allow otel world

network policy for csi-addons controller

See merge request oceanbox/manifests!1

acl.json

@@ -0,0 +1 @@
+kustomizations/petimeter/manifests/acl.json

applications/archmeister.yaml

@@ -29,7 +29,7 @@ spec:
       sources:
       - repoURL: https://gitlab.com/oceanbox/manifests.git
         targetRevision: main
-        path: manifests/archmeister
+        path: kustomizations/archmeister
         plugin:
           name: kustomize-helm-with-rewrite
           parameters:

applications/atlantis-host-resources.yaml

@@ -3,6 +3,8 @@ kind: Application
 metadata:
   name: atlantis-host-cluster-resources
   namespace: argocd
+  # annotations: # close, but no cigar
+  #   argocd.argoproj.io/compare-options: ServerSideDiff=true,IncludeMutationWebhook=true
 spec:
   project: aux
   destination:
@@ -11,6 +13,19 @@ spec:
     automated:
       prune: false
       selfHeal: false
+  ignoreDifferences:
+    - kind: Secret
+      name: prod-rabbitmq
+      jqPathExpressions:
+        - '.data'
+        - '.metadata.annotations.clone'
+        - '.metadata.labels'
+    - kind: Secret
+      name: prod-redis
+      jqPathExpressions:
+        - '.data'
+        - '.metadata.annotations.clone'
+        - '.metadata.labels'
   sources:
   - repoURL: https://gitlab.com/oceanbox/manifests.git
     targetRevision: main

applications/atlantis-resources.yaml

@@ -1,3 +1,4 @@
+# Currently not in use. Configured via the create-vcluster script.
 apiVersion: argoproj.io/v1alpha1
 kind: ApplicationSet
 metadata:
@@ -14,6 +15,8 @@ spec:
         prune: false
       # - cluster: https://staging-vcluster.staging-vcluster
       #   env: staging
+      #   autoSync: false
+      #   prune: false
   template:
     metadata:
       name: "{{ .env }}-atlantis-resources"

applications/atlantis.yaml

@@ -29,7 +29,7 @@ spec:
       sources:
       - repoURL: https://gitlab.com/oceanbox/manifests.git
         targetRevision: main
-        path: manifests/atlantis
+        path: kustomizations/atlantis
         plugin:
           name: kustomize-helm-with-rewrite
           parameters:

applications/busynix.yaml

@@ -7,9 +7,9 @@ spec:
   generators:
   - list:
       elements:
-      - cluster: https://kubernetes.default.svc
+      # - cluster: https://kubernetes.default.svc
-        env: prod
+      #   env: prod
-        hostname: busynix.srv.oceanbox.io
+      #   hostname: busynix.srv.oceanbox.io
       - cluster: https://staging-vcluster.staging-vcluster
         env: staging
         hostname: busynix.beta.oceanbox.io
@@ -24,7 +24,7 @@ spec:
       source:
         repoURL: https://gitlab.com/oceanbox/manifests.git
         targetRevision: main
-        path: manifests/busynix
+        path: kustomizations/busynix
         plugin:
           name: kustomize-helm-with-rewrite
           parameters:

applications/cerbos.yaml

@@ -25,8 +25,8 @@ spec:
           chart: cerbos
           helm:
             valueFiles:
-              - $values/manifests/cerbos/values.yaml
+              - $values/kustomizations/cerbos/values.yaml
-              - $values/manifests/cerbos/values-{{ env }}.yaml
+              - $values/kustomizations/cerbos/values-{{ env }}.yaml
         - repoURL: https://gitlab.com/oceanbox/manifests.git
           targetRevision: main
           ref: values

applications/dex.yaml

@@ -11,5 +11,5 @@ spec:
   source:
     repoURL: https://gitlab.com/oceanbox/manifests.git
     targetRevision: main
-    path: manifests/dex/manifests
+    path: kustomizations/dex/manifests
 

applications/geoserver.yaml

@@ -24,7 +24,7 @@ spec:
       sources:
       - repoURL: https://gitlab.com/oceanbox/manifests.git
         targetRevision: main
-        path: manifests/geoserver
+        path: kustomizations/geoserver
         plugin:
           name: kustomize-helm-with-rewrite
           parameters:

applications/hipster.yaml

@@ -29,7 +29,7 @@ spec:
       sources:
       - repoURL: https://gitlab.com/oceanbox/manifests.git
         targetRevision: main
-        path: manifests/hipster
+        path: kustomizations/hipster
         plugin:
           name: kustomize-helm-with-rewrite
           parameters:

applications/jaeger.yaml

@@ -14,9 +14,9 @@ spec:
     chart: jaeger-operator
     helm:
       valueFiles:
-        - $values/manifests/jaeger/values.yaml
+        - $values/kustomizations/jaeger/values.yaml
   - repoURL: https://gitlab.com/oceanbox/manifests.git
     targetRevision: main
-    # path: manifests/jaeger/manifests
+    # path: kustomizations/jaeger/manifests
     ref: values
 

applications/keycloak.yaml

@@ -10,11 +10,11 @@ spec:
     namespace: idp
   sources:
   - repoURL: https://charts.bitnami.com/bitnami
-    targetRevision: 18.3.4
+    targetRevision: 24.0.2
     chart: keycloak
     helm:
       valueFiles:
-        - $values/manifests/keycloak/values.yaml
+        - $values/kustomizations/keycloak/values.yaml
   - repoURL: https://gitlab.com/oceanbox/manifests.git
     targetRevision: main
     ref: values

