Update ghcr.io/juanfont/headscale Docker tag to v0.28.0

This reverts commit e049ec06b7.

.envrc

@@ -1,13 +1,16 @@
 #!/usr/bin/env bash
 # the shebang is ignored, but nice for editors
-watch_file nix/sources.json
-watch_file nix/checks.nix
+watch_file npins/sources.json
 
 # Load .env file if it exists
 dotenv_if_exists
 
-# Set npins dir
-export NPINS_DIRECTORY="nix"
-
 # Activate development shell
-use nix
+if type lorri &>/dev/null; then
+    echo "direnv: using lorri from PATH ($(type -p lorri))"
+    eval "$(lorri direnv)"
+else
+    # fall back to using direnv's builtin nix support
+    # to prevent bootstrapping problems.
+    use nix
+fi

.gitlab-ci.yml

@@ -1,54 +0,0 @@
-# yaml-language-server: $schema=https://gitlab.com/gitlab-org/gitlab/-/raw/master/app/assets/javascripts/editor/schema/ci.json
-default:
-  tags:
-    - nix
-
-include:
-  - project: oceanbox/gitlab-ci
-    ref: v4.5
-    file: template/Base.gitlab-ci.yml
-# stages:
-# - release
-
-# image:
-# name: alpine/helm:latest
-# entrypoint: ["/bin/bash", "-c"]
-
-# release:
-# stage: release
-# rules:
-# - if: "$CI_COMMIT_BRANCH =~ /^main/"
-# when: always
-# - when: never
-# script:
-# - |
-# cd $CI_PROJECT_DIR
-# for i in $(git show --pretty="" --name-only | grep '^charts/.*/Chart.yaml' | cut -d/ -f2); do
-# pack=$(helm package ./charts/$i | sed 's/Success.*: \(.*\)/\1/')
-# if [ ! -z $pack ]; then
-# chart=$(basename $pack)
-# curl --request POST \
-# --user gitlab-ci-token:$CI_JOB_TOKEN \
-# --form "chart=@${chart}" \
-# "${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/helm/api/stable/charts"
-# fi
-# done
-
-# rebuild:
-# stage: release
-# rules:
-# - when: manual
-# allow_failure: true
-# script:
-# - |
-# cd $CI_PROJECT_DIR
-# for i in $(find ./charts -maxdepth 2 -name Chart.yaml | cut -d/ -f3); do
-# pack=$(helm package ./charts/$i | sed 's/Success.*: \(.*\)/\1/')
-# if [ ! -z $pack ]; then
-# chart=$(basename $pack)
-# curl --request POST \
-# --user gitlab-ci-token:$CI_JOB_TOKEN \
-# --form "chart=@${chart}" \
-# "${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/helm/api/stable/charts"
-# fi
-# done

bootstrap/helmfile-cmp/Dockerfile

@@ -1,4 +1,4 @@
-FROM ghcr.io/helmfile/helmfile:v1.1.9
+FROM ghcr.io/helmfile/helmfile:v1.3.1
 
 RUN mkdir -p /home/argocd/cmp-server/config/
 COPY plugin.yaml /home/argocd/cmp-server/config/

bootstrap/helmfile-cmp/deploy.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 
-img=registry.gitlab.com/oceanbox/manifests/helmfile-cmp
+img=git.oceanbox.io/platform/manifests/helmfile-cmp
 tag=${1:-latest}
 
 docker build -t "${img}":"${tag}" .

bootstrap/keycloak-theme/Dockerfile

@@ -0,0 +1,3 @@
+FROM busybox
+
+COPY keycloak-themes/oceanbox /theme

bootstrap/keycloak-theme/keycloak-themes/oceanbox/login/resources/css/oceanbox.css

@@ -0,0 +1,109 @@
+/* Oceanbox Keycloak Login Theme
+ *
+ * Branding aligned with oceanbox.io:
+ *   Primary teal:    #0bb4aa
+ *   Dark teal:       #37746F
+ *   Deep blue:       #031275
+ *   Background:      #f9fafd
+ *   Text:            #101010
+ */
+
+:root {
+    --pf-v5-global--primary-color--100: #0bb4aa;
+    --pf-v5-global--primary-color--200: #099e95;
+    --pf-v5-global--link--Color: #0bb4aa;
+    --pf-v5-global--link--Color--hover: #031275;
+}
+
+.login-pf body {
+    background: #f9fafd url("../img/oceanbox-bg.png") no-repeat center bottom fixed;
+    background-size: cover;
+    height: 100%;
+}
+
+/* Login container layout */
+.pf-v5-c-login__container {
+    grid-template-columns: 34rem;
+    grid-template-areas: "header"
+                         "main";
+}
+
+/* Logo */
+div.kc-logo-text {
+    background-image: url('../img/oceanbox-logo-text.png');
+    height: 80px;
+    width: 360px;
+    background-repeat: no-repeat;
+    background-size: contain;
+    background-position: center;
+    margin: 0 auto;
+}
+
+div.kc-logo-text span {
+    display: none;
+}
+
+/* Header */
+#kc-header-wrapper {
+    font-size: 29px;
+    text-transform: uppercase;
+    letter-spacing: 3px;
+    line-height: 1.2em;
+    white-space: normal;
+    color: #37746F !important;
+    text-align: center;
+}
+
+/* Login card */
+.pf-v5-c-login__main {
+    border-radius: 8px;
+    box-shadow: 0 4px 24px rgba(0, 0, 0, 0.08);
+}
+
+/* Primary button */
+.pf-v5-c-button.pf-m-primary {
+    --pf-v5-c-button--m-primary--BackgroundColor: #0bb4aa;
+    --pf-v5-c-button--m-primary--hover--BackgroundColor: #099e95;
+    --pf-v5-c-button--m-primary--active--BackgroundColor: #37746F;
+    --pf-v5-c-button--m-primary--focus--BackgroundColor: #099e95;
+    border-radius: 4px;
+}
+
+/* Links */
+.pf-v5-c-button.pf-m-link {
+    --pf-v5-c-button--m-link--Color: #0bb4aa;
+    --pf-v5-c-button--m-link--hover--Color: #031275;
+}
+
+a {
+    color: #0bb4aa;
+}
+
+a:hover {
+    color: #031275;
+}
+
+/* Form inputs */
+.pf-v5-c-form-control > input,
+.pf-v5-c-form-control > textarea {
+    border-radius: 4px;
+}
+
+#kc-recovery-codes-list {
+    columns: 2;
+}
+
+#certificate_subjectDN {
+    overflow-wrap: break-word;
+}
+
+hr {
+    margin-top: var(--pf-v5-global--spacer--sm);
+    margin-bottom: var(--pf-v5-global--spacer--md);
+}
+
+@media (min-width: 768px) {
+    div.pf-v5-c-login__main-header {
+        grid-template-columns: 70% 30%;
+    }
+}

bootstrap/keycloak-theme/keycloak-themes/oceanbox/login/theme.properties

@@ -0,0 +1,5 @@
+parent=keycloak.v2
+import=common/keycloak
+
+stylesCommon=vendor/patternfly-v5/patternfly.min.css vendor/patternfly-v5/patternfly-addons.css
+styles=css/styles.css css/oceanbox.css

charts/atlantis/Chart.yaml

@@ -4,10 +4,10 @@ description: Atlantis map and simulation service
 type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
-version: v1.35.2
+version: v1.46.5
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application.
-appVersion: v1.35.2
+appVersion: v1.46.5
 dependencies:
   - name: diagrid-dashboard
     version: "0.1.0"

charts/atlantis/values.yaml

@@ -3,8 +3,8 @@
 # Declare variables to be passed into your templates.
 replicaCount: 1
 image:
-  repository: registry.gitlab.com/oceanbox/poseidon/atlantis
-  tag: v1.35.2
+  repository: git.oceanbox.io/oceanbox/poseidon/atlantis
+  tag: v1.46.5
   pullPolicy: IfNotPresent
 init:
   enabled: false
@@ -116,6 +116,5 @@ serviceMonitor:
 nodeSelector: {}
 tolerations: []
 affinity: {}
-
 diagrid-dashboard:
   enabled: false

charts/codex/Chart.yaml

@@ -13,9 +13,9 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: v1.35.2
+version: v1.46.5
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "v1.35.2"
+appVersion: "v1.46.5"

