some usefull fixes

2024-11-06 08:55:21 +00:00 · 2020-10-22 23:17:10 +03:00 · 2020-10-22 23:17:10 +03:00 · 650a664ef5
commit 650a664ef5
parent bad3f30b1a
11 changed files with 252 additions and 22 deletions
--- a/config/ingress/pt-cm.yaml
+++ b/config/ingress/pt-cm.yaml
@ -0,0 +1,172 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: ingress-pt-conf
+data:
+  nginx.tmpl: |
+    load_module /opt/ptaf/lib/ngx_wrapper.so;
+    worker_processes  {{.WorkerProcesses}};
+    {{- if .WorkerRlimitNofile}}
+    worker_rlimit_nofile {{.WorkerRlimitNofile}};{{end}}
+    {{- if .WorkerCPUAffinity}}
+    worker_cpu_affinity {{.WorkerCPUAffinity}};{{end}}
+    {{- if .WorkerShutdownTimeout}}
+    worker_shutdown_timeout {{.WorkerShutdownTimeout}};{{end}}
+    daemon off;
+    
+    error_log  /var/log/nginx/error.log {{.ErrorLogLevel}};
+    pid        /var/lib/nginx/nginx.pid;
+    
+    {{- if .OpenTracingLoadModule}}
+    load_module modules/ngx_http_opentracing_module.so;
+    {{- end}}
+    
+    {{- if .MainSnippets}}
+    {{range $value := .MainSnippets}}
+    {{$value}}{{end}}
+    {{- end}}
+    
+    events {
+        worker_connections  {{.WorkerConnections}};
+    }
+    
+    http {
+        ptaf_config tcp://eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiJ9.eyJ0b2tlbl9pZCI6IjRhZTk1OWY1LTQ3N2UtNDZkZi05YzI3LTRkYzI1ZjU2ZjgyYiIsInRlbmFudF9pZCI6ImU4YzUxNGU2LWYyYjEtNDg3YS1hOTdjLTZmZjk4YjRlNTAzNCIsInJvbGVzIjpbImNvcmUiLCJ3c2MtYWdlbnQiXX0.09cHWzhb9nVtJHy3FCE_9USrXUnXmXbf-XdeA9n96ZBDORfnFFaF77SbiABvW-u4e_2_q4Js5_myhUp9bR-hsA@10.126.120.237:8443
+        include       /etc/nginx/mime.types;
+        default_type  application/octet-stream;
+    
+        {{- if .HTTPSnippets}}
+        {{range $value := .HTTPSnippets}}
+        {{$value}}{{end}}
+        {{- end}}
+    
+        {{if .LogFormat -}}
+        log_format  main {{if .LogFormatEscaping}}escape={{ .LogFormatEscaping }} {{end}}
+                         {{range $i, $value := .LogFormat -}}
+                         {{with $value}}'{{if $i}} {{end}}{{$value}}'
+                         {{end}}{{end}};
+        {{- else -}}
+        log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                          '$status $body_bytes_sent "$http_referer" '
+                          '"$http_user_agent" "$http_x_forwarded_for"';
+        {{- end}}
+    
+        {{if .AccessLogOff}}
+        access_log off;
+        {{else}}
+        access_log  /var/log/nginx/access.log  main;
+        {{end}}
+    
+        sendfile        on;
+        #tcp_nopush     on;
+    
+        keepalive_timeout {{.KeepaliveTimeout}};
+        keepalive_requests {{.KeepaliveRequests}};
+    
+        #gzip  on;
+    
+        server_names_hash_max_size {{.ServerNamesHashMaxSize}};
+        {{if .ServerNamesHashBucketSize}}server_names_hash_bucket_size {{.ServerNamesHashBucketSize}};{{end}}
+    
+        variables_hash_bucket_size {{.VariablesHashBucketSize}};
+        variables_hash_max_size {{.VariablesHashMaxSize}};
+    
+        map $http_upgrade $connection_upgrade {
+            default upgrade;
+            ''      close;
+        }
+        map $http_upgrade $vs_connection_header {
+            default upgrade;
+            ''      $default_connection_header;
+        }
+        {{if .SSLProtocols}}ssl_protocols {{.SSLProtocols}};{{end}}
+        {{if .SSLCiphers}}ssl_ciphers "{{.SSLCiphers}}";{{end}}
+        {{if .SSLPreferServerCiphers}}ssl_prefer_server_ciphers on;{{end}}
+        {{if .SSLDHParam}}ssl_dhparam {{.SSLDHParam}};{{end}}
+    
+        {{if .OpenTracingEnabled}}
+        opentracing on;
+        {{end}}
+        {{if .OpenTracingLoadModule}}
+        opentracing_load_tracer {{ .OpenTracingTracer }} /var/lib/nginx/tracer-config.json;
+        {{end}}
+    
+        server {
+            # required to support the Websocket protocol in VirtualServer/VirtualServerRoutes
+            set $default_connection_header "";
+    
