bump rules

config/capi-v2/values.yaml.gotmpl

@@ -124,3 +124,8 @@ ciliumPolicies:
       type: TCP
     name: hellgate
     namespace: {{ .Release.Namespace }}
+  - filters:
+    - port: 8022
+      type: TCP
+    name: payouter
+    namespace: {{ .Release.Namespace }}

config/controlcenter/authConfig.json.gotmpl

@@ -1,5 +1,5 @@
 {
-    "realm": "internal",
+    "realm": "external",
     "auth-server-url": "https://auth.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}:31337/auth/",
     "ssl-required": "external",
     "resource": "control-center",

config/dashboard/authConfig.json.gotmpl

@@ -1,5 +1,5 @@
 {
-    "realm": "internal",
+    "realm": "external",
     "auth-server-url": "https://auth.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}:31337/auth/",
     "ssl-required": "external",
     "resource": "koffing",

config/keycloak-realms/external.json.gotmpl

@@ -1529,10 +1529,10 @@
       "clientAuthenticatorType": "client-secret",
       "secret": "**********",
       "redirectUris": [
-        "{{ .Values.services.keycloak.externalUrl }}/*"
+        "https://dashboard.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}:31337/*"
       ],
       "webOrigins": [
-        "{{ .Values.services.keycloak.externalUrl }}"
+        "https://dashboard.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}:31337"
       ],
       "notBefore": 0,
       "bearerOnly": false,
@@ -2225,10 +2225,10 @@
       "clientAuthenticatorType": "client-secret",
       "secret": "**********",
       "redirectUris": [
-        "{{ .Values.services.keycloak.externalUrl }}/*"
+        "https://auth.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}:31337/*"
       ],
       "webOrigins": [
-        "{{ .Values.services.keycloak.externalUrl }}"
+        "https://auth.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}:31337"
       ],
       "notBefore": 0,
       "bearerOnly": false,
@@ -3133,10 +3133,10 @@
     "ssl": "false",
     "user": "no-reply@rbkmoney.com"
   },
-  "loginTheme": "rbkmoney-hood",
-  "accountTheme": "rbkmoney",
+  "loginTheme": "keycloak",
+  "accountTheme": "keycloak",
   "adminTheme": "keycloak",
-  "emailTheme": "rbkmoney-hood",
+  "emailTheme": "keycloak",
   "eventsEnabled": true,
   "eventsExpiration": 51840000,
   "eventsListeners": [

config/keycloak-realms/values.yaml.gotmpl

@@ -1,6 +1,7 @@
 # -*- mode: yaml -*-
 configMap:
   data:
-    realms.json: |
-      {{- tpl (readFile "realms.json.gotmpl") . | nindent 6 }}
-
+    internal.json: |
+      {{- tpl (readFile "internal.json.gotmpl") . | nindent 6 }}
+    external.json: |
+      {{- tpl (readFile "external.json.gotmpl") . | nindent 6 }}

config/keycloak/values.yaml.gotmpl

@@ -4,6 +4,9 @@ postgresql:
 podLabels:
   selector.cilium.rbkmoney/release: {{ .Release.Name }}
 
+image:
+  tag: 12.0.4
+
 extraEnv: |
   - name: PROXY_ADDRESS_FORWARDING
     value: "true"
@@ -32,7 +35,7 @@ extraEnv: |
       -Djboss.modules.system.pkgs=$JBOSS_MODULES_SYSTEM_PKGS
       -Djava.awt.headless=true
   - name: KEYCLOAK_IMPORT
-    value: /realm/realms.json
+    value: /realm/internal.json,/realm/external.json
 