applications/loki.yaml

@@ -0,0 +1,150 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: loki
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    namespace: loki
+    server: 'https://kubernetes.default.svc'
+  project: aux
+  ignoreDifferences:
+  - group: apps
+    kind: StatefulSet
+    jsonPointers:
+    - /spec/persistentVolumeClaimRetentionPolicy
+  syncPolicy:
+    managedNamespaceMetadata:
+      labels:
+        component: aux
+    syncOptions:
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+    automated:
+      prune: true
+      selfHeal: true
+  sources:
+  - repoURL: https://gitlab.com/serit/k8s/serit-platform-manifests.git
+    path: network-policies/netpol-loki
+    targetRevision: HEAD
+  - repoURL: 'https://grafana.github.io/helm-charts'
+    targetRevision: 6.12.0
+    chart: loki
+    helm:
+      values: |
+        loki:
+          auth_enabled: false
+          storage:
+            bucketNames:
+              chunks: loki-chunks
+              ruler: loki-chunks
+              admin: loki-chunks
+            s3:
+              endpoint: http://10.255.241.30:30080
+              region: tos
+              secretAccessKey: ${S3SECRET}
+              accessKeyId: ${S3KEY}
+              s3ForcePathStyle: true
+              http_config:
+                insecure_skip_verify: true
+          schemaConfig:
+            configs:
+            - from: "2024-04-01"
+              index:
+                period: 24h
+                prefix: loki_index_
+              object_store: s3
+              schema: v13
+              store: tsdb
+          compactor:
+            compaction_interval: 10m
+            working_directory: /tmp/loki/compactor
+            retention_enabled: true
+            retention_delete_delay: 2h
+            retention_delete_worker_count: 150
+            delete_request_store: s3
+          limits_config:
+            retention_period: 744h
+        write:
+          extraArgs:
+            - -config.expand-env=true
+          extraEnv:
+          - name: S3KEY
+            valueFrom:
+              secretKeyRef:
+                name: loki-s3
+                key: AWS_ACCESS_KEY_ID
+          - name: S3SECRET
+            valueFrom:
+              secretKeyRef:
+                name: loki-s3
+                key: AWS_ACCESS_KEY_SECRET
+          tolerations:
+          - effect: "NoSchedule"
+            operator: "Equal"
+            key: "unschedulable"
+            value: "true"
+        read:
+          extraArgs:
+            - -config.expand-env=true
+          extraEnv:
+          - name: S3KEY
+            valueFrom:
+              secretKeyRef:
+                name: loki-s3
+                key: AWS_ACCESS_KEY_ID
+          - name: S3SECRET
+            valueFrom:
+              secretKeyRef:
+                name: loki-s3
+                key: AWS_ACCESS_KEY_SECRET
+          tolerations:
+          - effect: "NoSchedule"
+            operator: "Equal"
+            key: "unschedulable"
+            value: "true"
+        ingress:
+          enabled: true
+          ingressClassName: nginx
+          annotations:
+            cert-manager.io/cluster-issuer: letsencrypt-staging
+            nginx.ingress.kubernetes.io/ssl-redirect: "true"
+            atlantis.oceanbox.io/expose: internal
+          hosts:
+            - loki.adm.oceanbox.io
+          tls:
+            - hosts:
+               - loki.adm.oceanbox.io
+              secretName: loki-distributed-tls
+        compactor:
+          extraArgs:
+            - -config.expand-env=true
+          extraEnv:
+          - name: S3KEY
+            valueFrom:
+              secretKeyRef:
+                name: loki-s3
+                key: AWS_ACCESS_KEY_ID
+          - name: S3SECRET
+            valueFrom:
+              secretKeyRef:
+                name: loki-s3
+                key: AWS_ACCESS_KEY_SECRET
+        backend:
+          extraArgs:
+            - -config.expand-env=true
+          extraEnv:
+          - name: S3KEY
+            valueFrom:
+              secretKeyRef:
+                name: loki-s3
+                key: AWS_ACCESS_KEY_ID
+          - name: S3SECRET
+            valueFrom:
+              secretKeyRef:
+                name: loki-s3
+                key: AWS_ACCESS_KEY_SECRET

applications/openfga.yaml

@@ -0,0 +1,47 @@
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: openfga
+  namespace: argocd
+spec:
+  goTemplate: true
+  generators:
+  - list:
+      elements:
+      - cluster: https://kubernetes.default.svc
+        env: prod
+        hostname: openfga.adm.oceanbox.io
+        autoSync: false
+        prune: true
+      - cluster: https://kubernetes.default.svc
+        env: staging
+        hostname: openfga.dev.oceanbox.io
+        autoSync: true
+        prune: true
+  template:
+    metadata:
+      name: '{{ .env }}-openfga'
+    spec:
+      project: aux
+      destination:
+        namespace: idp
+        server: '{{ .cluster }}'
+      sources:
+        - repoURL: https://openfga.github.io/helm-charts
+          targetRevision: 0.2.12
+          chart: openfga
+          helm:
+            valueFiles:
+              - $values/kustomizations/openfga/values.yaml
+              - $values/kustomizations/openfga/values-{{ .env }}.yaml
+        - repoURL: https://gitlab.com/oceanbox/manifests.git
+          targetRevision: main
+          ref: values
+  templatePatch: |
+    {{- if .autoSync }}
+    spec:
+      syncPolicy:
+        automated:
+          prune: {{ .prune }}
+          selfHeal: false
+    {{- end }}

