feat: simplify charts, resources, kustomizations and applications for atlantis SPMSA

network policy for csi-addons controller

See merge request oceanbox/manifests!1

.gitignore

@@ -1,2 +1,3 @@
 _manifest.yaml
 _resources.yaml
+*.tgz

acl.json

@@ -0,0 +1 @@
+kustomizations/petimeter/manifests/acl.json

applications/archmeister.yaml

@@ -29,7 +29,7 @@ spec:
       sources:
       - repoURL: https://gitlab.com/oceanbox/manifests.git
         targetRevision: main
-        path: manifests/archmeister
+        path: kustomizations/archmeister
         plugin:
           name: kustomize-helm-with-rewrite
           parameters:

applications/atlantis-host-resources.yaml

@@ -1,21 +1,27 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: atlantis-host-cluster-resources
+  name: atlantis-cluster-resources
   namespace: argocd
+  # annotations: # close, but no cigar
+  #   argocd.argoproj.io/compare-options: ServerSideDiff=true,IncludeMutationWebhook=true
 spec:
-  project: aux
+  project: atlantis
   destination:
     server: https://kubernetes.default.svc
   syncPolicy:
     automated:
       prune: false
       selfHeal: false
+  # ignoreDifferences:
+  #   - kind: Secret
+  #     name: prod-rabbitmq
+  #     jqPathExpressions:
+  #       - '.data'
+  #       - '.metadata.annotations.clone'
+  #       - '.metadata.labels'
   sources:
   - repoURL: https://gitlab.com/oceanbox/manifests.git
     targetRevision: main
-    path: resources/atlantis/host-manifests
-  - repoURL: https://gitlab.com/oceanbox/manifests.git
-    targetRevision: main
-    path: 'resources/atlantis/manifests/prod'
+    path: resources/atlantis
 

applications/atlantis-resources.yaml

@@ -1,3 +1,4 @@
+# Currently not in use. Configured via the create-vcluster script.
 apiVersion: argoproj.io/v1alpha1
 kind: ApplicationSet
 metadata:
@@ -14,6 +15,8 @@ spec:
         prune: false
       # - cluster: https://staging-vcluster.staging-vcluster
       #   env: staging
+      #   autoSync: false
+      #   prune: false
   template:
     metadata:
       name: "{{ .env }}-atlantis-resources"

applications/atlantis.yaml

@@ -29,7 +29,7 @@ spec:
       sources:
       - repoURL: https://gitlab.com/oceanbox/manifests.git
         targetRevision: main
-        path: manifests/atlantis
+        path: kustomizations/atlantis
         plugin:
           name: kustomize-helm-with-rewrite
           parameters:

applications/busynix.yaml

@@ -7,9 +7,9 @@ spec:
   generators:
   - list:
       elements:
-      - cluster: https://kubernetes.default.svc
-        env: prod
-        hostname: busynix.srv.oceanbox.io
+      # - cluster: https://kubernetes.default.svc
+      #   env: prod
+      #   hostname: busynix.srv.oceanbox.io
       - cluster: https://staging-vcluster.staging-vcluster
         env: staging
         hostname: busynix.beta.oceanbox.io
@@ -24,7 +24,7 @@ spec:
       source:
         repoURL: https://gitlab.com/oceanbox/manifests.git
         targetRevision: main
-        path: manifests/busynix
+        path: kustomizations/busynix
         plugin:
           name: kustomize-helm-with-rewrite
           parameters:

applications/cerbos.yaml

@@ -25,8 +25,8 @@ spec:
           chart: cerbos
           helm:
             valueFiles:
-              - $values/manifests/cerbos/values.yaml
-              - $values/manifests/cerbos/values-{{ env }}.yaml
+              - $values/kustomizations/cerbos/values.yaml
+              - $values/kustomizations/cerbos/values-{{ env }}.yaml
         - repoURL: https://gitlab.com/oceanbox/manifests.git
           targetRevision: main
           ref: values

applications/dex.yaml

@@ -11,5 +11,5 @@ spec:
   source:
     repoURL: https://gitlab.com/oceanbox/manifests.git
     targetRevision: main
-    path: manifests/dex/manifests
+    path: kustomizations/dex/manifests
 

applications/geoserver.yaml

@@ -24,7 +24,7 @@ spec:
       sources:
       - repoURL: https://gitlab.com/oceanbox/manifests.git
         targetRevision: main
-        path: manifests/geoserver
+        path: kustomizations/geoserver
         plugin:
           name: kustomize-helm-with-rewrite
           parameters:

applications/hipster.yaml

@@ -29,7 +29,7 @@ spec:
       sources:
       - repoURL: https://gitlab.com/oceanbox/manifests.git
         targetRevision: main
-        path: manifests/hipster
+        path: kustomizations/hipster
         plugin:
           name: kustomize-helm-with-rewrite
           parameters:

applications/jaeger.yaml

@@ -14,9 +14,9 @@ spec:
     chart: jaeger-operator
     helm:
       valueFiles:
-        - $values/manifests/jaeger/values.yaml
+        - $values/kustomizations/jaeger/values.yaml
   - repoURL: https://gitlab.com/oceanbox/manifests.git
     targetRevision: main
-    # path: manifests/jaeger/manifests
+    # path: kustomizations/jaeger/manifests
     ref: values
 

applications/keycloak.yaml

@@ -14,7 +14,7 @@ spec:
     chart: keycloak
     helm:
       valueFiles:
-        - $values/manifests/keycloak/values.yaml
+        - $values/kustomizations/keycloak/values.yaml
   - repoURL: https://gitlab.com/oceanbox/manifests.git
     targetRevision: main
     ref: values

