From c4ced891a38718d89d0a2ef33289d6d0aa7e6ebb Mon Sep 17 00:00:00 2001 From: bodymindarts Date: Mon, 16 Oct 2023 21:37:07 +0200 Subject: [PATCH 1/2] chore: add tilt dev setup --- charts/galoy/Chart.lock | 2 +- charts/galoy/templates/_helpers.tpl | 15 ++ .../loop/charts/loopserver/templates/pvc.yml | 2 - dev/Tiltfile | 3 + dev/bitcoin/Tiltfile | 118 +++++++++ dev/galoy-deps/Tiltfile | 68 +++++ dev/galoy-deps/cert-manager-values.yml | 10 + dev/galoy-deps/ingress-nginx-values.yml | 16 ++ dev/galoy-deps/kafka-values.yml | 12 + dev/galoy/Tiltfile | 238 ++++++++++++++++++ dev/galoy/galoy-values.yml | 42 ++++ .../oathkeeper_mutator_id_token_jwks.json | 18 ++ dev/monitoring/Tiltfile | 14 ++ flake.nix | 2 + 14 files changed, 557 insertions(+), 3 deletions(-) create mode 100644 dev/Tiltfile create mode 100644 dev/bitcoin/Tiltfile create mode 100644 dev/galoy-deps/Tiltfile create mode 100644 dev/galoy-deps/cert-manager-values.yml create mode 100644 dev/galoy-deps/ingress-nginx-values.yml create mode 100644 dev/galoy-deps/kafka-values.yml create mode 100644 dev/galoy/Tiltfile create mode 100644 dev/galoy/galoy-values.yml create mode 100644 dev/galoy/oathkeeper_mutator_id_token_jwks.json create mode 100644 dev/monitoring/Tiltfile diff --git a/charts/galoy/Chart.lock b/charts/galoy/Chart.lock index 3635f23f03..285b0e1e37 100644 --- a/charts/galoy/Chart.lock +++ b/charts/galoy/Chart.lock @@ -21,4 +21,4 @@ dependencies: repository: oci://ghcr.io/apollographql/helm-charts version: 1.25.0 digest: sha256:bb886d7d909ea493a1113209c3544efde2497772abd7ca7f3466cb73060eb759 -generated: "2023-10-16T07:29:50.903201944Z" +generated: "2023-10-17T00:27:44.993098112+05:30" diff --git a/charts/galoy/templates/_helpers.tpl b/charts/galoy/templates/_helpers.tpl index a4f10ca459..c3ce450a67 100644 --- a/charts/galoy/templates/_helpers.tpl +++ b/charts/galoy/templates/_helpers.tpl 
@@ -283,3 +283,18 @@ Return Galoy environment variables for Geetest
 name: {{ .Values.galoy.geetestExistingSecret.name }}
 key: {{ .Values.galoy.geetestExistingSecret.secret_key }}
 {{- end -}}
+
+# TODO: Remove this once https://github.com/apollographql/router/issues/4002 is resolved
+# This is copied from https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_tplvalues.tpl
+{{- define "common.tplvalues.render" -}}
+{{- $value := typeIs "string" .value | ternary .value (.value | toYaml) }}
+{{- if contains "{{" (toJson .value) }}
+  {{- if .scope }}
+  {{- tpl (cat "{{- with $.RelativeScope -}}" $value "{{- end }}") (merge (dict "RelativeScope" .scope) .context) }}
+  {{- else }}
+  {{- tpl $value .context }}
+  {{- end }}
+{{- else }}
+  {{- $value }}
+{{- end }}
+{{- end -}}
diff --git a/charts/loop/charts/loopserver/templates/pvc.yml b/charts/loop/charts/loopserver/templates/pvc.yml
index a2cb055c3f..0a0c8b8fbd 100644
--- a/charts/loop/charts/loopserver/templates/pvc.yml
+++ b/charts/loop/charts/loopserver/templates/pvc.yml
@@ -3,8 +3,6 @@ kind: PersistentVolumeClaim
 apiVersion: v1
 metadata:
 name: {{ template "loopserver.fullname" $ }}
- annotations:
- "helm.sh/resource-policy": keep
 labels:
 {{- include "loopserver.labels" . | nindent 4 }}
 spec:
diff --git a/dev/Tiltfile b/dev/Tiltfile
new file mode 100644
index 0000000000..deab02ad3c
--- /dev/null
+++ b/dev/Tiltfile
@@ -0,0 +1,3 @@
+# include('./galoy-deps/Tiltfile')
+include('./bitcoin/Tiltfile')
+include('./galoy/Tiltfile')
diff --git a/dev/bitcoin/Tiltfile b/dev/bitcoin/Tiltfile
new file mode 100644
index 0000000000..b84fa180bb
--- /dev/null
+++ b/dev/bitcoin/Tiltfile
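Review bot: `common.tplvalues.render` passes any value whose JSON form contains `{{` through `tpl` with the chart root (or `.scope`) as context, so whoever supplies values — a values file, `--set`, or a parent chart — can run arbitrary template functions, including cluster-reading ones like `lookup`, at render time. That is the same trade-off Bitnami makes and is acceptable for operator-controlled values, but it is invisible to anyone reading this chart's values.yaml. I would add a line above the define: `# Values passed through this helper are evaluated as Go templates with the chart root as context; only route operator-controlled values here.` The TODO should also say which router issue makes the copy necessary so it can be removed when 4002 closes.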
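Review bot: Removing `"helm.sh/resource-policy": keep` from the loopserver PVC means `helm uninstall` (or a Tilt teardown) now deletes the claim and, with a `Delete` reclaim policy on the storage class, the volume behind it; this edits a chart under charts/, not the dev setup the commit title describes. If that volume holds loopserver's database or key material, an uninstall turns from a re-attach into unrecoverable loss. I would keep the annotation and make it conditional so dev can opt out, e.g. `{{- if .Values.persistence.keep }}` / `"helm.sh/resource-policy": keep` / `{{- end }}` (key name to match whatever the chart already exposes), or at minimum call the removal out in the commit message.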
@@ -0,0 +1,118 @@
+load('ext://helm_resource', 'helm_resource')
+load('ext://namespace', 'namespace_create')
+load('ext://secret', 'secret_from_dict', 'secret_create_generic')
+
+name_prefix = "galoy-dev"
+bitcoin_network = "regtest"
+bitcoind_rpcpassword = "rpcpassword"
+bitcoin_namespace = "{}-bitcoin".format(name_prefix)
+
+namespace_create(bitcoin_namespace)
+
+k8s_yaml(secret_from_dict(
+    name='bitcoind-rpcpassword',
+    namespace=bitcoin_namespace,
+    inputs={'password': bitcoind_rpcpassword},
+))
+
+helm_resource(
+    name="bitcoind",
+    chart="../../charts/bitcoind",
+    namespace=bitcoin_namespace,
+    flags=['--values=./bitcoind-regtest-values.yml'],
+    labels="bitcoin"
+)
+
+k8s_yaml(secret_from_dict(
+    name='bitcoind-onchain-rpcpassword',
+    namespace=bitcoin_namespace,
+    inputs={'password': bitcoind_rpcpassword},
+))
+
+k8s_yaml(secret_from_dict(
+    name='bitcoind-signer-descriptor',
+    namespace=bitcoin_namespace,
+    inputs={
+        'descriptor_json_base64': local(
+            "base64 bitcoind_signers_descriptors.json | tr -d '\n\r'"
+        )
+    },
+))
+
+helm_resource(
+    name="bitcoind-onchain",
+    chart="../../charts/bitcoind",
+    namespace=bitcoin_namespace,
+    flags=[
+        '--values=./bitcoind-regtest-values.yml',
+        '--values=./bitcoind-onchain-values.yml'
+    ],
+    labels="bitcoin"
+)
+
+local_resource(
+    name="bitcoind-block-generator",
+    cmd='./generateBlock.sh',
+    labels="bitcoin",
+    resource_deps=["bitcoind-onchain", "bitcoind"]
+)
+
+helm_resource(
+    name="lnd1",
+    chart="../../charts/lnd",
+    namespace=bitcoin_namespace,
+    flags=[
+        '--values=./lnd-regtest-values.yml',
+    ],
+    labels="bitcoin"
+)
+
+helm_resource(
+    name="loop1",
+    chart="../../charts/loop",
+    namespace=bitcoin_namespace,
+    flags=[
+        '--values=./loop-values.yml',
+    ],
+    labels="bitcoin"
+)
+
+# helm_resource(
+#     name="fulcrum",
+#     chart="../../charts/fulcrum",
+#     namespace=bitcoin_namespace,
+#     flags=[
+#         '--values=./fulcrum-regtest-values.yml',
+#     ],
+#     labels="bitcoin"
+# )
+
+k8s_yaml(secret_from_dict(
+    name='bria',
+ namespace=bitcoin_namespace,
+    inputs={
+        'pg-con': 'postgres://bria:bria@bria-postgresql:5432/bria',
+        'signer-encryption-key': local('openssl rand -hex 32'),
+    },
+))
+
+helm_resource(
+    name="bria",
+    chart="../../charts/bria",
+    namespace=bitcoin_namespace,
+    flags=[
+        '--values=./bria-values.yml',
+    ],
+    labels="bitcoin"
+)
+
+# TODO: uncomment mempool when we actually use it
+# helm_resource(
+#     name="mempool",
+#     chart="../../charts/mempool",
+#     namespace=bitcoin_namespace,
+#     flags=[
+#         '--values=./mempool-regtest-values.yml',
+#     ],
+#     labels="bitcoin"
+# )
diff --git a/dev/galoy-deps/Tiltfile b/dev/galoy-deps/Tiltfile
new file mode 100644
index 0000000000..298e182a13
--- /dev/null
+++ b/dev/galoy-deps/Tiltfile
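Review bot: `'signer-encryption-key': local('openssl rand -hex 32')` runs on every Tiltfile evaluation, so any edit to a Tiltfile mints a fresh key and re-applies the `bria` secret; if bria's Postgres volume outlives that reload, whatever bria already encrypted under the previous key (its signer configs, presumably) can no longer be decrypted until the database is wiped. The other dev-only credentials in this file are fixed strings (`bitcoind_rpcpassword`, the `bria:bria` DSN), so I would treat this one the same way — e.g. `'signer-encryption-key': '0' * 64` with a comment that it is regtest-only, assuming bria accepts any 32-byte hex key as the current `openssl rand -hex 32` implies — or read the existing secret back before generating a new one. Separately, `base64 bitcoind_signers_descriptors.json` ships whatever descriptors sit in the working tree into the cluster; if that file can carry private descriptors it should be documented as regtest-only and kept out of any shared checkout. `bitcoin_network = "regtest"` is assigned but never read in this file.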
@@ -0,0 +1,68 @@
+load('ext://helm_resource', 'helm_resource')
+load('ext://namespace', 'namespace_create')
+update_settings(k8s_upsert_timeout_secs=120)
+
+name_prefix = "galoy-dev"
+kafka_namespace = "{}-kafka".format(name_prefix)
+ingress_namespace = "{}-ingress".format(name_prefix)
+otel_namespace = "{}-otel".format(name_prefix)
+kubemonkey_namespace = "{}-kubemonkey".format(name_prefix)
+
+namespace_create(kafka_namespace)
+
+# Attaching the namespace to the workload means that the namespace will be deleted when the workload is deleted
+# k8s_resource(workload="kafka-operator", objects=["galoy-dev-kafka:namespace"])
+
+helm_resource(
+    name="kafka",
+    chart="../../charts/galoy-deps",
+    namespace=kafka_namespace,
+    flags=['--values=./kafka-values.yml'],
+    labels="kafka"
+)
+
+## cert-manager and ingress-nginx
+
+namespace_create(ingress_namespace)
+
+# TODO: decide how to label the ingress namespace
+# k8s_resource(workload="cert-manager?", objects=["galoy-dev-ingress:namespace"])
+
+helm_resource(
+    name="cert-manager",
+    chart="../../charts/galoy-deps",
+    namespace=ingress_namespace,
+    flags=['--values=./cert-manager-values.yml'],
+    labels="cert-manager-and-ingress"
+)
+
+helm_resource(
+    name="ingress-nginx",
+    chart="../../charts/galoy-deps",
+    namespace=ingress_namespace,
+    flags=['--values=./ingress-nginx-values.yml'],
+    labels="cert-manager-and-ingress"
+)
+
+## opentelemetry-collector
+
+namespace_create(otel_namespace)
+
+helm_resource(
+    name="opentelemetry-collector",
+    chart="../../charts/galoy-deps",
+    namespace=otel_namespace,
+    flags=['--values=./otel-values.yml'],
+    labels="otel"
+)
+
+# do we need kubemonkey in local dev?
+
+# helm_resource(
+#     name="kubemonkey",
+#     chart="../../charts/galoy-deps",
+#     namespace=kubemonkey_namespace,
+#     flags=['--values=./kubemonkey-values.yml'],
+#     labels="kubemonkey"
+# )
+
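Review bot: The opentelemetry-collector `helm_resource` points at `./otel-values.yml`, but this patch only creates `cert-manager-values.yml`, `ingress-nginx-values.yml` and `kafka-values.yml` under dev/galoy-deps, so unless that file already exists untracked the resource fails as soon as the commented-out `include('./galoy-deps/Tiltfile')` in dev/Tiltfile is enabled. Either add an `otel-values.yml` that disables the sibling subcharts the way the other three values files do, or comment the resource out alongside kubemonkey until the file lands. `kubemonkey_namespace` is likewise defined but only referenced from commented-out code.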
diff --git a/dev/galoy-deps/cert-manager-values.yml b/dev/galoy-deps/cert-manager-values.yml
new file mode 100644
index 0000000000..66b03a92a7
--- /dev/null
+++ b/dev/galoy-deps/cert-manager-values.yml
@@ -0,0 +1,10 @@
+ingress-nginx:
+  enabled: false
+kubemonkey:
+  enabled: false
+opentelemetry-collector:
+  enabled: false
+strimzi-kafka-operator:
+  enabled: false
+cert-manager:
+  installCRDs: true
diff --git a/dev/galoy-deps/ingress-nginx-values.yml b/dev/galoy-deps/ingress-nginx-values.yml
new file mode 100644
index 0000000000..d058effa68
--- /dev/null
+++ b/dev/galoy-deps/ingress-nginx-values.yml
@@ -0,0 +1,16 @@
+cert-manager:
+  enabled: false
+kubemonkey:
+  enabled: false
+opentelemetry-collector:
+  enabled: false
+strimzi-kafka-operator:
+  enabled: false
+ingress-nginx:
+  controller:
+    config:
+      enable-opentracing: true
+      jaeger-service-name: galoy-dev-ingress
+      jaeger-collector-host: opentelemetry-collector.galoy-dev-otel.svc.cluster.local
+    service:
+      type: NodePort
diff --git a/dev/galoy-deps/kafka-values.yml b/dev/galoy-deps/kafka-values.yml
new file mode 100644
index 0000000000..69fbcf4129
--- /dev/null
+++ b/dev/galoy-deps/kafka-values.yml
@@ -0,0 +1,12 @@
+cert-manager:
+  enabled: false
+ingress-nginx:
+  enabled: false
+kubemonkey:
+  enabled: false
+opentelemetry-collector:
+  enabled: false
+strimzi-kafka-operator:
+  kafka:
+    listener:
+      type: nodeport
diff --git a/dev/galoy/Tiltfile b/dev/galoy/Tiltfile
new file mode 100644
index 0000000000..7428068b51
--- /dev/null
+++ b/dev/galoy/Tiltfile
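Review bot: `strimzi-kafka-operator.kafka.listener.type: nodeport` in kafka-values.yml (and `service.type: NodePort` for ingress-nginx) publishes the broker on every node's IP; nothing in this patch configures TLS or authentication on that listener, so on anything other than a loopback-only k3d cluster this is most likely a plaintext, unauthenticated Kafka reachable from the host network. It deserves a comment next to it, e.g. `# nodeport exposes the broker on every node IP with no auth; local k3d clusters only`, and a `listener.tls`/`authentication` block if the galoy-deps chart exposes one.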
@@ -0,0 +1,238 @@
+load('ext://helm_resource', 'helm_resource')
+load('ext://namespace', 'namespace_create')
+load('ext://secret', 'secret_from_dict', 'secret_create_generic')
+update_settings(k8s_upsert_timeout_secs=120)
+
+name_prefix = 'galoy-dev'
+galoy_namespace = '{}-galoy'.format(name_prefix)
+bitcoin_namespace = '{}-bitcoin'.format(name_prefix)
+
+namespace_create(galoy_namespace)
+
+# TODO: Add labels for better grouping
+def copy_secret(source_secret_name, source_namespace, target_namespace, resource_deps, target_secret_name=None):
+    if target_secret_name == None:
+        target_secret_name = source_secret_name
+
+    delete_secret_cmd = 'kubectl -n {} delete secret {} --ignore-not-found=true'.format(target_namespace, target_secret_name)
+    generate_secret_json_cmd = 'kubectl -n {} get secret {} -o json | jq "del(.metadata.namespace, .metadata.name) | .metadata.name = \\"{}\\""'.format(source_namespace, source_secret_name, target_secret_name)
+    create_secret_cmd = 'kubectl -n {} apply -f -'.format(target_namespace)
+
+    local_resource(
+        name='{}-secret-copier'.format(target_secret_name),
+        cmd='{} && {} | {}'.format(delete_secret_cmd, generate_secret_json_cmd, create_secret_cmd),
+        resource_deps=resource_deps
+    )
+
+copy_secret(
+    source_secret_name='network',
+    source_namespace=bitcoin_namespace,
+    target_namespace=galoy_namespace,
+    resource_deps=['bitcoind']
+)
+
+copy_secret(
+    source_secret_name='bitcoind-rpcpassword',
+    source_namespace=bitcoin_namespace,
+    target_namespace=galoy_namespace,
+    resource_deps=['bitcoind']
+)
+
+# copy lnd1-pubkey secret
+copy_secret(
+    source_secret_name='lnd1-pubkey',
+    source_namespace=bitcoin_namespace,
+    target_namespace=galoy_namespace,
+    resource_deps=['lnd1']
+)
+
+copy_secret(
+    source_secret_name='lnd1-pubkey',
+    source_namespace=bitcoin_namespace,
+    target_namespace=galoy_namespace,
+    target_secret_name='lnd2-pubkey',
+    resource_deps=['lnd1']
+)
+
+# copy lnd1-credentials secret
+copy_secret(
+ source_secret_name='lnd1-credentials',
+    source_namespace=bitcoin_namespace,
+    target_namespace=galoy_namespace,
+    resource_deps=['lnd1']
+)
+
+# # reuse lnd1_credentials for lnd2
+copy_secret(
+    source_secret_name='lnd1-credentials',
+    source_namespace=bitcoin_namespace,
+    target_namespace=galoy_namespace,
+    target_secret_name='lnd2-credentials',
+    resource_deps=['lnd1']
+)
+
+# copy loop1-credentials secret
+copy_secret(
+    source_secret_name='loop1-credentials',
+    source_namespace=bitcoin_namespace,
+    target_namespace=galoy_namespace,
+    resource_deps=['loop1']
+)
+
+# # reuse loop1_credentials for loop2
+copy_secret(
+    source_secret_name='loop1-credentials',
+    source_namespace=bitcoin_namespace,
+    target_namespace=galoy_namespace,
+    target_secret_name='loop2-credentials',
+    resource_deps=['loop1']
+)
+
+k8s_yaml(secret_from_dict(
+    name='gcs-sa-key',
+    namespace=galoy_namespace,
+    inputs={'key': 'dummy'}
+))
+
+k8s_yaml(secret_from_dict(
+    name='bria-api-key',
+    namespace=galoy_namespace,
+    inputs={'api-key': 'bria_dev_000000000000000000000'}
+))
+
+k8s_yaml(secret_from_dict(
+    name='geetest-key',
+    namespace=galoy_namespace,
+    inputs={'key': 'dummy', 'id': 'dummy'}
+))
+
+k8s_yaml(secret_from_dict(
+    name='galoy-mongodb',
+    namespace=galoy_namespace,
+    inputs={
+        'mongodb-password' : 'password',
+        'mongodb-passwords' : 'password',
+        'mongodb-root-password' : 'password',
+        'mongodb-replica-set-key' : 'replica'
+    }
+))
+
+k8s_yaml(secret_from_dict(
+    name='galoy-mongodb-connection-string',
+    namespace=galoy_namespace,
+    inputs={
+        'mongodb-con' : 'mongodb://testGaloy:password@galoy-mongodb:27017/galoy'
+    }
+))
+
+# galoy-redis-pw secret
+k8s_yaml(secret_from_dict(
+    name='galoy-redis-pw',
+    namespace=galoy_namespace,
+    inputs={'redis-password': 'redispw'}
+))
+
+# dropbox-access-token secret
+k8s_yaml(secret_from_dict(
+    name='dropbox-access-token',
+    namespace=galoy_namespace,
+    inputs={'token': 'dummy'}
+))
+
+# twilio-secret secret
+k8s_yaml(secret_from_dict(
+ name='twilio-secret',
+    namespace=galoy_namespace,
+    inputs={
+        'TWILIO_VERIFY_SERVICE_ID' : 'dummy',
+        'TWILIO_ACCOUNT_SID' : 'ACdummy',
+        'TWILIO_AUTH_TOKEN' : 'dummy'
+    }
+))
+
+# svix-secret secret
+k8s_yaml(secret_from_dict(
+    name='svix-secret',
+    namespace=galoy_namespace,
+    inputs={
+        'svix-secret': 'dummy'
+    }
+))
+
+# proxy-check-api-key secret
+k8s_yaml(secret_from_dict(
+    name='proxy-check-api-key',
+    namespace=galoy_namespace,
+    inputs={
+        'api-key': 'dummy'
+    }
+))
+
+# kratos-secret secret
+k8s_yaml(secret_from_dict(
+    name='kratos-secret',
+    namespace=galoy_namespace,
+    inputs={
+        'master_user_password': 'dummy',
+        'callback_api_key': 'dummy',
+    }
+))
+
+# galoy-oathkeeper secret
+k8s_yaml(secret_from_dict(
+    name='galoy-oathkeeper',
+    namespace=galoy_namespace,
+    inputs={
+        'mutator.id_token.jwks.json': local(
+            "cat oathkeeper_mutator_id_token_jwks.json | jq -c"
+        )
+    }
+))
+
+helm_resource(
+    name='postgresql',
+    chart='bitnami/postgresql',
+    namespace=galoy_namespace,
+    flags=[
+        '--values=./postgresql-values.yml',
+    ],
+    labels='galoy',
+    resource_deps=[
+        'network-secret-copier',
+        'bitcoind-rpcpassword-secret-copier',
+        'lnd1-pubkey-secret-copier',
+        'lnd1-credentials-secret-copier',
+        'lnd2-pubkey-secret-copier',
+        'lnd2-credentials-secret-copier',
+        'loop1-credentials-secret-copier',
+        'loop2-credentials-secret-copier',
+    ]
+)
+
+k8s_yaml(secret_from_dict(
+    name='galoy-price-history-postgres-creds',
+    namespace=galoy_namespace,
+    inputs={
+        'username': 'price-history',
+        'password': 'price-history',
+        'database': 'price-history'
+    }
+))
+
+# helm_resource(
+#     name='galoy',
+#     chart='../../charts/galoy',
+#     namespace=galoy_namespace,
+#     flags=[
+#         '--values=./galoy-values.yml',
+#         '--values=./galoy-regtest-values.yml',
+#     ],
+#     labels='galoy'
+# )
+
+k8s_yaml(helm(
+    '../../charts/galoy',
+    name = 'galoy',
+    namespace = galoy_namespace,
+    values = ['./galoy-values.yml', './galoy-regtest-values.yml'],
+))
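Review bot: The jq filter in `copy_secret` strips only `.metadata.namespace` and `.metadata.name`, so the copied Secret still carries the source's `uid`, `resourceVersion`, `creationTimestamp`, `managedFields` and any `ownerReferences`; a cross-namespace owner reference is treated as dangling by the garbage collector and can get the copy deleted behind Tilt's back, and a carried-over `resourceVersion` is at best ignored and at worst rejected on create. I would widen it to `del(.metadata.namespace, .metadata.name, .metadata.uid, .metadata.resourceVersion, .metadata.creationTimestamp, .metadata.managedFields, .metadata.ownerReferences)`. Further down, `chart='bitnami/postgresql'` has no `--version` pin, so the dev database tracks whatever the bitnami index serves that day and breaks on the next major bump; add `'--version=<x.y.z>'` to its flags. The `lnd2-*`/`loop2-*` copies deliberately reuse lnd1/loop1 material, which is fine for regtest but worth stating plainly instead of the `# # reuse ...` comments.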
diff --git a/dev/galoy/galoy-values.yml b/dev/galoy/galoy-values.yml
new file mode 100644
index 0000000000..53eb868bd9
--- /dev/null
+++ b/dev/galoy/galoy-values.yml
@@ -0,0 +1,42 @@
+galoy:
+  bria:
+    host: bria-api.galoy-dev-bitcoin.svc.cluster.local
+kratos:
+  kratos:
+    config:
+      dsn: postgresql://kratos-pg:kratos-pg@postgresql.galoy-dev-galoy.svc.cluster.local/kratos-pg
+      selfservice:
+        flows:
+          settings:
+            after:
+              profile:
+                hooks:
+                  - hook: web_hook
+                    config:
+                      url: http://invalid-because-we-dont-want-profile-to-be-updated
+                      method: POST
+                      body: base64: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
+                      auth:
+                        type: api_key
+                        config:
+                          name: Authorization
+                          value: dummy
+                          in: header
+          registration:
+            after:
+              password:
+                hooks:
+                  - hook: web_hook
+                    config:
+                      url: http://api:4002/kratos/registration
+                      method: POST
+                      response:
+                        parse: false
+                      body: base64: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
+                      auth:
+                        type: api_key
+                        config:
+                          name: Authorization
+                          value: dummy
+                          in: header
+                  - hook: session
diff --git a/dev/galoy/oathkeeper_mutator_id_token_jwks.json b/dev/galoy/oathkeeper_mutator_id_token_jwks.json
new file mode 100644
index 0000000000..2441adc010
--- /dev/null
+++ b/dev/galoy/oathkeeper_mutator_id_token_jwks.json
@@ -0,0 +1,18 @@ +{ + "keys": [ + { + "alg": "RS256", + "d": "WABQlnmXZ1n_prLInVVVh0lY52KlY7MxtqLKPoWZCV1Rt5nWwLhp9xMXhcYHcmck3aSMHD26Wkt1fbbtoNSB5hywmfD9nnxPc1EjbkkLNyQ8V4pcX5NpZhcLhRz8ODgIYWr4wNoXNTbVhHSMQMVUYTdA4FfAokjIXcYCCcjwlcXe-GxzIgDj0T5PjmWty6KDbbj3i8Dtas-npjgbhkS7_vJAnrMOB5baEm-j9BkWRnDkZMh_jpagXJ-lWc_d_f6-7-YcQK1Twg0wn34BVL2bbN9ekqbYdnw8LqfuVv2jjEHPOCHCpF8HvRR-xfxeXgjmFj-PE3MKV5qg3DHUL9-WsD2wMBXIKXr6D37MJnCa4j40W2747ORB_llP0XeDlTXlOSB8H87W3T2TVSWlsUlLE5Kx67GNIPfpbXnvck6GewqhZPdzQESONoe7gxlQWAq7v4b_k1BvFJLg0O6IK1m0Hb5k2Grb_1TZfsdZ-NOK9aEraOzCHfrQ0Nnvg191edCEfl2YXF--SHonv73lKhGT_D8iaf3gBSzmuEVPHh_U4Y1B9uqZpYP9Ei0PHkzifvJ5fAaL3XHxKXJVU60glSnC2ouFYIpQpEDFVWaPuDxfVg7iEuaZqpsw1AGZb4nrHhMPbjIs-7MwOich_iN8YiE27DwPE-nSw4y2LEOu1ukWDg0", + "dp": "HTpfnqsgU15rfde7Isw6H8zRqoEUxDM0N-Zo8iKrCUWq6wd8x-xBnoSv_r5lH0a6abGDwh4CHP5QZzxThn2C0ijBaEDXfqqVnX9z_68nNHuABOT9Aju6qRLPCy-djZoj86ui32F_3PShKFLnLCd3eeodVghhNYa6WSEZwC0MdjHs6vSA-eV8vP8JaOfuL2l81ilVr7-vo0HHgyaN1eHAqd8nau0qhDvgnVsWwWGAANvbODaL7b1YZh2ZdR-i0hfIRRESVzlCeEowqJtqZ8t1o0BDCFwdjvkp-T558Vm4R2rdzqoRBIWGzzdExhH-AraBLQUHGvIR0-7XIfqaY76aOQ", + "dq": "MwxEH6L5gokAP1U04_kz9HhWdUUfzpyPcB9JRNTUhVgrZIYg5awFRZKPou18sxmMzeJ29Er9Q_Ro3huCcOqZTHv5VMWj2jPCxgie6__98QKTS4vieLTXwX3Nfx6KA5EXuKnle1MuPylvQk8O11wcC2JqCML02DDlJ92YR125AIEx3FA3GFNXul1myhQBeXp3Z-Yv1DQ3_s2ev3ZQK9Z5jAoMZmOPLe7BFsZWE-tYOTb97f9BQRfQca7TmCiRXZo6OaiE90dgHVQuggp8FV4VpwIHePj3NhRUflBLbMKQY4WBxZilLVtcHzkXunzk4_uIYdQkzZwqhmcIukvk4DBbBQ", + "e": "AQAB", + "kid": "VAu6VmE6y-qU7M3Bhn1_nuj7oTwzL-GyuETHGfB6TtY=", + "kty": "RSA", + "n": 
"xG2w1oHymSvJfpz0TwvkPnQWStKtKdAcIEy8PP9BSbSJj0sv_F2Yo9KdJGpiDuW0qCaEw1uL5bgZ0ZDladvxwittVWq-VQ_7QOsf2H1J02fvbo4RQ17GnZeK2iwlvx1zD3z0RXabEimCUUMZaPuAlaaLGaXw1ETVdvCXgBmeqrAmEedkFwS7nh7-lcBwl4FAcc3yP2RAzDWgTHJN85qQnIJUHLwyxJZdoum1cylbknJU2dgxGQQ8rZQyjF6v6hG-H95YhcyCU7GWNYFsjMkzxOjCRy1f-2_zHvrSIxpK6cUAmeHfq8Dx3gzQ006xR3soWmDqQTgxRKvE8cAXuww83UcSt1Eb4HPgAhvs3xqD-bdLZB3VtcAjtNtzrW8tgSTQuTrc6BD_ddsnt2mUt2K3SIdSmuabedXaABV9IwaXg9gxqtyFZtxu-bQdq-vEWeGXgBIE_JioKIskcoCfV8g67hMK0c05sBrdh6aDurb_Q41fXqRLkU-jdWUP6RiRz1zW1fFDSRdsc8Yik4FpXZO-j2bv0toh8Ti7k0i9ylwPUGCrZcCHLmCU0E9pmz_6lkz4XR_vQULLvLzSRzgW_aH-o8dk9GBiS1hW2JnsEeFet4D6Dmhtkm2cWuEgNWNLE-Re-woLlQ6IpkRnKSo28FT6XW48vPKxGsRzclTcaIHSPpU", + "p": "-6T0mbghT7sVzUIVm-R0GHKqBCDMp53PrPPJZsOA31WQXj99OPBQADZMQZgCEvaBbTs9VKzfJHhyQ2vY0EdXkHcKH43qMMSMtx-p4BbU8J7j5c02uaslJ95fceWody2n8oiguUCuSq15GqNLtJ7cZcEEcbsZFezkr84Nw7FTHFSWBjxmL00JXZ8Wu5J3b4J_P5GM4i6GWreVn1ivTMyygFSGU0pOVx4peZmhcfNmuLKEPWcM7Ilr3tb0qDE76-isFdaL6lQADVcRt35rdV43HJVDr8t3KHLqbCw7L1dcdN98fJC80yeHFmakTKMuTNSt7JFs1FGurhjbCIiOAJJLUw", + "q": "x9QSaKMUXCaTWRtfxQJajDD5wVy1tnyuwTI0uYqGiCkc-LbW7PYqxxWzci3OSHO4TsR4WdFbJeqa9zqSjepSIOzqBerJKhrtR-NzhE-K03NEcaEa4_IvIbHBoJXeNXF6Ym_W-lo9gVNPqV3ff3q3LVRGQ6l6Z-Hd8YvaRtuk1tcGqMgt4YREWIVaqsAL8xf1hBtlqOdifSpRfIO9m_oWm5gHWKfq-4i3VJxogHcWbMxF7NARIZCFufTjRKiXC8SL4RfdAukVwSDfduLzAB_5OkDfDFTGhbJM7ElsPrkZM2AzDs7WGl6kgh0JYdcxxRshsPwYXrIr5L6x0qBMBw15dw", + "qi": "zm1XgPMkeTjOQgD3piw046-P3eG1bgQKBCO70V9QH-3wRtGtYF-5VVrpOuSwVjs0hYWGqgWADOAwNJXKQqIiokguXyTtRxLTuLuDRBoFQp4J_RJJI9CkWr8GRMlH_2pctqstVLrcCVgWkUAa_uZ2UZGqNP5tdP8GGb_q4EZ91Te28xy88x044Vn013u861LvNLslWQbPTmh82seBpnsP_GDd3tdESWTwK278HeqqN8bkgrRlf1Kd_QUGevyoj6MDxOv8E_6GFPcZlDi8xxQsQ3-C3Q-Yged40_1QZpQB0jUSsmOV0HomQwqsFolk95VeGqgj49mhGRQ21rynhS9Q0Q", + "use": "sig" + } + ] +} diff --git a/dev/monitoring/Tiltfile b/dev/monitoring/Tiltfile new file mode 100644 index 0000000000..b438b2ae62 --- /dev/null +++ b/dev/monitoring/Tiltfile 
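Review bot: This file is a complete RSA private key (`d`, `p`, `q`, `dp`, `dq`, `qi` alongside `n`/`e`) committed to the repository and loaded into the `galoy-oathkeeper` secret by dev/galoy/Tiltfile as Oathkeeper's id_token mutator key, so anyone with read access to the repo can mint id tokens that any verifier trusting this JWKS will accept. That is tolerable only if the key never leaves regtest dev: its `kid` (`VAu6VmE6y-qU7M3Bhn1_nuj7oTwzL-GyuETHGfB6TtY=`) must not collide with a staging or production JWKS, and the file must not be swept up by any values-copying into other environments. I would generate it at dev-setup time instead (Oathkeeper ships `oathkeeper credentials generate --alg RS256`, if that CLI is in the dev shell) and keep only a `.gitignore` entry here. JSON has no comment syntax, so the "dev-only, never reuse" warning has to live in the README or next to the `local(...)` that reads it in the Tiltfile.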
@@ -0,0 +1,14 @@
+load('ext://namespace', 'namespace_create')
+load('ext://helm_resource', 'helm_resource')
+
+name_prefix = 'galoy-dev'
+monitoring_namespace = '{}-monitoring'.format(name_prefix)
+
+namespace_create(monitoring_namespace)
+
+helm_resource(
+    name='monitoring',
+    chart='../../charts/monitoring',
+    namespace=monitoring_namespace,
+    labels='monitoring'
+)
diff --git a/flake.nix b/flake.nix
index f55493270a..e5f20afd0c 100644
--- a/flake.nix
+++ b/flake.nix
@@ -24,7 +24,9 @@
 nativeBuildInputs = [
 alejandra
 kubectl
+ python3
 tilt
+ jq
 k3d
 vendir
 ytt

From efe0b33be5442454939d19125944d2ce530ebdb7 Mon Sep 17 00:00:00 2001
From: bodymindarts
Date: Mon, 16 Oct 2023 20:49:45 +0200
Subject: [PATCH 2/2] feat: add consent to galoy chart

---
 charts/galoy/templates/_helpers.tpl | 8 +++
 .../galoy/templates/consent-deployment.yaml | 52 +++++++++++++++++++
 charts/galoy/templates/consent-ingress.yaml | 48 +++++++++++++++++
 charts/galoy/templates/consent-service.yaml | 18 +++++++
 charts/galoy/values.yaml | 16 ++++++
 5 files changed, 142 insertions(+)
 create mode 100644 charts/galoy/templates/consent-deployment.yaml
 create mode 100644 charts/galoy/templates/consent-ingress.yaml
 create mode 100644 charts/galoy/templates/consent-service.yaml

diff --git a/charts/galoy/templates/_helpers.tpl b/charts/galoy/templates/_helpers.tpl
index c3ce450a67..20defa2e8b 100644
--- a/charts/galoy/templates/_helpers.tpl
+++ b/charts/galoy/templates/_helpers.tpl
@@ -46,6 +46,14 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
 {{- default "trigger" .Values.galoy.trigger.nameOverride | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
+
+{{/*
+Create a default fully qualified consent name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "galoy.consent.fullname" -}}
+{{- default "consent" .Values.galoy.consent.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
 {{/*
 CronJob name
 */}}
diff --git a/charts/galoy/templates/consent-deployment.yaml b/charts/galoy/templates/consent-deployment.yaml
new file mode 100644
index 0000000000..0d75509786
--- /dev/null
+++ b/charts/galoy/templates/consent-deployment.yaml
@@ -0,0 +1,52 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ template "galoy.consent.fullname" . }}
+  labels:
+    app: {{ template "galoy.consent.fullname" . }}
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    release: "{{ .Release.Name }}"
+    app.kubernetes.io/managed-by: Helm
+
+    kube-monkey/enabled: enabled
+    kube-monkey/identifier: {{ template "galoy.trigger.fullname" . }}
+    kube-monkey/kill-mode: fixed
+    kube-monkey/kill-value: "1"
+    kube-monkey/mtbf: "8"
+spec:
+  selector:
+    matchLabels:
+      app: {{ template "galoy.consent.fullname" . }}
+      release: {{ .Release.Name }}
+  replicas: {{ .Values.galoy.consent.replicas }}
+  template:
+    metadata:
+      labels:
+        app: {{ template "galoy.consent.fullname" . }}
+        release: "{{ .Release.Name }}"
+        kube-monkey/enabled: enabled
+        kube-monkey/identifier: {{ template "galoy.trigger.fullname" . }}
+    spec:
+      serviceAccountName: {{ template "galoy.name" . }}
+      containers:
+      - name: consent
+        image: "{{ .Values.galoy.images.consent.repository }}@{{ .Values.galoy.images.consent.digest }}"
+        resources:
+          {{- toYaml .Values.resources | nindent 10 }}
+        ports:
+        - name: http
+          containerPort: {{ .Values.galoy.consent.port }}
+          protocol: TCP
+        env:
+        - name: PORT
+          value: "{{ .Values.galoy.consent.port }}"
+        - name: GRAPHQL_PUBLIC_API
+          value: {{ .Values.galoy.consent.graphqlPublicApi }}
+        - name: CORE_AUTH_URL
+          value: {{ .Values.galoy.consent.coreAuthUrl }}
+        - name: OTEL_EXPORTER_OTLP_ENDPOINT
+          value: {{ .Values.tracing.otelExporterOtlpEndpoint }}
+        - name: TRACING_SERVICE_NAME
+          value: "{{ .Values.tracing.prefix }}-{{ template "galoy.consent.fullname" . }}"
+        - name: HYDRA_ADMIN_URL
+          value: {{ .Values.galoy.consent.hydraAdminUrl }}
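Review bot: Both `kube-monkey/identifier` labels in consent-deployment.yaml render `{{ template "galoy.trigger.fullname" . }}`, a copy-paste from the trigger deployment, so kube-monkey will count consent pods as members of the trigger group and apply trigger's kill-value/mtbf to them; both should read `{{ template "galoy.consent.fullname" . }}`. The container's `resources:` block reads `.Values.resources`, while values.yaml adds `galoy.consent.resources: {}`, so the per-component setting is silently ignored and the fix is `{{- toYaml .Values.galoy.consent.resources | nindent 10 }}`. The pod also runs under the shared `galoy.name` service account; if that SA carries any RBAC for the API or trigger, the consent UI — internet-facing once its ingress is enabled and holding `HYDRA_ADMIN_URL` — inherits it, so a dedicated SA with `automountServiceAccountToken: false` would be the safer default. No liveness/readiness probes or `securityContext` are set, although probe settings are visible for other components in the values.yaml hunk below.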
diff --git a/charts/galoy/templates/consent-ingress.yaml b/charts/galoy/templates/consent-ingress.yaml
new file mode 100644
index 0000000000..d064ef56fb
--- /dev/null
+++ b/charts/galoy/templates/consent-ingress.yaml
@@ -0,0 +1,48 @@
+{{- if .Values.galoy.consent.ingress.enabled -}}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ template "galoy.consent.fullname" . }}
+  labels:
+    app: {{ template "galoy.consent.fullname" . }}
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    release: "{{ .Release.Name }}"
+    app.kubernetes.io/managed-by: Helm
+  annotations:
+    cert-manager.io/cluster-issuer: {{ .Values.galoy.consent.ingress.clusterIssuer }}
+    nginx.ingress.kubernetes.io/proxy-read-timeout: "3600" # 1 hour
+    nginx.ingress.kubernetes.io/proxy-send-timeout: "3600" # 1 hour
+    nginx.ingress.kubernetes.io/proxy-connect-timeout: "1s"
+    nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout"
+    nginx.ingress.kubernetes.io/proxy-next-upstream-tries: "3"
+    nginx.ingress.kubernetes.io/limit-rpm: "10"
+    nginx.ingress.kubernetes.io/limit-burst-multiplier: "2"
+    nginx.ingress.kubernetes.io/limit-connections: "10"
+    {{- with .Values.galoy.consent.ingress.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  ingressClassName: nginx
+  tls:
+  {{- range .Values.galoy.consent.ingress.hosts }}
+  - hosts:
+    - {{ . }}
+    secretName: {{ printf "%s-tls" . }}
+  {{- end }}
+  rules:
+  {{- range .Values.galoy.consent.ingress.hosts }}
+  - host: {{ . }}
+    http:
+      paths:
+      {{- if $.Values.galoy.consent.ingress.extraPaths }}
+      {{- toYaml $.Values.galoy.consent.ingress.extraPaths | nindent 10 }}
+      {{- end }}
+      - pathType: ImplementationSpecific
+        path: /
+        backend:
+          service:
+            name: {{ template "galoy.consent.fullname" $ }}
+            port:
+              number: {{ $.Values.galoy.consent.port }}
+  {{- end -}}
+{{- end -}}
diff --git a/charts/galoy/templates/consent-service.yaml b/charts/galoy/templates/consent-service.yaml
new file mode 100644
index 0000000000..0c190114e1
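Review bot: The ingress applies `limit-rpm: "10"` and `limit-connections: "10"` per client IP to a browser-facing login/consent UI, so users behind a shared NAT or corporate egress will start seeing 503s after a handful of page loads; if these annotations were lifted from an API ingress they should be retuned for a UI and the intent recorded in a comment above them. `proxy-connect-timeout: "1s"` is documented by ingress-nginx as an integer number of seconds, so the `s` suffix is either ignored or rejected by annotation validation depending on controller version; `"1"` is the safe spelling. `cert-manager.io/cluster-issuer: {{ ... }}` and the `- {{ . }}` host entries are unquoted templated scalars; quoting them (`"{{ . }}"`) guards against an empty or YAML-special value turning into a null or a parse error.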
--- /dev/null
+++ b/charts/galoy/templates/consent-service.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "galoy.consent.fullname" . }}
+  labels:
+    app: {{ template "galoy.consent.fullname" . }}
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    release: "{{ .Release.Name }}"
+    app.kubernetes.io/managed-by: Helm
+spec:
+  type: {{ .Values.galoy.consent.serviceType }}
+  ports:
+  - port: {{ .Values.galoy.consent.port }}
+    targetPort: {{ .Values.galoy.consent.port }}
+    protocol: TCP
+    name: http
+  selector:
+    app: {{ template "galoy.consent.fullname" . }}
diff --git a/charts/galoy/values.yaml b/charts/galoy/values.yaml
index 8e0b770ebc..7585059b35 100644
--- a/charts/galoy/values.yaml
+++ b/charts/galoy/values.yaml
@@ -61,6 +61,11 @@ galoy:
 ## Digest of the image
 ##
 digest: "sha256:aa16b25de59adef5b13b391394c9b637ce79c64e20ca36d0798968b5028a08d2"
+ consent:
+ repository: us.gcr.io/galoy-org/galoy-consent
+ ## Digest of the image
+ ##
+ digest: "sha256:f0a9190ad0b1f4accddc938c7ebd08ee7e9006011864d68cc1ad4aae6451ac46"
 ## Galoy Application MongoDB Migration Image details
 ##
 mongodbMigrate:
@@ -381,6 +386,17 @@ galoy:
 failureThreshold: 5
 successThreshold: 2
 timeoutSeconds: 1
+ consent:
+ resources: {}
+ port: 80
+ graphqlPublicApi: http://galoy-oathkeeper-proxy/graphql
+ coreAuthUrl: http://galoy-oathkeeper-proxy/auth
+ hydraAdminUrl: http://galoy-hydra-admin:4445
+ ingress:
+ enabled: false
+ hosts: [consent.staging.galoy.io]
+ clusterIssuer: letsencrypt-issuer
+ tlsSecretName: websocket-tls
 mongoBackupCron:
 resources: {}
 galoyCron:
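Review bot: The consent templates read `.Values.galoy.consent.serviceType` (service `type:`) and `.Values.galoy.consent.replicas` (deployment `replicas:`), but neither key is added under `consent:` in values.yaml here; both appear to work only because Helm renders a missing key as an empty value and the API server then defaults to ClusterIP and one replica. Add `serviceType: ClusterIP` and `replicas: 1` so the defaults are explicit and overridable. `ingress.tlsSecretName: websocket-tls` is never read by consent-ingress.yaml (it derives `<host>-tls` per host) and looks copied from the websocket ingress, so drop it; and `hosts: [consent.staging.galoy.io]` is a vendor-specific default in a reusable chart — `hosts: []` with the real host set per environment avoids someone flipping `enabled: true` and requesting a certificate for a galoy.io name.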