applications/opentelemetry-collector.yaml

@@ -0,0 +1,106 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: opentelemetry-collector
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    namespace: otel
+    server: 'https://kubernetes.default.svc'
+  project: aux
+  syncPolicy:
+    # managedNamespaceMetadata:
+    #   labels:
+    #     component: aux
+    syncOptions:
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+    automated:
+      prune: true
+      selfHeal: true
+  sources:
+  - repoURL: 'https://open-telemetry.github.io/opentelemetry-helm-charts'
+    targetRevision: 0.107.0
+    chart: opentelemetry-collector
+    helm:
+      values: |
+        mode: deployment
+        image:
+          repository: otel/opentelemetry-collector-k8s
+        config:
+          receivers:
+            prometheus/collector:
+              config:
+                scrape_configs:
+                  - job_name: 'opentelemetry-collector'
+                    static_configs:
+                      - targets:
+                         - ${env:MY_POD_IP}:8888
+            zipkin:
+              endpoint: ${env:MY_POD_IP}:9411
+          exporters:
+            otlp:
+              endpoint: "tempo.tempo.svc:4317"
+              tls:
+                insecure: true
+            otlphttp/metrics:
+              endpoint: http://prom-prometheus.prometheus:9090/api/v1/otlp
+              tls:
+                insecure: true
+            otlphttp/logs:
+              endpoint: http://loki-write-headless.loki:3100/otlp
+              tls:
+                insecure: true
+            debug/metrics:
+              verbosity: detailed
+            debug/traces:
+              verbosity: detailed
+            debug/logs:
+              verbosity: detailed
+          service:
+            telemetry:
+              logs:
+                level: "info"
+            pipelines:
+              traces:
+                receivers: [otlp,zipkin]
+                processors: [batch]
+                exporters: [otlp]
+                # exporters: [otlphttp/traces,debug/traces]
+              metrics:
+                receivers: [otlp,prometheus/collector]
+                processors: [batch]
+                exporters: [otlphttp/metrics]
+                # exporters: [otlphttp/metrics,debug/metrics]
+              logs:
+                receivers: [otlp]
+                processors: [batch]
+                exporters: [otlphttp/logs]
+                # exporters: [otlphttp/logs,debug/logs]
+        ports:
+          metrics:
+            enabled: true
+        # presets:
+        #   logsCollection:
+        #     enabled: true
+        ingress:
+          enabled: true
+          annotations:
+              cert-manager.io/cluster-issuer: letsencrypt-production
+              nginx.ingress.kubernetes.io/ssl-redirect: "true"
+              atlantis.oceanbox.io/expose: internal
+          ingressClassName: nginx
+          hosts:
+            - host: opentelemetry-collector.adm.oceanbox.io
+              paths:
+                - path: /
+                  pathType: Prefix
+                  port: 4318
+          tls:
+            - secretName: collector-tls
+              hosts:
+                - opentelemetry-collector.adm.oceanbox.io

applications/osm-tile-server.yaml

@@ -22,9 +22,9 @@ spec:
         namespace: oceanbox
         server: '{{ cluster }}'
       source:
-        repoURL: https://gitlab.com/oceanbox/charts.git
+        repoURL: https://gitlab.com/oceanbox/manifests.git
         targetRevision: HEAD
-        path: manifests/osm-tile-server
+        path: kustomizations/osm-tile-server
         plugin:
           name: kustomize-helm-with-rewrite
           parameters:

applications/petimeter.yaml

@@ -29,7 +29,7 @@ spec:
       sources:
       - repoURL: https://gitlab.com/oceanbox/manifests.git
         targetRevision: main
-        path: manifests/petimeter
+        path: kustomizations/petimeter
         plugin:
           name: kustomize-helm-with-rewrite
           parameters:
@@ -39,7 +39,7 @@ spec:
             string: '{{ .hostname }}'
       - repoURL: https://gitlab.com/oceanbox/manifests.git
         targetRevision: main
-        path: manifests/petimeter/manifests
+        path: kustomizations/petimeter/manifests
   templatePatch: |
     {{- if .autoSync }}
     spec:

applications/rabbitmq.yaml

@@ -27,8 +27,8 @@ spec:
           chart: rabbitmq
           helm:
             valueFiles:
-              - $values/manifests/rabbitmq/values-{{ env }}.yaml
+              - $values/kustomizations/rabbitmq/values-{{ env }}.yaml
         - repoURL: https://gitlab.com/oceanbox/manifests.git
           targetRevision: main
-          path: manifests/rabbitmq/{{ env }}
+          path: kustomizations/rabbitmq/{{ env }}
           ref: values

applications/redis.yaml

@@ -9,10 +9,8 @@ spec:
       elements:
       - cluster: https://kubernetes.default.svc
         env: prod
-        hostname: redis.srv.oceanbox.io
       - cluster: https://kubernetes.default.svc
         env: staging
-        hostname: redis.beta.oceanbox.io
   template:
     metadata:
       name: '{{ env }}-redis'
@@ -22,25 +20,20 @@ spec:
         server: https://kubernetes.default.svc
         namespace: redis
       sources:
-        # - repoURL: https://charts.bitnami.com/bitnami
+        - repoURL: https://charts.bitnami.com/bitnami
-        #   targetRevision: 18.9.1
+          targetRevision: 19.5.2
-        #   chart: redis
+          chart: redis
-        #   helm:
+          helm:
-        #     valueFiles:
+            valueFiles:
-        #       - $values/redis/values.yaml
+              - $values/kustomizations/redis/values-{{ env }}.yaml
-        # - repoURL: https://gitlab.com/oceanbox/manifests.git
+        - repoURL: https://gitlab.com/oceanbox/manifests.git
-        #   targetRevision: HEAD
+          targetRevision: HEAD
-        #   path: manifests/redis/{{ env }}
+          ref: values
-        #   ref: values
         - repoURL: https://gitlab.com/oceanbox/manifests.git
           targetRevision: main
-          path: manifests/redis
+          path: kustomizations/redis/{{ env }}
-          plugin:
+      ignoreDifferences:
-            name: kustomize-helm-with-rewrite
+        - group: apps
-            parameters:
+          kind: StatefulSet
-            - name: env
+          jqPathExpressions:
-              string: '{{ env }}'
+            - '.spec.template.spec.containers[].resources.limits.cpu'
-            - name: hostname
-              string: '{{ hostname }}'
-            - name: chart
-              string: bitnami/redis

applications/seq.yaml

@@ -14,7 +14,7 @@ spec:
     chart: seq
     helm:
       valueFiles:
-        - $values/manifests/seq/values.yaml
+        - $values/kustomizations/seq/values.yaml
   - repoURL: https://gitlab.com/oceanbox/manifests.git
     targetRevision: main
     ref: values

applications/sorcerer.yaml

@@ -29,7 +29,7 @@ spec:
       sources:
       - repoURL: https://gitlab.com/oceanbox/manifests.git
         targetRevision: main
-        path: manifests/sorcerer
+        path: kustomizations/sorcerer
         plugin:
           name: kustomize-helm-with-rewrite
           parameters:

