feat: add consent to galoy chart (#4474)

* chore: add tilt dev setup * feat: add consent to galoy chart
GaloyMoney · Oct 17, 2023 · 31a60d0 · 31a60d0
1 parent fe13755
commit 31a60d0
Show file tree

Hide file tree

Showing 18 changed files with 699 additions and 3 deletions.
diff --git a/charts/galoy/Chart.lock b/charts/galoy/Chart.lock
@@ -21,4 +21,4 @@ dependencies:
   repository: oci://ghcr.io/apollographql/helm-charts
   version: 1.25.0
 digest: sha256:bb886d7d909ea493a1113209c3544efde2497772abd7ca7f3466cb73060eb759
-generated: "2023-10-16T07:29:50.903201944Z"
+generated: "2023-10-17T00:27:44.993098112+05:30"
diff --git a/charts/galoy/templates/_helpers.tpl b/charts/galoy/templates/_helpers.tpl
@@ -46,6 +46,14 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
 {{- default "trigger" .Values.galoy.trigger.nameOverride | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 
+{{/*
+Create a default fully qualified consent name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "galoy.consent.fullname" -}}
+{{- default "consent" .Values.galoy.consent.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
 {{/*
 CronJob name
 */}}
@@ -283,3 +291,18 @@ Return Galoy environment variables for Geetest
       name: {{ .Values.galoy.geetestExistingSecret.name }}
       key: {{ .Values.galoy.geetestExistingSecret.secret_key }}
 {{- end -}}
+
+# TODO: Remove this once https://github.com/apollographql/router/issues/4002 is resolved
+# This is copied from https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_tplvalues.tpl
+{{- define "common.tplvalues.render" -}}
+{{- $value := typeIs "string" .value | ternary .value (.value | toYaml) }}
+{{- if contains "{{" (toJson .value) }}
+  {{- if .scope }}
+      {{- tpl (cat "{{- with $.RelativeScope -}}" $value "{{- end }}") (merge (dict "RelativeScope" .scope) .context) }}
+  {{- else }}
+    {{- tpl $value .context }}
+  {{- end }}
+{{- else }}
+    {{- $value }}
+{{- end }}
+{{- end -}}
diff --git a/charts/galoy/templates/consent-deployment.yaml b/charts/galoy/templates/consent-deployment.yaml
@@ -0,0 +1,52 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ template "galoy.consent.fullname" . }}
+  labels:
+    app: {{ template "galoy.consent.fullname" . }}
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    release: "{{ .Release.Name }}"
+    app.kubernetes.io/managed-by: Helm
+
+    kube-monkey/enabled: enabled
+    kube-monkey/identifier: {{ template "galoy.trigger.fullname" . }}
+    kube-monkey/kill-mode: fixed
+    kube-monkey/kill-value: "1"
+    kube-monkey/mtbf: "8"
+spec:
+  selector:
+    matchLabels:
+      app: {{ template "galoy.consent.fullname" . }}
+      release: {{ .Release.Name }}
+  replicas: {{ .Values.galoy.consent.replicas }}
+  template:
+    metadata:
+      labels:
+        app: {{ template "galoy.consent.fullname" . }}
+        release: "{{ .Release.Name }}"
+        kube-monkey/enabled: enabled
+        kube-monkey/identifier: {{ template "galoy.trigger.fullname" . }}
+    spec:
+      serviceAccountName: {{ template "galoy.name" . }}
+      containers:
+      - name: consent
+        image: "{{ .Values.galoy.images.consent.repository }}@{{ .Values.galoy.images.consent.digest }}"
