From 24ba37e10d39be67de746054ec1da09a722a532a Mon Sep 17 00:00:00 2001 From: Michael Moen Allport Date: Fri, 29 Nov 2024 12:27:19 +0100 Subject: [PATCH 01/21] NAIS deploy --- .github/.cruft.json | 17 ++ .github/labels.yml | 3 - .github/release-drafter.yml | 2 +- .github/workflows/build-deploy-app.yml | 104 +++++++++ .github/workflows/build-test.yml | 49 ++++ .github/workflows/build.yml | 100 --------- .github/workflows/deploy-to-nais.yml | 84 +++++++ .github/workflows/labeler.yml | 6 +- .../{release.yml => mvn-release.yml} | 72 +++--- .github/workflows/release-docker.yml | 71 ------ .github/workflows/release-drafter.yml | 1 + .nais/test/nais.yaml | 211 ++++++++++++++++++ pom.xml | 52 +++-- 13 files changed, 546 insertions(+), 226 deletions(-) create mode 100644 .github/.cruft.json create mode 100644 .github/workflows/build-deploy-app.yml create mode 100644 .github/workflows/build-test.yml delete mode 100644 .github/workflows/build.yml create mode 100644 .github/workflows/deploy-to-nais.yml rename .github/workflows/{release.yml => mvn-release.yml} (50%) delete mode 100644 .github/workflows/release-docker.yml create mode 100644 .nais/test/nais.yaml diff --git a/.github/.cruft.json b/.github/.cruft.json new file mode 100644 index 0000000..9788962 --- /dev/null +++ b/.github/.cruft.json @@ -0,0 +1,17 @@ +{ + "template": "https://github.com/statisticsnorway/cookiecutter-maven-build-deploy", + "commit": "fa739ee448b267b18bae8fe8a8e980cd9bd301fb", + "checkout": null, + "context": { + "cookiecutter": { + "repo_name": "dapla-dlp-pseudo-service", + "team_uniform_name": "dapla-stat", + "program_type": "APPLICATION", + "java_version": "21", + "default_branch_name": "master", + "__gha_folder_name": ".github", + "_template": "https://github.com/statisticsnorway/cookiecutter-maven-build-deploy" + } + }, + "directory": null +} diff --git a/.github/labels.yml b/.github/labels.yml index 82bb9b9..09becdd 100644 --- a/.github/labels.yml +++ b/.github/labels.yml 
@@ -43,9 +43,6 @@ - name: performance description: Performance color: "016175" -- name: python - description: Pull requests that update Python code - color: 2b67c6 - name: question description: Further information is requested color: d876e3 diff --git a/.github/release-drafter.yml b/.github/release-drafter.yml index f86c79d..439d747 100644 --- a/.github/release-drafter.yml +++ b/.github/release-drafter.yml @@ -56,4 +56,4 @@ autolabeler: template: | ## Changes - $CHANGES + $CHANGES \ No newline at end of file diff --git a/.github/workflows/build-deploy-app.yml b/.github/workflows/build-deploy-app.yml new file mode 100644 index 0000000..21d8464 --- /dev/null +++ b/.github/workflows/build-deploy-app.yml 
@@ -0,0 +1,104 @@ +on: + release: + types: [ published ] + push: + branches: + - master + paths-ignore: + - "**/*.md" + - "Makefile" + - ".mvn" + - ".gitignore" + +jobs: + build-push: + name: Build and push to registries + # If triggering event is release, the commits on 'master' should build + # the image + runs-on: ubuntu-latest + permissions: + contents: read + id-token: write + + outputs: + nais-tag: ${{steps.nais-deploy-vars.outputs.nais_tag}} + nais-cluster: ${{steps.nais-deploy-vars.outputs.cluster}} + nais-config-path: ${{steps.nais-deploy-vars.outputs.nais_config_path}} + + steps: + - uses: actions/checkout@v4 + + - name: Set up JDK 21 + uses: actions/setup-java@v4 + with: + java-version: 21 + distribution: temurin + cache: maven + + - name: Authenticate to Google Cloud + id: auth + uses: google-github-actions/auth@v2 + with: + workload_identity_provider: "projects/${{secrets.GAR_PROJECT_NUMBER}}/locations/global/workloadIdentityPools/gh-actions/providers/gh-actions" + service_account: "gh-actions-dapla-stat@${{secrets.GAR_PROJECT_ID}}.iam.gserviceaccount.com" + token_format: access_token + + - name: Login to Artifact Registry + uses: docker/login-action@v3 + with: + registry: europe-north1-docker.pkg.dev/${{ secrets.NAIS_MANAGEMENT_PROJECT_ID }} + username: "oauth2accesstoken" + password: "${{ steps.auth.outputs.access_token }}" + + - name: Maven build and install + run: | + if [[ ${{github.event_name}} == "push" ]]; then + mvn --batch-mode -P dapla-artifact-registry deploy + else + mvn --batch-mode clean package + fi + + - name: Add optional extra tag + id: version-tag + run: | + if [ ${{ github.event_name }} == "release" ]; then + RELEASE_VERSION=${GITHUB_REF#refs/*/} + echo "version_tag=v${RELEASE_VERSION}" >> "$GITHUB_OUTPUT" + fi + + - name: Build and push image to NAIS Artifact Repository + uses: nais/docker-build-push@v0 + id: docker-push + with: + team: dapla-stat + tag: ${{ steps.version-tag.outputs.version_tag }} # Empty if not triggered by 
release + pull: false + project_id: ${{ secrets.NAIS_MANAGEMENT_PROJECT_ID }} + identity_provider: ${{ secrets.NAIS_WORKLOAD_IDENTITY_PROVIDER }} + byosbom: target/bom.json + + - name: Generate image tags + id: nais-deploy-vars + run: | + if [[ ${{github.event_name}} == "release" ]]; then + echo "nais_tag=${{ steps.version-tag.outputs.version_tag }}" >> "$GITHUB_OUTPUT" + echo "cluster=prod" >> "$GITHUB_OUTPUT" + echo "nais_config_path=.nais/prod/nais.yaml" >> "$GITHUB_OUTPUT" + else + echo "nais_tag=${{ steps.docker-push.outputs.tag }}" >> "$GITHUB_OUTPUT" + echo "cluster=test" >> "$GITHUB_OUTPUT" + echo "nais_config_path=.nais/test/nais.yaml" >> "$GITHUB_OUTPUT" + fi + + deploy: + name: Deploy to NAIS + needs: build-push + uses: ./.github/workflows/deploy-to-nais.yml + with: + registry: europe-north1-docker.pkg.dev + repository: dapla-stat + image-name: pseudo-service + image-tag: ${{ needs.build-push.outputs.nais-tag }} + cluster: ${{needs.build-push.outputs.nais-cluster}} + nais-config-path: ${{needs.build-push.outputs.nais-config-path}} + secrets: inherit \ No newline at end of file diff --git a/.github/workflows/build-test.yml b/.github/workflows/build-test.yml new file mode 100644 index 0000000..44911af --- /dev/null +++ b/.github/workflows/build-test.yml 
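Review bot: The release branch of the `Generate image tags` step writes `nais_config_path=.nais/prod/nais.yaml`, but this commit only creates `.nais/test/nais.yaml` (see the diffstat), so a release-triggered run would presumably build and push the image and then fail in the `deploy` job on a missing resource file. Either add the prod manifest in the same commit or make the failure explicit before any outputs are written, e.g. `test -f .nais/prod/nais.yaml || { echo "missing prod manifest" >&2; exit 1; }` inside that branch. The workflow also has no top-level `name:`, and `java-version: 21` is an unquoted integer where `"21"` is the safer form; both apply to build-test.yml as well.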
@@ -0,0 +1,49 @@ +on: + pull_request: + branches: + - master + paths-ignore: + - "**/*.md" + - "Makefile" + - ".mvn" + - ".gitignore" + +env: + DAPLA_REGISTRY: europe-north1-docker.pkg.dev/${{secrets.GAR_PROJECT_ID}}/dapla-stat-docker + +jobs: + build-test: + name: Build and test with Maven + if: ${{github.event_name == 'pull_request'}} + runs-on: ubuntu-latest + permissions: + contents: read + id-token: write + + steps: + - uses: actions/checkout@v4 + + - name: Set up JDK 21 + uses: actions/setup-java@v4 + with: + java-version: 21 + distribution: temurin + cache: maven + + - name: Authenticate to Google Cloud + id: auth + uses: google-github-actions/auth@v2 + with: + workload_identity_provider: "projects/${{secrets.GAR_PROJECT_NUMBER}}/locations/global/workloadIdentityPools/gh-actions/providers/gh-actions" + service_account: "gh-actions-dapla-stat@${{secrets.GAR_PROJECT_ID}}.iam.gserviceaccount.com" + token_format: access_token + + - name: Login to Artifact Registry + uses: docker/login-action@v3 + with: + registry: ${{ env.DAPLA_REGISTRY }} + username: "oauth2accesstoken" + password: "${{ steps.auth.outputs.access_token }}" + + - name: Maven build and install + run: mvn --batch-mode clean install diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml deleted file mode 100644 index 9f3b66f..0000000 --- a/.github/workflows/build.yml +++ /dev/null 
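Review bot: The `Authenticate to Google Cloud` and `Login to Artifact Registry` steps mint an access token and log Docker into the registry in a pull-request workflow whose only build step is `mvn --batch-mode clean install`, which pushes nothing; unless dependency resolution or tests pull from `DAPLA_REGISTRY` (not visible here), both steps can be dropped so PR builds run without `id-token: write` and registry credentials. The `if: ${{github.event_name == 'pull_request'}}` on the job is redundant because `pull_request` is the workflow's only trigger. Pull requests from forks receive no secrets, so the auth step would fail for them; if fork PRs are expected, guard the two steps with `if: github.event.pull_request.head.repo.full_name == github.repository` rather than letting the whole build fail.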
@@ -1,100 +0,0 @@ -name: Build - -on: - push: - branches: - - master - paths: - - .github/** - - src/** - - conf/** - - Dockerfile - - pom.xml - pull_request: - branches: - - master - paths: - - .github/** - - src/** - - conf/** - - Dockerfile - - pom.xml - -env: - REGISTRY: europe-north1-docker.pkg.dev/artifact-registry-5n/dapla-pseudo-docker/ssb/dapla - IMAGE: dapla-dlp-pseudo-service - TAG: ${{ github.ref_name }}-${{ github.sha }} - -jobs: - build: - runs-on: ubuntu-latest - permissions: - contents: read - id-token: write - - steps: - - uses: actions/checkout@v4 - - - name: Set up JDK 21 - uses: actions/setup-java@v3 - with: - java-version: 21 - distribution: zulu - cache: maven - - - name: Authenticate to Google Cloud - id: auth - uses: google-github-actions/auth@v1.1.1 - with: - workload_identity_provider: "projects/848539402404/locations/global/workloadIdentityPools/gh-actions/providers/gh-actions" - service_account: "gh-actions-dapla-pseudo@artifact-registry-5n.iam.gserviceaccount.com" - token_format: access_token - - - name: Build with Maven and deploy to Artifact Registry - run: mvn --batch-mode -P ssb-bip deploy - - - name: Clean up artifacts that are no longer needed - run: | - rm -f target/dapla-dlp-pseudo-service-*-sources.jar - rm -f target/dapla-dlp-pseudo-service-*-javadoc.jar - ls -al target/dapla-dlp-pseudo-service-*.jar - - - name: Set up Docker Buildx - id: buildx - uses: docker/setup-buildx-action@v2 - - - name: Login to Artifact Registry - uses: docker/login-action@v2 - with: - registry: ${{ env.REGISTRY }} - username: "oauth2accesstoken" - password: "${{ steps.auth.outputs.access_token }}" - - - name: Docker meta - id: metadata - uses: docker/metadata-action@v5 - with: - images: ${{ env.REGISTRY }}/${{ env.IMAGE }} - # Docker tags based on the following events/attributes - tags: | - type=ref,event=branch - type=ref,event=pr,suffix=-${{ github.event.pull_request.head.sha }} - type=raw,value=latest,enable={{is_default_branch}} - 
type=raw,value={{branch}}-{{sha}}-{{date 'YYYYMMDDHHmmss'}},enable={{is_default_branch}} - type=semver,pattern=v{{version}} - type=semver,pattern=v{{major}}.{{minor}} - type=semver,pattern=v{{major}} - - - name: Build and push - id: docker_build - uses: docker/build-push-action@v4 - with: - file: Dockerfile - push: true - context: . - tags: | - ${{ steps.metadata.outputs.tags }} - labels: ${{ steps.metadata.outputs.labels }} - - - name: Image digest - run: echo ${{ steps.docker_build.outputs.digest }} diff --git a/.github/workflows/deploy-to-nais.yml b/.github/workflows/deploy-to-nais.yml new file mode 100644 index 0000000..5c8d8d2 --- /dev/null +++ b/.github/workflows/deploy-to-nais.yml 
@@ -0,0 +1,84 @@ +name: Deploy to NAIS + +on: + workflow_dispatch: + inputs: + registry: + description: Registry, for example "europe-north1-docker.pkg.dev" + required: true + type: string + repository: + description: Registry repository + required: true + type: string + image-name: + description: Image name + required: true + type: string + image-tag: + description: Tag for the image + required: true + type: string + cluster: + description: NAIS cluster environment + required: true + type: string + nais-config-path: + description: Path to the NAIS configuration file + required: true + type: string + ref: + description: Commit reference of the deployment + required: false + default: master + type: string + + workflow_call: + inputs: + registry: + description: Registry, for example "europe-north1-docker.pkg.dev" + required: true + type: string + repository: + description: Registry repository + required: true + type: string + image-name: + description: Image name + required: true + type: string + image-tag: + description: Tag for the image + required: true + type: string + cluster: + description: NAIS cluster environment + required: true + type: string + nais-config-path: + description: Path to the NAIS configuration file + required: true + type: string + ref: + description: Commit reference of the deployment + required: false + default: master + type: string + +jobs: + deploy: + name: Deploy to NAIS cluster + runs-on: ubuntu-latest + permissions: + contents: "read" + id-token: "write" + steps: + - uses: actions/checkout@v4 + + - uses: nais/deploy/actions/deploy@v2 + env: + CLUSTER: ${{ inputs.cluster }} + RESOURCE: ${{ inputs.nais-config-path }} + VAR: image=${{ inputs.registry }}/${{ secrets.NAIS_MANAGEMENT_PROJECT_ID }}/${{ inputs.repository }}/${{ inputs.image-name }}:${{ inputs.image-tag }} + DEPLOY_SERVER: deploy.ssb.cloud.nais.io:443 + REF: ${{ inputs.ref }} \ No newline at end of file 
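Review bot: The `cluster` input of the `workflow_dispatch` trigger is a free-form string, so a manual run can target any cluster name with any `image-tag`; constraining it with `type: choice` and `options: [test, prod]` limits manual deploys to the environments the repository has manifests for. The `ref` input defaults to `master` and the caller in build-deploy-app.yml never passes it, so the reference handed to `nais/deploy` presumably points at the branch head rather than the commit that was actually built; passing `ref: ${{ github.sha }}` from the caller avoids that. The `workflow_dispatch` and `workflow_call` input blocks are exact duplicates, which GitHub's YAML requires, but a comment such as `# Keep in sync with workflow_call.inputs below` on the first block would prevent drift.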
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml index 19d5246..7985cc2 100644 --- a/.github/workflows/labeler.yml +++ b/.github/workflows/labeler.yml @@ -10,10 +10,10 @@ jobs: runs-on: ubuntu-latest steps: - name: Check out the repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 # Reads labels from .github/labels.yml - name: Run Labeler - uses: crazy-max/ghaction-github-labeler@v4 + uses: crazy-max/ghaction-github-labeler@v5 with: - skip-delete: true + skip-delete: true \ No newline at end of file diff --git a/.github/workflows/release.yml b/.github/workflows/mvn-release.yml similarity index 50% rename from .github/workflows/release.yml rename to .github/workflows/mvn-release.yml index 6f352fb..a94156d 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/mvn-release.yml 
@@ -8,77 +8,85 @@ on: jobs: release: runs-on: ubuntu-latest + # Do not run workflow if the triggering commit created the 'release' branch + if: ${{github.event.created}} == false permissions: contents: write id-token: write packages: write steps: - - uses: actions/create-github-app-token@v1 + - name: Create DaplaBot app token + uses: actions/create-github-app-token@v1 id: app-token with: app-id: ${{ secrets.DAPLA_BOT_APP_ID }} private-key: ${{ secrets.DAPLA_BOT_PRIVATE_KEY }} - - - uses: actions/checkout@v3 + + - uses: actions/checkout@v4 with: token: ${{ steps.app-token.outputs.token }} ref: refs/heads/master - name: Set up JDK 21 - uses: actions/setup-java@v3 + uses: actions/setup-java@v4 with: java-version: 21 - distribution: zulu - server-id: github + distribution: temurin + cache: maven + overwrite-settings: false - name: Authenticate to Google Cloud id: auth - uses: google-github-actions/auth@v1.1.1 + uses: google-github-actions/auth@v2 with: - workload_identity_provider: "projects/848539402404/locations/global/workloadIdentityPools/gh-actions/providers/gh-actions" - service_account: "gh-actions-dapla-pseudo@artifact-registry-5n.iam.gserviceaccount.com" + workload_identity_provider: "projects/${{secrets.GAR_PROJECT_NUMBER}}/locations/global/workloadIdentityPools/gh-actions/providers/gh-actions" + service_account: "gh-actions-dapla-stat@${{secrets.GAR_PROJECT_ID}}.iam.gserviceaccount.com" token_format: access_token - - name: Cache Maven packages - uses: actions/cache@v3 - with: - path: ~/.m2 - key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }} - restore-keys: ${{ runner.os }}-m2 + - name: Get bot variables + id: get-bot-vars + run: | + bot_name="dapla-bot" + bot_id=$(curl -s https://api.github.com/users/${bot_name}%5Bbot%5D | jq '.id') + bot_email="${dapla_bot_id}+${bot_name}[bot]@users.noreply.github.com" + echo "bot_name=${bot_name}[bot]" >> $GITHUB_OUTPUT + echo "bot_email=${bot_email}" >> $GITHUB_OUTPUT + - name: Configure Git user run: | - git config 
user.name "dapla-bot[bot]" - git config user.email "143391972+dapla-bot[bot]@users.noreply.github.com" + git config user.email ${{steps.get-bot-vars.outputs.bot_email}} + git config user.name ${{steps.get-bot-vars.outputs.bot_name}} - name: Setup Maven authentication to GitHub packages - uses: s4u/maven-settings-action@v2.8.0 - id: maven_settings + uses: s4u/maven-settings-action@v3.0.0 with: - servers: '[{"id": "github","configuration": {"httpHeaders": {"property": {"name": "Authorization","value": "Bearer ${{ secrets.GITHUB_TOKEN }}"}}}}]' - + override: true + githubServer: false + servers: >- + [{"id": "github","username": "${{steps.get-bot-vars.outputs.bot_email}}","password": "${{steps.app-token.outputs.token}}", + "configuration": {"httpHeaders": {"property": {"name": "Authorization","value": "Bearer ${{ secrets.GITHUB_TOKEN }}"}}}}] + - name: Maven release and deploy to GitHub packages - id: release_jar - env: - GITHUB_TOKEN: ${{ steps.app-token.outputs.token }} + id: release-artifact run: | # Get the release version from the pom.xml before the next snapshot increment VERSION=$(mvn help:evaluate -Dexpression=project.version -q -DforceStdout | sed "s/-SNAPSHOT//") echo "version=${VERSION}" >> $GITHUB_OUTPUT # Perform the release/deploy and increment the version to the next snapshot - mvn --batch-mode release:prepare -Darguments="-Dmaven.deploy.skip=true -DskipTests" + mvn --batch-mode release:prepare -P github -Darguments="-Dmaven.test.skip=true -Dmaven.deploy.skip=true" mvn --batch-mode release:perform TAG=$(git describe --abbrev=0 --tags) echo "tag=${TAG}" >> $GITHUB_OUTPUT - + - name: Create GitHub release draft - uses: release-drafter/release-drafter@v5 - id: create_github_release + uses: release-drafter/release-drafter@v6 + id: create-github-release env: GITHUB_TOKEN: ${{ steps.app-token.outputs.token }} with: - tag: ${{ steps.release_jar.outputs.tag }} + tag: ${{ steps.release-artifact.outputs.tag }} - name: Upload assets to GitHub release draft env: 
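Review bot: The new job condition `if: ${{github.event.created}} == false` does not implement the comment above it: only the `${{ }}` part is evaluated, leaving a non-empty string such as `true == false`, which is treated as truthy, so the job appears to run in both cases; write `if: ${{ github.event.created == false }}`. In the `Get bot variables` step `bot_email` interpolates `${dapla_bot_id}`, which is never assigned (the curl result goes into `bot_id`), so the address becomes `+dapla-bot[bot]@users.noreply.github.com`; use `bot_email="${bot_id}+${bot_name}[bot]@users.noreply.github.com"` and run the lookup with `curl -sf` so an unauthenticated rate-limit response fails the step instead of yielding `null`. The two `git config` lines should quote their values, since `dapla-bot[bot]` is a shell glob pattern. The `servers` JSON now supplies the app token as password and `Bearer ${{ secrets.GITHUB_TOKEN }}` as an explicit header for the same server id; which credential Maven ends up presenting is not obvious from here and deserves a comment.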
@@ -86,10 +94,10 @@ jobs: run: | ARTIFACT_ID=$(mvn help:evaluate -Dexpression=project.artifactId -q -DforceStdout) # Get all files matching the artifact id and version (source, javadoc, etc.) - ARTIFACT_GLOB=(./target/$ARTIFACT_ID-${{ steps.release_jar.outputs.version }}*.jar) + ARTIFACT_GLOB=(./target/$ARTIFACT_ID-${{ steps.release-artifact.outputs.version }}*.jar) for file in "${ARTIFACT_GLOB[@]}"; do echo "Uploading $file" - gh release upload ${{ steps.create_github_release.outputs.tag_name }} $file + gh release upload ${{ steps.create-github-release.outputs.tag_name }} $file done - name: Publish GitHub release @@ -97,4 +105,4 @@ jobs: env: GITHUB_TOKEN: ${{ steps.app-token.outputs.token }} with: - release_id: ${{ steps.create_github_release.outputs.id }} \ No newline at end of file + release_id: ${{ steps.create-github-release.outputs.id }} \ No newline at end of file diff --git a/.github/workflows/release-docker.yml b/.github/workflows/release-docker.yml deleted file mode 100644 index c49ad88..0000000 --- a/.github/workflows/release-docker.yml +++ /dev/null 
@@ -1,71 +0,0 @@ -name: Release docker image - -on: - release: - types: [ published ] - -env: - REGISTRY: europe-north1-docker.pkg.dev/artifact-registry-5n/dapla-pseudo-docker/ssb/dapla - IMAGE: dapla-dlp-pseudo-service - -jobs: - release-docker: - runs-on: ubuntu-latest - permissions: - contents: read - id-token: write - - steps: - - uses: actions/checkout@v4 - - - name: Authenticate to Google Cloud - id: auth - uses: google-github-actions/auth@v1.1.1 - with: - workload_identity_provider: "projects/848539402404/locations/global/workloadIdentityPools/gh-actions/providers/gh-actions" - service_account: "gh-actions-dapla-pseudo@artifact-registry-5n.iam.gserviceaccount.com" - token_format: access_token - - - name: Login to Artifact Registry - uses: docker/login-action@v2 - with: - registry: ${{ env.REGISTRY }} - username: "oauth2accesstoken" - password: "${{ steps.auth.outputs.access_token }}" - - - name: Docker meta - id: metadata - uses: docker/metadata-action@v5 - with: - images: ${{ env.REGISTRY }}/${{ env.IMAGE }} - # Docker tags based on the following events/attributes - tags: | - type=ref,event=branch - type=ref,event=pr,suffix=-${{ github.event.pull_request.head.sha }} - type=raw,value=latest,enable={{is_default_branch}} - type=raw,value={{branch}}-{{sha}},enable={{is_default_branch}} - type=semver,pattern=v{{version}} - type=semver,pattern=v{{major}}.{{minor}} - type=semver,pattern=v{{major}} - - - name: Download Java asset - env: - GH_TOKEN: ${{ github.token }} - run: | - mkdir -p target - # Download just the jar file (no javadoc or sources) - gh release download -p "*${{ github.event.release.tag_name }}.jar" -D target - - - name: Build and push - id: docker_build - uses: docker/build-push-action@v4 - with: - file: Dockerfile - push: true - context: . - tags: | - ${{ steps.metadata.outputs.tags }} - labels: ${{ steps.metadata.outputs.labels }} - - - name: Image digest - run: echo ${{ steps.docker_build.outputs.digest }} \ No newline at end of file 
diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml index 5dea360..7a9f414 100644 --- a/.github/workflows/release-drafter.yml +++ b/.github/workflows/release-drafter.yml @@ -25,6 +25,7 @@ jobs: runs-on: ubuntu-latest steps: # Draft the next Release notes as Pull Requests are merged into main + - uses: release-drafter/release-drafter@v5 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} \ No newline at end of file diff --git a/.nais/test/nais.yaml b/.nais/test/nais.yaml new file mode 100644 index 0000000..1064f84 --- /dev/null +++ b/.nais/test/nais.yaml 
@@ -0,0 +1,211 @@ +apiVersion: nais.io/v1alpha1 +kind: Application +metadata: + name: pseudo-service + namespace: dapla-stat + labels: + team: {{team}} +spec: + image: "{{ image }}" # Injected from the GitHub Action + port: 10210 + replicas: + max: 5 + min: 1 + resources: + requests: + cpu: 100m + memory: 2Gi + limits: + memory: 12Gi + + ingresses: + - https://pseudo-service.intern.test.ssb.no + + accessPolicy: + outbound: + external: + - host: "cloudkms.googleapis.com" + - host: "secretmanager.googleapis.com" + - host: "www.googleapis.com" + - host: "cloudidentity.googleapis.com" + + liveness: + path: /health/liveness + port: 10210 + readiness: + path: /health/readiness + port: 10210 + startup: + path: /health/readiness + port: 10210 + + env: + - name: MICRONAUT_CONFIG_FILES + value: /conf/bootstrap.yaml,/conf/application.yaml + - name: LOGBACK_CONFIGURATION_FILE + value: /conf/logback-test.xml + + envFrom: + - secret: pseudo-key-config + + filesFrom: + - configmap: pseudo-application-test-configmap + mountPath: /conf + +--- + +apiVersion: v1 +kind: ConfigMap +metadata: + name: pseudo-application-test-configmap + namespace: {{team}} + labels: + team: {{team}} +data: + bootstrap-test.yml: |- + micronaut: + application: + name: pseudo-service + config-client: + enabled: true + gcp: + project-id: staging-dapla-pseudo-6485 + + application-test.yml: |- + micronaut: + application: + name: pseudo-service + server: + port: 10210 + cors.enabled: true + idle-timeout: 60m + read-idle-timeout: 60m + write-idle-timeout: 60m + thread-selection: AUTO + max-request-size: 2gb + multipart: + max-file-size: 2gb + + netty: + event-loops: + other: + num-threads: 100 + prefer-native-transport: true + + http: + client: + event-loop-group: other + read-timeout: 60s + + services: + sid-service: + url: 'http://reg-freg-t-sid-lookup-service.freg.svc.cluster.local' + path: '/v2' + read-timeout: 60s + pool: + enabled: true + max-connections: 50 + cloud-identity-service: + url: 
'https://cloudidentity.googleapis.com' + path: '/v1' + read-timeout: 60s + + caches: + secrets: + expire-after-access: 15m + cloud-identity-service-cache: + expire-after-write: 1m + + router: + static-resources: + swagger: + paths: classpath:META-INF/swagger + mapping: /api-docs/** + swagger-ui: + paths: classpath:META-INF/swagger/views/swagger-ui + mapping: /api-docs/swagger-ui/** + rapidoc: + paths: classpath:META-INF/swagger/views/rapidoc + mapping: /api-docs/rapidoc/** + redoc: + paths: classpath:META-INF/swagger/views/redoc + mapping: /api-docs/redoc/** + + security: + enabled: true + intercept-url-map: + - pattern: /api-docs/** + httpMethod: GET + access: + - isAnonymous() + token: + name-key: email + jwt: + signatures: + jwks: + keycloak-nais-test: + url: 'https://auth.test.ssb.no/realms/ssb/protocol/openid-connect/certs' + keycloak-bip-staging: + url: 'https://keycloak.staging-bip-app.ssb.no/auth/realms/ssb/protocol/openid-connect/certs' + google: + url: 'https://www.googleapis.com/oauth2/v3/certs' + + basic-auth: + enabled: false + + endpoints: + prometheus: + sensitive: false + info: + enabled: true + sensitive: false + + logger: + levels: + io.micronaut.security: INFO + no.ssb.dlp.pseudo.service: INFO + io.micronaut.security.token.jwt.validator: DEBUG + + services: + secrets: + impl: GCP + + gcp: + kms: + key-uris: + - ${PSEUDO_KEK_URI} + + http: + client: + filter: + project-id: 'staging-dapla-pseudo-6485' + services: + cloud-identity-service: + audience: "https://www.googleapis.com/auth/cloud-identity.groups.readonly" + + pseudo.secrets: + ssb-common-key-1: + id: ${SSB-COMMON-KEY-1-KEY-ID} + type: TINK_WDEK + ssb-common-key-2: + id: ${SSB-COMMON-KEY-2-KEY-ID} + type: TINK_WDEK + papis-common-key-1: + id: ${PAPIS-COMMON-KEY-1-KEY-ID} + type: TINK_WDEK + + export: + default-target-root: gs://ssb-staging-dapla-pseudo-service-data-export/felles + + sid.mapper.partition.size: 100000 + + app-roles: + # When using isAuthenticated() the JWT token must be 
signed by this trusted-issuer + trusted-issuers: + - https://keycloak.staging-bip-app.ssb.no/auth/realms/ssb + users: + - isAuthenticated() + admins: + - isAuthenticated() + users-group: pseudo-service-user-t@ssb.no + admins-group: pseudo-service-admin-t@ssb.no \ No newline at end of file diff --git a/pom.xml b/pom.xml index 1214a09..233e996 100644 --- a/pom.xml +++ b/pom.xml @@ -4,7 +4,7 @@ no.ssb.dapla.dlp.pseudo dapla-dlp-pseudo-service 3.1.11-SNAPSHOT - dapla-dlp-pseudo-service + pseudo-service io.micronaut.platform @@ -18,7 +18,7 @@ ${jdk.version} UTF-8 UTF-8 - artifactregistry://europe-north1-maven.pkg.dev/artifact-registry-5n/dapla-pseudo-maven + artifactregistry://europe-north1-maven.pkg.dev/artifact-registry-5n/dapla-pseudo-maven statisticsnorway/dapla-dlp-pseudo-service no.ssb.dlp.pseudo.service.Application 1.2 @@ -39,6 +39,7 @@ 3.2.2 1.18.30 5.7.0 + 2.8.1 @@ -53,8 +54,8 @@ https://repo.maven.apache.org/maven2 - artifact-registry - ${artifact-registry.url} + dapla-artifact-registry + ${dapla-artifact-registry.url} true always @@ -485,6 +486,19 @@ + + org.cyclonedx + cyclonedx-maven-plugin + ${cyclonedx-maven-plugin.version} + + + package + + makeAggregateBom + + + + @@ -595,25 +609,31 @@ - ssb-bip + github + + + github + GitHub Packages + https://maven.pkg.github.com/${github.repository} + + + + + dapla-artifact-registry - artifact-registry - ${artifact-registry.url} + dapla-artifact-registry + ${dapla-artifact-registry.url} - artifact-registry-snapshots - ${artifact-registry.url} + dapla-artifact-registry-snapshots + ${dapla-artifact-registry.url} + + true + - - - github - GitHub Packages - https://maven.pkg.github.com/${github.repository} - - From c3eb29b5d31d3a4bbe23827f12637bd9e55cdbb1 Mon Sep 17 00:00:00 2001 From: Michael Moen Allport Date: Wed, 4 Dec 2024 14:22:17 +0100 Subject: [PATCH 02/21] Temporarily deploy on PR commit --- .github/workflows/build-deploy-app.yml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) 
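Review bot: The application config points `sid-service` at `reg-freg-t-sid-lookup-service.freg.svc.cluster.local` and `export.default-target-root` at a `gs://` bucket, but `accessPolicy.outbound` only lists four Google API hosts; with NAIS's default-deny egress the in-cluster lookup presumably needs an `accessPolicy.outbound.rules` entry naming the application and `namespace: freg`, and the bucket needs `storage.googleapis.com` under `external`, unless that traffic reaches them some other way — confirm before relying on this manifest. The templated `team: {{team}}` values are unquoted while `image: "{{ image }}"` is quoted; an unquoted `{{team}}` parses as a flow mapping in any YAML tool that reads the file before `nais/deploy` renders it, so `team: "{{team}}"` is safer and consistent. `admins: - isAuthenticated()` grants the admin role to every authenticated user from either trusted issuer while `admins-group` is also set; if the group is meant to gate admin access, a comment stating which takes precedence would help the next reader. `io.micronaut.security.token.jwt.validator: DEBUG` is left on in a deployed environment; if that is deliberate, mark it with `# TODO: lower before prod`.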
diff --git a/.github/workflows/build-deploy-app.yml b/.github/workflows/build-deploy-app.yml index d4987c2..637168f 100644 --- a/.github/workflows/build-deploy-app.yml +++ b/.github/workflows/build-deploy-app.yml @@ -1,6 +1,8 @@ on: release: types: [ published ] + pull_request: ## ONLY FOR TESTING, SHOULD BE REMOVED AFTER DEPLOY PR IS MERGED + branches: [nais-deploy] push: branches: - master @@ -52,10 +54,10 @@ jobs: - name: Maven build and install run: | - if [[ ${{github.event_name}} == "push" ]]; then - mvn --batch-mode -P dapla-artifact-registry deploy - else + if [[ ${{github.event_name}} == "release" ]]; then mvn --batch-mode clean package + else + mvn --batch-mode -P dapla-artifact-registry deploy fi - name: Add optional extra tag From 86887cff24173ea88766a4c0f2753fc0c2fcca19 Mon Sep 17 00:00:00 2001 From: Michael Moen Allport Date: Wed, 4 Dec 2024 14:30:55 +0100 Subject: [PATCH 03/21] Add NAIS Keycloak as trusted issuer --- .nais/test/nais.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.nais/test/nais.yaml b/.nais/test/nais.yaml index 1064f84..a01fe99 100644 --- a/.nais/test/nais.yaml +++ b/.nais/test/nais.yaml @@ -203,6 +203,7 @@ data: # When using isAuthenticated() the JWT token must be signed by this trusted-issuer trusted-issuers: - https://keycloak.staging-bip-app.ssb.no/auth/realms/ssb + - https://auth.test.ssb.no/realms/ssb users: - isAuthenticated() admins: From 5b40d460823b25149e11b7e18ed9af569b12f899 Mon Sep 17 00:00:00 2001 From: Michael Moen Allport Date: Wed, 4 Dec 2024 14:32:41 +0100 Subject: [PATCH 04/21] Fix PR deploy branch --- .github/workflows/build-deploy-app.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build-deploy-app.yml b/.github/workflows/build-deploy-app.yml index 637168f..4542b3b 100644 --- a/.github/workflows/build-deploy-app.yml +++ b/.github/workflows/build-deploy-app.yml 
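Review bot: With the swapped condition in the `Maven build and install` step, every `pull_request` run now executes `mvn --batch-mode -P dapla-artifact-registry deploy`, publishing SNAPSHOT artifacts built from unreviewed PR commits to the shared Artifact Registry under the same version as master, and the job then deploys that image to the test cluster. The `## ONLY FOR TESTING` marker says this is temporary, but nothing prevents it from being merged as-is. If the PR trigger has to stay for now, keep publishing master-only by testing `github.event_name == "push"` for the deploy branch as the previous version did, and turn the marker into a tracked `# TODO(<issue-id placeholder>): remove pull_request trigger` so it is not forgotten.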
@@ -2,7 +2,8 @@ on: release: types: [ published ] pull_request: ## ONLY FOR TESTING, SHOULD BE REMOVED AFTER DEPLOY PR IS MERGED - branches: [nais-deploy] + branches: + - master push: branches: - master From 933325b90e4da3469cfac484de81f727e24872cf Mon Sep 17 00:00:00 2001 From: Michael Moen Allport Date: Wed, 4 Dec 2024 14:36:02 +0100 Subject: [PATCH 05/21] Forgor to save --- .github/workflows/build-deploy-app.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/.github/workflows/build-deploy-app.yml b/.github/workflows/build-deploy-app.yml index 7780504..4542b3b 100644 --- a/.github/workflows/build-deploy-app.yml +++ b/.github/workflows/build-deploy-app.yml @@ -2,12 +2,8 @@ on: release: types: [ published ] pull_request: ## ONLY FOR TESTING, SHOULD BE REMOVED AFTER DEPLOY PR IS MERGED -<<<<<<< HEAD branches: - master -======= - branches: [nais-deploy] ->>>>>>> master push: branches: - master From 7aeae39ff818190a6ef244482b7b0b5b4884badf Mon Sep 17 00:00:00 2001 From: Michael Moen Allport Date: Wed, 4 Dec 2024 14:59:45 +0100 Subject: [PATCH 06/21] Fix application config. Add variable for templating --- .github/workflows/deploy-to-nais.yml | 2 +- .nais/test/nais.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/deploy-to-nais.yml b/.github/workflows/deploy-to-nais.yml index 5c8d8d2..9a1c092 100644 --- a/.github/workflows/deploy-to-nais.yml +++ b/.github/workflows/deploy-to-nais.yml @@ -79,6 +79,6 @@ jobs: env: CLUSTER: ${{ inputs.cluster }} RESOURCE: ${{ inputs.nais-config-path }} - VAR: image=${{ inputs.registry }}/${{ secrets.NAIS_MANAGEMENT_PROJECT_ID }}/${{ inputs.repository }}/${{ inputs.image-name }}:${{ inputs.image-tag }} + VAR: image=${{ inputs.registry }}/${{ secrets.NAIS_MANAGEMENT_PROJECT_ID }}/${{ inputs.repository }}/${{ inputs.image-name }}:${{ inputs.image-tag }},team=dapla-stat DEPLOY_SERVER: deploy.ssb.cloud.nais.io:443 REF: ${{ inputs.ref }} \ No newline at end of file 
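Review bot: The reusable workflow takes registry, repository, image name and cluster as inputs but now hard-codes `team=dapla-stat` in `VAR`, so it can no longer be reused for another team or manifest without editing it. A `team` input declared in both trigger blocks (`team: { description: NAIS team, required: true, type: string }`) and passed through as `team=${{ inputs.team }}` keeps the workflow generic; build-deploy-app.yml already carries the value in its docker-push step (`team: dapla-stat`).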
diff --git a/.nais/test/nais.yaml b/.nais/test/nais.yaml index a01fe99..785e53b 100644 --- a/.nais/test/nais.yaml +++ b/.nais/test/nais.yaml @@ -41,7 +41,7 @@ spec: env: - name: MICRONAUT_CONFIG_FILES - value: /conf/bootstrap.yaml,/conf/application.yaml + value: /conf/bootstrap-test.yaml,/conf/application-test.yaml - name: LOGBACK_CONFIGURATION_FILE value: /conf/logback-test.xml From ccc50e5a3ac51c80685730384be95541b779031a Mon Sep 17 00:00:00 2001 From: Michael Moen Allport Date: Wed, 4 Dec 2024 15:00:24 +0100 Subject: [PATCH 07/21] Add team as templated variable --- .nais/test/nais.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.nais/test/nais.yaml b/.nais/test/nais.yaml index 785e53b..5486393 100644 --- a/.nais/test/nais.yaml +++ b/.nais/test/nais.yaml @@ -2,7 +2,7 @@ apiVersion: nais.io/v1alpha1 kind: Application metadata: name: pseudo-service - namespace: dapla-stat + namespace: {{team}} labels: team: {{team}} spec: From 0092d99968059d6c778113c7b26fc4f5c445e403 Mon Sep 17 00:00:00 2001 From: Michael Moen Allport Date: Wed, 4 Dec 2024 15:16:57 +0100 Subject: [PATCH 08/21] yaml -> yml --- .nais/test/nais.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.nais/test/nais.yaml b/.nais/test/nais.yaml index 5486393..b79a213 100644 --- a/.nais/test/nais.yaml +++ b/.nais/test/nais.yaml @@ -41,7 +41,7 @@ spec: env: - name: MICRONAUT_CONFIG_FILES - value: /conf/bootstrap-test.yaml,/conf/application-test.yaml + value: /conf/bootstrap-test.yml,/conf/application-test.yml - name: LOGBACK_CONFIGURATION_FILE value: /conf/logback-test.xml From e806f4d531995b5703e22a7004e3cc46057754ab Mon Sep 17 00:00:00 2001 From: Michael Moen Allport Date: Wed, 4 Dec 2024 15:59:36 +0100 Subject: [PATCH 09/21] Add Keycloak for egress --- .nais/test/nais.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.nais/test/nais.yaml b/.nais/test/nais.yaml index b79a213..fd34777 100644 --- a/.nais/test/nais.yaml +++ b/.nais/test/nais.yaml 
@@ -24,6 +24,7 @@ spec: accessPolicy: outbound: external: + - host: "auth.test.ssb.no" - host: "cloudkms.googleapis.com" - host: "secretmanager.googleapis.com" - host: "www.googleapis.com" From 60eae1b42001a5372f985548c51ca12a0f0e6349 Mon Sep 17 00:00:00 2001 From: Michael Moen Allport Date: Wed, 4 Dec 2024 16:01:32 +0100 Subject: [PATCH 10/21] Add Keycloak BIP for egres --- .nais/test/nais.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.nais/test/nais.yaml b/.nais/test/nais.yaml index fd34777..f96bb7c 100644 --- a/.nais/test/nais.yaml +++ b/.nais/test/nais.yaml @@ -25,6 +25,7 @@ spec: outbound: external: - host: "auth.test.ssb.no" + - host: "keycloak.staging-bip-app.ssb.no" - host: "cloudkms.googleapis.com" - host: "secretmanager.googleapis.com" - host: "www.googleapis.com" From 74c3ab7c7d83edffaa2b446b3b64057a32e5ccaa Mon Sep 17 00:00:00 2001 From: Michael Moen Allport Date: Tue, 10 Dec 2024 07:37:52 +0100 Subject: [PATCH 11/21] add prod release --- .github/workflows/build-deploy-app.yml | 14 +- .nais/prod/nais.yaml | 211 +++++++++++++++++++++++++ 2 files changed, 214 insertions(+), 11 deletions(-) create mode 100644 .nais/prod/nais.yaml diff --git a/.github/workflows/build-deploy-app.yml b/.github/workflows/build-deploy-app.yml index 4542b3b..f3474ea 100644 --- a/.github/workflows/build-deploy-app.yml +++ b/.github/workflows/build-deploy-app.yml @@ -1,6 +1,4 @@ on: - release: - types: [ published ] pull_request: ## ONLY FOR TESTING, SHOULD BE REMOVED AFTER DEPLOY PR IS MERGED branches: - master 
@@ -83,15 +81,9 @@ jobs: - name: Generate image tags id: nais-deploy-vars run: | - if [[ ${{github.event_name}} == "release" ]]; then - echo "nais_tag=${{ steps.version-tag.outputs.version_tag }}" >> "$GITHUB_OUTPUT" - echo "cluster=prod" >> "$GITHUB_OUTPUT" - echo "nais_config_path=.nais/prod/nais.yaml" >> "$GITHUB_OUTPUT" - else - echo "nais_tag=${{ steps.docker-push.outputs.tag }}" >> "$GITHUB_OUTPUT" - echo "cluster=test" >> "$GITHUB_OUTPUT" - echo "nais_config_path=.nais/test/nais.yaml" >> "$GITHUB_OUTPUT" - fi + echo "nais_tag=${{ steps.docker-push.outputs.tag }}" >> "$GITHUB_OUTPUT" + echo "cluster=prod" >> "$GITHUB_OUTPUT" + echo "nais_config_path=.nais/prod/nais.yaml" >> "$GITHUB_OUTPUT" deploy: name: Deploy to NAIS diff --git a/.nais/prod/nais.yaml b/.nais/prod/nais.yaml new file mode 100644 index 0000000..277e8fb --- /dev/null +++ b/.nais/prod/nais.yaml 
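Review bot: After this hunk `nais-deploy-vars` emits `cluster=prod` and `.nais/prod/nais.yaml` unconditionally, and the same patch drops the `release:` trigger, so both remaining triggers of this workflow — `push` to master and the `pull_request` on master that is still commented as testing-only — resolve to a production deploy. The prod image tag also becomes `steps.docker-push.outputs.tag` instead of the release `version_tag`, so a prod rollout can no longer be traced back to a published release. Unless the `deploy` job (outside this hunk) is gated on event type, keep the branch: `if [[ "${{ github.event_name }}" == "push" && "${{ github.ref }}" == "refs/heads/master" ]]; then … cluster=prod … else … cluster=test … fi`, or gate the job with `if: github.event_name == 'push'`, so that a PR run can never select the prod cluster.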
@@ -0,0 +1,211 @@ +apiVersion: nais.io/v1alpha1 +kind: Application +metadata: + name: pseudo-service + namespace: {{team}} + labels: + team: {{team}} +spec: + image: "{{ image }}" # Injected from the GitHub Action + port: 10210 + replicas: + max: 5 + min: 1 + resources: + requests: + cpu: 100m + memory: 2Gi + limits: + memory: 12Gi + + accessPolicy: + outbound: + external: + - host: "auth.ssb.no" + - host: "keycloak.prod-bip-app.ssb.no" + - host: "cloudkms.googleapis.com" + - host: "secretmanager.googleapis.com" + - host: "www.googleapis.com" + - host: "cloudidentity.googleapis.com" + + liveness: + path: /health/liveness + port: 10210 + readiness: + path: /health/readiness + port: 10210 + startup: + path: /health/readiness + port: 10210 + + env: + - name: MICRONAUT_CONFIG_FILES + value: /conf/bootstrap-prod.yml,/conf/application-prod.yml + - name: LOGBACK_CONFIGURATION_FILE + value: /conf/logback-prod.xml + + envFrom: + - secret: pseudo-key-config + + filesFrom: + - configmap: pseudo-application-prod-configmap + mountPath: /conf + +--- + +apiVersion: v1 +kind: ConfigMap +metadata: + name: pseudo-application-prod-configmap + namespace: {{team}} + labels: + team: {{team}} +data: + bootstrap-prod.yml: |- + micronaut: + application: + name: pseudo-service + config-client: + enabled: true + gcp: + project-id: prod-dapla-pseudo-1530 + + application-prod.yml: |- + micronaut: + application: + name: pseudo-service + server: + port: 10210 + cors.enabled: true + idle-timeout: 60m + read-idle-timeout: 60m + write-idle-timeout: 60m + thread-selection: AUTO + max-request-size: 2gb + multipart: + max-file-size: 2gb + + netty: + event-loops: + other: + num-threads: 100 + prefer-native-transport: true + + http: + client: + event-loop-group: other + read-timeout: 60s + + services: + sid-service: + url: 'http://reg-freg-p-sid-lookup-service.freg.svc.cluster.local' + path: '/v2' + read-timeout: 60s + pool: + enabled: true + max-connections: 50 + cloud-identity-service: + url: 
'https://cloudidentity.googleapis.com' + path: '/v1' + read-timeout: 60s + + caches: + secrets: + expire-after-access: 15m + cloud-identity-service-cache: + expire-after-write: 1m + + router: + static-resources: + swagger: + paths: classpath:META-INF/swagger + mapping: /api-docs/** + swagger-ui: + paths: classpath:META-INF/swagger/views/swagger-ui + mapping: /api-docs/swagger-ui/** + rapidoc: + paths: classpath:META-INF/swagger/views/rapidoc + mapping: /api-docs/rapidoc/** + redoc: + paths: classpath:META-INF/swagger/views/redoc + mapping: /api-docs/redoc/** + + security: + enabled: true + intercept-url-map: + - pattern: /api-docs/** + httpMethod: GET + access: + - isAnonymous() + token: + name-key: email + jwt: + signatures: + jwks: + keycloak-nais: + url: 'https://auth.ssb.no/realms/ssb/protocol/openid-connect/certs' + keycloak-bip: + url: 'https://keycloak.prod-bip-app.ssb.no/auth/realms/ssb/protocol/openid-connect/certs' + google: + url: 'https://www.googleapis.com/oauth2/v3/certs' + + basic-auth: + enabled: false + + endpoints: + prometheus: + sensitive: false + info: + enabled: true + sensitive: false + + logger: + levels: + io.micronaut.security: INFO + no.ssb.dlp.pseudo.service: INFO + io.micronaut.security.token.jwt.validator: DEBUG + + services: + secrets: + impl: GCP + + gcp: + kms: + key-uris: + - ${PSEUDO_KEK_URI} + + http: + client: + filter: + project-id: 'prod-dapla-pseudo-1530' + services: + cloud-identity-service: + audience: "https://www.googleapis.com/auth/cloud-identity.groups.readonly" + + pseudo.secrets: + ssb-common-key-1: + id: ${SSB-COMMON-KEY-1-KEY-ID} + type: TINK_WDEK + ssb-common-key-2: + id: ${SSB-COMMON-KEY-2-KEY-ID} + type: TINK_WDEK + papis-common-key-1: + id: ${PAPIS-COMMON-KEY-1-KEY-ID} + type: TINK_WDEK + + export: + default-target-root: gs://ssb-prod-dapla-pseudo-service-data-export/felles + + sid.mapper.partition.size: 100000 + + app-roles: + # When using isAuthenticated() the JWT token must be signed by this trusted-issuer + 
trusted-issuers: + - https://keycloak.prod-bip-app.ssb.no/auth/realms/ssb + - https://auth.ssb.no/realms/ssb + users: + - isAuthenticated() + admins: + - isAuthenticated() + users-group: pseudo-service-user-p@ssb.no + admins-group: pseudo-service-admin-p@ssb.no \ No newline at end of file From 36fcc0c5fc0d25da6a572a24de56542bf2b6c28f Mon Sep 17 00:00:00 2001 From: Michael Moen Allport Date: Tue, 10 Dec 2024 07:55:46 +0100 Subject: [PATCH 12/21] Use pseudo users --- .nais/prod/nais.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.nais/prod/nais.yaml b/.nais/prod/nais.yaml index 277e8fb..daee64e 100644 --- a/.nais/prod/nais.yaml +++ b/.nais/prod/nais.yaml @@ -46,6 +46,7 @@ spec: envFrom: - secret: pseudo-key-config + - secret: pseudo-elevated-users filesFrom: - configmap: pseudo-application-prod-configmap @@ -203,9 +204,8 @@ data: trusted-issuers: - https://keycloak.prod-bip-app.ssb.no/auth/realms/ssb - https://auth.ssb.no/realms/ssb - users: - - isAuthenticated() - admins: - - isAuthenticated() + users: ${PSEUDO_USERS} + # admins: + # - isAuthenticated() users-group: pseudo-service-user-p@ssb.no admins-group: pseudo-service-admin-p@ssb.no \ No newline at end of file From 20fc4301099ad25158c81a791c1936eea89851d8 Mon Sep 17 00:00:00 2001 From: Michael Moen Allport Date: Tue, 10 Dec 2024 08:06:32 +0100 Subject: [PATCH 13/21] Use pseudo admins --- .nais/prod/nais.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.nais/prod/nais.yaml b/.nais/prod/nais.yaml index daee64e..b15b4e9 100644 --- a/.nais/prod/nais.yaml +++ b/.nais/prod/nais.yaml @@ -205,7 +205,6 @@ data: - https://keycloak.prod-bip-app.ssb.no/auth/realms/ssb - https://auth.ssb.no/realms/ssb users: ${PSEUDO_USERS} - # admins: - # - isAuthenticated() + # admins: ${PSEUDO_ADMINS} users-group: pseudo-service-user-p@ssb.no admins-group: pseudo-service-admin-p@ssb.no \ No newline at end of file From aee750aa7c12e8d14cea9755381abde60d5b5c2a Mon Sep 17 00:00:00 2001 
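Review bot: The production `application-prod.yml` embedded in this ConfigMap sets `io.micronaut.security.token.jwt.validator: DEBUG`, which will emit per-request validation detail for every bearer token presented to the service and, depending on what that logger prints, may include issuer and claim values; set it to `INFO` like the two sibling loggers, or confirm exactly what it logs before it ships in prod. `micronaut.server.cors.enabled: true` is set with no `cors.configurations` block restricting origins, so confirm which origins Micronaut admits in that state and pin the intended ones. `/api-docs/**` is opened with `isAnonymous()`; that is defensible behind an internal ingress, but it deserves a comment stating that assumption, e.g. `# api-docs are anonymous on purpose: only reachable via the intern ingress`, so it is revisited if an external ingress is ever added.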
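Review bot: With `# admins: ${PSEUDO_ADMINS}` commented out, the prod `app-roles` block defines no `admins` entries at all while `admins-group: pseudo-service-admin-p@ssb.no` remains; whether the admin role is then resolved solely from the group, or is simply empty, depends on code outside this diff, so confirm that and either enable the line or record the intent, e.g. `# admins are resolved from admins-group only; PSEUDO_ADMINS intentionally unset`. `users: ${PSEUDO_USERS}` also replaces a YAML list with a placeholder that expands to a single string from the `pseudo-elevated-users` secret; whether that is coerced into the list the property expects depends on the value's format, so document the expected format of the secret next to the `envFrom` entry.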
From: Michael Moen Allport Date: Tue, 10 Dec 2024 08:10:28 +0100 Subject: [PATCH 14/21] Lower resources in test --- .nais/prod/nais.yaml | 2 +- .nais/test/nais.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.nais/prod/nais.yaml b/.nais/prod/nais.yaml index b15b4e9..246bae6 100644 --- a/.nais/prod/nais.yaml +++ b/.nais/prod/nais.yaml @@ -13,7 +13,7 @@ spec: min: 1 resources: requests: - cpu: 100m + cpu: 200m memory: 2Gi limits: memory: 12Gi diff --git a/.nais/test/nais.yaml b/.nais/test/nais.yaml index f96bb7c..09f2112 100644 --- a/.nais/test/nais.yaml +++ b/.nais/test/nais.yaml @@ -16,7 +16,7 @@ spec: cpu: 100m memory: 2Gi limits: - memory: 12Gi + memory: 6Gi ingresses: - https://pseudo-service.intern.test.ssb.no From fe8395e9455fc45be9554b4770d7315cbf4510d6 Mon Sep 17 00:00:00 2001 From: Michael Moen Allport Date: Tue, 10 Dec 2024 08:25:27 +0100 Subject: [PATCH 15/21] Add internal ingress for prod. Add external egress for test --- .nais/prod/nais.yaml | 3 +++ .nais/test/nais.yaml | 1 + 2 files changed, 4 insertions(+) diff --git a/.nais/prod/nais.yaml b/.nais/prod/nais.yaml index 246bae6..92caf37 100644 --- a/.nais/prod/nais.yaml +++ b/.nais/prod/nais.yaml @@ -18,6 +18,9 @@ spec: limits: memory: 12Gi + ingresses: + - https://pseudo-service.intern.test.ssb.no + accessPolicy: outbound: external: diff --git a/.nais/test/nais.yaml b/.nais/test/nais.yaml index 09f2112..b48a5b6 100644 --- a/.nais/test/nais.yaml +++ b/.nais/test/nais.yaml @@ -20,6 +20,7 @@ spec: ingresses: - https://pseudo-service.intern.test.ssb.no + - https://pseudo-service.test.ssb.no accessPolicy: outbound: From 0cd43b3d221e5eb78af2144ce7f18915c64d479b Mon Sep 17 00:00:00 2001 From: Michael Moen Allport Date: Tue, 10 Dec 2024 08:57:11 +0100 Subject: [PATCH 16/21] Remove test subdomain from ingress URL --- .nais/prod/nais.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.nais/prod/nais.yaml b/.nais/prod/nais.yaml index 92caf37..cd13012 100644 
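Review bot: The patch-15 hunk adds `https://pseudo-service.test.ssb.no` as a second, non-`intern` ingress for the test application, which, if that domain is the externally reachable one as the naming suggests, exposes the service beyond the internal network. The prod config in this series grants `isAnonymous()` on `/api-docs/**`, and if the test config (outside this hunk) carries the same rule, the Swagger/RapiDoc/ReDoc UIs and the OpenAPI document become readable without a token from that ingress. If the external ingress is needed, say why on the line, e.g. `# external ingress needed for <consumer>; /api-docs is anonymous`, and consider putting the api-docs rule behind `isAuthenticated()` for that environment.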
--- a/.nais/prod/nais.yaml +++ b/.nais/prod/nais.yaml @@ -19,7 +19,7 @@ spec: memory: 12Gi ingresses: - - https://pseudo-service.intern.test.ssb.no + - https://pseudo-service.intern.ssb.no accessPolicy: outbound: From f641eeb3dcbff88461a6b4c04ee93712b208bca0 Mon Sep 17 00:00:00 2001 From: Johnny Niklasson Date: Fri, 10 Jan 2025 13:15:26 +0100 Subject: [PATCH 17/21] add alerts for pseudo-service (#119) --- .nais/alerts.yaml | 75 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 75 insertions(+) create mode 100644 .nais/alerts.yaml diff --git a/.nais/alerts.yaml b/.nais/alerts.yaml new file mode 100644 index 0000000..ad9c97d --- /dev/null +++ b/.nais/alerts.yaml 
@@ -0,0 +1,75 @@ +apiVersion: "monitoring.coreos.com/v1" +kind: PrometheusRule +metadata: + name: alert-pseudo-service + namespace: dapla-stat + labels: + team: dapla-stat +spec: + groups: + - name: dapla-stat + rules: + # This alert checks if no replicas of pseudo-service are available, indicating the service is unavailable. + - alert: PseudoServiceUnavailable + expr: kube_deployment_status_replicas_available{deployment="pseudo-service"} == 0 + for: 1m + annotations: + title: "Pseudo-service is unavailable" + consequence: "The service is unavailable to users. Immediate investigation required." + action: "Check the deployment status and logs for issues." + labels: + service: pseudo-service + namespace: dapla-stat + severity: critical + + # This alert detects high CPU usage by calculating the CPU time used over 5 minutes. + - alert: HighCPUUsage + expr: rate(process_cpu_seconds_total{app="pseudo-service"}[5m]) > 0.8 + for: 5m + annotations: + title: "High CPU usage detected" + consequence: "The service might experience performance degradation." + action: "Investigate the cause of high CPU usage and optimize if necessary." + labels: + service: pseudo-service + namespace: dapla-stat + severity: warning + + # This alert checks if memory usage exceeds 90% of the 12GB limit, which could cause instability. + - alert: HighMemoryUsage + expr: process_resident_memory_bytes{app="pseudo-service"} > (0.9 * 12 * 1024 * 1024 * 1024) + for: 5m + annotations: + title: "High memory usage detected" + consequence: "The service might experience instability due to high memory usage." + action: "Check memory utilization and consider increasing resources or optimizing the service." + labels: + service: pseudo-service + namespace: dapla-stat + severity: warning + + # This alert detects a high number of error logs in pseudo-service. 
+ - alert: HighNumberOfErrors + expr: (100 * sum by (app, namespace) (rate(log_messages_errors{app="pseudo-service", level=~"Error"}[3m])) / sum by (app, namespace) (rate(log_messages_total{app="pseudo-service"}[3m]))) > 10 + for: 3m + annotations: + title: "High number of errors logged in pseudo-service" + consequence: "The application is logging a significant number of errors." + action: "Check the service logs for errors and address the root cause." + labels: + service: pseudo-service + namespace: dapla-stat + severity: critical + + # This alert monitors the number of pod restarts for pseudo-service and triggers if more than 3 restarts occur within 15 minutes. + - alert: HighPodRestarts + expr: increase(kube_pod_container_status_restarts_total{namespace="dapla-stat", app="pseudo-service"}[15m]) > 3 + for: 15m + annotations: + title: "High number of pod restarts" + consequence: "The service may be unstable or misconfigured." + action: "Investigate the cause of pod restarts and fix configuration or resource issues." + labels: + service: pseudo-service + namespace: dapla-stat + severity: warning From 94a56013451e91221a156d7ff5ee2883cd4091df Mon Sep 17 00:00:00 2001 From: Johnny Niklasson Date: Fri, 10 Jan 2025 13:19:27 +0100 Subject: [PATCH 18/21] alert-deploy.yml (#120) --- .github/workflows/alert-deploy.yml | 40 ++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) create mode 100644 .github/workflows/alert-deploy.yml diff --git a/.github/workflows/alert-deploy.yml b/.github/workflows/alert-deploy.yml new file mode 100644 index 0000000..68eae11 --- /dev/null +++ b/.github/workflows/alert-deploy.yml 
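Review bot: `HighPodRestarts` pairs `increase(...[15m]) > 3` with `for: 15m`, so a single burst of restarts can never fire it: the expression turns true when the fourth restart lands and turns false again when the first restart ages out of the 15-minute window, so it stays true for less than 15 minutes, and `for: 15m` needs it true for the full 15. Use a `for:` clearly shorter than the window, e.g. `for: 1m`, or widen the range to `[30m]`, whichever matches the intent described in the comment above the rule. Separately, `PseudoServiceUnavailable` selects only on `deployment="pseudo-service"` with no namespace, so it will match a same-named deployment in any namespace this Prometheus sees; add the selector: `expr: kube_deployment_status_replicas_available{namespace="dapla-stat", deployment="pseudo-service"} == 0`.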
@@ -0,0 +1,40 @@ +name: Deploy alerts +run-name: Deploy alerts for pseudo-service to dev and prod + +on: + push: + branches: + - master + - nais-deploy + paths: + - '.nais/alerts.yaml' + - '.github/workflows/alert-deploy.yml' +permissions: + id-token: write + +jobs: + test-deploy: + name: Deploy alerts to test + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v4 + - name: Deploy to test + uses: nais/deploy/actions/deploy@v2 + env: + CLUSTER: test + RESOURCE: .nais/alerts.yaml + DEPLOY_SERVER: deploy.ssb.cloud.nais.io:443 + + prod-deploy: + name: Deploy alerts to prod + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v4 + - name: Deploy to prod + uses: nais/deploy/actions/deploy@v2 + env: + CLUSTER: prod + RESOURCE: .nais/alerts.yaml + DEPLOY_SERVER: deploy.ssb.cloud.nais.io:443 \ No newline at end of file From 772643deedcb8873bc7ef9cd2602114f5fb84970 Mon Sep 17 00:00:00 2001 From: ssb-jnk Date: Fri, 10 Jan 2025 13:23:49 +0100 Subject: [PATCH 19/21] change high memory usage to fetch memory dynamically --- .nais/alerts.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.nais/alerts.yaml b/.nais/alerts.yaml index ad9c97d..fc442b3 100644 --- a/.nais/alerts.yaml +++ b/.nais/alerts.yaml @@ -35,9 +35,9 @@ spec: namespace: dapla-stat severity: warning - # This alert checks if memory usage exceeds 90% of the 12GB limit, which could cause instability. + # This alert checks if memory usage exceeds 90% of the memory limit assigned to the pseudo-service pod. - alert: HighMemoryUsage - expr: process_resident_memory_bytes{app="pseudo-service"} > (0.9 * 12 * 1024 * 1024 * 1024) + expr: process_resident_memory_bytes{app="pseudo-service"} > (0.9 * on(pod, namespace) group_left kube_pod_container_resource_limits_memory_bytes{pod=~"pseudo-service.*"}) for: 5m annotations: title: "High memory usage detected" From 3ae70135c4c47e5a7bfa27bdba7eec766e1eb70b Mon Sep 17 00:00:00 2001 
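Review bot: `prod-deploy` in `alert-deploy.yml` runs on every push to the `nais-deploy` branch as well as `master`, and it has no `needs: test-deploy`, so a feature-branch push rewrites production alert rules without the test deploy having succeeded first; restrict the trigger to `master` (or add `if: github.ref == 'refs/heads/master'` to the prod job) and add `needs: test-deploy` to `prod-deploy`. The top-level `permissions:` block grants only `id-token: write`, which leaves every other scope, including `contents`, at none, so `actions/checkout@v4` works only while the repository is publicly readable; add `contents: read` alongside it. `nais/deploy/actions/deploy@v2` is a floating major tag; pinning it to a commit SHA would match the supply-chain posture expected of a workflow that holds a deploy identity.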
From: ssb-jnk Date: Fri, 10 Jan 2025 13:31:15 +0100 Subject: [PATCH 20/21] edit high memory alert --- .nais/alerts.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.nais/alerts.yaml b/.nais/alerts.yaml index fc442b3..436ead1 100644 --- a/.nais/alerts.yaml +++ b/.nais/alerts.yaml @@ -37,7 +37,7 @@ spec: # This alert checks if memory usage exceeds 90% of the memory limit assigned to the pseudo-service pod. - alert: HighMemoryUsage - expr: process_resident_memory_bytes{app="pseudo-service"} > (0.9 * on(pod, namespace) group_left kube_pod_container_resource_limits_memory_bytes{pod=~"pseudo-service.*"}) + expr: process_resident_memory_bytes{app="pseudo-service"} > (0.9 * on(app) group_left(container_memory_limit_bytes) container_memory_limit_bytes{app="pseudo-service"}) for: 5m annotations: title: "High memory usage detected" From 3ee443c8e6a4bee3005df648501959b42082a237 Mon Sep 17 00:00:00 2001 From: ssb-jnk Date: Fri, 10 Jan 2025 13:34:34 +0100 Subject: [PATCH 21/21] revert to putting max memory manually --- .nais/alerts.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.nais/alerts.yaml b/.nais/alerts.yaml index 436ead1..ad9c97d 100644 --- a/.nais/alerts.yaml +++ b/.nais/alerts.yaml @@ -35,9 +35,9 @@ spec: namespace: dapla-stat severity: warning - # This alert checks if memory usage exceeds 90% of the memory limit assigned to the pseudo-service pod. + # This alert checks if memory usage exceeds 90% of the 12GB limit, which could cause instability. - alert: HighMemoryUsage - expr: process_resident_memory_bytes{app="pseudo-service"} > (0.9 * on(app) group_left(container_memory_limit_bytes) container_memory_limit_bytes{app="pseudo-service"}) + expr: process_resident_memory_bytes{app="pseudo-service"} > (0.9 * 12 * 1024 * 1024 * 1024) for: 5m annotations: title: "High memory usage detected"
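Review bot: Reverting `HighMemoryUsage` to the hard-coded `0.9 * 12 * 1024 * 1024 * 1024` leaves the alert inconsistent with one of the clusters it is deployed to: `alert-deploy.yml` applies this file to both `test` and `prod`, and patch 14 sets the test pod's memory limit to `6Gi`, so in test the threshold (~10.8 GiB) lies above the limit and the pod will be OOM-killed before the alert can fire. If the `on(app)` join against `container_memory_limit_bytes` was dropped because that metric or label is absent, say so in the comment and try the kube-state-metrics v2 form, e.g. `process_resident_memory_bytes{app="pseudo-service"} > 0.9 * on(namespace, pod) group_left() kube_pod_container_resource_limits{resource="memory", container="pseudo-service"}`, which presumes the app metric carries `namespace`/`pod` labels. Failing that, at least add `# NOTE: 12Gi is the prod limit; the test limit is 6Gi, so this rule is prod-only in practice` above the rule so the gap is visible.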