applications/tempo.yaml

@@ -0,0 +1,75 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: tempo
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    namespace: tempo
+    server: 'https://kubernetes.default.svc'
+  project: aux
+  syncPolicy:
+    # managedNamespaceMetadata:
+    #   labels:
+    #     component: aux
+    syncOptions:
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+    automated:
+      prune: true
+      selfHeal: true
+  sources:
+  - repoURL: 'https://grafana.github.io/helm-charts'
+    targetRevision: 1.10.3
+    chart: tempo
+    helm:
+      values: |
+        tempo:
+          storage:
+            trace:
+              backend: s3
+              s3:
+                bucket: tempo-traces
+                endpoint: http://10.255.241.30:30080
+                access_key: ${S3SECRET}
+                secret_key: ${S3KEY}
+                insecure: true
+              backend: local
+              local:
+                path: /var/tempo/traces
+              wal:
+                path: /var/tempo/wal
+          metricsGenerator:
+            enabled: true
+            remoteWriteUrl: "http://prom-prometheus.prometheus:9090/api/v1/write"
+          extraEnv:
+          - name: S3KEY
+            valueFrom:
+              secretKeyRef:
+                name: tempo-s3
+                key: AWS_ACCESS_KEY_ID
+          - name: S3SECRET
+            valueFrom:
+              secretKeyRef:
+                name: tempo-s3
+                key: AWS_ACCESS_KEY_SECRET
+        tempoQuery:
+          ingress:
+            enabled: true
+            ingressClassName: nginx
+            annotations:
+              cert-manager.io/cluster-issuer: letsencrypt-staging
+              nginx.ingress.kubernetes.io/ssl-redirect: "true"
+              atlantis.oceanbox.io/expose: internal
+            path: /
+            pathType: Prefix
+            hosts:
+              - query.tempo.adm.oceanbox.io
+            tls:
+             - secretName: tempo-query-tls
+               hosts:
+                 - query.tempo.adm.oceanbox.io

applications/yolo-dl.yaml

@@ -0,0 +1,14 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: yolo-dl
+  namespace: argocd
+spec:
+  project: aux
+  destination:
+    server: https://10.255.241.99:4443
+    namespace: oceanbox
+  sources:
+  - repoURL: https://gitlab.com/oceanbox/manifests.git
+    targetRevision: main
+    path: charts/yolo-dl

argo/staging-vcluster.yaml

@@ -1,16 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-  annotations:
-    managed-by: argocd.argoproj.io
-  labels:
-    argocd.argoproj.io/secret-type: cluster
-  name: cluster-staging-vcluster
-  namespace: argocd
-stringData:
-  config: |
-    {"bearerToken":"eyJhbGciOiJSUzI1NiIsImtpZCI6InhKNmNNemw4V01jR0cxUHJ4ajE3bTdQRDlKd1ZyQUQ0cDFPcXRuVDBFbWsifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJhZG1pbi10b2tlbiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJhZG1pbiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6ImUyNjQ2MDgzLTNjMDMtNDc0Ni1iMGIxLWViOGRmMzY3NTNiMiIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDprdWJlLXN5c3RlbTphZG1pbiJ9.hXQzh4mus2yPwXz-EyowgSpOKgOk7uDU8z-dH-sZJ-UgzxQFOxABfkjD4Kb4JYlXrr_zkMO7n_zkaDOl3iFDCDS2Pury7hsIlJNKETYk-_llH0RYI9DYzAB5PkeOyuKhmRq8eklynq5ObPtk7WVuj3Bp-64uSqfX-WvxqoE0dfh0erSVcU7BwwjRdeDnO01xzv5zXXAYkOmk6e5DGOLBdUMD8kDZE0_NEa-MKCVkl78sc2mCsOMOUhzXoCduvc92hfnoFEfoTKe7xHwLeUim4HvVfD9czXOpRtHKXgEsk0UGtj0xg7D70uftUIxpr4a8rbWceM4eyGtXpjPUm1mh1Q","tlsClientConfig":{"insecure":true}}
-  name: staging-vcluster
-  server: https://staging-vcluster.staging-vcluster
-type: Opaque
-

argocd/ekman.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+stringData:
+  config: |
+    {"bearerToken":"","tlsClientConfig":{"insecure":true}}
+  name: ekman
+  server: https://10.255.241.99:4443
+kind: Secret
+metadata:
+  labels:
+    argocd.argoproj.io/secret-type: cluster
+  name: cluster-10.255.241.99-4046803085
+  namespace: argocd
+type: Opaque
+

argocd/kustomize-helm-with-rewrite/Dockerfile

@@ -4,4 +4,4 @@ RUN mkdir -p /home/argocd/cmp-server/config/
 COPY plugin.yaml /home/argocd/cmp-server/config/
 
 WORKDIR /plugin
-COPY init.sh get-values.sh generate.sh ./
+COPY init-helm-repos.sh init.sh get-values.sh generate.sh ./

argocd/kustomize-helm-with-rewrite/generate.sh

@@ -1,23 +1,24 @@
 #!/bin/sh
 
-export HOME=/tmp
+export HOME=/helm-working-dir
 
 env > /tmp/$ARGOCD_APP_NAME.env
 
 echo "$ARGOCD_APP_PARAMETERS" | jq '.[] | select(.name == "helm-parameters") | .map' | yq -P -oy > parameters.yaml
 cp parameters.yaml /tmp/$ARGOCD_APP_NAME-parameters.yaml
 
-if [ -d chart ]; then
+if [ -n "$PARAM_CHART" -a "$PARAM_CHART" != "." ]; then
-    CHART=chart
-elif [ -f chart -a "$PARAM_CHART" = "." ]; then
-    CHART=$(cat chart)
-elif [ -n "$PARAM_CHART" ]; then
     CHART=$PARAM_CHART
+elif [ -d chart ]; then
+    CHART=chart
+elif [ -f chart ]; then
+    CHART=$(cat chart)
 else
     CHART="."
 fi
 