applications/loki.yaml

@@ -0,0 +1,150 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: loki
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    namespace: loki
+    server: 'https://kubernetes.default.svc'
+  project: aux
+  ignoreDifferences:
+  - group: apps
+    kind: StatefulSet
+    jsonPointers:
+    - /spec/persistentVolumeClaimRetentionPolicy
+  syncPolicy:
+    managedNamespaceMetadata:
+      labels:
+        component: aux
+    syncOptions:
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+    automated:
+      prune: true
+      selfHeal: true
+  sources:
+  - repoURL: https://gitlab.com/serit/k8s/serit-platform-manifests.git
+    path: network-policies/netpol-loki
+    targetRevision: HEAD
+  - repoURL: 'https://grafana.github.io/helm-charts'
+    targetRevision: 6.12.0
+    chart: loki
+    helm:
+      values: |
+        loki:
+          auth_enabled: false
+          storage:
+            bucketNames:
+              chunks: loki-chunks
+              ruler: loki-chunks
+              admin: loki-chunks
+            s3:
+              endpoint: http://10.255.241.30:30080
+              region: tos
+              secretAccessKey: ${S3SECRET}
+              accessKeyId: ${S3KEY}
+              s3ForcePathStyle: true
+              http_config:
+                insecure_skip_verify: true
+          schemaConfig:
+            configs:
+            - from: "2024-04-01"
+              index:
+                period: 24h
+                prefix: loki_index_
+              object_store: s3
+              schema: v13
+              store: tsdb
+          compactor:
+            compaction_interval: 10m
+            working_directory: /tmp/loki/compactor
+            retention_enabled: true
+            retention_delete_delay: 2h
+            retention_delete_worker_count: 150
+            delete_request_store: s3
+          limits_config:
+            retention_period: 744h
+        write:
+          extraArgs:
+            - -config.expand-env=true
+          extraEnv:
+          - name: S3KEY
+            valueFrom:
+              secretKeyRef:
+                name: loki-s3
+                key: AWS_ACCESS_KEY_ID
+          - name: S3SECRET
+            valueFrom:
+              secretKeyRef:
+                name: loki-s3
+                key: AWS_ACCESS_KEY_SECRET
+          tolerations:
+          - effect: "NoSchedule"
+            operator: "Equal"
+            key: "unschedulable"
+            value: "true"
+        read:
+          extraArgs:
+            - -config.expand-env=true
+          extraEnv:
+          - name: S3KEY
+            valueFrom:
+              secretKeyRef:
+                name: loki-s3
+                key: AWS_ACCESS_KEY_ID
+          - name: S3SECRET
+            valueFrom:
+              secretKeyRef:
+                name: loki-s3
+                key: AWS_ACCESS_KEY_SECRET
+          tolerations:
+          - effect: "NoSchedule"
+            operator: "Equal"
+            key: "unschedulable"
+            value: "true"
+        ingress:
+          enabled: true
+          ingressClassName: nginx
+          annotations:
+            cert-manager.io/cluster-issuer: letsencrypt-staging
+            nginx.ingress.kubernetes.io/ssl-redirect: "true"
+            atlantis.oceanbox.io/expose: internal
+          hosts:
+            - loki.adm.oceanbox.io
+          tls:
+            - hosts:
+               - loki.adm.oceanbox.io
+              secretName: loki-distributed-tls
+        compactor:
+          extraArgs:
+            - -config.expand-env=true
+          extraEnv:
+          - name: S3KEY
+            valueFrom:
+              secretKeyRef:
+                name: loki-s3
+                key: AWS_ACCESS_KEY_ID
+          - name: S3SECRET
+            valueFrom:
+              secretKeyRef:
+                name: loki-s3
+                key: AWS_ACCESS_KEY_SECRET
+        backend:
+          extraArgs:
+            - -config.expand-env=true
+          extraEnv:
+          - name: S3KEY
+            valueFrom:
+              secretKeyRef:
+                name: loki-s3
+                key: AWS_ACCESS_KEY_ID
+          - name: S3SECRET
+            valueFrom:
+              secretKeyRef:
+                name: loki-s3
+                key: AWS_ACCESS_KEY_SECRET

applications/openfga.yaml

@@ -0,0 +1,47 @@
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: openfga
+  namespace: argocd
+spec:
+  goTemplate: true
+  generators:
+  - list:
+      elements:
+      - cluster: https://kubernetes.default.svc
+        env: prod
+        hostname: openfga.adm.oceanbox.io
+        autoSync: false
+        prune: true
+      - cluster: https://kubernetes.default.svc
+        env: staging
+        hostname: openfga.dev.oceanbox.io
+        autoSync: true
+        prune: true
+  template:
+    metadata:
+      name: '{{ .env }}-openfga'
+    spec:
+      project: aux
+      destination:
+        namespace: idp
+        server: '{{ .cluster }}'
+      sources:
+        - repoURL: https://openfga.github.io/helm-charts
+          targetRevision: 0.2.12
+          chart: openfga
+          helm:
+            valueFiles:
+              - $values/kustomizations/openfga/values.yaml
+              - $values/kustomizations/openfga/values-{{ .env }}.yaml
+        - repoURL: https://gitlab.com/oceanbox/manifests.git
+          targetRevision: main
+          ref: values
+  templatePatch: |
+    {{- if .autoSync }}
+    spec:
+      syncPolicy:
+        automated:
+          prune: {{ .prune }}
+          selfHeal: false
+    {{- end }}

applications/opentelemetry-collector.yaml

@@ -0,0 +1,106 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: opentelemetry-collector
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    namespace: otel
+    server: 'https://kubernetes.default.svc'
+  project: aux
+  syncPolicy:
+    # managedNamespaceMetadata:
+    #   labels:
+    #     component: aux
+    syncOptions:
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+    automated:
+      prune: true
+      selfHeal: true
+  sources:
+  - repoURL: 'https://open-telemetry.github.io/opentelemetry-helm-charts'
+    targetRevision: 0.107.0
+    chart: opentelemetry-collector
+    helm:
+      values: |
+        mode: deployment
+        image:
+          repository: otel/opentelemetry-collector-k8s
+        config:
+          receivers:
+            prometheus/collector:
+              config:
+                scrape_configs:
+                  - job_name: 'opentelemetry-collector'
+                    static_configs:
+                      - targets:
+                         - ${env:MY_POD_IP}:8888
+            zipkin:
+              endpoint: ${env:MY_POD_IP}:9411
+          exporters:
+            otlp:
+              endpoint: "tempo.tempo.svc:4317"
+              tls:
+                insecure: true
+            otlphttp/metrics:
+              endpoint: http://prom-prometheus.prometheus:9090/api/v1/otlp
+              tls:
+                insecure: true
+            otlphttp/logs:
+              endpoint: http://loki-write-headless.loki:3100/otlp
+              tls:
+                insecure: true
+            debug/metrics:
+              verbosity: detailed
+            debug/traces:
+              verbosity: detailed
+            debug/logs:
+              verbosity: detailed
+          service:
+            telemetry:
+              logs:
+                level: "info"
+            pipelines:
+              traces:
+                receivers: [otlp,zipkin]
+                processors: [batch]
+                exporters: [otlp]
+                # exporters: [otlphttp/traces,debug/traces]
+              metrics:
+                receivers: [otlp,prometheus/collector]
+                processors: [batch]
+                exporters: [otlphttp/metrics]
+                # exporters: [otlphttp/metrics,debug/metrics]
+              logs:
+                receivers: [otlp]
+                processors: [batch]
+                exporters: [otlphttp/logs]
+                # exporters: [otlphttp/logs,debug/logs]
+        ports:
+          metrics:
+            enabled: true
+        # presets:
+        #   logsCollection:
+        #     enabled: true
+        ingress:
+          enabled: true
+          annotations:
+              cert-manager.io/cluster-issuer: letsencrypt-staging
+              nginx.ingress.kubernetes.io/ssl-redirect: "true"
+              atlantis.oceanbox.io/expose: internal
+          ingressClassName: nginx
+          hosts:
+            - host: collector.adm.oceanbox.io
+              paths:
+                - path: /
+                  pathType: Prefix
+                  port: 4318
+          tls:
+            - secretName: collector-tls
+              hosts:
+                - collector.adm.oceanbox.io

applications/osm-tile-server.yaml

@@ -22,9 +22,9 @@ spec:
         namespace: oceanbox
         server: '{{ cluster }}'
       source:
-        repoURL: https://gitlab.com/oceanbox/charts.git
+        repoURL: https://gitlab.com/oceanbox/manifests.git
         targetRevision: HEAD
-        path: manifests/osm-tile-server
+        path: kustomizations/osm-tile-server
         plugin:
           name: kustomize-helm-with-rewrite
           parameters:

applications/petimeter.yaml

@@ -29,7 +29,7 @@ spec:
       sources:
       - repoURL: https://gitlab.com/oceanbox/manifests.git
         targetRevision: main
-        path: manifests/petimeter
+        path: kustomizations/petimeter
         plugin:
           name: kustomize-helm-with-rewrite
           parameters:
@@ -39,7 +39,7 @@ spec:
             string: '{{ .hostname }}'
       - repoURL: https://gitlab.com/oceanbox/manifests.git
         targetRevision: main
-        path: manifests/petimeter/manifests
+        path: kustomizations/petimeter/manifests
   templatePatch: |
     {{- if .autoSync }}
     spec:

applications/rabbitmq.yaml

@@ -27,8 +27,8 @@ spec:
           chart: rabbitmq
           helm:
             valueFiles:
-              - $values/manifests/rabbitmq/values-{{ env }}.yaml
+              - $values/kustomizations/rabbitmq/values-{{ env }}.yaml
         - repoURL: https://gitlab.com/oceanbox/manifests.git
           targetRevision: main
-          path: manifests/rabbitmq/{{ env }}
+          path: kustomizations/rabbitmq/{{ env }}
           ref: values

applications/redis.yaml

@@ -9,10 +9,8 @@ spec:
       elements:
       - cluster: https://kubernetes.default.svc
         env: prod
-        hostname: redis.srv.oceanbox.io
       - cluster: https://kubernetes.default.svc
         env: staging
-        hostname: redis.beta.oceanbox.io
   template:
     metadata:
       name: '{{ env }}-redis'
@@ -22,25 +20,20 @@ spec:
         server: https://kubernetes.default.svc
         namespace: redis
       sources:
-        # - repoURL: https://charts.bitnami.com/bitnami
-        #   targetRevision: 18.9.1
-        #   chart: redis
-        #   helm:
-        #     valueFiles:
-        #       - $values/redis/values.yaml
-        # - repoURL: https://gitlab.com/oceanbox/manifests.git
-        #   targetRevision: HEAD
-        #   path: manifests/redis/{{ env }}
-        #   ref: values
+        - repoURL: https://charts.bitnami.com/bitnami
+          targetRevision: 19.5.2
+          chart: redis
+          helm:
+            valueFiles:
+              - $values/kustomizations/redis/values-{{ env }}.yaml
+        - repoURL: https://gitlab.com/oceanbox/manifests.git
+          targetRevision: HEAD
+          ref: values
         - repoURL: https://gitlab.com/oceanbox/manifests.git
           targetRevision: main
-          path: manifests/redis
-          plugin:
-            name: kustomize-helm-with-rewrite
-            parameters:
-            - name: env
-              string: '{{ env }}'
-            - name: hostname
-              string: '{{ hostname }}'
-            - name: chart
-              string: bitnami/redis
+          path: kustomizations/redis/{{ env }}
+      ignoreDifferences:
+        - group: apps
+          kind: StatefulSet
+          jqPathExpressions:
+            - '.spec.template.spec.containers[].resources.limits.cpu'

applications/seq.yaml

@@ -14,7 +14,7 @@ spec:
     chart: seq
     helm:
       valueFiles:
-        - $values/manifests/seq/values.yaml
+        - $values/kustomizations/seq/values.yaml
   - repoURL: https://gitlab.com/oceanbox/manifests.git
     targetRevision: main
     ref: values

applications/sorcerer.yaml

@@ -29,7 +29,7 @@ spec:
       sources:
       - repoURL: https://gitlab.com/oceanbox/manifests.git
         targetRevision: main
-        path: manifests/sorcerer
+        path: kustomizations/sorcerer
         plugin:
           name: kustomize-helm-with-rewrite
           parameters:

applications/tempo.yaml

@@ -0,0 +1,75 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: tempo
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    namespace: tempo
+    server: 'https://kubernetes.default.svc'
+  project: aux
+  syncPolicy:
+    # managedNamespaceMetadata:
+    #   labels:
+    #     component: aux
+    syncOptions:
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+    automated:
+      prune: true
+      selfHeal: true
+  sources:
+  - repoURL: 'https://grafana.github.io/helm-charts'
+    targetRevision: 1.10.3
+    chart: tempo
+    helm:
+      values: |
+        tempo:
+          storage:
+            trace:
+              backend: s3
+              s3:
+                bucket: tempo-traces
+                endpoint: http://10.255.241.30:30080
+                access_key: ${S3SECRET}
+                secret_key: ${S3KEY}
+                insecure: true
+              backend: local
+              local:
+                path: /var/tempo/traces
+              wal:
+                path: /var/tempo/wal
+          metricsGenerator:
+            enabled: true
+            remoteWriteUrl: "http://prom-prometheus.prometheus:9090/api/v1/write"
+          extraEnv:
+          - name: S3KEY
+            valueFrom:
+              secretKeyRef:
+                name: tempo-s3
+                key: AWS_ACCESS_KEY_ID
+          - name: S3SECRET
+            valueFrom:
+              secretKeyRef:
+                name: tempo-s3
+                key: AWS_ACCESS_KEY_SECRET
+        tempoQuery:
+          ingress:
+            enabled: true
+            ingressClassName: nginx
+            annotations:
+              cert-manager.io/cluster-issuer: letsencrypt-staging
+              nginx.ingress.kubernetes.io/ssl-redirect: "true"
+              atlantis.oceanbox.io/expose: internal
+            path: /
+            pathType: Prefix
+            hosts:
+              - query.tempo.adm.oceanbox.io
+            tls:
+             - secretName: tempo-query-tls
+               hosts:
+                 - query.tempo.adm.oceanbox.io

applications/yolo-dl.yaml

@@ -0,0 +1,14 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: yolo-dl
+  namespace: argocd
+spec:
+  project: aux
+  destination:
+    server: https://10.255.241.99:4443
+    namespace: oceanbox
+  sources:
+  - repoURL: https://gitlab.com/oceanbox/manifests.git
+    targetRevision: main
+    path: charts/yolo-dl

argo/staging-vcluster.yaml

@@ -1,16 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-  annotations:
-    managed-by: argocd.argoproj.io
-  labels:
-    argocd.argoproj.io/secret-type: cluster
-  name: cluster-staging-vcluster
-  namespace: argocd
-stringData:
-  config: |
-    {"bearerToken":"eyJhbGciOiJSUzI1NiIsImtpZCI6InhKNmNNemw4V01jR0cxUHJ4ajE3bTdQRDlKd1ZyQUQ0cDFPcXRuVDBFbWsifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJhZG1pbi10b2tlbiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJhZG1pbiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6ImUyNjQ2MDgzLTNjMDMtNDc0Ni1iMGIxLWViOGRmMzY3NTNiMiIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDprdWJlLXN5c3RlbTphZG1pbiJ9.hXQzh4mus2yPwXz-EyowgSpOKgOk7uDU8z-dH-sZJ-UgzxQFOxABfkjD4Kb4JYlXrr_zkMO7n_zkaDOl3iFDCDS2Pury7hsIlJNKETYk-_llH0RYI9DYzAB5PkeOyuKhmRq8eklynq5ObPtk7WVuj3Bp-64uSqfX-WvxqoE0dfh0erSVcU7BwwjRdeDnO01xzv5zXXAYkOmk6e5DGOLBdUMD8kDZE0_NEa-MKCVkl78sc2mCsOMOUhzXoCduvc92hfnoFEfoTKe7xHwLeUim4HvVfD9czXOpRtHKXgEsk0UGtj0xg7D70uftUIxpr4a8rbWceM4eyGtXpjPUm1mh1Q","tlsClientConfig":{"insecure":true}}
-  name: staging-vcluster
-  server: https://staging-vcluster.staging-vcluster
-type: Opaque
-