charts/codex/values.yaml

@@ -6,11 +6,11 @@
 replicaCount: 1
 # This sets the container image more information can be found here: https://kubernetes.io/docs/concepts/containers/images/
 image:
-  repository: registry.gitlab.com/oceanbox/poseidon/codex
+  repository: git.oceanbox.io/oceanbox/poseidon/codex
   # This sets the pull policy for images.
   pullPolicy: IfNotPresent
   # Overrides the image tag whose default is the chart appVersion.
-  tag: v1.35.2
+  tag: v1.46.5
 # This is for the secrets for pulling an image from a private repository more information can be found here: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
 imagePullSecrets:
   - name: gitlab-pull-secret

charts/diagrid-dashboard/templates/statestore.yaml

@@ -8,6 +8,7 @@ data:
     kind: Component
     metadata:
       name: statestore
+      namespace: {{ .Values.statestore.namespace | default "default" }}
     scopes:
       - {{ .Values.statestore.scope }}
     spec:
@@ -17,10 +18,10 @@ data:
         - name: redisUsername
           value: default
         - name: redisPassword
-          value: secret
+          value: {{ .Values.statestore.password | default "secret" }}
         - name: actorStateStore
           value: "true"
         - name: redisDB
-          value: "1"
+          value: "{{ .Values.statestore.redisDB | default "0" }}"
       type: state.redis
       version: v1

charts/diagrid-dashboard/values.yaml

@@ -5,6 +5,9 @@
 statestore:
   scope: my-scope
   redis: my-redis
+  namespace: default
+  password: secret
+  redisDB: "0"
 
 # This will set the replicaset count more information can be found here: https://kubernetes.io/docs/concepts/workloads/controllers/replicaset/
 replicaCount: 1

charts/docs/.helmignore

@@ -0,0 +1,26 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
+base/
+prod/
+staging/
+review/

charts/docs/Chart.yaml

@@ -0,0 +1,18 @@
+apiVersion: v2
+name: docs
+description: Oceanbox Documentation
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+version: v0.1.0
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application.
+appVersion: v0.1.0

charts/docs/templates/NOTES.txt

@@ -0,0 +1,22 @@
+1. Get the application URL by running these commands:
+{{- if .Values.ingress.enabled }}
+{{- range $host := .Values.ingress.hosts }}
+  {{- range .paths }}
+  http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }}
+  {{- end }}
+{{- end }}
+{{- else if contains "NodePort" .Values.service.type }}
+  export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "docs.fullname" . }})
+  export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+  echo http://$NODE_IP:$NODE_PORT
+{{- else if contains "LoadBalancer" .Values.service.type }}
+     NOTE: It may take a few minutes for the LoadBalancer IP to be available.
+           You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "docs.fullname" . }}'
+  export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "docs.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
+  echo http://$SERVICE_IP:{{ .Values.service.port }}
+{{- else if contains "ClusterIP" .Values.service.type }}
+  export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "docs.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
+  export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
+  echo "Visit http://127.0.0.1:8080 to use your application"
+  kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT
+{{- end }}

charts/docs/templates/_helpers.tpl

@@ -0,0 +1,63 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "docs.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "docs.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "docs.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "docs.labels" -}}
+helm.sh/chart: {{ include "docs.chart" . }}
+{{ include "docs.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "docs.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "docs.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "docs.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create -}}
+    {{ default (include "docs.fullname" .) .Values.serviceAccount.name }}
+{{- else -}}
+    {{ default "default" .Values.serviceAccount.name }}
+{{- end -}}
+{{- end -}}

charts/docs/templates/cluster.yaml

@@ -0,0 +1,24 @@
+{{- if .Values.cluster.enabled -}}
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+  name: {{ include "docs.fullname" . }}
+  annotations:
+    linkerd.io/inject: disabled
+  labels:
+    {{- include "docs.labels" . | nindent 4 }}
+spec:
+  instances: {{ .Values.cluster.instances | default "2" }}
+
+  # Example of rolling update strategy:
+  # - unsupervised: automated update of the primary once all
+  #                 replicas have been upgraded (default)
+  # - supervised: requires manual supervision to perform
+  #               the switchover of the primary
+  primaryUpdateStrategy: unsupervised
+  backup:
+    retentionPolicy: {{ .Values.cluster.backupRetention | default "60d" }}
+
+  storage:
+    size: {{ .Values.cluster.size | default "5Gi" }}
+{{- end }}

charts/docs/templates/deployment.yaml

@@ -0,0 +1,84 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "docs.fullname" . }}
+  labels:
+    {{- include "docs.labels" . | nindent 4 }}
+spec:
+  {{- if not .Values.autoscaling.enabled }}
+  replicas: {{ .Values.replicaCount }}
+  {{- end }}
+  selector:
+    matchLabels:
+      {{- include "docs.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "docs.selectorLabels" . | nindent 8 }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "docs.serviceAccountName" . }}
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      containers:
+        - name: {{ .Chart.Name }}
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          ports:
+            - name: http
+              containerPort: {{ .Values.service.port }}
+              protocol: TCP
+          env:
+            - name: LOG_LEVEL
+              value: "3"
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: http
+          readinessProbe:
+            httpGet:
+              path: /healthz
+              port: http
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+          volumeMounts:
+          - name: data
+            mountPath: /data
+      {{- if .Values.init.enabled }}
+      initContainers:
+      - name: init
+        image: {{ .Values.init.image }}
+        command: {{- toYaml .Values.init.command | nindent 10 }}
+        volumeMounts:
+        - name: data
+          mountPath: /data
+      {{- end }}
+      volumes:
+      - name: data
+      {{- if .Values.persistence.enabled }}
+        persistentVolumeClaim:
+          claimName: {{ .Values.persistence.existingClaim | default (include "docs.fullname" .) }}
+      {{- else }}
+        emptyDir: {}
+      {{- end }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}

charts/docs/templates/hpa.yaml

@@ -0,0 +1,28 @@
+{{- if .Values.autoscaling.enabled }}
+apiVersion: autoscaling/v2beta1
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{ include "docs.fullname" . }}
+  labels:
+    {{- include "docs.labels" . | nindent 4 }}
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: {{ include "docs.fullname" . }}
+  minReplicas: {{ .Values.autoscaling.minReplicas }}
+  maxReplicas: {{ .Values.autoscaling.maxReplicas }}
+  metrics:
+    {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
+    - type: Resource
+      resource:
+        name: cpu
+        targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
+    {{- end }}
+    {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
+    - type: Resource
+      resource:
+        name: memory
+        targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
+    {{- end }}
+{{- end }}

charts/docs/templates/ingress.yaml

@@ -0,0 +1,61 @@
+{{- if .Values.ingress.enabled -}}
+{{- $fullName := include "docs.fullname" . -}}
+{{- $svcPort := .Values.service.port -}}
+{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
+  {{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }}
+  {{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}}
+  {{- end }}
+{{- end }}
+{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1
+{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1beta1
+{{- else -}}
+apiVersion: extensions/v1beta1
+{{- end }}
+kind: Ingress
+metadata:
+  name: {{ $fullName }}
+  labels:
+    {{- include "docs.labels" . | nindent 4 }}
+  {{- with .Values.ingress.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
+  ingressClassName: {{ .Values.ingress.className }}
+  {{- end }}
+  {{- if .Values.ingress.tls }}
+  tls:
+    {{- range .Values.ingress.tls }}
+    - hosts:
+        {{- range .hosts }}
+        - {{ . | quote }}
+        {{- end }}
+      secretName: {{ .secretName }}
+    {{- end }}
+  {{- end }}
+  rules:
+    {{- range .Values.ingress.hosts }}
+    - host: {{ .host | quote }}
+      http:
+        paths:
+          {{- range .paths }}
+          - path: {{ .path }}
+            {{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }}
+            pathType: {{ .pathType }}
+            {{- end }}
+            backend:
+              {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
+              service:
+                name: {{ $fullName }}
+                port:
+                  number: {{ $svcPort }}
+              {{- else }}
+              serviceName: {{ $fullName }}
+              servicePort: {{ $svcPort }}
+              {{- end }}
+          {{- end }}
+    {{- end }}
+{{- end }}

charts/docs/templates/pvc.yaml

@@ -0,0 +1,25 @@
+{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) }}
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: {{ template "docs.fullname" . }}
+{{- with .Values.persistence.annotations  }}
+  annotations:
+{{ toYaml . | indent 4 }}
+{{- end }}
+  labels:
+{{ include "docs.labels" . | indent 4 }}
+spec:
+  accessModes:
+    - {{ .Values.persistence.accessMode | quote }}
+  resources:
+    requests:
+      storage: {{ .Values.persistence.size | quote }}
+{{- if .Values.persistence.storageClass }}
+{{- if (eq "-" .Values.persistence.storageClass) }}
+  storageClassName: ""
+{{- else }}
+  storageClassName: "{{ .Values.persistence.storageClass }}"
+{{- end }}
+{{- end }}
+{{- end }}