+        resources:
+          {{- toYaml .Values.resources | nindent 10 }}
+        ports:
+        - name: http
+          containerPort: {{ .Values.galoy.consent.port }}
+          protocol: TCP
+        env:
+        - name: PORT
+          value: "{{ .Values.galoy.consent.port }}"
+        - name: GRAPHQL_PUBLIC_API
+          value: {{ .Values.galoy.consent.graphqlPublicApi }}
+        - name: CORE_AUTH_URL
+          value: {{ .Values.galoy.consent.coreAuthUrl }}
+        - name: OTEL_EXPORTER_OTLP_ENDPOINT
+          value: {{ .Values.tracing.otelExporterOtlpEndpoint }}
+        - name: TRACING_SERVICE_NAME
+          value: "{{ .Values.tracing.prefix }}-{{ template "galoy.consent.fullname" . }}"
+        - name: HYDRA_ADMIN_URL
+          value: {{ .Values.galoy.consent.hydraAdminUrl }}
diff --git a/charts/galoy/templates/consent-ingress.yaml b/charts/galoy/templates/consent-ingress.yaml
@@ -0,0 +1,48 @@
+{{- if .Values.galoy.consent.ingress.enabled -}}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ template "galoy.consent.fullname" . }}
+  labels:
+    app: {{ template "galoy.consent.fullname" . }}
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    release: "{{ .Release.Name }}"
+    app.kubernetes.io/managed-by: Helm
+  annotations:
+    cert-manager.io/cluster-issuer: {{ .Values.galoy.consent.ingress.clusterIssuer }}
+    nginx.ingress.kubernetes.io/proxy-read-timeout: "3600" # 1 hour
+    nginx.ingress.kubernetes.io/proxy-send-timeout: "3600" # 1 hour
+    nginx.ingress.kubernetes.io/proxy-connect-timeout: "1s"
+    nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout"
+    nginx.ingress.kubernetes.io/proxy-next-upstream-tries: "3"
+    nginx.ingress.kubernetes.io/limit-rpm: "10"
+    nginx.ingress.kubernetes.io/limit-burst-multiplier: "2"
+    nginx.ingress.kubernetes.io/limit-connections: "10"
+    {{- with .Values.galoy.consent.ingress.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  ingressClassName: nginx
+  tls:
+    {{- range .Values.galoy.consent.ingress.hosts }}
+    - hosts:
+      - {{ . }}
+      secretName: {{ printf "%s-tls" . }}
+    {{- end }}
+  rules:
+  {{- range .Values.galoy.consent.ingress.hosts }}
+    - host: {{ . }}
+      http:
+        paths:
+          {{- if $.Values.galoy.consent.ingress.extraPaths }}
+          {{- toYaml $.Values.galoy.consent.ingress.extraPaths | nindent 10 }}
+          {{- end }}
+          - pathType: ImplementationSpecific
+            path: /
+            backend:
+              service:
+                name: {{ template "galoy.consent.fullname" $ }}
+                port:
+                  number: {{ $.Values.galoy.consent.port }}
+  {{- end -}}
+{{- end -}}
diff --git a/charts/galoy/templates/consent-service.yaml b/charts/galoy/templates/consent-service.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "galoy.consent.fullname" . }}
+  labels:
+    app: {{ template "galoy.consent.fullname" . }}
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    release: "{{ .Release.Name }}"
+    app.kubernetes.io/managed-by: Helm
+spec:
+  type: {{ .Values.galoy.consent.serviceType }}
+  ports:
+    - port: {{ .Values.galoy.consent.port }}