 [ -f chart/values.yaml ] && VALUES="-f chart/values.yaml"
+[ -f values-chart.yaml ] && VALUES="$VALUES -f values-chart.yaml"
 [ -f values.yaml ] && VALUES="$VALUES -f values.yaml"
 [ -f values-$PARAM_ENV.yaml ] && VALUES="$VALUES -f values-$PARAM_ENV.yaml"
 VALUES="$VALUES -f parameters.yaml"

argocd/kustomize-helm-with-rewrite/get-values.sh

@@ -2,6 +2,8 @@
 
 if [ -f values.yaml ]; then
     VALUES="values.yaml"
+elif [ -f values-chart.yaml ]; then
+    VALUES="values-chart.yaml"
 elif [ -f chart/values.yaml ]; then
     VALUES="chart/values.yaml"
 else

argocd/kustomize-helm-with-rewrite/init-helm-repos.sh

@@ -1,12 +1,15 @@
 #!/bin/sh
 
-export HOME=/tmp
+export HOME=/helm-working-dir
+
+helm repo add --username argocd-helm --password "$OCEANBOX_HELM_ACCESS_TOKEN" oceanbox \
+    https://gitlab.com/api/v4/projects/54396343/packages/helm/stable
 
 helm repo add bitnami https://charts.bitnami.com/bitnami
 helm repo add cerbos https://download.cerbos.dev/helm-charts
 helm repo add dapr https://dapr.github.io/helm-charts/
 helm repo add ncsa https://opensource.ncsa.illinois.edu/charts
 helm repo add dex https://charts.dexidp.io
+helm repo add openfga https://openfga.github.io/helm-charts
 
 helm repo update
-

argocd/kustomize-helm-with-rewrite/init.sh

@@ -0,0 +1,12 @@
+#!/bin/sh
+
+export HOME=/helm-working-dir
+
+helm repo update oceanbox
+
+if [ -n "$PARAM_CHART" -a "$PARAM_CHART" != "." ]; then
+    helm show values $PARAM_CHART > values-chart.yaml
+elif [ -f chart ]; then
+    CHART=$(cat chart)
+    helm show values $CHART > values-chart.yaml
+fi

argocd/staging-vcluster.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  annotations:
+    managed-by: argocd.argoproj.io
+  labels:
+    argocd.argoproj.io/secret-type: cluster
+  name: cluster-staging-vcluster
+  namespace: argocd
+stringData:
+  config: |
+    {"bearerToken":"","tlsClientConfig":{"insecure":true}}
+  name: staging-vcluster
+  server: https://staging-vcluster.staging-vcluster
+type: Opaque
+

charts/archmeister/Chart.yaml

@@ -12,8 +12,7 @@ description: Archive management for Atlantis
 type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
-version: v6.19.5
+version: v6.20.0
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application.
-appVersion: v6.19.5
+appVersion: v6.20.0
-

charts/archmeister/templates/deployment.yaml

@@ -84,8 +84,8 @@ spec:
         emptyDir: {}
       {{- end }}
       - name: appsettings
-        secret:
+        configMap:
-          secretName: {{ template "Archmeister.fullname" . }}-appsettings
+          name: {{ template "Archmeister.fullname" . }}-appsettings
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

charts/archmeister/values.yaml

@@ -5,12 +5,23 @@
 replicaCount: 1
 image:
   repository: registry.gitlab.com/oceanbox/oceanbox.dataagent
-  tag: v6.19.5
+  tag: v6.20.0
   pullPolicy: IfNotPresent
 init:
   enabled: false
   image: ubuntu:rolling
   command: ["/bin/sh", "-c", "true"]
+env:
+  - name: LOG_LEVEL
+    value: "3"
+  - name: APP_NAME
+    valueFrom:
+      fieldRef:
+        fieldPath: metadata.name
+  - name: APP_NAMESPACE
+    valueFrom:
+      fieldRef:
+        fieldPath: metadata.namespace
 imagePullSecrets:
   - name: gitlab-pull-secret
 nameOverride: ""

charts/atlantis/Chart.yaml

@@ -12,7 +12,7 @@ description: Atlantis map and simulation service
 type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
-version: v2.78.15
+version: v2.87.1
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application.
-appVersion: v2.78.15
+appVersion: v2.87.1

charts/atlantis/templates/deployment.yaml

@@ -83,8 +83,8 @@ spec:
         emptyDir: {}
       {{- end }}
       - name: appsettings
-        secret:
+        configMap:
-          secretName: {{ template "Atlantis.fullname" . }}-appsettings
+          name: {{ template "Atlantis.fullname" . }}-appsettings
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

charts/atlantis/values.yaml

@@ -5,7 +5,7 @@
 replicaCount: 1
 image:
   repository: registry.gitlab.com/oceanbox/atlantis
-  tag: v2.78.15
+  tag: v2.87.1
   pullPolicy: IfNotPresent
 init:
   enabled: false
@@ -14,6 +14,14 @@ init:
 env:
   - name: LOG_LEVEL
     value: "3"
+  - name: APP_NAME
+    valueFrom:
+      fieldRef:
+        fieldPath: metadata.name
+  - name: APP_NAMESPACE
+    valueFrom:
+      fieldRef:
+        fieldPath: metadata.namespace
 imagePullSecrets:
   - name: gitlab-pull-secret
 nameOverride: ""

charts/hipster/Chart.yaml

@@ -12,7 +12,7 @@ description: A Helm chart for Kubernetes
 type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
-version: v2.6.4
+version: v2.7.0
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application.
-appVersion: v2.6.4
+appVersion: v2.7.0

charts/hipster/templates/deployment.yaml

@@ -81,8 +81,8 @@ spec:
         emptyDir: {}
       {{- end }}
       - name: appsettings
-        secret:
+        configMap:
-          secretName: {{ template "Hipster.fullname" . }}-appsettings
+          name: {{ template "Hipster.fullname" . }}-appsettings
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

charts/hipster/values.yaml

@@ -5,12 +5,23 @@
 replicaCount: 1
 image:
   repository: registry.gitlab.com/oceanbox/hipster
-  tag: v2.6.4
+  tag: v2.7.0
   pullPolicy: IfNotPresent
 init:
   enabled: false
   image: ubuntu:rolling
   command: ["/bin/sh", "-c", "true"]
+env:
+  - name: LOG_LEVEL
+    value: "3"
+  - name: APP_NAME
+    valueFrom:
+      fieldRef:
+        fieldPath: metadata.name
+  - name: APP_NAMESPACE
+    valueFrom:
+      fieldRef:
+        fieldPath: metadata.namespace
 imagePullSecrets:
   - name: gitlab-pull-secret
 nameOverride: ""