charts/docs/templates/service.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "docs.fullname" . }}
+  labels:
+    {{- include "docs.labels" . | nindent 4 }}
+spec:
+  type: {{ .Values.service.type }}
+  ports:
+    - port: {{ .Values.service.port }}
+      targetPort: http
+      protocol: TCP
+      name: http
+  selector:
+    {{- include "docs.selectorLabels" . | nindent 4 }}

charts/docs/templates/serviceaccount.yaml

@@ -0,0 +1,12 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "docs.serviceAccountName" . }}
+  labels:
+    {{- include "docs.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}

charts/docs/values.yaml

@@ -0,0 +1,82 @@
+# Default values for docs.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+replicaCount: 1
+image:
+  repository: git.oceanbox.io/oceanbox/documentation/docs
+  tag: v0.1.0
+  pullPolicy: IfNotPresent
+init:
+  enabled: false
+  image: ubuntu:rolling
+  command: ["/bin/sh", "-c", "true"]
+env:
+  - name: LOG_LEVEL
+    value: "2"
+  - name: APP_NAME
+    valueFrom:
+      fieldRef:
+        fieldPath: metadata.name
+  - name: APP_NAMESPACE
+    valueFrom:
+      fieldRef:
+        fieldPath: metadata.namespace
+# imagePullSecrets:
+  # - name: gitea-pull-secret
+nameOverride: ""
+fullnameOverride: ""
+serviceAccount:
+  create: true
+  # Annotations to add to the service account
+  annotations: {}
+  # The name of the service account to use.
+  # If not set and create is true, a name is generated using the fullname template
+  name: ""
+podAnnotations: {}
+podSecurityContext:
+  fsGroup: 2000
+securityContext:
+  capabilities:
+    drop:
+      - ALL
+  readOnlyRootFilesystem: false
+  runAsNonRoot: false
+  runAsUser: 0
+service:
+  type: ClusterIP
+  port: 8080
+ingress:
+  enabled: true
+  className: nginx
+persistence:
+  enabled: false
+  size: 1G
+  storageClass: ""
+  accessMode: ReadWriteOnce
+cluster:
+  enabled: false
+  instances: 2
+  backupEnabled: true
+  backupRetention: 60d
+  size: 5Gi
+resources: {}
+# We usually recommend not to specify default resources and to leave this as a conscious
+# choice for the user. This also increases chances charts run on environments with little
+# resources, such as Minikube. If you do want to specify resources, uncomment the following
+# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+# limits:
+#   cpu: 100m
+#   memory: 128Mi
+# requests:
+#   cpu: 100m
+#   memory: 128Mi
+
+autoscaling:
+  enabled: false
+  minReplicas: 1
+  maxReplicas: 100
+  targetCPUUtilizationPercentage: 80
+  # targetMemoryUtilizationPercentage: 80
+nodeSelector: {}
+tolerations: []
+affinity: {}

charts/makai/values.yaml

@@ -3,7 +3,7 @@
 # Declare variables to be passed into your templates.
 replicaCount: 1
 image:
-  repository: registry.gitlab.com/oceanbox/makai
+  repository: git.oceanbox.io/oceanbox/makai/makai
   tag: v0.1.0
   pullPolicy: IfNotPresent
 init:

charts/plume/Chart.yaml

@@ -4,7 +4,12 @@ description: A Helm chart for Kubernetes
 type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
-version: v1.6.7
+version: v1.6.13
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application.
-appVersion: v1.6.7
+appVersion: v1.6.13
+dependencies:
+  - name: diagrid-dashboard
+    version: "0.1.0"
+    repository: "file://../diagrid-dashboard"
+    condition: diagrid-dashboard.enabled

charts/plume/values.yaml

@@ -3,8 +3,8 @@
 # Declare variables to be passed into your templates.
 replicaCount: 1
 image:
-  repository: registry.gitlab.com/oceanbox/plume
-  tag: v1.6.7
+  repository: git.oceanbox.io/oceanbox/plume/plume
+  tag: v1.6.13
   pullPolicy: IfNotPresent
 init:
   enabled: false
@@ -90,3 +90,6 @@ serviceMonitor:
 nodeSelector: {}
 tolerations: []
 affinity: {}
+
+diagrid-dashboard:
+  enabled: false

charts/sorcerer/Chart.yaml

@@ -4,10 +4,10 @@ description: A Helm chart for Kubernetes
 type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
-version: v1.35.2
+version: v1.46.5
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application.
-appVersion: v1.35.2
+appVersion: v1.46.5
 dependencies:
   - name: diagrid-dashboard
     version: "0.1.0"

charts/sorcerer/values.yaml

@@ -4,8 +4,8 @@
 
 replicaCount: 1
 image:
-  repository: registry.gitlab.com/oceanbox/poseidon/sorcerer
-  tag: v1.35.2
+  repository: git.oceanbox.io/oceanbox/poseidon/sorcerer
+  tag: v1.46.5
   pullPolicy: IfNotPresent
 init:
   enabled: false
@@ -108,7 +108,6 @@ serviceMonitor:
 nodeSelector: {}
 tolerations: []
 affinity: {}
-
 diagrid-dashboard:
   enabled: false
   statestore:

envs/environments.yaml.gotmpl

@@ -20,4 +20,11 @@ environments:
     - ../values/*/env.yaml.gotmpl
     - ../values/*/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml.gotmpl
     missingFileHandler: Info
+  beta:
+    values:
+    - ../values/env.yaml
+    - ../values/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml
+    - ../values/*/env.yaml.gotmpl
+    - ../values/*/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml.gotmpl
+    missingFileHandler: Info
 

helmfile.d/argo.yaml.gotmpl

@@ -15,7 +15,7 @@ releases:
 - name: argocd
   namespace: argocd
   chart: argo/argo-cd
-  version: 7.9.1
+  version: 9.4.10
   condition: argo.enabled
   values:
   - ../values/argo/values/argocd.yaml.gotmpl
@@ -27,7 +27,7 @@ releases:
 - name: argocd-apps
   namespace: argocd
   chart: argo/argocd-apps
-  version: 2.0.3
+  version: 2.0.4
   condition: argo.apps.enabled
   values:
   - ../values/argo/values/apps.yaml.gotmpl
@@ -35,7 +35,7 @@ releases:
 - name: argo-rollouts
   namespace: argocd
   chart: argo/argo-rollouts
-  version: 2.40.5
+  version: 2.40.6
   condition: argo.rollouts.enabled
   values:
   - ../values/argo/values/rollouts.yaml.gotmpl
@@ -43,7 +43,7 @@ releases:
 - name: argo-workflows
   namespace: argocd
   chart: argo/argo-workflows
-  version: 0.45.27
+  version: 0.47.5
   condition: argo.workflows.enabled
   missingFileHandler: Info
 - name: manifests
@@ -66,4 +66,3 @@ releases:
     - '{{`{{ .Environment.Name }}`}}'
     - ../values/argo/manifests
     - _argo
-

helmfile.d/cert-manager.yaml.gotmpl

@@ -13,7 +13,7 @@ releases:
 - name: cert-manager
   namespace: cert-manager
   chart: cert-manager/cert-manager
-  version: v1.19.2
+  version: v1.19.4
   condition: cert_manager.enabled
   values:
   - ../values/cert-manager/values/cert-manager.yaml.gotmpl

helmfile.d/cilium.yaml.gotmpl

@@ -3,7 +3,8 @@ bases:
 
 repositories:
 - name: cilium
-  url: 'https://helm.cilium.io'
+  oci: true
+  url: 'quay.io/cilium/charts'
 
 commonLabels:
   tier: system
@@ -15,11 +16,11 @@ releases:
 - name: cilium
   namespace: kube-system
   chart: cilium/cilium
-  version: 1.16.2
+  version: {{ if eq (requiredEnv "ARGOCD_ENV_CLUSTER_NAME") "hel1" }}1.19.1{{ else if eq (requiredEnv "ARGOCD_ENV_CLUSTER_NAME") "ekman" }}1.19.1{{ else }}1.16.19{{ end }}
   condition: cilium.enabled
   values:
   - ../values/cilium/values/cilium.yaml.gotmpl
-  - ../values/cilium/values/cilium-{{ .Environment.Name }}.yaml.gotmpl
+  - ../values/cilium/values/cilium-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml.gotmpl
   missingFileHandler: Info
 - name: manifests
   namespace: cilium
@@ -55,4 +56,3 @@ releases:
     - '{{`{{ .Environment.Name }}`}}'
     - ../values/cilium/cilium-manifests
     - manifests
-

