Dudoser (#245)

* add dudoser * add mail vars * enable dudoser * prod env vars Co-authored-by: Dmitry Skokov <d.skokov@rbkmoney.com>
2024-11-06 00:45:18 +00:00 · 2021-11-15 04:32:13 +03:00 · 2021-11-15 04:32:13 +03:00 · 01b16b6398
commit 01b16b6398
parent 8e423b22c7
8 changed files with 325 additions and 0 deletions
--- a/config/dudoser/entrypoint.sh.gotmpl
+++ b/config/dudoser/entrypoint.sh.gotmpl
@ -0,0 +1,33 @@
+#!/bin/sh
+set -ue
+
+java \
+    "-XX:OnOutOfMemoryError=kill %p" -XX:+HeapDumpOnOutOfMemoryError \
+    -jar \
+        /opt/dudoser/dudoser.jar \
+        --logging.config=/opt/dudoser/logback.xml \
+        -Dwoody.node_id=dudos1 \
+        --server.port=8022 \
+        --spring.flyway.schemas=dudos \
+        --hellgate.url=http://party-management:8022/v1/processing/partymgmt \
+        --hellgate.networkTimeout=300 \
+        --invoicing-service.url=http://hellgate:8022/v1/processing/invoicing \
+        --invoicing-service.networkTimeout=300 \
+        --kafka.bootstrap-servers="{{ .Values.services.kafka.endpoint | default "kafka" }}:{{ .Values.services.kafka.port | default "9092" }}" \
+        --kafka.topics.invoice.id=mg-events-invoice \
+        --kafka.topics.invoice.enabled=true \
+        --kafka.client-id=dudoser \
+        --kafka.consumer.group-id=Dudoser-Invoicing \
+        --kafka.consumer.concurrency=7 \
+        --mail.host={{ .Values.services.mail.smtp.host }} \
+        --mail.port={{ .Values.services.mail.smtp.port | default "25" }} \
+        --mail.smtp.auth={{ .Values.services.mail.auth.enabled }} \
+        --mail.username={{ .Values.services.mail.auth.username }} \
+        --mail.password={{ .Values.services.mail.auth.password }} \
+        --mail.from={{ .Values.services.mail.smtp.from }} \
+        --notification.payment.paid.from={{ .Values.services.mail.smtp.from }} \
+        --notification.create.invoice.from={{ .Values.services.mail.smtp.from }} \
+        --subject.timezone.refund=Europe/Moscow \
+        --subject.timezone.payment=Europe/Moscow \
+    ${@} \
+    --spring.config.additional-location=optional:/vault/secrets/application.properties
--- a/config/dudoser/loggers.xml
+++ b/config/dudoser/loggers.xml
@ -0,0 +1,4 @@
+<included>
+    <logger name="com.rbkmoney" level="INFO"/>
+    <logger name="com.rbkmoney.woody" level="INFO"/>
+</included>
--- a/config/dudoser/values.yaml.gotmpl
+++ b/config/dudoser/values.yaml.gotmpl
@ -0,0 +1,175 @@
+# -*- mode: yaml -*-
+
+replicaCount: 1
+
+image:
+  repository: {{ .Values.services.global.registry.repository | default "docker.io/rbkmoney" }}/dudoser
+  tag: 39c2a816501ccc2cc508e18a9e3d2577504f03db
+  pullPolicy: IfNotPresent
+
+{{ if .Values.services.global.registry.imagePullSecret }}
+imagePullSecrets:
+  - name: {{ .Values.services.global.registry.imagePullSecret }}
+{{ end }}
+
+runopts:
+  command: ["/opt/dudoser/entrypoint.sh"]
+
+configMap:
+  data:
+    entrypoint.sh: |
+      {{- tpl (readFile "entrypoint.sh.gotmpl") . | nindent 6 }}
+    loggers.xml: |
+      {{- readFile "loggers.xml" | nindent 6 }}
+    logback.xml: |
+      {{- readFile "../logs/logback.xml" | nindent 6 }}
+
+{{- if or .Values.services.postgres.external .Values.services.kafka.ssl.enabled }}
+secret:
+  data:
+    db_config: |
+    {{- if .Values.services.postgres.external }}
+      spring.datasource.url=jdbc:postgresql://{{ .Values.services.postgres.endpoint | default "external-postgres" }}:5432/dudoser?sslmode=disable
+      spring.datasource.username={{ .Values.services.postgres.uniUser }}
+      spring.datasource.password={{ .Values.services.postgres.uniPassword }}
+      flyway.url=jdbc:postgresql://{{ .Values.services.postgres.endpoint | default "external-postgres" }}:5432/dudoser?sslmode=disable
+      flyway.user={{ .Values.services.postgres.uniUser }}
+      flyway.password={{ .Values.services.postgres.uniPassword }}
+    {{- end }}
+    {{- if .Values.services.kafka.ssl.enabled }}
+      kafka.ssl.enabled=true
