* delete submodule

* stateless

* capi switch to genericchart

* default ports change

* all capi move to generic

* change api port in values of capi

* add command to chart

* ingress port in chart

* right ingress values in capis

* binbase to stateless

* hellgate move

* move holmes

* move hooker

* fix needs

* move shortener

* move payform

* move cds

* more fixes

* hook in chart

* add pvc

* fix pvc template

* move kds

* move shumway

* move machinegun

* delay for mocket

* MG fix

* binbase fix resource

* capi fix volumes path

* prepare config for dominant

* hooks

* move bender

* proxy move

* payform liveness

* needs fix

* fix urls

* add env to chart

* fix machineid matcher

* last move mocket

* ingress bump from deprecation

* mocket url in dominant fix

* move wapi

* add api init to chart

* move wapi-pcidss

* log annotations refactor

* add volumes for hook

* move dominant

* typo fix in vault annotations

* use zookeeper from kafka chart

* zookeeper replicas

* move to github charts from services folder

* bender stateful and consul label

* delete useless folder

* Apply suggestions from code review

Co-authored-by: vilorij <vilorij@ya.ru>

* fix mocket-mpi port

* metrics enable

* delete metrics from service without metrics

* fix indent in values

Co-authored-by: Andrey Fadeev <me@ciiol.net>

* drop empty lines

Co-authored-by: Andrey Fadeev <me@ciiol.net>

* fix comment and bump deps

* riak and bump deps chart

* Add missing services (#159)

* Add anapi

* Add bin-api

* Fix naming

* Fix oopsBody paths

* Update config/anapi/sys.config

Co-authored-by: Andrey Fadeev <me@ciiol.net>

* Update config/anapi/sys.config

Co-authored-by: Andrey Fadeev <me@ciiol.net>

* Update config/binapi/sys.config

Co-authored-by: Andrey Fadeev <me@ciiol.net>

* Update config/binapi/sys.config

Co-authored-by: Andrey Fadeev <me@ciiol.net>

* Use existing binbase for API

Co-authored-by: Andrey Fadeev <me@ciiol.net>

* grafana to refactor (#160)

* grafana to refactor

* clean values

* clean

Co-authored-by: ilya <Ilya Ivanov>

* network policies refactored (#158)

* cilium network policies added

Co-authored-by: vilorij <vilorij@ya.ru>

* Add ability to deploy to not only "default" namespace

* change kafka chart from incubator to bitnami (#164)

* change kafka chart from incubator to bitnami

* road to default

Co-authored-by: ilya <Ilya Ivanov>

* options for disable CNP

* riak fix

* raw chart

* bump deps

* Update config/machinegun/values.yaml.gotmpl

* delete netpolicy

* riak hacks

* bump deps

* another try

* Enable IPv6 for riak

* KK ipv6

* consul switch to native chart

* MG to new consul

* ipv6 for erlang services

* riak adapt to ipv6

* Add inet6 to vm.args

* global value for ipv6-only cluster

* Enable ipv6 for machinegun

* add ipv6 support to keycloak

* vault config for ipv6

* disable dashboard if elk disabled

* bump deps version
add wrapper around elk enabled

* add transactions values

* typo fix in values

* payform ipv6

* typo fix transaction

Co-authored-by: Dmitry Skokov <d.skokov@rbkmoney.com>
Co-authored-by: Pospolita Nikita <nikita7asics@gmail.com>
Co-authored-by: Andrey Fadeev <me@ciiol.net>
Co-authored-by: Sergey Yelin <elinsn@gmail.com>
Co-authored-by: TeadRIM <37904338+TeadRIM@users.noreply.github.com>
Co-authored-by: Ivan Panteleev <amalgamm@users.noreply.github.com>
vilorij 2021-02-19 15:27:50 +03:00 committed by GitHub
parent a16237b954
commit d24b4db65a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
347 changed files with 4048 additions and 14905 deletions

4
.gitmodules vendored
@ -1,4 +0,0 @@
[submodule "config/prometheus/dashboards/src/grafonnet-lib"]
path = config/prometheus/dashboards/src/grafonnet-lib
url = https://github.com/grafana/grafonnet-lib.git
branch = master

@ -1,12 +0,0 @@
{{ if eq (index .Release.Labels "logfmt") "json" }}
podAnnotations:
co.elastic.logs/enabled: "true"
co.elastic.logs/json.keys_under_root: "true"
co.elastic.logs/json.overwrite_keys: "true"
co.elastic.logs/json.add_error_key: "true"
co.elastic.logs/processors.1.decode_json_fields.fields: "log"
co.elastic.logs/processors.1.decode_json_fields.max_depth: "5"
co.elastic.logs/processors.1.decode_json_fields.target: ""
co.elastic.logs/processors.1.decode_json_fields.overwrite_keys: "true"
co.elastic.logs/processors.1.decode_json_fields.add_error_key: "true"
{{ end }}

106
config/anapi/sys.config Normal file
@ -0,0 +1,106 @@
%% -*- mode: erlang -*-
[
{kernel, [
{logger_level, info},
{logger, [
{handler, default, logger_std_h, #{
level => info,
config => #{
type => standard_io,
sync_mode_qlen => 2000,
drop_mode_qlen => 2000,
flush_qlen => 3000
},
filters => [{access_log, {fun logger_filters:domain/2, {stop, equal, [cowboy_access_log]}}}],
formatter => {logger_logstash_formatter, #{}}
}},
{handler, access_logger, logger_std_h, #{
level => info,
config => #{
type => standard_io,
sync_mode_qlen => 2000,
drop_mode_qlen => 2000,
flush_qlen => 3000
},
filters => [{access_log, {fun logger_filters:domain/2, {stop, not_equal, [cowboy_access_log]}}}],
formatter => {logger_logstash_formatter, #{}}
}}
]}
]},
{scoper, [
{storage, scoper_storage_logger}
]},
{anapi, [
{ip, "::"},
{port, 8080},
{service_type, real},
{access_conf, #{
jwt => #{
signee => capi,
keyset => #{
keycloak => {pem_file, "/var/lib/anapi/keys/keycloak/keycloak.pubkey.pem"}
}
},
access => #{
service_name => <<"common-api">>,
resource_hierarchy => #{
invoices => #{},
payments => #{},
party => #{}
}
}
}},
{swagger_handler_opts, #{
validation_opts => #{
schema => #{
response => mild
}
}
}},
{oops_bodies, #{
500 => "/var/lib/anapi/oops-bodies/oopsBody1",
501 => "/var/lib/anapi/oops-bodies/oopsBody1",
502 => "/var/lib/anapi/oops-bodies/oopsBody1",
503 => "/var/lib/anapi/oops-bodies/oopsBody2",
504 => "/var/lib/anapi/oops-bodies/oopsBody2"
}},
{health_check, #{
disk => {erl_health, disk, ["/", 99]},
memory => {erl_health, cg_memory, [70]},
service => {erl_health, service, [<<"anapi">>]}
}},
{max_request_deadline, 60000} % milliseconds
]},
{anapi_woody_client, [
{service_urls, #{
merchant_stat => "http://magista-kafka:8022/stat",
reporting => "http://reporter:8022/reports/new-proto",
analytics => "http://analytics:8022/analytics/v1",
party_shop => "http://party-shop:8022/party-shop/v1"
}},
{service_deadlines, #{
merchant_stat => 30000, % milliseconds
reporting => 30000, % milliseconds
analytics => 30000, % milliseconds
party_shop => 10000 % milliseconds
}}
]},
{how_are_you, [
{metrics_publishers, []}
]},
{os_mon, [
{disksup_posix_only, true}
]},
{snowflake, [{machine_id, hostname_hash}]},
{prometheus, [
{collectors, [default]}
]}
].
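Review bot: the `access_conf` block in this anapi config sets `signee => capi` and `service_name => <<"common-api">>`; please confirm that anapi is meant to accept tokens issued for capi rather than a dedicated anapi signee, and that the `resource_hierarchy` (`invoices`, `payments`, `party`) matches the resources anapi actually exposes, because that is the only scoping this file gives the JWT check. A smaller point: `disk => {erl_health, disk, ["/", 99]}` reports unhealthy only once `/` is 99% full, which leaves no headroom before writes start failing; a lower threshold surfaces pressure earlier.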

@ -0,0 +1,80 @@
# -*- mode: yaml -*-
replicaCount: 1
image:
repository: docker.io/rbkmoney/anapi
tag: 86990bcc3ee81b909240b64d03f2575d5677c6ae
pullPolicy: IfNotPresent
configMap:
data:
sys.config: |
{{- readFile "sys.config" | nindent 6 }}
erl_inetrc: |
{{- readFile "../vm/erl_inetrc" | nindent 6 }}
fetchKeycloakPubkey: |
{{- readFile "../api-common/fetch-keycloak-pubkey.sh" | nindent 6 }}
oopsBody1: |
{{- readFile "../api-common/oops-bodies/sad-kitty1" | nindent 6 }}
oopsBody2: |
{{- readFile "../api-common/oops-bodies/sad-kitty2" | nindent 6 }}
vm.args: |
{{- tpl (readFile "../vm/erl_vm_args.gotmpl") . | nindent 6 }}
apiInitContainers:
enabled: true
volumeMounts:
- name: config-volume
mountPath: /opt/anapi/releases/0.1.0/sys.config
subPath: sys.config
readOnly: true
- name: config-volume
mountPath: /opt/anapi/releases/0.1.0/vm.args
subPath: vm.args
readOnly: true
- name: config-volume
mountPath: /opt/anapi/erl_inetrc
subPath: erl_inetrc
readOnly: true
- name: config-volume
mountPath: /var/lib/anapi/oops-bodies/oopsBody1
subPath: oopsBody1
readOnly: true
- name: config-volume
mountPath: /var/lib/anapi/oops-bodies/oopsBody2
subPath: oopsBody2
readOnly: true
- name: keycloak-pubkey
mountPath: /var/lib/anapi/keys/keycloak
readOnly: true
volumes:
- name: config-volume
configMap:
name: {{ .Release.Name }}
defaultMode: 0755
- name: keycloak-pubkey
emptyDir: {}
service:
type: ClusterIP
ports:
- name: api
port: 8080
metrics:
serviceMonitor:
enabled: true
namespace: monitoring
additionalLabels:
release: prometheus
ingress:
enabled: true
hosts:
- host: api.rbk.dev
paths:
- /lk/v1
servicePort: 8080
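Review bot: this values file declares no `ciliumPolicies`, while the capi, cds and dominant values in the same change each carry an explicit allow-list of peers. anapi's `sys.config` in this change dials `magista-kafka`, `reporter`, `analytics` and `party-shop` on 8022, and the `fetchKeycloakPubkey` init step has to reach keycloak; if the new cilium policies are default-deny those calls are dropped, and if they are not, anapi is the one API left without an allow-list. Either way, add the matching `ciliumPolicies` entries here.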

@ -2,14 +2,50 @@
replicaCount: 1
appConfig: |
{{- readFile "sys.config" | nindent 2 }}
erlInetrc: |
{{- readFile "../vm/erl_inetrc" | nindent 2 }}
image:
repository: docker.io/rbkmoney/bender
tag: b0eea3098f05606fa244cc8ffc1fa20d101d42b7
pullPolicy: IfNotPresent
configMap:
data:
sys.config: |
{{- readFile "sys.config" | nindent 6 }}
erl_inetrc: |
{{- readFile "../vm/erl_inetrc" | nindent 6 }}
vm.args: |
{{- tpl (readFile "../vm/erl_vm_args.gotmpl") . | nindent 6 }}
metrics:
serviceMonitor:
enabled: true
namespace: monitoring
additionalLabels:
release: prometheus
volumes:
- name: config-volume
configMap:
name: {{ .Release.Name }}
volumeMounts:
- name: config-volume
mountPath: /opt/bender/releases/1.0.0/sys.config
subPath: sys.config
readOnly: true
- name: config-volume
mountPath: /opt/bender/releases/1.0.0/vm.args
subPath: vm.args
readOnly: true
- name: config-volume
mountPath: /opt/bender/erl_inetrc
subPath: erl_inetrc
readOnly: true
ciliumPolicies:
- filters:
- port: 8022
type: TCP
name: machinegun
namespace: default
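Review bot: the `ciliumPolicies` entry hard-codes `namespace: default` for the `machinegun` peer, as do nearly all the policy entries in this change, although the same change advertises deploying outside the `default` namespace. If the peer is expected to live in the release namespace, render it from the release (helmfile exposes `{{ .Release.Namespace }}` next to the `{{ .Release.Name }}` already used in this file) so the policy follows the deployment instead of pointing at the wrong namespace once the release moves.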

96
config/binapi/sys.config Normal file
@ -0,0 +1,96 @@
%% -*- mode: erlang -*-
[
{kernel, [
{logger_level, info},
{logger, [
{handler, default, logger_std_h, #{
level => info,
config => #{
type => standard_io,
sync_mode_qlen => 2000,
drop_mode_qlen => 2000,
flush_qlen => 3000
},
filters => [{access_log, {fun logger_filters:domain/2, {stop, equal, [cowboy_access_log]}}}],
formatter => {logger_logstash_formatter, #{}}
}},
{handler, access_logger, logger_std_h, #{
level => info,
config => #{
type => standard_io,
sync_mode_qlen => 2000,
drop_mode_qlen => 2000,
flush_qlen => 3000
},
filters => [{access_log, {fun logger_filters:domain/2, {stop, not_equal, [cowboy_access_log]}}}],
formatter => {logger_logstash_formatter, #{
message_redaction_regex_list => [
%% PAN
"(?<=\\W[2-6][0-9]{5})[0-9]{1,11}(?=[0-9]{2}\\W)",
%% Expiration date
"(?<=\\W)[0-9]{1,2}[\\s.,-/]([0-9]{2}|2[0-9]{3})(?=\\W)",
%% CVV / CVV2 / CSC
"(?<=\\W)[0-9]{3,4}(?=\\W)"
]
}}
}}
]}
]},
{scoper, [
{storage, scoper_storage_logger}
]},
{binapi, [
{ip, "::"},
{port, 8080},
{service_type, real},
{access_conf, #{
jwt => #{
signee => binapi,
keyset => #{
keycloak => {pem_file, "/var/lib/binapi/keys/keycloak/keycloak.pubkey.pem"}
}
}
}},
{oops_bodies, #{
500 => "/var/lib/binapi/oops-bodies/oopsBody1",
501 => "/var/lib/binapi/oops-bodies/oopsBody1",
502 => "/var/lib/binapi/oops-bodies/oopsBody1",
503 => "/var/lib/binapi/oops-bodies/oopsBody2",
504 => "/var/lib/binapi/oops-bodies/oopsBody2"
}},
{health_check, #{
disk => {erl_health, disk, ["/", 99]},
memory => {erl_health, cg_memory, [70]},
service => {erl_health, service, [<<"binapi">>]}
}},
{max_request_deadline, 60000} % milliseconds
]},
{binapi_woody_client, [
{service_urls, #{
binbase => "http://binbase:8022/v1/binbase"
}},
{service_deadlines, #{
merchant_stat => 30000, % milliseconds
reporting => 30000, % milliseconds
analytics => 30000, % milliseconds
party_shop => 10000 % milliseconds
}}
]},
{how_are_you, [
{metrics_publishers, []}
]},
{os_mon, [
{disksup_posix_only, true}
]},
{snowflake, [{machine_id, hostname_hash}]},
{prometheus, [
{collectors, [default]}
]}
].
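Review bot: `service_deadlines` lists `merchant_stat`, `reporting`, `analytics` and `party_shop`, but `service_urls` in the same block defines only `binbase`; the deadline map looks copied from the anapi config and leaves the one service binapi actually calls without a per-service deadline. Replace the four entries with a `binbase => ...` deadline. Separately, the `message_redaction_regex_list` (PAN, expiry date, CVV) is attached only to the `access_logger` formatter; the `default` handler keeps a bare `logger_logstash_formatter, #{}`, so card data that reaches an application-level log line is written unredacted. Give both handlers the same formatter options.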

@ -0,0 +1,83 @@
# -*- mode: yaml -*-
replicaCount: 1
image:
repository: docker.io/rbkmoney/binapi
tag: bc5d6fd206c740a3075fd33228561928763d0995
pullPolicy: IfNotPresent
configMap:
data:
sys.config: |
{{- readFile "sys.config" | nindent 6 }}
erl_inetrc: |
{{- readFile "../vm/erl_inetrc" | nindent 6 }}
fetchKeycloakPubkey: |
{{- readFile "../api-common/fetch-keycloak-pubkey.sh" | nindent 6 }}
oopsBody1: |
{{- readFile "../api-common/oops-bodies/sad-kitty1" | nindent 6 }}
oopsBody2: |
{{- readFile "../api-common/oops-bodies/sad-kitty2" | nindent 6 }}
vm.args: |
-sname {{ .Release.Name }}
-setcookie {{ .Release.Name }}_cookie
-proto_dist inet6_tcp
-kernel inetrc '"./erl_inetrc"'
apiInitContainers:
enabled: true
volumeMounts:
- name: config-volume
mountPath: /opt/binapi/releases/0.1.0/sys.config
subPath: sys.config
readOnly: true
- name: config-volume
mountPath: /opt/binapi/releases/0.1.0/vm.args
subPath: vm.args
readOnly: true
- name: config-volume
mountPath: /opt/binapi/erl_inetrc
subPath: erl_inetrc
readOnly: true
- name: config-volume
mountPath: /var/lib/binapi/oops-bodies/oopsBody1
subPath: oopsBody1
readOnly: true
- name: config-volume
mountPath: /var/lib/binapi/oops-bodies/oopsBody2
subPath: oopsBody2
readOnly: true
- name: keycloak-pubkey
mountPath: /var/lib/binapi/keys/keycloak
readOnly: true
volumes:
- name: config-volume
configMap:
name: {{ .Release.Name }}
defaultMode: 0755
- name: keycloak-pubkey
emptyDir: {}
service:
type: ClusterIP
ports:
- name: api
port: 8080
metrics:
serviceMonitor:
enabled: true
namespace: monitoring
additionalLabels:
release: prometheus
ingress:
enabled: true
hosts:
- host: api.rbk.dev
paths:
- /binbase/v1
servicePort: 8080
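Review bot: `vm.args` is inlined here (`-sname`, `-setcookie {{ .Release.Name }}_cookie`, `-proto_dist inet6_tcp`) while every other Erlang service in this change renders it from `../vm/erl_vm_args.gotmpl`. Besides drifting from the shared template, the cookie is derived from the release name and shipped in a ConfigMap; the cookie is the only credential Erlang distribution checks before handing out a node shell, so treat it as a secret (render it from a Secret, or at least from the shared template) and make sure nothing outside the pod can reach the distribution port.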

@ -9,4 +9,11 @@ trap onExit EXIT
pg_ctl -D /var/lib/postgresql/9.6/data start -w
java \
"-XX:OnOutOfMemoryError=kill %p" -XX:+HeapDumpOnOutOfMemoryError \
-jar \
/opt/binbase/binbase.jar \
--management.security.enabled=false \
--spring.batch.job.enabled=false \
--client.cds.url=http://cds:8022/v2/storage \
--spring.flyway.enabled=false \
--spring.batch.initialize-schema=never \
${@}
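Review bot: `--management.security.enabled=false` turns off authentication for the whole Spring actuator surface, not just the `/actuator/health` endpoint the new probes use, so whatever else is exposed (e.g. `env`, `heapdump`) becomes reachable on the API port. Prefer keeping security on and exposing only `health`; on Spring Boot 2 that is `management.endpoints.web.exposure.include=health`. Note that `management.security.enabled` only exists on Boot 1.5 and is silently ignored on 2.x, so it is worth checking which line `binbase.jar` is built on before relying on either flag.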

@ -2,5 +2,45 @@
replicaCount: 1
entrypoint: |
{{- readFile "entrypoint.sh" | nindent 2 }}
image:
repository: docker.io/rbkmoney/binbase-test-data
tag: 53e611d5881405f796f59abef843bcc8178a1343
pullPolicy: IfNotPresent
runopts:
command : ["/opt/binbase/entrypoint.sh"]
configMap:
data:
entrypoint.sh: |
{{- readFile "entrypoint.sh" | nindent 6 }}
volumeMounts:
- name: config-volume
mountPath: /opt/binbase/entrypoint.sh
subPath: entrypoint.sh
readOnly: true
volumes:
- name: config-volume
configMap:
name: {{ .Release.Name }}
defaultMode: 0755
livenessProbe:
httpGet:
path: /actuator/health
port: api
initialDelaySeconds: 30
timeoutSeconds: 3
initialDelaySeconds: 30
readinessProbe:
httpGet:
path: /actuator/health
port: api
resources:
requests:
cpu: 100m
memory: 512Mi
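Review bot: `livenessProbe` sets `initialDelaySeconds: 30` twice (before and after `timeoutSeconds: 3`); a duplicate mapping key is rejected by strict YAML parsers and silently last-wins in lenient ones, so drop one copy. The `readinessProbe` has neither `initialDelaySeconds` nor `timeoutSeconds`, although the entrypoint starts PostgreSQL before the JVM, so the default 1 s timeout is likely to flap during startup. Finally, `resources` declares requests but no limits; with `-XX:+HeapDumpOnOutOfMemoryError` in the entrypoint an unbounded JVM can be OOM-killed by the node before its own heap limit triggers, in which case the dump is never written.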

@ -68,11 +68,11 @@
}
}},
{oops_bodies, #{
500 => "/var/lib/capi/oops-bodies/oops-body1",
501 => "/var/lib/capi/oops-bodies/oops-body1",
502 => "/var/lib/capi/oops-bodies/oops-body1",
503 => "/var/lib/capi/oops-bodies/oops-body2",
504 => "/var/lib/capi/oops-bodies/oops-body2"
500 => "/var/lib/capi/oops-bodies/oopsBody1",
501 => "/var/lib/capi/oops-bodies/oopsBody1",
502 => "/var/lib/capi/oops-bodies/oopsBody1",
503 => "/var/lib/capi/oops-bodies/oopsBody2",
504 => "/var/lib/capi/oops-bodies/oopsBody2"
}},
{health_checkers, [
{erl_health, disk , ["/", 99]},
@ -91,9 +91,9 @@
{capi_woody_client, [
{service_urls, #{
cds_storage => "http://cds.default.svc.cluster.local:8022/v2/storage",
binbase => "http://binbase.default.svc.cluster.local:8022/v1/binbase",
bender => "http://bender.default.svc.cluster.local:8022/v1/bender"
cds_storage => "http://cds:8022/v2/storage",
binbase => "http://binbase:8022/v1/binbase",
bender => "http://bender:8022/v1/bender"
}}
]},
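Review bot: the woody URLs move from `cds.default.svc.cluster.local` to the bare service name `cds` (likewise `binbase` and `bender`). A bare name resolves through the pod's own namespace, which is what makes non-default deployments possible, but it also means capi and its peers must now share a namespace, and the `ciliumPolicies` added to the companion values file in this change still pin those same peers to `namespace: default`; the two halves disagree as soon as the release leaves `default`.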

@ -2,20 +2,80 @@
replicaCount: 1
appConfig: |
{{- readFile "sys.config" | nindent 2 }}
erlInetrc: |
{{- readFile "../vm/erl_inetrc" | nindent 2 }}
fetchKeycloakPubkey: |
{{- readFile "../api-common/fetch-keycloak-pubkey.sh" | nindent 2 }}
oopsBody1: |
{{- readFile "../api-common/oops-bodies/sad-kitty1" | nindent 2 }}
oopsBody2: |
{{- readFile "../api-common/oops-bodies/sad-kitty2" | nindent 2 }}
tokenEncryptionKey1: |
{{- readFile "../api-common/keys/token-encryption-keys/1.jwk" | nindent 2 }}
capiPrivkey: |
{{- readFile "../api-common/keys/capi.privkey.pem" | nindent 2 }}
image:
repository: docker.io/rbkmoney/capi_pcidss-v1
tag: 3007bbf74504d9f9c709d5ace37cbcfce85c0f4e
pullPolicy: IfNotPresent
configMap:
data:
sys.config: |
{{- readFile "sys.config" | nindent 6 }}
erl_inetrc: |
{{- readFile "../vm/erl_inetrc" | nindent 6 }}
fetchKeycloakPubkey: |
{{- readFile "../api-common/fetch-keycloak-pubkey.sh" | nindent 6 }}
oopsBody1: |
{{- readFile "../api-common/oops-bodies/sad-kitty1" | nindent 6 }}
oopsBody2: |
{{- readFile "../api-common/oops-bodies/sad-kitty2" | nindent 6 }}
vm.args: |
{{- tpl (readFile "../vm/erl_vm_args.gotmpl") . | nindent 6 }}
secret:
data:
token_encryption_key1.jwk: |
{{- readFile "../api-common/keys/token-encryption-keys/1.jwk" | nindent 6 }}
capi.privkey.pem: |
{{- readFile "../api-common/keys/capi.privkey.pem" | nindent 6 }}
apiInitContainers:
enabled: true
volumeMounts:
- name: config-volume
mountPath: /opt/capi_pcidss/releases/0.1.0/sys.config
subPath: sys.config
readOnly: true
- name: config-volume
mountPath: /opt/capi_pcidss/releases/0.1.0/vm.args
subPath: vm.args
readOnly: true
- name: config-volume
mountPath: /opt/capi_pcidss/erl_inetrc
subPath: erl_inetrc
readOnly: true
- name: config-volume
mountPath: /var/lib/capi/oops-bodies/oopsBody1
subPath: oopsBody1
readOnly: true
- name: config-volume
mountPath: /var/lib/capi/oops-bodies/oopsBody2
subPath: oopsBody2
readOnly: true
- name: secret
mountPath: /var/lib/capi/keys
readOnly: true
- name: keycloak-pubkey
mountPath: /var/lib/capi/keys/keycloak
readOnly: true
volumes:
- name: config-volume
configMap:
name: {{ .Release.Name }}
defaultMode: 0755
- name: secret
secret:
secretName: {{ .Release.Name }}
- name: keycloak-pubkey
emptyDir: {}
service:
type: ClusterIP
ports:
- name: api
port: 8080
metrics:
serviceMonitor:
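Review bot: moving `token_encryption_key1.jwk` and `capi.privkey.pem` out of plain values into a `secret:` block is the right direction, but both are still `readFile`'d from `../api-common/keys/` in this repository, so the signing key and the token-encryption JWK remain plaintext in git and in every rendered manifest. Source them from an external secret store (or at least keep them out of the repo). Also, the `secret` volume mounted at `/var/lib/capi/keys` has no `defaultMode`, so the key files land at 0644; set 0400 so they are not readable by every user in the container.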
@ -23,3 +83,33 @@ metrics:
namespace: monitoring
additionalLabels:
release: prometheus
ingress:
enabled: true
hosts:
- host: api.rbk.dev
paths:
- /v1/processing/payment-resources
servicePort: 8080
ciliumPolicies:
- filters:
- port: 8080
type: TCP
name: keycloak
namespace: default
- filters:
- port: 8022
type: TCP
name: binbase
namespace: default
- filters:
- port: 8022
type: TCP
name: bender
namespace: default
- filters:
- port: 8022
type: TCP
name: cds
namespace: default

@ -68,11 +68,11 @@
}
}},
{oops_bodies, #{
500 => "/var/lib/capi/oops-bodies/oops-body1",
501 => "/var/lib/capi/oops-bodies/oops-body1",
502 => "/var/lib/capi/oops-bodies/oops-body1",
503 => "/var/lib/capi/oops-bodies/oops-body2",
504 => "/var/lib/capi/oops-bodies/oops-body2"
500 => "/var/lib/capi/oops-bodies/oopsBody1",
501 => "/var/lib/capi/oops-bodies/oopsBody1",
502 => "/var/lib/capi/oops-bodies/oopsBody1",
503 => "/var/lib/capi/oops-bodies/oopsBody2",
504 => "/var/lib/capi/oops-bodies/oopsBody2"
}},
{health_checkers, [
{erl_health, disk , ["/", 99]},
@ -92,7 +92,7 @@
{capi_woody_client, [
{services, #{
cds_storage => #{
url => "http://cds.default.svc.cluster.local:8022/v2/storage",
url => "http://cds:8022/v2/storage",
transport_opts => #{
pool => cds_storage,
timeout => 1000,
@ -100,14 +100,14 @@
}
},
tds_storage => #{
url => "http://cds.default.svc.cluster.local:8022/v1/token_storage",
url => "http://cds:8022/v1/token_storage",
transport_opts => #{
pool => tds_storage,
timeout => 1000
}
},
binbase => #{
url => "http://binbase.default.svc.cluster.local:8022/v1/binbase",
url => "http://binbase:8022/v1/binbase",
transport_opts => #{
pool => binbase,
timeout => 1000,
@ -115,7 +115,7 @@
}
},
bender => #{
url => "http://bender.default.svc.cluster.local:8022/v1/bender",
url => "http://bender:8022/v1/bender",
transport_opts => #{
pool => bender,
timeout => 1000,

@ -2,20 +2,80 @@
replicaCount: 1
appConfig: |
{{- readFile "sys.config" | nindent 2 }}
erlInetrc: |
{{- readFile "../vm/erl_inetrc" | nindent 2 }}
fetchKeycloakPubkey: |
{{- readFile "../api-common/fetch-keycloak-pubkey.sh" | nindent 2 }}
oopsBody1: |
{{- readFile "../api-common/oops-bodies/sad-kitty1" | nindent 2 }}
oopsBody2: |
{{- readFile "../api-common/oops-bodies/sad-kitty2" | nindent 2 }}
tokenEncryptionKey1: |
{{- readFile "../api-common/keys/token-encryption-keys/1.jwk" | nindent 2 }}
capiPrivkey: |
{{- readFile "../api-common/keys/capi.privkey.pem" | nindent 2 }}
image:
repository: docker.io/rbkmoney/capi_pcidss-v2
tag: 54dde2dd6a7ce75437be334ee3adfcfb9b590d19
pullPolicy: IfNotPresent
configMap:
data:
sys.config: |
{{- readFile "sys.config" | nindent 6 }}
erl_inetrc: |
{{- readFile "../vm/erl_inetrc" | nindent 6 }}
fetchKeycloakPubkey: |
{{- readFile "../api-common/fetch-keycloak-pubkey.sh" | nindent 6 }}
oopsBody1: |
{{- readFile "../api-common/oops-bodies/sad-kitty1" | nindent 6 }}
oopsBody2: |
{{- readFile "../api-common/oops-bodies/sad-kitty2" | nindent 6 }}
vm.args: |
{{- tpl (readFile "../vm/erl_vm_args.gotmpl") . | nindent 6 }}
secret:
data:
token_encryption_key1.jwk: |
{{- readFile "../api-common/keys/token-encryption-keys/1.jwk" | nindent 6 }}
capi.privkey.pem: |
{{- readFile "../api-common/keys/capi.privkey.pem" | nindent 6 }}
apiInitContainers:
enabled: true
volumeMounts:
- name: config-volume
mountPath: /opt/capi_pcidss/releases/0.1.0/sys.config
subPath: sys.config
readOnly: true
- name: config-volume
mountPath: /opt/capi_pcidss/releases/0.1.0/vm.args
subPath: vm.args
readOnly: true
- name: config-volume
mountPath: /opt/capi_pcidss/erl_inetrc
subPath: erl_inetrc
readOnly: true
- name: config-volume
mountPath: /var/lib/capi/oops-bodies/oopsBody1
subPath: oopsBody1
readOnly: true
- name: config-volume
mountPath: /var/lib/capi/oops-bodies/oopsBody2
subPath: oopsBody2
readOnly: true
- name: secret
mountPath: /var/lib/capi/keys
readOnly: true
- name: keycloak-pubkey
mountPath: /var/lib/capi/keys/keycloak
readOnly: true
volumes:
- name: config-volume
configMap:
name: {{ .Release.Name }}
defaultMode: 0755
- name: secret
secret:
secretName: {{ .Release.Name }}
- name: keycloak-pubkey
emptyDir: {}
service:
type: ClusterIP
ports:
- name: api
port: 8080
metrics:
serviceMonitor:
@ -23,3 +83,32 @@ metrics:
namespace: monitoring
additionalLabels:
release: prometheus
ingress:
enabled: true
hosts:
- host: api.rbk.dev
paths:
- /v2/processing/payment-resources
servicePort: 8080
ciliumPolicies:
- filters:
- port: 8080
type: TCP
name: keycloak
- filters:
- port: 8022
type: TCP
name: binbase
namespace: default
- filters:
- port: 8022
type: TCP
name: bender
namespace: default
- filters:
- port: 8022
type: TCP
name: cds
namespace: default
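Review bot: the `keycloak` entry (port 8080) is the only filter in this `ciliumPolicies` list without a `namespace:` line; its siblings (`binbase`, `bender`, `cds`) and the otherwise identical list in the capi_pcidss-v1 values file all carry `namespace: default`. If the chart defaults a missing namespace to the release namespace this is a silent behaviour difference between v1 and v2; if it does not, the keycloak rule never matches. Either add the key or document the intended default.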

@ -50,11 +50,11 @@
blacklisted_keys_dir => "/opt/capi"
}},
{oops_bodies, #{
500 => "/var/lib/capi/oops-bodies/oops-body1",
501 => "/var/lib/capi/oops-bodies/oops-body1",
502 => "/var/lib/capi/oops-bodies/oops-body1",
503 => "/var/lib/capi/oops-bodies/oops-body2",
504 => "/var/lib/capi/oops-bodies/oops-body2"
500 => "/var/lib/capi/oops-bodies/oopsBody1",
501 => "/var/lib/capi/oops-bodies/oopsBody1",
502 => "/var/lib/capi/oops-bodies/oopsBody1",
503 => "/var/lib/capi/oops-bodies/oopsBody2",
504 => "/var/lib/capi/oops-bodies/oopsBody2"
}},
{swagger_handler_opts, #{
validation_opts => #{

@ -2,20 +2,80 @@
replicaCount: 1
appConfig: |
{{- readFile "sys.config" | nindent 2 }}
erlInetrc: |
{{- readFile "../vm/erl_inetrc" | nindent 2 }}
fetchKeycloakPubkey: |
{{- readFile "../api-common/fetch-keycloak-pubkey.sh" | nindent 2 }}
oopsBody1: |
{{- readFile "../api-common/oops-bodies/sad-kitty1" | nindent 2 }}
oopsBody2: |
{{- readFile "../api-common/oops-bodies/sad-kitty2" | nindent 2 }}
tokenEncryptionKey1: |
{{- readFile "../api-common/keys/token-encryption-keys/1.jwk" | nindent 2 }}
capiPrivkey: |
{{- readFile "../api-common/keys/capi.privkey.pem" | nindent 2 }}
image:
repository: docker.io/rbkmoney/capi-v1
tag: b2b15a5b620cd7061f9e81fa44955e824ffdf806
pullPolicy: IfNotPresent
configMap:
data:
sys.config: |
{{- readFile "sys.config" | nindent 6 }}
erl_inetrc: |
{{- readFile "../vm/erl_inetrc" | nindent 6 }}
fetchKeycloakPubkey: |
{{- readFile "../api-common/fetch-keycloak-pubkey.sh" | nindent 6 }}
oopsBody1: |
{{- readFile "../api-common/oops-bodies/sad-kitty1" | nindent 6 }}
oopsBody2: |
{{- readFile "../api-common/oops-bodies/sad-kitty2" | nindent 6 }}
vm.args: |
{{- tpl (readFile "../vm/erl_vm_args.gotmpl") . | nindent 6 }}
secret:
data:
token_encryption_key1.jwk: |
{{- readFile "../api-common/keys/token-encryption-keys/1.jwk" | nindent 6 }}
capi.privkey.pem: |
{{- readFile "../api-common/keys/capi.privkey.pem" | nindent 6 }}
apiInitContainers:
enabled: true
volumeMounts:
- name: config-volume
mountPath: /opt/capi/releases/0.1.0/sys.config
subPath: sys.config
readOnly: true
- name: config-volume
mountPath: /opt/capi/releases/0.1.0/vm.args
subPath: vm.args
readOnly: true
- name: config-volume
mountPath: /opt/capi/erl_inetrc
subPath: erl_inetrc
readOnly: true
- name: config-volume
mountPath: /var/lib/capi/oops-bodies/oopsBody1
subPath: oopsBody1
readOnly: true
- name: config-volume
mountPath: /var/lib/capi/oops-bodies/oopsBody2
subPath: oopsBody2
readOnly: true
- name: secret
mountPath: /var/lib/capi/keys
readOnly: true
- name: keycloak-pubkey
mountPath: /var/lib/capi/keys/keycloak
readOnly: true
volumes:
- name: config-volume
configMap:
name: {{ .Release.Name }}
defaultMode: 0755
- name: secret
secret:
secretName: {{ .Release.Name }}
- name: keycloak-pubkey
emptyDir: {}
service:
type: ClusterIP
ports:
- name: api
port: 8080
metrics:
serviceMonitor:
@ -23,3 +83,38 @@ metrics:
namespace: monitoring
additionalLabels:
release: prometheus
ingress:
enabled: true
hosts:
- host: api.rbk.dev
paths:
- /v1
servicePort: 8080
ciliumPolicies:
- filters:
- port: 8080
type: TCP
name: keycloak
namespace: default
- filters:
- port: 8022
type: TCP
name: bender
namespace: default
- filters:
- port: 8022
type: TCP
name: shumway
namespace: default
- filters:
- port: 8022
type: TCP
name: dominant
namespace: default
- filters:
- port: 8022
type: TCP
name: hellgate
namespace: default

@ -45,11 +45,11 @@
}
}},
{oops_bodies, #{
500 => "/var/lib/capi/oops-bodies/oops-body1",
501 => "/var/lib/capi/oops-bodies/oops-body1",
502 => "/var/lib/capi/oops-bodies/oops-body1",
503 => "/var/lib/capi/oops-bodies/oops-body2",
504 => "/var/lib/capi/oops-bodies/oops-body2"
500 => "/var/lib/capi/oops-bodies/oopsBody1",
501 => "/var/lib/capi/oops-bodies/oopsBody1",
502 => "/var/lib/capi/oops-bodies/oopsBody1",
503 => "/var/lib/capi/oops-bodies/oopsBody2",
504 => "/var/lib/capi/oops-bodies/oopsBody2"
}},
{api_key_blacklist, #{
update_interval => 50000, % milliseconds

@ -2,20 +2,80 @@
replicaCount: 1
appConfig: |
{{- readFile "sys.config" | nindent 2 }}
erlInetrc: |
{{- readFile "../vm/erl_inetrc" | nindent 2 }}
fetchKeycloakPubkey: |
{{- readFile "../api-common/fetch-keycloak-pubkey.sh" | nindent 2 }}
oopsBody1: |
{{- readFile "../api-common/oops-bodies/sad-kitty1" | nindent 2 }}
oopsBody2: |
{{- readFile "../api-common/oops-bodies/sad-kitty2" | nindent 2 }}
tokenEncryptionKey1: |
{{- readFile "../api-common/keys/token-encryption-keys/1.jwk" | nindent 2 }}
capiPrivkey: |
{{- readFile "../api-common/keys/capi.privkey.pem" | nindent 2 }}
image:
repository: docker.io/rbkmoney/capi-v2
tag: 10510c2148fb3aaf1bf8893f8ddd2b4de900e557
pullPolicy: IfNotPresent
configMap:
data:
sys.config: |
{{- readFile "sys.config" | nindent 6 }}
erl_inetrc: |
{{- readFile "../vm/erl_inetrc" | nindent 6 }}
fetchKeycloakPubkey: |
{{- readFile "../api-common/fetch-keycloak-pubkey.sh" | nindent 6 }}
oopsBody1: |
{{- readFile "../api-common/oops-bodies/sad-kitty1" | nindent 6 }}
oopsBody2: |
{{- readFile "../api-common/oops-bodies/sad-kitty2" | nindent 6 }}
vm.args: |
{{- tpl (readFile "../vm/erl_vm_args.gotmpl") . | nindent 6 }}
secret:
data:
token_encryption_key1.jwk: |
{{- readFile "../api-common/keys/token-encryption-keys/1.jwk" | nindent 6 }}
capi.privkey.pem: |
{{- readFile "../api-common/keys/capi.privkey.pem" | nindent 6 }}
apiInitContainers:
enabled: true
volumeMounts:
- name: config-volume
mountPath: /opt/capi/releases/0.1.0/sys.config
subPath: sys.config
readOnly: true
- name: config-volume
mountPath: /opt/capi/releases/0.1.0/vm.args
subPath: vm.args
readOnly: true
- name: config-volume
mountPath: /opt/capi/erl_inetrc
subPath: erl_inetrc
readOnly: true
- name: config-volume
mountPath: /var/lib/capi/oops-bodies/oopsBody1
subPath: oopsBody1
readOnly: true
- name: config-volume
mountPath: /var/lib/capi/oops-bodies/oopsBody2
subPath: oopsBody2
readOnly: true
- name: secret
mountPath: /var/lib/capi/keys
readOnly: true
- name: keycloak-pubkey
mountPath: /var/lib/capi/keys/keycloak
readOnly: true
volumes:
- name: config-volume
configMap:
name: {{ .Release.Name }}
defaultMode: 0755
- name: secret
secret:
secretName: {{ .Release.Name }}
- name: keycloak-pubkey
emptyDir: {}
service:
type: ClusterIP
ports:
- name: api
port: 8080
metrics:
serviceMonitor:
@ -23,3 +83,38 @@ metrics:
namespace: monitoring
additionalLabels:
release: prometheus
ingress:
enabled: true
hosts:
- host: api.rbk.dev
paths:
- /v2
servicePort: 8080
ciliumPolicies:
- filters:
- port: 8080
type: TCP
name: keycloak
namespace: default
- filters:
- port: 8022
type: TCP
name: bender
namespace: default
- filters:
- port: 8022
type: TCP
name: shumway
namespace: default
- filters:
- port: 8022
type: TCP
name: dominant
namespace: default
- filters:
- port: 8022
type: TCP
name: hellgate
namespace: default

@ -2,14 +2,51 @@
replicaCount: 1
appConfig: |
{{- readFile "sys.config" | nindent 2 }}
caCrt: |
{{- readFile "ca.crt" | nindent 2 }}
clientCrt: |
{{- readFile "client.pem" | nindent 2 }}
erlInetrc: |
{{- readFile "../vm/erl_inetrc" | nindent 2 }}
image:
repository: docker.io/rbkmoney/cds
tag: c0661c4d5abb85f7728bd0e816760670aa248251
pullPolicy: IfNotPresent
configMap:
data:
sys.config: |
{{- readFile "sys.config" | nindent 6 }}
erl_inetrc: |
{{- readFile "../vm/erl_inetrc" | nindent 6 }}
vm.args: |
{{- tpl (readFile "../vm/erl_vm_args.gotmpl") . | nindent 6 }}
secret:
data:
ca.crt: |
{{- readFile "ca.crt" | nindent 6 }}
client.pem: |
{{- readFile "client.pem" | nindent 6 }}
volumeMounts:
- name: config-volume
mountPath: /opt/cds/releases/0.1.0/sys.config
subPath: sys.config
readOnly: true
- name: config-volume
mountPath: /opt/cds/releases/0.1.0/vm.args
subPath: vm.args
readOnly: true
- name: config-volume
mountPath: /opt/cds/erl_inetrc
subPath: erl_inetrc
readOnly: true
- name: secret
mountPath: /var/lib/cds/
readOnly: true
volumes:
- name: config-volume
configMap:
name: {{ .Release.Name }}
- name: secret
secret:
secretName: {{ .Release.Name }}
metrics:
serviceMonitor:
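Review bot: the `secret` volume (`ca.crt`, `client.pem`) is mounted on `/var/lib/cds/`, i.e. over the whole directory, so anything the cds image keeps under that path is hidden and the directory becomes read-only; mounting each file with `subPath`, or the volume under a dedicated `/var/lib/cds/certs`, avoids that. The Secret also has no `defaultMode`, so `client.pem` (presumably the client key and certificate) lands at 0644; set 0400.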
@ -17,3 +54,17 @@ metrics:
namespace: monitoring
additionalLabels:
release: prometheus
ciliumPolicies:
- filters:
- port: 8087
type: TCP
name: riak
namespace: default
- filters:
- port: 8022
type: TCP
- port: 8023
type: TCP
name: kds
namespace: default

1495
config/cilium/values.yaml Normal file

File diff suppressed because it is too large

@ -1 +0,0 @@
Replicas: 1

@ -0,0 +1,15 @@
# -*- mode: yaml -*-
global:
name: "consul"
client:
enabled: false
server:
replicas: 1
extraLabels:
selector.cilium.rbkmoney/release: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: {{ .Release.Name }}
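Review bot: the new consul values run a single server (`server.replicas: 1`) with clients disabled and say nothing about ACLs, gossip encryption or TLS. One server means no fault tolerance: any restart of that pod is a full consul outage for machinegun and the other consumers switched to it in this change. Assuming this is the HashiCorp consul chart (the `global`/`client`/`server` layout matches it), `global.acls.manageSystemACLs`, `global.gossipEncryption` and `global.tls.enabled` are all off unless set, which leaves the cluster open to anything on the pod network; enable at least ACLs and gossip encryption, and raise `replicas` to 3 for anything beyond a dev cluster.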

@ -260,7 +260,7 @@ FIXTURE=$(cat <<END
"data": {
"name": "Mocketbank Proxy",
"description": "Mocked bank proxy for integration test purposes",
"url": "http://proxy-mocketbank-api:8022/proxy/mocketbank",
"url": "http://proxy-mocketbank:8022/proxy/mocketbank",
"options": {}
}
}}}},
@ -270,7 +270,7 @@ FIXTURE=$(cat <<END
"data": {
"name": "Mocket Inspector Proxy",
"description": "Mocked inspector proxy for integration test purposes",
"url": "http://proxy-mocket-inspector-api:8022/proxy/mocket/inspector",
"url": "http://proxy-mocket-inspector:8022/proxy/mocket/inspector",
"options": {"risk_score": "high"}
}
}}}},

@ -2,15 +2,40 @@
replicaCount: 1
initializationTask:
create: true
script: |
{{- readFile "init-script.sh" | nindent 4 }}
image:
repository: docker.io/rbkmoney/dominant
tag: de2a937b3b92eb4fa6888be5aef3bde7d3c8b409
pullPolicy: IfNotPresent
appConfig: |
{{- readFile "sys.config" | nindent 2 }}
erlInetrc: |
{{- readFile "../vm/erl_inetrc" | nindent 2 }}
configMap:
data:
sys.config: |
{{- readFile "sys.config" | nindent 6 }}
erl_inetrc: |
{{- readFile "../vm/erl_inetrc" | nindent 6 }}
vm.args: |
{{- tpl (readFile "../vm/erl_vm_args.gotmpl") . | nindent 6 }}
init-script.sh: |
{{- readFile "init-script.sh" | nindent 6 }}
hook:
enabled: true
image:
repository: docker.io/rbkmoney/holmes
tag: 07f58e297c03bcd50dc4695ddbcfa4eb30c9928e
pullPolicy: IfNotPresent
kind: post-install
command: "/opt/initdominant/init-script.sh"
volumes:
- name: dom-init
configMap:
name: {{ .Release.Name }}
defaultMode: 0755
volumeMounts:
- name: dom-init
mountPath: /opt/initdominant/init-script.sh
subPath: init-script.sh
readOnly: true
metrics:
serviceMonitor:
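Review bot: `kind: post-install` means `init-script.sh` runs only when the release is first installed, so the fixture URL change in the init-script.sh hunks above (`proxy-mocketbank-api` to `proxy-mocketbank`, `proxy-mocket-inspector-api` to `proxy-mocket-inspector`) will not be applied to an already-installed dominant on `helm upgrade`; either add `post-upgrade` to the hook kinds (if the script is idempotent) or document that the release must be reinstalled to pick up fixture changes.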
@ -18,3 +43,52 @@ metrics:
namespace: monitoring
additionalLabels:
release: prometheus
volumes:
- name: config-volume
configMap:
name: {{ .Release.Name }}
defaultMode: 0755
volumeMounts:
- name: config-volume
mountPath: /opt/dominant/releases/0.1/sys.config
subPath: sys.config
readOnly: true
- name: config-volume
mountPath: /opt/dominant/releases/0.1/vm.args
subPath: vm.args
readOnly: true
- name: config-volume
mountPath: /opt/dominant/erl_inetrc
subPath: erl_inetrc
readOnly: true
ciliumPolicies:
- filters:
- port: 8022
type: TCP
name: shumway
namespace: default
- filters:
- port: 8022
type: TCP
name: machinegun
namespace: default
- filters:
- port: 8022
type: TCP
name: dominant
namespace: default
- filters:
- port: 8022
type: TCP
name: proxy-mocket-inspector
namespace: default
- filters:
- port: 8022
type: TCP
name: proxy-mocketbank
namespace: default
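Review bot: `defaultMode: 0755` on `config-volume` is unnecessary: the volume only carries sys.config, vm.args and erl_inetrc, all mounted `readOnly: true`, so the default 0644 is enough (the executable bit is only needed on the `dom-init` volume in the previous hunk, which holds init-script.sh). The `ciliumPolicies` list is also byte-for-byte the same as hellgate's (shumway, machinegun, dominant, proxy-mocket-inspector, proxy-mocketbank); dominant is the domain-config service, so confirm it really opens connections to the two proxies, shumway and itself, and trim the egress allow-list to its actual dependencies.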


@ -2,10 +2,19 @@
replicaCount: 1
appConfig: |
{{- readFile "sys.config" | nindent 2 }}
erlInetrc: |
{{- readFile "../vm/erl_inetrc" | nindent 2 }}
image:
repository: docker.io/rbkmoney/hellgate
tag: efe0b67a7a048bfa17cac871ff2e7b797ea13796
pullPolicy: IfNotPresent
configMap:
data:
sys.config: |
{{- readFile "sys.config" | nindent 6 }}
erl_inetrc: |
{{- readFile "../vm/erl_inetrc" | nindent 6 }}
vm.args: |
{{- tpl (readFile "../vm/erl_vm_args.gotmpl") . | nindent 6 }}
metrics:
serviceMonitor:
@ -13,3 +22,49 @@ metrics:
namespace: monitoring
additionalLabels:
release: prometheus
volumeMounts:
- name: config-volume
mountPath: /opt/hellgate/releases/0.1/sys.config
subPath: sys.config
readOnly: true
- name: config-volume
mountPath: /opt/hellgate/releases/0.1/vm.args
subPath: vm.args
readOnly: true
- name: config-volume
mountPath: /opt/hellgate/erl_inetrc
subPath: erl_inetrc
readOnly: true
volumes:
- name: config-volume
configMap:
name: {{ .Release.Name }}
ciliumPolicies:
- filters:
- port: 8022
type: TCP
name: shumway
namespace: default
- filters:
- port: 8022
type: TCP
name: machinegun
namespace: default
- filters:
- port: 8022
type: TCP
name: dominant
namespace: default
- filters:
- port: 8022
type: TCP
name: proxy-mocket-inspector
namespace: default
- filters:
- port: 8022
type: TCP
name: proxy-mocketbank
namespace: default


@ -0,0 +1,11 @@
# -*- mode: yaml -*-
replicaCount: 1
image:
repository: docker.io/rbkmoney/holmes
tag: 07f58e297c03bcd50dc4695ddbcfa4eb30c9928e
pullPolicy: IfNotPresent
livenessProbe: null
readinessProbe: null


@ -3,5 +3,22 @@ set -ue
java \
"-XX:OnOutOfMemoryError=kill %p" -XX:+HeapDumpOnOutOfMemoryError \
-jar \
/opt/hooker/hooker.jar \
--logging.config=/opt/hooker/logback.xml \
--spring.datasource.hikari.data-source-properties.prepareThreshold=0 \
--spring.datasource.hikari.leak-detection-threshold=5300 \
--spring.datasource.hikari.max-lifetime=300000 \
--spring.datasource.hikari.idle-timeout=30000 \
--spring.datasource.hikari.minimum-idle=2 \
--spring.datasource.hikari.maximum-pool-size=20 \
--kafka.bootstrap-servers=kafka-headless:9092 \
--kafka.topics.invoice.enabled=true \
--kafka.topics.customer.enabled=true \
--kafka.topics.invoice.concurrency=7 \
--kafka.topics.customer.concurrency=2 \
--kafka.topics.invoice.id=mg-events-invoice \
--kafka.topics.customer.id=mg-events-customer \
${@} \
--spring.config.additional-location=/vault/secrets/application.properties
--spring.config.additional-location=/vault/secrets/application.properties \
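Review bot: The new last line `--spring.config.additional-location=/vault/secrets/application.properties \` ends with a continuation backslash and nothing follows it; a trailing backslash at end of file is harmless today, but it will silently glue whatever line someone appends next into this `java` command, so drop it. `${@}` should also be quoted as `"$@"` so that arguments containing whitespace are passed through intact; the same applies to the other entrypoint.sh files in this change (proxy-mocket-inspector, proxy-mocketbank, proxy-mocketbank-mpi, shumway).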


@ -2,25 +2,94 @@
replicaCount: 1
entrypoint: |
{{- readFile "entrypoint.sh" | nindent 2 }}
loggers: |
{{- readFile "loggers.xml" | nindent 2 }}
logback: |
{{- readFile "../logs/logback.xml" | nindent 2 }}
image:
repository: docker.io/rbkmoney/hooker
tag: dc15f448d473c03b7c379a9f0338e8210bc1606a
pullPolicy: IfNotPresent
runopts:
command: ["/opt/hooker/entrypoint.sh"]
configMap:
data:
entrypoint.sh: |
{{- readFile "entrypoint.sh" | nindent 6 }}
loggers.xml: |
{{- readFile "loggers.xml" | nindent 6 }}
logback.xml: |
{{- readFile "../logs/logback.xml" | nindent 6 }}
livenessProbe:
httpGet:
path: /actuator/health
port: management
readinessProbe:
httpGet:
path: /actuator/health
port: management
service:
ports:
- name: api
port: 8022
- name: management
port: 8023
volumeMounts:
- name: config-volume
mountPath: /opt/hooker/entrypoint.sh
subPath: entrypoint.sh
readOnly: true
- name: config-volume
mountPath: /opt/hooker/logback.xml
subPath: logback.xml
readOnly: true
- name: config-volume
mountPath: /opt/hooker/loggers.xml
subPath: loggers.xml
readOnly: true
volumes:
- name: config-volume
configMap:
name: {{ .Release.Name }}
defaultMode: 0755
podAnnotations:
vault.hashicorp.com/role: "db-app"
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-inject-secret-application.properties: "database/creds/db-app-hook"
vault.hashicorp.com/agent-inject-template-application.properties: |
{{`
{{- with secret "database/creds/db-app-hook" -}}
{{`{{- with secret "database/creds/db-app-hook" }}
spring.datasource.url=jdbc:postgresql://postgres-postgresql:5432/hook?sslmode=disable
spring.datasource.username={{ .Data.username }}
spring.datasource.password={{ .Data.password }}
spring.flyway.url=jdbc:postgresql://postgres-postgresql:5432/hook?sslmode=disable
spring.flyway.user={{ .Data.username }}
spring.flyway.password={{ .Data.password }}
{{- end }}
`}}
{{- end }}`}}
ciliumPolicies:
- filters:
- port: 8200
type: TCP
name: vault
namespace: default
- filters:
- port: 5432
type: TCP
name: postgres
namespace: default
- filters:
- port: 9092
rules:
kafka:
- role: consume
topics:
- mg-events-customer
- mg-events-invoice
type: TCP
name: kafka
namespace: default
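Review bot: In the Vault agent template, `{{`{{- with secret "database/creds/db-app-hook" }}` drops the `-}}` trim marker that both the removed line and the shumway template keep; the only effect is a leading blank line in application.properties, but keep the two templates identical. More important: both JDBC URLs use `sslmode=disable`, so the dynamic credentials Vault injects travel to postgres-postgresql in clear text, and the pod logs in with the same Kubernetes auth role `db-app` as shumway, whose policy (vault ConfigMap hunk below) grants read on both `database/creds/db-app` and `database/creds/db-app-hook`, so hooker can also mint shumway's database credentials. Consider `sslmode=require` and a per-service role and policy.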


@ -1,10 +0,0 @@
replicas: 1
zookeeper:
## If true, install the Zookeeper chart alongside Kafka
## ref: https://github.com/kubernetes/charts/tree/master/incubator/zookeeper
enabled: false
## If the Zookeeper Chart is disabled a URL and port are required to connect
url: "zookeeper"
port: 2181


@ -0,0 +1,28 @@
replicas: 1
podLabels:
selector.cilium.rbkmoney/release: {{ .Release.Name }}
zookeeper:
## If true, install the Zookeeper chart alongside Kafka
## ref: https://github.com/kubernetes/charts/tree/master/incubator/zookeeper
enabled: true
## If the Zookeeper Chart is disabled a URL and port are required to connect
# url: "zookeeper"
# port: 2181
replicaCount: 1
persistence:
enabled: false
ciliumPolicies:
- filters:
- port: 2181
type: TCP
name: zookeeper
namespace: default
- filters:
- port: 9092
type: TCP
name: kafka
namespace: default


@ -2,17 +2,87 @@
replicaCount: 1
initializationTask:
create: true
image:
repository: docker.io/rbkmoney/kds
tag: df8a550af175177486ec49cf3bdab64cf5db2d33
pullPolicy: IfNotPresent
appConfig: |
{{- readFile "sys.config" | nindent 2 }}
caCrt: |
{{- readFile "ca.crt" | nindent 2 }}
serverCrt: |
{{- readFile "server.pem" | nindent 2 }}
erlInetrc: |
{{- readFile "../vm/erl_inetrc" | nindent 2 }}
hook:
enabled: true
image:
repository: docker.io/rbkmoney/holmes
tag: 07f58e297c03bcd50dc4695ddbcfa4eb30c9928e
pullPolicy: IfNotPresent
kind: post-install
command: "/opt/holmes/scripts/cds/keyring.py -a kds init"
configMap:
data:
sys.config: |
{{- readFile "sys.config" | nindent 6 }}
erl_inetrc: |
{{- readFile "../vm/erl_inetrc" | nindent 6 }}
vm.args: |
{{- tpl (readFile "../vm/erl_vm_args.gotmpl") . | nindent 6 }}
secret:
data:
ca.crt: |
{{- readFile "ca.crt" | nindent 6 }}
server.pem: |
{{- readFile "server.pem" | nindent 6 }}
service:
type: ClusterIP
ports:
- name: management
port: 8022
- name: storage
port: 8023
livenessProbe:
httpGet:
path: /health
port: management
readinessProbe:
httpGet:
path: /health
port: management
volumeMounts:
- name: config-volume
mountPath: /opt/kds/releases/0.1.0/sys.config
subPath: sys.config
readOnly: true
- name: config-volume
mountPath: /opt/kds/releases/0.1.0/vm.args
subPath: vm.args
readOnly: true
- name: config-volume
mountPath: /opt/kds/erl_inetrc
subPath: erl_inetrc
readOnly: true
- name: secret
mountPath: /var/lib/kds/
readOnly: true
- name: keyring
mountPath: /opt/kds/state/
volumes:
- name: config-volume
configMap:
name: {{ .Release.Name }}
- name: secret
secret:
secretName: {{ .Release.Name }}
- name: keyring
persistentVolumeClaim:
claimName: "{{ .Release.Name }}-keyring"
pvc:
enabled: true
name: "{{ .Release.Name }}-keyring"
storage: 3Mi
metrics:
serviceMonitor:
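Review bot: `ca.crt` and `server.pem` are read from files next to this values file and rendered into the release Secret, so the KDS TLS key material lives in git alongside the configuration; that is acceptable only if these are throw-away test certificates, and it is worth a comment saying so. Also check that the generic chart base64-encodes `secret.data` entries (Kubernetes `data:` requires base64; `stringData:` takes plain text), otherwise the Secret is rejected. The `keyring` PVC is correctly the only writable mount (`/opt/kds/state/`), and the post-install `keyring.py -a kds init` hook runs once, which is the right behaviour for keyring initialization.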
@ -20,3 +90,16 @@ metrics:
namespace: monitoring
additionalLabels:
release: prometheus
endpoints:
- port: "management"
path: /metrics
scheme: http
ciliumPolicies:
- filters:
- port: 8022
type: TCP
- port: 8023
type: TCP
name: kds
namespace: default


@ -0,0 +1,6 @@
# -*- mode: yaml -*-
configMap:
data:
realms.json: |
{{- tpl (readFile "realms.json.gotmpl") . | nindent 6 }}


@ -1,7 +1,9 @@
postgresql:
enabled: false
podLabels:
selector.cilium.rbkmoney/release: {{ .Release.Name }}
extraEnv: |
- name: DB_VENDOR
value: postgres
@ -19,7 +21,12 @@ extraEnv: |
value: >-
-XX:+UseContainerSupport
-XX:MaxRAMPercentage=50.0
{{- if .Values.services.global.ipv6only }}
-Djava.net.preferIPv4Stack=false
-Djava.net.preferIPv6Addresses=true
{{- else }}
-Djava.net.preferIPv4Stack=true
{{- end }}
-Djboss.modules.system.pkgs=$JBOSS_MODULES_SYSTEM_PKGS
-Djava.awt.headless=true
- name: KEYCLOAK_IMPORT
@ -34,3 +41,10 @@ extraVolumeMounts: |
- name: keycloak-realms-volume
mountPath: "/realm/"
readOnly: true
ciliumPolicies:
- filters:
- port: 5432
type: TCP
name: postgres
namespace: default


@ -1,10 +1,12 @@
service_name: machinegun
erlang:
ipv6: true
disable_dns_cache: true
secret_cookie_file: /opt/machinegun/etc/cookie
woody_server:
ip: "0.0.0.0"
ip: "::"
port: 8022
max_concurrent_connections: 8000
http_keep_alive_timeout: 3000ms
@ -25,7 +27,7 @@ consuela:
presence:
check_interval: 5s
registry:
nodename: consul-0
nodename: consul-server-0
session_ttl: 30s
session_renewal_interval: 10s
discovery:
@ -37,7 +39,7 @@ logging:
# Consul client settings.
# Required when distributed machine registry is enabled.
consul:
url: http://consul:8500
url: http://consul-server:8500
connect_timeout: 200ms
recv_timeout: 1s
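Review bot: `ip: "::"` binds the Woody server on the IPv6 wildcard; on Linux that is a dual-stack socket unless `net.ipv6.bindv6only` is set, so IPv4 clients keep working, but it should be gated on the same `ipv6only` switch that erl_vm_args.gotmpl uses (this file is plain YAML, not a template, so it would need to become one). The Consul URL `http://consul-server:8500` is used without a token or TLS, which matches the Consul values in this change having no ACL configuration; both should be documented as dev-only.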


@ -2,8 +2,37 @@
replicaCount: 1
appConfig: |
{{- readFile "config.yaml" | nindent 2 }}
image:
repository: docker.io/rbkmoney/machinegun
tag: 54eff8de6e39b1102f1eafb44b6a5ce3eab6e9a2
pullPolicy: IfNotPresent
configMap:
data:
config.yaml: |
{{- readFile "config.yaml" | nindent 6 }}
secret:
data:
cookie: "SomeV3ryRand0mStringForCoock1e"
volumes:
- name: config-volume
configMap:
name: {{ .Release.Name }}
- name: cookie-secret
secret:
secretName: {{ .Release.Name }}
volumeMounts:
- name: config-volume
mountPath: /opt/machinegun/etc/config.yaml
subPath: config.yaml
readOnly: true
- name: cookie-secret
mountPath: /opt/machinegun/etc/cookie
subPath: cookie
readOnly: true
metrics:
serviceMonitor:
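Review bot: `secret.data.cookie: "SomeV3ryRand0mStringForCoock1e"` hard-codes the Erlang distribution cookie in a committed values file; the cookie is what authenticates nodes joining the machinegun cluster (`secret_cookie_file` in config.yaml), so it should be generated per release (for example with Sprig's `randAlphaNum` in the template) or sourced from an existing external Secret rather than shipped in git. If the literal stays for dev, at least fix the `Coock1e` typo so the value is not obviously a placeholder.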
@ -11,3 +40,68 @@ metrics:
namespace: monitoring
additionalLabels:
release: prometheus
ciliumPolicies:
- filters:
- port: 8500
type: TCP
name: consul
namespace: default
- filters:
- port: 9092
rules:
kafka:
- role: produce
topics:
- mg-events-cashreg
- mg-events-customer
- mg-events-ff-deposit
- mg-events-ff-destination
- mg-events-ff-identity
- mg-events-ff-p2p-template
- mg-events-ff-p2p-transfer
- mg-events-ff-p2p-transfer-session
- mg-events-ff-source
- mg-events-ff-w2w-transfer
- mg-events-ff-wallet
- mg-events-ff-withdrawal
- mg-events-ff-withdrawal-session
- mg-events-invoice
- mg-events-invoice-template
- mg-events-party
- mg-events-rates
- mg-events-recurrent-paytools
- mg-events-schedulers
type: TCP
name: kafka
namespace: default
- filters:
- port: 8087
type: TCP
name: riak
namespace: default
- filters:
- port: 8022
type: TCP
name: bender
namespace: default
- filters:
- port: 8022
type: TCP
name: url-shortener
namespace: default
- filters:
- port: 8022
type: TCP
name: machinegun
namespace: default
- filters:
- port: 8022
type: TCP
name: dominant
namespace: default
- filters:
- port: 8022
type: TCP
name: hellgate
namespace: default


@ -1,9 +0,0 @@
replicaCount: 1
ingress:
enabled: true
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /$2
# kubernetes.io/tls-acme: "true"
host: api.rbk.dev
path: /web(/|$)(.*)


@ -0,0 +1,59 @@
# -*- mode: yaml -*-
replicaCount: 1
image:
repository: docker.io/rbkmoney/payform
tag: 5e8f3648568635398ea56075f19180eff28dad19
pullPolicy: IfNotPresent
service:
type: ClusterIP
ports:
- name: http
port: 8080
configMap:
data:
appConfig.json: |
{{- readFile "appConfig.json" | nindent 6 }}
payform.conf: |
{{- readFile "vhost.conf" | nindent 6 }}
volumeMounts:
- name: config-volume
mountPath: /usr/share/nginx/html/appConfig.json
subPath: appConfig.json
readOnly: true
- name: config-volume
mountPath: /etc/nginx/vhosts.d/payform.conf
subPath: payform.conf
readOnly: true
volumes:
- name: config-volume
configMap:
name: {{ .Release.Name }}
livenessProbe:
httpGet:
path: /appConfig.json
port: http
initialDelaySeconds: 30
timeoutSeconds: 3
readinessProbe:
httpGet:
path: /appConfig.json
port: http
initialDelaySeconds: 30
timeoutSeconds: 3
ingress:
enabled: true
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /$2
# kubernetes.io/tls-acme: "true"
hosts:
- host: api.rbk.dev
paths:
- /web(/|$)(.*)
servicePort: 8080
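Review bot: `kubernetes.io/tls-acme` stays commented out and there is no `tls:` section under `ingress`, so the payment form is served on `api.rbk.dev` over plain HTTP; that is only acceptable for a dev ingress and deserves a comment saying so. The liveness and readiness probes fetch `/appConfig.json` with `initialDelaySeconds: 30`, which is long for a static nginx container and delays every rollout; a few seconds is enough.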

config/payform/vhost.conf Normal file

@ -0,0 +1,15 @@
server {
listen 8080;
listen [::]:8080;
server_name localhost;
location / {
root /usr/share/nginx/html;
index index.html index.htm;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
}
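Review bot: `server_name localhost;` only works because this is the sole (hence default) server block; requests arrive from the ingress with `Host: api.rbk.dev`, so use `server_name _;` to make the catch-all explicit. Add `server_tokens off;` as well so the nginx version is not advertised in response headers and on the 50x page.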


@ -8,3 +8,8 @@ initdbScripts:
CREATE DATABASE keycloak;
CREATE DATABASE shumway;
CREATE DATABASE hook;
#TODO: If bump version, change master to primary
master:
podLabels:
selector.cilium.rbkmoney/release: {{ .Release.Name }}
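Review bot: The `#TODO` about `master` becoming `primary` should be resolved by pinning the postgresql chart version in the dependency file; otherwise a chart bump silently turns the `master.podLabels` block into a no-op and the pod loses the `selector.cilium.rbkmoney/release` label that the Cilium policies in this change select on, which would cut hooker, shumway, keycloak and vault off from the database.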

@ -1 +0,0 @@
Subproject commit 356bd73e4792ffe107725776ca8946895969c191


@ -47,6 +47,7 @@ grafana:
sha: ""
pullPolicy: IfNotPresent
{{- if .Values.elk.enabled }}
extraEmptyDirMounts:
- name: dashboard-dir
mountPath: /var/lib/grafana/dashboards/general
@ -82,10 +83,6 @@ grafana:
path: synckey
mode: 0600
plugins: []
# - digrich-bubblechart-panel
# - grafana-clock-panel
datasources:
datasources.yaml:
apiVersion: 1
@ -124,6 +121,7 @@ grafana:
machinegun-namespace:
json: |
{{- readFile "dashboards/result/machinegun-namespace.json" | nindent 10 }}
{{- end }}
grafana.ini:
paths:
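Review bot: The `{{- if .Values.elk.enabled }}` opened just before `extraEmptyDirMounts` in the first hunk is only closed after the dashboards block here, so `plugins` and the whole `datasources` section (second hunk) are also conditional on `elk.enabled`; if the Prometheus datasource should exist without ELK, close the conditional after `extraEmptyDirMounts` and open a second one around the dashboards.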


@ -0,0 +1,9 @@
#!/bin/sh
set -ue
java \
"-XX:OnOutOfMemoryError=kill %p" -XX:+HeapDumpOnOutOfMemoryError \
-jar \
/opt/proxy-mocket-inspector/proxy-mocket-inspector.jar \
--server.port=8022 \
${@}


@ -1 +0,0 @@
replicaCount: 1


@ -0,0 +1,41 @@
# -*- mode: yaml -*-
replicaCount: 1
image:
repository: docker.io/rbkmoney/proxy-mocket-inspector
tag: 0ea276f2bb2ff2d25ba69c3c729552b81a75ece2
pullPolicy: IfNotPresent
configMap:
data:
entrypoint.sh: |
{{- readFile "entrypoint.sh" | nindent 6 }}
volumes:
- name: config-volume
configMap:
name: {{ .Release.Name }}
defaultMode: 0755
volumeMounts:
- name: config-volume
mountPath: /opt/proxy-mocket-inspector/entrypoint.sh
subPath: entrypoint.sh
readOnly: true
runopts:
command: ["/opt/proxy-mocket-inspector/entrypoint.sh"]
livenessProbe:
httpGet:
path: /actuator/health
port: api
initialDelaySeconds: 30
timeoutSeconds: 3
readinessProbe:
httpGet:
path: /actuator/health
port: api
initialDelaySeconds: 30
timeoutSeconds: 3
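Review bot: Both probes target the named port `api`, but unlike proxy-mocketbank-mpi this file defines no `service.ports`, so it relies on the generic chart's default port list; confirm that the default container port is named `api` and is 8022, matching `--server.port=8022` in entrypoint.sh, otherwise the probes fail and the pod never becomes ready.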


@ -3,4 +3,7 @@ set -ue
java \
"-XX:OnOutOfMemoryError=kill %p" -XX:+HeapDumpOnOutOfMemoryError \
${@} \
-jar \
/opt/proxy-mocketbank-mpi/proxy-mocketbank-mpi.jar \
--server.port=8080 \
${@}
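Review bot: Moving `${@}` after the jar is the right fix: anything before `-jar` is parsed as a JVM option, so extra Spring arguments passed by the chart would have been rejected by the JVM instead of reaching the application. Quote it as `"$@"` while here.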


@ -2,7 +2,48 @@
replicaCount: 1
entrypoint: |
{{- readFile "entrypoint.sh" | nindent 2 }}
knownCards: |
{{- readFile "cards.csv" | nindent 2 }}
image:
repository: docker.io/rbkmoney/proxy-mocketbank-mpi
tag: e43b6f00eca01eb57a6e917704bff608de57336a
pullPolicy: IfNotPresent
configMap:
data:
entrypoint.sh: |
{{- readFile "entrypoint.sh" | nindent 6 }}
cards.csv: |
{{- readFile "cards.csv" | nindent 6 }}
volumes:
- name: config-volume
configMap:
name: {{ .Release.Name }}
defaultMode: 0755
volumeMounts:
- name: config-volume
mountPath: /opt/proxy-mocketbank-mpi/entrypoint.sh
subPath: entrypoint.sh
readOnly: true
- name: config-volume
mountPath: /opt/proxy-mocketbank-mpi/fixture/cards.csv
subPath: cards.csv
readOnly: true
runopts:
command: ["/opt/proxy-mocketbank-mpi/entrypoint.sh"]
service:
type: ClusterIP
ports:
- name: api
port: 8080
livenessProbe:
httpGet:
path: /actuator/health
port: api
readinessProbe:
httpGet:
path: /actuator/health
port: api


@ -0,0 +1,13 @@
#!/bin/sh
set -ue
java \
"-XX:OnOutOfMemoryError=kill %p" -XX:+HeapDumpOnOutOfMemoryError \
-jar \
/opt/proxy-mocketbank/proxy-mocketbank.jar \
--server.secondary.ports=8080 \
--server.port=8022 \
--cds.client.storage.url=http://cds:8022/v2/storage \
--hellgate.client.adapter.url=http://hellgate:8022/v1/proxyhost/provider \
--adapter-mock-mpi.url=http://proxy-mocketbank-mpi:8080 \
${@}


@ -2,7 +2,60 @@
replicaCount: 1
knownCards: |
{{- readFile "cards.csv" | nindent 2 }}
errorMapping: |
{{- readFile "errors.json" | nindent 2 }}
image:
repository: docker.io/rbkmoney/proxy-mocketbank
tag: 91953e1e9874a851816474b47ad0f123c7c936d1
pullPolicy: IfNotPresent
configMap:
data:
entrypoint.sh: |
{{- readFile "entrypoint.sh" | nindent 6 }}
cards.csv: |
{{- readFile "cards.csv" | nindent 6 }}
errors.json: |
{{- readFile "errors.json" | nindent 6 }}
volumes:
- name: config-volume
configMap:
name: {{ .Release.Name }}
defaultMode: 0755
volumeMounts:
- name: config-volume
mountPath: /opt/proxy-mocketbank/entrypoint.sh
subPath: entrypoint.sh
readOnly: true
- name: config-volume
mountPath: /opt/proxy-mocketbank/fixture/errors.json
subPath: errors.json
readOnly: true
- name: config-volume
mountPath: /opt/proxy-mocketbank/fixture/cards.csv
subPath: cards.csv
readOnly: true
runopts:
command: ["/opt/proxy-mocketbank/entrypoint.sh"]
service:
type: ClusterIP
ports:
- name: api
port: 8022
- name: callback
port: 8080
livenessProbe:
httpGet:
path: /actuator/health
port: api
initialDelaySeconds: 30
timeoutSeconds: 3
readinessProbe:
httpGet:
path: /actuator/health
port: api
initialDelaySeconds: 30
timeoutSeconds: 3
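Review bot: This file has no `ciliumPolicies` block even though entrypoint.sh points the proxy at `cds:8022`, `hellgate:8022` and `proxy-mocketbank-mpi:8080`; every other service in this change lists its egress dependencies there (hellgate to shumway and machinegun, hooker to vault, postgres and kafka), so confirm how pods without a block are treated: if the chart emits a default-deny per release, these calls are dropped and the mocked bank cannot reach card storage, and if it does not, this pod is the one service with unrestricted egress.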

config/riak/cm.yaml Normal file

@ -0,0 +1,70 @@
#!/bin/bash
#
# Cluster start script to bootstrap a Riak cluster.
#
sleep 10
set -ex
if [[ -x /usr/sbin/riak ]]; then
export RIAK=/usr/sbin/riak
else
export RIAK=$RIAK_HOME/bin/riak
fi
export RIAK_CONF=/etc/riak/riak.conf
export USER_CONF=/etc/riak/user.conf
export RIAK_ADVANCED_CONF=/etc/riak/advanced.config
if [[ -x /usr/sbin/riak-admin ]]; then
export RIAK_ADMIN=/usr/sbin/riak-admin
else
export RIAK_ADMIN=$RIAK_HOME/bin/riak-admin
fi
export SCHEMAS_DIR=/etc/riak/schemas/
# Set ports for PB and HTTP
export PB_PORT=${PB_PORT:-8087}
export HTTP_PORT=${HTTP_PORT:-8098}
# CLUSTER_NAME is used to name the nodes and is the value used in the distributed cookie
export CLUSTER_NAME=${CLUSTER_NAME:-riak}
# The COORDINATOR_NODE is the first node in a cluster to which other nodes will eventually join
export COORDINATOR_NODE=${COORDINATOR_NODE:-$(hostname -s).riak-headless}
if [[ ! -z "$ipv6" ]]; then
export COORDINATOR_NODE_HOST=$(ping -c1 $COORDINATOR_NODE | awk '/^PING/ {print $3}' | sed -r 's/\((.*)\):/\1/g')||'::1'
else
export COORDINATOR_NODE_HOST=$(ping -c1 $COORDINATOR_NODE | awk '/^PING/ {print $3}' | sed -r 's/\((.*)\):/\1/g')||'127.0.0.1'
fi
# Use ping to discover our HOSTNAME because it's easier and more reliable than other methods
export HOST=${NODENAME:-$(hostname -s).riak-headless}
export HOSTIP=$(ping -c1 $HOST | awk '/^PING/ {print $3}' | sed -r 's/\((.*)\):/\1/g')
# Run all prestart scripts
PRESTART=$(find /etc/riak/prestart.d -name *.sh -print | sort)
for s in $PRESTART; do
. $s
done
# Start the node and wait until fully up
$RIAK start
$RIAK_ADMIN wait-for-service riak_kv
# Run all poststart scripts
POSTSTART=$(find /etc/riak/poststart.d -name *.sh -print | sort)
for s in $POSTSTART; do
. $s
done
# Trap SIGTERM and SIGINT and tail the log file indefinitely
tail -n 1024 -f /var/log/riak/console.log &
PID=$!
trap "$RIAK stop; kill $PID" SIGTERM SIGINT
# avoid log spamming and unnecessary exit once `riak ping` fails
set +ex
while :
do
riak ping >/dev/null 2>&1
if [ $? -ne 0 ]; then
exit 1
fi
sleep 10
done
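Review bot: The `||'::1'` and `||'127.0.0.1'` fallbacks on the two `COORDINATOR_NODE_HOST` lines are dead code: `export VAR=$(...)` returns 0 even when `ping` fails, and even if the `||` branch ran, `'::1'` would be executed as a command rather than assigned; use an explicit test such as `[ -n "$COORDINATOR_NODE_HOST" ] || COORDINATOR_NODE_HOST='::1'`. Quote the globs in `find ... -name *.sh` (`-name '*.sh'`) so the shell cannot expand them against the working directory. Note also that resolving hosts through `ping` is the reason the riak values add the `NET_RAW` capability; `getent ahosts "$HOST"` gives the address without it.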

config/riak/pre.yaml Normal file

@ -0,0 +1,35 @@
#!/bin/bash
# Add standard config items
cat <<END >>$RIAK_CONF
nodename = $CLUSTER_NAME@$HOST
distributed_cookie = $CLUSTER_NAME
listener.protobuf.internal = $HOSTIP:$PB_PORT
listener.http.internal = $HOSTIP:$HTTP_PORT
mdc.cluster_manager = $HOSTIP:9080
handoff.ip = $HOSTIP
END
rm /etc/riak/advanced.config
cat<< END > /etc/riak/vm.args
+scl false
+sfwi 500
+P 256000
+e 256000
-env ERL_CRASH_DUMP /var/log/riak/erl_crash.dump
-env ERL_FULLSWEEP_AFTER 0
+Q 262144
+A 64
-setcookie riak
-name $CLUSTER_NAME@$HOST
+K true
+W w
-smp enable
+zdbbl 32768
-proto_dist inet6_tcp
END
# Maybe add user config items
if [ -s $USER_CONF ]; then
cat $USER_CONF >>$RIAK_CONF
fi
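Review bot: vm.args hardcodes `-setcookie riak` while riak.conf receives `distributed_cookie = $CLUSTER_NAME`; the two only agree while CLUSTER_NAME keeps its default, so write `-setcookie $CLUSTER_NAME` (the heredoc is unquoted, so it expands). Likewise `-proto_dist inet6_tcp` is unconditional here although riak-cluster.sh branches on `$ipv6`; on an IPv4-only cluster the nodes cannot connect, so gate it on the same variable.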


@ -2,6 +2,87 @@
replicaCount: 1
config:
user: |
{{- readFile "user.yaml" | nindent 4 }}
image:
repository: docker.io/rbkmoney/riak-base
tag: f5b757c2ec73c7db1460c94a17a20a3b5799fde6
configMap:
data:
user.conf: |
{{- readFile "user.yaml" | nindent 6 }}
riak-cluster.sh: |
{{- readFile "cm.yaml" | nindent 6 }}
00-update-riak-conf.sh: |
{{- readFile "pre.yaml" | nindent 6 }}
service:
type: ClusterIP
headless: true
ports:
- name: http
port: 8098
- name: protobuf
port: 8087
livenessProbe:
httpGet: null
exec:
command: ["riak", "ping"]
initialDelaySeconds: 60
periodSeconds: 20
timeoutSeconds: 15
readinessProbe:
httpGet:
path: /types/default/props
port: http
initialDelaySeconds: 60
periodSeconds: 15
timeoutSeconds: 5
env:
- name: CLUSTER_NAME
value: "riak"
- name: COORDINATOR_NODE
value: {{ .Release.Name }}-0.{{ .Release.Name }}-headless
- name: ipv6
value: yep
- name: WAIT_FOR_ERLANG
value: 400
volumeMounts:
- name: config-volume
mountPath: /etc/riak/user.conf
subPath: user.conf
readOnly: true
- name: data
mountPath: /var/lib/riak
- name: config-volume
mountPath: /riak-cluster.sh
subPath: riak-cluster.sh
readOnly: true
- name: config-volume
mountPath: /etc/riak/prestart.d/00-update-riak-conf.sh
subPath: 00-update-riak-conf.sh
readOnly: true
volumes:
- name: config-volume
configMap:
name: {{ .Release.Name }}
defaultMode: 0755
- name: data
emptyDir: {}
storage:
accessModes: ["ReadWriteOnce"]
resources:
requests:
storage: 3Gi
podSecurityContext:
fsGroup: 102
securityContext:
capabilities:
add:
- "SYS_CHROOT"
- "NET_RAW"
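Review bot: `value: 400` for `WAIT_FOR_ERLANG` is a YAML integer, but `EnvVar.value` must be a string, so the rendered manifest is rejected (`cannot unmarshal number into ... string`) unless the chart template quotes it; write `value: "400"`. Two more points: `data` is declared as `emptyDir: {}` while a `storage` block requests a 3Gi volume, so check which one the StatefulSet really uses, because with emptyDir the Riak data is lost on every pod restart; and `NET_RAW` is only needed for the `ping`-based address discovery in riak-cluster.sh (the need for `SYS_CHROOT` is not explained anywhere), so both capabilities deserve a comment or removal.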


@ -3,5 +3,10 @@ set -ue
java \
"-XX:OnOutOfMemoryError=kill %p" -XX:+HeapDumpOnOutOfMemoryError \
-jar \
/opt/shumway/shumway.jar \
--logging.config=/opt/shumway/logback.xml \
--spring.flyway.table=schema_version \
--spring.flyway.schemas=shm \
${@} \
--spring.config.additional-location=/vault/secrets/application.properties


@ -2,25 +2,81 @@
replicaCount: 1
entrypoint: |
{{- readFile "entrypoint.sh" | nindent 2 }}
loggers: |
{{- readFile "loggers.xml" | nindent 2 }}
logback: |
{{- readFile "../logs/logback.xml" | nindent 2 }}
image:
repository: docker.io/rbkmoney/shumway
tag: 13ad29447e8d8057b28d15905fad77b3299655c2
pullPolicy: IfNotPresent
runopts:
command : ["/opt/shumway/entrypoint.sh"]
configMap:
data:
entrypoint.sh: |
{{- readFile "entrypoint.sh" | nindent 6 }}
loggers.xml: |
{{- readFile "loggers.xml" | nindent 6 }}
logback.xml: |
{{- readFile "../logs/logback.xml" | nindent 6 }}
volumes:
- name: config-volume
configMap:
name: {{ .Release.Name }}
defaultMode: 0755
volumeMounts:
- name: config-volume
mountPath: /opt/shumway/entrypoint.sh
subPath: entrypoint.sh
readOnly: true
- name: config-volume
mountPath: /opt/shumway/logback.xml
subPath: logback.xml
readOnly: true
- name: config-volume
mountPath: /opt/shumway/loggers.xml
subPath: loggers.xml
readOnly: true
service:
type: ClusterIP
ports:
- name: api
port: 8022
- name: management
port: 8023
livenessProbe:
httpGet:
path: /actuator/health
port: management
readinessProbe:
httpGet:
path: /actuator/health
port: management
podAnnotations:
vault.hashicorp.com/role: "db-app"
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-inject-secret-application.properties: "database/creds/db-app"
vault.hashicorp.com/agent-inject-template-application.properties: |
{{`
{{- with secret "database/creds/db-app" -}}
{{`{{- with secret "database/creds/db-app" -}}
spring.datasource.url=jdbc:postgresql://postgres-postgresql:5432/shumway?sslmode=disable
spring.datasource.username={{ .Data.username }}
spring.datasource.password={{ .Data.password }}
spring.flyway.url=jdbc:postgresql://postgres-postgresql:5432/shumway?sslmode=disable
spring.flyway.user={{ .Data.username }}
spring.flyway.password={{ .Data.password }}
{{- end }}
`}}
{{- end }}`}}
ciliumPolicies:
- filters:
- port: 8200
type: TCP
name: vault
namespace: default
- filters:
- port: 5432
type: TCP
name: postgres
namespace: default
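Review bot: `command : [...]` has a stray space before the colon; YAML tolerates it but it differs from hooker's `command:` and trips linters. As with hooker, both JDBC URLs use `sslmode=disable`, and the pod shares the Kubernetes auth role `db-app`, whose policy reads both `database/creds/db-app` and `database/creds/db-app-hook`, so shumway can also obtain hooker's database credentials.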


@ -0,0 +1,3 @@
{{- if .Values.services.global.ipv6only }}
useIPv4: false
{{- end }}


@ -2,10 +2,38 @@
replicaCount: 1
appConfig: |
{{- readFile "sys.config" | nindent 2 }}
erlInetrc: |
{{- readFile "../vm/erl_inetrc" | nindent 2 }}
image:
repository: docker.io/rbkmoney/url-shortener
tag: bf8673d8ed5629c393ae9c9b7f7f4c54689008bb
pullPolicy: IfNotPresent
configMap:
data:
sys.config: |
{{- readFile "sys.config" | nindent 6 }}
erl_inetrc: |
{{- readFile "../vm/erl_inetrc" | nindent 6 }}
vm.args: |
{{- tpl (readFile "../vm/erl_vm_args.gotmpl") . | nindent 6 }}
volumeMounts:
- name: config-volume
mountPath: /opt/shortener/releases/0.1/sys.config
subPath: sys.config
readOnly: true
- name: config-volume
mountPath: /opt/shortener/releases/0.1/vm.args
subPath: vm.args
readOnly: true
- name: config-volume
mountPath: /opt/shortener/erl_inetrc
subPath: erl_inetrc
readOnly: true
volumes:
- name: config-volume
configMap:
name: {{ .Release.Name }}
metrics:
serviceMonitor:
@ -13,3 +41,10 @@ metrics:
namespace: monitoring
additionalLabels:
release: prometheus
ciliumPolicies:
- filters:
- port: 8022
type: TCP
name: machinegun
namespace: default


@ -0,0 +1,58 @@
configMap:
data:
init.vault.sh: |
vault secrets enable database
sleep 1
vault write database/config/shumway \
plugin_name=postgresql-database-plugin \
allowed_roles="*" \
connection_url="postgresql://{{username}}:{{password}}@postgres-postgresql.default:5432/shumway?sslmode=disable" \
username="postgres" \
password="H@ckM3"
vault write database/roles/db-app \
db_name=shumway \
creation_statements="Create schema if not exists shm;
CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';
GRANT CREATE ON DATABASE shumway TO \"{{name}}\";
GRANT ALL ON schema shm TO \"{{name}}\";
GRANT ALL ON ALL TABLES IN SCHEMA shm TO \"{{name}}\";
GRANT ALL ON ALL SEQUENCES IN SCHEMA shm TO \"{{name}}\";" \
default_ttl="1h" \
max_ttl="240h"
vault write database/config/hook \
plugin_name=postgresql-database-plugin \
allowed_roles="*" \
connection_url="postgresql://{{username}}:{{password}}@postgres-postgresql.default:5432/hook?sslmode=disable" \
username="postgres" \
password="H@ckM3"
vault write database/roles/db-app-hook \
db_name=hook \
creation_statements="Create schema if not exists hook;
CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';
GRANT CREATE ON DATABASE hook TO \"{{name}}\";
GRANT ALL ON schema hook TO \"{{name}}\";
GRANT ALL ON ALL TABLES IN SCHEMA hook TO \"{{name}}\";
GRANT ALL ON ALL SEQUENCES IN SCHEMA hook TO \"{{name}}\";" \
default_ttl="1h" \
max_ttl="240h"
vault auth enable kubernetes
vault write auth/kubernetes/config \
token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
kubernetes_host=https://${KUBERNETES_PORT_443_TCP_ADDR}:443 \
kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
vault write auth/kubernetes/role/db-app \
bound_service_account_names="*" \
bound_service_account_namespaces=default \
policies=db-app \
ttl=1h
vault policy write db-app /vault-init/db-policy.hcl
db-policy.hcl: |
path "database/creds/db-app" {
capabilities = ["read"]
}
path "database/creds/db-app-hook" {
capabilities = ["read"]
}
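Review bot: `bound_service_account_names="*"` with `bound_service_account_namespaces=default` lets any pod in the default namespace log in as `db-app`, and the `db-app` policy grants read on both creds paths, so every workload in the namespace, not just shumway and hooker, can mint PostgreSQL credentials for both databases; bind the role to the two service accounts and split the policy per service. Both database configs also connect as the `postgres` superuser with the password `H@ckM3` kept in a ConfigMap: use a dedicated role with `CREATEROLE` and run `vault write -f database/rotate-root/shumway` (and the same for `hook`) after configuration so the static password is no longer valid outside Vault. Finally, `max_ttl` for `db-app-hook` grows from `24h` in the removed ConfigMap to `240h`; ten-day leases are long for credentials that are already rotated every hour by `default_ttl="1h"`.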


@ -1,67 +0,0 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
name: vault-cm
labels:
app: vault
data:
init.vault.sh: |
# TODO WHACK! Replace line below with helm hook
# to ensure init.vault.sh run AFTER Vault has been started
sleep 15
vault secrets enable database
sleep 15
vault write database/config/shumway \
plugin_name=postgresql-database-plugin \
allowed_roles="*" \
connection_url="postgresql://{{username}}:{{password}}@postgres-postgresql.default:5432/shumway?sslmode=disable" \
username="postgres" \
password="H@ckM3"
vault write database/roles/db-app \
db_name=shumway \
creation_statements="Create schema if not exists shm;
CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';
GRANT CREATE ON DATABASE shumway TO \"{{name}}\";
GRANT ALL ON schema shm TO \"{{name}}\";
GRANT ALL ON ALL TABLES IN SCHEMA shm TO \"{{name}}\";
GRANT ALL ON ALL SEQUENCES IN SCHEMA shm TO \"{{name}}\";" \
default_ttl="1h" \
max_ttl="240h"
vault write database/config/hook \
plugin_name=postgresql-database-plugin \
allowed_roles="*" \
connection_url="postgresql://{{username}}:{{password}}@postgres-postgresql.default:5432/hook?sslmode=disable" \
username="postgres" \
password="H@ckM3"
vault write database/roles/db-app-hook \
db_name=hook \
creation_statements="Create schema if not exists hook;
CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';
GRANT CREATE ON DATABASE hook TO \"{{name}}\";
GRANT ALL ON schema hook TO \"{{name}}\";
GRANT ALL ON ALL TABLES IN SCHEMA hook TO \"{{name}}\";
GRANT ALL ON ALL SEQUENCES IN SCHEMA hook TO \"{{name}}\";" \
default_ttl="1h" \
max_ttl="24h"
vault auth enable kubernetes
vault write auth/kubernetes/config \
token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
kubernetes_host=https://${KUBERNETES_PORT_443_TCP_ADDR}:443 \
kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
vault write auth/kubernetes/role/db-app \
bound_service_account_names="*" \
bound_service_account_namespaces=default \
policies=db-app \
ttl=1h
vault policy write db-app /vault-init/db-policy.hcl
db-policy.hcl: |
path "database/creds/db-app" {
capabilities = ["read"]
}
path "database/creds/db-app-hook" {
capabilities = ["read"]
}


@ -1,9 +1,19 @@
server:
dev:
standalone:
enabled: true
readinessProbe:
enabled: true
path: "/v1/sys/health?standbyok=true&sealedcode=204&uninitcode=204"
config: |
api_addr = "http://POD_IP:8200"
listener "tcp" {
tls_disable = 1
address = "[::]:8200"
}
storage "file" {
path = "/vault/data"
}
extraLabels:
selector.cilium.rbkmoney/release: {{ .Release.Name }}
volumes:
- name: vault-init
configMap:
@ -16,7 +26,11 @@ server:
- mountPath: /vault-init
name: vault-init
postStart:
- /bin/sh
- -c
- "/vault-init/init.vault.sh"
ciliumPolicies:
- filters:
- port: 5432
type: TCP
name: postgres
namespace: default
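Review bot: With `dev` replaced by `standalone` and file storage, Vault starts uninitialized and sealed, yet the `postStart` hook immediately runs `init.vault.sh` (`vault secrets enable`, `vault write ...`), which needs an initialized, unsealed server and a token; nothing in this hunk provides either, and the readiness path `sealedcode=204&uninitcode=204` marks the pod ready in exactly that state, so the hook will fail unless initialization and unseal happen elsewhere. `tls_disable = 1` also means the agent injections in hooker and shumway fetch credentials over plain HTTP; mark it dev-only.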


@ -1,2 +1,4 @@
{cache_size, 0 }.
{inet6 , true }.
{tcp , inet6_tcp}.
{cache_size, 0 }.
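Review bot: `{inet6, true}` and `{tcp, inet6_tcp}` are added unconditionally, while erl_vm_args.gotmpl only emits `-proto_dist inet6_tcp` when `ipv6only` is set; with `inet6` the resolver prefers AAAA lookups, so verify name resolution of the in-cluster service names on an IPv4-only cluster, or template this file the same way vm.args is.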


@ -0,0 +1,7 @@
-sname {{ .Release.Name }}
-setcookie {{ .Release.Name }}_cookie
{{- if .Values.services.global.ipv6only }}
-proto_dist inet6_tcp
{{- end }}
-kernel inetrc '"./erl_inetrc"'
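Review bot: `-setcookie {{ .Release.Name }}_cookie` makes the distribution cookie derivable from the release name; the cookie is the only authentication on Erlang distribution, so anyone who can reach epmd and the node's dist port gets a remote shell on it. Generate the cookie per release (for example a `randAlphaNum` value kept in a Secret and mounted, or an existing-secret reference) and make sure the ciliumPolicies for these releases do not expose epmd/dist ports to anything but cluster peers.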

@ -63,9 +63,9 @@
}
}},
{service_urls, #{
cds_storage => "http://cds.default.svc.cluster.local:8022/v2/storage",
binbase => "http://binbase.default.svc.cluster.local:8022/v1/binbase",
identdoc_storage => "http://cds.default.svc.cluster.local:8022/v1/identity_document_storage"
cds_storage => "http://cds:8022/v2/storage",
binbase => "http://binbaser:8022/v1/binbase",
identdoc_storage => "http://cds:8022/v1/identity_document_storage"
}},
{health_checkers, [
{erl_health, disk , ["/", 99] },
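Review bot: `binbaser:8022` in the binbase URL is a typo for `binbase:8022` and will fail DNS resolution; the other two entries (`cds:8022`) follow the short-name scheme correctly.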

@ -1,14 +1,79 @@
# -*- mode: yaml -*-
replicaCount: 1
image:
repository: docker.io/rbkmoney/wapi
tag: d115d1933b58fcc2e94c1af7df5a58e1e04dc364
pullPolicy: IfNotPresent
appConfig: |
{{- readFile "sys.config" | nindent 2 }}
erlInetrc: |
{{- readFile "../vm/erl_inetrc" | nindent 2 }}
fetchKeycloakPubkey: |
{{- readFile "../api-common/fetch-keycloak-pubkey.sh" | nindent 2 }}
tokenEncryptionKey1: |
{{- readFile "../api-common/token-encryption-keys/1.jwk" | nindent 2 }}
capiPrivkey: |
{{- readFile "../api-common/capi.privkey.pem" | nindent 2 }}
configMap:
data:
sys.config: |
{{- readFile "sys.config" | nindent 6 }}
erl_inetrc: |
{{- readFile "../vm/erl_inetrc" | nindent 6 }}
fetchKeycloakPubkey: |
{{- readFile "../api-common/fetch-keycloak-pubkey.sh" | nindent 6 }}
vm.args: |
{{- tpl (readFile "../vm/erl_vm_args.gotmpl") . | nindent 6 }}
secret:
data:
token_encryption_key1.jwk: |
{{- readFile "../api-common/keys/token-encryption-keys/1.jwk" | nindent 6 }}
capi.privkey.pem: |
{{- readFile "../api-common/keys/capi.privkey.pem" | nindent 6 }}
apiInitContainers:
enabled: true
volumeMounts:
- name: config-volume
mountPath: /opt/wapi/releases/0.1.0/sys.config
subPath: sys.config
readOnly: true
- name: config-volume
mountPath: /opt/wapi/releases/0.1.0/vm.args
subPath: vm.args
readOnly: true
- name: config-volume
mountPath: /opt/wapi/erl_inetrc
subPath: erl_inetrc
readOnly: true
- name: secret
mountPath: /var/lib/wapi/keys
readOnly: true
- name: keycloak-pubkey
mountPath: /var/lib/wapi/keys/keycloak
readOnly: true
volumes:
- name: config-volume
configMap:
name: {{ .Release.Name }}
defaultMode: 0755
- name: secret
secret:
secretName: {{ .Release.Name }}
- name: keycloak-pubkey
emptyDir: {}
ingress:
enabled: true
hosts:
- host: api.rbk.dev
paths:
- /privdoc/v0
- /payres/v0
ciliumPolicies:
- filters:
- port: 8022
type: TCP
name: bender
namespace: default
- filters:
- port: 8022
type: TCP
name: cds
namespace: default
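Review bot: the `ciliumPolicies` list here allows egress only to bender and cds, but the release enables `apiInitContainers` with `fetchKeycloakPubkey`, which has to reach Keycloak; the fistful-server values in this same change list `keycloak` on 8080 for exactly that reason, so add the same filter here or the init container will hang whenever `cilium.enabled` is true. Separately, `token_encryption_key1.jwk` and `capi.privkey.pem` are read straight from `../api-common/keys/` in the repo into the release Secret; that is fine for a throwaway dev stand, but mark them as test keys in the values file and source them from the Vault this stack already deploys for anything else.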

@ -442,11 +442,11 @@
}},
{signee, wapi},
{oops_bodies, #{
500 => "/var/lib/wapi/oops-bodies/oops-body1",
501 => "/var/lib/wapi/oops-bodies/oops-body1",
502 => "/var/lib/wapi/oops-bodies/oops-body1",
503 => "/var/lib/wapi/oops-bodies/oops-body2",
504 => "/var/lib/wapi/oops-bodies/oops-body2"
500 => "/var/lib/wapi/oops-bodies/oopsBody1",
501 => "/var/lib/wapi/oops-bodies/oopsBody1",
502 => "/var/lib/wapi/oops-bodies/oopsBody1",
503 => "/var/lib/wapi/oops-bodies/oopsBody2",
504 => "/var/lib/wapi/oops-bodies/oopsBody2"
}},
{health_check, #{
service => {erl_health, service, [<<"wapi">>]}

@ -1,18 +1,133 @@
# -*- mode: yaml -*-
replicaCount: 1
image:
repository: docker.io/rbkmoney/fistful-server
tag: 280324f9b10146ab7a641b42ca987e1272db30e2
pullPolicy: IfNotPresent
appConfig: |
{{- readFile "sys.config" | nindent 2 }}
erlInetrc: |
{{- readFile "../vm/erl_inetrc" | nindent 2 }}
fetchKeycloakPubkey: |
{{- readFile "../api-common/fetch-keycloak-pubkey.sh" | nindent 2 }}
oopsBody1: |
{{- readFile "../api-common/oops-bodies/sad-kitty1" | nindent 2 }}
oopsBody2: |
{{- readFile "../api-common/oops-bodies/sad-kitty2" | nindent 2 }}
tokenEncryptionKey1: |
{{- readFile "../api-common/token-encryption-keys/1.jwk" | nindent 2 }}
capiPrivkey: |
{{- readFile "../api-common/capi.privkey.pem" | nindent 2 }}
configMap:
data:
sys.config: |
{{- readFile "sys.config" | nindent 6 }}
erl_inetrc: |
{{- readFile "../vm/erl_inetrc" | nindent 6 }}
fetchKeycloakPubkey: |
{{- readFile "../api-common/fetch-keycloak-pubkey.sh" | nindent 6 }}
oopsBody1: |
{{- readFile "../api-common/oops-bodies/sad-kitty1" | nindent 6 }}
oopsBody2: |
{{- readFile "../api-common/oops-bodies/sad-kitty2" | nindent 6 }}
vm.args: |
{{- tpl (readFile "../vm/erl_vm_args.gotmpl") . | nindent 6 }}
secret:
data:
token_encryption_key1.jwk: |
{{- readFile "../api-common/keys/token-encryption-keys/1.jwk" | nindent 6 }}
capi.privkey.pem: |
{{- readFile "../api-common/keys/capi.privkey.pem" | nindent 6 }}
apiInitContainers:
enabled: true
volumeMounts:
- name: config-volume
mountPath: /opt/wapi/releases/0.1.0/sys.config
subPath: sys.config
readOnly: true
- name: config-volume
mountPath: /opt/wapi/releases/0.1.0/vm.args
subPath: vm.args
readOnly: true
- name: config-volume
mountPath: /opt/wapi/erl_inetrc
subPath: erl_inetrc
readOnly: true
- name: config-volume
mountPath: /var/lib/wapi/oops-bodies/oopsBody1
subPath: oopsBody1
readOnly: true
- name: config-volume
mountPath: /var/lib/wapi/oops-bodies/oopsBody2
subPath: oopsBody2
readOnly: true
- name: secret
mountPath: /var/lib/wapi/keys
readOnly: true
- name: keycloak-pubkey
mountPath: /var/lib/wapi/keys/keycloak
readOnly: true
volumes:
- name: config-volume
configMap:
name: {{ .Release.Name }}
defaultMode: 0755
- name: secret
secret:
secretName: {{ .Release.Name }}
- name: keycloak-pubkey
emptyDir: {}
service:
type: ClusterIP
ports:
- name: api
port: 8080
- name: management
port: 8022
livenessProbe:
httpGet:
path: /health
port: management
readinessProbe:
httpGet:
path: /health
port: management
ingress:
enabled: true
hosts:
- host: api.rbk.dev
paths:
- /wapi
servicePort: 8080
ciliumPolicies:
- filters:
- port: 8080
type: TCP
name: keycloak
namespace: default
- filters:
- port: 8022
type: TCP
name: binbase
namespace: default
- filters:
- port: 8022
type: TCP
name: cds
namespace: default
- filters:
- port: 8022
type: TCP
name: shumway
namespace: default
- filters:
- port: 8022
type: TCP
name: machinegun
namespace: default
- filters:
- port: 8022
type: TCP
name: dominant
namespace: default
- filters:
- port: 8022
type: TCP
name: hellgate
namespace: default
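Review bot: the image is `docker.io/rbkmoney/fistful-server` but every config mount targets `/opt/wapi/releases/0.1.0/...` and `/var/lib/wapi/...`; please confirm the release inside that image is really named `wapi` with version `0.1.0`, because a subPath mount onto a path the release never reads is created silently and the node then starts with the image's baked-in sys.config. Also `defaultMode: 0755` on `config-volume` applies to sys.config, vm.args and erl_inetrc as well; only the fetch script needs the execute bit, so set it per item (`items: - key: fetchKeycloakPubkey` with `mode: 0755`) and leave the rest at 0644.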

@ -1 +0,0 @@
replicaCount: 1 # Desired quantity of ZooKeeper pods. This should always be (1,3,5, or 7)

default.values.yaml Normal file

@ -0,0 +1,10 @@
cilium:
enabled: false
elk:
enabled: false
keycloakExtUrl: "https://some-site.example.com"
services:
global:
ipv6only: true

environments.yaml Normal file

@ -0,0 +1,6 @@
environments:
default:
values:
- default.values.yaml
devstand:
production:
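Review bot: `devstand` and `production` have no `values:`, and helmfile does not inherit the `default` environment's values, so in those environments `.Values.cilium.enabled` and `.Values.elk.enabled` (helmfile.yaml, helmfile-infra.yaml) and `.Values.services.global.ipv6only` (erl_vm_args.gotmpl) are undefined and rendering fails with a nil-map error. List `default.values.yaml` under each environment and layer an environment-specific values file on top of it.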

@ -1,7 +1,13 @@
version: v0.132.0
version: v0.137.0
dependencies:
- name: elk
repository: https://rbkmoney.github.io/charts
version: 0.1.1
- name: kube-prometheus-stack
repository: https://prometheus-community.github.io/helm-charts
version: 12.1.0
digest: sha256:f546085e97716d6a910025c43d416c86c8c95b584c92c946c3996b96f4524ac0
generated: "2020-11-23T14:08:29.249338448+03:00"
version: 13.10.0
- name: netpolicy
repository: https://rbkmoney.github.io/charts
version: 0.1.14
digest: sha256:37098407fb69a1528c2ee37311dc0a608ef9c334167c0b5d5b45d01908922787
generated: "2021-02-19T14:05:37.142917+03:00"

@ -1,21 +1,36 @@
bases:
- environments.yaml
---
{{ readFile "hf-templates.yaml" }}
repositories:
- name: prometheus-community
url: https://prometheus-community.github.io/helm-charts
- name: rbkmoney
url: https://rbkmoney.github.io/charts
{{ if .Values.elk.enabled }}
releases:
- name: prometheus
<<: *default
<<: *infra_default
chart: prometheus-community/kube-prometheus-stack
version: 12.1.0
namespace: monitoring
needs:
- monitoring/logs
# - default/logs
- name: logs
# Change to installed: true if you need ECK installed
installed: false
<<: *default
- monitoring/logs
{{ else }}
releases:
- name: prometheus
<<: *infra_default
chart: prometheus-community/kube-prometheus-stack
namespace: monitoring
chart: ./services/elk
{{ end }}
- name: logs
installed: {{ .Values.elk.enabled }}
<<: *infra_default
namespace: monitoring
chart: rbkmoney/elk
- name: netpolicy
installed: {{ .Values.cilium.enabled }}
<<: *infra_default
chart: rbkmoney/netpolicy
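Review bot: the `prometheus` release is declared twice, once in each branch of `{{ if .Values.elk.enabled }}`, and the branches differ only in `needs`; since the whole file is a Go template, a single release with just the `needs:` block wrapped in that `if` is shorter and cannot drift. `netpolicy` also has no `namespace:` (`*infra_default` does not set one), so it installs into whatever namespace the kubectl context has; pin it explicitly like the monitoring releases.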

@ -1,22 +1,31 @@
version: v0.132.0
version: v0.137.0
dependencies:
- name: consul
repository: https://charts.helm.sh/stable
version: 3.9.5
repository: https://helm.releases.hashicorp.com
version: 0.30.0
- name: kafka
repository: https://charts.helm.sh/incubator
version: 0.21.2
repository: https://charts.bitnami.com/bitnami
version: 12.7.3
- name: keycloak
repository: https://codecentric.github.io/helm-charts
version: 9.0.1
version: 9.9.3
- name: postgresql
repository: https://charts.bitnami.com/bitnami
version: 9.2.0
version: 9.7.2
- name: raw
repository: https://rbkmoney.github.io/charts
version: 0.1.1
- name: statefull
repository: https://rbkmoney.github.io/charts
version: 0.1.18
- name: stateless
repository: https://rbkmoney.github.io/charts
version: 0.1.13
- name: test-transaction
repository: https://rbkmoney.github.io/charts
version: 0.1.2
- name: vault
repository: https://helm.releases.hashicorp.com
version: 0.7.0
- name: zookeeper
repository: https://charts.helm.sh/incubator
version: 2.1.3
digest: sha256:f640cc46a54fc0fa8eaf0462bf71395928ffe08f4d5893f72fe4c24d1693d425
generated: "2020-10-28T19:52:52.6139374+03:00"
version: 0.9.1
digest: sha256:876b3658a8a67fd25b08119565e480f92b0e73453ba6c21cd7a76711a9783ac7
generated: "2021-02-19T14:18:35.150327+03:00"
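Review bot: consul (charts.helm.sh/stable 3.9.5 to helm.releases.hashicorp.com 0.30.0) and kafka (charts.helm.sh/incubator 0.21.2 to charts.bitnami.com/bitnami 12.7.3) are chart replacements, not version bumps, and their values schemas differ; please confirm config/consul and config/kafka were rewritten for the new charts, and state in the commit that zookeeper now comes bundled with the bitnami kafka chart so the dropped standalone zookeeper dependency is intentional.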

@ -1,185 +1,160 @@
bases:
- environments.yaml
---
{{ if .Values.cilium.enabled }}
{{ readFile "hf-templates.yaml" }}
{{ else }}
{{ readFile "hf-templates-cnp-disabled.yaml" }}
{{ end }}
repositories:
- name: stable
url: https://charts.helm.sh/stable
- name: incubator
url: https://charts.helm.sh/incubator
- name: bitnami
url: https://charts.bitnami.com/bitnami
- name: hashicorp
url: https://helm.releases.hashicorp.com
- name: codecentric
url: https://codecentric.github.io/helm-charts
- name: rbkmoney
url: https://rbkmoney.github.io/charts
# Path to the helmfile state file being processed BEFORE releases in this state file
helmfiles:
- # Path to the helmfile state file being processed BEFORE releases in this state file
path: helmfile-infra.yaml
- path: helmfile-infra.yaml
releases:
- name: zookeeper
<<: *default
chart: incubator/zookeeper
version: 2.1.3
#External releases
- name: kafka
<<: *default
needs:
- default/zookeeper
chart: incubator/kafka
version: 0.21.2
chart: bitnami/kafka
version: 12.7.3
- name: consul
<<: *default
chart: stable/consul
version: 3.9.5
chart: hashicorp/consul
- name: postgres
<<: *default
chart: bitnami/postgresql
version: 9.2.0
version: 9.7.2
wait: true
- name: vault-cm
<<: *default
chart: rbkmoney/raw
- name: vault
<<: *default
chart: hashicorp/vault
version: 0.7.0
needs:
- default/postgres
- {{ .Namespace | default "default" }}/postgres
- {{ .Namespace | default "default" }}/vault-cm
wait: true
- name: keycloak-realms
<<: *default
chart: rbkmoney/raw
- name: keycloak
<<: *default
chart: codecentric/keycloak
version: 9.0.1
needs:
- default/postgres
- {{ .Namespace | default "default" }}/postgres
- {{ .Namespace | default "default" }}/keycloak-realms
wait: true
#Rbkmoney processing releases
- name: holmes
<<: *default
<<: *generic_stateless
- name: riak
<<: *default
labels:
logfmt: json
chart: ./services/riak
set:
- name: config.user
file: config/riak/user.yaml
<<: *generic_statefull_json
- name: machinegun
<<: *default
labels:
logfmt: json
<<: *generic_stateless_json
needs:
- default/consul
- default/riak
- default/kafka
- {{ .Namespace | default "default" }}/consul
- {{ .Namespace | default "default" }}/riak
- {{ .Namespace | default "default" }}/kafka
- name: bender
<<: *default
labels:
logfmt: json
<<: *generic_statefull_json
- name: kds
<<: *default
labels:
logfmt: json
<<: *generic_stateless_json
- name: cds
<<: *default
labels:
logfmt: json
<<: *generic_stateless_json
needs:
- default/kds
- default/riak
- {{ .Namespace | default "default" }}/kds
- {{ .Namespace | default "default" }}/riak
- name: shumway
<<: *default
labels:
logfmt: json
<<: *generic_stateless_json
needs:
- default/vault
- default/postgres
- {{ .Namespace | default "default" }}/vault
- {{ .Namespace | default "default" }}/postgres
wait: true
- name: hooker
<<: *default
<<: *generic_stateless
needs:
- default/vault
- default/kafka
- {{ .Namespace | default "default" }}/vault
- {{ .Namespace | default "default" }}/kafka
- name: dominant
<<: *default
labels:
logfmt: json
<<: *generic_stateless_json
needs:
- default/shumway
- {{ .Namespace | default "default" }}/shumway
wait: true
- name: binbase
<<: *default
<<: *generic_stateless
- name: proxy-mocketbank
<<: *default
labels:
logfmt: json
<<: *generic_stateless_json
needs:
- default/hellgate
- {{ .Namespace | default "default" }}/hellgate
- name: proxy-mocketbank-mpi
<<: *default
labels:
logfmt: json
<<: *generic_stateless_json
needs:
- default/proxy-mocketbank
- {{ .Namespace | default "default" }}/proxy-mocketbank
- name: proxy-mocket-inspector
<<: *default
labels:
logfmt: json
<<: *generic_stateless_json
needs:
- default/hellgate
- {{ .Namespace | default "default" }}/hellgate
- name: hellgate
<<: *default
labels:
logfmt: json
<<: *generic_stateless_json
needs:
- default/dominant
- {{ .Namespace | default "default" }}/dominant
- name: capi-pcidss-v2
<<: *default
labels:
logfmt: json
<<: *generic_stateless_json
needs:
- default/keycloak
- {{ .Namespace | default "default" }}/keycloak
- name: capi-pcidss-v1
<<: *default
labels:
logfmt: json
<<: *generic_stateless_json
needs:
- default/keycloak
- {{ .Namespace | default "default" }}/keycloak
- name: url-shortener
<<: *default
<<: *generic_stateless
- name: capi-v1
<<: *default
labels:
logfmt: json
<<: *generic_stateless_json
needs:
- default/keycloak
- {{ .Namespace | default "default" }}/keycloak
- name: capi-v2
<<: *default
labels:
logfmt: json
<<: *generic_stateless_json
needs:
- default/keycloak
- {{ .Namespace | default "default" }}/keycloak
- name: wapi-pcidss-v0
installed: false
<<: *default
labels:
logfmt: json
<<: *generic_stateless_json
needs:
- default/keycloak
- {{ .Namespace | default "default" }}/keycloak
- name: wapi
installed: false
<<: *default
labels:
logfmt: json
<<: *generic_stateless_json
needs:
- default/keycloak
- {{ .Namespace | default "default" }}/keycloak
- name: payform
<<: *default
set:
- name: appconfig
file: config/payform/appConfig.json
<<: *generic_stateless
- name: test-transaction
<<: *default
chart: rbkmoney/test-transaction
needs:
- default/shumway
- default/dominant
- default/cds
- default/keycloak
- {{ .Namespace | default "default" }}/shumway
- {{ .Namespace | default "default" }}/dominant
- {{ .Namespace | default "default" }}/cds
- {{ .Namespace | default "default" }}/keycloak
- name: anapi
<<: *generic_stateless_json
needs:
- {{ .Namespace | default "default" }}/keycloak
- name: binapi
<<: *generic_stateless_json
needs:
- {{ .Namespace | default "default" }}/keycloak
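Review bot: releases now resolve their namespace with `{{ .Namespace | default "default" }}`, but the `ciliumPolicies` entries in the values files (vault, wapi, fistful-server and the rest) still hardcode `namespace: default` for every peer, so a deploy with `helmfile -n <ns>` puts the pods in `<ns>` while the policies keep matching peers in `default`, and all inter-service traffic is denied when `cilium.enabled` is true. Template those `namespace:` fields from the same expression, or set them once in hf-templates.yaml.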

@ -0,0 +1,35 @@
templates:
default: &default
chart: ./services/{{ .Release.Name }}
namespace: '{{ .Namespace | default "default" }}'
missingFileHandler: Warn
values:
- config/{{ .Release.Name }}/values.yaml
- config/{{ .Release.Name }}/values.yaml.gotmpl
- ciliumPolicies: []
default_generic: &generic_stateless
<<: *default
chart: rbkmoney/stateless
generic_json: &generic_stateless_json
<<: *default
chart: rbkmoney/stateless
values:
- config/{{ .Release.Name }}/values.yaml.gotmpl
- logs:
json: true
- ciliumPolicies: []
generic_statefull: &generic_statefull
<<: *default
chart: rbkmoney/statefull
generic_statefull_json: &generic_statefull_json
<<: *default
chart: rbkmoney/statefull
values:
- config/{{ .Release.Name }}/values.yaml.gotmpl
- logs:
json: true
- ciliumPolicies: []
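Review bot: this file is meant to be the cilium-off twin of hf-templates.yaml, but it diverges beyond the `ciliumPolicies: []` overrides: `default` here has no `timeout: 900` and does not include `config/_common/logging.yaml.gotmpl` or `default.values.yaml`, both of which hf-templates.yaml adds. Flipping `cilium.enabled` therefore also changes release timeouts and logging values, which will be confusing to debug; keep the two files identical apart from the ciliumPolicies lines, or generate the cilium-off variant from the same source.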

@ -1,10 +1,41 @@
templates:
default: &default
chart: ./services/{{ .Release.Name }}
namespace: default
namespace: '{{ .Namespace | default "default" }}'
missingFileHandler: Warn
timeout: 900
values:
- config/_common/logging.yaml.gotmpl
- default.values.yaml
- config/{{ .Release.Name }}/values.yaml
- config/{{ .Release.Name }}/values.yaml.gotmpl
infra: &infra_default
missingFileHandler: Warn
timeout: 900
values:
- config/{{ .Release.Name }}/values.yaml
- config/{{ .Release.Name }}/values.yaml.gotmpl
default_generic: &generic_stateless
<<: *default
chart: rbkmoney/stateless
generic_json: &generic_stateless_json
<<: *default
chart: rbkmoney/stateless
values:
- config/{{ .Release.Name }}/values.yaml.gotmpl
- logs:
json: true
generic_statefull: &generic_statefull
<<: *default
chart: rbkmoney/statefull
generic_statefull_json: &generic_statefull_json
<<: *default
chart: rbkmoney/statefull
values:
- config/{{ .Release.Name }}/values.yaml.gotmpl
- logs:
json: true
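Review bot: YAML merge keys (`<<: *default`) are shallow, so the `values:` list in `generic_json` and `generic_statefull_json` replaces the inherited list instead of appending to it; releases using `*generic_stateless_json` / `*generic_statefull_json` therefore lose `config/_common/logging.yaml.gotmpl`, `default.values.yaml` and `config/{{ .Release.Name }}/values.yaml`, while `generic_stateless` / `generic_statefull` keep them. If that is intended (JSON logging replacing logging.yaml.gotmpl), add a comment saying so; otherwise repeat the full list and append `- logs: {json: true}`.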

@ -1,23 +0,0 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/

@ -1,6 +0,0 @@
apiVersion: v2
name: bender
description: Service for binding external IDs to internal IDs
type: application
version: 0.1.0
appVersion: b0eea3098f05606fa244cc8ffc1fa20d101d42b7

@ -1,2 +0,0 @@
You can use {{ template "bender.fullname" . }}:{{ .Values.service.port }} to connect to the bender woody interface.

@ -1,71 +0,0 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "bender.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "bender.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "bender.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Common labels
*/}}
{{- define "bender.labels" -}}
helm.sh/chart: {{ include "bender.chart" . }}
{{ include "bender.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end -}}
{{/*
Selector labels
*/}}
{{- define "bender.selectorLabels" -}}
app.kubernetes.io/name: {{ include "bender.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end -}}
{{/*
Create the name of the service account to use
*/}}
{{- define "bender.serviceAccountName" -}}
{{- if .Values.serviceAccount.create -}}
{{ default (include "bender.fullname" .) .Values.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.serviceAccount.name }}
{{- end -}}
{{- end -}}
{{/*
Create the configs hash
*/}}
{{- define "bender.propertiesHash" -}}
{{- $config := include (print $.Template.BasePath "/configmap.yaml") . | sha256sum -}}
{{- print $config -}}
{{- end -}}

@ -1,19 +0,0 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "bender.fullname" . }}
labels:
{{- include "bender.labels" . | nindent 4 }}
data:
sys.config: |
{{- .Values.appConfig | nindent 4 }}
vm.args: |
-sname {{ include "bender.fullname" . }}
-setcookie {{ include "bender.fullname" . }}_cookie
{{- if .Values.beam.disableSBWT }}
+sbwt none
{{- end }}
-kernel inetrc '"./erl_inetrc"''
erl_inetrc: |
{{- .Values.erlInetrc | nindent 4 }}

@ -1,15 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: {{ include "bender.fullname" . }}
labels:
{{- include "bender.labels" . | nindent 4 }}
spec:
type: {{ .Values.service.type }}
ports:
- port: {{ .Values.service.port }}
targetPort: bender
protocol: TCP
name: bender
selector:
{{- include "bender.selectorLabels" . | nindent 4 }}

@ -1,12 +0,0 @@
{{- if .Values.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "bender.serviceAccountName" . }}
labels:
{{- include "bender.labels" . | nindent 4 }}
{{- with .Values.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end -}}

@ -1,25 +0,0 @@
{{- if .Values.metrics.serviceMonitor.enabled }}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ template "bender.fullname" . }}
{{- with .Values.metrics.serviceMonitor.namespace }}
namespace: {{ toYaml . }}
{{- end }}
labels:
{{- include "bender.labels" . | nindent 4 }}
{{- with .Values.metrics.serviceMonitor.additionalLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
endpoints:
- port: "bender"
path: /metrics
scheme: http
namespaceSelector:
matchNames:
- "{{ $.Release.Namespace }}"
selector:
matchLabels:
{{- include "bender.selectorLabels" . | nindent 6 }}
{{- end }}

@ -1,87 +0,0 @@
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: {{ include "bender.fullname" . }}
labels:
{{- include "bender.labels" . | nindent 4 }}
spec:
replicas: {{ .Values.replicaCount }}
updateStrategy:
type: RollingUpdate
serviceName: {{ include "bender.fullname" . }}
selector:
matchLabels:
{{- include "bender.selectorLabels" . | nindent 6 }}
template:
metadata:
labels:
{{- include "bender.selectorLabels" . | nindent 8 }}
annotations:
{{- with .Values.podAnnotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
bender/properties-hash: {{ include "bender.propertiesHash" . }}
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "bender.serviceAccountName" . }}
securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
containers:
- name: {{ .Chart.Name }}
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
image: "{{ .Values.image.repository }}:{{ .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
ports:
- name: bender
containerPort: {{ .Values.service.port }}
protocol: TCP
livenessProbe:
httpGet:
path: /health
port: bender
readinessProbe:
httpGet:
path: /health
port: bender
volumeMounts:
- name: config-volume
mountPath: /opt/bender/releases/1.0.0/sys.config
subPath: sys.config
readOnly: true
- name: config-volume
mountPath: /opt/bender/releases/1.0.0/vm.args
subPath: vm.args
readOnly: true
- name: config-volume
mountPath: /opt/bender/erl_inetrc
subPath: erl_inetrc
readOnly: true
resources:
{{- toYaml .Values.resources | nindent 12 }}
volumes:
- name: config-volume
configMap:
name: {{ include "bender.fullname" . }}
items:
- key: sys.config
path: sys.config
- key: vm.args
path: vm.args
- key: erl_inetrc
path: erl_inetrc
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}

@ -1,15 +0,0 @@
apiVersion: v1
kind: Pod
metadata:
name: '{{ include "bender.fullname" . }}-test-connection'
labels:
{{- include "bender.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": test-success
spec:
containers:
- name: wget
image: busybox
command: ['wget']
args: ['{{ include "bender.fullname" . }}:{{ .Values.service.port }}/health']
restartPolicy: Never

@ -1,69 +0,0 @@
# Default values for bender.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
replicaCount: 1
image:
repository: docker.io/rbkmoney/bender
pullPolicy: IfNotPresent
imagePullSecrets: []
beam:
disableSBWT: false
metrics:
serviceMonitor:
enabled: false
namespace: default
# Used to pass Labels that are used by the Prometheus installed in your cluster to select Service Monitors to work with
# ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/api.md#prometheusspec
additionalLabels: {}
nameOverride: ""
fullnameOverride: ""
serviceAccount:
# Specifies whether a service account should be created
create: true
# Annotations to add to the service account
annotations: {}
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
name: ""
podAnnotations: {}
podSecurityContext: {}
# fsGroup: 2000
securityContext: {}
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 1000
service:
type: ClusterIP
port: 8022
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
nodeSelector: {}
tolerations: []
affinity: {}

@ -1,23 +0,0 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/

@ -1,6 +0,0 @@
apiVersion: v2
name: binbase
description: Bank card information retrieval service
type: application
version: 0.1.0
appVersion: 53e611d5881405f796f59abef843bcc8178a1343

@ -1,70 +0,0 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "binbase.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "binbase.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "binbase.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "binbase.labels" -}}
helm.sh/chart: {{ include "binbase.chart" . }}
{{ include "binbase.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "binbase.selectorLabels" -}}
app.kubernetes.io/name: {{ include "binbase.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Create the name of the service account to use
*/}}
{{- define "binbase.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "binbase.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}
{{/*
Configs hash
*/}}
{{- define "binbase.propertiesHash" -}}
{{- include (print $.Template.BasePath "/configmap.yaml") . | sha256sum -}}
{{- end -}}

@ -1,10 +0,0 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "binbase.fullname" . }}
labels:
{{- include "binbase.labels" . | nindent 4 }}
data:
entrypoint.sh: |
{{- .Values.entrypoint | nindent 4 }}

@ -1,82 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "binbase.fullname" . }}
labels:
{{- include "binbase.labels" . | nindent 4 }}
spec:
replicas: {{ .Values.replicaCount }}
selector:
matchLabels:
{{- include "binbase.selectorLabels" . | nindent 6 }}
template:
metadata:
labels:
{{- include "binbase.selectorLabels" . | nindent 8 }}
annotations:
{{- with .Values.podAnnotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
binbase/properties-hash: {{ include "binbase.propertiesHash" . }}
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "binbase.serviceAccountName" . }}
securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
containers:
- name: {{ .Chart.Name }}
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
image: "{{ .Values.image.repository }}:{{ .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
ports:
- name: api
containerPort: 8022
protocol: TCP
livenessProbe:
httpGet:
path: /actuator/health
port: api
readinessProbe:
httpGet:
path: /actuator/health
port: api
volumeMounts:
- name: config-volume
mountPath: /opt/binbase/entrypoint.sh
subPath: entrypoint.sh
readOnly: true
command: ["/opt/binbase/entrypoint.sh"]
args:
- -jar
- /opt/binbase/binbase.jar
- --management.security.enabled=false
- --spring.batch.job.enabled=false
- --client.cds.url={{ .Values.cdsUrl }}
- --spring.flyway.enabled=false
- --spring.batch.initialize-schema=never
resources:
{{- toYaml .Values.resources | nindent 12 }}
volumes:
- name: config-volume
configMap:
name: {{ include "binbase.fullname" . }}
items:
- key: entrypoint.sh
path: entrypoint.sh
mode: 0755
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}

@ -1,15 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: {{ include "binbase.fullname" . }}
labels:
{{- include "binbase.labels" . | nindent 4 }}
spec:
type: {{ .Values.service.type }}
ports:
- port: {{ .Values.service.port }}
targetPort: 8022
protocol: TCP
name: api
selector:
{{- include "binbase.selectorLabels" . | nindent 4 }}

@ -1,12 +0,0 @@
{{- if .Values.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "binbase.serviceAccountName" . }}
labels:
{{- include "binbase.labels" . | nindent 4 }}
{{- with .Values.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end -}}

@ -1,15 +0,0 @@
apiVersion: v1
kind: Pod
metadata:
name: "{{ include "binbase.fullname" . }}-test-connection"
labels:
{{- include "binbase.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": test-success
spec:
containers:
- name: wget
image: busybox
command: ['wget']
args: ['{{ include "binbase.fullname" . }}:{{ .Values.service.port }}/actuator/health']
restartPolicy: Never

@ -1,56 +0,0 @@
image:
repository: docker.io/rbkmoney/binbase-test-data
pullPolicy: IfNotPresent
imagePullSecrets: []
replicaCount: 1
cdsUrl: http://cds.default.svc.cluster.local:8022/v2/storage
nameOverride: ""
fullnameOverride: ""
podSecurityContext: {}
# fsGroup: 2000
serviceAccount:
# Specifies whether a service account should be created
create: true
# Annotations to add to the service account
annotations: {}
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
name: ""
podAnnotations: {}
securityContext: {}
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 1000
service:
type: ClusterIP
port: 8022
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
nodeSelector: {}
tolerations: []
affinity: {}
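Review bot: `securityContext: {}` and `podSecurityContext: {}` ship with all the hardening commented out (`drop: [ALL]`, `readOnlyRootFilesystem`, `runAsNonRoot`, `runAsUser`), so by default the container runs as whatever user the image picks, with a writable root filesystem and the full default capability set; these should be the live defaults with the comment markers removed, not suggestions. `cdsUrl` also hard-codes the `default` namespace and plain `http://`, which breaks any install into another namespace and sends traffic to the storage endpoint unencrypted unless something else (a mesh) wraps it; build the URL in the template from `.Release.Namespace` and point it at an https endpoint where one exists.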
@ -1,23 +0,0 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/
@ -1,6 +0,0 @@
apiVersion: v2
name: capi-pcidss-v1
description: Common api pcidss
type: application
version: 0.1.0
appVersion: 3007bbf74504d9f9c709d5ace37cbcfce85c0f4e
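Review bot: `appVersion` is a full commit SHA and the deployment template uses it as the image tag (`{{ .Values.image.repository }}:{{ .Chart.AppVersion }}`), which gives good traceability, but a tag is still mutable in the registry; if the registry supports it, pin the image by digest as well (`repository@sha256:...`) so a re-pushed tag cannot change what runs.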
@ -1,74 +0,0 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "capi-pcidss-v1.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "capi-pcidss-v1.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "capi-pcidss-v1.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "capi-pcidss-v1.labels" -}}
helm.sh/chart: {{ include "capi-pcidss-v1.chart" . }}
{{ include "capi-pcidss-v1.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "capi-pcidss-v1.selectorLabels" -}}
app.kubernetes.io/name: {{ include "capi-pcidss-v1.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Create the configs hash
*/}}
{{- define "capi-pcidss-v1.propertiesHash" -}}
{{- $configmap_path := print $.Template.BasePath "/configmap.yaml" -}}
{{- $oopsbodies_path := print $.Template.BasePath "/oops-bodies.yaml" -}}
{{- $config := cat (include $configmap_path .) (include $oopsbodies_path .) | sha256sum -}}
{{- $secret := include (print $.Template.BasePath "/secret.yaml") . | sha256sum -}}
{{- print $secret $config | sha256sum -}}
{{- end -}}
{{/*
Create the name of the service account
*/}}
{{- define "capi-pcidss-v1.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "capi-pcidss-v1.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}
@ -1,21 +0,0 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "capi-pcidss-v1.fullname" . }}
labels:
{{- include "capi-pcidss-v1.labels" . | nindent 4 }}
data:
fetch-keycloak-pubkey.sh: |
{{- .Values.fetchKeycloakPubkey | nindent 4 }}
sys.config: |
{{- .Values.appConfig | nindent 4 }}
vm.args: |
-sname {{ include "capi-pcidss-v1.fullname" . }}
-setcookie {{ include "capi-pcidss-v1.fullname" . }}_cookie
{{- if .Values.beam.disableSBWT }}
+sbwt none
{{- end }}
# -kernel inetrc '"./erl_inetrc"''
erl_inetrc: |
{{- .Values.erlInetrc | nindent 4 }}
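Review bot: `-setcookie {{ fullname }}_cookie` derives the Erlang distribution cookie from the release name and stores it in a ConfigMap, so it is both predictable and readable by anyone allowed to get ConfigMaps in the namespace. The cookie is the only authentication on the distribution port, and a node that accepts it gives a remote shell on the BEAM, i.e. arbitrary code execution inside the process serving the pcidss API; generate a random cookie into a Secret and feed vm.args from there, and restrict the distribution listener (a NetworkPolicy on the epmd/dist ports, or `-kernel inet_dist_use_interface '{127,0,0,1}'` if clustering is not used). Separately, the `-kernel inetrc` line is commented out (and carries a stray trailing quote), so the `erl_inetrc` key rendered below and mounted by the deployment is never read by the VM; either enable the line or drop both the key and the mount.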
@ -1,121 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "capi-pcidss-v1.fullname" . }}
labels:
{{- include "capi-pcidss-v1.labels" . | nindent 4 }}
spec:
replicas: {{ .Values.replicaCount }}
selector:
matchLabels:
{{- include "capi-pcidss-v1.selectorLabels" . | nindent 6 }}
template:
metadata:
labels:
{{- include "capi-pcidss-v1.selectorLabels" . | nindent 8 }}
annotations:
{{- with .Values.podAnnotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
capi-pcidss-v1/properties-hash: {{ include "capi-pcidss-v1.propertiesHash" . }}
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "capi-pcidss-v1.serviceAccountName" . }}
securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
initContainers:
- name: fetch-keycloack-pubkey
image: busybox:1.32
env:
- name: TARGET
value: "/var/keycloak/keycloak.pubkey.pem"
command:
- /bin/sh
- -c
- /opt/keycloak/fetch-keycloak-pubkey.sh
volumeMounts:
- name: config-volume
mountPath: /opt/keycloak/fetch-keycloak-pubkey.sh
subPath: fetch-keycloak-pubkey.sh
readOnly: true
- name: keycloak-pubkey
mountPath: /var/keycloak
containers:
- name: {{ .Chart.Name }}
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
image: "{{ .Values.image.repository }}:{{ .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
ports:
- name: api
containerPort: {{ .Values.service.port }}
protocol: TCP
livenessProbe:
httpGet:
path: /health
port: api
readinessProbe:
httpGet:
path: /health
port: api
volumeMounts:
- name: config-volume
mountPath: /opt/capi_pcidss/releases/0.1.0/sys.config
subPath: sys.config
readOnly: true
- name: config-volume
mountPath: /opt/capi_pcidss/releases/0.1.0/vm.args
subPath: vm.args
readOnly: true
- name: config-volume
mountPath: /opt/capi_pcidss/erl_inetrc
subPath: erl_inetrc
readOnly: true
- name: oops-bodies
mountPath: /var/lib/capi/oops-bodies
readOnly: true
- name: secret
mountPath: /var/lib/capi/keys
readOnly: true
- name: keycloak-pubkey
mountPath: /var/lib/capi/keys/keycloak
readOnly: true
resources:
{{- toYaml .Values.resources | nindent 12 }}
volumes:
- name: config-volume
configMap:
name: {{ include "capi-pcidss-v1.fullname" . }}
items:
- key: fetch-keycloak-pubkey.sh
path: fetch-keycloak-pubkey.sh
mode: 0755
- key: sys.config
path: sys.config
- key: vm.args
path: vm.args
- key: erl_inetrc
path: erl_inetrc
- name: oops-bodies
configMap:
name: {{ include "capi-pcidss-v1.fullname" . }}-oops-bodies
- name: secret
secret:
secretName: {{ include "capi-pcidss-v1.fullname" . }}
- name: keycloak-pubkey
emptyDir: {}
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
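Review bot: the `fetch-keycloack-pubkey` init container (typo: `keycloack`) sets the trust anchor for token verification by downloading the Keycloak public key at pod start into an emptyDir that the app then reads at `/var/lib/capi/keys/keycloak`. The script is not part of this diff, but it runs in `busybox:1.32`, which ships no CA bundle and whose own `wget` does not validate TLS certificates, so unless the script pins the server certificate or checks the key against a known fingerprint, whoever can answer the Keycloak address during startup can substitute a key and mint tokens the API accepts. The safer layout is to ship the public key in the Secret already mounted at `/var/lib/capi/keys` and drop the fetch; if the fetch stays, give the init container its own `securityContext` and `resources`, since at present the pod-level `podSecurityContext` is its only restriction.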
@ -1,16 +0,0 @@
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: {{ include "capi-pcidss-v1.fullname" . }}
labels:
{{- include "capi-pcidss-v1.labels" . | nindent 4 }}
spec:
rules:
- host: {{ .Values.ingress.host }}
http:
paths:
- path: {{ .Values.ingress.path }}
backend:
serviceName: {{ include "capi-pcidss-v1.fullname" . }}
servicePort: {{ .Values.service.port }}
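Review bot: `apiVersion: extensions/v1beta1` for Ingress was removed in Kubernetes 1.22; the replacement `networking.k8s.io/v1` changes the backend to `service: {name: ..., port: {number: ...}}` and requires a `pathType` (for example `Prefix`) on every path. There is also no `tls:` stanza, so unless the ingress controller forces TLS on its own this PCI DSS API is reachable over plain HTTP at `{{ .Values.ingress.host }}`; add a `tls` block with a secret name taken from values and, where the controller supports it, an HTTPS redirect annotation.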
@ -1,12 +0,0 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "capi-pcidss-v1.fullname" . }}-oops-bodies
labels:
{{- include "capi-pcidss-v1.labels" . | nindent 4 }}
data:
oops-body1: |
{{ .Values.oopsBody1 | nindent 4 }}
oops-body2: |
{{ .Values.oopsBody2 | nindent 4 }}
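Review bot: `{{ .Values.oopsBody1 | nindent 4 }}` and the `oopsBody2` line omit the left trim (`{{-`) that `configmap.yaml` uses, so the rendered literal block scalar begins with an empty line and each body is served with a leading newline (a `|` scalar keeps leading blank lines). Use `{{- .Values.oopsBody1 | nindent 4 }}` as in the other ConfigMap so the stored body is exactly what the values file contains.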

Some files were not shown because too many files have changed in this diff.