helmfile.d/docs.yaml.gotmpl

@@ -0,0 +1,38 @@
+bases:
+ - ../envs/environments.yaml.gotmpl
+
+commonLabels:
+  tier: oceanbox
+
+releases:
+- name: docs
+  namespace: docs
+  chart: ../charts/docs
+  condition: docs.enabled
+  values:
+  - ../values/docs/values/values.yaml
+  - ../values/docs/values/values-{{ .Environment.Name }}.yaml
+  postRenderer: ../bin/kustomizer
+  postRendererArgs:
+  - ../values/docs/kustomize/{{ .Environment.Name }}
+  missingFileHandler: Info
+- name: manifests
+  namespace: docs
+  chart: manifests
+  condition: docs.enabled
+  missingFileHandler: Info
+  values:
+  - ../values/env.yaml
+  - ../values/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml
+  - ../values/docs/env.yaml.gotmpl
+  - ../values/docs/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml.gotmpl
+  hooks:
+  - events: [ prepare, cleanup ]
+    showlogs: true
+    command: ../bin/helmify
+    args:
+    - '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
+    - '{{`{{ .Release.Chart }}`}}'
+    - '{{`{{ .Environment.Name }}`}}'
+    - ../values/docs/manifests
+    - manifests

helmfile.d/dragonfly.yaml.gotmpl

@@ -13,7 +13,7 @@ releases:
 - name: dragonfly
   namespace: dragonfly
   chart: dragonfly/dragonfly-operator
-  version: v1.3.1
+  version: v1.4.0
   condition: dragonfly.enabled
   values:
   - ../values/dragonfly/values/dragonfly.yaml.gotmpl

helmfile.d/drupal.yaml.gotmpl

@@ -0,0 +1,43 @@
+bases:
+ - ../envs/environments.yaml.gotmpl
+
+#repositories:
+#- name: drupal
+# url: "https://drupalwxt.github.io/helm-drupal/index.yaml"
+
+commonLabels:
+  tier: system
+
+releases:
+- name: drupal
+  namespace: drupal
+  #chart: drupal/drupal
+  #version: v1.3.0
+  condition: drupal.enabled
+  values:
+  - ../values/drupal/values/drupal.yaml.gotmpl
+  - ../values/drupal/values/drupal-{{ .Environment.Name }}.yaml.gotmpl
+  postRenderer: ../bin/kustomizer
+  postRendererArgs:
+  - ../values/drupal/kustomize/{{ .Environment.Name }}
+  missingFileHandler: Info
+- name: manifests
+  namespace: drupal
+  chart: manifests
+  condition: drupal.enabled
+  missingFileHandler: Info
+  values:
+  - ../values/env.yaml
+  - ../values/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml
+  - ../values/drupal/env.yaml.gotmpl
+  - ../values/drupal/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml.gotmpl
+  hooks:
+  - events: [ prepare, cleanup ]
+    showlogs: true
+    command: ../bin/helmify
+    args:
+    - '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
+    - '{{`{{ .Release.Chart }}`}}'
+    - '{{`{{ .Environment.Name }}`}}'
+    - ../values/drupal/manifests
+    - manifests

helmfile.d/gatus.yaml.gotmpl

@@ -12,7 +12,7 @@ releases:
 - name: gatus
   namespace: uptime
   chart: gatus/gatus
-  version: 1.4.4
+  version: 1.5.0
   condition: gatus.enabled
   values:
   - ../values/gatus/values/values.yaml

helmfile.d/gitea.yaml.gotmpl

@@ -2,35 +2,36 @@ bases:
  - ../envs/environments.yaml.gotmpl
 
 repositories:
-  - name: stevehipwell
-    url: 'https://stevehipwell.github.io/helm-charts/'
+- name: gitea
+  oci: true
+  url: docker.gitea.com/charts
 
 commonLabels:
   tier: system
 
 releases:
-- name: nexus3
-  namespace: nexus
-  chart: stevehipwell/nexus3
-  version: 5.9.0
-  condition: nexus.enabled
+- name: gitea
+  namespace: gitea
+  chart: gitea/gitea
+  version: 12.5.0
+  condition: gitea.enabled
   values:
-  - ../values/nexus/values/nexus.yaml.gotmpl
-  - ../values/nexus/values/nexus-{{ .Environment.Name }}.yaml.gotmpl
+  - ../values/gitea/values/values.yaml
+  - ../values/gitea/values/values-{{ .Environment.Name }}.yaml
   postRenderer: ../bin/kustomizer
   postRendererArgs:
-  - ../values/nexus/kustomize/{{ .Environment.Name }}
+  - ../values/gitea/kustomize/{{ .Environment.Name }}
   missingFileHandler: Info
 - name: manifests
-  namespace: nexus
+  namespace: gitea
   chart: manifests
-  condition: nexus.enabled
+  condition: gitea.enabled
   missingFileHandler: Info
   values:
   - ../values/env.yaml
   - ../values/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml
-  - ../values/nexus/env.yaml.gotmpl
-  - ../values/nexus/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml.gotmpl
+  - ../values/gitea/env.yaml.gotmpl
+  - ../values/gitea/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml.gotmpl
   hooks:
   - events: [ prepare, cleanup ]
     showlogs: true
@@ -39,5 +40,5 @@ releases:
     - '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
     - '{{`{{ .Release.Chart }}`}}'
     - '{{`{{ .Environment.Name }}`}}'
-    - ../values/nexus/manifests
+    - ../values/gitea/manifests
     - manifests

helmfile.d/ingress-nginx.yaml.gotmpl

@@ -12,7 +12,7 @@ releases:
 - name: ingress-nginx
   namespace: ingress-nginx
   chart: ingress-nginx/ingress-nginx
-  version: 4.14.1
+  version: 4.14.3
   condition: nginx.enabled
   values:
   - ../values/ingress-nginx/values/ingress-nginx.yaml.gotmpl

helmfile.d/jobset.yaml.gotmpl

@@ -0,0 +1,41 @@
+bases:
+ - ../envs/environments.yaml.gotmpl
+
+repositories:
+- name: jobset
+  oci: true
+  url: registry.k8s.io/jobset/charts
+
+releases:
+- name: jobset
+  namespace: jobset-system
+  chart: jobset/jobset
+  version: 0.11.1
+  condition: jobset.enabled
+  values:
+  - ../values/jobset/values/jobset.yaml.gotmpl
+  - ../values/jobset/values/jobset-{{ .Environment.Name }}.yaml.gotmpl
+  postRenderer: ../bin/kustomizer
+  postRendererArgs:
+  - ../values/jobset/kustomize/{{ .Environment.Name }}
+  missingFileHandler: Info
+- name: manifests
+  namespace: jobset-system
+  chart: manifests
+  condition: jobset.enabled
+  missingFileHandler: Info
+  values:
+  - ../values/env.yaml
+  - ../values/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml
+  - ../values/jobset/env.yaml.gotmpl
+  - ../values/jobset/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml.gotmpl
+  hooks:
+  - events: [ prepare, cleanup ]
+    showlogs: true
+    command: ../bin/helmify
+    args:
+    - '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
+    - '{{`{{ .Release.Chart }}`}}'
+    - '{{`{{ .Environment.Name }}`}}'
+    - ../values/jobset/manifests
+    - manifests

helmfile.d/keycloak.yaml.gotmpl

@@ -12,7 +12,7 @@ releases:
 - name: {{ .Environment.Name }}-keycloak
   namespace: keycloak
   chart: bitnami/keycloak
-  version: 24.0.2
+  version: 25.2.0
   condition: keycloak.enabled
   values:
   - ../values/keycloak/values/values.yaml

helmfile.d/kueue.yaml.gotmpl

@@ -8,7 +8,7 @@ releases:
 - name: kueue
   namespace: kueue-system
   chart: oci://registry.k8s.io/kueue/charts/kueue
-  version: 0.15.0
+  version: 0.16.2
   condition: kueue.enabled
   values:
   - ../values/kueue/values/values.yaml

helmfile.d/kyverno.yaml.gotmpl

@@ -15,7 +15,7 @@ releases:
 - name: kyverno
   namespace: kyverno
   chart: kyverno/kyverno
-  version: 3.6.1
+  version: 3.7.1
   condition: kyverno.enabled
   values:
   - ../values/kyverno/values/kyverno.yaml.gotmpl

