allow otel world

applications/keycloak.yaml

@@ -10,7 +10,7 @@ spec:
     namespace: idp
   sources:
   - repoURL: https://charts.bitnami.com/bitnami
-    targetRevision: 18.3.4
+    targetRevision: 24.0.2
     chart: keycloak
     helm:
       valueFiles:

applications/opentelemetry-collector.yaml

@@ -90,12 +90,12 @@ spec:
         ingress:
           enabled: true
           annotations:
-              cert-manager.io/cluster-issuer: letsencrypt-staging
+              cert-manager.io/cluster-issuer: letsencrypt-production
               nginx.ingress.kubernetes.io/ssl-redirect: "true"
               atlantis.oceanbox.io/expose: internal
           ingressClassName: nginx
           hosts:
-            - host: collector.adm.oceanbox.io
+            - host: opentelemetry-collector.adm.oceanbox.io
               paths:
                 - path: /
                   pathType: Prefix
@@ -103,4 +103,4 @@ spec:
           tls:
             - secretName: collector-tls
               hosts:
-                - collector.adm.oceanbox.io
+                - opentelemetry-collector.adm.oceanbox.io

charts/archmeister/values.yaml

@@ -11,6 +11,17 @@ init:
   enabled: false
   image: ubuntu:rolling
   command: ["/bin/sh", "-c", "true"]
+env:
+  - name: LOG_LEVEL
+    value: "3"
+  - name: APP_NAME
+    valueFrom:
+      fieldRef:
+        fieldPath: metadata.name
+  - name: APP_NAMESPACE
+    valueFrom:
+      fieldRef:
+        fieldPath: metadata.namespace
 imagePullSecrets:
   - name: gitlab-pull-secret
 nameOverride: ""

charts/atlantis/values.yaml

@@ -14,6 +14,14 @@ init:
 env:
   - name: LOG_LEVEL
     value: "3"
+  - name: APP_NAME
+    valueFrom:
+      fieldRef:
+        fieldPath: metadata.name
+  - name: APP_NAMESPACE
+    valueFrom:
+      fieldRef:
+        fieldPath: metadata.namespace
 imagePullSecrets:
   - name: gitlab-pull-secret
 nameOverride: ""

charts/hipster/values.yaml

@@ -11,6 +11,17 @@ init:
   enabled: false
   image: ubuntu:rolling
   command: ["/bin/sh", "-c", "true"]
+env:
+  - name: LOG_LEVEL
+    value: "3"
+  - name: APP_NAME
+    valueFrom:
+      fieldRef:
+        fieldPath: metadata.name
+  - name: APP_NAMESPACE
+    valueFrom:
+      fieldRef:
+        fieldPath: metadata.namespace
 imagePullSecrets:
   - name: gitlab-pull-secret
 nameOverride: ""

charts/petimeter/values.yaml

@@ -11,6 +11,17 @@ init:
   enabled: false
   image: ubuntu:rolling
   command: ["/bin/sh", "-c", "true"]
+env:
+  - name: LOG_LEVEL
+    value: "3"
+  - name: APP_NAME
+    valueFrom:
+      fieldRef:
+        fieldPath: metadata.name
+  - name: APP_NAMESPACE
+    valueFrom:
+      fieldRef:
+        fieldPath: metadata.namespace
 imagePullSecrets:
   - name: gitlab-pull-secret
 nameOverride: ""

charts/sorcerer/templates/deployment.yaml

@@ -38,8 +38,7 @@ spec:
               containerPort: {{ .Values.service.port }}
               protocol: TCP
           env:
-            - name: LOG_LEVEL
-              value: "3"
+            {{- toYaml .Values.env | nindent 12 }}
           livenessProbe:
             httpGet:
               path: /

charts/sorcerer/values.yaml

@@ -11,6 +11,17 @@ init:
   enabled: false
   image: ubuntu:rolling
   command: ["/bin/sh", "-c", "true"]
+env:
+  - name: LOG_LEVEL
+    value: "3"
+  - name: APP_NAME
+    valueFrom:
+      fieldRef:
+        fieldPath: metadata.name
+  - name: APP_NAMESPACE
+    valueFrom:
+      fieldRef:
+        fieldPath: metadata.namespace
 imagePullSecrets:
   - name: gitlab-pull-secret
 nameOverride: ""

kustomizations/dex/base/config.yaml

@@ -91,6 +91,7 @@ staticClients:
       - 'https://stig-atlantis.dev.oceanbox.io/signin-oidc'
       - 'https://simkir-atlantis.dev.oceanbox.io/signin-oidc'
       - 'https://atlantis.local.oceanbox.io:8080/signin-oidc'
+      - 'https://atlantis.local.oceanbox.io:8085/signin-oidc'
     name: 'Atlantis dev'
     secret: 3QjfSPmAemjn34XVA2o1fvoS7I4gKvOR
   - id: petimeter
@@ -119,6 +120,8 @@ staticClients:
       - 'https://jonas-sorcerer.ekman.oceanbox.io/signin-oidc'
       - 'https://stig-sorcerer.ekman.oceanbox.io/signin-oidc'
       - 'https://simkir-sorcerer.ekman.oceanbox.io/signin-oidc'
+      - 'https://sorcerer.local.oceanbox.io:8080/signin-oidc'
+      - 'https://sorcerer.local.oceanbox.io:8085/signin-oidc'
     name: 'Sorcerer dev'
     secret: cyrgDr1UzhQrJn8nRVqEt9BJ9mLk3OBy
   - id: archmeister