 extraVolumes: |
   - name: keycloak-realms-volume

config/payouter/entrypoint.sh

@@ -0,0 +1,21 @@
+#!/bin/sh
+set -ue
+
+java \
+    "-XX:OnOutOfMemoryError=kill %p" -XX:+HeapDumpOnOutOfMemoryError \
+-jar /opt/payouter/payouter.jar \
+--logging.file=/var/log/payouter/payouter.json \
+--logging.config=/opt/payouter/logback.xml \
+--management.security.enabled=false \
+-Dwoody.node_id=346 \
+--service.dominant.url=http://dominant:8022/v1/domain/repository_client \
+--service.shumway.url=http://shumway:8022/shumpune \
+--kafka.bootstrap-servers=kafka:9092 \
+--kafka.topics.invoice.enabled=false \
+--kafka.topics.party-management.enabled=false \
+--kafka.topics.party-management.concurrency=5 \
+--kafka.client-id=payouter \
+--kafka.consumer.group-id=payouter-invoicing \
+--kafka.consumer.concurrency=5 \
+--kafka.consumer.auto-offset-reset=latest \
+--spring.config.additional-location=/vault/secrets/application.properties

config/payouter/loggers.xml

@@ -0,0 +1,4 @@
+<included>
+    <logger name="com.rbkmoney" level="INFO"/>
+    <logger name="com.rbkmoney.woody" level="INFO"/>
+</included>

config/payouter/values.yaml.gotmpl

@@ -0,0 +1,131 @@
+# -*- mode: yaml -*-
+
+replicaCount: 1
+
+image:
+  repository: docker.io/rbkmoney/payouter
+  tag: a0e37ad47ee5563008d2af47c58a9f117e941db0
+  pullPolicy: IfNotPresent
+
+runopts:
+  command: ["/opt/payouter/entrypoint.sh"]
+
+env:
+  - name: LOGBACK_SERVICE_NAME
+    value: "payouter"
+
+configMap:
+  data: 
+    entrypoint.sh: |
+      {{- readFile "entrypoint.sh" | nindent 6 }}
+    loggers.xml: |
+      {{- readFile "loggers.xml" | nindent 6 }}
+    logback.xml: |
+      {{- readFile "../logs/logback.xml" | nindent 6 }}
+
+volumes:
+  - name: config-volume
+    configMap:
+      name: {{ .Release.Name }}
+      defaultMode: 0755
+
+volumeMounts:
+  - name: config-volume
+    mountPath: /opt/payouter/entrypoint.sh
+    subPath: entrypoint.sh
+    readOnly: true
+  - name: config-volume
+    mountPath: /opt/payouter/logback.xml
+    subPath: logback.xml
+    readOnly: true
+  - name: config-volume
+    mountPath: /opt/payouter/loggers.xml
+    subPath: loggers.xml
+    readOnly: true
+
+service:
+  ports:
+    - name: api
+      port: 8022
+    - name: management
+      port: 8023
+
+livenessProbe: null
+  # httpGet:
+  #   path: /actuator/health
+  #   port: management
+
+readinessProbe: null
+  # httpGet:
+  #   path: /actuator/health
+  #   port: management
+
+podAnnotations:
+  vault.hashicorp.com/role: "db-app"
+  vault.hashicorp.com/agent-inject: "true"
+  vault.hashicorp.com/agent-inject-secret-application.properties: "database/creds/db-app-payouter"
+  vault.hashicorp.com/agent-inject-template-application.properties: |
+    {{`{{- with secret "database/creds/db-app-payouter" -}}
+    spring.datasource.url=jdbc:postgresql://postgres-postgresql:5432/payouter?sslmode=disable
+    spring.datasource.username={{ .Data.username }}
+    spring.datasource.password={{ .Data.password }}
+    spring.flyway.url=jdbc:postgresql://postgres-postgresql:5432/payouter?sslmode=disable
+    spring.flyway.user={{ .Data.username }}
+    spring.flyway.password={{ .Data.password }}
+    spring.datasource.hikari.data-source-properties.prepareThreshold=0
+    spring.datasource.hikari.leak-detection-threshold=5300
+    flyway.url=jdbc:postgresql://postgres-postgresql:5432/payouter?sslmode=disable
+    flyway.user={{ .Data.username }}
+    flyway.password={{ .Data.password }}
+    flyway.schemas=sht 
+    {{- end }}`}}
+
+metrics:
+  serviceMonitor:
+    enabled: true
+    namespace: {{ .Release.Namespace }}
+    additionalLabels:
+      release: prometheus
+    endpoints:
+      - port: "management"
+        path: /actuator/prometheus
+        scheme: http
+
+ciliumPolicies:
+  - filters:
+    - port: 5432
+      type: TCP
+    name: postgres
+    namespace: {{ .Release.Namespace }}
+  - filters:
+    - port: 9092
+      type: TCP
+    name: kafka
+    namespace: {{ .Release.Namespace }}
+  - filters:
+    - port: 8022
+      type: TCP
+    name: shumway
+    namespace: {{ .Release.Namespace }}
+  - filters:
+    - port: 8022
+      type: TCP
+    name: dominant
+    namespace: {{ .Release.Namespace }}
+  - filters:
+    - port: 8200
+      type: TCP
+    name: vault
+    namespace: {{ .Release.Namespace }}
+  - filters:
+    - port: 8022
+      type: TCP
+    name: hellgate
+    namespace: {{ .Release.Namespace }}
+{{- /*
+  - filters:
+    - port: 8022
+      type: TCP
+    name: fault-detector
+    namespace: {{ .Release.Namespace }}
+*/ -}}