+      targetPort: {{ .Values.galoy.consent.port }}
+      protocol: TCP
+      name: http
+  selector:
+    app: {{ template "galoy.consent.fullname" . }}
diff --git a/charts/galoy/values.yaml b/charts/galoy/values.yaml
@@ -61,6 +61,11 @@ galoy:
       ## Digest of the image
       ##
       digest: "sha256:aa16b25de59adef5b13b391394c9b637ce79c64e20ca36d0798968b5028a08d2"
+    consent:
+      repository: us.gcr.io/galoy-org/galoy-consent
+      ## Digest of the image
+      ##
+      digest: "sha256:f0a9190ad0b1f4accddc938c7ebd08ee7e9006011864d68cc1ad4aae6451ac46"
     ## Galoy Application MongoDB Migration Image details
     ##
     mongodbMigrate:
@@ -381,6 +386,17 @@ galoy:
         failureThreshold: 5
         successThreshold: 2
         timeoutSeconds: 1
+  consent:
+    resources: {}
+    port: 80
+    graphqlPublicApi: http://galoy-oathkeeper-proxy/graphql
+    coreAuthUrl: http://galoy-oathkeeper-proxy/auth
+    hydraAdminUrl: http://galoy-hydra-admin:4445
+    ingress:
+      enabled: false
+      hosts: [consent.staging.galoy.io]
+      clusterIssuer: letsencrypt-issuer
+      tlsSecretName: websocket-tls
   mongoBackupCron:
     resources: {}
   galoyCron:

diff --git a/charts/loop/charts/loopserver/templates/pvc.yml b/charts/loop/charts/loopserver/templates/pvc.yml
@@ -3,8 +3,6 @@ kind: PersistentVolumeClaim
 apiVersion: v1
 metadata:
   name: {{ template "loopserver.fullname" $ }}
-  annotations:
-    "helm.sh/resource-policy": keep
   labels:
     {{- include "loopserver.labels" . | nindent 4 }}
 spec:

diff --git a/dev/Tiltfile b/dev/Tiltfile
@@ -0,0 +1,3 @@
+# include('./galoy-deps/Tiltfile')
+include('./bitcoin/Tiltfile')
+include('./galoy/Tiltfile')
diff --git a/dev/bitcoin/Tiltfile b/dev/bitcoin/Tiltfile
@@ -0,0 +1,118 @@
+load('ext://helm_resource', 'helm_resource')
+load('ext://namespace', 'namespace_create')
+load('ext://secret', 'secret_from_dict', 'secret_create_generic')
+
+name_prefix = "galoy-dev"
+bitcoin_network = "regtest"
+bitcoind_rpcpassword = "rpcpassword"
+bitcoin_namespace = "{}-bitcoin".format(name_prefix)
+
+namespace_create(bitcoin_namespace)
+
+k8s_yaml(secret_from_dict(
+  name='bitcoind-rpcpassword',
+  namespace=bitcoin_namespace,
+  inputs={'password': bitcoind_rpcpassword},
+))
+
+helm_resource(
+  name="bitcoind",
+  chart="../../charts/bitcoind",
+  namespace=bitcoin_namespace,
+  flags=['--values=./bitcoind-regtest-values.yml'],
+  labels="bitcoin"
+)
+
+k8s_yaml(secret_from_dict(
+  name='bitcoind-onchain-rpcpassword',
+  namespace=bitcoin_namespace,
+  inputs={'password': bitcoind_rpcpassword},
+))
+
+k8s_yaml(secret_from_dict(
+  name='bitcoind-signer-descriptor',
+  namespace=bitcoin_namespace,
+  inputs={
+    'descriptor_json_base64': local(
+      "base64 bitcoind_signers_descriptors.json | tr -d '\n\r'"
+    )
+  },
+))
+
+helm_resource(
+  name="bitcoind-onchain",
+  chart="../../charts/bitcoind",
+  namespace=bitcoin_namespace,
+  flags=[
+    '--values=./bitcoind-regtest-values.yml',
+    '--values=./bitcoind-onchain-values.yml'
+  ],
+  labels="bitcoin"
+)
+
+local_resource(
+  name="bitcoind-block-generator",
+  cmd='./generateBlock.sh',
+  labels="bitcoin",