argocd/ekman.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+stringData:
+  config: |
+    {"bearerToken":"","tlsClientConfig":{"insecure":true}}
+  name: ekman
+  server: https://10.255.241.99:4443
+kind: Secret
+metadata:
+  labels:
+    argocd.argoproj.io/secret-type: cluster
+  name: cluster-10.255.241.99-4046803085
+  namespace: argocd
+type: Opaque
+

argocd/kustomize-helm-with-rewrite/Dockerfile

@@ -4,4 +4,4 @@ RUN mkdir -p /home/argocd/cmp-server/config/
 COPY plugin.yaml /home/argocd/cmp-server/config/
 
 WORKDIR /plugin
-COPY init.sh get-values.sh generate.sh ./
+COPY init-helm-repos.sh init.sh get-values.sh generate.sh ./

argocd/kustomize-helm-with-rewrite/generate.sh

@@ -1,23 +1,24 @@
 #!/bin/sh
 
-export HOME=/tmp
+export HOME=/helm-working-dir
 
 env > /tmp/$ARGOCD_APP_NAME.env
 
 echo "$ARGOCD_APP_PARAMETERS" | jq '.[] | select(.name == "helm-parameters") | .map' | yq -P -oy > parameters.yaml
 cp parameters.yaml /tmp/$ARGOCD_APP_NAME-parameters.yaml
 
-if [ -d chart ]; then
-    CHART=chart
-elif [ -f chart -a "$PARAM_CHART" = "." ]; then
-    CHART=$(cat chart)
-elif [ -n "$PARAM_CHART" ]; then
+if [ -n "$PARAM_CHART" -a "$PARAM_CHART" != "." ]; then
     CHART=$PARAM_CHART
+elif [ -d chart ]; then
+    CHART=chart
+elif [ -f chart ]; then
+    CHART=$(cat chart)
 else
     CHART="."
 fi
 
 [ -f chart/values.yaml ] && VALUES="-f chart/values.yaml"
+[ -f values-chart.yaml ] && VALUES="$VALUES -f values-chart.yaml"
 [ -f values.yaml ] && VALUES="$VALUES -f values.yaml"
 [ -f values-$PARAM_ENV.yaml ] && VALUES="$VALUES -f values-$PARAM_ENV.yaml"
 VALUES="$VALUES -f parameters.yaml"

argocd/kustomize-helm-with-rewrite/get-values.sh

@@ -2,6 +2,8 @@
 
 if [ -f values.yaml ]; then
     VALUES="values.yaml"
+elif [ -f values-chart.yaml ]; then
+    VALUES="values-chart.yaml"
 elif [ -f chart/values.yaml ]; then
     VALUES="chart/values.yaml"
 else

argocd/kustomize-helm-with-rewrite/init-helm-repos.sh

@@ -1,12 +1,15 @@
 #!/bin/sh
 
-export HOME=/tmp
+export HOME=/helm-working-dir
+
+helm repo add --username argocd-helm --password "$OCEANBOX_HELM_ACCESS_TOKEN" oceanbox \
+    https://gitlab.com/api/v4/projects/54396343/packages/helm/stable
 
 helm repo add bitnami https://charts.bitnami.com/bitnami
 helm repo add cerbos https://download.cerbos.dev/helm-charts
 helm repo add dapr https://dapr.github.io/helm-charts/
 helm repo add ncsa https://opensource.ncsa.illinois.edu/charts
 helm repo add dex https://charts.dexidp.io
+helm repo add openfga https://openfga.github.io/helm-charts
 
 helm repo update
-

argocd/kustomize-helm-with-rewrite/init.sh

@@ -0,0 +1,12 @@
+#!/bin/sh
+
+export HOME=/helm-working-dir
+
+helm repo update oceanbox
+
+if [ -n "$PARAM_CHART" -a "$PARAM_CHART" != "." ]; then
+    helm show values $PARAM_CHART > values-chart.yaml
+elif [ -f chart ]; then
+    CHART=$(cat chart)
+    helm show values $CHART > values-chart.yaml
+fi

argocd/staging-vcluster.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  annotations:
+    managed-by: argocd.argoproj.io
+  labels:
+    argocd.argoproj.io/secret-type: cluster
+  name: cluster-staging-vcluster
+  namespace: argocd
+stringData:
+  config: |
+    {"bearerToken":"","tlsClientConfig":{"insecure":true}}
+  name: staging-vcluster
+  server: https://staging-vcluster.staging-vcluster
+type: Opaque
+

charts/archmeister/Chart.yaml

@@ -12,8 +12,7 @@ description: Archive management for Atlantis
 type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
-version: v6.19.5
+version: v6.20.0
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application.
-appVersion: v6.19.5
-
+appVersion: v6.20.0

charts/archmeister/templates/deployment.yaml

@@ -84,8 +84,8 @@ spec:
         emptyDir: {}
       {{- end }}
       - name: appsettings
-        secret:
-          secretName: {{ template "Archmeister.fullname" . }}-appsettings
+        configMap:
+          name: {{ template "Archmeister.fullname" . }}-appsettings
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

charts/archmeister/values.yaml

@@ -5,7 +5,7 @@
 replicaCount: 1
 image:
   repository: registry.gitlab.com/oceanbox/oceanbox.dataagent
-  tag: v6.19.5
+  tag: v6.20.0
   pullPolicy: IfNotPresent
 init:
   enabled: false

charts/atlantis/Chart.lock

@@ -0,0 +1,6 @@
+dependencies:
+- name: redis
+  repository: https://charts.bitnami.com/bitnami
+  version: 20.1.7
+digest: sha256:9c9be148366bb3d50f7394ba5a33e1a00a087b5ed61d2bcf1faec9b369e76582
+generated: "2024-10-08T13:21:10.374993273+02:00"

charts/atlantis/Chart.yaml

@@ -1,18 +1,12 @@
 apiVersion: v2
 name: atlantis
 description: Atlantis map and simulation service
-# A chart can be either an 'application' or a 'library' chart.
-#
-# Application charts are a collection of templates that can be packaged into versioned archives
-# to be deployed.
-#
-# Library charts provide useful utilities or functions for the chart developer. They're included as
-# a dependency of application charts to inject those utilities and functions into the rendering
-# pipeline. Library charts do not define any templates and therefore cannot be deployed.
 type: application
-# This is the chart version. This version number should be incremented each time you make changes
-# to the chart and its templates, including the app version.
-version: v2.78.15
-# This is the version number of the application being deployed. This version number should be
-# incremented each time you make changes to the application.
-appVersion: v2.78.15
+version: v2.87.1
+appVersion: v2.87.1
+dependencies:
+  - name: redis
+    version: 20.1.7
+    repository: https://charts.bitnami.com/bitnami
+    condition: redis.enabled
+    alias: redis

