* add epic branch with java services

* Introduce analytics (#166)

* Introduce questionary (#175)

* Introduce questionary

* actualize questionary

* actualize questionary

* Introduce claim-management (#173)

* Introduce questionary-aggr-proxy (#176)

* management.endpoint.prometheus.enabled=true

* Change Claim database name for PG compatibility

* move CH password from template

* Introduce magista (#169)

* Introduce magista-kafka

* Introduce magista-kafka

* Introduce magista-kafka

* Introduce mst

* move kafka comment to the end of file

* actualize magista

* actualize magista

* actualize magista

* management.endpoint.prometheus.enabled=true

Co-authored-by: Dmitry Skokov <d.skokov@rbkmoney.com>
Co-authored-by: vilorij <vilorij@ya.ru>

* fix url in anapi for correct rendering in logs

* Add LE certs issuer to ingress

* erl default templating
disable ServiceMonitor

* new db init

* riak fix ConfigMap

* shortener config templating

* Dashboard fix realm, 404 error and add ingress

* disable SM in hooker

* add objectselector in vault

* Shumway add schema

* add ingress tls variable into defaults.values

* Fistful templating erl defaults
typo fix in MG address

* add default realms

* Consuela for MG
add namespace for payouts

* helmfile deps bump

* add fistful-magista

* add payouter

* add columbus

* add columbus

* disable SM

* analytics fix
clickhouse node for analytics

* claimmgmt add

* fix iddqd appconfig mounts

* deanonimus add

* add antifraud

* kafka scale and infinity retention

* KK realms readability
fix password for manager
add roles mapping

* disable Consuela for the issues in consul

* typo fix in checkout

* DB for antifraud

* add schema setting for questionary

* shortener fix with KK public key

* HG ingress for iddqd

* Dominant ingress for iddqd

* messages add
disable vault password control because of foreign keys in DB

* papi add

* idkfa add

* dark-api add

* fix hooker DB name
add DB for fraudbusters

* add new services in helmfile and bump deps

* delete useless keycloak values

Co-authored-by: karleowne <a.karlov@rbkmoney.com>
Co-authored-by: Dmitry Skokov <d.skokov@rbkmoney.com>
vilorij 2021-07-08 04:10:39 +03:00 committed by GitHub
parent 454142b7dd
commit 07132eea39
GPG Key ID: 4AEE18F83AFDEB23
104 changed files with 8413 additions and 180 deletions

@ -0,0 +1,51 @@
#!/bin/sh
set -ue
java \
"-XX:OnOutOfMemoryError=kill %p" -XX:+HeapDumpOnOutOfMemoryError \
-jar \
/opt/analytics/analytics.jar \
--logging.config=/opt/analytics/logback.xml \
--management.security.flag=false \
--management.metrics.export.statsd.flavor=etsy \
--management.metrics.export.statsd.enabled=true \
--management.metrics.export.prometheus.enabled=true \
--management.endpoint.health.show-details=always \
--management.endpoint.metrics.enabled=true \
--management.endpoint.prometheus.enabled=true \
--management.endpoints.web.exposure.include=health,info,prometheus \
--spring.application.name=analytics \
--kafka.bootstrap.servers=kafka:9092 \
--kafka.topic.event.sink.initial=mg-events-invoice \
--kafka.topic.payout.initial=payout \
--kafka.topic.party.initial=mg-events-party \
--kafka.consumer.concurrency=7 \
--kafka.consumer.prefix=analytics-v10 \
--kafka.max.poll.records=200 \
--kafka.max.poll.interval.ms=300000 \
--kafka.max.session.timeout.ms=300000 \
--spring.datasource.hikari.data-source-properties.prepareThreshold=0 \
--spring.datasource.hikari.leak-detection-threshold=5300 \
--spring.datasource.hikari.max-lifetime=300000 \
--spring.datasource.hikari.idle-timeout=30000 \
--spring.datasource.hikari.minimum-idle=2 \
--spring.datasource.hikari.maximum-pool-size=20 \
--spring.flyway.schemas=analytics \
--postgres.db.schema=analytics \
--flyway.schemas=analytics \
--columbus.url=http://columbus:8022/repo \
--columbus.networkTimeout=60000 \
--service.invoicing.url=http://hellgate:8022/v1/processing/invoicing \
--service.invoicing.networkTimeout=60000 \
--service.payouter.url=http://payouter:8022/payout/management \
--service.payouter.networkTimeout=60000 \
--service.dominant.url=http://dominant:8022/v1/domain/repository \
--service.dominant.networkTimeout=60000 \
--service.dominant.scheduler.enabled=true \
--service.dominant.scheduler.pollingDelay=10000 \
--service.dominant.scheduler.querySize=10 \
--logging.level.com.rbkmoney.analytics.service.PartyService=DEBUG \
--logging.level.com.rbkmoney.analytics.listener.handler.party.PartyMachineEventHandler=DEBUG \
--logging.level.com.rbkmoney.analytics.listener.mapper.party.ContractorCreatedHandler=DEBUG \
${@} \
--spring.config.additional-location=/vault/secrets/application.properties \
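Review bot: `${@}` on the pass-through line is unquoted, so any extra argument that contains whitespace or a glob character is word-split or expanded before `java` sees it; use `"$@"` instead (the claim-management entrypoint in this commit has the same line). The script also ends with a bare trailing `\` after the `--spring.config.additional-location` option, which is harmless today but turns whatever is appended next into part of the `java` command, so drop the final continuation. Placing that option after `"$@"` is presumably deliberate so the Vault-injected properties always win over caller-supplied flags; a one-line comment saying so would save the next reader a guess.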

@ -0,0 +1,4 @@
<included>
<logger name="com.rbkmoney" level="INFO"/>
<logger name="com.rbkmoney.woody" level="INFO"/>
</included>

@ -0,0 +1,139 @@
# -*- mode: yaml -*-
replicaCount: 1
image:
repository: docker.io/rbkmoney/analytics
tag: b9da0376e15b3aabf89141b1343e7c68f3b5af05
pullPolicy: IfNotPresent
runopts:
command: ["/opt/analytics/entrypoint.sh"]
configMap:
data:
entrypoint.sh: |
{{- readFile "entrypoint.sh" | nindent 6 }}
loggers.xml: |
{{- readFile "loggers.xml" | nindent 6 }}
logback.xml: |
{{- readFile "../logs/logback.xml" | nindent 6 }}
volumes:
- name: config-volume
configMap:
name: {{ .Release.Name }}
defaultMode: 0755
volumeMounts:
- name: config-volume
mountPath: /opt/analytics/entrypoint.sh
subPath: entrypoint.sh
readOnly: true
- name: config-volume
mountPath: /opt/analytics/logback.xml
subPath: logback.xml
readOnly: true
- name: config-volume
mountPath: /opt/analytics/loggers.xml
subPath: loggers.xml
readOnly: true
service:
ports:
- name: api
port: 8022
- name: management
port: 8023
livenessProbe:
httpGet:
path: /actuator/health
port: management
readinessProbe:
httpGet:
path: /actuator/health
port: management
podAnnotations:
vault.hashicorp.com/role: "db-app"
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-inject-secret-application.properties: "database/creds/db-app-analytics"
vault.hashicorp.com/agent-inject-template-application.properties: |
{{`{{- with secret "database/creds/db-app-analytics" -}}
spring.datasource.url=jdbc:postgresql://postgres-postgresql:5432/analytics?sslmode=disable
spring.datasource.username={{ .Data.username }}
spring.datasource.password={{ .Data.password }}
spring.flyway.url=jdbc:postgresql://postgres-postgresql:5432/analytics?sslmode=disable
spring.flyway.user={{ .Data.username }}
spring.flyway.password={{ .Data.password }}
spring.flyway.schemas=analytics
postgres.db.url=jdbc:postgresql://postgres-postgresql:5432/analytics?sslmode=disable
postgres.db.user={{ .Data.username }}
postgres.db.password={{ .Data.password }}
clickhouse.db.url=jdbc:clickhouse://chi-demo-cluster-0-0:8123/analytic
clickhouse.db.user=analytic
clickhouse.db.password=hackme
{{- end }}`}}
metrics:
serviceMonitor:
enabled: false
namespace: {{ .Release.Namespace }}
additionalLabels:
release: prometheus
endpoints:
- port: "management"
path: /actuator/prometheus
scheme: http
ciliumPolicies:
- filters:
- port: 5432
type: TCP
name: postgres
namespace: {{ .Release.Namespace }}
- filters:
- port: 9092
rules:
kafka:
- role: consume
topics:
- mg-events-invoice
- payout
- mg-events-party
type: TCP
name: kafka
namespace: {{ .Release.Namespace }}
- filters:
- port: 8123
type: TCP
name: clickhouse
namespace: {{ .Release.Namespace }}
- filters:
- port: 8200
type: TCP
name: vault
namespace: {{ .Release.Namespace }}
- filters:
- port: 8022
type: TCP
name: columbus
namespace: {{ .Release.Namespace }}
- filters:
- port: 8022
type: TCP
name: hellgate
namespace: {{ .Release.Namespace }}
- filters:
- port: 8022
type: TCP
name: payouter
namespace: {{ .Release.Namespace }}
- filters:
- port: 8022
type: TCP
name: dominant
namespace: {{ .Release.Namespace }}
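Review bot: `clickhouse.db.password=hackme` is a literal inside the Vault agent template, so it is rendered into the pod annotation and is readable by anyone who can `get pods`, while the Postgres credentials next to it are fetched from `database/creds/db-app-analytics`; the commit message says the CH password was moved out of the template, but this hunk still carries it. Pull the ClickHouse credentials from Vault with a second `{{ with secret "..." }}` block (or a KV lookup) instead. Separately, all three JDBC URLs use `sslmode=disable`; if the Postgres service terminates TLS, `sslmode=require` costs nothing here, and if it does not, a comment noting that the connection is cluster-internal plaintext by design would help.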

@ -77,10 +77,10 @@
{anapi_woody_client, [
{service_urls, #{
merchant_stat => "http://magista-kafka:8022/stat",
reporting => "http://reporter:8022/reports/new-proto",
analytics => "http://analytics:8022/analytics/v1",
party_shop => "http://party-shop:8022/party-shop/v1"
merchant_stat => <<"http://magista:8022/stat">>,
reporting => <<"http://reporter:8022/reports/new-proto">>,
analytics => <<"http://analytics:8022/analytics/v1">>,
party_shop => <<"http://party-shop:8022/party-shop/v1">>
}},
{service_deadlines, #{
merchant_stat => 30000, % milliseconds
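Review bot: besides switching the four URLs from lists to binaries (the "correct rendering in logs" fix), this hunk also repoints `merchant_stat` from `magista-kafka:8022` to `magista:8022`, which is a backend change bundled into a formatting change and worth calling out in the commit message. Confirm that `anapi_woody_client` accepts binary `service_urls`; if it only pattern-matches on lists the client will fail at call time rather than at config load.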

@ -12,7 +12,7 @@ configMap:
sys.config: |
{{- readFile "sys.config" | nindent 6 }}
erl_inetrc: |
{{- readFile "../vm/erl_inetrc" | nindent 6 }}
{{- tpl (readFile "../vm/erl_inetrc.gotmpl") . | nindent 6 }}
fetchKeycloakPubkey: |
{{- readFile "../api-common/fetch-keycloak-pubkey.sh" | nindent 6 }}
oopsBody1: |
@ -66,21 +66,35 @@ service:
metrics:
serviceMonitor:
enabled: true
enabled: false
namespace: {{ .Release.Namespace }}
additionalLabels:
release: prometheus
ingress:
enabled: true
annotations:
{{- if .Values.services.ingress.tls.letsEncrypt.enabled }}
cert-manager.io/cluster-issuer: {{ .Values.services.ingress.tls.letsEncrypt.issuer }}
{{- end }}
kubernetes.io/ingress.class: {{ .Values.services.ingress.class | quote }}
nginx.ingress.kubernetes.io/enable-cors: "false"
nginx.ingress.kubernetes.io/cors-allow-methods: "PUT, GET, POST, OPTIONS"
nginx.ingress.kubernetes.io/cors-allow-credentials: "true"
nginx.ingress.kubernetes.io/configuration-snippet: |
more_set_headers "Access-Control-Allow-Origin: $http_origin";
hosts:
- host: api.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}
paths:
- /lk/v1
{{- if .Values.services.ingress.tls.enabled }}
tls:
{{ if .Values.services.ingress.tls.letsEncrypt.enabled }}
- secretName: {{ .Release.Name }}-{{ .Values.services.ingress.tls.secretName }}
{{- else }}
- secretName: {{ .Values.services.ingress.tls.secretName }}
{{- end }}
hosts:
- api.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}
- api.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}
{{- end }}
servicePort: 8080
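Review bot: the `configuration-snippet` `more_set_headers "Access-Control-Allow-Origin: $http_origin"` echoes whatever `Origin` the client sends, and combined with `cors-allow-credentials: "true"` that is equivalent to a credentialed wildcard, which browsers deliberately forbid for `*`; the same snippet appears in the other API-gateway charts touched by this commit. Prefer `nginx.ingress.kubernetes.io/cors-allow-origin` with an explicit allow-list and drop the snippet. Also note that with `enable-cors: "false"` here the `cors-allow-methods` / `cors-allow-credentials` annotations are ignored by ingress-nginx, so the reflected header is the only CORS behaviour this chart actually ends up with. Minor: `{{ if .Values.services.ingress.tls.letsEncrypt.enabled }}` lacks the `-` the surrounding tags use and will emit a stray blank line, and the `api.` host line appears twice under `tls.hosts`; verify with `helm template` that only one survives.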

@ -12,13 +12,13 @@ configMap:
sys.config: |
{{- readFile "sys.config" | nindent 6 }}
erl_inetrc: |
{{- readFile "../vm/erl_inetrc" | nindent 6 }}
{{- tpl (readFile "../vm/erl_inetrc.gotmpl") . | nindent 6 }}
vm.args: |
{{- tpl (readFile "../vm/erl_vm_args.gotmpl") . | nindent 6 }}
metrics:
serviceMonitor:
enabled: true
enabled: false
namespace: {{ .Release.Namespace }}
additionalLabels:
release: prometheus

@ -12,7 +12,7 @@ configMap:
sys.config: |
{{- readFile "sys.config" | nindent 6 }}
erl_inetrc: |
{{- readFile "../vm/erl_inetrc" | nindent 6 }}
{{- tpl (readFile "../vm/erl_inetrc.gotmpl") . | nindent 6 }}
fetchKeycloakPubkey: |
{{- readFile "../api-common/fetch-keycloak-pubkey.sh" | nindent 6 }}
oopsBody1: |
@ -66,20 +66,34 @@ service:
metrics:
serviceMonitor:
enabled: true
enabled: false
namespace: {{ .Release.Namespace }}
additionalLabels:
release: prometheus
ingress:
enabled: true
annotations:
nginx.ingress.kubernetes.io/enable-cors: "true"
{{- if .Values.services.ingress.tls.letsEncrypt.enabled }}
cert-manager.io/cluster-issuer: {{ .Values.services.ingress.tls.letsEncrypt.issuer }}
{{- end }}
kubernetes.io/ingress.class: {{ .Values.services.ingress.class | quote }}
nginx.ingress.kubernetes.io/cors-allow-methods: "PUT, GET, POST, OPTIONS"
nginx.ingress.kubernetes.io/cors-allow-credentials: "true"
nginx.ingress.kubernetes.io/configuration-snippet: |
more_set_headers "Access-Control-Allow-Origin: $http_origin";
hosts:
- host: api.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}
paths:
- /binbase/v1
{{- if .Values.services.ingress.tls.enabled }}
tls:
{{ if .Values.services.ingress.tls.letsEncrypt.enabled }}
- secretName: {{ .Release.Name }}-{{ .Values.services.ingress.tls.secretName }}
{{- else }}
- secretName: {{ .Values.services.ingress.tls.secretName }}
{{- end }}
hosts:
- api.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}
{{- end }}

@ -12,7 +12,7 @@ configMap:
sys.config: |
{{- readFile "sys.config" | nindent 6 }}
erl_inetrc: |
{{- readFile "../vm/erl_inetrc" | nindent 6 }}
{{- tpl (readFile "../vm/erl_inetrc.gotmpl") . | nindent 6 }}
fetchKeycloakPubkey: |
{{- readFile "../api-common/fetch-keycloak-pubkey.sh" | nindent 6 }}
oopsBody1: |
@ -79,20 +79,44 @@ service:
metrics:
serviceMonitor:
enabled: true
enabled: false
namespace: {{ .Release.Namespace }}
additionalLabels:
release: prometheus
ingress:
enabled: true
annotations:
nginx.ingress.kubernetes.io/enable-cors: "true"
{{- if .Values.services.ingress.tls.letsEncrypt.enabled }}
cert-manager.io/cluster-issuer: {{ .Values.services.ingress.tls.letsEncrypt.issuer }}
{{- end }}
kubernetes.io/ingress.class: {{ .Values.services.ingress.class | quote }}
nginx.ingress.kubernetes.io/cors-allow-methods: "PUT, GET, POST, OPTIONS"
nginx.ingress.kubernetes.io/cors-allow-credentials: "true"
nginx.ingress.kubernetes.io/configuration-snippet: |
more_set_headers "Access-Control-Allow-Origin: $http_origin";
annotations:
nginx.ingress.kubernetes.io/enable-cors: "true"
{{- if .Values.services.ingress.tls.letsEncrypt.enabled }}
cert-manager.io/cluster-issuer: {{ .Values.services.ingress.tls.letsEncrypt.issuer }}
{{- end }}
kubernetes.io/ingress.class: "nginx"
nginx.ingress.kubernetes.io/cors-allow-methods: "PUT, GET, POST, OPTIONS"
nginx.ingress.kubernetes.io/cors-allow-credentials: "true"
nginx.ingress.kubernetes.io/configuration-snippet: |
more_set_headers "Access-Control-Allow-Origin: $http_origin";
hosts:
- host: api.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}
paths:
- /v1/processing/payment-resources
{{- if .Values.services.ingress.tls.enabled }}
tls:
{{ if .Values.services.ingress.tls.letsEncrypt.enabled }}
- secretName: {{ .Release.Name }}-{{ .Values.services.ingress.tls.secretName }}
{{- else }}
- secretName: {{ .Values.services.ingress.tls.secretName }}
{{- end }}
hosts:
- api.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}
{{- end }}
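Review bot: `annotations:` appears twice under `ingress:` in this hunk, once with `kubernetes.io/ingress.class: {{ .Values.services.ingress.class | quote }}` and once with a hardcoded `"nginx"`; if both are added lines the rendered YAML has a duplicate mapping key and the loader keeps only one of them, and if one is the removed block the diff should show it as such. Render the chart and confirm that only the templated block remains, since the hardcoded class would silently bypass the `services.ingress.class` value every other chart in this commit honours.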

@ -12,7 +12,7 @@ configMap:
sys.config: |
{{- readFile "sys.config" | nindent 6 }}
erl_inetrc: |
{{- readFile "../vm/erl_inetrc" | nindent 6 }}
{{- tpl (readFile "../vm/erl_inetrc.gotmpl") . | nindent 6 }}
fetchKeycloakPubkey: |
{{- readFile "../api-common/fetch-keycloak-pubkey.sh" | nindent 6 }}
oopsBody1: |
@ -79,20 +79,35 @@ service:
metrics:
serviceMonitor:
enabled: true
enabled: false
namespace: {{ .Release.Namespace }}
additionalLabels:
release: prometheus
ingress:
enabled: true
annotations:
nginx.ingress.kubernetes.io/enable-cors: "true"
{{- if .Values.services.ingress.tls.letsEncrypt.enabled }}
cert-manager.io/cluster-issuer: {{ .Values.services.ingress.tls.letsEncrypt.issuer }}
{{- end }}
kubernetes.io/ingress.class: {{ .Values.services.ingress.class | quote }}
nginx.ingress.kubernetes.io/cors-allow-methods: "PUT, GET, POST, OPTIONS"
nginx.ingress.kubernetes.io/cors-allow-headers: "DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization,X-Request-ID"
nginx.ingress.kubernetes.io/cors-allow-credentials: "true"
nginx.ingress.kubernetes.io/configuration-snippet: |
more_set_headers "Access-Control-Allow-Origin: $http_origin";
hosts:
- host: api.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}
paths:
- /v2/processing/payment-resources
{{- if .Values.services.ingress.tls.enabled }}
tls:
{{ if .Values.services.ingress.tls.letsEncrypt.enabled }}
- secretName: {{ .Release.Name }}-{{ .Values.services.ingress.tls.secretName }}
{{- else }}
- secretName: {{ .Values.services.ingress.tls.secretName }}
{{- end }}
hosts:
- api.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}
{{- end }}

@ -12,7 +12,7 @@ configMap:
sys.config: |
{{- readFile "sys.config" | nindent 6 }}
erl_inetrc: |
{{- readFile "../vm/erl_inetrc" | nindent 6 }}
{{- tpl (readFile "../vm/erl_inetrc.gotmpl") . | nindent 6 }}
fetchKeycloakPubkey: |
{{- readFile "../api-common/fetch-keycloak-pubkey.sh" | nindent 6 }}
oopsBody1: |
@ -79,20 +79,34 @@ service:
metrics:
serviceMonitor:
enabled: true
enabled: false
namespace: {{ .Release.Namespace }}
additionalLabels:
release: prometheus
ingress:
enabled: true
annotations:
nginx.ingress.kubernetes.io/enable-cors: "true"
{{- if .Values.services.ingress.tls.letsEncrypt.enabled }}
cert-manager.io/cluster-issuer: {{ .Values.services.ingress.tls.letsEncrypt.issuer }}
{{- end }}
kubernetes.io/ingress.class: {{ .Values.services.ingress.class | quote }}
nginx.ingress.kubernetes.io/cors-allow-methods: "PUT, GET, POST, OPTIONS"
nginx.ingress.kubernetes.io/cors-allow-credentials: "true"
nginx.ingress.kubernetes.io/configuration-snippet: |
more_set_headers "Access-Control-Allow-Origin: $http_origin";
hosts:
- host: api.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}
paths:
- /v1
{{- if .Values.services.ingress.tls.enabled }}
tls:
{{ if .Values.services.ingress.tls.letsEncrypt.enabled }}
- secretName: {{ .Release.Name }}-{{ .Values.services.ingress.tls.secretName }}
{{- else }}
- secretName: {{ .Values.services.ingress.tls.secretName }}
{{- end }}
hosts:
- api.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}
{{- end }}

@ -12,7 +12,7 @@ configMap:
sys.config: |
{{- readFile "sys.config" | nindent 6 }}
erl_inetrc: |
{{- readFile "../vm/erl_inetrc" | nindent 6 }}
{{- tpl (readFile "../vm/erl_inetrc.gotmpl") . | nindent 6 }}
fetchKeycloakPubkey: |
{{- readFile "../api-common/fetch-keycloak-pubkey.sh" | nindent 6 }}
oopsBody1: |
@ -79,20 +79,30 @@ service:
metrics:
serviceMonitor:
enabled: true
enabled: false
namespace: {{ .Release.Namespace }}
additionalLabels:
release: prometheus
ingress:
enabled: true
annotations:
{{- if .Values.services.ingress.tls.letsEncrypt.enabled }}
cert-manager.io/cluster-issuer: {{ .Values.services.ingress.tls.letsEncrypt.issuer }}
{{- end }}
nginx.ingress.kubernetes.io/cors-allow-headers: "DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization,X-Request-ID"
kubernetes.io/ingress.class: {{ .Values.services.ingress.class | quote }}
hosts:
- host: api.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}
paths:
- /v2
{{- if .Values.services.ingress.tls.enabled }}
tls:
{{ if .Values.services.ingress.tls.letsEncrypt.enabled }}
- secretName: {{ .Release.Name }}-{{ .Values.services.ingress.tls.secretName }}
{{- else }}
- secretName: {{ .Values.services.ingress.tls.secretName }}
{{- end }}
hosts:
- api.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}
{{- end }}
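Review bot: `nginx.ingress.kubernetes.io/cors-allow-headers` is set here without `nginx.ingress.kubernetes.io/enable-cors: "true"`, and ingress-nginx only emits CORS headers when `enable-cors` is true, so this annotation is a no-op as written. Either add `enable-cors: "true"` (with an explicit `cors-allow-origin` rather than a reflected one) if `/v2` is meant to be called cross-origin, or drop the annotation so it does not suggest a policy that is not in force.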

@ -12,7 +12,7 @@ configMap:
sys.config: |
{{- readFile "sys.config" | nindent 6 }}
erl_inetrc: |
{{- readFile "../vm/erl_inetrc" | nindent 6 }}
{{- tpl (readFile "../vm/erl_inetrc.gotmpl") . | nindent 6 }}
vm.args: |
{{- tpl (readFile "../vm/erl_vm_args.gotmpl") . | nindent 6 }}
@ -50,7 +50,7 @@ volumes:
metrics:
serviceMonitor:
enabled: true
enabled: false
namespace: {{ .Release.Namespace }}
additionalLabels:
release: prometheus

@ -0,0 +1,37 @@
#!/bin/sh
set -ue
java \
"-XX:OnOutOfMemoryError=kill %p" -XX:+HeapDumpOnOutOfMemoryError \
-jar \
/opt/claim-management/claim-management.jar \
--logging.config=/opt/claim-management/logback.xml \
--management.security.flag=false \
--management.metrics.export.statsd.flavor=etsy \
--management.metrics.export.statsd.enabled=true \
--management.metrics.export.prometheus.enabled=true \
--management.endpoint.health.show-details=always \
--management.endpoint.metrics.enabled=true \
--management.endpoint.prometheus.enabled=true \
--management.endpoints.web.exposure.include=health,info,prometheus \
--spring.datasource.hikari.data-source-properties.prepareThreshold=0 \
--spring.datasource.hikari.leak-detection-threshold=5300 \
--spring.datasource.hikari.max-lifetime=300000 \
--spring.datasource.hikari.idle-timeout=30000 \
--spring.datasource.hikari.minimum-idle=2 \
--spring.datasource.hikari.maximum-pool-size=20 \
--spring.application.name=claim-management \
--claim-management.limit=1000 \
--kafka.bootstrap.servers=kafka:9092 \
--kafka.topics.claim-event-sink.enabled=true \
--kafka.topics.claim-event-sink.id=claim-event-sink \
--kafka.client-id=claim-management \
--kafka.consumer.group-id=claim-management-group-1 \
--claim-management.committers[0].id=hellgate \
--claim-management.committers[0].uri=http://hellgate:8022/v1/processing/claim_committer \
--claim-management.committers[0].timeout=60000 \
--claim-management.committers[1].id=cashier \
--claim-management.committers[1].uri=http://cashier:8022/claim-committer \
--claim-management.committers[1].timeout=10000 \
${@} \
--spring.config.additional-location=/vault/secrets/application.properties \

@ -0,0 +1,4 @@
<included>
<logger name="com.rbkmoney" level="INFO"/>
<logger name="com.rbkmoney.woody" level="INFO"/>
</included>

@ -0,0 +1,140 @@
# -*- mode: yaml -*-
replicaCount: 1
image:
repository: docker.io/rbkmoney/claim-management
tag: 0bce7ae059b37a2c12a6b8b0d2b9ad661da7b88e
pullPolicy: IfNotPresent
runopts:
command: ["/opt/claim-management/entrypoint.sh"]
configMap:
data:
entrypoint.sh: |
{{- readFile "entrypoint.sh" | nindent 6 }}
loggers.xml: |
{{- readFile "loggers.xml" | nindent 6 }}
logback.xml: |
{{- readFile "../logs/logback.xml" | nindent 6 }}
volumes:
- name: config-volume
configMap:
name: {{ .Release.Name }}
defaultMode: 0755
volumeMounts:
- name: config-volume
mountPath: /opt/claim-management/entrypoint.sh
subPath: entrypoint.sh
readOnly: true
- name: config-volume
mountPath: /opt/claim-management/logback.xml
subPath: logback.xml
readOnly: true
- name: config-volume
mountPath: /opt/claim-management/loggers.xml
subPath: loggers.xml
readOnly: true
service:
ports:
- name: api
port: 8022
- name: management
port: 8023
livenessProbe:
httpGet:
path: /actuator/health
port: management
readinessProbe:
httpGet:
path: /actuator/health
port: management
podAnnotations:
vault.hashicorp.com/role: "db-app"
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-inject-secret-application.properties: "database/creds/db-app-claim-management"
vault.hashicorp.com/agent-inject-template-application.properties: |
{{`{{- with secret "database/creds/db-app-claim-management" -}}
spring.datasource.url=jdbc:postgresql://postgres-postgresql:5432/claimmng?sslmode=disable
spring.datasource.username={{ .Data.username }}
spring.datasource.password={{ .Data.password }}
spring.flyway.url=jdbc:postgresql://postgres-postgresql:5432/claimmng?sslmode=disable
spring.flyway.user={{ .Data.username }}
spring.flyway.password={{ .Data.password }}
spring.flyway.schemas=cm
flyway.schemas=cm
{{- end }}`}}
metrics:
serviceMonitor:
enabled: false
namespace: {{ .Release.Namespace }}
additionalLabels:
release: prometheus
endpoints:
- port: "management"
path: /actuator/prometheus
scheme: http
ingress:
enabled: true
annotations:
{{- if .Values.services.ingress.tls.letsEncrypt.enabled }}
cert-manager.io/cluster-issuer: {{ .Values.services.ingress.tls.letsEncrypt.issuer }}
{{- end }}
kubernetes.io/ingress.class: {{ .Values.services.ingress.class | quote }}
hosts:
- host: iddqd.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}
paths:
- /v1/cm
{{- if .Values.services.ingress.tls.enabled }}
tls:
{{ if .Values.services.ingress.tls.letsEncrypt.enabled }}
- secretName: {{ .Release.Name }}-{{ .Values.services.ingress.tls.secretName }}
{{- else }}
- secretName: {{ .Values.services.ingress.tls.secretName }}
{{- end }}
hosts:
- iddqd.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}
{{- end }}
servicePort: 8022
ciliumPolicies:
- filters:
- port: 5432
type: TCP
name: postgres
namespace: {{ .Release.Namespace }}
- filters:
- port: 9092
rules:
kafka:
- role: consume
topics:
- claim-event-sink
type: TCP
name: kafka
namespace: {{ .Release.Namespace }}
- filters:
- port: 8200
type: TCP
name: vault
namespace: {{ .Release.Namespace }}
- filters:
- port: 8022
type: TCP
name: hellgate
namespace: {{ .Release.Namespace }}
- filters:
- port: 8022
type: TCP
name: cashier
namespace: {{ .Release.Namespace }}
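Review bot: this chart and the analytics chart both inject with `vault.hashicorp.com/role: "db-app"` while requesting different secrets (`database/creds/db-app-claim-management` here, `database/creds/db-app-analytics` there). If the `db-app` role's policy grants both paths, either pod can mint credentials for the other service's database; bind one Vault role per service (and per Kubernetes service account) so the policy only covers that service's `database/creds/...` path. As in the analytics values, the JDBC URLs use `sslmode=disable`; document that as intentional or switch to `require`.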

config/clickhouse/CH_db Normal file

@ -0,0 +1,500 @@
CREATE DATABASE IF NOT EXISTS analytic;
CREATE TABLE analytic.chargeback (
timestamp Date,
eventTime UInt64,
eventTimeHour UInt64,
id String,
email String,
ip String,
fingerprint String,
bin String,
maskedPan String,
cardToken String,
paymentSystem String,
paymentTool String,
terminal String,
providerId String,
bankCountry String,
partyId String,
shopId String,
amount UInt64,
currency String,
payerType String,
tokenProvider String,
status Enum8('accepted' = 1, 'rejected' = 2, 'cancelled' = 3),
category Enum8('fraud' = 1, 'dispute' = 2, 'authorisation' = 3, 'processing_error' = 4),
chargebackCode String,
paymentId String
) ENGINE = ReplacingMergeTree()
PARTITION BY toYYYYMM(timestamp)
ORDER BY (eventTimeHour, partyId, shopId, category, status, currency, providerId, fingerprint, cardToken, id, paymentId);
CREATE TABLE analytic.events_p_to_p (
timestamp Date,
eventTime UInt64,
eventTimeHour UInt64,
identityId String,
transferId String,
ip String,
email String,
bin String,
fingerprint String,
amount UInt64,
currency String,
country String,
bankCountry String,
maskedPan String,
bankName String,
cardTokenFrom String,
cardTokenTo String,
resultStatus String,
checkedRule String,
checkedTemplate String
) ENGINE = MergeTree()
PARTITION BY toYYYYMM(timestamp)
ORDER BY (eventTimeHour, identityId, cardTokenFrom, cardTokenTo, bin, fingerprint, currency);
CREATE TABLE analytic.events_sink (
timestamp Date,
eventTime UInt64,
eventTimeHour UInt64,
partyId String,
shopId String,
email String,
providerName String,
amount UInt64,
guaranteeDeposit UInt64,
systemFee UInt64,
providerFee UInt64,
externalFee UInt64,
currency String,
status Enum8('pending' = 1, 'processed' = 2, 'captured' = 3, 'cancelled' = 4, 'failed' = 5),
errorReason String,
errorCode String,
invoiceId String,
paymentId String,
sequenceId UInt64,
ip String,
bin String,
maskedPan String,
paymentTool String,
fingerprint String,
cardToken String,
paymentSystem String,
digitalWalletProvider String,
digitalWalletToken String,
cryptoCurrency String,
mobileOperator String,
paymentCountry String,
bankCountry String,
paymentTime UInt64,
providerId String,
terminal String,
cardHolderName String DEFAULT 'UNKNOWN',
bankCardTokenProvider String,
riskScore String,
rrn String,
paymentTerminal String
) ENGINE = ReplacingMergeTree()
PARTITION BY toYYYYMM(timestamp)
ORDER BY (eventTimeHour, partyId, shopId, paymentTool, status, currency, providerName, fingerprint, cardToken, invoiceId, paymentId, sequenceId);
CREATE TABLE analytic.events_sink_payout (
payoutId String,
status Enum8('unpaid' = 1, 'paid' = 2, 'cancelled' = 3, 'confirmed' = 4),
payoutType Enum8('bank_account' = 1, 'wallet' = 2),
statusCancelledDetails String,
isCancelledAfterBeingPaid UInt8,
timestamp Date,
eventTime UInt64,
eventTimeHour UInt64,
payoutTime UInt64,
shopId String,
partyId String,
contractId String,
amount UInt64,
fee UInt64,
currency String,
walletId String,
accountType Enum8('russian_payout_account' = 1, 'international_payout_account' = 2, 'UNKNOWN' = 3),
purpose String,
legalAgreementSignedAt UInt64,
legalAgreementId String,
legalAgreementValidUntil UInt64,
russianAccount String,
russianBankName String,
russianBankPostAccount String,
russianBankBik String,
russianInn String,
internationalAccountHolder String,
internationalBankName String,
internationalBankAddress String,
internationalIban String,
internationalBic String,
internationalLocalBankCode String,
internationalLegalEntityLegalName String,
internationalLegalEntityTradingName String,
internationalLegalEntityRegisteredAddress String,
internationalLegalEntityActualAddress String,
internationalLegalEntityRegisteredNumber String,
internationalBankNumber String,
internationalBankAbaRtn String,
internationalBankCountryCode String,
internationalCorrespondentBankNumber String,
internationalCorrespondentBankAccount String,
internationalCorrespondentBankName String,
internationalCorrespondentBankAddress String,
internationalCorrespondentBankBic String,
internationalCorrespondentBankIban String,
internationalCorrespondentBankAbaRtn String,
internationalCorrespondentBankCountryCode String
) ENGINE = ReplacingMergeTree()
PARTITION BY toYYYYMM(timestamp)
ORDER BY (eventTimeHour, partyId, shopId, status, payoutId, currency, accountType, payoutType, contractId, walletId);
CREATE TABLE analytic.events_sink_refund (
timestamp Date,
eventTime UInt64,
eventTimeHour UInt64,
partyId String,
shopId String,
email String,
providerName String,
amount UInt64,
guaranteeDeposit UInt64,
systemFee UInt64,
providerFee UInt64,
externalFee UInt64,
currency String,
reason String,
status Enum8('pending' = 1, 'succeeded' = 2, 'failed' = 3),
errorReason String,
errorCode String,
invoiceId String,
refundId String,
paymentId String,
sequenceId UInt64,
ip String,
fingerprint String,
cardToken String,
paymentSystem String,
digitalWalletProvider String,
digitalWalletToken String,
cryptoCurrency String,
mobileOperator String,
paymentCountry String,
bankCountry String,
paymentTime UInt64,
providerId String,
terminal String
) ENGINE = ReplacingMergeTree()
PARTITION BY toYYYYMM(timestamp)
ORDER BY (eventTimeHour, partyId, shopId, status, currency, providerName, fingerprint, cardToken, invoiceId, paymentId, refundId, sequenceId);
CREATE TABLE analytic.events_unique (
timestamp Date,
eventTimeHour UInt64,
eventTime UInt64,
payerType String,
tokenProvider String,
partyId String,
shopId String,
ip String,
email String,
bin String,
fingerprint String,
resultStatus String,
amount UInt64,
country String,
checkedRule String,
bankCountry String,
currency String,
invoiceId String,
maskedPan String,
bankName String,
cardToken String,
paymentId String,
mobile UInt8,
recurrent UInt8,
checkedTemplate String
) ENGINE = MergeTree()
PARTITION BY toYYYYMM(timestamp)
ORDER BY (eventTimeHour, partyId, shopId, bin, resultStatus, cardToken, email, ip, fingerprint) TTL timestamp + toIntervalMonth(3);
CREATE TABLE analytic.fraud_payment (
timestamp Date,
id String,
eventTime String,
partyId String,
shopId String,
amount UInt64,
currency String,
payerType String,
paymentToolType String,
cardToken String,
paymentSystem String,
maskedPan String,
issuerCountry String,
email String,
ip String,
fingerprint String,
status String,
rrn String,
providerId UInt32,
terminalId UInt32,
tempalateId String,
description String,
fraudType String,
comment String
) ENGINE = MergeTree()
PARTITION BY toYYYYMM(timestamp)
ORDER BY (partyId, shopId, paymentToolType, status, currency, providerId, fingerprint, cardToken, id);
CREATE TABLE analytic.payment (
timestamp Date,
eventTime UInt64,
eventTimeHour UInt64,
id String,
email String,
ip String,
fingerprint String,
bin String,
maskedPan String,
cardToken String,
paymentSystem String,
paymentTool String,
terminal String,
providerId String,
bankCountry String,
partyId String,
shopId String,
payerType String,
tokenProvider String,
amount UInt64,
currency String,
checkedTemplate String,
checkedRule String,
resultStatus String,
checkedResultsJson String,
mobile UInt8,
recurrent UInt8,
status Enum8('pending' = 1, 'processed' = 2, 'captured' = 3, 'cancelled' = 4, 'failed' = 5),
errorReason String,
errorCode String,
paymentCountry String
) ENGINE = ReplacingMergeTree()
PARTITION BY toYYYYMM(timestamp)
ORDER BY (eventTimeHour, partyId, shopId, paymentTool, status, currency, providerId, fingerprint, cardToken, id);
CREATE TABLE analytic.refund (
timestamp Date,
eventTime UInt64,
eventTimeHour UInt64,
id String,
email String,
ip String,
fingerprint String,
bin String,
maskedPan String,
cardToken String,
paymentSystem String,
paymentTool String,
terminal String,
providerId String,
bankCountry String,
partyId String,
shopId String,
amount UInt64,
currency String,
payerType String,
tokenProvider String,
status Enum8('pending' = 1, 'succeeded' = 2, 'failed' = 3),
errorReason String,
errorCode String,
paymentId String
) ENGINE = ReplacingMergeTree()
PARTITION BY toYYYYMM(timestamp)
ORDER BY (eventTimeHour, partyId, shopId, status, currency, providerId, fingerprint, cardToken, id, paymentId);
CREATE DATABASE IF NOT EXISTS fraud;
CREATE TABLE fraud.chargeback (
timestamp Date,
eventTime UInt64,
eventTimeHour UInt64,
id String,
email String,
ip String,
fingerprint String,
bin String,
maskedPan String,
cardToken String,
paymentSystem String,
paymentTool String,
terminal String,
providerId String,
bankCountry String,
partyId String,
shopId String,
amount UInt64,
currency String,
payerType String,
tokenProvider String,
status Enum8('accepted' = 1, 'rejected' = 2, 'cancelled' = 3),
category Enum8('fraud' = 1, 'dispute' = 2, 'authorisation' = 3, 'processing_error' = 4),
chargebackCode String,
paymentId String
) ENGINE = ReplacingMergeTree()
PARTITION BY toYYYYMM(timestamp)
ORDER BY (eventTimeHour, partyId, shopId, category, status, currency, providerId, fingerprint, cardToken, id, paymentId);
CREATE TABLE fraud.events_p_to_p (
timestamp Date,
eventTime UInt64,
eventTimeHour UInt64,
identityId String,
transferId String,
ip String,
email String,
bin String,
fingerprint String,
amount UInt64,
currency String,
country String,
bankCountry String,
maskedPan String,
bankName String,
cardTokenFrom String,
cardTokenTo String,
resultStatus String,
checkedRule String,
checkedTemplate String
) ENGINE = MergeTree()
PARTITION BY toYYYYMM(timestamp)
ORDER BY (eventTimeHour, identityId, cardTokenFrom, cardTokenTo, bin, fingerprint, currency);
CREATE TABLE fraud.events_unique (
timestamp Date,
eventTimeHour UInt64,
eventTime UInt64,
payerType String,
tokenProvider String,
partyId String,
shopId String,
ip String,
email String,
bin String,
fingerprint String,
resultStatus String,
amount UInt64,
country String,
checkedRule String,
bankCountry String,
currency String,
invoiceId String,
maskedPan String,
bankName String,
cardToken String,
paymentId String,
mobile UInt8,
recurrent UInt8,
checkedTemplate String
) ENGINE = MergeTree()
PARTITION BY toYYYYMM(timestamp)
ORDER BY (eventTimeHour, partyId, shopId, bin, resultStatus, cardToken, email, ip, fingerprint) TTL timestamp + toIntervalMonth(3);
CREATE TABLE fraud.fraud_payment (
timestamp Date,
id String,
eventTime String,
partyId String,
shopId String,
amount UInt64,
currency String,
payerType String,
paymentToolType String,
cardToken String,
paymentSystem String,
maskedPan String,
issuerCountry String,
email String,
ip String,
fingerprint String,
status String,
rrn String,
providerId UInt32,
terminalId UInt32,
tempalateId String,
description String,
fraudType String,
comment String
) ENGINE = MergeTree()
PARTITION BY toYYYYMM(timestamp)
ORDER BY (partyId, shopId, paymentToolType, status, currency, providerId, fingerprint, cardToken, id);
CREATE TABLE fraud.payment (
timestamp Date,
eventTime UInt64,
eventTimeHour UInt64,
id String,
email String,
ip String,
fingerprint String,
bin String,
maskedPan String,
cardToken String,
paymentSystem String,
paymentTool String,
terminal String,
providerId String,
bankCountry String,
partyId String,
shopId String,
payerType String,
tokenProvider String,
amount UInt64,
currency String,
checkedTemplate String,
checkedRule String,
resultStatus String,
checkedResultsJson String,
mobile UInt8,
recurrent UInt8,
status Enum8('pending' = 1, 'processed' = 2, 'captured' = 3, 'cancelled' = 4, 'failed' = 5),
errorReason String,
errorCode String,
paymentCountry String
) ENGINE = ReplacingMergeTree()
PARTITION BY toYYYYMM(timestamp)
ORDER BY (eventTimeHour, partyId, shopId, paymentTool, status, currency, providerId, fingerprint, cardToken, id);
CREATE TABLE fraud.refund (
timestamp Date,
eventTime UInt64,
eventTimeHour UInt64,
id String,
email String,
ip String,
fingerprint String,
bin String,
maskedPan String,
cardToken String,
paymentSystem String,
paymentTool String,
terminal String,
providerId String,
bankCountry String,
partyId String,
shopId String,
amount UInt64,
currency String,
payerType String,
tokenProvider String,
status Enum8('pending' = 1, 'succeeded' = 2, 'failed' = 3),
errorReason String,
errorCode String,
paymentId String
) ENGINE = ReplacingMergeTree()
PARTITION BY toYYYYMM(timestamp)
ORDER BY (eventTimeHour, partyId, shopId, status, currency, providerId, fingerprint, cardToken, id, paymentId);
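Review bot: retention is inconsistent across the PII-bearing tables in this DDL. Every table stores `email`, `ip`, `fingerprint`, `maskedPan` and `cardToken`, but only `events_unique` carries `TTL timestamp + toIntervalMonth(3)`; `payment`, `refund`, `chargeback`, `fraud_payment` and `events_p_to_p` keep those columns indefinitely. Add a TTL to those tables or record the retention decision in the file. Two smaller points: the column `tempalateId` in both `fraud_payment` tables is a typo for `templateId` and will be awkward to rename once data has landed, and the `analytic.*` and `fraud.*` blocks are byte-for-byte duplicates, so a single script applied per database would keep them from drifting.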

@ -0,0 +1,50 @@
apiVersion: "clickhouse.altinity.com/v1"
kind: "ClickHouseInstallation"
metadata:
name: "demo"
spec:
configuration:
clusters:
- name: "cluster"
# Templates are specified for this cluster explicitly
templates:
podTemplate: pod-template-with-volumes
layout:
shardsCount: 1
replicasCount: 1
users:
analytic/networks/ip: "::/0"
analytic/password: hackme
analytic/profile: default
fraud/networks/ip: "::/0"
fraud/password: hackme
fraud/profile: default
templates:
podTemplates:
- name: pod-template-with-volumes
spec:
containers:
- name: clickhouse
image: yandex/clickhouse-server:19.17
volumeMounts:
- name: data-storage-vc-template
mountPath: /var/lib/clickhouse
- name: log-storage-vc-template
mountPath: /var/log/clickhouse-server
volumeClaimTemplates:
- name: data-storage-vc-template
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 3Gi
- name: log-storage-vc-template
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 2Gi
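Review bot: the `users:` block stores plaintext passwords (`analytic/password: hackme`, `fraud/password: hackme`) in the ClickHouseInstallation resource and `networks/ip: "::/0"` lets those users connect from any address. The other charts in this commit pull database credentials through `vault.hashicorp.com/agent-inject-*` annotations; do the equivalent here (the Altinity operator accepts `password_sha256_hex` or a Kubernetes Secret reference instead of `password`) and restrict `networks/ip` to the pod CIDR. The same `hackme` literal is repeated on the fraudbusters command line, so rotating it later means editing several files.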

File diff suppressed because it is too large

@ -0,0 +1,27 @@
# -*- mode: yaml -*-
replicaCount: 1
image:
repository: docker.io/rbkmoney/postgres-geodata
tag: 0eb52256576ec22f89fadc3e7fe505b692e838a3
pullPolicy: IfNotPresent
env:
- name: POSTGRES_USER
value: postgres
- name: POSTGRES_PASSWORD
value: postgres
- name: POSTGRES_DB
value: columbus
service:
ports:
- name: psql
port: 5432
livenessProbe: null
readinessProbe: null
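Review bot: `POSTGRES_USER: postgres` with `POSTGRES_PASSWORD: postgres` ships the database superuser with a default password in a values file, and `livenessProbe: null` / `readinessProbe: null` means the pod is marked ready before Postgres accepts connections, so `columbus` can crash-loop while the database initialises. Source the password from a Secret (`valueFrom.secretKeyRef`) and add a `pg_isready` exec readiness probe.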

@ -0,0 +1,22 @@
#!/bin/sh
set -ue
java \
"-XX:OnOutOfMemoryError=kill %p" -XX:+HeapDumpOnOutOfMemoryError \
-jar \
/opt/columbus/columbus.jar \
--logging.file=/var/log/columbus/columbus.json \
--logging.config=/opt/columbus/logback.xml \
--management.security.enabled=false \
--spring.datasource.url=jdbc:postgresql://columbus-pg:5432/columbus?sslmode=disable \
--spring.datasource.username=postgres \
--spring.datasource.password=postgres \
--spring.flyway.url=jdbc:postgresql://columbus-pg:5432/columbus?sslmode=disable \
--spring.flyway.user=postgres \
--spring.flyway.password=postgres \
--postgres.db.url=jdbc:postgresql://columbus-pg:5432/columbus?sslmode=disable \
--postgres.db.user=postgres \
--postgres.db.password=postgres \
${@} \
--spring.config.additional-location=/vault/secrets/application.properties
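Review bot: `--spring.datasource.password=postgres` (and the `spring.flyway.password` and `postgres.db.password` copies) pass the database password as a command-line argument, where it is visible in `ps` and `/proc/<pid>/cmdline`, and all three JDBC URLs use `sslmode=disable`. The script already appends `--spring.config.additional-location=/vault/secrets/application.properties`, so move the credentials into that Vault-injected file as the fistful-magista chart does. Also prefer `"$@"` over unquoted `${@}`: with `set -u`, older bash versions abort on an empty positional list with `$@: unbound variable`, and the unquoted form re-splits any argument containing spaces.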

@ -0,0 +1,4 @@
<included>
<logger name="com.rbkmoney" level="INFO"/>
<logger name="com.rbkmoney.woody" level="INFO"/>
</included>

@ -0,0 +1,78 @@
# -*- mode: yaml -*-
replicaCount: 1
image:
repository: docker.io/rbkmoney/columbus
tag: 88be0cbccde15c7d4c88403d495f8d564f826160
pullPolicy: IfNotPresent
runopts:
command: ["/opt/columbus/entrypoint.sh"]
configMap:
data:
entrypoint.sh: |
{{- readFile "entrypoint.sh" | nindent 6 }}
loggers.xml: |
{{- readFile "loggers.xml" | nindent 6 }}
logback.xml: |
{{- readFile "../logs/logback.xml" | nindent 6 }}
volumes:
- name: config-volume
configMap:
name: {{ .Release.Name }}
defaultMode: 0755
volumeMounts:
- name: config-volume
mountPath: /opt/columbus/entrypoint.sh
subPath: entrypoint.sh
readOnly: true
- name: config-volume
mountPath: /opt/columbus/logback.xml
subPath: logback.xml
readOnly: true
- name: config-volume
mountPath: /opt/columbus/loggers.xml
subPath: loggers.xml
readOnly: true
service:
ports:
- name: api
port: 8022
livenessProbe:
httpGet:
path: /actuator/health
port: api
readinessProbe:
httpGet:
path: /actuator/health
port: api
metrics:
serviceMonitor:
enabled: false
namespace: {{ .Release.Namespace }}
additionalLabels:
release: prometheus
endpoints:
- port: "management"
path: /actuator/prometheus
scheme: http
ciliumPolicies:
- filters:
- port: 5432
type: TCP
name: columbus-pg
namespace: {{ .Release.Namespace }}
- filters:
- port: 8200
type: TCP
name: vault
namespace: {{ .Release.Namespace }}
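Review bot: the `metrics.serviceMonitor.endpoints` entry scrapes `port: "management"`, but `service.ports` only defines `api` (8022), so enabling the ServiceMonitor later yields a target with no matching port. Separately, `ciliumPolicies` allows egress to `vault:8200` and `entrypoint.sh` loads `/vault/secrets/application.properties`, yet there are no `vault.hashicorp.com/agent-inject*` `podAnnotations` in this file, so that file is never written; either add the annotations (and drop the plaintext `postgres` credentials from the entrypoint) or remove the unused policy entry.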

@ -28,7 +28,7 @@ volumeMounts:
readOnly: true
- name: config-volume
mountPath: /usr/share/nginx/html/assets/authConfig.json
subPath: appConfig.json
subPath: authConfig.json
readOnly: true
- name: config-volume
mountPath: /etc/nginx/vhosts.d/control-center.conf
@ -55,13 +55,22 @@ readinessProbe:
ingress:
enabled: true
annotations:
{{- if .Values.services.ingress.tls.letsEncrypt.enabled }}
cert-manager.io/cluster-issuer: {{ .Values.services.ingress.tls.letsEncrypt.issuer }}
{{- end }}
kubernetes.io/ingress.class: {{ .Values.services.ingress.class | quote }}
hosts:
- host: iddqd.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}
paths:
- /
{{- if .Values.services.ingress.tls.enabled }}
tls:
{{ if .Values.services.ingress.tls.letsEncrypt.enabled }}
- secretName: {{ .Release.Name }}-{{ .Values.services.ingress.tls.secretName }}
{{- else }}
- secretName: {{ .Values.services.ingress.tls.secretName }}
{{- end }}
hosts:
- iddqd.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}
{{- end }}
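Review bot: the `cert-manager.io/cluster-issuer` annotation is gated only on `tls.letsEncrypt.enabled`, while the `tls:` block is gated on `tls.enabled`; with letsEncrypt enabled and tls disabled the issuer annotation is rendered on an ingress that has no TLS section. Nest the annotation inside the `tls.enabled` check or `and` the two conditions. Minor: `{{ if .Values.services.ingress.tls.letsEncrypt.enabled }}` lacks the `-` trim used by the surrounding actions and leaves a stray blank line in the rendered manifest.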

@ -2,6 +2,7 @@ server {
listen 8080;
listen [::]:8080;
server_name localhost;
ignore_invalid_headers off;
location / {
root /usr/share/nginx/html;
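Review bot: `ignore_invalid_headers off;` makes nginx forward requests whose header names it would otherwise reject (underscores, for example) to the upstreams behind this vhost; upstreams that treat such headers as trusted metadata then receive client-controlled values, which is the root cause of a family of header-spoofing issues. If a specific client needs a non-standard header, name it in a comment next to the directive; otherwise keep the default `on`.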
@ -9,8 +10,24 @@ server {
try_files $uri $uri/ /index.html =404;
}
location /v1 {
proxy_pass http://dominant:8022;
# location /v1 {
# proxy_pass http://dominant:8022;
# }
# location /v1/cm {
# proxy_pass http://claim-management:8022;
# }
# location /v1/processing/invoicing {
# proxy_pass http://hellgate:8022;
# }
location /v1/admin {
proxy_pass http://fistful:8022;
}
location /fistful/stat {
proxy_pass http://fistful-magista:8022;
}
error_page 500 502 503 504 /50x.html;
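Review bot: the three commented-out `location` blocks (`/v1`, `/v1/cm`, `/v1/processing/invoicing`) are dead configuration; delete them and rely on git history, or state why they are kept. Note the behavioural change: `/v1` itself is no longer proxied, so any request under `/v1` other than `/v1/admin` now matches `location /` and falls through `try_files ... /index.html`, returning the SPA shell with a 200 instead of a 404 or 502. If that is unintended, add an explicit `location /v1 { return 404; }`.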

@ -0,0 +1,42 @@
#!/bin/sh
set -ue
java \
"-XX:OnOutOfMemoryError=kill %p" -XX:+HeapDumpOnOutOfMemoryError \
-jar \
/opt/dark-api/dark-api.jar \
--logging.config=/opt/dark-api/logback.xml \
--management.security.flag=false \
--management.metrics.export.statsd.flavor=etsy \
--management.metrics.export.statsd.enabled=true \
--management.metrics.export.prometheus.enabled=true \
--management.endpoint.health.show-details=always \
--management.endpoint.metrics.enabled=true \
--management.endpoint.prometheus.enabled=true \
--management.endpoints.web.exposure.include=health,info,prometheus \
--magista.client.adapter.url=http://magista:8022/v2/stat \
--magista.client.adapter.networkTimeout=90000 \
--claimmanagement.client.adapter.url=http://claim-management:8022/v1/cm \
--claimmanagement.client.adapter.networkTimeout=30000 \
--conversations.url=http://messages:8022/v1/messages \
--conversations.networkTimeout=30000 \
--questionary-aggr-proxy.url=http://questionary-aggr-proxy:8022/v1/questionary/proxy \
--questionary-aggr-prox.networkTimeout=30000 \
--questionary.url=http://questionary:8022/v1/questionary \
--questionary.networkTimeout=30000 \
--filestorage.client.adapter.url=http://file-storage:8022/file_storage \
--filestorage.client.adapter.networkTimeout=30000 \
--partyManagement.url=http://hellgate:8022/v1/processing/partymgmt \
--partyManagement.networkTimeout=30000 \
--cabi.url=http://cabi:8022/v1/cabi \
--cabi.networkTimeout=30000 \
--dominant.url=http://dominant:8022/v1/domain/repository \
--dominant.networkTimeout=30000 \
--dudoser.url=http://dudoser:8022/dudos \
--dudoser.networkTimeout=30000 \
--keycloak.realm-public-key.file-path="/var/lib/dark-api/keys/keycloak/keycloak.pubkey.pem" \
--keycloak.realm=external \
--keycloak.resource=common-api \
--server.servlet.context-path=/dark-api/v1 \
${@} \
--spring.config.additional-location=/vault/secrets/application.properties \
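Review bot: `--questionary-aggr-prox.networkTimeout=30000` is missing the `y` in `proxy`, so Spring binds the URL under `questionary-aggr-proxy.*` but silently ignores this timeout and the client runs with whatever default the code has. Also, the final `--spring.config.additional-location=... \` ends with a continuation backslash and nothing after it; it works only because the next line is blank, and anything appended there later becomes an argument, so drop the trailing backslash. Use `"$@"` rather than unquoted `${@}`.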

@ -0,0 +1,4 @@
<included>
<logger name="com.rbkmoney" level="INFO"/>
<logger name="com.rbkmoney.woody" level="INFO"/>
</included>

@ -0,0 +1,162 @@
# -*- mode: yaml -*-
replicaCount: 1
image:
repository: docker.io/rbkmoney/dark-api
tag: da3705fde0414af7e9e3eb60ba9b7b4ce88231fc
pullPolicy: IfNotPresent
runopts:
command: ["/opt/dark-api/entrypoint.sh"]
configMap:
data:
entrypoint.sh: |
{{- readFile "entrypoint.sh" | nindent 6 }}
loggers.xml: |
{{- readFile "loggers.xml" | nindent 6 }}
logback.xml: |
{{- readFile "../logs/logback.xml" | nindent 6 }}
fetchKeycloakPubkey: |
{{- readFile "../api-common/fetch-keycloak-pubkey.sh" | nindent 6 }}
env:
- name: LOGBACK_SERVICE_NAME
value: "dark-api"
volumes:
- name: config-volume
configMap:
name: {{ .Release.Name }}
defaultMode: 0755
- name: keycloak-pubkey
emptyDir: {}
volumeMounts:
- name: config-volume
mountPath: /opt/dark-api/entrypoint.sh
subPath: entrypoint.sh
readOnly: true
- name: config-volume
mountPath: /opt/dark-api/logback.xml
subPath: logback.xml
readOnly: true
- name: config-volume
mountPath: /opt/dark-api/loggers.xml
subPath: loggers.xml
readOnly: true
- name: keycloak-pubkey
mountPath: /var/lib/dark-api/keys/keycloak
readOnly: true
apiInitContainers:
enabled: true
service:
ports:
- name: api
port: 8080
- name: management
port: 8023
ingress:
enabled: true
annotations:
{{- if .Values.services.ingress.tls.letsEncrypt.enabled }}
cert-manager.io/cluster-issuer: {{ .Values.services.ingress.tls.letsEncrypt.issuer }}
{{- end }}
kubernetes.io/ingress.class: {{ .Values.services.ingress.class | quote }}
hosts:
- host: api.{{ .Values.services.ingress.rootdomain | default "rbk.dev" }}
paths:
- /dark-api
{{- if .Values.services.ingress.tls.enabled }}
tls:
{{ if .Values.services.ingress.tls.letsEncrypt.enabled }}
- secretName: {{ .Release.Name }}-{{ .Values.services.ingress.tls.secretName }}
{{- else }}
- secretName: {{ .Values.services.ingress.tls.secretName }}
{{- end }}
hosts:
- api.{{ .Values.services.ingress.rootdomain | default "rbk.dev" }}
{{- end }}
servicePort: 8080
livenessProbe:
httpGet:
path: /actuator/health
port: management
readinessProbe:
httpGet:
path: /actuator/health
port: management
metrics:
serviceMonitor:
enabled: false
namespace: {{ .Release.Namespace }}
additionalLabels:
release: prometheus
endpoints:
- port: "management"
path: /actuator/prometheus
scheme: http
ciliumPolicies:
- filters:
- port: 8022
type: TCP
name: magista
namespace: {{ .Release.Namespace }}
- filters:
- port: 8022
type: TCP
name: claim-management
namespace: {{ .Release.Namespace }}
- filters:
- port: 8022
type: TCP
name: messages
namespace: {{ .Release.Namespace }}
- filters:
- port: 8022
type: TCP
name: questionary-aggr-proxy
namespace: {{ .Release.Namespace }}
- filters:
- port: 8022
type: TCP
name: questionary
namespace: {{ .Release.Namespace }}
- filters:
- port: 8022
type: TCP
name: file-storage
namespace: {{ .Release.Namespace }}
- filters:
- port: 8022
type: TCP
name: hellgate
namespace: {{ .Release.Namespace }}
- filters:
- port: 8022
type: TCP
name: cabi
namespace: {{ .Release.Namespace }}
- filters:
- port: 8022
type: TCP
name: dominant
namespace: {{ .Release.Namespace }}
- filters:
- port: 8022
type: TCP
name: dudoser
namespace: {{ .Release.Namespace }}
- filters:
- port: 8080
type: TCP
name: keycloak
namespace: {{ .Release.Namespace }}
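Review bot: `rootdomain` (lowercase `d`) on the `host:` line and again under `tls.hosts` does not match the `.Values.services.ingress.rootDomain` key every other chart in this commit reads, so this ingress always renders `api.rbk.dev` regardless of the configured domain and the certificate is requested for the wrong name. Fix both occurrences.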

@ -1,6 +1,6 @@
{
"apiEndpoint": "https://api.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}",
"urlShortenerEndpoint": "https://rbk.mn",
"urlShortenerEndpoint": "https://shrt.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}",
"checkoutEndpoint": "https://checkout.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}",
"ext": {
"docsEndpoint": "https://rbkmoney.github.io/docs",
@ -13,10 +13,5 @@
"trackLinks": true,
"accurateTrackBounce": true,
"webvisor": true
},
"theme": {
"name": "persian-green",
"isMainBackgroundImages": false,
"logoName": "vrbcube"
}
}

@ -1,5 +1,5 @@
{
"realm": "internal",
"realm": "external",
"auth-server-url": "https://auth.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}/auth/",
"ssl-required": "external",
"resource": "koffing",

@ -3,7 +3,7 @@ replicaCount: 1
image:
repository: docker.io/rbkmoney/dashboard
tag: ec031a725d886488dcf38c71a8de28af68e2564d
tag: 380a2e2464ccec1e624d8972381622fcb3b5789a
pullPolicy: IfNotPresent
service:
@ -55,13 +55,27 @@ readinessProbe:
ingress:
enabled: true
annotations:
{{- if .Values.services.ingress.tls.letsEncrypt.enabled }}
cert-manager.io/cluster-issuer: {{ .Values.services.ingress.tls.letsEncrypt.issuer }}
{{- end }}
kubernetes.io/ingress.class: {{ .Values.services.ingress.class | quote }}
nginx.ingress.kubernetes.io/enable-cors: "true"
nginx.ingress.kubernetes.io/cors-allow-methods: "PUT, GET, POST, OPTIONS"
nginx.ingress.kubernetes.io/cors-allow-credentials: "true"
nginx.ingress.kubernetes.io/configuration-snippet: |
more_set_headers "Access-Control-Allow-Origin: $http_origin";
hosts:
- host: dashboard.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}
paths:
- /
{{- if .Values.services.ingress.tls.enabled }}
tls:
{{ if .Values.services.ingress.tls.letsEncrypt.enabled }}
- secretName: {{ .Release.Name }}-{{ .Values.services.ingress.tls.secretName }}
{{- else }}
- secretName: {{ .Values.services.ingress.tls.secretName }}
{{- end }}
hosts:
- dashboard.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}
{{- end }}
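Review bot: `nginx.ingress.kubernetes.io/cors-allow-credentials: "true"` combined with the `configuration-snippet` line `more_set_headers "Access-Control-Allow-Origin: $http_origin";` reflects whatever `Origin` the request carries as the allowed origin while also allowing credentials. That is the `*`-with-credentials combination browsers deliberately refuse, reconstructed by hand: any origin can make credentialed cross-origin requests to the dashboard host. The exposure is small if this host only serves static assets, but the pattern should not be copied. Use `nginx.ingress.kubernetes.io/cors-allow-origin` with the explicit list of trusted origins (the controller's `enable-cors` handling already emits the CORS headers) and remove the snippet.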

@ -6,6 +6,7 @@ server {
location / {
root /usr/share/nginx/html;
index index.html index.htm;
try_files $uri $uri/ /index.html =404;
}
error_page 500 502 503 504 /50x.html;

@ -0,0 +1,18 @@
roles:
master: "true"
ingest: "true"
data: "true"
remote_cluster_client: "true"
ml: "false"
replicas: 1
minimumMasterNodes: 1
masterService: deanonimus-es
# extraEnvs:
# - name: discovery.type
# value: single-node
image: "docker.elastic.co/elasticsearch/elasticsearch"
imageTag: "7.10.2"
imagePullPolicy: "IfNotPresent"
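Review bot: nothing in these values enables Elasticsearch authentication or TLS (no `esConfig` with `xpack.security.enabled: true`, and for 7.10.2 security is off by default on the basic licence), so `deanonimus-es:9200` is an unauthenticated index reachable from anywhere in the cluster, and no network policy for it appears in this commit. Enable security and inject credentials, or at minimum restrict ingress to the `deanonimus` pods. `replicas: 1` with `minimumMasterNodes: 1` is fine for a demo but should be marked as non-HA.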

@ -0,0 +1,22 @@
#!/bin/sh
set -ue
java \
"-XX:OnOutOfMemoryError=kill %p" -XX:+HeapDumpOnOutOfMemoryError \
-jar \
/opt/deanonimus/deanonimus.jar \
--logging.file=/var/log/deanonimus/deanonimus.json \
--logging.config=/opt/deanonimus/logback.xml \
--spring.elasticsearch.rest.uris="deanonimus-es:9200" \
--spring.elasticsearch.rest.connection-timeout=5s \
--kafka.bootstrap-servers="kafka:9092" \
--kafka.client-id=deanonimus \
--kafka.topics.party-management.id=mg-events-party \
--kafka.topics.party-management.enabled=true \
--kafka.topics.party-management.consumer.group-id=deanonimus-group-1 \
--kafka.consumer.party-management.concurrency=7 \
--kafka.consumer.auto-offset-reset=earliest \
--kafka.error-handler.sleep-time-seconds=5 \
--kafka.error-handler.maxAttempts=-1 \
${@} \
--spring.config.additional-location=/vault/secrets/application.properties \
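Review bot: `--kafka.error-handler.maxAttempts=-1` with `sleep-time-seconds=5` presumably means unlimited retries, so a single undeserialisable record on `mg-events-party` stalls that partition for the `deanonimus-group-1` consumer group forever; pair it with a dead-letter topic or a bounded attempt count plus an alert. Same trailing-backslash and unquoted `${@}` issues as the other entrypoints in this commit.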

@ -0,0 +1,4 @@
<included>
<logger name="com.rbkmoney" level="INFO"/>
<logger name="com.rbkmoney.woody" level="INFO"/>
</included>

@ -0,0 +1,127 @@
# -*- mode: yaml -*-
replicaCount: 1
image:
repository: docker.io/rbkmoney/deanonimus
tag: 23481a728081af23c47c49d8cc11c2d80b160ec4
pullPolicy: IfNotPresent
runopts:
command: ["/opt/deanonimus/entrypoint.sh"]
configMap:
data:
entrypoint.sh: |
{{- readFile "entrypoint.sh" | nindent 6 }}
loggers.xml: |
{{- readFile "loggers.xml" | nindent 6 }}
logback.xml: |
{{- readFile "../logs/logback.xml" | nindent 6 }}
env:
- name: LOGBACK_SERVICE_NAME
value: "deanonimus"
volumes:
- name: config-volume
configMap:
name: {{ .Release.Name }}
defaultMode: 0755
volumeMounts:
- name: config-volume
mountPath: /opt/deanonimus/entrypoint.sh
subPath: entrypoint.sh
readOnly: true
- name: config-volume
mountPath: /opt/deanonimus/logback.xml
subPath: logback.xml
readOnly: true
- name: config-volume
mountPath: /opt/deanonimus/loggers.xml
subPath: loggers.xml
readOnly: true
service:
ports:
- name: api
port: 8022
- name: management
port: 8023
livenessProbe:
httpGet:
path: /actuator/health
port: api
readinessProbe:
httpGet:
path: /actuator/health
port: api
ingress:
enabled: true
annotations:
{{- if .Values.services.ingress.tls.letsEncrypt.enabled }}
cert-manager.io/cluster-issuer: {{ .Values.services.ingress.tls.letsEncrypt.issuer }}
{{- end }}
kubernetes.io/ingress.class: {{ .Values.services.ingress.class | quote }}
hosts:
- host: iddqd.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}
paths:
- /deanonimus
{{- if .Values.services.ingress.tls.enabled }}
tls:
{{ if .Values.services.ingress.tls.letsEncrypt.enabled }}
- secretName: {{ .Release.Name }}-{{ .Values.services.ingress.tls.secretName }}
{{- else }}
- secretName: {{ .Values.services.ingress.tls.secretName }}
{{- end }}
hosts:
- iddqd.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}
{{- end }}
servicePort: 8022
metrics:
serviceMonitor:
enabled: false
namespace: {{ .Release.Namespace }}
additionalLabels:
release: prometheus
endpoints:
- port: "management"
path: /actuator/prometheus
scheme: http
ciliumPolicies:
- filters:
- port: 5432
type: TCP
name: postgres
namespace: {{ .Release.Namespace }}
- filters:
- port: 9092
rules:
kafka:
- role: consume
topics:
- claim-event-sink
type: TCP
name: kafka
namespace: {{ .Release.Namespace }}
- filters:
- port: 8200
type: TCP
name: vault
namespace: {{ .Release.Namespace }}
- filters:
- port: 8022
type: TCP
name: hellgate
namespace: {{ .Release.Namespace }}
- filters:
- port: 8022
type: TCP
name: cashier
namespace: {{ .Release.Namespace }}
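Review bot: `ciliumPolicies` does not describe what `entrypoint.sh` actually talks to. The policy allows `postgres:5432`, `hellgate:8022`, `cashier:8022` and Kafka with `consume` on `claim-event-sink`, but the entrypoint sets `spring.elasticsearch.rest.uris=deanonimus-es:9200` (absent from the policy), consumes topic `mg-events-party` (not `claim-event-sink`), and configures no datasource at all. With the policy enforced the service cannot reach Elasticsearch or its topic; without enforcement the list is misleading. Rewrite it as `deanonimus-es:9200`, `kafka:9092` with `consume` on `mg-events-party`, and `vault:8200`, dropping the rest unless the image needs them.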

@ -12,7 +12,7 @@ configMap:
sys.config: |
{{- readFile "sys.config" | nindent 6 }}
erl_inetrc: |
{{- readFile "../vm/erl_inetrc" | nindent 6 }}
{{- tpl (readFile "../vm/erl_inetrc.gotmpl") . | nindent 6 }}
vm.args: |
{{- tpl (readFile "../vm/erl_vm_args.gotmpl") . | nindent 6 }}
init-script.sh: |
@ -39,7 +39,7 @@ hook:
metrics:
serviceMonitor:
enabled: true
enabled: false
namespace: {{ .Release.Namespace }}
additionalLabels:
release: prometheus
@ -64,7 +64,28 @@ volumeMounts:
subPath: erl_inetrc
readOnly: true
ingress:
enabled: true
annotations:
{{- if .Values.services.ingress.tls.letsEncrypt.enabled }}
cert-manager.io/cluster-issuer: {{ .Values.services.ingress.tls.letsEncrypt.issuer }}
{{- end }}
kubernetes.io/ingress.class: {{ .Values.services.ingress.class | quote }}
hosts:
- host: iddqd.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}
paths:
- /v1
{{- if .Values.services.ingress.tls.enabled }}
tls:
{{ if .Values.services.ingress.tls.letsEncrypt.enabled }}
- secretName: {{ .Release.Name }}-{{ .Values.services.ingress.tls.secretName }}
{{- else }}
- secretName: {{ .Values.services.ingress.tls.secretName }}
{{- end }}
hosts:
- iddqd.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}
{{- end }}
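Review bot: this adds a second ingress on the `iddqd.<rootDomain>` host with path `/v1`, alongside the control-center ingress on `/` and deanonimus on `/deanonimus`. The nginx controller merges them by longest prefix, but the control-center `vhosts.d` config changed in this same commit deliberately stopped proxying `/v1` to `dominant`, so two mechanisms now decide who serves `/v1` on that host. Confirm which backend is intended, and that the `/v1` API of this service exposed on a public hostname sits behind the same authentication as the UI.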
servicePort: 8022
ciliumPolicies:
- filters:

@ -0,0 +1,42 @@
#!/bin/sh
set -ue
java \
"-XX:OnOutOfMemoryError=kill %p" -XX:+HeapDumpOnOutOfMemoryError \
-jar \
/opt/fistful-magista/fistful-magista.jar \
--logging.config=/opt/fistful-magista/logback.xml \
--management.security.flag=false \
--management.metrics.export.statsd.flavor=etsy \
--management.metrics.export.statsd.enabled=true \
--management.metrics.export.prometheus.enabled=true \
--management.endpoint.health.show-details=always \
--management.endpoint.metrics.enabled=true \
--management.endpoint.prometheus.enabled=true \
--management.endpoints.web.exposure.include=health,info,prometheus \
--spring.datasource.hikari.data-source-properties.prepareThreshold=0 \
--spring.datasource.hikari.leak-detection-threshold=5300 \
--spring.datasource.hikari.max-lifetime=300000 \
--spring.datasource.hikari.idle-timeout=30000 \
--spring.datasource.hikari.minimum-idle=2 \
--spring.datasource.hikari.maximum-pool-size=20 \
--spring.application.name=fistful-magista \
--flyway.schemas=mst \
--identity-management.url=http://wapi:8022/v1/identity \
--identity-management.timeout=5000 \
--kafka.bootstrap-servers=kafka:9092 \
--kafka.consumer.group-id=fistful-magista \
--kafka.consumer.concurrency=7 \
--kafka.max-poll-records=1 \
--kafka.max-session-timeout-ms=300000 \
--kafka.max-poll-interval-ms=300000 \
--kafka.topic.deposit.name=mg-events-ff-deposit \
--kafka.topic.deposit.listener.enabled=true \
--kafka.topic.identity.name=mg-events-ff-identity \
--kafka.topic.identity.listener.enabled=true \
--kafka.topic.wallet.name=mg-events-ff-wallet \
--kafka.topic.wallet.listener.enabled=true \
--kafka.topic.withdrawal.name=mg-events-ff-withdrawal \
--kafka.topic.withdrawal.listener.enabled=true \
${@} \
--spring.config.additional-location=/vault/secrets/application.properties \
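Review bot: `--flyway.schemas=mst` on the command line duplicates the `flyway.schemas=mst` and `spring.flyway.schemas=mst` lines in the Vault template of this chart's values.yaml; keep one form (`spring.flyway.*`, which fraudbusters-management also uses) so the schema is not declared in three places. `--kafka.max-poll-records=1` with `max-poll-interval-ms=300000` is a deliberate slow-and-safe consumer setting and deserves a comment. Same trailing-backslash and unquoted `${@}` points as the other entrypoints.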

@ -0,0 +1,4 @@
<included>
<logger name="com.rbkmoney" level="INFO"/>
<logger name="com.rbkmoney.woody" level="INFO"/>
</included>

@ -0,0 +1,123 @@
# -*- mode: yaml -*-
replicaCount: 1
image:
repository: docker.io/rbkmoney/fistful-magista
tag: dd17699f8b18f4ac904b1f0d134b3d192100d03f
pullPolicy: IfNotPresent
runopts:
command: ["/opt/fistful-magista/entrypoint.sh"]
configMap:
data:
entrypoint.sh: |
{{- readFile "entrypoint.sh" | nindent 6 }}
loggers.xml: |
{{- readFile "loggers.xml" | nindent 6 }}
logback.xml: |
{{- readFile "../logs/logback.xml" | nindent 6 }}
volumes:
- name: config-volume
configMap:
name: {{ .Release.Name }}
defaultMode: 0755
volumeMounts:
- name: config-volume
mountPath: /opt/fistful-magista/entrypoint.sh
subPath: entrypoint.sh
readOnly: true
- name: config-volume
mountPath: /opt/fistful-magista/logback.xml
subPath: logback.xml
readOnly: true
- name: config-volume
mountPath: /opt/fistful-magista/loggers.xml
subPath: loggers.xml
readOnly: true
service:
ports:
- name: api
port: 8022
- name: management
port: 8023
livenessProbe:
httpGet:
path: /actuator/health
port: management
readinessProbe:
httpGet:
path: /actuator/health
port: management
podAnnotations:
vault.hashicorp.com/role: "db-app"
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-inject-secret-application.properties: "database/creds/db-app-fistful-magista"
vault.hashicorp.com/agent-inject-template-application.properties: |
{{`{{- with secret "database/creds/db-app-fistful-magista" -}}
spring.datasource.url=jdbc:postgresql://postgres-postgresql:5432/fistful-magista?sslmode=disable
spring.datasource.username={{ .Data.username }}
spring.datasource.password={{ .Data.password }}
flyway.url=jdbc:postgresql://postgres-postgresql:5432/fistful-magista?sslmode=disable
flyway.user={{ .Data.username }}
flyway.password={{ .Data.password }}
flyway.schemas=mst
spring.flyway.schemas=mst
{{- end }}`}}
metrics:
serviceMonitor:
enabled: false
namespace: {{ .Release.Namespace }}
additionalLabels:
release: prometheus
endpoints:
- port: "management"
path: /actuator/prometheus
scheme: http
ciliumPolicies:
- filters:
- port: 5432
type: TCP
name: postgres
namespace: {{ .Release.Namespace }}
- filters:
- port: 9092
rules:
kafka:
- role: consume
topics:
- mg-events-ff-deposit
- mg-events-ff-identity
- mg-events-ff-wallet
- mg-events-ff-withdrawal
type: TCP
name: kafka
namespace: {{ .Release.Namespace }}
- filters:
- port: 8200
type: TCP
name: vault
namespace: {{ .Release.Namespace }}
- filters:
- port: 8022
type: TCP
name: wapi
namespace: {{ .Release.Namespace }}
##In case of kafka mTLS auth move it to vault template
# {{- /*
# kafka.ssl.enabled={{ kafka.ssl.enable }}
# kafka.ssl.key-store-location=/opt/{{ service_name }}/kafka-keystore.p12
# kafka.ssl.key-store-password="{{ service.keystore.pass }}"
# kafka.ssl.key-password="{{ service.keystore.pass }}"
# kafka.ssl.trust-store-location=/opt/{{ service_name }}/kafka-truststore.p12
# kafka.ssl.trust-store-password="{{ kafka.truststore.java.pass }}"
# */ -}}
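Review bot: the trailing `##In case of kafka mTLS auth ...` block is a YAML comment wrapping a Go-template comment (`{{- /* ... */ -}}`) around Ansible-style `{{ service_name }}` placeholders; it renders to nothing and only records an intention, so move it to the chart README. In the Vault template, `flyway.url` / `flyway.user` / `flyway.password` use the pre-Spring-Boot-2 property prefix while fraudbusters-management uses `spring.flyway.*`; one of the two is probably ignored by the image, so check which it expects. Both JDBC URLs carry `sslmode=disable`.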

@ -147,8 +147,8 @@
'accounter' => "http://shumway:8022/shumpune",
'identification' => "http://identification:8022/v1/identification",
'binbase' => "http://binbase:8022/v1/binbase",
'eventsink' => "http://mg:8022/v1/event_sink",
'automaton' => "http://mg:8022/v1/automaton"
'eventsink' => "http://machinegun:8022/v1/event_sink",
'automaton' => "http://machinegun:8022/v1/automaton"
}}
]},

@ -10,7 +10,7 @@ configMap:
sys.config: |
{{- readFile "sys.config" | nindent 6 }}
erl_inetrc: |
{{- readFile "../vm/erl_inetrc" | nindent 6 }}
{{- tpl (readFile "../vm/erl_inetrc.gotmpl") . | nindent 6 }}
vm.args: |
{{- tpl (readFile "../vm/erl_vm_args.gotmpl") . | nindent 6 }}

@ -0,0 +1,14 @@
#!/bin/sh
set -ue
java \
"-XX:OnOutOfMemoryError=kill %p" -XX:+HeapDumpOnOutOfMemoryError \
-jar \
/opt/fraudbusters-management/fraudbusters-management.jar \
--logging.config=/opt/fraudbusters-management/logback.xml \
--management.security.enabled=false \
--kafka.ssl.enable=false \
--kafka.bootstrap.servers=kafka:9092 \
--service.payment.url=http://fraudbusters:8022/fraud_payment/v1/ \
${@} \
--spring.config.additional-location=/vault/secrets/application.properties
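Review bot: `--service.payment.url=http://fraudbusters:8022/fraud_payment/v1/` assumes the fraudbusters release is reachable as `fraudbusters`, while the fraudbusters entrypoint in this same commit points back at `fraudbusters-mgmt:8022`, which does not match this chart's name `fraudbusters-management`; pick one name so the two services can find each other. `--kafka.ssl.enable=false` and `--management.security.enabled=false` are explicit opt-outs; since the Vault-injected `application.properties` is loaded last, that file is the place to override them per environment, and a comment saying these are demo defaults would help.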

@ -0,0 +1,3 @@
<included>
<logger name="com.rbkmoney" level="INFO"/>
</included>

@ -0,0 +1,112 @@
# -*- mode: yaml -*-
replicaCount: 1
image:
repository: docker.io/rbkmoney/fraudbusters-management
tag: 91fe3772f946c7a76a982adfd4d23411607dee5f
pullPolicy: IfNotPresent
runopts:
command: ["/opt/fraudbusters-management/entrypoint.sh"]
configMap:
data:
entrypoint.sh: |
{{- readFile "entrypoint.sh" | nindent 6 }}
loggers.xml: |
{{- readFile "loggers.xml" | nindent 6 }}
logback.xml: |
{{- readFile "../logs/logback.xml" | nindent 6 }}
env:
- name: LOGBACK_SERVICE_NAME
value: "fraudbusters-management"
volumes:
- name: config-volume
configMap:
name: {{ .Release.Name }}
defaultMode: 0755
volumeMounts:
- name: config-volume
mountPath: /opt/fraudbusters-management/entrypoint.sh
subPath: entrypoint.sh
readOnly: true
- name: config-volume
mountPath: /opt/fraudbusters-management/logback.xml
subPath: logback.xml
readOnly: true
- name: config-volume
mountPath: /opt/fraudbusters-management/loggers.xml
subPath: loggers.xml
readOnly: true
service:
ports:
- name: api
port: 8022
livenessProbe:
httpGet:
path: /actuator/health
port: api
readinessProbe:
httpGet:
path: /actuator/health
port: api
podAnnotations:
vault.hashicorp.com/role: "db-app"
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-inject-secret-application.properties: "database/creds/db-app-fbmgmt"
vault.hashicorp.com/agent-inject-template-application.properties: |
{{`{{- with secret "database/creds/db-app-fbmgmt" -}}
spring.datasource.url=jdbc:postgresql://postgres-postgresql:5432/fraudbusters?sslmode=disable
spring.datasource.username={{ .Data.username }}
spring.datasource.password={{ .Data.password }}
spring.flyway.url=jdbc:postgresql://postgres-postgresql:5432/fraudbusters?sslmode=disable
spring.flyway.user={{ .Data.username }}
spring.flyway.password={{ .Data.password }}
spring.flyway.schemas=af
{{- end }}`}}
metrics:
serviceMonitor:
enabled: false
namespace: {{ .Release.Namespace }}
additionalLabels:
release: prometheus
endpoints:
- port: "api"
path: /actuator/prometheus
scheme: http
ciliumPolicies:
- filters:
- port: 5432
type: TCP
name: postgres
namespace: {{ .Release.Namespace }}
- filters:
- port: 9092
type: TCP
name: kafka
namespace: {{ .Release.Namespace }}
- filters:
- port: 8200
type: TCP
name: vault
namespace: {{ .Release.Namespace }}
- filters:
- port: 8022
type: TCP
name: hellgate
namespace: {{ .Release.Namespace }}
- filters:
- port: 8022
type: TCP
name: fault-detector
namespace: {{ .Release.Namespace }}
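Review bot: `ciliumPolicies` allows `hellgate:8022` and `fault-detector:8022`, neither of which `entrypoint.sh` references (it only configures `kafka:9092`, `fraudbusters:8022`, Postgres via the Vault template and Vault itself), while `fraudbusters:8022`, which it does call, is missing. Align the policy with the entrypoint.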

@ -0,0 +1,23 @@
#!/bin/sh
set -ue
java \
"-XX:OnOutOfMemoryError=kill %p" -XX:+HeapDumpOnOutOfMemoryError \
-jar \
/opt/fraudbusters/fraudbusters.jar \
--logging.config=/opt/fraudbusters/logback.xml \
--management.security.enabled=false \
--geo.ip.service.url=http://columbus:8022/repo \
--kafka.ssl.enable=false \
--kafka.bootstrap.servers=kafka:9092 \
--wb.list.service.url=http://wb-list-manager:8022/v1/wb_list \
--clickhouse.db.url=jdbc:clickhouse://chi-demo-cluster-0-0:8123/fraud \
--clickhouse.db.user=fraud \
--clickhouse.db.password=hackme \
--fraud.management.url=http://fraudbusters-mgmt:8022 \
--spring.profiles.active=full-prod \
--kafka.topic.event.sink.payment=payment_event \
--kafka.topic.event.sink.refund=refund_event \
--kafka.topic.event.sink.chargeback=chargeback_event \
${@}
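Review bot: `--clickhouse.db.password=hackme` hard-codes the ClickHouse password on the command line (the same literal the ClickHouseInstallation sets in plaintext), and unlike the other Java services this script has no `--spring.config.additional-location=/vault/secrets/application.properties`, so there is no injection path to replace it. Add the Vault annotations and additional-location as in fraudbusters-management. `--fraud.management.url=http://fraudbusters-mgmt:8022` does not match the `fraudbusters-management` chart name. `--spring.profiles.active=full-prod` on a deployment carrying `hackme` credentials deserves a comment explaining what the profile changes.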

@ -0,0 +1,4 @@
<included>
<logger name="com.rbkmoney" level="INFO"/>
<logger name="com.rbkmoney.woody" level="INFO"/>
</included>

@ -0,0 +1,82 @@
# -*- mode: yaml -*-
replicaCount: 1
image:
repository: docker.io/rbkmoney/fraudbusters
tag: fbe14fec347e5e6312a5e726e17e8b8c2b749b89
pullPolicy: IfNotPresent
runopts:
command: ["/opt/fraudbusters/entrypoint.sh"]
env:
- name: LOGBACK_SERVICE_NAME
value: "fraudbusters"
configMap:
data:
entrypoint.sh: |
{{- readFile "entrypoint.sh" | nindent 6 }}
loggers.xml: |
{{- readFile "loggers.xml" | nindent 6 }}
logback.xml: |
{{- readFile "../logs/logback.xml" | nindent 6 }}
volumes:
- name: config-volume
configMap:
name: {{ .Release.Name }}
defaultMode: 0755
volumeMounts:
- name: config-volume
mountPath: /opt/fraudbusters/entrypoint.sh
subPath: entrypoint.sh
readOnly: true
- name: config-volume
mountPath: /opt/fraudbusters/logback.xml
subPath: logback.xml
readOnly: true
- name: config-volume
mountPath: /opt/fraudbusters/loggers.xml
subPath: loggers.xml
readOnly: true
service:
ports:
- name: api
port: 8022
livenessProbe:
httpGet:
path: /actuator/health
port: api
readinessProbe:
httpGet:
path: /actuator/health
port: api
metrics:
serviceMonitor:
enabled: false
namespace: {{ .Release.Namespace }}
additionalLabels:
release: prometheus
endpoints:
- port: "api"
path: /actuator/prometheus
scheme: http
ciliumPolicies:
- filters:
- port: 5432
type: TCP
name: postgres
namespace: {{ .Release.Namespace }}
- filters:
- port: 8200
type: TCP
name: vault
namespace: {{ .Release.Namespace }}
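Review bot: `ciliumPolicies` only allows egress to `postgres` and `vault`, but the entrypoint.sh for this chart talks to `kafka:9092`, `columbus:8022`, `wb-list-manager:8022`, `fraudbusters-mgmt:8022` and ClickHouse on `chi-demo-cluster-0-0:8123`; if the policies are enforced as default-deny those calls are dropped at startup. Add the missing filters the way the magista values file in this PR lists each dependency, and note that `vault` on 8200 is allowed here even though no `podAnnotations` for the Vault agent are configured for this chart, so either the annotation block is missing or the filter is unused.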

View File

@ -12,13 +12,13 @@ configMap:
sys.config: |
{{- readFile "sys.config" | nindent 6 }}
erl_inetrc: |
{{- readFile "../vm/erl_inetrc" | nindent 6 }}
{{- tpl (readFile "../vm/erl_inetrc.gotmpl") . | nindent 6 }}
vm.args: |
{{- tpl (readFile "../vm/erl_vm_args.gotmpl") . | nindent 6 }}
metrics:
serviceMonitor:
enabled: true
enabled: false
namespace: {{ .Release.Namespace }}
additionalLabels:
release: prometheus
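Review bot: `serviceMonitor.enabled` flips from `true` to a hard-coded `false`, and the same edit appears in most charts of this PR, which silently removes Prometheus scraping for these services. If the motivation is a missing ServiceMonitor CRD in some clusters, gate it on one shared value (for example `.Values.services.metrics.serviceMonitor.enabled`, a name assumed here, not one the charts define) instead of editing every chart, so production keeps its telemetry and the switch is a one-line change.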
@ -42,6 +42,29 @@ volumes:
configMap:
name: {{ .Release.Name }}
ingress:
enabled: true
annotations:
{{- if .Values.services.ingress.tls.letsEncrypt.enabled }}
cert-manager.io/cluster-issuer: {{ .Values.services.ingress.tls.letsEncrypt.issuer }}
{{- end }}
kubernetes.io/ingress.class: {{ .Values.services.ingress.class | quote }}
hosts:
- host: iddqd.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}
paths:
- /v1/processing/invoicing
{{- if .Values.services.ingress.tls.enabled }}
tls:
{{ if .Values.services.ingress.tls.letsEncrypt.enabled }}
- secretName: {{ .Release.Name }}-{{ .Values.services.ingress.tls.secretName }}
{{- else }}
- secretName: {{ .Values.services.ingress.tls.secretName }}
{{- end }}
hosts:
- iddqd.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}
{{- end }}
servicePort: 8022
ciliumPolicies:
- filters:
- port: 8022
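Review bot: The new `ingress` block publishes `/v1/processing/invoicing` (backend `servicePort: 8022`) on `iddqd.<rootDomain>` with only cert-manager and ingress-class annotations, no source restriction and no authentication annotation; this is the same port-8022 processing API that other charts reach only through explicit Cilium `hellgate` filters, and an ingress path bypasses that L4 gate. Confirm the iddqd host is meant to be reachable from outside the cluster, and if so add `nginx.ingress.kubernetes.io/whitelist-source-range` or an auth annotation.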

View File

@ -6,6 +6,14 @@ java \
-jar \
/opt/hooker/hooker.jar \
--logging.config=/opt/hooker/logback.xml \
--management.security.flag=false \
--management.metrics.export.statsd.flavor=etsy \
--management.metrics.export.statsd.enabled=true \
--management.metrics.export.prometheus.enabled=true \
--management.endpoint.health.show-details=always \
--management.endpoint.metrics.enabled=true \
--management.endpoint.prometheus.enabled=true \
--management.endpoints.web.exposure.include=health,info,prometheus \
--spring.datasource.hikari.data-source-properties.prepareThreshold=0 \
--spring.datasource.hikari.leak-detection-threshold=5300 \
--spring.datasource.hikari.max-lifetime=300000 \
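Review bot: `--management.endpoint.health.show-details=always` together with `--management.endpoints.web.exposure.include=health,info,prometheus` returns component details (datasource, Kafka, disk) to any unauthenticated caller of `/actuator/health`; prefer `show-details=when-authorized` unless the actuator port is guaranteed to stay off every ingress. `--management.security.flag=false` does not correspond to a Spring Boot actuator property (Boot 1.x used `management.security.enabled`, removed in 2.x), so it is a no-op that suggests protection which is not there; drop it rather than carry it into the other new entrypoints.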
@ -25,12 +33,6 @@ java \
--kafka.client-id=hooker \
--kafka.consumer.group-id=Hooker-Invoicing \
--kafka.consumer.max-poll-records=500 \
--kafka.ssl.enabled=false \
--kafka.ssl.key-store-location=/opt/hooker/kafka-keystore.p12 \
--kafka.ssl.key-store-password=test \
--kafka.ssl.trust-store-location=/opt/hooker/kafka-truststore.p12 \
--kafka.ssl.trust-store-password=test \
--kafka.ssl.key-password=test \
--spring.application.name=hooker \
--logging.level.com.rbkmoney.hooker.scheduler.MessageScheduler=DEBUG \
${@} \
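Review bot: Removing the six `--kafka.ssl.*` flags takes the literal keystore and truststore password `test` out of the entrypoint, which is the right direction; the hooker values hunk later in this PR keeps the same settings as a commented template so they can come from Vault when mTLS is enabled. Also `${@} \` is the last visible line: quote it as `"$@"`, and make sure the continuation is still followed by an argument (the messages and magista entrypoints place `--spring.config.additional-location` there), otherwise the trailing backslash is dangling.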

View File

@ -61,7 +61,7 @@ podAnnotations:
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-inject-secret-application.properties: "database/creds/db-app-hooker"
vault.hashicorp.com/agent-inject-template-application.properties: |
{{`{{- with secret "database/creds/db-app-hooker" }}
{{`{{- with secret "database/creds/db-app-hooker" -}}
spring.datasource.url=jdbc:postgresql://postgres-postgresql:5432/hooker?sslmode=disable
spring.datasource.username={{ .Data.username }}
spring.datasource.password={{ .Data.password }}
@ -72,7 +72,7 @@ podAnnotations:
metrics:
serviceMonitor:
enabled: true
enabled: false
namespace: {{ .Release.Namespace }}
additionalLabels:
release: prometheus
@ -108,10 +108,18 @@ ciliumPolicies:
type: TCP
name: hellgate
namespace: {{ .Release.Namespace }}
{{- /*
- filters:
- port: 8022
type: TCP
name: fault-detector
namespace: {{ .Release.Namespace }}
*/ -}}
##In case of kafka mTLS auth move it to vault template
# {{- /*
# kafka.ssl.enabled={{ kafka.ssl.enable }}
# kafka.ssl.key-store-location=/opt/{{ service_name }}/kafka-keystore.p12
# kafka.ssl.key-store-password="{{ service.keystore.pass }}"
# kafka.ssl.key-password="{{ service.keystore.pass }}"
# kafka.ssl.trust-store-location=/opt/{{ service_name }}/kafka-truststore.p12
# kafka.ssl.trust-store-password="{{ kafka.truststore.java.pass }}"
# */ -}}
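Review bot: The commented `kafka.ssl.*` template under `##In case of kafka mTLS auth` uses Ansible-style variables (`{{ kafka.ssl.enable }}`, `{{ service_name }}`, `{{ service.keystore.pass }}`) that are not Helm `.Values` references and sits inside a `{{- /* */ -}}` template comment, so it is documentation only; when it is enabled, rewrite the references and source the keystore passwords from the Vault template, not from the values file. Wrapping the `fault-detector` egress filter in a template comment removes that allow rule entirely: if hooker still calls `fault-detector:8022`, Cilium will drop those connections silently rather than failing loudly, so either delete the block or leave a comment stating the call path no longer exists.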

View File

@ -1,4 +1,8 @@
replicas: 1
replicas: 3
deleteTopicEnable: true
logRetentionBytes: _-1
logRetentionHours: -1
podLabels:
selector.cilium.rbkmoney/release: {{ .Release.Name }}
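Review bot: `logRetentionBytes: _-1` has a stray leading underscore, so Kafka receives the string `_-1` for `log.retention.bytes` and rejects it at startup as not a number; it should be `-1`. Together with `logRetentionHours: -1` that disables retention entirely, so broker disks grow without bound; pair infinite retention with a disk-usage alert or set per-topic retention. `deleteTopicEnable: true` also means any client that can reach port 9092 can delete topics, and the entrypoints in this PR run with `--kafka.ssl.enable=false` and no authentication, so the Cilium Kafka L7 rules (`role: consume`, `topics`) are the only thing limiting that; keep them in place.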
@ -11,7 +15,7 @@ zookeeper:
## If the Zookeeper Chart is disabled a URL and port are required to connect
# url: "zookeeper"
# port: 2181
replicaCount: 1
replicaCount: 3
persistence:
enabled: false
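Review bot: `zookeeper.replicaCount` goes to 3 while `persistence.enabled: false` stays, so a rolling restart of all three ZooKeeper pods loses every znode (topic metadata, ACLs, controller epoch); either enable persistence for the ensemble or document that the three-replica quorum only protects against single-pod loss, not a full restart, and that topics must then be recreated.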

View File

@ -21,7 +21,7 @@ configMap:
sys.config: |
{{- readFile "sys.config" | nindent 6 }}
erl_inetrc: |
{{- readFile "../vm/erl_inetrc" | nindent 6 }}
{{- tpl (readFile "../vm/erl_inetrc.gotmpl") . | nindent 6 }}
vm.args: |
{{- tpl (readFile "../vm/erl_vm_args.gotmpl") . | nindent 6 }}
@ -82,11 +82,11 @@ volumes:
pvc:
enabled: true
name: "{{ .Release.Name }}-keyring"
storage: 3Mi
storage: 10Mi
metrics:
serviceMonitor:
enabled: true
enabled: false
namespace: {{ .Release.Namespace }}
additionalLabels:
release: prometheus

View File

@ -605,34 +605,6 @@
"webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister": false,
"webAuthnPolicyPasswordlessAcceptableAaguids": [],
"users": [
{
"id": "ea2ab1c5-5e8d-411d-a013-fdee5122b0eb",
"createdTimestamp": 1601602713434,
"username": "service-account-realm-management",
"enabled": true,
"totp": false,
"emailVerified": false,
"serviceAccountClientId": "realm-management",
"disableableCredentialTypes": [],
"requiredActions": [],
"realmRoles": [
"uma_authorization",
"offline_access"
],
"clientRoles": {
"realm-management": [
"uma_protection"
],
"account": [
"manage-account",
"view-profile"
]
},
"notBefore": 0,
"groups": [
"/merchant"
]
},
{
"id": "281220eb-a4ef-4d03-b666-bdec4b26c5f7",
"createdTimestamp": 1479212158721,
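Review bot: Dropping the exported `service-account-realm-management` user (holding `uma_authorization`, `manage-account`/`view-profile` and membership in `/merchant`) from `users` reduces the privilege pre-provisioned by the realm import; check that no automation relied on that fixed `id`, and that the `realm-management` client's service account is re-enabled only if something actually needs it.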
@ -1467,12 +1439,12 @@
"clientAuthenticatorType": "client-secret",
"secret": "**********",
"redirectUris": [
"https://beta.dashboard.rbk.money/*",
"https://dashboard.rbk.money/*"
"https://beta.dashboard.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}/*",
"https://dashboard.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}/*"
],
"webOrigins": [
"https://beta.dashboard.rbk.money",
"https://dashboard.rbk.money"
"https://beta.dashboard.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}",
"https://dashboard.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}"
],
"notBefore": 0,
"bearerOnly": false,
@ -1529,10 +1501,10 @@
"clientAuthenticatorType": "client-secret",
"secret": "**********",
"redirectUris": [
"{{ .Values.services.keycloak.externalUrl }}/*"
"https://dashboard.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}/*"
],
"webOrigins": [
"{{ .Values.services.keycloak.externalUrl }}"
"https://dashboard.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}"
],
"notBefore": 0,
"bearerOnly": false,
@ -2225,10 +2197,10 @@
"clientAuthenticatorType": "client-secret",
"secret": "**********",
"redirectUris": [
"{{ .Values.services.keycloak.externalUrl }}/*"
"https://auth.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}/*"
],
"webOrigins": [
"{{ .Values.services.keycloak.externalUrl }}"
"https://auth.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}"
],
"notBefore": 0,
"bearerOnly": false,
@ -3117,8 +3089,8 @@
"contentSecurityPolicyReportOnly": "",
"xContentTypeOptions": "nosniff",
"xRobotsTag": "none",
"xFrameOptions": "ALLOW-FROM https://dashboard.rbk.money https://beta.dashboard.rbk.money",
"contentSecurityPolicy": "child-src 'self', frame-ancestors https://dashboard.rbk.money https://beta.dashboard.rbk.money;",
"xFrameOptions": "ALLOW-FROM https://dashboard.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}",
"contentSecurityPolicy": "child-src 'self', frame-ancestors https://dashboard.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }} ;",
"xXSSProtection": "1; mode=block",
"strictTransportSecurity": "max-age=31536000; includeSubDomains"
},
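Review bot: The CSP value `child-src 'self', frame-ancestors https://dashboard.…` separates directives with a comma, but CSP directives are `;`-separated, so browsers parse a single `child-src` directive whose source list contains the tokens `'self',`, `frame-ancestors` and the URL, and no `frame-ancestors` restriction is applied at all; write `child-src 'self'; frame-ancestors https://dashboard.{{ … }};`. This matters because `xFrameOptions: ALLOW-FROM …` is ignored by Chromium and Safari (and the whole header with it), leaving CSP as the only clickjacking control. Note also that `beta.dashboard` was removed from both headers while the client hunk above still lists `https://beta.dashboard.{{ … }}/*` as a redirect URI and web origin, so the beta host can no longer frame the login page; either is fine, but they should agree.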
@ -3133,10 +3105,10 @@
"ssl": "false",
"user": "no-reply@rbkmoney.com"
},
"loginTheme": "rbkmoney-hood",
"accountTheme": "rbkmoney",
"loginTheme": "keycloak",
"accountTheme": "keycloak",
"adminTheme": "keycloak",
"emailTheme": "rbkmoney-hood",
"emailTheme": "keycloak",
"eventsEnabled": true,
"eventsExpiration": 51840000,
"eventsListeners": [

File diff suppressed because it is too large

View File

@ -1,6 +1,7 @@
# -*- mode: yaml -*-
configMap:
data:
realms.json: |
{{- tpl (readFile "realms.json.gotmpl") . | nindent 6 }}
external.json: |
{{ tpl (readFile "external.json.gotmpl") . | nindent 6 }}
internal.json: |
{{ tpl (readFile "internal.json.gotmpl") . | nindent 6 }}
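Review bot: `realms.json` keeps being rendered into the ConfigMap while the `KEYCLOAK_IMPORT` hunk later in this PR switches the import to `/realm/internal.json,/realm/external.json`, so the realms.json entry becomes dead configuration that still carries a full realm export; drop it. Also use `{{- tpl … }}` (left-trim) for `external.json` and `internal.json` as the `realms.json` line does, otherwise each rendered file begins with a whitespace-only line, harmless for JSON but inconsistent.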

View File

@ -4,7 +4,13 @@ postgresql:
podLabels:
selector.cilium.rbkmoney/release: {{ .Release.Name }}
image:
tag: 12.0.4
extraEnv: |
- name: KEYCLOAK_USER
value: true_admin
- name: KEYCLOAK_PASSWORD
value: "K46t7q@fHqcHfhys676dkfk"
- name: PROXY_ADDRESS_FORWARDING
value: "true"
- name: DB_VENDOR
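Review bot: `KEYCLOAK_USER`/`KEYCLOAK_PASSWORD` put the Keycloak master admin credentials as literals in `extraEnv`, which lands in git, in the rendered Deployment and in `kubectl describe pod`; every other chart in this PR pulls credentials from Vault, so do the same here (or at minimum reference a Kubernetes Secret through `valueFrom.secretKeyRef` inside the `extraEnv` block) and rotate the password that has now been committed. Because `extraEnv` is a `|` string block, the quoting of the password value is passed through verbatim into the manifest, so a value containing `@` as here is fine but `$` or `"` would not be.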
@ -32,7 +38,7 @@ extraEnv: |
-Djboss.modules.system.pkgs=$JBOSS_MODULES_SYSTEM_PKGS
-Djava.awt.headless=true
- name: KEYCLOAK_IMPORT
value: /realm/realms.json
value: /realm/internal.json,/realm/external.json
extraVolumes: |
- name: keycloak-realms-volume
@ -46,12 +52,17 @@ extraVolumeMounts: |
ingress:
enabled: true
annotations:
{{- if .Values.services.ingress.tls.letsEncrypt.enabled }}
cert-manager.io/cluster-issuer: {{ .Values.services.ingress.tls.letsEncrypt.issuer }}
{{- end }}
kubernetes.io/ingress.class: {{ .Values.services.ingress.class | quote }}
nginx.ingress.kubernetes.io/enable-cors: "true"
nginx.ingress.kubernetes.io/cors-allow-methods: "PUT, GET, POST, OPTIONS"
nginx.ingress.kubernetes.io/cors-allow-credentials: "true"
nginx.ingress.kubernetes.io/configuration-snippet: |
more_set_headers "Access-Control-Allow-Origin: $http_origin";
servicePort: http
annotations: {}
## Resolve HTTP 502 error using ingress-nginx:
## See https://www.ibm.com/support/pages/502-error-ingress-keycloak-response
# nginx.ingress.kubernetes.io/proxy-buffer-size: 128k
rules:
- host: 'auth.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}'
paths:
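Review bot: `nginx.ingress.kubernetes.io/cors-allow-credentials: "true"` combined with the `configuration-snippet` that emits `Access-Control-Allow-Origin: $http_origin` reflects any caller's Origin with credentials allowed, which lets any website make credentialed cross-origin requests to the auth server from the user's browser; set `nginx.ingress.kubernetes.io/cors-allow-origin` to the dashboard origin instead of reflecting `$http_origin`. Also `annotations` appears twice under `ingress` in the visible lines (the populated block, and `annotations: {}` after `servicePort: http`); if both survive in the new file the result depends on the YAML library, either a parse error or the later empty mapping winning, which would silently drop the cert-manager and CORS annotations. Keep a single `annotations` key.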
@ -60,7 +71,11 @@ ingress:
tls:
- hosts:
- 'auth.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}'
{{ if .Values.services.ingress.tls.letsEncrypt.enabled }}
secretName: {{ .Release.Name }}-{{ .Values.services.ingress.tls.secretName }}
{{- else }}
secretName: {{ .Values.services.ingress.tls.secretName }}
{{- end }}
{{- end }}
ciliumPolicies:

View File

@ -1,4 +1,6 @@
service_name: machinegun
dist_node_name:
hostpart: ip
erlang:
{{- if .Values.services.global.ipv6only }}
@ -20,32 +22,32 @@ storage:
host: riak
port: 8087
pool:
size: 10
queue_max: 100
size: 100
queue_max: 500
batch_concurrency_limit: 10
connect_timeout: 500ms
request_timeout: 10s
index_query_timeout: 60s
consuela:
presence:
check_interval: 5s
registry:
nodename: consul-server-0
session_ttl: 30s
session_renewal_interval: 10s
discovery:
tags: []
# consuela:
# presence:
# check_interval: 5s
# registry:
# nodename: consul-server-0
# session_ttl: 30s
# session_renewal_interval: 10s
# discovery:
# tags: []
logging:
out_type: stdout
# Consul client settings.
# Required when distributed machine registry is enabled.
consul:
url: http://consul-server:8500
connect_timeout: 200ms
recv_timeout: 1s
# consul:
# url: http://consul-server:8500
# connect_timeout: 200ms
# recv_timeout: 1s
namespaces:
domain-config:
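Review bot: Commenting out both the `consuela` and `consul` sections disables the distributed machine registry (the `consul` block's own comment says it is required when that registry is enabled), so machinegun must stay at a single replica; the machinegun values hunk below keeps `replicaCount: 1`, but add a comment there so a later scale-out does not run two unregistered instances against the same Riak storage. The pool change (`size: 100`, `queue_max: 500`) is ten times the previous connection count; confirm Riak's listener limits accommodate it.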
@ -77,7 +79,12 @@ namespaces:
pool_size: 300
http_keep_alive_timeout: 3000ms
invoice:
timers: *default_timers_config
timers:
&default_timers_config
scan_interval: 60s
scan_limit: 5000
capacity: 2000
min_scan_delay: 5s
overseer: *default_overseer_config
event_sinks:
kafka:
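Review bot: The `&default_timers_config` anchor is now declared inline under `invoice.timers`, and a YAML alias must come after its anchor in document order, so any namespace rendered before `invoice` that still uses `*default_timers_config` will fail to load (the `ff/*` namespaces appended later are fine). If the anchor was previously defined in a namespace above, this is now a second definition; a single definition placed before its first use, with the other namespaces aliasing it, is easier to reason about.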
@ -141,6 +148,168 @@ namespaces:
processor:
url: http://url-shortener:8022/v1/stateproc
http_keep_alive_timeout: 3000ms
ff/identity:
timers: *default_timers_config
overseer: *default_overseer_config
event_sinks:
machine:
type: machine
machine_id: ff/identity
kafka:
type: kafka
topic: mg-events-ff-identity
client: default_kafka_client
processor:
url: http://fistful:8022/v1/stateproc/ff/identity
http_keep_alive_timeout: 3000ms
ff/wallet_v2:
timers: *default_timers_config
overseer: *default_overseer_config
event_sinks:
machine:
type: machine
machine_id: ff/wallet_v2
kafka:
type: kafka
topic: mg-events-ff-wallet
client: default_kafka_client
processor:
url: http://fistful:8022/v1/stateproc/ff/wallet_v2
http_keep_alive_timeout: 3000ms
ff/source_v1:
timers: *default_timers_config
overseer: *default_overseer_config
event_sinks:
machine:
type: machine
machine_id: ff/source_v1
kafka:
type: kafka
topic: mg-events-ff-source
client: default_kafka_client
processor:
url: http://fistful:8022/v1/stateproc/ff/source_v1
http_keep_alive_timeout: 3000ms
ff/destination_v2:
timers: *default_timers_config
overseer: *default_overseer_config
event_sinks:
machine:
type: machine
machine_id: ff/destination_v2
kafka:
type: kafka
topic: mg-events-ff-destination
client: default_kafka_client
processor:
url: http://fistful:8022/v1/stateproc/ff/destination_v2
http_keep_alive_timeout: 3000ms
ff/deposit_v1:
timers: *default_timers_config
overseer: *default_overseer_config
event_sinks:
machine:
type: machine
machine_id: ff/deposit_v1
kafka:
type: kafka
topic: mg-events-ff-deposit
client: default_kafka_client
processor:
url: http://fistful:8022/v1/stateproc/ff/deposit_v1
http_keep_alive_timeout: 3000ms
ff/withdrawal_v2:
timers: *default_timers_config
overseer: *default_overseer_config
event_sinks:
machine:
type: machine
machine_id: ff/withdrawal_v2
kafka:
type: kafka
topic: mg-events-ff-withdrawal
client: default_kafka_client
processor:
url: http://fistful:8022/v1/stateproc/ff/withdrawal_v2
http_keep_alive_timeout: 3000ms
ff/withdrawal/session_v2:
timers: *default_timers_config
overseer: *default_overseer_config
event_sinks:
machine:
type: machine
machine_id: ff/withdrawal/session_v2
processor:
url: http://fistful:8022/v1/stateproc/ff/withdrawal/session_v2
http_keep_alive_timeout: 3000ms
ff/sequence:
timers: disabled
overseer: *default_overseer_config
processor:
url: http://fistful:8022/v1/stateproc/ff/sequence
http_keep_alive_timeout: 3000ms
ff/external_id:
timers: disabled
overseer: *default_overseer_config
processor:
url: http://fistful:8022/v1/stateproc/ff/external_id
http_keep_alive_timeout: 3000ms
ff/p2p_transfer_v1:
timers: *default_timers_config
overseer: *default_overseer_config
event_sinks:
machine:
type: machine
machine_id: ff/p2p_transfer_v1
kafka:
type: kafka
topic: mg-events-ff-p2p-transfer
client: default_kafka_client
processor:
url: http://fistful:8022/v1/stateproc/ff/p2p_transfer_v1
http_keep_alive_timeout: 3000ms
ff/p2p_transfer/session_v1:
timers: *default_timers_config
overseer: *default_overseer_config
event_sinks:
machine:
type: machine
machine_id: ff/p2p_transfer/session_v1
kafka:
type: kafka
topic: mg-events-ff-p2p-transfer-session
client: default_kafka_client
processor:
url: http://fistful:8022/v1/stateproc/ff/p2p_transfer/session_v1
http_keep_alive_timeout: 3000ms
ff/w2w_transfer_v1:
timers: *default_timers_config
overseer: *default_overseer_config
event_sinks:
machine:
type: machine
machine_id: ff/w2w_transfer_v1
kafka:
type: kafka
topic: mg-events-ff-w2w-transfer
client: default_kafka_client
processor:
url: http://fistful:8022/v1/stateproc/ff/w2w_transfer_v1
http_keep_alive_timeout: 3000ms
ff/p2p_template_v1:
timers: *default_timers_config
overseer: *default_overseer_config
event_sinks:
machine:
type: machine
machine_id: ff/p2p_template_v1
kafka:
type: kafka
topic: mg-events-ff-p2p-template
client: default_kafka_client
processor:
url: http://fistful:8022/v1/stateproc/ff/p2p_template_v1
http_keep_alive_timeout: 3000ms
kafka:
default_kafka_client:
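Review bot: `ff/withdrawal/session_v2` declares only a `machine` event sink, while every other `ff/*` namespace with a `machine` sink also declares a `kafka` sink on its own `mg-events-ff-*` topic; if that omission is intentional a comment would save the next reader a diff, otherwise withdrawal session events never reach Kafka consumers. All the new processor URLs are plain `http://fistful:8022/...`, consistent with the rest of the file, so make sure the machinegun Cilium egress policy (not in this diff) allows `fistful` on 8022.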

View File

@ -4,7 +4,7 @@ replicaCount: 1
image:
repository: docker.io/rbkmoney/machinegun
tag: 54eff8de6e39b1102f1eafb44b6a5ce3eab6e9a2
tag: b7a4e8e938a9857ed47d43701e7672fc9fefdf00
pullPolicy: IfNotPresent
configMap:
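Review bot: The `tag` is pinned to a commit hash, which is better than a floating tag, but registry tags remain mutable; for a payment-processing image consider pinning by digest (`image@sha256:…`, if the chart supports it) or verifying the digest at deploy time, so a re-pushed `b7a4e8e9…` tag cannot change what runs.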
@ -36,7 +36,7 @@ volumeMounts:
metrics:
serviceMonitor:
enabled: true
enabled: false
namespace: {{ .Release.Namespace }}
additionalLabels:
release: prometheus

View File

@ -0,0 +1,36 @@
#!/bin/sh
set -ue
java \
"-XX:OnOutOfMemoryError=kill %p" -XX:+HeapDumpOnOutOfMemoryError \
-jar \
/opt/magista/magista.jar \
--logging.config=/opt/magista/logback.xml \
--management.security.flag=false \
--management.metrics.export.statsd.flavor=etsy \
--management.metrics.export.statsd.enabled=true \
--management.metrics.export.prometheus.enabled=true \
--management.endpoint.health.show-details=always \
--management.endpoint.metrics.enabled=true \
--management.endpoint.prometheus.enabled=true \
--management.endpoints.web.exposure.include=health,info,prometheus \
--spring.application.name=magista \
--spring.datasource.hikari.data-source-properties.prepareThreshold=0 \
--spring.datasource.hikari.leak-detection-threshold=5300 \
--spring.datasource.hikari.max-lifetime=300000 \
--spring.datasource.hikari.idle-timeout=30000 \
--spring.datasource.hikari.minimum-idle=2 \
--spring.datasource.hikari.maximum-pool-size=20 \
--flyway.schemas=mst \
--payouter.pooling.url=http://payouter:8022/repo \
--hellgate.url=http://hellgate:8022/v1/processing/partymgmt \
--hellgate.timeout=30000 \
--columbus.url=http://columbus:8022/repo \
--retry-policy.maxAttempts=-1 \
--kafka.bootstrap-servers=kafka:9092 \
--kafka.topics.invoicing=mg-events-invoice \
--kafka.client-id=magista \
--kafka.consumer.group-id=magista-invoicing-1 \
--kafka.consumer.concurrency=7 \
${@} \
--spring.config.additional-location=/vault/secrets/application.properties \
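Review bot: The final line `--spring.config.additional-location=/vault/secrets/application.properties \` ends with a continuation backslash followed by end of file; drop the trailing `\`. `${@}` should be `"$@"`. Passing the Vault-provided properties file after `${@}` is the right order, since callers cannot swap it out; just keep in mind that `--management.endpoint.health.show-details=always` is served on the separate `management` port (8023 in the values file), so that port must stay off any ingress.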

View File

@ -0,0 +1,4 @@
<included>
<logger name="com.rbkmoney" level="INFO"/>
<logger name="com.rbkmoney.woody" level="INFO"/>
</included>

View File

@ -0,0 +1,129 @@
# -*- mode: yaml -*-
replicaCount: 1
image:
repository: docker.io/rbkmoney/magista
tag: 84f2ad8875317497db97ee6902bb624e47906164
pullPolicy: IfNotPresent
runopts:
command: ["/opt/magista/entrypoint.sh"]
configMap:
data:
entrypoint.sh: |
{{- readFile "entrypoint.sh" | nindent 6 }}
loggers.xml: |
{{- readFile "loggers.xml" | nindent 6 }}
logback.xml: |
{{- readFile "../logs/logback.xml" | nindent 6 }}
volumes:
- name: config-volume
configMap:
name: {{ .Release.Name }}
defaultMode: 0755
volumeMounts:
- name: config-volume
mountPath: /opt/magista/entrypoint.sh
subPath: entrypoint.sh
readOnly: true
- name: config-volume
mountPath: /opt/magista/logback.xml
subPath: logback.xml
readOnly: true
- name: config-volume
mountPath: /opt/magista/loggers.xml
subPath: loggers.xml
readOnly: true
service:
ports:
- name: api
port: 8022
- name: management
port: 8023
livenessProbe:
httpGet:
path: /actuator/health
port: management
readinessProbe:
httpGet:
path: /actuator/health
port: management
podAnnotations:
vault.hashicorp.com/role: "db-app"
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-inject-secret-application.properties: "database/creds/db-app-magista"
vault.hashicorp.com/agent-inject-template-application.properties: |
{{`{{- with secret "database/creds/db-app-magista" -}}
spring.datasource.url=jdbc:postgresql://postgres-postgresql:5432/magista?sslmode=disable
spring.datasource.username={{ .Data.username }}
spring.datasource.password={{ .Data.password }}
flyway.url=jdbc:postgresql://postgres-postgresql:5432/magista?sslmode=disable
flyway.user={{ .Data.username }}
flyway.password={{ .Data.password }}
{{- end }}`}}
metrics:
serviceMonitor:
enabled: false
namespace: {{ .Release.Namespace }}
additionalLabels:
release: prometheus
endpoints:
- port: "management"
path: /actuator/prometheus
scheme: http
ciliumPolicies:
- filters:
- port: 5432
type: TCP
name: postgres
namespace: {{ .Release.Namespace }}
- filters:
- port: 9092
rules:
kafka:
- role: consume
topics:
- mg-events-invoice
type: TCP
name: kafka
namespace: {{ .Release.Namespace }}
- filters:
- port: 8200
type: TCP
name: vault
namespace: {{ .Release.Namespace }}
- filters:
- port: 8022
type: TCP
name: columbus
namespace: {{ .Release.Namespace }}
- filters:
- port: 8022
type: TCP
name: hellgate
namespace: {{ .Release.Namespace }}
- filters:
- port: 8022
type: TCP
name: payouter
namespace: {{ .Release.Namespace }}
# add it to vault tamlate if kafka mTLS auth enable
#{{- /*
# --kafka.ssl.enabled={{ kafka.ssl.enable }}
# --kafka.ssl.key-store-location=/opt/{{ service_name }}/kafka-keystore.p12
# --kafka.ssl.key-store-password="{{ service.keystore.pass }}"
# --kafka.ssl.key-password="{{ service.keystore.pass }}"
# --kafka.ssl.trust-store-location=/opt/{{ service_name }}/kafka-truststore.p12
# --kafka.ssl.trust-store-password="{{ kafka.truststore.java.pass }}"
# */ -}}
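Review bot: The Kafka `ciliumPolicies` entry adds an L7 rule (`rules.kafka` with `role: consume`, `topics: [mg-events-invoice]`), a good least-privilege step; be aware that Cilium's Kafka parser only inspects plaintext traffic, so the commented mTLS block at the end of the file (`--kafka.ssl.enabled=…`) cannot be enabled without dropping that rule back to an L4 port filter. As in the hooker values, that template uses Ansible-style `{{ service_name }}` variables rather than `.Values`, and its comment has a typo (`tamlate`). Also the Vault template writes `flyway.url/user/password` (Boot 1.x prefix) while fraudbusters uses `spring.flyway.*`; make sure the prefix matches the Spring Boot version the magista jar is built on, or the migration credentials are ignored.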

View File

@ -0,0 +1,20 @@
#!/bin/sh
set -ue
java \
"-XX:OnOutOfMemoryError=kill %p" -XX:+HeapDumpOnOutOfMemoryError \
-jar \
/opt/messages/messages.jar \
--logging.file=/var/log/messages/messages.json \
--logging.config=/opt/messages/logback.xml \
-Dwoody.node_id=1 \
--spring.datasource.url=jdbc:postgresql://postgres-postgresql:5432/messages?sslmode=disable \
--spring.datasource.username=postgres \
--spring.datasource.password=H@ckM3 \
--spring.flyway.url=jdbc:postgresql://postgres-postgresql:5432/messages?sslmode=disable \
--spring.flyway.user=postgres \
--spring.flyway.password=H@ckM3 \
--spring.flyway.schemas=msgs \
--flyway.schemas=msgs \
${@} \
--spring.config.additional-location=/vault/secrets/application.properties
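Review bot: `--spring.datasource.username=postgres` and `--spring.datasource.password=H@ckM3` run the service as the Postgres superuser with a literal password in the committed entrypoint, and the values file for this chart has the Vault agent annotations commented out, so these are the live credentials; use a dedicated role limited to the `msgs` schema and inject the password through a Secret or the Vault template. Separately, `-Dwoody.node_id=1` is placed after `-jar /opt/messages/messages.jar`, so the JVM hands it to `main` as a program argument instead of setting the system property; move it before `-jar`. Setting both `spring.flyway.schemas` and `flyway.schemas` is belt-and-braces for the Boot 1.x/2.x prefix difference; pick the one the jar actually uses.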

View File

@ -0,0 +1,4 @@
<included>
<logger name="com.rbkmoney" level="INFO"/>
<logger name="com.rbkmoney.woody" level="INFO"/>
</included>

View File

@ -0,0 +1,141 @@
# -*- mode: yaml -*-
replicaCount: 1
image:
repository: docker.io/rbkmoney/messages
tag: d85a804962402f64cbdc5cbbae0805af51474243
pullPolicy: IfNotPresent
runopts:
command: ["/opt/messages/entrypoint.sh"]
configMap:
data:
entrypoint.sh: |
{{- readFile "entrypoint.sh" | nindent 6 }}
loggers.xml: |
{{- readFile "loggers.xml" | nindent 6 }}
logback.xml: |
{{- readFile "../logs/logback.xml" | nindent 6 }}
env:
- name: LOGBACK_SERVICE_NAME
value: "messages"
volumes:
- name: config-volume
configMap:
name: {{ .Release.Name }}
defaultMode: 0755
volumeMounts:
- name: config-volume
mountPath: /opt/messages/entrypoint.sh
subPath: entrypoint.sh
readOnly: true
- name: config-volume
mountPath: /opt/messages/logback.xml
subPath: logback.xml
readOnly: true
- name: config-volume
mountPath: /opt/messages/loggers.xml
subPath: loggers.xml
readOnly: true
service:
ports:
- name: api
port: 8022
livenessProbe:
httpGet:
path: /actuator/health
port: api
readinessProbe:
httpGet:
path: /actuator/health
port: api
# podAnnotations:
# vault.hashicorp.com/role: "db-app"
# vault.hashicorp.com/agent-inject: "true"
# vault.hashicorp.com/agent-inject-secret-application.properties: "database/creds/db-app-messages"
# vault.hashicorp.com/agent-inject-template-application.properties: |
# {{`{{- with secret "database/creds/db-app-messages" -}}
# spring.datasource.url=jdbc:postgresql://postgres-postgresql:5432/messages?sslmode=disable
# spring.datasource.username={{ .Data.username }}
# spring.datasource.password={{ .Data.password }}
# spring.flyway.url=jdbc:postgresql://postgres-postgresql:5432/messages?sslmode=disable
# spring.flyway.user={{ .Data.username }}
# spring.flyway.password={{ .Data.password }}
# spring.flyway.schemas=msgs
# flyway.schemas=msgs
# {{- end }}`}}
ingress:
enabled: true
annotations:
{{- if .Values.services.ingress.tls.letsEncrypt.enabled }}
cert-manager.io/cluster-issuer: {{ .Values.services.ingress.tls.letsEncrypt.issuer }}
{{- end }}
kubernetes.io/ingress.class: {{ .Values.services.ingress.class | quote }}
hosts:
- host: iddqd.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}
paths:
- /v1/messages
{{- if .Values.services.ingress.tls.enabled }}
tls:
{{ if .Values.services.ingress.tls.letsEncrypt.enabled }}
- secretName: {{ .Release.Name }}-{{ .Values.services.ingress.tls.secretName }}
{{- else }}
- secretName: {{ .Values.services.ingress.tls.secretName }}
{{- end }}
hosts:
- iddqd.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}
{{- end }}
servicePort: 8022
metrics:
serviceMonitor:
enabled: false
namespace: {{ .Release.Namespace }}
additionalLabels:
release: prometheus
endpoints:
- port: "management"
path: /actuator/prometheus
scheme: http
ciliumPolicies:
- filters:
- port: 5432
type: TCP
name: postgres
namespace: {{ .Release.Namespace }}
- filters:
- port: 9092
rules:
kafka:
- role: consume
topics:
- claim-event-sink
type: TCP
name: kafka
namespace: {{ .Release.Namespace }}
- filters:
- port: 8200
type: TCP
name: vault
namespace: {{ .Release.Namespace }}
- filters:
- port: 8022
type: TCP
name: hellgate
namespace: {{ .Release.Namespace }}
- filters:
- port: 8022
type: TCP
name: cashier
namespace: {{ .Release.Namespace }}
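Review bot: The `serviceMonitor.endpoints` entry references `port: "management"`, but `service.ports` only declares `api` (8022), so the monitor would never match a target if `enabled` is later set to `true`; either add a management port as the magista chart does or point the endpoint at `api`. The `/v1/messages` path is published on the `iddqd` ingress with no auth or source-range annotation, like the processing ingress earlier in this PR; confirm that is intended. With the whole `podAnnotations` block commented out, the hard-coded superuser credentials in entrypoint.sh are what this chart runs with, and the `vault` Cilium filter is unused.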

View File

@ -0,0 +1,35 @@
#!/bin/sh
set -ue
mkdir -p /opt/papi/bin/
cp -pr /var/lib/papi/keys/keycloak/keycloak.pubkey.pem /opt/papi/bin/secret
java \
"-XX:OnOutOfMemoryError=kill %p" -XX:+HeapDumpOnOutOfMemoryError \
-jar \
/opt/papi/papi.jar \
--logging.config=/opt/papi/logback.xml \
--management.security.flag=false \
--management.metrics.export.statsd.flavor=etsy \
--management.metrics.export.statsd.enabled=true \
--management.metrics.export.prometheus.enabled=true \
--management.endpoint.health.show-details=always \
--management.endpoint.metrics.enabled=true \
--management.endpoint.prometheus.enabled=true \
--management.endpoints.web.exposure.include=health,info,prometheus \
--magista.client.adapter.url=http://magista:8022/v2/stat \
--magista.client.adapter.networkTimeout=90000 \
-Dwoody.node_id=papi123 \
--dmt.url=http://dominant:8022/v1/domain/repository \
--dmt.timeout=300 \
--hellgate.timeout=300 \
--walker.timeout=300 \
--payouter.timeout=300 \
--magista.url=http://magista:8022/stat \
--shitter.url=http://payouter:8022/payout/management \
--walker.url=http://walker:8022/walker \
--keycloak.auth-server-url=https://auth.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}/auth \
--keycloak.realm-public-key.file-path="/opt/papi/bin/secret" \
--keycloak.realm=internal \
--keycloak.resource=private-api \
${@} \
--spring.config.additional-location=/vault/secrets/application.properties \
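Review bot: `-Dwoody.node_id=papi123` is placed after `-jar /opt/papi/papi.jar`, so the JVM passes it to `main` as an argument instead of setting the system property; move it before `-jar` (the messages and payouter entrypoints have the same pattern). The `cp -pr` of `keycloak.pubkey.pem` to `/opt/papi/bin/secret` runs under `set -ue`, so a pod whose init container did not produce the key fails fast, which is correct; naming a public key `secret` is misleading but harmless. The last line again ends with a dangling `\`.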

View File

@ -0,0 +1,61 @@
#!/bin/sh
set -o pipefail
KK_HOST=${KK_HOST:-keycloak-headless}
KK_PORT=${KK_PORT:-8080}
KK_REALM=${KK_REALM:-external}
TARGET=${TARGET:-secret}
MAX_RETRY_TIMEOUT=${MAX_RETRY_TIMEOUT:-10}
TIMEOUT=0
LOG_FILE=${SCRIPT_LOGFILE:-/dev/null}
function log() {
local severity=$1
local msg=$2
local log_msg="$(date -Iseconds) [ $severity ] $msg"
echo "$0: $log_msg"
echo $log_msg >> $LOG_FILE
}
while true; do
REALM_FAIL=false
log INFO "Attempting to fetch Keycloak key..."
REALM_DATA=$(wget --quiet --timeout=10 "https://auth.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}/auth/realms/internal" -O -)
EXIT_CODE=$?
if [ "${EXIT_CODE}" -ne "0" ]; then
REALM_FAIL=true
log ERROR "Keycloak realm data fetching failed with exit code: ${EXIT_CODE}"
fi
if [ -z "${REALM_DATA}" ]; then
REALM_FAIL=true
log ERROR "Keycloak realm data is empty"
fi
if [ "$REALM_FAIL" == false ]; then
break
else
TIMEOUT=$((TIMEOUT + 1))
TIMEOUT=$([ $TIMEOUT -le $MAX_RETRY_TIMEOUT ] && echo "$TIMEOUT" || echo "$MAX_RETRY_TIMEOUT")
fi
log ERROR "Keycloak request timeout: ${TIMEOUT}"
sleep $TIMEOUT
done
log INFO "Keycloak realm data fetched successfully"
log DEBUG "${REALM_DATA}"
log INFO "Writing public key to: ${TARGET} ..."
echo "-----BEGIN PUBLIC KEY-----" > ${TARGET}
echo "${REALM_DATA}" | \
sed -E -e 's/^.*"public_key":"([^"]*)".*$/\1/' | \
fold -w80 \
>> ${TARGET}
echo "-----END PUBLIC KEY-----" >> ${TARGET}
log INFO "Everything is ok"
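Review bot: The script runs under `#!/bin/sh` but uses `set -o pipefail`, the `function` keyword, `local` and `[ … == … ]`, which are bash features; on a strict POSIX `sh` such as dash the `set -o pipefail` line fails and `function log()` is a syntax error, so either change the shebang to bash (if the image ships it) or rewrite in POSIX sh. `KK_HOST`, `KK_PORT` and `KK_REALM` are defined but never used: the fetch goes to the public `https://auth.<rootDomain>/auth/realms/internal` URL and hardcodes `internal` although `KK_REALM` defaults to `external`. Since this public key is the trust anchor papi uses to verify every token, fetch it in-cluster from `${KK_HOST}:${KK_PORT}` (which is what the `keycloak:8080` Cilium filter in the papi values allows) and fail closed if the TLS certificate cannot be validated, rather than depending on the external ingress path. Minor: `echo $log_msg >> $LOG_FILE` is unquoted, and the retry loop has no attempt cap.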

config/papi/loggers.xml Normal file
View File

@ -0,0 +1,4 @@
<included>
<logger name="com.rbkmoney" level="INFO"/>
<logger name="com.rbkmoney.woody" level="INFO"/>
</included>

View File

@ -0,0 +1,146 @@
# -*- mode: yaml -*-
replicaCount: 1
image:
repository: docker.io/rbkmoney/papi
tag: cce1062e1eabf71810bd585856c37c63cca61df5
pullPolicy: IfNotPresent
runopts:
command: ["/opt/papi/entrypoint.sh"]
configMap:
data:
entrypoint.sh: |
{{- tpl (readFile "entrypoint.sh.gotmpl") . | nindent 6 }}
loggers.xml: |
{{- readFile "loggers.xml" | nindent 6 }}
logback.xml: |
{{- readFile "../logs/logback.xml" | nindent 6 }}
fetchKeycloakPubkey: |
{{- tpl (readFile "fetch-keycloak-pubkey.sh.gotmpl") . | nindent 6 }}
env:
- name: LOGBACK_SERVICE_NAME
value: "papi"
volumes:
- name: config-volume
configMap:
name: {{ .Release.Name }}
defaultMode: 0755
- name: keycloak-pubkey
emptyDir: {}
volumeMounts:
- name: config-volume
mountPath: /opt/papi/entrypoint.sh
subPath: entrypoint.sh
readOnly: true
- name: config-volume
mountPath: /opt/papi/logback.xml
subPath: logback.xml
readOnly: true
- name: config-volume
mountPath: /opt/papi/loggers.xml
subPath: loggers.xml
readOnly: true
- name: keycloak-pubkey
mountPath: /var/lib/papi/keys/keycloak
readOnly: true
apiInitContainers:
enabled: true
service:
ports:
- name: api
port: 8080
ingress:
enabled: true
annotations:
{{- if .Values.services.ingress.tls.letsEncrypt.enabled }}
cert-manager.io/cluster-issuer: {{ .Values.services.ingress.tls.letsEncrypt.issuer }}
{{- end }}
nginx.ingress.kubernetes.io/cors-allow-headers: "DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization,X-Request-ID"
kubernetes.io/ingress.class: {{ .Values.services.ingress.class | quote }}
nginx.ingress.kubernetes.io/rewrite-target: /api/v1/$1
# nginx.ingress.kubernetes.io/app-root: /api/v1
hosts:
- host: iddqd.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}
paths:
- /papi/v1/(.+)
- host: idkfa.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}
paths:
- /papi/v1
- host: dashboard.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}
paths:
- /papi/v1
{{- if .Values.services.ingress.tls.enabled }}
tls:
{{ if .Values.services.ingress.tls.letsEncrypt.enabled }}
- secretName: {{ .Release.Name }}-{{ .Values.services.ingress.tls.secretName }}
{{- else }}
- secretName: {{ .Values.services.ingress.tls.secretName }}
{{- end }}
hosts:
- iddqd.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}
- dashboard.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}
- iddqd.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}
{{- end }}
servicePort: 8080
livenessProbe:
httpGet:
path: /actuator/health
port: "api"
readinessProbe:
httpGet:
path: /actuator/health
port: "api"
metrics:
serviceMonitor:
enabled: true
namespace: {{ .Release.Namespace }}
additionalLabels:
release: prometheus
endpoints:
- port: "api"
path: /actuator/prometheus
scheme: http
ciliumPolicies:
- filters:
- port: 8022
type: TCP
name: magista
namespace: {{ .Release.Namespace }}
- filters:
- port: 8022
type: TCP
name: hellgate
namespace: {{ .Release.Namespace }}
- filters:
- port: 8022
type: TCP
name: dominant
namespace: {{ .Release.Namespace }}
- filters:
- port: 8022
type: TCP
name: cabi
namespace: {{ .Release.Namespace }}
- filters:
- port: 8022
type: TCP
name: dudoser
namespace: {{ .Release.Namespace }}
- filters:
- port: 8080
type: TCP
name: keycloak
namespace: {{ .Release.Namespace }}
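Review bot: the `tls.hosts` list of this papi ingress names `iddqd.<rootDomain>` twice and never names `idkfa.<rootDomain>`, although `idkfa` is one of the three `hosts` entries above; with Let's Encrypt enabled the issued certificate will not cover `idkfa`, and clients get a name mismatch on that host. Replace the second `iddqd` line with `- idkfa.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}`. Separately, `rewrite-target: /api/v1/$1` applies to every rule in this Ingress, but only the `iddqd` path `/papi/v1/(.+)` has a capture group; for the `idkfa` and `dashboard` paths `$1` expands to nothing, so every request on those hosts is rewritten to `/api/v1/` regardless of its original path. Give them the same `(.+)` pattern, or move them into a separate Ingress without the rewrite.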


@ -1,7 +1,7 @@
{
"applePayMerchantID": "merchant.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}",
"brandless": false,
"capiEndpoint": "https://api.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}/",
"capiEndpoint": "https://api.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}",
"fixedTheme": "",
"googlePayGatewayMerchantID": "rbkmoneydevcheckout",
"googlePayMerchantID": "15442243338125315447",


@ -49,13 +49,27 @@ readinessProbe:
ingress:
enabled: true
annotations:
{{- if .Values.services.ingress.tls.letsEncrypt.enabled }}
cert-manager.io/cluster-issuer: {{ .Values.services.ingress.tls.letsEncrypt.issuer }}
{{- end }}
kubernetes.io/ingress.class: {{ .Values.services.ingress.class | quote }}
nginx.ingress.kubernetes.io/enable-cors: "true"
nginx.ingress.kubernetes.io/cors-allow-methods: "PUT, GET, POST, OPTIONS"
nginx.ingress.kubernetes.io/cors-allow-credentials: "true"
nginx.ingress.kubernetes.io/configuration-snippet: |
more_set_headers "Access-Control-Allow-Origin: $http_origin";
hosts:
- host: checkout.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}
paths:
- /
{{- if .Values.services.ingress.tls.enabled }}
tls:
{{ if .Values.services.ingress.tls.letsEncrypt.enabled }}
- secretName: {{ .Release.Name }}-{{ .Values.services.ingress.tls.secretName }}
{{- else }}
- secretName: {{ .Values.services.ingress.tls.secretName }}
{{- end }}
hosts:
- checkout.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}
{{- end }}
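Review bot: `cors-allow-credentials: "true"` together with the `configuration-snippet` that sets `Access-Control-Allow-Origin: $http_origin` reflects whatever `Origin` the browser sends, which is exactly the combination the CORS model forbids: any third-party page can then make credentialed cross-origin requests to `checkout.<rootDomain>` and read the responses. ingress-nginx has `nginx.ingress.kubernetes.io/cors-allow-origin` for this; list the front-end origins that actually call checkout there and drop the snippet, or, if a wildcard is really intended, drop `cors-allow-credentials`. Note also that recent ingress-nginx releases default `allow-snippet-annotations` to false, so the `configuration-snippet` may silently stop being applied after a controller upgrade.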


@ -0,0 +1,22 @@
#!/bin/sh
set -ue
java \
"-XX:OnOutOfMemoryError=kill %p" -XX:+HeapDumpOnOutOfMemoryError \
-jar /opt/payouter/payouter.jar \
--logging.file=/var/log/payouter/payouter.json \
--logging.config=/opt/payouter/logback.xml \
--management.security.enabled=false \
-Dwoody.node_id=346 \
--service.dominant.url=http://dominant:8022/v1/domain/repository_client \
--service.shumway.url=http://shumway:8022/shumpune \
--kafka.bootstrap-servers=kafka:9092 \
--kafka.topics.invoice.enabled=false \
--kafka.topics.party-management.enabled=false \
--kafka.topics.party-management.concurrency=5 \
--kafka.client-id=payouter \
--kafka.consumer.group-id=payouter-invoicing \
--kafka.consumer.concurrency=5 \
--kafka.consumer.auto-offset-reset=latest \
${@} \
--spring.config.additional-location=/vault/secrets/application.properties
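Review bot: `-Dwoody.node_id=346` sits after `-jar`, so the JVM never sees it as a system property; everything after the jar path is handed to the application as a program argument, and Spring Boot only interprets `--key=value` arguments, so the setting is silently dropped. Move it in front of `-jar`, next to the `-XX` flags. Also, `${@}` should be `"$@"` so that an argument containing whitespace is passed through as a single word instead of being re-split.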


@ -0,0 +1,4 @@
<included>
<logger name="com.rbkmoney" level="INFO"/>
<logger name="com.rbkmoney.woody" level="INFO"/>
</included>


@ -0,0 +1,132 @@
# -*- mode: yaml -*-
replicaCount: 1
image:
repository: docker.io/rbkmoney/payouter
tag: a0e37ad47ee5563008d2af47c58a9f117e941db0
pullPolicy: IfNotPresent
runopts:
command: ["/opt/payouter/entrypoint.sh"]
env:
- name: LOGBACK_SERVICE_NAME
value: "payouter"
configMap:
data:
entrypoint.sh: |
{{- readFile "entrypoint.sh" | nindent 6 }}
loggers.xml: |
{{- readFile "loggers.xml" | nindent 6 }}
logback.xml: |
{{- readFile "../logs/logback.xml" | nindent 6 }}
volumes:
- name: config-volume
configMap:
name: {{ .Release.Name }}
defaultMode: 0755
volumeMounts:
- name: config-volume
mountPath: /opt/payouter/entrypoint.sh
subPath: entrypoint.sh
readOnly: true
- name: config-volume
mountPath: /opt/payouter/logback.xml
subPath: logback.xml
readOnly: true
- name: config-volume
mountPath: /opt/payouter/loggers.xml
subPath: loggers.xml
readOnly: true
service:
ports:
- name: api
port: 8022
- name: management
port: 8023
livenessProbe: null
# httpGet:
# path: /actuator/health
# port: management
readinessProbe: null
# httpGet:
# path: /actuator/health
# port: management
podAnnotations:
vault.hashicorp.com/role: "db-app"
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-inject-secret-application.properties: "database/creds/db-app-payouter"
vault.hashicorp.com/agent-inject-template-application.properties: |
{{`{{- with secret "database/creds/db-app-payouter" -}}
spring.datasource.url=jdbc:postgresql://postgres-postgresql:5432/payouter?sslmode=disable
spring.datasource.username={{ .Data.username }}
spring.datasource.password={{ .Data.password }}
spring.flyway.url=jdbc:postgresql://postgres-postgresql:5432/payouter?sslmode=disable
spring.flyway.user={{ .Data.username }}
spring.flyway.password={{ .Data.password }}
spring.datasource.hikari.data-source-properties.prepareThreshold=0
spring.datasource.hikari.leak-detection-threshold=5300
flyway.url=jdbc:postgresql://postgres-postgresql:5432/payouter?sslmode=disable
flyway.user={{ .Data.username }}
flyway.password={{ .Data.password }}
flyway.schemas=sht
spring.flyway.schemas=sht
{{- end }}`}}
metrics:
serviceMonitor:
enabled: false
namespace: {{ .Release.Namespace }}
additionalLabels:
release: prometheus
endpoints:
- port: "management"
path: /actuator/prometheus
scheme: http
ciliumPolicies:
- filters:
- port: 5432
type: TCP
name: postgres
namespace: {{ .Release.Namespace }}
- filters:
- port: 9092
type: TCP
name: kafka
namespace: {{ .Release.Namespace }}
- filters:
- port: 8022
type: TCP
name: shumway
namespace: {{ .Release.Namespace }}
- filters:
- port: 8022
type: TCP
name: dominant
namespace: {{ .Release.Namespace }}
- filters:
- port: 8200
type: TCP
name: vault
namespace: {{ .Release.Namespace }}
- filters:
- port: 8022
type: TCP
name: hellgate
namespace: {{ .Release.Namespace }}
{{- /*
- filters:
- port: 8022
type: TCP
name: fault-detector
namespace: {{ .Release.Namespace }}
*/ -}}
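Review bot: `livenessProbe: null` and `readinessProbe: null`, with the working `httpGet` probe left commented out, mean the Service will send traffic to this pod before the JVM and Flyway have finished starting, and Kubernetes will never restart a hung process; the chart already defines the `management` port on 8023, so the commented `/actuator/health` probe can be restored as the questionary chart in this change does. Minor: the Vault template sets both `flyway.*` and `spring.flyway.*` with identical values; unless the application reads the unprefixed `flyway.*` keys itself, Spring Boot 2 only honours `spring.flyway.*`, so the duplicates can go.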


@ -8,6 +8,22 @@ initdbScripts:
CREATE DATABASE keycloak;
CREATE DATABASE shumway;
CREATE DATABASE hooker;
CREATE DATABASE analytics;
CREATE DATABASE questionary;
CREATE DATABASE magista;
CREATE DATABASE claimmng;
CREATE role messages WITH CREATEDB CREATEROLE;
CREATE DATABASE messages with owner messages;
\connect messages;
Create schema if not exists messages.msgs AUTHORIZATION messages;
#GRANT CREATE ON DATABASE messages TO "messages";
#GRANT ALL ON schema msgs TO "messages";
#GRANT ALL ON ALL TABLES IN SCHEMA msgs TO "messages";
#GRANT ALL ON ALL SEQUENCES IN SCHEMA msgs TO "messages";
CREATE DATABASE payouter;
CREATE DATABASE reporter;
CREATE DATABASE "fistful-magista";
CREATE DATABASE fraudbusters;
#TODO: If bump version, change master to primary
master:
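Review bot: the four `#GRANT ...` lines are inside the `initdbScripts` SQL block, and `#` is not a comment introducer in SQL or psql, so each produces a syntax error when the init script runs (the following statements still execute unless psql runs with `ON_ERROR_STOP`, so the failures are easy to miss). Use `--` for SQL comments or delete them. Also, `CREATE role messages WITH CREATEDB CREATEROLE` hands an application-facing role the right to create further roles, which on PostgreSQL before 16 is close to superuser in practice (a CREATEROLE role can grant itself membership in any non-superuser role); the Vault role for messages only needs `IN ROLE messages` to inherit ownership of the `msgs` schema, so `CREATEDB CREATEROLE` can be dropped.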


@ -0,0 +1,18 @@
#!/bin/sh
set -ue
java \
"-XX:OnOutOfMemoryError=kill %p" -XX:+HeapDumpOnOutOfMemoryError \
-jar \
/opt/questionary-aggr-proxy/questionary-aggr-proxy.jar \
--logging.config=/opt/questionary-aggr-proxy/logback.xml \
--management.security.flag=false \
--management.metrics.export.statsd.flavor=etsy \
--management.metrics.export.statsd.enabled=true \
--management.metrics.export.prometheus.enabled=true \
--management.endpoint.health.show-details=always \
--management.endpoint.metrics.enabled=true \
--management.endpoint.prometheus.enabled=true \
--management.endpoints.web.exposure.include=health,info,prometheus \
--logging.level.com.rbkmoney.woody.api.proxy.MethodCallInterceptors=DEBUG \
--logging.level.com.rbkmoney.woody.thrift.impl.http.interceptor.ext.TransportExtensionBundles=DEBUG \
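Review bot: the last line of the `java` command ends with a continuation backslash and nothing follows it, and unlike the other entrypoints in this change there is no `"$@"`, so arguments the chart passes via `runopts` never reach the application and the trailing `\` will swallow whatever line gets added next. End the command with `"$@"`. Also, the two `--logging.level...=DEBUG` settings enable debug output for the Woody transport interceptors, which typically includes per-call transport details; that is fine on a dev cluster but should not follow this chart into an environment whose logs are shipped off-cluster.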


@ -0,0 +1,4 @@
<included>
<logger name="com.rbkmoney" level="INFO"/>
<logger name="com.rbkmoney.woody" level="INFO"/>
</included>


@ -0,0 +1,68 @@
# -*- mode: yaml -*-
replicaCount: 1
image:
repository: docker.io/rbkmoney/questionary-aggr-proxy
tag: 78b6d2f972a9f175ff075a3d9809439c190548d1
pullPolicy: IfNotPresent
runopts:
command: ["/opt/questionary-aggr-proxy/entrypoint.sh"]
configMap:
data:
entrypoint.sh: |
{{- readFile "entrypoint.sh" | nindent 6 }}
loggers.xml: |
{{- readFile "loggers.xml" | nindent 6 }}
logback.xml: |
{{- readFile "../logs/logback.xml" | nindent 6 }}
volumes:
- name: config-volume
configMap:
name: {{ .Release.Name }}
defaultMode: 0755
volumeMounts:
- name: config-volume
mountPath: /opt/questionary-aggr-proxy/entrypoint.sh
subPath: entrypoint.sh
readOnly: true
- name: config-volume
mountPath: /opt/questionary-aggr-proxy/logback.xml
subPath: logback.xml
readOnly: true
- name: config-volume
mountPath: /opt/questionary-aggr-proxy/loggers.xml
subPath: loggers.xml
readOnly: true
service:
ports:
- name: api
port: 8022
- name: management
port: 8023
livenessProbe:
httpGet:
path: /actuator/health
port: management
readinessProbe:
httpGet:
path: /actuator/health
port: management
metrics:
serviceMonitor:
enabled: false
namespace: {{ .Release.Namespace }}
additionalLabels:
release: prometheus
endpoints:
- port: "management"
path: /actuator/prometheus
scheme: http


@ -0,0 +1,25 @@
#!/bin/sh
set -ue
java \
"-XX:OnOutOfMemoryError=kill %p" -XX:+HeapDumpOnOutOfMemoryError \
-jar \
/opt/questionary/questionary.jar \
--logging.config=/opt/questionary/logback.xml \
--management.security.flag=false \
--management.metrics.export.statsd.flavor=etsy \
--management.metrics.export.statsd.enabled=true \
--management.metrics.export.prometheus.enabled=true \
--management.endpoint.health.show-details=always \
--management.endpoint.metrics.enabled=true \
--management.endpoint.prometheus.enabled=true \
--management.endpoints.web.exposure.include=health,info,prometheus \
--spring.datasource.hikari.data-source-properties.prepareThreshold=0 \
--spring.datasource.hikari.leak-detection-threshold=5300 \
--spring.datasource.hikari.max-lifetime=300000 \
--spring.datasource.hikari.idle-timeout=30000 \
--spring.datasource.hikari.minimum-idle=2 \
--spring.datasource.hikari.maximum-pool-size=20 \
${@} \
--spring.config.additional-location=/vault/secrets/application.properties \
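Review bot: the final `--spring.config.additional-location=...` line ends with a trailing `\`, so the command continues onto the empty line that follows; `sh` accepts that, but any line appended to the file later becomes part of the `java` invocation, and a dangling continuation is a classic source of "unrecognized option" failures. Drop the backslash, and quote `${@}` as `"$@"` as in the other entrypoints.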


@ -0,0 +1,4 @@
<included>
<logger name="com.rbkmoney" level="INFO"/>
<logger name="com.rbkmoney.woody" level="INFO"/>
</included>


@ -0,0 +1,97 @@
# -*- mode: yaml -*-
replicaCount: 1
image:
repository: docker.io/rbkmoney/questionary
tag: 954dbc039eb011f32d6edf661d874eca9cea9c77
pullPolicy: IfNotPresent
runopts:
command: ["/opt/questionary/entrypoint.sh"]
configMap:
data:
entrypoint.sh: |
{{- readFile "entrypoint.sh" | nindent 6 }}
loggers.xml: |
{{- readFile "loggers.xml" | nindent 6 }}
logback.xml: |
{{- readFile "../logs/logback.xml" | nindent 6 }}
volumes:
- name: config-volume
configMap:
name: {{ .Release.Name }}
defaultMode: 0755
volumeMounts:
- name: config-volume
mountPath: /opt/questionary/entrypoint.sh
subPath: entrypoint.sh
readOnly: true
- name: config-volume
mountPath: /opt/questionary/logback.xml
subPath: logback.xml
readOnly: true
- name: config-volume
mountPath: /opt/questionary/loggers.xml
subPath: loggers.xml
readOnly: true
service:
ports:
- name: api
port: 8022
- name: management
port: 8023
livenessProbe:
httpGet:
path: /actuator/health
port: management
readinessProbe:
httpGet:
path: /actuator/health
port: management
podAnnotations:
vault.hashicorp.com/role: "db-app"
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-inject-secret-application.properties: "database/creds/db-app-questionary"
vault.hashicorp.com/agent-inject-template-application.properties: |
{{`{{- with secret "database/creds/db-app-questionary" -}}
spring.datasource.url=jdbc:postgresql://postgres-postgresql:5432/questionary?sslmode=disable
spring.datasource.username={{ .Data.username }}
spring.datasource.password={{ .Data.password }}
spring.flyway.url=jdbc:postgresql://postgres-postgresql:5432/questionary?sslmode=disable
spring.flyway.user={{ .Data.username }}
spring.flyway.password={{ .Data.password }}
spring.flyway.schemas=qs
flyway.schemas=qs
postgres.db.schema=qs
{{- end }}`}}
metrics:
serviceMonitor:
enabled: false
namespace: {{ .Release.Namespace }}
additionalLabels:
release: prometheus
endpoints:
- port: "management"
path: /actuator/prometheus
scheme: http
ciliumPolicies:
- filters:
- port: 5432
type: TCP
name: postgres
namespace: {{ .Release.Namespace }}
- filters:
- port: 8200
type: TCP
name: vault
namespace: {{ .Release.Namespace }}
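Review bot: the injected `application.properties` holds the dynamic database password, and with only `agent-inject-secret-application.properties` set the Vault agent writes it to `/vault/secrets/` with its default file mode (0644); if anything other than the application container ever shares this pod, set `vault.hashicorp.com/agent-inject-perms-application.properties` to a tighter mode. The two JDBC URLs use `sslmode=disable` for the in-cluster Postgres; if that is a deliberate choice because Cilium policy (the `postgres:5432` filter below) is the control, a one-line comment in the template will stop the next reader from "fixing" it.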


@ -38,6 +38,26 @@ fi
# Use ping to discover our HOSTNAME because it's easier and more reliable than other methods
export HOST=${NODENAME:-$(hostname -s).riak-headless}
export HOSTIP=$(ping -c1 $HOST | awk '/^PING/ {print $3}' | sed -r 's/\((.*)\):/\1/g')
# Add vm.args
cat<< END > /etc/riak/vm.args
+sbwt none
+scl false
+sfwi 500
+P 256000
+e 256000
-env ERL_CRASH_DUMP /var/log/riak/erl_crash.dump
-env ERL_FULLSWEEP_AFTER 0
+Q 262144
+A 64
-setcookie riak
-name $CLUSTER_NAME@$HOST
+K true
+W w
-smp enable
+zdbbl 32768
END
# Run all prestart scripts
PRESTART=$(find /etc/riak/prestart.d -name *.sh -print | sort)
for s in $PRESTART; do
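Review bot: the `vm.args` block that moves here from `pre.yaml` drops the `-proto_dist inet6_tcp` line the old block carried; `erl_vm_args.gotmpl` in this same change makes that flag conditional on `.Values.services.global.ipv6only`, and since this file is now rendered with `tpl` (see the riak values change) the same `{{- if .Values.services.global.ipv6only }}` guard can wrap it here so IPv6-only clusters keep working. Separately, `-setcookie riak` is a fixed, guessable Erlang cookie shared by every deployment of this chart; templating it from a per-release value or a Secret limits who can join the distribution cluster to nodes that were given the cookie.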


@ -10,25 +10,6 @@ mdc.cluster_manager = $HOSTIP:9080
handoff.ip = $HOSTIP
END
rm /etc/riak/advanced.config
cat<< END > /etc/riak/vm.args
+scl false
+sfwi 500
+P 256000
+e 256000
-env ERL_CRASH_DUMP /var/log/riak/erl_crash.dump
-env ERL_FULLSWEEP_AFTER 0
+Q 262144
+A 64
-setcookie riak
-name $CLUSTER_NAME@$HOST
+K true
+W w
-smp enable
+zdbbl 32768
-proto_dist inet6_tcp
END
# Maybe add user config items
if [ -s $USER_CONF ]; then
cat $USER_CONF >>$RIAK_CONF


@ -11,7 +11,7 @@ configMap:
user.conf: |
{{- readFile "user.yaml" | nindent 6 }}
riak-cluster.sh: |
{{- readFile "cm.yaml" | nindent 6 }}
{{- tpl (readFile "cm.yaml.gotmpl") . | nindent 6 }}
00-update-riak-conf.sh: |
{{- readFile "pre.yaml" | nindent 6 }}


@ -6,6 +6,15 @@ java \
-jar \
/opt/shumway/shumway.jar \
--logging.config=/opt/shumway/logback.xml \
--spring.flyway.table=schema_version \
--management.security.flag=false \
--management.metrics.export.statsd.flavor=etsy \
--management.metrics.export.statsd.enabled=true \
--management.metrics.export.prometheus.enabled=true \
--management.endpoint.health.show-details=always \
--management.endpoint.metrics.enabled=true \
--management.endpoint.prometheus.enabled=true \
--management.endpoints.web.exposure.include=health,info,prometheus \
--spring.datasource.hikari.data-source-properties.prepareThreshold=0 \
--spring.datasource.hikari.leak-detection-threshold=5300 \
--spring.datasource.hikari.max-lifetime=300000 \
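Review bot: `--management.security.flag=false` does not correspond to any Spring Boot actuator property I know of (`management.security.enabled` existed in Boot 1.x and was removed in 2.0), so it is a no-op; the same line appears in the questionary and questionary-aggr-proxy entrypoints. Unless the service defines that property itself, drop it. With `management.endpoints.web.exposure.include=health,info,prometheus` and `health.show-details=always`, the management port exposes component-level health (datasource, disk) and metrics without authentication, which is acceptable only as long as 8023 stays off any ingress and is reachable solely by the Prometheus scraper.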


@ -69,11 +69,12 @@ podAnnotations:
spring.flyway.url=jdbc:postgresql://postgres-postgresql:5432/shumway?sslmode=disable
spring.flyway.user={{ .Data.username }}
spring.flyway.password={{ .Data.password }}
spring.flyway.schemas=shm
{{- end }}`}}
metrics:
serviceMonitor:
enabled: true
enabled: false
namespace: {{ .Release.Namespace }}
additionalLabels:
release: prometheus


@ -10,11 +10,13 @@
ip => "::",
port => 8080,
authorizer => #{
keyset => #{}
keyset => #{
keycloak => {pem_file, "/var/lib/shortener/keys/keycloak/keycloak.pubkey.pem"}
}
},
short_url_template => #{
scheme => https,
netloc => "rbk.mn",
netloc => "shrt.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}",
path => "/"
},
source_url_whitelist => [


@ -10,11 +10,16 @@ image:
configMap:
data:
sys.config: |
{{- readFile "sys.config" | nindent 6 }}
{{- tpl (readFile "sys.config.gotmpl") . | nindent 6 }}
erl_inetrc: |
{{- readFile "../vm/erl_inetrc" | nindent 6 }}
{{- tpl (readFile "../vm/erl_inetrc.gotmpl") . | nindent 6 }}
vm.args: |
{{- tpl (readFile "../vm/erl_vm_args.gotmpl") . | nindent 6 }}
fetchKeycloakPubkey: |
{{- readFile "../api-common/fetch-keycloak-pubkey.sh" | nindent 6 }}
apiInitContainers:
enabled: true
volumeMounts:
- name: config-volume
@ -29,19 +34,58 @@ volumeMounts:
mountPath: /opt/shortener/erl_inetrc
subPath: erl_inetrc
readOnly: true
- name: keycloak-pubkey
mountPath: /var/lib/shortener/keys/keycloak
readOnly: true
volumes:
- name: config-volume
configMap:
name: {{ .Release.Name }}
defaultMode: 0755
- name: keycloak-pubkey
emptyDir: {}
metrics:
serviceMonitor:
enabled: true
enabled: false
namespace: {{ .Release.Namespace }}
additionalLabels:
release: prometheus
service:
type: ClusterIP
ports:
- name: api
port: 8080
- name: internal
port: 8022
ingress:
enabled: true
annotations:
{{- if .Values.services.ingress.tls.letsEncrypt.enabled }}
cert-manager.io/cluster-issuer: {{ .Values.services.ingress.tls.letsEncrypt.issuer }}
{{- end }}
nginx.ingress.kubernetes.io/cors-allow-headers: "DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization,X-Request-ID"
kubernetes.io/ingress.class: {{ .Values.services.ingress.class | quote }}
nginx.ingress.kubernetes.io/enable-cors: "false"
hosts:
- host: shrt.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}
paths:
- /
{{- if .Values.services.ingress.tls.enabled }}
tls:
{{ if .Values.services.ingress.tls.letsEncrypt.enabled }}
- secretName: {{ .Release.Name }}-{{ .Values.services.ingress.tls.secretName }}
{{- else }}
- secretName: {{ .Values.services.ingress.tls.secretName }}
{{- end }}
hosts:
- shrt.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}
{{- end }}
servicePort: 8080
ciliumPolicies:
- filters:
- port: 8022
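Review bot: `nginx.ingress.kubernetes.io/enable-cors: "false"` turns the `cors-allow-headers` annotation two lines above it into dead configuration (ingress-nginx only emits CORS headers when `enable-cors` is true); keep one or the other so nobody later assumes CORS is on for `shrt.<rootDomain>`. The `keycloak-pubkey` `emptyDir` filled by the init container is the right shape for a fetched public key, and its mount path matches the `pem_file` path in the new `sys.config.gotmpl`.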


@ -1,7 +1,7 @@
configMap:
data:
init.vault.sh: |
sleep 2
sleep 5
vault secrets enable database
vault write database/config/shumway \
plugin_name=postgresql-database-plugin \
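Review bot: raising `sleep 2` to `sleep 5` only widens the race with Vault start-up. `vault status` exits 0 once Vault is initialised and unsealed (2 while sealed, 1 on error), so `until vault status >/dev/null 2>&1; do sleep 1; done` before the first `vault secrets enable` makes this init script deterministic instead of timing-dependent.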
@ -11,14 +11,15 @@ configMap:
password="H@ckM3"
vault write database/roles/db-app-shumway \
db_name=shumway \
creation_statements="CREATE SCHEMA IF NOT EXISTS shm;
creation_statements="Create schema if not exists shm;
CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';
GRANT CREATE ON DATABASE shumway TO \"{{name}}\";
GRANT ALL ON SCHEMA shm TO \"{{name}}\";
GRANT ALL ON schema shm TO \"{{name}}\";
GRANT ALL ON ALL TABLES IN SCHEMA shm TO \"{{name}}\";
GRANT ALL ON ALL SEQUENCES IN SCHEMA shm TO \"{{name}}\";" \
default_ttl="1h" \
max_ttl="240h"
vault write database/config/hooker \
plugin_name=postgresql-database-plugin \
allowed_roles="*" \
@ -27,15 +28,164 @@ configMap:
password="H@ckM3"
vault write database/roles/db-app-hooker \
db_name=hooker \
creation_statements="CREATE SCHEMA IF NOT EXISTS hook;
creation_statements="Create schema if not exists hook;
CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';
GRANT CREATE ON DATABASE hooker TO \"{{name}}\";
GRANT ALL ON SCHEMA hook TO \"{{name}}\";
GRANT ALL ON schema hook TO \"{{name}}\";
GRANT ALL ON ALL TABLES IN SCHEMA hook TO \"{{name}}\";
GRANT ALL ON ALL SEQUENCES IN SCHEMA hook TO \"{{name}}\";" \
default_ttl="1h" \
max_ttl="240h"
vault write database/config/messages \
plugin_name=postgresql-database-plugin \
allowed_roles="*" \
connection_url="postgresql://{{username}}:{{password}}@postgres-postgresql:5432/messages?sslmode=disable" \
username="postgres" \
password="H@ckM3"
vault write database/roles/db-app-messages \
db_name=messages \
creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' IN ROLE messages VALID UNTIL '{{expiration}}';" \
default_ttl="1h" \
max_ttl="240h"
vault write database/config/payouter \
plugin_name=postgresql-database-plugin \
allowed_roles="*" \
connection_url="postgresql://{{username}}:{{password}}@postgres-postgresql:5432/payouter?sslmode=disable" \
username="postgres" \
password="H@ckM3"
vault write database/roles/db-app-payouter \
db_name=payouter \
creation_statements="CREATE SCHEMA IF NOT EXISTS sht;
CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';
GRANT CREATE ON DATABASE payouter TO \"{{name}}\";
GRANT ALL ON SCHEMA sht TO \"{{name}}\";
GRANT ALL ON ALL TABLES IN SCHEMA sht TO \"{{name}}\";
GRANT ALL ON ALL SEQUENCES IN SCHEMA sht TO \"{{name}}\";" \
default_ttl="1h" \
max_ttl="240h"
vault write database/config/magista \
plugin_name=postgresql-database-plugin \
allowed_roles="*" \
connection_url="postgresql://{{username}}:{{password}}@postgres-postgresql:5432/magista?sslmode=disable" \
username="postgres" \
password="H@ckM3"
vault write database/roles/db-app-magista \
db_name=magista \
creation_statements="CREATE SCHEMA IF NOT EXISTS mst;
CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';
GRANT CREATE ON DATABASE magista TO \"{{name}}\";
GRANT ALL ON SCHEMA mst TO \"{{name}}\";
GRANT ALL ON ALL TABLES IN SCHEMA mst TO \"{{name}}\";
GRANT ALL ON ALL SEQUENCES IN SCHEMA mst TO \"{{name}}\";" \
default_ttl="1h" \
max_ttl="240h"
vault write database/config/analytics \
plugin_name=postgresql-database-plugin \
allowed_roles="*" \
connection_url="postgresql://{{username}}:{{password}}@postgres-postgresql:5432/analytics?sslmode=disable" \
username="postgres" \
password="H@ckM3"
vault write database/roles/db-app-analytics \
db_name=analytics \
creation_statements="CREATE SCHEMA IF NOT EXISTS analytics;
CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';
GRANT CREATE ON DATABASE analytics TO \"{{name}}\";
GRANT ALL ON SCHEMA analytics TO \"{{name}}\";
GRANT ALL ON ALL TABLES IN SCHEMA analytics TO \"{{name}}\";
GRANT ALL ON ALL SEQUENCES IN SCHEMA analytics TO \"{{name}}\";" \
default_ttl="1h" \
max_ttl="240h"
vault write database/config/claim-management \
plugin_name=postgresql-database-plugin \
allowed_roles="*" \
connection_url="postgresql://{{username}}:{{password}}@postgres-postgresql:5432/claimmng?sslmode=disable" \
username="postgres" \
password="H@ckM3"
vault write database/roles/db-app-claim-management \
db_name=claim-management \
creation_statements="CREATE SCHEMA IF NOT EXISTS cm;
CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';
GRANT CREATE ON DATABASE claimmng TO \"{{name}}\";
GRANT ALL ON SCHEMA cm TO \"{{name}}\";
GRANT ALL ON ALL TABLES IN SCHEMA cm TO \"{{name}}\";
GRANT ALL ON ALL SEQUENCES IN SCHEMA cm TO \"{{name}}\";" \
default_ttl="1h" \
max_ttl="240h"
vault write database/config/questionary \
plugin_name=postgresql-database-plugin \
allowed_roles="*" \
connection_url="postgresql://{{username}}:{{password}}@postgres-postgresql:5432/questionary?sslmode=disable" \
username="postgres" \
password="H@ckM3"
vault write database/roles/db-app-questionary \
db_name=questionary \
creation_statements="CREATE SCHEMA IF NOT EXISTS qs;
CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';
GRANT CREATE ON DATABASE questionary TO \"{{name}}\";
GRANT ALL ON SCHEMA qs TO \"{{name}}\";
GRANT ALL ON ALL TABLES IN SCHEMA qs TO \"{{name}}\";
GRANT ALL ON ALL SEQUENCES IN SCHEMA qs TO \"{{name}}\";" \
default_ttl="1h" \
max_ttl="240h"
vault write database/config/reporter \
plugin_name=postgresql-database-plugin \
allowed_roles="*" \
connection_url="postgresql://{{username}}:{{password}}@postgres-postgresql:5432/reporter?sslmode=disable" \
username="postgres" \
password="H@ckM3"
vault write database/roles/db-app-reporter \
db_name=reporter \
creation_statements="CREATE SCHEMA IF NOT EXISTS rpt;
CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';
GRANT CREATE ON DATABASE reporter TO \"{{name}}\";
GRANT ALL ON SCHEMA rpt TO \"{{name}}\";
GRANT ALL ON ALL TABLES IN SCHEMA rpt TO \"{{name}}\";
GRANT ALL ON ALL SEQUENCES IN SCHEMA rpt TO \"{{name}}\";" \
default_ttl="1h" \
max_ttl="240h"
vault write database/config/fistful-magista \
plugin_name=postgresql-database-plugin \
allowed_roles="*" \
connection_url="postgresql://{{username}}:{{password}}@postgres-postgresql:5432/fistful-magista?sslmode=disable" \
username="postgres" \
password="H@ckM3"
vault write database/roles/db-app-fistful-magista \
db_name=fistful-magista \
creation_statements="CREATE SCHEMA IF NOT EXISTS mst;
CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';
GRANT CREATE ON DATABASE \"fistful-magista\" TO \"{{name}}\";
GRANT ALL ON SCHEMA mst TO \"{{name}}\";
GRANT ALL ON ALL TABLES IN SCHEMA mst TO \"{{name}}\";
GRANT ALL ON ALL SEQUENCES IN SCHEMA mst TO \"{{name}}\";" \
default_ttl="1h" \
max_ttl="240h"
vault write database/config/fbmgmt \
plugin_name=postgresql-database-plugin \
allowed_roles="*" \
connection_url="postgresql://{{username}}:{{password}}@postgres-postgresql:5432/fraudbusters?sslmode=disable" \
username="postgres" \
password="H@ckM3"
vault write database/roles/db-app-fbmgmt \
db_name=fbmgmt \
creation_statements="CREATE SCHEMA IF NOT EXISTS af;
CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';
GRANT CREATE ON DATABASE fraudbusters TO \"{{name}}\";
GRANT ALL ON SCHEMA af TO \"{{name}}\";
GRANT ALL ON ALL TABLES IN SCHEMA af TO \"{{name}}\";
GRANT ALL ON ALL SEQUENCES IN SCHEMA af TO \"{{name}}\";" \
default_ttl="1h" \
max_ttl="240h"
vault auth enable kubernetes
vault write auth/kubernetes/config \
token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
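Review bot: every `database/config/*` entry in this block embeds the PostgreSQL superuser credentials (`username="postgres"`, `password="H@ckM3"`) in a ConfigMap, and `allowed_roles="*"` lets any role in the database mount issue credentials against any of these connections. Two changes keep the dynamic-secrets model honest: scope each config to its own role (`allowed_roles="db-app-payouter"` and so on), and follow each `vault write database/config/<name>` with `vault write -f database/rotate-root/<name>` so that Vault replaces the bootstrap password with one nobody else holds; the static password then only has to exist until the init job has run. The `creation_statements` also grant `CREATE ON DATABASE` to every dynamic role, which is more than a schema-scoped application user needs once the schema exists.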
@ -56,3 +206,33 @@ configMap:
path "database/creds/db-app-hooker" {
capabilities = ["read"]
}
path "database/creds/db-app-fbmgmt" {
capabilities = ["read"]
}
path "database/creds/db-app-analytics" {
capabilities = ["read"]
}
path "database/creds/db-app-fistful-magista" {
capabilities = ["read"]
}
path "database/creds/db-app-questionary" {
capabilities = ["read"]
}
path "database/creds/db-app-claim-management" {
capabilities = ["read"]
}
path "database/creds/db-app-magista" {
capabilities = ["read"]
}
path "database/creds/db-app-payouter" {
capabilities = ["read"]
}
path "database/creds/db-app-messages" {
capabilities = ["read"]
}
path "database/creds/db-app-reporter" {
capabilities = ["read"]
}
first_init_and_unseal.sh: |
vault operator init | tee -a /tmp/key
cat /tmp/key | grep -e "Unseal.*:.*$" | cut -d " " -f 4 | xargs vault operator unseal
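Review bot: this policy now grants `read` on every `database/creds/db-app-*` path to a single policy, and the payouter and questionary values in this change both request `vault.hashicorp.com/role: "db-app"`, so any pod admitted under that one Kubernetes auth role can fetch the credentials of every service's database, not just its own. One auth role and policy per service (a `db-app-payouter` role that reads only `database/creds/db-app-payouter`) keeps a compromised pod's reach to its own schema. In `first_init_and_unseal.sh`, `vault operator init | tee -a /tmp/key` leaves the root token and all unseal keys in a plain file inside the container for the life of the pod; remove the file once the unseal loop has run, or initialise with `-pgp-keys` so the shares are encrypted to operators and never sit on disk in clear.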


@ -34,10 +34,9 @@ server:
name: vault-init
injector:
namespaceSelector:
objectSelector:
matchLabels:
vaultname: {{ .Release.Namespace }}
selector.vaultinject.rbkmoney: {{ .Release.Namespace }}
ciliumPolicies:
- filters:
- port: 5432
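Review bot: replacing `namespaceSelector` with an `objectSelector` on `selector.vaultinject.rbkmoney: <namespace>` means the agent sidecar is injected only into pods that carry that label; the payouter and questionary values in this change add the `vault.hashicorp.com/agent-inject` annotations but no pod labels, so unless the shared chart template stamps this label on every pod, those pods start without the agent and fail on the missing `/vault/secrets/application.properties`. Worth checking on a rendered pod spec before merging.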


@ -1,4 +1,6 @@
{{- if .Values.services.global.ipv6only }}
{inet6 , true }.
{tcp , inet6_tcp}.
{{- end }}
{cache_size, 0 }.


@ -5,3 +5,10 @@
-proto_dist inet6_tcp
{{- end }}
-kernel inetrc '"./erl_inetrc"'
+sbwt none
+sbwtdcpu none
+sbwtdio none
+swt very_low
+swtdcpu very_low
+swtdio very_low


@ -10,7 +10,7 @@ configMap:
sys.config: |
{{- readFile "sys.config" | nindent 6 }}
erl_inetrc: |
{{- readFile "../vm/erl_inetrc" | nindent 6 }}
{{- tpl (readFile "../vm/erl_inetrc.gotmpl") . | nindent 6 }}
fetchKeycloakPubkey: |
{{- readFile "../api-common/fetch-keycloak-pubkey.sh" | nindent 6 }}
vm.args: |
@ -59,6 +59,16 @@ volumes:
ingress:
enabled: true
annotations:
nginx.ingress.kubernetes.io/enable-cors: "true"
{{- if .Values.services.ingress.tls.letsEncrypt.enabled }}
cert-manager.io/cluster-issuer: {{ .Values.services.ingress.tls.letsEncrypt.issuer }}
{{- end }}
kubernetes.io/ingress.class: "nginx"
nginx.ingress.kubernetes.io/cors-allow-methods: "PUT, GET, POST, OPTIONS"
nginx.ingress.kubernetes.io/cors-allow-credentials: "true"
nginx.ingress.kubernetes.io/configuration-snippet: |
more_set_headers "Access-Control-Allow-Origin: $http_origin";
hosts:
- host: api.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}
paths:
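Review bot: `kubernetes.io/ingress.class: "nginx"` is hard-coded here (and in the wapi ingress below) while every other ingress in this change reads `.Values.services.ingress.class | quote`; on a cluster whose class is anything else, these two Ingress objects are picked up by a different controller or by none. The CORS annotations repeat the credentials-plus-reflected-`$http_origin` pattern of the checkout ingress, and `api.<rootDomain>` is the host that receives `Authorization` headers, so it matters more here: `cors-allow-origin` listing the real front-end origins is the fix.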
@ -66,7 +76,11 @@ ingress:
- /payres/v0
{{- if .Values.services.ingress.tls.enabled }}
tls:
{{ if .Values.services.ingress.tls.letsEncrypt.enabled }}
- secretName: {{ .Release.Name }}-{{ .Values.services.ingress.tls.secretName }}
{{- else }}
- secretName: {{ .Values.services.ingress.tls.secretName }}
{{- end }}
hosts:
- api.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}
{{- end }}


@ -10,7 +10,7 @@ configMap:
sys.config: |
{{- readFile "sys.config" | nindent 6 }}
erl_inetrc: |
{{- readFile "../vm/erl_inetrc" | nindent 6 }}
{{- tpl (readFile "../vm/erl_inetrc.gotmpl") . | nindent 6 }}
fetchKeycloakPubkey: |
{{- readFile "../api-common/fetch-keycloak-pubkey.sh" | nindent 6 }}
oopsBody1: |
@ -86,13 +86,27 @@ readinessProbe:
ingress:
enabled: true
annotations:
nginx.ingress.kubernetes.io/enable-cors: "true"
{{- if .Values.services.ingress.tls.letsEncrypt.enabled }}
cert-manager.io/cluster-issuer: {{ .Values.services.ingress.tls.letsEncrypt.issuer }}
{{- end }}
kubernetes.io/ingress.class: "nginx"
nginx.ingress.kubernetes.io/cors-allow-methods: "PUT, GET, POST, OPTIONS"
nginx.ingress.kubernetes.io/cors-allow-credentials: "true"
nginx.ingress.kubernetes.io/configuration-snippet: |
more_set_headers "Access-Control-Allow-Origin: $http_origin";
hosts:
- host: api.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}
paths:
- /wapi
{{- if .Values.services.ingress.tls.enabled }}
tls:
tls:
{{ if .Values.services.ingress.tls.letsEncrypt.enabled }}
- secretName: {{ .Release.Name }}-{{ .Values.services.ingress.tls.secretName }}
{{- else }}
- secretName: {{ .Values.services.ingress.tls.secretName }}
{{- end }}
hosts:
- api.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}
{{- end }}


@ -0,0 +1,16 @@
#!/bin/sh
set -ue
java \
"-XX:OnOutOfMemoryError=kill %p" -XX:+HeapDumpOnOutOfMemoryError \
-jar \
/opt/wb-list-manager/wb-list-manager.jar \
--logging.config=/opt/wb-list-manager/logback.xml \
--logging.file=/var/log/wb-list-manager/wb-list-manager.json \
--management.security.enabled=false \
--riak.address=riak \
--riak.port=8087 \
--kafka.bootstrap.servers=kafka:9092 \
--management.metrics.export.statsd.enabled=false \
${@}


@ -0,0 +1,4 @@
<included>
<logger name="com.rbkmoney" level="INFO"/>
<logger name="com.rbkmoney.woody" level="INFO"/>
</included>


@ -0,0 +1,79 @@
# -*- mode: yaml -*-
replicaCount: 1
image:
repository: docker.io/rbkmoney/wb-list-manager
tag: dc7f451945194441357177fd3153ac82a0333eac
pullPolicy: IfNotPresent
runopts:
command: ["/opt/wb-list-manager/entrypoint.sh"]
configMap:
data:
entrypoint.sh: |
{{- readFile "entrypoint.sh" | nindent 6 }}
loggers.xml: |
{{- readFile "loggers.xml" | nindent 6 }}
logback.xml: |
{{- readFile "../logs/logback.xml" | nindent 6 }}
volumes:
- name: config-volume
configMap:
name: {{ .Release.Name }}
defaultMode: 0755
volumeMounts:
- name: config-volume
mountPath: /opt/wb-list-manager/entrypoint.sh
subPath: entrypoint.sh
readOnly: true
- name: config-volume
mountPath: /opt/wb-list-manager/logback.xml
subPath: logback.xml
readOnly: true
- name: config-volume
mountPath: /opt/wb-list-manager/loggers.xml
subPath: loggers.xml
readOnly: true
service:
ports:
- name: api
port: 8022
livenessProbe:
httpGet:
path: /actuator/health
port: api
readinessProbe:
httpGet:
path: /actuator/health
port: api
metrics:
serviceMonitor:
enabled: false
namespace: {{ .Release.Namespace }}
additionalLabels:
release: prometheus
endpoints:
- port: "management"
path: /actuator/prometheus
scheme: http
ciliumPolicies:
- filters:
- port: 5432
type: TCP
name: postgres
namespace: {{ .Release.Namespace }}
- filters:
- port: 8200
type: TCP
name: vault
namespace: {{ .Release.Namespace }}
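Review bot: the `serviceMonitor` endpoint references `port: "management"`, but `service.ports` in this file defines only `api` (8022); the monitor is disabled today, so nothing breaks, but enabling it later yields a ServiceMonitor that scrapes nothing. Add the `management` port (8023, as in the sibling charts) or point the endpoint at `api`. Likewise the `ciliumPolicies` allow only `postgres:5432` and `vault:8200`, whereas the entrypoint configures `riak:8087` and `kafka:9092` and no datasource or Vault injection at all; if these policies are the pod's egress allow-list, the service cannot reach its real dependencies, and if they are copied from another chart they should be replaced rather than left as a misleading statement of what the pod talks to.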


@ -0,0 +1,7 @@
{
{{- if .Values.services.ingress.tls.enabled }}
"papiEndpoint": "https://idkfa.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}/papi/v1"
{{- else }}
"papiEndpoint": "http://idkfa.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}/papi/v1"
{{- end }}
}


@ -0,0 +1,7 @@
{
"realm": "internal",
"auth-server-url": "https://auth.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}/auth/",
"ssl-required": "external",
"resource": "weezing",
"public-client": true
}
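Review bot: `auth-server-url` is unconditionally `https://auth.<rootDomain>/auth/`, while `appConfig.json.gotmpl` in this same change switches `papiEndpoint` between `http` and `https` on `.Values.services.ingress.tls.enabled`; on a TLS-disabled dev cluster the SPA is served over plain http and then sent to an https Keycloak endpoint that may not be listening. Apply the same `{{- if .Values.services.ingress.tls.enabled }}` conditional here so the two files agree.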


@ -0,0 +1,83 @@
# -*- mode: yaml -*-
replicaCount: 1
image:
repository: docker.io/rbkmoney/weezing
tag: 1423ee2f169b38553ab3f997e1621ef78cbd345d
pullPolicy: IfNotPresent
service:
type: ClusterIP
ports:
- name: http
port: 8080
configMap:
data:
appConfig.json: |
{{- tpl (readFile "appConfig.json.gotmpl") . | nindent 6 }}
authConfig.json: |
{{- tpl (readFile "authConfig.json.gotmpl") . | nindent 6 }}
weezing.conf: |
{{- readFile "vhost.conf" | nindent 6 }}
volumeMounts:
- name: config-volume
mountPath: /usr/share/nginx/html/appConfig.json
subPath: appConfig.json
readOnly: true
- name: config-volume
mountPath: /usr/share/nginx/html/authConfig.json
subPath: authConfig.json
readOnly: true
- name: config-volume
mountPath: /etc/nginx/vhosts.d/weezing.conf
subPath: weezing.conf
readOnly: true
volumes:
- name: config-volume
configMap:
name: {{ .Release.Name }}
livenessProbe:
httpGet:
path: /appConfig.json
port: http
initialDelaySeconds: 30
timeoutSeconds: 3
readinessProbe:
httpGet:
path: /appConfig.json
port: http
initialDelaySeconds: 30
timeoutSeconds: 3
ingress:
enabled: true
annotations:
{{- if .Values.services.ingress.tls.letsEncrypt.enabled }}
cert-manager.io/cluster-issuer: {{ .Values.services.ingress.tls.letsEncrypt.issuer }}
{{- end }}
nginx.ingress.kubernetes.io/cors-allow-headers: "DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization,X-Request-ID"
kubernetes.io/ingress.class: {{ .Values.services.ingress.class | quote }}
nginx.org/mergeable-ingress-type: "minion"
nginx.ingress.kubernetes.io/cors-allow-methods: "PUT, GET, POST, OPTIONS"
nginx.ingress.kubernetes.io/cors-allow-credentials: "true"
nginx.ingress.kubernetes.io/configuration-snippet: |
more_set_headers "Access-Control-Allow-Origin: $http_origin";
hosts:
- host: idkfa.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}
paths:
- /
{{- if .Values.services.ingress.tls.enabled }}
tls:
{{ if .Values.services.ingress.tls.letsEncrypt.enabled }}
- secretName: {{ .Release.Name }}-{{ .Values.services.ingress.tls.secretName }}
{{- else }}
- secretName: {{ .Values.services.ingress.tls.secretName }}
{{- end }}
hosts:
- idkfa.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}
{{- end }}
servicePort: 8080

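Review bot: the `configuration-snippet` sets `Access-Control-Allow-Origin: $http_origin` while `cors-allow-credentials` is `"true"`, which reflects every caller's origin back with credentials allowed, so any site a logged-in user visits can make credentialed cross-origin requests to this host; replace the snippet with an explicit `nginx.ingress.kubernetes.io/cors-allow-origin` list of trusted origins (snippet annotations can also be disabled cluster-wide by the controller, which would silently drop this header). Two smaller points: `nginx.org/mergeable-ingress-type` is an NGINX Inc controller annotation while every other annotation here is in the community `nginx.ingress.kubernetes.io/` namespace, so only one controller will honour its set; and the `{{ if ... }}` opening the letsEncrypt branch under `tls:` lacks the `-` trim its `{{- else }}` and `{{- end }}` siblings use, leaving stray whitespace in the rendered list.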
config/weezing/vhost.conf Normal file
@ -0,0 +1,22 @@
server {
listen 8080;
listen [::]:8080;
server_name localhost;
ignore_invalid_headers off;
location / {
root /usr/share/nginx/html;
index index.html index.htm;
try_files $uri $uri/ /index.html =404;
}
location /v1 {
proxy_pass http://dominant:8022;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
}

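Review bot: `location /v1` proxies straight to `dominant:8022` with no auth at the nginx layer, so anyone who can reach `idkfa.<rootDomain>` can call dominant's API unless dominant itself validates the bearer token; confirm that and record it in a comment, since the SPA's Keycloak login protects nothing on this path. `ignore_invalid_headers off;` also deserves a comment naming the non-standard header names it exists to pass through, because it otherwise widens what reaches the upstream.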