+            listen 80 default_server{{if .ProxyProtocol}} proxy_protocol{{end}};
+    
+            listen 443 ssl default_server{{if .HTTP2}} http2{{end}}{{if .ProxyProtocol}} proxy_protocol{{end}};
+    
+            ssl_certificate /etc/nginx/secrets/default;
+            ssl_certificate_key /etc/nginx/secrets/default;
+    
+            server_name _;
+            server_tokens "{{.ServerTokens}}";
+            {{if .DefaultServerAccessLogOff}}
+            access_log off;
+            {{end}}
+    
+            {{if .OpenTracingEnabled}}
+            opentracing off;
+            {{end}}
+    
+            {{if .HealthStatus}}
+            location {{.HealthStatusURI}} {
+                default_type text/plain;
+                return 200 "healthy\n";
+            }
+            {{end}}
+    
+            location / {
+               return 404;
+            }
+        }
+    
+
+    
+        include /etc/nginx/config-version.conf;
+        include /etc/nginx/conf.d/*.conf;
+    
+
+    
+    }
+    
+    stream {
+        {{if .StreamLogFormat -}}
+        log_format  stream-main {{if .StreamLogFormatEscaping}}escape={{ .StreamLogFormatEscaping }} {{end}}
+                                {{range $i, $value := .StreamLogFormat -}}
+                                {{with $value}}'{{if $i}} {{end}}{{$value}}'
+                                {{end}}{{end}};
+        {{- else -}}
+        log_format  stream-main  '$remote_addr [$time_local] '
+                          '$protocol $status $bytes_sent $bytes_received '
+                          '$session_time "$ssl_preread_server_name"';
+        {{- end}}
+    
+        access_log  /var/log/nginx/stream-access.log  stream-main;
+    
+        {{range $value := .StreamSnippets}}
+        {{$value}}{{end}}
+    
+        {{if .TLSPassthrough}}
+        map $ssl_preread_server_name $dest_internal_passthrough  {
+            default unix:/var/lib/nginx/passthrough-https.sock;
+            include /etc/nginx/tls-passthrough-hosts.conf;
+        }
+    
+        server {
+            listen 443;
+    
+            ssl_preread on;
+    
+            proxy_protocol on;
+            proxy_pass $dest_internal_passthrough;
+        }
+        {{end}}
+    
+        include /etc/nginx/stream-conf.d/*.conf;
+    }
+
--- a/config/ingress/values.yaml
+++ b/config/ingress/values.yaml
@ -1,4 +1,30 @@
-ingress:
-  tls:
-    enabled: true
-    secret: default/standoff
+controller:
+  podSecurityContext:
+    fsGroup: 0
+  image:
+    repository: dmitryrbk/ptaf4-ingress
+    tag: "v4.0.4"
+    pullPolicy: IfNotPresent
+  defaultTLS:
+    secret: "default/standoff"
+  wildcardTLS:
+    secret: "default/standoff"
+  serviceAccount:
+    imagePullSecrets:
+      - name: hubkey
+  volumeMounts:
+    - name: config-volume
+      mountPath: /nginx.tmpl
+      subPath: nginx.tmpl
+      readOnly: false
+  volumes:
+    - name: config-volume
+      configMap:
+        name: ingress-pt-conf
+        items:
+          - key: nginx.tmpl
+            path: nginx.tmpl
+  service:
+    externalIPs:
+      - 10.126.120.135
+    externalTrafficPolicy: Cluster
--- a/config/keycloak/values.yaml
+++ b/config/keycloak/values.yaml
@ -39,10 +39,10 @@ ingress:
  enabled: true
  rules:
    -
-      host: 'auth.rbkmoney.standoff.city'
+      host: 'rbkmoney.standoff.city'
      paths: 
        - /
  tls:
    - hosts:
-        - auth.rbkmoney.standoff.city
+        - rbkmoney.standoff.city
      secretName: "default/standoff"
--- a/config/payform/appConfig.json
+++ b/config/payform/appConfig.json
@ -1,7 +1,7 @@
 {
    "applePayMerchantID": "merchant.money.rbk.checkout",
    "brandless": false,
-    "capiEndpoint": "https://api.rbk.money/",
+    "capiEndpoint": "https://api.rbkmoney.standoff.city",
    "fixedTheme": "",
    "googlePayGatewayMerchantID": "rbkmoneycheckout",
    "googlePayMerchantID": "15442243338125315447",
--- a/config/payform/values.yaml
+++ b/config/payform/values.yaml
