From 01b16b63980fdfe60529cfea05810a8ebb66270d Mon Sep 17 00:00:00 2001
From: vilorij
Date: Mon, 15 Nov 2021 04:32:13 +0300
Subject: [PATCH] Dudoser (#245)
* add dudoser
* add mail vars
* enable dudoser
* prod env vars
Co-authored-by: Dmitry Skokov
---
config/dudoser/entrypoint.sh.gotmpl | 33 ++++++
config/dudoser/loggers.xml | 4 +
config/dudoser/values.yaml.gotmpl | 175 ++++++++++++++++++++++++++++
config/postgres/values.yaml.gotmpl | 1 +
config/vault-cm/values.yaml.gotmpl | 21 ++++
default.values.yaml | 10 ++
helmfile.yaml | 5 +
prod.values.yaml | 76 ++++++++++++
8 files changed, 325 insertions(+)
create mode 100644 config/dudoser/entrypoint.sh.gotmpl
create mode 100644 config/dudoser/loggers.xml
create mode 100644 config/dudoser/values.yaml.gotmpl
create mode 100644 prod.values.yaml
diff --git a/config/dudoser/entrypoint.sh.gotmpl b/config/dudoser/entrypoint.sh.gotmpl
new file mode 100644
index 0000000..4ffcb50
--- /dev/null
+++ b/config/dudoser/entrypoint.sh.gotmpl
@@ -0,0 +1,33 @@
+#!/bin/sh
+set -ue
+
+java \
+ "-XX:OnOutOfMemoryError=kill %p" -XX:+HeapDumpOnOutOfMemoryError \
+ -jar \
+ /opt/dudoser/dudoser.jar \
+ --logging.config=/opt/dudoser/logback.xml \
+ -Dwoody.node_id=dudos1 \
+ --server.port=8022 \
+ --spring.flyway.schemas=dudos \
+ --hellgate.url=http://party-management:8022/v1/processing/partymgmt \
+ --hellgate.networkTimeout=300 \
+ --invoicing-service.url=http://hellgate:8022/v1/processing/invoicing \
+ --invoicing-service.networkTimeout=300 \
+ --kafka.bootstrap-servers="{{ .Values.services.kafka.endpoint | default "kafka" }}:{{ .Values.services.kafka.port | default "9092" }}" \
+ --kafka.topics.invoice.id=mg-events-invoice \
+ --kafka.topics.invoice.enabled=true \
+ --kafka.client-id=dudoser \
+ --kafka.consumer.group-id=Dudoser-Invoicing \
+ --kafka.consumer.concurrency=7 \
+ --mail.host={{ .Values.services.mail.smtp.host }} \
+ --mail.port={{ .Values.services.mail.smtp.port | default "25" }} \
+ --mail.smtp.auth={{ .Values.services.mail.auth.enabled }} \
+ --mail.username={{ .Values.services.mail.auth.username }} \
+ --mail.password={{ .Values.services.mail.auth.password }} \
+ --mail.from={{ .Values.services.mail.smtp.from }} \
+ --notification.payment.paid.from={{ .Values.services.mail.smtp.from }} \
+ --notification.create.invoice.from={{ .Values.services.mail.smtp.from }} \
+ --subject.timezone.refund=Europe/Moscow \
+ --subject.timezone.payment=Europe/Moscow \
+ ${@} \
+ --spring.config.additional-location=optional:/vault/secrets/application.properties
diff --git a/config/dudoser/loggers.xml b/config/dudoser/loggers.xml
new file mode 100644
index 0000000..6bbae6f
--- /dev/null
+++ b/config/dudoser/loggers.xml
@@ -0,0 +1,4 @@
+
+
+
+
\ No newline at end of file
diff --git a/config/dudoser/values.yaml.gotmpl b/config/dudoser/values.yaml.gotmpl
new file mode 100644
index 0000000..0025689
--- /dev/null
+++ b/config/dudoser/values.yaml.gotmpl
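Review bot: `--mail.username={{ .Values.services.mail.auth.username }}` and `--mail.password={{ .Values.services.mail.auth.password }}` render the SMTP credential into entrypoint.sh, which values.yaml.gotmpl stores in a ConfigMap and which then appears in the JVM's process arguments, so the secret is exposed through two non-secret channels. The script already loads `optional:/vault/secrets/application.properties`, so `mail.username`/`mail.password` belong in that secret-backed file (the `secret.data.db_config` block or the Vault agent template) rather than on the command line. Separately, `${@}` should be `"$@"` so extra arguments containing spaces are not word-split, and the templated `--mail.host=`/`--mail.from=` values are unquoted, unlike `--kafka.bootstrap-servers`.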
@@ -0,0 +1,175 @@
+# -*- mode: yaml -*-
+
+replicaCount: 1
+
+image:
+ repository: {{ .Values.services.global.registry.repository | default "docker.io/rbkmoney" }}/dudoser
+ tag: 39c2a816501ccc2cc508e18a9e3d2577504f03db
+ pullPolicy: IfNotPresent
+
+{{ if .Values.services.global.registry.imagePullSecret }}
+imagePullSecrets:
+ - name: {{ .Values.services.global.registry.imagePullSecret }}
+{{ end }}
+
+runopts:
+ command: ["/opt/dudoser/entrypoint.sh"]
+
+configMap:
+ data:
+ entrypoint.sh: |
+ {{- tpl (readFile "entrypoint.sh.gotmpl") . | nindent 6 }}
+ loggers.xml: |
+ {{- readFile "loggers.xml" | nindent 6 }}
+ logback.xml: |
+ {{- readFile "../logs/logback.xml" | nindent 6 }}
+
+{{- if or .Values.services.postgres.external .Values.services.kafka.ssl.enabled }}
+secret:
+ data:
+ db_config: |
+ {{- if .Values.services.postgres.external }}
+ spring.datasource.url=jdbc:postgresql://{{ .Values.services.postgres.endpoint | default "external-postgres" }}:5432/dudoser?sslmode=disable
+ spring.datasource.username={{ .Values.services.postgres.uniUser }}
+ spring.datasource.password={{ .Values.services.postgres.uniPassword }}
+ flyway.url=jdbc:postgresql://{{ .Values.services.postgres.endpoint | default "external-postgres" }}:5432/dudoser?sslmode=disable
+ flyway.user={{ .Values.services.postgres.uniUser }}
+ flyway.password={{ .Values.services.postgres.uniPassword }}
+ {{- end }}
+ {{- if .Values.services.kafka.ssl.enabled }}
+ kafka.ssl.enabled=true
+ kafka.ssl.key-store-location=/vault/secrets/kafka-keystore.p12
+ kafka.ssl.key-store-password={{ .Values.services.kafka.ssl.keystorePass }}
+ kafka.ssl.key-store-type=PKCS12
+ kafka.ssl.key-password={{ .Values.services.kafka.ssl.keyPass }}
+ kafka.ssl.trust-store-location=/vault/secrets/kafka-truststore.p12
+ kafka.ssl.trust-store-password={{ .Values.services.kafka.ssl.truststorePass }}
+ kafka.ssl.trust-store-type=PKCS12
+ {{- end }}
+{{- end }}
+
+env:
+ - name: LOGBACK_SERVICE_NAME
+ value: "dudoser"
+
+volumes:
+ - name: config-volume
+ configMap:
+ name: {{ .Release.Name }}
+ defaultMode: 0755
+{{- if .Values.services.kafka.ssl.enabled }}
+ - name: kafka-cert
+ secret:
+ secretName: {{ .Release.Name }}-kafka-cert
+ - name: kafka-ca
+ secret:
+ secretName: java-ca-kafka
+{{- end }}
+{{- if or .Values.services.postgres.external .Values.services.kafka.ssl.enabled }}
+ - name: secret
+ secret:
+ secretName: {{ .Release.Name }}
+{{- end }}
+
+volumeMounts:
+ - name: config-volume
+ mountPath: /opt/dudoser/entrypoint.sh
+ subPath: entrypoint.sh
+ readOnly: true
+ - name: config-volume
+ mountPath: /opt/dudoser/logback.xml
+ subPath: logback.xml
+ readOnly: true
+ - name: config-volume
+ mountPath: /opt/dudoser/loggers.xml
+ subPath: loggers.xml
+ readOnly: true
+{{- if .Values.services.kafka.ssl.enabled }}
+ - name: kafka-ca
+ subPath: kafka-truststore.p12
+ mountPath: /vault/secrets/kafka-truststore.p12
+ readOnly: true
+ - name: kafka-cert
+ subPath: {{ .Release.Name }}.p12
+ mountPath: /vault/secrets/kafka-keystore.p12
+ readOnly: true
+{{- end }}
+{{- if or .Values.services.postgres.external .Values.services.kafka.ssl.enabled }}
+ - name: secret
+ subPath: db_config
+ mountPath: /vault/secrets/application.properties
+ readOnly: true
+{{- end }}
+
+service:
+ ports:
+ - name: api
+ port: 8022
+ - name: management
+ port: 8023
+
+livenessProbe:
+ httpGet:
+ path: /actuator/health
+ port: management
+
+readinessProbe:
+ httpGet:
+ path: /actuator/health
+ port: management
+
+{{- if .Values.services.vault.enabled }}
+podAnnotations:
+ vault.hashicorp.com/role: "db-app"
+ vault.hashicorp.com/agent-inject: "true"
+ vault.hashicorp.com/agent-inject-secret-application.properties: "database/creds/db-app-dudoser"
+ vault.hashicorp.com/agent-inject-template-application.properties: |
+ {{`{{- with secret "database/creds/db-app-dudoser" -}}
+ spring.datasource.url=jdbc:postgresql://postgres-postgresql:5432/magista?sslmode=disable
+ spring.datasource.username={{ .Data.username }}
+ spring.datasource.password={{ .Data.password }}
+ flyway.url=jdbc:postgresql://postgres-postgresql:5432/dudoser?sslmode=disable
+ flyway.user={{ .Data.username }}
+ flyway.password={{ .Data.password }}
+ {{- end }}`}}
+{{- end }}
+
+metrics:
+ serviceMonitor:
+ enabled: {{ .Values.services.global.metrics.enabled }}
+ namespace: {{ .Release.Namespace }}
+ additionalLabels:
+ release: prometheus
+ endpoints:
+ - port: "management"
+ path: /actuator/prometheus
+ scheme: http
+
+ciliumPolicies:
+ - filters:
+ - port: 5432
+ type: TCP
+ name: postgres
+ - filters:
+ - port: 9092
+{{/*
+ rules:
+ kafka:
+ - role: consume
+ topics:
+ - mg-events-invoice
+*/}}
+ type: TCP
+ name: kafka
+ - filters:
+ - port: 8200
+ type: TCP
+ name: vault
+ - filters:
+ - port: 8022
+ type: TCP
+ name: hellgate
+ - filters:
+ - port: 8022
+ type: TCP
+ name: party-management
diff --git a/config/postgres/values.yaml.gotmpl b/config/postgres/values.yaml.gotmpl
index 96a9739..20e5e93 100644
--- a/config/postgres/values.yaml.gotmpl
+++ b/config/postgres/values.yaml.gotmpl
@@ -27,6 +27,7 @@ initdbScripts: CREATE DATABASE fraudbusters; CREATE DATABASE "fraudbusters-management"; CREATE DATABASE fb_notificator; + CREATE DATABASE dudoser; #TODO: If bump version, change master to primary master:
diff --git a/config/vault-cm/values.yaml.gotmpl b/config/vault-cm/values.yaml.gotmpl
index 4cc7c94..f3a85aa 100644
--- a/config/vault-cm/values.yaml.gotmpl
+++ b/config/vault-cm/values.yaml.gotmpl
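Review bot: The Vault agent template under `podAnnotations` points `spring.datasource.url` at `postgres-postgresql:5432/magista`, while `flyway.url` two lines below and the `db-app-dudoser` role in vault-cm both use the `dudoser` database, so with `services.vault.enabled` the application would be handed another service's database while its migrations run against dudoser; the line should read `spring.datasource.url=jdbc:postgresql://postgres-postgresql:5432/dudoser?sslmode=disable`. Every JDBC URL in this file carries `sslmode=disable`; if the in-cluster Postgres serves TLS, `sslmode=require` (or `verify-full` with the CA mounted) would protect the dynamic credentials in transit, and if plaintext is deliberate a comment saying so would stop the next reviewer from asking. When `postgres.external` and `vault.enabled` are both true, the `secret` volumeMount at `/vault/secrets/application.properties` appears to collide with the path the agent injector writes the same-named secret to; a comment stating which source wins, or a template guard making the two mutually exclusive, would make the precedence explicit.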
@@ -233,6 +233,24 @@ configMap: default_ttl="240h" \ max_ttl="240h"
+ vault write database/config/dudoser \
+ plugin_name=postgresql-database-plugin \
+ allowed_roles="*" \
+ connection_url="postgresql://{{`{{username}}`}}:{{`{{password}}`}}@postgres-postgresql:5432/dudoser?sslmode=disable" \
+ username="postgres" \
+ password="H@ckM3"
+ vault write database/roles/db-app-dudoser \
+ db_name=dudoser \
+ revocation_statements="REASSIGN OWNED BY \"{{`{{name}}`}}\" to postgres; ALTER ROLE \"{{`{{name}}`}}\" NOLOGIN;" \
+ creation_statements="Create schema if not exists dudos;
+ CREATE ROLE \"{{`{{name}}`}}\" WITH LOGIN PASSWORD '{{`{{password}}`}}' VALID UNTIL '{{`{{expiration}}`}}';
+ GRANT CREATE ON DATABASE dudoser TO \"{{`{{name}}`}}\";
+ GRANT ALL ON SCHEMA dudos TO \"{{`{{name}}`}}\";
+ GRANT ALL ON ALL TABLES IN SCHEMA dudos TO \"{{`{{name}}`}}\";
+ GRANT ALL ON ALL SEQUENCES IN SCHEMA dudos TO \"{{`{{name}}`}}\";" \
+ default_ttl="240h" \
+ max_ttl="240h"
+ vault secrets enable kv vault kv put secret/xrates \
@@ -302,3 +320,6 @@ configMap: path "database/creds/db-app-fb-notificator" { capabilities = ["read"] }
+ path "database/creds/db-app-dudoser" {
+ capabilities = ["read"]
+ }
diff --git a/default.values.yaml b/default.values.yaml
index e09c1b4..020b641 100644
--- a/default.values.yaml
+++ b/default.values.yaml
@@ -88,6 +88,16 @@ services: accessKey: user_01 secretKey: SomeSecretKeyFromS3AdminConsole
+ mail:
+ smtp:
+ host: mail
+ port: 25
+ from: no-reply@test.ru
+ auth:
+ enabled: false
+ username: user
+ password: password
+ ingress: # Ingressclass if have more than one controller: class: "nginx"
diff --git a/helmfile.yaml b/helmfile.yaml
index f4994b7..c1caefe 100644
--- a/helmfile.yaml
+++ b/helmfile.yaml
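Review bot: `vault write database/config/dudoser` embeds the Postgres superuser credential as literals (`username="postgres"`, `password="H@ckM3"`) in a ConfigMap-rendered script, and `allowed_roles="*"` lets any database role in this mount use that connection. The database secrets engine can retire the bootstrap password immediately after configuration with `vault write -f database/rotate-root/dudoser`, and `allowed_roles="db-app-dudoser"` limits the connection to the single role defined right below it. The connection string also uses `sslmode=disable`, so the dynamic credentials issued by `database/roles/db-app-dudoser` and the root credential itself travel in plaintext between Vault and Postgres; `sslmode=require` is the minimal change if the in-cluster Postgres serves TLS. The surrounding `configMap` script begins and ends outside this hunk.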
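Review bot: `username: user` and `password: password` under `services.mail.auth` look like working defaults, and entrypoint.sh.gotmpl passes `--mail.username`/`--mail.password` unconditionally even when `auth.enabled` is false, so these placeholder values reach the process arguments of every deployment that does not override them. Empty strings (`username: ""`, `password: ""`) with a comment such as `# supplied by an override or secret values file when auth.enabled is true` state the intent and avoid shipping a default credential. `port: 25` is an integer while the entrypoint's `default "25"` is a string; Helm renders both the same way here, but quoting it as `"25"` keeps the type consistent with the template.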
@@ -308,3 +308,8 @@ releases: - {{ .Namespace | default "default" }}/claim-management - name: file-storage <<: *generic_stateless
+- name: dudoser
+ <<: *generic_stateless_json
+ needs:
+ - {{ .Namespace | default "default" }}/hellgate
+ - {{ .Namespace | default "default" }}/kafka
diff --git a/prod.values.yaml b/prod.values.yaml
new file mode 100644
index 0000000..d21cbd1
--- /dev/null
+++ b/prod.values.yaml
@@ -0,0 +1,76 @@
+cilium:
+ enabled: true
+elk:
+ enabled: false
+prometheus:
+ enabled: false
+ingress:
+ enabled: false
+ ip: 'someip'
+certmanager:
+ enabled: false
+services:
+ global:
+ ipv6only: true
+ metrics:
+ enabled: true
+ registry:
+ repository: docker.io/rbkmoney
+ imagePullSecret: {}
+ pcidss:
+ taints:
+ enabled: false
+ key: pcidss
+ value: true
+ replicas: 1
+ statelessReplicas: 1
+
+ vault:
+ enabled: true
+ dev: true
+ injectorNamespaced: true
+ transitUnseal:
+ enabled: false
+ address: http://another.vault.local:8200
+
+ riak:
+ riakMgAddress: riak
+ riakCdAddress: riak
+ riakWblAddress: riak
+
+ postgres:
+ external: false
+ # Values below uses only if postgres.external is true
+ endpoint: postgres-postgresql
+ uniUser: postgres
+ uniPassword: H@ckM3
+
+ kafka:
+ external: false
+ endpoint: kafka
+ port: 9092
+ ssl:
+ enabled: false
+ keystorePass: 12341234
+ # Set if differ from keystore password
+ keyPass: 12341234
+ truststorePass: 43214321
+
+ s3:
+ endpoint: minio:9000
+ region: EU
+ bucket: bucket-files
+ accessKey: user_01
+ secretKey: SomeSecretKeyFromS3AdminConsole
+
+ ingress:
+ class: "nginx-external"
+ rootDomain: prod.rbk.mn
+ namespacedDomain: false
+ tls:
+ enabled: true
+ letsEncrypt:
+ enabled: true
+ issuer: "letsencrypt-staging"
+ secretName: prodtls
+
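Review bot: The new release merges `*generic_stateless_json` whereas the neighbouring `file-storage` entry merges `*generic_stateless`; if that anchor is defined earlier in helmfile.yaml this is fine, but as the only release in view using it, a short comment on why dudoser needs the variant (presumably JSON logging) would help. `needs` lists hellgate and kafka, yet entrypoint.sh.gotmpl also calls `party-management:8022`, and the chart relies on a Postgres database and a Vault role created by other releases, so if `party-management`, `postgres` and `vault-cm` are releases in this helmfile they likely belong in `needs` as well. The `releases` list continues outside the hunk.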
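Review bot: prod.values.yaml commits credentials in plaintext (`uniPassword: H@ckM3`, `keystorePass: 12341234`, `keyPass: 12341234`, `truststorePass: 43214321`, `secretKey: SomeSecretKeyFromS3AdminConsole`); `accessKey`/`secretKey` match the default.values.yaml context visible above and `uniPassword` matches the literal in vault-cm, which suggests the block was copied rather than set, and even with `postgres.external: false` and `kafka.ssl.enabled: false` these are the values a later flag flip will activate. Keep placeholders here and load real values from an encrypted or out-of-repo values file (helmfile's `secrets:` entries via the helm-secrets plugin, or per-environment overrides). `issuer: "letsencrypt-staging"` under `ingress.tls.letsEncrypt` yields certificates from the Let's Encrypt staging CA, which clients do not trust; for a production values file this should be the production issuer or carry a comment explaining the choice. `imagePullSecret: {}` is an empty map, but values.yaml.gotmpl uses the value as a Secret name (`- name: {{ .Values.services.global.registry.imagePullSecret }}`); the empty map is falsy so the block is skipped today, but `""` matches the type the template expects.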