kustomizations/petimeter/manifests/acl.json

@@ -46,6 +46,48 @@
             }
         ]
     },
+    {
+        "domain": "leroyseafood.com",
+        "access": [
+            {
+                "matching": ".*@leroyseafood.com",
+                "group": "/leroy",
+                "roles": [ "user" ],
+                "capabilities": [
+                    "run:transport",
+                    "run:sedimentation"
+                ]
+            }
+        ]
+    },
+    {
+        "domain": "leroyaurora.no",
+        "access": [
+            {
+                "matching": ".*@leroyaurora.no",
+                "group": "/leroy",
+                "roles": [ "user" ],
+                "capabilities": [
+                    "run:transport",
+                    "run:sedimentation"
+                ]
+            }
+        ]
+    },
+    {
+        "domain": "leroymidt.no",
+        "access": [
+            {
+                "matching": ".*@leroymidt.no",
+                "group": "/leroy",
+                "roles": [ "user" ],
+                "capabilities": [
+                    "run:transport",
+                    "run:sedimentation"
+                ]
+            }
+        ]
+    },
     {
         "domain": "serit.no",
         "access": [
@@ -277,6 +319,34 @@
             }
         ]
     },
+    {
+        "domain": "oceandata.earth",
+        "access": [
+            {
+                "matching": ".*@oceandata.earth",
+                "group": "/hubocean",
+                "roles": [ "user" ],
+                "capabilities": [
+                    "run:transport",
+                    "run:sedimentation"
+                ]
+            }
+        ]
+    },
+    {
+        "domain": "masoval.no",
+        "access": [
+            {
+                "matching": ".*@masoval.no",
+                "group": "/masoval",
+                "roles": [ "user" ],
+                "capabilities": [
+                    "run:transport",
+                    "run:sedimentation"
+                ]
+            }
+        ]
+    },
     {
         "domain": "gmail.com",
         "access": [

resources/ekman-cluster/kyverno-policies/sync-keyvault-secret.yaml

@@ -0,0 +1,32 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  annotations:
+    policies.kyverno.io/category: Sample
+    policies.kyverno.io/description: 'Access dataprotection keys from Azure Key Vault'
+  creationTimestamp: "2024-01-15T11:58:24Z"
+  name: sync-keyvault-secrets
+spec:
+  admission: true
+  background: true
+  generateExisting: true
+  rules:
+  - generate:
+      apiVersion: v1
+      clone:
+        name: azure-keyvault
+        namespace: sorcerer
+      kind: Secret
+      name: azure-keyvault
+      namespace: '{{request.object.metadata.name}}'
+      synchronize: true
+    match:
+      any:
+      - resources:
+          kinds:
+          - Namespace
+          names:
+          - "*-sorcerer"
+    name: sync-keyvault-secrets
+
+

resources/ekman-cluster/kyverno-policies/sync-oceanbox-regcred.yaml

@@ -0,0 +1,44 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  annotations:
+    policies.kyverno.io/category: Sample
+    policies.kyverno.io/description: 'Secrets like registry credentials often need
+      to exist in multiple Namespaces so Pods there have access. Manually duplicating
+      those Secrets is time consuming and error prone. This policy will copy a Secret
+      called `regcred` which exists in the `default` Namespace to new Namespaces when
+      they are created. It will also push updates to the copied Secrets should the
+      source Secret be changed.            '
+  creationTimestamp: "2024-01-15T11:58:24Z"
+  name: sync-oceanbox-regcred
+spec:
+  admission: true
+  background: true
+  generateExisting: true
+  rules:
+  - generate:
+      apiVersion: v1
+      clone:
+        # name: oceanbox-regcred
+        name: gitlab-pull-secret
+        namespace: default
+      kind: Secret
+      # name: oceanbox-regcred
+      name: gitlab-pull-secret
+      namespace: '{{request.object.metadata.name}}'
+      synchronize: true
+    exclude:
+      any:
+      - resources:
+          kinds:
+          - Namespace
+          names:
+          - "vcluster-*"
+    match:
+      any:
+      - resources:
+          kinds:
+          - Namespace
+    name: sync-oceanbox-regcred
+
+

resources/oceanbox-cluster/kyverno-policies/sync-keyvault-secret.yaml

@@ -0,0 +1,32 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  annotations:
+    policies.kyverno.io/category: Sample
+    policies.kyverno.io/description: 'Access dataprotection keys from Azure Key Vault'
+  creationTimestamp: "2024-01-15T11:58:24Z"
+  name: sync-keyvault-secrets
+spec:
+  admission: true
+  background: true
+  generateExisting: true
+  rules:
+  - generate:
+      apiVersion: v1
+      clone:
+        name: azure-keyvault
+        namespace: atlantis
+      kind: Secret
+      name: azure-keyvault
+      namespace: '{{request.object.metadata.name}}'
+      synchronize: true
+    match:
+      any:
+      - resources:
+          kinds:
+          - Namespace
+          names:
+          - "*-atlantis"
+    name: sync-keyvault-secrets
+
+

resources/oceanbox-cluster/network-policies/otel/allow-otel-collector-ingress.yaml

@@ -0,0 +1,13 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-otel-collector-loadbalancer-ingress
+  namespace: otel
+spec:
+  description: Allow ingress from world
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: opentelemetry-collector
+  ingress:
+    - fromEntities:
+        - world