+  resource_deps=["bitcoind-onchain", "bitcoind"]
+)
+
+helm_resource(
+  name="lnd1",
+  chart="../../charts/lnd",
+  namespace=bitcoin_namespace,
+  flags=[
+    '--values=./lnd-regtest-values.yml',
+  ],
+  labels="bitcoin"
+)
+
+helm_resource(
+  name="loop1",
+  chart="../../charts/loop",
+  namespace=bitcoin_namespace,
+  flags=[
+    '--values=./loop-values.yml',
+  ],
+  labels="bitcoin"
+)
+
+# helm_resource(
+#   name="fulcrum",
+#   chart="../../charts/fulcrum",
+#   namespace=bitcoin_namespace,
+#   flags=[
+#     '--values=./fulcrum-regtest-values.yml',
+#   ],
+#   labels="bitcoin"
+# )
+
+k8s_yaml(secret_from_dict(
+  name='bria',
+  namespace=bitcoin_namespace,
+  inputs={
+    'pg-con': 'postgres://bria:bria@bria-postgresql:5432/bria',
+    'signer-encryption-key': local('openssl rand -hex 32'),
+  },
+))
+
+helm_resource(
+  name="bria",
+  chart="../../charts/bria",
+  namespace=bitcoin_namespace,
+  flags=[
+    '--values=./bria-values.yml',
+  ],
+  labels="bitcoin"
+)
+
+# TODO: uncomment mempool when we actually use it
+# helm_resource(
+#   name="mempool",
+#   chart="../../charts/mempool",
+#   namespace=bitcoin_namespace,
+#   flags=[
+#     '--values=./mempool-regtest-values.yml',
+#   ],
+#   labels="bitcoin"
+# )
diff --git a/dev/galoy-deps/Tiltfile b/dev/galoy-deps/Tiltfile
@@ -0,0 +1,68 @@
+load('ext://helm_resource', 'helm_resource')
+load('ext://namespace', 'namespace_create')
+update_settings(k8s_upsert_timeout_secs=120)
+
+name_prefix = "galoy-dev"
+kafka_namespace = "{}-kafka".format(name_prefix)
+ingress_namespace = "{}-ingress".format(name_prefix)
+otel_namespace = "{}-otel".format(name_prefix)
+kubemonkey_namespace = "{}-kubemonkey".format(name_prefix)
+
+namespace_create(kafka_namespace)
+
+# Attaching the namespace to the workload means that the namespace will be deleted when the workload is deleted
+# k8s_resource(workload="kafka-operator", objects=["galoy-dev-kafka:namespace"])
+
+helm_resource(
+  name="kafka",
+  chart="../../charts/galoy-deps",
+  namespace=kafka_namespace,
+  flags=['--values=./kafka-values.yml'],
+  labels="kafka"
+)
+
+## cert-manager and ingress-nginx
+
+namespace_create(ingress_namespace)
+
+# TODO: decide how to label the ingress namespace
+# k8s_resource(workload="cert-manager?", objects=["galoy-dev-ingress:namespace"])
+
+helm_resource(
+  name="cert-manager",
+  chart="../../charts/galoy-deps",
+  namespace=ingress_namespace,
+  flags=['--values=./cert-manager-values.yml'],
+  labels="cert-manager-and-ingress"
+)
+
+helm_resource(
+  name="ingress-nginx",
+  chart="../../charts/galoy-deps",
+  namespace=ingress_namespace,
+  flags=['--values=./ingress-nginx-values.yml'],
+  labels="cert-manager-and-ingress"
+)
+
+## opentelemetry-collector
+
+namespace_create(otel_namespace)
+
+helm_resource(
+  name="opentelemetry-collector",
+  chart="../../charts/galoy-deps",
+  namespace=otel_namespace,
+  flags=['--values=./otel-values.yml'],
+  labels="otel"
+)
+
+# do we need kubemonkey in local dev?
+
+# helm_resource(
+#   name="kubemonkey",
+#   chart="../../charts/galoy-deps",
+#   namespace=kubemonkey_namespace,
+#   flags=['--values=./kubemonkey-values.yml'],
+#   labels="kubemonkey"
+# )
+