@ -3,7 +3,9 @@ replicaCount: 1
 ingress:
  enabled: true
  annotations:
-    nginx.ingress.kubernetes.io/rewrite-target: /$2
-    # kubernetes.io/tls-acme: "true"
-  host: rbkmoney.standoff.city
-  path: /web(/|$)(.*)
+    kubernetes.io/ingress.class: nginx
+  host: checkout.rbkmoney.standoff.city
+  path: /
+  tls:
+    enabled: true
+    
--- a/helmfile.yaml
+++ b/helmfile.yaml
@ -28,7 +28,7 @@ templates:
        host: api.rbkmoney.standoff.city
        tls:
          enabled: true
-          secret: default/standoff
+          secret: stand-wild

 helmfiles:
 - # Path to the helmfile state file being processed BEFORE releases in this state file
@ -257,6 +257,7 @@ releases:
 - name: wapi-pcidss-v0
  <<: *default
  <<: *ingress
+  installed: false
  set:
  - name: fetchKeycloakPubkey
    file: config/api-common/fetch-keycloak-pubkey.sh
@ -273,6 +274,7 @@ releases:
 - name: wapi
  <<: *default
  <<: *ingress
+  installed: false
  set:
  - name: fetchKeycloakPubkey
    file: config/api-common/fetch-keycloak-pubkey.sh
@ -292,7 +294,16 @@ releases:
    - default/keycloak
 - name: payform
  <<: *default
-  <<: *ingress
+  values:
+  - ingress:
+      enabled: true
+      annotations:
+        kubernetes.io/ingress.class: nginx
+      host: checkout.rbkmoney.standoff.city
+      path: /
+      tls:
+        enabled: true
+        secret: stand-wild
  set:
  - name: appconfig
    file: config/payform/appConfig.json
--- a/services/capi-pcidss-v1/templates/ingress.yaml
+++ b/services/capi-pcidss-v1/templates/ingress.yaml
@ -1,7 +1,11 @@
 ---
-apiVersion: extensions/v1beta1
+apiVersion: networking.k8s.io/v1beta1
 kind: Ingress
 metadata:
+{{- with .Values.ingress.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+{{- end }}
  name: {{ include "capi-pcidss-v1.fullname" . }}
  labels:
    {{- include "capi-pcidss-v1.labels" . | nindent 4 }}
--- a/services/capi-pcidss-v1/values.yaml
+++ b/services/capi-pcidss-v1/values.yaml
@ -59,4 +59,9 @@ affinity: {}
 ingress:
  host: api.rbk.dev
  path: /v1/processing/payment-resources
-
+  annotations:
+    nginx.ingress.kubernetes.io/enable-cors: "true"
+    nginx.ingress.kubernetes.io/cors-allow-methods: "PUT, GET, POST, OPTIONS"
+    nginx.ingress.kubernetes.io/cors-allow-credentials: "true"
+    nginx.ingress.kubernetes.io/configuration-snippet: |
+       more_set_headers "Access-Control-Allow-Origin: $http_origin";
--- a/services/capi-pcidss-v2/templates/ingress.yaml
+++ b/services/capi-pcidss-v2/templates/ingress.yaml
@ -1,7 +1,11 @@
 ---
-apiVersion: extensions/v1beta1
+apiVersion: networking.k8s.io/v1beta1
 kind: Ingress
 metadata:
+{{- with .Values.ingress.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+{{- end }}  
  name: {{ include "capi-pcidss-v2.fullname" . }}
  labels:
    {{- include "capi-pcidss-v2.labels" . | nindent 4 }}
--- a/services/capi-pcidss-v2/values.yaml
+++ b/services/capi-pcidss-v2/values.yaml
@ -59,4 +59,10 @@ affinity: {}
 ingress:
  host: api.rbk.dev
  path: /v2/processing/payment-resources
-
+  annotations:
+    nginx.ingress.kubernetes.io/enable-cors: "true"
+    nginx.ingress.kubernetes.io/cors-allow-methods: "PUT, GET, POST, OPTIONS"
+    nginx.ingress.kubernetes.io/cors-allow-headers: "DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization,X-Request-ID"
+    nginx.ingress.kubernetes.io/cors-allow-credentials: "true"
+    nginx.ingress.kubernetes.io/configuration-snippet: |
+       more_set_headers "Access-Control-Allow-Origin: $http_origin";
--- a/services/payform/values.yaml
+++ b/services/payform/values.yaml
@ -61,13 +61,13 @@ tolerations: []
 affinity: {}

 ingress:
-  enabled: false
-  annotations: {}
+  # enabled: false
+  # annotations: {}
    # nginx.ingress.kubernetes.io/rewrite-target: /
    # kubernetes.io/tls-acme: "true"
-  host: api.rbk.dev
-  path: /
-  tls: []
+  # host: api.rbk.dev
+  # path: /
+  # tls: []
  #  - secretName: chart-example-tls
  #    hosts:
  #      - chart-example.local