helmfile.d/loki.yaml.gotmpl

@@ -12,7 +12,7 @@ releases:
 - name: loki
   namespace: loki
   chart: loki/loki
-  version: 6.42.0
+  version: 6.53.0
   condition: loki.enabled
   values:
   - ../values/loki/values/loki.yaml.gotmpl

helmfile.d/makai.yaml.gotmpl

@@ -6,7 +6,7 @@ commonLabels:
 
 releases:
 - name: makai
-  namespace: {{ .Environment.Name }}-makai
+  namespace: makai
   chart: ../charts/makai
   condition: makai.enabled
   values:
@@ -17,7 +17,7 @@ releases:
   - ../values/makai/kustomize/{{ .Environment.Name }}
   missingFileHandler: Info
 - name: manifests
-  namespace: {{ .Environment.Name }}-makai
+  namespace: makai
   chart: manifests
   condition: makai.enabled
   missingFileHandler: Info

helmfile.d/mariadb-operator.yaml.gotmpl

@@ -12,7 +12,7 @@ releases:
 - name: mariadb-operator
   namespace: mariadb-operator
   chart: mariadb-operator/mariadb-operator
-  version: 25.10.3
+  version: 25.10.4
   condition: mariadb_operator.enabled
   values:
   - ../values/mariadb-operator/values/mariadb-operator.yaml.gotmpl

helmfile.d/openfga.yaml.gotmpl

@@ -16,7 +16,7 @@ releases:
   namespace: {{ .Environment.Name }}-openfga
   {{- end }}
   chart: openfga/openfga
-  version: 0.2.50
+  version: 0.2.56
   condition: openfga.enabled
   values:
   - ../values/openfga/values/values.yaml

helmfile.d/opentelemetry-collector.yaml.gotmpl

@@ -12,7 +12,7 @@ releases:
 - name: opentelemetry-collector
   namespace: otel
   chart: open-telemetry/opentelemetry-collector
-  version: 0.142.1
+  version: 0.146.1
   condition: otel.enabled
   values:
   - ../values/opentelemetry-collector/values/values.yaml

helmfile.d/postfix.yaml.gotmpl

@@ -2,36 +2,35 @@ bases:
  - ../envs/environments.yaml.gotmpl
 
 repositories:
-- name: forgejo
-  oci: true
-  url: code.forgejo.org/forgejo-helm
+- name: postfix
+  url: https://bokysan.github.io/docker-postfix
 
 commonLabels:
   tier: system
 
 releases:
-- name: forgejo
-  namespace: forgejo
-  chart: forgejo/forgejo
-  version: 16.0.0
-  condition: forgejo.enabled
+- name: postfix
+  namespace: postfix
+  chart: postfix/mail
+  version: 5.1.0
+  condition: postfix.enabled
   values:
-  - ../values/forgejo/values/values.yaml
-  - ../values/forgejo/values/values-{{ .Environment.Name }}.yaml
+  - ../values/postfix/values/values.yaml
+  - ../values/postfix/values/values-{{ .Environment.Name }}.yaml
   postRenderer: ../bin/kustomizer
   postRendererArgs:
-  - ../values/forgejo/kustomize/{{ .Environment.Name }}
+  - ../values/postfix/kustomize/{{ .Environment.Name }}
   missingFileHandler: Info
 - name: manifests
-  namespace: forgejo
+  namespace: postfix
   chart: manifests
-  condition: forgejo.enabled
+  condition: postfix.enabled
   missingFileHandler: Info
   values:
   - ../values/env.yaml
   - ../values/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml
-  - ../values/forgejo/env.yaml.gotmpl
-  - ../values/forgejo/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml.gotmpl
+  - ../values/postfix/env.yaml.gotmpl
+  - ../values/postfix/env-{{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}.yaml.gotmpl
   hooks:
   - events: [ prepare, cleanup ]
     showlogs: true
@@ -40,5 +39,5 @@ releases:
     - '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
     - '{{`{{ .Release.Chart }}`}}'
     - '{{`{{ .Environment.Name }}`}}'
-    - ../values/forgejo/manifests
+    - ../values/postfix/manifests
     - manifests

helmfile.d/postgres-operator.yaml.gotmpl

@@ -27,7 +27,7 @@ releases:
 - name: plugin-barman-cloud
   namespace: cnpg
   chart: cloudnative-pg/plugin-barman-cloud
-  version: 0.3.1
+  version: 0.5.0
   condition: postgres_operator.enabled
   values:
   - ../values/postgres-operator/values/plugin-barman-cloud.yaml.gotmpl

helmfile.d/prometheus.yaml.gotmpl

@@ -15,7 +15,7 @@ releases:
 - name: prometheus
   namespace: prometheus
   chart: prometheus/kube-prometheus-stack
-  version: 72.7.0
+  version: 82.10.3
   condition: prometheus.enabled
   values:
   - ../values/prometheus/values/prometheus.yaml.gotmpl

helmfile.d/slurm-operator.yaml.gotmpl

@@ -13,7 +13,7 @@ releases:
 - name: slurm-operator
   namespace: slinky
   chart: slurm-operator/slurm-operator
-  version: 0.4.1
+  version: 1.0.2
   condition: slurm_operator.enabled
   values:
   - ../values/slurm-operator/values/slurm-operator.yaml.gotmpl

helmfile.d/slurm.yaml.gotmpl

@@ -13,7 +13,7 @@ releases:
 - name: slurm
   namespace: slurm
   chart: slurm/slurm
-  version: 0.4.1
+  version: 1.0.2
   condition: slurm.enabled
   values:
   - ../values/slurm/values/slurm.yaml.gotmpl

helmfile.d/umami.yaml.gotmpl

@@ -14,7 +14,7 @@ releases:
 - name: umami
   namespace: analytics
   chart: umami/umami
-  version: 6.0.1
+  version: 7.7.3
   condition: umami.enabled
   values:
   - ../values/umami/values/values.yaml

helmfile.d/velero.yaml.gotmpl

@@ -15,7 +15,7 @@ releases:
 - name: velero
   namespace: velero
   chart: velero/velero
-  version: 11.3.2
+  version: 12.0.0
   condition: velero.enabled
   values:
   - ../values/velero/values/velero.yaml.gotmpl

nix/kueuectl.nix

@@ -0,0 +1,19 @@
+{
+  buildGoModule,
+  fetchFromGitHub,
+}:
+buildGoModule rec {
+  pname = "kueuectl";
+  version = "0.16.3";
+
+  src = fetchFromGitHub {
+    owner = "kubernetes-sigs";
+    repo = "kueue";
+    rev = "v${version}";
+    hash = "sha256-JbU+ZoQ+YriaiIbbVCe45OTYycxYRanLhmQAdpE+xQ4=";
+  };
+
+  vendorHash = null;
+
+  subPackages = [ "cmd/kueuectl" ];
+}

nix/sources.json

@@ -1,24 +0,0 @@
-{
-  "pins": {
-    "git-hooks": {
-      "type": "Git",
-      "repository": {
-        "type": "GitHub",
-        "owner": "cachix",
-        "repo": "git-hooks.nix"
-      },
-      "branch": "master",
-      "submodules": false,
-      "revision": "f0927703b7b1c8d97511c4116eb9b4ec6645a0fa",
-      "url": "https://github.com/cachix/git-hooks.nix/archive/f0927703b7b1c8d97511c4116eb9b4ec6645a0fa.tar.gz",
-      "hash": "sha256-6MkqajPICgugsuZ92OMoQcgSHnD6sJHwk8AxvMcIgTE="
-    },
-    "nixpkgs": {
-      "type": "Channel",
-      "name": "nixpkgs-unstable",
-      "url": "https://releases.nixos.org/nixpkgs/nixpkgs-26.05pre927565.13868c071cc7/nixexprs.tar.xz",
-      "hash": "sha256-wufp5c0nWh/87f9eK7xy1eZXms5zd4yl6S4SR+LfA08="
-    }
-  },
-  "version": 7
-}

