
feat: vault (#45)
* CMAN poc.

* use jvm at this point.

* use jvm at this point.

* use jvm at this point.

* use jvm at this point.

* use jvm at this point.

* use jvm at this point.

* use jvm at this point.

* native mode.

* native mode.

* Add access logging.

* CMAN related changes.

* try reading from vault.

* revert back on certs.

* update to java 21.

* update to java 21.

* fix path of vault.

* fix path of vault.

* fix network policy name for HELM ownership.

* fix helm component name

* add compatibility

* updating the version.

* port

* disable access logs by default

* update versions.
mishraomp authored Nov 16, 2023
1 parent 733d1aa commit 9040a1e
Showing 13 changed files with 88 additions and 18 deletions.
39 changes: 38 additions & 1 deletion .github/workflows/on-pr-main.yml
Expand Up @@ -57,8 +57,35 @@ jobs:
needs:
- builds
runs-on: ubuntu-22.04
environment: test
env:
project_name: nr-oracle
app_name: nr-oracle-service
environment: development
secret_path_env: dev # this path is different from the path in the broker
steps:
- uses: actions/checkout@v4
- name: Broker
id: broker
uses: bcgov-nr/[email protected]
with:
broker_jwt: ${{ secrets.BROKER_JWT }}
provision_role_id: ${{ secrets.PROVISION_ROLE }}
project_name: ${{ env.project_name }}
app_name: ${{ env.app_name }}
environment: ${{ env.environment }}
- name: Import Secrets
id: secrets
uses: hashicorp/[email protected]
with:
url: https://vault-iit.apps.silver.devops.gov.bc.ca
token: ${{ steps.broker.outputs.vault_token }}
exportEnv: 'false'
secrets: |
apps/data/${{ env.secret_path_env }}/${{ env.project_name }}/${{ env.app_name }}/rar dbHost | DB_HOST;
apps/data/${{ env.secret_path_env }}/${{ env.project_name }}/${{ env.app_name }}/rar dbName | DB_NAME;
apps/data/${{ env.secret_path_env }}/${{ env.project_name }}/${{ env.app_name }}/rar dbPassword | DB_PWD;
apps/data/${{ env.secret_path_env }}/${{ env.project_name }}/${{ env.app_name }}/rar dbUser | DB_USER;
- name: Deploy to OpenShift
shell: bash
run: |
Expand All @@ -70,4 +97,14 @@ jobs:
oc project ${{ vars.oc_namespace }}
# Deploy Helm Chart
helm upgrade --install --wait --atomic nr-oracle-service-${{ github.event.number }} --set nameOverride=nr-oracle-service-${{ github.event.number }} --set image.tag=pr-${{ github.event.number }} --set app.envs.DB_HOST=${{ secrets.DB_HOST }} --set app.envs.DB_NAME=${{ secrets.DB_NAME }} --set app.envs.DB_PASSWORD=${{ secrets.DB_PASSWORD }} --set app.envs.DB_USER=${{ secrets.DB_USER }} --set image.repository=ghcr.io/${{ github.repository }}/nr-oracle-service --set image.repositoryInit=ghcr.io/${{ github.repository }}/nr-oracle-service-init --set namespace=${{ vars.oc_namespace }} --timeout 10m charts/nr-oracle-service --debug
helm upgrade --install nr-oracle-service-${{ github.event.number }} \
--set-string image.tag=${{ github.sha }} \
--set-string app.envs.DB_HOST=${{ steps.secrets.outputs.DB_HOST }} \
--set-string app.envs.DB_NAME=${{ steps.secrets.outputs.DB_NAME }} \
--set-string app.envs.DB_PASSWORD=${{ steps.secrets.outputs.DB_PWD }} \
--set-string app.envs.DB_USER=${{ steps.secrets.outputs.DB_USER }} \
--set-string app.envs.DB_PORT="${{ secrets.DB_PORT }}" \
--set-string image.repository="ghcr.io/${{ github.repository }}/nr-oracle-service" \
--set-string image.repositoryInit="ghcr.io/${{ github.repository }}/nr-oracle-service-init" \
--set-string namespace=${{ vars.oc_namespace }} \
--timeout 10m charts/nr-oracle-service
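Review bot: The rewritten `helm upgrade` in the second hunk drops the `--wait --atomic` flags the replaced command carried, so a rollout whose pods never become ready no longer fails the job or rolls back; restore them on the first line, `helm upgrade --install --wait --atomic nr-oracle-service-${{ github.event.number }} \`. The Vault-sourced values are also spliced straight into the bash script via `${{ steps.secrets.outputs.* }}` without quotes (only `DB_PORT` is quoted), so a password containing whitespace or shell metacharacters is parsed by the shell rather than handed to helm. Export them as step `env:` entries and reference `"$DB_PWD"` and friends from the script, which keeps the secret text out of the expanded command text as well. Whether the builds job now tags images by `${{ github.sha }}` (the replaced command used `pr-<number>`) cannot be confirmed from this hunk. The job definition starts above the first hunk.
```yaml
      - name: Deploy to OpenShift
        shell: bash
        env:
          DB_HOST: ${{ steps.secrets.outputs.DB_HOST }}
          DB_NAME: ${{ steps.secrets.outputs.DB_NAME }}
          DB_PWD: ${{ steps.secrets.outputs.DB_PWD }}
          DB_USER: ${{ steps.secrets.outputs.DB_USER }}
          DB_PORT: ${{ secrets.DB_PORT }}
        run: |
          # … unchanged: oc project …
          helm upgrade --install --wait --atomic nr-oracle-service-${{ github.event.number }} \
            --set-string image.tag=${{ github.sha }} \
            --set-string app.envs.DB_HOST="$DB_HOST" \
            --set-string app.envs.DB_NAME="$DB_NAME" \
            --set-string app.envs.DB_PASSWORD="$DB_PWD" \
            --set-string app.envs.DB_USER="$DB_USER" \
            --set-string app.envs.DB_PORT="$DB_PORT" \
            # … unchanged: image.repository, image.repositoryInit, namespace, --timeout …
```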
1 change: 1 addition & 0 deletions .gitignore
Expand Up @@ -41,3 +41,4 @@ nb-configuration.xml

# Plugin directory
/.quarkus/cli/plugins/
cman_certificate.crt
24 changes: 23 additions & 1 deletion Dockerfile
@@ -1,4 +1,4 @@
FROM quay.io/quarkus/ubi-quarkus-native-image:22.3.0-java17 AS build
FROM quay.io/quarkus/ubi-quarkus-mandrel-builder-image:jdk-21 AS build
COPY --chown=quarkus:quarkus mvnw /code/mvnw
COPY --chown=quarkus:quarkus .mvn /code/.mvn
COPY --chown=quarkus:quarkus pom.xml /code/
Expand All @@ -8,6 +8,7 @@ RUN chmod +x mvnw
RUN ./mvnw -B org.apache.maven.plugins:maven-dependency-plugin:3.1.2:go-offline
COPY src /code/src
RUN ./mvnw package -Pnative -DskipTests
#RUN ./mvnw package -DskipTests for JVM mode
HEALTHCHECK --interval=300s --timeout=30s CMD ./mvnw --version || exit 1
###
FROM quay.io/quarkus/quarkus-micro-image:2.0
Expand All @@ -21,3 +22,24 @@ EXPOSE 3000
USER 1001
HEALTHCHECK --interval=300s --timeout=3s CMD curl -f http://localhost:3000/ || exit 1
CMD ["./application", "-Dquarkus.http.host=0.0.0.0"]



#
#FROM registry.access.redhat.com/ubi8/openjdk-17:1.16

#ENV LANGUAGE='en_US:en'


# We make four distinct layers so if there are application changes the library layers can be re-used
#COPY --chown=185 --from=build /code/target/quarkus-app/lib/ /deployments/lib/
#COPY --chown=185 --from=build /code/target/quarkus-app/*.jar /deployments/
#COPY --chown=185 --from=build /code/target/quarkus-app/app/ /deployments/app/
#COPY --chown=185 --from=build /code/target/quarkus-app/quarkus/ /deployments/quarkus/

#EXPOSE 8080
#USER 185
#ENV JAVA_OPTS="-Dquarkus.http.host=0.0.0.0 -Djava.util.logging.manager=org.jboss.logmanager.LogManager"
#ENV JAVA_APP_JAR="/deployments/quarkus-run.jar"
#HEALTHCHECK --interval=300s --timeout=3s CMD curl -f http://localhost:3000/ || exit 1
#ENTRYPOINT [ "/opt/jboss/container/java/run/run-java.sh" ]
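Review bot: The build stage now pulls `quay.io/quarkus/ubi-quarkus-mandrel-builder-image:jdk-21`, a floating tag, where the replaced line pinned `22.3.0-java17`; the same applies to `eclipse-temurin:21-jdk-alpine` in Dockerfile.certs. A floating tag lets the native toolchain change underneath a rebuild of the same commit, so pin a specific Mandrel release tag, ideally with a digest: `FROM quay.io/quarkus/ubi-quarkus-mandrel-builder-image:<pinned-mandrel-tag>@sha256:<digest> AS build`. The twenty commented-out lines after `CMD [...]`, from `#FROM registry.access.redhat.com/ubi8/openjdk-17:1.16` to `#ENTRYPOINT`, are a second JVM-mode image kept as dead text; move them to a separate JVM-mode Dockerfile (or drop them) and turn the `#RUN ./mvnw package -DskipTests for JVM mode` hint into a proper comment, `# JVM mode build: ./mvnw package -DskipTests (see the JVM Dockerfile)`.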
2 changes: 1 addition & 1 deletion Dockerfile.certs
@@ -1,5 +1,5 @@
#This Dockerfile mounts the certs
FROM eclipse-temurin:17.0.8_7-jdk-alpine AS buildCert
FROM eclipse-temurin:21-jdk-alpine AS buildCert

ENV LANG en_CA.UTF-8
ENV LANGUAGE en_CA.UTF-8
4 changes: 2 additions & 2 deletions charts/nr-oracle-service/Chart.yaml
Expand Up @@ -16,11 +16,11 @@ type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 0.1.18
version: 0.2.0

# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
# follow Semantic Versioning. They should reflect the version the application is using.
# It is recommended to use it with quotes.
appVersion: "0.1.18"
appVersion: "3.5.2"

2 changes: 1 addition & 1 deletion charts/nr-oracle-service/templates/_helpers.tpl
Expand Up @@ -2,7 +2,7 @@
Expand the name of the chart.
*/}}
{{- define "component.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- default .Release.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}

{{/*
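Review bot: The comment above `component.name`, `Expand the name of the chart.`, no longer describes the template: the body now yields `.Values.nameOverride` when set and otherwise `.Release.Name`, not the chart name. Update it to `Resolve the component name: nameOverride when set, otherwise the release name, truncated to 63 chars.` so readers understand why resources follow the release rather than the chart. The change is load-bearing, since deployment.yaml switches its image references from `component.fullname` to this helper in the same commit.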
14 changes: 8 additions & 6 deletions charts/nr-oracle-service/templates/deployment.yaml
Expand Up @@ -3,14 +3,14 @@ apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "component.name" . }}
labels:
labels:
{{- include "component.labels" . | nindent 4 }}
spec:
{{- if not .Values.autoscaling.enabled }}
replicas: {{ .Values.replicaCount }}
{{- end }}
selector:
matchLabels:
matchLabels:
{{- include "component.selectorLabels" . | nindent 6 }}
template:
metadata:
Expand All @@ -29,7 +29,7 @@ spec:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
initContainers:
- name: {{ .Chart.Name }}-init
image: "image-registry.openshift-image-registry.svc:5000/{{.Release.Namespace}}/{{ include "component.fullname" . }}-init:{{ .Values.image.tag | default .Chart.AppVersion }}"
image: "image-registry.openshift-image-registry.svc:5000/{{.Release.Namespace}}/{{ include "component.name" . }}-init:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
resources:
{{- toYaml .Values.resources | nindent 12 }}
Expand All @@ -45,15 +45,15 @@ spec:
key: certSecret
name: {{ include "component.name" . }}
- name: DB_PORT
value: "1543"
value: '1543'
volumeMounts:
- name: {{ include "component.name" . }}
mountPath: /app/cert
containers:
- name: {{ .Chart.Name }}
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
image: "image-registry.openshift-image-registry.svc:5000/{{.Release.Namespace}}/{{ include "component.fullname" . }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
image: "image-registry.openshift-image-registry.svc:5000/{{.Release.Namespace}}/{{ include "component.name" . }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
ports:
- name: http
Expand Down Expand Up @@ -120,6 +120,8 @@ spec:
value: {{ required "A valid .Values.app.envs.POOL_MAX_LIFETIME entry required!" .Values.app.envs.POOL_MAX_LIFETIME | quote }}
- name: POOL_LEAK_DETECTION_INTERVAL
value: {{ required "A valid .Values.app.envs.POOL_LEAK_DETECTION_INTERVAL entry required!" .Values.app.envs.POOL_LEAK_DETECTION_INTERVAL | quote }}
- name: ACCESS_LOG_ENABLED
value: {{ required "A valid .Values.app.envs.ACCESS_LOG_ENABLED entry required!" .Values.app.envs.ACCESS_LOG_ENABLED | quote }}
volumeMounts:
- name: {{ include "component.name" . }}
mountPath: /app/cert
mountPath: /app/cert
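Review bot: The init container's `DB_PORT` still hardcodes `'1543'` (the third hunk only swaps the quote style), while this commit adds `app.envs.DB_PORT` to values.yaml and a `dbPort` key to secret.yaml, so the port now lives in two places that can drift. Replace `value: '1543'` with a `valueFrom.secretKeyRef` entry reading key `dbPort` from `{{ include "component.name" . }}`, mirroring the `certSecret` entry directly above it. Whether the main container's env block reads DB_PORT from the secret is not visible, as the `spec:` block continues outside the hunks.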
4 changes: 2 additions & 2 deletions charts/nr-oracle-service/templates/networkpolicy.yaml
Expand Up @@ -2,7 +2,7 @@
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-apps-to-connect-to-{{ include "component.name" . }}
name: allow-apps-to-connect-to-{{ .Release.Name }}
labels:
{{- include "component.labels" . | nindent 6 }}
spec:
Expand All @@ -11,4 +11,4 @@ spec:
- from:
- podSelector: {}
policyTypes:
- Ingress
- Ingress
3 changes: 2 additions & 1 deletion charts/nr-oracle-service/templates/secret.yaml
Expand Up @@ -3,7 +3,7 @@
{{- $secretObj := (lookup "v1" "Secret" .Release.Namespace $secretName) | default dict }}
{{- $secretData := (get $secretObj "data") | default dict }}
# set below to existing secret data or generate a random one when not exists
{{- $certSecret := (get $secretData "certSecret") | default (randAlpha 10 | lower | b64enc) }}
{{- $certSecret := (get $secretData "certSecret") | default (randAlpha 10 | lower | b64enc) }}
{{- $apiKey := (get $secretData "apiKey") | default (randAlphaNum 32 | b64enc) }}
---
apiVersion: v1
Expand All @@ -15,6 +15,7 @@ data:
dbUser: {{ .Values.app.envs.DB_USER | b64enc | quote }}
dbPassword: {{ .Values.app.envs.DB_PASSWORD | b64enc | quote }}
dbHost: {{ .Values.app.envs.DB_HOST | b64enc | quote }}
dbPort: {{ .Values.app.envs.DB_PORT | b64enc | quote }}
dbName: {{ .Values.app.envs.DB_NAME | b64enc | quote }}
certSecret: {{ $certSecret | quote }} # cert secret is reused.
apiKey: {{ $apiKey | quote }}
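Review bot: The new `dbPort: {{ .Values.app.envs.DB_PORT | b64enc | quote }}` line is always rendered, yet `DB_PORT` defaults to `~` in values.yaml and is absent from the `required` array in values.schema.json, so an install that omits `app.envs.DB_PORT` passes a nil into `b64enc`; the neighbouring `dbUser`, `dbHost` and `dbName` keys are all schema-required and never reach that path, and whether the render fails or emits an odd value depends on the sprig version. Either add `"DB_PORT"` to the schema's `required` array or guard the line the way deployment.yaml guards its env entries: `dbPort: {{ required "A valid .Values.app.envs.DB_PORT entry required!" .Values.app.envs.DB_PORT | b64enc | quote }}`. The `data:` mapping begins above the second hunk.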
4 changes: 3 additions & 1 deletion charts/nr-oracle-service/values.schema.json
Expand Up @@ -192,10 +192,12 @@
"type": "string",
"default": "1"
}

},
"required": [
"DB_HOST", "DB_NAME", "DB_PASSWORD", "DB_USER"
]
],
"additionalProperties": true
},
"ports": {
"type": "object",
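Review bot: `"additionalProperties": true` on the `envs` object switches off the only check that would catch a misspelled env key, and it lands in the same commit that introduces `DB_PORT` and `ACCESS_LOG_ENABLED`; declaring those two under `properties` (the object begins above the hunk) keeps the schema strict while admitting the new values. With the relaxed schema a mis-cased `ACCESS_LOG_ENABLED` key validates and only fails later, at template time, on the `required` call in deployment.yaml. If arbitrary extra env vars are genuinely intended, state that in a `"description"` on the object, since JSON has no comments.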
3 changes: 3 additions & 0 deletions charts/nr-oracle-service/values.yaml
Expand Up @@ -72,15 +72,18 @@ affinity: {}
app:
envs:
DB_HOST: ~
DB_PORT: ~
DB_NAME: ~
DB_PASSWORD: ~
DB_USER: ~
CMAN_CERT: ~
HTTP_PORT: "3000"
POOL_IDLE_TIMEOUT: "60000"
POOL_INITIAL_SIZE: "1"
POOL_LEAK_DETECTION_INTERVAL: "45000"
POOL_MAX_LIFETIME: "180000"
POOL_MAX_SIZE: "1"
POOL_MIN_SIZE: "1"
ACCESS_LOG_ENABLED: "false"
ports:
http: 3000
4 changes: 2 additions & 2 deletions pom.xml
Expand Up @@ -7,12 +7,12 @@
<version>0.1.18</version>
<properties>
<compiler-plugin.version>3.11.0</compiler-plugin.version>
<maven.compiler.release>17</maven.compiler.release>
<maven.compiler.release>21</maven.compiler.release>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
<quarkus.platform.artifact-id>quarkus-bom</quarkus.platform.artifact-id>
<quarkus.platform.group-id>io.quarkus.platform</quarkus.platform.group-id>
<quarkus.platform.version>3.5.1</quarkus.platform.version>
<quarkus.platform.version>3.5.2</quarkus.platform.version>
<skipITs>true</skipITs>
<surefire-plugin.version>3.2.2</surefire-plugin.version>
</properties>
2 changes: 2 additions & 0 deletions src/main/resources/application.properties
Expand Up @@ -11,6 +11,8 @@ quarkus.datasource.jdbc.leak-detection-interval=${POOL_LEAK_DETECTION_INTERVAL:4
quarkus.http.port=${HTTP_PORT:3000}
%dev.quarkus.datasource.jdbc.url=jdbc:oracle:thin:@${DB_HOST}:1521/${DB_NAME}
api.key=${API_KEY}
quarkus.http.access-log.enabled=${ACCESS_LOG_ENABLED:false}
quarkus.native.additional-build-args=-march=compatibility
# Trigger build.
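Review bot: `quarkus.http.access-log.enabled=${ACCESS_LOG_ENABLED:false}` enables access logging without setting `quarkus.http.access-log.pattern`, so the default pattern records the full request line including any query string; this service authenticates with `api.key` two lines above, and if clients can pass that key as a query parameter it would land in the access log once the flag is on — how the key is transported is not visible here. Either fix a pattern that omits the query string or document the constraint next to the new line, `# Default pattern logs the full request URI; API keys must not travel in query strings.` The new `quarkus.native.additional-build-args=-march=compatibility` also deserves a why-comment, e.g. `# Target a baseline CPU so the native binary runs on any cluster node.`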