+      kafka.ssl.key-store-location=/vault/secrets/kafka-keystore.p12
+      kafka.ssl.key-store-password={{ .Values.services.kafka.ssl.keystorePass }}
+      kafka.ssl.key-store-type=PKCS12
+      kafka.ssl.key-password={{ .Values.services.kafka.ssl.keyPass }}
+      kafka.ssl.trust-store-location=/vault/secrets/kafka-truststore.p12
+      kafka.ssl.trust-store-password={{ .Values.services.kafka.ssl.truststorePass }}
+      kafka.ssl.trust-store-type=PKCS12
+    {{- end }}
+{{- end }}
+
+env:
+  - name: LOGBACK_SERVICE_NAME
+    value: "dudoser"
+
+volumes:
+  - name: config-volume
+    configMap:
+      name: {{ .Release.Name }}
+      defaultMode: 0755
+{{- if .Values.services.kafka.ssl.enabled }}
+  - name: kafka-cert
+    secret:
+      secretName: {{ .Release.Name }}-kafka-cert
+  - name: kafka-ca
+    secret:
+      secretName: java-ca-kafka
+{{- end }}
+{{- if or .Values.services.postgres.external .Values.services.kafka.ssl.enabled }}
+  - name: secret
+    secret:
+      secretName: {{ .Release.Name }}
+{{- end }}
+
+volumeMounts:
+  - name: config-volume
+    mountPath: /opt/dudoser/entrypoint.sh
+    subPath: entrypoint.sh
+    readOnly: true
+  - name: config-volume
+    mountPath: /opt/dudoser/logback.xml
+    subPath: logback.xml
+    readOnly: true
+  - name: config-volume
+    mountPath: /opt/dudoser/loggers.xml
+    subPath: loggers.xml
+    readOnly: true
+{{- if .Values.services.kafka.ssl.enabled }}
+  - name: kafka-ca
+    subPath: kafka-truststore.p12
+    mountPath: /vault/secrets/kafka-truststore.p12
+    readOnly: true
+  - name: kafka-cert
+    subPath: {{ .Release.Name }}.p12
+    mountPath: /vault/secrets/kafka-keystore.p12
+    readOnly: true
+{{- end }}
+{{- if or .Values.services.postgres.external .Values.services.kafka.ssl.enabled }}
+  - name: secret
+    subPath: db_config
+    mountPath: /vault/secrets/application.properties
+    readOnly: true
+{{- end }}
+
+service:
+  ports:
+    - name: api
+      port: 8022
+    - name: management
+      port: 8023
+
+livenessProbe:
+  httpGet:
+    path: /actuator/health
+    port: management
+
+readinessProbe:
+  httpGet:
+    path: /actuator/health
+    port: management
+
+{{- if .Values.services.vault.enabled }}
+podAnnotations:
+  vault.hashicorp.com/role: "db-app"
+  vault.hashicorp.com/agent-inject: "true"
+  vault.hashicorp.com/agent-inject-secret-application.properties: "database/creds/db-app-dudoser"
+  vault.hashicorp.com/agent-inject-template-application.properties: |
+    {{`{{- with secret "database/creds/db-app-dudoser" -}}
+    spring.datasource.url=jdbc:postgresql://postgres-postgresql:5432/magista?sslmode=disable
+    spring.datasource.username={{ .Data.username }}
+    spring.datasource.password={{ .Data.password }}
+    flyway.url=jdbc:postgresql://postgres-postgresql:5432/dudoser?sslmode=disable
+    flyway.user={{ .Data.username }}
+    flyway.password={{ .Data.password }}
+    {{- end }}`}}
+{{- end }}
+
+metrics:
+  serviceMonitor:
+    enabled: {{ .Values.services.global.metrics.enabled }}
+    namespace: {{ .Release.Namespace }}
+    additionalLabels:
+      release: prometheus
+    endpoints:
+      - port: "management"
+        path: /actuator/prometheus
+        scheme: http
+
+ciliumPolicies:
+  - filters:
+    - port: 5432
+      type: TCP
+    name: postgres
+  - filters:
+    - port: 9092
+{{/*
+      rules:
+        kafka:
+        - role: consume
+          topics:
+            - mg-events-invoice
+*/}}
+      type: TCP
+    name: kafka
+  - filters:
+    - port: 8200
+      type: TCP
+    name: vault
+  - filters:
+    - port: 8022
+      type: TCP
+    name: hellgate
+  - filters:
+    - port: 8022
+      type: TCP
+    name: party-management
--- a/config/postgres/values.yaml.gotmpl
+++ b/config/postgres/values.yaml.gotmpl
@ -27,6 +27,7 @@ initdbScripts:
     CREATE DATABASE fraudbusters;
     CREATE DATABASE "fraudbusters-management";
     CREATE DATABASE fb_notificator;
+     CREATE DATABASE dudoser;

