bump rules

This commit is contained in:
Dmitry Skokov 2021-04-16 15:54:28 +03:00
parent 33cf3b2451
commit 786bc20e1c
15 changed files with 2074 additions and 15 deletions


@ -124,3 +124,8 @@ ciliumPolicies:
type: TCP
name: hellgate
namespace: {{ .Release.Namespace }}
- filters:
- port: 8022
type: TCP
name: payouter
namespace: {{ .Release.Namespace }}


@ -1,5 +1,5 @@
{
"realm": "internal",
"realm": "external",
"auth-server-url": "https://auth.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}:31337/auth/",
"ssl-required": "external",
"resource": "control-center",
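Review bot: The adapter now hard-codes `https://auth.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}:31337/auth/` (L27) while the realm JSON in this same commit drops `{{ .Values.services.keycloak.externalUrl }}` for the same literal pattern (L48, L52, L61, L65), and L37 repeats it for koffing; scheme, host prefix, port `31337` and the `"rbk.dev"` default are now copied into six places across three files. Keeping one value (for example `.Values.services.keycloak.externalUrl`, derived from `rootDomain` once in the values file) means a port or default-domain change is made in one place instead of six. The realm rename `internal` → `external` is consistent with the two-file import in the keycloak values change, so that part looks fine.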


@ -1,5 +1,5 @@
{
"realm": "internal",
"realm": "external",
"auth-server-url": "https://auth.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}:31337/auth/",
"ssl-required": "external",
"resource": "koffing",


@ -1529,10 +1529,10 @@
"clientAuthenticatorType": "client-secret",
"secret": "**********",
"redirectUris": [
"{{ .Values.services.keycloak.externalUrl }}/*"
"https://dashboard.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}:31337/*"
],
"webOrigins": [
"{{ .Values.services.keycloak.externalUrl }}"
"https://dashboard.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}:31337"
],
"notBefore": 0,
"bearerOnly": false,
@ -2225,10 +2225,10 @@
"clientAuthenticatorType": "client-secret",
"secret": "**********",
"redirectUris": [
"{{ .Values.services.keycloak.externalUrl }}/*"
"https://auth.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}:31337/*"
],
"webOrigins": [
"{{ .Values.services.keycloak.externalUrl }}"
"https://auth.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}:31337"
],
"notBefore": 0,
"bearerOnly": false,
@ -3133,10 +3133,10 @@
"ssl": "false",
"user": "no-reply@rbkmoney.com"
},
"loginTheme": "rbkmoney-hood",
"accountTheme": "rbkmoney",
"loginTheme": "keycloak",
"accountTheme": "keycloak",
"adminTheme": "keycloak",
"emailTheme": "rbkmoney-hood",
"emailTheme": "keycloak",
"eventsEnabled": true,
"eventsExpiration": 51840000,
"eventsListeners": [



@ -1,6 +1,7 @@
# -*- mode: yaml -*-
configMap:
data:
realms.json: |
{{- tpl (readFile "realms.json.gotmpl") . | nindent 6 }}
internal.json: |
{{- tpl (readFile "internal.json.gotmpl") . | nindent 6 }}
external.json: |
{{- tpl (readFile "external.json.gotmpl") . | nindent 6 }}


@ -4,6 +4,9 @@ postgresql:
podLabels:
selector.cilium.rbkmoney/release: {{ .Release.Name }}
image:
tag: 12.0.4
extraEnv: |
- name: PROXY_ADDRESS_FORWARDING
value: "true"
@ -32,7 +35,7 @@ extraEnv: |
-Djboss.modules.system.pkgs=$JBOSS_MODULES_SYSTEM_PKGS
-Djava.awt.headless=true
- name: KEYCLOAK_IMPORT
value: /realm/realms.json
value: /realm/internal.json,/realm/external.json
extraVolumes: |
- name: keycloak-realms-volume
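Review bot: `tag: 12.0.4` (L105) is read as a string only because it contains two dots; a later bump to a two-component tag such as `13.0` would silently become a float, so quote it: `tag: "12.0.4"`. The same applies to the image tags added at L157 and L301, which stay strings only because those hashes contain letters — an all-digit hash would be parsed as an integer by the YAML loader. The `KEYCLOAK_IMPORT` change to `/realm/internal.json,/realm/external.json` (L114) relies on the Keycloak image accepting a comma-separated file list in that variable; if that is confirmed, a one-line comment above it naming the two realms would save the next reader the lookup.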


@ -0,0 +1,21 @@
#!/bin/sh
set -ue
java \
"-XX:OnOutOfMemoryError=kill %p" -XX:+HeapDumpOnOutOfMemoryError \
-jar /opt/payouter/payouter.jar \
--logging.file=/var/log/payouter/payouter.json \
--logging.config=/opt/payouter/logback.xml \
--management.security.enabled=false \
-Dwoody.node_id=346 \
--service.dominant.url=http://dominant:8022/v1/domain/repository_client \
--service.shumway.url=http://shumway:8022/shumpune \
--kafka.bootstrap-servers=kafka:9092 \
--kafka.topics.invoice.enabled=false \
--kafka.topics.party-management.enabled=false \
--kafka.topics.party-management.concurrency=5 \
--kafka.client-id=payouter \
--kafka.consumer.group-id=payouter-invoicing \
--kafka.consumer.concurrency=5 \
--kafka.consumer.auto-offset-reset=latest \
--spring.config.additional-location=/vault/secrets/application.properties
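Review bot: `-Dwoody.node_id=346` (L129) comes after `-jar /opt/payouter/payouter.jar`, so the JVM hands it to the application as an ordinary argument rather than setting a system property; unless the application parses `-D` arguments itself, the node id is never applied. Move it in front of the jar: `java -Dwoody.node_id=346 \`. Separately, `java` runs as a child of `sh`, so the shell stays PID 1 in the container and a SIGTERM on pod shutdown is not delivered to the JVM (unless the image adds an init process), which turns every rollout into a SIGKILL after the grace period; `exec java \` on L123 fixes that while `set -ue` still covers the script's own lines.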


@ -0,0 +1,4 @@
<included>
<logger name="com.rbkmoney" level="INFO"/>
<logger name="com.rbkmoney.woody" level="INFO"/>
</included>


@ -0,0 +1,131 @@
# -*- mode: yaml -*-
replicaCount: 1
image:
repository: docker.io/rbkmoney/payouter
tag: a0e37ad47ee5563008d2af47c58a9f117e941db0
pullPolicy: IfNotPresent
runopts:
command: ["/opt/payouter/entrypoint.sh"]
env:
- name: LOGBACK_SERVICE_NAME
value: "payouter"
configMap:
data:
entrypoint.sh: |
{{- readFile "entrypoint.sh" | nindent 6 }}
loggers.xml: |
{{- readFile "loggers.xml" | nindent 6 }}
logback.xml: |
{{- readFile "../logs/logback.xml" | nindent 6 }}
volumes:
- name: config-volume
configMap:
name: {{ .Release.Name }}
defaultMode: 0755
volumeMounts:
- name: config-volume
mountPath: /opt/payouter/entrypoint.sh
subPath: entrypoint.sh
readOnly: true
- name: config-volume
mountPath: /opt/payouter/logback.xml
subPath: logback.xml
readOnly: true
- name: config-volume
mountPath: /opt/payouter/loggers.xml
subPath: loggers.xml
readOnly: true
service:
ports:
- name: api
port: 8022
- name: management
port: 8023
livenessProbe: null
# httpGet:
# path: /actuator/health
# port: management
readinessProbe: null
# httpGet:
# path: /actuator/health
# port: management
podAnnotations:
vault.hashicorp.com/role: "db-app"
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-inject-secret-application.properties: "database/creds/db-app-payouter"
vault.hashicorp.com/agent-inject-template-application.properties: |
{{`{{- with secret "database/creds/db-app-payouter" -}}
spring.datasource.url=jdbc:postgresql://postgres-postgresql:5432/payouter?sslmode=disable
spring.datasource.username={{ .Data.username }}
spring.datasource.password={{ .Data.password }}
spring.flyway.url=jdbc:postgresql://postgres-postgresql:5432/payouter?sslmode=disable
spring.flyway.user={{ .Data.username }}
spring.flyway.password={{ .Data.password }}
spring.datasource.hikari.data-source-properties.prepareThreshold=0
spring.datasource.hikari.leak-detection-threshold=5300
flyway.url=jdbc:postgresql://postgres-postgresql:5432/payouter?sslmode=disable
flyway.user={{ .Data.username }}
flyway.password={{ .Data.password }}
flyway.schemas=sht
{{- end }}`}}
metrics:
serviceMonitor:
enabled: true
namespace: {{ .Release.Namespace }}
additionalLabels:
release: prometheus
endpoints:
- port: "management"
path: /actuator/prometheus
scheme: http
ciliumPolicies:
- filters:
- port: 5432
type: TCP
name: postgres
namespace: {{ .Release.Namespace }}
- filters:
- port: 9092
type: TCP
name: kafka
namespace: {{ .Release.Namespace }}
- filters:
- port: 8022
type: TCP
name: shumway
namespace: {{ .Release.Namespace }}
- filters:
- port: 8022
type: TCP
name: dominant
namespace: {{ .Release.Namespace }}
- filters:
- port: 8200
type: TCP
name: vault
namespace: {{ .Release.Namespace }}
- filters:
- port: 8022
type: TCP
name: hellgate
namespace: {{ .Release.Namespace }}
{{- /*
- filters:
- port: 8022
type: TCP
name: fault-detector
namespace: {{ .Release.Namespace }}
*/ -}}
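Review bot: `livenessProbe: null` and `readinessProbe: null` (L196, L200) leave the new payouter release with no health checking, and the `/actuator/health` probe they replace is only commented out, with no reason recorded; without a readiness probe the pod receives traffic as soon as the container starts, before the JVM has opened port 8022 or the Vault-injected `application.properties` exists. Either enable the commented `httpGet` on the `management` port (8023 is already exposed and scraped at L230–L232) or record why it stays off, e.g. `# probes disabled: TODO(payouter) confirm /actuator/health is served before enabling`. The `ciliumPolicies` entry for `hellgate` (L259–L263) is allowed but nothing in the new entrypoint references a hellgate URL, so a comment on why that egress is needed would help the next reader.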


@ -8,6 +8,7 @@ initdbScripts:
CREATE DATABASE keycloak;
CREATE DATABASE shumway;
CREATE DATABASE hooker;
CREATE DATABASE payouter;
#TODO: If bump version, change master to primary
master:


@ -47,3 +47,10 @@ readinessProbe:
httpGet:
path: /actuator/health
port: api
ciliumPolicies:
- filters:
- port: 8022
type: TCP
name: cds
namespace: {{ .Release.Namespace }}


@ -4,7 +4,7 @@ replicaCount: 1
image:
repository: docker.io/rbkmoney/proxy-mocketbank
tag: 91953e1e9874a851816474b47ad0f123c7c936d1
tag: 42361269e9a3b49c9e9dbfad0c04674e9d3787fb
pullPolicy: IfNotPresent
configMap:


@ -36,6 +36,23 @@ configMap:
default_ttl="1h" \
max_ttl="240h"
vault write database/config/payouter \
plugin_name=postgresql-database-plugin \
allowed_roles="*" \
connection_url="postgresql://{{username}}:{{password}}@postgres-postgresql:5432/payouter?sslmode=disable" \
username="postgres" \
password="H@ckM3"
vault write database/roles/db-app-payouter \
db_name=payouter \
creation_statements="CREATE SCHEMA IF NOT EXISTS sht;
CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';
GRANT CREATE ON DATABASE payouter TO \"{{name}}\";
GRANT ALL ON SCHEMA sht TO \"{{name}}\";
GRANT ALL ON ALL TABLES IN SCHEMA sht TO \"{{name}}\";
GRANT ALL ON ALL SEQUENCES IN SCHEMA sht TO \"{{name}}\";" \
default_ttl="1h" \
max_ttl="240h"
vault auth enable kubernetes
vault write auth/kubernetes/config \
token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
@ -56,3 +73,6 @@ configMap:
path "database/creds/db-app-hooker" {
capabilities = ["read"]
}
path "database/creds/db-app-payouter" {
capabilities = ["read"]
}
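Review bot: The new `database/config/payouter` entry (L310–L315) hard-codes the PostgreSQL superuser login `username="postgres"` / `password="H@ckM3"` in this ConfigMap script, extending the static credential already used by the entries above it to one more database; the password should be read from a mounted Secret or an environment variable rather than the script text, and a dedicated Vault connection user per database would allow `vault write -f database/rotate-root/payouter` to hand the credential over to Vault (with one shared `postgres` login, rotating through a single config would break the others). Separately, `GRANT ALL ON ALL TABLES IN SCHEMA sht` (L322) only covers tables that exist when a lease is issued, so tables the application creates later under one lease's role are not granted to a lease issued earlier and remain owned by that role when Vault later tries to drop it; adding `ALTER DEFAULT PRIVILEGES IN SCHEMA sht GRANT ...` to the creation statements, or running migrations as a fixed owner role, avoids this — worth confirming against how payouter creates its tables.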


@ -203,3 +203,6 @@ releases:
tier: front
needs:
- {{ .Namespace | default "default" }}/keycloak
- name: payouter
<<: *generic_stateless_json