charts/atlantis/templates/cluster.yaml

@@ -2,14 +2,15 @@
 apiVersion: postgresql.cnpg.io/v1
 kind: Cluster
 metadata:
-  name: {{ include "Atlantis.fullname" . }}
+  name: {{ include "Atlantis.fullname" . }}-db
+  namespace: {{ .Release.Namespace }}
   annotations:
     linkerd.io/inject: disabled
   labels:
     {{- include "Atlantis.labels" . | nindent 4 }}
 spec:
-  instances: {{ .Values.cluster.instances | default "2" }}
-
+  instances: {{ .Values.cluster.instances | default "1" }}
+  imageName: ghcr.io/cloudnative-pg/postgis:15-3.3
   # Example of rolling update strategy:
   # - unsupervised: automated update of the primary once all
   #                 replicas have been upgraded (default)
@@ -18,9 +19,36 @@ spec:
   primaryUpdateStrategy: unsupervised
   backup:
     retentionPolicy: {{ .Values.cluster.backupRetention | default "60d" }}
-
   storage:
     size: {{ .Values.cluster.size | default "5Gi" }}
+{{- with .Values.cluster.bootstrap }}
+  bootstrap:
+{{- if .enabled }}
+    pg_basebackup:
+      source: archmaester
+  externalClusters:
+  - name: archmaester
+    connectionParameters:
+      host: {{ .source.db }}-rw.{{ .source.namespace }}
+      user: streaming_replica
+      sslmode: verify-full
+    sslKey:
+      name: {{ .source.db }}-replication
+      key: tls.key
+    sslCert:
+      name: {{ .source.db }}-replication
+      key: tls.crt
+    sslRootCert:
+      name: {{ .source.db }}-ca
+      key: ca.crt
+{{- else }}
+    initdb:
+      postInitTemplateSQL:
+        - CREATE EXTENSION postgis;
+        - CREATE EXTENSION postgis_topology;
+        - CREATE EXTENSION fuzzystrmatch;
+        - CREATE EXTENSION postgis_tiger_geocoder;
+        - ALTER USER app WITH SUPERUSER;
+{{- end }}
+{{- end }}
 {{- end }}
-
-

charts/atlantis/templates/deployment.yaml

@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: {{ include "Atlantis.fullname" . }}
+  namespace: {{ .Release.Namespace }}
   labels:
     {{- include "Atlantis.labels" . | nindent 4 }}
 spec:
@@ -83,8 +84,8 @@ spec:
         emptyDir: {}
       {{- end }}
       - name: appsettings
-        secret:
-          secretName: {{ template "Atlantis.fullname" . }}-appsettings
+        configMap:
+          name: {{ template "Atlantis.fullname" . }}-appsettings
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

charts/atlantis/templates/hpa.yaml

@@ -3,6 +3,7 @@ apiVersion: autoscaling/v2beta1
 kind: HorizontalPodAutoscaler
 metadata:
   name: {{ include "Atlantis.fullname" . }}
+  namespace: {{ .Release.Namespace }}
   labels:
     {{- include "Atlantis.labels" . | nindent 4 }}
 spec:

charts/atlantis/templates/ingress.yaml

@@ -16,6 +16,7 @@ apiVersion: extensions/v1beta1
 kind: Ingress
 metadata:
   name: {{ $fullName }}
+  namespace: {{ .Release.Namespace }}
   labels:
     {{- include "Atlantis.labels" . | nindent 4 }}
   {{- with .Values.ingress.annotations }}

charts/atlantis/templates/networkpolicies.yaml

@@ -0,0 +1,26 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-atlantis-services
+  namespace: {{ .Release.Namespace }}
+spec:
+  egress:
+  - toEndpoints:
+    - matchLabels:
+        k8s:io.kubernetes.pod.namespace: dapr-system
+  - toEndpoints:
+    - matchLabels:
+        k8s:io.kubernetes.pod.namespace: {{ .Values.rabbitmq.namespace | default "rabbitmq" }}
+  - toEndpoints:
+    - matchLabels:
+        k8s:io.kubernetes.pod.namespace: {{ .Values.tracing.namespace | default "otel" }}
+  - toFQDNs:
+    - matchName: '*.oceanbox.io'
+    - matchName: api.github.com
+    - matchName: dapr.github.io
+    - matchName: gitlab.com
+    - matchPattern: '*.gitlab.com'
+    - matchPattern: "*.k1.itpartner.no"
+    - matchName: analytics.loft.rocks
+  endpointSelector:
+    matchLabels: {}

charts/atlantis/templates/pubsub.yaml

@@ -2,21 +2,21 @@ apiVersion: dapr.io/v1alpha1
 kind: Component
 metadata:
   name: pubsub
-  namespace: atlantis
+  namespace: {{ .Release.Namespace }}
 spec:
-  type: pubsub.rabbitmq
   version: v1
+  type: pubsub.rabbitmq
   metadata:
   - name: hostname
-    value: prod-rabbitmq.rabbitmq.svc
-  - name: protocol
-    value: amqp
+    value: {{ .Values.rabbitmq.service }}.{{ .Values.rabbitmq.namespace | default "rabbitmq" }}
   - name: username
-    value: user
+    value: {{ .Values.rabbitmq.username }}
   - name: password
     secretKeyRef:
-      name: prod-rabbitmq
+      name: {{ .Values.rabbitmq.secretName | default (printf "%s-rabbitmq" .Release.Name) }}
       key:  rabbitmq-password
+  - name: protocol
+    value: amqp
   - name: durable
     value: true
   - name: deletedWhenUnused
@@ -49,3 +49,6 @@ spec:
     value: 10485760
   - name: exchangeKind
     value: fanout
+  - name: clientName
+    value: "{appID}"
+

charts/atlantis/templates/pvc.yaml

@@ -3,6 +3,7 @@ kind: PersistentVolumeClaim
 apiVersion: v1
 metadata:
   name: {{ template "Atlantis.fullname" . }}
+  namespace: {{ .Release.Namespace }}
 {{- with .Values.persistence.annotations  }}
   annotations:
 {{ toYaml . | indent 4 }}

charts/atlantis/templates/secrets.yaml

@@ -0,0 +1,57 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  annotations:
+    kyverno/clone: "true"
+  name: {{ .Release.Name }}-rabbitmq
+  namespace: {{ .Release.Namespace }}
+type: Opaque
+data:
+---
+{{- if not .Values.redis.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+  annotations:
+    kyverno/clone: "true"
+  name: {{ .Release.Name }}-redis
+type: Opaque
+data:
+{{- end }}
+---
+{{- if not .Values.cluster.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+  annotations:
+    kyverno/clone: "true"
+  name: {{ include "Atlantis.fullname" . }}-db-superuser
+  namespace: {{ .Release.Namespace }}
+type: kubernetes.io/basic-auth
+data:
+  username:
+  password:
+{{- else }}
+apiVersion: v1
+kind: Secret
+metadata:
+  annotations:
+    kyverno/clone: "true"
+  name: {{ .Values.cluster.bootstrap.source.db }}-replication
+type: kubernetes.io/tls
+data:
+  tls.crt: ""
+  tls.key: ""
+---
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+  annotations:
+    kyverno/clone: "true"
+  name: {{ .Values.cluster.bootstrap.source.db }}-ca
+  namespace: {{ .Release.Namespace }}
+data:
+  ca.crt: ""
+  ca.key: ""
+{{- end }}

