diff --git a/.gitsecret/paths/mapping.cfg b/.gitsecret/paths/mapping.cfg
index 7684edd..c2046a6 100644
--- a/.gitsecret/paths/mapping.cfg
+++ b/.gitsecret/paths/mapping.cfg
@@ -1,4 +1,4 @@
-bootstrap/.tfvars:c59bda3fb513eba7e5e6120e02e87b80029f25cc98c93221eb2d99543020082b
+bootstrap/.tfvars:83081bb1ce10cc4de7a203841c123e60708e327f17802e4a8fd187613d4882f4
 bootstrap/.env:3793cde571fad0241a4f0db335639628e23b819f9d25faf375f56d9ccaa833b4
 bootstrap/network/.tfvars:d73c94a2a910dd569d65520c92b5cc326b02b3109fbe6db2b0276fe258856037
 bootstrap/nodes/.tfvars:d73c94a2a910dd569d65520c92b5cc326b02b3109fbe6db2b0276fe258856037
@@ -6,15 +6,17 @@ bootstrap/talos/.tfvars:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b
 bootstrap/kubernetes-base/.tfvars:a977002750bf7f9c9c54170318d0339b9613bd5c6319771d10d4fa151d59f360
 bootstrap/bastion/.tfvars:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
 bootstrap/kubernetes-full/.tfvars:bf3d0052abdb32d1bf817bcebbc42f16aba73be4a492b27d074f8f4a0034a6ea
-bootstrap/zitadel/.tfvars:7e5659619a1f5291374f810e341e2e431726b2d45e25342544cef59aaec9977f
 bootstrap/storage/.tfvars:9be541e805ac5327d4388aebc55b66ddf0d252826b64c91061ccfc8818b806ab
 bootstrap/mail/.tfvars:78f36831ee591ccaa2ee5e36384e10c55af37b7b7d45e45de5780d783daf6c8e
 bootstrap/forgejo/.tfvars:5a3644e635316695848ff645db21b142c46f5814a69f2fd88b22a85a06b7d43d
 bootstrap/cni/.tfvars:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
 bootstrap/databases/.tfvars:d7427cfaefe5e1533c7f5d359ce59a9388acbcc3a43eee8f57369d57d53664a6
-bootstrap/monitoring/.tfvars:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
+bootstrap/monitoring/.tfvars:1fba86f67d89bf0be7a91b1340ba667fbb2a91ece56ea039ad399dc3e71a01b8
 gitops/templates/forgejo-runner/secrets/forgejo-runner-token.yaml:33ebd61a116468ade762bd6f40ccf39203df8b6b79ff99a3a5c6038ce1e2e846
-gitops/templates/feedback-fusion/secrets/feedback-fusion-config.yaml:40d5622a64e25442669d3557132cd10311af08d7cfbe41eb91388499e57a92fd
-gitops/templates/feedback-fusion/secrets/feedback-fusion-dashboard-config.yaml:aded3b3c42e18a6059d14dbb57004cd4d45bc94231646d243c1f765a63b2b955
+gitops/templates/feedback-fusion/secrets/feedback-fusion-config.yaml:d8ae48d8e6d9e48e58544540a9de4aca1596479247008952b5cae629ebb820e7
+gitops/templates/feedback-fusion/secrets/feedback-fusion-dashboard-config.yaml:5b916b41311fae423da3aa2b70ab0a803388c95a441f306e42464c54ca9037e4
 gitops/templates/event/secrets/surrealdb-credentials.yaml:bb264af1a0b593d4d0a1e8a1b1501e5c0e5cbf9bffb5442de82aeb0ce55c0227
 gitops/templates/dawarich/secrets/config.yaml:5e732977afa1674c91997ef43596053e9b67a101548d1a8c634bfbecd1d289bb
+bootstrap/csi/.tfvars:e7507fc2b6a8b10f81389918e7d6f8fa65262273d5b06a8410c85a0f963ba4f6
+bootstrap/entra/.tfvars:8936d30a5b7021c5e33b1d20279006928f36c2215163fc64e2ba90f80e891e43
+bootstrap/gateway/.tfvars:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
diff --git a/bootstrap/.env.secret b/bootstrap/.env.secret
index 258afab..ee94e5d 100644
Binary files a/bootstrap/.env.secret and b/bootstrap/.env.secret differ
diff --git a/bootstrap/.tfvars.secret b/bootstrap/.tfvars.secret
index 35001c1..0a9fdc5 100644
Binary files a/bootstrap/.tfvars.secret and b/bootstrap/.tfvars.secret differ
diff --git a/bootstrap/bastion/.tfvars.secret b/bootstrap/bastion/.tfvars.secret
index f6dbcda..9890c95 100644
Binary files a/bootstrap/bastion/.tfvars.secret and b/bootstrap/bastion/.tfvars.secret differ
diff --git a/bootstrap/cni/.tfvars.secret b/bootstrap/cni/.tfvars.secret
index 2461ec9..ba040e8 100644
Binary files a/bootstrap/cni/.tfvars.secret and b/bootstrap/cni/.tfvars.secret differ
diff --git a/bootstrap/cni/ingress.tf b/bootstrap/cni/ingress.tf
deleted file mode 100644
index e0c8f95..0000000
--- a/bootstrap/cni/ingress.tf
+++ /dev/null
@@ -1,21 +0,0 @@
-resource "kubectl_manifest" "ingress_certificate" {
- depends_on = [kubectl_manifest.letsencrypt]
-
- yaml_body = yamlencode({
- apiVersion = "cert-manager.io/v1"
- kind = "Certificate"
- metadata = {
- name = "cilium-ingress-tls"
- namespace = kubernetes_namespace.cilium.metadata[0].name
- }
- spec = {
- secretName = "cilium-ingress-tls"
- issuerRef = {
- name = "letsencrypt"
- kind = "ClusterIssuer"
- }
- commonName = "*.${var.cluster_domain}"
- dnsNames = ["*.${var.cluster_domain}"]
- }
- })
-}
diff --git a/bootstrap/cni/main.tf b/bootstrap/cni/main.tf
index 86c0798..64a373a 100644
--- a/bootstrap/cni/main.tf
+++ b/bootstrap/cni/main.tf
@@ -21,9 +21,14 @@ resource "helm_release" "cilium" { values = [yamlencode({ ipam = { mode = "kubernetes" + + operator = { + clusterPoolIPv4PodCIDRList = [var.pod_subnet_block] + } } - kubeProxyReplacement = true + kubeProxyReplacement = true + kubeProxyReplacementHealthzBindAddr = "0.0.0.0:10256" securityContext = { capabilities = { @@ -51,8 +56,6 @@ resource "helm_release" "cilium" { enabled = true } - kubeProxyReplacementHealthzBindAddr = "0.0.0.0:10256" - encryption = { enabled = true nodeEncryption = true @@ -95,15 +98,6 @@ resource "helm_release" "cilium" { ui = { enabled = true - - ingress = { - className = "internal" - enabled = true - hosts = ["hubble.internal.${var.cluster_domain}"] - annotations = { - "external-dns.alpha.kubernetes.io/cloudflare-proxied" = "false" - } - } } metrics = { 
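Review bot: `ipam.operator.clusterPoolIPv4PodCIDRList` is added while `ipam.mode` stays `"kubernetes"`; as far as I know Cilium reads that list only in cluster-pool mode, so here pod CIDRs would still come from the node spec and the new value likely has no effect. Either switch the mode deliberately or drop the key, and add a comment that names the authoritative source, e.g. `# pod CIDRs come from node.spec.podCIDR; var.pod_subnet_block must match the cluster's pod subnet`. The `helm_release.cilium` block starts and ends outside this hunk.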
@@ -121,118 +115,55 @@ resource "helm_release" "cilium" { } } } - - gatewayAPI = { - enabled = true - enableAlpn = true - hostNetwork = { - enabled = true - } - } })] } -resource "kubectl_manifest" "cilium_gateway" { - yaml_body = yamlencode({ - apiVersion = "gateway.networking.k8s.io/v1" - kind = "Gateway" - metadata = { - name = "cilium" - annotations = { - "cert-manager.io/cluster-issuer" = "letsencrypt" - "external-dns.alpha.kubernetes.io/target" = local.loadbalancer_ip - } - } - spec = { - gatewayClassName = "cilium" - listeners = [ - { - name = "http" - protocol = "HTTP" - port = var.services.http.node_port - }, - { - name = "https" - protocol = "HTTPS" - port = var.services.https.node_port - hostname = "*.${var.cluster_domain}" - - allowedRoutes = { - namespaces = { - from = "All" - } - } - - tls = { - certificateRefs = [ - { - name = "gateway-cluster-tls" - kind = "Secret" - group = "" - } - ] - } - }, - { - name = "https-public" - protocol = "HTTPS" - port = var.services.https.node_port - hostname = "*.${var.public_domain}" - - allowedRoutes = { - namespaces = { - from = "All" - } - } - - tls = { - certificateRefs = [ - { - name = "gateway-public-tls" - kind = "Secret" - group = "" - } - ] - } - } - ] - } - }) -} - -resource "kubectl_manifest" "gateway_https_redirect" { - depends_on = [kubectl_manifest.cilium_gateway] +resource "kubectl_manifest" "hubble_route" { + depends_on = [helm_release.cilium] yaml_body = yamlencode({ apiVersion = "gateway.networking.k8s.io/v1" kind = "HTTPRoute" metadata = { - name = "https-redirect" + name = "hubble" + namespace = kubernetes_namespace.cilium.metadata[0].name } spec = { parentRefs = [ { - name = "cilium" - sectionName = "http" + name = "private" + sectionName = "https" + namespace = "default" } ] - hostnames = [ - "*.${var.cluster_domain}", - "*.${var.public_domain}" - ] + hostnames = ["hubble.internal.${var.cluster_domain}"] rules = [ { - filters = [ + matches = [ { - type = "RequestRedirect" - requestRedirect = { 
- scheme = "https" - statusCode = 301 + path = { + type = "PathPrefix" + value = "/" } } ] + backendRefs = [ + { + name = "hubble-ui" + port = 80 + } + ] } ] } }) } + +module "hubble-oidc" { + source = "${var.module_path}/envoy-oidc-security-policy" + + cluster_name = var.cluster_name + route = "hubble" + hostname = "hubble.internal.${var.cluster_domain}" + namespace = kubernetes_namespace.cilium.metadata[0].name +} diff --git a/bootstrap/cni/nlb.tf b/bootstrap/cni/nlb.tf index dbd4395..4f89e73 100644 --- a/bootstrap/cni/nlb.tf +++ b/bootstrap/cni/nlb.tf @@ -1,5 +1,6 @@ + locals { - loadbalancer_ip = [for ip in oci_network_load_balancer_network_load_balancer.this.ip_addresses : ip.ip_address if ip.is_public][0] + public_loadbalancer_ip = [for ip in oci_network_load_balancer_network_load_balancer.this.ip_addresses : ip.ip_address if ip.is_public][0] } resource "oci_network_load_balancer_network_load_balancer" "this" { @@ -13,7 +14,7 @@ resource "oci_network_load_balancer_network_load_balancer" "this" { resource "oci_network_load_balancer_backend_set" "services" { - for_each = var.services + for_each = var.public_services name = "${replace(each.key, "_", "-")}-bs" # Eindeutiger Name pro Service, z.B. "http-bs" network_load_balancer_id = oci_network_load_balancer_network_load_balancer.this.id @@ -30,7 +31,7 @@ resource "oci_network_load_balancer_backend_set" "services" { # Erstellt für jeden Service einen eigenen Listener resource "oci_network_load_balancer_listener" "services" { - for_each = var.services + for_each = var.public_services network_load_balancer_id = oci_network_load_balancer_network_load_balancer.this.id name = replace(each.key, "_", "-") 
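Review bot: Authentication for the Hubble UI now rests entirely on `module "hubble-oidc"`, whose source is not part of this diff, and nothing orders it against `kubectl_manifest.hubble_route`, because the module receives the route only as the string `"hubble"`. If the module apply fails or lands later, the route on the `private` gateway presumably serves `hubble-ui` without a login. The same pattern appears in bootstrap/csi/longhorn.tf with `longhorn_route` and `module "longhorn-oidc"`. If the module only creates a policy that targets the route by name, `depends_on = [helm_release.cilium, module.hubble-oidc]` on the route would make the policy exist first. Also note that the `private` Gateway and the Envoy Gateway chart are created in bootstrap/gateway, whose terragrunt.hcl depends on `../cni`, so on a fresh cluster this route and policy are applied before their gateway exists.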
@@ -43,8 +44,8 @@ resource "oci_network_load_balancer_listener" "services" { resource "oci_network_load_balancer_backend" "nodes" { for_each = { - for pair in setproduct(keys(var.services), var.worker) : "${pair[0]}-${pair[1].id}" => { - service = var.services[pair[0]] + for pair in setproduct(keys(var.public_services), var.worker) : "${pair[0]}-${pair[1].id}" => { + service = var.public_services[pair[0]] service_key = pair[0] worker = pair[1] } diff --git a/bootstrap/cni/outputs.tf b/bootstrap/cni/outputs.tf index c8ca78f..9bad55d 100644 --- a/bootstrap/cni/outputs.tf +++ b/bootstrap/cni/outputs.tf @@ -1,30 +1,4 @@ -output "loadbalancer_ip" { +output "public_loadbalancer_ip" { sensitive = true - value = local.loadbalancer_ip + value = local.public_loadbalancer_ip } - -output "ca_volume" { - value = { - name = "certificates" - configMap = { - name = "cluster-authority" - optional = false - items = [ - { - key = "root-certs.pem" - path = "root-certs.pem" - } - ] - } - } -} - -output "ca_volume_mount" { - value = { - name = "certificates" - readOnly = true - mountPath = "/etc/ssl/certs/root-certs.pem" - subPath = "root-certs.pem" - } -} - diff --git a/bootstrap/cni/security.tf b/bootstrap/cni/security.tf index ab98686..08dd787 100644 --- a/bootstrap/cni/security.tf +++ b/bootstrap/cni/security.tf @@ -5,7 +5,7 @@ resource "oci_core_network_security_group" "nlb" { } resource "oci_core_network_security_group_security_rule" "service_ingress" { - for_each = var.services + for_each = var.public_services network_security_group_id = oci_core_network_security_group.nlb.id direction = "INGRESS" diff --git a/bootstrap/cni/terragrunt.hcl b/bootstrap/cni/terragrunt.hcl index 280b696..8cb7a71 100644 --- a/bootstrap/cni/terragrunt.hcl +++ b/bootstrap/cni/terragrunt.hcl 
@@ -10,6 +10,10 @@ include "kubernetes" { path = find_in_parent_folders("kubernetes.hcl") } +include "entra" { + path = find_in_parent_folders("entra.hcl") +} + dependency "talos" { config_path = "${get_terragrunt_dir()}/../talos" } @@ -26,6 +30,7 @@ inputs = { kubeconfig = dependency.talos.outputs.kubeconfig public_subnet = dependency.network.outputs.public_subnet + private_subnet = dependency.network.outputs.subnet vcn_id = dependency.network.outputs.vcn_id worker = dependency.nodes.outputs.worker diff --git a/bootstrap/cni/variables.tf b/bootstrap/cni/variables.tf index f729d56..f70997e 100644 --- a/bootstrap/cni/variables.tf +++ b/bootstrap/cni/variables.tf @@ -2,18 +2,12 @@ variable "public_subnet" { type = string } -variable "cluster_domain" { +variable "private_subnet" { type = string } -variable "cloudflare_api_token" { - type = string - sensitive = true -} - -variable "acme_email" { - type = string - sensitive = true +variable "cluster_domain" { + type = string } variable "worker" { @@ -56,3 +50,7 @@ variable "remote_wireguard_cidr" { variable "public_domain" { type = string } + +variable "pod_subnet_block" { + type = string +} diff --git a/bootstrap/csi/.tfvars.secret b/bootstrap/csi/.tfvars.secret new file mode 100644 index 0000000..3771b27 Binary files /dev/null and b/bootstrap/csi/.tfvars.secret differ diff --git a/bootstrap/csi/longhorn.tf b/bootstrap/csi/longhorn.tf new file mode 100644 index 0000000..7bf6f25 --- /dev/null +++ b/bootstrap/csi/longhorn.tf 
@@ -0,0 +1,76 @@
+resource "kubernetes_namespace" "longhorn" {
+ metadata {
+ name = "sys-longhorn"
+
+ labels = {
+ "pod-security.kubernetes.io/enforce" = "privileged"
+ }
+ }
+}
+
+resource "helm_release" "longhorn" {
+ depends_on = [kubernetes_namespace.longhorn]
+
+ repository = "https://charts.longhorn.io"
+ chart = "longhorn"
+ version = "1.9.1"
+
+ namespace = "sys-longhorn"
+ name = "longhorn"
+
+ values = [yamlencode({
+ longhornUI = {
+ replicas = 1
+ }
+ })]
+}
+
+resource "kubectl_manifest" "longhorn_route" {
+ depends_on = [helm_release.longhorn]
+
+ yaml_body = yamlencode({
+ apiVersion = "gateway.networking.k8s.io/v1"
+ kind = "HTTPRoute"
+ metadata = {
+ name = "longhorn"
+ namespace = kubernetes_namespace.longhorn.metadata[0].name
+ }
+ spec = {
+ parentRefs = [
+ {
+ name = "private"
+ sectionName = "https"
+ namespace = "default"
+ }
+ ]
+ hostnames = ["longhorn.internal.${var.cluster_domain}"]
+ rules = [
+ {
+ matches = [
+ {
+ path = {
+ type = "PathPrefix"
+ value = "/"
+ }
+ }
+ ]
+ backendRefs = [
+ {
+ name = "longhorn-frontend"
+ port = 80
+ }
+ ]
+ }
+ ]
+ }
+ })
+}
+
+module "longhorn-oidc" {
+ source = "${var.module_path}/envoy-oidc-security-policy"
+
+ cluster_name = var.cluster_name
+ route = "longhorn"
+ hostname = "longhorn.internal.${var.cluster_domain}"
+ namespace = kubernetes_namespace.longhorn.metadata[0].name
+}
diff --git a/bootstrap/csi/provider.tf b/bootstrap/csi/provider.tf
new file mode 100644
index 0000000..6a47e04
--- /dev/null
+++ b/bootstrap/csi/provider.tf
@@ -0,0 +1,18 @@
+terraform {
+ required_providers {
+ kubernetes = {
+ source = "hashicorp/kubernetes"
+ version = "2.38.0"
+ }
+
+ helm = {
+ source = "hashicorp/helm"
+ version = "2.17.0"
+ }
+
+ kubectl = {
+ source = "alekc/kubectl"
+ version = "2.1.3"
+ }
+ }
+}
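Review bot: The Helm values in bootstrap/csi/longhorn.tf no longer set `defaultBackupStore`, and the backup credentials secret and the `longhorn-snapshot` RecurringJob from the deleted bootstrap/kubernetes-base/longhorn.tf have no counterpart in this file, while bootstrap/csi/variables.tf still declares `bucket_access_key_id`, `bucket_secret_access_key`, `bucket_name` and `bucket_endpoint`. Unless another file in bootstrap/csi that this diff does not show defines them, volumes lose off-cluster backups and scheduled snapshots, and two sensitive inputs are handed to the unit for nothing. Either carry the secret, `defaultBackupStore` and the RecurringJob over, or delete the four unused variables. The label `"pod-security.kubernetes.io/enforce" = "privileged"` also deserves a one-line comment stating that Longhorn's node components require it.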
diff --git a/bootstrap/zitadel/terragrunt.hcl b/bootstrap/csi/terragrunt.hcl similarity index 68% rename from bootstrap/zitadel/terragrunt.hcl rename to bootstrap/csi/terragrunt.hcl index 770abca..2f62238 100644 --- a/bootstrap/zitadel/terragrunt.hcl +++ b/bootstrap/csi/terragrunt.hcl @@ -6,20 +6,23 @@ include "kubernetes" { path = find_in_parent_folders("kubernetes.hcl") } -dependency "talos" { - config_path = "${get_terragrunt_dir()}/../talos" +include "entra" { + path = find_in_parent_folders("entra.hcl") +} + +dependencies { + paths = ["${get_terragrunt_dir()}/../cni"] } dependency "nodes" { config_path = "${get_terragrunt_dir()}/../nodes" } -dependencies { - paths = ["${get_terragrunt_dir()}/../kubernetes-base"] +dependency "talos" { + config_path = "${get_terragrunt_dir()}/../talos" } inputs = { kubeconfig = dependency.talos.outputs.kubeconfig - - controlplane = dependency.nodes.outputs.controlplane + controlplane = dependency.nodes.outputs.controlplane } diff --git a/bootstrap/csi/variables.tf b/bootstrap/csi/variables.tf new file mode 100644 index 0000000..871d5f8 --- /dev/null +++ b/bootstrap/csi/variables.tf @@ -0,0 +1,25 @@ +variable "cluster_domain" { + type = string +} + +variable "cluster_name" { + type = string +} + +variable "bucket_access_key_id" { + type = string + sensitive = true +} + +variable "bucket_secret_access_key" { + type = string + sensitive = true +} + +variable "bucket_name" { + type = string +} + +variable "bucket_endpoint" { + type = string +} diff --git a/bootstrap/databases/.tfvars.secret b/bootstrap/databases/.tfvars.secret index 067878f..1baf209 100644 Binary files a/bootstrap/databases/.tfvars.secret and b/bootstrap/databases/.tfvars.secret differ diff --git a/bootstrap/databases/postgres.tf b/bootstrap/databases/postgres.tf index 14e3fa5..27126ca 100644 --- a/bootstrap/databases/postgres.tf +++ b/bootstrap/databases/postgres.tf 
@@ -218,6 +218,10 @@ resource "kubectl_manifest" "postgres_cluster" { managed = { roles = local.postgres_users } + + monitoring = { + enablePodMonitor = true + } } }) } diff --git a/bootstrap/databases/terragrunt.hcl b/bootstrap/databases/terragrunt.hcl index 8dd1e6c..054e937 100644 --- a/bootstrap/databases/terragrunt.hcl +++ b/bootstrap/databases/terragrunt.hcl @@ -27,7 +27,5 @@ inputs = { bucket_endpoint = dependency.storage.outputs.bucket_endpoint buckets = dependency.storage.outputs.buckets - loadbalancer_ip = dependency.cni.outputs.loadbalancer_ip - controlplane = dependency.nodes.outputs.controlplane } diff --git a/bootstrap/entra.hcl b/bootstrap/entra.hcl new file mode 100644 index 0000000..07b2295 --- /dev/null +++ b/bootstrap/entra.hcl @@ -0,0 +1,26 @@ +generate "entra" { +path = "entra.tf" +if_exists = "overwrite_terragrunt" +contents = < pair + } + + principal_object_id = azuread_group.this[each.value.group].object_id + resource_object_id = azuread_service_principal.additional[each.value.app_name].object_id + + app_role_id = lookup( + { + for r in azuread_application.additional[each.value.app_name].app_role : + r.value => r.id + }, + each.value.role, + null + ) +} + diff --git a/bootstrap/entra/main.tf b/bootstrap/entra/main.tf new file mode 100644 index 0000000..50e0086 --- /dev/null +++ b/bootstrap/entra/main.tf @@ -0,0 +1 @@ +data "azuread_client_config" "this" {} diff --git a/bootstrap/entra/outputs.tf b/bootstrap/entra/outputs.tf new file mode 100644 index 0000000..1ae7614 --- /dev/null +++ b/bootstrap/entra/outputs.tf 
@@ -0,0 +1,19 @@
+output "application_credentials" {
+ value = {
+ for app_name in keys(azuread_application.additional) :
+ app_name => {
+ client_id = azuread_application.additional[app_name].client_id
+ client_secret = azuread_application_password.additional[app_name].value
+ }
+ }
+ sensitive = true
+}
+
+output "oidc_url" {
+ value = "https://login.microsoftonline.com/${var.azure_tenant_id}/v2.0"
+ sensitive = true
+}
+
+output "groups" {
+ value = { for group in azuread_group.this: group.display_name => group.object_id }
+}
diff --git a/bootstrap/entra/provider.tf b/bootstrap/entra/provider.tf
new file mode 100644
index 0000000..df2a694
--- /dev/null
+++ b/bootstrap/entra/provider.tf
@@ -0,0 +1,8 @@
+terraform {
+ required_providers {
+ azuread = {
+ source = "hashicorp/azuread"
+ version = "~> 3.1.0"
+ }
+ }
+}
diff --git a/bootstrap/entra/terragrunt.hcl b/bootstrap/entra/terragrunt.hcl
new file mode 100644
index 0000000..5ecb407
--- /dev/null
+++ b/bootstrap/entra/terragrunt.hcl
@@ -0,0 +1,7 @@
+include "root" {
+ path = find_in_parent_folders("root.hcl")
+}
+
+include "entra" {
+ path = find_in_parent_folders("entra.hcl")
+}
diff --git a/bootstrap/entra/variables.tf b/bootstrap/entra/variables.tf
new file mode 100644
index 0000000..e2318d4
--- /dev/null
+++ b/bootstrap/entra/variables.tf
@@ -0,0 +1,26 @@
+variable "cluster_name" {
+ type = string
+}
+
+variable "cluster_domain" {
+ type = string
+}
+
+variable "public_domain" {
+ type = string
+}
+
+variable "additional_applications" {
+ type = map(object({
+ redirect_uris = list(string)
+ logout_uris = optional(list(string), [])
+ required_roles = list(string),
+ app_role_assignment_req = optional(bool, false)
+ sign_in_audience = optional(string, "AzureADMyOrg")
+ }))
+}
+
+
+variable "additional_groups" {
+ type = list(string)
+}
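Review bot: `application_credentials` in bootstrap/entra/outputs.tf exports the `client_secret` of every application in one map, and `sensitive = true` only redacts CLI output: the values are still written in clear text to this unit's state, and any Terragrunt unit that declares a dependency on it can read all of them. Confirm the state backend is encrypted and access-restricted, and consider one output per consumer so that a unit receives only its own credential. A comment on the output such as `# holds OIDC client secrets; stored unencrypted in state` would make this visible to the next reader. `var.azure_tenant_id` is not declared in bootstrap/entra/variables.tf, so it presumably comes from the generated entra.tf.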
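Review bot: `version = "~> 3.1.0"` in bootstrap/entra/provider.tf is the only floating provider constraint among the provider files added here; the kubernetes, helm and kubectl providers in bootstrap/csi/provider.tf and bootstrap/gateway/provider.tf are pinned to exact versions. For the provider that creates app registrations and client secrets, pin it the same way, e.g. `version = "3.1.0"`, and commit the dependency lock file if it is not already tracked, so provider checksums are verified on every init.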
diff --git a/bootstrap/forgejo/.tfvars.secret b/bootstrap/forgejo/.tfvars.secret index 3967371..14920e7 100644 Binary files a/bootstrap/forgejo/.tfvars.secret and b/bootstrap/forgejo/.tfvars.secret differ diff --git a/bootstrap/gateway/.tfvars.secret b/bootstrap/gateway/.tfvars.secret new file mode 100644 index 0000000..e373ff5 Binary files /dev/null and b/bootstrap/gateway/.tfvars.secret differ diff --git a/bootstrap/cni/cert-manager.tf b/bootstrap/gateway/certificates.tf similarity index 87% rename from bootstrap/cni/cert-manager.tf rename to bootstrap/gateway/certificates.tf index 42c0bea..34fb30a 100644 --- a/bootstrap/cni/cert-manager.tf +++ b/bootstrap/gateway/certificates.tf @@ -183,3 +183,24 @@ resource "kubectl_manifest" "trust_bundle" { } }) } + +resource "kubectl_manifest" "ingress_certificate" { + depends_on = [kubectl_manifest.letsencrypt] + + yaml_body = yamlencode({ + apiVersion = "cert-manager.io/v1" + kind = "Certificate" + metadata = { + name = "gateway-tls" + } + spec = { + secretName = "gateway-tls" + issuerRef = { + name = "letsencrypt" + kind = "ClusterIssuer" + } + commonName = "*.${var.cluster_domain}" + dnsNames = ["*.${var.cluster_domain}", "*.${var.public_domain}", "*.internal.${var.cluster_domain}"] + } + }) +} diff --git a/bootstrap/gateway/main.tf b/bootstrap/gateway/main.tf new file mode 100644 index 0000000..480e08d --- /dev/null +++ b/bootstrap/gateway/main.tf 
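Review bot: `gateway-tls` is a single wildcard certificate for `*.${var.cluster_domain}`, `*.${var.public_domain}` and `*.internal.${var.cluster_domain}`, and bootstrap/gateway/main.tf references that one secret from every HTTPS listener of both the `public` and the `private` gateway. The internet-facing proxy therefore holds the private key for the internal names too, whereas the removed Cilium gateway used separate `gateway-cluster-tls` and `gateway-public-tls` secrets. Issue one Certificate per gateway (for instance `gateway-public-tls` and `gateway-private-tls`; the names are only a suggestion) and reference each from its own listeners. The `metadata` block also has no `namespace`, so where the secret lands depends on the provider default; set it explicitly to the namespace the Gateway objects live in.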
@@ -0,0 +1,238 @@ +locals { + gateways = { + public = { + services = var.public_services, + hostnames = [ + { + name = "https", + value = "*.${var.cluster_domain}" + }, + { + name = "https-public", + value = "*.${var.public_domain}" + } + ] + }, + private = { + hostnames = [ + { + name = "https" + value = "*.internal.${var.cluster_domain}" + } + ] + } + } +} + +resource "kubernetes_namespace" "gateway" { + metadata { + name = "sys-gateway" + + labels = { + "pod-security.kubernetes.io/enforce" = "privileged" + } + } +} + +resource "helm_release" "gateway" { + depends_on = [kubectl_manifest.ingress_certificate] + + chart = "oci://docker.io/envoyproxy/gateway-helm" + version = "1.4.3" + + namespace = kubernetes_namespace.gateway.metadata[0].name + name = "envoy-gateway" +} + +resource "kubectl_manifest" "gateway_class" { + for_each = local.gateways + + yaml_body = yamlencode({ + apiVersion = "gateway.networking.k8s.io/v1" + kind = "GatewayClass" + metadata = { + name = "envoy-${each.key}" + } + spec = { + controllerName = "gateway.envoyproxy.io/gatewayclass-controller" + parametersRef = { + group = "gateway.envoyproxy.io" + kind = "EnvoyProxy" + name = each.key + namespace = kubernetes_namespace.gateway.metadata[0].name + } + } + }) +} + +resource "kubectl_manifest" "envoy_proxy" { + for_each = local.gateways + + yaml_body = yamlencode({ + apiVersion = "gateway.envoyproxy.io/v1alpha1" + kind = "EnvoyProxy" + metadata = { + name = each.key + namespace = kubernetes_namespace.gateway.metadata[0].name + } + spec = { + extraArgs = [ + "--use-dynamic-base-id" + ] + + provider = { + type = "Kubernetes" + kubernetes = { + envoyDeployment = { + replicas = 2 + } + envoyService = { + type = each.key == "public" ? "NodePort" : "ClusterIP" + patch = { + type = "StrategicMerge" + value = { + spec = { + ports = each.key == "public" ? 
[ + { + name = "http-${each.value.services.http.node_port}" + port = each.value.services.http.node_port + nodePort = each.value.services.http.node_port + target = each.value.services.http.node_port + protocol = "TCP" + }, + { + name = "https-${each.value.services.https.node_port}" + port = each.value.services.https.node_port + nodePort = each.value.services.https.node_port + target = each.value.services.https.node_port + protocol = "TCP" + } + ] : null + } + metadata = { + annotations = each.key == "private" ? { + "external-dns.alpha.kubernetes.io/hostname" = "*.internal.${var.cluster_domain}" + } : {} + } + } + } + } + } + } + + telemetry = { + # metrics = { + # prometheus = { + # disable = true + # } + # + # sinks = [ + # { + # type = "OpenTelemetry" + # openTelemetry = { + # host = "vector-agent-headless.sys-monitoring.svc.cluster.local" + # port = 4317 + # } + # } + # ] + # } + + tracing = { + samplingRate = 100 + provider = { + host = "vector-agent-headless.sys-monitoring.svc.cluster.local" + port = 4317 + } + } + } + } + }) +} + +resource "kubectl_manifest" "gateway" { + depends_on = [kubectl_manifest.gateway_class] + for_each = local.gateways + + yaml_body = yamlencode({ + apiVersion = "gateway.networking.k8s.io/v1" + kind = "Gateway" + metadata = { + name = each.key + } + spec = { + addresses = each.key == "public" ? [ + { + type = "IPAddress" + value = var.public_loadbalancer_ip + } + ] : [] + gatewayClassName = "envoy-${each.key}" + listeners = flatten([ + [{ + name = "http" + protocol = "HTTP" + port = each.key == "public" ? each.value.services.http.node_port : 80 + }], + [for hostname in each.value.hostnames : { + name = hostname.name + hostname = hostname.value + protocol = "HTTPS" + port = each.key == "public" ? 
each.value.services.https.node_port : 443 + + allowedRoutes = { + namespaces = { + from = "All" + } + } + + tls = { + certificateRefs = [ + { + name = "gateway-tls" + kind = "Secret" + group = "" + } + ] + } + }] + ]) + } + }) +} + +resource "kubectl_manifest" "gateway_https_redirect" { + depends_on = [kubectl_manifest.gateway] + for_each = local.gateways + + yaml_body = yamlencode({ + apiVersion = "gateway.networking.k8s.io/v1" + kind = "HTTPRoute" + metadata = { + name = "https-redirect-${each.key}" + } + spec = { + parentRefs = [ + { + name = each.key + sectionName = "http" + } + ] + hostnames = [ + for hostname in each.value.hostnames : hostname.value + ] + rules = [ + { + filters = [ + { + type = "RequestRedirect" + requestRedirect = { + scheme = "https" + statusCode = 301 + } + } + ] + } + ] + } + }) +} diff --git a/bootstrap/gateway/outputs.tf b/bootstrap/gateway/outputs.tf new file mode 100644 index 0000000..6b486f8 --- /dev/null +++ b/bootstrap/gateway/outputs.tf @@ -0,0 +1,25 @@ +output "ca_volume" { + value = { + name = "certificates" + configMap = { + name = "cluster-authority" + optional = false + items = [ + { + key = "root-certs.pem" + path = "root-certs.pem" + } + ] + } + } +} + +output "ca_volume_mount" { + value = { + name = "certificates" + readOnly = true + mountPath = "/etc/ssl/certs/root-certs.pem" + subPath = "root-certs.pem" + } +} + diff --git a/bootstrap/gateway/provider.tf b/bootstrap/gateway/provider.tf new file mode 100644 index 0000000..6a47e04 --- /dev/null +++ b/bootstrap/gateway/provider.tf @@ -0,0 +1,18 @@ +terraform { + required_providers { + kubernetes = { + source = "hashicorp/kubernetes" + version = "2.38.0" + } + + helm = { + source = "hashicorp/helm" + version = "2.17.0" + } + + kubectl = { + source = "alekc/kubectl" + version = "2.1.3" + } + } +} diff --git a/bootstrap/gateway/terragrunt.hcl b/bootstrap/gateway/terragrunt.hcl new file mode 100644 index 0000000..9b8dec9 --- /dev/null +++ b/bootstrap/gateway/terragrunt.hcl 
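Review bot: Every HTTPS listener in `kubectl_manifest.gateway` sets `allowedRoutes.namespaces.from = "All"`, for the `public` gateway as well as the `private` one, so any namespace that can create an HTTPRoute can attach a hostname under the wildcards and have it served with the shared certificate on the internet-facing listener. Restrict attachment with `from = "Selector"` and a per-gateway namespace label, as sketched below (the label key is a made-up example). In the `envoyService` patch the port entries use `target`, which is not a Service port field; `targetPort` is presumably what was meant. The `sys-gateway` namespace is labelled `"pod-security.kubernetes.io/enforce" = "privileged"` without a comment saying why the proxy needs it; if nothing does, `baseline` is the safer level. `samplingRate = 100` traces every request and is worth a comment if intentional.

```hcl
# … unchanged: listener name, hostname, protocol, port …
allowedRoutes = {
  namespaces = {
    from = "Selector"
    selector = {
      matchLabels = {
        # example label key; each namespace opts in to a gateway explicitly,
        # so the namespaces holding the hubble and longhorn routes need it too
        "gateway.example/allowed" = each.key
      }
    }
  }
}
# … unchanged: tls.certificateRefs …
```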
@@ -0,0 +1,25 @@ +include "root" { + path = find_in_parent_folders("root.hcl") +} + +include "kubernetes" { + path = find_in_parent_folders("kubernetes.hcl") +} + +dependency "cni" { + config_path = "${get_terragrunt_dir()}/../cni" +} + +dependency "talos" { + config_path = "${get_terragrunt_dir()}/../talos" +} + +dependency "nodes" { + config_path = "${get_terragrunt_dir()}/../nodes" +} + +inputs = { + kubeconfig = dependency.talos.outputs.kubeconfig + public_loadbalancer_ip = dependency.cni.outputs.public_loadbalancer_ip + controlplane = dependency.nodes.outputs.controlplane +} diff --git a/bootstrap/gateway/variables.tf b/bootstrap/gateway/variables.tf new file mode 100644 index 0000000..7a3b5bf --- /dev/null +++ b/bootstrap/gateway/variables.tf @@ -0,0 +1,22 @@ +variable "cloudflare_api_token" { + type = string + sensitive = true +} + +variable "acme_email" { + type = string + sensitive = true +} + +variable "cluster_domain" { + type = string +} + +variable "public_domain" { + type = string +} + +variable "public_loadbalancer_ip" { + sensitive = true + type = string +} diff --git a/bootstrap/kubernetes-base/.tfvars.secret b/bootstrap/kubernetes-base/.tfvars.secret index 958e607..5b13fcc 100644 Binary files a/bootstrap/kubernetes-base/.tfvars.secret and b/bootstrap/kubernetes-base/.tfvars.secret differ diff --git a/bootstrap/kubernetes-base/external-dns.tf b/bootstrap/kubernetes-base/external-dns.tf index b68c4da..33d1c79 100644 --- a/bootstrap/kubernetes-base/external-dns.tf +++ b/bootstrap/kubernetes-base/external-dns.tf @@ -32,6 +32,8 @@ resource "helm_release" "external_dns" { name = "cloudflare" } + policy = "sync" + serviceMonitor = { enabled = true } 
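Review bot: `policy = "sync"` in bootstrap/kubernetes-base/external-dns.tf lets external-dns delete records as well as create them, and the second hunk of the same file drops `--exclude-target-net=${var.public_subnet_cidr}` while keeping `--publish-internal-services`. Whether deletions stay confined to this cluster's own records depends on the registry owner id and the domain filters, both of which are outside these hunks; confirm they are set before this is applied. Add a comment at the new line, for example `# sync: external-dns also removes records it owns once their source is gone`, and one at `extraArgs` explaining why the target-net exclusion is no longer needed. The `helm_release.external_dns` block starts and ends outside both hunks.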
@@ -63,6 +65,6 @@ resource "helm_release" "external_dns" { ] } - extraArgs = ["--exclude-target-net=${var.public_subnet_cidr}", "--publish-internal-services", "--source=gateway-httproute", "--source=gateway-grpcroute"] + extraArgs = ["--publish-internal-services", "--source=gateway-httproute", "--source=gateway-grpcroute"] })] } diff --git a/bootstrap/kubernetes-base/ingress.tf b/bootstrap/kubernetes-base/ingress.tf deleted file mode 100644 index d0e5445..0000000 --- a/bootstrap/kubernetes-base/ingress.tf +++ /dev/null 
@@ -1,92 +0,0 @@ -locals { - internalIngress = "internal" - ingress = "nginx" -} - -resource "kubernetes_namespace" "ingress" { - metadata { - name = "sys-ingress-nginx" - } -} - -resource "kubectl_manifest" "ingress_certificate" { - yaml_body = yamlencode({ - apiVersion = "cert-manager.io/v1" - kind = "Certificate" - metadata = { - name = "ingress-tls" - namespace = kubernetes_namespace.ingress.metadata[0].name - } - spec = { - secretName = "ingress-tls" - issuerRef = { - name = "letsencrypt" - kind = "ClusterIssuer" - } - commonName = "*.${var.cluster_domain}" - dnsNames = ["*.${var.cluster_domain}", "*.internal.${var.cluster_domain}"] - } - }) -} - -locals { - ingresses = [ - { - name = "internal-ingress-nginx" - className = local.internalIngress - internal = true - annotations = { - "external-dns.alpha.kubernetes.io/internal-hostname" = "*.internal.${var.cluster_domain}" - "external-dns.alpha.kubernetes.io/cloudflare-proxied" = "false" - } - } - ] -} - -resource "helm_release" "ingress" { - depends_on = [kubernetes_namespace.ingress, kubectl_manifest.ingress_certificate] - for_each = { for i, data in local.ingresses : i => data } - - repository = "https://kubernetes.github.io/ingress-nginx" - chart = "ingress-nginx" - version = "4.13.0" - - namespace = kubernetes_namespace.ingress.metadata[0].name - name = each.value.name - - values = [yamlencode({ - controller = { - replicaCount = 2 - config = { - use-gzip = true - otlp-collector-host = "alloy.sys-monitoring.svc.cluster.local" - annotations-risk-level = "Critical" - } - ingressClass = each.value.className - ingressClassResource = { - name = each.value.className - controllerValue = each.value.internal ? "k8s.io/internal-ingress-nginx" : "k8s.io/nginx" - } - allowSnippetAnnotations = true - service = { - type = each.value.internal ? 
"ClusterIP" : "LoadBalancer" - annotations = each.value.annotations - } - extraArgs = { - default-ssl-certificate = "sys-ingress-nginx/ingress-tls" - enable-ssl-passthrough = true - } - metrics = { - enabled = true - serviceMonitor = { - enabled = true - } - } - resources = { - requests = { - cpu = "25m" - } - } - } - })] -} diff --git a/bootstrap/kubernetes-base/longhorn.tf b/bootstrap/kubernetes-base/longhorn.tf deleted file mode 100644 index 2d6171d..0000000 --- a/bootstrap/kubernetes-base/longhorn.tf +++ /dev/null 
@@ -1,93 +0,0 @@ -resource "kubernetes_namespace" "longhorn" { - metadata { - name = "sys-longhorn" - - labels = { - "pod-security.kubernetes.io/enforce" = "privileged" - } - } -} - -resource "kubernetes_secret" "longhorn_backup_credentials" { - metadata { - name = "longhorn-backup-credentials" - namespace = kubernetes_namespace.longhorn.metadata[0].name - } - - data = { - AWS_ACCESS_KEY_ID = var.backup_bucket_access_key_id - AWS_SECRET_ACCESS_KEY = var.backup_bucket_secret_access_key - AWS_ENDPOINTS = var.backup_bucket_endpoint - # VIRTUAL_HOSTED_STYLE = true - } -} - -resource "helm_release" "longhorn" { - depends_on = [kubernetes_namespace.longhorn, kubernetes_secret.longhorn_backup_credentials] - - repository = "https://charts.longhorn.io" - chart = "longhorn" - version = "1.9.1" - - namespace = "sys-longhorn" - name = "longhorn" - - values = [yamlencode({ - longhornUI = { - replicas = 1 - } - - ingress = { - enabled = true - ingressClassName = "internal" - host = "longhorn.internal.${var.cluster_domain}" - annotations = { - "nginx.ingress.kubernetes.io/auth-response-headers" = "Authorization" - "nginx.ingress.kubernetes.io/auth-signin" = "https://secure.${var.cluster_domain}/oauth2/start?rd=$scheme://$host$escaped_request_uri" - "nginx.ingress.kubernetes.io/auth-url" = "https://secure.${var.cluster_domain}/oauth2/auth" - "external-dns.alpha.kubernetes.io/cloudflare-proxied" = "false" - } - } - - defaultBackupStore = { - backupTarget = "s3://${var.backup_bucket_name}@default/${var.cluster_name}" - backupTargetCredentialSecret = kubernetes_secret.longhorn_backup_credentials.metadata[0].name - } - })] -} - -resource "kubectl_manifest" "longhorn_snapshots" { - yaml_body = yamlencode({ - apiVersion = "longhorn.io/v1beta2" - kind = "RecurringJob" - metadata = { - name = "longhorn-snapshot" - namespace = kubernetes_namespace.longhorn.metadata[0].name - } - spec = { - cron = "0 0 * * *" - task = "snapshot" - groups = ["default"] - retain = 3 - concurrency = 2 - } - }) 
-} - -resource "kubectl_manifest" "longhorn_backups" { - yaml_body = yamlencode({ - apiVersion = "longhorn.io/v1beta2" - kind = "RecurringJob" - metadata = { - name = "longhorn-backup" - namespace = kubernetes_namespace.longhorn.metadata[0].name - } - spec = { - cron = "0 0 * * 0" - task = "backup" - groups = ["default"] - retain = 3 - concurrency = 2 - } - }) -} diff --git a/bootstrap/kubernetes-base/terragrunt.hcl b/bootstrap/kubernetes-base/terragrunt.hcl index 54258fb..0d811ab 100644 --- a/bootstrap/kubernetes-base/terragrunt.hcl +++ b/bootstrap/kubernetes-base/terragrunt.hcl @@ -18,8 +18,8 @@ dependency "storage" { config_path = "${get_terragrunt_dir()}/../storage" } -dependency "cni" { - config_path = "${get_terragrunt_dir()}/../cni" +dependency "gateway" { + config_path = "${get_terragrunt_dir()}/../gateway" } dependency "databases" { @@ -38,9 +38,8 @@ inputs = { bucket_endpoint = dependency.storage.outputs.bucket_endpoint buckets = dependency.storage.outputs.buckets - loadbalancer_ip = dependency.cni.outputs.loadbalancer_ip - ca_volume = dependency.cni.outputs.ca_volume - ca_volume_mount = dependency.cni.outputs.ca_volume_mount + ca_volume = dependency.gateway.outputs.ca_volume + ca_volume_mount = dependency.gateway.outputs.ca_volume_mount postgres_host = dependency.databases.outputs.postgres_host postgres_databases = dependency.databases.outputs.postgres_databases diff --git a/bootstrap/kubernetes-base/variables.tf b/bootstrap/kubernetes-base/variables.tf index 9e25cbf..029ebcc 100644 --- a/bootstrap/kubernetes-base/variables.tf +++ b/bootstrap/kubernetes-base/variables.tf 
@@ -39,30 +39,6 @@ variable "public_domain" { type = string } -variable "zitadel_admin_mail" { - type = string -} - -variable "zitadel_smtp_tls" { - type = bool -} - -variable "zitadel_smtp_host" { - type = string -} - -variable "zitadel_smtp_username" { - type = string -} - -variable "zitadel_smtp_password" { - type = string -} - -variable "zitadel_smtp_sender" { - type = string -} - variable "bucket_endpoint" { type = string sensitive = true @@ -77,11 +53,6 @@ variable "buckets" { sensitive = true } -variable "loadbalancer_ip" { - sensitive = true - type = string -} - variable "postgres_admin_password" { sensitive = true type = string diff --git a/bootstrap/kubernetes-base/zitadel.tf b/bootstrap/kubernetes-base/zitadel.tf deleted file mode 100644 index f925ee3..0000000 --- a/bootstrap/kubernetes-base/zitadel.tf +++ /dev/null @@ -1,197 +0,0 @@ -locals { - zitadel_database = var.postgres_databases.zitadel -} - -resource "kubernetes_namespace" "zitadel" { - metadata { - name = "sys-zitadel" - } -} - -resource "random_password" "zitadel_admin" { - length = 40 - special = true -} - -resource "random_password" "zitadel_masterkey" { - length = 32 - special = false -} - -resource "kubernetes_secret" "zitadel" { - metadata { - name = "zitadel-config" - namespace = kubernetes_namespace.zitadel.metadata[0].name - } - - data = { - config-yaml = < pair + } + + principal_object_id = azuread_group.this[each.value.group].object_id + resource_object_id = azuread_service_principal.this[each.value.app_name].object_id + + app_role_id = lookup( + { + for r in azuread_application.this[each.value.app_name].app_role : + r.value => r.id + }, + each.value.role, + null + ) +} + diff --git a/bootstrap/modules/envoy-oidc-security-policy/entra/main.tf b/bootstrap/modules/envoy-oidc-security-policy/entra/main.tf new file mode 100644 index 0000000..50e0086 --- /dev/null +++ b/bootstrap/modules/envoy-oidc-security-policy/entra/main.tf @@ -0,0 +1 @@ +data "azuread_client_config" "this" {} 
diff --git a/bootstrap/modules/envoy-oidc-security-policy/entra/outputs.tf b/bootstrap/modules/envoy-oidc-security-policy/entra/outputs.tf
new file mode 100644
index 0000000..937fada
--- /dev/null
+++ b/bootstrap/modules/envoy-oidc-security-policy/entra/outputs.tf
@@ -0,0 +1,19 @@
+output "application_credentials" {
+ value = {
+ for app_name in keys(azuread_application.this) :
+ app_name => {
+ client_id = azuread_application.this[app_name].client_id
+ client_secret = azuread_application_password.this[app_name].value
+ }
+ }
+ sensitive = true
+}
+
+output "oidc_url" {
+ value = "https://login.microsoftonline.com/${data.azuread_client_config.this.tenant_id}/v2.0"
+ sensitive = true
+}
+
+output "groups" {
+ value = { for group in azuread_group.this : group.display_name => group.object_id }
+}
diff --git a/bootstrap/modules/envoy-oidc-security-policy/entra/provider.tf b/bootstrap/modules/envoy-oidc-security-policy/entra/provider.tf
new file mode 100644
index 0000000..df2a694
--- /dev/null
+++ b/bootstrap/modules/envoy-oidc-security-policy/entra/provider.tf
@@ -0,0 +1,8 @@
+terraform {
+ required_providers {
+ azuread = {
+ source = "hashicorp/azuread"
+ version = "~> 3.1.0"
+ }
+ }
+}
diff --git a/bootstrap/modules/envoy-oidc-security-policy/entra/variables.tf b/bootstrap/modules/envoy-oidc-security-policy/entra/variables.tf
new file mode 100644
index 0000000..9b6c41a
--- /dev/null
+++ b/bootstrap/modules/envoy-oidc-security-policy/entra/variables.tf
@@ -0,0 +1,13 @@
+variable "applications" {
+ type = map(object({
+ redirect_uris = list(string)
+ logout_uris = optional(list(string), [])
+ required_roles = list(string),
+ app_role_assignment_req = optional(bool, false)
+ sign_in_audience = optional(string, "AzureADMyOrg")
+ }))
+}
+
+variable "groups" {
+ type = list(string)
+}
diff --git a/bootstrap/modules/envoy-oidc-security-policy/main.tf b/bootstrap/modules/envoy-oidc-security-policy/main.tf
new file mode 100644
index 0000000..0c01cab
--- /dev/null
+++ b/bootstrap/modules/envoy-oidc-security-policy/main.tf
@@ -0,0 +1,50 @@
+locals {
+ credentials_given = var.client_secret != null && var.client_secret != null
+}
+
+resource "kubernetes_secret" "this" {
+ depends_on = [module.entra]
+
+ metadata {
+ name = "${var.route}-oidc"
+ namespace = var.namespace
+ }
+
+ data = {
+ client-secret = local.credentials_given ? var.client_secret : values(module.entra[0].application_credentials)[0].client_secret
+ }
+}
+
+resource "kubectl_manifest" "this" {
+ depends_on = [kubernetes_secret.this]
+
+ yaml_body = yamlencode({
+ apiVersion = "gateway.envoyproxy.io/v1alpha1"
+ kind = "SecurityPolicy"
+ metadata = {
+ name = "${var.route}-oidc"
+ namespace = var.namespace
+ }
+ spec = {
+ targetRefs = [
+ {
+ group = "gateway.networking.k8s.io"
+ kind = "HTTPRoute"
+ name = var.route
+ }
+ ]
+
+ oidc = {
+ provider = {
+ issuer = (local.credentials_given && var.issuer != null) ? var.issuer : module.entra[0].oidc_url
+ }
+ clientID = local.credentials_given ? var.client_id : values(module.entra[0].application_credentials)[0].client_id
+ clientSecret = {
+ name = "${var.route}-oidc"
+ }
+ redirectURL = "https://${var.hostname}/envoy/callback"
+ logoutPath = "/envoy/logout"
+ }
+ }
+ })
+}
diff --git a/bootstrap/modules/envoy-oidc-security-policy/oidc.tf b/bootstrap/modules/envoy-oidc-security-policy/oidc.tf
new file mode 100644
index 0000000..3a3d512
--- /dev/null
+++ b/bootstrap/modules/envoy-oidc-security-policy/oidc.tf
@@ -0,0 +1,20 @@
+locals {
+ identifier = "${var.cluster_name}-${var.route}"
+}
+
+module "entra" {
+ source = "./entra"
+
+ count = local.credentials_given ? 0 : 1
+
+ applications = {
+ (local.identifier) = {
+ redirect_uris = ["https://${var.hostname}/envoy/callback"]
+ logout_uris = ["https://${var.hostname}/envoy/logout"]
+ required_roles = [local.identifier]
+ app_role_assignment_req = true
+ sign_in_audience = "AzureADMyOrg"
+ }
+ }
+ groups = [local.identifier]
+}
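Review bot: In main.tf, `credentials_given` tests `var.client_secret != null` twice and never looks at `var.client_id`, so a caller that passes only a secret skips the entra module and the SecurityPolicy is rendered with `clientID = null`. The local should read `credentials_given = var.client_id != null && var.client_secret != null`. Separately, when both credentials are supplied but `var.issuer` is left at its null default, the `issuer` expression falls through to `module.entra[0].oidc_url` while oidc.tf gives the module `count = 0`, which looks like an invalid-index error at plan time. A `validation` block or resource `precondition` requiring `issuer` whenever the credentials are set would turn that into a clear message.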
diff --git a/bootstrap/modules/envoy-oidc-security-policy/outputs.tf b/bootstrap/modules/envoy-oidc-security-policy/outputs.tf
new file mode 100644
index 0000000..06c6bfd
--- /dev/null
+++ b/bootstrap/modules/envoy-oidc-security-policy/outputs.tf
@@ -0,0 +1,12 @@
+output "credentials" {
+ sensitive = true
+ value = length(module.entra) == 1 ? module.entra[0].application_credentials : null
+}
+
+output "entra_issuer" {
+ value = length(module.entra) == 1 ? module.entra[0].oidc_url : null
+}
+
+output "groups" {
+ value = length(module.entra) == 1 ? module.entra[0].groups : null
+}
diff --git a/bootstrap/modules/envoy-oidc-security-policy/provider.tf b/bootstrap/modules/envoy-oidc-security-policy/provider.tf
new file mode 100644
index 0000000..d0fc2fd
--- /dev/null
+++ b/bootstrap/modules/envoy-oidc-security-policy/provider.tf
@@ -0,0 +1,13 @@
+terraform {
+ required_providers {
+ kubernetes = {
+ source = "hashicorp/kubernetes"
+ version = "2.38.0"
+ }
+
+ kubectl = {
+ source = "alekc/kubectl"
+ version = "2.1.3"
+ }
+ }
+}
diff --git a/bootstrap/modules/envoy-oidc-security-policy/variables.tf b/bootstrap/modules/envoy-oidc-security-policy/variables.tf
new file mode 100644
index 0000000..e69d4f4
--- /dev/null
+++ b/bootstrap/modules/envoy-oidc-security-policy/variables.tf
@@ -0,0 +1,34 @@
+variable "client_id" {
+ type = string
+ nullable = true
+ default = null
+}
+
+variable "client_secret" {
+ type = string
+ sensitive = true
+ nullable = true
+ default = null
+}
+
+variable "route" {
+ type = string
+}
+
+variable "hostname" {
+ type = string
+}
+
+variable "issuer" {
+ type = string
+ nullable = true
+ default = null
+}
+
+variable "namespace" {
+ type = string
+}
+
+variable "cluster_name" {
+ type = string
+}
diff --git a/bootstrap/monitoring/.tfvars.secret b/bootstrap/monitoring/.tfvars.secret
index 54170ee..022ad91 100644
Binary files a/bootstrap/monitoring/.tfvars.secret and b/bootstrap/monitoring/.tfvars.secret differ
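Review bot: In the module's outputs.tf, `entra_issuer` forwards `module.entra[0].oidc_url`, which entra/outputs.tf declares with `sensitive = true`, but the wrapper output carries no `sensitive` flag of its own. Terraform normally refuses an output that refers to a sensitive value unless the output is marked too, so this is likely to fail as soon as the entra module is instantiated. Either add `sensitive = true` to `entra_issuer`, or drop the flag on `oidc_url` if the tenant-scoped issuer URL is not meant to be treated as a secret. The two declarations should agree either way.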
diff --git a/bootstrap/monitoring/alerting.tf b/bootstrap/monitoring/alerting.tf new file mode 100644 index 0000000..9fd767e --- /dev/null +++ b/bootstrap/monitoring/alerting.tf 
@@ -0,0 +1,301 @@ +locals { + rules = { + "Container cpu throttling is high" = { + description = "Alert when container is being throttled > 25% of the time for more than 5 minutes" + violation_time_limit_seconds = 21600 + query = "from K8sContainerSample select sum(containerCpuCfsThrottledPeriodsDelta) / sum(containerCpuCfsPeriodsDelta) * 100 where clusterName in ('${var.cluster_name}') facet containerName, podName, namespaceName, clusterName" + critical = { + operator = "above" + threshold = 90 + threshold_duration = 300 + threshold_occurrences = "all" + } + } + + "Container high cpu utilization" = { + description = "Alert when the average container cpu utilization (vs. Limit) is > 90% for more than 5 minutes" + violation_time_limit_seconds = 21600 + query = "from K8sContainerSample select average(cpuCoresUtilization) where clusterName in ('${var.cluster_name}') facet containerName, podName, namespaceName, clusterName" + critical = { + operator = "above" + threshold = 90 + threshold_duration = 300 + threshold_occurrences = "all" + } + } + + "Container high memory utilization" = { + description = "Alert when the average container memory utilization (vs. 
Limit) is > 90% for more than 5 minutes" + violation_time_limit_seconds = 21600 + query = "from K8sContainerSample select average(memoryWorkingSetUtilization) where clusterName in ('${var.cluster_name}') facet containerName, podName, namespaceName, clusterName" + critical = { + operator = "above" + threshold = 90 + threshold_duration = 300 + threshold_occurrences = "all" + } + } + + "Container is Restarting" = { + description = "Alert when the container restart count is greater than 0 in a sliding 5 minute window" + violation_time_limit_seconds = 21600 + query = "from K8sContainerSample select sum(restartCountDelta) where clusterName in ('${var.cluster_name}') FACET containerName, podName, namespaceName, clusterName" + critical = { + operator = "above" + threshold = 0 + threshold_duration = 300 + threshold_occurrences = "all" + } + } + + "Container is Waiting" = { + description = "Alert when a container is Waiting for more than 5 minutes" + violation_time_limit_seconds = 21600 + query = "from K8sContainerSample select uniqueCount(podName) WHERE status = 'Waiting' and clusterName in ('${var.cluster_name}') FACET containerName, podName, namespaceName, clusterName" + critical = { + operator = "above" + threshold = 0 + threshold_duration = 300 + threshold_occurrences = "all" + } + } + + "Daemonset is missing Pods" = { + description = "Alert when Daemonset is missing Pods for > 5 minutes" + violation_time_limit_seconds = 21600 + query = "from K8sDaemonsetSample select latest(podsMissing) where clusterName in ('${var.cluster_name}') facet daemonsetName, namespaceName, clusterName" + critical = { + operator = "above" + threshold = 0 + threshold_duration = 300 + threshold_occurrences = "all" + } + } + + "Deployment is missing Pods" = { + description = "Alert when Deployment is missing Pods for > 5 minutes" + violation_time_limit_seconds = 21600 + query = "from K8sDeploymentSample select latest(podsMissing) where clusterName in ('${var.cluster_name}') facet deploymentName, 
namespaceName, clusterName" + critical = { + operator = "above" + threshold = 0 + threshold_duration = 300 + threshold_occurrences = "all" + } + } + + "Etcd file descriptor utilization is high" = { + description = "Alert when Etcd file descriptor utilization is > 90% for more than 5 minutes" + violation_time_limit_seconds = 21600 + query = "from K8sEtcdSample select max(processFdsUtilization) where clusterName in ('${var.cluster_name}') facet displayName, clusterName" + critical = { + operator = "below" + threshold = 1 + threshold_duration = 60 + threshold_occurrences = "all" + } + } + + "Etcd has no leader" = { + description = "Alert when Etcd has no leader for more than 1 minute" + violation_time_limit_seconds = 21600 + query = "from K8sEtcdSample select min(etcdServerHasLeader) where clusterName in ('${var.cluster_name}') facet displayName, clusterName" + critical = { + operator = "below" + threshold = 1 + threshold_duration = 60 + threshold_occurrences = "all" + } + } + + "HPA current replicas < desired replicas" = { + description = "Alert when a Horizontal Pod Autoscaler's current replicas < desired replicas for > 5 minutes" + violation_time_limit_seconds = 21600 + query = "FROM K8sHpaSample select latest(desiredReplicas - currentReplicas) where clusterName in ('${var.cluster_name}') facet displayName, namespaceName, clusterName" + critical = { + operator = "equals" + threshold = 0 + threshold_duration = 300 + threshold_occurrences = "all" + } + } + + "HPA has reached maximum replicas" = { + description = "Alert when a Horizontal Pod Autoscaler has reached its maximum replicas for > 5" + violation_time_limit_seconds = 21600 + query = "FROM K8sHpaSample select latest(maxReplicas - currentReplicas) where clusterName in ('${var.cluster_name}') facet displayName, namespaceName, clusterName" + critical = { + operator = "equals" + threshold = 0 + threshold_duration = 300 + threshold_occurrences = "all" + } + } + + "Job Failed" = { + description = "Alert when a Job 
reports a failed status" + violation_time_limit_seconds = 21600 + query = "from K8sJobSample select uniqueCount(jobName) where failed = 'true' and clusterName in ('${var.cluster_name}') facet jobName, namespaceName, clusterName, failedPodsReason" + critical = { + operator = "above" + threshold = 0 + threshold_duration = 60 + threshold_occurrences = "at_least_once" + } + } + + "Node is not ready" = { + description = "Alert when a Node is not ready for > 5 minutes" + violation_time_limit_seconds = 21600 + query = "from K8sNodeSample select latest(condition.Ready) where clusterName in ('${var.cluster_name}') facet nodeName, clusterName" + critical = { + operator = "below" + threshold = 1 + threshold_duration = 300 + threshold_occurrences = "all" + } + } + + "Node root file system capacity utilization is high" = { + description = "Alert when the average Node root file system capacity utilization is > 90% for more than 5 minutes" + violation_time_limit_seconds = 21600 + query = "from K8sNodeSample select average(fsCapacityUtilization) where clusterName in ('${var.cluster_name}') facet nodeName, clusterName" + critical = { + operator = "above" + threshold = 90 + threshold_duration = 300 + threshold_occurrences = "all" + } + } + + "Persistent Volume has errors" = { + description = "Alert when Persistent Volume is in a Failed or Pending state for more than 5 minutes" + violation_time_limit_seconds = 21600 + query = "from K8sPersistentVolumeSample select uniqueCount(volumeName) where statusPhase in ('Failed','Pending') and clusterName in ('${var.cluster_name}') facet volumeName, clusterName" + critical = { + operator = "above" + threshold = 0 + threshold_duration = 300 + threshold_occurrences = "all" + } + } + + "Pod cannot be scheduled" = { + description = "Alert when a Pod cannot be scheduled for more than 5 minutes" + violation_time_limit_seconds = 21600 + query = "from K8sPodSample select latest(isScheduled) where clusterName in ('${var.cluster_name}') facet podName, 
namespaceName, clusterName" + critical = { + operator = "below" + threshold = 1 + threshold_duration = 300 + threshold_occurrences = "all" + } + } + + "Pod is not ready" = { + description = "Alert when a Pod is not ready for > 5 minutes" + violation_time_limit_seconds = 21600 + query = "FROM K8sPodSample select latest(isReady) where status not in ('Failed', 'Succeeded') where clusterName in ('${var.cluster_name}') facet podName, namespaceName, clusterName" + critical = { + operator = "below" + threshold = 1 + threshold_duration = 300 + threshold_occurrences = "all" + } + } + + "Statefulset is missing Pods" = { + description = "Alert when Statefulset is missing Pods for > 5 minutes" + violation_time_limit_seconds = 21600 + query = "from K8sStatefulsetSample select latest(podsMissing) where clusterName in ('${var.cluster_name}') facet daemonsetName, namespaceName, clusterName" + critical = { + operator = "above" + threshold = 0 + threshold_duration = 300 + threshold_occurrences = "all" + } + } + } +} + +resource "newrelic_alert_policy" "this" { + name = var.cluster_name +} + +resource "newrelic_nrql_alert_condition" "this" { + for_each = local.rules + + policy_id = newrelic_alert_policy.this.id + type = "static" + name = each.key + + enabled = true + violation_time_limit_seconds = each.value.violation_time_limit_seconds + + nrql { + query = each.value.query + data_account_id = var.new_relic_account_id + } + + critical { + operator = each.value.critical.operator + threshold = each.value.critical.threshold + threshold_duration = each.value.critical.threshold_duration + threshold_occurrences = each.value.critical.threshold_occurrences + } + + fill_option = "none" + aggregation_window = 300 + aggregation_method = "event_flow" + aggregation_delay = 60 + slide_by = 60 + expiration_duration = 300 + open_violation_on_expiration = false + close_violations_on_expiration = true + ignore_on_expected_termination = false +} + +resource "newrelic_notification_destination" "this" { 
+ name = "Notify admin" + type = "MOBILE_PUSH" + + property { + key = "userId" + value = var.new_relic_admin + } +} + +resource "newrelic_notification_channel" "this" { + name = "Notifications" + type = "MOBILE_PUSH" + destination_id = newrelic_notification_destination.this.id + product = "IINT" + + property { + key = "foo" + value = "bar" + } +} + +resource "newrelic_workflow" "workflow" { + name = "Notify ${var.cluster_name}" + enabled = true + muting_rules_handling = "DONT_NOTIFY_FULLY_MUTED_ISSUES" + + issues_filter { + name = "workflow_filter" + type = "FILTER" + + predicate { + attribute = "labels.policyIds" + operator = "EXACTLY_MATCHES" + values = [newrelic_alert_policy.this.id] + } + } + + destination { + channel_id = newrelic_notification_channel.this.id + notification_triggers = ["ACKNOWLEDGED", "ACTIVATED", "CLOSED"] + update_original_message = true + } +} diff --git a/bootstrap/monitoring/newrelic.tf b/bootstrap/monitoring/newrelic.tf new file mode 100644 index 0000000..c02dfce --- /dev/null +++ b/bootstrap/monitoring/newrelic.tf 
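Review bot: Two entries in `local.rules` carry a `critical` block that contradicts their own description, so they will not fire on the failure they are named for. "Etcd file descriptor utilization is high" repeats the `below` / `1` / 60-second condition of "Etcd has no leader", although it is described as above 90% for five minutes. "HPA current replicas < desired replicas" uses `equals 0` on `desiredReplicas - currentReplicas`, which holds exactly when the autoscaler has caught up. Smaller mismatches in the same map: the CPU-throttling rule is described as > 25% but uses a threshold of 90, and the Statefulset rule facets on `daemonsetName`. The corrected conditions for the first two would be:
```hcl
    "Etcd file descriptor utilization is high" = {
      # … unchanged: description, violation_time_limit_seconds, query …
      critical = {
        operator           = "above"
        threshold          = 90
        threshold_duration = 300
        # … unchanged: threshold_occurrences …
      }
    }

    "HPA current replicas < desired replicas" = {
      # … unchanged: description, violation_time_limit_seconds, query …
      critical = {
        operator = "above"
        # … unchanged: threshold, threshold_duration, threshold_occurrences …
      }
    }
```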
@@ -0,0 +1,98 @@
+locals {
+ metrics_to_ignore = [
+ "rest_client_rate_limiter_duration",
+ "rest_client_response_size",
+ "rest_client_request_size",
+ "container_blkio",
+ "container_memory_failures",
+ "container_fs_writes",
+ "container_fs_reads",
+ "container_network_transmit_bytes",
+ "container_network_receive_bytes",
+ "apiserver_flowcontrol_priority_level",
+ "coredns_proxy_request_duration_seconds",
+ "coredns_dns_request_duration_seconds",
+ "rest_client_request_duration",
+ "envoy_"
+ ]
+}
+
+resource "helm_release" "newrelic_bundle" {
+ name = "newrelic"
+ namespace = kubernetes_namespace.monitoring.metadata[0].name
+
+ chart = "nri-bundle"
+ repository = "https://helm-charts.newrelic.com"
+
+ values = [yamlencode({
+ global = {
+ licenseKey = var.new_relic_token
+ cluster = var.cluster_name
+ lowDataMode = true
+ }
+
+ kube-state-metrics = {
+ enabled = true
+ image = {
+ tag = "v2.13.0"
+ }
+ }
+
+ kubeEvents = {
+ enabled = true
+ }
+
+ newrelic-prometheus-agent = {
+ enabled = true
+ lowDataMode = true
+
+ config = {
+ kubernetes = {
+ integrations_filter = {
+ enabled = false
+ }
+ }
+
+ newrelic_remote_write = {
+ extra_write_relabel_configs = [
+ {
+ source_labels = ["__name__"]
+ regex = "(${join("|", local.metrics_to_ignore)}).*"
+ action = "drop"
+ }
+ ]
+ }
+ }
+ }
+
+ logging = {
+ enabled = false
+ }
+
+ newrelic-infrastructure = {
+ controlPlane = {
+ tolerations = [
+ {
+ key = "node-role.kubernetes.io/control-plane"
+ operator = "Exists"
+ effect = "NoSchedule"
+ },
+ ]
+
+ resources = {
+ requests = {
+ cpu = "10m"
+ }
+ }
+ }
+
+ kubelet = {
+ resources = {
+ requests = {
+ cpu = "10m"
+ }
+ }
+ }
+ }
+ })]
+}
diff --git a/bootstrap/monitoring/prometheus.tf b/bootstrap/monitoring/prometheus.tf
deleted file mode 100644
index f8b5ceb..0000000
--- a/bootstrap/monitoring/prometheus.tf
+++ /dev/null
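Review bot: `helm_release.newrelic_bundle` sets `chart` and `repository` but no `version`, so each apply may resolve to whatever nri-bundle release the repository currently serves. The releases this commit removes (ingress-nginx, longhorn, kube-prometheus-stack) all pinned one. Add `version = "<nri-bundle chart version you tested>"` next to `chart` so that upgrades of the in-cluster agents are a reviewed change. The license key is also passed as `global.licenseKey` inside `values`, which Helm stores with the release; the chart's `global.customSecretName` / `global.customSecretLicenseKey` options would let it reference a pre-created Secret instead, which is worth checking against the chart documentation.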
@@ -1,82 +0,0 @@ -resource "kubernetes_secret" "thanos_credentials" { - depends_on = [kubernetes_namespace.monitoring] - - metadata { - name = "thanos-credentials" - namespace = "sys-monitoring" - } - - data = { - username = var.thanos_username - password = var.thanos_password - } -} - -resource "helm_release" "prometheus" { - depends_on = [kubernetes_namespace.monitoring] - - repository = "https://prometheus-community.github.io/helm-charts" - chart = "kube-prometheus-stack" - version = "75.18.1" - - namespace = "sys-monitoring" - name = "prometheus" - - values = [yamlencode({ - alertmanager = { - enabled = false - } - - grafana = { - enabled = false - } - - nodeExporter = { - enabled = false - } - - kubeScheduler = { - enabled = false - } - - kubeControllerManager = { - enabled = false - } - - kubeProxy = { - enabled = false - } - - prometheus = { - prometheusSpec = { - podMetadata = { - labels = { - wireguard = "true" - } - } - serviceMonitorSelectorNilUsesHelmValues = false - podMonitorSelectorNilUsesHelmValues = false - probeSelectorNilUsesHelmValues = false - - retention = "3d" - retentionSize = "3GB" - - remoteWrite = [ - { - url = "${var.thanos_endpoint}" - basicAuth = { - username = { - name = "thanos-credentials" - key = "username" - } - password = { - name = "thanos-credentials" - key = "password" - } - } - } - ] - } - } - })] -} diff --git a/bootstrap/monitoring/provider.tf b/bootstrap/monitoring/provider.tf index 6a47e04..ddf8319 100644 --- a/bootstrap/monitoring/provider.tf +++ b/bootstrap/monitoring/provider.tf @@ -14,5 +14,16 @@ terraform { source = "alekc/kubectl" version = "2.1.3" } + + newrelic = { + source = "newrelic/newrelic" + version = "3.66.0" + } } } + +provider "newrelic" { + account_id = var.new_relic_account_id + api_key = var.new_relic_api_token + region = "EU" +} diff --git a/bootstrap/monitoring/terragrunt.hcl b/bootstrap/monitoring/terragrunt.hcl index be0c487..ae99995 100644 --- a/bootstrap/monitoring/terragrunt.hcl 
+++ b/bootstrap/monitoring/terragrunt.hcl @@ -10,8 +10,8 @@ dependency "talos" { config_path = "${get_terragrunt_dir()}/../talos" } -dependency "cni" { - config_path = "${get_terragrunt_dir()}/../cni" +dependency "gateway" { + config_path = "${get_terragrunt_dir()}/../gateway" } dependency "nodes" { @@ -21,8 +21,8 @@ dependency "nodes" { inputs = { kubeconfig = dependency.talos.outputs.kubeconfig - ca_volume = dependency.cni.outputs.ca_volume - ca_volume_mount = dependency.cni.outputs.ca_volume_mount + ca_volume = dependency.gateway.outputs.ca_volume + ca_volume_mount = dependency.gateway.outputs.ca_volume_mount controlplane = dependency.nodes.outputs.controlplane } diff --git a/bootstrap/monitoring/variables.tf b/bootstrap/monitoring/variables.tf index 922c8e0..e8dc720 100644 --- a/bootstrap/monitoring/variables.tf +++ b/bootstrap/monitoring/variables.tf @@ -1,54 +1,43 @@ -variable "loki_endpoint" { - type = string -} - -variable "loki_username" { - type = string +variable "ca_volume" { + type = any } -variable "loki_password" { - type = string - sensitive = true +variable "ca_volume_mount" { + type = any } -variable "tempo_endpoint" { +variable "cluster_name" { type = string } -variable "tempo_username" { +variable "cluster_domain" { type = string } -variable "tempo_password" { +variable "new_relic_token" { type = string sensitive = true } -variable "thanos_endpoint" { - type = string -} - -variable "thanos_username" { - type = string -} - -variable "thanos_password" { +variable "new_relic_api_token" { type = string sensitive = true } -variable "ca_volume" { - type = any +variable "new_relic_account_id" { + type = string + sensitive = true } -variable "ca_volume_mount" { - type = any +variable "new_relic_prometheus_endpoint" { + type = string } -variable "cluster_name" { +variable "new_relic_otlp_endpoint" { type = string } -variable "cluster_domain" { - type = string +variable "new_relic_admin" { + type = string + sensitive = true } 
diff --git a/bootstrap/monitoring/vector.tf b/bootstrap/monitoring/vector.tf index e246e64..ecf5a14 100644 --- a/bootstrap/monitoring/vector.tf +++ b/bootstrap/monitoring/vector.tf @@ -20,14 +20,8 @@ resource "kubernetes_secret" "vector_credentials" { } data = { - THANOS_USER = var.thanos_username - THANOS_PASSWORD = var.thanos_password - - LOKI_USER = var.loki_username - LOKI_PASSWORD = var.loki_password - - TEMPO_USER = var.tempo_username - TEMPO_PASSWORD = var.tempo_password + NEW_RELIC_ACCOUNT_ID = var.new_relic_account_id + NEW_RELIC_TOKEN = var.new_relic_token } } @@ -89,10 +83,6 @@ resource "helm_release" "vector_agent" { data_dir = "/vector-data" sources = { - node = { - type = "host_metrics" - } - logs = { type = "kubernetes_logs" } 
@@ -121,12 +111,7 @@ resource "helm_release" "vector_agent" { inputs = ["deduped_logs"] source = < { - for trigger in local.triggers : trigger => - [for action, action_data in local.merged_actions : (action == "flatRoles" ? zitadel_action.roles.id : zitadel_action.additional_actions[action].id) if contains(action_data.trigger, trigger)] - } - } -} - -resource "zitadel_action" "roles" { - org_id = local.zitadel_org - name = "flatRoles" - script = < { - claim.roles.forEach(role => { - groups.push(claim.projectId + ':' + role); - api.v1.claims.setClaim(claim.projectId + ':' + role, true); - }) - }) - api.v1.claims.setClaim('groups', groups); -} -EOT - timeout = "10s" - allowed_to_fail = true -} - -resource "zitadel_action" "additional_actions" { - for_each = var.additional_actions - - org_id = local.zitadel_org - name = each.key - script = replace(each.value.script, "PROJECT", zitadel_project.this.id) - - timeout = "10s" - allowed_to_fail = each.value.can_fail -} - -resource "zitadel_trigger_actions" "this" { - for_each = { for idx, data in flatten([for flow, flow_data in local.action_triggers : [ - for trigger, action_ids in flow_data : { - flow_type = flow, - trigger_type = trigger, - action_ids = action_ids - } - ]]) : idx => data } - - org_id = local.zitadel_org - flow_type = each.value.flow_type - trigger_type = each.value.trigger_type - action_ids = each.value.action_ids -} diff --git a/bootstrap/zitadel/application.tf b/bootstrap/zitadel/application.tf deleted file mode 100644 index 309c13b..0000000 --- a/bootstrap/zitadel/application.tf +++ /dev/null 
@@ -1,96 +0,0 @@ -resource "zitadel_application_oidc" "oauth2_proxy" { - org_id = local.zitadel_org - project_id = zitadel_project.this.id - - name = "OAuth2Proxy" - redirect_uris = ["https://secure.${var.cluster_domain}/oauth2/callback"] - response_types = ["OIDC_RESPONSE_TYPE_CODE"] - grant_types = ["OIDC_GRANT_TYPE_AUTHORIZATION_CODE"] - post_logout_redirect_uris = [] - app_type = "OIDC_APP_TYPE_WEB" - auth_method_type = "OIDC_AUTH_METHOD_TYPE_BASIC" - version = "OIDC_VERSION_1_0" - clock_skew = "0s" - access_token_type = "OIDC_TOKEN_TYPE_BEARER" - access_token_role_assertion = true - id_token_role_assertion = true - id_token_userinfo_assertion = false -} - -resource "zitadel_application_oidc" "argocd" { - org_id = local.zitadel_org - project_id = zitadel_project.this.id - - name = "ArgoCD" - redirect_uris = ["https://argocd.internal.${var.cluster_domain}/auth/callback"] - response_types = ["OIDC_RESPONSE_TYPE_CODE"] - grant_types = ["OIDC_GRANT_TYPE_AUTHORIZATION_CODE"] - post_logout_redirect_uris = [] - app_type = "OIDC_APP_TYPE_WEB" - auth_method_type = "OIDC_AUTH_METHOD_TYPE_BASIC" - version = "OIDC_VERSION_1_0" - clock_skew = "0s" - access_token_type = "OIDC_TOKEN_TYPE_BEARER" - access_token_role_assertion = true - id_token_role_assertion = true - id_token_userinfo_assertion = false -} - -resource "zitadel_application_oidc" "feedback_fusion" { - org_id = local.zitadel_org - project_id = zitadel_project.this.id - - name = "feedback-fusion" - redirect_uris = ["https://feedback-fusion.${var.public_domain}/auth/oidc/callback"] - response_types = ["OIDC_RESPONSE_TYPE_CODE"] - grant_types = ["OIDC_GRANT_TYPE_AUTHORIZATION_CODE"] - post_logout_redirect_uris = [] - app_type = "OIDC_APP_TYPE_WEB" - auth_method_type = "OIDC_AUTH_METHOD_TYPE_BASIC" - version = "OIDC_VERSION_1_0" - clock_skew = "0s" - access_token_type = "OIDC_TOKEN_TYPE_BEARER" - access_token_role_assertion = true - id_token_role_assertion = true - id_token_userinfo_assertion = false -} - -resource 
"zitadel_application_oidc" "forgejo" { - org_id = local.zitadel_org - project_id = zitadel_project.this.id - - name = "forgejo" - redirect_uris = ["https://git.${var.public_domain}/user/oauth2/Zitadel/callback"] - response_types = ["OIDC_RESPONSE_TYPE_CODE"] - grant_types = ["OIDC_GRANT_TYPE_AUTHORIZATION_CODE"] - post_logout_redirect_uris = [] - app_type = "OIDC_APP_TYPE_WEB" - auth_method_type = "OIDC_AUTH_METHOD_TYPE_BASIC" - version = "OIDC_VERSION_1_0" - clock_skew = "0s" - access_token_type = "OIDC_TOKEN_TYPE_BEARER" - access_token_role_assertion = true - id_token_role_assertion = true - id_token_userinfo_assertion = false -} - -resource "zitadel_application_oidc" "additional_application" { - for_each = var.additional_applications - - org_id = local.zitadel_org - project_id = zitadel_project.this.id - - name = each.key - redirect_uris = each.value.redirect_uris - response_types = each.value.response_types - grant_types = each.value.grant_types - post_logout_redirect_uris = each.value.post_logout_redirect_uris - app_type = each.value.app_type - auth_method_type = "OIDC_AUTH_METHOD_TYPE_BASIC" - version = "OIDC_VERSION_1_0" - clock_skew = "0s" - access_token_type = "OIDC_TOKEN_TYPE_BEARER" - access_token_role_assertion = true - id_token_role_assertion = true - id_token_userinfo_assertion = false -} diff --git a/bootstrap/zitadel/org.tf b/bootstrap/zitadel/org.tf deleted file mode 100644 index 9e9d6f3..0000000 --- a/bootstrap/zitadel/org.tf +++ /dev/null @@ -1,10 +0,0 @@ -locals { - zitadel_org = data.zitadel_orgs.this.ids[0] -} - -data "zitadel_orgs" "this" { - name = var.cluster_name - name_method = "TEXT_QUERY_METHOD_EQUALS_IGNORE_CASE" - - state = "ORG_STATE_ACTIVE" -} diff --git a/bootstrap/zitadel/outputs.tf b/bootstrap/zitadel/outputs.tf deleted file mode 100644 index 882422d..0000000 --- a/bootstrap/zitadel/outputs.tf +++ /dev/null 
@@ -1,54 +0,0 @@ -output "oauth2_proxy_client_id" { - sensitive = true - value = zitadel_application_oidc.oauth2_proxy.client_id -} - -output "oauth2_proxy_client_secret" { - sensitive = true - value = zitadel_application_oidc.oauth2_proxy.client_secret -} - -output "argocd_client_id" { - sensitive = true - value = zitadel_application_oidc.argocd.client_id -} - -output "argocd_client_secret" { - sensitive = true - value = zitadel_application_oidc.argocd.client_secret -} - -output "zitadel_project" { - value = zitadel_project.this.id -} - -output "feedback_fusion_client_id" { - sensitive = true - value = zitadel_application_oidc.feedback_fusion.client_id -} - -output "feedback_fusion_client_secret" { - sensitive = true - value = zitadel_application_oidc.feedback_fusion.client_secret -} - -output "zitadel_feedback_fusion_id" { - value = zitadel_application_oidc.feedback_fusion.id -} - -output "forgejo_client_id" { - value = zitadel_application_oidc.forgejo.client_id - sensitive = true -} - -output "forgejo_client_secret" { - value = zitadel_application_oidc.forgejo.client_secret - sensitive = true -} - -output "additional_applications" { - sensitive = true - value = { - for idx, application in zitadel_application_oidc.additional_application : application.name => application - } -} diff --git a/bootstrap/zitadel/project.tf b/bootstrap/zitadel/project.tf deleted file mode 100644 index 6a3f214..0000000 --- a/bootstrap/zitadel/project.tf +++ /dev/null @@ -1,8 +0,0 @@ -resource "zitadel_project" "this" { - org_id = local.zitadel_org - - name = var.cluster_name - - has_project_check = true - project_role_assertion = true -} diff --git a/bootstrap/zitadel/provider.tf b/bootstrap/zitadel/provider.tf deleted file mode 100644 index 530e938..0000000 --- a/bootstrap/zitadel/provider.tf +++ /dev/null 
@@ -1,35 +0,0 @@ -terraform { - required_providers { - zitadel = { - source = "zitadel/zitadel" - version = "2.2.0" - } - - kubernetes = { - source = "hashicorp/kubernetes" - version = "2.38.0" - } - - helm = { - source = "hashicorp/helm" - version = "2.17.0" - } - - kubectl = { - source = "alekc/kubectl" - version = "2.1.3" - } - } -} - -data "kubernetes_secret" "zitadel_machine" { - metadata { - name = "terraform" - namespace = "sys-zitadel" - } -} - -provider "zitadel" { - domain = "secure.${var.public_domain}" - jwt_profile_json = data.kubernetes_secret.zitadel_machine.data["terraform.json"] -} diff --git a/bootstrap/zitadel/roles.tf b/bootstrap/zitadel/roles.tf deleted file mode 100644 index a46ea5b..0000000 --- a/bootstrap/zitadel/roles.tf +++ /dev/null @@ -1,17 +0,0 @@ -resource "zitadel_project_role" "admin" { - org_id = local.zitadel_org - project_id = zitadel_project.this.id - - role_key = "admin" - display_name = "Administrator" -} - -resource "zitadel_project_role" "additional_roles" { - for_each = var.additional_roles - - org_id = local.zitadel_org - project_id = zitadel_project.this.id - - role_key = each.key - display_name = each.value -} diff --git a/bootstrap/zitadel/variables.tf b/bootstrap/zitadel/variables.tf deleted file mode 100644 index 8cddccd..0000000 --- a/bootstrap/zitadel/variables.tf +++ /dev/null @@ -1,34 +0,0 @@ -variable "cluster_name" { - type = string -} - -variable "cluster_domain" { - type = string -} - -variable "public_domain" { - type = string -} - -variable "additional_applications" { - type = map(object({ - redirect_uris = list(string) - response_types = list(string) - grant_types = list(string) - post_logout_redirect_uris = list(string) - app_type = string - })) -} - -variable "additional_roles" { - type = map(string) -} - -variable "additional_actions" { - type = map(object({ - script = string - flow_type = string - trigger = list(string) - can_fail = bool - })) -} 
diff --git a/gitops/templates/dawarich/deployment.yaml b/gitops/templates/dawarich/deployment.yaml index a8de675..6dca97f 100644 --- a/gitops/templates/dawarich/deployment.yaml +++ b/gitops/templates/dawarich/deployment.yaml @@ -104,53 +104,31 @@ spec: --- # dawarich does not support oidc and gateway api does not support http auth yet therefore we just expose # it internally as of now -# apiVersion: gateway.networking.k8s.io/v1 -# kind: HTTPRoute -# metadata: -# annotations: -# external-dns.alpha.kubernetes.io/target: {{ .Values.loadBalancerIp }} -# name: dawarich -# namespace: dawarich -# spec: -# hostnames: -# - dawarich.{{ .Values.domain }} -# parentRefs: -# - group: gateway.networking.k8s.io -# kind: Gateway -# name: cilium -# namespace: default -# sectionName: https -# rules: -# - backendRefs: -# - group: "" -# kind: Service -# name: dawarich -# port: 3000 -# weight: 1 -# matches: -# - path: -# type: PathPrefix -# value: / -apiVersion: networking.k8s.io/v1 -kind: Ingress +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute metadata: name: dawarich namespace: dawarich - annotations: - external-dns.alpha.kubernetes.io/cloudflare-proxied: "false" spec: - ingressClassName: internal + hostnames: + - dawarich.internal.{{ .Values.clusterDomain }} + parentRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: private + namespace: default + sectionName: https rules: - - host: dawarich.internal.{{ .Values.clusterDomain }} - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: dawarich - port: - number: 3000 + - backendRefs: + - group: "" + kind: Service + name: dawarich + port: 3000 + weight: 1 + matches: + - path: + type: PathPrefix + value: / --- apiVersion: v1 kind: PersistentVolumeClaim diff --git a/gitops/templates/dawarich/secrets/config-sealed.yaml b/gitops/templates/dawarich/secrets/config-sealed.yaml index 51d948c..331a59f 100644 --- a/gitops/templates/dawarich/secrets/config-sealed.yaml 
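Review bot: With the `Ingress` on `ingressClassName: internal` replaced by an `HTTPRoute`, the only thing keeping dawarich off the public network is the `private` Gateway named in `parentRefs`, and the comment above the manifest says the app has no OIDC in front of it. That Gateway is defined outside this hunk, so confirm that its `https` listener is bound to an internal address and that its `allowedRoutes` admits the `dawarich` namespace (the route lives in `dawarich`, the Gateway in `default`). Otherwise the route is either not attached or reachable more widely than intended. I would also update the comment to name the control, e.g. `# exposed only via the "private" Gateway (internal listener); no auth in front of dawarich`.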
+++ b/gitops/templates/dawarich/secrets/config-sealed.yaml 
@@ -7,26 +7,26 @@ metadata: namespace: dawarich spec: encryptedData: - APPLICATION_HOSTS: 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 - APPLICATION_PROTOCOL: 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 - DATABASE_HOST: 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 - DATABASE_NAME: AgB0eyVh8JTtiuQC5ql+YzalOluJnGlG7DcVJM+W9an3CC5jezoM2NylzGOrS/V/y+V0rnZU7b0DXOp+IxOlbuxnx+0vUYvor05RJ0A7BV62eIEzSVBHDENgBaRegKVNgNCRwobt55bBSvL8guZFLKOAtnFFYT7Gj2U4cYRthdhOJYhyJxnQuzmR6/tNBT+cDvt+5Ta5NrybJ4ZFxmkn4bxt4zqd/yzw38GWKRJjoOgWCMfFjvozJnGIexXY8fx4I5IIlr0Ndv5s+AVLhC1UTvRkXpcRozwKKWL95mdiulE25ySuxoTEGTv6eQjHkVUPzhHK7ALEpI/2wcUyvnk2iIWEI000/F+gnjD4Uek1HJNjWig9dZccwoB17xz6IyjqB54vrB94weqWYqrEjHyqso0Xn2+zyhU5I8xwRr5lCJM9yr4GyJ3BMbGxCBGo3/OYqgAyfN+BztKvmuaL4ntYLH/+6hFuGnbJZAAEZpvvTb/hWFcRBIJIaceIvh/qoo5k7TGg9ucqQjlAB6Sys4thPcyA+TRpzafm7kWfGWsMfH7jLGiJHd64XFQZwmT7YblqP5Zr3hOEVewPh14wDSG/Gs5NmRyrZ5Ck7w/pWnF+NPbxvTvBLKS5Q+EB443ZwLv1CFAhiTzI1lI/FFFfLrMS/RzJPQOeKbj+3payG8ZVZUkI9LOHb655T0DrM4liQL8nvv575NRHdz7Suw== - DATABASE_PASSWORD: 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 - DATABASE_PORT: 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 - DATABASE_USERNAME: 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 - MIN_MINUTES_SPENT_IN_CITY: 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 - PROMETHEUS_EXPORTER_ENABLED: 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 - PROMETHEUS_EXPORTER_HOST: 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 - PROMETHEUS_EXPORTER_PORT: 
AgCr9vOm8uN44Z0dfuGbTamAHgqGOE2Ezxy7nPJvDFFqbdoscKBUH2pw8drH8HogObYi4C0ZT1V6rKHefPQhCey5gnXvz6J7YS3+Ujnc48GWb9vzCzhvae1wI8FMnWYi/TrdXzEjxn5flMDRfjZMcPgyqR78SKS8ZHPWnTb7zoWWy5BBBHlW/+SKOvQKGFW8N8PbrxdVSaYg+RxuSCty0Jn9VFz049IWviAy1ELEhuUN7gYEbgQC7eAkRSwOVpecMN1xv6ungwVvwmfuHwGq92kzKRk3WQ4zMem3q1iWiJwKxq0+8mRP8D4rrDRXVZOit4BbQxn2ONXFChHlTBTIpjEy8wzzCp9c5OBXncuRcp1X6y/fjiOYoNMLW1GkxMHOGTTPFNsfSdNRinSm/jSL9ZbPDCyeRDgzSH3UM1/iDizTwnN+wPfUZDtwCfIGABVOANe+ZjyUC8dlwJL8yt5njboXaD6SQLQuuzDHTzCaA6uOVnJZPf+bDTvlhAmlhN9pN6jOxW5yAR/+PKPV+jtibk5vx0V0FApEZ2QVuZOdm6DSoFuR+lCl2/aSpYHcaLp5HrLS0s1ZTUl2H0Z/f+j10Nln0YbcPxM/Enf0j8It8UD/MM1UjzKg/fLauSyXHjp6XiSWuRkUhY/HcGvQpfeDtG0lz0eLuaReka+q1qAPVC1baU3sMkHaOM5FJZyzB2G7W3OPatJ0 - RAILS_CACHE_DB: 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 - RAILS_ENV: 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 - RAILS_JOB_QUEUE_DB: 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 - RAILS_LOG_TO_STDOUT: AgATuWb+tAquSu/TObeOk8NGsN634uhSNQYHiTJVTEoSGmeL4DhNWbz3J1OyfxBJtCvyrfeP0TurMyOCmbjjLvk96egsnbLaq8u7oxY/xB1jiutDyMk8oHe102rXD1CSadEvIXRGuXDVen5TjWFS+Esoqxf1w6LsNU69L4OsQ2ngny1p9i//cEcDRgI4XaLVNLp0hWW0EVe0QP3he1oQsBdOgkD9wsEU8IonNOm1qlJLZKG5aUDk/k4i+6d5ZA7tt3lew6DzSaLGsihQfjvta48DgdWpcQBvsllseYhye76+pKkyzxHagvLBIBZycQnivLUUHTEubSkjx0jFTz6N9Rp5uBx4pGbsKjJAdqw6Tu700a/E7LilLyjQZDtII9I3fbjrmKjHVd5jYcCekRiH0vMZBRWtNGlpOS2iwZ8PaBi3ayHweMav/qqlmyW2r13ytLSeHa84iBAsSzrBISIdsniyq8plnEC3b/GWqvaFuT2uZYPssl6TSz7S2niQgQgh6w5Hc9n7HEZAfsWT46ZIEbrV82izflF2MZw3ooszI54rzh8nxEX/z1aYicDDG+TppwvDtTCHnvOq0zWEUGIyG5vmpNvNn9gpjRjADRxGrhReKY8tTKrMpQgSVu31hmkANqoO4pWQFjVw0NnCIQzUbQRjSYhBgELfHc2y3oXjBiqRApo4Kqe49buRQMDKHxSGHp4Fdqh6 - REDIS_URL: 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 - SECRET_KEY_BASE: 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 - SSL_CERT_FILE: 
AgCrIcJletglahf4P45Ej979O4Y/vOHEl/no6o5JI8uHQIjdXNgB0dTDvALDaQqLHavkr3SG5HKvKsQcjfNJnPxxrQA+m/9qSYr8nPJ5SD1Up+17OGS2tTsa/bm2v9F1+JmF19nSbob2+/I51bvsS0UcxESmF4o7fv8HZ3EuaNtrhpcilXJiyEtc4pSvpfTp7iHpNOh0JzZ54N4tprAV2bME+FD5KFEVE687cSXPtwMY+nF8ozPw70aeLgZzNoHkiAdKA9xQ8j6UZd5Kh+EusHE8TLMUtcc8Hq0msU22ogR2IvDqyTSNmk7bFVnHd8rbE8kkPyXud0Pqb7e0n93a1OnhE0y44h0lT2JEWbTa8Nz/mQznFA+qo6GKCapEwHEEVt8CFvzPsRS/DUpyhdQMTTgpjXPQL4/MFVjSnxx+UlcbI+7l9IUedBHbpruqWv0WuVHFKdJEUlBpd28ARCOUy7aAx5xazpV8TWusc2w2tUB8Ou82LYlJojK2JKLB8N+BjUsT8na/vBoqGw3YmVIRnddM2QNd7F6XpGDu5n4+GGYFHVU6FhLWFowLglglbjADMigsS8NsMnQCGlLf8z80Ql2uHtMv//Go02IY2LE75txWocTQ4U/wNrw9FCcWmWtHsuekDHY/pnVNNK8hNA+H0DC527YeSeYCG56lKz/caASXCTmvlx4Bs376G+gnt9lZZPb9WItIxZEN9yERrzG7uGTR8EOjUNhkKgXH9Rn7eQ== - STORE_GEODATA: 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 - TIME_ZONE: 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 + APPLICATION_HOSTS: 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 + APPLICATION_PROTOCOL: AgCNOrDrny8ynyDUn3RYGK6zfYrsWsOsAHxf6oNUonYwsj4FqoIqkY2lab5DhDb/Pr+k5uH39UzM6uD4HhRIflMgQxBlfyI7wsrC7yHMWY3qqu+e8UsuDdPDEKMwk/syIsHwiH6XkXK4vgprce/D7E6V0PjesSMhkP8rQMnkHxHhc4QydJo5/3mnQK+IT06e8z30+TgL88SxM5OHCJ2LaVIRZJJi+4xFPaYKAaCqb9vPjIfQmOAkhPquQWmiS6l/AY7x3nrIlXMcdr/RNSAfefb1oF4RhJ8CJ6Mimq4TkEeDP3BmFXLS/zZQzZclU3uaC7UtPxnFHijGwzXk7y6waf4wrF/5xpJ+j3pAgo6cRs4qcRyGz9/6ldq/rQxzcBS2bxVcBWHjt+1HrfgU40dwRkWRj0Xo+HAUjLjynh2VosL+qKLDIc3HmBzs3/eTiHHUMHpEiuVUHmmqVj9JLrv/1kC5QYwzrqew45WGMp6e3Imqq3WAznQgoDTYNC6ceihZB5NUYa2WlSbKK00792Wq6sZHCzFAteSk5loNcXT6vZRwEGfgWByOjDxhMJ60r80zl94b6Ml4aF1os2CVtN9Nj0SMq+wA9rupkN3rixUZX+Lik1fth2HJZCyN8XcRgP8WJdbGs/FD0AE2+B9JQUJxBM9UtNEN8wyB4YsjRc+WD8pL0n3G2aa+bqW3L4OjnU1t1Szy9DV5 + DATABASE_HOST: 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 + DATABASE_NAME: 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 + DATABASE_PASSWORD: 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 + DATABASE_PORT: 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 + 
DATABASE_USERNAME: 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 + MIN_MINUTES_SPENT_IN_CITY: 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 + PROMETHEUS_EXPORTER_ENABLED: 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 + PROMETHEUS_EXPORTER_HOST: 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 + PROMETHEUS_EXPORTER_PORT: 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 + RAILS_CACHE_DB: 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 + RAILS_ENV: 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 + RAILS_JOB_QUEUE_DB: 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 + RAILS_LOG_TO_STDOUT: 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 + REDIS_URL: AgB1KrUNXt5NPEtxwAWmJ1tahGs91nwfs6KayXeM4nWGxmKU3yMuP/JWI/9Kue/YxbPLvkPUT0mT0hF8iG8qgl6h48f+A0afpxCgkkg1bwFCEQfaoIQUYhEy1Co6QWniSANUyFacyuw1Xop1qVzmdZGlm7fipQCehJQHaLMKyMDuLzSht0mTMl1nxMZGQd8dVvsXfmuE/SMcwp/OQUc7DEeZi0L3lD9i/tMHTSdhoh6neaDwijR2SRIhdhlTPoJVUM2MdbGjj0wS//mxqmw993qjcihdMdcW8WxQqY/XnISBELaRsoZR73Iu39j4RWSizGT24B2KOswJaNqK9UQKZlIeo/iuoSTvqFcC2YJasU1zg5hhMDDyVl8AsGWnTFdLIBN0dR7TVqdYXjGdLA9I5TrLxa6nAO7TpB1BBbIGAJXyAAa3CdKXiFzy/pBVVzyvO2/Phr6OtZikkgfnuCcb3AG1jT/cXMpHQFsvuTD1DLd2pL/YqIUX+s9WmvIKpqk8bITFWyH0RwIzBKr49D4hBivgbN+lbrBneYkIS8hZFJaiThwqhV+Gbv/ZKv6sML/CZzijRSydBACcNxJSajXkoGyAihOhZ18QPMWckqIvAuUu5P4KfPP0sR9BDU8OdYSQnzXVc/+JOBguHb1i0T4Bl/yTgXlMk7J7UUoT0Vm5Srp4OW0FevVTHwlwgNygnpfsBXAxAJN1TrYIO3VQspZkp3hEF9gr8qjzxc5H1EUw+A+sn3aFKgIiKowE6wwnCXD1NnUNkonszptBsC/67SBQLGfPv5i6U8ncJPvebEdhFfxe5T81IIzjNJh4+dSNNMrIV4aF8Zp+oMeSC1zPVtu2IyBdl8KnyN9muy6AXrEOF0tQqjE4wRQf + SECRET_KEY_BASE: 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 + SSL_CERT_FILE: 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 + STORE_GEODATA: 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 + TIME_ZONE: 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 template: metadata: creationTimestamp: null 
diff --git a/gitops/templates/dawarich/secrets/config.yaml.secret b/gitops/templates/dawarich/secrets/config.yaml.secret
index 51157f6..30ad2f9 100644
Binary files a/gitops/templates/dawarich/secrets/config.yaml.secret and b/gitops/templates/dawarich/secrets/config.yaml.secret differ
diff --git a/gitops/templates/event/secrets/surrealdb-credentials-sealed.yaml b/gitops/templates/event/secrets/surrealdb-credentials-sealed.yaml
index c38c2e4..400c007 100644
--- a/gitops/templates/event/secrets/surrealdb-credentials-sealed.yaml
+++ b/gitops/templates/event/secrets/surrealdb-credentials-sealed.yaml
@@ -7,8 +7,8 @@ metadata: namespace: event spec: encryptedData: - password: AgAqvR9Dm1dUozvXrCcqK7qJ8H1nZYlU6XukZqPKGRBdE/2Q3RclBo8pj1JurFmZUuCL5I/bCYRbkKUqFV7G4yr5mLxjL4KZg+fqnn+CRpeWmXQtHxfAoDi8M/cV+142lbKAQBFWcEUbY9hOUlm8WaRBgk6zAOyA2JDNZcRxA5kjzRaDPT8lMsz0GWljiLn/+VpwixhHDkqfza48/EOOaKTk5QzNrdFJjgkzGcJeCok+liv5NwighvNXpBBIpzFGSuGSbwhvJp8Cpfqd/dfPBxOZn/AwdVxGSsVWls2wkCtXfnRed5sHpf8WXgU8DzlDJCvIxQ+RsTD+roXmOC8nIc2zt0TU+nypL4gmJABu7f/IJ4kIIawt98ZDPp5ORrF4qls6l5S7LmQqCvkq0y1uhgSi6x7zGqVttfTFRAAAWFJshRfttTLfyncRN2BY1yleTVK8Fa97IBk6PsfLSwDqe2XvlWLeJEqufTSNZVN3YA25k0++009JloOBh45T/fLTrMh1FXakyy3SeuFu7yRpa7FN9yuwWooIzz9kLSXxfr3HnLfe8UOFtrsnyjC2uraHunobMJsyeoYb1Ozw+99/v/Ca+u5Zen30lgJoAWK9GNRBEcUkkKTFAEG4t9wQZIkF7mAuucjgP5XTsnsRNqo7ezCryO8zRkMyzg7l027hEXHA3sUKApRC9A8uv9V8BgA++7U+SBW9zX0KMwMdF5kYDEhbanzj8bKtF4ykxZge54V/kyfjb4qhCZ+KhjiveRit7UvuEIlNGXehuV9nfJYksM1+vu24/6uHYNFH1CBzRdO/Xw== - username: 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 + password: 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 + username: AgBkwrlMdcdGILYPet9O/mgW3J+a3e6LLx8iU2XrpaEyJduq+eNm5oc2074MDY8RHMQ/xXQy58sJJFj2zFCqixXYXjLzfn0bA73aUxtAJ7O44MXECmTXeG3TT4gK7HUPcpVzGpysam0h0GGj1kQ5hdDdcat4BgAkY2J+EVYt0ULRmdRHHl/sCR3HkBpjG45Mo10hWEbLc40Hs7M7glBnknYZ8fGydtHgUdW+sTsFNApzJt5u8EgxT0v3OW/n6XGk7TnNqwBjB9bow+x9LQNQPcWQAJUOjbqfU4/go1QP0DHbx70TZUiz2aZKjy8jAwf6ZWoYqXM4svJBRCdEcYYQV4Iog5tJ7siz4Hfi0O24/3hfZH2toAhtVewhpa4yaKzxuDgjhLnpK7WPUXZ6Kfrq4ZZPxMgmycPISpqAVUbrD2peZGWbClfOj+nxX1dIoPzu2COom/OBUOi0Evps0Y6Y8FqDZJUX9sg5Ye/W53hULkCBPiHOqDKWDxl1E+43218BI2EU2oOB0fJ5qJN+mHF2XZALOz+cp3T0SMoWopYUTfasoRr+a/HSrOTzVN24Lt+lJzs+KFFIC4x6MRbcPI8QEi7u480+HX8BL+YyKGVAzl3hPymBECH09pscfbVrBrDpWoam2tMcBdkBbVzQAqsfmid+zGJqI5x7sfXNerGQjwP5MUn5ngu8qAZjdh0WKw/Yy0Dfzd1EHSt3fhqg6Q== template: metadata: creationTimestamp: null 
diff --git a/gitops/templates/event/secrets/surrealdb-credentials.yaml.secret b/gitops/templates/event/secrets/surrealdb-credentials.yaml.secret index 53f7ff0..df7ecb7 100644 Binary files a/gitops/templates/event/secrets/surrealdb-credentials.yaml.secret and b/gitops/templates/event/secrets/surrealdb-credentials.yaml.secret differ diff --git a/gitops/templates/feedback-fusion/secrets/feedback-fusion-config-sealed.yaml b/gitops/templates/feedback-fusion/secrets/feedback-fusion-config-sealed.yaml index f657f43..a3ab8aa 100644 --- a/gitops/templates/feedback-fusion/secrets/feedback-fusion-config-sealed.yaml +++ b/gitops/templates/feedback-fusion/secrets/feedback-fusion-config-sealed.yaml @@ -7,7 +7,7 @@ metadata: namespace: feedback-fusion spec: encryptedData: - config.yaml: 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 + config.yaml: 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 template: metadata: creationTimestamp: null diff --git a/gitops/templates/feedback-fusion/secrets/feedback-fusion-config.yaml.secret b/gitops/templates/feedback-fusion/secrets/feedback-fusion-config.yaml.secret index a2b94bb..b82af5b 100644 Binary files a/gitops/templates/feedback-fusion/secrets/feedback-fusion-config.yaml.secret and b/gitops/templates/feedback-fusion/secrets/feedback-fusion-config.yaml.secret differ diff --git a/gitops/templates/feedback-fusion/secrets/feedback-fusion-dashboard-config-sealed.yaml b/gitops/templates/feedback-fusion/secrets/feedback-fusion-dashboard-config-sealed.yaml index f630e61..159a8a5 100644 --- a/gitops/templates/feedback-fusion/secrets/feedback-fusion-dashboard-config-sealed.yaml +++ b/gitops/templates/feedback-fusion/secrets/feedback-fusion-dashboard-config-sealed.yaml 
@@ -7,13 +7,13 @@ metadata: namespace: feedback-fusion spec: encryptedData: - NUXT_OIDC_PROVIDERS_OIDC_AUTHORIZATION_URL: AgDNMTG/afhyk2hH6bxFyD6/bAN8VcNrME4psvos1FWaISIk1QkK3H4l+EQZI5tnnHDBsxBiGvEZ/iOP3CNDmRvP2AIEux6afAzNWjUv9yXNQ3OQfyfgw0btBIbkiEhZgttwETv7Q5Lf7cHCVie/JV7Y2CisWYjgkYYrydgNTiy8QzKGdX8CUD9XL/fe4W1iwhemp2x+3da1WPzB+t3Sy0SHWWMKY9B8QWceEINHKiw1jhwpiPnYFvZL1N7NX3chtHSnyc/9EeAh24x9DfkjmRUq/NtEwPHDVMiAg8QbOpiHSK6IGAuy8ELJssOYh2m3EN9dxnvSsv4HwLs48CeqUIgaPeY8PEljT+TO0vx0NocIWeiMpqwAvUin6gJfNQzNZ7BVnw+DtNcBV68Nm2r374dnYKDeRlRMAOENyV4ZjJtQwjgXqyLGXb/wP2ECN31VzI/dNkh7KUamPWKOpTwfu1j63AfHdg5vd0NVmyoQXR6Jk9rZ4BKD6owzdyN1zS16oswpCmtpQAoqjAxuKnt22wUfn9e+5qNMS69rnmw1fd847LKtpbev0mOJ9BORmw/IAXkqL2da4iFQJwaOEWp1YFlvtrOgp4WcQ4M/NSQt+WwOpBKrMcLDp67YvaqieIsjKDpl8nEL5ekavbJyPwPQyEw8k+N7EfsXgInz/G7woM6Ua6fVixwaWYsyOGt+7Fqh3eUR2wQzuL4WzUIMMsg3mO3PgPYI3CFIk4QebMiObIVS6kajWHuuH0N0HHS/SDCiuw== - NUXT_OIDC_PROVIDERS_OIDC_CLIENT_ID: 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 - NUXT_OIDC_PROVIDERS_OIDC_CLIENT_SECRET: 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 - NUXT_OIDC_PROVIDERS_OIDC_OPEN_ID_CONFIGURATION: 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 - NUXT_OIDC_PROVIDERS_OIDC_REDIRECT_URI: 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 - NUXT_OIDC_PROVIDERS_OIDC_TOKEN_URL: 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 - NUXT_PUBLIC_FEEDBACK_FUSION_ENDPOINT: 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 + NUXT_OIDC_PROVIDERS_OIDC_AUTHORIZATION_URL: 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 + NUXT_OIDC_PROVIDERS_OIDC_CLIENT_ID: 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 + NUXT_OIDC_PROVIDERS_OIDC_CLIENT_SECRET: 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 + NUXT_OIDC_PROVIDERS_OIDC_OPEN_ID_CONFIGURATION: 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 + NUXT_OIDC_PROVIDERS_OIDC_REDIRECT_URI: 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 + NUXT_OIDC_PROVIDERS_OIDC_TOKEN_URL: 
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 + NUXT_PUBLIC_FEEDBACK_FUSION_ENDPOINT: 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 template: metadata: creationTimestamp: null diff --git a/gitops/templates/feedback-fusion/secrets/feedback-fusion-dashboard-config.yaml.secret b/gitops/templates/feedback-fusion/secrets/feedback-fusion-dashboard-config.yaml.secret index 21591c6..6869420 100644 Binary files a/gitops/templates/feedback-fusion/secrets/feedback-fusion-dashboard-config.yaml.secret and b/gitops/templates/feedback-fusion/secrets/feedback-fusion-dashboard-config.yaml.secret differ diff --git a/gitops/templates/forgejo-runner/secrets/forgejo-runner-token-sealed.yaml b/gitops/templates/forgejo-runner/secrets/forgejo-runner-token-sealed.yaml index dbbd9bc..ca7fd0c 100644 --- a/gitops/templates/forgejo-runner/secrets/forgejo-runner-token-sealed.yaml +++ b/gitops/templates/forgejo-runner/secrets/forgejo-runner-token-sealed.yaml 
@@ -7,7 +7,7 @@ metadata: namespace: forgejo spec: encryptedData: - token: AgCHOPr/gUSskoCDcDLJTKmwEqKDlcotB8Ts3dyDGsx2QCOUGfzxch6yLL6Fb+23WO8O6Crd98VWQnatUTzbTvznBXeJoosoRhXn4wV1wYWVUbRo6969AMav3ToF7tk3FXSSWYfZsLu6it0jMbWNhJpI+cGIal1K1A0Wq87nR3RKHBRdg7jX6bJn2uQyOvZ7NQv1CJRsVDIWSbaXxctC48iFr+3Z1y2pr3ECYwm4Tvb+x5tr2DlKr+B/STHc6xgZhoQfoDkj2jB/+r5W3YL15w8+LonFCxpgnfWaQAcnkWmI8iiy0fhotBfxIUQfk/vkr7OWToO1yBR+nWgp0IHBwvLrUi/QNDVzRkFdduX+m3QtpTPw09w1nHsWun5xY1Iyd0XY/ADhLH6oR4Af2mLzqeatP7b+la52Z4fXGgy8ys+Gvjux3O9MXI/73QhcoStrwqXGB2UJ/rRb3sJqMxs0QbjDf3XnHnKtLB2X4NrT5A5iO1eMxYVoqxMoYsRtZCoLvsOVTges+63wPS34kkadhj4UaQzO8F43ByP70j4bDVOeYbpiDTtgUt23I5rkSyt3YxhHRAITH3CbiHtuDaXwNeTyKmMYOZjSQvHADMqh1Je6fygs2+MnopiQ2vJo4OPl/ZQPnY4lSHCHCbV+EHRq32S5HwnQ2V5XZ3hm9tO3i6aKTRyGbkw3rwhjWA/6HQqjwhjVAVdpOnzKS6DhIC0AD8sjAiFN9y4Lvpi16RyjCH0xQa5dcjSKjmuf + token: AgAjjwY4BO0Im2jXRS0NjBBmIegsG3Wi0AxDXNDxcp5UE8mMDnOCwLloMomvyTyDuLZ80OMRfKntsmquYel2LLR61cZwLkQsFUMnZazLXEw3qyhnqachpo2db7Qo1VjUmaZvKH/J9u58s9G8ckOHLe4DAc6/1PQMvG6fGhIgt5C3UNwtYr4xxcyXi3uWnt8r0IZukSBbkf9NLcWA1e4KXdCzi0pNOs6GV6cHRoyi4Q/8WccXsBdomsUzv+DH6va+/2g1BzzjW1ZyTgM6l4gANzLhBsB0A7IrmCtqCreEIE6O4je77bRPK/r4YQZeWAyrH+V8cvjeC7D4NscMp2PDd6ieeUHdm82IroLr5RK5yrpU/Z5xjX5LX0Bf/wY3GHkC+JC5jmNx4Ps4r3qe2V8/e/qmD9CNPw9Wjkzt356Nwn/URj1SjtOVqMsinXeNoAR7gKhcKuGFWtCU1NiAVIyZ4DsHziK0o3yl1GrU/ZpUl2yEqEewmCRo7x5/uLKA6K1KI3VKqWei6A5oYZsYjZEUWD15i0dvc/BybeaYd7nQjHbkyfmw+uYst3GiURaYwbvP2JZkh2DGO98mnxVojrx1fhdSMfFA6K7S10Wg1v7cBjs/M7QecKy4fZczyDWWUfZwUvU4cEVUisE+xfgwi/5CZ66eUPZdNJSqM1mBlycG7ABXScTDRqzAKyHHTks9jWpsmE4a81Mk7m/0jzlSqpK7MUxiCpKXEspqRwTOmXgTdn8atjobjxoZOHzF template: metadata: creationTimestamp: null 
diff --git a/gitops/templates/forgejo-runner/secrets/forgejo-runner-token.yaml.secret b/gitops/templates/forgejo-runner/secrets/forgejo-runner-token.yaml.secret
index df138e6..7fdb4ae 100644
Binary files a/gitops/templates/forgejo-runner/secrets/forgejo-runner-token.yaml.secret and b/gitops/templates/forgejo-runner/secrets/forgejo-runner-token.yaml.secret differ