charts/petimeter/Chart.yaml

@@ -12,7 +12,7 @@ description: A Helm chart for Kubernetes
 type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
-version: v1.9.8
+version: v1.9.9
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application.
-appVersion: v1.9.8
+appVersion: v1.9.9

charts/petimeter/base/deployment_patch.yaml

@@ -1,19 +0,0 @@
-- op: replace
-  path: /spec/template/spec/containers/0/livenessProbe/httpGet/path
-  value: /healthz
-- op: replace
-  path: /spec/template/spec/containers/0/readinessProbe/httpGet/path
-  value: /healthz
-- op: add
-  path: /spec/template/spec/containers/0/volumeMounts/-
-  value:
-    name: acl
-    mountPath: /app/acl.json
-    subPath: acl.json
-    readOnly: true
-- op: add
-  path: /spec/template/spec/volumes/-
-  value:
-    name: acl
-    configMap:
-      name: petimeter-acl

charts/petimeter/base/kustomization.yaml

@@ -1,16 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-namespace: oceanbox
-patches:
-  - target:
-      version: v1
-      group: apps
-      kind: Deployment
-      name: petimeter
-    path: deployment_patch.yaml
-# configMapGenerator:
-#   - name: petimeter-acl
-#     files:
-#       - acl.json
-resources:
-  - _manifest.yaml

charts/petimeter/templates/deployment.yaml

@@ -84,8 +84,8 @@ spec:
         emptyDir: {}
       {{- end }}
       - name: appsettings
-        secret:
+        configMap:
-          secretName: {{ template "Petimeter.fullname" . }}-appsettings
+          name: {{ template "Petimeter.fullname" . }}-appsettings
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

charts/petimeter/values.yaml

@@ -5,12 +5,23 @@
 replicaCount: 1
 image:
   repository: registry.gitlab.com/oceanbox/petimeter
-  tag: v1.9.8
+  tag: v1.9.9
   pullPolicy: IfNotPresent
 init:
   enabled: false
   image: ubuntu:rolling
   command: ["/bin/sh", "-c", "true"]
+env:
+  - name: LOG_LEVEL
+    value: "3"
+  - name: APP_NAME
+    valueFrom:
+      fieldRef:
+        fieldPath: metadata.name
+  - name: APP_NAMESPACE
+    valueFrom:
+      fieldRef:
+        fieldPath: metadata.namespace
 imagePullSecrets:
   - name: gitlab-pull-secret
 nameOverride: ""

charts/sorcerer/Chart.yaml

@@ -12,7 +12,7 @@ description: A Helm chart for Kubernetes
 type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
-version: v4.7.7
+version: v4.9.0
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application.
-appVersion: v4.7.7
+appVersion: v4.9.0

charts/sorcerer/templates/deployment.yaml

@@ -38,8 +38,7 @@ spec:
               containerPort: {{ .Values.service.port }}
               protocol: TCP
           env:
-            - name: LOG_LEVEL
+            {{- toYaml .Values.env | nindent 12 }}
-              value: "3"
           livenessProbe:
             httpGet:
               path: /
@@ -84,8 +83,8 @@ spec:
         emptyDir: {}
       {{- end }}
       - name: appsettings
-        secret:
+        configMap:
-          secretName: {{ template "Sorcerer.fullname" . }}-appsettings
+          name: {{ template "Sorcerer.fullname" . }}-appsettings
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

charts/sorcerer/values.yaml

@@ -5,12 +5,23 @@
 replicaCount: 1
 image:
   repository: registry.gitlab.com/oceanbox/sorcerer
-  tag: v4.7.7
+  tag: v4.9.0
   pullPolicy: IfNotPresent
 init:
   enabled: false
   image: ubuntu:rolling
   command: ["/bin/sh", "-c", "true"]
+env:
+  - name: LOG_LEVEL
+    value: "3"
+  - name: APP_NAME
+    valueFrom:
+      fieldRef:
+        fieldPath: metadata.name
+  - name: APP_NAMESPACE
+    valueFrom:
+      fieldRef:
+        fieldPath: metadata.namespace
 imagePullSecrets:
   - name: gitlab-pull-secret
 nameOverride: ""

charts/vcluster/templates/jaeger.yaml

@@ -1,14 +0,0 @@
-apiVersion: jaegertracing.io/v1
-kind: Jaeger
-metadata:
-  name: jaeger
-  namespace: {{ .Release.Namespace }}
-spec:
-  strategy: allInOne
-  ingress:
-    enabled: false
-  allInOne:
-    image: jaegertracing/all-in-one:1.22
-    options:
-      query:
-        base-path: /jaeger

charts/vcluster/templates/rbac.yaml

@@ -11,16 +11,3 @@ subjects:
 - kind: ServiceAccount
   namespace: {{ $fullname }}
   name: {{ $fullname }}
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: vcluster-jaegers
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: vcluster-jaegers
-subjects:
-- kind: ServiceAccount
-  namespace: {{ $fullname }}
-  name: {{ $fullname }}