charts/atlantis/templates/service.yaml

@@ -2,6 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
   name: {{ include "Atlantis.fullname" . }}
+  namespace: {{ .Release.Namespace }}
   labels:
     {{- include "Atlantis.labels" . | nindent 4 }}
 spec:

charts/atlantis/templates/serviceaccount.yaml

@@ -3,6 +3,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ include "Atlantis.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
   labels:
     {{- include "Atlantis.labels" . | nindent 4 }}
   {{- with .Values.serviceAccount.annotations }}

charts/atlantis/templates/statestore.yaml

@@ -2,23 +2,21 @@ apiVersion: dapr.io/v1alpha1
 kind: Component
 metadata:
   name: statestore
-  namespace: atlantis
+  namespace: {{ .Release.Namespace }}
 spec:
   type: state.redis
   version: v1
   metadata:
   - name: redisHost
-    value: prod-redis-master.redis.svc:6379
+    value: {{ .Release.Name }}-redis-master:6379
   - name: redisUsername
     value: default
   - name: redisPassword
     secretKeyRef:
-      name: prod-redis
+      name: {{ .Release.Name }}-redis
       key:  redis-password
   - name: actorStateStore
     value: "true"
 scopes:
-  - prod-atlantis
-  - prod-petimeter
-  - prod-hipster
-  - prod-archmeister
+  - atlantis
+  - {{ .Release.Name }}-atlantis

charts/atlantis/templates/subscriptions.yaml

@@ -0,0 +1,31 @@
+apiVersion: dapr.io/v2alpha1
+kind: Subscription
+metadata:
+  name: hipster-events
+  namespace: {{ .Release.Namespace }}
+spec:
+  topic: hipster
+  routes:
+    default: /hipster-events
+  pubsubname: pubsub
+  metadata:
+    queueType: quorum
+scopes:
+- atlantis
+- {{ .Release.Name}}-atlantis
+---
+apiVersion: dapr.io/v2alpha1
+kind: Subscription
+metadata:
+  name: inbox-events
+  namespace: {{ .Release.Namespace }}
+spec:
+  topic: inbox
+  routes:
+    default: /inbox-events
+  pubsubname: pubsub
+  metadata:
+    queueType: quorum
+scopes:
+- atlantis
+- {{ .Release.Name}}-atlantis

charts/atlantis/templates/tracing.yaml

@@ -2,10 +2,10 @@ apiVersion: dapr.io/v1alpha1
 kind: Configuration
 metadata:
   name: tracing
-  namespace: atlantis
+  namespace: {{ .Release.Namespace }}
 spec:
   tracing:
     samplingRate: "1"
     zipkin:
-      endpointAddress: "http://jaeger-collector:9411/api/v2/spans"
+      endpointAddress: {{ .Values.tracing.endpoint }}
 

charts/atlantis/values.yaml

@@ -3,21 +3,28 @@
 # Declare variables to be passed into your templates.
 
 replicaCount: 1
+
 image:
   repository: registry.gitlab.com/oceanbox/atlantis
-  tag: v2.78.15
+  tag: v2.87.1
   pullPolicy: IfNotPresent
+
 init:
   enabled: false
   image: ubuntu:rolling
   command: ["/bin/sh", "-c", "true"]
+
 env:
   - name: LOG_LEVEL
     value: "3"
+
 imagePullSecrets:
   - name: gitlab-pull-secret
+
 nameOverride: ""
+
 fullnameOverride: ""
+
 serviceAccount:
   create: true
   # Annotations to add to the service account
@@ -25,9 +32,12 @@ serviceAccount:
   # The name of the service account to use.
   # If not set and create is true, a name is generated using the fullname template
   name: ""
+
 podAnnotations: {}
+
 podSecurityContext:
   fsGroup: 2000
+
 securityContext:
   capabilities:
     drop:
@@ -35,11 +45,13 @@ securityContext:
   readOnlyRootFilesystem: false
   runAsNonRoot: true
   runAsUser: 1000
+
 service:
   type: ClusterIP
   port: 8085
+
 ingress:
-  enabled: true
+  enabled: false
   className: "nginx"
   annotations:
     nginx.ingress.kubernetes.io/ssl-redirect: "true"
@@ -53,17 +65,71 @@ ingress:
     - hosts:
         - atlantis.srv.oceanbox.io
       secretName: atlantis-tls
+
 persistence:
   enabled: false
   size: 1G
   storageClass: ""
   accessMode: ReadWriteOnce
+
 cluster:
-  enabled: false
-  instances: 2
+  enabled: true
+  instances: 1
   backupEnabled: true
   backupRetention: 60d
   size: 5Gi
+  bootstrap:
+    enabled: true
+    source:
+      db: prod-archmeister
+      namespace: atlantis
+
+redis:
+  enabled: true
+  image:
+    repository: redis/redis-stack-server
+    tag: 7.2.0-v10
+  architecture: standalone
+  replica:
+    replicaCount: 1
+    command:
+      - "/opt/redis-stack/bin/redis-server"
+      - "--loadmodule"
+      - "/opt/redis-stack/lib/redisearch.so"
+      - "MAXSEARCHRESULTS"
+      - "10000"
+      - "MAXAGGREGATERESULTS"
+      - "10000"
+      - "--loadmodule"
+      - "/opt/redis-stack/lib/rejson.so"
+  auth:
+    enabled: true
+    sentinel: true
+    password: ""
+    usePasswordFiles: false
+    existingSecretPasswordKey: ""
+    # existingSecret: staging-redis
+  master:
+    resources:
+      limits:
+        cpu: null
+        ephemeral-storage: 1024Mi
+        memory: 192Mi
+      requests:
+        cpu: 150m
+        ephemeral-storage: 50Mi
+        memory: 128Mi
+
+tracing:
+  namespace: otel
+  endpoint: "http://opentelemetry-collector.otel:9411/api/v2/spans"
+
+rabbitmq:
+  namespace: rabbitmq
+  service: staging-rabbitmq
+  username: user
+  # secretName: staging-rabbitmq
+
 resources: {}
 # We usually recommend not to specify default resources and to leave this as a conscious
 # choice for the user. This also increases chances charts run on environments with little
@@ -82,6 +148,7 @@ autoscaling:
   maxReplicas: 100
   targetCPUUtilizationPercentage: 80
   # targetMemoryUtilizationPercentage: 80
+
 nodeSelector: {}
 tolerations: []
 affinity: {}

charts/hipster/Chart.yaml

@@ -12,7 +12,7 @@ description: A Helm chart for Kubernetes
 type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
-version: v2.6.4
+version: v2.7.0
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application.
-appVersion: v2.6.4
+appVersion: v2.7.0