nix/treefmt.nix

@@ -0,0 +1,71 @@
+{
+  sources ? import ../npins,
+  pkgs ? import sources.nixpkgs { },
+  treefmt ? import sources.treefmt-nix,
+}:
+let
+  globalExcludes = [
+    "npins/default.nix"
+    "attic"
+    "vcluster"
+    ".*vendor"
+    ".*chart/.*"
+    ".*schema.json"
+  ];
+in
+treefmt.evalModule pkgs {
+  projectRootFile = ".git/config";
+
+  settings = {
+    excludes = globalExcludes;
+  };
+
+  programs = {
+
+    # --- Nix formatting ---
+    nixfmt = {
+      enable = true;
+      package = pkgs.nixfmt-rfc-style;
+    };
+    statix.enable = true;
+    deadnix.enable = true;
+
+    # --- Shell ---
+    shellcheck = {
+      enable = true;
+      excludes = [
+        "vcluster/"
+        "attic/"
+      ];
+    };
+
+    shfmt.enable = true;
+
+    # --- YAML ---
+    yamllint = {
+      enable = true;
+      excludes = [
+        "attic/"
+        "charts/templates/"
+        "charts/"
+        "values/"
+        "vcluster/"
+      ];
+      settings = {
+        extends = "default";
+        rules = {
+          document-start = "disable";
+          line-length = {
+            max = 300;
+          };
+        };
+      };
+    };
+
+    # --- JSON ---
+    jsonfmt.enable = true;
+
+    # Optional: keep JSON sorted
+    # prettier.enable = true;
+  };
+}

npins/sources.json

@@ -0,0 +1,24 @@
+{
+  "pins": {
+    "nixpkgs": {
+      "type": "Channel",
+      "name": "nixpkgs-unstable",
+      "url": "https://releases.nixos.org/nixpkgs/nixpkgs-26.05pre961788.75690239f08f/nixexprs.tar.xz",
+      "hash": "sha256-p0h/nSeqzIkbn/2uFC4keoIPwmqXGHsX0gkCXM7km00="
+    },
+    "treefmt-nix": {
+      "type": "Git",
+      "repository": {
+        "type": "GitHub",
+        "owner": "numtide",
+        "repo": "treefmt-nix"
+      },
+      "branch": "main",
+      "submodules": false,
+      "revision": "71b125cd05fbfd78cab3e070b73544abe24c5016",
+      "url": "https://github.com/numtide/treefmt-nix/archive/71b125cd05fbfd78cab3e070b73544abe24c5016.tar.gz",
+      "hash": "sha256-6E/yhXP7Oy/NbXtf1ktzmU8SdVqJQ09HC/48ebEGBpk="
+    }
+  },
+  "version": 7
+}

renovate.json

@@ -6,7 +6,6 @@
   "dependencyDashboard": true,
   "semanticCommits": "disabled",
   "ignorePaths": [
-    "**/attic/**",
     "**/bootstrap/**"
   ],
   "helmfile": {

shell.nix

@@ -1,57 +1,51 @@
 let
-  sources = import ./nix;
+  sources = import ./npins;
   system = builtins.currentSystem;
   pkgs = import sources.nixpkgs {
     inherit system;
     config = { };
     overlays = [ ];
   };
-  checks = import ./nix/checks.nix;
+  treefmt = import ./nix/treefmt.nix { };
+  kueuectl = pkgs.callPackage ./nix/kueuectl.nix { };
 in
 pkgs.mkShellNoCC {
-  name = "clstr";
+  packages = [
+    # dev tools
+    pkgs.just
+    pkgs.npins
+    treefmt.config.build.wrapper
 
-  packages =
-    with pkgs;
-    [
-      # dev tools
-      just
-      npins
+    # helm
+    pkgs.helmfile
+    pkgs.kubernetes-helm
 
-      # helm
-      helmfile
-      kubernetes-helm
+    # kubectl tools
+    pkgs.kubectl-cnpg
+    pkgs.kubectl-neat
+    pkgs.kubectl-graph
+    pkgs.kubectl-klock
+    pkgs.kubectl-rook-ceph
 
-      # kubectl tools
-      kubectl-cnpg
-      kubectl-neat
-      kubelogin
-      kubelogin-oidc
-      kubectl-rook-ceph
-      kubectl-graph
-      kubectl-klock
-      graphviz
-
-      # other tools activate when needed
-      # step-cli
-      # linkerd
-      # cmctl
-      # rclone
-      # velero
-      # renovate
-
-      # dapr
-      dapr-cli
-    ]
-    ++ checks.enabledPackages;
+    # other tools activate when needed
+    kueuectl
+    # pkgs.step-cli
+    # pkgs.linkerd
+    # pkgs.cmctl
+    # pkgs.rclone
+    # pkgs.velero
+    # pkgs.renovate
+    # pkgs.graphviz
+    # pkgs.hubble
+    pkgs.cilium-cli
+    pkgs.dapr-cli
+  ];
 
   # Environment variables
-  ARGOCD_ENV_CLUSTER_NAME = "hel1";
+  ARGOCD_ENV_CLUSTER_NAME = "ekman";
   HELM_GIT_ACCESS_TOKEN = "glpat-xxx";
-
-  shellHook = builtins.concatStringsSep "\n" [
-    checks.shellHook
-  ];
+  API_SERVER_IP = "localhost";
+  API_SERVER_PORT = "7445";
 
   # Alternative shells
   passthru = pkgs.lib.mapAttrs (name: value: pkgs.mkShellNoCC (value // { inherit name; })) {
@@ -59,9 +53,6 @@ pkgs.mkShellNoCC {
       packages = [
         pkgs.npins
       ];
-      shellHook = ''
-        export NPINS_DIRECTORY="nix"
-      '';
     };
   };
 }

values/argo/env.yaml.gotmpl

@@ -24,11 +24,7 @@ argocd:
       cpu: 250m
   repoServers:
   - name: "helmfile-cmp"
-    image: "registry.gitlab.com/oceanbox/manifests/helmfile-cmp:latest"
-    imagePullSecrets:
-      - gitlab-pull-secret
-  - name: "kustomize-helm-with-rewrite"
-    image: "registry.gitlab.com/oceanbox/manifests/kustomize-helm-with-rewrite:latest"
+    image: "git.oceanbox.io/platform/manifests/helmfile-cmp:latest"
     imagePullSecrets:
       - gitlab-pull-secret
   additional_rbac_settings:

values/argo/manifests/sys-project.yaml

@@ -88,11 +88,19 @@ spec:
     server: https://kubernetes.default.svc
   - namespace: uptime
     server: https://kubernetes.default.svc
-  - namespace: forgejo
+  - namespace: gitea
+    server: https://kubernetes.default.svc
+  - namespace: postfix
+    server: https://kubernetes.default.svc
+  - namespace: jobset-system
+    server: https://kubernetes.default.svc
+  - namespace: dex
     server: https://kubernetes.default.svc
   sourceRepos:
   - https://argoproj.github.io/argo-helm
   - https://kubernetes-sigs.github.io/metrics-server/
+  - https://git.oceanbox.io/platform/manifests.git
+  - https://git.oceanbox.io/platform/manifests
   - https://gitlab.com/oceanbox/manifests.git
   - https://kubernetes.github.io/ingress-nginx
   - https://cloudnative-pg.github.io/charts
@@ -120,13 +128,18 @@ spec:
   - https://open-telemetry.github.io/opentelemetry-helm-charts
   - https://ghcr.io/slinkyproject/charts/slurm-operator
   - https://ghcr.io/slinkyproject/charts/slurm-operator-crds
+  - https://bokysan.github.io/docker-postfix/
   - ghcr.io/slinkyproject/charts
   - ghcr.io/slinkyproject/charts/slurm-operator
   - ghcr.io/slinkyproject/charts/slurm-operator-crds
   - ghcr.io/spegel-org/helm-charts
+  - quay.io/cilium/charts
+  - quay.io/jetstack/charts
+  - registry.k8s.io/jobset/charts/jobset
   - ghcr.io/dragonflydb/dragonfly-operator/helm/dragonfly-operator
-  - code.forgejo.org/forgejo-helm
+  - docker.gitea.com
   - https://operator.mariadb.com/mariadb-enterprise-operator
   - https://operator.mariadb.com
   - https://ot-container-kit.github.io/helm-charts
   - https://twin.github.io/helm-charts
+  - https://charts.dexidp.io

