From 9e56811a8f8a2ee464534932149f3aaa8007bcdc Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Moritz=20J=C3=B6rg?= Date: Tue, 10 Jun 2025 20:06:01 +0200 Subject: [PATCH] chore: Checkout of previous helm config for atlantis, openfga, redis and rabbitmq --- values/atlantis/base/acl.json | 331 ++++++++++++++++++ values/atlantis/base/defaultbackend.yaml | 9 + values/atlantis/base/deployment_patch.yaml | 9 + values/atlantis/base/ingress_patch.yaml | 10 + values/atlantis/base/kustomization.yaml | 16 + values/atlantis/base/service_patch.yaml | 7 + values/atlantis/chart | 1 + values/atlantis/prod/appsettings.json | 96 +++++ values/atlantis/prod/barentswatch-api.env | 2 + values/atlantis/prod/bindings.yaml | 22 ++ values/atlantis/prod/configurations.yaml | 20 ++ values/atlantis/prod/default.env | 1 + values/atlantis/prod/deployment_patch.yaml | 10 + values/atlantis/prod/keyvault.yaml | 22 ++ values/atlantis/prod/kustomization.yaml | 24 ++ values/atlantis/prod/pubsub.yaml | 52 +++ values/atlantis/prod/rbac.yaml | 39 +++ values/atlantis/prod/redis.yaml | 23 ++ values/atlantis/prod/secrets.yaml | 9 + values/atlantis/prod/secretstore.yaml | 10 + values/atlantis/prod/statestore.yaml | 22 ++ values/atlantis/prod/subscriptions.yaml | 27 ++ values/atlantis/prod/tracing.yaml | 11 + values/atlantis/staging/appsettings.json | 97 +++++ values/atlantis/staging/auth | 1 + values/atlantis/staging/barentswatch-api.env | 2 + values/atlantis/staging/bindings.yaml | 22 ++ values/atlantis/staging/configuration.yaml | 20 ++ values/atlantis/staging/configurations.yaml | 20 ++ values/atlantis/staging/default.env | 1 + values/atlantis/staging/deployment_patch.yaml | 10 + values/atlantis/staging/keyvault.yaml | 22 ++ values/atlantis/staging/kustomization.yaml | 24 ++ values/atlantis/staging/pubsub.yaml | 52 +++ values/atlantis/staging/rbac.yaml | 40 +++ values/atlantis/staging/redis.yaml | 23 ++ values/atlantis/staging/secrets.yaml | 36 ++ values/atlantis/staging/secretstore.yaml | 10 + values/atlantis/staging/statestore.yaml | 22 ++ 
values/atlantis/staging/subscriptions.yaml | 27 ++ values/atlantis/staging/tracing.yaml | 11 + values/atlantis/values-prod.yaml | 79 +++++ values/atlantis/values-staging.yaml | 102 ++++++ values/atlantis/values.yaml | 12 + values/openfga/migration-job.yaml | 41 +++ values/openfga/postgres-secret.yaml | 19 + values/openfga/values-prod.yaml | 57 +++ values/openfga/values-staging.yaml | 78 +++++ values/rabbitmq/prod/nodeport.yaml | 22 ++ values/rabbitmq/staging/nodeport.yaml | 22 ++ values/rabbitmq/values-prod.yaml | 32 ++ values/rabbitmq/values-staging.yaml | 38 ++ values/redis/prod/nodeport.yaml | 17 + values/redis/staging/nodeport.yaml | 17 + values/redis/values-prod.yaml | 37 ++ values/redis/values-staging.yaml | 37 ++ 56 files changed, 1823 insertions(+) create mode 100644 values/atlantis/base/acl.json create mode 100644 values/atlantis/base/defaultbackend.yaml create mode 100644 values/atlantis/base/deployment_patch.yaml create mode 100644 values/atlantis/base/ingress_patch.yaml create mode 100644 values/atlantis/base/kustomization.yaml create mode 100644 values/atlantis/base/service_patch.yaml create mode 120000 values/atlantis/chart create mode 100644 values/atlantis/prod/appsettings.json create mode 100644 values/atlantis/prod/barentswatch-api.env create mode 100644 values/atlantis/prod/bindings.yaml create mode 100644 values/atlantis/prod/configurations.yaml create mode 100644 values/atlantis/prod/default.env create mode 100644 values/atlantis/prod/deployment_patch.yaml create mode 100644 values/atlantis/prod/keyvault.yaml create mode 100644 values/atlantis/prod/kustomization.yaml create mode 100644 values/atlantis/prod/pubsub.yaml create mode 100644 values/atlantis/prod/rbac.yaml create mode 100644 values/atlantis/prod/redis.yaml create mode 100644 values/atlantis/prod/secrets.yaml create mode 100644 values/atlantis/prod/secretstore.yaml create mode 100644 values/atlantis/prod/statestore.yaml create mode 100644 values/atlantis/prod/subscriptions.yaml create 
mode 100644 values/atlantis/prod/tracing.yaml create mode 100644 values/atlantis/staging/appsettings.json create mode 100644 values/atlantis/staging/auth create mode 100644 values/atlantis/staging/barentswatch-api.env create mode 100644 values/atlantis/staging/bindings.yaml create mode 100644 values/atlantis/staging/configuration.yaml create mode 100644 values/atlantis/staging/configurations.yaml create mode 100644 values/atlantis/staging/default.env create mode 100644 values/atlantis/staging/deployment_patch.yaml create mode 100644 values/atlantis/staging/keyvault.yaml create mode 100644 values/atlantis/staging/kustomization.yaml create mode 100644 values/atlantis/staging/pubsub.yaml create mode 100644 values/atlantis/staging/rbac.yaml create mode 100644 values/atlantis/staging/redis.yaml create mode 100644 values/atlantis/staging/secrets.yaml create mode 100644 values/atlantis/staging/secretstore.yaml create mode 100644 values/atlantis/staging/statestore.yaml create mode 100644 values/atlantis/staging/subscriptions.yaml create mode 100644 values/atlantis/staging/tracing.yaml create mode 100644 values/atlantis/values-prod.yaml create mode 100644 values/atlantis/values-staging.yaml create mode 100644 values/atlantis/values.yaml create mode 100644 values/openfga/migration-job.yaml create mode 100644 values/openfga/postgres-secret.yaml create mode 100644 values/openfga/values-prod.yaml create mode 100644 values/openfga/values-staging.yaml create mode 100644 values/rabbitmq/prod/nodeport.yaml create mode 100644 values/rabbitmq/staging/nodeport.yaml create mode 100644 values/rabbitmq/values-prod.yaml create mode 100644 values/rabbitmq/values-staging.yaml create mode 100644 values/redis/prod/nodeport.yaml create mode 100644 values/redis/staging/nodeport.yaml create mode 100644 values/redis/values-prod.yaml create mode 100644 values/redis/values-staging.yaml 
diff --git a/values/atlantis/base/acl.json b/values/atlantis/base/acl.json
new file mode 100644
index 00000000..bd89d80b
--- /dev/null
+++ b/values/atlantis/base/acl.json
@@ -0,0 +1,331 @@ +[ + { + "domain": "oceanbox.io", + "access": [ + { + "matching": ".*@oceanbox.io", + "group": "/oceanbox", + "roles": [ "admin" ], + "capabilities": [ + "run:*" + ] + } + ] + }, + { + "domain": "salmar.no", + "access": [ + { + "matching": ".*@salmar.no", + "group": "/salmar", + "roles": [ "user" ], + "capabilities": [ + "run:transport", + "run:sedimentation" + ] + } + ] + }, + { + "domain": "leroy.no", + "access": [ + { + "matching": "karstein@leroy.no", + "group": "/oceanbox", + "roles": [ "admin" ], + "capabilities": [ "run:*" ] + }, + { + "matching": ".*@leroy.no", + "group": "/leroy", + "roles": [ "user" ], + "capabilities": [ + "run:transport", + "run:sedimentation" + ] + } + ] + }, + { + "domain": "serit.no", + "access": [ + { + "matching": ".*@tromso.serit.no", + "group": "/oceanbox", + "roles": [ "admin" ], + "capabilities": [] + } + ] + }, + { + "domain": "aqua-kompetanse.no", + "access": [ + { + "matching": ".*@aqua-kompetanse.no", + "group": "/aqua-kompetanse", + "roles": [ "user" ], + "capabilities": [ + "run:transport", + "run:sedimentation" + ] + } + ] + }, + { + "domain": "kelpinor.no", + "access": [ + { + "matching": ".*@kelpinor.no", + "group": "/kelpinor", + "roles": [ "user" ], + "capabilities": [ + "run:transport", + "run:sedimentation" + ] + } + ] + }, + { + "domain": "bkmanimalhealth.com", + "access": [ + { + "matching": ".*@bkmanimalhealth.com", + "group": "/bkmanimalhealth", + "roles": [ "user" ], + "capabilities": [ + "run:transport", + "run:sedimentation" + ] + } + ] + }, + { + "domain": "uio.no", + "access": [ + { + "matching": ".*@geo.uio.no", + "group": "/demo", + "roles": [ "user" ], + "capabilities": [ + "run:transport", + "run:sedimentation" + ] + } + ] + }, + { + "domain": "nord.no", + "access": [ + { + "matching": ".*@.*.nord.no", + "group": "/uni-nord", + "roles": [ "user" ], + "capabilities": [ + "run:transport", + "run:sedimentation" + ] + } + ] + }, + { + "domain": "argusmiljo.no", + "access": [ + { + 
"matching": ".*@argusmiljo.no", + "group": "/argusmiljo", + "roles": [ "user" ], + "capabilities": [ + "run:transport", + "run:sedimentation" + ] + } + ] + }, + { + "domain": "bakkafrost.com", + "access": [ + { + "matching": ".*@bakkafrost.com", + "group": "/bakkafrost", + "roles": [ "user" ], + "capabilities": [ + "run:transport", + "run:sedimentation" + ] + } + ] + }, + { + "domain": "multiconsult.no", + "access": [ + { + "matching": ".*@multiconsult.no", + "group": "/multiconsult", + "roles": [ "user" ], + "capabilities": [ + "run:transport", + "run:sedimentation" + ] + } + ] + }, + { + "domain": "kpmg.no", + "access": [ + { + "matching": ".*@kpmg.no", + "group": "/kpmg", + "roles": [ "user" ], + "capabilities": [ + "run:transport", + "run:sedimentation" + ] + } + ] + }, + { + "domain": "synfaring.no", + "access": [ + { + "matching": ".*@synfaring.no", + "group": "/synfaring", + "roles": [ "user" ], + "capabilities": [ + "run:transport", + "run:sedimentation" + ] + } + ] + }, + { + "domain": "boehareide.no", + "access": [ + { + "matching": ".*@boehareide.no", + "group": "/boehareide", + "roles": [ "user" ], + "capabilities": [ + "run:transport", + "run:sedimentation" + ] + } + ] + }, + { + "domain": "sinkaberg.no", + "access": [ + { + "matching": ".*@sinkaberg.no", + "group": "/sinkaberg", + "roles": [ "user" ], + "capabilities": [ + "run:transport", + "run:sedimentation" + ] + } + ] + }, + { + "domain": "akerbla.no", + "access": [ + { + "matching": ".*@akerbla.no", + "group": "/akerbla", + "roles": [ "user" ], + "capabilities": [ + "run:transport" + ] + } + ] + }, + { + "domain": "nr.no", + "access": [ + { + "matching": ".*@nr.no", + "group": "/nr", + "roles": [ "user" ], + "capabilities": [ + "run:transport" + ] + } + ] + }, + { + "domain": "sjomatnorge.no", + "access": [ + { + "matching": ".*@sjomatnorge.no", + "group": "/sjomatnorge", + "roles": [ "user" ], + "capabilities": [ + "run:transport" + ] + } + ] + }, + { + "domain": "tatidentilbake.no", + 
"access": [ + { + "matching": ".*@tatidentilbake.no", + "group": "/tatidentilbake", + "roles": [ "user" ], + "capabilities": [ + "run:transport" + ] + } + ] + }, + { + "domain": "oceandata.earth", + "access": [ + { + "matching": ".*@oceandata.earth", + "group": "/hubocean", + "roles": [ "user" ], + "capabilities": [ + "run:transport", + "run:sedimentation" + ] + } + ] + }, + { + "domain": "masoval.no", + "access": [ + { + "matching": ".*@masoval.no", + "group": "/masoval", + "roles": [ "user" ], + "capabilities": [ + "run:transport", + "run:sedimentation" + ] + } + ] + }, + { + "domain": "gmail.com", + "access": [ + { + "matching": "jonas.juselius@gmail.com", + "group": "/bakkafrost", + "roles": [ "user" ], + "capabilities": [ + "run:transport", + "run:sedimentation" + ] + }, + { + "matching": ".*@gmail.com", + "group": "/demo", + "roles": [ "user" ], + "capabilities": [ + "run:transport", + "run:sedimentation" + ] + } + ] + } +] diff --git a/values/atlantis/base/defaultbackend.yaml b/values/atlantis/base/defaultbackend.yaml new file mode 100644 index 00000000..4e5b177c --- /dev/null +++ b/values/atlantis/base/defaultbackend.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: Service +metadata: + name: defaultbackend +spec: + type: ExternalName + externalName: main-ingress-nginx-defaultbackend.ingress-nginx.svc.cluster.local + ports: + - port: 80 \ No newline at end of file diff --git a/values/atlantis/base/deployment_patch.yaml b/values/atlantis/base/deployment_patch.yaml new file mode 100644 index 00000000..44752fa1 --- /dev/null +++ b/values/atlantis/base/deployment_patch.yaml @@ -0,0 +1,9 @@ +- op: replace + path: /spec/template/spec/containers/0/livenessProbe/httpGet/path + value: /healthz +- op: replace + path: /spec/template/spec/containers/0/readinessProbe/httpGet/path + value: /healthz +- op: add + path: /spec/template/spec/containers/0/envFrom + value: [] \ No newline at end of file 
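Review bot: The `matching` patterns in this file are unanchored regexes with unescaped dots, so `.*@oceanbox.io` (an `admin` rule at the top of the hunk) also matches any address that merely contains that text, and `.` accepts any character where a literal dot is intended; unless the evaluator applies a full match, a longer or look-alike domain satisfies the rule. Anchor and escape every pattern, e.g. `"matching": "^.*@oceanbox\\.io$"`, and give the same treatment to `.*@tromso.serit.no`, which also maps to `admin`. The `.*@gmail.com` entry at the end of the hunk grants `/demo` access to every gmail address; if that is deliberate it is worth recording in the repo docs, since JSON cannot carry a comment. Whether `domain` is checked independently of `matching` is not visible here.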
diff --git a/values/atlantis/base/ingress_patch.yaml b/values/atlantis/base/ingress_patch.yaml new file mode 100644 index 00000000..18723a63 --- /dev/null +++ b/values/atlantis/base/ingress_patch.yaml @@ -0,0 +1,10 @@ +- op: add + path: /spec/rules/0/http/paths/- + value: + path: /events + pathType: ImplementationSpecific + backend: + service: + name: defaultbackend + port: + number: 80 diff --git a/values/atlantis/base/kustomization.yaml b/values/atlantis/base/kustomization.yaml new file mode 100644 index 00000000..166df33c --- /dev/null +++ b/values/atlantis/base/kustomization.yaml @@ -0,0 +1,16 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +patches: + - target: + version: v1 + group: apps + kind: Deployment + path: deployment_patch.yaml + - target: + group: networking.k8s.io + version: v1 + kind: Ingress + path: ingress_patch.yaml +resources: + - _manifest.yaml + - defaultbackend.yaml diff --git a/values/atlantis/base/service_patch.yaml b/values/atlantis/base/service_patch.yaml new file mode 100644 index 00000000..ccfa03cc --- /dev/null +++ b/values/atlantis/base/service_patch.yaml @@ -0,0 +1,7 @@ +- op: add + path: /spec/ports/- + value: + name: intra + port: 8000 + protocol: TCP + targetPort: 8000 diff --git a/values/atlantis/chart b/values/atlantis/chart new file mode 120000 index 00000000..f0d03fc1 --- /dev/null +++ b/values/atlantis/chart @@ -0,0 +1 @@ +../../charts/atlantis \ No newline at end of file diff --git a/values/atlantis/prod/appsettings.json b/values/atlantis/prod/appsettings.json new file mode 100644 index 00000000..dc76aae8 --- /dev/null +++ b/values/atlantis/prod/appsettings.json 
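Review bot: The `/events` rule added here points the Dapr callback routes (`/events/slurm`, `/events/hipster`, `/events/inbox` in the prod and staging components) at an ExternalName default backend, which presumably keeps them off the public ingress; whether `pathType: ImplementationSpecific` also covers the `/events/...` subpaths and wins over the chart's own rule depends on the ingress controller's matching, which is not visible here. Treat this as one layer only: a `dapr-api-token` Secret is already declared in staging/secrets.yaml, and enabling the Dapr app API token plus a NetworkPolicy that only admits the sidecar makes the routes safe regardless of path matching. A comment on the patch would make the intent explicit, e.g. `# route /events* to the 404 backend so Dapr callback endpoints are not reachable through the ingress`.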
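Review bot: `resources` in base/kustomization.yaml lists `_manifest.yaml`, which this commit does not add; presumably it is rendered from the `chart` symlink by a pipeline step, but nothing in the diff says so, and `kustomize build` on a fresh checkout fails on the missing file. Document the contract next to the entry, e.g. `# _manifest.yaml is rendered from ../chart before kustomize runs`, and ignore it in git if it is generated.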
@@ -0,0 +1,96 @@ +{ + "oidc": { + "issuer": "https://auth.oceanbox.io/realms/oceanbox", + "authorization_endpoint": "https://auth.oceanbox.io/realms/oceanbox/protocol/openid-connect/auth", + "token_endpoint": "https://auth.oceanbox.io/realms/oceanbox/protocol/openid-connect/token", + "jwks_uri": "https://auth.oceanbox.io/realms/oceanbox/protocol/openid-connect/certs", + "userinfo_endpoint": "https://auth.oceanbox.io/realms/oceanbox/protocol/openid-connect/userinfo", + "end_session_endpoint": "https://auth.oceanbox.io/realms/oceanbox/protocol/openid-connect/logout", + "device_authorization_endpoint": "https://auth.oceanbox.io/realms/oceanbox/protocol/openid-connect/auth/device", + "clientId": "atlantis", + "clientSecret": "", + "scopes": [ + "openid", + "email", + "offline_access", + "profile" + ], + "audiences": [ + "atlantis", + "atlantis_dev", + "sorcerer", + "sorcerer_dev" + ] + }, + "sso": { + "cookieDomain": ".oceanbox.io", + "cookieName": ".obx.prod", + "ttl": 12.0, + "signedOutRedirectUri": "https://maps.beta.oceanbox.io", + "realm": "atlantis", + "environment": "prod", + "keyStore": { + "kind": "azure", + "uri": "https://atlantis.blob.core.windows.net", + "key": "dataprotection-keys" + }, + "keyVault": { + "kind": "azure", + "uri": "https://atlantisvault.vault.azure.net", + "key": "dataencryption-keys" + } + }, + "fga": { + "apiUrl": "http://prod-openfga.openfga.svc.cluster.local:8080", + "apiKey": "", + "storeId": "01JKTZXMP7ANN4GG2P5W8Y56M6", + "modelId": "01JKTZYMCZZBVSBG66W27XMW0A" + }, + "plainAuthUsers": [ + { + "username": "admin", + "password": "en-to-tre-fire", + "groups": [ "/oceanbox" ], + "roles": [ "admin" ] + }, + { + "username": "sorcerer", + "password": "fire tre to en", + "groups": [ "/oceanbox" ], + "roles": [ "admin" ] + }, + { + "username": "archivist", + "password": "en-to-tre-fire", + "groups": [ "/oceanbox" ], + "roles": [ "admin" ] + } + ], + "redis": "prod-atlantis-redis-master:6379", + "objectStore": 
"https://atlantis.blob.core.windows.net", + "connString": "Username=postgres;Password=secret;Host=localhost;Port=5432;Database=app;Pooling=true;", + "sorcerer" : "https://sorcerer.data.oceanbox.io", + "allowedOrigins": [ + "https://maps.oceanbox.io", + "https://maps.beta.oceanbox.io", + ], + "appName": "atlantis", + "appEnv": "prod", + "appNamespace": "atlantis", + "appVersion": "2.95.1", + "otelCollector": "http://opentelemetry-collector.otel.svc:4317", + "pubsubName": "pubsub", + "pubsubTopic": "hipster-atlantis", + "slurm": { + "baseUrl": "https://hipster-slurmrestd.ekman.oceanbox.io/", + "slurmApi": "slurm/v0.0.39/", + "dbdApi": "slurmdbd/v0.0.39/", + "user": "serf", + "password": "wooqueiLee3ao0ha" + }, + "amqp": { + "auth": "user:hunny-bunny", + "host": "10.255.241.201:30673" + }, + "fenceRadius": 1250.0 +} diff --git a/values/atlantis/prod/barentswatch-api.env b/values/atlantis/prod/barentswatch-api.env new file mode 100644 index 00000000..fc399a85 --- /dev/null +++ b/values/atlantis/prod/barentswatch-api.env @@ -0,0 +1,2 @@ +client-id=simen.kirkvik@tromso.serit.no:simkir-tilt-atlantis +secret=d9tInZ1XpeDAxD.DySv'*SB=P \ No newline at end of file diff --git a/values/atlantis/prod/bindings.yaml b/values/atlantis/prod/bindings.yaml new file mode 100644 index 00000000..8a95c563 --- /dev/null +++ b/values/atlantis/prod/bindings.yaml @@ -0,0 +1,22 @@ +apiVersion: dapr.io/v1alpha1 +kind: Component +metadata: + name: slurm-events +spec: + type: bindings.rabbitmq + version: v1 + metadata: + - name: host + secretKeyRef: + name: prod-atlantis-rabbitmq + key: connString + - name: queueName + value: prod-slurm-job-events + - name: durable + value: true + - name: contentType + value: "application/json" + - name: route + value: /events/slurm +scopes: + - prod-atlantis diff --git a/values/atlantis/prod/configurations.yaml b/values/atlantis/prod/configurations.yaml new file mode 100644 index 00000000..705e1b48 --- /dev/null +++ b/values/atlantis/prod/configurations.yaml 
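Review bot: This hunk commits live credentials in plaintext: `plainAuthUsers[*].password` (three accounts with the `admin` role), `slurm.password`, `amqp.auth` and the `Password=` part of `connString` (the latter looks like a placeholder), while `oidc.clientSecret` and `fga.apiKey` are correctly left empty to be injected from the environment. Anything in this commit should be treated as exposed and rotated, and the values moved into the `prod-atlantis-env` Secret or the Azure Key Vault secret store the deployment already wires in via `envFrom`; the same applies to `barentswatch-api.env` and `default.env` in this and the staging directory, to `staging/appsettings.json`, and to the htpasswd hash in `staging/auth`. The `plainAuthUsers` list is a static login path that bypasses OIDC, so if it exists for local development it should not be in the prod file at all. Separately, `allowedOrigins` ends with a trailing comma (`"https://maps.beta.oceanbox.io", ]`), which a strict JSON parser rejects — drop the comma.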
@@ -0,0 +1,20 @@ +apiVersion: dapr.io/v1alpha1 +kind: Component +metadata: + name: configstore +spec: + type: configuration.redis + version: v1 + metadata: + - name: redisHost + value: prod-atlantis-redis-master:6379 + - name: redisUsername + value: default + - name: redisPassword + secretKeyRef: + name: prod-atlantis-redis + key: redis-password + - name: redisDB + value: "1" +scopes: + - prod-atlantis diff --git a/values/atlantis/prod/default.env b/values/atlantis/prod/default.env new file mode 100644 index 00000000..85c5abe3 --- /dev/null +++ b/values/atlantis/prod/default.env @@ -0,0 +1 @@ +OIDC_CLIENT_SECRET=KOJ6bDHzE5vdyfSrzgwLjtM5PzA809Zm diff --git a/values/atlantis/prod/deployment_patch.yaml b/values/atlantis/prod/deployment_patch.yaml new file mode 100644 index 00000000..dd4c92da --- /dev/null +++ b/values/atlantis/prod/deployment_patch.yaml @@ -0,0 +1,10 @@ +- op: add + path: /spec/template/spec/containers/0/envFrom/- + value: + secretRef: + name: azure-keyvault +- op: add + path: /spec/template/spec/containers/0/envFrom/- + value: + secretRef: + name: prod-atlantis-env \ No newline at end of file diff --git a/values/atlantis/prod/keyvault.yaml b/values/atlantis/prod/keyvault.yaml new file mode 100644 index 00000000..145adf98 --- /dev/null +++ b/values/atlantis/prod/keyvault.yaml @@ -0,0 +1,22 @@ +apiVersion: dapr.io/v1alpha1 +kind: Component +metadata: + name: azure-keyvault +spec: + type: secretstores.azure.keyvault + version: v1 + metadata: + - name: vaultName + value: atlantisvault + - name: azureTenantId + secretKeyRef: + name: azure-keyvault + key: AZURE_TENANT_ID + - name: azureClientId + secretKeyRef: + name: azure-keyvault + key: AZURE_CLIENT_ID + - name: azureClientSecret + secretKeyRef: + name: azure-keyvault + key: AZURE_CLIENT_SECRET diff --git a/values/atlantis/prod/kustomization.yaml b/values/atlantis/prod/kustomization.yaml new file mode 100644 index 00000000..f0e148c2 --- /dev/null +++ b/values/atlantis/prod/kustomization.yaml 
@@ -0,0 +1,24 @@ +generatorOptions: + disableNameSuffixHash: true +configMapGenerator: +- name: prod-atlantis-appsettings + files: + - appsettings.json +patches: + - target: + group: apps + version: v1 + kind: Deployment + path: deployment_patch.yaml +resources: + - ../base + - secrets.yaml + - rbac.yaml + - tracing.yaml + - bindings.yaml + - pubsub.yaml + - statestore.yaml + - subscriptions.yaml + - configurations.yaml + - secretstore.yaml + - keyvault.yaml diff --git a/values/atlantis/prod/pubsub.yaml b/values/atlantis/prod/pubsub.yaml new file mode 100644 index 00000000..b7aeda01 --- /dev/null +++ b/values/atlantis/prod/pubsub.yaml @@ -0,0 +1,52 @@ +apiVersion: dapr.io/v1alpha1 +kind: Component +metadata: + name: pubsub +spec: + version: v1 + type: pubsub.rabbitmq + metadata: + - name: hostname + value: prod-rabbitmq.rabbitmq + - name: username + value: user + - name: password + secretKeyRef: + name: prod-atlantis-rabbitmq + key: rabbitmq-password + - name: protocol + value: amqp + - name: durable + value: true + - name: deletedWhenUnused + value: false + - name: autoAck + value: false + - name: deliveryMode + value: 1 + - name: requeueInFailure + value: false + - name: prefetchCount + value: 0 + - name: reconnectWait + value: 0 + - name: concurrencyMode + value: parallel + - name: publisherConfirm + value: false + - name: backOffPolicy + value: exponential + - name: backOffInitialInterval + value: 100 + - name: backOffMaxRetries + value: 16 + - name: enableDeadLetter # Optional enable dead Letter or not + value: true + - name: maxLen # Optional max message count in a queue + value: 3000 + - name: maxLenBytes # Optional maximum length in bytes of a queue. + value: 10485760 + - name: exchangeKind + value: fanout + - name: clientName + value: "{appID}" diff --git a/values/atlantis/prod/rbac.yaml b/values/atlantis/prod/rbac.yaml new file mode 100644 index 00000000..772c7a95 --- /dev/null +++ b/values/atlantis/prod/rbac.yaml 
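Review bot: `disableNameSuffixHash: true` gives the `prod-atlantis-appsettings` ConfigMap a fixed name, so a changed appsettings.json updates the ConfigMap but running pods are not rolled and keep the old settings until something else restarts the Deployment. If that is intended — rbac.yaml pins the ConfigMap by name and grants `watch`, which suggests the app reloads it itself — record it with `# fixed name: rbac.yaml references it by name and the app watches it for changes`; otherwise drop the option and let kustomize rewrite the reference. staging/kustomization.yaml has the same setting.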
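Review bot: `deliveryMode: 1` in pubsub.yaml marks published messages as transient, so despite `durable: true` on the queue they are lost if the broker restarts; for the job-event traffic this component carries, `deliveryMode: 2` is the value that survives a restart, at the cost of disk writes. `publisherConfirm: false` together with `requeueInFailure: false` also means a failed publish is not detected and a failed handler is not retried — `enableDeadLetter: true` catches the latter but not the former. staging/pubsub.yaml uses the same values.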
@@ -0,0 +1,39 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: prod-atlantis + namespace: prod-atlantis +rules: +- apiGroups: + - "" + resourceNames: + - prod-atlantis-appsettings + resources: + - configmaps + verbs: + - get + - watch +- apiGroups: + - "" + resourceNames: + - azure-keyvault + - prod-atlantis-redis + resources: + - secrets + verbs: + - get + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: prod-atlantis + namespace: prod-atlantis +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: prod-atlantis +subjects: +- kind: ServiceAccount + name: prod-atlantis + namespace: prod-atlantis diff --git a/values/atlantis/prod/redis.yaml b/values/atlantis/prod/redis.yaml new file mode 100644 index 00000000..f9ca65a9 --- /dev/null +++ b/values/atlantis/prod/redis.yaml @@ -0,0 +1,23 @@ +architecture: replication + +replica: + replicaCount: 2 + +auth: + enabled: true + sentinel: true + password: "" + usePasswordFiles: false + existingSecretPasswordKey: "" + existingSecret: prod-atlantis-redis + +master: + resources: + limits: + ephemeral-storage: 1024Mi + memory: 192Mi + requests: + cpu: 150m + ephemeral-storage: 50Mi + memory: 128Mi + diff --git a/values/atlantis/prod/secrets.yaml b/values/atlantis/prod/secrets.yaml new file mode 100644 index 00000000..a956c207 --- /dev/null +++ b/values/atlantis/prod/secrets.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: Secret +metadata: + annotations: + kyverno/clone: "true" + kyverno/env: "prod" + name: prod-atlantis-rabbitmq +type: Opaque +data: diff --git a/values/atlantis/prod/secretstore.yaml b/values/atlantis/prod/secretstore.yaml new file mode 100644 index 00000000..afa9a4cd --- /dev/null +++ b/values/atlantis/prod/secretstore.yaml 
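Review bot: The Role lists `azure-keyvault` and `prod-atlantis-redis` as readable Secrets, but the Dapr components in this directory also reference `prod-atlantis-rabbitmq` (bindings.yaml `connString`, pubsub.yaml `rabbitmq-password`); whether those `secretKeyRef`s are resolved by the Dapr operator or by this ServiceAccount is not visible here, so check which identity reads them before widening `resourceNames`. The Role and RoleBinding live in namespace `prod-atlantis` while appsettings.json sets `appNamespace` to `atlantis` — one of the two is probably stale. staging/rbac.yaml has the same structure.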
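Review bot: In secrets.yaml `data:` is empty and the Secret relies on the `kyverno/clone` annotation to be filled, so the keys the components expect (`connString` in bindings.yaml, `rabbitmq-password` in pubsub.yaml) must exist in whatever kyverno clones from, which cannot be checked here. Unlike staging/secrets.yaml this file declares no `azure-keyvault` or `prod-atlantis-env` Secret even though deployment_patch.yaml and keyvault.yaml reference both in prod; if they are created elsewhere a comment saying so would help, otherwise the prod Deployment fails on the missing `secretRef`. Consider `# populated by the kyverno clone policy; expected keys: connString, rabbitmq-password` above `data:`.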
@@ -0,0 +1,10 @@ +apiVersion: dapr.io/v1alpha1 +kind: Component +metadata: + name: secretstore +spec: + type: secretstores.kubernetes + version: v1 + metadata: + - name: defaultNamespace + value: prod-atlantis \ No newline at end of file diff --git a/values/atlantis/prod/statestore.yaml b/values/atlantis/prod/statestore.yaml new file mode 100644 index 00000000..beb6ee64 --- /dev/null +++ b/values/atlantis/prod/statestore.yaml @@ -0,0 +1,22 @@ +apiVersion: dapr.io/v1alpha1 +kind: Component +metadata: + name: statestore +spec: + type: state.redis + version: v1 + metadata: + - name: redisHost + value: prod-atlantis-redis-master:6379 + - name: redisUsername + value: default + - name: redisPassword + secretKeyRef: + name: prod-atlantis-redis + key: redis-password + - name: actorStateStore + value: "true" + - name: redisDB + value: "0" +scopes: + - prod-atlantis diff --git a/values/atlantis/prod/subscriptions.yaml b/values/atlantis/prod/subscriptions.yaml new file mode 100644 index 00000000..d0d0dcce --- /dev/null +++ b/values/atlantis/prod/subscriptions.yaml @@ -0,0 +1,27 @@ +apiVersion: dapr.io/v2alpha1 +kind: Subscription +metadata: + name: hipster-events +spec: + topic: hipster + routes: + default: /events/hipster + pubsubname: pubsub + metadata: + queueType: quorum +scopes: +- prod-atlantis +--- +apiVersion: dapr.io/v2alpha1 +kind: Subscription +metadata: + name: inbox-events +spec: + topic: inbox + routes: + default: /events/inbox + pubsubname: pubsub + metadata: + queueType: quorum +scopes: +- prod-atlantis diff --git a/values/atlantis/prod/tracing.yaml b/values/atlantis/prod/tracing.yaml new file mode 100644 index 00000000..5d9bffd1 --- /dev/null +++ b/values/atlantis/prod/tracing.yaml @@ -0,0 +1,11 @@ +apiVersion: dapr.io/v1alpha1 +kind: Configuration +metadata: + name: tracing +spec: + tracing: + samplingRate: "1" + otel: + endpointAddress: "opentelemetry-collector.otel.svc.cluster.local:4317" + protocol: grpc + isSecure: false 
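Review bot: This `secretstore` component has no `scopes:` list, unlike statestore.yaml and the other components in this directory, so every Dapr-enabled app in the namespace can read Secrets through it with `defaultNamespace: prod-atlantis`; add `scopes:` / `  - prod-atlantis` as the sibling components do. keyvault.yaml (prod and staging) is likewise unscoped and exposes the Key Vault the same way. The tracing.yaml hunk on this line sets `samplingRate: "1"`, i.e. every request is traced in prod; fine if deliberate, but worth a comment if it is meant to be temporary.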
diff --git a/values/atlantis/staging/appsettings.json b/values/atlantis/staging/appsettings.json
new file mode 100644
index 00000000..529a47b9
--- /dev/null
+++ b/values/atlantis/staging/appsettings.json
@@ -0,0 +1,97 @@ +{ + "oidc": { + "issuer": "https://auth.oceanbox.io/realms/oceanbox", + "authorization_endpoint": "https://auth.oceanbox.io/realms/oceanbox/protocol/openid-connect/auth", + "token_endpoint": "https://auth.oceanbox.io/realms/oceanbox/protocol/openid-connect/token", + "jwks_uri": "https://auth.oceanbox.io/realms/oceanbox/protocol/openid-connect/certs", + "userinfo_endpoint": "https://auth.oceanbox.io/realms/oceanbox/protocol/openid-connect/userinfo", + "end_session_endpoint": "https://auth.oceanbox.io/realms/oceanbox/protocol/openid-connect/logout", + "device_authorization_endpoint": "https://auth.oceanbox.io/realms/oceanbox/protocol/openid-connect/auth/device", + "clientId": "atlantis_dev", + "clientSecret": "", + "scopes": [ + "openid", + "email", + "offline_access", + "profile" + ], + "audiences": [ + "atlantis", + "atlantis_dev", + "sorcerer", + "sorcerer_dev" + ] + }, + "sso": { + "cookieDomain": ".oceanbox.io", + "cookieName": ".obx.staging", + "ttl": 12.0, + "signedOutRedirectUri": "https://atlantis.beta.oceanbox.io", + "realm": "atlantis", + "environment": "staging", + "keyStore": { + "kind": "azure", + "uri": "https://atlantis.blob.core.windows.net", + "key": "dataprotection-keys" + }, + "keyVault": { + "kind": "azure", + "uri": "https://atlantisvault.vault.azure.net", + "key": "dataencryption-keys" + } + }, + "fga": { + "apiUrl": "http://staging-openfga.openfga.svc.cluster.local:8080", + "apiKey": "", + "storeId": "01JKTQKHSGJH4RW04WFVCPWNTE", + "modelId": "01JKTQMXBE7219XRYE3NGYNXSR" + }, + "plainAuthUsers": [ + { + "username": "admin", + "password": "en-to-tre-fire", + "groups": [ "/oceanbox" ], + "roles": [ "admin" ] + }, + { + "username": "sorcerer", + "password": "fire tre to en", + "groups": [ "/oceanbox" ], + "roles": [ "admin" ] + }, + { + "username": "archivist", + "password": "en-to-tre-fire", + "groups": [ "/oceanbox" ], + "roles": [ "admin" ] + } + ], + "redis": "staging-atlantis-redis-master:6379", + "objectStore": 
"https://atlantis.blob.core.windows.net", + "connString": "Username=postgres;Password=secret;Host=localhost;Port=5432;Database=app;Pooling=true;", + "sorcerer" : "https://sorcerer.ekman.oceanbox.io", + "allowedOrigins": [ + "https://atlantis.beta.oceanbox.io", + "https://atlantis.dev.oceanbox.io", + "https://atlantis.local.oceanbox.io:8080" + ], + "appName": "atlantis", + "appEnv": "staging", + "appNamespace": "atlantis", + "appVersion": "0.0.0", + "otelCollector": "http://opentelemetry-collector.otel.svc:4317", + "pubsubName": "pubsub", + "pubsubTopic": "hipster-atlantis", + "slurm": { + "baseUrl": "https://hipster-slurmrestd.ekman.oceanbox.io/", + "slurmApi": "slurm/v0.0.39/", + "dbdApi": "slurmdbd/v0.0.39/", + "user": "serf", + "password": "wooqueiLee3ao0ha" + }, + "amqp": { + "auth": "user:hunny-bunny", + "host": "10.255.241.201:31673" + }, + "fenceRadius": 1250.0 +} diff --git a/values/atlantis/staging/auth b/values/atlantis/staging/auth new file mode 100644 index 00000000..c5302c42 --- /dev/null +++ b/values/atlantis/staging/auth @@ -0,0 +1 @@ +oceanbox:$apr1$4njCUY7A$fmWQSymNJ6abSHvwDpNGU/ diff --git a/values/atlantis/staging/barentswatch-api.env b/values/atlantis/staging/barentswatch-api.env new file mode 100644 index 00000000..fc399a85 --- /dev/null +++ b/values/atlantis/staging/barentswatch-api.env @@ -0,0 +1,2 @@ +client-id=simen.kirkvik@tromso.serit.no:simkir-tilt-atlantis +secret=d9tInZ1XpeDAxD.DySv'*SB=P \ No newline at end of file diff --git a/values/atlantis/staging/bindings.yaml b/values/atlantis/staging/bindings.yaml new file mode 100644 index 00000000..b8528054 --- /dev/null +++ b/values/atlantis/staging/bindings.yaml 
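Review bot: `allowedOrigins` in the staging file includes `https://atlantis.local.oceanbox.io:8080`, a developer-workstation origin, in the allowlist of a shared environment; any process on a developer machine that can bind that name gets a trusted CORS origin against staging. Keep local origins in a local override rather than in the committed staging config. The plaintext credentials in this hunk (`plainAuthUsers`, `slurm.password`, `amqp.auth`) are the same defect as in prod/appsettings.json and should be rotated and moved to the secret store together with it.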
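Review bot: The htpasswd entry in `staging/auth` uses the `$apr1$` (MD5-based) scheme, the weakest algorithm htpasswd still emits; regenerate it with bcrypt (`htpasswd -B`) and, since the hash is now in git history, rotate the underlying password. It is not visible which ingress or proxy consumes this file, and no kustomization in the commit references it, so confirm it is actually used before keeping it.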
@@ -0,0 +1,22 @@ +apiVersion: dapr.io/v1alpha1 +kind: Component +metadata: + name: slurm-events +spec: + type: bindings.rabbitmq + version: v1 + metadata: + - name: host + secretKeyRef: + name: staging-atlantis-rabbitmq + key: connString + - name: queueName + value: staging-slurm-job-events + - name: durable + value: true + - name: contentType + value: "application/json" + - name: route + value: /events/slurm +scopes: + - staging-atlantis diff --git a/values/atlantis/staging/configuration.yaml b/values/atlantis/staging/configuration.yaml new file mode 100644 index 00000000..2c7efc91 --- /dev/null +++ b/values/atlantis/staging/configuration.yaml @@ -0,0 +1,20 @@ +apiVersion: dapr.io/v1alpha1 +kind: Component +metadata: + name: configstore +spec: + type: configuration.redis + version: v1 + metadata: + - name: redisHost + value: staging-atlantis-redis-master:6379 + - name: redisUsername + value: default + - name: redisPassword + secretKeyRef: + name: staging-atlantis-redis + key: redis-password + - name: redisDB + value: "1" +scopes: + - staging-atlantis diff --git a/values/atlantis/staging/configurations.yaml b/values/atlantis/staging/configurations.yaml new file mode 100644 index 00000000..90c68955 --- /dev/null +++ b/values/atlantis/staging/configurations.yaml @@ -0,0 +1,20 @@ +apiVersion: dapr.io/v1alpha1 +kind: Component +metadata: + name: configstore +spec: + type: configuration.redis + version: v1 + metadata: + - name: redisHost + value: staging-atlantis-redis-master:6379 + - name: redisUsername + value: default + - name: redisPassword + secretKeyRef: + name: staging-atlantis-redis + key: redis-password + - name: redisDB + value: "2" +scopes: + - staging-atlantis diff --git a/values/atlantis/staging/default.env b/values/atlantis/staging/default.env new file mode 100644 index 00000000..c73591f5 --- /dev/null +++ b/values/atlantis/staging/default.env @@ -0,0 +1 @@ +OIDC_CLIENT_SECRET=3QjfSPmAemjn34XVA2o1fvoS7I4gKvOR 
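Review bot: staging/configuration.yaml and staging/configurations.yaml both define a Dapr Component named `configstore` on the same Redis, differing only in `redisDB` (`"1"` vs `"2"`); only configurations.yaml is listed in staging/kustomization.yaml, so the other file is dead, and the one that is applied uses DB `2` while prod/configurations.yaml uses `1`. Delete configuration.yaml or reconcile the two so staging and prod use the same database index and a reader does not have to guess which file is live.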
diff --git a/values/atlantis/staging/deployment_patch.yaml b/values/atlantis/staging/deployment_patch.yaml new file mode 100644 index 00000000..1dc573da --- /dev/null +++ b/values/atlantis/staging/deployment_patch.yaml @@ -0,0 +1,10 @@ +- op: add + path: /spec/template/spec/containers/0/envFrom/- + value: + secretRef: + name: azure-keyvault +- op: add + path: /spec/template/spec/containers/0/envFrom/- + value: + secretRef: + name: staging-atlantis-env \ No newline at end of file diff --git a/values/atlantis/staging/keyvault.yaml b/values/atlantis/staging/keyvault.yaml new file mode 100644 index 00000000..a8b2ce2a --- /dev/null +++ b/values/atlantis/staging/keyvault.yaml @@ -0,0 +1,22 @@ +apiVersion: dapr.io/v1alpha1 +kind: Component +metadata: + name: azure-keyvault +spec: + type: secretstores.azure.keyvault + version: v1 + metadata: + - name: vaultName + value: atlantisvault + - name: azureTenantId + secretKeyRef: + name: azure-keyvault + key: AZURE_TENANT_ID + - name: azureClientId + secretKeyRef: + name: azure-keyvault + key: AZURE_CLIENT_ID + - name: azureClientSecret + secretKeyRef: + name: azure-keyvault + key: AZURE_CLIENT_SECRET \ No newline at end of file diff --git a/values/atlantis/staging/kustomization.yaml b/values/atlantis/staging/kustomization.yaml new file mode 100644 index 00000000..081d2a18 --- /dev/null +++ b/values/atlantis/staging/kustomization.yaml @@ -0,0 +1,24 @@ +generatorOptions: + disableNameSuffixHash: true +configMapGenerator: +- name: staging-atlantis-appsettings + files: + - appsettings.json +patches: + - target: + group: apps + version: v1 + kind: Deployment + path: deployment_patch.yaml +resources: + - ../base + - rbac.yaml + - secrets.yaml + - tracing.yaml + - bindings.yaml + - pubsub.yaml + - statestore.yaml + - subscriptions.yaml + - configurations.yaml + - secretstore.yaml + - keyvault.yaml \ No newline at end of file 
diff --git a/values/atlantis/staging/pubsub.yaml b/values/atlantis/staging/pubsub.yaml new file mode 100644 index 00000000..05a40ff1 --- /dev/null +++ b/values/atlantis/staging/pubsub.yaml @@ -0,0 +1,52 @@ +apiVersion: dapr.io/v1alpha1 +kind: Component +metadata: + name: pubsub +spec: + version: v1 + type: pubsub.rabbitmq + metadata: + - name: hostname + value: staging-rabbitmq.rabbitmq + - name: username + value: user + - name: password + secretKeyRef: + name: staging-atlantis-rabbitmq + key: rabbitmq-password + - name: protocol + value: amqp + - name: durable + value: true + - name: deletedWhenUnused + value: false + - name: autoAck + value: false + - name: deliveryMode + value: 1 + - name: requeueInFailure + value: false + - name: prefetchCount + value: 0 + - name: reconnectWait + value: 0 + - name: concurrencyMode + value: parallel + - name: publisherConfirm + value: false + - name: backOffPolicy + value: exponential + - name: backOffInitialInterval + value: 100 + - name: backOffMaxRetries + value: 16 + - name: enableDeadLetter # Optional enable dead Letter or not + value: true + - name: maxLen # Optional max message count in a queue + value: 3000 + - name: maxLenBytes # Optional maximum length in bytes of a queue. + value: 10485760 + - name: exchangeKind + value: fanout + - name: clientName + value: "{appID}" diff --git a/values/atlantis/staging/rbac.yaml b/values/atlantis/staging/rbac.yaml new file mode 100644 index 00000000..665b0a7e --- /dev/null +++ b/values/atlantis/staging/rbac.yaml 
@@ -0,0 +1,40 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: staging-atlantis + namespace: staging-atlantis +rules: +- apiGroups: + - "" + resourceNames: + - staging-atlantis-appsettings + resources: + - configmaps + verbs: + - get + - watch +- apiGroups: + - "" + resourceNames: + - azure-keyvault + - staging-atlantis-redis + resources: + - secrets + verbs: + - get + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: staging-atlantis + namespace: staging-atlantis +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: staging-atlantis +subjects: +- kind: ServiceAccount + name: staging-atlantis + namespace: staging-atlantis + diff --git a/values/atlantis/staging/redis.yaml b/values/atlantis/staging/redis.yaml new file mode 100644 index 00000000..c81761f8 --- /dev/null +++ b/values/atlantis/staging/redis.yaml @@ -0,0 +1,23 @@ +architecture: standalone + +replica: + replicaCount: 1 + +auth: + enabled: true + sentinel: true + password: "" + usePasswordFiles: false + existingSecretPasswordKey: "" + existingSecret: staging-atlantis-redis + +master: + resources: + limits: + ephemeral-storage: 1024Mi + memory: 192Mi + requests: + cpu: 150m + ephemeral-storage: 50Mi + memory: 128Mi + diff --git a/values/atlantis/staging/secrets.yaml b/values/atlantis/staging/secrets.yaml new file mode 100644 index 00000000..1c27062b --- /dev/null +++ b/values/atlantis/staging/secrets.yaml 
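Review bot: The Role limits the service account to `get`/`watch` on just the `azure-keyvault` and `staging-atlantis-redis` Secrets, which is the right least-privilege shape, but the `secretstore` component (secretstores.kubernetes, L23) runs in the sidecar under this same service account, so any secret the application fetches through it other than those two — `staging-atlantis-rabbitmq` or `dapr-api-token`, for instance — will be denied; add names to `resourceNames` only for secrets the app really reads that way. A comment above `resourceNames`, e.g. `# only what the app reads via the kubernetes secretstore; component secretKeyRefs are resolved by Dapr itself (confirm for the Dapr version in use)`, would keep a later maintainer from widening this to an unnamed `secrets` rule. In redis.yaml, `existingSecretPasswordKey: ""` leaves the key to the chart default, which statestore.yaml (L23) assumes to be `redis-password`; pinning `existingSecretPasswordKey: redis-password` makes that coupling explicit.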
@@ -0,0 +1,36 @@ +apiVersion: v1 +kind: Secret +metadata: + name: staging-atlantis-env +type: Opaque +data: +--- +apiVersion: v1 +kind: Secret +metadata: + annotations: + kyverno/clone: "true" + name: azure-keyvault +type: Opaque +data: +--- +apiVersion: v1 +kind: Secret +metadata: + annotations: + kyverno/clone: "true" + name: dapr-api-token +type: Opaque +data: +--- +apiVersion: v1 +kind: Secret +metadata: + annotations: + kyverno/clone: "true" + kyverno/env: "staging" + name: staging-atlantis-rabbitmq +type: Opaque +data: + + diff --git a/values/atlantis/staging/secretstore.yaml b/values/atlantis/staging/secretstore.yaml new file mode 100644 index 00000000..7eedf1a2 --- /dev/null +++ b/values/atlantis/staging/secretstore.yaml @@ -0,0 +1,10 @@ +apiVersion: dapr.io/v1alpha1 +kind: Component +metadata: + name: secretstore +spec: + type: secretstores.kubernetes + version: v1 + metadata: + - name: defaultNamespace + value: staging-atlantis \ No newline at end of file diff --git a/values/atlantis/staging/statestore.yaml b/values/atlantis/staging/statestore.yaml new file mode 100644 index 00000000..1ecaf35b --- /dev/null +++ b/values/atlantis/staging/statestore.yaml @@ -0,0 +1,22 @@ +apiVersion: dapr.io/v1alpha1 +kind: Component +metadata: + name: statestore +spec: + type: state.redis + version: v1 + metadata: + - name: redisHost + value: staging-atlantis-redis-master:6379 + - name: redisUsername + value: default + - name: redisPassword + secretKeyRef: + name: staging-atlantis-redis + key: redis-password + - name: actorStateStore + value: "true" + - name: redisDB + value: "0" +scopes: + - staging-atlantis diff --git a/values/atlantis/staging/subscriptions.yaml b/values/atlantis/staging/subscriptions.yaml new file mode 100644 index 00000000..91b3117a --- /dev/null +++ b/values/atlantis/staging/subscriptions.yaml 
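Review bot: `staging-atlantis-env` is a Secret with an empty `data:` and, unlike the other three objects, no `kyverno/clone` annotation, yet deployment_patch.yaml (L20) loads it with `envFrom`; as committed it injects nothing, and if it is filled in by hand a later apply of this kustomization may revert it depending on the apply mechanism. Either give it the same `kyverno/clone: "true"` annotation or document it above the object, e.g. `# populated out-of-band; do not add data here`. The three cloned Secrets are likewise created empty and only filled once the Kyverno policy fires (the policy is not in this diff), so a Pod referencing `dapr-api-token` through `secretKeyRef` can fail to start until then; a comment naming the policy would help. The statestore connects to `staging-atlantis-redis-master:6379` without `enableTLS`, which is consistent with the rest of the in-cluster traffic here but worth one comment saying so.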
@@ -0,0 +1,27 @@ +apiVersion: dapr.io/v2alpha1 +kind: Subscription +metadata: + name: hipster-events +spec: + topic: hipster + routes: + default: /events/hipster + pubsubname: pubsub + metadata: + queueType: quorum +scopes: +- staging-atlantis +--- +apiVersion: dapr.io/v2alpha1 +kind: Subscription +metadata: + name: inbox-events +spec: + topic: inbox + routes: + default: /events/inbox + pubsubname: pubsub + metadata: + queueType: quorum +scopes: +- staging-atlantis diff --git a/values/atlantis/staging/tracing.yaml b/values/atlantis/staging/tracing.yaml new file mode 100644 index 00000000..5d9bffd1 --- /dev/null +++ b/values/atlantis/staging/tracing.yaml @@ -0,0 +1,11 @@ +apiVersion: dapr.io/v1alpha1 +kind: Configuration +metadata: + name: tracing +spec: + tracing: + samplingRate: "1" + otel: + endpointAddress: "opentelemetry-collector.otel.svc.cluster.local:4317" + protocol: grpc + isSecure: false diff --git a/values/atlantis/values-prod.yaml b/values/atlantis/values-prod.yaml new file mode 100644 index 00000000..52fd3e65 --- /dev/null +++ b/values/atlantis/values-prod.yaml 
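Review bot: `isSecure: false` in tracing.yaml sends every span (`samplingRate: "1"`) to `opentelemetry-collector.otel.svc.cluster.local:4317` over plaintext gRPC; acceptable for an in-cluster collector, but it deserves a comment such as `# plaintext OTLP: collector is in-cluster; set isSecure when the collector gets TLS`, and 100% sampling is worth revisiting once staging traffic grows. The Subscription routes `/events/hipster` and `/events/inbox` are endpoints the sidecar calls back on the application; values-staging.yaml (L26–L27) lists `/events` under the ingress `internal` paths, so keeping them unreachable from the public host depends on how the chart renders `internal`, which this diff does not show.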
@@ -0,0 +1,79 @@ +replicaCount: 2 + +podAnnotations: + dapr.io/app-id: "prod-atlantis" + +env: + - name: APP_NAMESPACE + value: prod-atlantis + - name: APP_VERSION + value: "2.97.4" + - name: LOG_LEVEL + value: "2" + - name: REDIS_USER + value: default + - name: REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: prod-atlantis-redis + key: redis-password + - name: DB_HOST + value: prod-atlantis-db-rw + - name: DB_PORT + value: "5432" + - name: DB_USER + valueFrom: + secretKeyRef: + name: prod-atlantis-db-superuser + key: username + - name: DB_PASSWORD + valueFrom: + secretKeyRef: + name: prod-atlantis-db-superuser + key: password + - name: DAPR_API_TOKEN + valueFrom: + secretKeyRef: + name: dapr-api-token + key: token + +ingress: + enabled: true + annotations: + cert-manager.io/cluster-issuer: letsencrypt-production + nginx.ingress.kubernetes.io/proxy-buffer-size: 128k + hosts: + - host: maps.oceanbox.io + paths: + - path: / + pathType: ImplementationSpecific + internal: + - path: /internal + pathType: ImplementationSpecific + - path: /dapr + pathType: ImplementationSpecific + - path: /actors + pathType: ImplementationSpecific + - path: /job + pathType: ImplementationSpecific + - path: /events + pathType: ImplementationSpecific + - path: /metrics + pathType: ImplementationSpecific + tls: + - hosts: + - maps.oceanbox.io + secretName: prod-atlantis-tls + +cluster: + instances: 2 + bootstrap: + enabled: false + +resources: + limits: + cpu: 250m + memory: 1Gi + requests: + cpu: 250m + memory: 1Gi diff --git a/values/atlantis/values-staging.yaml b/values/atlantis/values-staging.yaml new file mode 100644 index 00000000..f1135680 --- /dev/null +++ b/values/atlantis/values-staging.yaml 
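Review bot: `DB_USER`/`DB_PASSWORD` come from `prod-atlantis-db-superuser`, so the application connects to `prod-atlantis-db-rw` as the PostgreSQL superuser for ordinary traffic; CNPG normally provisions a separate application-owner secret for a cluster, and pointing these two `secretKeyRef`s at that (or at a dedicated role) keeps the superuser for migrations only — values-staging.yaml (L26–L27) has the same shape. The paths under `internal:` (`/internal`, `/dapr`, `/actors`, `/job`, `/events`, `/metrics`) are the Dapr callback and operational surfaces; a comment on `internal:` stating which restriction the chart applies to them (source range, separate ingress class, or auth) would let this list be reviewed without opening the chart. `APP_VERSION: "2.97.4"` is set by hand while the image tag is not, so the two can drift silently.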
@@ -0,0 +1,102 @@ +replicaCount: 1 +image: + tag: 77d6efd6-debug +podAnnotations: + dapr.io/app-id: "staging-atlantis" +env: + - name: APP_NAMESPACE + value: staging-atlantis + - name: APP_VERSION + value: "2.95.1" + - name: LOG_LEVEL + value: "1" + - name: REDIS_USER + value: default + - name: REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: staging-atlantis-redis + key: redis-password + - name: DB_HOST + value: staging-atlantis-db-rw + - name: DB_PORT + value: "5432" + - name: DB_USER + valueFrom: + secretKeyRef: + name: staging-atlantis-db-superuser + key: username + - name: DB_PASSWORD + valueFrom: + secretKeyRef: + name: staging-atlantis-db-superuser + key: password + - name: DAPR_API_TOKEN + valueFrom: + secretKeyRef: + name: dapr-api-token + key: token +ingress: + enabled: true + annotations: + cert-manager.io/cluster-issuer: letsencrypt-production + nginx.ingress.kubernetes.io/proxy-buffer-size: 128k + # nginx.ingress.kubernetes.io/affinity: "cookie" + # nginx.ingress.kubernetes.io/session-cookie-name: "http-affinity" + # nginx.ingress.kubernetes.io/session-cookie-expires: "86400" + # nginx.ingress.kubernetes.io/session-cookie-max-age: "86400" + # atlantis.oceanbox.io/expose: internal + hosts: + - host: atlantis.beta.oceanbox.io + paths: + - path: / + pathType: ImplementationSpecific + internal: + - path: /internal + pathType: ImplementationSpecific + - path: /dapr + pathType: ImplementationSpecific + - path: /actors + pathType: ImplementationSpecific + - path: /job + pathType: ImplementationSpecific + - path: /events + pathType: ImplementationSpecific + - path: /metrics + pathType: ImplementationSpecific + - host: atlas.oceanbox.io + paths: + - path: / + pathType: ImplementationSpecific + internal: + - path: /internal + pathType: ImplementationSpecific + - path: /dapr + pathType: ImplementationSpecific + - path: /actors + pathType: ImplementationSpecific + - path: /job + pathType: ImplementationSpecific + - path: /events + pathType: 
ImplementationSpecific + - path: /metrics + pathType: ImplementationSpecific + tls: + - hosts: + - atlantis.beta.oceanbox.io + - atlas.oceanbox.io + secretName: staging-atlantis-tls +cluster: + instances: 1 + bootstrap: + enabled: true + source: + db: prod-atlantis-db + namespace: prod-atlantis +resources: + limits: + cpu: 250m + memory: 1Gi + requests: + cpu: 250m + memory: 1Gi diff --git a/values/atlantis/values.yaml b/values/atlantis/values.yaml new file mode 100644 index 00000000..d13d6170 --- /dev/null +++ b/values/atlantis/values.yaml @@ -0,0 +1,12 @@ + +podAnnotations: + dapr.io/enabled: "true" + dapr.io/app-port: "8085" + dapr.io/api-token-secret: "dapr-api-token" + dapr.io/config: "tracing" + dapr.io/app-protocol: "http" + dapr.io/log-as-json: "true" + dapr.io/sidecar-cpu-request: "10m" + dapr.io/sidecar-memory-request: "50Mi" + # dapr.io/sidecar-cpu-limit: "100m" + # dapr.io/sidecar-memory-limit: "1000Mi" diff --git a/values/openfga/migration-job.yaml b/values/openfga/migration-job.yaml new file mode 100644 index 00000000..2b565ec7 --- /dev/null +++ b/values/openfga/migration-job.yaml 
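Review bot: `cluster.bootstrap.source.db: prod-atlantis-db` / `namespace: prod-atlantis` initialises the staging database from production, so production rows land in an environment running a debug image (`image.tag: 77d6efd6-debug`); if that is the intent, record it and any anonymisation step in a comment on `bootstrap:`, since the same pattern appears in values/openfga/values-staging.yaml (L31). The `-debug` tag itself looks like a troubleshooting leftover rather than a release tag and should be confirmed before it becomes the staging baseline. In values.yaml the `dapr.io/sidecar-cpu-limit`/`dapr.io/sidecar-memory-limit` annotations are commented out, so daprd runs without limits in both environments; fine if deliberate, but say so in the comment.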
@@ -0,0 +1,41 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: staging-openfga-migrate + labels: + helm.sh/chart: openfga-0.2.12 + app.kubernetes.io/name: openfga + app.kubernetes.io/instance: staging + app.kubernetes.io/version: "v1.5.9" + app.kubernetes.io/managed-by: Helm + annotations: + helm.sh/hook: post-install, post-upgrade, post-rollback, post-delete + helm.sh/hook-delete-policy: before-hook-creation + helm.sh/hook-weight: "-5" +spec: + template: + metadata: + annotations: + helm.sh/hook: post-install, post-upgrade, post-rollback, post-delete + helm.sh/hook-delete-policy: before-hook-creation + helm.sh/hook-weight: "-5" + spec: + serviceAccountName: staging-openfga + containers: + - name: migrate-database + securityContext: + {} + image: "openfga/openfga:v1.5.9" + args: ["migrate"] + env: + - name: OPENFGA_DATASTORE_ENGINE + value: "postgres" + - name: OPENFGA_DATASTORE_URI + valueFrom: + secretKeyRef: + name: "staging-openfga-db-superuser" + key: "uri" + resources: + {} + restartPolicy: Never + backoffLimit: 1 diff --git a/values/openfga/postgres-secret.yaml b/values/openfga/postgres-secret.yaml new file mode 100644 index 00000000..0a0ad2f7 --- /dev/null +++ b/values/openfga/postgres-secret.yaml 
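Review bot: The `helm.sh/hook` list includes `post-delete`, so `openfga migrate` also runs when the release is uninstalled, against the database the uninstall is tearing down; `post-install, post-upgrade, post-rollback` is the usual set unless a delete-time migration is really wanted. `securityContext: {}` on the `migrate-database` container is empty: a one-off job that only needs a database connection can run with `runAsNonRoot: true`, `allowPrivilegeEscalation: false` and `capabilities: {drop: [ALL]}`. The labels (`helm.sh/chart: openfga-0.2.12`, `app.kubernetes.io/managed-by: Helm`) suggest a rendered template checked in by hand; a header comment stating why it lives outside the chart, and that the superuser URI is used only here for migrations, would help.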
@@ -0,0 +1,19 @@ +apiVersion: v1 +stringData: + postgres-password: blT6zzv37KyFvzb1Ct3bhfAwPxhTG2fBO1EiIASQWI4wnEOB8AOWvmVa2sogGexr + uri: postgres://postgres:blT6zzv37KyFvzb1Ct3bhfAwPxhTG2fBO1EiIASQWI4wnEOB8AOWvmVa2sogGexr@prod-openfga-rw.openfga.svc.cluster.local:5432/postgres?sslmode=disable +kind: Secret +metadata: + name: prod-openfga-postgresql + namespace: openfga +type: Opaque +--- +apiVersion: v1 +stringData: + postgres-password: iAnMHs3eEuQM0D4jeAP1dwEoLWUBSwNXwhBuPDOgmfoeZ58iV0zogQ77U3GNUbwa + uri: postgres://postgres:iAnMHs3eEuQM0D4jeAP1dwEoLWUBSwNXwhBuPDOgmfoeZ58iV0zogQ77U3GNUbwa@staging-openfga-rw.openfga.svc.cluster.local:5432/postgres?sslmode=disable +kind: Secret +metadata: + name: staging-openfga-postgresql + namespace: openfga +type: Opaque diff --git a/values/openfga/values-prod.yaml b/values/openfga/values-prod.yaml new file mode 100644 index 00000000..73650055 --- /dev/null +++ b/values/openfga/values-prod.yaml 
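Review bot: Both Secrets in postgres-secret.yaml carry live PostgreSQL superuser passwords in clear text under `stringData`, for prod and staging; once committed they are in the repository history for anyone with read access, so they should be treated as compromised and rotated, and the file replaced by the pattern the rest of this change already uses (`kyverno/clone` placeholders, or the CNPG-generated `*-db-superuser` secrets that values-prod.yaml and values-staging.yaml reference via `uriSecret`). The two `uri` values also end in `sslmode=disable`, whereas values-staging.yaml (L31) uses `sslmode: verify-full` for its replication link; `sslmode=require` is the minimum for a password-bearing DSN. The hosts `prod-openfga-rw` / `staging-openfga-rw` do not match the `prod-openfga-db` / `staging-openfga-db` clusters defined at L30–L31, and neither `prod-openfga-postgresql` nor `staging-openfga-postgresql` is referenced elsewhere in the diff, so the file looks like a leftover that can be deleted outright after rotation.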
@@ -0,0 +1,57 @@ +replicaCount: 2 + +datastore: + engine: postgres + uriSecret: prod-openfga-db-superuser + migrationType: initContainer + +postgresql: + enabled: false + +playground: + enabled: false + +telemetry: + metrics: + enabled: true + serviceMonitor: + enabled: true + enableRPCHistograms: true + trace: + enabled: true + otlp: + endpoint: opentelemetry-collector.otel.svc.cluster.local:4317 + sampleRatio: 0.1 + +ingress: + enabled: true + className: nginx + annotations: + cert-manager.io/cluster-issuer: letsencrypt-production + nginx.ingress.kubernetes.io/ssl-redirect: "true" + nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 + hosts: + - host: openfga.srv.oceanbox.io + paths: + - path: / + pathType: ImplementationSpecific + tls: + - secretName: prod-openfga-tls + hosts: + - openfga.srv.oceanbox.io + +extraObjects: + - apiVersion: postgresql.cnpg.io/v1 + kind: Cluster + metadata: + name: prod-openfga-db + namespace: openfga + spec: + instances: 2 + imageName: ghcr.io/cloudnative-pg/postgresql:17-bookworm + storage: + resizeInUseVolumes: true + size: 10Gi + backup: + retentionPolicy: 60d + target: prefer-standby diff --git a/values/openfga/values-staging.yaml b/values/openfga/values-staging.yaml new file mode 100644 index 00000000..d91044ab --- /dev/null +++ b/values/openfga/values-staging.yaml 
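Review bot: `nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16` only restricts anything when the controller sees the real client address; behind a cloud load balancer without proxy protocol or `externalTrafficPolicy: Local`, the source nginx sees is the LB or node IP, which is itself private, and the list may admit everyone. A comment on the annotation naming how client IPs reach nginx here would settle that; values-staging.yaml (L31) has the same line. `datastore.uriSecret: prod-openfga-db-superuser` makes OpenFGA serve ordinary traffic as the PostgreSQL superuser while only `migrationType: initContainer` needs elevated rights; a dedicated role for the runtime URI is the least-privilege split. `backup.retentionPolicy: 60d` has no `barmanObjectStore` target in this diff, so unless it is merged in elsewhere no backup is actually taken.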
@@ -0,0 +1,78 @@ +replicaCount: 1 + +datastore: + engine: postgres + uriSecret: staging-openfga-db-superuser + migrationType: initContainer + +postgresql: + enabled: false + +playground: + enabled: false + +telemetry: + metrics: + enabled: true + serviceMonitor: + enabled: true + enableRPCHistograms: true + trace: + enabled: true + otlp: + endpoint: opentelemetry-collector.otel.svc.cluster.local:4317 + sampleRatio: 0.1 + +ingress: + enabled: true + className: nginx + annotations: + cert-manager.io/cluster-issuer: letsencrypt-production + nginx.ingress.kubernetes.io/ssl-redirect: "true" + nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 + hosts: + - host: openfga.dev.oceanbox.io + paths: + - path: / + pathType: ImplementationSpecific + tls: + - secretName: staging-openfga-tls + hosts: + - openfga.dev.oceanbox.io + +extraObjects: + - apiVersion: postgresql.cnpg.io/v1 + kind: Cluster + metadata: + name: staging-openfga-db + namespace: openfga + spec: + instances: 1 + imageName: ghcr.io/cloudnative-pg/postgresql:17-bookworm + storage: + resizeInUseVolumes: true + size: 10Gi + backup: + retentionPolicy: 60d + target: prefer-standby + bootstrap: + pg_basebackup: + database: "" + owner: "" + source: openfga + enableSuperuserAccess: true + externalClusters: + - name: openfga + connectionParameters: + host: prod-openfga-db-rw.openfga + sslmode: verify-full + user: streaming_replica + sslCert: + key: tls.crt + name: prod-openfga-db-replication + sslKey: + key: tls.key + name: prod-openfga-db-replication + sslRootCert: + key: ca.crt + name: prod-openfga-db-ca diff --git a/values/rabbitmq/prod/nodeport.yaml b/values/rabbitmq/prod/nodeport.yaml new file mode 100644 index 00000000..7a95a11a --- /dev/null +++ b/values/rabbitmq/prod/nodeport.yaml 
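Review bot: `enableSuperuserAccess: true` is set here and both environments depend on the `*-openfga-db-superuser` secret (`uriSecret`, and the migration job at L28), but values-prod.yaml (L30) does not set it; recent CloudNativePG releases default that flag to false, so confirm `prod-openfga-db-superuser` actually exists or the prod datastore URI will point at a missing secret. The `pg_basebackup` bootstrap from `prod-openfga-db-rw.openfga` copies the production authorization model and tuples into staging (see the note on values/atlantis/values-staging.yaml at L27), and `database: ""` / `owner: ""` presumably skips creating an application role, which is why the superuser URI is needed; a comment above `bootstrap:` explaining that chain would help. `cert-manager.io/cluster-issuer: letsencrypt-production` on a staging host spends production issuance quota, while values/rabbitmq/values-staging.yaml (L33) uses `letsencrypt-staging`.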
@@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Service +metadata: + name: prod-rabbitmq-nodeport + namespace: rabbitmq +spec: + ports: + - name: amqp + nodePort: 30672 + port: 5672 + protocol: TCP + targetPort: 5672 + - name: amqp-http + nodePort: 30673 + port: 15672 + protocol: TCP + targetPort: 15672 + selector: + app.kubernetes.io/instance: prod-rabbitmq + app.kubernetes.io/name: rabbitmq + type: NodePort + diff --git a/values/rabbitmq/staging/nodeport.yaml b/values/rabbitmq/staging/nodeport.yaml new file mode 100644 index 00000000..884d4926 --- /dev/null +++ b/values/rabbitmq/staging/nodeport.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Service +metadata: + name: staging-rabbitmq-nodeport + namespace: rabbitmq +spec: + ports: + - name: amqp + nodePort: 31672 + port: 5672 + protocol: TCP + targetPort: 5672 + - name: amqp-http + nodePort: 31673 + port: 15672 + protocol: TCP + targetPort: 15672 + selector: + app.kubernetes.io/instance: staging-rabbitmq + app.kubernetes.io/name: rabbitmq + type: NodePort + diff --git a/values/rabbitmq/values-prod.yaml b/values/rabbitmq/values-prod.yaml new file mode 100644 index 00000000..e57e74a2 --- /dev/null +++ b/values/rabbitmq/values-prod.yaml @@ -0,0 +1,32 @@ +replicaCount: 3 +auth: + erlangCookie: prod-rabbitmq + existingErlangSecret: prod-rabbitmq + existingPasswordSecret: prod-rabbitmq + password: "" + username: user +clusterDomain: cluster.local +ingress: + annotations: + cert-manager.io/cluster-issuer: letsencrypt-production + nginx.ingress.kubernetes.io/ssl-redirect: "true" + atlantis.oceanbox.io/expose: internal + enabled: true + extraHosts: [] + extraPaths: [] + extraRules: [] + hostname: rabbitmq.srv.oceanbox.io + ingressClassName: "" + path: / + pathType: ImplementationSpecific + secrets: [] + selfSigned: false + tls: true +persistence: + accessModes: + - ReadWriteOnce + enabled: true + existingClaim: "" + size: 8Gi + storageClass: "" + 
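Review bot: Both NodePort Services publish RabbitMQ on every node: AMQP on 30672/31672 and the HTTP management API on 30673/31673 (`port: 15672`), so the broker and its management plane become reachable from anything that can route to the node network, protected only by the `user` password; the management port is rarely needed outside the cluster, and values-prod.yaml already serves it through an ingress marked `atlantis.oceanbox.io/expose: internal` with TLS. Drop the `amqp-http` port from both Services, or add a comment on each naming the external consumer that needs it, and give the Redis NodePorts (L33, L34), which expose 6379 the same way, the same review. In values-prod.yaml, `auth.erlangCookie: prod-rabbitmq` sits next to `existingErlangSecret: prod-rabbitmq`; if the chart honours the secret the literal is dead, and if it does not, the cookie is a guessable string — keep only the `existingErlangSecret` line. values-staging.yaml (L33) has the same pair.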
diff --git a/values/rabbitmq/values-staging.yaml b/values/rabbitmq/values-staging.yaml new file mode 100644 index 00000000..95a10da8 --- /dev/null +++ b/values/rabbitmq/values-staging.yaml @@ -0,0 +1,38 @@ +replicaCount: 1 +auth: + erlangCookie: staging-rabbitmq + existingErlangSecret: staging-rabbitmq + existingPasswordSecret: staging-rabbitmq + password: "" + username: user +clusterDomain: cluster.local +ingress: + annotations: + cert-manager.io/cluster-issuer: letsencrypt-staging + nginx.ingress.kubernetes.io/ssl-redirect: "true" + atlantis.oceanbox.io/expose: internal + enabled: true + ingressClassName: "" + extraHosts: + - name: rabbitmq.dev.oceanbox.io + path: / + extraTls: + - hosts: + - rabbitmq.dev.oceanbox.io + secretName: rabbitmq.dev.oceanbox.io-tls + extraPaths: [] + extraRules: [] + hostname: rabbitmq.beta.oceanbox.io + path: / + pathType: ImplementationSpecific + secrets: [] + selfSigned: false + tls: true +persistence: + accessModes: + - ReadWriteOnce + enabled: true + existingClaim: "" + size: 8Gi + storageClass: "" + diff --git a/values/redis/prod/nodeport.yaml b/values/redis/prod/nodeport.yaml new file mode 100644 index 00000000..e65efac6 --- /dev/null +++ b/values/redis/prod/nodeport.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Service +metadata: + name: prod-redis-nodeport +spec: + externalTrafficPolicy: Cluster + ports: + - name: redis + nodePort: 30379 + port: 6379 + protocol: TCP + targetPort: 6379 + selector: + app.kubernetes.io/instance: prod-redis + app.kubernetes.io/name: redis + sessionAffinity: None + type: NodePort diff --git a/values/redis/staging/nodeport.yaml b/values/redis/staging/nodeport.yaml new file mode 100644 index 00000000..1708ca08 --- /dev/null +++ b/values/redis/staging/nodeport.yaml 
@@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Service +metadata: + name: stagin-redis-nodeport +spec: + externalTrafficPolicy: Cluster + ports: + - name: redis + nodePort: 31379 + port: 6379 + protocol: TCP + targetPort: 6379 + selector: + app.kubernetes.io/instance: staging-redis + app.kubernetes.io/name: redis + sessionAffinity: None + type: NodePort diff --git a/values/redis/values-prod.yaml b/values/redis/values-prod.yaml new file mode 100644 index 00000000..bfb9a53d --- /dev/null +++ b/values/redis/values-prod.yaml @@ -0,0 +1,37 @@ +# image: +# repository: redis/redis-stack-server +# tag: 7.2.0-v10 + +architecture: replication + +replica: + replicaCount: 2 + # command: + # - "/opt/redis-stack/bin/redis-server" + # - "--loadmodule" + # - "/opt/redis-stack/lib/redisearch.so" + # - "MAXSEARCHRESULTS" + # - "10000" + # - "MAXAGGREGATERESULTS" + # - "10000" + # - "--loadmodule" + # - "/opt/redis-stack/lib/rejson.so" + +auth: + enabled: true + sentinel: true + password: "" + usePasswordFiles: false + existingSecretPasswordKey: "" + # existingSecret: staging-redis + +master: + resources: + limits: + ephemeral-storage: 1024Mi + memory: 192Mi + requests: + cpu: 150m + ephemeral-storage: 50Mi + memory: 128Mi + diff --git a/values/redis/values-staging.yaml b/values/redis/values-staging.yaml new file mode 100644 index 00000000..9041beab --- /dev/null +++ b/values/redis/values-staging.yaml 
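Review bot: `name: stagin-redis-nodeport` is misspelled (`staging-redis-nodeport`); harmless on its own, but it makes the Service hard to find next to `prod-redis-nodeport`. In values-prod.yaml `# existingSecret: staging-redis` is commented out and `password: ""`, so with `auth.enabled: true` the chart is left to generate its own password; nothing else in this diff references where that password ends up, and the commented line names the staging secret inside the prod file, so it looks like a copy that should become `existingSecret: prod-redis` or be removed. values-staging.yaml (L35) carries the identical commented line. The commented `image:`/`command:` blocks for redis-stack modules are dead config in both files and would be clearer as a single comment stating they were dropped on purpose.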
@@ -0,0 +1,37 @@ +# image: +# repository: redis/redis-stack-server +# tag: 7.2.0-v10 + +architecture: standalone + +replica: + replicaCount: 1 + # command: + # - "/opt/redis-stack/bin/redis-server" + # - "--loadmodule" + # - "/opt/redis-stack/lib/redisearch.so" + # - "MAXSEARCHRESULTS" + # - "10000" + # - "MAXAGGREGATERESULTS" + # - "10000" + # - "--loadmodule" + # - "/opt/redis-stack/lib/rejson.so" + +auth: + enabled: true + sentinel: true + password: "" + usePasswordFiles: false + existingSecretPasswordKey: "" + # existingSecret: staging-redis + +master: + resources: + limits: + ephemeral-storage: 1024Mi + memory: 192Mi + requests: + cpu: 150m + ephemeral-storage: 50Mi + memory: 128Mi + -- 2.52.0