config/postgres/values.yaml.gotmpl

@@ -8,6 +8,7 @@ initdbScripts:
      CREATE DATABASE keycloak;
      CREATE DATABASE shumway;
      CREATE DATABASE hooker;
+     CREATE DATABASE payouter;
 
 #TODO: If bump version, change master to primary
 master:

config/proxy-mocketbank-mpi/values.yaml.gotmpl

@@ -47,3 +47,10 @@ readinessProbe:
   httpGet:
     path: /actuator/health
     port: api
+
+ciliumPolicies:
+  - filters:
+    - port: 8022
+      type: TCP
+    name: cds
+    namespace: {{ .Release.Namespace }}

config/proxy-mocketbank/values.yaml.gotmpl

@@ -4,7 +4,7 @@ replicaCount: 1
 
 image:
   repository: docker.io/rbkmoney/proxy-mocketbank
-  tag: 91953e1e9874a851816474b47ad0f123c7c936d1
+  tag: 42361269e9a3b49c9e9dbfad0c04674e9d3787fb
   pullPolicy: IfNotPresent
 
 configMap:
@@ -65,4 +65,4 @@ ciliumPolicies:
     - port: 8022
       type: TCP
     name: cds
-    namespace: {{ .Release.Namespace }}
+    namespace: {{ .Release.Namespace }}

config/vault-cm/values.yaml

@@ -35,6 +35,23 @@ configMap:
           GRANT ALL ON ALL SEQUENCES IN SCHEMA hook TO \"{{name}}\";" \
           default_ttl="1h" \
           max_ttl="240h"
+
+      vault write database/config/payouter \
+          plugin_name=postgresql-database-plugin \
+          allowed_roles="*" \
+          connection_url="postgresql://{{username}}:{{password}}@postgres-postgresql:5432/payouter?sslmode=disable" \
+          username="postgres" \
+          password="H@ckM3"
+      vault write database/roles/db-app-payouter \
+          db_name=payouter \
+          creation_statements="CREATE SCHEMA IF NOT EXISTS sht;
+          CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';
+          GRANT CREATE ON DATABASE payouter TO \"{{name}}\";
+          GRANT ALL ON SCHEMA sht TO \"{{name}}\";
+          GRANT ALL ON ALL TABLES IN SCHEMA sht TO \"{{name}}\";
+          GRANT ALL ON ALL SEQUENCES IN SCHEMA sht TO \"{{name}}\";" \
+          default_ttl="1h" \
+          max_ttl="240h"
   
       vault auth enable kubernetes
       vault write auth/kubernetes/config \
@@ -56,3 +73,6 @@ configMap:
       path "database/creds/db-app-hooker" {
         capabilities = ["read"]
       }
+      path "database/creds/db-app-payouter" {
+        capabilities = ["read"]
+      }

helmfile.yaml

@@ -203,3 +203,6 @@ releases:
     tier: front
   needs:
     - {{ .Namespace | default "default" }}/keycloak
+- name: payouter
+  <<: *generic_stateless_json
+