charts/vcluster/templates/vcluster.yaml

@@ -69,8 +69,10 @@ spec:
               to: "rabbitmq/{{ .Values.environment }}-rabbitmq"
             - from: "{{ .Release.Namespace }}/staging-archmeister-rw"
               to: "atlantis/staging-archmeister-rw"
-            - from: "{{ .Release.Namespace }}/jaeger-collector"
+            - from: "idp/{{ .Values.environment }}-openfga"
-              to: "atlantis/jaeger-collector"
+              to: "idp/{{ .Values.environment }}-openfga"
+            - from: "otel/opentelemetry-collector"
+              to: "otel/opentelemetry-collector"
             - from: "idp/{{ .Values.environment }}-cerbos"
               to: "idp/{{ .Values.environment }}-cerbos"
           sync:
@@ -94,9 +96,6 @@ spec:
                   - apiGroups: [ "cilium.io" ]
                     resources: [ "ciliumnetworkpolicies" ]
                     verbs: [ "get", "list", "watch", "create", "patch" ]
-                  # - apiGroups: [ "jaegertracing.io" ]
-                  #   resources: [ "jaegers" ]
-                  #   verbs: [ "get", "list", "watch", "create", "patch" ]
               config: |-
                 version: v1beta1
                 import:
@@ -110,15 +109,11 @@ spec:
                 #   apiVersion: dapr.io/v1alpha1
                 # - kind: Subscription
                 #   apiVersion: dapr.io/v1alpha1
-                # - kind: Jaeger
-                #   apiVersion: jaegertracing.io/v1
                 # - kind: CiliumNetworkPolicy
                 #   apiVersion: cilium.io/v2
                 export:
                 - kind: CiliumNetworkPolicy
                   apiVersion: cilium.io/v2
-                # - kind: Jaeger
-                #   apiVersion: jaegertracing.io/v1
           init:
             manifests: |-
               ---
@@ -161,6 +156,13 @@ spec:
                 annotations:
                   kubernetes.io/service-account.name: admin
               type: kubernetes.io/service-account-token
+              ---
+              apiVersion: v1
+              kind: Namespace
+              metadata:
+                labels:
+                  kubernetes.io/metadata.name: atlantis
+                name: atlantis
 
             # The contents of manifests-template will be templated using helm
             # this allows you to use helm values inside, e.g.: {{ .Release.Name }}
@@ -172,7 +174,7 @@ spec:
             helm:
               - chart:
                   name: dapr
-                  version: 1.13.3
+                  version: 1.14.0
                   repo: https://dapr.github.io/helm-charts/
                 release:
                   name: dapr

charts/yolo-dl/deployment.yaml

@@ -0,0 +1,49 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: yolo-dl
+  name: yolo-dl
+  namespace: oceanbox
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: yolo-dl
+  strategy:
+    rollingUpdate:
+      maxSurge: 25%
+      maxUnavailable: 25%
+    type: RollingUpdate
+  template:
+    metadata:
+      labels:
+        app: yolo-dl
+    spec:
+      containers:
+      - command:
+        - /bin/sh
+        - -c
+        - httpd -p 8000 -f
+        image: busybox:latest
+        imagePullPolicy: IfNotPresent
+        name: yolo-dl
+        ports:
+        - containerPort: 8000
+          protocol: TCP
+        resources: {}
+        terminationMessagePath: /dev/termination-log
+        terminationMessagePolicy: File
+        volumeMounts:
+        - mountPath: /data
+          name: data
+        workingDir: /data
+      dnsPolicy: ClusterFirst
+      restartPolicy: Always
+      securityContext: {}
+      terminationGracePeriodSeconds: 30
+      volumes:
+      - name: data
+        persistentVolumeClaim:
+          claimName: yolo-dl-data
+

charts/yolo-dl/pv.yaml

@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: pv-yolo-dl
+spec:
+  accessModes:
+  - ReadWriteMany
+  capacity:
+    storage: 1Gi
+  csi:
+    driver: rook-ceph.cephfs.csi.ceph.com
+    nodeStageSecretRef:
+      name: rook-csi-cephfs-node
+      namespace: rook-ceph
+    volumeAttributes:
+      fsName: data
+      clusterID: rook-ceph
+      staticVolume: "true"
+      rootPath: /ssd/dl
+    volumeHandle: pv-yolo-dl
+  persistentVolumeReclaimPolicy: Retain
+  volumeMode: Filesystem

charts/yolo-dl/pvc.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: yolo-dl-data
+  namespace: oceanbox
+spec:
+  accessModes:
+  - ReadWriteMany
+  resources:
+    requests:
+      storage: 1Gi
+  storageClassName: ""
+  volumeMode: Filesystem
+  volumeName: pv-yolo-dl

kustomizations/archmeister/prod/kustomization.yaml

@@ -1,9 +1,10 @@
 generatorOptions:
   disableNameSuffixHash: true
-secretGenerator:
+configMapGenerator:
 - name: prod-archmeister-appsettings
   files:
   - appsettings.json
+secretGenerator:
 - name: prod-archmeister-env
   envs:
   - default.env

kustomizations/archmeister/staging/ingress_patch.yaml

@@ -0,0 +1,6 @@
+- op: replace
+  path: /spec/rules/0/http/paths/0/path
+  value: /internal
+- op: add
+  path: /metadata/annotations/nginx.ingress.kubernetes.io~1whitelist-source-range
+  value: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16

kustomizations/archmeister/staging/kustomization.yaml

@@ -1,9 +1,10 @@
 generatorOptions:
   disableNameSuffixHash: true
-secretGenerator:
+configMapGenerator:
 - name: staging-archmeister-appsettings
   files:
     - appsettings.json
+secretGenerator:
 - name: staging-archmeister-env
   envs:
   - default.env

kustomizations/archmeister/values-prod.yaml

@@ -1,3 +1,5 @@
+replicaCount: 2
+
 podAnnotations:
   dapr.io/app-id: "prod-archmeister"
   dapr.io/enabled: "true"

kustomizations/archmeister/values-staging.yaml

@@ -1,3 +1,4 @@
+replicaCount: 1
 podAnnotations:
   dapr.io/app-id: "staging-archmeister"
   dapr.io/enabled: "true"
@@ -14,13 +15,12 @@ podAnnotations:
   dapr.io/sidecar-cpu-limit: "300m"
   dapr.io/sidecar-memory-limit: "1000Mi"
   dapr.io/log-as-json: "true"
-
 image:
-  tag: f8c27a74-debug
+  tag: 16390a0c-debug
 ingress:
   annotations:
     cert-manager.io/cluster-issuer: letsencrypt-production
-    atlantis.oceanbox.io/expose: global
+    # atlantis.oceanbox.io/expose: internal
   hosts:
     - host: archmeister.beta.oceanbox.io
       paths:

kustomizations/atlantis/prod/appsettings.json

@@ -15,10 +15,10 @@
             "profile"
         ]
     },
+    "redis": "prod-redis-master.redis.svc,user=default,password=secret",
     "sso": {
         "cookieDomain": ".oceanbox.io",
         "signedOutRedirectUri": "https://idp.oceanbox.io/dex/static/logout.html",
-        "redis": "prod-redis-master.redis.svc,user=default,password=secret",
         "appDomain": "atlantis",
         "dataProtectionKeys": "DataProtection-Keys"
     },
@@ -32,5 +32,6 @@
     ],
     "logService" : "https://seq.adm.oceanbox.io",
     "logApiKey": "",
-    "deployEnv": "prod"
+    "deployEnv": "prod",
+    "plainAuthUsers": []
 }

kustomizations/atlantis/prod/default.env

@@ -1,2 +1,3 @@
 OIDC_CLIENT_SECRET=KOJ6bDHzE5vdyfSrzgwLjtM5PzA809Zm
 SEQ_APIKEY=v9RfeLBD9Si7OkFlkjPm
+DEPLOY_NAME=prod-atlantis

kustomizations/atlantis/prod/kustomization.yaml

@@ -1,9 +1,10 @@
 generatorOptions:
   disableNameSuffixHash: true
-secretGenerator:
+configMapGenerator:
 - name: prod-atlantis-appsettings
   files:
     - appsettings.json
+secretGenerator:
 - name: prod-atlantis-env
   envs:
   - default.env

kustomizations/atlantis/prod/subscriptions.yaml

@@ -1,23 +1,25 @@
-apiVersion: dapr.io/v1alpha1
+apiVersion: dapr.io/v2alpha1
 kind: Subscription
 metadata:
   name: hipster-events
 spec:
   topic: hipster
-  route: /hipster-events
+  routes:
+    default: /hipster-events
   pubsubname: pubsub
   metadata:
     queueType: quorum
 scopes:
 - prod-atlantis
 ---
-apiVersion: dapr.io/v1alpha1
+apiVersion: dapr.io/v2alpha1
 kind: Subscription
 metadata:
   name: inbox-events
 spec:
   topic: inbox
-  route: /inbox-events
+  routes:
+    default: /inbox-events
   pubsubname: pubsub
   metadata:
     queueType: quorum

kustomizations/atlantis/staging/appsettings.json

@@ -15,10 +15,10 @@
             "profile"
         ]
     },
+    "redis": "staging-redis-master.redis.svc,user=default,password=secret",
     "sso": {
         "cookieDomain": ".oceanbox.io",
         "signedOutRedirectUri": "https://idp.oceanbox.io/dex/static/logout.html",
-        "redis": "staging-redis-master.redis.svc,user=default,password=secret",
         "appDomain": "atlantis",
         "dataProtectionKeys": "DataProtection-Keys"
     },
@@ -30,5 +30,6 @@
     ],
     "logService" : "https://seq.adm.oceanbox.io",
     "logApiKey": "",
-    "deployEnv": "staging"
+    "deployEnv": "staging",
+    "plainAuthUsers": []
 }

kustomizations/atlantis/staging/default.env

@@ -1,2 +1,3 @@
 OIDC_CLIENT_SECRET=3QjfSPmAemjn34XVA2o1fvoS7I4gKvOR
 SEQ_APIKEY=v9RfeLBD9Si7OkFlkjPm
+DEPLOY_NAME=staging-atlantis

kustomizations/atlantis/staging/kustomization.yaml

@@ -1,9 +1,10 @@
 generatorOptions:
   disableNameSuffixHash: true
-secretGenerator:
+configMapGenerator:
 - name: staging-atlantis-appsettings
   files:
     - appsettings.json
+secretGenerator:
 - name: staging-atlantis-env
   envs:
   - default.env

kustomizations/atlantis/staging/subscriptions.yaml

@@ -1,23 +1,25 @@
-apiVersion: dapr.io/v1alpha1
+apiVersion: dapr.io/v2alpha1
 kind: Subscription
 metadata:
   name: hipster-events
 spec:
   topic: hipster
-  route: /hipster-events
+  routes:
+    default: /hipster-events
   pubsubname: pubsub
   metadata:
     queueType: quorum
 scopes:
 - staging-atlantis
 ---
-apiVersion: dapr.io/v1alpha1
+apiVersion: dapr.io/v2alpha1
 kind: Subscription
 metadata:
   name: inbox-events
 spec:
   topic: inbox
-  route: /inbox-events
+  routes:
+    default: /inbox-events
   pubsubname: pubsub
   metadata:
     queueType: quorum

kustomizations/atlantis/values-prod.yaml

@@ -1,3 +1,5 @@
+replicaCount: 2
+
 podAnnotations:
   dapr.io/app-id: "prod-atlantis"
   dapr.io/enabled: "true"

kustomizations/atlantis/values-staging.yaml

@@ -1,3 +1,4 @@
+replicaCount: 2
 podAnnotations:
   dapr.io/app-id: "staging-atlantis"
   dapr.io/enabled: "true"
@@ -14,13 +15,16 @@ podAnnotations:
   dapr.io/sidecar-cpu-limit: "300m"
   dapr.io/sidecar-memory-limit: "1000Mi"
   dapr.io/log-as-json: "true"
-
 image:
-  tag: c0c8de05-debug
+  tag: 7f3512e0-debug
 ingress:
   annotations:
     cert-manager.io/cluster-issuer: letsencrypt-production
     nginx.ingress.kubernetes.io/proxy-buffer-size: 128k
+    # nginx.ingress.kubernetes.io/affinity: "cookie"
+    # nginx.ingress.kubernetes.io/session-cookie-name: "http-affinity"
+    # nginx.ingress.kubernetes.io/session-cookie-expires: "86400"
+    # nginx.ingress.kubernetes.io/session-cookie-max-age: "86400"
     # atlantis.oceanbox.io/expose: internal
   hosts:
     - host: atlantis.beta.oceanbox.io