charts/hipster/templates/deployment.yaml

@@ -81,8 +81,8 @@ spec:
         emptyDir: {}
       {{- end }}
       - name: appsettings
-        secret:
-          secretName: {{ template "Hipster.fullname" . }}-appsettings
+        configMap:
+          name: {{ template "Hipster.fullname" . }}-appsettings
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

charts/hipster/values.yaml

@@ -5,7 +5,7 @@
 replicaCount: 1
 image:
   repository: registry.gitlab.com/oceanbox/hipster
-  tag: v2.6.4
+  tag: v2.7.0
   pullPolicy: IfNotPresent
 init:
   enabled: false

charts/petimeter/Chart.yaml

@@ -12,7 +12,7 @@ description: A Helm chart for Kubernetes
 type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
-version: v1.9.8
+version: v1.9.9
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application.
-appVersion: v1.9.8
+appVersion: v1.9.9

charts/petimeter/base/deployment_patch.yaml

@@ -1,19 +0,0 @@
-- op: replace
-  path: /spec/template/spec/containers/0/livenessProbe/httpGet/path
-  value: /healthz
-- op: replace
-  path: /spec/template/spec/containers/0/readinessProbe/httpGet/path
-  value: /healthz
-- op: add
-  path: /spec/template/spec/containers/0/volumeMounts/-
-  value:
-    name: acl
-    mountPath: /app/acl.json
-    subPath: acl.json
-    readOnly: true
-- op: add
-  path: /spec/template/spec/volumes/-
-  value:
-    name: acl
-    configMap:
-      name: petimeter-acl

charts/petimeter/base/kustomization.yaml

@@ -1,16 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-namespace: oceanbox
-patches:
-  - target:
-      version: v1
-      group: apps
-      kind: Deployment
-      name: petimeter
-    path: deployment_patch.yaml
-# configMapGenerator:
-#   - name: petimeter-acl
-#     files:
-#       - acl.json
-resources:
-  - _manifest.yaml

charts/petimeter/templates/deployment.yaml

@@ -84,8 +84,8 @@ spec:
         emptyDir: {}
       {{- end }}
       - name: appsettings
-        secret:
-          secretName: {{ template "Petimeter.fullname" . }}-appsettings
+        configMap:
+          name: {{ template "Petimeter.fullname" . }}-appsettings
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

charts/petimeter/values.yaml

@@ -5,7 +5,7 @@
 replicaCount: 1
 image:
   repository: registry.gitlab.com/oceanbox/petimeter
-  tag: v1.9.8
+  tag: v1.9.9
   pullPolicy: IfNotPresent
 init:
   enabled: false

charts/sorcerer/Chart.yaml

@@ -12,7 +12,7 @@ description: A Helm chart for Kubernetes
 type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
-version: v4.7.7
+version: v4.9.0
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application.
-appVersion: v4.7.7
+appVersion: v4.9.0

charts/sorcerer/templates/deployment.yaml

@@ -84,8 +84,8 @@ spec:
         emptyDir: {}
       {{- end }}
       - name: appsettings
-        secret:
-          secretName: {{ template "Sorcerer.fullname" . }}-appsettings
+        configMap:
+          name: {{ template "Sorcerer.fullname" . }}-appsettings
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

charts/sorcerer/values.yaml

@@ -5,7 +5,7 @@
 replicaCount: 1
 image:
   repository: registry.gitlab.com/oceanbox/sorcerer
-  tag: v4.7.7
+  tag: v4.9.0
   pullPolicy: IfNotPresent
 init:
   enabled: false

charts/vcluster/templates/jaeger.yaml

@@ -1,14 +0,0 @@
-apiVersion: jaegertracing.io/v1
-kind: Jaeger
-metadata:
-  name: jaeger
-  namespace: {{ .Release.Namespace }}
-spec:
-  strategy: allInOne
-  ingress:
-    enabled: false
-  allInOne:
-    image: jaegertracing/all-in-one:1.22
-    options:
-      query:
-        base-path: /jaeger

charts/vcluster/templates/rbac.yaml

@@ -11,16 +11,3 @@ subjects:
 - kind: ServiceAccount
   namespace: {{ $fullname }}
   name: {{ $fullname }}
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: vcluster-jaegers
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: vcluster-jaegers
-subjects:
-- kind: ServiceAccount
-  namespace: {{ $fullname }}
-  name: {{ $fullname }}

charts/vcluster/templates/vcluster.yaml

@@ -69,8 +69,10 @@ spec:
               to: "rabbitmq/{{ .Values.environment }}-rabbitmq"
             - from: "{{ .Release.Namespace }}/staging-archmeister-rw"
               to: "atlantis/staging-archmeister-rw"
-            - from: "{{ .Release.Namespace }}/jaeger-collector"
-              to: "atlantis/jaeger-collector"
+            - from: "idp/{{ .Values.environment }}-openfga"
+              to: "idp/{{ .Values.environment }}-openfga"
+            - from: "otel/opentelemetry-collector"
+              to: "otel/opentelemetry-collector"
             - from: "idp/{{ .Values.environment }}-cerbos"
               to: "idp/{{ .Values.environment }}-cerbos"
           sync:
@@ -94,9 +96,6 @@ spec:
                   - apiGroups: [ "cilium.io" ]
                     resources: [ "ciliumnetworkpolicies" ]
                     verbs: [ "get", "list", "watch", "create", "patch" ]
-                  # - apiGroups: [ "jaegertracing.io" ]
-                  #   resources: [ "jaegers" ]
-                  #   verbs: [ "get", "list", "watch", "create", "patch" ]
               config: |-
                 version: v1beta1
                 import:
@@ -110,15 +109,11 @@ spec:
                 #   apiVersion: dapr.io/v1alpha1
                 # - kind: Subscription
                 #   apiVersion: dapr.io/v1alpha1
-                # - kind: Jaeger
-                #   apiVersion: jaegertracing.io/v1
                 # - kind: CiliumNetworkPolicy
                 #   apiVersion: cilium.io/v2
                 export:
                 - kind: CiliumNetworkPolicy
                   apiVersion: cilium.io/v2
-                # - kind: Jaeger
-                #   apiVersion: jaegertracing.io/v1
           init:
             manifests: |-
               ---
@@ -161,6 +156,13 @@ spec:
                 annotations:
                   kubernetes.io/service-account.name: admin
               type: kubernetes.io/service-account-token
+              ---
+              apiVersion: v1
+              kind: Namespace
+              metadata:
+                labels:
+                  kubernetes.io/metadata.name: atlantis
+                name: atlantis
 
