
path: /spec/template/spec/containers/0/env/0
value:
name: LOG_LEVEL
value: "4"
- op: add
path: /spec/template/spec/containers/0/env/-
value:
name: BARENTSWATCH_SECRET
valueFrom:
secretKeyRef:
name: staging-atlantis-barentswatch
key: secret
optional: true
- op: add
path: /spec/template/spec/containers/0/env/-
value:
name: BARENTSWATCH_CLIENT_ID
valueFrom:
secretKeyRef:
name: staging-atlantis-barentswatch
key: client-id
optional: true
- op: add
path: /spec/template/spec/containers/0/env/-
value:
name: REDIS_USER
value: default
- op: add
path: /spec/template/spec/containers/0/env/-
value:
name: REDIS_PASSWORD
valueFrom:
secretKeyRef:
name: staging-redis
key: redis-password
- op: add
path: /spec/template/spec/containers/0/envFrom/-
value:
secretRef:
name: staging-atlantis-env
-46
@@ -1,46 +0,0 @@
replicaCount: 2
podAnnotations:
dapr.io/app-id: "prod-atlantis"
dapr.io/enabled: "true"
dapr.io/app-port: "8000"
dapr.io/config: "tracing"
dapr.io/app-protocol: "http"
dapr.io/enable-app-health-check: "true"
dapr.io/app-health-check-path: "/healthz"
dapr.io/app-health-probe-interval: "3"
dapr.io/app-health-probe-timeout: "200"
dapr.io/app-health-threshold: "2"
dapr.io/sidecar-cpu-request: "100m"
dapr.io/sidecar-memory-request: "250Mi"
dapr.io/sidecar-cpu-limit: "300m"
dapr.io/sidecar-memory-limit: "1000Mi"
dapr.io/log-as-json: "true"
ingress:
annotations:
cert-manager.io/cluster-issuer: letsencrypt-production
nginx.ingress.kubernetes.io/proxy-buffer-size: 128k
hosts:
- host: atlantis.srv.oceanbox.io
paths:
- path: /
pathType: ImplementationSpecific
- host: maps.oceanbox.io
paths:
- path: /
pathType: ImplementationSpecific
tls:
- hosts:
- atlantis.srv.oceanbox.io
- maps.oceanbox.io
secretName: atlantis-tls
resources:
limits:
cpu: 250m
memory: 1Gi
requests:
cpu: 250m
memory: 1Gi
@@ -1,54 +0,0 @@
replicaCount: 2
podAnnotations:
dapr.io/app-id: "staging-atlantis"
dapr.io/enabled: "true"
dapr.io/app-port: "8000"
dapr.io/config: "tracing"
dapr.io/app-protocol: "http"
dapr.io/enable-app-health-check: "true"
dapr.io/app-health-check-path: "/healthz"
dapr.io/app-health-probe-interval: "3"
dapr.io/app-health-probe-timeout: "200"
dapr.io/app-health-threshold: "2"
dapr.io/sidecar-cpu-request: "100m"
dapr.io/sidecar-memory-request: "250Mi"
dapr.io/sidecar-cpu-limit: "300m"
dapr.io/sidecar-memory-limit: "1000Mi"
dapr.io/log-as-json: "true"
image:
tag: 7f3512e0-debug
ingress:
annotations:
cert-manager.io/cluster-issuer: letsencrypt-production
nginx.ingress.kubernetes.io/proxy-buffer-size: 128k
# nginx.ingress.kubernetes.io/affinity: "cookie"
# nginx.ingress.kubernetes.io/session-cookie-name: "http-affinity"
# nginx.ingress.kubernetes.io/session-cookie-expires: "86400"
# nginx.ingress.kubernetes.io/session-cookie-max-age: "86400"
# atlantis.oceanbox.io/expose: internal
hosts:
- host: atlantis.beta.oceanbox.io
paths:
- path: /
pathType: ImplementationSpecific
- host: atlas.oceanbox.io
paths:
- path: /
pathType: ImplementationSpecific
- host: beta.oceanbox.io
paths:
- path: /
pathType: ImplementationSpecific
tls:
- hosts:
- atlantis.beta.oceanbox.io
- atlas.oceanbox.io
- beta.oceanbox.io
secretName: staging-atlantis-tls
resources:
limits:
cpu: 250m
memory: 1Gi
requests:
cpu: 250m
memory: 1Gi
-31
@@ -1,31 +0,0 @@
replicaCount: 2
datastore:
engine: postgres
uriSecret: prod-openfga-postgresql
postgresql:
enabled: true
auth:
existingSecret: prod-openfga-postgresql
secretKeys:
userPasswordKey: postgres-password
ingress:
enabled: true
className: nginx
annotations:
cert-manager.io/cluster-issuer: letsencrypt-staging
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
hosts:
- host: openfga.srv.oceanbox.io
paths:
- path: /
pathType: ImplementationSpecific
tls:
- secretName: staging-openfga-tls
hosts:
- openfga.srv.oceanbox.io
@@ -1,29 +0,0 @@
replicaCount: 1
datastore:
engine: postgres
uriSecret: staging-openfga-postgresql
postgresql:
enabled: true
auth:
existingSecret: staging-openfga-postgresql
secretKeys:
userPasswordKey: postgres-password
ingress:
enabled: true
className: nginx
annotations:
cert-manager.io/cluster-issuer: letsencrypt-staging
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
hosts:
- host: openfga.dev.oceanbox.io
paths:
- path: /
pathType: ImplementationSpecific
tls:
- secretName: staging-openfga-tls
hosts:
- openfga.dev.oceanbox.io
-8
@@ -1,8 +0,0 @@
# fullnameOverride: openfga
playground:
enabled: false
port: 3000
-1
@@ -1 +0,0 @@
oceanbox/sorcerer
@@ -1,28 +0,0 @@
{
"sso": {
"cookieDomain": ".oceanbox.io",
"signedOutRedirectUri": "https://idp.oceanbox.io/dex/static/logout.html",
"redis": "10.255.241.201:30379,user=default,password=secret",
"appDomain": "atlantis",
"dataProtectionKeys": "DataProtection-Keys"
},
"allowedOrigins": [
"http://localhost:8085",
"http://localhost:8080",
"https://localhost:8080",
"https://maps.oceanbox.io",
"https://atlantis.srv.oceanbox.io",
"https://maps.relic.oceanbox.io",
"https://atlantis.beta.oceanbox.io",
"https://atlantis.dev.oceanbox.io",
"https://atlantis.local.oceanbox.io:8080",
"https://jonas-atlantis.dev.oceanbox.io",
"https://stig-atlantis.dev.oceanbox.io",
"https://simkir-atlantis.dev.oceanbox.io"
],
"archiveSvc": "https://archmeister.srv.oceanbox.io",
"cacheDir": "/data/archives/cache",
"logService" : "https://seq.adm.oceanbox.io",
"logApiKey": "",
"deployEnv": "prod"
}
@@ -1,43 +0,0 @@
- op: replace
path: /spec/template/spec/containers/0/volumeMounts/0/mountPath
value: /data
- op: add
path: /spec/template/spec/containers/0/volumeMounts/-
value:
mountPath: /backup/archives
name: backup
- op: add
path: /spec/template/spec/volumes/-
value:
name: backup
persistentVolumeClaim:
claimName: prod-oceanbox-backup-archives
- op: replace
path: /spec/template/spec/containers/0/env/0
value:
name: LOG_LEVEL
value: "3"
- op: add
path: /spec/template/spec/containers/0/env/-
value:
name: REDIS_USER
value: default
- op: add
path: /spec/template/spec/containers/0/env/-
value:
name: REDIS_PASSWORD
valueFrom:
secretKeyRef:
name: prod-redis
key: redis-password
- op: add
path: /spec/template/spec/containers/0/env/-
value:
name: ARCHMEISTER_AUTH
value: "admin:en-to-tre-fire"
- op: add
path: /spec/template/spec/containers/0/envFrom/-
value:
secretRef:
name: prod-sorcerer-env
-40
@@ -1,40 +0,0 @@
# apiVersion: v1
# kind: PersistentVolume
# metadata:
# name: pv-prod-oceanbox-archives
# spec:
# accessModes:
# - ReadWriteMany
# capacity:
# storage: 300T
# mountOptions:
# - vers=4.2
# - rdma
# - soft
# nfs:
# path: /data/archives
# server: 10.255.243.80
# persistentVolumeReclaimPolicy: Retain
# volumeMode: Filesystem
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: pv-prod-backup-archives
spec:
accessModes:
- ReadOnlyMany
capacity:
storage: 400T
local:
path: /backup/archives
persistentVolumeReclaimPolicy: Retain
volumeMode: Filesystem
nodeAffinity:
required:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/hostname
operator: In
values:
- fs-backup
-32
@@ -1,32 +0,0 @@
# apiVersion: v1
# kind: PersistentVolumeClaim
# metadata:
# name: prod-oceanbox-archives
# spec:
# accessModes:
# - ReadWriteMany
# resources:
# requests:
# storage: 300T
# storageClassName: ""
# volumeMode: Filesystem
# volumeName: pv-prod-oceanbox-archives
# status:
# accessModes:
# - ReadWriteMany
# capacity:
# storage: 300T
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: prod-oceanbox-backup-archives
spec:
accessModes:
- ReadOnlyMany
resources:
requests:
storage: 400T
storageClassName: ""
volumeMode: Filesystem
volumeName: pv-prod-backup-archives
@@ -1,28 +0,0 @@
{
"sso": {
"cookieDomain": ".oceanbox.io",
"signedOutRedirectUri": "https://idp.oceanbox.io/dex/static/logout.html",
"redis": "10.255.241.201:31379,user=default,password=secret",
"appDomain": "atlantis",
"dataProtectionKeys": "DataProtection-Keys"
},
"allowedOrigins": [
"http://localhost:8085",
"http://localhost:8080",
"https://localhost:8080",
"https://maps.oceanbox.io",
"https://atlantis.srv.oceanbox.io",
"https://atlantis.dev.oceanbox.io",
"https://atlantis.beta.oceanbox.io",
"https://atlantis.local.oceanbox.io:8080",
"https://jonas-atlantis.dev.oceanbox.io",
"https://stig-atlantis.dev.oceanbox.io",
"https://simkir-atlantis.dev.oceanbox.io"
],
"archiveSvc": "https://archmeister.beta.oceanbox.io",
"cacheDir": "/data/archives/cache",
"logService" : "https://seq.adm.oceanbox.io",
"logApiKey": "",
"deployEnv": "staging"
}
@@ -1 +0,0 @@
SEQ_APIKEY=7iIXHJukYjSLQDix6CnZ
@@ -1,43 +0,0 @@
- op: replace
path: /spec/template/spec/containers/0/volumeMounts/0/mountPath
value: /data
- op: add
path: /spec/template/spec/containers/0/volumeMounts/-
value:
mountPath: /backup/archives
name: backup
- op: add
path: /spec/template/spec/volumes/-
value:
name: backup
persistentVolumeClaim:
claimName: staging-oceanbox-backup-archives
- op: replace
path: /spec/template/spec/containers/0/env/0
value:
name: LOG_LEVEL
value: "4"
- op: add
path: /spec/template/spec/containers/0/env/-
value:
name: REDIS_USER
value: default
- op: add
path: /spec/template/spec/containers/0/env/-
value:
name: REDIS_PASSWORD
valueFrom:
secretKeyRef:
name: staging-redis
key: redis-password
- op: add
path: /spec/template/spec/containers/0/env/-
value:
name: ARCHMEISTER_AUTH
value: "admin:en-to-tre-fire"
- op: add
path: /spec/template/spec/containers/0/envFrom/-
value:
secretRef:
name: staging-sorcerer-env
-41
@@ -1,41 +0,0 @@
# apiVersion: v1
# kind: PersistentVolume
# metadata:
# name: pv-staging-oceanbox-archives
# spec:
# accessModes:
# - ReadWriteMany
# capacity:
# storage: 300T
# mountOptions:
# - vers=4.2
# - rdma
# - soft
# nfs:
# path: /data/archives
# server: 10.255.243.80
# persistentVolumeReclaimPolicy: Retain
# volumeMode: Filesystem
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: pv-staging-backup-archives
spec:
accessModes:
- ReadWriteMany
capacity:
storage: 400T
local:
path: /backup/archives
persistentVolumeReclaimPolicy: Retain
volumeMode: Filesystem
nodeAffinity:
required:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/hostname
operator: In
values:
- fs2
-32
@@ -1,32 +0,0 @@
# apiVersion: v1
# kind: PersistentVolumeClaim
# metadata:
# name: staging-oceanbox-archives
# spec:
# accessModes:
# - ReadWriteMany
# resources:
# requests:
# storage: 300T
# storageClassName: ""
# volumeMode: Filesystem
# volumeName: pv-staging-oceanbox-archives
# status:
# accessModes:
# - ReadWriteMany
# capacity:
# storage: 300T
# ---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: staging-oceanbox-backup-archives
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 400T
storageClassName: ""
volumeMode: Filesystem
volumeName: pv-staging-backup-archives
-35
@@ -1,35 +0,0 @@
replicaCount: 2
ingress:
annotations:
cert-manager.io/cluster-issuer: letsencrypt-production
nginx.ingress.kubernetes.io/affinity: "cookie"
nginx.ingress.kubernetes.io/session-cookie-name: "http-affinity"
nginx.ingress.kubernetes.io/session-cookie-expires: "86400"
nginx.ingress.kubernetes.io/session-cookie-max-age: "86400"
atlantis.oceanbox.io/expose: internal
hosts:
- host: sorcerer.data.oceanbox.io
paths:
- path: /
pathType: ImplementationSpecific
tls:
- hosts:
- sorcerer.data.oceanbox.io
secretName: prod-sorcerer-tls
persistence:
enabled: true
existingClaim: prod-ceph-archives
# existingClaim: prod-oceanbox-backup-archives
nodeSelector:
topology.kubernetes.io/group: login
# kubernetes.io/hostname: fs-backup
# node-role.kubernetes.io/worker: c1-1
# tolerations:
# - key: workload
# operator: Equal
# value: compute
# effect: NoSchedule
@@ -1,34 +0,0 @@
replicaCount: 1
image:
tag: 183dec97-debug
ingress:
annotations:
cert-manager.io/cluster-issuer: letsencrypt-production
# nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
nginx.ingress.kubernetes.io/affinity: "cookie"
nginx.ingress.kubernetes.io/session-cookie-name: "http-affinity"
nginx.ingress.kubernetes.io/session-cookie-expires: "86400"
nginx.ingress.kubernetes.io/session-cookie-max-age: "86400"
atlantis.oceanbox.io/expose: internal
hosts:
- host: sorcerer.ekman.oceanbox.io
paths:
- path: /
pathType: ImplementationSpecific
tls:
- hosts:
- sorcerer.ekman.oceanbox.io
secretName: staging-sorcerer-tls
persistence:
enabled: true
existingClaim: staging-ceph-archives
# existingClaim: staging-oceanbox-backup-archives
nodeSelector:
topology.kubernetes.io/group: login
# kubernetes.io/hostname: fs-backup
# node-role.kubernetes.io/worker: c1-1
# tolerations:
# - key: workload
# operator: Equal
# value: compute
# effect: NoSchedule
+79
@@ -0,0 +1,79 @@
{ lib, config, ... }:
let
cfg = config.apps;
in
{
imports = [];
options.apps = with lib; {
env = mkOption {
type = types.str;
default = "prod";
description = "Enable";
};
autoSync = mkOption {
type = types.bool;
default = true;
description = "Auto sync";
};
prune = mkOption {
type = types.bool;
default = false;
description = "Prune";
};
selfHeal = mkOption {
type = types.bool;
default = false;
description = "Self-heal";
};
serverSideDiff = mkOption {
type = types.bool;
default = true;
description = "Enable server-side diffing";
};
};
config = {
nixidy = {
target = {
repository = "https://gitlab.com/oveanbox/manifests.git";
branch = "main";
rootPath = "_manifests/${config.apps.env}";
};
resourceImports = [
./cilium-crd.nix
./kyverno-crd.nix
];
chartsDir = ../charts;
defaults = {
syncPolicy = {
autoSync = {
enabled = cfg.autoSync;
prune = cfg.prune;
selfHeal = cfg.selfHeal;
};
};
# Many helm chars will render all resources with the
# following labels.
# This produces huge diffs when the charts are updated
# because the values of these labels change each release.
# Here we add a transformer that strips them out after
# templating the helm charts in each application.
helm.transformer = map (
lib.kube.removeLabels [
"app.kubernetes.io/version"
"helm.sh/chart"
]
);
};
};
};
}
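Review bot: The nixidy target on the `repository = "https://gitlab.com/oveanbox/manifests.git";` line looks misspelled — every host elsewhere on this page is under `oceanbox`, so as written whatever consumes this target would be pointed at a different GitLab namespace; presumably it should read `repository = "https://gitlab.com/oceanbox/manifests.git";`. Because `env` defaults to `"prod"`, an evaluation that forgets to set `apps.env` silently renders into `_manifests/prod`; a non-production default, or no default so evaluation fails loudly, would be the safer choice. The `env` option's `description = "Enable";` is copied from a bool option and should describe the value, e.g. `description = "Deployment environment; selects the _manifests/<env> output directory";`, and `serverSideDiff` is declared here but not read anywhere in this file (it may be consumed elsewhere). Independently of this file, the removed `.env` files and kustomize patches earlier in this diff carried literal credentials (`OIDC_CLIENT_SECRET`, `SEQ_APIKEY`, `ARCHMEISTER_AUTH`); deleting them does not remove them from history, so they should be treated as exposed and rotated.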
File diff suppressed because it is too large Load Diff
+93
@@ -0,0 +1,93 @@
{ pkgs, kube }:
{
appOptions = opts: with pkgs.lib; {
enable = mkOption {
type = types.bool;
default = true;
description = "Enable";
};
autoSync = mkOption {
type = types.bool;
default = true;
description = "Auto sync";
};
prune = mkOption {
type = types.bool;
default = false;
description = "Prune";
};
serverSideDiff = mkOption {
type = types.bool;
default = true;
description = "Enable server-side diffing";
};
name = mkOption {
type = types.nullOr types.str;
default = null;
description = "Application name";
};
namespace = mkOption {
type = types.nullOr types.str;
default = null;
description = "Namespace";
};
project = mkOption {
type = types.str;
default = "default";
description = "Project";
};
cluster = mkOption {
type = types.str;
default = "https://kubernetes.default.svc";
description = "Cluster";
};
values = mkOption {
type = types.attrsOf types.anything;
default = {};
description = "Values";
};
} // opts;
appConfig = cfg: name: conf:
with pkgs.lib;
let
app = conf // {
name = if builtins.isNull cfg.name then name else cfg.name;
project = cfg.project;
destination.server = cfg.cluster;
createNamespace = true;
compareOptions = {
serverSideDiff = cfg.serverSideDiff;
};
syncPolicy = {
syncOptions = {
applyOutOfSyncOnly = true;
};
autoSync = mkIf cfg.autoSync {
prune = cfg.prune;
selfHeal = false;
};
};
} // (if builtins.isNull cfg.namespace then {} else { namespace = cfg.namespace; });
in mkIf cfg.enable { applications.${name} = app; };
appValues = with pkgs.lib; { env, base, extraValues}:
attrsets.mergeAttrsList (lists.flatten [
(kube.fromYAML (builtins.readFile "${base}/values.yaml"))
(kube.fromYAML (builtins.readFile "${base}/values-${env}.yaml"))
[ extraValues ]
]);
}
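Review bot: `attrsets.mergeAttrsList` in `appValues` is a shallow `//` merge, so any top-level key present in both `values.yaml` and `values-${env}.yaml` (the deleted per-environment files on this page set `ingress`, `resources`, `persistence`, …) replaces the base key wholesale instead of being merged, which differs from Helm's own layered `-f` semantics and silently drops nested base settings such as `ingress.annotations`; `foldl' recursiveUpdate {} (lists.flatten [ … ])` keeps the deep-merge behaviour with the same argument list. `builtins.readFile "${base}/values-${env}.yaml"` also aborts evaluation for any environment without an override file; if that is not intended, `lists.optional (builtins.pathExists p) (kube.fromYAML (builtins.readFile p))` makes the file optional. In `appConfig`, `selfHeal = false;` is hard-coded even though the options module earlier in this diff exposes a `selfHeal` option, so the two mechanisms disagree; and `builtins.isNull` on the `name`/`namespace` lines is deprecated in current Nix, `cfg.name == null` being the idiomatic form.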