values/argo/values/argocd.yaml.gotmpl

@@ -15,7 +15,7 @@ configs:
     application.resourceTrackingMethod: annotation+label
     application.instanceLabelKey: app.kubernetes.io/instance
     create: true
-    # NOTE(kai): callback URL for dex
+    # NOTE: callback URL for dex
     url: "https://argocd.{{ .Values.clusterConfig.domain }}"
     resource.compareoptions: |
       ignoreAggregatedRoles: true
@@ -81,6 +81,7 @@ configs:
       p, role:org-admin, applications, *, */*, allow
       p, role:org-admin, projects, *, *, allow
       p, role:org-admin, logs, get, *, allow
+      p, role:org-admin, logs, get, */*, allow
       p, role:org-admin, clusters, get, *, allow
       p, role:org-admin, clusters, update, *, allow
       p, role:org-admin, repositories, get, *, allow
@@ -167,7 +168,7 @@ repoServer:
   extraContainers:
   - command:
     - /var/run/argocd/argocd-cmp-server
-    image: registry.gitlab.com/oceanbox/manifests/helmfile-cmp:latest
+    image: {{ .image }}
     env:
     - name: HELM_GIT_ACCESS_TOKEN
       valueFrom:
@@ -176,25 +177,6 @@ repoServer:
           name: oceanbox-gitops-repo
           optional: false
     imagePullPolicy: Always
-    name: helmfile-cmp
-    securityContext:
-      runAsNonRoot: true
-      runAsUser: 999
-    terminationMessagePath: /dev/termination-log
-    terminationMessagePolicy: File
-    volumeMounts:
-    - mountPath: /var/run/argocd
-      name: var-files
-    - mountPath: /home/argocd/cmp-server/plugins
-      name: plugins
-    - mountPath: /tmp
-      name: cmp-tmp
-    - mountPath: /helm-working-dir
-      name: helm-working-dir
-  - command:
-    - /var/run/argocd/argocd-cmp-server
-    image: {{ .image }}
-    imagePullPolicy: Always
     name: {{ .name }}
     securityContext:
       runAsNonRoot: true
@@ -208,6 +190,8 @@ repoServer:
       name: plugins
     - mountPath: /tmp
       name: cmp-tmp
+    - mountPath: /helm-working-dir
+      name: helm-working-dir
   volumes:
   - name: cmp-tmp
     emptyDir: {}
@@ -283,10 +267,6 @@ applicationSet:
     ingressClassName: nginx
     annotations:
       cert-manager.io/cluster-issuer: {{ .Values.clusterConfig.ingress_clusterissuer }}
-      # {{- with .Values.clusterConfig.ingress_whitelist}}
-      # NOTE(kai): include gitlab and github webhook ranges
-      # nginx.ingress.kubernetes.io/whitelist-source-range: {{ join "," . }},192.30.252.0/22,140.82.112.0/20,34.74.226.27/28,34.74.226.0/24
-      # {{- end }}
     hostname: "argocd-applicationset.{{ .Values.clusterConfig.domain }}"
     tls:
       - secretName: argocd-applicationset-tls

values/atlantis/env-oceanbox.yaml.gotmpl

@@ -1,3 +1,2 @@
 atlantis:
   enabled: true
-

values/atlantis/env.yaml.gotmpl

@@ -1,5 +1,4 @@
 atlantis:
   enabled: false
-  autosync: {{ if eq .Environment.Name "prod" }} false {{ else }} true {{ end }}
+  autosync: {{ if or (eq .Environment.Name "prod") (eq .Environment.Name "beta") }}false{{ else }}true{{ end }}
   env: {{ .Environment.Name }}
-

values/atlantis/kustomize/beta/appsettings.json

@@ -0,0 +1,96 @@
+{
+    "oidc": {
+        "issuer": "https://auth.oceanbox.io/realms/oceanbox",
+        "authorization_endpoint": "https://auth.oceanbox.io/realms/oceanbox/protocol/openid-connect/auth",
+        "token_endpoint": "https://auth.oceanbox.io/realms/oceanbox/protocol/openid-connect/token",
+        "jwks_uri": "https://auth.oceanbox.io/realms/oceanbox/protocol/openid-connect/certs",
+        "userinfo_endpoint": "https://auth.oceanbox.io/realms/oceanbox/protocol/openid-connect/userinfo",
+        "end_session_endpoint": "https://auth.oceanbox.io/realms/oceanbox/protocol/openid-connect/logout",
+        "device_authorization_endpoint": "https://auth.oceanbox.io/realms/oceanbox/protocol/openid-connect/auth/device",
+        "clientId": "atlantis",
+        "clientSecret": "",
+        "scopes": [
+            "openid",
+            "email",
+            "offline_access",
+            "profile"
+        ],
+        "audiences": [
+            "atlantis",
+            "atlantis_dev",
+            "sorcerer",
+            "sorcerer_dev"
+        ]
+    },
+    "sso": {
+        "cookieDomain": ".oceanbox.io",
+        "cookieName": ".obx.beta",
+        "ttl": 12.0,
+        "signedOutRedirectUri": "https://maps.beta.oceanbox.io",
+        "realm": "atlantis",
+        "environment": "prod",
+        "keyStore": {
+            "kind": "azure",
+            "uri": "https://atlantis.blob.core.windows.net",
+            "key": "dataprotection-keys"
+        },
+        "keyVault": {
+            "kind": "azure",
+            "uri": "https://atlantisvault.vault.azure.net",
+            "key": "dataencryption-keys"
+        }
+    },
+    "fga": {
+      "apiUrl": "http://prod-openfga.openfga.svc.cluster.local:8080",
+      "apiKey": "",
+      "storeId": "01JKTZXMP7ANN4GG2P5W8Y56M6",
+      "modelId": "01JKTZYMCZZBVSBG66W27XMW0A"
+    },
+    "sentryUrl": "https://b6e03cfc8e247297b89217b09341b4cb@o4509530141622272.ingest.de.sentry.io/4509530195492944",
+    "plainAuthUsers": [
+        {
+            "username": "admin",
+            "password": "en-to-tre-fire",
+            "groups": [ "/oceanbox" ],
+            "roles": [ "admin" ]
+        },
+        {
+            "username": "sorcerer",
+            "password": "fire tre to en",
+            "groups": [ "/oceanbox" ],
+            "roles": [ "admin" ]
+        },
+        {
+            "username": "archivist",
+            "password": "en-to-tre-fire",
+            "groups": [ "/oceanbox" ],
+            "roles": [ "admin" ]
+        }
+    ],
+    "plume": "plume.data.oceanbox.io",
+    "redis": "beta-atlantis-redis:6379",
+    "objectStore": "https://atlantis.blob.core.windows.net",
+    "connString": "Username=postgres;Password=secret;Host=localhost;Port=5432;Database=app;Pooling=true;",
+    "sorcerer" : "https://sorcerer.beta.ekman.oceanbox.io",
+    "allowedOrigins": [
+        "https://maps.beta.oceanbox.io"
+    ],
+    "appName": "atlantis",
+    "appEnv": "prod",
+    "appNamespace": "atlantis",
+    "appVersion": "2.95.1",
+    "otelCollector": "http://opentelemetry-collector.otel.svc:4317",
+    "pubsubName": "pubsub",
+    "pubsubTopic": "hipster-atlantis",
+    "slurm": {
+        "baseUrl": "https://slurmrestd.ekman.oceanbox.io/",
+        "slurmApi": "slurm/v0.0.42/",
+        "dbdApi": "slurmdbd/v0.0.42/",
+        "accessToken": ""
+    },
+    "amqp": {
+        "auth": "user:hunny-bunny",
+        "host": "10.255.241.201:30673"
+    },
+    "fenceRadius": 1250.0
+}

values/atlantis/kustomize/beta/bindings.yaml

@@ -0,0 +1,22 @@
+apiVersion: dapr.io/v1alpha1
+kind: Component
+metadata:
+  name: slurm-events
+spec:
+  type: bindings.rabbitmq
+  version: v1
+  metadata:
+  - name: host
+    secretKeyRef:
+      name: prod-atlantis-rabbitmq
+      key:  connString
+  - name: queueName
+    value: beta-slurm-job-events
+  - name: durable
+    value: true
+  - name: contentType
+    value: "application/json"
+  - name: route
+    value: /events/slurm
+scopes:
+  - beta-atlantis

values/atlantis/kustomize/beta/configurations.yaml

@@ -0,0 +1,20 @@
+apiVersion: dapr.io/v1alpha1
+kind: Component
+metadata:
+  name: configstore
+spec:
+  type: configuration.redis
+  version: v1
+  metadata:
+  - name: redisHost
+    value: beta-atlantis-redis:6379
+  - name: redisUsername
+    value: default
+  - name: redisPassword
+    secretKeyRef:
+      name: beta-atlantis-redis
+      key:  redis-password
+  - name: redisDB
+    value: "1"
+scopes:
+  - beta-atlantis

values/atlantis/kustomize/beta/default.env

@@ -0,0 +1 @@
+OIDC_CLIENT_SECRET=KOJ6bDHzE5vdyfSrzgwLjtM5PzA809Zm

values/atlantis/kustomize/beta/deployment_patch.yaml

@@ -0,0 +1,10 @@
+- op: add
+  path: /spec/template/spec/containers/0/envFrom/-
+  value:
+    secretRef:
+      name: azure-keyvault
+- op: add
+  path: /spec/template/spec/containers/0/envFrom/-
+  value:
+    secretRef:
+      name: prod-atlantis-env

