finleap-connect / monoskope

AuthN & AuthZ for Kubernetes multi-cluster, multi-cloud environments.

Home Page: https://monoskope.io

License: Apache License 2.0

Languages: Go 96.94%, Makefile 1.41%, Smarty 1.16%, Open Policy Agent 0.33%, Dockerfile 0.15%
Topics: kubernetes, monoskope, operation, cluster, authentication, eventsourcing, authorization, golang, multicluster, platform

Introduction

Monoskope (m8)


Monoskope (m8, read "mate") implements the management and operation of tenants, users and their roles in a Kubernetes multi-cluster environment. It serves the needs of the operators of the clusters as well as the needs of the developers using the cloud infrastructure those operators provide.

Documentation

See the installation guide to get started. Detailed documentation can be found in the /docs directory.

Acknowledgments

  • The implementation of CQRS/ES in Monoskope is not cloned, but inspired by looplab/eventhorizon, a CQRS/ES toolkit for Go.
  • The implementation of the RabbitMQ client is forked from wagslane/go-rabbitmq, a wrapper of streadway/amqp that provides reconnection logic.

Contributors

alesti, christianhuening, dependabot[bot], github-actions[bot], hanialshikh, jastbytes, kumandriy, lukasgr90, mdomke, ryus3ki

Issues

Purging of EventStore backups not fully implemented

Describe the bug
While backups work, the purging of old backups doesn't.

To Reproduce
Steps to reproduce the behavior:

  1. Set up backups for the EventStore with retention
  2. Watch that the backups pile up in S3 but never get purged

Expected behavior
Backups should be purged based on the set retention policy.

Additional context
Looking into it, the implementation is generally there, but one piece is missing here:

func runPurge(ctx context.Context, log logger.Logger, backupManger *eventstore.BackupManager) error {
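The report above describes a retention policy that is configured but never applied. The following is an added example (not Monoskope's code; the Backup, RetentionPolicy and BackupDeleter types and the memoryDeleter stand-in are assumptions made for this illustration) of the selection step such a purge needs: it drops backups older than the configured age but, as a safety floor, never deletes the newest MinKeep snapshots, so a mistyped retention value cannot leave the EventStore without any backup to restore from.

```go
package main

import (
	"context"
	"fmt"
	"sort"
	"time"
)

// Backup is one EventStore backup object as listed from the bucket.
// Constructed type for this example, not Monoskope's BackupManager API.
type Backup struct {
	Key       string
	Timestamp time.Time
}

// RetentionPolicy drops backups older than MaxAge but always keeps the MinKeep
// newest ones, so a misconfigured retention can never delete the last snapshot.
type RetentionPolicy struct {
	MaxAge  time.Duration
	MinKeep int
}

// BackupDeleter is the one operation the purge needs from the storage backend.
type BackupDeleter interface {
	Delete(ctx context.Context, key string) error
}

// SelectForPurge returns the keys that fall outside the policy, oldest first.
func SelectForPurge(backups []Backup, policy RetentionPolicy, now time.Time) []string {
	sorted := append([]Backup(nil), backups...)
	// newest first, so the MinKeep protection is a simple index check
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].Timestamp.After(sorted[j].Timestamp) })
	cutoff := now.Add(-policy.MaxAge)
	var purge []string
	for i, b := range sorted {
		if i < policy.MinKeep {
			continue // protected regardless of age
		}
		if b.Timestamp.Before(cutoff) {
			purge = append(purge, b.Key)
		}
	}
	// purge is newest first here; reverse it so the oldest backups go first
	for i, j := 0, len(purge)-1; i < j; i, j = i+1, j-1 {
		purge[i], purge[j] = purge[j], purge[i]
	}
	return purge
}

// RunPurge deletes every backup SelectForPurge picks and returns the keys it
// removed. It stops at the first error so a partial run is visible to the caller.
func RunPurge(ctx context.Context, deleter BackupDeleter, backups []Backup, policy RetentionPolicy, now time.Time) ([]string, error) {
	var deleted []string
	for _, key := range SelectForPurge(backups, policy, now) {
		if err := ctx.Err(); err != nil {
			return deleted, err
		}
		if err := deleter.Delete(ctx, key); err != nil {
			return deleted, fmt.Errorf("purging backup %q: %w", key, err)
		}
		deleted = append(deleted, key)
	}
	return deleted, nil
}

// memoryDeleter records deletions in place of an object store (constructed stand-in).
type memoryDeleter struct{ removed []string }

func (m *memoryDeleter) Delete(_ context.Context, key string) error {
	m.removed = append(m.removed, key)
	return nil
}

func main() {
	// constructed sample listing: four backups of varying age
	now := time.Date(2024, 1, 10, 0, 0, 0, 0, time.UTC)
	backups := []Backup{
		{Key: "eventstore-2023-12-11.tar", Timestamp: now.AddDate(0, 0, -30)},
		{Key: "eventstore-2024-01-02.tar", Timestamp: now.AddDate(0, 0, -8)},
		{Key: "eventstore-2024-01-08.tar", Timestamp: now.AddDate(0, 0, -2)},
		{Key: "eventstore-2024-01-09.tar", Timestamp: now.AddDate(0, 0, -1)},
	}
	policy := RetentionPolicy{MaxAge: 7 * 24 * time.Hour, MinKeep: 2}
	deleted, err := RunPurge(context.Background(), &memoryDeleter{}, backups, policy, now)
	fmt.Println("deleted:", deleted, "err:", err)
}
```

With a seven-day retention and MinKeep of 2, the two backups older than a week are removed and the two most recent are kept; raising MinKeep to 3 protects the 8-day-old backup as well. Purging oldest first means an interrupted run leaves the newest, most useful backups in place.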

[Feature]: Run only corresponding CI if related files were changed

Currently, whenever a pull request is opened, all CI actions run regardless of whether the targeted check is relevant.
For example, if only Go files were changed there is no need to run the Helm CI, and vice versa.

AC:

  • run only relevant CIs on changes
  • do it for M8 and monoctl

Backup / restore via monoctl

Currently the backup can only be configured via the Helm chart as a cronjob. Restoring works via the Helm chart too, but is not very convenient. As a proposal, it would be nice if an administrator could trigger a backup job from monoctl as well as restore a specific backup via monoctl.

AC:

  • Trigger a backup via monoctl backup create as system admin
    • either stored on the already configured S3 storage
    • or downloaded by monoctl directly once the backup is finished
  • Trigger a restore via monoctl backup restore as system admin
    • either from the backups listed via monoctl backup list, which shows which backups exist in S3
    • or by uploading a backup
  • Add documentation for this

Monoskope authentication screen doesn't close and it is counting negative seconds

Describe the bug
When running the monoctl create kubeconfig command, an authentication window is opened in the browser. Once the user is successfully authenticated there is a confirmation message. The tab doesn't close and the message saying "The window will be closed" counts down into negative seconds.

To Reproduce
Login with monoctl.

Expected behavior
Tab/Window should close after 10 seconds.

Vault Operator link goes to a private gitlab instance

Describe the bug
The Vault Operator (optional) link in the deployment doc does not resolve to a publicly available repository.

To Reproduce
Steps to reproduce the behavior:

  1. Go to 'docs/deployment/README.md'
  2. Click on 'vault-operator'
  3. Don't be logged into gitlab.figo.systems
  4. See the authentication prompt required to view the repository.

Expected behavior
I would expect the link to the repository to work.


Additional context
👋🏻

[Feature]: Add VPA definitions for all components

In newer clusters we can leverage VPA, and Monoskope's Helm chart should make it possible to activate this to make the best use of cloud resources.

AC:

  • VPAs defined for all components
  • Helm chart lets you control whether VPAs are rolled out or not

[Feature]: Merge monoctl repo into m8 repo

The split-repo situation makes development and testing harder than it should be. Even versioning is harder this way. To keep the versions of server and client aligned and to make development easier, I would merge both repos.

AC:

  • monoctl code merged into m8 repo
  • CI/CD properly configured
  • Adjusted where necessary because of module changes
  • monoctl repo archived and a note about the change added to its README

[Bug]: gateway and queryHandler work with different states in the test environment

Describe the bug
One example would be the admin user created manually for the gateway (see here) and its "duplicate" created by the commandHandler for the queryHandler after defining the SUPER_USERS environment variable (see here).

To Reproduce
Steps to reproduce the behavior:

  1. Try getting the admin user through the queryHandler server by its email and check its ID against the admin user defined in the gateway test environment (or see here).

Expected behavior
To follow the example, both IDs must match; in general, the state should be the same.


Kubeconfig based on ClusterAccess

After the relation between tenants and clusters has been introduced and authorization on the QueryHandler is present, we need to stop configuring every cluster for everyone when using monoctl create kubeconfig. Instead, only those clusters should be written to the user's kubeconfig which they actually have access to, with only the roles they actually hold within each cluster.

AC:

  • Update kubeconfig creation to only configure clusters the current user has access to
  • Only configure login with roles the user has within each cluster
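The two acceptance criteria above amount to a least-privilege rule for kubeconfig generation: emit a cluster entry only where a ClusterAccess grant exists for the requesting user, and one context per role the user actually holds there. The block below is an added example and not monoskope or monoctl code; the Cluster, ClusterAccess, Context and Kubeconfig types, and the "<cluster>-<role>" context naming, are assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"sort"
)

// Cluster is a cluster known to m8 (constructed type for this example).
type Cluster struct {
	Name   string
	Server string
}

// ClusterAccess grants one user one role in one cluster. It stands in for the
// ClusterAccess aggregate discussed in the issue; the field layout is an assumption.
type ClusterAccess struct {
	Cluster string
	User    string
	Role    string
}

// Context is one kubeconfig context: a cluster paired with a role-bound user entry.
type Context struct {
	Name    string
	Cluster string
	User    string
	Role    string
}

// Kubeconfig is the subset of a kubeconfig this example builds.
type Kubeconfig struct {
	Clusters []Cluster
	Contexts []Context
}

// BuildKubeconfig emits only the clusters the given user holds a grant for,
// with one context per (cluster, role) pair. Grants for other users, grants
// pointing at clusters m8 does not know, and duplicate grants are all dropped,
// so nothing reaches the kubeconfig that is not backed by a known grant.
func BuildKubeconfig(clusters []Cluster, grants []ClusterAccess, user string) Kubeconfig {
	byName := make(map[string]Cluster, len(clusters))
	for _, c := range clusters {
		byName[c.Name] = c
	}
	seenCluster := map[string]bool{}
	seenContext := map[string]bool{}
	var cfg Kubeconfig
	for _, g := range grants {
		if g.User != user {
			continue
		}
		c, ok := byName[g.Cluster]
		if !ok {
			continue // unknown cluster: never fabricate an entry from a dangling grant
		}
		if !seenCluster[c.Name] {
			seenCluster[c.Name] = true
			cfg.Clusters = append(cfg.Clusters, c)
		}
		name := fmt.Sprintf("%s-%s", c.Name, g.Role)
		if seenContext[name] {
			continue
		}
		seenContext[name] = true
		cfg.Contexts = append(cfg.Contexts, Context{
			Name:    name,
			Cluster: c.Name,
			User:    fmt.Sprintf("%s@%s", user, name), // one user entry per role, so a context can only carry that role
			Role:    g.Role,
		})
	}
	// deterministic output makes regenerated kubeconfigs diff cleanly
	sort.Slice(cfg.Clusters, func(i, j int) bool { return cfg.Clusters[i].Name < cfg.Clusters[j].Name })
	sort.Slice(cfg.Contexts, func(i, j int) bool { return cfg.Contexts[i].Name < cfg.Contexts[j].Name })
	return cfg
}

func main() {
	// constructed sample data: three clusters, grants for two users
	clusters := []Cluster{{"dev", "https://dev.example.invalid"}, {"prod", "https://prod.example.invalid"}, {"staging", "https://staging.example.invalid"}}
	grants := []ClusterAccess{
		{"dev", "alice@example.invalid", "admin"},
		{"dev", "alice@example.invalid", "oncall"},
		{"prod", "bob@example.invalid", "admin"},
		{"prod", "alice@example.invalid", "oncall"},
		{"dev", "alice@example.invalid", "admin"}, // duplicate grant
		{"archive", "alice@example.invalid", "admin"}, // cluster m8 does not know
	}
	cfg := BuildKubeconfig(clusters, grants, "alice@example.invalid")
	for _, ctx := range cfg.Contexts {
		fmt.Printf("%s -> cluster %s as %s (%s)\n", ctx.Name, ctx.Cluster, ctx.User, ctx.Role)
	}
}
```

For alice this yields the dev and prod clusters only (staging has no grant) and three contexts: dev-admin, dev-oncall and prod-oncall; bob's kubeconfig contains only prod with a single admin context. Binding the user entry to the role in its name keeps a context from being re-pointed at a role the grant never carried.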

Authorization via OPA

QueryHandler authorization is currently not available, but in the future what a user can query should definitely be tied to that user's roles. The decision was made to proceed with Open Policy Agent (OPA) to manage command/query authorization.

AC:

  • Gateway handles authorization via OPA
    • Command & Query get authorized by OPA
  • Deploy OPA & define policies and make them deployable via helm chart
  • Document with diagram and docs on how to set up

[Feature]: Refactoring of ClusterAccess to allow single user cluster access

We propose to change how cluster access works in general:

Currently there is an aggregate TenantClusterBinding which grants access, but that is very specific to tenants. I would prefer it if we could give a single user access to a cluster too, like a ClusterAccess which can point to a user, a tenant, or all users (to give all users access to a cluster).

AC:

  • Create a new Aggregate called ClusterAccess
  • Design this in a way that an admin can
    • give a single user access to a cluster
    • give a tenant access to a cluster
    • give all users access to a cluster (keep in mind that there are roles within a cluster, so there must be a role for this case part of the access too)

[Feature]: Manage Namespaces via Monoskope

We discovered that for the feature to really work out all RBACs, it has to know the namespaces that exist in the clusters. After a discussion we decided that namespaces should be managed by m8 too.

AC:

  • Namespaces manageable via monoctl
    • Create server API
    • Implement Aggregate/Projection/Query
    • add/edit labels and annotations
  • Tenant admins can create namespaces adhering to naming rules (prefixes) for their tenant
  • System admins can create namespaces with any name
  • Namespaces are connected to cluster(s) and a single tenant
  • The git repo reconciler creates namespace yamls too
  • The git repo reconciler creates rolebindings for tenant users in that namespace as needed, for example for app on-call

SCIM integration does not trim whitespaces leading to invalid kubeconfig namespace names

Describe the bug
On one occasion a user had a trailing whitespace in his last name field in OneLogin. This was apparently synchronized as is and led to a malformed namespace setting in a generated kubeconfig.

To Reproduce
Steps to reproduce the behavior:

  1. Set up Monoskope and OneLogin
  2. Configure the SCIM integration
  3. Create a user with trailing whitespaces in one of the name fields in OneLogin
  4. Attempt to create a kubeconfig for that user

Expected behavior
Leading and trailing whitespace in name fields is trimmed and ignored, leading to working kubeconfig generation.
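The bug above is a classic case of identity data from an external provider being trusted as-is: a single trailing space in a SCIM name attribute ends up in a derived Kubernetes identifier that has strict syntax rules. The following is an added example, not Monoskope's code, of the normalization a SCIM sync should apply before anything is derived from the name. The SCIMUser type and the "<first>-<last>" namespace scheme are assumptions made for this illustration; the RFC 1123 label rules the namespace must satisfy are Kubernetes' own.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Kubernetes namespace names are RFC 1123 labels: lowercase alphanumerics and
// '-', starting and ending with an alphanumeric, at most 63 characters.
const maxNamespaceLen = 63

var rfc1123Label = regexp.MustCompile(`^[a-z0-9]([-a-z0-9]*[a-z0-9])?$`)

// SCIMUser carries the name attributes synchronized from the IdP
// (constructed type for this example; not Monoskope's user model).
type SCIMUser struct {
	FirstName string
	LastName  string
}

// Normalize trims leading and trailing whitespace (including Unicode spaces such
// as NBSP) from every name field at the sync boundary, so a stray space in the IdP
// record never reaches anything derived from the name.
func (u SCIMUser) Normalize() SCIMUser {
	return SCIMUser{
		FirstName: strings.TrimSpace(u.FirstName),
		LastName:  strings.TrimSpace(u.LastName),
	}
}

// NamespaceName derives a valid namespace name from a user's name, assuming a
// "<first>-<last>" scheme. Every character outside [a-z0-9] becomes a single
// '-', leading/trailing dashes are dropped, the result is capped at 63 characters
// and then validated, so a malformed name is rejected rather than written out.
func NamespaceName(u SCIMUser) (string, error) {
	u = u.Normalize()
	raw := strings.ToLower(strings.TrimSpace(u.FirstName + " " + u.LastName))
	var b strings.Builder
	lastDash := true // starts true so no leading dash is ever written
	for _, r := range raw {
		switch {
		case r >= 'a' && r <= 'z', r >= '0' && r <= '9':
			b.WriteRune(r)
			lastDash = false
		default:
			if !lastDash {
				b.WriteByte('-')
				lastDash = true
			}
		}
	}
	name := strings.TrimRight(b.String(), "-")
	if len(name) > maxNamespaceLen {
		name = strings.TrimRight(name[:maxNamespaceLen], "-")
	}
	if name == "" {
		return "", errors.New("namespace name is empty after normalization")
	}
	if !rfc1123Label.MatchString(name) {
		return "", fmt.Errorf("%q is not a valid RFC 1123 label", name)
	}
	return name, nil
}

func main() {
	// constructed sample records, including the trailing-space case from the issue
	for _, u := range []SCIMUser{{"John", "Doe "}, {" Mary ", "O'Brien"}, {"", "   "}} {
		ns, err := NamespaceName(u)
		fmt.Printf("%q %q -> %q (err: %v)\n", u.FirstName, u.LastName, ns, err)
	}
}
```

"John" and "Doe " yield john-doe rather than a name with an embedded space; a record whose name fields are empty or whitespace-only is reported as an error instead of producing a namespace setting that kubectl would later reject. Applying Normalize at the SCIM boundary, rather than only in the kubeconfig generator, also keeps trimmed values out of every other projection built from the user record.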