 #TODO: If bump version, change master to primary
 master:
--- a/config/vault-cm/values.yaml.gotmpl
+++ b/config/vault-cm/values.yaml.gotmpl
@ -233,6 +233,24 @@ configMap:
        default_ttl="240h" \
        max_ttl="240h"

+      vault write database/config/dudoser \
+        plugin_name=postgresql-database-plugin \
+        allowed_roles="*" \
+        connection_url="postgresql://{{`{{username}}`}}:{{`{{password}}`}}@postgres-postgresql:5432/dudoser?sslmode=disable" \
+        username="postgres" \
+        password="H@ckM3"
+      vault write database/roles/db-app-dudoser \
+        db_name=dudoser \
+        revocation_statements="REASSIGN OWNED BY \"{{`{{name}}`}}\" to postgres; ALTER ROLE \"{{`{{name}}`}}\" NOLOGIN;" \
+        creation_statements="Create schema if not exists dudos;
+        CREATE ROLE \"{{`{{name}}`}}\" WITH LOGIN PASSWORD '{{`{{password}}`}}' VALID UNTIL '{{`{{expiration}}`}}';
+        GRANT CREATE ON DATABASE dudoser TO \"{{`{{name}}`}}\";
+        GRANT ALL ON SCHEMA dudos TO \"{{`{{name}}`}}\";
+        GRANT ALL ON ALL TABLES IN SCHEMA dudos TO \"{{`{{name}}`}}\";
+        GRANT ALL ON ALL SEQUENCES IN SCHEMA dudos TO \"{{`{{name}}`}}\";" \
+        default_ttl="240h" \
+        max_ttl="240h"
+
      vault secrets enable kv

      vault kv put secret/xrates \
@ -302,3 +320,6 @@ configMap:
      path "database/creds/db-app-fb-notificator" {
          capabilities = ["read"]
      }
+      path "database/creds/db-app-dudoser" {
+          capabilities = ["read"]
+      }
--- a/default.values.yaml
+++ b/default.values.yaml
@ -88,6 +88,16 @@ services:
    accessKey: user_01
    secretKey: SomeSecretKeyFromS3AdminConsole

+  mail:
+    smtp:
+      host: mail
+      port: 25
+      from: no-reply@test.ru
+    auth:
+      enabled: false
+      username: user
+      password: password
+
  ingress:
 # Ingressclass if have more than one controller:
    class: "nginx"
--- a/helmfile.yaml
+++ b/helmfile.yaml
@ -308,3 +308,8 @@ releases:
    - {{ .Namespace | default "default" }}/claim-management
 - name: file-storage
  <<: *generic_stateless
+- name: dudoser
+  <<: *generic_stateless_json
+  needs:
+    - {{ .Namespace | default "default" }}/hellgate
+    - {{ .Namespace | default "default" }}/kafka
--- a/prod.values.yaml
+++ b/prod.values.yaml
@ -0,0 +1,76 @@
+cilium:
+  enabled: true
+elk:
+  enabled: false
+prometheus:
+  enabled: false
+ingress:
+  enabled: false
+  ip: 'someip'
+certmanager:
+  enabled: false
+services:
+  global:
+    ipv6only: true
+    metrics:
+      enabled: true
+    registry:
+      repository: docker.io/rbkmoney
+      imagePullSecret: {}
+    pcidss:
+      taints:
+        enabled: false
+        key: pcidss
+        value: true
+      replicas: 1
+    statelessReplicas: 1
+
+  vault:
+    enabled: true
+    dev: true
+    injectorNamespaced: true
+    transitUnseal:
+      enabled: false
+      address: http://another.vault.local:8200
+
+  riak:
+    riakMgAddress: riak
+    riakCdAddress: riak
+    riakWblAddress: riak
+
+  postgres:
+    external: false
+  # Values below uses only if postgres.external is true
+    endpoint: postgres-postgresql
+    uniUser: postgres
+    uniPassword: H@ckM3
+
+  kafka:
+    external: false
+    endpoint: kafka
+    port: 9092
+    ssl:
+      enabled: false
+      keystorePass: 12341234
+      # Set if differ from keystore password
+      keyPass: 12341234
+      truststorePass: 43214321
+
+  s3:
+    endpoint: minio:9000
+    region: EU
+    bucket: bucket-files
+    accessKey: user_01
+    secretKey: SomeSecretKeyFromS3AdminConsole
+
+  ingress:
+    class: "nginx-external"
+    rootDomain: prod.rbk.mn
+    namespacedDomain: false
+    tls:
+      enabled: true
+      letsEncrypt:
+        enabled: true
+        issuer: "letsencrypt-staging"
+      secretName: prodtls
+