values/atlantis/kustomize/beta/keyvault.yaml

@@ -0,0 +1,22 @@
+apiVersion: dapr.io/v1alpha1
+kind: Component
+metadata:
+  name: azure-keyvault
+spec:
+  type: secretstores.azure.keyvault
+  version: v1
+  metadata:
+  - name: vaultName
+    value: atlantisvault
+  - name: azureTenantId
+    secretKeyRef:
+      name: azure-keyvault
+      key: AZURE_TENANT_ID
+  - name: azureClientId
+    secretKeyRef:
+      name: azure-keyvault
+      key: AZURE_CLIENT_ID
+  - name: azureClientSecret
+    secretKeyRef:
+      name: azure-keyvault
+      key: AZURE_CLIENT_SECRET

values/atlantis/kustomize/beta/kustomization.yaml

@@ -0,0 +1,24 @@
+generatorOptions:
+  disableNameSuffixHash: true
+configMapGenerator:
+- name: beta-atlantis-appsettings
+  files:
+    - appsettings.json
+patches:
+  - target:
+      group: apps
+      version: v1
+      kind: Deployment
+    path: deployment_patch.yaml
+
+resources:
+  - ../base
+  - rbac.yaml
+  - tracing.yaml
+  - bindings.yaml
+  - pubsub.yaml
+  - statestore.yaml
+  - subscriptions.yaml
+  - configurations.yaml
+  - secretstore.yaml
+  - keyvault.yaml

values/atlantis/kustomize/beta/pubsub.yaml

@@ -0,0 +1,52 @@
+apiVersion: dapr.io/v1alpha1
+kind: Component
+metadata:
+  name: pubsub
+spec:
+  version: v1
+  type: pubsub.rabbitmq
+  metadata:
+  - name: hostname
+    value: prod-rabbitmq.rabbitmq
+  - name: username
+    value: user
+  - name: password
+    secretKeyRef:
+      name: prod-atlantis-rabbitmq
+      key:  rabbitmq-password
+  - name: protocol
+    value: amqp
+  - name: durable
+    value: true
+  - name: deletedWhenUnused
+    value: false
+  - name: autoAck
+    value: false
+  - name: deliveryMode
+    value: 1
+  - name: requeueInFailure
+    value: false
+  - name: prefetchCount
+    value: 0
+  - name: reconnectWait
+    value: 0
+  - name: concurrencyMode
+    value: parallel
+  - name: publisherConfirm
+    value: false
+  - name: backOffPolicy
+    value: exponential
+  - name: backOffInitialInterval
+    value: 100
+  - name: backOffMaxRetries
+    value: 16
+  - name: enableDeadLetter # Optional enable dead Letter or not
+    value: true
+  - name: maxLen # Optional max message count in a queue
+    value: 3000
+  - name: maxLenBytes # Optional maximum length in bytes of a queue.
+    value: 10485760
+  - name: exchangeKind
+    value: fanout
+  - name: clientName
+    value: "{appID}"

values/atlantis/kustomize/beta/rbac.yaml

@@ -0,0 +1,40 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: beta-atlantis
+  namespace: beta-atlantis
+rules:
+- apiGroups:
+  - ""
+  resourceNames:
+  - beta-atlantis-appsettings
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - watch
+- apiGroups:
+  - ""
+  resourceNames:
+  - azure-keyvault
+  - beta-atlantis-redis
+  - slurm-access-token
+  resources:
+  - secrets
+  verbs:
+  - get
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: beta-atlantis
+  namespace: beta-atlantis
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: beta-atlantis
+subjects:
+- kind: ServiceAccount
+  name: beta-atlantis
+  namespace: beta-atlantis

values/atlantis/kustomize/beta/secretstore.yaml

@@ -0,0 +1,10 @@
+apiVersion: dapr.io/v1alpha1
+kind: Component
+metadata:
+  name: secretstore
+spec:
+  type: secretstores.kubernetes
+  version: v1
+  metadata:
+   - name: defaultNamespace
+     value: beta-atlantis

values/atlantis/kustomize/beta/statestore.yaml

@@ -0,0 +1,22 @@
+apiVersion: dapr.io/v1alpha1
+kind: Component
+metadata:
+  name: statestore
+spec:
+  type: state.redis
+  version: v1
+  metadata:
+  - name: redisHost
+    value: beta-atlantis-redis:6379
+  - name: redisUsername
+    value: default
+  - name: redisPassword
+    secretKeyRef:
+      name: beta-atlantis-redis
+      key:  redis-password
+  - name: actorStateStore
+    value: "true"
+  - name: redisDB
+    value: "0"
+scopes:
+  - beta-atlantis

values/atlantis/kustomize/beta/subscriptions.yaml

@@ -0,0 +1,27 @@
+apiVersion: dapr.io/v2alpha1
+kind: Subscription
+metadata:
+  name: hipster-events
+spec:
+  topic: hipster
+  routes:
+    default: /events/hipster
+  pubsubname: pubsub
+  metadata:
+    queueType: quorum
+scopes:
+- beta-atlantis
+---
+apiVersion: dapr.io/v2alpha1
+kind: Subscription
+metadata:
+  name: inbox-events
+spec:
+  topic: inbox
+  routes:
+    default: /events/inbox
+  pubsubname: pubsub
+  metadata:
+    queueType: quorum
+scopes:
+- beta-atlantis

values/atlantis/kustomize/beta/tracing.yaml

@@ -0,0 +1,11 @@
+apiVersion: dapr.io/v1alpha1
+kind: Configuration
+metadata:
+  name: tracing
+spec:
+  tracing:
+    samplingRate: "1"
+    otel:
+      endpointAddress: "opentelemetry-collector.otel.svc.cluster.local:4317"
+      protocol: grpc
+      isSecure: false

values/atlantis/kustomize/prod/appsettings.json

@@ -73,7 +73,8 @@
     "connString": "Username=postgres;Password=secret;Host=localhost;Port=5432;Database=app;Pooling=true;",
     "sorcerer" : "https://sorcerer.data.oceanbox.io",
     "allowedOrigins": [
-        "https://maps.oceanbox.io"
+        "https://maps.oceanbox.io",
+        "https://codex.adm.oceanbox.io"
     ],
     "appName": "atlantis",
     "appEnv": "prod",

values/atlantis/kustomize/staging/appsettings.json

@@ -26,7 +26,7 @@
         "cookieDomain": ".oceanbox.io",
         "cookieName": ".obx.staging",
         "ttl": 12.0,
-        "signedOutRedirectUri": "https://atlantis.beta.oceanbox.io",
+        "signedOutRedirectUri": "https://maps.dev.oceanbox.io",
         "realm": "atlantis",
         "environment": "staging",
         "keyStore": {
@@ -76,7 +76,8 @@
         "https://atlantis.beta.oceanbox.io",
         "https://atlantis.dev.oceanbox.io",
         "https://atlantis.local.oceanbox.io:8080",
-        "https://maps.dev.oceanbox.io"
+        "https://maps.dev.oceanbox.io",
+        "https://codex.dev.oceanbox.io"
     ],
     "appName": "atlantis",
     "appEnv": "staging",

values/atlantis/manifests/atlantis.yaml

@@ -27,16 +27,24 @@ spec:
         value: {{ .Values.atlantis.env }}
       - name: HELMFILE_FILE_PATH
         value: atlantis.yaml.gotmpl
+  {{- if ne .Values.atlantis.env "beta" }}
   - repoURL: https://charts.bitnami.com/bitnami
     targetRevision: 20.1.7
     chart: redis
     helm:
       valueFiles:
       - $values/values/atlantis/values/redis-{{ .Values.atlantis.env }}.yaml
-  - repoURL: https://gitlab.com/oceanbox/manifests.git
+  {{- end }}
+  - repoURL: https://git.oceanbox.io/platform/manifests.git
     targetRevision: main
     ref: values
   ignoreDifferences:
+    - kind: Secret
+      name: beta-atlantis-db-superuser
+      jqPathExpressions:
+        - '.data'
+        - '.metadata.labels'
+        - '.metadata.annotations'
     - kind: Secret
       name: azure-keyvault
       jqPathExpressions:
@@ -67,6 +75,12 @@ spec:
         - '.data'
         - '.metadata.labels'
         - '.metadata.annotations'
+    - kind: Secret
+      name: slurm-access-token
+      jqPathExpressions:
+        - '.data'
+        - '.metadata.labels'
+        - '.metadata.annotations'
   syncPolicy:
     syncOptions:
       - CreateNamespace=true