             # The contents of manifests-template will be templated using helm
             # this allows you to use helm values inside, e.g.: {{ .Release.Name }}
@@ -172,7 +174,7 @@ spec:
             helm:
               - chart:
                   name: dapr
-                  version: 1.13.3
+                  version: 1.14.0
                   repo: https://dapr.github.io/helm-charts/
                 release:
                   name: dapr

charts/yolo-dl/deployment.yaml

@@ -0,0 +1,49 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: yolo-dl
+  name: yolo-dl
+  namespace: oceanbox
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: yolo-dl
+  strategy:
+    rollingUpdate:
+      maxSurge: 25%
+      maxUnavailable: 25%
+    type: RollingUpdate
+  template:
+    metadata:
+      labels:
+        app: yolo-dl
+    spec:
+      containers:
+      - command:
+        - /bin/sh
+        - -c
+        - httpd -p 8000 -f
+        image: busybox:latest
+        imagePullPolicy: IfNotPresent
+        name: yolo-dl
+        ports:
+        - containerPort: 8000
+          protocol: TCP
+        resources: {}
+        terminationMessagePath: /dev/termination-log
+        terminationMessagePolicy: File
+        volumeMounts:
+        - mountPath: /data
+          name: data
+        workingDir: /data
+      dnsPolicy: ClusterFirst
+      restartPolicy: Always
+      securityContext: {}
+      terminationGracePeriodSeconds: 30
+      volumes:
+      - name: data
+        persistentVolumeClaim:
+          claimName: yolo-dl-data
+

charts/yolo-dl/pv.yaml

@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: pv-yolo-dl
+spec:
+  accessModes:
+  - ReadWriteMany
+  capacity:
+    storage: 1Gi
+  csi:
+    driver: rook-ceph.cephfs.csi.ceph.com
+    nodeStageSecretRef:
+      name: rook-csi-cephfs-node
+      namespace: rook-ceph
+    volumeAttributes:
+      fsName: data
+      clusterID: rook-ceph
+      staticVolume: "true"
+      rootPath: /ssd/dl
+    volumeHandle: pv-yolo-dl
+  persistentVolumeReclaimPolicy: Retain
+  volumeMode: Filesystem

charts/yolo-dl/pvc.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: yolo-dl-data
+  namespace: oceanbox
+spec:
+  accessModes:
+  - ReadWriteMany
+  resources:
+    requests:
+      storage: 1Gi
+  storageClassName: ""
+  volumeMode: Filesystem
+  volumeName: pv-yolo-dl

kustomizations/archmeister/prod/kustomization.yaml

@@ -1,9 +1,10 @@
 generatorOptions:
   disableNameSuffixHash: true
-secretGenerator:
+configMapGenerator:
 - name: prod-archmeister-appsettings
   files:
   - appsettings.json
+secretGenerator:
 - name: prod-archmeister-env
   envs:
   - default.env

kustomizations/archmeister/staging/ingress_patch.yaml

@@ -0,0 +1,6 @@
+- op: replace
+  path: /spec/rules/0/http/paths/0/path
+  value: /internal
+- op: add
+  path: /metadata/annotations/nginx.ingress.kubernetes.io~1whitelist-source-range
+  value: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16

kustomizations/archmeister/staging/kustomization.yaml

@@ -1,9 +1,10 @@
 generatorOptions:
   disableNameSuffixHash: true
-secretGenerator:
+configMapGenerator:
 - name: staging-archmeister-appsettings
   files:
     - appsettings.json
+secretGenerator:
 - name: staging-archmeister-env
   envs:
   - default.env

kustomizations/archmeister/values-prod.yaml

@@ -1,3 +1,5 @@
+replicaCount: 2
+
 podAnnotations:
   dapr.io/app-id: "prod-archmeister"
   dapr.io/enabled: "true"

kustomizations/archmeister/values-staging.yaml

@@ -1,3 +1,4 @@
+replicaCount: 1
 podAnnotations:
   dapr.io/app-id: "staging-archmeister"
   dapr.io/enabled: "true"
@@ -14,13 +15,12 @@ podAnnotations:
   dapr.io/sidecar-cpu-limit: "300m"
   dapr.io/sidecar-memory-limit: "1000Mi"
   dapr.io/log-as-json: "true"
-
 image:
-  tag: f8c27a74-debug
+  tag: 16390a0c-debug
 ingress:
   annotations:
     cert-manager.io/cluster-issuer: letsencrypt-production
-    atlantis.oceanbox.io/expose: global
+    # atlantis.oceanbox.io/expose: internal
   hosts:
     - host: archmeister.beta.oceanbox.io
       paths:

kustomizations/atlantis/prod/appsettings.json

@@ -15,10 +15,10 @@
             "profile"
         ]
     },
+    "redis": "prod-redis-master.redis.svc,user=default,password=secret",
     "sso": {
         "cookieDomain": ".oceanbox.io",
         "signedOutRedirectUri": "https://idp.oceanbox.io/dex/static/logout.html",
-        "redis": "prod-redis-master.redis.svc,user=default,password=secret",
         "appDomain": "atlantis",
         "dataProtectionKeys": "DataProtection-Keys"
     },
@@ -32,5 +32,6 @@
     ],
     "logService" : "https://seq.adm.oceanbox.io",
     "logApiKey": "",
-    "deployEnv": "prod"
+    "deployEnv": "prod",
+    "plainAuthUsers": []
 }

kustomizations/atlantis/prod/default.env

@@ -1,2 +1,3 @@
 OIDC_CLIENT_SECRET=KOJ6bDHzE5vdyfSrzgwLjtM5PzA809Zm
 SEQ_APIKEY=v9RfeLBD9Si7OkFlkjPm
+DEPLOY_NAME=prod-atlantis

kustomizations/atlantis/prod/kustomization.yaml

@@ -1,9 +1,10 @@
 generatorOptions:
   disableNameSuffixHash: true
-secretGenerator:
+configMapGenerator:
 - name: prod-atlantis-appsettings
   files:
     - appsettings.json
+secretGenerator:
 - name: prod-atlantis-env
   envs:
   - default.env

kustomizations/atlantis/prod/subscriptions.yaml

@@ -1,23 +1,25 @@
-apiVersion: dapr.io/v1alpha1
+apiVersion: dapr.io/v2alpha1
 kind: Subscription
 metadata:
   name: hipster-events
 spec:
   topic: hipster
-  route: /hipster-events
+  routes:
+    default: /hipster-events
   pubsubname: pubsub
   metadata:
     queueType: quorum
 scopes:
 - prod-atlantis
 ---
-apiVersion: dapr.io/v1alpha1
+apiVersion: dapr.io/v2alpha1
 kind: Subscription
 metadata:
   name: inbox-events
 spec:
   topic: inbox
-  route: /inbox-events
+  routes:
+    default: /inbox-events
   pubsubname: pubsub
   metadata:
     queueType: quorum

kustomizations/atlantis/staging/appsettings.json

@@ -15,10 +15,10 @@
             "profile"
         ]
     },
+    "redis": "staging-redis-master.redis.svc,user=default,password=secret",
     "sso": {
         "cookieDomain": ".oceanbox.io",
         "signedOutRedirectUri": "https://idp.oceanbox.io/dex/static/logout.html",
-        "redis": "staging-redis-master.redis.svc,user=default,password=secret",
         "appDomain": "atlantis",
         "dataProtectionKeys": "DataProtection-Keys"
     },
@@ -30,5 +30,6 @@
     ],
     "logService" : "https://seq.adm.oceanbox.io",
     "logApiKey": "",
-    "deployEnv": "staging"
+    "deployEnv": "staging",
+    "plainAuthUsers": []
 }

kustomizations/atlantis/staging/default.env

@@ -1,2 +1,3 @@
 OIDC_CLIENT_SECRET=3QjfSPmAemjn34XVA2o1fvoS7I4gKvOR
 SEQ_APIKEY=v9RfeLBD9Si7OkFlkjPm
+DEPLOY_NAME=staging-atlantis