From 5c91f9a029b06affb78bb99bfdc0f08bdbfccc41 Mon Sep 17 00:00:00 2001 From: Kalin Krustev Date: Thu, 21 Mar 2024 06:29:47 +0000 Subject: [PATCH 001/201] fix: unreasonably high delays for probes --- .../mojaloop/values-mojaloop.yaml.tpl | 54 +++++++++++++++++++ 1 file changed, 54 insertions(+) diff --git a/terraform/gitops/generate-files/templates/mojaloop/values-mojaloop.yaml.tpl b/terraform/gitops/generate-files/templates/mojaloop/values-mojaloop.yaml.tpl index 468eecfc2..68341f48f 100644 --- a/terraform/gitops/generate-files/templates/mojaloop/values-mojaloop.yaml.tpl +++ b/terraform/gitops/generate-files/templates/mojaloop/values-mojaloop.yaml.tpl @@ -372,6 +372,15 @@ centralledger: config: prefix: *CL_MONITORING_PREFIX centralledger-handler-transfer-prepare: + readinessProbe: + initialDelaySeconds: 5 + livenessProbe: + initialDelaySeconds: 10 + sidecar: + readinessProbe: + initialDelaySeconds: 5 + livenessProbe: + initialDelaySeconds: 10 %{ if central_ledger_handler_transfer_prepare_affinity != null ~} affinity: ${indent(8, central_ledger_handler_transfer_prepare_affinity)} @@ -402,6 +411,15 @@ centralledger: config: prefix: *CL_MONITORING_PREFIX centralledger-handler-transfer-position: + readinessProbe: + initialDelaySeconds: 5 + livenessProbe: + initialDelaySeconds: 10 + sidecar: + readinessProbe: + initialDelaySeconds: 5 + livenessProbe: + initialDelaySeconds: 10 %{ if central_ledger_handler_transfer_position_affinity != null ~} affinity: ${indent(8, central_ledger_handler_transfer_position_affinity)} 
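Review bot: The nine-line `readinessProbe`/`livenessProbe`/`sidecar` stanza added under `centralledger-handler-transfer-prepare` is repeated verbatim in the five later hunks of this file (the transfer-position, transfer-position-batch, transfer-get, transfer-fulfil and timeout handlers), which is six places to keep in step the next time the delays change. The file already relies on anchors such as `*CL_MONITORING_PREFIX` and `*MOJALOOP_TOLERATIONS`, so the stanza could be declared once (for example as `&CL_HANDLER_PROBES`) and pulled in per handler with `<<: *CL_HANDLER_PROBES`; merge keys are a YAML 1.1 extension, so confirm the chart's loader expands them before relying on it. A short comment on why these values are overridden would also help a later reader, e.g. `# probe initial delays overridden: the previous values were far longer than the handlers need`.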
@@ -432,6 +450,15 @@ centralledger: prefix: *CL_MONITORING_PREFIX centralledger-handler-transfer-position-batch: enabled: *CL_BATCH_PROCESSING_ENABLED + readinessProbe: + initialDelaySeconds: 5 + livenessProbe: + initialDelaySeconds: 10 + sidecar: + readinessProbe: + initialDelaySeconds: 5 + livenessProbe: + initialDelaySeconds: 10 %{ if central_ledger_handler_transfer_position_batch_affinity != null ~} affinity: ${indent(8, central_ledger_handler_transfer_position_batch_affinity)} @@ -463,6 +490,15 @@ centralledger: config: prefix: *CL_MONITORING_PREFIX centralledger-handler-transfer-get: + readinessProbe: + initialDelaySeconds: 5 + livenessProbe: + initialDelaySeconds: 10 + sidecar: + readinessProbe: + initialDelaySeconds: 5 + livenessProbe: + initialDelaySeconds: 10 %{ if central_ledger_handler_transfer_get_affinity != null ~} affinity: ${indent(8, central_ledger_handler_transfer_get_affinity)} @@ -492,6 +528,15 @@ centralledger: config: prefix: *CL_MONITORING_PREFIX centralledger-handler-transfer-fulfil: + readinessProbe: + initialDelaySeconds: 5 + livenessProbe: + initialDelaySeconds: 10 + sidecar: + readinessProbe: + initialDelaySeconds: 5 + livenessProbe: + initialDelaySeconds: 10 %{ if central_ledger_handler_transfer_fulfil_affinity != null ~} affinity: ${indent(8, central_ledger_handler_transfer_fulfil_affinity)} @@ -522,6 +567,15 @@ centralledger: config: prefix: *CL_MONITORING_PREFIX centralledger-handler-timeout: + readinessProbe: + initialDelaySeconds: 5 + livenessProbe: + initialDelaySeconds: 10 + sidecar: + readinessProbe: + initialDelaySeconds: 5 + livenessProbe: + initialDelaySeconds: 10 tolerations: *MOJALOOP_TOLERATIONS config: kafka_host: *KAFKA_HOST From 5949baad08db7a1c742d873e74064c95d2791c6b Mon Sep 17 00:00:00 2001 
From: Sijo George Date: Thu, 21 Mar 2024 16:51:36 +0530 Subject: [PATCH 002/201] Adding refresh remplates for bootstrap --- .../ci-templates/bootstrap/.gitlab-ci.yml | 19 ++++++++++++ .../.gitlab/scripts/refresh-templates.sh | 31 +++++++++++++++++++ 2 files changed, 50 insertions(+) create mode 100644 terraform/gitlab/ci-templates/bootstrap/.gitlab/scripts/refresh-templates.sh diff --git a/terraform/gitlab/ci-templates/bootstrap/.gitlab-ci.yml b/terraform/gitlab/ci-templates/bootstrap/.gitlab-ci.yml index ace2f275f..705ef79bd 100644 --- a/terraform/gitlab/ci-templates/bootstrap/.gitlab-ci.yml +++ b/terraform/gitlab/ci-templates/bootstrap/.gitlab-ci.yml @@ -22,6 +22,7 @@ stages: - build - deploy - deploy-env-templates + - refresh-templates - cleanup variables: @@ -33,6 +34,10 @@ variables: TMP_TEMPLATES_DIR: /tmp/iac-templates TMP_GIT_REPO: /tmp/git-iac-templates ANSIBLE_BASE_OUTPUT_DIR: $TF_ROOT/ansible + CC_CI_TEMPLATE_PATH: terraform/gitlab/ci-templates/bootstrap + CC_TEMPLATE_PATH: terraform/control-center/init + CC_TMP_GIT_REPO: /tmp/git-cc-iac-templates + CC_TMP_TEMPLATES_DIR: /tmp/cc-iac-templates image: ${CI_REGISTRY_IMAGE}:${IMAGE_TAG} @@ -145,6 +150,20 @@ deploy-env-templates: - .gitlab/scripts/seedenvproject.sh $ENV_TO_UPDATE $TMP_GIT_REPO $TMP_TEMPLATES_DIR ${GITLAB_SEED_TOKEN} $IAC_MODULES_VERSION_TO_UPDATE when: manual +refresh-templates: + stage: refresh-templates + variables: + VAULT_ADDR: $VAULT_SERVER_URL + id_tokens: + VAULT_ID_TOKEN: + aud: $VAULT_SERVER_URL + script: + - !reference [.source, script] + - export VAULT_TOKEN="$(vault write -field=token auth/${VAULT_AUTH_PATH}/login role=$VAULT_AUTH_ROLE jwt=$VAULT_ID_TOKEN)" + - export GITLAB_SEED_TOKEN="$(vault kv get -field=value secret/bootstrap/gitlab_root_token)" + - .gitlab/scripts/refresh-templates.sh $CC_TMP_GIT_REPO $CC_TMP_TEMPLATES_DIR $GITLAB_TOKEN $IAC_TERRAFORM_MODULES_TAG + when: manual + #do nothing for now destroy: extends: .terraform:destroy 
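Review bot: In the new `refresh-templates` job the Vault-sourced root token is handed to the script as a positional argument (`$GITLAB_TOKEN` on the `.gitlab/scripts/refresh-templates.sh` line), where it is visible in the process list and in any `set -x` trace, and GitLab's log masking only covers variables flagged as masked in CI settings, not a value exported inside the job. Since the line above already exports it, the script can read it from the environment instead: `- .gitlab/scripts/refresh-templates.sh $CC_TMP_GIT_REPO $CC_TMP_TEMPLATES_DIR $IAC_TERRAFORM_MODULES_TAG` here, with `ROOT_TOKEN=${GITLAB_TOKEN:?}` in the script added by this commit's second file. The export is named `GITLAB_SEED_TOKEN` while the argument reads `$GITLAB_TOKEN`, so as committed the script receives an empty token; the following commit renames the export. The job reads `secret/bootstrap/gitlab_root_token` to push to a single project, so a project-scoped access token with write access to that repository would limit what a leaked value can do.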
diff --git a/terraform/gitlab/ci-templates/bootstrap/.gitlab/scripts/refresh-templates.sh b/terraform/gitlab/ci-templates/bootstrap/.gitlab/scripts/refresh-templates.sh
new file mode 100644
index 000000000..1a67cdf5f
--- /dev/null
+++ b/terraform/gitlab/ci-templates/bootstrap/.gitlab/scripts/refresh-templates.sh
@@ -0,0 +1,31 @@
+CC_TMP_GIT_REPO=$1
+CC_TMP_TEMPLATE_DIR=$2
+ROOT_TOKEN=$3
+WORKING_DIR=$PWD
+BASE_GITLAB_URL=https://root:${ROOT_TOKEN}@${CI_SERVER_HOST}/iac
+IAC_MODULES_TAG=$4
+
+
+rm -rf $CC_TMP_GIT_REPO
+mkdir -p $CC_TMP_GIT_REPO
+git clone ${TEMPLATE_REPO_URL} $CC_TMP_GIT_REPO
+cd $CC_TMP_GIT_REPO && git checkout ${IAC_MODULES_TAG}
+
+rm -rf $CC_TMP_TEMPLATE_DIR
+mkdir -p $CC_TMP_TEMPLATE_DIR
+cp -r ${CC_CI_TEMPLATE_PATH}/. ${CC_TEMPLATE_PATH}/. $CC_TMP_TEMPLATE_DIR/
+
+
+CC_TMP_REPO_DIR=/tmp/gitclone-bootstrap
+mkdir -p $CC_TMP_REPO_DIR
+git clone ${BASE_GITLAB_URL}/bootstrap $CC_TMP_REPO_DIR
+cd $CC_TMP_REPO_DIR
+
+
+cp -r $CC_TMP_TEMPLATE_DIR/control-center-deploy/ $CC_TMP_TEMPLATE_DIR/control-center-pre-config/ $CC_TMP_TEMPLATE_DIR/control-center-post-config/ $CC_TMP_TEMPLATE_DIR/ansible-cc-deploy/ $CC_TMP_TEMPLATE_DIR/ansible-cc-post-deploy/ $CC_TMP_TEMPLATE_DIR/.gitlab $CC_TMP_TEMPLATE_DIR/.gitlab-ci.yml .
+
+git config --global user.email "root@${gitlab_hostname}"
+git config --global user.name "root"
+git add .
+git commit -m "refreshing templates from release ${IAC_MODULES_TAG} to project"
+git push
\ No newline at end of file
From 6e01e90b12058c4aa94e104b07997d95cc33f205 Mon Sep 17 00:00:00 2001
From: Sijo George
Date: Thu, 21 Mar 2024 17:00:44 +0530
Subject: [PATCH 003/201] Renaming GITLAB TOKEN
---
 terraform/gitlab/ci-templates/bootstrap/.gitlab-ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/terraform/gitlab/ci-templates/bootstrap/.gitlab-ci.yml b/terraform/gitlab/ci-templates/bootstrap/.gitlab-ci.yml
index 705ef79bd..767a30cd1 100644
--- a/terraform/gitlab/ci-templates/bootstrap/.gitlab-ci.yml
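Review bot: Nothing stops the new script after a failed step: there is no shebang and no `set -euo pipefail`, so if `git clone ${BASE_GITLAB_URL}/bootstrap $CC_TMP_REPO_DIR` or the following `cd $CC_TMP_REPO_DIR` fails, `git add .`, `git commit` and `git push` run in whatever directory the shell is left in (the iac-modules checkout from the earlier `cd $CC_TMP_GIT_REPO`). `CC_TMP_REPO_DIR=/tmp/gitclone-bootstrap` is also the one work directory that is not cleared with `rm -rf` before its clone, so a leftover from a previous run on the same runner makes that clone fail in exactly this way. Separately, `BASE_GITLAB_URL=https://root:${ROOT_TOKEN}@${CI_SERVER_HOST}/iac` writes the root token into the clone's `.git/config` under `/tmp`, and the token also arrives as argv `$3`; reading it from the environment and supplying it through a credential helper or `GIT_ASKPASS` keeps it out of both. With `set -u`, an unset `gitlab_hostname` (used for `user.email` but defined nowhere in this script) aborts the run instead of committing as `root@`.
```shell
#!/usr/bin/env bash
# Abort on the first failed step so a failed clone/checkout/cd cannot fall
# through to `git add . && git commit && git push` in the wrong directory.
set -euo pipefail

CC_TMP_GIT_REPO="$1"
CC_TMP_TEMPLATE_DIR="$2"
ROOT_TOKEN="$3"
IAC_MODULES_TAG="$4"
# … unchanged: WORKING_DIR, BASE_GITLAB_URL, iac-modules clone, template copy …

CC_TMP_REPO_DIR=/tmp/gitclone-bootstrap
rm -rf "$CC_TMP_REPO_DIR"   # a stale clone from a previous run makes git clone fail
mkdir -p "$CC_TMP_REPO_DIR"
git clone "${BASE_GITLAB_URL}/bootstrap" "$CC_TMP_REPO_DIR"
cd "$CC_TMP_REPO_DIR"
# … unchanged: copy of templates, git config/add/commit/push …
```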
+++ b/terraform/gitlab/ci-templates/bootstrap/.gitlab-ci.yml @@ -160,7 +160,7 @@ refresh-templates: script: - !reference [.source, script] - export VAULT_TOKEN="$(vault write -field=token auth/${VAULT_AUTH_PATH}/login role=$VAULT_AUTH_ROLE jwt=$VAULT_ID_TOKEN)" - - export GITLAB_SEED_TOKEN="$(vault kv get -field=value secret/bootstrap/gitlab_root_token)" + - export GITLAB_TOKEN="$(vault kv get -field=value secret/bootstrap/gitlab_root_token)" - .gitlab/scripts/refresh-templates.sh $CC_TMP_GIT_REPO $CC_TMP_TEMPLATES_DIR $GITLAB_TOKEN $IAC_TERRAFORM_MODULES_TAG when: manual From 22315f60a6cb978c279fd297a2474d96fd8a3b7b Mon Sep 17 00:00:00 2001 From: Sijo George Date: Thu, 21 Mar 2024 17:03:44 +0530 Subject: [PATCH 004/201] Adding comments --- .../bootstrap/.gitlab/scripts/refresh-templates.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/terraform/gitlab/ci-templates/bootstrap/.gitlab/scripts/refresh-templates.sh b/terraform/gitlab/ci-templates/bootstrap/.gitlab/scripts/refresh-templates.sh index 1a67cdf5f..db8d9e0cc 100644 --- a/terraform/gitlab/ci-templates/bootstrap/.gitlab/scripts/refresh-templates.sh +++ b/terraform/gitlab/ci-templates/bootstrap/.gitlab/scripts/refresh-templates.sh @@ -5,7 +5,7 @@ WORKING_DIR=$PWD BASE_GITLAB_URL=https://root:${ROOT_TOKEN}@${CI_SERVER_HOST}/iac IAC_MODULES_TAG=$4 - +# checking out IAC-MODULES rm -rf $CC_TMP_GIT_REPO mkdir -p $CC_TMP_GIT_REPO git clone ${TEMPLATE_REPO_URL} $CC_TMP_GIT_REPO 
@@ -15,13 +15,13 @@ rm -rf $CC_TMP_TEMPLATE_DIR mkdir -p $CC_TMP_TEMPLATE_DIR cp -r ${CC_CI_TEMPLATE_PATH}/. ${CC_TEMPLATE_PATH}/. $CC_TMP_TEMPLATE_DIR/ - +#checking out bootstrap repo CC_TMP_REPO_DIR=/tmp/gitclone-bootstrap mkdir -p $CC_TMP_REPO_DIR git clone ${BASE_GITLAB_URL}/bootstrap $CC_TMP_REPO_DIR cd $CC_TMP_REPO_DIR - +#copying necessary files to local git repo cp -r $CC_TMP_TEMPLATE_DIR/control-center-deploy/ $CC_TMP_TEMPLATE_DIR/control-center-pre-config/ $CC_TMP_TEMPLATE_DIR/control-center-post-config/ $CC_TMP_TEMPLATE_DIR/ansible-cc-deploy/ $CC_TMP_TEMPLATE_DIR/ansible-cc-post-deploy/ $CC_TMP_TEMPLATE_DIR/.gitlab $CC_TMP_TEMPLATE_DIR/.gitlab-ci.yml . git config --global user.email "root@${gitlab_hostname}" From 429259933c95a7224ecb2d345dbae5f4d00b682c Mon Sep 17 00:00:00 2001 From: Sijo George Date: Thu, 21 Mar 2024 17:07:41 +0530 Subject: [PATCH 005/201] Change in permission --- .../ci-templates/bootstrap/.gitlab/scripts/refresh-templates.sh | 0 1 file changed, 0 insertions(+), 0 deletions(-) mode change 100644 => 100755 terraform/gitlab/ci-templates/bootstrap/.gitlab/scripts/refresh-templates.sh diff --git a/terraform/gitlab/ci-templates/bootstrap/.gitlab/scripts/refresh-templates.sh b/terraform/gitlab/ci-templates/bootstrap/.gitlab/scripts/refresh-templates.sh old mode 100644 new mode 100755 From 5366b247731d93845d0c07e524e019748c16d309 Mon Sep 17 00:00:00 2001 From: Sijo George Date: Thu, 21 Mar 2024 17:24:11 +0530 Subject: [PATCH 006/201] including setcivars script --- .../ci-templates/bootstrap/.gitlab/scripts/refresh-templates.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/gitlab/ci-templates/bootstrap/.gitlab/scripts/refresh-templates.sh b/terraform/gitlab/ci-templates/bootstrap/.gitlab/scripts/refresh-templates.sh index db8d9e0cc..3245cec9d 100755 --- a/terraform/gitlab/ci-templates/bootstrap/.gitlab/scripts/refresh-templates.sh +++ b/terraform/gitlab/ci-templates/bootstrap/.gitlab/scripts/refresh-templates.sh 
@@ -22,7 +22,7 @@ git clone ${BASE_GITLAB_URL}/bootstrap $CC_TMP_REPO_DIR cd $CC_TMP_REPO_DIR #copying necessary files to local git repo -cp -r $CC_TMP_TEMPLATE_DIR/control-center-deploy/ $CC_TMP_TEMPLATE_DIR/control-center-pre-config/ $CC_TMP_TEMPLATE_DIR/control-center-post-config/ $CC_TMP_TEMPLATE_DIR/ansible-cc-deploy/ $CC_TMP_TEMPLATE_DIR/ansible-cc-post-deploy/ $CC_TMP_TEMPLATE_DIR/.gitlab $CC_TMP_TEMPLATE_DIR/.gitlab-ci.yml . +cp -r $CC_TMP_TEMPLATE_DIR/control-center-deploy/ $CC_TMP_TEMPLATE_DIR/control-center-pre-config/ $CC_TMP_TEMPLATE_DIR/control-center-post-config/ $CC_TMP_TEMPLATE_DIR/ansible-cc-deploy/ $CC_TMP_TEMPLATE_DIR/ansible-cc-post-deploy/ $CC_TMP_TEMPLATE_DIR/.gitlab $CC_TMP_TEMPLATE_DIR/.gitlab-ci.yml $CC_TMP_TEMPLATE_DIR/setcivars.sh . git config --global user.email "root@${gitlab_hostname}" git config --global user.name "root" From 1c2be562041e02d0db8bdf6f96b9f999f6b17a82 Mon Sep 17 00:00:00 2001 From: muzammil360 Date: Fri, 22 Mar 2024 16:46:37 +0500 Subject: [PATCH 007/201] Integrate minio with Loki --- .../monitoring/install/kustomization.yaml.tpl | 1 + .../monitoring/install/loki-secret.yaml | 26 +++++++++++++++++++ .../monitoring/install/values-loki.yaml.tpl | 14 ++++++++++ .../gitops/k8s-cluster-config/monitoring.tf | 1 + 4 files changed, 42 insertions(+) create mode 100644 terraform/gitops/generate-files/templates/monitoring/install/loki-secret.yaml diff --git a/terraform/gitops/generate-files/templates/monitoring/install/kustomization.yaml.tpl b/terraform/gitops/generate-files/templates/monitoring/install/kustomization.yaml.tpl index eaed261cf..c9b4587ca 100644 --- a/terraform/gitops/generate-files/templates/monitoring/install/kustomization.yaml.tpl +++ b/terraform/gitops/generate-files/templates/monitoring/install/kustomization.yaml.tpl 
@@ -4,6 +4,7 @@ resources: - https://raw.githubusercontent.com/grafana/grafana-operator/v5.6.0/deploy/kustomize/base/crds.yaml - vault-secret.yaml - istio-gateway.yaml + - loki-secret.yaml helmCharts: - name: prometheus-operator-crds releaseName: prometheus-operator-crds diff --git a/terraform/gitops/generate-files/templates/monitoring/install/loki-secret.yaml b/terraform/gitops/generate-files/templates/monitoring/install/loki-secret.yaml new file mode 100644 index 000000000..9079b4bfd --- /dev/null +++ b/terraform/gitops/generate-files/templates/monitoring/install/loki-secret.yaml @@ -0,0 +1,26 @@ +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: loki-external-secret-custom-resource + annotations: + argocd.argoproj.io/sync-wave: "-11" +spec: + refreshInterval: 1h + + secretStoreRef: + kind: ClusterSecretStore + name: tenant-vault-secret-store + + target: + name: loki-secret # Name for the secret to be created on the cluster + creationPolicy: Owner + + data: + - secretKey: MINIO_LOKI_USERNAME + remoteRef: + key: ${cluster_name}/minio_loki_username + property: value + - secretKey: MINIO_LOKI_PASSWORD + remoteRef: + key: ${cluster_name}/minio_loki_password + property: value diff --git a/terraform/gitops/generate-files/templates/monitoring/install/values-loki.yaml.tpl b/terraform/gitops/generate-files/templates/monitoring/install/values-loki.yaml.tpl index 35e1f87a0..5cfb65d2c 100644 --- a/terraform/gitops/generate-files/templates/monitoring/install/values-loki.yaml.tpl +++ b/terraform/gitops/generate-files/templates/monitoring/install/values-loki.yaml.tpl 
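Review bot: `key: ${cluster_name}/minio_loki_username` (and the password entry below it) depends on template rendering, but the new file is `loki-secret.yaml`, not `.yaml.tpl`; the `file_list` expression in this commit's monitoring.tf hunk only renders `fileset(..., "**/*.tpl")`, so if that is the only path by which files reach the cluster, the ExternalSecret would be applied with a literal `${cluster_name}` in the Vault key and the lookup would fail. Naming the file `loki-secret.yaml.tpl` would route it through the same rendering as the other templates; the `- loki-secret.yaml` entry added to `kustomization.yaml.tpl` already matches the trimmed name. The same applies to `${minio_loki_secret_credentials_ref}` in the loki-secret hunk of the following "refactor" commit.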
@@ -2,10 +2,24 @@ loki: overrideConfiguration: limits_config: retention_period: ${loki_ingester_retention_period} + storage_config: + boltdb_shipper: + shared_store: s3 + aws: + s3forcepathstyle: true + # TODO: check how the minio url will be formatted + endpoint: "haproxy.${cluster_name}.devbaremetal.moja-onprem.net:9000" + insecure: true + access_key_id: `${MINIO_LOKI_USERNAME}` + secret_access_key: `${MINIO_LOKI_PASSWORD}` + bucketnames: ${loki_minio_bucket} ingester: persistence: size: ${loki_ingester_pvc_size} storageClass: ${storage_class_name} + extraArgs: ["-config.expand-env"] + extraEnvVarsSecret: loki-secret + promtail: tolerations: - operator: "Exists" \ No newline at end of file diff --git a/terraform/gitops/k8s-cluster-config/monitoring.tf b/terraform/gitops/k8s-cluster-config/monitoring.tf index d2efc08e2..9572b515f 100644 --- a/terraform/gitops/k8s-cluster-config/monitoring.tf +++ b/terraform/gitops/k8s-cluster-config/monitoring.tf @@ -38,6 +38,7 @@ module "generate_monitoring_files" { loki_ingester_retention_period = try(var.common_var_map.loki_ingester_retention_period, local.loki_ingester_retention_period) prometheus_retention_period = try(var.common_var_map.prometheus_retention_period, local.prometheus_retention_period) alertmanager_enabled = try(var.common_var_map.alertmanager_enabled, false) + loki_minio_bucket = "${var.cluster_name}-loki" } file_list = [for f in fileset(local.monitoring_template_path, "**/*.tpl") : trimsuffix(f, ".tpl") if !can(regex(local.monitoring_app_file, f))] template_path = local.monitoring_template_path From 750430843ce3827993471ef3091e604d0e7c1e0e Mon Sep 17 00:00:00 2001 From: muzammil360 Date: Fri, 22 Mar 2024 17:54:01 +0500 Subject: [PATCH 008/201] refactor --- .../templates/monitoring/install/loki-secret.yaml | 12 ++++++------ .../monitoring/install/values-loki.yaml.tpl | 7 ++++--- terraform/gitops/k8s-cluster-config/monitoring.tf | 2 ++ 3 files changed, 12 insertions(+), 9 deletions(-) 
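Review bot: The `access_key_id` and `secret_access_key` values wrap `${MINIO_LOKI_USERNAME}` and `${MINIO_LOKI_PASSWORD}` in backticks, which will not survive rendering: this file is a `.tpl` that the module renders as a Terraform template (see the `fileset(..., "**/*.tpl")` expression in this commit's monitoring.tf hunk), so Terraform will try to resolve `${MINIO_LOKI_USERNAME}` as a template variable instead of leaving it for Loki's `-config.expand-env`, and the backticks escape nothing in Terraform syntax. Terraform's escape for a literal `${` is `$${`, so the lines should read `access_key_id: $${MINIO_LOKI_USERNAME}` and `secret_access_key: $${MINIO_LOKI_PASSWORD}`; the same two lines are carried unchanged into the values-loki hunks of the following "refactor" commit. Separately, `insecure: true` disables TLS towards the MinIO endpoint, so log chunks travel in clear text; if the endpoint is not confined to the cluster network this deserves TLS on the listener, or at least a comment recording the trade-off next to `insecure`.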
diff --git a/terraform/gitops/generate-files/templates/monitoring/install/loki-secret.yaml b/terraform/gitops/generate-files/templates/monitoring/install/loki-secret.yaml index 9079b4bfd..ca70cb711 100644 --- a/terraform/gitops/generate-files/templates/monitoring/install/loki-secret.yaml +++ b/terraform/gitops/generate-files/templates/monitoring/install/loki-secret.yaml @@ -1,7 +1,7 @@ apiVersion: external-secrets.io/v1beta1 kind: ExternalSecret metadata: - name: loki-external-secret-custom-resource + name: loki-credentials-secret annotations: argocd.argoproj.io/sync-wave: "-11" spec: @@ -12,15 +12,15 @@ spec: name: tenant-vault-secret-store target: - name: loki-secret # Name for the secret to be created on the cluster + name: loki-credentials-secret # Name for the secret to be created on the cluster creationPolicy: Owner data: - secretKey: MINIO_LOKI_USERNAME remoteRef: - key: ${cluster_name}/minio_loki_username - property: value + key: ${minio_loki_secret_credentials_ref} + property: username - secretKey: MINIO_LOKI_PASSWORD remoteRef: - key: ${cluster_name}/minio_loki_password - property: value + key: ${minio_loki_secret_credentials_ref} + property: password diff --git a/terraform/gitops/generate-files/templates/monitoring/install/values-loki.yaml.tpl b/terraform/gitops/generate-files/templates/monitoring/install/values-loki.yaml.tpl index 5cfb65d2c..1e8b7a921 100644 --- a/terraform/gitops/generate-files/templates/monitoring/install/values-loki.yaml.tpl +++ b/terraform/gitops/generate-files/templates/monitoring/install/values-loki.yaml.tpl @@ -1,5 +1,6 @@ loki: overrideConfiguration: + # TODO: remove retention_period because it should be controlled by object store (minio) policies limits_config: retention_period: ${loki_ingester_retention_period} storage_config: 
@@ -8,7 +9,7 @@ loki: aws: s3forcepathstyle: true # TODO: check how the minio url will be formatted - endpoint: "haproxy.${cluster_name}.devbaremetal.moja-onprem.net:9000" + endpoint: ${loki_minio_endpoint} insecure: true access_key_id: `${MINIO_LOKI_USERNAME}` secret_access_key: `${MINIO_LOKI_PASSWORD}` @@ -18,8 +19,8 @@ ingester: size: ${loki_ingester_pvc_size} storageClass: ${storage_class_name} extraArgs: ["-config.expand-env"] - extraEnvVarsSecret: loki-secret - + extraEnvVarsSecret: loki-credentials-secret + promtail: tolerations: - operator: "Exists" \ No newline at end of file diff --git a/terraform/gitops/k8s-cluster-config/monitoring.tf b/terraform/gitops/k8s-cluster-config/monitoring.tf index 9572b515f..b7cc56a81 100644 --- a/terraform/gitops/k8s-cluster-config/monitoring.tf +++ b/terraform/gitops/k8s-cluster-config/monitoring.tf @@ -38,7 +38,9 @@ module "generate_monitoring_files" { loki_ingester_retention_period = try(var.common_var_map.loki_ingester_retention_period, local.loki_ingester_retention_period) prometheus_retention_period = try(var.common_var_map.prometheus_retention_period, local.prometheus_retention_period) alertmanager_enabled = try(var.common_var_map.alertmanager_enabled, false) + loki_minio_endpoint = "haproxy.${var.cluster_name}.devbaremetal.moja-onprem.net:9000" # TODO: how do we parametrize it properly? loki_minio_bucket = "${var.cluster_name}-loki" + minio_loki_secret_credentials_ref = "${var.cluster_name}/minio-loki-secret-credentials" } file_list = [for f in fileset(local.monitoring_template_path, "**/*.tpl") : trimsuffix(f, ".tpl") if !can(regex(local.monitoring_app_file, f))] template_path = local.monitoring_template_path From 684a249d40899e189db9251d93088001ec2a4309 Mon Sep 17 00:00:00 2001 From: David Fry Date: Tue, 19 Mar 2024 16:02:07 +0000 Subject: [PATCH 009/201] ensure only 1 nat gw --- terraform/aws/base-infra/infra.tf | 3 +++ 1 file changed, 3 insertions(+) 
diff --git a/terraform/aws/base-infra/infra.tf b/terraform/aws/base-infra/infra.tf index 482065802..06eb9fe4e 100644 --- a/terraform/aws/base-infra/infra.tf +++ b/terraform/aws/base-infra/infra.tf @@ -18,6 +18,9 @@ module "vpc" { enable_dns_hostnames = true enable_dns_support = true enable_nat_gateway = true + single_nat_gateway = true + one_nat_gateway_per_az = false + reuse_nat_ips = false manage_default_security_group = false manage_default_network_acl = false manage_default_route_table = false From a6c3f440cb4cc3f0ddc7d7360590526579fbb7db Mon Sep 17 00:00:00 2001 From: David Fry Date: Fri, 22 Mar 2024 14:06:28 +0000 Subject: [PATCH 010/201] fix subnet ordering --- terraform/aws/base-infra/infra.tf | 2 +- terraform/aws/base-infra/variables.tf | 79 ++++++++++++++------------- 2 files changed, 41 insertions(+), 40 deletions(-) diff --git a/terraform/aws/base-infra/infra.tf b/terraform/aws/base-infra/infra.tf index 06eb9fe4e..aa19d27bc 100644 --- a/terraform/aws/base-infra/infra.tf +++ b/terraform/aws/base-infra/infra.tf @@ -37,7 +37,7 @@ module "subnet_addrs" { base_cidr_block = var.vpc_cidr networks = [ - for subnet in concat(local.private_subnets_list, local.public_subnets_list) : { + for subnet in local.subnet_list : { name = subnet new_bits = var.block_size } diff --git a/terraform/aws/base-infra/variables.tf b/terraform/aws/base-infra/variables.tf index 48a96defa..bb933ae33 100644 --- a/terraform/aws/base-infra/variables.tf +++ b/terraform/aws/base-infra/variables.tf @@ -9,7 +9,7 @@ variable "cluster_name" { variable "domain" { description = "Domain to attach the cluster to." type = string - default = "" + default = "" } variable "tags" { 
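Review bot: `single_nat_gateway = true` together with `one_nat_gateway_per_az = false` routes every private subnet in every AZ through one NAT gateway, so an outage of that gateway's AZ removes egress for all of them, and `reuse_nat_ips = false` means the egress IP changes whenever the gateway is recreated, which matters for anything that allow-lists the cluster's outbound address. Neither trade-off is visible to the next reader of the `module "vpc"` block, which continues outside the hunk; a comment such as `# deliberately one shared NAT gateway for all AZs: egress for every private subnet depends on it, and its public IP is not preserved across recreation` above `single_nat_gateway` would record it.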
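Review bot: Switching `networks` in `module.subnet_addrs` from `concat(local.private_subnets_list, local.public_subnets_list)` to the interleaved `local.subnet_list` changes the list position of every subnet name; if the module allocates CIDRs positionally, as its `networks`/`new_bits` inputs suggest, each existing subnet gets a different CIDR and `terraform plan` on an already-provisioned VPC will want to replace the subnets and everything placed in them. That is presumably the intended outcome for new environments, but it deserves a comment at the call site, e.g. `# subnet CIDRs are assigned by list position: changing this order re-addresses and replaces existing subnets`, and a plan check against an existing environment before merge. `subnet_list` itself is defined in this commit's variables.tf hunk.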
@@ -25,33 +25,33 @@ variable "vpc_cidr" { } variable "configure_route_53" { - type = bool - default = true + type = bool + default = true description = "whether route53 is to be configured at all or not" } variable "create_public_zone" { - default = true - type = bool + default = true + type = bool description = "Whether to create public zone in route53. true or false, default true" } variable "create_private_zone" { - default = true - type = bool + default = true + type = bool description = "Whether to create private zone in route53. true or false, default true" } - variable "manage_parent_domain" { - default = false - type = bool +variable "manage_parent_domain" { + default = false + type = bool description = "whether parent domain should be created and managed here" - } +} - variable "manage_parent_domain_ns" { - default = false - type = bool +variable "manage_parent_domain_ns" { + default = false + type = bool description = "whether ns record should be created for parent domain in that parent's zone that should already exist" - } +} variable "az_count" { type = number 
@@ -70,48 +70,49 @@ variable "bastion_ami" { } variable "netmaker_ami" { description = "ami for netmaker" - default = "none for enable_netmaker false" + default = "none for enable_netmaker false" } variable "block_size" { - type = number + type = number default = 3 } variable "enable_netmaker" { - type = bool + type = bool default = false } variable "netmaker_vpc_cidr" { - type = string + type = string default = "10.26.0.0/24" } - variable "create_haproxy_dns_record" { - default = false - type = bool +variable "create_haproxy_dns_record" { + default = false + type = bool description = "whether to create public dns record for private ip of bastion for haproxy" - } +} ### # Local copies of variables to allow for parsing ### locals { - name = var.cluster_name - cluster_domain = "${replace(var.cluster_name, "-", "")}.${var.domain}" - cluster_parent_domain = join(".", [for idx, part in split(".", local.cluster_domain) : part if idx > 0]) - cluster_parent_parent_domain = join(".", [for idx, part in split(".", local.cluster_parent_domain) : part if idx > 0]) - identifying_tags = { Cluster = var.cluster_name, Domain = local.cluster_domain} - common_tags = merge(local.identifying_tags, var.tags) - azs = slice(data.aws_availability_zones.available.names, 0, var.az_count) - public_zone = var.configure_route_53 ? (var.create_public_zone ? aws_route53_zone.public[0] : data.aws_route53_zone.public[0]) : null - private_zone = var.configure_route_53 ? (var.create_private_zone ? aws_route53_zone.private[0] : data.aws_route53_zone.private[0]) : null - cluster_parent_zone_id = var.configure_route_53 ? (var.manage_parent_domain ? 
aws_route53_zone.cluster_parent[0].zone_id : data.aws_route53_zone.cluster_parent[0].zone_id) : null + name = var.cluster_name + cluster_domain = "${replace(var.cluster_name, "-", "")}.${var.domain}" + cluster_parent_domain = join(".", [for idx, part in split(".", local.cluster_domain) : part if idx > 0]) + cluster_parent_parent_domain = join(".", [for idx, part in split(".", local.cluster_parent_domain) : part if idx > 0]) + identifying_tags = { Cluster = var.cluster_name, Domain = local.cluster_domain } + common_tags = merge(local.identifying_tags, var.tags) + azs = slice(data.aws_availability_zones.available.names, 0, var.az_count) + public_zone = var.configure_route_53 ? (var.create_public_zone ? aws_route53_zone.public[0] : data.aws_route53_zone.public[0]) : null + private_zone = var.configure_route_53 ? (var.create_private_zone ? aws_route53_zone.private[0] : data.aws_route53_zone.private[0]) : null + cluster_parent_zone_id = var.configure_route_53 ? (var.manage_parent_domain ? aws_route53_zone.cluster_parent[0].zone_id : data.aws_route53_zone.cluster_parent[0].zone_id) : null cluster_parent_parent_zone_id = var.configure_route_53 ? ((var.manage_parent_domain && var.manage_parent_domain_ns) ? 
data.aws_route53_zone.cluster_parent_parent[0].zone_id : null) : null - ssh_keys = [] - public_subnets_list = [for az in local.azs : "public-${az}"] - private_subnets_list = [for az in local.azs : "private-${az}"] - public_subnet_cidrs = [for subnet_name in local.public_subnets_list : module.subnet_addrs.network_cidr_blocks[subnet_name]] - private_subnet_cidrs = [for subnet_name in local.private_subnets_list : module.subnet_addrs.network_cidr_blocks[subnet_name]] -} \ No newline at end of file + ssh_keys = [] + public_subnets_list = [for az in local.azs : "public-${az}"] + private_subnets_list = [for az in local.azs : "private-${az}"] + subnet_list = flatten([for az in local.azs : concat(["private-${az}", "public-${az}"])]) + public_subnet_cidrs = [for subnet_name in local.public_subnets_list : module.subnet_addrs.network_cidr_blocks[subnet_name]] + private_subnet_cidrs = [for subnet_name in local.private_subnets_list : module.subnet_addrs.network_cidr_blocks[subnet_name]] +} From bd5d8102701234c4c32b0f0758f09b69a8116d89 Mon Sep 17 00:00:00 2001 From: Sijo George Date: Fri, 22 Mar 2024 22:16:37 +0530 Subject: [PATCH 011/201] Adding generation of custom config for pm4ml --- .../ci-templates/bootstrap/.gitlab/scripts/seedenvproject.sh | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/terraform/gitlab/ci-templates/bootstrap/.gitlab/scripts/seedenvproject.sh b/terraform/gitlab/ci-templates/bootstrap/.gitlab/scripts/seedenvproject.sh index 7b37b717f..6260ed01d 100755 --- a/terraform/gitlab/ci-templates/bootstrap/.gitlab/scripts/seedenvproject.sh +++ b/terraform/gitlab/ci-templates/bootstrap/.gitlab/scripts/seedenvproject.sh 
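Review bot: `concat(["private-${az}", "public-${az}"])` passes a single list to `concat`, which is a no-op; `subnet_list = flatten([for az in local.azs : ["private-${az}", "public-${az}"]])` states the intent directly. This hunk also re-indents the whole `locals` block and five `variable` blocks alongside that one functional line, which buries the behavioural change in whitespace; running the formatter as its own commit would keep the functional diff reviewable.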
@@ -40,6 +40,10 @@ cp -r $TMP_TEMPLATE_DIR/${ENV_NAME}/. . if [ ! -d custom-config ]; then mkdir -p custom-config yq eval '.envs | .[] | select(.env == '\"$ENV_NAME\"')' $TMP_BOOTSTRAP_REPO/environment.yaml > custom-config/cluster-config.yaml + echo "pm4mls: +- pm4ml: pm4mltest1 + pm4ml_enabled: false +"> custom-config/pm4mls-vars.yaml fi git config --global user.email "root@${gitlab_hostname}" git config --global user.name "root" From 4eadd6845d2781069679217e12c3f8521f644b09 Mon Sep 17 00:00:00 2001 From: Sijo George Date: Fri, 22 Mar 2024 22:27:34 +0530 Subject: [PATCH 012/201] Adding default config tag changes --- .../ci-templates/bootstrap/.gitlab/scripts/seedenvproject.sh | 2 +- terraform/k8s/default-config/cluster-config.yaml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/terraform/gitlab/ci-templates/bootstrap/.gitlab/scripts/seedenvproject.sh b/terraform/gitlab/ci-templates/bootstrap/.gitlab/scripts/seedenvproject.sh index 6260ed01d..71acd748b 100755 --- a/terraform/gitlab/ci-templates/bootstrap/.gitlab/scripts/seedenvproject.sh +++ b/terraform/gitlab/ci-templates/bootstrap/.gitlab/scripts/seedenvproject.sh @@ -43,7 +43,7 @@ if [ ! -d custom-config ]; then echo "pm4mls: - pm4ml: pm4mltest1 pm4ml_enabled: false -"> custom-config/pm4mls-vars.yaml +"> custom-config/pm4ml-vars.yaml fi git config --global user.email "root@${gitlab_hostname}" git config --global user.name "root" diff --git a/terraform/k8s/default-config/cluster-config.yaml b/terraform/k8s/default-config/cluster-config.yaml index 622218cc7..79823e5e1 100644 --- a/terraform/k8s/default-config/cluster-config.yaml +++ b/terraform/k8s/default-config/cluster-config.yaml 
@@ -7,8 +7,8 @@ cloud_platform_client_secret_name: AWS_SECRET_ACCESS_KEY k8s_cluster_module: base-k8s cloud_region: eu-west-1 k8s_cluster_type: microk8s -ansible_collection_tag: v0.18.11 -iac_terraform_modules_tag: v0.40.51sgtest +ansible_collection_tag: v5.0.0 +iac_terraform_modules_tag: v5.0.0 letsencrypt_email: test@mojalabs.io dns_zone_force_destroy: true longhorn_backup_object_store_destroy: true From 44b2635de7fb2c3647dd0e85cb481b4423a4d5d6 Mon Sep 17 00:00:00 2001 From: Sijo George Date: Fri, 22 Mar 2024 23:06:22 +0530 Subject: [PATCH 013/201] Revert "Merge pull request #196 from mojaloop/muz/iprod-502/integrate-minio-with-loki" This reverts commit 3f6325a8a4173bdb00f10a1ce59de36c73b16c92, reversing changes made to c156aa689ab284180fc07c6d1592f36b1fd0d91c. --- .../monitoring/install/kustomization.yaml.tpl | 1 - .../monitoring/install/loki-secret.yaml | 26 ------------------- .../monitoring/install/values-loki.yaml.tpl | 15 ----------- .../gitops/k8s-cluster-config/monitoring.tf | 3 --- 4 files changed, 45 deletions(-) delete mode 100644 terraform/gitops/generate-files/templates/monitoring/install/loki-secret.yaml diff --git a/terraform/gitops/generate-files/templates/monitoring/install/kustomization.yaml.tpl b/terraform/gitops/generate-files/templates/monitoring/install/kustomization.yaml.tpl index c9b4587ca..eaed261cf 100644 --- a/terraform/gitops/generate-files/templates/monitoring/install/kustomization.yaml.tpl +++ b/terraform/gitops/generate-files/templates/monitoring/install/kustomization.yaml.tpl @@ -4,7 +4,6 @@ resources: - https://raw.githubusercontent.com/grafana/grafana-operator/v5.6.0/deploy/kustomize/base/crds.yaml - vault-secret.yaml - istio-gateway.yaml - - loki-secret.yaml helmCharts: - name: prometheus-operator-crds releaseName: prometheus-operator-crds 
diff --git a/terraform/gitops/generate-files/templates/monitoring/install/loki-secret.yaml b/terraform/gitops/generate-files/templates/monitoring/install/loki-secret.yaml deleted file mode 100644 index ca70cb711..000000000 --- a/terraform/gitops/generate-files/templates/monitoring/install/loki-secret.yaml +++ /dev/null @@ -1,26 +0,0 @@ -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: loki-credentials-secret - annotations: - argocd.argoproj.io/sync-wave: "-11" -spec: - refreshInterval: 1h - - secretStoreRef: - kind: ClusterSecretStore - name: tenant-vault-secret-store - - target: - name: loki-credentials-secret # Name for the secret to be created on the cluster - creationPolicy: Owner - - data: - - secretKey: MINIO_LOKI_USERNAME - remoteRef: - key: ${minio_loki_secret_credentials_ref} - property: username - - secretKey: MINIO_LOKI_PASSWORD - remoteRef: - key: ${minio_loki_secret_credentials_ref} - property: password diff --git a/terraform/gitops/generate-files/templates/monitoring/install/values-loki.yaml.tpl b/terraform/gitops/generate-files/templates/monitoring/install/values-loki.yaml.tpl index 1e8b7a921..35e1f87a0 100644 --- a/terraform/gitops/generate-files/templates/monitoring/install/values-loki.yaml.tpl +++ b/terraform/gitops/generate-files/templates/monitoring/install/values-loki.yaml.tpl 
@@ -1,26 +1,11 @@ loki: overrideConfiguration: - # TODO: remove retention_period because it should be controlled by object store (minio) policies limits_config: retention_period: ${loki_ingester_retention_period} - storage_config: - boltdb_shipper: - shared_store: s3 - aws: - s3forcepathstyle: true - # TODO: check how the minio url will be formatted - endpoint: ${loki_minio_endpoint} - insecure: true - access_key_id: `${MINIO_LOKI_USERNAME}` - secret_access_key: `${MINIO_LOKI_PASSWORD}` - bucketnames: ${loki_minio_bucket} ingester: persistence: size: ${loki_ingester_pvc_size} storageClass: ${storage_class_name} - extraArgs: ["-config.expand-env"] - extraEnvVarsSecret: loki-credentials-secret - promtail: tolerations: - operator: "Exists" \ No newline at end of file diff --git a/terraform/gitops/k8s-cluster-config/monitoring.tf b/terraform/gitops/k8s-cluster-config/monitoring.tf index b7cc56a81..d2efc08e2 100644 --- a/terraform/gitops/k8s-cluster-config/monitoring.tf +++ b/terraform/gitops/k8s-cluster-config/monitoring.tf @@ -38,9 +38,6 @@ module "generate_monitoring_files" { loki_ingester_retention_period = try(var.common_var_map.loki_ingester_retention_period, local.loki_ingester_retention_period) prometheus_retention_period = try(var.common_var_map.prometheus_retention_period, local.prometheus_retention_period) alertmanager_enabled = try(var.common_var_map.alertmanager_enabled, false) - loki_minio_endpoint = "haproxy.${var.cluster_name}.devbaremetal.moja-onprem.net:9000" # TODO: how do we parametrize it properly? - loki_minio_bucket = "${var.cluster_name}-loki" - minio_loki_secret_credentials_ref = "${var.cluster_name}/minio-loki-secret-credentials" } file_list = [for f in fileset(local.monitoring_template_path, "**/*.tpl") : trimsuffix(f, ".tpl") if !can(regex(local.monitoring_app_file, f))] template_path = local.monitoring_template_path From a7718c4a508aee1b40ca45735bf64564c68ad369 Mon Sep 17 00:00:00 2001 
From: David Fry Date: Wed, 13 Mar 2024 00:27:21 +0000 Subject: [PATCH 014/201] placeholders for vnext add --- .../templates/vnext/istio-config.yaml.tpl | 477 +++++++ .../templates/vnext/kustomization.yaml.tpl | 11 + .../templates/vnext/values-vnext.yaml.tpl | 1245 +++++++++++++++++ terraform/gitops/vnext/mcm.tf | 222 +++ terraform/gitops/vnext/providers.tf | 10 + .../gitops/vnext/stateful-resources-config.tf | 116 ++ terraform/gitops/vnext/variables.tf | 172 +++ terraform/gitops/vnext/vault-pki-setup.tf | 81 ++ terraform/gitops/vnext/vnext.tf | 374 +++++ terraform/k8s/default-config/common-vars.yaml | 1 + 10 files changed, 2709 insertions(+) create mode 100644 terraform/gitops/generate-files/templates/vnext/istio-config.yaml.tpl create mode 100644 terraform/gitops/generate-files/templates/vnext/kustomization.yaml.tpl create mode 100644 terraform/gitops/generate-files/templates/vnext/values-vnext.yaml.tpl create mode 100644 terraform/gitops/vnext/mcm.tf create mode 100644 terraform/gitops/vnext/providers.tf create mode 100644 terraform/gitops/vnext/stateful-resources-config.tf create mode 100644 terraform/gitops/vnext/variables.tf create mode 100644 terraform/gitops/vnext/vault-pki-setup.tf create mode 100644 terraform/gitops/vnext/vnext.tf diff --git a/terraform/gitops/generate-files/templates/vnext/istio-config.yaml.tpl b/terraform/gitops/generate-files/templates/vnext/istio-config.yaml.tpl new file mode 100644 index 000000000..27cfce946 --- /dev/null +++ b/terraform/gitops/generate-files/templates/vnext/istio-config.yaml.tpl 
@@ -0,0 +1,477 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: interop-gateway + annotations: + external-dns.alpha.kubernetes.io/target: ${external_load_balancer_dns} +spec: + selector: + istio: ${istio_external_gateway_name} + servers: + - hosts: + - '${interop_switch_fqdn}' + port: + name: https-interop + number: 443 + protocol: HTTPS + tls: + credentialName: ${vault_certman_secretname} + mode: MUTUAL +--- +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: interop-jwt + namespace: ${istio_external_gateway_namespace} +spec: + selector: + matchLabels: + app: ${istio_external_gateway_name} +%{ if ory_stack_enabled ~} + action: CUSTOM + provider: + name: ${oathkeeper_auth_provider_name} +%{ else ~} + action: DENY +%{ endif ~} + rules: + - when: + - key: connection.sni + values: ["${interop_switch_fqdn}", "${interop_switch_fqdn}:*"] +%{ if !ory_stack_enabled ~} + from: + - source: + notRequestPrincipals: ["https://${keycloak_fqdn}/realms/${keycloak_dfsp_realm_name}/*"] +%{ endif ~} +--- +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: interop-vs +spec: + gateways: + - interop-gateway + hosts: + - '${interop_switch_fqdn}' + http: + - name: participants + match: + - uri: + prefix: /participants + route: + - destination: + host: ${mojaloop_release_name}-account-lookup-service + port: + number: 80 + - name: parties + match: + - uri: + prefix: /parties + route: + - destination: + host: ${mojaloop_release_name}-account-lookup-service + port: + number: 80 + - name: quotes + match: + - uri: + prefix: /quotes + route: + - destination: + host: ${mojaloop_release_name}-quoting-service + port: + number: 80 + - name: transfers + match: + - uri: + prefix: /transfers + route: + - destination: + host: ${mojaloop_release_name}-ml-api-adapter-service + port: + number: 80 +%{ if bulk_enabled ~} + - name: bulkQuotes + match: + - uri: + prefix: /bulkQuotes + route: + - destination: + host: 
${mojaloop_release_name}-quoting-service + port: + number: 80 + - name: bulkTransfers + match: + - uri: + prefix: /bulkTransfers + route: + - destination: + host: ${mojaloop_release_name}-bulk-api-adapter-service + port: + number: 80 +%{ endif ~} + - name: transactionRequests + match: + - uri: + prefix: /transactionRequests + route: + - destination: + host: ${mojaloop_release_name}-transaction-requests-service + port: + number: 80 + - name: authorizations + match: + - uri: + prefix: /authorizations + route: + - destination: + host: ${mojaloop_release_name}-transaction-requests-service + port: + number: 80 +--- +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: int-interop-vs +spec: + gateways: + - ${istio_internal_gateway_namespace}/${istio_internal_wildcard_gateway_name} + hosts: + - '${int_interop_switch_fqdn}' + http: + - name: participants + match: + - uri: + prefix: /participants + route: + - destination: + host: ${mojaloop_release_name}-account-lookup-service + port: + number: 80 + - name: parties + match: + - uri: + prefix: /parties + route: + - destination: + host: ${mojaloop_release_name}-account-lookup-service + port: + number: 80 + - name: quotes + match: + - uri: + prefix: /quotes + route: + - destination: + host: ${mojaloop_release_name}-quoting-service + port: + number: 80 + - name: transfers + match: + - uri: + prefix: /transfers + route: + - destination: + host: ${mojaloop_release_name}-ml-api-adapter-service + port: + number: 80 +%{ if bulk_enabled ~} + - name: bulkQuotes + match: + - uri: + prefix: /bulkQuotes + route: + - destination: + host: ${mojaloop_release_name}-quoting-service + port: + number: 80 + - name: bulkTransfers + match: + - uri: + prefix: /bulkTransfers + route: + - destination: + host: ${mojaloop_release_name}-bulk-api-adapter-service + port: + number: 80 +%{ endif ~} + - name: transactionRequests + match: + - uri: + prefix: /transactionRequests + route: + - destination: + host: 
${mojaloop_release_name}-transaction-requests-service + port: + number: 80 + - name: authorizations + match: + - uri: + prefix: /authorizations + route: + - destination: + host: ${mojaloop_release_name}-transaction-requests-service + port: + number: 80 + - name: central-admin + match: + - uri: + prefix: /admin/ + rewrite: + uri: / + route: + - destination: + host: ${mojaloop_release_name}-centralledger-service + port: + number: 80 + - name: als-admin + match: + - uri: + prefix: /als-admin/ + rewrite: + uri: / + route: + - destination: + host: ${mojaloop_release_name}-account-lookup-service-admin + port: + number: 80 +--- +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: mojaloop-ttkfront-vs +spec: + gateways: +%{ if mojaloop_wildcard_gateway == "external" ~} + - ${istio_external_gateway_namespace}/${istio_external_wildcard_gateway_name} +%{ else ~} + - ${istio_internal_gateway_namespace}/${istio_internal_wildcard_gateway_name} +%{ endif ~} + hosts: + - '${ttk_frontend_public_fqdn}' + http: + - match: + - uri: + prefix: / + route: + - destination: + host: ${mojaloop_release_name}-ml-testing-toolkit-frontend + port: + number: 6060 +--- +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: mojaloop-ttkback-vs +spec: + gateways: +%{ if mojaloop_wildcard_gateway == "external" ~} + - ${istio_external_gateway_namespace}/${istio_external_wildcard_gateway_name} +%{ else ~} + - ${istio_internal_gateway_namespace}/${istio_internal_wildcard_gateway_name} +%{ endif ~} + hosts: + - '${ttk_backend_public_fqdn}' + http: + - name: api + match: + - uri: + prefix: /api/ + route: + - destination: + host: ${mojaloop_release_name}-ml-testing-toolkit-backend + port: + number: 5050 + - name: socket + match: + - uri: + prefix: /socket.io/ + route: + - destination: + host: ${mojaloop_release_name}-ml-testing-toolkit-backend + port: + number: 5050 + - name: root + match: + - uri: + prefix: / + route: + - destination: + host: 
${mojaloop_release_name}-ml-testing-toolkit-backend + port: + number: 4040 +--- +%{ endif ~} + +--- +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: finance-portal-vs +spec: + gateways: + - ${istio_external_gateway_namespace}/${istio_external_wildcard_gateway_name} + hosts: + - '${portal_fqdn}' + http: + - name: transfers + match: + - uri: + prefix: /api/transfers/ + - uri: + exact: /api/transfers + rewrite: + uri: / + route: + - destination: + host: ${finance_portal_release_name}-reporting-hub-bop-api-svc + port: + number: 80 + - name: iam + match: + - uri: + prefix: /api/iam/ + rewrite: + uri: / + route: + - destination: + host: ${finance_portal_release_name}-role-assignment-service + port: + number: 80 + - name: central-admin + match: + - uri: + prefix: /api/central-admin/ + rewrite: + uri: /central-admin/ + route: + - destination: + host: ${finance_portal_release_name}-reporting-hub-bop-experience-api-svc + port: + number: 80 + - name: central-settlements + match: + - uri: + prefix: /api/central-settlements/ + rewrite: + uri: /v2/ + route: + - destination: + host: ${mojaloop_release_name}-centralsettlement-service + port: + number: 80 + - name: reports + match: + - uri: + prefix: /api/reports/ + - uri: + exact: /api/reports + rewrite: + uri: / + route: + - destination: + host: ${finance_portal_release_name}-reporting-legacy-api + port: + number: 80 + - name: reporting-hub-bop-role-ui + match: + - uri: + prefix: /uis/iam/ + - uri: + exact: /uis/iam + rewrite: + uri: / + route: + - destination: + host: ${finance_portal_release_name}-reporting-hub-bop-role-ui + port: + number: 80 + - name: reporting-hub-bop-trx-ui + match: + - uri: + prefix: /uis/transfers/ + - uri: + exact: /uis/transfers + rewrite: + uri: / + route: + - destination: + host: ${finance_portal_release_name}-reporting-hub-bop-trx-ui + port: + number: 80 + - name: reporting-hub-bop-settlements-ui + match: + - uri: + prefix: /uis/settlements/ + - uri: + exact: 
/uis/settlements + rewrite: + uri: / + route: + - destination: + host: ${finance_portal_release_name}-reporting-hub-bop-settlements-ui + port: + number: 80 + - name: reporting-hub-bop-positions-ui + match: + - uri: + prefix: /uis/positions/ + - uri: + exact: /uis/positions + rewrite: + uri: / + route: + - destination: + host: ${finance_portal_release_name}-reporting-hub-bop-positions-ui + port: + number: 80 + - name: kratos-logout-proxy + match: + - uri: + prefix: /kratos/self-service/logout/browser + rewrite: + uri: /self-service/logout/browser + route: + - destination: + host: ${kratos_service_name} + port: + number: 80 + - name: kratos-whoami-proxy + match: + - uri: + prefix: /kratos/sessions/whoami + rewrite: + uri: /sessions/whoami + route: + - destination: + host: ${kratos_service_name} + port: + number: 80 + - name: reporting-hub-bop-shell + match: + - uri: + prefix: / + route: + - destination: + host: ${finance_portal_release_name}-reporting-hub-bop-shell + port: + number: 80 +--- +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: finance-portal-auth + namespace: ${istio_external_gateway_namespace} +spec: + selector: + matchLabels: + app: ${istio_external_gateway_name} + action: CUSTOM + provider: + name: ${oathkeeper_auth_provider_name} + rules: + - to: + - operation: + paths: + - /api/* + hosts: ["${portal_fqdn}", "${portal_fqdn}:*"] diff --git a/terraform/gitops/generate-files/templates/vnext/kustomization.yaml.tpl b/terraform/gitops/generate-files/templates/vnext/kustomization.yaml.tpl new file mode 100644 index 000000000..d9f7c3dc5 --- /dev/null +++ b/terraform/gitops/generate-files/templates/vnext/kustomization.yaml.tpl 
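Review bot: The `%{ endif ~}` placed directly after the `mojaloop-ttkback-vs` VirtualService (just before the `finance-portal-vs` document) has no matching `%{ if … ~}` anywhere in this hunk — every other directive in the file pairs up — so `templatefile()` will most likely refuse to render this template; either drop that line or restore the opening guard ahead of the `mojaloop-ttkfront-vs` document as `%{ if <TTK_ENABLED_VAR> ~}` (placeholder: use whatever variable gates the TTK deployment in `vnext.tf`). Separately, `int-interop-vs` routes `/admin/` and `/als-admin/` to `${mojaloop_release_name}-centralledger-service` and `${mojaloop_release_name}-account-lookup-service-admin` on the internal wildcard gateway, and unlike the external `interop-gateway` (mTLS plus the `interop-jwt` AuthorizationPolicy keyed on `connection.sni`) nothing in this hunk attaches an AuthorizationPolicy to `${int_interop_switch_fqdn}`; if that gateway is reachable from anything beyond the operator network, an explicit policy on those admin paths, along the lines of `finance-portal-auth`, is worth adding. The TTK VirtualServices likewise land on the external wildcard gateway whenever `mojaloop_wildcard_gateway == "external"` with no policy in this hunk, which is presumably intended only for non-production clusters — a comment saying so would help. Unquoted templated scalars such as `istio: ${istio_external_gateway_name}` and `credentialName: ${vault_certman_secretname}` would be safer written as `"${…}"` so an empty expansion does not become `null` and a leading special character is not parsed as a flow collection.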
@@ -0,0 +1,11 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - istio-config.yaml +helmCharts: +- name: vnext + releaseName: ${vnext_release_name} + version: ${vnext_chart_version} + repo: ${vnext_chart_repo} + valuesFile: values-vnext.yaml + namespace: ${vnext_namespace} diff --git a/terraform/gitops/generate-files/templates/vnext/values-vnext.yaml.tpl b/terraform/gitops/generate-files/templates/vnext/values-vnext.yaml.tpl new file mode 100644 index 000000000..468eecfc2 --- /dev/null +++ b/terraform/gitops/generate-files/templates/vnext/values-vnext.yaml.tpl 
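Review bot: `version: ${vnext_chart_version}` and `repo: ${vnext_chart_repo}` are unquoted templated scalars; a chart version such as 1.10 renders as the float 1.1 and an empty expansion becomes `null`, so write them as `version: "${vnext_chart_version}"` and `repo: "${vnext_chart_repo}"` (the same applies to `releaseName` and `namespace`). The two sequences also use different block-sequence indentation — `resources:` is indented while `helmCharts:` is flush — so pick one style for the file; yamllint's `indentation` check will flag the mix.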
@@ -0,0 +1,1245 @@ +# Custom YAML TEMPLATE Anchors +CONFIG: + ## ACCOUNT-LOOKUP BACKEND + als_db_database: &ALS_DB_DATABASE "${account_lookup_db_database}" + als_db_password: &ALS_DB_PASSWORD "" + als_db_secret: &ALS_DB_SECRET + name: &ALS_DB_SECRET_NAME "${account_lookup_db_existing_secret}" + key: &ALS_DB_SECRET_KEY mysql-password + als_db_host: &ALS_DB_HOST "${account_lookup_db_host}" + als_db_port: &ALS_DB_PORT ${account_lookup_db_port} + als_db_user: &ALS_DB_USER "${account_lookup_db_user}" + + ## CENTRAL-LEDGER BACKEND + cl_db_database: &CL_DB_DATABASE "${central_ledger_db_database}" + cl_db_password: &CL_DB_PASSWORD "" + cl_db_secret: &CL_DB_SECRET + name: &CL_DB_SECRET_NAME "${central_ledger_db_existing_secret}" + key: &CL_DB_SECRET_KEY mysql-password + cl_db_host: &CL_DB_HOST "${central_ledger_db_host}" + cl_db_port: &CL_DB_PORT ${central_ledger_db_port} + cl_db_user: &CL_DB_USER "${central_ledger_db_user}" + + ## KAFKA BACKEND + kafka_host: &KAFKA_HOST "${kafka_host}" + kafka_port: &KAFKA_PORT ${kafka_port} + + ## BULK OBJECT STORE BACKEND + obj_mongo_host: &OBJSTORE_MONGO_HOST "${cl_mongodb_host}" + obj_mongo_port: &OBJSTORE_MONGO_PORT ${cl_mongodb_port} + obj_mongo_user: &OBJSTORE_MONGO_USER "${cl_mongodb_user}" + obj_mongo_password: &OBJSTORE_MONGO_PASSWORD "" + obj_mongo_secret: &OBJSTORE_MONGO_SECRET + name: &OBJSTORE_MONGO_SECRET_NAME "${cl_mongodb_existing_secret}" + key: &OBJSTORE_MONGO_SECRET_KEY mongodb-passwords + obj_mongo_database: &OBJSTORE_MONGO_DATABASE "${cl_mongodb_database}" + + ## MOJALOOP-TTK-SIMULATORS BACKEND + moja_ttk_sim_kafka_host: &MOJA_TTK_SIM_KAFKA_HOST "${kafka_host}" + moja_ttk_sim_kafka_port: &MOJA_TTK_SIM_KAFKA_PORT ${kafka_port} + moja_ttk_sim_redis_host: &MOJA_TTK_SIM_REDIS_HOST "${ttksims_redis_host}" + moja_ttk_sim_redis_port: &MOJA_TTK_SIM_REDIS_PORT ${ttksims_redis_port} + + ## THIRDPARTY AUTH-SVC BACKEND + tp_auth_svc_db_database: &TP_AUTH_SVC_DB_DATABASE "${third_party_auth_db_database}" + tp_auth_svc_db_password: 
&TP_AUTH_SVC_DB_PASSWORD "" + tp_auth_svc_db_secret: &TP_AUTH_SVC_DB_SECRET + name: &TP_AUTH_SVC_DB_SECRET_NAME "${third_party_auth_db_existing_secret}" + key: &TP_AUTH_SVC_DB_SECRET_KEY mysql-password + tp_auth_svc_db_host: &TP_AUTH_SVC_DB_HOST "${third_party_auth_db_host}" + tp_auth_svc_db_port: &TP_AUTH_SVC_DB_PORT ${third_party_auth_db_port} + tp_auth_svc_db_user: &TP_AUTH_SVC_DB_USER "${third_party_auth_db_user}" + tp_auth_svc_redis_host: &TP_AUTH_SVC_REDIS_HOST "${third_party_auth_redis_host}" + tp_auth_svc_redis_port: &TP_AUTH_SVC_REDIS_PORT ${third_party_auth_redis_port} + + ## THIRDPARTY ALS_CONSENT-SVC BACKEND + tp_als_consent_svc_db_database: &TP_ALS_CONSENT_SVC_DB_DATABASE "${third_party_consent_db_database}" + tp_als_consent_svc_db_password: &TP_ALS_CONSENT_SVC_DB_PASSWORD "" + tp_als_consent_svc_db_secret: &TP_ALS_CONSENT_SVC_DB_SECRET + name: &TP_ALS_CONSENT_SVC_DB_SECRET_NAME "${third_party_consent_db_existing_secret}" + key: &TP_ALS_CONSENT_SVC_DB_SECRET_KEY mysql-password + tp_als_consent_svc_db_host: &TP_ALS_CONSENT_SVC_DB_HOST "${third_party_consent_db_host}" + tp_als_consent_svc_db_port: &TP_ALS_CONSENT_SVC_DB_PORT ${third_party_consent_db_port} + tp_als_consent_svc_db_user: &TP_ALS_CONSENT_SVC_DB_USER "${third_party_consent_db_user}" + + ## CENTRAL-SETTLEMENT BACKEND + cs_db_host: &CS_DB_HOST "${central_settlement_db_host}" + cs_db_password: &CS_DB_PASSWORD "" + cs_db_secret: &CS_DB_SECRET + name: &CS_DB_SECRET_NAME "${central_settlement_db_existing_secret}" + key: &CS_DB_SECRET_KEY mysql-password + cs_db_user: &CS_DB_USER "${central_settlement_db_user}" + cs_db_port: &CS_DB_PORT ${central_settlement_db_port} + cs_db_database: &CS_DB_DATABASE "${central_settlement_db_database}" + + ## QUOTING BACKEND + quoting_db_host: "ING_DB_HOST "${quoting_db_host}" + quoting_db_password: "ING_DB_PASSWORD "" + quoting_db_secret: "ING_DB_SECRET + name: "ING_DB_SECRET_NAME "${quoting_db_existing_secret}" + key: "ING_DB_SECRET_KEY mysql-password + 
quoting_db_user: "ING_DB_USER "${quoting_db_user}" + quoting_db_port: "ING_DB_PORT ${quoting_db_port} + quoting_db_database: "ING_DB_DATABASE "${quoting_db_database}" + + ## TTK MONGODB BACKEND + ttk_mongo_host: &TTK_MONGO_HOST "${ttk_mongodb_host}" + ttk_mongo_port: &TTK_MONGO_PORT "${ttk_mongodb_port}" + ttk_mongo_user: &TTK_MONGO_USER "${ttk_mongodb_user}" + ttk_mongo_password: &TTK_MONGO_PASSWORD "" + ttk_mongo_secret: &TTK_MONGO_SECRET + name: &TTK_MONGO_SECRET_NAME "${ttk_mongodb_existing_secret}" + key: &TTK_MONGO_SECRET_KEY mongodb-passwords + ttk_mongo_database: &TTK_MONGO_DATABASE "${ttk_mongodb_database}" + + ## BATCH_PROCESSING: To enable batch processing set following to true + batch_processing_enabled: &CL_BATCH_PROCESSING_ENABLED ${central_ledger_handler_transfer_position_batch_processing_enabled} + + ## CENTRAL-LEDGER CACHE + cl_cache_enabled: &CL_CACHE_ENABLED ${central_ledger_cache_enabled} + cl_cache_expires_in_ms: &CL_CACHE_EXPIRES_IN_MS ${central_ledger_cache_expires_in_ms} + + ## MONITORING + ml_api_adapter_monitoring_prefix : &ML_API_ADAPTER_MONITORING_PREFIX "${ml_api_adapter_monitoring_prefix}" + quoting_monitoring_prefix: "ING_MONITORING_PREFIX "${quoting_service_monitoring_prefix}" + cl_monitoring_prefix: &CL_MONITORING_PREFIX "${central_ledger_monitoring_prefix}" + als_monitoring_prefix: &ALS_MONITORING_PREFIX "${account_lookup_service_monitoring_prefix}" + + ingress_class: &INGRESS_CLASS "${ingress_class_name}" + + ## Endpiont Security + endpointSecurity: &ENDPOINT_SECURITY + jwsSigningKeySecret: &JWS_SIGNING_KEY_SECRET + name: ${jws_key_secret} + key: ${jws_key_secret_private_key_key} +%{ if mojaloop_tolerations != null ~} + tolerations: &MOJALOOP_TOLERATIONS + ${indent(4, mojaloop_tolerations)} +%{ else ~} + tolerations: &MOJALOOP_TOLERATIONS [] +%{ endif ~} + +global: + config: + forensicloggingsidecar_disabled: true + +account-lookup-service: + account-lookup-service: + commonAnnotations: + secret.reloader.stakater.com/reload: 
"${jws_key_secret}" +%{ if account_lookup_service_affinity != null ~} + affinity: + ${indent(8, account_lookup_service_affinity)} +%{ endif ~} + tolerations: *MOJALOOP_TOLERATIONS + podLabels: + sidecar.istio.io/inject: "${enable_istio_injection}" + replicaCount: ${account_lookup_service_replica_count} + config: + kafka_host: *KAFKA_HOST + kafka_port: *KAFKA_PORT + db_password: *ALS_DB_PASSWORD + db_secret: *ALS_DB_SECRET + db_host: *ALS_DB_HOST + db_user: *ALS_DB_USER + db_port: *ALS_DB_PORT + db_database: *ALS_DB_DATABASE + endpointSecurity: *ENDPOINT_SECURITY + # Thirdparty API Config + featureEnableExtendedPartyIdType: ${mojaloop_thirdparty_support_enabled} + central_shared_end_point_cache: + expiresIn: 180000 + generateTimeout: 30000 + getDecoratedValue: true + central_shared_participant_cache: + expiresIn: 61000 + generateTimeout: 30000 + getDecoratedValue: true + general_cache: + enabled: true + maxByteSize: 10000000 + expiresIn: 61000 + ingress: +%{ if istio_create_ingress_gateways ~} + enabled: false +%{ else ~} + enabled: true +%{ endif ~} + className: *INGRESS_CLASS + hostname: account-lookup-service.${ingress_subdomain} + metrics: + config: + prefix: *ALS_MONITORING_PREFIX + account-lookup-service-admin: +%{ if account_lookup_admin_service_affinity != null ~} + affinity: + ${indent(8, account_lookup_admin_service_affinity)} +%{ endif ~} + tolerations: *MOJALOOP_TOLERATIONS + replicaCount: ${account_lookup_service_admin_replica_count} + config: + kafka_host: *KAFKA_HOST + kafka_port: *KAFKA_PORT + db_password: *ALS_DB_PASSWORD + db_secret: *ALS_DB_SECRET + db_host: *ALS_DB_HOST + db_user: *ALS_DB_USER + db_port: *ALS_DB_PORT + db_database: *ALS_DB_DATABASE + endpointSecurity: *ENDPOINT_SECURITY + # Thirdparty API Config + featureEnableExtendedPartyIdType: ${mojaloop_thirdparty_support_enabled} + central_shared_end_point_cache: + expiresIn: 180000 + generateTimeout: 30000 + getDecoratedValue: true + central_shared_participant_cache: + expiresIn: 61000 + 
generateTimeout: 30000 + getDecoratedValue: true + general_cache: + enabled: true + maxByteSize: 10000000 + expiresIn: 61000 + ingress: +%{ if istio_create_ingress_gateways ~} + enabled: false +%{ else ~} + enabled: true +%{ endif ~} + className: *INGRESS_CLASS + hostname: account-lookup-service-admin.${ingress_subdomain} + metrics: + config: + prefix: *ALS_MONITORING_PREFIX + als-oracle-pathfinder: + enabled: false + +quoting-service: + quoting-service: + commonAnnotations: + secret.reloader.stakater.com/reload: "${jws_key_secret}" +%{ if quoting_service_affinity != null ~} + affinity: + ${indent(6, quoting_service_affinity)} +%{ endif ~} + tolerations: *MOJALOOP_TOLERATIONS + podLabels: + sidecar.istio.io/inject: "${enable_istio_injection}" + replicaCount: ${quoting_service_replica_count} + config: + kafka_host: *KAFKA_HOST + kafka_port: *KAFKA_PORT + kafka_producer_quote_post_topic: 'topic-quotes-post' + log_transport: "console" + log_level: "info" + db_password: *QUOTING_DB_PASSWORD + db_secret: *QUOTING_DB_SECRET + db_host: *QUOTING_DB_HOST + db_user: *QUOTING_DB_USER + db_port: *QUOTING_DB_PORT + db_database: *QUOTING_DB_DATABASE + endpointSecurity: *ENDPOINT_SECURITY + ingress: +%{ if istio_create_ingress_gateways ~} + enabled: false +%{ else ~} + enabled: true +%{ endif ~} + className: *INGRESS_CLASS + hostname: quoting-service.${ingress_subdomain} + metrics: + config: + prefix: *QUOTING_MONITORING_PREFIX + quoting-service-handler: + commonAnnotations: + secret.reloader.stakater.com/reload: "${jws_key_secret}" +%{ if quoting_service_affinity != null ~} + affinity: + ${indent(6, quoting_service_affinity)} +%{ endif ~} + tolerations: *MOJALOOP_TOLERATIONS + podLabels: + sidecar.istio.io/inject: "${enable_istio_injection}" + replicaCount: ${quoting_service_handler_replica_count} + config: + kafka_host: *KAFKA_HOST + kafka_port: *KAFKA_PORT + simple_routing_mode_enabled: ${quoting_service_simple_routing_mode_enabled} + log_transport: "console" + log_level: 
"info" + db_password: *QUOTING_DB_PASSWORD + db_secret: *QUOTING_DB_SECRET + db_host: *QUOTING_DB_HOST + db_user: *QUOTING_DB_USER + db_port: *QUOTING_DB_PORT + db_database: *QUOTING_DB_DATABASE + endpointSecurity: *ENDPOINT_SECURITY + ingress: +%{ if istio_create_ingress_gateways ~} + enabled: false +%{ else ~} + enabled: true +%{ endif ~} + className: *INGRESS_CLASS + hostname: quoting-service-handler.${ingress_subdomain} + metrics: + config: + prefix: *QUOTING_MONITORING_PREFIX + +ml-api-adapter: + ml-api-adapter-service: +%{ if ml_api_adapter_service_affinity != null ~} + affinity: + ${indent(8, ml_api_adapter_service_affinity)} +%{ endif ~} + tolerations: *MOJALOOP_TOLERATIONS + replicaCount: ${ml_api_adapter_service_replica_count} + config: + kafka_host: *KAFKA_HOST + kafka_port: *KAFKA_PORT + ingress: +%{ if istio_create_ingress_gateways ~} + enabled: false +%{ else ~} + enabled: true +%{ endif ~} + className: *INGRESS_CLASS + #annotations: + #nginx.ingress.kubernetes.io/rewrite-target: /$2 + hostname: ml-api-adapter.${ingress_subdomain} + metrics: + config: + prefix: *ML_API_ADAPTER_MONITORING_PREFIX + ml-api-adapter-handler-notification: + commonAnnotations: + secret.reloader.stakater.com/reload: "${jws_key_secret}" +%{ if ml_api_adapter_handler_notifications_affinity != null ~} + affinity: + ${indent(8, ml_api_adapter_handler_notifications_affinity)} +%{ endif ~} + tolerations: *MOJALOOP_TOLERATIONS + podLabels: + sidecar.istio.io/inject: "${enable_istio_injection}" + replicaCount: ${ml_api_adapter_handler_notifications_replica_count} + config: + kafka_host: *KAFKA_HOST + kafka_port: *KAFKA_PORT + endpointSecurity: *ENDPOINT_SECURITY + ingress: +%{ if istio_create_ingress_gateways ~} + enabled: false +%{ else ~} + enabled: true +%{ endif ~} + className: *INGRESS_CLASS + hostname: ml-api-adapter-handler-notification.${ingress_subdomain} + metrics: + config: + prefix: *ML_API_ADAPTER_MONITORING_PREFIX + +centralledger: + centralledger-service: +%{ if 
centralledger_service_affinity != null ~} + affinity: + ${indent(8, centralledger_service_affinity)} +%{ endif ~} + tolerations: *MOJALOOP_TOLERATIONS + replicaCount: ${central_ledger_service_replica_count} + config: + kafka_host: *KAFKA_HOST + kafka_port: *KAFKA_PORT + db_password: *CL_DB_PASSWORD + db_secret: *CL_DB_SECRET + db_host: *CL_DB_HOST + db_user: *CL_DB_USER + db_port: *CL_DB_PORT + db_database: *CL_DB_DATABASE + cache_enabled: *CL_CACHE_ENABLED + cache_expires_in_ms: *CL_CACHE_EXPIRES_IN_MS + ingress: +%{ if istio_create_ingress_gateways ~} + enabled: false +%{ else ~} + enabled: true +%{ endif ~} + className: *INGRESS_CLASS + annotations: + nginx.ingress.kubernetes.io/rewrite-target: /$2 + path: /admin(/|$)(.*) + hostname: interop-switch.${ingress_subdomain} + metrics: + config: + prefix: *CL_MONITORING_PREFIX + centralledger-handler-transfer-prepare: +%{ if central_ledger_handler_transfer_prepare_affinity != null ~} + affinity: + ${indent(8, central_ledger_handler_transfer_prepare_affinity)} +%{ endif ~} + tolerations: *MOJALOOP_TOLERATIONS + replicaCount: ${central_ledger_handler_transfer_prepare_replica_count} + config: + kafka_host: *KAFKA_HOST + kafka_port: *KAFKA_PORT + db_password: *CL_DB_PASSWORD + db_secret: *CL_DB_SECRET + db_host: *CL_DB_HOST + db_user: *CL_DB_USER + db_port: *CL_DB_PORT + db_database: *CL_DB_DATABASE + cache_enabled: *CL_CACHE_ENABLED + cache_expires_in_ms: *CL_CACHE_EXPIRES_IN_MS + batch_processing_enabled: *CL_BATCH_PROCESSING_ENABLED + ingress: +%{ if istio_create_ingress_gateways ~} + enabled: false +%{ else ~} + enabled: true +%{ endif ~} + className: *INGRESS_CLASS + hostname: central-ledger-transfer-prepare.${ingress_subdomain} + metrics: + config: + prefix: *CL_MONITORING_PREFIX + centralledger-handler-transfer-position: +%{ if central_ledger_handler_transfer_position_affinity != null ~} + affinity: + ${indent(8, central_ledger_handler_transfer_position_affinity)} +%{ endif ~} + tolerations: *MOJALOOP_TOLERATIONS + 
replicaCount: ${central_ledger_handler_transfer_position_replica_count} + config: + kafka_host: *KAFKA_HOST + kafka_port: *KAFKA_PORT + db_password: *CL_DB_PASSWORD + db_secret: *CL_DB_SECRET + db_host: *CL_DB_HOST + db_user: *CL_DB_USER + db_port: *CL_DB_PORT + db_database: *CL_DB_DATABASE + cache_enabled: *CL_CACHE_ENABLED + cache_expires_in_ms: *CL_CACHE_EXPIRES_IN_MS + ingress: +%{ if istio_create_ingress_gateways ~} + enabled: false +%{ else ~} + enabled: true +%{ endif ~} + className: *INGRESS_CLASS + hostname: central-ledger-transfer-position.${ingress_subdomain} + metrics: + config: + prefix: *CL_MONITORING_PREFIX + centralledger-handler-transfer-position-batch: + enabled: *CL_BATCH_PROCESSING_ENABLED +%{ if central_ledger_handler_transfer_position_batch_affinity != null ~} + affinity: + ${indent(8, central_ledger_handler_transfer_position_batch_affinity)} +%{ endif ~} + tolerations: *MOJALOOP_TOLERATIONS + replicaCount: ${central_ledger_handler_transfer_position_batch_replica_count} + config: + kafka_host: *KAFKA_HOST + kafka_port: *KAFKA_PORT + db_password: *CL_DB_PASSWORD + db_secret: *CL_DB_SECRET + db_host: *CL_DB_HOST + db_user: *CL_DB_USER + db_port: *CL_DB_PORT + db_database: *CL_DB_DATABASE + cache_enabled: *CL_CACHE_ENABLED + cache_expires_in_ms: *CL_CACHE_EXPIRES_IN_MS + batch_size: ${central_ledger_handler_transfer_position_batch_size} + batch_consume_timeout_in_ms: ${central_ledger_handler_transfer_position_batch_consume_timeout_ms} + ingress: +%{ if istio_create_ingress_gateways ~} + enabled: false +%{ else ~} + enabled: true +%{ endif ~} + className: *INGRESS_CLASS + hostname: central-ledger-transfer-position-batch.${ingress_subdomain} + metrics: + config: + prefix: *CL_MONITORING_PREFIX + centralledger-handler-transfer-get: +%{ if central_ledger_handler_transfer_get_affinity != null ~} + affinity: + ${indent(8, central_ledger_handler_transfer_get_affinity)} +%{ endif ~} + tolerations: *MOJALOOP_TOLERATIONS + replicaCount: 
${central_ledger_handler_transfer_get_replica_count} + config: + kafka_host: *KAFKA_HOST + kafka_port: *KAFKA_PORT + db_password: *CL_DB_PASSWORD + db_secret: *CL_DB_SECRET + db_host: *CL_DB_HOST + db_user: *CL_DB_USER + db_port: *CL_DB_PORT + db_database: *CL_DB_DATABASE + cache_enabled: *CL_CACHE_ENABLED + cache_expires_in_ms: *CL_CACHE_EXPIRES_IN_MS + ingress: +%{ if istio_create_ingress_gateways ~} + enabled: false +%{ else ~} + enabled: true +%{ endif ~} + className: *INGRESS_CLASS + hostname: central-ledger-transfer-get.${ingress_subdomain} + metrics: + config: + prefix: *CL_MONITORING_PREFIX + centralledger-handler-transfer-fulfil: +%{ if central_ledger_handler_transfer_fulfil_affinity != null ~} + affinity: + ${indent(8, central_ledger_handler_transfer_fulfil_affinity)} +%{ endif ~} + tolerations: *MOJALOOP_TOLERATIONS + replicaCount: ${central_ledger_handler_transfer_fulfil_replica_count} + config: + kafka_host: *KAFKA_HOST + kafka_port: *KAFKA_PORT + db_password: *CL_DB_PASSWORD + db_secret: *CL_DB_SECRET + db_host: *CL_DB_HOST + db_user: *CL_DB_USER + db_port: *CL_DB_PORT + db_database: *CL_DB_DATABASE + cache_enabled: *CL_CACHE_ENABLED + cache_expires_in_ms: *CL_CACHE_EXPIRES_IN_MS + batch_processing_enabled: *CL_BATCH_PROCESSING_ENABLED + ingress: +%{ if istio_create_ingress_gateways ~} + enabled: false +%{ else ~} + enabled: true +%{ endif ~} + className: *INGRESS_CLASS + hostname: central-ledger-transfer-fulfil.${ingress_subdomain} + metrics: + config: + prefix: *CL_MONITORING_PREFIX + centralledger-handler-timeout: + tolerations: *MOJALOOP_TOLERATIONS + config: + kafka_host: *KAFKA_HOST + kafka_port: *KAFKA_PORT + db_password: *CL_DB_PASSWORD + db_secret: *CL_DB_SECRET + db_host: *CL_DB_HOST + db_user: *CL_DB_USER + db_port: *CL_DB_PORT + db_database: *CL_DB_DATABASE + cache_enabled: *CL_CACHE_ENABLED + cache_expires_in_ms: *CL_CACHE_EXPIRES_IN_MS + ingress: +%{ if istio_create_ingress_gateways ~} + enabled: false +%{ else ~} + enabled: true +%{ 
endif ~} + className: *INGRESS_CLASS + hostname: central-ledger-timeout.${ingress_subdomain} + metrics: + config: + prefix: *CL_MONITORING_PREFIX + centralledger-handler-admin-transfer: +%{ if central_ledger_handler_admin_transfer_affinity != null ~} + affinity: + ${indent(8, central_ledger_handler_admin_transfer_affinity)} +%{ endif ~} + tolerations: *MOJALOOP_TOLERATIONS + replicaCount: ${central_ledger_handler_admin_transfer_replica_count} + config: + kafka_host: *KAFKA_HOST + kafka_port: *KAFKA_PORT + db_password: *CL_DB_PASSWORD + db_secret: *CL_DB_SECRET + db_host: *CL_DB_HOST + db_user: *CL_DB_USER + db_port: *CL_DB_PORT + db_database: *CL_DB_DATABASE + cache_enabled: *CL_CACHE_ENABLED + cache_expires_in_ms: *CL_CACHE_EXPIRES_IN_MS + ingress: +%{ if istio_create_ingress_gateways ~} + enabled: false +%{ else ~} + enabled: true +%{ endif ~} + className: *INGRESS_CLASS + hostname: central-ledger-admin-transfer.${ingress_subdomain} + metrics: + config: + prefix: *CL_MONITORING_PREFIX +centralsettlement: + centralsettlement-service: + ingress: +%{ if istio_create_ingress_gateways ~} + enabled: false +%{ else ~} + enabled: true +%{ endif ~} + className: *INGRESS_CLASS + annotations: + nginx.ingress.kubernetes.io/rewrite-target: /v2/$2 + path: /settlements(/|$)(.*) + hostname: interop-switch.${ingress_subdomain} +%{ if central_settlement_service_affinity != null ~} + affinity: + ${indent(8, central_settlement_service_affinity)} +%{ endif ~} + tolerations: *MOJALOOP_TOLERATIONS + replicaCount: ${central_settlement_service_replica_count} + config: + kafka_host: *KAFKA_HOST + kafka_port: *KAFKA_PORT + db_password: *CS_DB_PASSWORD + db_secret: *CS_DB_SECRET + db_host: *CS_DB_HOST + db_user: *CS_DB_USER + db_port: *CS_DB_PORT + db_database: *CS_DB_DATABASE + centralsettlement-handler-deferredsettlement: +%{ if central_settlement_handler_deferredsettlement_affinity != null ~} + affinity: + ${indent(8, central_settlement_handler_deferredsettlement_affinity)} +%{ endif ~} 
+ tolerations: *MOJALOOP_TOLERATIONS
+ replicaCount: ${central_settlement_handler_deferredsettlement_replica_count}
+ config:
+ kafka_host: *KAFKA_HOST
+ kafka_port: *KAFKA_PORT
+ db_password: *CS_DB_PASSWORD
+ db_secret: *CS_DB_SECRET
+ db_host: *CS_DB_HOST
+ db_user: *CS_DB_USER
+ db_port: *CS_DB_PORT
+ db_database: *CS_DB_DATABASE
+ centralsettlement-handler-grosssettlement:
+%{ if central_settlement_handler_grosssettlement_affinity != null ~}
+ affinity:
+ ${indent(8, central_settlement_handler_grosssettlement_affinity)}
+%{ endif ~}
+ tolerations: *MOJALOOP_TOLERATIONS
+ replicaCount: ${central_settlement_handler_grosssettlement_replica_count}
+ config:
+ kafka_host: *KAFKA_HOST
+ kafka_port: *KAFKA_PORT
+ db_password: *CS_DB_PASSWORD
+ db_secret: *CS_DB_SECRET
+ db_host: *CS_DB_HOST
+ db_user: *CS_DB_USER
+ db_port: *CS_DB_PORT
+ db_database: *CS_DB_DATABASE
+ centralsettlement-handler-rules:
+%{ if central_settlement_handler_rules_affinity != null ~}
+ affinity:
+ ${indent(8, central_settlement_handler_rules_affinity)}
+%{ endif ~}
+ tolerations: *MOJALOOP_TOLERATIONS
+ replicaCount: ${central_settlement_handler_rules_replica_count}
+ config:
+ kafka_host: *KAFKA_HOST
+ kafka_port: *KAFKA_PORT
+ db_password: *CS_DB_PASSWORD
+ db_secret: *CS_DB_SECRET
+ db_host: *CS_DB_HOST
+ db_user: *CS_DB_USER
+ db_port: *CS_DB_PORT
+ db_database: *CS_DB_DATABASE
+
+transaction-requests-service:
+ podLabels:
+ sidecar.istio.io/inject: "${enable_istio_injection}"
+%{ if trasaction_requests_service_affinity != null ~}
+ affinity:
+ ${indent(8, trasaction_requests_service_affinity)}
+%{ endif ~}
+ tolerations: *MOJALOOP_TOLERATIONS
+ replicaCount: ${trasaction_requests_service_replica_count}
+ ingress:
+%{ if istio_create_ingress_gateways ~}
+ enabled: false
+%{ else ~}
+ enabled: true
+%{ endif ~}
+ className: *INGRESS_CLASS
+ hostname: transaction-request-service.${ingress_subdomain}
+
+thirdparty:
+ enabled: ${mojaloop_thirdparty_support_enabled}
+ auth-svc:
+ enabled:
true
+ tolerations: *MOJALOOP_TOLERATIONS
+ podLabels:
+ sidecar.istio.io/inject: "${enable_istio_injection}"
+ replicaCount: ${auth_service_replica_count}
+ config:
+ db_host: *TP_AUTH_SVC_DB_HOST
+ db_port: *TP_AUTH_SVC_DB_PORT
+ db_user: *TP_AUTH_SVC_DB_USER
+ db_password: *TP_AUTH_SVC_DB_PASSWORD
+ db_secret: *TP_AUTH_SVC_DB_SECRET
+ db_database: *TP_AUTH_SVC_DB_DATABASE
+ redis_host: *TP_AUTH_SVC_REDIS_HOST
+ redis_port: *TP_AUTH_SVC_REDIS_PORT
+ ingress:
+%{ if istio_create_ingress_gateways ~}
+ enabled: false
+%{ else ~}
+ enabled: true
+%{ endif ~}
+ hostname: auth-service.upgtest.${ingress_subdomain}
+ className: *INGRESS_CLASS
+
+ consent-oracle:
+ enabled: true
+ tolerations: *MOJALOOP_TOLERATIONS
+ replicaCount: ${consent_oracle_replica_count}
+ config:
+ db_host: *TP_ALS_CONSENT_SVC_DB_HOST
+ db_port: *TP_ALS_CONSENT_SVC_DB_PORT
+ db_user: *TP_ALS_CONSENT_SVC_DB_USER
+ db_password: *TP_ALS_CONSENT_SVC_DB_PASSWORD
+ db_secret: *TP_ALS_CONSENT_SVC_DB_SECRET
+ db_database: *TP_ALS_CONSENT_SVC_DB_DATABASE
+ ingress:
+%{ if istio_create_ingress_gateways ~}
+ enabled: false
+%{ else ~}
+ enabled: true
+%{ endif ~}
+ hostname: consent-oracle.upgtest.${ingress_subdomain}
+ className: *INGRESS_CLASS
+
+ tp-api-svc:
+ enabled: true
+ tolerations: *MOJALOOP_TOLERATIONS
+ podLabels:
+ sidecar.istio.io/inject: "${enable_istio_injection}"
+ replicaCount: ${tp_api_svc_replica_count}
+ ingress:
+%{ if istio_create_ingress_gateways ~}
+ enabled: false
+%{ else ~}
+ enabled: true
+%{ endif ~}
+ hostname: tp-api-svc.upgtest.${ingress_subdomain}
+ className: *INGRESS_CLASS
+
+ thirdparty-simulator:
+ enabled: true
+ tolerations: *MOJALOOP_TOLERATIONS
+
+simulator:
+ tolerations: *MOJALOOP_TOLERATIONS
+ ingress:
+%{ if istio_create_ingress_gateways ~}
+ enabled: false
+%{ else ~}
+ enabled: true
+%{ endif ~}
+ className: *INGRESS_CLASS
+ hostname: moja-simulator.${ingress_subdomain}
+
+mojaloop-bulk:
+ enabled: ${bulk_enabled}
+ bulk-api-adapter:
+
bulk-api-adapter-service:
+ tolerations: *MOJALOOP_TOLERATIONS
+ replicaCount: ${bulk_api-adapter_service_replica_count}
+ config:
+ kafka_host: *KAFKA_HOST
+ kafka_port: *KAFKA_PORT
+ mongo_host: *OBJSTORE_MONGO_HOST
+ mongo_port: *OBJSTORE_MONGO_PORT
+ mongo_user: *OBJSTORE_MONGO_USER
+ mongo_password: *OBJSTORE_MONGO_PASSWORD
+ mongo_secret: *OBJSTORE_MONGO_SECRET
+ mongo_database: *OBJSTORE_MONGO_DATABASE
+ ingress:
+%{ if istio_create_ingress_gateways ~}
+ enabled: false
+%{ else ~}
+ enabled: true
+%{ endif ~}
+ className: *INGRESS_CLASS
+ hostname: bulk-api-adapter.${ingress_subdomain}
+ bulk-api-adapter-handler-notification:
+ commonAnnotations:
+ secret.reloader.stakater.com/reload: "${jws_key_secret}"
+ tolerations: *MOJALOOP_TOLERATIONS
+ podLabels:
+ sidecar.istio.io/inject: "${enable_istio_injection}"
+ replicaCount: ${bulk_api_adapter_handler_notification_replica_count}
+ config:
+ kafka_host: *KAFKA_HOST
+ kafka_port: *KAFKA_PORT
+ mongo_host: *OBJSTORE_MONGO_HOST
+ mongo_port: *OBJSTORE_MONGO_PORT
+ mongo_user: *OBJSTORE_MONGO_USER
+ mongo_password: *OBJSTORE_MONGO_PASSWORD
+ mongo_secret: *OBJSTORE_MONGO_SECRET
+ mongo_database: *OBJSTORE_MONGO_DATABASE
+ endpointSecurity: *ENDPOINT_SECURITY
+ bulk-centralledger:
+ cl-handler-bulk-transfer-prepare:
+ tolerations: *MOJALOOP_TOLERATIONS
+ replicaCount: ${cl_handler_bulk_transfer_prepare_replica_count}
+ config:
+ kafka_host: *KAFKA_HOST
+ kafka_port: *KAFKA_PORT
+ db_password: *CL_DB_PASSWORD
+ db_secret: *CL_DB_SECRET
+ db_host: *CL_DB_HOST
+ db_user: *CL_DB_USER
+ db_port: *CL_DB_PORT
+ db_database: *CL_DB_DATABASE
+ mongo_host: *OBJSTORE_MONGO_HOST
+ mongo_port: *OBJSTORE_MONGO_PORT
+ mongo_user: *OBJSTORE_MONGO_USER
+ mongo_password: *OBJSTORE_MONGO_PASSWORD
+ mongo_secret: *OBJSTORE_MONGO_SECRET
+ mongo_database: *OBJSTORE_MONGO_DATABASE
+ cl-handler-bulk-transfer-fulfil:
+ tolerations: *MOJALOOP_TOLERATIONS
+ replicaCount: ${cl_handler_bulk_transfer_fulfil_replica_count}
+ config:
+ kafka_host:
*KAFKA_HOST
+ kafka_port: *KAFKA_PORT
+ db_password: *CL_DB_PASSWORD
+ db_secret: *CL_DB_SECRET
+ db_host: *CL_DB_HOST
+ db_user: *CL_DB_USER
+ db_port: *CL_DB_PORT
+ db_database: *CL_DB_DATABASE
+ mongo_host: *OBJSTORE_MONGO_HOST
+ mongo_port: *OBJSTORE_MONGO_PORT
+ mongo_user: *OBJSTORE_MONGO_USER
+ mongo_password: *OBJSTORE_MONGO_PASSWORD
+ mongo_secret: *OBJSTORE_MONGO_SECRET
+ mongo_database: *OBJSTORE_MONGO_DATABASE
+ cl-handler-bulk-transfer-processing:
+ tolerations: *MOJALOOP_TOLERATIONS
+ replicaCount: ${cl_handler_bulk_transfer_processing_replica_count}
+ config:
+ kafka_host: *KAFKA_HOST
+ kafka_port: *KAFKA_PORT
+ db_password: *CL_DB_PASSWORD
+ db_secret: *CL_DB_SECRET
+ db_host: *CL_DB_HOST
+ db_user: *CL_DB_USER
+ db_port: *CL_DB_PORT
+ db_database: *CL_DB_DATABASE
+ mongo_host: *OBJSTORE_MONGO_HOST
+ mongo_port: *OBJSTORE_MONGO_PORT
+ mongo_user: *OBJSTORE_MONGO_USER
+ mongo_password: *OBJSTORE_MONGO_PASSWORD
+ mongo_secret: *OBJSTORE_MONGO_SECRET
+ mongo_database: *OBJSTORE_MONGO_DATABASE
+ cl-handler-bulk-transfer-get:
+ tolerations: *MOJALOOP_TOLERATIONS
+ replicaCount: ${cl_handler_bulk_transfer_get_replica_count}
+ config:
+ kafka_host: *KAFKA_HOST
+ kafka_port: *KAFKA_PORT
+ db_password: *CL_DB_PASSWORD
+ db_secret: *CL_DB_SECRET
+ db_host: *CL_DB_HOST
+ db_user: *CL_DB_USER
+ db_port: *CL_DB_PORT
+ db_database: *CL_DB_DATABASE
+ mongo_host: *OBJSTORE_MONGO_HOST
+ mongo_port: *OBJSTORE_MONGO_PORT
+ mongo_user: *OBJSTORE_MONGO_USER
+ mongo_password: *OBJSTORE_MONGO_PASSWORD
+ mongo_secret: *OBJSTORE_MONGO_SECRET
+ mongo_database: *OBJSTORE_MONGO_DATABASE
+
+mojaloop-ttk-simulators:
+ enabled: ${ttksims_enabled}
+
+ mojaloop-ttk-sim1-svc:
+ enabled: true
+ sdk-scheme-adapter: &MOJA_TTK_SIM_SDK
+ sdk-scheme-adapter-api-svc:
+ tolerations: *MOJALOOP_TOLERATIONS
+ ingress:
+ enabled: false
+ kafka:
+ host: *MOJA_TTK_SIM_KAFKA_HOST
+ port: *MOJA_TTK_SIM_KAFKA_PORT
+
+ redis:
+ host: *MOJA_TTK_SIM_REDIS_HOST
+ port: *MOJA_TTK_SIM_REDIS_PORT
+
+
sdk-scheme-adapter-dom-evt-handler:
+ tolerations: *MOJALOOP_TOLERATIONS
+ kafka:
+ host: *MOJA_TTK_SIM_KAFKA_HOST
+ port: *MOJA_TTK_SIM_KAFKA_PORT
+
+ redis:
+ host: *MOJA_TTK_SIM_REDIS_HOST
+ port: *MOJA_TTK_SIM_REDIS_PORT
+
+ sdk-scheme-adapter-cmd-evt-handler:
+ tolerations: *MOJALOOP_TOLERATIONS
+ kafka:
+ host: *MOJA_TTK_SIM_KAFKA_HOST
+ port: *MOJA_TTK_SIM_KAFKA_PORT
+
+ redis:
+ host: *MOJA_TTK_SIM_REDIS_HOST
+ port: *MOJA_TTK_SIM_REDIS_PORT
+
+ ml-testing-toolkit:
+ ml-testing-toolkit-backend:
+ tolerations: *MOJALOOP_TOLERATIONS
+ ingress:
+ enabled: false
+ hosts:
+ specApi:
+ host: ttksim1-specapi.${ingress_subdomain}
+ adminApi:
+ host: ttksim1.${ingress_subdomain}
+
+ extraEnvironments:
+ hub-k8s-default-environment.json: &ttksim1InputValues {
+ "inputValues": {
+ "TTKSIM1_CURRENCY": "${ttk_test_currency1}",
+ "TTKSIM2_CURRENCY": "${ttk_test_currency1}",
+ "TTKSIM3_CURRENCY": "${ttk_test_currency1}",
+ "TTKSIM1_FSPID": "ttksim1",
+ "TTKSIM2_FSPID": "ttksim2",
+ "TTKSIM3_FSPID": "ttksim3"
+ }
+ }
+ config:
+ mongodb:
+ host: *TTK_MONGO_HOST
+ port: *TTK_MONGO_PORT
+ user: *TTK_MONGO_USER
+ ## Secret-Management
+ ### Set this if you are using a clear password configured in the config section
+ password: *TTK_MONGO_PASSWORD
+ ### Configure this if you want to use a secret. Note, this will override the db_password,
+ ### Use the next line if you do wish to use the db_password value instead.
+ # secret:
+ ### Example config for an existing secret
+ secret: *TTK_MONGO_SECRET
+ database: *TTK_MONGO_DATABASE
+
+ ml-testing-toolkit-frontend:
+ tolerations: *MOJALOOP_TOLERATIONS
+ ingress:
+ enabled: false
+ hosts:
+ ui:
+ host: ttksim1.${ingress_subdomain}
+ config:
+ API_BASE_URL: http://ttksim1.${ingress_subdomain}
+
+ mojaloop-ttk-sim2-svc:
+ enabled: true
+ sdk-scheme-adapter: *MOJA_TTK_SIM_SDK
+ ml-testing-toolkit:
+ ml-testing-toolkit-backend:
+ tolerations: *MOJALOOP_TOLERATIONS
+ ingress:
+ enabled: false
+ hosts:
+ specApi:
+ host: ttksim2-specapi.${ingress_subdomain}
+ adminApi:
+ host: ttksim2.${ingress_subdomain}
+
+ ml-testing-toolkit-frontend:
+ tolerations: *MOJALOOP_TOLERATIONS
+ ingress:
+ enabled: false
+ hosts:
+ ui:
+ host: ttksim2.${ingress_subdomain}
+ config:
+ API_BASE_URL: http://ttksim2.${ingress_subdomain}
+
+ mojaloop-ttk-sim3-svc:
+ enabled: true
+ sdk-scheme-adapter: *MOJA_TTK_SIM_SDK
+ ml-testing-toolkit:
+ ml-testing-toolkit-backend:
+ tolerations: *MOJALOOP_TOLERATIONS
+ ingress:
+ enabled: false
+ hosts:
+ specApi:
+ host: ttksim3-specapi.${ingress_subdomain}
+ adminApi:
+ host: ttksim3.${ingress_subdomain}
+
+ ml-testing-toolkit-frontend:
+ tolerations: *MOJALOOP_TOLERATIONS
+ ingress:
+ enabled: false
+ hosts:
+ ui:
+ host: ttksim3.${ingress_subdomain}
+ config:
+ API_BASE_URL: http://ttksim3.${ingress_subdomain}
+
+ml-testing-toolkit:
+ enabled: ${internal_ttk_enabled}
+ ml-testing-toolkit-backend:
+ tolerations: *MOJALOOP_TOLERATIONS
+ config:
+ mongodb:
+ host: *TTK_MONGO_HOST
+ port: *TTK_MONGO_PORT
+ user: *TTK_MONGO_USER
+ password: *TTK_MONGO_PASSWORD
+ secret: *TTK_MONGO_SECRET
+ database: *TTK_MONGO_DATABASE
+ ingress:
+%{ if istio_create_ingress_gateways ~}
+ enabled: false
+%{ else ~}
+ enabled: true
+%{ endif ~}
+ className: *INGRESS_CLASS
+ hosts:
+ specApi:
+ host: ${ttk_backend_public_fqdn}
+ adminApi:
+ host: ${ttk_backend_public_fqdn}
+ parameters: &simNames
+ simNamePayerfsp: 'payerfsp'
+
simNamePayeefsp: 'payeefsp'
+ simNameTestfsp1: 'testfsp1'
+ simNameTestfsp2: 'testfsp2'
+ simNameTestfsp3: 'testfsp3'
+ simNameTestfsp4: 'testfsp4'
+ simNameNoResponsePayeefsp: 'noresponsepayeefsp'
+ simNameTTKSim1: 'ttksim1'
+ simNameTTKSim2: 'ttksim2'
+ simNameTTKSim3: 'ttksim3'
+ extraEnvironments:
+ hub-k8s-cgs-environment.json: null
+ hub-k8s-default-environment.json: &ttkInputValues {
+ "inputValues": {
+ "SIMPAYER_CURRENCY": "${ttk_test_currency1}",
+ "SIMPAYEE_CURRENCY": "${ttk_test_currency1}",
+ "currency": "${ttk_test_currency1}",
+ "currency2": "${ttk_test_currency2}",
+ "cgscurrency": "${ttk_test_currency3}",
+ "SIMPLE_ROUTING_MODE_ENABLED": ${quoting_service_simple_routing_mode_enabled},
+ "ON_US_TRANSFERS_ENABLED": false,
+ "ENABLE_WS_ASSERTIONS": true,
+ "NET_DEBIT_CAP": "10000000",
+ "accept": "application/vnd.interoperability.parties+json;version=1.1",
+ "acceptParties": "application/vnd.interoperability.parties+json;version=1.1",
+ "acceptPartiesOld": "application/vnd.interoperability.parties+json;version=1.0",
+ "acceptPartiesNotSupported": "application/vnd.interoperability.parties+json;version=2.0",
+ "acceptParticipants": "application/vnd.interoperability.participants+json;version=1.1",
+ "acceptParticipantsOld": "application/vnd.interoperability.participants+json;version=1.0",
+ "acceptParticipantsNotSupported": "application/vnd.interoperability.participants+json;version=2.0",
+ "acceptQuotes": "application/vnd.interoperability.quotes+json;version=1.1",
+ "acceptQuotesOld": "application/vnd.interoperability.quotes+json;version=1.0",
+ "acceptQuotesNotSupported": "application/vnd.interoperability.quotes+json;version=2.0",
+ "acceptTransfers": "application/vnd.interoperability.transfers+json;version=1.1",
+ "acceptTransfersOld": "application/vnd.interoperability.transfers+json;version=1.0",
+ "acceptTransfersNotSupported": "application/vnd.interoperability.transfers+json;version=2.0",
+ "acceptTransactionRequests":
"application/vnd.interoperability.transactionRequests+json;version=1.1",
+ "acceptTransactionRequestsOld": "application/vnd.interoperability.transactionRequests+json;version=1.0",
+ "acceptTransactionRequestsNotSupported": "application/vnd.interoperability.transactionRequests+json;version=2.0",
+ "acceptAuthorizations": "application/vnd.interoperability.authorizations+json;version=1.1",
+ "acceptAuthorizationsOld": "application/vnd.interoperability.authorizations+json;version=1.0",
+ "acceptAuthorizationsNotSupported": "application/vnd.interoperability.authorizations+json;version=2.0",
+ "acceptBulkTransfers": "application/vnd.interoperability.bulkTransfers+json;version=1.1",
+ "acceptBulkTransfersOld": "application/vnd.interoperability.bulkTransfers+json;version=1.0",
+ "acceptBulkTransfersNotSupported": "application/vnd.interoperability.bulkTransfers+json;version=2.0",
+ "contentType": "application/vnd.interoperability.parties+json;version=1.1",
+ "contentTypeTransfers": "application/vnd.interoperability.transfers+json;version=1.1",
+ "contentTypeTransfersOld": "application/vnd.interoperability.transfers+json;version=1.0",
+ "contentTypeTransfersNotSupported": "application/vnd.interoperability.transfers+json;version=2.0",
+ "contentTypeParties": "application/vnd.interoperability.parties+json;version=1.1",
+ "contentTypePartiesOld": "application/vnd.interoperability.parties+json;version=1.0",
+ "contentTypePartiesNotSupported": "application/vnd.interoperability.parties+json;version=2.0",
+ "contentTypeParticipants": "application/vnd.interoperability.participants+json;version=1.1",
+ "contentTypeParticipantsOld": "application/vnd.interoperability.participants+json;version=1.0",
+ "contentTypeParticipantsNotSupported": "application/vnd.interoperability.participants+json;version=2.0",
+ "contentTypeQuotes": "application/vnd.interoperability.quotes+json;version=1.1",
+ "contentTypeQuotesOld": "application/vnd.interoperability.quotes+json;version=1.0",
+
"contentTypeQuotesNotSupported": "application/vnd.interoperability.quotes+json;version=2.0",
+ "contentTypeTransactionRequests": "application/vnd.interoperability.transactionRequests+json;version=1.1",
+ "contentTypeTransactionRequestsOld": "application/vnd.interoperability.transactionRequests+json;version=1.0",
+ "contentTypeTransactionRequestsNotSupported": "application/vnd.interoperability.transactionRequests+json;version=2.0",
+ "contentTypeAuthorizations": "application/vnd.interoperability.authorizations+json;version=1.1",
+ "contentTypeAuthorizationsOld": "application/vnd.interoperability.authorizations+json;version=1.0",
+ "contentTypeAuthorizationsNotSupported": "application/vnd.interoperability.authorizations+json;version=2.0",
+ "contentBulkTransfers": "application/vnd.interoperability.bulkTransfers+json;version=1.1",
+ "contentBulkTransfersOld": "application/vnd.interoperability.bulkTransfers+json;version=1.0",
+ "contentBulkTransfersNotSupported": "application/vnd.interoperability.bulkTransfers+json;version=2.0",
+ "expectedPartiesVersion": "1.1",
+ "expectedParticipantsVersion": "1.1",
+ "expectedQuotesVersion": "1.1",
+ "expectedTransfersVersion": "1.1",
+ "expectedAuthorizationsVersion": "1.1",
+ "expectedTransactionRequestsVersion": "1.1"
+ }
+ }
+
+ ml-testing-toolkit-frontend:
+ tolerations: *MOJALOOP_TOLERATIONS
+ ingress:
+%{ if istio_create_ingress_gateways ~}
+ enabled: false
+%{ else ~}
+ enabled: true
+%{ endif ~}
+ className: *INGRESS_CLASS
+ hosts:
+ ui:
+ host: ${ttk_frontend_public_fqdn}
+ port: 6060
+ paths: ['/']
+ config:
+ API_BASE_URL: https://${ttk_backend_public_fqdn}
+
+ml-ttk-test-setup:
+ tests:
+ enabled: true
+ config:
+ testSuiteName: Provisioning
+ environmentName: ${ingress_subdomain}
+ saveReport: true
+ saveReportBaseUrl: http://${ttk_backend_public_fqdn}
+ parameters:
+ <<: *simNames
+ testCaseEnvironmentFile: *ttkInputValues
+ job:
+ enabled: true
+ templateLabels:
+ sidecar.istio.io/inject: "false"
+ ## Set the TTL
for Job Cleanup - ref: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/
+ # ttlSecondsAfterFinished: 50
+ generateNameEnabled: false
+ annotations:
+ argocd.argoproj.io/hook: PostSync
+
+ml-ttk-test-val-gp:
+ configFileDefaults:
+ labels: ${ttk_gp_testcase_labels}
+ tests:
+ enabled: true
+ config:
+ testSuiteName: GP Tests
+ environmentName: ${ingress_subdomain}
+ saveReport: true
+ saveReportBaseUrl: http://${ttk_backend_public_fqdn}
+ parameters:
+ <<: *simNames
+ testCaseEnvironmentFile: *ttkInputValues
+ job:
+ enabled: true
+ templateLabels:
+ sidecar.istio.io/inject: "false"
+ ## Set the TTL for Job Cleanup - ref: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/
+ # ttlSecondsAfterFinished: 50
+ generateNameEnabled: false
+ annotations:
+ argocd.argoproj.io/hook: PostSync
+ argocd.argoproj.io/sync-wave: "${mojaloop_test_sync_wave}"
+
+ml-ttk-test-val-bulk:
+ tests:
+ enabled: true
+ config:
+ testSuiteName: Bulk Tests
+ environmentName: ${ingress_subdomain}
+ saveReport: true
+ saveReportBaseUrl: http://${ttk_backend_public_fqdn}
+ parameters:
+ <<: *simNames
+ testCaseEnvironmentFile: *ttkInputValues
+
+ml-ttk-test-setup-tp:
+ tests:
+ enabled: true
+ config:
+ testSuiteName: Third Party Provisioning Tests
+ environmentName: ${ingress_subdomain}
+ saveReport: true
+ saveReportBaseUrl: http://${ttk_backend_public_fqdn}
+ parameters:
+ <<: *simNames
+ testCaseEnvironmentFile: *ttkInputValues
+
+ml-ttk-test-val-tp:
+ tests:
+ enabled: true
+ config:
+ testSuiteName: Third Party Validation Tests
+ environmentName: ${ingress_subdomain}
+ saveReport: true
+ saveReportBaseUrl: http://${ttk_backend_public_fqdn}
+ parameters:
+ <<: *simNames
+ testCaseEnvironmentFile: *ttkInputValues
+
+ml-ttk-test-setup-sdk-bulk:
+ tests:
+ enabled: true
+ config:
+ testSuiteName: SDK Bulk Provisioning Tests
+ environmentName: ${ingress_subdomain}
+ saveReport: true
+ saveReportBaseUrl: http://${ttk_backend_public_fqdn}
+
parameters:
+ <<: *simNames
+ testCaseEnvironmentFile: *ttkInputValues
+
+ml-ttk-test-val-sdk-bulk:
+ tests:
+ enabled: true
+ config:
+ testSuiteName: SDK Bulk Validation Tests
+ environmentName: ${ingress_subdomain}
+ saveReport: true
+ saveReportBaseUrl: http://ttksim1.${ingress_subdomain}
+ parameters:
+ <<: *simNames
+ testCaseEnvironmentFile: *ttksim1InputValues
+
+ml-ttk-test-val-sdk-r2p:
+ tests:
+ enabled: true
+ config:
+ testSuiteName: SDK Request To Pay Tests
+ environmentName: ${ingress_subdomain}
+ saveReport: true
+ saveReportBaseUrl: http://ttksim1.${ingress_subdomain}
+ parameters:
+ <<: *simNames
+ testCaseEnvironmentFile: *ttksim1InputValues
+
+ml-ttk-test-cleanup:
+ tests:
+ enabled: true
+ config:
+ testSuiteName: Post Cleanup
+ environmentName: ${ingress_subdomain}
+ saveReport: true
+ saveReportBaseUrl: http://${ttk_backend_public_fqdn}
+ parameters:
+ <<: *simNames
+ testCaseEnvironmentFile: *ttkInputValues
+
+mojaloop-simulator:
+ enabled: ${internal_sim_enabled}
+ defaults:
+ tolerations: *MOJALOOP_TOLERATIONS
diff --git a/terraform/gitops/vnext/mcm.tf b/terraform/gitops/vnext/mcm.tf
new file mode 100644
index 000000000..a548a84c9
--- /dev/null
+++ b/terraform/gitops/vnext/mcm.tf
@@ -0,0 +1,222 @@
+module "generate_mcm_files" {
+ source = "../generate-files"
+ var_map = {
+ mcm_enabled = var.mcm_enabled
+ db_password_secret = local.stateful_resources[local.mcm_resource_index].logical_service_config.user_password_secret
+ db_password_secret_key = local.stateful_resources[local.mcm_resource_index].logical_service_config.user_password_secret_key
+ db_user = local.stateful_resources[local.mcm_resource_index].logical_service_config.username
+ db_schema = local.stateful_resources[local.mcm_resource_index].logical_service_config.database_name
+ db_port = local.stateful_resources[local.mcm_resource_index].logical_service_config.logical_service_port
+ db_host = "${local.stateful_resources[local.mcm_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local"
+ mcm_public_fqdn = var.mcm_public_fqdn
+ env_name = var.cluster_name
+ env_cn = var.public_subdomain
+ env_o = "Mojaloop"
+ env_ou = "Infra"
+ storage_class_name = var.storage_class_name
+ server_cert_secret_name = var.vault_certman_secretname
+ vault_certman_secretname = var.vault_certman_secretname
+ server_cert_secret_namespace = var.mcm_namespace
+ oauth_key = var.mcm_oidc_client_id
+ oauth_secret_secret = var.mcm_oidc_client_secret_secret
+ oauth_secret_secret_key = var.mcm_oidc_client_secret_secret_key
+ switch_domain = var.public_subdomain
+ vault_endpoint = "http://vault.${var.vault_namespace}.svc.cluster.local:8200"
+ pki_base_domain = var.public_subdomain
+ mcm_chart_repo = var.mcm_chart_repo
+ mcm_chart_version = var.mcm_chart_version
+ mcm_namespace = var.mcm_namespace
+ gitlab_project_url = var.gitlab_project_url
+ public_subdomain = var.public_subdomain
+ enable_oidc = var.enable_mcm_oidc
+ mcm_sync_wave = var.mcm_sync_wave
+ ingress_class = var.mcm_ingress_internal_lb ?
var.internal_ingress_class_name : var.external_ingress_class_name
+ istio_create_ingress_gateways = var.istio_create_ingress_gateways
+ pki_path = var.vault_root_ca_name
+ dfsp_client_cert_bundle = local.dfsp_client_cert_bundle
+ dfsp_internal_whitelist_secret = local.dfsp_internal_whitelist_secret
+ dfsp_external_whitelist_secret = local.dfsp_external_whitelist_secret
+ onboarding_secret_path = local.dfsp_client_cert_bundle
+ whitelist_secret_path = local.whitelist_secret_path
+ mcm_service_account_name = var.mcm_service_account_name
+ pki_client_role = var.pki_client_cert_role
+ pki_server_role = var.pki_server_cert_role
+ mcm_vault_k8s_role_name = var.mcm_vault_k8s_role_name
+ k8s_auth_path = var.k8s_auth_path
+ mcm_secret_path = local.mcm_secret_path
+ totp_issuer = "not-used-yet"
+ token_issuer_fqdn = "keycloak.${var.public_subdomain}"
+ nginx_external_namespace = var.nginx_external_namespace
+ istio_internal_wildcard_gateway_name = var.istio_internal_wildcard_gateway_name
+ istio_internal_gateway_namespace = var.istio_internal_gateway_namespace
+ istio_external_wildcard_gateway_name = var.istio_external_wildcard_gateway_name
+ istio_external_gateway_namespace = var.istio_external_gateway_namespace
+ istio_egress_gateway_name = var.istio_egress_gateway_name
+ istio_egress_gateway_namespace = var.istio_egress_gateway_namespace
+ mcm_wildcard_gateway = local.mcm_wildcard_gateway
+ istio_external_gateway_name = var.istio_external_gateway_name
+ private_network_cidr = var.private_network_cidr
+ interop_switch_fqdn = var.external_interop_switch_fqdn
+ keycloak_fqdn = var.keycloak_fqdn
+ keycloak_dfsp_realm_name = var.keycloak_dfsp_realm_name
+ keycloak_hubop_realm_name = var.keycloak_hubop_realm_name
+ keycloak_name = var.keycloak_name
+ keycloak_namespace = var.keycloak_namespace
+ cert_man_vault_cluster_issuer_name = var.cert_man_vault_cluster_issuer_name
+ jwt_client_secret_secret_name = join("$", ["", "{${replace(var.jwt_client_secret_secret, "-", "_")}}"])
+
mcm_oidc_client_id = var.mcm_oidc_client_id
+ mcm_oidc_client_secret_secret_name = join("$", ["", "{${replace(var.mcm_oidc_client_secret_secret, "-", "_")}}"])
+ jwt_client_secret_secret_key = var.jwt_client_secret_secret_key
+ jwt_client_secret_secret = var.jwt_client_secret_secret
+ mcm_oidc_client_secret_secret = var.mcm_oidc_client_secret_secret
+ mcm_oidc_client_secret_secret_key = var.mcm_oidc_client_secret_secret_key
+ internal_load_balancer_dns = var.internal_load_balancer_dns
+ external_load_balancer_dns = var.external_load_balancer_dns
+ istio_internal_gateway_name = var.istio_internal_gateway_name
+ int_interop_switch_fqdn = var.internal_interop_switch_fqdn
+ mojaloop_namespace = var.mojaloop_namespace
+ mojaloop_release_name = var.mojaloop_release_name
+ onboarding_collection_tag = var.app_var_map.onboarding_collection_tag
+ ory_stack_enabled = var.ory_stack_enabled
+ oathkeeper_auth_provider_name = var.oathkeeper_auth_provider_name
+ auth_fqdn = var.auth_fqdn
+ kratos_service_name = "kratos-public.${var.ory_namespace}.svc.cluster.local"
+ keto_read_url = "http://keto-read.${var.ory_namespace}.svc.cluster.local:80"
+ switch_dfspid = var.switch_dfspid
+ }
+ file_list = [for f in fileset(local.mcm_template_path, "**/*.tpl") : trimsuffix(f, ".tpl") if !can(regex(local.mcm_app_file, f))]
+ template_path = local.mcm_template_path
+ output_path = "${var.output_dir}/mcm"
+ app_file = local.mcm_app_file
+ app_output_path = "${var.output_dir}/app-yamls"
+}
+
+variable "mcm_enabled" {
+ description = "whether mcm app is enabled or not"
+ type = bool
+ default = true
+}
+variable "mcm_ingress_internal_lb" {
+ type = bool
+ description = "mcm_ingress_internal_lb"
+ default = false
+}
+variable "enable_mcm_oidc" {
+ type = bool
+ default = false
+}
+
+variable "mcm_oauth_secret_secret" {
+ type = string
+ description = "mcm_oauth_secret_secret"
+ default = "mcm-oidc-secret"
+}
+
+variable "mcm_oauth_secret_secret_key" {
+ type = string
+ description =
"mcm_oauth_secret_secret_key"
+ default = "secret"
+}
+
+variable "mcm_oidc_client_id" {
+ type = string
+ description = "mcm_oidc_client_id"
+ default = "mcm-portal"
+}
+
+variable "mcm_chart_repo" {
+ type = string
+ default = "https://pm4ml.github.io/helm"
+ description = "mcm_chart_repo"
+}
+
+variable "mcm_chart_version" {
+ type = string
+ default = "0.7.6"
+ description = "mcm_chart_version"
+}
+
+variable "mcm_sync_wave" {
+ type = string
+ description = "mcm_sync_wave"
+ default = "-2"
+}
+
+variable "mcm_namespace" {
+ type = string
+ description = "mcm_namespace"
+ default = "mcm"
+}
+
+variable "mcm_service_account_name" {
+ type = string
+ description = "service account name for mcm"
+ default = "mcm"
+}
+
+variable "mcm_vault_k8s_role_name" {
+ description = "vault k8s role name for mcm"
+ type = string
+ default = "kubernetes-mcm-role"
+}
+
+variable "private_network_cidr" {
+ description = "network cidr for private network"
+ type = string
+}
+
+variable "vault_certman_secretname" {
+ description = "secret name to create for tls offloading via certmanager"
+ type = string
+ default = "vault-tls-cert"
+}
+variable "nginx_external_namespace" {
+ type = string
+ description = "nginx_external_namespace"
+}
+variable "mcm_oidc_client_secret_secret_key" {
+ type = string
+}
+variable "mcm_oidc_client_secret_secret" {
+ type = string
+}
+variable "jwt_client_secret_secret_key" {
+ type = string
+}
+variable "jwt_client_secret_secret" {
+ type = string
+}
+
+variable "keycloak_dfsp_realm_name" {
+ type = string
+ description = "name of realm for dfsp api access"
+ default = "dfsps"
+}
+
+variable "keycloak_name" {
+ type = string
+ description = "name of keycloak instance"
+}
+
+variable "keycloak_fqdn" {
+ type = string
+ description = "fqdn of keycloak"
+}
+variable "keycloak_namespace" {
+ type = string
+ description = "namespace of keycloak in which to create realm"
+}
+variable "mcm_public_fqdn" {
+ type = string
+ description = "hostname for mcm"
+}
+
+locals {
+ mcm_template_path = "${path.module}/../generate-files/templates/mcm"
+ mcm_app_file = "mcm-app.yaml"
+ mcm_resource_index = index(local.stateful_resources.*.resource_name, "mcm-db")
+ mcm_wildcard_gateway = var.mcm_ingress_internal_lb ? "internal" : "external"
+ dfsp_client_cert_bundle = "${local.onboarding_secret_path}_pm4mls"
+ dfsp_internal_whitelist_secret = "${local.whitelist_secret_path}_pm4mls"
+ dfsp_external_whitelist_secret = "${local.whitelist_secret_path}_fsps"
+}
diff --git a/terraform/gitops/vnext/providers.tf b/terraform/gitops/vnext/providers.tf
new file mode 100644
index 000000000..963a4388c
--- /dev/null
+++ b/terraform/gitops/vnext/providers.tf
@@ -0,0 +1,10 @@
+terraform {
+
+ required_providers {
+ gitlab = {
+ source = "gitlabhq/gitlab"
+ version = "~> 16.0"
+ }
+ vault = "~> 3.16"
+ }
+}
\ No newline at end of file
diff --git a/terraform/gitops/vnext/stateful-resources-config.tf b/terraform/gitops/vnext/stateful-resources-config.tf
new file mode 100644
index 000000000..ed842987a
--- /dev/null
+++ b/terraform/gitops/vnext/stateful-resources-config.tf
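Review bot: `onboarding_secret_path = local.dfsp_client_cert_bundle` in var_map looks like a copy-paste slip rather than intent: the locals block at the end of this hunk defines `dfsp_client_cert_bundle` as `"${local.onboarding_secret_path}_pm4mls"`, so the template receives the `_pm4mls`-suffixed bundle path under both `dfsp_client_cert_bundle` and `onboarding_secret_path`, while the parallel entry passes `whitelist_secret_path = local.whitelist_secret_path` unsuffixed. If the template expects the parent Vault path there, the line should read `onboarding_secret_path = local.onboarding_secret_path`; if the duplication is intended, a comment saying so would stop the next reader asking the same question. Separately, `mcm_oauth_secret_secret` and `mcm_oauth_secret_secret_key` are declared with defaults but var_map wires `oauth_secret_secret`/`oauth_secret_secret_key` to the `mcm_oidc_client_secret_secret*` variables, so unless another file in the module reads them they are dead inputs. Finally, `mcm_oidc_client_secret_secret`, `mcm_oidc_client_secret_secret_key`, `jwt_client_secret_secret`, `jwt_client_secret_secret_key` and `enable_mcm_oidc` have no `description`; for the secret-reference inputs a one-liner such as `description = "name of the secret object holding the OIDC client secret (a reference, not the secret value)"` tells callers what they must provision and that the value itself is not meant to pass through this module.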
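Review bot: `vault = "~> 3.16"` uses the bare version-string shorthand while `gitlab` directly above uses the explicit `source`/`version` map; the shorthand leaves the provider source implicit and mixes two styles in a ten-line file, so `vault = { source = "hashicorp/vault", version = "~> 3.16" }` would be the consistent form. The file is also missing its trailing newline (`\ No newline at end of file`), which a `terraform fmt` pass should normalise.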
@@ -0,0 +1,116 @@
+resource "local_file" "chart_values" {
+ for_each = { for stateful_resource in local.local_stateful_resources : stateful_resource.resource_name => stateful_resource }
+
+ content = templatefile("${local.stateful_resources_template_path}/${each.value.local_resource_config.resource_helm_values_ref}", {
+ resource = each.value
+ })
+ filename = "${local.stateful_resources_output_path}/values-${each.value.local_resource_config.resource_helm_chart}-${each.value.resource_name}.yaml"
+}
+
+resource "local_file" "vault_crs" {
+ for_each = { for stateful_resource in local.local_stateful_resources : stateful_resource.resource_name => stateful_resource }
+
+ content = templatefile("${local.stateful_resources_template_path}/vault-crs.yaml.tpl", {
+ resource = each.value
+ })
+ filename = "${local.stateful_resources_output_path}/vault-crs-${each.value.resource_name}.yaml"
+}
+
+resource "local_file" "managed_crs" {
+ for_each = local.managed_resource_password_map
+
+ content = templatefile("${local.stateful_resources_template_path}/managed-crs.yaml.tpl", {
+ password_map = each.value
+ })
+ filename = "${local.stateful_resources_output_path}/managed-crs-${each.key}.yaml"
+}
+
+resource "local_file" "external_name_services" {
+ content = templatefile("${local.stateful_resources_template_path}/external-name-services.yaml.tpl",
+ { config = local.external_name_map
+ stateful_resources_namespace = var.stateful_resources_namespace
+ })
+ filename = "${local.stateful_resources_output_path}/external-name-services.yaml"
+}
+
+resource "local_file" "kustomization" {
+ content = templatefile("${local.stateful_resources_template_path}/stateful-resources-kustomization.yaml.tpl",
+ { local_stateful_resources = local.local_stateful_resources
+ managed_stateful_resources = local.managed_stateful_resources
+ })
+ filename = "${local.stateful_resources_output_path}/kustomization.yaml"
+}
+
+resource "local_file" "namespace" {
+ content =
templatefile("${local.stateful_resources_template_path}/namespace.yaml.tpl",
+ {
+ all_ns = distinct(concat(local.all_logical_extra_namespaces, local.all_local_namespaces, local.all_local_extra_namespaces))
+ })
+ filename = "${local.stateful_resources_output_path}/namespace.yaml"
+}
+
+resource "local_file" "stateful-resources-app-file" {
+ content = templatefile("${local.stateful_resources_template_path}/app/${local.stateful_resources_app_file}.tpl", local.stateful_resources_vars)
+ filename = "${local.app_stateful_resources_output_path}/${local.stateful_resources_name}-${local.stateful_resources_app_file}"
+}
+
+locals {
+ stateful_resources_name = "vnext"
+ stateful_resources_template_path = "${path.module}/../generate-files/templates/stateful-resources"
+ stateful_resources_output_path = "${var.output_dir}/${local.stateful_resources_name}-stateful-resources"
+ stateful_resources_app_file = "stateful-resources-app.yaml"
+ app_stateful_resources_output_path = "${var.output_dir}/app-yamls"
+ stateful_resources = jsondecode(file(var.stateful_resources_config_file))
+ enabled_stateful_resources = { for stateful_resource in local.stateful_resources : stateful_resource.resource_name => stateful_resource if stateful_resource.enabled }
+ managed_stateful_resources = { for managed_resource in local.enabled_stateful_resources : managed_resource.resource_name => managed_resource if managed_resource.external_service }
+ local_stateful_resources = { for local_stateful_resource in local.enabled_stateful_resources : local_stateful_resource.resource_name => local_stateful_resource if !local_stateful_resource.external_service }
+ local_external_name_map = { for stateful_resource in local.local_stateful_resources : stateful_resource.logical_service_config.logical_service_name => stateful_resource.local_resource_config.override_service_name != null ? 
"${stateful_resource.local_resource_config.override_service_name}.${stateful_resource.local_resource_config.resource_namespace}.svc.cluster.local" : "${stateful_resource.resource_name}.${stateful_resource.local_resource_config.resource_namespace}.svc.cluster.local" }
+ managed_external_name_map = { for index, stateful_resource in local.managed_stateful_resources : stateful_resource.logical_service_config.logical_service_name => data.gitlab_project_variable.external_stateful_resource_instance_address[index].value }
+ external_name_map = merge(local.local_external_name_map, local.managed_external_name_map)
+ managed_resource_password_map = { for index, stateful_resource in local.managed_stateful_resources : stateful_resource.resource_name => {
+ password = data.vault_generic_secret.external_stateful_resource_password[index].data.value
+ namespaces = stateful_resource.logical_service_config.secret_extra_namespaces
+ secret_name = stateful_resource.logical_service_config.user_password_secret
+ secret_key = stateful_resource.logical_service_config.user_password_secret_key
+ }
+ }
+
+ stateful_resources_vars = {
+ stateful_resources_namespace = var.stateful_resources_namespace
+ gitlab_project_url = var.gitlab_project_url
+ stateful_resources_sync_wave = var.stateful_resources_sync_wave
+ stateful_resources_name = local.stateful_resources_name
+ }
+ all_logical_extra_namespaces = flatten([for stateful_resource in local.enabled_stateful_resources : stateful_resource.logical_service_config.secret_extra_namespaces])
+ all_local_extra_namespaces = flatten([for stateful_resource in local.local_stateful_resources : stateful_resource.local_resource_config.generate_secret_extra_namespaces])
+ all_local_namespaces = distinct([for stateful_resource in local.local_stateful_resources : stateful_resource.local_resource_config.resource_namespace])
+}
+
+variable "stateful_resources_config_file" {
+ default = "../config/stateful-resources.json"
+ type = string
+ description = "where to 
pull stateful resources config"
+}
+
+variable "stateful_resources_namespace" {
+ type = string
+ description = "stateful_resources_namespace"
+ default = "stateful-resources"
+}
+
+variable "stateful_resources_sync_wave" {
+ type = string
+ description = "stateful_resources_sync_wave, wait for vault config operator"
+ default = "-5"
+}
+
+data "vault_generic_secret" "external_stateful_resource_password" {
+ for_each = local.managed_stateful_resources
+ path = "${var.kv_path}/${var.cluster_name}/${each.value.external_resource_config.password_key_name}"
+}
+
+data "gitlab_project_variable" "external_stateful_resource_instance_address" {
+ for_each = local.managed_stateful_resources
+ project = var.current_gitlab_project_id
+ key = each.value.external_resource_config.instance_address_key_name
+}
diff --git a/terraform/gitops/vnext/variables.tf b/terraform/gitops/vnext/variables.tf
new file mode 100644
index 000000000..8a00055c3
--- /dev/null
+++ b/terraform/gitops/vnext/variables.tf
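Review bot: `managed_resource_password_map` copies the plaintext Vault value (`data.vault_generic_secret.external_stateful_resource_password[index].data.value`) into `password`, and `resource "local_file" "managed_crs"` hands that map to `managed-crs.yaml.tpl` and writes the result under `stateful_resources_output_path`, which is the generated gitops tree. Because `local_file.content` is not marked sensitive, the rendered content (and whatever the template does with `password`) shows up verbatim in plan/apply output and in state; switching the resource to `resource "local_sensitive_file" "managed_crs" {` keeps it out of the plan diff, and it is worth confirming the template only references the secret indirectly rather than emitting the value into the committed manifest. A short comment on the `password` key stating which consumer actually needs the raw value would make that contract explicit to the next maintainer.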
@@ -0,0 +1,172 @@
+variable "cluster_name" {
+ description = "Cluster name, lower case and without spaces. This will be used to set tags and name resources"
+ type = string
+}
+
+variable "output_dir" {
+ default = "../apps"
+ type = string
+ description = "where to output files"
+}
+
+variable "gitlab_server_url" {
+ type = string
+ description = "gitlab_server_url"
+}
+
+variable "gitlab_project_url" {
+ type = string
+ description = "gitlab_project_url"
+}
+
+variable "nat_public_ips" {
+ type = list(any)
+ description = "nat_public_ips"
+}
+variable "internal_load_balancer_dns" {
+ type = string
+ description = "internal_load_balancer_dns"
+}
+variable "external_load_balancer_dns" {
+ type = string
+ description = "external_load_balancer_dns"
+}
+variable "private_subdomain" {
+ type = string
+ description = "private_subdomain"
+}
+variable "public_subdomain" {
+ type = string
+ description = "public_subdomain"
+}
+
+variable "current_gitlab_project_id" {
+ type = string
+ description = "current_gitlab_project_id"
+}
+
+variable "gitlab_group_name" {
+ type = string
+ description = "gitlab_group_name"
+}
+
+variable "gitlab_api_url" {
+ type = string
+ description = "gitlab_api_url"
+}
+
+variable "storage_class_name" {
+ type = string
+ description = "storage_class_name"
+ default = "longhorn"
+}
+
+variable "external_secret_sync_wave" {
+ type = string
+ description = "external_secret_sync_wave"
+ default = "-11"
+}
+
+variable "properties_key_map" {
+ type = map(any)
+ description = "contains keys for known properties"
+}
+
+variable "secrets_key_map" {
+ type = map(any)
+ description = "contains keys for known secrets"
+}
+
+variable "kv_path" {
+ description = "path for kv engine"
+ default = "secret"
+}
+
+variable "external_interop_switch_fqdn" {
+ description = "fqdn for interop ext"
+}
+
+variable "internal_interop_switch_fqdn" {
+ description = "fqdn for interop int"
+}
+
+variable "internal_ingress_class_name" {
+ type = string
+ description = 
"nginx_internal_namespace"
+ default = "nginx-int"
+}
+variable "external_ingress_class_name" {
+ type = string
+ description = "external_ingress_class_name"
+ default = "nginx-ext"
+}
+variable "nginx_jwt_namespace" {
+ type = string
+ description = "nginx_jwt_namespace"
+ default = "nginx-jwt"
+}
+
+variable "istio_internal_gateway_name" {
+ type = string
+ description = "istio_internal_gateway_name"
+}
+
+variable "istio_external_gateway_name" {
+ type = string
+ description = "istio_external_gateway_name"
+}
+
+variable "istio_internal_wildcard_gateway_name" {
+ type = string
+ description = "istio_internal_wildcard_gateway_name"
+}
+
+variable "istio_external_wildcard_gateway_name" {
+ type = string
+ description = "istio_external_wildcard_gateway_name"
+}
+
+variable "istio_create_ingress_gateways" {
+ type = bool
+ description = "should istio create ingress gateways"
+ default = true
+}
+
+variable "istio_egress_gateway_name" {
+ type = string
+ description = "istio_egress_gateway_name"
+}
+
+variable "istio_egress_gateway_namespace" {
+ type = string
+ description = "istio_egress_gateway_namespace"
+}
+
+variable "istio_internal_gateway_namespace" {
+ type = string
+ description = "istio_internal_gateway_namespace"
+ default = "istio-ingress-int"
+}
+
+variable "istio_external_gateway_namespace" {
+ type = string
+ description = "istio_external_gateway_namespace"
+ default = "istio-ingress-ext"
+}
+variable "cert_manager_service_account_name" {
+ type = string
+ description = "cert_manager_service_account_name"
+}
+
+variable "vault_namespace" {
+ type = string
+ description = "vault_namespace"
+}
+variable "cert_manager_namespace" {
+ type = string
+ description = "cert_manager_namespace"
+}
+variable "switch_dfspid" {
+ type = string
+ default = "switch"
+}
diff --git a/terraform/gitops/vnext/vault-pki-setup.tf b/terraform/gitops/vnext/vault-pki-setup.tf
new file mode 100644
index 000000000..cc79f4825
--- /dev/null
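Review bot: The description of `variable "internal_ingress_class_name"` reads `"nginx_internal_namespace"`, which is a copy-paste from a different variable and will mislead anyone reading `terraform-docs` output; change it to `description = "internal_ingress_class_name"` to match the naming used by every sibling in this file. Several declarations also omit `type` — `kv_path`, `external_interop_switch_fqdn`, `internal_interop_switch_fqdn` — so a caller can pass a number or list without a validation error until the value is interpolated into a Vault path or FQDN string; `type = string` on each is a one-line fix. `switch_dfspid` is the only variable here with no description at all.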
+++ b/terraform/gitops/vnext/vault-pki-setup.tf 
@@ -0,0 +1,81 @@
+module "generate_vault_pki_setup_files" {
+ source = "../generate-files"
+ var_map = {
+ cert_man_vault_cluster_issuer_name = var.cert_man_vault_cluster_issuer_name
+ cert_manager_namespace = var.cert_manager_namespace
+ public_subdomain = var.public_subdomain
+ whitelist_secret_name_prefix = local.whitelist_secret_path
+ onboarding_secret_name_prefix = local.onboarding_secret_path
+ cert_manager_service_account_name = var.cert_manager_service_account_name
+ gitlab_project_url = var.gitlab_project_url
+ cert_manager_cluster_issuer_role_name = var.cert_manager_cluster_issuer_role_name
+ interop_switch_fqdn = var.external_interop_switch_fqdn
+ vault_root_ca_name = var.vault_root_ca_name
+ pki_server_cert_role = var.pki_server_cert_role
+ pki_client_cert_role = var.pki_client_cert_role
+ k8s_auth_path = var.k8s_auth_path
+ vault_endpoint = "http://vault.${var.vault_namespace}.svc.cluster.local:8200"
+ vault_pki_sync_wave = var.vault_pki_sync_wave
+ }
+ file_list = [for f in fileset(local.vault_pki_template_path, "**/*.tpl") : trimsuffix(f, ".tpl") if !can(regex(local.vault_pki_app_file, f))]
+ template_path = local.vault_pki_template_path
+ output_path = "${var.output_dir}/vault-pki-setup"
+ app_file = local.vault_pki_app_file
+ app_output_path = "${var.output_dir}/app-yamls"
+}
+
+locals {
+ vault_pki_template_path = "${path.module}/../generate-files/templates/vault-pki-setup"
+ vault_pki_app_file = "vault-pki-app.yaml"
+}
+
+
+
+variable "cert_man_vault_cluster_issuer_name" {
+ description = "certmanager vault cluster issuer name"
+ type = string
+ default = "vault-cluster-issuer"
+}
+
+variable "local_vault_kv_root_path" {
+ description = "vault kv secret root"
+ type = string
+}
+
+variable "cert_manager_cluster_issuer_role_name" {
+ description = "cert_manager_cluster_issuer_role_name"
+ type = string
+ default = "cert-man-cluster-issuer-role"
+}
+
+variable "vault_root_ca_name" {
+ description = "root ca name for vault"
+ type = string
+ 
default = "pki-root-ca"
+}
+variable "pki_client_cert_role" {
+ description = "pki_client_cert_role"
+ default = "client-cert-role"
+}
+
+variable "pki_server_cert_role" {
+ description = "pki_server_cert_role"
+ default = "server-cert-role"
+}
+
+variable "k8s_auth_path" {
+ description = "k8s_auth_path"
+ default = "kubernetes"
+}
+
+variable "vault_pki_sync_wave" {
+ type = string
+ description = "vault_pki_sync_wave"
+ default = "-5"
+}
+
+locals {
+ whitelist_secret_path = "${var.local_vault_kv_root_path}/whitelist"
+ onboarding_secret_path = "${var.local_vault_kv_root_path}/onboarding"
+ mcm_secret_path = "${var.local_vault_kv_root_path}/mcm"
+}
diff --git a/terraform/gitops/vnext/vnext.tf b/terraform/gitops/vnext/vnext.tf
new file mode 100644
index 000000000..51ca19ec5
--- /dev/null
+++ b/terraform/gitops/vnext/vnext.tf
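Review bot: `vault_endpoint = "http://vault.${var.vault_namespace}.svc.cluster.local:8200"` hard-codes a plaintext scheme and port into the generated PKI setup, so cert-manager's Kubernetes-auth login and the issuer's token traffic to Vault are cleartext on the pod network unless a mesh sidecar is enforcing mTLS for that path, which this module cannot see; it also silently breaks if the Vault listener in this cluster has TLS enabled. Lifting it into an input, `variable "vault_endpoint" { type = string }` with the current string as the default and a description noting the TLS expectation, lets operators point at an `https://` listener without editing the module. The `pki_client_cert_role`, `pki_server_cert_role` and `k8s_auth_path` variables in this same hunk have no `type`, unlike `vault_pki_sync_wave` immediately below them.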
@@ -0,0 +1,374 @@
+module "generate_vnext_files" {
+ source = "../generate-files"
+ var_map = {
+ vnext_enabled = var.vnext_enabled
+ gitlab_project_url = var.gitlab_project_url
+ vnext_chart_repo = var.mojaloop_chart_repo
+ mojaloop_chart_version = try(var.app_var_map.mojaloop_chart_version, var.mojaloop_chart_version)
+ mojaloop_release_name = var.mojaloop_release_name
+ mojaloop_namespace = var.mojaloop_namespace
+ storage_class_name = var.storage_class_name
+ mojaloop_sync_wave = var.mojaloop_sync_wave
+ mojaloop_test_sync_wave = var.mojaloop_test_sync_wave
+ internal_ttk_enabled = var.internal_ttk_enabled
+ istio_create_ingress_gateways = var.istio_create_ingress_gateways
+ istio_external_gateway_name = var.istio_external_gateway_name
+ external_load_balancer_dns = var.external_load_balancer_dns
+ istio_internal_wildcard_gateway_name = var.istio_internal_wildcard_gateway_name
+ istio_internal_gateway_namespace = var.istio_internal_gateway_namespace
+ istio_external_wildcard_gateway_name = var.istio_external_wildcard_gateway_name
+ istio_external_gateway_namespace = var.istio_external_gateway_namespace
+ mojaloop_wildcard_gateway = local.mojaloop_wildcard_gateway
+ keycloak_fqdn = var.keycloak_fqdn
+ keycloak_realm_name = var.keycloak_hubop_realm_name
+ ttk_frontend_public_fqdn = var.ttk_frontend_public_fqdn
+ ttk_backend_public_fqdn = var.ttk_backend_public_fqdn
+ kafka_host = "${local.stateful_resources[local.mojaloop_kafka_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local"
+ kafka_port = local.stateful_resources[local.mojaloop_kafka_resource_index].logical_service_config.logical_service_port
+ account_lookup_db_existing_secret = local.stateful_resources[local.ml_als_resource_index].logical_service_config.user_password_secret
+ account_lookup_db_user = local.stateful_resources[local.ml_als_resource_index].logical_service_config.username
+ account_lookup_db_host = 
"${local.stateful_resources[local.ml_als_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local"
+ account_lookup_db_port = local.stateful_resources[local.ml_als_resource_index].logical_service_config.logical_service_port
+ account_lookup_db_database = local.stateful_resources[local.ml_als_resource_index].logical_service_config.database_name
+ central_ledger_db_existing_secret = local.stateful_resources[local.ml_cl_resource_index].logical_service_config.user_password_secret
+ central_ledger_db_user = local.stateful_resources[local.ml_cl_resource_index].logical_service_config.username
+ central_ledger_db_host = "${local.stateful_resources[local.ml_cl_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local"
+ central_ledger_db_port = local.stateful_resources[local.ml_cl_resource_index].logical_service_config.logical_service_port
+ central_ledger_db_database = local.stateful_resources[local.ml_cl_resource_index].logical_service_config.database_name
+ central_settlement_db_existing_secret = local.stateful_resources[local.ml_cl_resource_index].logical_service_config.user_password_secret
+ central_settlement_db_user = local.stateful_resources[local.ml_cl_resource_index].logical_service_config.username
+ central_settlement_db_host = "${local.stateful_resources[local.ml_cl_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local"
+ central_settlement_db_port = local.stateful_resources[local.ml_cl_resource_index].logical_service_config.logical_service_port
+ central_settlement_db_database = local.stateful_resources[local.ml_cl_resource_index].logical_service_config.database_name
+ quoting_db_existing_secret = local.stateful_resources[local.ml_cl_resource_index].logical_service_config.user_password_secret
+ quoting_db_user = 
local.stateful_resources[local.ml_cl_resource_index].logical_service_config.username
+ quoting_db_host = "${local.stateful_resources[local.ml_cl_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local"
+ quoting_db_port = local.stateful_resources[local.ml_cl_resource_index].logical_service_config.logical_service_port
+ quoting_db_database = local.stateful_resources[local.ml_cl_resource_index].logical_service_config.database_name
+ cep_mongodb_database = local.stateful_resources[local.cep_mongodb_resource_index].logical_service_config.database_name
+ cep_mongodb_user = local.stateful_resources[local.cep_mongodb_resource_index].logical_service_config.username
+ cep_mongodb_host = "${local.stateful_resources[local.cep_mongodb_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local"
+ cep_mongodb_existing_secret = local.stateful_resources[local.cep_mongodb_resource_index].logical_service_config.user_password_secret
+ cep_mongodb_port = local.stateful_resources[local.cep_mongodb_resource_index].logical_service_config.logical_service_port
+ cl_mongodb_database = local.stateful_resources[local.bulk_mongodb_resource_index].logical_service_config.database_name
+ cl_mongodb_user = local.stateful_resources[local.bulk_mongodb_resource_index].logical_service_config.username
+ cl_mongodb_host = "${local.stateful_resources[local.bulk_mongodb_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local"
+ cl_mongodb_existing_secret = local.stateful_resources[local.bulk_mongodb_resource_index].logical_service_config.user_password_secret
+ cl_mongodb_port = local.stateful_resources[local.bulk_mongodb_resource_index].logical_service_config.logical_service_port
+ ttk_mongodb_database = local.stateful_resources[local.ttk_mongodb_resource_index].logical_service_config.database_name
+ ttk_mongodb_user = 
local.stateful_resources[local.ttk_mongodb_resource_index].logical_service_config.username
+ ttk_mongodb_host = "${local.stateful_resources[local.ttk_mongodb_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local"
+ ttk_mongodb_existing_secret = local.stateful_resources[local.ttk_mongodb_resource_index].logical_service_config.user_password_secret
+ ttk_mongodb_port = local.stateful_resources[local.ttk_mongodb_resource_index].logical_service_config.logical_service_port
+ third_party_consent_db_existing_secret = local.stateful_resources[local.third_party_consent_oracle_db_resource_index].logical_service_config.user_password_secret
+ third_party_consent_db_user = local.stateful_resources[local.third_party_consent_oracle_db_resource_index].logical_service_config.username
+ third_party_consent_db_host = "${local.stateful_resources[local.third_party_consent_oracle_db_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local"
+ third_party_consent_db_port = local.stateful_resources[local.third_party_consent_oracle_db_resource_index].logical_service_config.logical_service_port
+ third_party_consent_db_database = local.stateful_resources[local.third_party_consent_oracle_db_resource_index].logical_service_config.database_name
+ third_party_auth_db_existing_secret = local.stateful_resources[local.third_party_auth_db_resource_index].logical_service_config.user_password_secret
+ third_party_auth_db_user = local.stateful_resources[local.third_party_auth_db_resource_index].logical_service_config.username
+ third_party_auth_db_host = "${local.stateful_resources[local.third_party_auth_db_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local"
+ third_party_auth_db_port = local.stateful_resources[local.third_party_auth_db_resource_index].logical_service_config.logical_service_port
+ 
third_party_auth_db_database = local.stateful_resources[local.third_party_auth_db_resource_index].logical_service_config.database_name
+ third_party_auth_redis_host = "${local.stateful_resources[local.third_party_redis_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local"
+ third_party_auth_redis_port = local.stateful_resources[local.third_party_redis_resource_index].logical_service_config.logical_service_port
+ ttksims_redis_host = "${local.stateful_resources[local.ttk_redis_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local"
+ ttksims_redis_port = local.stateful_resources[local.ttk_redis_resource_index].logical_service_config.logical_service_port
+ account_lookup_service_replica_count = try(var.app_var_map.account_lookup_service_replica_count, 1)
+ account_lookup_service_admin_replica_count = try(var.app_var_map.account_lookup_service_admin_replica_count, 1)
+ quoting_service_replica_count = try(var.app_var_map.quoting_service_replica_count, 1)
+ quoting_service_handler_replica_count = try(var.app_var_map.quoting_service_handler_replica_count, 1)
+ ml_api_adapter_service_replica_count = try(var.app_var_map.ml_api_adapter_service_replica_count, 1)
+ ml_api_adapter_handler_notifications_replica_count = try(var.app_var_map.ml_api_adapter_handler_notifications_replica_count, 1)
+ central_ledger_service_replica_count = try(var.app_var_map.central_ledger_service_replica_count, 1)
+ central_ledger_handler_transfer_prepare_replica_count = try(var.app_var_map.central_ledger_handler_transfer_prepare_replica_count, 1)
+ central_ledger_handler_transfer_position_replica_count = try(var.app_var_map.central_ledger_handler_transfer_position_replica_count, 1)
+ central_ledger_handler_transfer_position_batch_replica_count = try(var.app_var_map.central_ledger_handler_transfer_position_batch_replica_count, 1)
+ 
central_ledger_handler_transfer_get_replica_count = try(var.app_var_map.central_ledger_handler_transfer_get_replica_count, 1)
+ central_ledger_handler_transfer_fulfil_replica_count = try(var.app_var_map.central_ledger_handler_transfer_fulfil_replica_count, 1)
+ central_ledger_handler_admin_transfer_replica_count = try(var.app_var_map.central_ledger_handler_admin_transfer_replica_count, 1)
+ central_settlement_service_replica_count = try(var.app_var_map.central_settlement_service_replica_count, 1)
+ central_settlement_handler_deferredsettlement_replica_count = try(var.app_var_map.central_settlement_handler_deferredsettlement_replica_count, 1)
+ central_settlement_handler_grosssettlement_replica_count = try(var.app_var_map.central_settlement_handler_grosssettlement_replica_count, 1)
+ central_settlement_handler_rules_replica_count = try(var.app_var_map.central_settlement_handler_rules_replica_count, 1)
+ trasaction_requests_service_replica_count = try(var.app_var_map.trasaction_requests_service_replica_count, 1)
+ auth_service_replica_count = try(var.app_var_map.auth_service_replica_count, 1)
+ consent_oracle_replica_count = try(var.app_var_map.consent_oracle_replica_count, 1)
+ tp_api_svc_replica_count = try(var.app_var_map.tp_api_svc_replica_count, 1)
+ bulk_api-adapter_service_replica_count = try(var.app_var_map.adapter_service_replica_count, 1)
+ bulk_api_adapter_handler_notification_replica_count = try(var.app_var_map.bulk_api_adapter_handler_notification_replica_count, 1)
+ cl_handler_bulk_transfer_prepare_replica_count = try(var.app_var_map.cl_handler_bulk_transfer_prepare_replica_count, 1)
+ cl_handler_bulk_transfer_fulfil_replica_count = try(var.app_var_map.cl_handler_bulk_transfer_fulfil_replica_count, 1)
+ cl_handler_bulk_transfer_processing_replica_count = try(var.app_var_map.cl_handler_bulk_transfer_processing_replica_count, 1)
+ cl_handler_bulk_transfer_get_replica_count = try(var.app_var_map.cl_handler_bulk_transfer_get_replica_count, 1)
+ 
enable_istio_injection = try(var.app_var_map.enable_istio_injection, false)
+ mojaloop_tolerations = try(yamlencode(var.app_var_map.mojaloop_tolerations), []) ## TODO: need to pass this variable
+ account_lookup_service_affinity = yamlencode(var.app_var_map.workload_definitions.account_lookup_service.affinity_definition)
+ account_lookup_admin_service_affinity = try(yamlencode(var.app_var_map.workload_definitions.account_lookup_service.affinity_definition), null)
+ quoting_service_affinity = try(yamlencode(var.app_var_map.workload_definitions.quoting_service.affinity_definition), null)
+ ml_api_adapter_service_affinity = try(yamlencode(var.app_var_map.workload_definitions.core_api_adapters.affinity_definition), null)
+ ml_api_adapter_handler_notifications_affinity = try(yamlencode(var.app_var_map.workload_definitions.core_api_adapters.affinity_definition), null)
+ centralledger_service_affinity = try(yamlencode(var.app_var_map.workload_definitions.central_ledger_service.affinity_definition), null)
+ central_ledger_handler_transfer_prepare_affinity = try(yamlencode(var.app_var_map.workload_definitions.central_ledger_service.affinity_definition), null)
+ central_ledger_handler_transfer_position_affinity = try(yamlencode(var.app_var_map.workload_definitions.central_ledger_service.affinity_definition), null)
+ central_ledger_handler_transfer_position_batch_affinity = try(yamlencode(var.app_var_map.workload_definitions.central_ledger_service.affinity_definition), null)
+ central_ledger_handler_transfer_get_affinity = try(yamlencode(var.app_var_map.workload_definitions.central_ledger_service.affinity_definition), null)
+ central_ledger_handler_transfer_fulfil_affinity = try(yamlencode(var.app_var_map.workload_definitions.central_ledger_service.affinity_definition), null)
+ central_ledger_handler_admin_transfer_affinity = try(yamlencode(var.app_var_map.workload_definitions.central_ledger_service.affinity_definition), null)
+ central_settlement_service_affinity = 
try(yamlencode(var.app_var_map.workload_definitions.central_settlement.affinity_definition), null)
+ central_settlement_handler_deferredsettlement_affinity = try(yamlencode(var.app_var_map.workload_definitions.central_settlement.affinity_definition), null)
+ central_settlement_handler_grosssettlement_affinity = try(yamlencode(var.app_var_map.workload_definitions.central_settlement.affinity_definition), null)
+ central_settlement_handler_rules_affinity = try(yamlencode(var.app_var_map.workload_definitions.central_settlement.affinity_definition), null)
+ trasaction_requests_service_affinity = try(yamlencode(var.app_var_map.workload_definitions.core_api_adapters.affinity_definition), null)
+ central_ledger_monitoring_prefix = try(var.app_var_map.central_ledger_monitoring_prefix, "moja_cl_")
+ quoting_service_monitoring_prefix = try(var.app_var_map.quoting_service_monitoring_prefix, "moja_qs_")
+ ml_api_adapter_monitoring_prefix = try(var.app_var_map.ml_api_adapter_monitoring_prefix, "moja_ml_")
+ account_lookup_service_monitoring_prefix = try(var.app_var_map.account_lookup_service_monitoring_prefix, "moja_als_")
+ grafana_dashboard_tag = try(var.app_var_map.grafana_dashboard_tag, var.mojaloop_chart_version)
+ bof_release_name = var.bof_release_name
+ ory_namespace = var.ory_namespace
+ bof_role_perm_operator_host = "${var.bof_release_name}-security-role-perm-operator-svc.${var.ory_namespace}.svc.cluster.local"
+ auth_fqdn = var.auth_fqdn
+ central_admin_host = "${var.mojaloop_release_name}-centralledger-service"
+ central_settlements_host = "${var.mojaloop_release_name}-centralsettlement-service"
+ account_lookup_service_host = "${var.mojaloop_release_name}-account-lookup-service"
+ reporting_db_secret_name = local.stateful_resources[local.ml_cl_resource_index].logical_service_config.user_password_secret
+ reporting_db_user = local.stateful_resources[local.ml_cl_resource_index].logical_service_config.username
+ reporting_db_host = 
"${local.stateful_resources[local.ml_cl_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local"
+ reporting_db_port = local.stateful_resources[local.ml_cl_resource_index].logical_service_config.logical_service_port
+ reporting_db_database = local.stateful_resources[local.ml_cl_resource_index].logical_service_config.database_name
+ reporting_db_secret_key = "mysql-password"
+ reporting_events_mongodb_database = local.stateful_resources[local.reporting_events_mongodb_resource_index].logical_service_config.database_name
+ reporting_events_mongodb_user = local.stateful_resources[local.reporting_events_mongodb_resource_index].logical_service_config.username
+ reporting_events_mongodb_host = "${local.stateful_resources[local.reporting_events_mongodb_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local"
+ reporting_events_mongodb_existing_secret = local.stateful_resources[local.reporting_events_mongodb_resource_index].logical_service_config.user_password_secret
+ reporting_events_mongodb_port = local.stateful_resources[local.reporting_events_mongodb_resource_index].logical_service_config.logical_service_port
+ keto_read_url = "http://keto-read.${var.ory_namespace}.svc.cluster.local:80"
+ keto_write_url = "http://keto-write.${var.ory_namespace}.svc.cluster.local:80"
+ kratos_service_name = "kratos-public.${var.ory_namespace}.svc.cluster.local"
+ portal_fqdn = var.finance_portal_fqdn
+ finance_portal_release_name = "fin-portal"
+ finance_portal_chart_version = try(var.app_var_map.finance_portal_chart_version, var.finance_portal_chart_version)
+ ory_stack_enabled = var.ory_stack_enabled
+ oathkeeper_auth_provider_name = var.oathkeeper_auth_provider_name
+ vault_secret_key = var.vault_secret_key
+ role_assign_svc_secret = var.role_assign_svc_secret
+ role_assign_svc_user = var.role_assign_svc_user
+ keycloak_dfsp_realm_name = var.keycloak_dfsp_realm_name
+ 
apiResources = local.apiResources
+ reporting_templates_chart_version = try(var.app_var_map.reporting_templates_chart_version, var.reporting_templates_chart_version)
+ switch_dfspid = var.switch_dfspid
+ jws_key_secret = local.jws_key_secret
+ jws_key_secret_private_key_key = "tls.key"
+ jws_key_secret_public_key_key = "tls.crt"
+ cert_man_vault_cluster_issuer_name = var.cert_man_vault_cluster_issuer_name
+ jws_key_rsa_bits = try(var.app_var_map.jws_key_rsa_bits, var.jws_key_rsa_bits)
+ jws_rotation_renew_before_hours = try(var.app_var_map.jws_rotation_renew_before_hours, var.jws_rotation_renew_before_hours)
+ jws_rotation_period_hours = try(var.app_var_map.jws_rotation_period_hours, var.jws_rotation_period_hours)
+ mcm_hub_jws_endpoint = "http://mcm-connection-manager-api.${var.mcm_namespace}.svc.cluster.local:3001/api/hub/jwscerts"
+ ttk_gp_testcase_labels = try(var.app_var_map.ttk_gp_testcase_labels, var.ttk_gp_testcase_labels)
+ }
+ file_list = [for f in fileset(local.mojaloop_template_path, "**/*.tpl") : trimsuffix(f, ".tpl") if !can(regex(local.mojaloop_app_file, f))]
+ template_path = local.mojaloop_template_path
+ output_path = "${var.output_dir}/mojaloop"
+ app_file = local.mojaloop_app_file
+ app_output_path = "${var.output_dir}/app-yamls"
+}
+
+
+locals {
+ mojaloop_template_path = "${path.module}/../generate-files/templates/mojaloop"
+ mojaloop_app_file = "mojaloop-app.yaml"
+ ml_als_resource_index = index(local.stateful_resources.*.resource_name, "account-lookup-db")
+ ml_cl_resource_index = index(local.stateful_resources.*.resource_name, "central-ledger-db")
+ bulk_mongodb_resource_index = index(local.stateful_resources.*.resource_name, "bulk-mongodb")
+ ttk_mongodb_resource_index = index(local.stateful_resources.*.resource_name, "ttk-mongodb")
+ cep_mongodb_resource_index = index(local.stateful_resources.*.resource_name, "cep-mongodb")
+ mojaloop_kafka_resource_index = index(local.stateful_resources.*.resource_name, "mojaloop-kafka")
+ 
third_party_redis_resource_index = index(local.stateful_resources.*.resource_name, "thirdparty-auth-svc-redis")
+ third_party_auth_db_resource_index = index(local.stateful_resources.*.resource_name, "thirdparty-auth-svc-db")
+ third_party_consent_oracle_db_resource_index = index(local.stateful_resources.*.resource_name, "mysql-consent-oracle-db")
+ ttk_redis_resource_index = index(local.stateful_resources.*.resource_name, "ttk-redis")
+ reporting_events_mongodb_resource_index = index(local.stateful_resources.*.resource_name, "reporting-events-mongodb")
+ mojaloop_wildcard_gateway = var.mojaloop_ingress_internal_lb ? "internal" : "external"
+ apiResources = yamldecode(file(var.rbac_api_resources_file))
+ jws_key_secret = "switch-jws"
+}
+
+variable "app_var_map" {
+ type = any
+}
+variable "mojaloop_enabled" {
+ description = "whether mojaloop app is enabled or not"
+ type = bool
+ default = true
+}
+
+variable "mojaloop_ingress_internal_lb" {
+ type = bool
+ description = "mojaloop_ingress_internal_lb"
+ default = true
+}
+
+variable "mojaloop_chart_repo" {
+ description = "repo for mojaloop charts"
+ type = string
+ default = "https://mojaloop.github.io/helm/repo"
+}
+
+variable "mojaloop_namespace" {
+ description = "namespace for mojaloop release"
+ type = string
+ default = "mojaloop"
+}
+
+variable "mojaloop_release_name" {
+ description = "name for mojaloop release"
+ type = string
+ default = "moja"
+}
+
+variable "mojaloop_chart_version" {
+ description = "Mojaloop version to install via Helm"
+}
+
+variable "finance_portal_chart_version" {
+ description = "finance portal chart version"
+ default = "4.2.3"
+}
+
+variable "mojaloop_sync_wave" {
+ type = string
+ description = "mojaloop_sync_wave"
+ default = "0"
+}
+
+variable "mojaloop_test_sync_wave" {
+ type = string
+ description = "mojaloop_sync_wave"
+ default = "1"
+}
+
+variable "internal_ttk_enabled" {
+ description = "whether internal ttk instance is enabled or not"
+ default = true
+}
+
+variable 
"ttk_test_currency1" { + description = "Test currency for TTK GP tests" + type = string + default = "EUR" +} + +variable "ttk_test_currency2" { + description = "Test currency2 for TTK GP tests" + type = string + default = "USD" +} + +variable "ttk_test_currency3" { + description = "Test cgs currency for TTK GP tests" + type = string + default = "CAD" +} + +variable "internal_sim_enabled" { + description = "whether internal mojaloop simulators ar enabled or not" + default = true +} + +variable "third_party_enabled" { + description = "whether third party apis are enabled or not" + type = bool + default = false +} + +variable "bulk_enabled" { + description = "whether bulk is enabled or not" + type = bool + default = false +} + +variable "ttksims_enabled" { + description = "whether ttksims are enabled or not" + type = bool + default = false +} + +variable "quoting_service_simple_routing_mode_enabled" { + description = "whether buquoting_service_simple_routing_mode_enabled is enabled or not" + type = bool + default = false +} + +variable "ttk_frontend_public_fqdn" { + type = string +} +variable "ttk_backend_public_fqdn" { + type = string +} + +variable "auth_fqdn" { + type = string +} +variable "ory_namespace" { + type = string +} + +variable "finance_portal_fqdn" { + type = string +} + +variable "bof_release_name" { + type = string +} +variable "ory_stack_enabled" { + type = bool +} +variable "oathkeeper_auth_provider_name" { + type = string +} +variable "keycloak_hubop_realm_name" { + type = string + description = "name of realm for hub operator api access" +} + +variable "vault_secret_key" { + type = string +} + +variable "role_assign_svc_secret" { + type = string +} +variable "role_assign_svc_user" { + type = string +} + +variable "rbac_api_resources_file" { + type = string +} + +variable "reporting_templates_chart_version" { + type = string + default = "1.1.7" +} + +variable "jws_key_rsa_bits" { + type = number + default = 4096 +} + +variable 
"jws_rotation_period_hours" {
+ type = number
+ default = 672
+}
+
+variable "jws_rotation_renew_before_hours" {
+ type = number
+ default = 1
+}
+
+variable "ttk_gp_testcase_labels" {
+ type = string
+ default = "p2p"
+}
diff --git a/terraform/k8s/default-config/common-vars.yaml b/terraform/k8s/default-config/common-vars.yaml
index 349f082f3..e464dfff6 100644
--- a/terraform/k8s/default-config/common-vars.yaml
+++ b/terraform/k8s/default-config/common-vars.yaml
@@ -17,6 +17,7 @@ argocd_lovely_plugin_version: 0.18.0
 mcm_enabled: true
 mojaloop_enabled: true
 pm4ml_enabled: false
+vnext_enabled: false
 prometheus_operator_version: 8.22.8
 grafana_operator_version: 3.5.11
 grafana_version: 10.2.3
From eaad864aaa591bacb1bc3777bc3ccc3daf956133 Mon Sep 17 00:00:00 2001
From: David Fry
Date: Wed, 13 Mar 2024 00:29:13 +0000
Subject: [PATCH 015/201] missed appdeploy placeholder
---
 terraform/gitops/k8s-cluster-config/app-deploy.tf | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/terraform/gitops/k8s-cluster-config/app-deploy.tf b/terraform/gitops/k8s-cluster-config/app-deploy.tf
index f56a3914d..e07370403 100644
--- a/terraform/gitops/k8s-cluster-config/app-deploy.tf
+++ b/terraform/gitops/k8s-cluster-config/app-deploy.tf
@@ -118,6 +118,11 @@ module "pm4ml" {
 portal_admin_secret_prefix = "portal-admin-secret-"
 }
+module "vnext" {
+ count = var.common_var_map.vnext_enabled ? 1 : 0
+ source = "../vnext"
+}
+
 variable "app_var_map" {
 type = any
 }
From 6e7fef63fc33f447829b6aadd8fbb7cb09ff4665 Mon Sep 17 00:00:00 2001
From: David Fry
Date: Mon, 18 Mar 2024 18:56:00 +0000
Subject: [PATCH 016/201] 2nd draft
---
 terraform/gitops/vnext/mcm.tf | 4 +-
 terraform/gitops/vnext/vault-pki-setup.tf | 4 +-
 terraform/gitops/vnext/vnext.tf | 351 ++++----------
 .../vnext-stateful-resources.json | 434 ++++++++++++++++++
 4 files changed, 523 insertions(+), 270 deletions(-)
 create mode 100644 terraform/k8s/default-config/vnext-stateful-resources.json
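Review bot: The new `module "vnext"` block passes only `count` and `source`, but the vnext module as declared in the previous patch of this series has required variables with no default — `variable "ttk_frontend_public_fqdn" { type = string }`, `auth_fqdn`, `vault_secret_key`, `role_assign_svc_secret`, `rbac_api_resources_file` — so `terraform plan` should fail with missing-argument errors as soon as `common_var_map.vnext_enabled` is set to true. If this is meant to stay a placeholder for now, say so in the file so nobody flips the flag expecting a working deployment, e.g. `# TODO(vnext): placeholder — required module inputs (public FQDNs, ory/vault secret names, rbac resources file) are not wired yet; enabling vnext_enabled will fail plan`. Otherwise forward the same inputs the `pm4ml` module above receives (its argument list is outside the hunk), since those carry the secret-name and namespace values the vnext module reads. Gating `count` on the common var is fine; note the module-level `vnext_enabled` default is not consulted by this block.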
diff --git a/terraform/gitops/vnext/mcm.tf b/terraform/gitops/vnext/mcm.tf index a548a84c9..25006b35e 100644 --- a/terraform/gitops/vnext/mcm.tf +++ b/terraform/gitops/vnext/mcm.tf @@ -74,8 +74,8 @@ module "generate_mcm_files" { external_load_balancer_dns = var.external_load_balancer_dns istio_internal_gateway_name = var.istio_internal_gateway_name int_interop_switch_fqdn = var.internal_interop_switch_fqdn - mojaloop_namespace = var.mojaloop_namespace - mojaloop_release_name = var.mojaloop_release_name + mojaloop_namespace = var.vnext_namespace + mojaloop_release_name = var.vnext_release_name onboarding_collection_tag = var.app_var_map.onboarding_collection_tag ory_stack_enabled = var.ory_stack_enabled oathkeeper_auth_provider_name = var.oathkeeper_auth_provider_name diff --git a/terraform/gitops/vnext/vault-pki-setup.tf b/terraform/gitops/vnext/vault-pki-setup.tf index cc79f4825..6bfc8c0da 100644 --- a/terraform/gitops/vnext/vault-pki-setup.tf +++ b/terraform/gitops/vnext/vault-pki-setup.tf @@ -25,8 +25,8 @@ module "generate_vault_pki_setup_files" { } locals { - vault_pki_template_path = "${path.module}/../generate-files/templates/vault-pki-setup" - vault_pki_app_file = "vault-pki-app.yaml" + vault_pki_template_path = "${path.module}/../generate-files/templates/vault-pki-setup" + vault_pki_app_file = "vault-pki-app.yaml" } diff --git a/terraform/gitops/vnext/vnext.tf b/terraform/gitops/vnext/vnext.tf index 51ca19ec5..70738ffc7 100644 --- a/terraform/gitops/vnext/vnext.tf +++ b/terraform/gitops/vnext/vnext.tf 
@@ -1,235 +1,117 @@ module "generate_vnext_files" { source = "../generate-files" var_map = { - vnext_enabled = var.vnext_enabled - gitlab_project_url = var.gitlab_project_url - vnext_chart_repo = var.mojaloop_chart_repo - mojaloop_chart_version = try(var.app_var_map.mojaloop_chart_version, var.mojaloop_chart_version) - mojaloop_release_name = var.mojaloop_release_name - mojaloop_namespace = var.mojaloop_namespace - storage_class_name = var.storage_class_name - mojaloop_sync_wave = var.mojaloop_sync_wave - mojaloop_test_sync_wave = var.mojaloop_test_sync_wave - internal_ttk_enabled = var.internal_ttk_enabled - istio_create_ingress_gateways = var.istio_create_ingress_gateways - istio_external_gateway_name = var.istio_external_gateway_name - external_load_balancer_dns = var.external_load_balancer_dns - istio_internal_wildcard_gateway_name = var.istio_internal_wildcard_gateway_name - istio_internal_gateway_namespace = var.istio_internal_gateway_namespace - istio_external_wildcard_gateway_name = var.istio_external_wildcard_gateway_name - istio_external_gateway_namespace = var.istio_external_gateway_namespace - mojaloop_wildcard_gateway = local.mojaloop_wildcard_gateway - keycloak_fqdn = var.keycloak_fqdn - keycloak_realm_name = var.keycloak_hubop_realm_name - ttk_frontend_public_fqdn = var.ttk_frontend_public_fqdn - ttk_backend_public_fqdn = var.ttk_backend_public_fqdn - kafka_host = "${local.stateful_resources[local.mojaloop_kafka_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local" - kafka_port = local.stateful_resources[local.mojaloop_kafka_resource_index].logical_service_config.logical_service_port - account_lookup_db_existing_secret = local.stateful_resources[local.ml_als_resource_index].logical_service_config.user_password_secret - account_lookup_db_user = local.stateful_resources[local.ml_als_resource_index].logical_service_config.username - account_lookup_db_host = 
"${local.stateful_resources[local.ml_als_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local" - account_lookup_db_port = local.stateful_resources[local.ml_als_resource_index].logical_service_config.logical_service_port - account_lookup_db_database = local.stateful_resources[local.ml_als_resource_index].logical_service_config.database_name - central_ledger_db_existing_secret = local.stateful_resources[local.ml_cl_resource_index].logical_service_config.user_password_secret - central_ledger_db_user = local.stateful_resources[local.ml_cl_resource_index].logical_service_config.username - central_ledger_db_host = "${local.stateful_resources[local.ml_cl_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local" - central_ledger_db_port = local.stateful_resources[local.ml_cl_resource_index].logical_service_config.logical_service_port - central_ledger_db_database = local.stateful_resources[local.ml_cl_resource_index].logical_service_config.database_name - central_settlement_db_existing_secret = local.stateful_resources[local.ml_cl_resource_index].logical_service_config.user_password_secret - central_settlement_db_user = local.stateful_resources[local.ml_cl_resource_index].logical_service_config.username - central_settlement_db_host = "${local.stateful_resources[local.ml_cl_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local" - central_settlement_db_port = local.stateful_resources[local.ml_cl_resource_index].logical_service_config.logical_service_port - central_settlement_db_database = local.stateful_resources[local.ml_cl_resource_index].logical_service_config.database_name - quoting_db_existing_secret = local.stateful_resources[local.ml_cl_resource_index].logical_service_config.user_password_secret - quoting_db_user = 
local.stateful_resources[local.ml_cl_resource_index].logical_service_config.username - quoting_db_host = "${local.stateful_resources[local.ml_cl_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local" - quoting_db_port = local.stateful_resources[local.ml_cl_resource_index].logical_service_config.logical_service_port - quoting_db_database = local.stateful_resources[local.ml_cl_resource_index].logical_service_config.database_name - cep_mongodb_database = local.stateful_resources[local.cep_mongodb_resource_index].logical_service_config.database_name - cep_mongodb_user = local.stateful_resources[local.cep_mongodb_resource_index].logical_service_config.username - cep_mongodb_host = "${local.stateful_resources[local.cep_mongodb_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local" - cep_mongodb_existing_secret = local.stateful_resources[local.cep_mongodb_resource_index].logical_service_config.user_password_secret - cep_mongodb_port = local.stateful_resources[local.cep_mongodb_resource_index].logical_service_config.logical_service_port - cl_mongodb_database = local.stateful_resources[local.bulk_mongodb_resource_index].logical_service_config.database_name - cl_mongodb_user = local.stateful_resources[local.bulk_mongodb_resource_index].logical_service_config.username - cl_mongodb_host = "${local.stateful_resources[local.bulk_mongodb_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local" - cl_mongodb_existing_secret = local.stateful_resources[local.bulk_mongodb_resource_index].logical_service_config.user_password_secret - cl_mongodb_port = local.stateful_resources[local.bulk_mongodb_resource_index].logical_service_config.logical_service_port - ttk_mongodb_database = local.stateful_resources[local.ttk_mongodb_resource_index].logical_service_config.database_name - ttk_mongodb_user = 
local.stateful_resources[local.ttk_mongodb_resource_index].logical_service_config.username - ttk_mongodb_host = "${local.stateful_resources[local.ttk_mongodb_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local" - ttk_mongodb_existing_secret = local.stateful_resources[local.ttk_mongodb_resource_index].logical_service_config.user_password_secret - ttk_mongodb_port = local.stateful_resources[local.ttk_mongodb_resource_index].logical_service_config.logical_service_port - third_party_consent_db_existing_secret = local.stateful_resources[local.third_party_consent_oracle_db_resource_index].logical_service_config.user_password_secret - third_party_consent_db_user = local.stateful_resources[local.third_party_consent_oracle_db_resource_index].logical_service_config.username - third_party_consent_db_host = "${local.stateful_resources[local.third_party_consent_oracle_db_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local" - third_party_consent_db_port = local.stateful_resources[local.third_party_consent_oracle_db_resource_index].logical_service_config.logical_service_port - third_party_consent_db_database = local.stateful_resources[local.third_party_consent_oracle_db_resource_index].logical_service_config.database_name - third_party_auth_db_existing_secret = local.stateful_resources[local.third_party_auth_db_resource_index].logical_service_config.user_password_secret - third_party_auth_db_user = local.stateful_resources[local.third_party_auth_db_resource_index].logical_service_config.username - third_party_auth_db_host = "${local.stateful_resources[local.third_party_auth_db_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local" - third_party_auth_db_port = local.stateful_resources[local.third_party_auth_db_resource_index].logical_service_config.logical_service_port - 
third_party_auth_db_database = local.stateful_resources[local.third_party_auth_db_resource_index].logical_service_config.database_name - third_party_auth_redis_host = "${local.stateful_resources[local.third_party_redis_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local" - third_party_auth_redis_port = local.stateful_resources[local.third_party_redis_resource_index].logical_service_config.logical_service_port - ttksims_redis_host = "${local.stateful_resources[local.ttk_redis_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local" - ttksims_redis_port = local.stateful_resources[local.ttk_redis_resource_index].logical_service_config.logical_service_port - account_lookup_service_replica_count = try(var.app_var_map.account_lookup_service_replica_count, 1) - account_lookup_service_admin_replica_count = try(var.app_var_map.account_lookup_service_admin_replica_count, 1) - quoting_service_replica_count = try(var.app_var_map.quoting_service_replica_count, 1) - quoting_service_handler_replica_count = try(var.app_var_map.quoting_service_handler_replica_count, 1) - ml_api_adapter_service_replica_count = try(var.app_var_map.ml_api_adapter_service_replica_count, 1) - ml_api_adapter_handler_notifications_replica_count = try(var.app_var_map.ml_api_adapter_handler_notifications_replica_count, 1) - central_ledger_service_replica_count = try(var.app_var_map.central_ledger_service_replica_count, 1) - central_ledger_handler_transfer_prepare_replica_count = try(var.app_var_map.central_ledger_handler_transfer_prepare_replica_count, 1) - central_ledger_handler_transfer_position_replica_count = try(var.app_var_map.central_ledger_handler_transfer_position_replica_count, 1) - central_ledger_handler_transfer_position_batch_replica_count = try(var.app_var_map.central_ledger_handler_transfer_position_batch_replica_count, 1) - 
central_ledger_handler_transfer_get_replica_count = try(var.app_var_map.central_ledger_handler_transfer_get_replica_count, 1) - central_ledger_handler_transfer_fulfil_replica_count = try(var.app_var_map.central_ledger_handler_transfer_fulfil_replica_count, 1) - central_ledger_handler_admin_transfer_replica_count = try(var.app_var_map.central_ledger_handler_admin_transfer_replica_count, 1) - central_settlement_service_replica_count = try(var.app_var_map.central_settlement_service_replica_count, 1) - central_settlement_handler_deferredsettlement_replica_count = try(var.app_var_map.central_settlement_handler_deferredsettlement_replica_count, 1) - central_settlement_handler_grosssettlement_replica_count = try(var.app_var_map.central_settlement_handler_grosssettlement_replica_count, 1) - central_settlement_handler_rules_replica_count = try(var.app_var_map.central_settlement_handler_rules_replica_count, 1) - trasaction_requests_service_replica_count = try(var.app_var_map.trasaction_requests_service_replica_count, 1) - auth_service_replica_count = try(var.app_var_map.auth_service_replica_count, 1) - consent_oracle_replica_count = try(var.app_var_map.consent_oracle_replica_count, 1) - tp_api_svc_replica_count = try(var.app_var_map.tp_api_svc_replica_count, 1) - bulk_api-adapter_service_replica_count = try(var.app_var_map.adapter_service_replica_count, 1) - bulk_api_adapter_handler_notification_replica_count = try(var.app_var_map.bulk_api_adapter_handler_notification_replica_count, 1) - cl_handler_bulk_transfer_prepare_replica_count = try(var.app_var_map.cl_handler_bulk_transfer_prepare_replica_count, 1) - cl_handler_bulk_transfer_fulfil_replica_count = try(var.app_var_map.cl_handler_bulk_transfer_fulfil_replica_count, 1) - cl_handler_bulk_transfer_processing_replica_count = try(var.app_var_map.cl_handler_bulk_transfer_processing_replica_count, 1) - cl_handler_bulk_transfer_get_replica_count = try(var.app_var_map.cl_handler_bulk_transfer_get_replica_count, 1) - 
enable_istio_injection = try(var.app_var_map.enable_istio_injection, false) - mojaloop_tolerations = try(yamlencode(var.app_var_map.mojaloop_tolerations), []) ## TODO: need to pass this variable - account_lookup_service_affinity = yamlencode(var.app_var_map.workload_definitions.account_lookup_service.affinity_definition) - account_lookup_admin_service_affinity = try(yamlencode(var.app_var_map.workload_definitions.account_lookup_service.affinity_definition), null) - quoting_service_affinity = try(yamlencode(var.app_var_map.workload_definitions.quoting_service.affinity_definition), null) - ml_api_adapter_service_affinity = try(yamlencode(var.app_var_map.workload_definitions.core_api_adapters.affinity_definition), null) - ml_api_adapter_handler_notifications_affinity = try(yamlencode(var.app_var_map.workload_definitions.core_api_adapters.affinity_definition), null) - centralledger_service_affinity = try(yamlencode(var.app_var_map.workload_definitions.central_ledger_service.affinity_definition), null) - central_ledger_handler_transfer_prepare_affinity = try(yamlencode(var.app_var_map.workload_definitions.central_ledger_service.affinity_definition), null) - central_ledger_handler_transfer_position_affinity = try(yamlencode(var.app_var_map.workload_definitions.central_ledger_service.affinity_definition), null) - central_ledger_handler_transfer_position_batch_affinity = try(yamlencode(var.app_var_map.workload_definitions.central_ledger_service.affinity_definition), null) - central_ledger_handler_transfer_get_affinity = try(yamlencode(var.app_var_map.workload_definitions.central_ledger_service.affinity_definition), null) - central_ledger_handler_transfer_fulfil_affinity = try(yamlencode(var.app_var_map.workload_definitions.central_ledger_service.affinity_definition), null) - central_ledger_handler_admin_transfer_affinity = try(yamlencode(var.app_var_map.workload_definitions.central_ledger_service.affinity_definition), null) - central_settlement_service_affinity = 
try(yamlencode(var.app_var_map.workload_definitions.central_settlement.affinity_definition), null) - central_settlement_handler_deferredsettlement_affinity = try(yamlencode(var.app_var_map.workload_definitions.central_settlement.affinity_definition), null) - central_settlement_handler_grosssettlement_affinity = try(yamlencode(var.app_var_map.workload_definitions.central_settlement.affinity_definition), null) - central_settlement_handler_rules_affinity = try(yamlencode(var.app_var_map.workload_definitions.central_settlement.affinity_definition), null) - trasaction_requests_service_affinity = try(yamlencode(var.app_var_map.workload_definitions.core_api_adapters.affinity_definition), null) - central_ledger_monitoring_prefix = try(var.app_var_map.central_ledger_monitoring_prefix, "moja_cl_") - quoting_service_monitoring_prefix = try(var.app_var_map.quoting_service_monitoring_prefix, "moja_qs_") - ml_api_adapter_monitoring_prefix = try(var.app_var_map.ml_api_adapter_monitoring_prefix, "moja_ml_") - account_lookup_service_monitoring_prefix = try(var.app_var_map.account_lookup_service_monitoring_prefix, "moja_als_") - grafana_dashboard_tag = try(var.app_var_map.grafana_dashboard_tag, var.mojaloop_chart_version) - bof_release_name = var.bof_release_name - ory_namespace = var.ory_namespace - bof_role_perm_operator_host = "${var.bof_release_name}-security-role-perm-operator-svc.${var.ory_namespace}.svc.cluster.local" - auth_fqdn = var.auth_fqdn - central_admin_host = "${var.mojaloop_release_name}-centralledger-service" - central_settlements_host = "${var.mojaloop_release_name}-centralsettlement-service" - account_lookup_service_host = "${var.mojaloop_release_name}-account-lookup-service" - reporting_db_secret_name = local.stateful_resources[local.ml_cl_resource_index].logical_service_config.user_password_secret - reporting_db_user = local.stateful_resources[local.ml_cl_resource_index].logical_service_config.username - reporting_db_host = 
"${local.stateful_resources[local.ml_cl_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local" - reporting_db_port = local.stateful_resources[local.ml_cl_resource_index].logical_service_config.logical_service_port - reporting_db_database = local.stateful_resources[local.ml_cl_resource_index].logical_service_config.database_name - reporting_db_secret_key = "mysql-password" - reporting_events_mongodb_database = local.stateful_resources[local.reporting_events_mongodb_resource_index].logical_service_config.database_name - reporting_events_mongodb_user = local.stateful_resources[local.reporting_events_mongodb_resource_index].logical_service_config.username - reporting_events_mongodb_host = "${local.stateful_resources[local.reporting_events_mongodb_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local" - reporting_events_mongodb_existing_secret = local.stateful_resources[local.reporting_events_mongodb_resource_index].logical_service_config.user_password_secret - reporting_events_mongodb_port = local.stateful_resources[local.reporting_events_mongodb_resource_index].logical_service_config.logical_service_port - keto_read_url = "http://keto-read.${var.ory_namespace}.svc.cluster.local:80" - keto_write_url = "http://keto-write.${var.ory_namespace}.svc.cluster.local:80" - kratos_service_name = "kratos-public.${var.ory_namespace}.svc.cluster.local" - portal_fqdn = var.finance_portal_fqdn - finance_portal_release_name = "fin-portal" - finance_portal_chart_version = try(var.app_var_map.finance_portal_chart_version, var.finance_portal_chart_version) - ory_stack_enabled = var.ory_stack_enabled - oathkeeper_auth_provider_name = var.oathkeeper_auth_provider_name - vault_secret_key = var.vault_secret_key - role_assign_svc_secret = var.role_assign_svc_secret - role_assign_svc_user = var.role_assign_svc_user - keycloak_dfsp_realm_name = var.keycloak_dfsp_realm_name - 
apiResources = local.apiResources - reporting_templates_chart_version = try(var.app_var_map.reporting_templates_chart_version, var.reporting_templates_chart_version) - switch_dfspid = var.switch_dfspid - jws_key_secret = local.jws_key_secret - jws_key_secret_private_key_key = "tls.key" - jws_key_secret_public_key_key = "tls.crt" - cert_man_vault_cluster_issuer_name = var.cert_man_vault_cluster_issuer_name - jws_key_rsa_bits = try(var.app_var_map.jws_key_rsa_bits, var.jws_key_rsa_bits) - jws_rotation_renew_before_hours = try(var.app_var_map.jws_rotation_renew_before_hours, var.jws_rotation_renew_before_hours) - jws_rotation_period_hours = try(var.app_var_map.jws_rotation_period_hours, var.jws_rotation_period_hours) - mcm_hub_jws_endpoint = "http://mcm-connection-manager-api.${var.mcm_namespace}.svc.cluster.local:3001/api/hub/jwscerts" - ttk_gp_testcase_labels = try(var.app_var_map.ttk_gp_testcase_labels, var.ttk_gp_testcase_labels) + vnext_enabled = var.vnext_enabled + gitlab_project_url = var.gitlab_project_url + vnext_chart_repo = var.vnext_chart_repo + vnext_chart_version = try(var.app_var_map.vnext_chart_version, var.vnext_chart_version) + vnext_release_name = var.vnext_release_name + vnext_namespace = var.vnext_namespace + storage_class_name = var.storage_class_name + vnext_sync_wave = var.vnext_sync_wave + istio_create_ingress_gateways = var.istio_create_ingress_gateways + istio_external_gateway_name = var.istio_external_gateway_name + external_load_balancer_dns = var.external_load_balancer_dns + istio_internal_wildcard_gateway_name = var.istio_internal_wildcard_gateway_name + istio_internal_gateway_namespace = var.istio_internal_gateway_namespace + istio_external_wildcard_gateway_name = var.istio_external_wildcard_gateway_name + istio_external_gateway_namespace = var.istio_external_gateway_namespace + vnext_wildcard_gateway = local.vnext_wildcard_gateway + keycloak_fqdn = var.keycloak_fqdn + keycloak_realm_name = var.keycloak_hubop_realm_name + 
ttk_frontend_public_fqdn = var.ttk_frontend_public_fqdn + ttk_backend_public_fqdn = var.ttk_backend_public_fqdn + kafka_host = "${local.stateful_resources[local.vnext_kafka_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local" + kafka_port = local.stateful_resources[local.vnext_kafka_resource_index].logical_service_config.logical_service_port + vnext_redis_host = "${local.stateful_resources[local.vnext_redis_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local" + vnext_redis_port = local.stateful_resources[local.vnext_redis_resource_index].logical_service_config.logical_service_port + enable_istio_injection = try(var.app_var_map.enable_istio_injection, false) + bof_release_name = var.bof_release_name + ory_namespace = var.ory_namespace + bof_role_perm_operator_host = "${var.bof_release_name}-security-role-perm-operator-svc.${var.ory_namespace}.svc.cluster.local" + auth_fqdn = var.auth_fqdn + vnext_mongodb_database = local.stateful_resources[local.vnext_mongodb_resource_index].logical_service_config.database_name + vnext_mongodb_user = local.stateful_resources[local.vnext_mongodb_resource_index].logical_service_config.username + vnext_mongodb_host = "${local.stateful_resources[local.vnext_mongodb_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local" + vnext_mongodb_existing_secret = local.stateful_resources[local.vnext_mongodb_resource_index].logical_service_config.user_password_secret + vnext_mongodb_port = local.stateful_resources[local.vnext_mongodb_resource_index].logical_service_config.logical_service_port + keto_read_url = "http://keto-read.${var.ory_namespace}.svc.cluster.local:80" + keto_write_url = "http://keto-write.${var.ory_namespace}.svc.cluster.local:80" + kratos_service_name = "kratos-public.${var.ory_namespace}.svc.cluster.local" + portal_fqdn = 
var.finance_portal_fqdn + finance_portal_release_name = "fin-portal" + finance_portal_chart_version = try(var.app_var_map.finance_portal_chart_version, var.finance_portal_chart_version) + ory_stack_enabled = var.ory_stack_enabled + oathkeeper_auth_provider_name = var.oathkeeper_auth_provider_name + vault_secret_key = var.vault_secret_key + role_assign_svc_secret = var.role_assign_svc_secret + role_assign_svc_user = var.role_assign_svc_user + keycloak_dfsp_realm_name = var.keycloak_dfsp_realm_name + apiResources = local.apiResources + switch_dfspid = var.switch_dfspid + jws_key_secret = local.jws_key_secret + jws_key_secret_private_key_key = "tls.key" + jws_key_secret_public_key_key = "tls.crt" + cert_man_vault_cluster_issuer_name = var.cert_man_vault_cluster_issuer_name + jws_key_rsa_bits = try(var.app_var_map.jws_key_rsa_bits, var.jws_key_rsa_bits) + jws_rotation_renew_before_hours = try(var.app_var_map.jws_rotation_renew_before_hours, var.jws_rotation_renew_before_hours) + jws_rotation_period_hours = try(var.app_var_map.jws_rotation_period_hours, var.jws_rotation_period_hours) + mcm_hub_jws_endpoint = "http://mcm-connection-manager-api.${var.mcm_namespace}.svc.cluster.local:3001/api/hub/jwscerts" } - file_list = [for f in fileset(local.mojaloop_template_path, "**/*.tpl") : trimsuffix(f, ".tpl") if !can(regex(local.mojaloop_app_file, f))] - template_path = local.mojaloop_template_path - output_path = "${var.output_dir}/mojaloop" - app_file = local.mojaloop_app_file + file_list = [for f in fileset(local.vnext_template_path, "**/*.tpl") : trimsuffix(f, ".tpl") if !can(regex(local.vnext_app_file, f))] + template_path = local.vnext_template_path + output_path = "${var.output_dir}/vnext" + app_file = local.vnext_app_file app_output_path = "${var.output_dir}/app-yamls" } locals { - mojaloop_template_path = "${path.module}/../generate-files/templates/mojaloop" - mojaloop_app_file = "mojaloop-app.yaml" - ml_als_resource_index = 
index(local.stateful_resources.*.resource_name, "account-lookup-db") - ml_cl_resource_index = index(local.stateful_resources.*.resource_name, "central-ledger-db") - bulk_mongodb_resource_index = index(local.stateful_resources.*.resource_name, "bulk-mongodb") - ttk_mongodb_resource_index = index(local.stateful_resources.*.resource_name, "ttk-mongodb") - cep_mongodb_resource_index = index(local.stateful_resources.*.resource_name, "cep-mongodb") - mojaloop_kafka_resource_index = index(local.stateful_resources.*.resource_name, "mojaloop-kafka") - third_party_redis_resource_index = index(local.stateful_resources.*.resource_name, "thirdparty-auth-svc-redis") - third_party_auth_db_resource_index = index(local.stateful_resources.*.resource_name, "thirdparty-auth-svc-db") - third_party_consent_oracle_db_resource_index = index(local.stateful_resources.*.resource_name, "mysql-consent-oracle-db") - ttk_redis_resource_index = index(local.stateful_resources.*.resource_name, "ttk-redis") - reporting_events_mongodb_resource_index = index(local.stateful_resources.*.resource_name, "reporting-events-mongodb") - mojaloop_wildcard_gateway = var.mojaloop_ingress_internal_lb ? "internal" : "external" - apiResources = yamldecode(file(var.rbac_api_resources_file)) - jws_key_secret = "switch-jws" + vnext_template_path = "${path.module}/../generate-files/templates/vnext" + vnext_app_file = "vnext-app.yaml" + vnext_kafka_resource_index = index(local.stateful_resources.*.resource_name, "vnext-kafka") + vnext_redis_resource_index = index(local.stateful_resources.*.resource_name, "vnext-redis") + vnext_mongodb_resource_index = index(local.stateful_resources.*.resource_name, "vnext-mongodb") + vnext_wildcard_gateway = var.vnext_ingress_internal_lb ? 
"internal" : "external" + apiResources = yamldecode(file(var.rbac_api_resources_file)) + jws_key_secret = "switch-jws" } variable "app_var_map" { type = any } -variable "mojaloop_enabled" { - description = "whether mojaloop app is enabled or not" +variable "vnext_enabled" { + description = "whether vnext app is enabled or not" type = bool default = true } -variable "mojaloop_ingress_internal_lb" { +variable "vnext_ingress_internal_lb" { type = bool - description = "mojaloop_ingress_internal_lb" + description = "vnext_ingress_internal_lb" default = true } -variable "mojaloop_chart_repo" { - description = "repo for mojaloop charts" +variable "vnext_chart_repo" { + description = "repo for vnext charts" type = string - default = "https://mojaloop.github.io/helm/repo" + default = "https://thitsax.github.io/vnext-charts/" } -variable "mojaloop_namespace" { - description = "namespace for mojaloop release" +variable "vnext_namespace" { + description = "namespace for vnext release" type = string - default = "mojaloop" + default = "vnext" } -variable "mojaloop_release_name" { - description = "name for mojaloop release" +variable "vnext_release_name" { + description = "name for vnext release" type = string - default = "moja" + default = "vnext" } -variable "mojaloop_chart_version" { - description = "Mojaloop version to install via Helm" +variable "vnext_chart_version" { + description = "vnext version to install via Helm" } variable "finance_portal_chart_version" { 
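Review bot: `variable "vnext_chart_repo"` now defaults to `https://thitsax.github.io/vnext-charts/`, which from the hostname looks like a personal GitHub Pages site rather than a mojaloop-organisation repo, so the default chart source for the ledger sits outside the project's control and whoever can push to that repo controls what gets deployed. I would not ship that as a default: drop the `default` line so each environment sets the repo explicitly, or point it at an organisation-controlled, reviewed chart repo, and document the expectation, e.g. `description = "repo for vnext charts — must be an organisation-controlled chart source; set explicitly per environment"`. `vnext_chart_version` correctly has no default so the chart stays pinned; keep it that way and verify chart provenance before deploy if the repo remains third-party. Separately, `variable "vnext_enabled"` defaults to `true` here while `common-vars.yaml` in this series sets `vnext_enabled: false` and `app-deploy.tf` gates the module on the common var, so the module default is unused and misleading — `default = false` would match the rest of the series.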
@@ -237,70 +119,12 @@ variable "finance_portal_chart_version" { default = "4.2.3" } -variable "mojaloop_sync_wave" { +variable "vnext_sync_wave" { type = string - description = "mojaloop_sync_wave" + description = "vnext_sync_wave" default = "0" } -variable "mojaloop_test_sync_wave" { - type = string - description = "mojaloop_sync_wave" - default = "1" -} - -variable "internal_ttk_enabled" { - description = "whether internal ttk instance is enabled or not" - default = true -} - -variable "ttk_test_currency1" { - description = "Test currency for TTK GP tests" - type = string - default = "EUR" -} - -variable "ttk_test_currency2" { - description = "Test currency2 for TTK GP tests" - type = string - default = "USD" -} - -variable "ttk_test_currency3" { - description = "Test cgs currency for TTK GP tests" - type = string - default = "CAD" -} - -variable "internal_sim_enabled" { - description = "whether internal mojaloop simulators ar enabled or not" - default = true -} - -variable "third_party_enabled" { - description = "whether third party apis are enabled or not" - type = bool - default = false -} - -variable "bulk_enabled" { - description = "whether bulk is enabled or not" - type = bool - default = false -} - -variable "ttksims_enabled" { - description = "whether ttksims are enabled or not" - type = bool - default = false -} - -variable "quoting_service_simple_routing_mode_enabled" { - description = "whether buquoting_service_simple_routing_mode_enabled is enabled or not" - type = bool - default = false -} - variable "ttk_frontend_public_fqdn" { type = string } @@ -348,11 +172,6 @@ variable "rbac_api_resources_file" { type = string } -variable "reporting_templates_chart_version" { - type = string - default = "1.1.7" -} - variable "jws_key_rsa_bits" { type = number default = 4096 diff --git a/terraform/k8s/default-config/vnext-stateful-resources.json b/terraform/k8s/default-config/vnext-stateful-resources.json new file mode 100644 index 000000000..a137265b5 
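Review bot: The `@@ -237,70 +119,12 @@` hunk deletes `variable "bulk_enabled"` (along with `third_party_enabled`, the TTK toggles and `quoting_service_simple_routing_mode_enabled`), yet the vnext istio-config template shown later on this page still evaluates `%{ if bulk_enabled ~}` in its context lines. Unless the templatefile() vars map still supplies that name from another source, rendering the template will fail with an unknown-variable error once this module is used. Either keep `variable "bulk_enabled"` with `default = false` until the template stops referencing it, or drop the conditional from the template in the same change.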
--- /dev/null +++ b/terraform/k8s/default-config/vnext-stateful-resources.json 
@@ -0,0 +1,434 @@ +[ + { + "enabled": true, + "resource_name": "mcm-db", + "resource_type": "mysql", + "external_service": false, + "logical_service_config": { + "logical_service_port": 3306, + "logical_service_name": "mcm-db-svc", + "username": "devdat1asql1", + "user_password_secret": "mcm-db-secret", + "user_password_secret_key": "mysql-password", + "secret_extra_namespaces": [ + "mcm" + ], + "database_name": "mcm" + }, + "local_resource_config": { + "resource_namespace": "mcm-db", + "override_service_name": "mysql-mcm-db", + "resource_helm_repo": "https://raw.githubusercontent.com/bitnami/charts/archive-full-index/bitnami", + "resource_helm_chart": "mysql", + "resource_helm_chart_version": "9.7.0", + "resource_helm_values_ref": "values-mysql.yaml.tpl", + "generate_secret_name": "mcm-db-secret", + "generate_secret_keys": [ + "mysql-password", + "mysql-root-password", + "mysql-replication-password" + ], + "generate_secret_vault_base_path": "/secret/generated", + "generate_secret_extra_namespaces": [ + "mcm" + ], + "mysql_data": { + "is_legacy": false, + "existing_secret": "mcm-db-secret", + "root_password": "", + "user": "devdat1asql1", + "user_password": "", + "database_name": "mcm", + "storage_size": "8Gi", + "storage_class_name": "longhorn", + "architecture": "standalone", + "replica_count": 0, + "service_port": 3306, + "affinity_definition": null + } + }, + "external_resource_config": {} + }, + { + "enabled": true, + "resource_name": "vnext-mongodb", + "resource_type": "mongodb", + "external_service": false, + "logical_service_config": { + "logical_service_port": 27017, + "logical_service_name": "mongodb-vnext-mongodb", + "username": "mojaloop", + "user_password_secret": "mongodb-vnext-secret", + "user_password_secret_key": "mongodb-passwords", + "secret_extra_namespaces": [ + "mojaloop" + ], + "database_name": "mojaloop" + }, + "local_resource_config": { + "resource_namespace": "mojaloop", + "override_service_name": "mongodb-vnext-mongodb", + 
"resource_helm_repo": "https://raw.githubusercontent.com/bitnami/charts/archive-full-index/bitnami", + "resource_helm_chart": "mongodb", + "resource_helm_chart_version": "13.3.1", + "resource_helm_values_ref": "values-mongodb.yaml.tpl", + "generate_secret_name": "mongodb-vnext-secret", + "generate_secret_keys": [ + "mongodb-passwords", + "mongodb-root-password" + ], + "generate_secret_vault_base_path": "/secret/generated", + "generate_secret_extra_namespaces": [], + "generate_secret_special_chars": "_", + "mongodb_data": { + "existing_secret": "mongodb-vnext-secret", + "root_password": "", + "user": "mojaloop", + "user_password": "", + "database_name": "mojaloop", + "storage_size": "8Gi", + "storage_class_name": "longhorn", + "service_port": 27017 + } + }, + "external_resource_config": {} + }, + { + "enabled": true, + "resource_name": "vnext-kafka", + "resource_type": "kafka", + "external_service": false, + "logical_service_config": { + "logical_service_port": 9092, + "logical_service_name": "vnext-kafka-svc", + "database_name": null, + "secret_extra_namespaces": [] + }, + "local_resource_config": { + "resource_namespace": "vnext", + "override_service_name": null, + "resource_helm_repo": "https://raw.githubusercontent.com/bitnami/charts/archive-full-index/bitnami", + "resource_helm_chart": "kafka", + "resource_helm_chart_version": "26.5.0", + "resource_helm_values_ref": "values-kafka.yaml.tpl", + "generate_secret_name": null, + "generate_secret_keys": [], + "generate_secret_vault_base_path": null, + "generate_secret_extra_namespaces": [], + "kafka_provisioning": { + "enabled": true, + "topics": [ + { + "name": "topic-event", + "partitions": 12, + "replicationFactor": 3, + "config": { + "cleanup.policy": "delete", + "retention.ms": "-1", + "segment.bytes": "52428800", + "retention.bytes": "262144000" + } + }, + { + "name": "topic-transfer-prepare", + "partitions": 12, + "replicationFactor": 3, + "config": { + "cleanup.policy": "delete", + "retention.ms": "-1", + 
"segment.bytes": "52428800", + "retention.bytes": "262144000" + } + }, + { + "name": "topic-transfer-position", + "partitions": 12, + "replicationFactor": 3, + "config": { + "cleanup.policy": "delete", + "retention.ms": "-1", + "segment.bytes": "52428800", + "retention.bytes": "262144000" + } + }, + { + "name": "topic-transfer-position-batch", + "partitions": 12, + "replicationFactor": 3, + "config": { + "cleanup.policy": "delete", + "retention.ms": "-1", + "segment.bytes": "52428800", + "retention.bytes": "262144000" + } + }, + { + "name": "topic-transfer-fulfil", + "partitions": 12, + "replicationFactor": 3, + "config": { + "cleanup.policy": "delete", + "retention.ms": "-1", + "segment.bytes": "52428800", + "retention.bytes": "262144000" + } + }, + { + "name": "topic-notification-event", + "partitions": 12, + "replicationFactor": 3, + "config": { + "cleanup.policy": "delete", + "retention.ms": "-1", + "segment.bytes": "52428800", + "retention.bytes": "262144000" + } + }, + { + "name": "topic-transfer-get", + "partitions": 12, + "replicationFactor": 3, + "config": { + "cleanup.policy": "delete", + "retention.ms": "-1", + "segment.bytes": "52428800", + "retention.bytes": "262144000" + } + }, + { + "name": "topic-admin-transfer", + "partitions": 12, + "replicationFactor": 3, + "config": { + "cleanup.policy": "delete", + "retention.ms": "-1", + "segment.bytes": "52428800", + "retention.bytes": "262144000" + } + }, + { + "name": "topic-bulk-prepare", + "partitions": 12, + "replicationFactor": 3, + "config": { + "cleanup.policy": "delete", + "retention.ms": "-1", + "segment.bytes": "52428800", + "retention.bytes": "262144000" + } + }, + { + "name": "topic-bulk-fulfil", + "partitions": 12, + "replicationFactor": 3, + "config": { + "cleanup.policy": "delete", + "retention.ms": "-1", + "segment.bytes": "52428800", + "retention.bytes": "262144000" + } + }, + { + "name": "topic-bulk-processing", + "partitions": 12, + "replicationFactor": 3, + "config": { + "cleanup.policy": 
"delete", + "retention.ms": "-1", + "segment.bytes": "52428800", + "retention.bytes": "262144000" + } + }, + { + "name": "topic-bulk-get", + "partitions": 12, + "replicationFactor": 3, + "config": { + "cleanup.policy": "delete", + "retention.ms": "-1", + "segment.bytes": "52428800", + "retention.bytes": "262144000" + } + }, + { + "name": "topic-quotes-post", + "partitions": 12, + "replicationFactor": 3, + "config": { + "cleanup.policy": "delete", + "retention.ms": "-1", + "segment.bytes": "52428800", + "retention.bytes": "262144000" + } + }, + { + "name": "topic-quotes-put", + "partitions": 12, + "replicationFactor": 3, + "config": { + "cleanup.policy": "delete", + "retention.ms": "-1", + "segment.bytes": "52428800", + "retention.bytes": "262144000" + } + }, + { + "name": "topic-quotes-get", + "partitions": 12, + "replicationFactor": 3, + "config": { + "cleanup.policy": "delete", + "retention.ms": "-1", + "segment.bytes": "52428800", + "retention.bytes": "262144000" + } + }, + { + "name": "topic-bulkquotes-post", + "partitions": 12, + "replicationFactor": 3, + "config": { + "cleanup.policy": "delete", + "retention.ms": "-1", + "segment.bytes": "52428800", + "retention.bytes": "262144000" + } + }, + { + "name": "topic-bulkquotes-put", + "partitions": 12, + "replicationFactor": 3, + "config": { + "cleanup.policy": "delete", + "retention.ms": "-1", + "segment.bytes": "52428800", + "retention.bytes": "262144000" + } + }, + { + "name": "topic-bulkquotes-get", + "partitions": 12, + "replicationFactor": 3, + "config": { + "cleanup.policy": "delete", + "retention.ms": "-1", + "segment.bytes": "52428800", + "retention.bytes": "262144000" + } + } + ] + }, + "kafka_data": { + "storage_size": "8Gi", + "storage_class_name": "longhorn", + "service_port": 9092, + "replica_count": 1, + "dataplane_affinity_definition": { + "type": "soft", + "key": "workload-class.mojaloop.io/KAFKA-DATA-PLANE", + "values": ["enabled"] + }, + "controlplane_affinity_definition": { + "nodeAffinity": { 
+ "requiredDuringSchedulingIgnoredDuringExecution": { + "nodeSelectorTerms": [ + { + "matchExpressions": [ + { + "key": "workload-class.mojaloop.io/KAFKA-CONTROL-PLANE", + "operator": "In", + "values": [ + "enabled" + ] + } + ] + } + ] + } + } + } + } + }, + "external_resource_config": { + "name": "mks", + "kafka_version": "3.4.0", + "number_of_broker_nodes": 3, + "enhanced_monitoring": "PER_TOPIC_PER_PARTITION", + "broker_node_storage_info": { + "ebs_storage_info": { + "volume_size": 100 + } + }, + "broker_node_instance_type": "kafka.t3.small", + "encryption_in_transit_client_broker": "TLS", + "encryption_in_transit_in_cluster": true, + "configuration_name": "example-configuration", + "configuration_description": "Example configuration", + "configuration_server_properties": { + "auto.create.topics.enable": true, + "delete.topic.enable": true + }, + "jmx_exporter_enabled": true, + "node_exporter_enabled": true, + "cloudwatch_logs_enabled": false, + "s3_logs_enabled": false, + "s3_logs_bucket": "aws-msk-kafka-cluster-logs", + "s3_logs_prefix": "something", + "scaling_max_capacity": 512, + "scaling_target_value": 80, + "client_authentication": { + "sasl": { + "scram": false + }, + "unauthenticated": { + "enabled": true + } + }, + "create_scram_secret_association": false, + "scram_secret_association_secret_arn_list": [], + "tags": { + "Origin": "Terraform", + "mojaloop/cost_center": "mlf-iac-sandbox", + "mojaloop/env": "ft-sbox-rw", + "mojaloop/owner": "Samuel-Kummary" + } + } + }, + { + "enabled": true, + "resource_name": "vnext-redis", + "resource_type": "redis", + "external_service": false, + "logical_service_config": { + "logical_service_port": 6379, + "logical_service_name": "vnext-redis", + "database_name": null, + "secret_extra_namespaces": [] + }, + "local_resource_config": { + "resource_namespace": "mojaloop", + "override_service_name": "redis-vnext-redis-master", + "resource_helm_repo": 
"https://raw.githubusercontent.com/bitnami/charts/archive-full-index/bitnami", + "resource_helm_chart": "redis", + "resource_helm_chart_version": "17.3.7", + "resource_helm_values_ref": "values-redis.yaml.tpl", + "generate_secret_name": null, + "generate_secret_keys": null, + "generate_secret_vault_base_path": null, + "generate_secret_extra_namespaces": [], + "redis_data": { + "auth_enabled": false, + "existing_secret": "", + "existing_secret_key": "", + "user": "", + "user_password": "", + "storage_size": "8Gi", + "storage_class_name": "longhorn", + "architecture": "standalone", + "replica_count": 0, + "service_port": 6379 + } + }, + "external_resource_config": {} + } +] \ No newline at end of file From 995a944602490b713380cd5978a1a30f7f0a0bde Mon Sep 17 00:00:00 2001 From: Aaron Reynoza Date: Sun, 24 Mar 2024 21:47:14 -0600 Subject: [PATCH 017/201] feat: enhance mysql logging --- .../templates/stateful-resources/values-mysql.yaml.tpl | 6 ++++-- .../default-config/mojaloop-stateful-resources.json | 10 ++++++++++ 2 files changed, 14 insertions(+), 2 deletions(-) diff --git a/terraform/gitops/generate-files/templates/stateful-resources/values-mysql.yaml.tpl b/terraform/gitops/generate-files/templates/stateful-resources/values-mysql.yaml.tpl index 766410c7c..2a58e66d2 100644 --- a/terraform/gitops/generate-files/templates/stateful-resources/values-mysql.yaml.tpl +++ b/terraform/gitops/generate-files/templates/stateful-resources/values-mysql.yaml.tpl @@ -151,7 +151,8 @@ primary: log-error=/opt/bitnami/mysql/logs/mysqld.log character-set-server=UTF8 collation-server=utf8_general_ci - slow_query_log=0 + general_log=${resource.local_resource_config.mysql_data.general_log} + slow_query_log=${resource.local_resource_config.mysql_data.slow_query_log} slow_query_log_file=/opt/bitnami/mysql/logs/mysqld.log long_query_time=10.0 innodb_use_native_aio=0 
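Review bot: In the `vnext-kafka` entry, `kafka_data.replica_count` is `1` while every topic under `kafka_provisioning.topics` declares `"replicationFactor": 3`; if `replica_count` is the broker count (as the field name suggests, but the chart mapping is not visible here), topic provisioning fails because a replication factor cannot exceed the number of brokers, so one of the two values needs to change. The `external_resource_config` block enables `"unauthenticated": {"enabled": true}` with `"scram": false`, and carries obviously copied sample values (`"configuration_name": "example-configuration"`, sandbox `tags` with a personal owner name); confirm these are intended defaults for a new deployment rather than leftovers. `redis_data.auth_enabled` is `false`, which leaves the vnext Redis reachable without credentials by any workload that can reach the service; if that is deliberate, a comment in the consuming template stating why would help the next reader. Minor: `generate_secret_keys` is `null` for redis but `[]` for kafka, so consumers iterating over it need a null guard or the value should be `[]`.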
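Review bot: `general_log=${resource.local_resource_config.mysql_data.general_log}` enables the MySQL general query log, and the defaults added in the `mojaloop-stateful-resources.json` hunks set `general_log: 1` for every database, including central-ledger and account-lookup; the general log records every statement verbatim, including the data in any DML and any `CREATE USER`/`SET PASSWORD` run against the server, so it should default to `0` with a per-environment opt-in rather than be on everywhere. `general_log_file` is also not set, so the general log goes to the server default (`<hostname>.log` under the data directory) rather than to `/opt/bitnami/mysql/logs/mysqld.log` where `slow_query_log_file` points; add `general_log_file=/opt/bitnami/mysql/logs/mysqld.log` next to it if a single log location is intended. The same comment applies to the `secondary:` hunk at `@@ -459,7 +460,8 @@`.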
@@ -459,7 +460,8 @@ secondary: log-error=/opt/bitnami/mysql/logs/mysqld.log character-set-server=UTF8 collation-server=utf8_general_ci - slow_query_log=0 + general_log=${resource.local_resource_config.mysql_data.general_log} + slow_query_log=${resource.local_resource_config.mysql_data.slow_query_log} slow_query_log_file=/opt/bitnami/mysql/logs/mysqld.log long_query_time=10.0 innodb_use_native_aio=0 diff --git a/terraform/k8s/default-config/mojaloop-stateful-resources.json b/terraform/k8s/default-config/mojaloop-stateful-resources.json index f8c8e04ce..ef6b96e4c 100644 --- a/terraform/k8s/default-config/mojaloop-stateful-resources.json +++ b/terraform/k8s/default-config/mojaloop-stateful-resources.json @@ -72,6 +72,8 @@ "mysql_data": { "is_legacy": false, "existing_secret": "mysql-auth-svc-secret", + "general_log": 1, + "slow_query_log": 1, "root_password": "", "user": "auth-svc", "user_password": "", @@ -122,6 +124,8 @@ "mysql_data": { "is_legacy": false, "existing_secret": "mysql-consent-oracle-secret", + "general_log": 1, + "slow_query_log": 1, "root_password": "", "user": "consent-oracle", "user_password": "", @@ -172,6 +176,8 @@ "mysql_data": { "is_legacy": false, "existing_secret": "mcm-db-secret", + "general_log": 1, + "slow_query_log": 1, "root_password": "", "user": "devdat1asql1", "user_password": "", @@ -222,6 +228,8 @@ "mysql_data": { "is_legacy": false, "existing_secret": "mysql-account-lookup-secret", + "general_log": 1, + "slow_query_log": 1, "root_password": "", "user": "account_lookup", "user_password": "", @@ -340,6 +348,8 @@ "mysql_data": { "is_legacy": false, "existing_secret": "mysql-central-ledger-secret", + "general_log": 1, + "slow_query_log": 1, "root_password": "", "user": "central_ledger", "user_password": "", From 7511b86add92611112674cb6b61cd03bc257ad9a Mon Sep 17 00:00:00 2001 
From: David Fry Date: Mon, 25 Mar 2024 11:25:37 +0000 Subject: [PATCH 018/201] fix stateful resource env vars, new values file --- .../templates/vnext/istio-config.yaml.tpl | 59 +- .../templates/vnext/kustomization.yaml.tpl | 2 + .../vnext/switch-jws-deployment.yaml.tpl | 63 + .../templates/vnext/values-vnext.yaml.tpl | 1396 ++--------------- .../templates/vnext/vault-secret.yaml.tpl | 48 + .../gitops/k8s-cluster-config/app-deploy.tf | 77 +- terraform/gitops/vnext/vnext.tf | 114 +- terraform/k8s/default-config/vnext-vars.yaml | 1 + 8 files changed, 446 insertions(+), 1314 deletions(-) create mode 100644 terraform/gitops/generate-files/templates/vnext/switch-jws-deployment.yaml.tpl create mode 100644 terraform/gitops/generate-files/templates/vnext/vault-secret.yaml.tpl create mode 100644 terraform/k8s/default-config/vnext-vars.yaml diff --git a/terraform/gitops/generate-files/templates/vnext/istio-config.yaml.tpl b/terraform/gitops/generate-files/templates/vnext/istio-config.yaml.tpl index 27cfce946..d8a971c09 100644 --- a/terraform/gitops/generate-files/templates/vnext/istio-config.yaml.tpl +++ b/terraform/gitops/generate-files/templates/vnext/istio-config.yaml.tpl @@ -60,7 +60,7 @@ spec: prefix: /participants route: - destination: - host: ${mojaloop_release_name}-account-lookup-service + host: ${vnext_release_name}-account-lookup-service port: number: 80 - name: parties @@ -69,7 +69,7 @@ spec: prefix: /parties route: - destination: - host: ${mojaloop_release_name}-account-lookup-service + host: ${vnext_release_name}-account-lookup-service port: number: 80 - name: quotes @@ -78,7 +78,7 @@ spec: prefix: /quotes route: - destination: - host: ${mojaloop_release_name}-quoting-service + host: ${vnext_release_name}-quoting-service port: number: 80 - name: transfers 
@@ -87,7 +87,7 @@ spec: prefix: /transfers route: - destination: - host: ${mojaloop_release_name}-ml-api-adapter-service + host: ${vnext_release_name}-ml-api-adapter-service port: number: 80 %{ if bulk_enabled ~} @@ -97,7 +97,7 @@ spec: prefix: /bulkQuotes route: - destination: - host: ${mojaloop_release_name}-quoting-service + host: ${vnext_release_name}-quoting-service port: number: 80 - name: bulkTransfers @@ -106,7 +106,7 @@ spec: prefix: /bulkTransfers route: - destination: - host: ${mojaloop_release_name}-bulk-api-adapter-service + host: ${vnext_release_name}-bulk-api-adapter-service port: number: 80 %{ endif ~} @@ -116,7 +116,7 @@ spec: prefix: /transactionRequests route: - destination: - host: ${mojaloop_release_name}-transaction-requests-service + host: ${vnext_release_name}-transaction-requests-service port: number: 80 - name: authorizations @@ -125,7 +125,7 @@ spec: prefix: /authorizations route: - destination: - host: ${mojaloop_release_name}-transaction-requests-service + host: ${vnext_release_name}-transaction-requests-service port: number: 80 --- @@ -145,7 +145,7 @@ spec: prefix: /participants route: - destination: - host: ${mojaloop_release_name}-account-lookup-service + host: ${vnext_release_name}-account-lookup-service port: number: 80 - name: parties @@ -154,7 +154,7 @@ spec: prefix: /parties route: - destination: - host: ${mojaloop_release_name}-account-lookup-service + host: ${vnext_release_name}-account-lookup-service port: number: 80 - name: quotes @@ -163,7 +163,7 @@ spec: prefix: /quotes route: - destination: - host: ${mojaloop_release_name}-quoting-service + host: ${vnext_release_name}-quoting-service port: number: 80 - name: transfers @@ -172,7 +172,7 @@ spec: prefix: /transfers route: - destination: - host: ${mojaloop_release_name}-ml-api-adapter-service + host: ${vnext_release_name}-ml-api-adapter-service port: number: 80 %{ if bulk_enabled ~} 
@@ -182,7 +182,7 @@ spec: prefix: /bulkQuotes route: - destination: - host: ${mojaloop_release_name}-quoting-service + host: ${vnext_release_name}-quoting-service port: number: 80 - name: bulkTransfers @@ -191,7 +191,7 @@ spec: prefix: /bulkTransfers route: - destination: - host: ${mojaloop_release_name}-bulk-api-adapter-service + host: ${vnext_release_name}-bulk-api-adapter-service port: number: 80 %{ endif ~} @@ -201,7 +201,7 @@ spec: prefix: /transactionRequests route: - destination: - host: ${mojaloop_release_name}-transaction-requests-service + host: ${vnext_release_name}-transaction-requests-service port: number: 80 - name: authorizations @@ -210,7 +210,7 @@ spec: prefix: /authorizations route: - destination: - host: ${mojaloop_release_name}-transaction-requests-service + host: ${vnext_release_name}-transaction-requests-service port: number: 80 - name: central-admin @@ -221,7 +221,7 @@ spec: uri: / route: - destination: - host: ${mojaloop_release_name}-centralledger-service + host: ${vnext_release_name}-centralledger-service port: number: 80 - name: als-admin @@ -232,17 +232,17 @@ spec: uri: / route: - destination: - host: ${mojaloop_release_name}-account-lookup-service-admin + host: ${vnext_release_name}-account-lookup-service-admin port: number: 80 --- apiVersion: networking.istio.io/v1alpha3 kind: VirtualService metadata: - name: mojaloop-ttkfront-vs + name: vnext-ttkfront-vs spec: gateways: -%{ if mojaloop_wildcard_gateway == "external" ~} +%{ if vnext_wildcard_gateway == "external" ~} - ${istio_external_gateway_namespace}/${istio_external_wildcard_gateway_name} %{ else ~} - ${istio_internal_gateway_namespace}/${istio_internal_wildcard_gateway_name} 
@@ -255,17 +255,17 @@ spec: prefix: / route: - destination: - host: ${mojaloop_release_name}-ml-testing-toolkit-frontend + host: ${vnext_release_name}-ml-testing-toolkit-frontend port: number: 6060 --- apiVersion: networking.istio.io/v1alpha3 kind: VirtualService metadata: - name: mojaloop-ttkback-vs + name: vnext-ttkback-vs spec: gateways: -%{ if mojaloop_wildcard_gateway == "external" ~} +%{ if vnext_wildcard_gateway == "external" ~} - ${istio_external_gateway_namespace}/${istio_external_wildcard_gateway_name} %{ else ~} - ${istio_internal_gateway_namespace}/${istio_internal_wildcard_gateway_name} @@ -279,7 +279,7 @@ spec: prefix: /api/ route: - destination: - host: ${mojaloop_release_name}-ml-testing-toolkit-backend + host: ${vnext_release_name}-ml-testing-toolkit-backend port: number: 5050 - name: socket @@ -288,7 +288,7 @@ spec: prefix: /socket.io/ route: - destination: - host: ${mojaloop_release_name}-ml-testing-toolkit-backend + host: ${vnext_release_name}-ml-testing-toolkit-backend port: number: 5050 - name: root @@ -297,13 +297,14 @@ spec: prefix: / route: - destination: - host: ${mojaloop_release_name}-ml-testing-toolkit-backend + host: ${vnext_release_name}-ml-testing-toolkit-backend port: number: 4040 --- %{ endif ~} ---- +{{- /* + --- apiVersion: networking.istio.io/v1alpha3 kind: VirtualService metadata: @@ -357,7 +358,7 @@ spec: uri: /v2/ route: - destination: - host: ${mojaloop_release_name}-centralsettlement-service + host: ${vnext_release_name}-centralsettlement-service port: number: 80 - name: reports @@ -475,3 +476,5 @@ spec: paths: - /api/* hosts: ["${portal_fqdn}", "${portal_fqdn}:*"] + +*/ -}} \ No newline at end of file diff --git a/terraform/gitops/generate-files/templates/vnext/kustomization.yaml.tpl b/terraform/gitops/generate-files/templates/vnext/kustomization.yaml.tpl index d9f7c3dc5..b369b3de7 100644 --- a/terraform/gitops/generate-files/templates/vnext/kustomization.yaml.tpl 
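Review bot: The `@@ -297,13 +297,14 @@` hunk replaces a document separator with `{{- /*` and the `@@ -475,3 +476,5 @@` hunk closes it with `*/ -}}`, but this template is rendered by Terraform's templatefile() and then listed as a plain `resources:` entry in kustomization.yaml (next hunk), and neither of those interprets Go-template comments; as far as the visible pipeline shows, the literal `{{- /*` would land at column 0 in the generated istio-config.yaml and break YAML parsing, with the settlement/reports VirtualServices still emitted. If the intent is to disable those routes, use a Terraform directive instead, e.g. `%{ if false ~}` … `%{ endif ~}`, or delete the block outright. Whether any Go-template step exists downstream of kustomize is inferred from the kustomization shown, not verified.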
+++ b/terraform/gitops/generate-files/templates/vnext/kustomization.yaml.tpl @@ -2,6 +2,8 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - istio-config.yaml + - switch-jws-deployment.yaml + - vault-secret.yaml helmCharts: - name: vnext releaseName: ${vnext_release_name} diff --git a/terraform/gitops/generate-files/templates/vnext/switch-jws-deployment.yaml.tpl b/terraform/gitops/generate-files/templates/vnext/switch-jws-deployment.yaml.tpl new file mode 100644 index 000000000..74ed5207b --- /dev/null +++ b/terraform/gitops/generate-files/templates/vnext/switch-jws-deployment.yaml.tpl @@ -0,0 +1,63 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: jws-pubkey-job + annotations: + secret.reloader.stakater.com/reload: "${jws_key_secret}" +spec: + replicas: 1 + selector: + matchLabels: + app: jws-pubkey-job + template: + metadata: + labels: + app: jws-pubkey-job + spec: + containers: + - name: jws-pubkey-job-wait + image: busybox:1.28 + command: ["sh", "-c", "echo Keep the app running! && sleep 3600"] + initContainers: + - name: init-secret + image: alpine + env: + - name: JWS_PUB_CERT + valueFrom: + secretKeyRef: + name: switch-jws + key: tls.crt + command: ["sh", "-c", echo "$$JWS_PUB_CERT" > /tmp/JWS_PUB_CERT] + volumeMounts: + - name: data + mountPath: /tmp + - name: init-extract-public-key + image: alpine/openssl:3.1.4 + command: + [ + "sh", + "-c", + "openssl x509 -pubkey -noout -in /tmp/JWS_PUB_CERT > /tmp/pubkey.pem", + ] + volumeMounts: + - name: data + mountPath: /tmp + + - name: init-call-mcm + image: curlimages/curl:8.6.0 + args: + - /bin/sh + - -ec + - >- + curl + -X POST "${mcm_hub_jws_endpoint}" + -H "Content-type: application/json" + -H "accept: application/json" + -d "{\"publicKey\":\"$(cat /tmp/pubkey.pem | sed '$ ! s/$/\\r\\n/' | tr -d '\n')\"}" + volumeMounts: + - name: data + mountPath: /tmp + volumes: + - name: data + emptyDir: {} + \ No newline at end of file 
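Review bot: The `init-call-mcm` container runs curl without `--fail`/`--fail-with-body`, so an HTTP 4xx/5xx from `${mcm_hub_jws_endpoint}` still exits 0 and the pod comes up although the JWS public key was never registered; change the args to `curl -sS --fail-with-body -X POST "${mcm_hub_jws_endpoint}" …` so a failed registration is visible as an init-container failure. The `init-secret` container uses the floating `image: alpine` tag while the other images are pinned (`alpine/openssl:3.1.4`, `curlimages/curl:8.6.0`); pin it the same way. The same container's `command: ["sh", "-c", echo "$$JWS_PUB_CERT" > /tmp/JWS_PUB_CERT]` leaves the third element as an unquoted plain scalar inside a flow sequence, which is fragile with the embedded quotes and `>`; write it as `command: ["sh", "-c", "echo \"$$JWS_PUB_CERT\" > /tmp/JWS_PUB_CERT"]` or as a block-style list. A Deployment whose main container only sleeps is a one-shot job in disguise; a Job (or the reloader-triggered rollout, if that is the intended re-run mechanism) would expose the registration's outcome instead of hiding it behind a perpetually Running pod.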
diff --git a/terraform/gitops/generate-files/templates/vnext/values-vnext.yaml.tpl b/terraform/gitops/generate-files/templates/vnext/values-vnext.yaml.tpl index 468eecfc2..6a77ee5de 100644 --- a/terraform/gitops/generate-files/templates/vnext/values-vnext.yaml.tpl +++ b/terraform/gitops/generate-files/templates/vnext/values-vnext.yaml.tpl 
@@ -1,111 +1,15 @@ # Custom YAML TEMPLATE Anchors CONFIG: - ## ACCOUNT-LOOKUP BACKEND - als_db_database: &ALS_DB_DATABASE "${account_lookup_db_database}" - als_db_password: &ALS_DB_PASSWORD "" - als_db_secret: &ALS_DB_SECRET - name: &ALS_DB_SECRET_NAME "${account_lookup_db_existing_secret}" - key: &ALS_DB_SECRET_KEY mysql-password - als_db_host: &ALS_DB_HOST "${account_lookup_db_host}" - als_db_port: &ALS_DB_PORT ${account_lookup_db_port} - als_db_user: &ALS_DB_USER "${account_lookup_db_user}" - - ## CENTRAL-LEDGER BACKEND - cl_db_database: &CL_DB_DATABASE "${central_ledger_db_database}" - cl_db_password: &CL_DB_PASSWORD "" - cl_db_secret: &CL_DB_SECRET - name: &CL_DB_SECRET_NAME "${central_ledger_db_existing_secret}" - key: &CL_DB_SECRET_KEY mysql-password - cl_db_host: &CL_DB_HOST "${central_ledger_db_host}" - cl_db_port: &CL_DB_PORT ${central_ledger_db_port} - cl_db_user: &CL_DB_USER "${central_ledger_db_user}" - ## KAFKA BACKEND kafka_host: &KAFKA_HOST "${kafka_host}" kafka_port: &KAFKA_PORT ${kafka_port} + kafka_url: &KAFKA_URL "${kafka_host}:${kafka_port}" + redis_host: &REDIS_HOST "${redis_host}" + redis_port: &REDIS_PORT ${redis_port} - ## BULK OBJECT STORE BACKEND - obj_mongo_host: &OBJSTORE_MONGO_HOST "${cl_mongodb_host}" - obj_mongo_port: &OBJSTORE_MONGO_PORT ${cl_mongodb_port} - obj_mongo_user: &OBJSTORE_MONGO_USER "${cl_mongodb_user}" - obj_mongo_password: &OBJSTORE_MONGO_PASSWORD "" - obj_mongo_secret: &OBJSTORE_MONGO_SECRET - name: &OBJSTORE_MONGO_SECRET_NAME "${cl_mongodb_existing_secret}" - key: &OBJSTORE_MONGO_SECRET_KEY mongodb-passwords - obj_mongo_database: &OBJSTORE_MONGO_DATABASE "${cl_mongodb_database}" - - ## MOJALOOP-TTK-SIMULATORS BACKEND - moja_ttk_sim_kafka_host: &MOJA_TTK_SIM_KAFKA_HOST "${kafka_host}" - moja_ttk_sim_kafka_port: &MOJA_TTK_SIM_KAFKA_PORT ${kafka_port} - moja_ttk_sim_redis_host: &MOJA_TTK_SIM_REDIS_HOST "${ttksims_redis_host}" - moja_ttk_sim_redis_port: &MOJA_TTK_SIM_REDIS_PORT ${ttksims_redis_port} - - ## THIRDPARTY 
AUTH-SVC BACKEND - tp_auth_svc_db_database: &TP_AUTH_SVC_DB_DATABASE "${third_party_auth_db_database}" - tp_auth_svc_db_password: &TP_AUTH_SVC_DB_PASSWORD "" - tp_auth_svc_db_secret: &TP_AUTH_SVC_DB_SECRET - name: &TP_AUTH_SVC_DB_SECRET_NAME "${third_party_auth_db_existing_secret}" - key: &TP_AUTH_SVC_DB_SECRET_KEY mysql-password - tp_auth_svc_db_host: &TP_AUTH_SVC_DB_HOST "${third_party_auth_db_host}" - tp_auth_svc_db_port: &TP_AUTH_SVC_DB_PORT ${third_party_auth_db_port} - tp_auth_svc_db_user: &TP_AUTH_SVC_DB_USER "${third_party_auth_db_user}" - tp_auth_svc_redis_host: &TP_AUTH_SVC_REDIS_HOST "${third_party_auth_redis_host}" - tp_auth_svc_redis_port: &TP_AUTH_SVC_REDIS_PORT ${third_party_auth_redis_port} - - ## THIRDPARTY ALS_CONSENT-SVC BACKEND - tp_als_consent_svc_db_database: &TP_ALS_CONSENT_SVC_DB_DATABASE "${third_party_consent_db_database}" - tp_als_consent_svc_db_password: &TP_ALS_CONSENT_SVC_DB_PASSWORD "" - tp_als_consent_svc_db_secret: &TP_ALS_CONSENT_SVC_DB_SECRET - name: &TP_ALS_CONSENT_SVC_DB_SECRET_NAME "${third_party_consent_db_existing_secret}" - key: &TP_ALS_CONSENT_SVC_DB_SECRET_KEY mysql-password - tp_als_consent_svc_db_host: &TP_ALS_CONSENT_SVC_DB_HOST "${third_party_consent_db_host}" - tp_als_consent_svc_db_port: &TP_ALS_CONSENT_SVC_DB_PORT ${third_party_consent_db_port} - tp_als_consent_svc_db_user: &TP_ALS_CONSENT_SVC_DB_USER "${third_party_consent_db_user}" - - ## CENTRAL-SETTLEMENT BACKEND - cs_db_host: &CS_DB_HOST "${central_settlement_db_host}" - cs_db_password: &CS_DB_PASSWORD "" - cs_db_secret: &CS_DB_SECRET - name: &CS_DB_SECRET_NAME "${central_settlement_db_existing_secret}" - key: &CS_DB_SECRET_KEY mysql-password - cs_db_user: &CS_DB_USER "${central_settlement_db_user}" - cs_db_port: &CS_DB_PORT ${central_settlement_db_port} - cs_db_database: &CS_DB_DATABASE "${central_settlement_db_database}" - - ## QUOTING BACKEND - quoting_db_host: "ING_DB_HOST "${quoting_db_host}" - quoting_db_password: "ING_DB_PASSWORD "" - quoting_db_secret: 
"ING_DB_SECRET - name: "ING_DB_SECRET_NAME "${quoting_db_existing_secret}" - key: "ING_DB_SECRET_KEY mysql-password - quoting_db_user: "ING_DB_USER "${quoting_db_user}" - quoting_db_port: "ING_DB_PORT ${quoting_db_port} - quoting_db_database: "ING_DB_DATABASE "${quoting_db_database}" + mongo_url_secret_name: "${mongodb_url_existing_secret}" &MONGO_URL_SECRET_NAME + mongo_url_secret_key: "url" &MONGO_URL_SECRET_KEY - ## TTK MONGODB BACKEND - ttk_mongo_host: &TTK_MONGO_HOST "${ttk_mongodb_host}" - ttk_mongo_port: &TTK_MONGO_PORT "${ttk_mongodb_port}" - ttk_mongo_user: &TTK_MONGO_USER "${ttk_mongodb_user}" - ttk_mongo_password: &TTK_MONGO_PASSWORD "" - ttk_mongo_secret: &TTK_MONGO_SECRET - name: &TTK_MONGO_SECRET_NAME "${ttk_mongodb_existing_secret}" - key: &TTK_MONGO_SECRET_KEY mongodb-passwords - ttk_mongo_database: &TTK_MONGO_DATABASE "${ttk_mongodb_database}" - - ## BATCH_PROCESSING: To enable batch processing set following to true - batch_processing_enabled: &CL_BATCH_PROCESSING_ENABLED ${central_ledger_handler_transfer_position_batch_processing_enabled} - - ## CENTRAL-LEDGER CACHE - cl_cache_enabled: &CL_CACHE_ENABLED ${central_ledger_cache_enabled} - cl_cache_expires_in_ms: &CL_CACHE_EXPIRES_IN_MS ${central_ledger_cache_expires_in_ms} - - ## MONITORING - ml_api_adapter_monitoring_prefix : &ML_API_ADAPTER_MONITORING_PREFIX "${ml_api_adapter_monitoring_prefix}" - quoting_monitoring_prefix: "ING_MONITORING_PREFIX "${quoting_service_monitoring_prefix}" - cl_monitoring_prefix: &CL_MONITORING_PREFIX "${central_ledger_monitoring_prefix}" - als_monitoring_prefix: &ALS_MONITORING_PREFIX "${account_lookup_service_monitoring_prefix}" - - ingress_class: &INGRESS_CLASS "${ingress_class_name}" ## Endpiont Security endpointSecurity: &ENDPOINT_SECURITY 
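Review bot: `mongo_url_secret_name: "${mongodb_url_existing_secret}" &MONGO_URL_SECRET_NAME` and `mongo_url_secret_key: "url" &MONGO_URL_SECRET_KEY` put the anchor after the scalar; YAML requires `&anchor` before the node, and trailing content after a quoted scalar on the same line is a parse error, so the rendered values file will not load. Write them as `mongo_url_secret_name: &MONGO_URL_SECRET_NAME "${mongodb_url_existing_secret}"` and `mongo_url_secret_key: &MONGO_URL_SECRET_KEY "url"`, matching the `kafka_url: &KAFKA_URL` line added above.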
@@ -119,1127 +23,171 @@ CONFIG: tolerations: &MOJALOOP_TOLERATIONS [] %{ endif ~} -global: - config: - forensicloggingsidecar_disabled: true - -account-lookup-service: - account-lookup-service: - commonAnnotations: - secret.reloader.stakater.com/reload: "${jws_key_secret}" -%{ if account_lookup_service_affinity != null ~} - affinity: - ${indent(8, account_lookup_service_affinity)} -%{ endif ~} - tolerations: *MOJALOOP_TOLERATIONS - podLabels: - sidecar.istio.io/inject: "${enable_istio_injection}" - replicaCount: ${account_lookup_service_replica_count} - config: - kafka_host: *KAFKA_HOST - kafka_port: *KAFKA_PORT - db_password: *ALS_DB_PASSWORD - db_secret: *ALS_DB_SECRET - db_host: *ALS_DB_HOST - db_user: *ALS_DB_USER - db_port: *ALS_DB_PORT - db_database: *ALS_DB_DATABASE - endpointSecurity: *ENDPOINT_SECURITY - # Thirdparty API Config - featureEnableExtendedPartyIdType: ${mojaloop_thirdparty_support_enabled} - central_shared_end_point_cache: - expiresIn: 180000 - generateTimeout: 30000 - getDecoratedValue: true - central_shared_participant_cache: - expiresIn: 61000 - generateTimeout: 30000 - getDecoratedValue: true - general_cache: - enabled: true - maxByteSize: 10000000 - expiresIn: 61000 - ingress: -%{ if istio_create_ingress_gateways ~} - enabled: false -%{ else ~} - enabled: true -%{ endif ~} - className: *INGRESS_CLASS - hostname: account-lookup-service.${ingress_subdomain} - metrics: - config: - prefix: *ALS_MONITORING_PREFIX - account-lookup-service-admin: -%{ if account_lookup_admin_service_affinity != null ~} - affinity: - ${indent(8, account_lookup_admin_service_affinity)} -%{ endif ~} - tolerations: *MOJALOOP_TOLERATIONS - replicaCount: ${account_lookup_service_admin_replica_count} - config: - kafka_host: *KAFKA_HOST - kafka_port: *KAFKA_PORT - db_password: *ALS_DB_PASSWORD - db_secret: *ALS_DB_SECRET - db_host: *ALS_DB_HOST - db_user: *ALS_DB_USER - db_port: *ALS_DB_PORT - db_database: *ALS_DB_DATABASE - endpointSecurity: *ENDPOINT_SECURITY - # 
Thirdparty API Config - featureEnableExtendedPartyIdType: ${mojaloop_thirdparty_support_enabled} - central_shared_end_point_cache: - expiresIn: 180000 - generateTimeout: 30000 - getDecoratedValue: true - central_shared_participant_cache: - expiresIn: 61000 - generateTimeout: 30000 - getDecoratedValue: true - general_cache: - enabled: true - maxByteSize: 10000000 - expiresIn: 61000 - ingress: -%{ if istio_create_ingress_gateways ~} - enabled: false -%{ else ~} - enabled: true -%{ endif ~} - className: *INGRESS_CLASS - hostname: account-lookup-service-admin.${ingress_subdomain} - metrics: - config: - prefix: *ALS_MONITORING_PREFIX - als-oracle-pathfinder: - enabled: false - -quoting-service: - quoting-service: - commonAnnotations: - secret.reloader.stakater.com/reload: "${jws_key_secret}" -%{ if quoting_service_affinity != null ~} - affinity: - ${indent(6, quoting_service_affinity)} -%{ endif ~} - tolerations: *MOJALOOP_TOLERATIONS - podLabels: - sidecar.istio.io/inject: "${enable_istio_injection}" - replicaCount: ${quoting_service_replica_count} - config: - kafka_host: *KAFKA_HOST - kafka_port: *KAFKA_PORT - kafka_producer_quote_post_topic: 'topic-quotes-post' - log_transport: "console" - log_level: "info" - db_password: *QUOTING_DB_PASSWORD - db_secret: *QUOTING_DB_SECRET - db_host: *QUOTING_DB_HOST - db_user: *QUOTING_DB_USER - db_port: *QUOTING_DB_PORT - db_database: *QUOTING_DB_DATABASE - endpointSecurity: *ENDPOINT_SECURITY - ingress: -%{ if istio_create_ingress_gateways ~} - enabled: false -%{ else ~} - enabled: true -%{ endif ~} - className: *INGRESS_CLASS - hostname: quoting-service.${ingress_subdomain} - metrics: - config: - prefix: *QUOTING_MONITORING_PREFIX - quoting-service-handler: - commonAnnotations: - secret.reloader.stakater.com/reload: "${jws_key_secret}" -%{ if quoting_service_affinity != null ~} - affinity: - ${indent(6, quoting_service_affinity)} -%{ endif ~} - tolerations: *MOJALOOP_TOLERATIONS - podLabels: - sidecar.istio.io/inject: 
"${enable_istio_injection}" - replicaCount: ${quoting_service_handler_replica_count} - config: - kafka_host: *KAFKA_HOST - kafka_port: *KAFKA_PORT - simple_routing_mode_enabled: ${quoting_service_simple_routing_mode_enabled} - log_transport: "console" - log_level: "info" - db_password: *QUOTING_DB_PASSWORD - db_secret: *QUOTING_DB_SECRET - db_host: *QUOTING_DB_HOST - db_user: *QUOTING_DB_USER - db_port: *QUOTING_DB_PORT - db_database: *QUOTING_DB_DATABASE - endpointSecurity: *ENDPOINT_SECURITY - ingress: -%{ if istio_create_ingress_gateways ~} - enabled: false -%{ else ~} - enabled: true -%{ endif ~} - className: *INGRESS_CLASS - hostname: quoting-service-handler.${ingress_subdomain} - metrics: - config: - prefix: *QUOTING_MONITORING_PREFIX - -ml-api-adapter: - ml-api-adapter-service: -%{ if ml_api_adapter_service_affinity != null ~} - affinity: - ${indent(8, ml_api_adapter_service_affinity)} -%{ endif ~} - tolerations: *MOJALOOP_TOLERATIONS - replicaCount: ${ml_api_adapter_service_replica_count} - config: - kafka_host: *KAFKA_HOST - kafka_port: *KAFKA_PORT - ingress: -%{ if istio_create_ingress_gateways ~} - enabled: false -%{ else ~} - enabled: true -%{ endif ~} - className: *INGRESS_CLASS - #annotations: - #nginx.ingress.kubernetes.io/rewrite-target: /$2 - hostname: ml-api-adapter.${ingress_subdomain} - metrics: - config: - prefix: *ML_API_ADAPTER_MONITORING_PREFIX - ml-api-adapter-handler-notification: - commonAnnotations: - secret.reloader.stakater.com/reload: "${jws_key_secret}" -%{ if ml_api_adapter_handler_notifications_affinity != null ~} - affinity: - ${indent(8, ml_api_adapter_handler_notifications_affinity)} -%{ endif ~} - tolerations: *MOJALOOP_TOLERATIONS - podLabels: - sidecar.istio.io/inject: "${enable_istio_injection}" - replicaCount: ${ml_api_adapter_handler_notifications_replica_count} - config: - kafka_host: *KAFKA_HOST - kafka_port: *KAFKA_PORT - endpointSecurity: *ENDPOINT_SECURITY - ingress: -%{ if istio_create_ingress_gateways ~} - enabled: 
false -%{ else ~} - enabled: true -%{ endif ~} - className: *INGRESS_CLASS - hostname: ml-api-adapter-handler-notification.${ingress_subdomain} - metrics: - config: - prefix: *ML_API_ADAPTER_MONITORING_PREFIX - -centralledger: - centralledger-service: -%{ if centralledger_service_affinity != null ~} - affinity: - ${indent(8, centralledger_service_affinity)} -%{ endif ~} - tolerations: *MOJALOOP_TOLERATIONS - replicaCount: ${central_ledger_service_replica_count} - config: - kafka_host: *KAFKA_HOST - kafka_port: *KAFKA_PORT - db_password: *CL_DB_PASSWORD - db_secret: *CL_DB_SECRET - db_host: *CL_DB_HOST - db_user: *CL_DB_USER - db_port: *CL_DB_PORT - db_database: *CL_DB_DATABASE - cache_enabled: *CL_CACHE_ENABLED - cache_expires_in_ms: *CL_CACHE_EXPIRES_IN_MS - ingress: -%{ if istio_create_ingress_gateways ~} - enabled: false -%{ else ~} - enabled: true -%{ endif ~} - className: *INGRESS_CLASS - annotations: - nginx.ingress.kubernetes.io/rewrite-target: /$2 - path: /admin(/|$)(.*) - hostname: interop-switch.${ingress_subdomain} - metrics: - config: - prefix: *CL_MONITORING_PREFIX - centralledger-handler-transfer-prepare: -%{ if central_ledger_handler_transfer_prepare_affinity != null ~} - affinity: - ${indent(8, central_ledger_handler_transfer_prepare_affinity)} -%{ endif ~} - tolerations: *MOJALOOP_TOLERATIONS - replicaCount: ${central_ledger_handler_transfer_prepare_replica_count} - config: - kafka_host: *KAFKA_HOST - kafka_port: *KAFKA_PORT - db_password: *CL_DB_PASSWORD - db_secret: *CL_DB_SECRET - db_host: *CL_DB_HOST - db_user: *CL_DB_USER - db_port: *CL_DB_PORT - db_database: *CL_DB_DATABASE - cache_enabled: *CL_CACHE_ENABLED - cache_expires_in_ms: *CL_CACHE_EXPIRES_IN_MS - batch_processing_enabled: *CL_BATCH_PROCESSING_ENABLED - ingress: -%{ if istio_create_ingress_gateways ~} - enabled: false -%{ else ~} - enabled: true -%{ endif ~} - className: *INGRESS_CLASS - hostname: central-ledger-transfer-prepare.${ingress_subdomain} - metrics: - config: - prefix: 
*CL_MONITORING_PREFIX - centralledger-handler-transfer-position: -%{ if central_ledger_handler_transfer_position_affinity != null ~} - affinity: - ${indent(8, central_ledger_handler_transfer_position_affinity)} -%{ endif ~} - tolerations: *MOJALOOP_TOLERATIONS - replicaCount: ${central_ledger_handler_transfer_position_replica_count} - config: - kafka_host: *KAFKA_HOST - kafka_port: *KAFKA_PORT - db_password: *CL_DB_PASSWORD - db_secret: *CL_DB_SECRET - db_host: *CL_DB_HOST - db_user: *CL_DB_USER - db_port: *CL_DB_PORT - db_database: *CL_DB_DATABASE - cache_enabled: *CL_CACHE_ENABLED - cache_expires_in_ms: *CL_CACHE_EXPIRES_IN_MS - ingress: -%{ if istio_create_ingress_gateways ~} - enabled: false -%{ else ~} - enabled: true -%{ endif ~} - className: *INGRESS_CLASS - hostname: central-ledger-transfer-position.${ingress_subdomain} - metrics: - config: - prefix: *CL_MONITORING_PREFIX - centralledger-handler-transfer-position-batch: - enabled: *CL_BATCH_PROCESSING_ENABLED -%{ if central_ledger_handler_transfer_position_batch_affinity != null ~} - affinity: - ${indent(8, central_ledger_handler_transfer_position_batch_affinity)} -%{ endif ~} - tolerations: *MOJALOOP_TOLERATIONS - replicaCount: ${central_ledger_handler_transfer_position_batch_replica_count} - config: - kafka_host: *KAFKA_HOST - kafka_port: *KAFKA_PORT - db_password: *CL_DB_PASSWORD - db_secret: *CL_DB_SECRET - db_host: *CL_DB_HOST - db_user: *CL_DB_USER - db_port: *CL_DB_PORT - db_database: *CL_DB_DATABASE - cache_enabled: *CL_CACHE_ENABLED - cache_expires_in_ms: *CL_CACHE_EXPIRES_IN_MS - batch_size: ${central_ledger_handler_transfer_position_batch_size} - batch_consume_timeout_in_ms: ${central_ledger_handler_transfer_position_batch_consume_timeout_ms} - ingress: -%{ if istio_create_ingress_gateways ~} - enabled: false -%{ else ~} - enabled: true -%{ endif ~} - className: *INGRESS_CLASS - hostname: central-ledger-transfer-position-batch.${ingress_subdomain} - metrics: - config: - prefix: 
*CL_MONITORING_PREFIX - centralledger-handler-transfer-get: -%{ if central_ledger_handler_transfer_get_affinity != null ~} - affinity: - ${indent(8, central_ledger_handler_transfer_get_affinity)} -%{ endif ~} - tolerations: *MOJALOOP_TOLERATIONS - replicaCount: ${central_ledger_handler_transfer_get_replica_count} - config: - kafka_host: *KAFKA_HOST - kafka_port: *KAFKA_PORT - db_password: *CL_DB_PASSWORD - db_secret: *CL_DB_SECRET - db_host: *CL_DB_HOST - db_user: *CL_DB_USER - db_port: *CL_DB_PORT - db_database: *CL_DB_DATABASE - cache_enabled: *CL_CACHE_ENABLED - cache_expires_in_ms: *CL_CACHE_EXPIRES_IN_MS - ingress: -%{ if istio_create_ingress_gateways ~} - enabled: false -%{ else ~} - enabled: true -%{ endif ~} - className: *INGRESS_CLASS - hostname: central-ledger-transfer-get.${ingress_subdomain} - metrics: - config: - prefix: *CL_MONITORING_PREFIX - centralledger-handler-transfer-fulfil: -%{ if central_ledger_handler_transfer_fulfil_affinity != null ~} - affinity: - ${indent(8, central_ledger_handler_transfer_fulfil_affinity)} -%{ endif ~} - tolerations: *MOJALOOP_TOLERATIONS - replicaCount: ${central_ledger_handler_transfer_fulfil_replica_count} - config: - kafka_host: *KAFKA_HOST - kafka_port: *KAFKA_PORT - db_password: *CL_DB_PASSWORD - db_secret: *CL_DB_SECRET - db_host: *CL_DB_HOST - db_user: *CL_DB_USER - db_port: *CL_DB_PORT - db_database: *CL_DB_DATABASE - cache_enabled: *CL_CACHE_ENABLED - cache_expires_in_ms: *CL_CACHE_EXPIRES_IN_MS - batch_processing_enabled: *CL_BATCH_PROCESSING_ENABLED - ingress: -%{ if istio_create_ingress_gateways ~} - enabled: false -%{ else ~} - enabled: true -%{ endif ~} - className: *INGRESS_CLASS - hostname: central-ledger-transfer-fulfil.${ingress_subdomain} - metrics: - config: - prefix: *CL_MONITORING_PREFIX - centralledger-handler-timeout: - tolerations: *MOJALOOP_TOLERATIONS - config: - kafka_host: *KAFKA_HOST - kafka_port: *KAFKA_PORT - db_password: *CL_DB_PASSWORD - db_secret: *CL_DB_SECRET - db_host: *CL_DB_HOST 
- db_user: *CL_DB_USER - db_port: *CL_DB_PORT - db_database: *CL_DB_DATABASE - cache_enabled: *CL_CACHE_ENABLED - cache_expires_in_ms: *CL_CACHE_EXPIRES_IN_MS - ingress: -%{ if istio_create_ingress_gateways ~} - enabled: false -%{ else ~} - enabled: true -%{ endif ~} - className: *INGRESS_CLASS - hostname: central-ledger-timeout.${ingress_subdomain} - metrics: - config: - prefix: *CL_MONITORING_PREFIX - centralledger-handler-admin-transfer: -%{ if central_ledger_handler_admin_transfer_affinity != null ~} - affinity: - ${indent(8, central_ledger_handler_admin_transfer_affinity)} -%{ endif ~} - tolerations: *MOJALOOP_TOLERATIONS - replicaCount: ${central_ledger_handler_admin_transfer_replica_count} - config: - kafka_host: *KAFKA_HOST - kafka_port: *KAFKA_PORT - db_password: *CL_DB_PASSWORD - db_secret: *CL_DB_SECRET - db_host: *CL_DB_HOST - db_user: *CL_DB_USER - db_port: *CL_DB_PORT - db_database: *CL_DB_DATABASE - cache_enabled: *CL_CACHE_ENABLED - cache_expires_in_ms: *CL_CACHE_EXPIRES_IN_MS - ingress: -%{ if istio_create_ingress_gateways ~} - enabled: false -%{ else ~} - enabled: true -%{ endif ~} - className: *INGRESS_CLASS - hostname: central-ledger-admin-transfer.${ingress_subdomain} - metrics: - config: - prefix: *CL_MONITORING_PREFIX -centralsettlement: - centralsettlement-service: - ingress: -%{ if istio_create_ingress_gateways ~} - enabled: false -%{ else ~} - enabled: true -%{ endif ~} - className: *INGRESS_CLASS - annotations: - nginx.ingress.kubernetes.io/rewrite-target: /v2/$2 - path: /settlements(/|$)(.*) - hostname: interop-switch.${ingress_subdomain} -%{ if central_settlement_service_affinity != null ~} - affinity: - ${indent(8, central_settlement_service_affinity)} -%{ endif ~} - tolerations: *MOJALOOP_TOLERATIONS - replicaCount: ${central_settlement_service_replica_count} - config: - kafka_host: *KAFKA_HOST - kafka_port: *KAFKA_PORT - db_password: *CS_DB_PASSWORD - db_secret: *CS_DB_SECRET - db_host: *CS_DB_HOST - db_user: *CS_DB_USER - db_port: 
*CS_DB_PORT - db_database: *CS_DB_DATABASE - centralsettlement-handler-deferredsettlement: -%{ if central_settlement_handler_deferredsettlement_affinity != null ~} - affinity: - ${indent(8, central_settlement_handler_deferredsettlement_affinity)} -%{ endif ~} - tolerations: *MOJALOOP_TOLERATIONS - replicaCount: ${central_settlement_handler_deferredsettlement_replica_count} - config: - kafka_host: *KAFKA_HOST - kafka_port: *KAFKA_PORT - db_password: *CS_DB_PASSWORD - db_secret: *CS_DB_SECRET - db_host: *CS_DB_HOST - db_user: *CS_DB_USER - db_port: *CS_DB_PORT - db_database: *CS_DB_DATABASE - centralsettlement-handler-grosssettlement: -%{ if central_settlement_handler_grosssettlement_affinity != null ~} - affinity: - ${indent(8, central_settlement_handler_grosssettlement_affinity)} -%{ endif ~} - tolerations: *MOJALOOP_TOLERATIONS - replicaCount: ${central_settlement_handler_grosssettlement_replica_count} - config: - kafka_host: *KAFKA_HOST - kafka_port: *KAFKA_PORT - db_password: *CS_DB_PASSWORD - db_secret: *CS_DB_SECRET - db_host: *CS_DB_HOST - db_user: *CS_DB_USER - db_port: *CS_DB_PORT - db_database: *CS_DB_DATABASE - centralsettlement-handler-rules: -%{ if central_settlement_handler_rules_affinity != null ~} - affinity: - ${indent(8, central_settlement_handler_rules_affinity)} -%{ endif ~} - tolerations: *MOJALOOP_TOLERATIONS - replicaCount: ${central_settlement_handler_rules_replica_count} - config: - kafka_host: *KAFKA_HOST - kafka_port: *KAFKA_PORT - db_password: *CS_DB_PASSWORD - db_secret: *CS_DB_SECRET - db_host: *CS_DB_HOST - db_user: *CS_DB_USER - db_port: *CS_DB_PORT - db_database: *CS_DB_DATABASE - -transaction-requests-service: - podLabels: - sidecar.istio.io/inject: "${enable_istio_injection}" -%{ if trasaction_requests_service_affinity != null ~} - affinity: - ${indent(8, trasaction_requests_service_affinity)} -%{ endif ~} - tolerations: *MOJALOOP_TOLERATIONS - replicaCount: ${trasaction_requests_service_replica_count} - ingress: -%{ if 
istio_create_ingress_gateways ~} - enabled: false -%{ else ~} - enabled: true -%{ endif ~} - className: *INGRESS_CLASS - hostname: transaction-request-service.${ingress_subdomain} - -thirdparty: - enabled: ${mojaloop_thirdparty_support_enabled} - auth-svc: - enabled: true - tolerations: *MOJALOOP_TOLERATIONS - podLabels: - sidecar.istio.io/inject: "${enable_istio_injection}" - replicaCount: ${auth_service_replica_count} - config: - db_host: *TP_AUTH_SVC_DB_HOST - db_port: *TP_AUTH_SVC_DB_PORT - db_user: *TP_AUTH_SVC_DB_USER - db_password: *TP_AUTH_SVC_DB_PASSWORD - db_secret: *TP_AUTH_SVC_DB_SECRET - db_database: *TP_AUTH_SVC_DB_DATABASE - redis_host: *TP_AUTH_SVC_REDIS_HOST - redis_port: *TP_AUTH_SVC_REDIS_PORT - ingress: -%{ if istio_create_ingress_gateways ~} - enabled: false -%{ else ~} - enabled: true -%{ endif ~} - hostname: auth-service.upgtest.${ingress_subdomain} - className: *INGRESS_CLASS - - consent-oracle: - enabled: true - tolerations: *MOJALOOP_TOLERATIONS - replicaCount: ${consent_oracle_replica_count} - config: - db_host: *TP_ALS_CONSENT_SVC_DB_HOST - db_port: *TP_ALS_CONSENT_SVC_DB_PORT - db_user: *TP_ALS_CONSENT_SVC_DB_USER - db_password: *TP_ALS_CONSENT_SVC_DB_PASSWORD - db_secret: *TP_ALS_CONSENT_SVC_DB_SECRET - db_database: *TP_ALS_CONSENT_SVC_DB_DATABASE - ingress: -%{ if istio_create_ingress_gateways ~} - enabled: false -%{ else ~} - enabled: true -%{ endif ~} - hostname: consent-oracle.upgtest.${ingress_subdomain} - className: *INGRESS_CLASS - - tp-api-svc: - enabled: true - tolerations: *MOJALOOP_TOLERATIONS - podLabels: - sidecar.istio.io/inject: "${enable_istio_injection}" - replicaCount: ${tp_api_svc_replica_count} - ingress: -%{ if istio_create_ingress_gateways ~} - enabled: false -%{ else ~} - enabled: true -%{ endif ~} - hostname: tp-api-svc.upgtest.${ingress_subdomain} - className: *INGRESS_CLASS - - thirdparty-simulator: - enabled: true - tolerations: *MOJALOOP_TOLERATIONS - -simulator: - tolerations: *MOJALOOP_TOLERATIONS - 
ingress: -%{ if istio_create_ingress_gateways ~} - enabled: false -%{ else ~} - enabled: true -%{ endif ~} - className: *INGRESS_CLASS - hostname: moja-simulator.${ingress_subdomain} - -mojaloop-bulk: - enabled: ${bulk_enabled} - bulk-api-adapter: - bulk-api-adapter-service: - tolerations: *MOJALOOP_TOLERATIONS - replicaCount: ${bulk_api-adapter_service_replica_count} - config: - kafka_host: *KAFKA_HOST - kafka_port: *KAFKA_PORT - mongo_host: *OBJSTORE_MONGO_HOST - mongo_port: *OBJSTORE_MONGO_PORT - mongo_user: *OBJSTORE_MONGO_USER - mongo_password: *OBJSTORE_MONGO_PASSWORD - mongo_secret: *OBJSTORE_MONGO_SECRET - mongo_database: *OBJSTORE_MONGO_DATABASE - ingress: -%{ if istio_create_ingress_gateways ~} - enabled: false -%{ else ~} - enabled: true -%{ endif ~} - className: *INGRESS_CLASS - hostname: bulk-api-adapter.${ingress_subdomain} - bulk-api-adapter-handler-notification: - commonAnnotations: - secret.reloader.stakater.com/reload: "${jws_key_secret}" - tolerations: *MOJALOOP_TOLERATIONS - podLabels: - sidecar.istio.io/inject: "${enable_istio_injection}" - replicaCount: ${bulk_api_adapter_handler_notification_replica_count} - config: - kafka_host: *KAFKA_HOST - kafka_port: *KAFKA_PORT - mongo_host: *OBJSTORE_MONGO_HOST - mongo_port: *OBJSTORE_MONGO_PORT - mongo_user: *OBJSTORE_MONGO_USER - mongo_password: *OBJSTORE_MONGO_PASSWORD - mongo_secret: *OBJSTORE_MONGO_SECRET - mongo_database: *OBJSTORE_MONGO_DATABASE - endpointSecurity: *ENDPOINT_SECURITY - bulk-centralledger: - cl-handler-bulk-transfer-prepare: - tolerations: *MOJALOOP_TOLERATIONS - replicaCount: ${cl_handler_bulk_transfer_prepare_replica_count} - config: - kafka_host: *KAFKA_HOST - kafka_port: *KAFKA_PORT - db_password: *CL_DB_PASSWORD - db_secret: *CL_DB_SECRET - db_host: *CL_DB_HOST - db_user: *CL_DB_USER - db_port: *CL_DB_PORT - db_database: *CL_DB_DATABASE - mongo_host: *OBJSTORE_MONGO_HOST - mongo_port: *OBJSTORE_MONGO_PORT - mongo_user: *OBJSTORE_MONGO_USER - mongo_password: 
*OBJSTORE_MONGO_PASSWORD - mongo_secret: *OBJSTORE_MONGO_SECRET - mongo_database: *OBJSTORE_MONGO_DATABASE - cl-handler-bulk-transfer-fulfil: - tolerations: *MOJALOOP_TOLERATIONS - replicaCount: ${cl_handler_bulk_transfer_fulfil_replica_count} - config: - kafka_host: *KAFKA_HOST - kafka_port: *KAFKA_PORT - db_password: *CL_DB_PASSWORD - db_secret: *CL_DB_SECRET - db_host: *CL_DB_HOST - db_user: *CL_DB_USER - db_port: *CL_DB_PORT - db_database: *CL_DB_DATABASE - mongo_host: *OBJSTORE_MONGO_HOST - mongo_port: *OBJSTORE_MONGO_PORT - mongo_user: *OBJSTORE_MONGO_USER - mongo_password: *OBJSTORE_MONGO_PASSWORD - mongo_secret: *OBJSTORE_MONGO_SECRET - mongo_database: *OBJSTORE_MONGO_DATABASE - cl-handler-bulk-transfer-processing: - tolerations: *MOJALOOP_TOLERATIONS - replicaCount: ${cl_handler_bulk_transfer_processing_replica_count} - config: - kafka_host: *KAFKA_HOST - kafka_port: *KAFKA_PORT - db_password: *CL_DB_PASSWORD - db_secret: *CL_DB_SECRET - db_host: *CL_DB_HOST - db_user: *CL_DB_USER - db_port: *CL_DB_PORT - db_database: *CL_DB_DATABASE - mongo_host: *OBJSTORE_MONGO_HOST - mongo_port: *OBJSTORE_MONGO_PORT - mongo_user: *OBJSTORE_MONGO_USER - mongo_password: *OBJSTORE_MONGO_PASSWORD - mongo_secret: *OBJSTORE_MONGO_SECRET - mongo_database: *OBJSTORE_MONGO_DATABASE - cl-handler-bulk-transfer-get: - tolerations: *MOJALOOP_TOLERATIONS - replicaCount: ${cl_handler_bulk_transfer_get_replica_count} - config: - kafka_host: *KAFKA_HOST - kafka_port: *KAFKA_PORT - db_password: *CL_DB_PASSWORD - db_secret: *CL_DB_SECRET - db_host: *CL_DB_HOST - db_user: *CL_DB_USER - db_port: *CL_DB_PORT - db_database: *CL_DB_DATABASE - mongo_host: *OBJSTORE_MONGO_HOST - mongo_port: *OBJSTORE_MONGO_PORT - mongo_user: *OBJSTORE_MONGO_USER - mongo_password: *OBJSTORE_MONGO_PASSWORD - mongo_secret: *OBJSTORE_MONGO_SECRET - mongo_database: *OBJSTORE_MONGO_DATABASE - -mojaloop-ttk-simulators: - enabled: ${ttksims_enabled} - - mojaloop-ttk-sim1-svc: - enabled: true - sdk-scheme-adapter: 
&MOJA_TTK_SIM_SDK - sdk-scheme-adapter-api-svc: - tolerations: *MOJALOOP_TOLERATIONS - ingress: - enabled: false - kafka: - host: *MOJA_TTK_SIM_KAFKA_HOST - port: *MOJA_TTK_SIM_KAFKA_PORT - - redis: - host: *MOJA_TTK_SIM_REDIS_HOST - port: *MOJA_TTK_SIM_REDIS_PORT - - sdk-scheme-adapter-dom-evt-handler: - tolerations: *MOJALOOP_TOLERATIONS - kafka: - host: *MOJA_TTK_SIM_KAFKA_HOST - port: *MOJA_TTK_SIM_KAFKA_PORT - - redis: - host: *MOJA_TTK_SIM_REDIS_HOST - port: *MOJA_TTK_SIM_REDIS_PORT - - sdk-scheme-adapter-cmd-evt-handler: - tolerations: *MOJALOOP_TOLERATIONS - kafka: - host: *MOJA_TTK_SIM_KAFKA_HOST - port: *MOJA_TTK_SIM_KAFKA_PORT - - redis: - host: *MOJA_TTK_SIM_REDIS_HOST - port: *MOJA_TTK_SIM_REDIS_PORT - - ml-testing-toolkit: - ml-testing-toolkit-backend: - tolerations: *MOJALOOP_TOLERATIONS - ingress: - enabled: false - hosts: - specApi: - host: ttksim1-specapi.${ingress_subdomain} - adminApi: - host: ttksim1.${ingress_subdomain} - - extraEnvironments: - hub-k8s-default-environment.json: &ttksim1InputValues { - "inputValues": { - "TTKSIM1_CURRENCY": "${ttk_test_currency1}", - "TTKSIM2_CURRENCY": "${ttk_test_currency1}", - "TTKSIM3_CURRENCY": "${ttk_test_currency1}", - "TTKSIM1_FSPID": "ttksim1", - "TTKSIM2_FSPID": "ttksim2", - "TTKSIM3_FSPID": "ttksim3" - } - } - config: - mongodb: - host: *TTK_MONGO_HOST - port: *TTK_MONGO_PORT - user: *TTK_MONGO_USER - ## Secret-Management - ### Set this if you are using a clear password configured in the config section - password: *TTK_MONGO_PASSWORD - ### Configure this if you want to use a secret. Note, this will override the db_password, - ### Use the next line if you do wish to use the db_password value instead. 
- # secret: - ### Example config for an existing secret - secret: *TTK_MONGO_SECRET - database: *TTK_MONGO_DATABASE - - ml-testing-toolkit-frontend: - tolerations: *MOJALOOP_TOLERATIONS - ingress: - enabled: false - hosts: - ui: - host: ttksim1.${ingress_subdomain} - config: - API_BASE_URL: http://ttksim1.${ingress_subdomain} - - mojaloop-ttk-sim2-svc: - enabled: true - sdk-scheme-adapter: *MOJA_TTK_SIM_SDK - ml-testing-toolkit: - ml-testing-toolkit-backend: - tolerations: *MOJALOOP_TOLERATIONS - ingress: - enabled: false - hosts: - specApi: - host: ttksim2-specapi.${ingress_subdomain} - adminApi: - host: ttksim2.${ingress_subdomain} - - ml-testing-toolkit-frontend: - tolerations: *MOJALOOP_TOLERATIONS - ingress: - enabled: false - hosts: - ui: - host: ttksim2.${ingress_subdomain} - config: - API_BASE_URL: http://ttksim2.${ingress_subdomain} - - mojaloop-ttk-sim3-svc: - enabled: true - sdk-scheme-adapter: *MOJA_TTK_SIM_SDK - ml-testing-toolkit: - ml-testing-toolkit-backend: - tolerations: *MOJALOOP_TOLERATIONS - ingress: - enabled: false - hosts: - specApi: - host: ttksim3-specapi.${ingress_subdomain} - adminApi: - host: ttksim3.${ingress_subdomain} - - ml-testing-toolkit-frontend: - tolerations: *MOJALOOP_TOLERATIONS - ingress: - enabled: false - hosts: - ui: - host: ttksim3.${ingress_subdomain} - config: - API_BASE_URL: http://ttksim3.${ingress_subdomain} - -ml-testing-toolkit: - enabled: ${internal_ttk_enabled} - ml-testing-toolkit-backend: - tolerations: *MOJALOOP_TOLERATIONS - config: - mongodb: - host: *TTK_MONGO_HOST - port: *TTK_MONGO_PORT - user: *TTK_MONGO_USER - password: *TTK_MONGO_PASSWORD - secret: *TTK_MONGO_SECRET - database: *TTK_MONGO_DATABASE - ingress: -%{ if istio_create_ingress_gateways ~} - enabled: false -%{ else ~} - enabled: true -%{ endif ~} - className: *INGRESS_CLASS - hosts: - specApi: - host: ${ttk_backend_public_fqdn} - adminApi: - host: ${ttk_backend_public_fqdn} - parameters: &simNames - simNamePayerfsp: 'payerfsp' - 
simNamePayeefsp: 'payeefsp' - simNameTestfsp1: 'testfsp1' - simNameTestfsp2: 'testfsp2' - simNameTestfsp3: 'testfsp3' - simNameTestfsp4: 'testfsp4' - simNameNoResponsePayeefsp: 'noresponsepayeefsp' - simNameTTKSim1: 'ttksim1' - simNameTTKSim2: 'ttksim2' - simNameTTKSim3: 'ttksim3' - extraEnvironments: - hub-k8s-cgs-environment.json: null - hub-k8s-default-environment.json: &ttkInputValues { - "inputValues": { - "SIMPAYER_CURRENCY": "${ttk_test_currency1}", - "SIMPAYEE_CURRENCY": "${ttk_test_currency1}", - "currency": "${ttk_test_currency1}", - "currency2": "${ttk_test_currency2}", - "cgscurrency": "${ttk_test_currency3}", - "SIMPLE_ROUTING_MODE_ENABLED": ${quoting_service_simple_routing_mode_enabled}, - "ON_US_TRANSFERS_ENABLED": false, - "ENABLE_WS_ASSERTIONS": true, - "NET_DEBIT_CAP": "10000000", - "accept": "application/vnd.interoperability.parties+json;version=1.1", - "acceptParties": "application/vnd.interoperability.parties+json;version=1.1", - "acceptPartiesOld": "application/vnd.interoperability.parties+json;version=1.0", - "acceptPartiesNotSupported": "application/vnd.interoperability.parties+json;version=2.0", - "acceptParticipants": "application/vnd.interoperability.participants+json;version=1.1", - "acceptParticipantsOld": "application/vnd.interoperability.participants+json;version=1.0", - "acceptParticipantsNotSupported": "application/vnd.interoperability.participants+json;version=2.0", - "acceptQuotes": "application/vnd.interoperability.quotes+json;version=1.1", - "acceptQuotesOld": "application/vnd.interoperability.quotes+json;version=1.0", - "acceptQuotesNotSupported": "application/vnd.interoperability.quotes+json;version=2.0", - "acceptTransfers": "application/vnd.interoperability.transfers+json;version=1.1", - "acceptTransfersOld": "application/vnd.interoperability.transfers+json;version=1.0", - "acceptTransfersNotSupported": "application/vnd.interoperability.transfers+json;version=2.0", - "acceptTransactionRequests": 
"application/vnd.interoperability.transactionRequests+json;version=1.1", - "acceptTransactionRequestsOld": "application/vnd.interoperability.transactionRequests+json;version=1.0", - "acceptTransactionRequestsNotSupported": "application/vnd.interoperability.transactionRequests+json;version=2.0", - "acceptAuthorizations": "application/vnd.interoperability.authorizations+json;version=1.1", - "acceptAuthorizationsOld": "application/vnd.interoperability.authorizations+json;version=1.0", - "acceptAuthorizationsNotSupported": "application/vnd.interoperability.authorizations+json;version=2.0", - "acceptBulkTransfers": "application/vnd.interoperability.bulkTransfers+json;version=1.1", - "acceptBulkTransfersOld": "application/vnd.interoperability.bulkTransfers+json;version=1.0", - "acceptBulkTransfersNotSupported": "application/vnd.interoperability.bulkTransfers+json;version=2.0", - "contentType": "application/vnd.interoperability.parties+json;version=1.1", - "contentTypeTransfers": "application/vnd.interoperability.transfers+json;version=1.1", - "contentTypeTransfersOld": "application/vnd.interoperability.transfers+json;version=1.0", - "contentTypeTransfersNotSupported": "application/vnd.interoperability.transfers+json;version=2.0", - "contentTypeParties": "application/vnd.interoperability.parties+json;version=1.1", - "contentTypePartiesOld": "application/vnd.interoperability.parties+json;version=1.0", - "contentTypePartiesNotSupported": "application/vnd.interoperability.parties+json;version=2.0", - "contentTypeParticipants": "application/vnd.interoperability.participants+json;version=1.1", - "contentTypeParticipantsOld": "application/vnd.interoperability.participants+json;version=1.0", - "contentTypeParticipantsNotSupported": "application/vnd.interoperability.participants+json;version=2.0", - "contentTypeQuotes": "application/vnd.interoperability.quotes+json;version=1.1", - "contentTypeQuotesOld": "application/vnd.interoperability.quotes+json;version=1.0", - 
"contentTypeQuotesNotSupported": "application/vnd.interoperability.quotes+json;version=2.0", - "contentTypeTransactionRequests": "application/vnd.interoperability.transactionRequests+json;version=1.1", - "contentTypeTransactionRequestsOld": "application/vnd.interoperability.transactionRequests+json;version=1.0", - "contentTypeTransactionRequestsNotSupported": "application/vnd.interoperability.transactionRequests+json;version=2.0", - "contentTypeAuthorizations": "application/vnd.interoperability.authorizations+json;version=1.1", - "contentTypeAuthorizationsOld": "application/vnd.interoperability.authorizations+json;version=1.0", - "contentTypeAuthorizationsNotSupported": "application/vnd.interoperability.authorizations+json;version=2.0", - "contentBulkTransfers": "application/vnd.interoperability.bulkTransfers+json;version=1.1", - "contentBulkTransfersOld": "application/vnd.interoperability.bulkTransfers+json;version=1.0", - "contentBulkTransfersNotSupported": "application/vnd.interoperability.bulkTransfers+json;version=2.0", - "expectedPartiesVersion": "1.1", - "expectedParticipantsVersion": "1.1", - "expectedQuotesVersion": "1.1", - "expectedTransfersVersion": "1.1", - "expectedAuthorizationsVersion": "1.1", - "expectedTransactionRequestsVersion": "1.1" - } - } - - ml-testing-toolkit-frontend: - tolerations: *MOJALOOP_TOLERATIONS - ingress: -%{ if istio_create_ingress_gateways ~} - enabled: false -%{ else ~} - enabled: true -%{ endif ~} - className: *INGRESS_CLASS - hosts: - ui: - host: ${ttk_frontend_public_fqdn} - port: 6060 - paths: ['/'] - config: - API_BASE_URL: https://${ttk_backend_public_fqdn} - -ml-ttk-test-setup: - tests: - enabled: true - config: - testSuiteName: Provisioning - environmentName: ${ingress_subdomain} - saveReport: true - saveReportBaseUrl: http://${ttk_backend_public_fqdn} - parameters: - <<: *simNames - testCaseEnvironmentFile: *ttkInputValues - job: - enabled: true - templateLabels: - sidecar.istio.io/inject: "false" - ## Set the TTL 
for Job Cleanup - ref: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ - # ttlSecondsAfterFinished: 50 - generateNameEnabled: false - annotations: - argocd.argoproj.io/hook: PostSync - -ml-ttk-test-val-gp: - configFileDefaults: - labels: ${ttk_gp_testcase_labels} - tests: - enabled: true - config: - testSuiteName: GP Tests - environmentName: ${ingress_subdomain} - saveReport: true - saveReportBaseUrl: http://${ttk_backend_public_fqdn} - parameters: - <<: *simNames - testCaseEnvironmentFile: *ttkInputValues - job: - enabled: true - templateLabels: - sidecar.istio.io/inject: "false" - ## Set the TTL for Job Cleanup - ref: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ - # ttlSecondsAfterFinished: 50 - generateNameEnabled: false - annotations: - argocd.argoproj.io/hook: PostSync - argocd.argoproj.io/sync-wave: "${mojaloop_test_sync_wave}" - -ml-ttk-test-val-bulk: - tests: - enabled: true - config: - testSuiteName: Bulk Tests - environmentName: ${ingress_subdomain} - saveReport: true - saveReportBaseUrl: http://${ttk_backend_public_fqdn} - parameters: - <<: *simNames - testCaseEnvironmentFile: *ttkInputValues - -ml-ttk-test-setup-tp: - tests: - enabled: true - config: - testSuiteName: Third Party Provisioning Tests - environmentName: ${ingress_subdomain} - saveReport: true - saveReportBaseUrl: http://${ttk_backend_public_fqdn} - parameters: - <<: *simNames - testCaseEnvironmentFile: *ttkInputValues - -ml-ttk-test-val-tp: - tests: - enabled: true - config: - testSuiteName: Third Party Validation Tests - environmentName: ${ingress_subdomain} - saveReport: true - saveReportBaseUrl: http://${ttk_backend_public_fqdn} - parameters: - <<: *simNames - testCaseEnvironmentFile: *ttkInputValues - -ml-ttk-test-setup-sdk-bulk: - tests: - enabled: true - config: - testSuiteName: SDK Bulk Provisioning Tests - environmentName: ${ingress_subdomain} - saveReport: true - saveReportBaseUrl: http://${ttk_backend_public_fqdn} - 
parameters: - <<: *simNames - testCaseEnvironmentFile: *ttkInputValues - -ml-ttk-test-val-sdk-bulk: - tests: - enabled: true - config: - testSuiteName: SDK Bulk Validation Tests - environmentName: ${ingress_subdomain} - saveReport: true - saveReportBaseUrl: http://ttksim1.${ingress_subdomain} - parameters: - <<: *simNames - testCaseEnvironmentFile: *ttksim1InputValues - -ml-ttk-test-val-sdk-r2p: - tests: - enabled: true - config: - testSuiteName: SDK Request To Pay Tests - environmentName: ${ingress_subdomain} - saveReport: true - saveReportBaseUrl: http://ttksim1.${ingress_subdomain} - parameters: - <<: *simNames - testCaseEnvironmentFile: *ttksim1InputValues - -ml-ttk-test-cleanup: - tests: - enabled: true - config: - testSuiteName: Post Cleanup - environmentName: ${ingress_subdomain} - saveReport: true - saveReportBaseUrl: http://${ttk_backend_public_fqdn} - parameters: - <<: *simNames - testCaseEnvironmentFile: *ttkInputValues -mojaloop-simulator: - enabled: ${internal_sim_enabled} - defaults: - tolerations: *MOJALOOP_TOLERATIONS +account-lookup-http-oracle-svc: + enabled: true + env: + kafka_url: *KAFKA_URL +account-lookup-svc: + enabled: true + env: + kafka_url: *KAFKA_URL + extraEnvs: + - name: MONGO_URL + valueFrom: + secretKeyRef: + name: *MONGO_URL_SECRET_NAME + key: *MONGO_URL_SECRET_KEY + +accounts-and-balances-builtin-ledger-grpc-svc: + enabled: true + env: + kafka_url: *KAFKA_URL + redis_host: *REDIS_HOST + redis_port: *REDIS_PORT + extraEnvs: + - name: MONGO_URL + valueFrom: + secretKeyRef: + name: *MONGO_URL_SECRET_NAME + key: *MONGO_URL_SECRET_KEY + +accounts-and-balances-coa-grpc-svc: + enabled: true + env: + kafka_url: *KAFKA_URL + redis_host: *REDIS_HOST + redis_port: *REDIS_PORT + extraEnvs: + - name: MONGO_URL + valueFrom: + secretKeyRef: + name: *MONGO_URL_SECRET_NAME + key: *MONGO_URL_SECRET_KEY + +admin-ui: + enabled: true + +auditing-svc: + enabled: true + env: + kafka_url: *KAFKA_URL + +authentication-svc: + enabled: true + env: + 
kafka_url: *KAFKA_URL + +authorization-svc: + enabled: true + env: + kafka_url: *KAFKA_URL + +fspiop-api-svc: + enabled: true + env: + kafka_url: *KAFKA_URL + extraEnvs: + - name: MONGO_URL + valueFrom: + secretKeyRef: + name: *MONGO_URL_SECRET_NAME + key: *MONGO_URL_SECRET_KEY + +logging-svc: + enabled: true + env: + kafka_url: *KAFKA_URL + +participants-svc: + enabled: true + env: + kafka_url: *KAFKA_URL + extraEnvs: + - name: MONGO_URL + valueFrom: + secretKeyRef: + name: *MONGO_URL_SECRET_NAME + key: *MONGO_URL_SECRET_KEY + +platform-configuration-svc: + enabled: true + env: + kafka_url: *KAFKA_URL + +quoting-svc: + enabled: true + env: + kafka_url: *KAFKA_URL + extraEnvs: + - name: MONGO_URL + valueFrom: + secretKeyRef: + name: *MONGO_URL_SECRET_NAME + key: *MONGO_URL_SECRET_KEY + +settlements-api-svc: + enabled: true + env: + kafka_url: *KAFKA_URL + extraEnvs: + - name: MONGO_URL + valueFrom: + secretKeyRef: + name: *MONGO_URL_SECRET_NAME + key: *MONGO_URL_SECRET_KEY + +settlements-command-handler-svc: + enabled: true + env: + kafka_url: *KAFKA_URL + extraEnvs: + - name: MONGO_URL + valueFrom: + secretKeyRef: + name: *MONGO_URL_SECRET_NAME + key: *MONGO_URL_SECRET_KEY + +settlements-event-handler-svc: + enabled: true + env: + kafka_url: *KAFKA_URL + extraEnvs: + - name: MONGO_URL + valueFrom: + secretKeyRef: + name: *MONGO_URL_SECRET_NAME + key: *MONGO_URL_SECRET_KEY + +transfers-api-svc: + enabled: true + env: + kafka_url: *KAFKA_URL + extraEnvs: + - name: MONGO_URL + valueFrom: + secretKeyRef: + name: *MONGO_URL_SECRET_NAME + key: *MONGO_URL_SECRET_KEY + +transfers-command-handler-svc: + enabled: true + env: + kafka_url: *KAFKA_URL + extraEnvs: + - name: MONGO_URL + valueFrom: + secretKeyRef: + name: *MONGO_URL_SECRET_NAME + key: *MONGO_URL_SECRET_KEY + +transfers-event-handler-svc: + enabled: true + env: + kafka_url: *KAFKA_URL + extraEnvs: + - name: MONGO_URL + valueFrom: + secretKeyRef: + name: *MONGO_URL_SECRET_NAME + key: *MONGO_URL_SECRET_KEY 
diff --git a/terraform/gitops/generate-files/templates/vnext/vault-secret.yaml.tpl b/terraform/gitops/generate-files/templates/vnext/vault-secret.yaml.tpl new file mode 100644 index 000000000..de5b2201c --- /dev/null +++ b/terraform/gitops/generate-files/templates/vnext/vault-secret.yaml.tpl @@ -0,0 +1,48 @@ +### hack, this needs to be removed once vnext services are configured with individual mongo user/password/host/etc +apiVersion: redhatcop.redhat.io/v1alpha1 +kind: VaultSecret +metadata: + name: ${mongo_url_secret_name} + annotations: + argocd.argoproj.io/sync-wave: "-3" +spec: + refreshPeriod: 1m0s + vaultSecretDefinitions: + - authentication: + path: kubernetes + role: policy-admin + serviceAccount: + name: default + name: secret + path: ${vnext_mongodb_existing_secret_vault_path}/${vnext_mongodb_resource_name}/${vnext_mongodb_existing_secret} + output: + name: ${mongo_url_secret_name} + stringData: + url: 'mongodb://${vnext_mongodb_user}:{{ .secret.password }}@${vnext_mongodb_host}:${vnext_mongodb_port}/${vnext_mongodb_database}' + type: Opaque +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: ${jws_key_secret} +spec: + secretName: ${jws_key_secret} + duration: ${jws_rotation_period_hours}h0m0s + renewBefore: ${jws_rotation_renew_before_hours}h0m0s + privateKey: + algorithm: RSA + encoding: PKCS1 + size: ${jws_key_rsa_bits} + rotationPolicy: Always + usages: + - digital signature + - key encipherment + commonName: ${interop_switch_fqdn} + issuerRef: + name: ${cert_man_vault_cluster_issuer_name} + kind: ClusterIssuer + group: cert-manager.io + secretTemplate: + labels: + reloader: enabled +--- \ No newline at end of file diff --git a/terraform/gitops/k8s-cluster-config/app-deploy.tf b/terraform/gitops/k8s-cluster-config/app-deploy.tf index e07370403..9b1db84c3 100644 --- a/terraform/gitops/k8s-cluster-config/app-deploy.tf +++ b/terraform/gitops/k8s-cluster-config/app-deploy.tf 
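Review bot: The connection string in `stringData.url` splices `{{ .secret.password }}` raw into the userinfo part of the URI, so a generated password containing `@`, `:`, `/`, `%` or `#` yields a malformed `mongodb://` URL and a confusing authentication failure instead of a clear error; percent-encode the password before interpolation if the operator's template functions allow it, or expose user/password/host as separate keys and let the consumer assemble the URL. The `vaultSecretDefinitions` entry authenticates as `role: policy-admin` via the `default` service account to read a single database secret; a dedicated read-only Vault role scoped to the `${vnext_mongodb_existing_secret_vault_path}/...` path and bound to a dedicated service account is the least-privilege shape, since every workload running as `default` in this namespace otherwise inherits whatever that role grants (the role's policy is not visible here, so confirm what it allows). The trailing `---` before end-of-file produces an empty YAML document, and the file lacks a final newline. The `### hack` comment would be more actionable as `# TEMPORARY: remove once vNext services accept per-service mongo user/password/host; depends on <tracking reference>`.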
@@ -119,8 +119,66 @@ module "pm4ml" { } module "vnext" { - count = var.common_var_map.vnext_enabled ? 1 : 0 - source = "../vnext" + count = var.common_var_map.vnext_enabled ? 1 : 0 + source = "../vnext" + nat_public_ips = var.nat_public_ips + internal_load_balancer_dns = var.internal_load_balancer_dns + external_load_balancer_dns = var.external_load_balancer_dns + private_subdomain = var.private_subdomain + public_subdomain = var.public_subdomain + external_interop_switch_fqdn = local.external_interop_switch_fqdn + internal_interop_switch_fqdn = local.internal_interop_switch_fqdn + secrets_key_map = var.secrets_key_map + properties_key_map = var.properties_key_map + output_dir = var.output_dir + gitlab_project_url = var.gitlab_project_url + cluster_name = var.cluster_name + current_gitlab_project_id = var.current_gitlab_project_id + gitlab_group_name = var.gitlab_group_name + gitlab_api_url = var.gitlab_api_url + gitlab_server_url = var.gitlab_server_url + kv_path = var.kv_path + private_network_cidr = var.private_network_cidr + cert_manager_service_account_name = var.cert_manager_service_account_name + nginx_external_namespace = var.nginx_external_namespace + keycloak_fqdn = local.keycloak_fqdn + keycloak_name = var.keycloak_name + keycloak_namespace = var.keycloak_namespace + vault_namespace = var.vault_namespace + cert_manager_namespace = var.cert_manager_namespace + mcm_oidc_client_secret_secret_key = var.mcm_oidc_client_secret_secret_key + mcm_oidc_client_secret_secret = var.mcm_oidc_client_secret_secret + jwt_client_secret_secret_key = var.jwt_client_secret_secret_key + jwt_client_secret_secret = var.jwt_client_secret_secret + vault_secret_key = var.vault_secret_key + role_assign_svc_secret = var.role_assign_svc_secret + role_assign_svc_user = var.role_assign_svc_user + mcm_public_fqdn = local.mcm_public_fqdn + ttk_backend_public_fqdn = local.ttk_backend_public_fqdn + ttk_frontend_public_fqdn = local.ttk_frontend_public_fqdn + istio_external_gateway_name = 
var.istio_external_gateway_name + istio_internal_gateway_name = var.istio_internal_gateway_name + istio_external_wildcard_gateway_name = local.istio_external_wildcard_gateway_name + istio_internal_wildcard_gateway_name = local.istio_internal_wildcard_gateway_name + istio_egress_gateway_namespace = local.istio_egress_gateway_namespace + istio_egress_gateway_name = local.istio_egress_gateway_name + vnext_chart_version = var.app_var_map.vnext_chart_version + mcm_enabled = var.common_var_map.mcm_enabled + mcm_chart_version = var.app_var_map.mcm_chart_version + vnext_enabled = var.common_var_map.vnext_enabled + vnext_ingress_internal_lb = var.app_var_map.vnext_ingress_internal_lb + mcm_ingress_internal_lb = var.app_var_map.mcm_ingress_internal_lb + stateful_resources_config_file = var.vnext_stateful_resources_config_file + local_vault_kv_root_path = local.local_vault_kv_root_path + app_var_map = var.app_var_map + auth_fqdn = local.auth_fqdn + ory_namespace = var.ory_namespace + finance_portal_fqdn = local.finance_portal_fqdn + bof_release_name = local.bof_release_name + ory_stack_enabled = var.ory_stack_enabled + oathkeeper_auth_provider_name = local.oathkeeper_auth_provider_name + keycloak_hubop_realm_name = var.keycloak_hubop_realm_name + rbac_api_resources_file = var.rbac_api_resources_file } variable "app_var_map" { @@ -135,6 +193,12 @@ variable "mojaloop_stateful_resources_config_file" { description = "where to pull stateful resources config for mojaloop" } +variable "vnext_stateful_resources_config_file" { + default = "../config/vnext-stateful-resources.json" + type = string + description = "where to pull stateful resources config for vnext" +} + variable "private_network_cidr" { description = "network cidr for private network" type = string 
@@ -213,6 +277,7 @@ variable "argocd_namespace" { locals { argocd_wildcard_gateway = var.argocd_ingress_internal_lb ? "internal" : "external" mojaloop_wildcard_gateway = var.app_var_map.mojaloop_ingress_internal_lb ? "internal" : "external" + vnext_wildcard_gateway = var.app_var_map.vnext_ingress_internal_lb ? "internal" : "external" mcm_wildcard_gateway = var.app_var_map.mcm_ingress_internal_lb ? "internal" : "external" pm4ml_var_map = { for pm4ml in var.app_var_map.pm4mls : pm4ml.pm4ml => pm4ml @@ -271,7 +336,7 @@ locals { pm4ml_external_gateway_hosts = concat(local.pm4ml_external_wildcard_admin_portal_hosts, local.pm4ml_external_wildcard_portal_hosts, local.pm4ml_external_wildcard_exp_hosts) keycloak_realm_env_secret_map = merge( - var.common_var_map.mojaloop_enabled ? local.mojaloop_keycloak_realm_env_secret_map : local.pm4ml_keycloak_realm_env_secret_map, + (var.common_var_map.mojaloop_enabled || var.common_var_map.vnext_enabled) ? local.mojaloop_keycloak_realm_env_secret_map : local.pm4ml_keycloak_realm_env_secret_map, { "${var.hubop_oidc_client_secret_secret}" = var.vault_secret_key "${var.role_assign_svc_secret}" = var.vault_secret_key 
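Review bot: The condition `var.common_var_map.mojaloop_enabled || var.common_var_map.vnext_enabled` is written out inline in `keycloak_realm_env_secret_map` and then repeated three more times in the following hunk (`internal_gateway_hosts`, `external_gateway_hosts`, `bof_managed_portal_fqdns`), and the same pattern recurs for `rbac_api_resources_file` and `rbac_permissions_file` in terragrunt.hcl later in this series. Hoisting it into one local, `hub_enabled = var.common_var_map.mojaloop_enabled || var.common_var_map.vnext_enabled`, and writing `local.hub_enabled ? local.mojaloop_keycloak_realm_env_secret_map : local.pm4ml_keycloak_realm_env_secret_map` keeps the definition of "hub-style deployment" in one place, so a future third flag is added once rather than six times. The enclosing `locals` block starts and ends outside this hunk.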
@@ -283,13 +348,13 @@ locals { local.argocd_wildcard_gateway == "internal" ? [local.argocd_fqdn] : [], local.vault_wildcard_gateway == "internal" ? [local.vault_public_fqdn] : [], local.grafana_wildcard_gateway == "internal" ? [local.grafana_public_fqdn] : [], - var.common_var_map.mojaloop_enabled ? local.mojaloop_internal_gateway_hosts : [], + (var.common_var_map.mojaloop_enabled || var.common_var_map.vnext_enabled) ? local.mojaloop_internal_gateway_hosts : [], var.common_var_map.pm4ml_enabled ? local.pm4ml_internal_gateway_hosts : []) external_gateway_hosts = concat([local.keycloak_fqdn, local.auth_fqdn, local.finance_portal_fqdn], local.argocd_wildcard_gateway == "external" ? [local.argocd_fqdn] : [], local.vault_wildcard_gateway == "external" ? [local.vault_public_fqdn] : [], local.grafana_wildcard_gateway == "external" ? [local.grafana_public_fqdn] : [], - var.common_var_map.mojaloop_enabled ? local.mojaloop_external_gateway_hosts : [], + (var.common_var_map.mojaloop_enabled || var.common_var_map.vnext_enabled) ? local.mojaloop_external_gateway_hosts : [], var.common_var_map.pm4ml_enabled ? local.pm4ml_external_gateway_hosts : []) - bof_managed_portal_fqdns = var.common_var_map.mojaloop_enabled ? [local.finance_portal_fqdn, local.mcm_public_fqdn] : concat(local.pm4ml_external_wildcard_portal_hosts, local.pm4ml_internal_wildcard_portal_hosts, local.pm4ml_internal_wildcard_admin_portal_hosts, local.pm4ml_external_wildcard_admin_portal_hosts) + bof_managed_portal_fqdns = (var.common_var_map.mojaloop_enabled || var.common_var_map.vnext_enabled) ? [local.finance_portal_fqdn, local.mcm_public_fqdn] : concat(local.pm4ml_external_wildcard_portal_hosts, local.pm4ml_internal_wildcard_portal_hosts, local.pm4ml_internal_wildcard_admin_portal_hosts, local.pm4ml_external_wildcard_admin_portal_hosts) } diff --git a/terraform/gitops/vnext/vnext.tf b/terraform/gitops/vnext/vnext.tf index 70738ffc7..2bb98c3b6 100644 --- a/terraform/gitops/vnext/vnext.tf 
+++ b/terraform/gitops/vnext/vnext.tf 
@@ -1,62 +1,64 @@ module "generate_vnext_files" { source = "../generate-files" var_map = { - vnext_enabled = var.vnext_enabled - gitlab_project_url = var.gitlab_project_url - vnext_chart_repo = var.vnext_chart_repo - vnext_chart_version = try(var.app_var_map.vnext_chart_version, var.vnext_chart_version) - vnext_release_name = var.vnext_release_name - vnext_namespace = var.vnext_namespace - storage_class_name = var.storage_class_name - vnext_sync_wave = var.vnext_sync_wave - istio_create_ingress_gateways = var.istio_create_ingress_gateways - istio_external_gateway_name = var.istio_external_gateway_name - external_load_balancer_dns = var.external_load_balancer_dns - istio_internal_wildcard_gateway_name = var.istio_internal_wildcard_gateway_name - istio_internal_gateway_namespace = var.istio_internal_gateway_namespace - istio_external_wildcard_gateway_name = var.istio_external_wildcard_gateway_name - istio_external_gateway_namespace = var.istio_external_gateway_namespace - vnext_wildcard_gateway = local.vnext_wildcard_gateway - keycloak_fqdn = var.keycloak_fqdn - keycloak_realm_name = var.keycloak_hubop_realm_name - ttk_frontend_public_fqdn = var.ttk_frontend_public_fqdn - ttk_backend_public_fqdn = var.ttk_backend_public_fqdn - kafka_host = "${local.stateful_resources[local.vnext_kafka_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local" - kafka_port = local.stateful_resources[local.vnext_kafka_resource_index].logical_service_config.logical_service_port - vnext_redis_host = "${local.stateful_resources[local.vnext_redis_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local" - vnext_redis_port = local.stateful_resources[local.vnext_redis_resource_index].logical_service_config.logical_service_port - enable_istio_injection = try(var.app_var_map.enable_istio_injection, false) - bof_release_name = var.bof_release_name - ory_namespace = 
var.ory_namespace - bof_role_perm_operator_host = "${var.bof_release_name}-security-role-perm-operator-svc.${var.ory_namespace}.svc.cluster.local" - auth_fqdn = var.auth_fqdn - vnext_mongodb_database = local.stateful_resources[local.vnext_mongodb_resource_index].logical_service_config.database_name - vnext_mongodb_user = local.stateful_resources[local.vnext_mongodb_resource_index].logical_service_config.username - vnext_mongodb_host = "${local.stateful_resources[local.vnext_mongodb_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local" - vnext_mongodb_existing_secret = local.stateful_resources[local.vnext_mongodb_resource_index].logical_service_config.user_password_secret - vnext_mongodb_port = local.stateful_resources[local.vnext_mongodb_resource_index].logical_service_config.logical_service_port - keto_read_url = "http://keto-read.${var.ory_namespace}.svc.cluster.local:80" - keto_write_url = "http://keto-write.${var.ory_namespace}.svc.cluster.local:80" - kratos_service_name = "kratos-public.${var.ory_namespace}.svc.cluster.local" - portal_fqdn = var.finance_portal_fqdn - finance_portal_release_name = "fin-portal" - finance_portal_chart_version = try(var.app_var_map.finance_portal_chart_version, var.finance_portal_chart_version) - ory_stack_enabled = var.ory_stack_enabled - oathkeeper_auth_provider_name = var.oathkeeper_auth_provider_name - vault_secret_key = var.vault_secret_key - role_assign_svc_secret = var.role_assign_svc_secret - role_assign_svc_user = var.role_assign_svc_user - keycloak_dfsp_realm_name = var.keycloak_dfsp_realm_name - apiResources = local.apiResources - switch_dfspid = var.switch_dfspid - jws_key_secret = local.jws_key_secret - jws_key_secret_private_key_key = "tls.key" - jws_key_secret_public_key_key = "tls.crt" - cert_man_vault_cluster_issuer_name = var.cert_man_vault_cluster_issuer_name - jws_key_rsa_bits = try(var.app_var_map.jws_key_rsa_bits, var.jws_key_rsa_bits) - 
jws_rotation_renew_before_hours = try(var.app_var_map.jws_rotation_renew_before_hours, var.jws_rotation_renew_before_hours) - jws_rotation_period_hours = try(var.app_var_map.jws_rotation_period_hours, var.jws_rotation_period_hours) - mcm_hub_jws_endpoint = "http://mcm-connection-manager-api.${var.mcm_namespace}.svc.cluster.local:3001/api/hub/jwscerts" + vnext_enabled = var.vnext_enabled + gitlab_project_url = var.gitlab_project_url + vnext_chart_repo = var.vnext_chart_repo + vnext_chart_version = try(var.app_var_map.vnext_chart_version, var.vnext_chart_version) + vnext_release_name = var.vnext_release_name + vnext_namespace = var.vnext_namespace + storage_class_name = var.storage_class_name + vnext_sync_wave = var.vnext_sync_wave + istio_create_ingress_gateways = var.istio_create_ingress_gateways + istio_external_gateway_name = var.istio_external_gateway_name + external_load_balancer_dns = var.external_load_balancer_dns + istio_internal_wildcard_gateway_name = var.istio_internal_wildcard_gateway_name + istio_internal_gateway_namespace = var.istio_internal_gateway_namespace + istio_external_wildcard_gateway_name = var.istio_external_wildcard_gateway_name + istio_external_gateway_namespace = var.istio_external_gateway_namespace + vnext_wildcard_gateway = local.vnext_wildcard_gateway + keycloak_fqdn = var.keycloak_fqdn + keycloak_realm_name = var.keycloak_hubop_realm_name + ttk_frontend_public_fqdn = var.ttk_frontend_public_fqdn + ttk_backend_public_fqdn = var.ttk_backend_public_fqdn + kafka_host = "${local.stateful_resources[local.vnext_kafka_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local" + kafka_port = local.stateful_resources[local.vnext_kafka_resource_index].logical_service_config.logical_service_port + vnext_redis_host = "${local.stateful_resources[local.vnext_redis_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local" + 
vnext_redis_port = local.stateful_resources[local.vnext_redis_resource_index].logical_service_config.logical_service_port + enable_istio_injection = try(var.app_var_map.enable_istio_injection, false) + bof_release_name = var.bof_release_name + ory_namespace = var.ory_namespace + bof_role_perm_operator_host = "${var.bof_release_name}-security-role-perm-operator-svc.${var.ory_namespace}.svc.cluster.local" + auth_fqdn = var.auth_fqdn + vnext_mongodb_database = local.stateful_resources[local.vnext_mongodb_resource_index].logical_service_config.database_name + vnext_mongodb_user = local.stateful_resources[local.vnext_mongodb_resource_index].logical_service_config.username + vnext_mongodb_host = "${local.stateful_resources[local.vnext_mongodb_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local" + vnext_mongodb_existing_secret = local.stateful_resources[local.vnext_mongodb_resource_index].logical_service_config.user_password_secret + vnext_mongodb_port = local.stateful_resources[local.vnext_mongodb_resource_index].logical_service_config.logical_service_port + vnext_mongodb_existing_secret_vault_path = local.stateful_resources[local.vnext_mongodb_resource_index].logical_resource_config.generate_secret_vault_base_path # this should go away once vnext supports passing fine grained mongo config + vnext_mongodb_resource_name = "vnext-mongodb" ## this goes away as well + keto_read_url = "http://keto-read.${var.ory_namespace}.svc.cluster.local:80" + keto_write_url = "http://keto-write.${var.ory_namespace}.svc.cluster.local:80" + kratos_service_name = "kratos-public.${var.ory_namespace}.svc.cluster.local" + portal_fqdn = var.finance_portal_fqdn + finance_portal_release_name = "fin-portal" + finance_portal_chart_version = try(var.app_var_map.finance_portal_chart_version, var.finance_portal_chart_version) + ory_stack_enabled = var.ory_stack_enabled + oathkeeper_auth_provider_name = var.oathkeeper_auth_provider_name + 
vault_secret_key = var.vault_secret_key + role_assign_svc_secret = var.role_assign_svc_secret + role_assign_svc_user = var.role_assign_svc_user + keycloak_dfsp_realm_name = var.keycloak_dfsp_realm_name + apiResources = local.apiResources + switch_dfspid = var.switch_dfspid + jws_key_secret = local.jws_key_secret + jws_key_secret_private_key_key = "tls.key" + jws_key_secret_public_key_key = "tls.crt" + cert_man_vault_cluster_issuer_name = var.cert_man_vault_cluster_issuer_name + jws_key_rsa_bits = try(var.app_var_map.jws_key_rsa_bits, var.jws_key_rsa_bits) + jws_rotation_renew_before_hours = try(var.app_var_map.jws_rotation_renew_before_hours, var.jws_rotation_renew_before_hours) + jws_rotation_period_hours = try(var.app_var_map.jws_rotation_period_hours, var.jws_rotation_period_hours) + mcm_hub_jws_endpoint = "http://mcm-connection-manager-api.${var.mcm_namespace}.svc.cluster.local:3001/api/hub/jwscerts" } file_list = [for f in fileset(local.vnext_template_path, "**/*.tpl") : trimsuffix(f, ".tpl") if !can(regex(local.vnext_app_file, f))] template_path = local.vnext_template_path diff --git a/terraform/k8s/default-config/vnext-vars.yaml b/terraform/k8s/default-config/vnext-vars.yaml new file mode 100644 index 000000000..11e7e2e58 --- /dev/null +++ b/terraform/k8s/default-config/vnext-vars.yaml @@ -0,0 +1 @@ +vnext_chart_version: v0.0.1 From b929bd2ab06da978aac36ebe7db3f36998e97a8b Mon Sep 17 00:00:00 2001 From: David Fry Date: Mon, 25 Mar 2024 13:41:55 +0000 Subject: [PATCH 019/201] add missing vars --- .../ci-templates/k8s-cluster/.gitlab/scripts/config-merge.sh | 2 +- terraform/k8s/default-config/vnext-vars.yaml | 5 ++++- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/terraform/gitlab/ci-templates/k8s-cluster/.gitlab/scripts/config-merge.sh b/terraform/gitlab/ci-templates/k8s-cluster/.gitlab/scripts/config-merge.sh index 6e0d80adc..4c66d2cea 100755 --- a/terraform/gitlab/ci-templates/k8s-cluster/.gitlab/scripts/config-merge.sh 
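Review bot: Every existing `var_map` entry is deleted and re-added with new alignment, so the two genuinely new entries, `vnext_mongodb_existing_secret_vault_path` and `vnext_mongodb_resource_name`, are buried in a whole-block rewrite that has to be diffed by eye; running `terraform fmt` in its own commit and keeping the functional change to a two-line hunk would make both reviewable. `vnext_mongodb_resource_name = "vnext-mongodb"` is a literal that must agree with the entry selected by `local.vnext_mongodb_resource_index`, the same index already used to pull host, port, user and secret name from `local.stateful_resources`; if that entry carries a name field, reading it from there removes the duplicated constant (the stateful-resources schema is not visible here, so confirm). The two inline `# this should go away ...` / `## this goes away as well` comments would be clearer as a single comment above both lines stating the removal condition, e.g. `# TEMPORARY: composes the Vault path for the shared mongo secret; drop once vNext accepts per-service mongo credentials`.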
+++ b/terraform/gitlab/ci-templates/k8s-cluster/.gitlab/scripts/config-merge.sh @@ -1,5 +1,5 @@ mkdir -p $CONFIG_PATH -for configFile in {'aws-vars.yaml','cluster-config.yaml','common-vars.yaml','mojaloop-rbac-permissions.yaml','mojaloop-vars.yaml','pm4ml-vars.yaml','bare-metal-vars.yaml','pm4ml-rbac-permissions.yaml','mojaloop-stateful-resources.json','common-stateful-resources.json','mojaloop-rbac-api-resources.yaml'}; +for configFile in {'aws-vars.yaml','cluster-config.yaml','common-vars.yaml','mojaloop-rbac-permissions.yaml','mojaloop-vars.yaml','pm4ml-vars.yaml','bare-metal-vars.yaml','pm4ml-rbac-permissions.yaml','mojaloop-stateful-resources.json','common-stateful-resources.json','mojaloop-rbac-api-resources.yaml','vnext-vars.yaml','vnext-stateful-resources.json'}; do echo $configFile python3 .gitlab/scripts/dictmerge.py default-config/$configFile custom-config/$configFile $CONFIG_PATH; diff --git a/terraform/k8s/default-config/vnext-vars.yaml b/terraform/k8s/default-config/vnext-vars.yaml index 11e7e2e58..ed94b9981 100644 --- a/terraform/k8s/default-config/vnext-vars.yaml +++ b/terraform/k8s/default-config/vnext-vars.yaml @@ -1 +1,4 @@ -vnext_chart_version: v0.0.1 +vnext_chart_version: v0.0.2 +mcm_chart_version: 0.7.7 +mcm_ingress_internal_lb: false +vnext_ingress_internal_lb: true From c1be9a9dead3bbc2852affc0a598cb57636f8962 Mon Sep 17 00:00:00 2001 From: Sijo George Date: Mon, 25 Mar 2024 19:39:01 +0530 Subject: [PATCH 020/201] adding sts.json in list --- .../ci-templates/k8s-cluster/.gitlab/scripts/dictmerge.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/gitlab/ci-templates/k8s-cluster/.gitlab/scripts/dictmerge.py b/terraform/gitlab/ci-templates/k8s-cluster/.gitlab/scripts/dictmerge.py index 3b2974504..1d868a54f 100755 --- a/terraform/gitlab/ci-templates/k8s-cluster/.gitlab/scripts/dictmerge.py +++ b/terraform/gitlab/ci-templates/k8s-cluster/.gitlab/scripts/dictmerge.py 
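Review bot: The brace-expansion list in `for configFile in {...}` now holds thirteen quoted names on one line, so adding `vnext-vars.yaml` and `vnext-stateful-resources.json` rewrites the whole line and the diff cannot show what changed; a bash array with one entry per line, `configFiles=( aws-vars.yaml ... vnext-stateful-resources.json )` followed by `for configFile in "${configFiles[@]}"; do`, turns future additions into one-line hunks. While touching this loop, `$CONFIG_PATH` and `$configFile` are expanded unquoted in `mkdir -p $CONFIG_PATH` and in the `python3` call, so quoting them (`"$CONFIG_PATH"`, `"$configFile"`) avoids word-splitting if the path ever contains spaces. The script starts directly with `mkdir` and has no `set -e`, so a failing `dictmerge.py` run for one file is skipped silently; whether the CI caller checks the exit status is not visible here.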
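Review bot: `mcm_chart_version: 0.7.7` stays a string only because a three-component value is not a valid YAML float; a later bump to something like `0.8` would be decoded as the number 0.8 by `yamldecode`, so version values here should be quoted, `mcm_chart_version: "0.7.7"` and, for consistency, `vnext_chart_version: "v0.0.2"`. `mcm_chart_version` and `mcm_ingress_internal_lb` are MCM settings living in a vNext-named file; if mojaloop-vars.yaml also defines them, the file merge order elsewhere decides which value wins, so a comment here stating that intent would help.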
@@ -120,7 +120,7 @@ def mergeListOfDicts(data1, data2, fileName, outputFilename, fileType): with open(outputFilename, 'w') as file: yaml.dump(mergedDict, file, indent=4 , default_flow_style=False) -elif fileName in ( "common-stateful-resources.json" , "mojaloop-stateful-resources.json" , "mojaloop-rbac-api-resources.yaml" ): +elif fileName in ( "common-stateful-resources.json" , "mojaloop-stateful-resources.json" , "mojaloop-rbac-api-resources.yaml","vnext-stateful-resources" ): mergeListOfDicts(data1, data2, fileName, outputFilename, defaultExt) elif defaultExt == ".yaml": From b9642319af59ae0d6a8e404e1bac3ebb21222cc6 Mon Sep 17 00:00:00 2001 From: Sijo George Date: Mon, 25 Mar 2024 19:45:16 +0530 Subject: [PATCH 021/201] correction --- .../ci-templates/k8s-cluster/.gitlab/scripts/dictmerge.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/gitlab/ci-templates/k8s-cluster/.gitlab/scripts/dictmerge.py b/terraform/gitlab/ci-templates/k8s-cluster/.gitlab/scripts/dictmerge.py index 1d868a54f..2af964c36 100755 --- a/terraform/gitlab/ci-templates/k8s-cluster/.gitlab/scripts/dictmerge.py +++ b/terraform/gitlab/ci-templates/k8s-cluster/.gitlab/scripts/dictmerge.py @@ -120,7 +120,7 @@ def mergeListOfDicts(data1, data2, fileName, outputFilename, fileType): with open(outputFilename, 'w') as file: yaml.dump(mergedDict, file, indent=4 , default_flow_style=False) -elif fileName in ( "common-stateful-resources.json" , "mojaloop-stateful-resources.json" , "mojaloop-rbac-api-resources.yaml","vnext-stateful-resources" ): +elif fileName in ( "common-stateful-resources.json" , "mojaloop-stateful-resources.json" , "mojaloop-rbac-api-resources.yaml","vnext-stateful-resources.json" ): mergeListOfDicts(data1, data2, fileName, outputFilename, defaultExt) elif defaultExt == ".yaml": From fbb6db02ef6e754945ff15e48282c4ebf5b50a45 Mon Sep 17 00:00:00 2001 
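Review bot: The tuple in `elif fileName in (...)` keeps growing inline, now with inconsistent spacing (`"mojaloop-rbac-api-resources.yaml","vnext-stateful-resources.json" )`), and the immediately preceding commit shows how easily an entry is mistyped here. A module-level constant such as `LIST_OF_DICTS_FILES = {"common-stateful-resources.json", "mojaloop-stateful-resources.json", "mojaloop-rbac-api-resources.yaml", "vnext-stateful-resources.json"}` with `elif fileName in LIST_OF_DICTS_FILES:` gives one place to maintain the set, one name per line, and a diff that shows exactly which file was added. The `if`/`elif` dispatch this branch belongs to starts outside the hunk.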
From: David Fry Date: Tue, 26 Mar 2024 08:55:29 +0000 Subject: [PATCH 022/201] fix configs for stateful resources --- terraform/gitops/vnext/vnext.tf | 4 ++-- terraform/k8s/gitops-build/terragrunt.hcl | 8 +++++--- 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/terraform/gitops/vnext/vnext.tf b/terraform/gitops/vnext/vnext.tf index 2bb98c3b6..ee5e1a5b4 100644 --- a/terraform/gitops/vnext/vnext.tf +++ b/terraform/gitops/vnext/vnext.tf @@ -35,8 +35,8 @@ module "generate_vnext_files" { vnext_mongodb_host = "${local.stateful_resources[local.vnext_mongodb_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local" vnext_mongodb_existing_secret = local.stateful_resources[local.vnext_mongodb_resource_index].logical_service_config.user_password_secret vnext_mongodb_port = local.stateful_resources[local.vnext_mongodb_resource_index].logical_service_config.logical_service_port - vnext_mongodb_existing_secret_vault_path = local.stateful_resources[local.vnext_mongodb_resource_index].logical_resource_config.generate_secret_vault_base_path # this should go away once vnext supports passing fine grained mongo config - vnext_mongodb_resource_name = "vnext-mongodb" ## this goes away as well + vnext_mongodb_existing_secret_vault_path = local.stateful_resources[local.vnext_mongodb_resource_index].local_resource_config.generate_secret_vault_base_path # this should go away once vnext supports passing fine grained mongo config + vnext_mongodb_resource_name = "vnext-mongodb" ## this goes away as well keto_read_url = "http://keto-read.${var.ory_namespace}.svc.cluster.local:80" keto_write_url = "http://keto-write.${var.ory_namespace}.svc.cluster.local:80" kratos_service_name = "kratos-public.${var.ory_namespace}.svc.cluster.local" diff --git a/terraform/k8s/gitops-build/terragrunt.hcl b/terraform/k8s/gitops-build/terragrunt.hcl index 3f9d5fbe0..117836a31 100644 --- a/terraform/k8s/gitops-build/terragrunt.hcl 
+++ b/terraform/k8s/gitops-build/terragrunt.hcl @@ -59,12 +59,13 @@ inputs = { external_ingress_https_port = dependency.k8s_deploy.outputs.target_group_external_https_port external_ingress_http_port = dependency.k8s_deploy.outputs.target_group_external_http_port common_var_map = local.common_vars - app_var_map = merge(local.pm4ml_vars, local.mojaloop_vars) + app_var_map = merge(local.pm4ml_vars, local.mojaloop_vars, local.vnext_vars) output_dir = local.GITOPS_BUILD_OUTPUT_DIR gitlab_project_url = local.GITLAB_PROJECT_URL cluster_name = local.CLUSTER_NAME stateful_resources_config_file = find_in_parent_folders("${get_env("CONFIG_PATH")}/common-stateful-resources.json") mojaloop_stateful_resources_config_file = find_in_parent_folders("${get_env("CONFIG_PATH")}/mojaloop-stateful-resources.json") + vnext_stateful_resources_config_file = find_in_parent_folders("${get_env("CONFIG_PATH")}/vnext-stateful-resources.json") current_gitlab_project_id = local.GITLAB_CURRENT_PROJECT_ID gitlab_group_name = local.GITLAB_CURRENT_GROUP_NAME gitlab_api_url = local.GITLAB_API_URL 
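Review bot: `merge(local.pm4ml_vars, local.mojaloop_vars, local.vnext_vars)` gives the last argument precedence, and the `vnext-vars.yaml` introduced earlier in this series defines `mcm_chart_version` and `mcm_ingress_internal_lb`, which are MCM rather than vNext settings; if `mojaloop-vars.yaml` sets the same keys (not visible here), the vNext file now silently overrides them on every deployment, including ones where `vnext_enabled` is false. Gating the merge on the flag is not a safe fix, because `local.vnext_wildcard_gateway` in app-deploy.tf reads `var.app_var_map.vnext_ingress_internal_lb` unconditionally and would fail when the key is absent; the cleaner fix is to keep only vNext-specific keys in vnext-vars.yaml, or to document the precedence next to this line, `# later maps win: vnext-vars.yaml overrides mojaloop-vars.yaml on duplicate keys`.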
@@ -80,8 +81,8 @@ inputs = { transit_vault_url = "http://${dependency.k8s_deploy.outputs.haproxy_server_fqdn}:8200" private_network_cidr = dependency.k8s_deploy.outputs.private_network_cidr dns_provider = dependency.k8s_deploy.outputs.dns_provider - rbac_api_resources_file = local.common_vars.mojaloop_enabled ? find_in_parent_folders("${get_env("CONFIG_PATH")}/mojaloop-rbac-api-resources.yaml") : "" - rbac_permissions_file = local.common_vars.mojaloop_enabled ? find_in_parent_folders("${get_env("CONFIG_PATH")}/mojaloop-rbac-permissions.yaml") : find_in_parent_folders("${get_env("CONFIG_PATH")}/pm4ml-rbac-permissions.yaml") + rbac_api_resources_file = (local.common_vars.mojaloop_enabled || local.common_vars.vnext_enabled) ? find_in_parent_folders("${get_env("CONFIG_PATH")}/mojaloop-rbac-api-resources.yaml") : "" + rbac_permissions_file = (local.common_vars.mojaloop_enabled || local.common_vars.vnext_enabled) ? find_in_parent_folders("${get_env("CONFIG_PATH")}/mojaloop-rbac-permissions.yaml") : find_in_parent_folders("${get_env("CONFIG_PATH")}/pm4ml-rbac-permissions.yaml") } locals { @@ -92,6 +93,7 @@ locals { common_vars = yamldecode(file("${find_in_parent_folders("${get_env("CONFIG_PATH")}/common-vars.yaml")}")) pm4ml_vars = yamldecode(file("${find_in_parent_folders("${get_env("CONFIG_PATH")}/pm4ml-vars.yaml")}")) mojaloop_vars = yamldecode(file("${find_in_parent_folders("${get_env("CONFIG_PATH")}/mojaloop-vars.yaml")}")) + vnext_vars = yamldecode(file("${find_in_parent_folders("${get_env("CONFIG_PATH")}/vnext-vars.yaml")}")) GITLAB_SERVER_URL = get_env("GITLAB_SERVER_URL") GITOPS_BUILD_OUTPUT_DIR = get_env("GITOPS_BUILD_OUTPUT_DIR") CLUSTER_NAME = get_env("cluster_name") From 8edc6364938b2944e5785c0486a857b571a20aa2 Mon Sep 17 00:00:00 2001 
From: David Fry Date: Tue, 26 Mar 2024 09:59:06 +0000 Subject: [PATCH 023/201] fix mongodb secret naming, add vnext app --- .../templates/vnext/app/vnext-app.yaml.tpl | 34 +++ .../templates/vnext/istio-config.yaml.tpl | 219 +----------------- .../templates/vnext/values-vnext.yaml.tpl | 2 +- .../templates/vnext/vault-secret.yaml.tpl | 4 +- terraform/gitops/vnext/vnext.tf | 7 +- 5 files changed, 42 insertions(+), 224 deletions(-) create mode 100644 terraform/gitops/generate-files/templates/vnext/app/vnext-app.yaml.tpl diff --git a/terraform/gitops/generate-files/templates/vnext/app/vnext-app.yaml.tpl b/terraform/gitops/generate-files/templates/vnext/app/vnext-app.yaml.tpl new file mode 100644 index 000000000..b5258efdf --- /dev/null +++ b/terraform/gitops/generate-files/templates/vnext/app/vnext-app.yaml.tpl @@ -0,0 +1,34 @@ +%{ if vnext_enabled ~} +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + annotations: + argocd.argoproj.io/sync-wave: "${vnext_sync_wave}" + name: vnext + namespace: argocd + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + source: + path: apps/vnext + repoURL: "${gitlab_project_url}" + targetRevision: HEAD + destination: + namespace: ${vnext_namespace} + server: https://kubernetes.default.svc + project: default + syncPolicy: + automated: + prune: true + selfHeal: true + retry: + limit: 5 + backoff: + duration: 5s + maxDuration: 3m0s + factor: 2 + syncOptions: + - CreateNamespace=true + - PrunePropagationPolicy=background + - PruneLast=true +%{ endif ~} \ No newline at end of file diff --git a/terraform/gitops/generate-files/templates/vnext/istio-config.yaml.tpl b/terraform/gitops/generate-files/templates/vnext/istio-config.yaml.tpl index d8a971c09..bbf9a7277 100644 --- a/terraform/gitops/generate-files/templates/vnext/istio-config.yaml.tpl +++ b/terraform/gitops/generate-files/templates/vnext/istio-config.yaml.tpl 
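Review bot: The Application is placed in `project: default`, and unless that AppProject has been restricted elsewhere it permits any source repository and any destination cluster or namespace, so nothing ties this app to `${gitlab_project_url}` and `${vnext_namespace}`; with `automated.prune` and `selfHeal` enabled, a dedicated AppProject whose `sourceRepos` and `destinations` are limited to those values is the usual least-privilege setup. `namespace: ${vnext_namespace}` is interpolated unquoted while `repoURL` is quoted; `namespace: "${vnext_namespace}"` guards against an empty or special-character expansion being parsed as something other than a string. The file also ends without a trailing newline after `%{ endif ~}`.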
@@ -90,26 +90,6 @@ spec: host: ${vnext_release_name}-ml-api-adapter-service port: number: 80 -%{ if bulk_enabled ~} - - name: bulkQuotes - match: - - uri: - prefix: /bulkQuotes - route: - - destination: - host: ${vnext_release_name}-quoting-service - port: - number: 80 - - name: bulkTransfers - match: - - uri: - prefix: /bulkTransfers - route: - - destination: - host: ${vnext_release_name}-bulk-api-adapter-service - port: - number: 80 -%{ endif ~} - name: transactionRequests match: - uri: @@ -175,26 +155,6 @@ spec: host: ${vnext_release_name}-ml-api-adapter-service port: number: 80 -%{ if bulk_enabled ~} - - name: bulkQuotes - match: - - uri: - prefix: /bulkQuotes - route: - - destination: - host: ${vnext_release_name}-quoting-service - port: - number: 80 - - name: bulkTransfers - match: - - uri: - prefix: /bulkTransfers - route: - - destination: - host: ${vnext_release_name}-bulk-api-adapter-service - port: - number: 80 -%{ endif ~} - name: transactionRequests match: - uri: 
@@ -300,181 +260,4 @@ spec: host: ${vnext_release_name}-ml-testing-toolkit-backend port: number: 4040 ---- -%{ endif ~} - -{{- /* - --- -apiVersion: networking.istio.io/v1alpha3 -kind: VirtualService -metadata: - name: finance-portal-vs -spec: - gateways: - - ${istio_external_gateway_namespace}/${istio_external_wildcard_gateway_name} - hosts: - - '${portal_fqdn}' - http: - - name: transfers - match: - - uri: - prefix: /api/transfers/ - - uri: - exact: /api/transfers - rewrite: - uri: / - route: - - destination: - host: ${finance_portal_release_name}-reporting-hub-bop-api-svc - port: - number: 80 - - name: iam - match: - - uri: - prefix: /api/iam/ - rewrite: - uri: / - route: - - destination: - host: ${finance_portal_release_name}-role-assignment-service - port: - number: 80 - - name: central-admin - match: - - uri: - prefix: /api/central-admin/ - rewrite: - uri: /central-admin/ - route: - - destination: - host: ${finance_portal_release_name}-reporting-hub-bop-experience-api-svc - port: - number: 80 - - name: central-settlements - match: - - uri: - prefix: /api/central-settlements/ - rewrite: - uri: /v2/ - route: - - destination: - host: ${vnext_release_name}-centralsettlement-service - port: - number: 80 - - name: reports - match: - - uri: - prefix: /api/reports/ - - uri: - exact: /api/reports - rewrite: - uri: / - route: - - destination: - host: ${finance_portal_release_name}-reporting-legacy-api - port: - number: 80 - - name: reporting-hub-bop-role-ui - match: - - uri: - prefix: /uis/iam/ - - uri: - exact: /uis/iam - rewrite: - uri: / - route: - - destination: - host: ${finance_portal_release_name}-reporting-hub-bop-role-ui - port: - number: 80 - - name: reporting-hub-bop-trx-ui - match: - - uri: - prefix: /uis/transfers/ - - uri: - exact: /uis/transfers - rewrite: - uri: / - route: - - destination: - host: ${finance_portal_release_name}-reporting-hub-bop-trx-ui - port: - number: 80 - - name: reporting-hub-bop-settlements-ui - match: - - uri: - prefix: 
/uis/settlements/ - - uri: - exact: /uis/settlements - rewrite: - uri: / - route: - - destination: - host: ${finance_portal_release_name}-reporting-hub-bop-settlements-ui - port: - number: 80 - - name: reporting-hub-bop-positions-ui - match: - - uri: - prefix: /uis/positions/ - - uri: - exact: /uis/positions - rewrite: - uri: / - route: - - destination: - host: ${finance_portal_release_name}-reporting-hub-bop-positions-ui - port: - number: 80 - - name: kratos-logout-proxy - match: - - uri: - prefix: /kratos/self-service/logout/browser - rewrite: - uri: /self-service/logout/browser - route: - - destination: - host: ${kratos_service_name} - port: - number: 80 - - name: kratos-whoami-proxy - match: - - uri: - prefix: /kratos/sessions/whoami - rewrite: - uri: /sessions/whoami - route: - - destination: - host: ${kratos_service_name} - port: - number: 80 - - name: reporting-hub-bop-shell - match: - - uri: - prefix: / - route: - - destination: - host: ${finance_portal_release_name}-reporting-hub-bop-shell - port: - number: 80 ---- -apiVersion: security.istio.io/v1beta1 -kind: AuthorizationPolicy -metadata: - name: finance-portal-auth - namespace: ${istio_external_gateway_namespace} -spec: - selector: - matchLabels: - app: ${istio_external_gateway_name} - action: CUSTOM - provider: - name: ${oathkeeper_auth_provider_name} - rules: - - to: - - operation: - paths: - - /api/* - hosts: ["${portal_fqdn}", "${portal_fqdn}:*"] - -*/ -}} \ No newline at end of file +--- \ No newline at end of file diff --git a/terraform/gitops/generate-files/templates/vnext/values-vnext.yaml.tpl b/terraform/gitops/generate-files/templates/vnext/values-vnext.yaml.tpl index 6a77ee5de..98fa75780 100644 --- a/terraform/gitops/generate-files/templates/vnext/values-vnext.yaml.tpl +++ b/terraform/gitops/generate-files/templates/vnext/values-vnext.yaml.tpl 
@@ -7,7 +7,7 @@ CONFIG: redis_host: &REDIS_HOST "${redis_host}" redis_port: &REDIS_PORT ${redis_port} - mongo_url_secret_name: "${mongodb_url_existing_secret}" &MONGO_URL_SECRET_NAME + mongo_url_secret_name: "${vnext_mongo_url_secret_name}" &MONGO_URL_SECRET_NAME mongo_url_secret_key: "url" &MONGO_URL_SECRET_KEY diff --git a/terraform/gitops/generate-files/templates/vnext/vault-secret.yaml.tpl b/terraform/gitops/generate-files/templates/vnext/vault-secret.yaml.tpl index de5b2201c..6dd2cbdd0 100644 --- a/terraform/gitops/generate-files/templates/vnext/vault-secret.yaml.tpl +++ b/terraform/gitops/generate-files/templates/vnext/vault-secret.yaml.tpl @@ -2,7 +2,7 @@ apiVersion: redhatcop.redhat.io/v1alpha1 kind: VaultSecret metadata: - name: ${mongo_url_secret_name} + name: ${vnext_mongo_url_secret_name} annotations: argocd.argoproj.io/sync-wave: "-3" spec: @@ -16,7 +16,7 @@ spec: name: secret path: ${vnext_mongodb_existing_secret_vault_path}/${vnext_mongodb_resource_name}/${vnext_mongodb_existing_secret} output: - name: ${mongo_url_secret_name} + name: ${vnext_mongo_url_secret_name} stringData: url: 'mongodb://${vnext_mongodb_user}:{{ .secret.password }}@${vnext_mongodb_host}:${vnext_mongodb_port}/${vnext_mongodb_database}' type: Opaque diff --git a/terraform/gitops/vnext/vnext.tf b/terraform/gitops/vnext/vnext.tf index ee5e1a5b4..de5d2b5ad 100644 --- a/terraform/gitops/vnext/vnext.tf +++ b/terraform/gitops/vnext/vnext.tf 
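Review bot: The rendered `url:` in the second vault-secret hunk still splices `{{ .secret.password }}` raw into `mongodb://user:password@host`, so a generated password containing `@`, `:`, `/`, `?` or `%` yields a connection string that fails to parse or resolves to the wrong host, since the MongoDB URI format requires userinfo to be percent-encoded. If the operator's template engine exposes the Sprig `urlquery` function, `url: 'mongodb://${vnext_mongodb_user}:{{ .secret.password | urlquery }}@${vnext_mongodb_host}:${vnext_mongodb_port}/${vnext_mongodb_database}'` closes that; otherwise restrict the alphabet of the generated password where it is created. That line is context rather than changed code, but this rename is the first time the secret is wired end to end for vNext, so it is the right place to settle it.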
@@ -23,8 +23,8 @@ module "generate_vnext_files" { ttk_backend_public_fqdn = var.ttk_backend_public_fqdn kafka_host = "${local.stateful_resources[local.vnext_kafka_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local" kafka_port = local.stateful_resources[local.vnext_kafka_resource_index].logical_service_config.logical_service_port - vnext_redis_host = "${local.stateful_resources[local.vnext_redis_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local" - vnext_redis_port = local.stateful_resources[local.vnext_redis_resource_index].logical_service_config.logical_service_port + redis_host = "${local.stateful_resources[local.vnext_redis_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local" + redis_port = local.stateful_resources[local.vnext_redis_resource_index].logical_service_config.logical_service_port enable_istio_injection = try(var.app_var_map.enable_istio_injection, false) bof_release_name = var.bof_release_name ory_namespace = var.ory_namespace 
@@ -36,7 +36,8 @@ module "generate_vnext_files" { vnext_mongodb_existing_secret = local.stateful_resources[local.vnext_mongodb_resource_index].logical_service_config.user_password_secret vnext_mongodb_port = local.stateful_resources[local.vnext_mongodb_resource_index].logical_service_config.logical_service_port vnext_mongodb_existing_secret_vault_path = local.stateful_resources[local.vnext_mongodb_resource_index].local_resource_config.generate_secret_vault_base_path # this should go away once vnext supports passing fine grained mongo config - vnext_mongodb_resource_name = "vnext-mongodb" ## this goes away as well + vnext_mongodb_resource_name = "vnext-mongodb" + vnext_mongo_url_secret_name = "vnext-mongodb-url" ## this goes away as well keto_read_url = "http://keto-read.${var.ory_namespace}.svc.cluster.local:80" keto_write_url = "http://keto-write.${var.ory_namespace}.svc.cluster.local:80" kratos_service_name = "kratos-public.${var.ory_namespace}.svc.cluster.local" From 91f90bc139854bff4634bbe9b5c1930e06a64954 Mon Sep 17 00:00:00 2001 From: David Fry Date: Tue, 26 Mar 2024 10:23:17 +0000 Subject: [PATCH 024/201] clean up missing vars --- .../generate-files/templates/vnext/values-vnext.yaml.tpl | 6 ------ terraform/gitops/vnext/vnext.tf | 2 ++ 2 files changed, 2 insertions(+), 6 deletions(-) diff --git a/terraform/gitops/generate-files/templates/vnext/values-vnext.yaml.tpl b/terraform/gitops/generate-files/templates/vnext/values-vnext.yaml.tpl index 98fa75780..6369430cd 100644 --- a/terraform/gitops/generate-files/templates/vnext/values-vnext.yaml.tpl +++ b/terraform/gitops/generate-files/templates/vnext/values-vnext.yaml.tpl @@ -16,12 +16,6 @@ CONFIG: jwsSigningKeySecret: &JWS_SIGNING_KEY_SECRET name: ${jws_key_secret} key: ${jws_key_secret_private_key_key} -%{ if mojaloop_tolerations != null ~} - tolerations: &MOJALOOP_TOLERATIONS - ${indent(4, mojaloop_tolerations)} -%{ else ~} - tolerations: &MOJALOOP_TOLERATIONS [] -%{ endif ~} account-lookup-http-oracle-svc: 
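Review bot: The trailing comment `## this goes away as well` has moved from `vnext_mongodb_resource_name` onto the new `vnext_mongo_url_secret_name` line, so it now marks the wrong value as a stopgap; the line above it says the vault-path workaround is what should disappear once vNext accepts fine-grained Mongo config, and the secret name is what the chart consumes. Keep it as `vnext_mongodb_resource_name = "vnext-mongodb" ## this goes away as well` and leave `vnext_mongo_url_secret_name = "vnext-mongodb-url"` uncommented, or state explicitly which of the two is temporary. The enclosing `module` block continues outside the hunk.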
diff --git a/terraform/gitops/vnext/vnext.tf b/terraform/gitops/vnext/vnext.tf index de5d2b5ad..af72c0082 100644 --- a/terraform/gitops/vnext/vnext.tf +++ b/terraform/gitops/vnext/vnext.tf @@ -7,6 +7,8 @@ module "generate_vnext_files" { vnext_chart_version = try(var.app_var_map.vnext_chart_version, var.vnext_chart_version) vnext_release_name = var.vnext_release_name vnext_namespace = var.vnext_namespace + interop_switch_fqdn = var.external_interop_switch_fqdn + int_interop_switch_fqdn = var.internal_interop_switch_fqdn storage_class_name = var.storage_class_name vnext_sync_wave = var.vnext_sync_wave istio_create_ingress_gateways = var.istio_create_ingress_gateways From 0c2dafa6b0f3c8202b527323edf2b4d69eef7fe0 Mon Sep 17 00:00:00 2001 From: David Fry Date: Tue, 26 Mar 2024 10:29:51 +0000 Subject: [PATCH 025/201] another missing var --- terraform/gitops/vnext/vnext.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/terraform/gitops/vnext/vnext.tf b/terraform/gitops/vnext/vnext.tf index af72c0082..6b2f64504 100644 --- a/terraform/gitops/vnext/vnext.tf +++ b/terraform/gitops/vnext/vnext.tf @@ -11,6 +11,7 @@ module "generate_vnext_files" { int_interop_switch_fqdn = var.internal_interop_switch_fqdn storage_class_name = var.storage_class_name vnext_sync_wave = var.vnext_sync_wave + vault_certman_secretname = var.vault_certman_secretname istio_create_ingress_gateways = var.istio_create_ingress_gateways istio_external_gateway_name = var.istio_external_gateway_name external_load_balancer_dns = var.external_load_balancer_dns From b85bd3df4dcd7d4f269a6bedcb11da7d9e9f0a95 Mon Sep 17 00:00:00 2001 From: David Fry Date: Tue, 26 Mar 2024 11:22:44 +0000 Subject: [PATCH 026/201] fix chart repo --- terraform/gitops/vnext/vnext.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/gitops/vnext/vnext.tf b/terraform/gitops/vnext/vnext.tf index 6b2f64504..e9b47a045 100644 --- a/terraform/gitops/vnext/vnext.tf +++ b/terraform/gitops/vnext/vnext.tf 
@@ -101,7 +101,7 @@ variable "vnext_ingress_internal_lb" { variable "vnext_chart_repo" { description = "repo for vnext charts" type = string - default = "https://thitsax.github.io/vnext-charts/" + default = "https://mojaloop.github.io/vn-helm/" } variable "vnext_namespace" { From 4ca3735a5e1722d81f432fa172098436d33738c2 Mon Sep 17 00:00:00 2001 From: David Fry Date: Tue, 26 Mar 2024 11:34:14 +0000 Subject: [PATCH 027/201] fix anchors --- .../generate-files/templates/vnext/values-vnext.yaml.tpl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/gitops/generate-files/templates/vnext/values-vnext.yaml.tpl b/terraform/gitops/generate-files/templates/vnext/values-vnext.yaml.tpl index 6369430cd..e4a3b10cd 100644 --- a/terraform/gitops/generate-files/templates/vnext/values-vnext.yaml.tpl +++ b/terraform/gitops/generate-files/templates/vnext/values-vnext.yaml.tpl @@ -7,8 +7,8 @@ CONFIG: redis_host: &REDIS_HOST "${redis_host}" redis_port: &REDIS_PORT ${redis_port} - mongo_url_secret_name: "${vnext_mongo_url_secret_name}" &MONGO_URL_SECRET_NAME - mongo_url_secret_key: "url" &MONGO_URL_SECRET_KEY + mongo_url_secret_name: &MONGO_URL_SECRET_NAME "${vnext_mongo_url_secret_name}" + mongo_url_secret_key: &MONGO_URL_SECRET_KEY "url" ## Endpiont Security From 86ae686ae434af168c1f8b988eac01df950bf8ec Mon Sep 17 00:00:00 2001 From: Kalin Krustev Date: Tue, 26 Mar 2024 12:20:41 +0000 Subject: [PATCH 028/201] fix: use local storage by default --- .../generate-files/templates/storage/chart/values.yaml.tpl | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/terraform/gitops/generate-files/templates/storage/chart/values.yaml.tpl b/terraform/gitops/generate-files/templates/storage/chart/values.yaml.tpl index a189bd0a0..51d2c2655 100644 --- a/terraform/gitops/generate-files/templates/storage/chart/values.yaml.tpl +++ b/terraform/gitops/generate-files/templates/storage/chart/values.yaml.tpl 
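Review bot: Changing the `vnext_chart_repo` default to `https://mojaloop.github.io/vn-helm/` moves the origin of every vNext workload's image references to a GitHub Pages Helm index, and nothing in this repo verifies what is fetched beyond the `version` string. The `description = "repo for vnext charts"` could say that versions are pinned via `vnext_chart_version` and whether the charts are signed or mirrored; for a payments switch, pulling from an internally controlled mirror or OCI registry with digest pinning is the usual expectation. Worth a comment or a follow-up issue rather than a silent default swap.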
@@ -7,12 +7,13 @@ longhorn: # Set the number of replicas based on how many nodes are deployed; https://longhorn.io/docs/0.8.1/references/settings/#default-replica-count defaultClassReplicaCount: ${replica_count} reclaimPolicy: ${reclaim_policy} + defaultDataLocality: strict-local defaultSettings: backupTarget: "s3://${longhorn_backups_bucket_name}@${cloud_region}/" backupTargetCredentialSecret: ${longhorn_credentials_secret} nodeDownPodDeletionPolicy: delete-both-statefulset-and-deployment-pod - defaultDataLocality: disabled + defaultDataLocality: strict-local replicaAutoBalance: disabled autoDeletePodWhenVolumeDetachedUnexpectedly: true replicaReplenishmentWaitInterval: 360 From 77ecfa52af6c696084917057a22ceda2b9d0fdda Mon Sep 17 00:00:00 2001 From: David Fry Date: Tue, 26 Mar 2024 12:55:37 +0000 Subject: [PATCH 029/201] disable ingresses --- .../templates/vnext/values-vnext.yaml.tpl | 40 ++++++++++++++++++- 1 file changed, 38 insertions(+), 2 deletions(-) diff --git a/terraform/gitops/generate-files/templates/vnext/values-vnext.yaml.tpl b/terraform/gitops/generate-files/templates/vnext/values-vnext.yaml.tpl index e4a3b10cd..cb4d4ddd4 100644 --- a/terraform/gitops/generate-files/templates/vnext/values-vnext.yaml.tpl +++ b/terraform/gitops/generate-files/templates/vnext/values-vnext.yaml.tpl @@ -1,8 +1,6 @@ # Custom YAML TEMPLATE Anchors CONFIG: ## KAFKA BACKEND - kafka_host: &KAFKA_HOST "${kafka_host}" - kafka_port: &KAFKA_PORT ${kafka_port} kafka_url: &KAFKA_URL "${kafka_host}:${kafka_port}" redis_host: &REDIS_HOST "${redis_host}" redis_port: &REDIS_PORT ${redis_port} @@ -20,10 +18,14 @@ CONFIG: account-lookup-http-oracle-svc: enabled: true + ingress: + enabled: false env: kafka_url: *KAFKA_URL account-lookup-svc: enabled: true + ingress: + enabled: false env: kafka_url: *KAFKA_URL extraEnvs: 
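Review bot: `defaultDataLocality: strict-local` is now set for both the default StorageClass and `defaultSettings`, while `defaultClassReplicaCount: ${replica_count}` is still environment-driven; in Longhorn, strict-local pins a single replica to the workload's node and, as far as I recall, is rejected for volumes with more than one replica, so environments that set `replica_count` above 1 may get volumes that never attach (confirm against the Longhorn version this chart pins). It also means losing a node takes the only copy of every stateful volume with it, leaving the S3 `backupTarget` as the sole recovery path. Either tie it to the replica count, e.g. `defaultDataLocality: ${replica_count > 1 ? "best-effort" : "strict-local"}`, or spell the durability trade-off out in the comment above `defaultClassReplicaCount`.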
@@ -35,6 +37,8 @@ account-lookup-svc: accounts-and-balances-builtin-ledger-grpc-svc: enabled: true + ingress: + enabled: false env: kafka_url: *KAFKA_URL redis_host: *REDIS_HOST @@ -48,6 +52,8 @@ accounts-and-balances-builtin-ledger-grpc-svc: accounts-and-balances-coa-grpc-svc: enabled: true + ingress: + enabled: false env: kafka_url: *KAFKA_URL redis_host: *REDIS_HOST @@ -61,24 +67,34 @@ accounts-and-balances-coa-grpc-svc: admin-ui: enabled: true + ingress: + enabled: false auditing-svc: enabled: true + ingress: + enabled: false env: kafka_url: *KAFKA_URL authentication-svc: enabled: true + ingress: + enabled: false env: kafka_url: *KAFKA_URL authorization-svc: enabled: true + ingress: + enabled: false env: kafka_url: *KAFKA_URL fspiop-api-svc: enabled: true + ingress: + enabled: false env: kafka_url: *KAFKA_URL extraEnvs: @@ -90,11 +106,15 @@ fspiop-api-svc: logging-svc: enabled: true + ingress: + enabled: false env: kafka_url: *KAFKA_URL participants-svc: enabled: true + ingress: + enabled: false env: kafka_url: *KAFKA_URL extraEnvs: @@ -106,11 +126,15 @@ participants-svc: platform-configuration-svc: enabled: true + ingress: + enabled: false env: kafka_url: *KAFKA_URL quoting-svc: enabled: true + ingress: + enabled: false env: kafka_url: *KAFKA_URL extraEnvs: @@ -122,6 +146,8 @@ quoting-svc: settlements-api-svc: enabled: true + ingress: + enabled: false env: kafka_url: *KAFKA_URL extraEnvs: @@ -133,6 +159,8 @@ settlements-api-svc: settlements-command-handler-svc: enabled: true + ingress: + enabled: false env: kafka_url: *KAFKA_URL extraEnvs: @@ -144,6 +172,8 @@ settlements-command-handler-svc: settlements-event-handler-svc: enabled: true + ingress: + enabled: false env: kafka_url: *KAFKA_URL extraEnvs: @@ -155,6 +185,8 @@ settlements-event-handler-svc: transfers-api-svc: enabled: true + ingress: + enabled: false env: kafka_url: *KAFKA_URL extraEnvs: 
@@ -166,6 +198,8 @@ transfers-api-svc: transfers-command-handler-svc: enabled: true + ingress: + enabled: false env: kafka_url: *KAFKA_URL extraEnvs: @@ -177,6 +211,8 @@ transfers-command-handler-svc: transfers-event-handler-svc: enabled: true + ingress: + enabled: false env: kafka_url: *KAFKA_URL extraEnvs: From 3843fee7ac8f8f10eaa27da4b5bfd81938d8928f Mon Sep 17 00:00:00 2001 From: David Fry Date: Tue, 26 Mar 2024 20:25:23 +0000 Subject: [PATCH 030/201] add es and reconfigure mongo url secret --- .../templates/vnext/kustomization.yaml.tpl | 5 + .../templates/vnext/values-vnext.yaml.tpl | 124 ++++++++---------- 2 files changed, 60 insertions(+), 69 deletions(-) diff --git a/terraform/gitops/generate-files/templates/vnext/kustomization.yaml.tpl b/terraform/gitops/generate-files/templates/vnext/kustomization.yaml.tpl index b369b3de7..61ae60c5c 100644 --- a/terraform/gitops/generate-files/templates/vnext/kustomization.yaml.tpl +++ b/terraform/gitops/generate-files/templates/vnext/kustomization.yaml.tpl @@ -11,3 +11,8 @@ helmCharts: repo: ${vnext_chart_repo} valuesFile: values-vnext.yaml namespace: ${vnext_namespace} +- name: elasticsearch + releaseName: elasticsearch + version: 20.0.0 + repo: https://charts.bitnami.com/bitnami + namespace: monitoring \ No newline at end of file diff --git a/terraform/gitops/generate-files/templates/vnext/values-vnext.yaml.tpl b/terraform/gitops/generate-files/templates/vnext/values-vnext.yaml.tpl index cb4d4ddd4..e1b6a6d40 100644 --- a/terraform/gitops/generate-files/templates/vnext/values-vnext.yaml.tpl +++ b/terraform/gitops/generate-files/templates/vnext/values-vnext.yaml.tpl 
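Review bot: The added `elasticsearch` chart is pulled from `charts.bitnami.com` with no `valuesFile`, so the chart's defaults decide whether authentication and TLS are enabled on the HTTP and transport ports and whether persistence and resource limits are set; as far as I recall the Bitnami chart ships with security disabled, which would leave an unauthenticated Elasticsearch reachable from any pod in the mesh while vNext's logging and auditing services write transaction and participant data into it. Give it a `valuesFile: values-elasticsearch.yaml` that turns on the chart's security and TLS settings, sources the password from Vault the way the Mongo URL secret is, and pins resources. Since it deploys into `monitoring` rather than `${vnext_namespace}`, confirm the vNext Application's AppProject allows that destination, and add the missing newline at end of file.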
@@ -17,12 +17,20 @@ CONFIG: account-lookup-http-oracle-svc: + config: + mongo_url_secret: + name: *MONGO_URL_SECRET_NAME + key: *MONGO_URL_SECRET_KEY enabled: true ingress: enabled: false env: kafka_url: *KAFKA_URL account-lookup-svc: + config: + mongo_url_secret: + name: *MONGO_URL_SECRET_NAME + key: *MONGO_URL_SECRET_KEY enabled: true ingress: enabled: false @@ -36,6 +44,10 @@ account-lookup-svc: key: *MONGO_URL_SECRET_KEY accounts-and-balances-builtin-ledger-grpc-svc: + config: + mongo_url_secret: + name: *MONGO_URL_SECRET_NAME + key: *MONGO_URL_SECRET_KEY enabled: true ingress: enabled: false @@ -43,14 +55,12 @@ accounts-and-balances-builtin-ledger-grpc-svc: kafka_url: *KAFKA_URL redis_host: *REDIS_HOST redis_port: *REDIS_PORT - extraEnvs: - - name: MONGO_URL - valueFrom: - secretKeyRef: - name: *MONGO_URL_SECRET_NAME - key: *MONGO_URL_SECRET_KEY accounts-and-balances-coa-grpc-svc: + config: + mongo_url_secret: + name: *MONGO_URL_SECRET_NAME + key: *MONGO_URL_SECRET_KEY enabled: true ingress: enabled: false @@ -58,12 +68,6 @@ accounts-and-balances-coa-grpc-svc: kafka_url: *KAFKA_URL redis_host: *REDIS_HOST redis_port: *REDIS_PORT - extraEnvs: - - name: MONGO_URL - valueFrom: - secretKeyRef: - name: *MONGO_URL_SECRET_NAME - key: *MONGO_URL_SECRET_KEY admin-ui: enabled: true @@ -93,16 +97,14 @@ authorization-svc: fspiop-api-svc: enabled: true + config: + mongo_url_secret: + name: *MONGO_URL_SECRET_NAME + key: *MONGO_URL_SECRET_KEY ingress: enabled: false env: kafka_url: *KAFKA_URL - extraEnvs: - - name: MONGO_URL - valueFrom: - secretKeyRef: - name: *MONGO_URL_SECRET_NAME - key: *MONGO_URL_SECRET_KEY logging-svc: enabled: true 
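Review bot: `account-lookup-svc` gains `config.mongo_url_secret` here but, unlike every other service in this commit, its `extraEnvs` entry for `MONGO_URL` is not removed; the next hunk's context (`key: *MONGO_URL_SECRET_KEY` immediately before `accounts-and-balances-builtin-ledger-grpc-svc:`) shows it still in place. If the chart renders `config.mongo_url_secret` into the same `MONGO_URL` variable, which the rest of this change implies but which is not visible here, the container ends up with a duplicate env name and whichever the chart emits last silently wins. Drop the `extraEnvs` block from `account-lookup-svc` as was done for the others, or add a comment saying why it is intentionally kept.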
@@ -113,17 +115,15 @@ logging-svc: participants-svc: enabled: true + config: + mongo_url_secret: + name: *MONGO_URL_SECRET_NAME + key: *MONGO_URL_SECRET_KEY ingress: enabled: false env: kafka_url: *KAFKA_URL - extraEnvs: - - name: MONGO_URL - valueFrom: - secretKeyRef: - name: *MONGO_URL_SECRET_NAME - key: *MONGO_URL_SECRET_KEY - + platform-configuration-svc: enabled: true ingress: 
@@ -133,91 +133,77 @@ platform-configuration-svc: quoting-svc: enabled: true + config: + mongo_url_secret: + name: *MONGO_URL_SECRET_NAME + key: *MONGO_URL_SECRET_KEY ingress: enabled: false env: kafka_url: *KAFKA_URL - extraEnvs: - - name: MONGO_URL - valueFrom: - secretKeyRef: - name: *MONGO_URL_SECRET_NAME - key: *MONGO_URL_SECRET_KEY settlements-api-svc: enabled: true + config: + mongo_url_secret: + name: *MONGO_URL_SECRET_NAME + key: *MONGO_URL_SECRET_KEY ingress: enabled: false env: kafka_url: *KAFKA_URL - extraEnvs: - - name: MONGO_URL - valueFrom: - secretKeyRef: - name: *MONGO_URL_SECRET_NAME - key: *MONGO_URL_SECRET_KEY - + settlements-command-handler-svc: enabled: true + config: + mongo_url_secret: + name: *MONGO_URL_SECRET_NAME + key: *MONGO_URL_SECRET_KEY ingress: enabled: false env: kafka_url: *KAFKA_URL - extraEnvs: - - name: MONGO_URL - valueFrom: - secretKeyRef: - name: *MONGO_URL_SECRET_NAME - key: *MONGO_URL_SECRET_KEY settlements-event-handler-svc: enabled: true + config: + mongo_url_secret: + name: *MONGO_URL_SECRET_NAME + key: *MONGO_URL_SECRET_KEY ingress: enabled: false env: kafka_url: *KAFKA_URL - extraEnvs: - - name: MONGO_URL - valueFrom: - secretKeyRef: - name: *MONGO_URL_SECRET_NAME - key: *MONGO_URL_SECRET_KEY transfers-api-svc: enabled: true + config: + mongo_url_secret: + name: *MONGO_URL_SECRET_NAME + key: *MONGO_URL_SECRET_KEY ingress: enabled: false env: kafka_url: *KAFKA_URL - extraEnvs: - - name: MONGO_URL - valueFrom: - secretKeyRef: - name: *MONGO_URL_SECRET_NAME - key: *MONGO_URL_SECRET_KEY - + transfers-command-handler-svc: enabled: true + config: + mongo_url_secret: + name: *MONGO_URL_SECRET_NAME + key: *MONGO_URL_SECRET_KEY ingress: enabled: false env: kafka_url: *KAFKA_URL - extraEnvs: - - name: MONGO_URL - valueFrom: - secretKeyRef: - name: *MONGO_URL_SECRET_NAME - key: *MONGO_URL_SECRET_KEY transfers-event-handler-svc: enabled: true + config: + mongo_url_secret: + name: *MONGO_URL_SECRET_NAME + key: 
*MONGO_URL_SECRET_KEY ingress: enabled: false env: kafka_url: *KAFKA_URL - extraEnvs: - - name: MONGO_URL - valueFrom: - secretKeyRef: - name: *MONGO_URL_SECRET_NAME - key: *MONGO_URL_SECRET_KEY From 3a2ab9612e9bf13cfb1b0d45867eca544915ea5b Mon Sep 17 00:00:00 2001 From: David Fry Date: Tue, 26 Mar 2024 20:26:07 +0000 Subject: [PATCH 031/201] bump release --- terraform/k8s/default-config/vnext-vars.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/k8s/default-config/vnext-vars.yaml b/terraform/k8s/default-config/vnext-vars.yaml index ed94b9981..9c1d65fad 100644 --- a/terraform/k8s/default-config/vnext-vars.yaml +++ b/terraform/k8s/default-config/vnext-vars.yaml @@ -1,4 +1,4 @@ -vnext_chart_version: v0.0.2 +vnext_chart_version: v0.0.3 mcm_chart_version: 0.7.7 mcm_ingress_internal_lb: false vnext_ingress_internal_lb: true From d784cade92c5c4e9696ec80b78dd5f732dd6356a Mon Sep 17 00:00:00 2001 From: David Fry Date: Wed, 27 Mar 2024 08:57:50 +0000 Subject: [PATCH 032/201] fix secret name --- .../templates/vnext/vault-secret.yaml.tpl | 2 +- terraform/gitops/vnext/vnext.tf | 124 +++++++++--------- terraform/k8s/default-config/vnext-vars.yaml | 2 +- 3 files changed, 64 insertions(+), 64 deletions(-) diff --git a/terraform/gitops/generate-files/templates/vnext/vault-secret.yaml.tpl b/terraform/gitops/generate-files/templates/vnext/vault-secret.yaml.tpl index 6dd2cbdd0..943107845 100644 --- a/terraform/gitops/generate-files/templates/vnext/vault-secret.yaml.tpl +++ b/terraform/gitops/generate-files/templates/vnext/vault-secret.yaml.tpl @@ -14,7 +14,7 @@ spec: serviceAccount: name: default name: secret - path: ${vnext_mongodb_existing_secret_vault_path}/${vnext_mongodb_resource_name}/${vnext_mongodb_existing_secret} + path: ${vnext_mongo_secret_path} output: name: ${vnext_mongo_url_secret_name} stringData: diff --git a/terraform/gitops/vnext/vnext.tf b/terraform/gitops/vnext/vnext.tf index e9b47a045..635057868 100644 
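Review bot: The VaultSecret authenticates with `serviceAccount: name: default` (context just above the changed `path:`), so the Vault Kubernetes-auth role that permits reading `${vnext_mongo_secret_path}` is bound to the namespace's default ServiceAccount, which every vNext pod also runs under unless the chart assigns its own; that makes the Mongo password fetchable from Vault by any workload in the namespace, not only by the operator. Create a dedicated ServiceAccount for these reads, e.g. `serviceAccount: name: vnext-vault-reader`, and bind the Vault role to it alone. The new path is assembled in `vnext.tf` with a hard-coded `-password` suffix; a one-line comment on `path:` naming the stateful resource that generates that key would spare the next person who renames it.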
--- a/terraform/gitops/vnext/vnext.tf +++ b/terraform/gitops/vnext/vnext.tf 
@@ -1,68 +1,68 @@ module "generate_vnext_files" { source = "../generate-files" var_map = { - vnext_enabled = var.vnext_enabled - gitlab_project_url = var.gitlab_project_url - vnext_chart_repo = var.vnext_chart_repo - vnext_chart_version = try(var.app_var_map.vnext_chart_version, var.vnext_chart_version) - vnext_release_name = var.vnext_release_name - vnext_namespace = var.vnext_namespace - interop_switch_fqdn = var.external_interop_switch_fqdn - int_interop_switch_fqdn = var.internal_interop_switch_fqdn - storage_class_name = var.storage_class_name - vnext_sync_wave = var.vnext_sync_wave - vault_certman_secretname = var.vault_certman_secretname - istio_create_ingress_gateways = var.istio_create_ingress_gateways - istio_external_gateway_name = var.istio_external_gateway_name - external_load_balancer_dns = var.external_load_balancer_dns - istio_internal_wildcard_gateway_name = var.istio_internal_wildcard_gateway_name - istio_internal_gateway_namespace = var.istio_internal_gateway_namespace - istio_external_wildcard_gateway_name = var.istio_external_wildcard_gateway_name - istio_external_gateway_namespace = var.istio_external_gateway_namespace - vnext_wildcard_gateway = local.vnext_wildcard_gateway - keycloak_fqdn = var.keycloak_fqdn - keycloak_realm_name = var.keycloak_hubop_realm_name - ttk_frontend_public_fqdn = var.ttk_frontend_public_fqdn - ttk_backend_public_fqdn = var.ttk_backend_public_fqdn - kafka_host = "${local.stateful_resources[local.vnext_kafka_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local" - kafka_port = local.stateful_resources[local.vnext_kafka_resource_index].logical_service_config.logical_service_port - redis_host = "${local.stateful_resources[local.vnext_redis_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local" - redis_port = 
local.stateful_resources[local.vnext_redis_resource_index].logical_service_config.logical_service_port - enable_istio_injection = try(var.app_var_map.enable_istio_injection, false) - bof_release_name = var.bof_release_name - ory_namespace = var.ory_namespace - bof_role_perm_operator_host = "${var.bof_release_name}-security-role-perm-operator-svc.${var.ory_namespace}.svc.cluster.local" - auth_fqdn = var.auth_fqdn - vnext_mongodb_database = local.stateful_resources[local.vnext_mongodb_resource_index].logical_service_config.database_name - vnext_mongodb_user = local.stateful_resources[local.vnext_mongodb_resource_index].logical_service_config.username - vnext_mongodb_host = "${local.stateful_resources[local.vnext_mongodb_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local" - vnext_mongodb_existing_secret = local.stateful_resources[local.vnext_mongodb_resource_index].logical_service_config.user_password_secret - vnext_mongodb_port = local.stateful_resources[local.vnext_mongodb_resource_index].logical_service_config.logical_service_port - vnext_mongodb_existing_secret_vault_path = local.stateful_resources[local.vnext_mongodb_resource_index].local_resource_config.generate_secret_vault_base_path # this should go away once vnext supports passing fine grained mongo config - vnext_mongodb_resource_name = "vnext-mongodb" - vnext_mongo_url_secret_name = "vnext-mongodb-url" ## this goes away as well - keto_read_url = "http://keto-read.${var.ory_namespace}.svc.cluster.local:80" - keto_write_url = "http://keto-write.${var.ory_namespace}.svc.cluster.local:80" - kratos_service_name = "kratos-public.${var.ory_namespace}.svc.cluster.local" - portal_fqdn = var.finance_portal_fqdn - finance_portal_release_name = "fin-portal" - finance_portal_chart_version = try(var.app_var_map.finance_portal_chart_version, var.finance_portal_chart_version) - ory_stack_enabled = var.ory_stack_enabled - oathkeeper_auth_provider_name = 
var.oathkeeper_auth_provider_name - vault_secret_key = var.vault_secret_key - role_assign_svc_secret = var.role_assign_svc_secret - role_assign_svc_user = var.role_assign_svc_user - keycloak_dfsp_realm_name = var.keycloak_dfsp_realm_name - apiResources = local.apiResources - switch_dfspid = var.switch_dfspid - jws_key_secret = local.jws_key_secret - jws_key_secret_private_key_key = "tls.key" - jws_key_secret_public_key_key = "tls.crt" - cert_man_vault_cluster_issuer_name = var.cert_man_vault_cluster_issuer_name - jws_key_rsa_bits = try(var.app_var_map.jws_key_rsa_bits, var.jws_key_rsa_bits) - jws_rotation_renew_before_hours = try(var.app_var_map.jws_rotation_renew_before_hours, var.jws_rotation_renew_before_hours) - jws_rotation_period_hours = try(var.app_var_map.jws_rotation_period_hours, var.jws_rotation_period_hours) - mcm_hub_jws_endpoint = "http://mcm-connection-manager-api.${var.mcm_namespace}.svc.cluster.local:3001/api/hub/jwscerts" + vnext_enabled = var.vnext_enabled + gitlab_project_url = var.gitlab_project_url + vnext_chart_repo = var.vnext_chart_repo + vnext_chart_version = try(var.app_var_map.vnext_chart_version, var.vnext_chart_version) + vnext_release_name = var.vnext_release_name + vnext_namespace = var.vnext_namespace + interop_switch_fqdn = var.external_interop_switch_fqdn + int_interop_switch_fqdn = var.internal_interop_switch_fqdn + storage_class_name = var.storage_class_name + vnext_sync_wave = var.vnext_sync_wave + vault_certman_secretname = var.vault_certman_secretname + istio_create_ingress_gateways = var.istio_create_ingress_gateways + istio_external_gateway_name = var.istio_external_gateway_name + external_load_balancer_dns = var.external_load_balancer_dns + istio_internal_wildcard_gateway_name = var.istio_internal_wildcard_gateway_name + istio_internal_gateway_namespace = var.istio_internal_gateway_namespace + istio_external_wildcard_gateway_name = var.istio_external_wildcard_gateway_name + istio_external_gateway_namespace = 
var.istio_external_gateway_namespace + vnext_wildcard_gateway = local.vnext_wildcard_gateway + keycloak_fqdn = var.keycloak_fqdn + keycloak_realm_name = var.keycloak_hubop_realm_name + ttk_frontend_public_fqdn = var.ttk_frontend_public_fqdn + ttk_backend_public_fqdn = var.ttk_backend_public_fqdn + kafka_host = "${local.stateful_resources[local.vnext_kafka_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local" + kafka_port = local.stateful_resources[local.vnext_kafka_resource_index].logical_service_config.logical_service_port + redis_host = "${local.stateful_resources[local.vnext_redis_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local" + redis_port = local.stateful_resources[local.vnext_redis_resource_index].logical_service_config.logical_service_port + enable_istio_injection = try(var.app_var_map.enable_istio_injection, false) + bof_release_name = var.bof_release_name + ory_namespace = var.ory_namespace + bof_role_perm_operator_host = "${var.bof_release_name}-security-role-perm-operator-svc.${var.ory_namespace}.svc.cluster.local" + auth_fqdn = var.auth_fqdn + vnext_mongodb_database = local.stateful_resources[local.vnext_mongodb_resource_index].logical_service_config.database_name + vnext_mongodb_user = local.stateful_resources[local.vnext_mongodb_resource_index].logical_service_config.username + vnext_mongodb_host = "${local.stateful_resources[local.vnext_mongodb_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local" + vnext_mongodb_existing_secret = local.stateful_resources[local.vnext_mongodb_resource_index].logical_service_config.user_password_secret + vnext_mongodb_port = local.stateful_resources[local.vnext_mongodb_resource_index].logical_service_config.logical_service_port + vnext_mongo_secret_path = 
"${local.stateful_resources[local.vnext_mongodb_resource_index].local_resource_config.generate_secret_vault_base_path}/${local.stateful_resources[local.vnext_mongodb_resource_index].resource_name}/${local.stateful_resources[local.vnext_mongodb_resource_index].local_resource_config.generate_secret_name}-password" + vnext_mongodb_resource_name = "vnext-mongodb" + vnext_mongo_url_secret_name = "vnext-mongodb-url" ## this goes away as well + keto_read_url = "http://keto-read.${var.ory_namespace}.svc.cluster.local:80" + keto_write_url = "http://keto-write.${var.ory_namespace}.svc.cluster.local:80" + kratos_service_name = "kratos-public.${var.ory_namespace}.svc.cluster.local" + portal_fqdn = var.finance_portal_fqdn + finance_portal_release_name = "fin-portal" + finance_portal_chart_version = try(var.app_var_map.finance_portal_chart_version, var.finance_portal_chart_version) + ory_stack_enabled = var.ory_stack_enabled + oathkeeper_auth_provider_name = var.oathkeeper_auth_provider_name + vault_secret_key = var.vault_secret_key + role_assign_svc_secret = var.role_assign_svc_secret + role_assign_svc_user = var.role_assign_svc_user + keycloak_dfsp_realm_name = var.keycloak_dfsp_realm_name + apiResources = local.apiResources + switch_dfspid = var.switch_dfspid + jws_key_secret = local.jws_key_secret + jws_key_secret_private_key_key = "tls.key" + jws_key_secret_public_key_key = "tls.crt" + cert_man_vault_cluster_issuer_name = var.cert_man_vault_cluster_issuer_name + jws_key_rsa_bits = try(var.app_var_map.jws_key_rsa_bits, var.jws_key_rsa_bits) + jws_rotation_renew_before_hours = try(var.app_var_map.jws_rotation_renew_before_hours, var.jws_rotation_renew_before_hours) + jws_rotation_period_hours = try(var.app_var_map.jws_rotation_period_hours, var.jws_rotation_period_hours) + mcm_hub_jws_endpoint = "http://mcm-connection-manager-api.${var.mcm_namespace}.svc.cluster.local:3001/api/hub/jwscerts" } file_list = [for f in fileset(local.vnext_template_path, "**/*.tpl") : trimsuffix(f, 
".tpl") if !can(regex(local.vnext_app_file, f))] template_path = local.vnext_template_path diff --git a/terraform/k8s/default-config/vnext-vars.yaml b/terraform/k8s/default-config/vnext-vars.yaml index 9c1d65fad..1a2f4410b 100644 --- a/terraform/k8s/default-config/vnext-vars.yaml +++ b/terraform/k8s/default-config/vnext-vars.yaml @@ -1,4 +1,4 @@ -vnext_chart_version: v0.0.3 +vnext_chart_version: v0.0.6 mcm_chart_version: 0.7.7 mcm_ingress_internal_lb: false vnext_ingress_internal_lb: true From dbc9e32373e20aff2c821777411c4efaf216a03a Mon Sep 17 00:00:00 2001 From: David Fry Date: Wed, 27 Mar 2024 09:24:52 +0000 Subject: [PATCH 033/201] bump version --- terraform/k8s/default-config/vnext-vars.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/k8s/default-config/vnext-vars.yaml b/terraform/k8s/default-config/vnext-vars.yaml index 1a2f4410b..2675ba19f 100644 --- a/terraform/k8s/default-config/vnext-vars.yaml +++ b/terraform/k8s/default-config/vnext-vars.yaml @@ -1,4 +1,4 @@ -vnext_chart_version: v0.0.6 +vnext_chart_version: v0.0.7 mcm_chart_version: 0.7.7 mcm_ingress_internal_lb: false vnext_ingress_internal_lb: true From 81c63d9f6eedb38aad7da591fc5ad5f624e143e2 Mon Sep 17 00:00:00 2001 From: David Fry Date: Wed, 27 Mar 2024 10:51:12 +0000 Subject: [PATCH 034/201] fix path --- terraform/gitops/vnext/vnext.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/gitops/vnext/vnext.tf b/terraform/gitops/vnext/vnext.tf index 635057868..6546ec3dc 100644 --- a/terraform/gitops/vnext/vnext.tf +++ b/terraform/gitops/vnext/vnext.tf 
@@ -38,7 +38,7 @@ module "generate_vnext_files" {
 vnext_mongodb_host = "${local.stateful_resources[local.vnext_mongodb_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local"
 vnext_mongodb_existing_secret = local.stateful_resources[local.vnext_mongodb_resource_index].logical_service_config.user_password_secret
 vnext_mongodb_port = local.stateful_resources[local.vnext_mongodb_resource_index].logical_service_config.logical_service_port
- vnext_mongo_secret_path = "${local.stateful_resources[local.vnext_mongodb_resource_index].local_resource_config.generate_secret_vault_base_path}/${local.stateful_resources[local.vnext_mongodb_resource_index].resource_name}/${local.stateful_resources[local.vnext_mongodb_resource_index].local_resource_config.generate_secret_name}-password"
+ vnext_mongo_secret_path = "${local.stateful_resources[local.vnext_mongodb_resource_index].local_resource_config.generate_secret_vault_base_path}/${local.stateful_resources[local.vnext_mongodb_resource_index].resource_name}/${local.stateful_resources[local.vnext_mongodb_resource_index].local_resource_config.generate_secret_name}-passwords"
 vnext_mongodb_resource_name = "vnext-mongodb"
 vnext_mongo_url_secret_name = "vnext-mongodb-url" ## this goes away as well
 keto_read_url = "http://keto-read.${var.ory_namespace}.svc.cluster.local:80"
From febee89e6c5cd05681e493152b06451900810057 Mon Sep 17 00:00:00 2001
From: David Fry
Date: Wed, 27 Mar 2024 10:59:18 +0000
Subject: [PATCH 035/201] fix name again
---
 terraform/gitops/vnext/vnext.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/terraform/gitops/vnext/vnext.tf b/terraform/gitops/vnext/vnext.tf
index 6546ec3dc..082a97883 100644
--- a/terraform/gitops/vnext/vnext.tf
+++ b/terraform/gitops/vnext/vnext.tf
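Review bot: The Vault key for the Mongo password is built from a hard-coded suffix literal (`-passwords` here, `-mongodb-passwords` in the next commit's identical hunk on the following line, and `-mongodb-root-password` in a later commit), so successive fix-ups are needed to match whatever the secret generator actually writes, and nothing stops the two sides drifting apart again. Define that suffix once beside `generate_secret_name` in the stateful-resource config and reference it from `vnext_mongo_secret_path`, so a rename on the generator side cannot leave this template pointing at a Vault path that does not exist. The `module "generate_vnext_files"` block starts and ends outside the hunk.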
@@ -38,7 +38,7 @@ module "generate_vnext_files" {
 vnext_mongodb_host = "${local.stateful_resources[local.vnext_mongodb_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local"
 vnext_mongodb_existing_secret = local.stateful_resources[local.vnext_mongodb_resource_index].logical_service_config.user_password_secret
 vnext_mongodb_port = local.stateful_resources[local.vnext_mongodb_resource_index].logical_service_config.logical_service_port
- vnext_mongo_secret_path = "${local.stateful_resources[local.vnext_mongodb_resource_index].local_resource_config.generate_secret_vault_base_path}/${local.stateful_resources[local.vnext_mongodb_resource_index].resource_name}/${local.stateful_resources[local.vnext_mongodb_resource_index].local_resource_config.generate_secret_name}-passwords"
+ vnext_mongo_secret_path = "${local.stateful_resources[local.vnext_mongodb_resource_index].local_resource_config.generate_secret_vault_base_path}/${local.stateful_resources[local.vnext_mongodb_resource_index].resource_name}/${local.stateful_resources[local.vnext_mongodb_resource_index].local_resource_config.generate_secret_name}-mongodb-passwords"
 vnext_mongodb_resource_name = "vnext-mongodb"
 vnext_mongo_url_secret_name = "vnext-mongodb-url" ## this goes away as well
 keto_read_url = "http://keto-read.${var.ory_namespace}.svc.cluster.local:80"
From 8cbee6da2d0ad0149d3a8a7574e96fee024031c8 Mon Sep 17 00:00:00 2001
From: David Fry
Date: Wed, 27 Mar 2024 12:01:30 +0000
Subject: [PATCH 036/201] add service confs to value
---
 .../templates/vnext/values-vnext.yaml.tpl | 71 +++++++++++++++++--
 terraform/k8s/default-config/vnext-vars.yaml | 2 +-
 2 files changed, 66 insertions(+), 7 deletions(-)
diff --git a/terraform/gitops/generate-files/templates/vnext/values-vnext.yaml.tpl b/terraform/gitops/generate-files/templates/vnext/values-vnext.yaml.tpl
index e1b6a6d40..242f25d7f 100644
--- a/terraform/gitops/generate-files/templates/vnext/values-vnext.yaml.tpl +++ b/terraform/gitops/generate-files/templates/vnext/values-vnext.yaml.tpl @@ -8,6 +8,14 @@ CONFIG: mongo_url_secret_name: &MONGO_URL_SECRET_NAME "${vnext_mongo_url_secret_name}" mongo_url_secret_key: &MONGO_URL_SECRET_KEY "url" + platform_config_base_svc_url: &PLATFORM_CONFIG_BASE_SVC_URL http://${vnext_release_name}-platform-configuration-svc:3100 + auth_z_svc_baseurl: &AUTH_Z_SVC_BASEURL http://${vnext_release_name}-authorization-svc:3202 + auth_n_svc_baseurl: &AUTH_N_SVC_BASEURL http://${vnext_release_name}-authentication-svc:3201 + participants_svc_url: &PARTICIPANTS_SVC_URL http://${vnext_release_name}-participants-svc:3010 + elasticsearch_url: &ELASTICSEARCH_URL http://elasticsearch.monitoring.svc.cluster.local:9200 + builtin_ledger_svc_url: &BUILTIN_LEDGER_SVC_URL ${vnext_release_name}-accounts-and-balances-builtin-ledger-grpc-svc:3350 + account_and_balance_coa_svc: &ACCOUNT_AND_BALANCE_COA_SVC ${vnext_release_name}-accounts-and-balances-coa-grpc-svc:3300 + settlements_svc_url: &SETTLEMENTS_SVC_URL http://${vnext_release_name}-settlements-api-svc:3600 ## Endpiont Security endpointSecurity: &ENDPOINT_SECURITY @@ -26,6 +34,7 @@ account-lookup-http-oracle-svc: enabled: false env: kafka_url: *KAFKA_URL + account-lookup-svc: config: mongo_url_secret: @@ -36,12 +45,10 @@ account-lookup-svc: enabled: false env: kafka_url: *KAFKA_URL - extraEnvs: - - name: MONGO_URL - valueFrom: - secretKeyRef: - name: *MONGO_URL_SECRET_NAME - key: *MONGO_URL_SECRET_KEY + platform_config_base_svc_url: *PLATFORM_CONFIG_BASE_SVC_URL + auth_z_svc_baseurl: *AUTH_Z_SVC_BASEURL + auth_n_svc_baseurl: *AUTH_N_SVC_BASEURL + participants_svc_url: *PARTICIPANTS_SVC_URL accounts-and-balances-builtin-ledger-grpc-svc: config: 
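Review bot: `elasticsearch_url` in the first hunk is the only new anchor with a fixed hostname (`http://elasticsearch.monitoring.svc.cluster.local:9200`) while its siblings are derived from `${vnext_release_name}`; it belongs in a template variable alongside `kafka_host`/`redis_host` so a different monitoring namespace does not require editing this file. The new anchor values are also plain unquoted scalars whereas the existing `kafka_url: &KAFKA_URL "${kafka_host}:${kafka_port}"` is quoted; quoting them, e.g. `auth_z_svc_baseurl: &AUTH_Z_SVC_BASEURL "http://${vnext_release_name}-authorization-svc:3202"`, keeps the file consistent and protects against a substituted value that starts with a YAML indicator or contains `: `. In the third hunk the `extraEnvs` secretKeyRef for `MONGO_URL` is removed from `account-lookup-svc` while its `config.mongo_url_secret` context stays; worth confirming that the chart version pinned in the same commit actually reads that config, since otherwise the service loses its Mongo URL silently.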
@@ -55,6 +62,7 @@ accounts-and-balances-builtin-ledger-grpc-svc: kafka_url: *KAFKA_URL redis_host: *REDIS_HOST redis_port: *REDIS_PORT + platform_config_base_svc_url: *PLATFORM_CONFIG_BASE_SVC_URL accounts-and-balances-coa-grpc-svc: config: @@ -68,6 +76,8 @@ accounts-and-balances-coa-grpc-svc: kafka_url: *KAFKA_URL redis_host: *REDIS_HOST redis_port: *REDIS_PORT + elasticsearch_url: *ELASTICSEARCH_URL + builtin_ledger_svc_url: *BUILTIN_LEDGER_SVC_URL admin-ui: enabled: true @@ -80,6 +90,7 @@ auditing-svc: enabled: false env: kafka_url: *KAFKA_URL + elasticsearch_url: *ELASTICSEARCH_URL authentication-svc: enabled: true @@ -87,6 +98,7 @@ authentication-svc: enabled: false env: kafka_url: *KAFKA_URL + platform_config_base_svc_url: *PLATFORM_CONFIG_BASE_SVC_URL authorization-svc: enabled: true @@ -94,6 +106,7 @@ authorization-svc: enabled: false env: kafka_url: *KAFKA_URL + platform_config_base_svc_url: *PLATFORM_CONFIG_BASE_SVC_URL fspiop-api-svc: enabled: true @@ -105,6 +118,11 @@ fspiop-api-svc: enabled: false env: kafka_url: *KAFKA_URL + platform_config_base_svc_url: *PLATFORM_CONFIG_BASE_SVC_URL + auth_z_svc_baseurl: *AUTH_Z_SVC_BASEURL + auth_n_svc_baseurl: *AUTH_N_SVC_BASEURL + participants_svc_url: *PARTICIPANTS_SVC_URL + elasticsearch_url: *ELASTICSEARCH_URL logging-svc: enabled: true @@ -112,6 +130,7 @@ logging-svc: enabled: false env: kafka_url: *KAFKA_URL + elasticsearch_url: *ELASTICSEARCH_URL participants-svc: enabled: true @@ -123,6 +142,12 @@ participants-svc: enabled: false env: kafka_url: *KAFKA_URL + platform_config_base_svc_url: *PLATFORM_CONFIG_BASE_SVC_URL + auth_z_svc_baseurl: *AUTH_Z_SVC_BASEURL + auth_n_svc_baseurl: *AUTH_N_SVC_BASEURL + elasticsearch_url: *ELASTICSEARCH_URL + builtin_ledger_svc_url: *BUILTIN_LEDGER_SVC_URL + account_and_balance_coa_svc: *ACCOUNT_AND_BALANCE_COA_SVC platform-configuration-svc: enabled: true 
@@ -130,6 +155,8 @@ platform-configuration-svc: enabled: false env: kafka_url: *KAFKA_URL + auth_z_svc_baseurl: *AUTH_Z_SVC_BASEURL + auth_n_svc_baseurl: *AUTH_N_SVC_BASEURL quoting-svc: enabled: true @@ -141,6 +168,10 @@ quoting-svc: enabled: false env: kafka_url: *KAFKA_URL + platform_config_base_svc_url: *PLATFORM_CONFIG_BASE_SVC_URL + auth_z_svc_baseurl: *AUTH_Z_SVC_BASEURL + auth_n_svc_baseurl: *AUTH_N_SVC_BASEURL + participants_svc_url: *PARTICIPANTS_SVC_URL settlements-api-svc: enabled: true @@ -152,6 +183,11 @@ settlements-api-svc: enabled: false env: kafka_url: *KAFKA_URL + platform_config_base_svc_url: *PLATFORM_CONFIG_BASE_SVC_URL + auth_z_svc_baseurl: *AUTH_Z_SVC_BASEURL + auth_n_svc_baseurl: *AUTH_N_SVC_BASEURL + participants_svc_url: *PARTICIPANTS_SVC_URL + account_and_balance_coa_svc: *ACCOUNT_AND_BALANCE_COA_SVC settlements-command-handler-svc: enabled: true @@ -163,6 +199,11 @@ settlements-command-handler-svc: enabled: false env: kafka_url: *KAFKA_URL + platform_config_base_svc_url: *PLATFORM_CONFIG_BASE_SVC_URL + auth_z_svc_baseurl: *AUTH_Z_SVC_BASEURL + auth_n_svc_baseurl: *AUTH_N_SVC_BASEURL + participants_svc_url: *PARTICIPANTS_SVC_URL + account_and_balance_coa_svc: *ACCOUNT_AND_BALANCE_COA_SVC settlements-event-handler-svc: enabled: true @@ -174,6 +215,10 @@ settlements-event-handler-svc: enabled: false env: kafka_url: *KAFKA_URL + platform_config_base_svc_url: *PLATFORM_CONFIG_BASE_SVC_URL + auth_z_svc_baseurl: *AUTH_Z_SVC_BASEURL + auth_n_svc_baseurl: *AUTH_N_SVC_BASEURL + participants_svc_url: *PARTICIPANTS_SVC_URL transfers-api-svc: enabled: true @@ -185,6 +230,10 @@ transfers-api-svc: enabled: false env: kafka_url: *KAFKA_URL + platform_config_base_svc_url: *PLATFORM_CONFIG_BASE_SVC_URL + auth_z_svc_baseurl: *AUTH_Z_SVC_BASEURL + auth_n_svc_baseurl: *AUTH_N_SVC_BASEURL + participants_svc_url: *PARTICIPANTS_SVC_URL transfers-command-handler-svc: enabled: true 
@@ -196,6 +245,12 @@ transfers-command-handler-svc: enabled: false env: kafka_url: *KAFKA_URL + platform_config_base_svc_url: *PLATFORM_CONFIG_BASE_SVC_URL + auth_z_svc_baseurl: *AUTH_Z_SVC_BASEURL + auth_n_svc_baseurl: *AUTH_N_SVC_BASEURL + participants_svc_url: *PARTICIPANTS_SVC_URL + account_and_balance_coa_svc: *ACCOUNT_AND_BALANCE_COA_SVC + settlements_svc_url: *SETTLEMENTS_SVC_URL transfers-event-handler-svc: enabled: true @@ -207,3 +262,7 @@ transfers-event-handler-svc: enabled: false env: kafka_url: *KAFKA_URL + platform_config_base_svc_url: *PLATFORM_CONFIG_BASE_SVC_URL + auth_z_svc_baseurl: *AUTH_Z_SVC_BASEURL + auth_n_svc_baseurl: *AUTH_N_SVC_BASEURL + participants_svc_url: *PARTICIPANTS_SVC_URL diff --git a/terraform/k8s/default-config/vnext-vars.yaml b/terraform/k8s/default-config/vnext-vars.yaml index 2675ba19f..d8ce1c6cc 100644 --- a/terraform/k8s/default-config/vnext-vars.yaml +++ b/terraform/k8s/default-config/vnext-vars.yaml @@ -1,4 +1,4 @@ -vnext_chart_version: v0.0.7 +vnext_chart_version: v0.0.8 mcm_chart_version: 0.7.7 mcm_ingress_internal_lb: false vnext_ingress_internal_lb: true From 7ed38755b1b584e755f618b74151f75ade5ecf89 Mon Sep 17 00:00:00 2001 From: David Fry Date: Wed, 27 Mar 2024 12:03:02 +0000 Subject: [PATCH 037/201] bump version --- terraform/k8s/default-config/vnext-vars.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/k8s/default-config/vnext-vars.yaml b/terraform/k8s/default-config/vnext-vars.yaml index d8ce1c6cc..be2b3c5f0 100644 --- a/terraform/k8s/default-config/vnext-vars.yaml +++ b/terraform/k8s/default-config/vnext-vars.yaml @@ -1,4 +1,4 @@ -vnext_chart_version: v0.0.8 +vnext_chart_version: v0.0.9 mcm_chart_version: 0.7.7 mcm_ingress_internal_lb: false vnext_ingress_internal_lb: true From 00e671fc0ff88f4a0516e19d1bf574bb46d5c7f1 Mon Sep 17 00:00:00 2001 
From: David Fry
Date: Wed, 27 Mar 2024 12:59:32 +0000
Subject: [PATCH 038/201] try root pw on mongodb no db
---
 .../generate-files/templates/vnext/vault-secret.yaml.tpl | 2 +-
 terraform/gitops/vnext/vnext.tf | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/terraform/gitops/generate-files/templates/vnext/vault-secret.yaml.tpl b/terraform/gitops/generate-files/templates/vnext/vault-secret.yaml.tpl
index 943107845..f159e8122 100644
--- a/terraform/gitops/generate-files/templates/vnext/vault-secret.yaml.tpl
+++ b/terraform/gitops/generate-files/templates/vnext/vault-secret.yaml.tpl
@@ -18,7 +18,7 @@ spec:
 output:
 name: ${vnext_mongo_url_secret_name}
 stringData:
- url: 'mongodb://${vnext_mongodb_user}:{{ .secret.password }}@${vnext_mongodb_host}:${vnext_mongodb_port}/${vnext_mongodb_database}'
+ url: 'mongodb://${vnext_mongodb_user}:{{ .secret.password }}@${vnext_mongodb_host}:${vnext_mongodb_port}'
 type: Opaque
 ---
 apiVersion: cert-manager.io/v1
diff --git a/terraform/gitops/vnext/vnext.tf b/terraform/gitops/vnext/vnext.tf
index 082a97883..88fb1767b 100644
--- a/terraform/gitops/vnext/vnext.tf
+++ b/terraform/gitops/vnext/vnext.tf
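Review bot: Removing `/${vnext_mongodb_database}` from the URL leaves the connection string without a default database, so each consumer now has to name its database itself (drivers fall back to a default otherwise), while `vnext_mongodb_database` is still computed and passed in the vnext.tf hunk of this commit and is now unused here. Either keep the database segment and change only the user, or record the intent on the line, e.g. `# database segment intentionally omitted: consumers select their own db`, and drop the now-dead variable. Note also that the password is spliced into a URI verbatim: if the generator's alphabet can include `@`, `:`, `/` or `%`, the value has to be percent-encoded before insertion, which this template cannot do — worth confirming which characters the generated secret may contain.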
@@ -34,11 +34,11 @@ module "generate_vnext_files" {
 bof_role_perm_operator_host = "${var.bof_release_name}-security-role-perm-operator-svc.${var.ory_namespace}.svc.cluster.local"
 auth_fqdn = var.auth_fqdn
 vnext_mongodb_database = local.stateful_resources[local.vnext_mongodb_resource_index].logical_service_config.database_name
- vnext_mongodb_user = local.stateful_resources[local.vnext_mongodb_resource_index].logical_service_config.username
+ vnext_mongodb_user = "root"
 vnext_mongodb_host = "${local.stateful_resources[local.vnext_mongodb_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local"
 vnext_mongodb_existing_secret = local.stateful_resources[local.vnext_mongodb_resource_index].logical_service_config.user_password_secret
 vnext_mongodb_port = local.stateful_resources[local.vnext_mongodb_resource_index].logical_service_config.logical_service_port
- vnext_mongo_secret_path = "${local.stateful_resources[local.vnext_mongodb_resource_index].local_resource_config.generate_secret_vault_base_path}/${local.stateful_resources[local.vnext_mongodb_resource_index].resource_name}/${local.stateful_resources[local.vnext_mongodb_resource_index].local_resource_config.generate_secret_name}-mongodb-passwords"
+ vnext_mongo_secret_path = "${local.stateful_resources[local.vnext_mongodb_resource_index].local_resource_config.generate_secret_vault_base_path}/${local.stateful_resources[local.vnext_mongodb_resource_index].resource_name}/${local.stateful_resources[local.vnext_mongodb_resource_index].local_resource_config.generate_secret_name}-mongodb-root-password"
 vnext_mongodb_resource_name = "vnext-mongodb"
 vnext_mongo_url_secret_name = "vnext-mongodb-url" ## this goes away as well
 keto_read_url = "http://keto-read.${var.ory_namespace}.svc.cluster.local:80"
From 2250b9d5a3b3fa0709f1566bfec58dc868421ef2 Mon Sep 17 00:00:00 2001
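Review bot: `vnext_mongodb_user = "root"` connects every vnext service as the MongoDB root user instead of the per-resource `logical_service_config.username` it replaces, which is more privilege than any application service needs and turns a leak of the `vnext-mongodb-url` secret into full control of the database. The commit title reads as an experiment; if the application user could not authenticate, the fix belongs in that user's grants or the connection's `authSource`, not in swapping to root. If root is kept deliberately for now, say so on the line, e.g. `vnext_mongodb_user = "root" # TEMP: until the vnext app user is granted access; revert before release`, so it is not forgotten. The `-mongodb-root-password` suffix is the same hard-coded literal pattern as the earlier secret-path fix-ups. The `module "generate_vnext_files"` block starts and ends outside the hunk.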
From: Vijay
Date: Wed, 27 Mar 2024 18:34:30 +0530
Subject: [PATCH 039/201] fix: added custom dumper for pm4ml merge function
---
 .../k8s-cluster/.gitlab/scripts/dictmerge.py | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/terraform/gitlab/ci-templates/k8s-cluster/.gitlab/scripts/dictmerge.py b/terraform/gitlab/ci-templates/k8s-cluster/.gitlab/scripts/dictmerge.py
index 3b2974504..af5356649 100755
--- a/terraform/gitlab/ci-templates/k8s-cluster/.gitlab/scripts/dictmerge.py
+++ b/terraform/gitlab/ci-templates/k8s-cluster/.gitlab/scripts/dictmerge.py
@@ -15,6 +15,14 @@ yaml.Dumper.ignore_aliases = lambda *args : True
+# Custom Dumper to handle single quoted integers
+class CustomDumper(yaml.Dumper):
+ def represent_data(self, data):
+ if isinstance(data, str) and data.isdigit():
+ return self.represent_scalar('tag:yaml.org,2002:str', data, style="'")
+
+ return super(CustomDumper, self).represent_data(data)
+
 def mergedicts(dict1, dict2):
 for k in set(dict1.keys()).union(dict2.keys()):
 if k in dict1 and k in dict2:
@@ -118,7 +126,7 @@ def mergeListOfDicts(data1, data2, fileName, outputFilename, fileType):
 mergedItems.append(dict(mergedicts(data1, item)))
 mergedDict["pm4mls"] = mergedItems
 with open(outputFilename, 'w') as file:
- yaml.dump(mergedDict, file, indent=4 , default_flow_style=False)
+ yaml.dump(mergedDict, file, indent=4 , default_flow_style=False, Dumper=CustomDumper)
 elif fileName in ( "common-stateful-resources.json" , "mojaloop-stateful-resources.json" , "mojaloop-rbac-api-resources.yaml" ):
 mergeListOfDicts(data1, data2, fileName, outputFilename, defaultExt)
From 2c4a3f54e8ad60f06099eaf0f111ab1e0e13f71c Mon Sep 17 00:00:00 2001
From: David Fry
Date: Wed, 27 Mar 2024 13:18:29 +0000
Subject: [PATCH 040/201] blanket apply env vars
---
 .../templates/vnext/values-vnext.yaml.tpl | 158 +++++++++++++++++-
 1 file changed, 156 insertions(+), 2 deletions(-)
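Review bot: `CustomDumper.represent_data` in the first hunk quotes only strings for which `str.isdigit()` is true, which admits non-ASCII digit characters and leaves the other strings YAML would re-type on reload (`'1.20'`, `'1e5'`, `'22:22'`, `'yes'`) to the default representer; PyYAML's stock emitter already single-quotes plain strings its resolver would re-type, so it is worth confirming with a round-trip test which values actually came out unquoted before, and tightening the predicate to `data.isascii() and data.isdigit()` if this script runs on Python 3.7 or later. The class should carry a docstring stating why the override exists (all-digit string values must survive the merge as strings), and `super(CustomDumper, self)` can be `super()`. Only the pm4mls `yaml.dump` in the second hunk passes `Dumper=CustomDumper`; any other `yaml.dump` call in this file still uses the stock Dumper, so the same value can be emitted differently depending on which branch runs. `mergeListOfDicts` starts and ends outside the hunk.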
diff --git a/terraform/gitops/generate-files/templates/vnext/values-vnext.yaml.tpl b/terraform/gitops/generate-files/templates/vnext/values-vnext.yaml.tpl index 242f25d7f..646541913 100644 --- a/terraform/gitops/generate-files/templates/vnext/values-vnext.yaml.tpl +++ b/terraform/gitops/generate-files/templates/vnext/values-vnext.yaml.tpl @@ -4,10 +4,8 @@ CONFIG: kafka_url: &KAFKA_URL "${kafka_host}:${kafka_port}" redis_host: &REDIS_HOST "${redis_host}" redis_port: &REDIS_PORT ${redis_port} - mongo_url_secret_name: &MONGO_URL_SECRET_NAME "${vnext_mongo_url_secret_name}" mongo_url_secret_key: &MONGO_URL_SECRET_KEY "url" - platform_config_base_svc_url: &PLATFORM_CONFIG_BASE_SVC_URL http://${vnext_release_name}-platform-configuration-svc:3100 auth_z_svc_baseurl: &AUTH_Z_SVC_BASEURL http://${vnext_release_name}-authorization-svc:3202 auth_n_svc_baseurl: &AUTH_N_SVC_BASEURL http://${vnext_release_name}-authentication-svc:3201 @@ -34,6 +32,18 @@ account-lookup-http-oracle-svc: enabled: false env: kafka_url: *KAFKA_URL + redis_host: *REDIS_HOST + redis_port: *REDIS_PORT + mongo_url_secret_name: *MONGO_URL_SECRET_NAME + mongo_url_secret_key: *MONGO_URL_SECRET_KEY + platform_config_base_svc_url: *PLATFORM_CONFIG_BASE_SVC_URL + auth_z_svc_baseurl: *AUTH_Z_SVC_BASEURL + auth_n_svc_baseurl: *AUTH_N_SVC_BASEURL + participants_svc_url: *PARTICIPANTS_SVC_URL + elasticsearch_url: *ELASTICSEARCH_URL + builtin_ledger_svc_url: *BUILTIN_LEDGER_SVC_URL + account_and_balance_coa_svc: *ACCOUNT_AND_BALANCE_COA_SVC + settlements_svc_url: *SETTLEMENTS_SVC_URL account-lookup-svc: config: 
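Review bot: The two `-` lines in the first hunk (`@@ -4,10 +4,8 @@`) fall exactly on `mongo_url_secret_name: &MONGO_URL_SECRET_NAME …` and `platform_config_base_svc_url: &PLATFORM_CONFIG_BASE_SVC_URL …`; in this rendering it cannot be told whether the deletions are those two definitions or the blank lines next to them, but if the anchors were removed, every `*MONGO_URL_SECRET_NAME` and `*PLATFORM_CONFIG_BASE_SVC_URL` alias added in the later hunks is undefined and the rendered values file fails to parse, so please check the real diff. Separately, the same full `env` block is now given to every service, including `mongo_url_secret_name`/`mongo_url_secret_key` for services whose per-service list in the previous commit had no Mongo entry; if the chart turns those keys into a secretKeyRef, a Mongo credential ends up mounted into pods that never use it, which is the opposite of least privilege. Keep the per-service lists, or at least omit the Mongo keys where the service has no `config.mongo_url_secret`. The same pattern repeats in every hunk of this file through `transfers-event-handler-svc`.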
@@ -45,10 +55,18 @@ account-lookup-svc: enabled: false env: kafka_url: *KAFKA_URL + redis_host: *REDIS_HOST + redis_port: *REDIS_PORT + mongo_url_secret_name: *MONGO_URL_SECRET_NAME + mongo_url_secret_key: *MONGO_URL_SECRET_KEY platform_config_base_svc_url: *PLATFORM_CONFIG_BASE_SVC_URL auth_z_svc_baseurl: *AUTH_Z_SVC_BASEURL auth_n_svc_baseurl: *AUTH_N_SVC_BASEURL participants_svc_url: *PARTICIPANTS_SVC_URL + elasticsearch_url: *ELASTICSEARCH_URL + builtin_ledger_svc_url: *BUILTIN_LEDGER_SVC_URL + account_and_balance_coa_svc: *ACCOUNT_AND_BALANCE_COA_SVC + settlements_svc_url: *SETTLEMENTS_SVC_URL accounts-and-balances-builtin-ledger-grpc-svc: config: @@ -62,7 +80,16 @@ accounts-and-balances-builtin-ledger-grpc-svc: kafka_url: *KAFKA_URL redis_host: *REDIS_HOST redis_port: *REDIS_PORT + mongo_url_secret_name: *MONGO_URL_SECRET_NAME + mongo_url_secret_key: *MONGO_URL_SECRET_KEY platform_config_base_svc_url: *PLATFORM_CONFIG_BASE_SVC_URL + auth_z_svc_baseurl: *AUTH_Z_SVC_BASEURL + auth_n_svc_baseurl: *AUTH_N_SVC_BASEURL + participants_svc_url: *PARTICIPANTS_SVC_URL + elasticsearch_url: *ELASTICSEARCH_URL + builtin_ledger_svc_url: *BUILTIN_LEDGER_SVC_URL + account_and_balance_coa_svc: *ACCOUNT_AND_BALANCE_COA_SVC + settlements_svc_url: *SETTLEMENTS_SVC_URL accounts-and-balances-coa-grpc-svc: config: @@ -76,8 +103,16 @@ accounts-and-balances-coa-grpc-svc: kafka_url: *KAFKA_URL redis_host: *REDIS_HOST redis_port: *REDIS_PORT + mongo_url_secret_name: *MONGO_URL_SECRET_NAME + mongo_url_secret_key: *MONGO_URL_SECRET_KEY + platform_config_base_svc_url: *PLATFORM_CONFIG_BASE_SVC_URL + auth_z_svc_baseurl: *AUTH_Z_SVC_BASEURL + auth_n_svc_baseurl: *AUTH_N_SVC_BASEURL + participants_svc_url: *PARTICIPANTS_SVC_URL elasticsearch_url: *ELASTICSEARCH_URL builtin_ledger_svc_url: *BUILTIN_LEDGER_SVC_URL + account_and_balance_coa_svc: *ACCOUNT_AND_BALANCE_COA_SVC + settlements_svc_url: *SETTLEMENTS_SVC_URL admin-ui: enabled: true 
@@ -90,7 +125,18 @@ auditing-svc: enabled: false env: kafka_url: *KAFKA_URL + redis_host: *REDIS_HOST + redis_port: *REDIS_PORT + mongo_url_secret_name: *MONGO_URL_SECRET_NAME + mongo_url_secret_key: *MONGO_URL_SECRET_KEY + platform_config_base_svc_url: *PLATFORM_CONFIG_BASE_SVC_URL + auth_z_svc_baseurl: *AUTH_Z_SVC_BASEURL + auth_n_svc_baseurl: *AUTH_N_SVC_BASEURL + participants_svc_url: *PARTICIPANTS_SVC_URL elasticsearch_url: *ELASTICSEARCH_URL + builtin_ledger_svc_url: *BUILTIN_LEDGER_SVC_URL + account_and_balance_coa_svc: *ACCOUNT_AND_BALANCE_COA_SVC + settlements_svc_url: *SETTLEMENTS_SVC_URL authentication-svc: enabled: true @@ -98,7 +144,18 @@ authentication-svc: enabled: false env: kafka_url: *KAFKA_URL + redis_host: *REDIS_HOST + redis_port: *REDIS_PORT + mongo_url_secret_name: *MONGO_URL_SECRET_NAME + mongo_url_secret_key: *MONGO_URL_SECRET_KEY platform_config_base_svc_url: *PLATFORM_CONFIG_BASE_SVC_URL + auth_z_svc_baseurl: *AUTH_Z_SVC_BASEURL + auth_n_svc_baseurl: *AUTH_N_SVC_BASEURL + participants_svc_url: *PARTICIPANTS_SVC_URL + elasticsearch_url: *ELASTICSEARCH_URL + builtin_ledger_svc_url: *BUILTIN_LEDGER_SVC_URL + account_and_balance_coa_svc: *ACCOUNT_AND_BALANCE_COA_SVC + settlements_svc_url: *SETTLEMENTS_SVC_URL authorization-svc: enabled: true @@ -106,7 +163,18 @@ authorization-svc: enabled: false env: kafka_url: *KAFKA_URL + redis_host: *REDIS_HOST + redis_port: *REDIS_PORT + mongo_url_secret_name: *MONGO_URL_SECRET_NAME + mongo_url_secret_key: *MONGO_URL_SECRET_KEY platform_config_base_svc_url: *PLATFORM_CONFIG_BASE_SVC_URL + auth_z_svc_baseurl: *AUTH_Z_SVC_BASEURL + auth_n_svc_baseurl: *AUTH_N_SVC_BASEURL + participants_svc_url: *PARTICIPANTS_SVC_URL + elasticsearch_url: *ELASTICSEARCH_URL + builtin_ledger_svc_url: *BUILTIN_LEDGER_SVC_URL + account_and_balance_coa_svc: *ACCOUNT_AND_BALANCE_COA_SVC + settlements_svc_url: *SETTLEMENTS_SVC_URL fspiop-api-svc: enabled: true 
@@ -118,11 +186,18 @@ fspiop-api-svc: enabled: false env: kafka_url: *KAFKA_URL + redis_host: *REDIS_HOST + redis_port: *REDIS_PORT + mongo_url_secret_name: *MONGO_URL_SECRET_NAME + mongo_url_secret_key: *MONGO_URL_SECRET_KEY platform_config_base_svc_url: *PLATFORM_CONFIG_BASE_SVC_URL auth_z_svc_baseurl: *AUTH_Z_SVC_BASEURL auth_n_svc_baseurl: *AUTH_N_SVC_BASEURL participants_svc_url: *PARTICIPANTS_SVC_URL elasticsearch_url: *ELASTICSEARCH_URL + builtin_ledger_svc_url: *BUILTIN_LEDGER_SVC_URL + account_and_balance_coa_svc: *ACCOUNT_AND_BALANCE_COA_SVC + settlements_svc_url: *SETTLEMENTS_SVC_URL logging-svc: enabled: true @@ -130,7 +205,18 @@ logging-svc: enabled: false env: kafka_url: *KAFKA_URL + redis_host: *REDIS_HOST + redis_port: *REDIS_PORT + mongo_url_secret_name: *MONGO_URL_SECRET_NAME + mongo_url_secret_key: *MONGO_URL_SECRET_KEY + platform_config_base_svc_url: *PLATFORM_CONFIG_BASE_SVC_URL + auth_z_svc_baseurl: *AUTH_Z_SVC_BASEURL + auth_n_svc_baseurl: *AUTH_N_SVC_BASEURL + participants_svc_url: *PARTICIPANTS_SVC_URL elasticsearch_url: *ELASTICSEARCH_URL + builtin_ledger_svc_url: *BUILTIN_LEDGER_SVC_URL + account_and_balance_coa_svc: *ACCOUNT_AND_BALANCE_COA_SVC + settlements_svc_url: *SETTLEMENTS_SVC_URL participants-svc: enabled: true @@ -142,12 +228,18 @@ participants-svc: enabled: false env: kafka_url: *KAFKA_URL + redis_host: *REDIS_HOST + redis_port: *REDIS_PORT + mongo_url_secret_name: *MONGO_URL_SECRET_NAME + mongo_url_secret_key: *MONGO_URL_SECRET_KEY platform_config_base_svc_url: *PLATFORM_CONFIG_BASE_SVC_URL auth_z_svc_baseurl: *AUTH_Z_SVC_BASEURL auth_n_svc_baseurl: *AUTH_N_SVC_BASEURL + participants_svc_url: *PARTICIPANTS_SVC_URL elasticsearch_url: *ELASTICSEARCH_URL builtin_ledger_svc_url: *BUILTIN_LEDGER_SVC_URL account_and_balance_coa_svc: *ACCOUNT_AND_BALANCE_COA_SVC + settlements_svc_url: *SETTLEMENTS_SVC_URL platform-configuration-svc: enabled: true 
@@ -155,8 +247,18 @@ platform-configuration-svc: enabled: false env: kafka_url: *KAFKA_URL + redis_host: *REDIS_HOST + redis_port: *REDIS_PORT + mongo_url_secret_name: *MONGO_URL_SECRET_NAME + mongo_url_secret_key: *MONGO_URL_SECRET_KEY + platform_config_base_svc_url: *PLATFORM_CONFIG_BASE_SVC_URL auth_z_svc_baseurl: *AUTH_Z_SVC_BASEURL auth_n_svc_baseurl: *AUTH_N_SVC_BASEURL + participants_svc_url: *PARTICIPANTS_SVC_URL + elasticsearch_url: *ELASTICSEARCH_URL + builtin_ledger_svc_url: *BUILTIN_LEDGER_SVC_URL + account_and_balance_coa_svc: *ACCOUNT_AND_BALANCE_COA_SVC + settlements_svc_url: *SETTLEMENTS_SVC_URL quoting-svc: enabled: true @@ -168,10 +270,18 @@ quoting-svc: enabled: false env: kafka_url: *KAFKA_URL + redis_host: *REDIS_HOST + redis_port: *REDIS_PORT + mongo_url_secret_name: *MONGO_URL_SECRET_NAME + mongo_url_secret_key: *MONGO_URL_SECRET_KEY platform_config_base_svc_url: *PLATFORM_CONFIG_BASE_SVC_URL auth_z_svc_baseurl: *AUTH_Z_SVC_BASEURL auth_n_svc_baseurl: *AUTH_N_SVC_BASEURL participants_svc_url: *PARTICIPANTS_SVC_URL + elasticsearch_url: *ELASTICSEARCH_URL + builtin_ledger_svc_url: *BUILTIN_LEDGER_SVC_URL + account_and_balance_coa_svc: *ACCOUNT_AND_BALANCE_COA_SVC + settlements_svc_url: *SETTLEMENTS_SVC_URL settlements-api-svc: enabled: true @@ -183,11 +293,18 @@ settlements-api-svc: enabled: false env: kafka_url: *KAFKA_URL + redis_host: *REDIS_HOST + redis_port: *REDIS_PORT + mongo_url_secret_name: *MONGO_URL_SECRET_NAME + mongo_url_secret_key: *MONGO_URL_SECRET_KEY platform_config_base_svc_url: *PLATFORM_CONFIG_BASE_SVC_URL auth_z_svc_baseurl: *AUTH_Z_SVC_BASEURL auth_n_svc_baseurl: *AUTH_N_SVC_BASEURL participants_svc_url: *PARTICIPANTS_SVC_URL + elasticsearch_url: *ELASTICSEARCH_URL + builtin_ledger_svc_url: *BUILTIN_LEDGER_SVC_URL account_and_balance_coa_svc: *ACCOUNT_AND_BALANCE_COA_SVC + settlements_svc_url: *SETTLEMENTS_SVC_URL settlements-command-handler-svc: enabled: true 
@@ -199,11 +316,18 @@ settlements-command-handler-svc: enabled: false env: kafka_url: *KAFKA_URL + redis_host: *REDIS_HOST + redis_port: *REDIS_PORT + mongo_url_secret_name: *MONGO_URL_SECRET_NAME + mongo_url_secret_key: *MONGO_URL_SECRET_KEY platform_config_base_svc_url: *PLATFORM_CONFIG_BASE_SVC_URL auth_z_svc_baseurl: *AUTH_Z_SVC_BASEURL auth_n_svc_baseurl: *AUTH_N_SVC_BASEURL participants_svc_url: *PARTICIPANTS_SVC_URL + elasticsearch_url: *ELASTICSEARCH_URL + builtin_ledger_svc_url: *BUILTIN_LEDGER_SVC_URL account_and_balance_coa_svc: *ACCOUNT_AND_BALANCE_COA_SVC + settlements_svc_url: *SETTLEMENTS_SVC_URL settlements-event-handler-svc: enabled: true @@ -215,10 +339,18 @@ settlements-event-handler-svc: enabled: false env: kafka_url: *KAFKA_URL + redis_host: *REDIS_HOST + redis_port: *REDIS_PORT + mongo_url_secret_name: *MONGO_URL_SECRET_NAME + mongo_url_secret_key: *MONGO_URL_SECRET_KEY platform_config_base_svc_url: *PLATFORM_CONFIG_BASE_SVC_URL auth_z_svc_baseurl: *AUTH_Z_SVC_BASEURL auth_n_svc_baseurl: *AUTH_N_SVC_BASEURL participants_svc_url: *PARTICIPANTS_SVC_URL + elasticsearch_url: *ELASTICSEARCH_URL + builtin_ledger_svc_url: *BUILTIN_LEDGER_SVC_URL + account_and_balance_coa_svc: *ACCOUNT_AND_BALANCE_COA_SVC + settlements_svc_url: *SETTLEMENTS_SVC_URL transfers-api-svc: enabled: true @@ -230,10 +362,18 @@ transfers-api-svc: enabled: false env: kafka_url: *KAFKA_URL + redis_host: *REDIS_HOST + redis_port: *REDIS_PORT + mongo_url_secret_name: *MONGO_URL_SECRET_NAME + mongo_url_secret_key: *MONGO_URL_SECRET_KEY platform_config_base_svc_url: *PLATFORM_CONFIG_BASE_SVC_URL auth_z_svc_baseurl: *AUTH_Z_SVC_BASEURL auth_n_svc_baseurl: *AUTH_N_SVC_BASEURL participants_svc_url: *PARTICIPANTS_SVC_URL + elasticsearch_url: *ELASTICSEARCH_URL + builtin_ledger_svc_url: *BUILTIN_LEDGER_SVC_URL + account_and_balance_coa_svc: *ACCOUNT_AND_BALANCE_COA_SVC + settlements_svc_url: *SETTLEMENTS_SVC_URL transfers-command-handler-svc: enabled: true 
@@ -245,10 +385,16 @@ transfers-command-handler-svc: enabled: false env: kafka_url: *KAFKA_URL + redis_host: *REDIS_HOST + redis_port: *REDIS_PORT + mongo_url_secret_name: *MONGO_URL_SECRET_NAME + mongo_url_secret_key: *MONGO_URL_SECRET_KEY platform_config_base_svc_url: *PLATFORM_CONFIG_BASE_SVC_URL auth_z_svc_baseurl: *AUTH_Z_SVC_BASEURL auth_n_svc_baseurl: *AUTH_N_SVC_BASEURL participants_svc_url: *PARTICIPANTS_SVC_URL + elasticsearch_url: *ELASTICSEARCH_URL + builtin_ledger_svc_url: *BUILTIN_LEDGER_SVC_URL account_and_balance_coa_svc: *ACCOUNT_AND_BALANCE_COA_SVC settlements_svc_url: *SETTLEMENTS_SVC_URL @@ -262,7 +408,15 @@ transfers-event-handler-svc: enabled: false env: kafka_url: *KAFKA_URL + redis_host: *REDIS_HOST + redis_port: *REDIS_PORT + mongo_url_secret_name: *MONGO_URL_SECRET_NAME + mongo_url_secret_key: *MONGO_URL_SECRET_KEY platform_config_base_svc_url: *PLATFORM_CONFIG_BASE_SVC_URL auth_z_svc_baseurl: *AUTH_Z_SVC_BASEURL auth_n_svc_baseurl: *AUTH_N_SVC_BASEURL participants_svc_url: *PARTICIPANTS_SVC_URL + elasticsearch_url: *ELASTICSEARCH_URL + builtin_ledger_svc_url: *BUILTIN_LEDGER_SVC_URL + account_and_balance_coa_svc: *ACCOUNT_AND_BALANCE_COA_SVC + settlements_svc_url: *SETTLEMENTS_SVC_URL From 4841eb768c0a45a962170bc30a36650e036d589d Mon Sep 17 00:00:00 2001 From: David Fry Date: Wed, 27 Mar 2024 14:38:12 +0000 Subject: [PATCH 041/201] updaate topics for kafka --- .../vnext-stateful-resources.json | 283 ++++++------------ 1 file changed, 85 insertions(+), 198 deletions(-) diff --git a/terraform/k8s/default-config/vnext-stateful-resources.json b/terraform/k8s/default-config/vnext-stateful-resources.json index a137265b5..e97bb5ca0 100644 --- a/terraform/k8s/default-config/vnext-stateful-resources.json +++ b/terraform/k8s/default-config/vnext-stateful-resources.json 
@@ -118,204 +118,91 @@ "kafka_provisioning": { "enabled": true, "topics": [ - { - "name": "topic-event", - "partitions": 12, - "replicationFactor": 3, - "config": { - "cleanup.policy": "delete", - "retention.ms": "-1", - "segment.bytes": "52428800", - "retention.bytes": "262144000" - } - }, - { - "name": "topic-transfer-prepare", - "partitions": 12, - "replicationFactor": 3, - "config": { - "cleanup.policy": "delete", - "retention.ms": "-1", - "segment.bytes": "52428800", - "retention.bytes": "262144000" - } - }, - { - "name": "topic-transfer-position", - "partitions": 12, - "replicationFactor": 3, - "config": { - "cleanup.policy": "delete", - "retention.ms": "-1", - "segment.bytes": "52428800", - "retention.bytes": "262144000" - } - }, - { - "name": "topic-transfer-position-batch", - "partitions": 12, - "replicationFactor": 3, - "config": { - "cleanup.policy": "delete", - "retention.ms": "-1", - "segment.bytes": "52428800", - "retention.bytes": "262144000" - } - }, - { - "name": "topic-transfer-fulfil", - "partitions": 12, - "replicationFactor": 3, - "config": { - "cleanup.policy": "delete", - "retention.ms": "-1", - "segment.bytes": "52428800", - "retention.bytes": "262144000" - } - }, - { - "name": "topic-notification-event", - "partitions": 12, - "replicationFactor": 3, - "config": { - "cleanup.policy": "delete", - "retention.ms": "-1", - "segment.bytes": "52428800", - "retention.bytes": "262144000" - } - }, - { - "name": "topic-transfer-get", - "partitions": 12, - "replicationFactor": 3, - "config": { - "cleanup.policy": "delete", - "retention.ms": "-1", - "segment.bytes": "52428800", - "retention.bytes": "262144000" - } - }, - { - "name": "topic-admin-transfer", - "partitions": 12, - "replicationFactor": 3, - "config": { - "cleanup.policy": "delete", - "retention.ms": "-1", - "segment.bytes": "52428800", - "retention.bytes": "262144000" - } - }, - { - "name": "topic-bulk-prepare", - "partitions": 12, - "replicationFactor": 3, - "config": { - "cleanup.policy": 
"delete", - "retention.ms": "-1", - "segment.bytes": "52428800", - "retention.bytes": "262144000" - } - }, - { - "name": "topic-bulk-fulfil", - "partitions": 12, - "replicationFactor": 3, - "config": { - "cleanup.policy": "delete", - "retention.ms": "-1", - "segment.bytes": "52428800", - "retention.bytes": "262144000" - } - }, - { - "name": "topic-bulk-processing", - "partitions": 12, - "replicationFactor": 3, - "config": { - "cleanup.policy": "delete", - "retention.ms": "-1", - "segment.bytes": "52428800", - "retention.bytes": "262144000" - } - }, - { - "name": "topic-bulk-get", - "partitions": 12, - "replicationFactor": 3, - "config": { - "cleanup.policy": "delete", - "retention.ms": "-1", - "segment.bytes": "52428800", - "retention.bytes": "262144000" - } - }, - { - "name": "topic-quotes-post", - "partitions": 12, - "replicationFactor": 3, - "config": { - "cleanup.policy": "delete", - "retention.ms": "-1", - "segment.bytes": "52428800", - "retention.bytes": "262144000" - } - }, - { - "name": "topic-quotes-put", - "partitions": 12, - "replicationFactor": 3, - "config": { - "cleanup.policy": "delete", - "retention.ms": "-1", - "segment.bytes": "52428800", - "retention.bytes": "262144000" - } - }, - { - "name": "topic-quotes-get", - "partitions": 12, - "replicationFactor": 3, - "config": { - "cleanup.policy": "delete", - "retention.ms": "-1", - "segment.bytes": "52428800", - "retention.bytes": "262144000" - } - }, - { - "name": "topic-bulkquotes-post", - "partitions": 12, - "replicationFactor": 3, - "config": { - "cleanup.policy": "delete", - "retention.ms": "-1", - "segment.bytes": "52428800", - "retention.bytes": "262144000" - } - }, - { - "name": "topic-bulkquotes-put", - "partitions": 12, - "replicationFactor": 3, - "config": { - "cleanup.policy": "delete", - "retention.ms": "-1", - "segment.bytes": "52428800", - "retention.bytes": "262144000" - } - }, - { - "name": "topic-bulkquotes-get", - "partitions": 12, - "replicationFactor": 3, - "config": { - 
"cleanup.policy": "delete", - "retention.ms": "-1", - "segment.bytes": "52428800", - "retention.bytes": "262144000" - } - } + { + "name": "audits", + "partitions": 1, + "replicationFactor": 1 + }, + { + "name": "logs", + "partitions": 1, + "replicationFactor": 1 + }, + { + "name": "AccountLookupBcEvents", + "partitions": 1, + "replicationFactor": 1 + }, + { + "name": "AccountLookupBcRequests", + "partitions": 1, + "replicationFactor": 1 + }, + { + "name": "AccountLookupBcResponses", + "partitions": 1, + "replicationFactor": 1 + }, + { + "name": "AccountLookupBcErrors", + "partitions": 1, + "replicationFactor": 1 + }, + { + "name": "OperatorBcErrors", + "partitions": 1, + "replicationFactor": 1 + }, + { + "name": "QuotingBcEvents", + "partitions": 1, + "replicationFactor": 1 + }, + { + "name": "QuotingBcRequests", + "partitions": 1, + "replicationFactor": 1 + }, + { + "name": "QuotingBcErrors", + "partitions": 1, + "replicationFactor": 1 + }, + { + "name": "SettlementsBcEvents", + "partitions": 1, + "replicationFactor": 1 + }, + { + "name": "SettlementsBcCommands", + "partitions": 1, + "replicationFactor": 1 + }, + { + "name": "TransfersBcEvents", + "partitions": 1, + "replicationFactor": 1 + }, + { + "name": "TransfersBcRequests", + "partitions": 1, + "replicationFactor": 1 + }, + { + "name": "TransfersBcErrors", + "partitions": 1, + "replicationFactor": 1 + }, + { + "name": "TransfersBcTimeouts", + "partitions": 1, + "replicationFactor": 1 + }, + { + "name": "PlatformConfigurationBcEvents", + "partitions": 1, + "replicationFactor": 1 + } ] }, "kafka_data": { From 38941748e910e61600f778771d84ed27de4ea534 Mon Sep 17 00:00:00 2001 From: David Fry Date: Wed, 27 Mar 2024 15:21:44 +0000 Subject: [PATCH 042/201] fix hostnames in nginx.conf --- .../templates/vnext/values-vnext.yaml.tpl | 69 +++++++++++++++++++ 1 file changed, 69 insertions(+) 
diff --git a/terraform/gitops/generate-files/templates/vnext/values-vnext.yaml.tpl b/terraform/gitops/generate-files/templates/vnext/values-vnext.yaml.tpl index 646541913..1cb2db7b2 100644 --- a/terraform/gitops/generate-files/templates/vnext/values-vnext.yaml.tpl +++ b/terraform/gitops/generate-files/templates/vnext/values-vnext.yaml.tpl 
@@ -118,6 +118,75 @@ admin-ui:
 enabled: true
 ingress:
 enabled: false
+ nginx:
+ config: |-
+ server {
+ listen 4200;
+ server_name localhost;
+
+ location / {
+ root /usr/share/nginx/html;
+ index index.html;
+ try_files $uri$args $uri$args/ /index.html;
+ }
+
+ # proxy for rest apis - should match angular dev proxy.conf.json
+ location /auth_n {
+ rewrite /auth_n/(.*) /$1 break;
+ proxy_pass http://${vnext_release_name}-authentication-svc:3201;
+ }
+
+ location /auth_z {
+ rewrite /auth_z/(.*) /$1 break;
+ proxy_pass http://${vnext_release_name}-authorization-svc:3202;
+ }
+
+ location /_participants {
+ rewrite /_participants/(.*) /$1 break;
+ proxy_pass http://${vnext_release_name}-participants-svc:3010;
+ }
+
+ location /_platform-configuration-svc {
+ rewrite /_platform-configuration-svc/(.*) /$1 break;
+ proxy_pass http://${vnext_release_name}-platform-configuration-svc:3100;
+ }
+
+ location /_account-lookup {
+ rewrite /_account-lookup/(.*) /$1 break;
+ proxy_pass http://${vnext_release_name}-account-lookup-svc:3030;
+ }
+
+ location /_interop {
+ rewrite /_interop/(.*) /$1 break;
+ proxy_pass http://${vnext_release_name}-fspiop-api-svc:4000;
+ }
+
+ location /_quotes {
+ rewrite /_quotes/(.*) /$1 break;
+ proxy_pass http://${vnext_release_name}-quoting-svc:3033;
+ }
+
+ location /_bulk-quotes {
+ rewrite /_bulk-quotes/(.*) /$1 break;
+ proxy_pass http://${vnext_release_name}-quoting-svc:3033;
+ }
+
+ location /_transfers {
+ rewrite /_transfers/(.*) /$1 break;
+ proxy_pass http://${vnext_release_name}-transfers-api-svc:3500;
+ }
+
+ location /_settlements {
+ rewrite /_settlements/(.*) /$1 break;
+ proxy_pass http://${vnext_release_name}-settlements-api-svc:3600;
+ proxy_http_version 1.1;
+ }
+
+ error_page 500 502 503 504 /50x.html;
+ location = /50x.html {
+ root /usr/share/nginx/html;
+ }
+ }
 auditing-svc:
 enabled: true
From 3fb2bc27b7994529fedad889c4766adcb05243b2 Mon Sep 17 00:00:00 2001
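Review bot: The nginx config turns the admin UI pod into an unauthenticated reverse proxy onto the authentication, authorization, participants, account-lookup, quoting, transfers, settlements and FSPIOP interop services: each `location` forwards whatever arrives, and nothing in this block checks a session or token before `proxy_pass`. Whether the backends enforce their own bearer-token checks is not visible here, so if any of them trusts in-cluster callers, every one of those APIs becomes reachable by anyone who can reach the admin UI host. Separately, the `rewrite` patterns are unanchored and the `location` prefixes lack a trailing slash, so `/auth_nX` also matches; tightening to `location /auth_n/ {` with `rewrite ^/auth_n/(.*)$ /$1 break;` (and likewise for the others) bounds the match. No `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` or `Host` is set, so backend logs and audits will record the nginx pod rather than the calling client.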
From: David Fry Date: Wed, 27 Mar 2024 15:38:42 +0000 Subject: [PATCH 043/201] try adding ttk --- .../generate-files/templates/vnext/istio-config.yaml.tpl | 8 ++++---- .../generate-files/templates/vnext/kustomization.yaml.tpl | 7 ++++++- 2 files changed, 10 insertions(+), 5 deletions(-) diff --git a/terraform/gitops/generate-files/templates/vnext/istio-config.yaml.tpl b/terraform/gitops/generate-files/templates/vnext/istio-config.yaml.tpl index bbf9a7277..112f502f7 100644 --- a/terraform/gitops/generate-files/templates/vnext/istio-config.yaml.tpl +++ b/terraform/gitops/generate-files/templates/vnext/istio-config.yaml.tpl @@ -215,7 +215,7 @@ spec: prefix: / route: - destination: - host: ${vnext_release_name}-ml-testing-toolkit-frontend + host: moja-ml-testing-toolkit-frontend port: number: 6060 --- @@ -239,7 +239,7 @@ spec: prefix: /api/ route: - destination: - host: ${vnext_release_name}-ml-testing-toolkit-backend + host: moja-ml-testing-toolkit-backend port: number: 5050 - name: socket @@ -248,7 +248,7 @@ spec: prefix: /socket.io/ route: - destination: - host: ${vnext_release_name}-ml-testing-toolkit-backend + host: moja-ml-testing-toolkit-backend port: number: 5050 - name: root @@ -257,7 +257,7 @@ spec: prefix: / route: - destination: - host: ${vnext_release_name}-ml-testing-toolkit-backend + host: moja-ml-testing-toolkit-backend port: number: 4040 --- \ No newline at end of file diff --git a/terraform/gitops/generate-files/templates/vnext/kustomization.yaml.tpl b/terraform/gitops/generate-files/templates/vnext/kustomization.yaml.tpl index 61ae60c5c..4c9a0da3b 100644 --- a/terraform/gitops/generate-files/templates/vnext/kustomization.yaml.tpl +++ b/terraform/gitops/generate-files/templates/vnext/kustomization.yaml.tpl 
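Review bot: The four `host:` values in istio-config.yaml.tpl are now hard-coded to `moja-ml-testing-toolkit-frontend`/`-backend` where the rest of the template derives service names from `${vnext_release_name}`. This only works because the kustomization hunk in the same commit sets `releaseName: moja`; changing either side later silently breaks routing to the TTK with no template error. A dedicated template variable, e.g. `host: ${ttk_release_name}-ml-testing-toolkit-backend`, fed from the same value that sets `releaseName`, keeps the two in lockstep. The VirtualService `spec` blocks these hunks sit in start outside the hunks.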
@@ -15,4 +15,9 @@ helmCharts: releaseName: elasticsearch version: 20.0.0 repo: https://charts.bitnami.com/bitnami - namespace: monitoring \ No newline at end of file + namespace: monitoring +- name: ml-testing-toolkit + releaseName: moja + version: 17.4.0 + repository: http://mojaloop.io/helm/repo + alias: ttk \ No newline at end of file From 37e66f91c7d66f3a0a5c8e7a4a348286e77b5359 Mon Sep 17 00:00:00 2001 From: David Fry Date: Wed, 27 Mar 2024 15:52:40 +0000 Subject: [PATCH 044/201] fix ttk config --- .../generate-files/templates/vnext/kustomization.yaml.tpl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/gitops/generate-files/templates/vnext/kustomization.yaml.tpl b/terraform/gitops/generate-files/templates/vnext/kustomization.yaml.tpl index 4c9a0da3b..e75566c8c 100644 --- a/terraform/gitops/generate-files/templates/vnext/kustomization.yaml.tpl +++ b/terraform/gitops/generate-files/templates/vnext/kustomization.yaml.tpl @@ -19,5 +19,5 @@ helmCharts: - name: ml-testing-toolkit releaseName: moja version: 17.4.0 - repository: http://mojaloop.io/helm/repo - alias: ttk \ No newline at end of file + repo: http://mojaloop.io/helm/repo + namespace: ${vnext_namespace} \ No newline at end of file From 2280f07f711682695ca7f0d6e86269d5c46a8d1f Mon Sep 17 00:00:00 2001 From: David Fry Date: Wed, 27 Mar 2024 16:06:28 +0000 Subject: [PATCH 045/201] turn off ingress --- .../generate-files/templates/vnext/kustomization.yaml.tpl | 3 ++- .../generate-files/templates/vnext/values-ttk.yaml.tpl | 6 ++++++ 2 files changed, 8 insertions(+), 1 deletion(-) create mode 100644 terraform/gitops/generate-files/templates/vnext/values-ttk.yaml.tpl diff --git a/terraform/gitops/generate-files/templates/vnext/kustomization.yaml.tpl b/terraform/gitops/generate-files/templates/vnext/kustomization.yaml.tpl index e75566c8c..06350c68e 100644 --- a/terraform/gitops/generate-files/templates/vnext/kustomization.yaml.tpl 
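Review bot: The new `ml-testing-toolkit` chart is pulled from `http://mojaloop.io/helm/repo` over plaintext, while the neighbouring entry in the same `helmCharts` list uses `https://charts.bitnami.com/bitnami`. With no TLS and no digest pinning in kustomize's `helmCharts`, an on-path attacker between the GitOps runner and the repo can substitute chart contents, and `version: 17.4.0` alone does not detect that. If the Mojaloop repo serves HTTPS (it is worth confirming rather than assuming a redirect), `repo: https://mojaloop.io/helm/repo` is the one-line fix; otherwise mirror the chart into the internal Nexus this repo already provisions. The follow-up hunk that renames `repository:` to `repo:` keeps the plaintext URL.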
+++ b/terraform/gitops/generate-files/templates/vnext/kustomization.yaml.tpl @@ -20,4 +20,5 @@ helmCharts: releaseName: moja version: 17.4.0 repo: http://mojaloop.io/helm/repo - namespace: ${vnext_namespace} \ No newline at end of file + namespace: ${vnext_namespace} + valuesFile: values-ttk.yaml \ No newline at end of file diff --git a/terraform/gitops/generate-files/templates/vnext/values-ttk.yaml.tpl b/terraform/gitops/generate-files/templates/vnext/values-ttk.yaml.tpl new file mode 100644 index 000000000..2d1a908fd --- /dev/null +++ b/terraform/gitops/generate-files/templates/vnext/values-ttk.yaml.tpl @@ -0,0 +1,6 @@ +ml-testing-toolkit-backend: + ingress: + enabled: false +ml-testing-toolkit-frontend: + ingress: + enabled: false \ No newline at end of file From 816fc6c3394bdbe4082601ef4d24eee814498158 Mon Sep 17 00:00:00 2001 From: David Fry Date: Wed, 27 Mar 2024 16:28:34 +0000 Subject: [PATCH 046/201] add api base url --- .../gitops/generate-files/templates/vnext/values-ttk.yaml.tpl | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/terraform/gitops/generate-files/templates/vnext/values-ttk.yaml.tpl b/terraform/gitops/generate-files/templates/vnext/values-ttk.yaml.tpl index 2d1a908fd..e7a72b315 100644 --- a/terraform/gitops/generate-files/templates/vnext/values-ttk.yaml.tpl +++ b/terraform/gitops/generate-files/templates/vnext/values-ttk.yaml.tpl @@ -3,4 +3,6 @@ ml-testing-toolkit-backend: enabled: false ml-testing-toolkit-frontend: ingress: - enabled: false \ No newline at end of file + enabled: false + config: + API_BASE_URL: https://${ttk_backend_public_fqdn} \ No newline at end of file From 660edc47e485485c7021ca2305299e4ec1bae3bd Mon Sep 17 00:00:00 2001 
From: David Fry Date: Thu, 28 Mar 2024 07:21:58 +0000 Subject: [PATCH 047/201] add admin ui vs --- .../templates/vnext/istio-config.yaml.tpl | 23 +++++++++++++++++++ .../gitops/k8s-cluster-config/app-deploy.tf | 11 +++++++-- terraform/gitops/vnext/vnext.tf | 5 ++++ 3 files changed, 37 insertions(+), 2 deletions(-) diff --git a/terraform/gitops/generate-files/templates/vnext/istio-config.yaml.tpl b/terraform/gitops/generate-files/templates/vnext/istio-config.yaml.tpl index 112f502f7..2131d61a8 100644 --- a/terraform/gitops/generate-files/templates/vnext/istio-config.yaml.tpl +++ b/terraform/gitops/generate-files/templates/vnext/istio-config.yaml.tpl @@ -260,4 +260,27 @@ spec: host: moja-ml-testing-toolkit-backend port: number: 4040 +--- +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: vnext-admin-ui +spec: + gateways: +%{ if vnext_wildcard_gateway == "external" ~} + - ${istio_external_gateway_namespace}/${istio_external_wildcard_gateway_name} +%{ else ~} + - ${istio_internal_gateway_namespace}/${istio_internal_wildcard_gateway_name} +%{ endif ~} + hosts: + - '${vnext_admin_ui_fqdn}' + http: + - match: + - uri: + prefix: / + route: + - destination: + host: ${vnext_release_name}-admin-ui + port: + number: 4200 --- \ No newline at end of file diff --git a/terraform/gitops/k8s-cluster-config/app-deploy.tf b/terraform/gitops/k8s-cluster-config/app-deploy.tf index 9b1db84c3..b6b92c296 100644 --- a/terraform/gitops/k8s-cluster-config/app-deploy.tf +++ b/terraform/gitops/k8s-cluster-config/app-deploy.tf @@ -179,6 +179,7 @@ module "vnext" { oathkeeper_auth_provider_name = local.oathkeeper_auth_provider_name keycloak_hubop_realm_name = var.keycloak_hubop_realm_name rbac_api_resources_file = var.rbac_api_resources_file + vnext_admin_ui_fqdn = local.vnext_admin_ui_fqdn } variable "app_var_map" { 
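Review bot: The new `vnext-admin-ui` VirtualService routes `prefix: /` on `${vnext_admin_ui_fqdn}` straight to `${vnext_release_name}-admin-ui:4200`, and when `vnext_wildcard_gateway == "external"` that is the public gateway; no `RequestAuthentication`, `AuthorizationPolicy` or oathkeeper rule is added alongside it, even though the app-deploy.tf hunk in this same commit passes `oathkeeper_auth_provider_name` and `keycloak_hubop_realm_name` into the vnext module, which suggests other portals are fronted by Keycloak/oathkeeper. Because the admin UI's nginx proxies to the authentication, participants, transfers and settlements services, an unauthenticated route here exposes those APIs to anyone who can resolve the host. Either route this host through the same oathkeeper path as the other portals or add an Istio `AuthorizationPolicy` requiring a valid JWT before the route is merged; if an auth layer exists elsewhere, a comment on the VirtualService naming it would save the next reviewer the same question.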
@@ -309,6 +310,7 @@ locals { ttk_backend_public_fqdn = "ttkbackend.${var.public_subdomain}" finance_portal_fqdn = "finance-portal.${var.public_subdomain}" argocd_fqdn = "argocd.${var.public_subdomain}" + vnext_admin_ui_fqdn = "vnext-admin.${var.public_subdomain}" mojaloop_internal_gateway_hosts = concat([local.internal_interop_switch_fqdn], local.mojaloop_wildcard_gateway == "internal" ? [local.ttk_frontend_public_fqdn, local.ttk_backend_public_fqdn] : [], @@ -317,6 +319,9 @@ locals { local.mojaloop_wildcard_gateway == "external" ? [local.ttk_frontend_public_fqdn, local.ttk_backend_public_fqdn] : [], local.mcm_wildcard_gateway == "external" ? [local.mcm_public_fqdn] : []) + vnext_internal_gateway_hosts = local.mojaloop_wildcard_gateway == "internal" ? [local.vnext_admin_ui_fqdn] : [] + vnext_external_gateway_hosts = local.mojaloop_wildcard_gateway == "external" ? [local.vnext_admin_ui_fqdn] : [] + portal_fqdns = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => "portal-${pm4ml.pm4ml}.${var.public_subdomain}" } admin_portal_fqdns = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => "admin-portal-${pm4ml.pm4ml}.${var.public_subdomain}" } experience_api_fqdns = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => "exp-${pm4ml.pm4ml}.${var.public_subdomain}" } 
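Review bot: `vnext_internal_gateway_hosts` and `vnext_external_gateway_hosts` are selected on `local.mojaloop_wildcard_gateway`, but the VirtualService template that binds the gateway for the same FQDN tests `vnext_wildcard_gateway`. If those two values can differ, the admin UI host ends up listed on one gateway while its VirtualService references the other, and the route fails to match. Unless `vnext_wildcard_gateway` is derived from `mojaloop_wildcard_gateway` somewhere outside this hunk, these should read `local.vnext_wildcard_gateway == "internal" ? [local.vnext_admin_ui_fqdn] : []` and `local.vnext_wildcard_gateway == "external" ? [local.vnext_admin_ui_fqdn] : []`. The `locals {` block these lines belong to starts before the hunk.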
@@ -349,12 +354,14 @@ locals { local.vault_wildcard_gateway == "internal" ? [local.vault_public_fqdn] : [], local.grafana_wildcard_gateway == "internal" ? [local.grafana_public_fqdn] : [], (var.common_var_map.mojaloop_enabled || var.common_var_map.vnext_enabled) ? local.mojaloop_internal_gateway_hosts : [], - var.common_var_map.pm4ml_enabled ? local.pm4ml_internal_gateway_hosts : []) + var.common_var_map.pm4ml_enabled ? local.pm4ml_internal_gateway_hosts : [], + var.common_var_map.vnext_enabled ? local.vnext_internal_gateway_hosts : []) external_gateway_hosts = concat([local.keycloak_fqdn, local.auth_fqdn, local.finance_portal_fqdn], local.argocd_wildcard_gateway == "external" ? [local.argocd_fqdn] : [], local.vault_wildcard_gateway == "external" ? [local.vault_public_fqdn] : [], local.grafana_wildcard_gateway == "external" ? [local.grafana_public_fqdn] : [], (var.common_var_map.mojaloop_enabled || var.common_var_map.vnext_enabled) ? local.mojaloop_external_gateway_hosts : [], - var.common_var_map.pm4ml_enabled ? local.pm4ml_external_gateway_hosts : []) + var.common_var_map.pm4ml_enabled ? local.pm4ml_external_gateway_hosts : [], + var.common_var_map.vnext_enabled ? local.vnext_external_gateway_hosts : []) bof_managed_portal_fqdns = (var.common_var_map.mojaloop_enabled || var.common_var_map.vnext_enabled) ? [local.finance_portal_fqdn, local.mcm_public_fqdn] : concat(local.pm4ml_external_wildcard_portal_hosts, local.pm4ml_internal_wildcard_portal_hosts, local.pm4ml_internal_wildcard_admin_portal_hosts, local.pm4ml_external_wildcard_admin_portal_hosts) } diff --git a/terraform/gitops/vnext/vnext.tf b/terraform/gitops/vnext/vnext.tf index 88fb1767b..dae710352 100644 --- a/terraform/gitops/vnext/vnext.tf +++ b/terraform/gitops/vnext/vnext.tf 
@@ -63,6 +63,7 @@ module "generate_vnext_files" { jws_rotation_renew_before_hours = try(var.app_var_map.jws_rotation_renew_before_hours, var.jws_rotation_renew_before_hours) jws_rotation_period_hours = try(var.app_var_map.jws_rotation_period_hours, var.jws_rotation_period_hours) mcm_hub_jws_endpoint = "http://mcm-connection-manager-api.${var.mcm_namespace}.svc.cluster.local:3001/api/hub/jwscerts" + vnext_admin_ui_fqdn = var.vnext_admin_ui_fqdn } file_list = [for f in fileset(local.vnext_template_path, "**/*.tpl") : trimsuffix(f, ".tpl") if !can(regex(local.vnext_app_file, f))] template_path = local.vnext_template_path @@ -138,6 +139,10 @@ variable "ttk_backend_public_fqdn" { type = string } +variable "vnext_admin_ui_fqdn" { + type = string +} + variable "auth_fqdn" { type = string } From 1d5e91b39d7395841d986605a477d28082ccdfa3 Mon Sep 17 00:00:00 2001 From: Sijo George Date: Mon, 25 Mar 2024 15:43:57 +0530 Subject: [PATCH 048/201] Adding minio provider, minio tf code for loki and loghorn data storage --- terraform/aws/control-center-infra/outputs.tf | 23 ++-- .../aws/control-center-infra/random-pws.tf | 6 +- .../aws/control-center-infra/variables.tf | 6 + .../control-center-post-config/minio.tf | 108 ++++++++++++++++++ .../control-center/init/common-vars.yaml | 3 +- .../control-center-post-config/terragrunt.hcl | 5 + 6 files changed, 135 insertions(+), 16 deletions(-) create mode 100644 terraform/config-params/control-center-post-config/minio.tf diff --git a/terraform/aws/control-center-infra/outputs.tf b/terraform/aws/control-center-infra/outputs.tf index 30c0b2070..054ee501f 100644 --- a/terraform/aws/control-center-infra/outputs.tf +++ b/terraform/aws/control-center-infra/outputs.tf 
@@ -8,19 +8,20 @@ output "gitlab_root_token" { value = random_password.gitlab_root_token.result } -output "gitlab_s3_access_key" { - sensitive = true - value = random_password.gitlab_s3_access_key.result -} output "gitlab_s3_access_secret" { sensitive = true value = random_password.gitlab_s3_access_secret.result } -output "admin_s3_access_key" { +output "minio_root_password" { sensitive = true - value = random_password.admin_s3_access_key.result + value = random_password.minio_root_password.result +} + +output "minio_root_user " { + sensitive = true + value = var.minio_root_user } output "admin_s3_access_secret" { @@ -70,6 +71,10 @@ output "minio_fqdn" { value = aws_route53_record.minio_server_private.fqdn } +output "minio_server_url" { + value = "http://${aws_route53_record.minio_server_private.fqdn}:${var.minio_listening_port}" +} + output "tenant_vault_listening_port" { value = "443" } @@ -122,11 +127,9 @@ output "docker_hosts_var_maps" { gitlab_runner_version = var.gitlab_runner_version minio_server_host = aws_route53_record.minio_server_private.fqdn minio_listening_port = var.minio_listening_port - minio_root_user = "admin" - minio_admin_access_key = random_password.admin_s3_access_key.result - minio_root_password = random_password.admin_s3_access_secret.result + minio_root_user = var.minio_root_user + minio_root_password = random_password.minio_root_password.result gitlab_minio_user = var.gitlab_minio_user - minio_gitlab_access_key = random_password.gitlab_s3_access_key.result gitlab_minio_secret = random_password.gitlab_s3_access_secret.result nexus_admin_password = random_password.nexus_admin_password.result nexus_docker_repo_listening_port = var.nexus_docker_repo_listening_port diff --git a/terraform/aws/control-center-infra/random-pws.tf b/terraform/aws/control-center-infra/random-pws.tf index 278be33f5..9f680752b 100644 --- a/terraform/aws/control-center-infra/random-pws.tf +++ b/terraform/aws/control-center-infra/random-pws.tf 
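Review bot: `minio_server_url` is emitted as a plain `http://` URL, and the same hunk routes the MinIO root user and password into `docker_hosts_var_maps`; whether that map output is marked `sensitive = true` is outside the hunk and worth checking, since unmarked outputs land in state and plan logs in clear. The removed `gitlab_s3_access_key` leaves `gitlab_minio_user` as the S3 access key, which is acceptable because access keys are identifiers rather than secrets, but a short comment on `gitlab_minio_secret` noting that the user name doubles as the access key would document the intent. Note also `output "minio_root_user " {` carries a trailing space inside the quotes, which a later commit in this series corrects.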
@@ -10,10 +10,6 @@ resource "random_password" "gitlab_root_token" { override_special = "_" } -resource "random_password" "gitlab_s3_access_key" { - length = 20 - special = false -} resource "random_password" "gitlab_s3_access_secret" { length = 20 @@ -21,7 +17,7 @@ resource "random_password" "gitlab_s3_access_secret" { override_special = "_" } -resource "random_password" "admin_s3_access_key" { +resource "random_password" "minio_root_password" { length = 20 special = false } diff --git a/terraform/aws/control-center-infra/variables.tf b/terraform/aws/control-center-infra/variables.tf index d9f2167b8..656d46baf 100644 --- a/terraform/aws/control-center-infra/variables.tf +++ b/terraform/aws/control-center-infra/variables.tf @@ -148,6 +148,12 @@ variable "gitlab_minio_user" { description = "Gitlab user to access minio" } +variable "minio_root_user" { + type = string + default = "admin" + description = "Admin user to access minio" +} + variable "vault_listening_port" { type = number default = 8200 diff --git a/terraform/config-params/control-center-post-config/minio.tf b/terraform/config-params/control-center-post-config/minio.tf new file mode 100644 index 000000000..f72589ab9 --- /dev/null +++ b/terraform/config-params/control-center-post-config/minio.tf 
@@ -0,0 +1,108 @@ +# loki bucket , user and access policy +resource "minio_s3_bucket" "loki-s3-bucket" { + for_each = var.env_map + bucket = "${each.key}-loki" +} + +resource "random_password" "minio_loki_password" { + for_each = var.env_map + length = 20 + special = false +} + +resource "minio_iam_user" "loki-user" { + for_each = var.env_map + name = "${each.key}-loki-user" + secret = random_password.minio_loki_password[each.key].result + force_destroy = true + tags = { + env = each.key + purpose = "loki data" + } +} + +resource "minio_iam_policy" "loki-iam-policy" { + for_each = var.env_map + name = "${each.key}-loki-policy" + policy = <= 1.1" local_provider_version: "~> 2.4" gitlab_provider_version: "~> 16.0" -vault_provider_version: "~> 3.16" \ No newline at end of file +vault_provider_version: "~> 3.16" +minio_provider_version: "~>2.2.0" \ No newline at end of file diff --git a/terraform/control-center/init/control-center-post-config/terragrunt.hcl b/terraform/control-center/init/control-center-post-config/terragrunt.hcl index 707cafcbe..a78153f2d 100644 --- a/terraform/control-center/init/control-center-post-config/terragrunt.hcl +++ b/terraform/control-center/init/control-center-post-config/terragrunt.hcl @@ -116,5 +116,10 @@ provider "gitlab" { token = "${dependency.control_center_deploy.outputs.gitlab_root_token}" base_url = "https://${dependency.control_center_deploy.outputs.gitlab_server_hostname}" } +provider minio { + minio_server = "${dependency.control_center_deploy.outputs.minio_server_url}" + minio_user = "${dependency.control_center_deploy.outputs.minio_root_user}" + minio_password = "${dependency.control_center_deploy.outputs.minio_root_password}" +} EOF } From 5066537ab930e64d70dcd5f279fc2e224bb8d2b0 Mon Sep 17 00:00:00 2001 
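Review bot: The `provider minio` block authenticates with `minio_root_user`/`minio_root_password` from the control-center outputs, so all per-environment bucket, user and policy provisioning in minio.tf runs as the MinIO root identity and the root secret is copied into every Terragrunt run's provider config. A dedicated provisioning identity holding only the `admin:CreateUser`, `admin:AttachUserOrGroupPolicy` and `s3:CreateBucket` family of actions would limit the blast radius of a leaked CI token; if MinIO's admin model makes that impractical here, say so in a comment next to the provider. The `minio_iam_policy` body for `${each.key}-loki-policy` is not legible in this rendering (the heredoc is cut off at `policy = <`), so I could not confirm it is scoped to the `${each.key}-loki` bucket only. `force_destroy = true` on `loki-user` is fine for ephemeral environments but will delete the user on removal even if the policy is still attached.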
From: Sijo George Date: Mon, 25 Mar 2024 16:01:43 +0530 Subject: [PATCH 049/201] Bringing the docker volume size to env.yaml --- .../control-center/init/control-center-deploy/terragrunt.hcl | 1 + terraform/control-center/init/environment.yaml | 1 + 2 files changed, 2 insertions(+) diff --git a/terraform/control-center/init/control-center-deploy/terragrunt.hcl b/terraform/control-center/init/control-center-deploy/terragrunt.hcl index 78f2308f4..1f867bd8d 100644 --- a/terraform/control-center/init/control-center-deploy/terragrunt.hcl +++ b/terraform/control-center/init/control-center-deploy/terragrunt.hcl @@ -42,6 +42,7 @@ inputs = { iac_group_name = local.env_vars.iac_group_name netmaker_image_version = local.env_vars.netmaker_version delete_storage_on_term = local.env_vars.delete_storage_on_term + docker_server_extra_vol_size = local.env_vars.docker_server_extra_vol_size } locals { diff --git a/terraform/control-center/init/environment.yaml b/terraform/control-center/init/environment.yaml index d40246856..fafcbc87f 100644 --- a/terraform/control-center/init/environment.yaml +++ b/terraform/control-center/init/environment.yaml @@ -13,6 +13,7 @@ iac_group_name: iac_admin netmaker_version: 0.18.7 letsencrypt_email: test@mojalabs.io delete_storage_on_term: true +docker_server_extra_vol_size: 100 envs: - env: dev domain: labsk8s604.mojaloop.live From e3aa6cbaad8b82ff52a847ffa1fcb484bf7fcace Mon Sep 17 00:00:00 2001 From: Sijo George Date: Mon, 25 Mar 2024 16:33:13 +0530 Subject: [PATCH 050/201] Fixing the typo --- terraform/aws/control-center-infra/outputs.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/aws/control-center-infra/outputs.tf b/terraform/aws/control-center-infra/outputs.tf index 054ee501f..78fe875bd 100644 --- a/terraform/aws/control-center-infra/outputs.tf +++ b/terraform/aws/control-center-infra/outputs.tf 
@@ -19,7 +19,7 @@ output "minio_root_password" {
 value = random_password.minio_root_password.result
 }
-output "minio_root_user " {
+output "minio_root_user" {
 sensitive = true
 value = var.minio_root_user
 }
From cce7d3e903fa23d06c04ecf5f3d4bac1763d3068 Mon Sep 17 00:00:00 2001
From: Sijo George
Date: Mon, 25 Mar 2024 16:39:46 +0530
Subject: [PATCH 051/201] provider config
---
 terraform/aws/control-center-infra/outputs.tf | 2 +-
 .../init/control-center-post-config/terragrunt.hcl | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/terraform/aws/control-center-infra/outputs.tf b/terraform/aws/control-center-infra/outputs.tf
index 78fe875bd..53eb9d817 100644
--- a/terraform/aws/control-center-infra/outputs.tf
+++ b/terraform/aws/control-center-infra/outputs.tf
@@ -72,7 +72,7 @@ output "minio_fqdn" {
 }
 output "minio_server_url" {
- value = "http://${aws_route53_record.minio_server_private.fqdn}:${var.minio_listening_port}"
+ value = "${aws_route53_record.minio_server_private.fqdn}:${var.minio_listening_port}"
 }
 output "tenant_vault_listening_port" {
diff --git a/terraform/control-center/init/control-center-post-config/terragrunt.hcl b/terraform/control-center/init/control-center-post-config/terragrunt.hcl
index a78153f2d..65751f600 100644
--- a/terraform/control-center/init/control-center-post-config/terragrunt.hcl
+++ b/terraform/control-center/init/control-center-post-config/terragrunt.hcl
@@ -106,6 +106,10 @@ terraform {
 version = "${local.common_vars.gitlab_provider_version}"
 }
 vault = "${local.common_vars.vault_provider_version}"
+ minio = {
+ source = "aminueza/minio"
+ version = "${local.common_vars.minio_provider_version}"
+ }
 }
 }
 provider "vault" {
From 9345f47afc40648a483fde05632791cf0e0ac1c7 Mon Sep 17 00:00:00 2001
From: Sijo George
Date: Mon, 25 Mar 2024 16:43:57 +0530
Subject: [PATCH 052/201] Adding output deps
---
 .../init/control-center-post-config/terragrunt.hcl | 3 +++
 1 file changed, 3 insertions(+)
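Review bot: Dropping the `http://` scheme from `minio_server_url` fixes the provider's `minio_server` format, but nothing in the `required_providers` hunk or the `provider minio` block sets the provider's TLS flag, so if `aminueza/minio` defaults to plaintext (its `minio_ssl` setting is absent here) the root credentials and every provisioning call go over unencrypted HTTP to `minio_listening_port`. Either terminate TLS on the MinIO endpoint and add `minio_ssl = true` to the provider block, or document in a comment that this traffic stays on the private control-center network by design. The earlier `minio_root_user` rename is a pure typo fix and needs nothing further.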
diff --git a/terraform/control-center/init/control-center-post-config/terragrunt.hcl b/terraform/control-center/init/control-center-post-config/terragrunt.hcl index 65751f600..89ccde759 100644 --- a/terraform/control-center/init/control-center-post-config/terragrunt.hcl +++ b/terraform/control-center/init/control-center-post-config/terragrunt.hcl @@ -29,6 +29,9 @@ dependency "control_center_deploy" { netmaker_host_name = "test" netmaker_api_host = "test" } + minio_server_url = "temporary-dummy-id" + minio_root_user = "temporary-dummy-id" + minio_root_password = "temporary-dummy-id" } mock_outputs_allowed_terraform_commands = ["init", "validate", "plan", "show"] mock_outputs_merge_strategy_with_state = "deep_map_only" From 1c512f4548f7535e58bfeb7590b20b5699327930 Mon Sep 17 00:00:00 2001 From: Sijo George Date: Mon, 25 Mar 2024 18:29:36 +0530 Subject: [PATCH 053/201] Adding stored params --- .../control-center-post-config/minio.tf | 35 +++++++++++++++++++ .../gitops/k8s-cluster-config/monitoring.tf | 3 ++ .../k8s-cluster-config/stored-params.tf | 10 ++++++ .../gitops/k8s-cluster-config/variables.tf | 20 +++++++++++ terraform/k8s/gitops-build/terragrunt.hcl | 1 + 5 files changed, 69 insertions(+) diff --git a/terraform/config-params/control-center-post-config/minio.tf b/terraform/config-params/control-center-post-config/minio.tf index f72589ab9..3cfa774d7 100644 --- a/terraform/config-params/control-center-post-config/minio.tf +++ b/terraform/config-params/control-center-post-config/minio.tf 
@@ -52,6 +52,23 @@ resource "vault_kv_secret_v2" "minio-loki-secret" { ) } +resource "gitlab_project_variable" "minio_loki_bucket" { + for_each = var.env_map + project = gitlab_project.envs[each.key].id + key = "minio_loki_bucket" + value = minio_s3_bucket.loki-s3-bucket[each.key].name + protected = false + masked = false +} + +resource "gitlab_project_variable" "minio_loki_user" { + for_each = var.env_map + project = gitlab_project.envs[each.key].id + key = "minio_loki_user" + value = minio_iam_user.loki-user[each.key].name + protected = false + masked = false +} # longhorn bucket , user and access policy resource "minio_s3_bucket" "longhorn-s3-bucket" { @@ -105,4 +122,22 @@ resource "vault_kv_secret_v2" "minio-longhorn-secret" { value = random_password.minio_longhorn_password[each.key].result } ) +} + +resource "gitlab_project_variable" "minio_lonhorn_bucket" { + for_each = var.env_map + project = gitlab_project.envs[each.key].id + key = "minio_lonhorn_bucket" + value = minio_s3_bucket.lonhorn-s3-bucket[each.key].name + protected = false + masked = false +} + +resource "gitlab_project_variable" "minio_lonhorn_user" { + for_each = var.env_map + project = gitlab_project.envs[each.key].id + key = "minio_lonhorn_user" + value = minio_iam_user.lonhorn-user[each.key].name + protected = false + masked = false } \ No newline at end of file diff --git a/terraform/gitops/k8s-cluster-config/monitoring.tf b/terraform/gitops/k8s-cluster-config/monitoring.tf index d2efc08e2..3cf624e8e 100644 --- a/terraform/gitops/k8s-cluster-config/monitoring.tf +++ b/terraform/gitops/k8s-cluster-config/monitoring.tf 
@@ -38,6 +38,9 @@ module "generate_monitoring_files" { loki_ingester_retention_period = try(var.common_var_map.loki_ingester_retention_period, local.loki_ingester_retention_period) prometheus_retention_period = try(var.common_var_map.prometheus_retention_period, local.prometheus_retention_period) alertmanager_enabled = try(var.common_var_map.alertmanager_enabled, false) + minio_api_url = var.minio_api_url + minio_loki_bucket = var.minio_loki_bucket + minio_loki_user = var.minio_loki_user } file_list = [for f in fileset(local.monitoring_template_path, "**/*.tpl") : trimsuffix(f, ".tpl") if !can(regex(local.monitoring_app_file, f))] template_path = local.monitoring_template_path diff --git a/terraform/gitops/k8s-cluster-config/stored-params.tf b/terraform/gitops/k8s-cluster-config/stored-params.tf index 6d3ab5dcd..68bcac5ce 100644 --- a/terraform/gitops/k8s-cluster-config/stored-params.tf +++ b/terraform/gitops/k8s-cluster-config/stored-params.tf @@ -56,6 +56,16 @@ data "gitlab_project_variable" "external_stateful_resource_instance_address" { key = each.value.external_resource_config.instance_address_key_name } +data "gitlab_project_variable" "minio_loki_bucket" { + project = var.current_gitlab_project_id + key = var.properties_key_map["minio_loki_bucket"] +} + +data "gitlab_project_variable" "minio_loki_user" { + project = var.current_gitlab_project_id + key = var.properties_key_map["minio_loki_user"] +} + data "vault_generic_secret" "external_stateful_resource_password" { for_each = local.managed_stateful_resources path = "${var.kv_path}/${var.cluster_name}/${each.value.external_resource_config.password_key_name}" diff --git a/terraform/gitops/k8s-cluster-config/variables.tf b/terraform/gitops/k8s-cluster-config/variables.tf index 5d40ccc4c..ac8a446b7 100644 --- a/terraform/gitops/k8s-cluster-config/variables.tf +++ b/terraform/gitops/k8s-cluster-config/variables.tf 
@@ -97,6 +97,26 @@ variable "dns_provider" { description = "provider for ext dns" } +variable "minio_loki_user" { + description = "minio username for loki" +} + +variable "minio_loki_bucket" { + description = "minio bucket name for loki" +} + +variable "minio_longhorn_user" { + description = "minio username for longhorn" +} + +variable "minio_longhorn_bucket" { + description = "minio bucket name for longhorn" +} + +variable "minio_api_url" { + description = "Url for minio api access" +} + locals { cloud_region = data.gitlab_project_variable.cloud_region.value k8s_cluster_type = data.gitlab_project_variable.k8s_cluster_type.value diff --git a/terraform/k8s/gitops-build/terragrunt.hcl b/terraform/k8s/gitops-build/terragrunt.hcl index 3f9d5fbe0..301dd3c94 100644 --- a/terraform/k8s/gitops-build/terragrunt.hcl +++ b/terraform/k8s/gitops-build/terragrunt.hcl @@ -78,6 +78,7 @@ inputs = { kv_path = local.KV_SECRET_PATH transit_vault_key_name = local.TRANSIT_VAULT_UNSEAL_KEY_NAME transit_vault_url = "http://${dependency.k8s_deploy.outputs.haproxy_server_fqdn}:8200" + minio_api_url = "http://${dependency.k8s_deploy.outputs.haproxy_server_fqdn}:9002" private_network_cidr = dependency.k8s_deploy.outputs.private_network_cidr dns_provider = dependency.k8s_deploy.outputs.dns_provider rbac_api_resources_file = local.common_vars.mojaloop_enabled ? find_in_parent_folders("${get_env("CONFIG_PATH")}/mojaloop-rbac-api-resources.yaml") : "" From faac81143ff7eecc22b82588e82363d385297c73 Mon Sep 17 00:00:00 2001 From: Sijo George Date: Mon, 25 Mar 2024 18:32:39 +0530 Subject: [PATCH 054/201] correcting longhorn typo --- .../control-center-post-config/minio.tf | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/terraform/config-params/control-center-post-config/minio.tf b/terraform/config-params/control-center-post-config/minio.tf index 3cfa774d7..3a43a3fd6 100644 --- a/terraform/config-params/control-center-post-config/minio.tf 
+++ b/terraform/config-params/control-center-post-config/minio.tf @@ -124,20 +124,20 @@ resource "vault_kv_secret_v2" "minio-longhorn-secret" { ) } -resource "gitlab_project_variable" "minio_lonhorn_bucket" { +resource "gitlab_project_variable" "minio_longhorn_bucket" { for_each = var.env_map project = gitlab_project.envs[each.key].id - key = "minio_lonhorn_bucket" - value = minio_s3_bucket.lonhorn-s3-bucket[each.key].name + key = "minio_longhorn_bucket" + value = minio_s3_bucket.longhorn-s3-bucket[each.key].name protected = false masked = false } -resource "gitlab_project_variable" "minio_lonhorn_user" { +resource "gitlab_project_variable" "minio_longhorn_user" { for_each = var.env_map project = gitlab_project.envs[each.key].id - key = "minio_lonhorn_user" - value = minio_iam_user.lonhorn-user[each.key].name + key = "minio_longhorn_user" + value = minio_iam_user.longhorn-user[each.key].name protected = false masked = false } \ No newline at end of file From c18f57a0feee994587f35da7f8a1bf0b8462455f Mon Sep 17 00:00:00 2001 From: Sijo George Date: Mon, 25 Mar 2024 18:36:40 +0530 Subject: [PATCH 055/201] Changing the attrbut name --- terraform/config-params/control-center-post-config/minio.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/config-params/control-center-post-config/minio.tf b/terraform/config-params/control-center-post-config/minio.tf index 3a43a3fd6..eed3db358 100644 --- a/terraform/config-params/control-center-post-config/minio.tf +++ b/terraform/config-params/control-center-post-config/minio.tf @@ -56,7 +56,7 @@ resource "gitlab_project_variable" "minio_loki_bucket" { for_each = var.env_map project = gitlab_project.envs[each.key].id key = "minio_loki_bucket" - value = minio_s3_bucket.loki-s3-bucket[each.key].name + value = minio_s3_bucket.loki-s3-bucket[each.key].id protected = false masked = false } 
@@ -128,7 +128,7 @@ resource "gitlab_project_variable" "minio_longhorn_bucket" { for_each = var.env_map project = gitlab_project.envs[each.key].id key = "minio_longhorn_bucket" - value = minio_s3_bucket.longhorn-s3-bucket[each.key].name + value = minio_s3_bucket.longhorn-s3-bucket[each.key].id protected = false masked = false } From c6a39dc4e6d7a9678b6895ed928b21259f07274a Mon Sep 17 00:00:00 2001 From: Sijo George Date: Mon, 25 Mar 2024 20:18:49 +0530 Subject: [PATCH 056/201] Changes for accessing minio loki creds --- .../control-center-post-config/minio.tf | 38 +++++++++++-------- .../install/vault-minio-ext-secret.yaml | 26 +++++++++++++ .../gitops/k8s-cluster-config/monitoring.tf | 6 ++- .../k8s-cluster-config/stored-params.tf | 7 +--- .../gitops/k8s-cluster-config/variables.tf | 20 ++-------- terraform/k8s/gitops-build/terragrunt.hcl | 2 +- 6 files changed, 57 insertions(+), 42 deletions(-) create mode 100644 terraform/gitops/generate-files/templates/monitoring/install/vault-minio-ext-secret.yaml diff --git a/terraform/config-params/control-center-post-config/minio.tf b/terraform/config-params/control-center-post-config/minio.tf index eed3db358..98f60a911 100644 --- a/terraform/config-params/control-center-post-config/minio.tf +++ b/terraform/config-params/control-center-post-config/minio.tf @@ -40,7 +40,7 @@ resource "minio_iam_policy" "loki-iam-policy" { EOF } -resource "vault_kv_secret_v2" "minio-loki-secret" { +resource "vault_kv_secret_v2" "minio-loki-password" { for_each = var.env_map mount = vault_mount.kv_secret.path name = "${each.key}/minio_loki_password" 
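Review bot: The rename of `vault_kv_secret_v2.minio-loki-secret` to `minio-loki-password` in the last hunk changes the resource address, so Terraform plans a destroy of the old address and a create of the new one at the same Vault path instead of keeping the existing secret; with `delete_all_versions = true` the destroy wipes every version under `${each.key}/minio_loki_password`, and I would not rely on the relative order of that destroy and the create. A `moved` block with `from = vault_kv_secret_v2.minio-loki-secret` and `to = vault_kv_secret_v2.minio-loki-password` keeps the state entry and the stored password in place. The resource body continues past the end of the hunk.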
@@ -61,13 +61,16 @@ resource "gitlab_project_variable" "minio_loki_bucket" { masked = false } -resource "gitlab_project_variable" "minio_loki_user" { - for_each = var.env_map - project = gitlab_project.envs[each.key].id - key = "minio_loki_user" - value = minio_iam_user.loki-user[each.key].name - protected = false - masked = false +resource "vault_kv_secret_v2" "minio-loki-username" { + for_each = var.env_map + mount = vault_mount.kv_secret.path + name = "${each.key}/minio_loki_username" + delete_all_versions = true + data_json = jsonencode( + { + value = minio_iam_user.loki-user[each.key].name + } + ) } # longhorn bucket , user and access policy @@ -133,11 +136,14 @@ resource "gitlab_project_variable" "minio_longhorn_bucket" { masked = false } -resource "gitlab_project_variable" "minio_longhorn_user" { - for_each = var.env_map - project = gitlab_project.envs[each.key].id - key = "minio_longhorn_user" - value = minio_iam_user.longhorn-user[each.key].name - protected = false - masked = false -} \ No newline at end of file +resource "vault_kv_secret_v2" "minio-longhorn-username" { + for_each = var.env_map + mount = vault_mount.kv_secret.path + name = "${each.key}/minio_longhorn_username" + delete_all_versions = true + data_json = jsonencode( + { + value = minio_iam_user.longhorn-user[each.key].name + } + ) +} diff --git a/terraform/gitops/generate-files/templates/monitoring/install/vault-minio-ext-secret.yaml b/terraform/gitops/generate-files/templates/monitoring/install/vault-minio-ext-secret.yaml new file mode 100644 index 000000000..65146a5a4 --- /dev/null +++ b/terraform/gitops/generate-files/templates/monitoring/install/vault-minio-ext-secret.yaml 
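Review bot: The two new Vault secrets are named `minio-loki-username` and `minio-longhorn-username`, and the loki password secret was renamed to `minio-loki-password` in this commit, but the longhorn password secret keeps its old `minio-longhorn-secret` name (it still appears under that name in the later policy-attachment commit), so the pairs no longer read as pairs; renaming it to `minio-longhorn-password` — with a `moved` block so the stored password is not destroyed and recreated — would restore the symmetry. Moving the MinIO user names out of unmasked GitLab CI variables into Vault is a sound change, since a MinIO user name is the S3 access-key id. The second hunk (`@@ -133,11 +136,14`) has the same naming point.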
@@ -0,0 +1,26 @@ +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: minio_credentials_ext_secret + annotations: + argocd.argoproj.io/sync-wave: "${external_secret_sync_wave}" +spec: + refreshInterval: 1h + + secretStoreRef: + kind: ClusterSecretStore + name: tenant-vault-secret-store + + target: + name: ${minio_credentials_secret_name} # Name for the secret to be created on the cluster + creationPolicy: Owner + + data: + - secretKey: MINIO_LOKI_USERNAME + remoteRef: + key: ${minio_loki_user_key} + property: value + - secretKey: MINIO_LOKI_PASSWORD + remoteRef: + key: ${minio_loki_password_key} + property: value \ No newline at end of file diff --git a/terraform/gitops/k8s-cluster-config/monitoring.tf b/terraform/gitops/k8s-cluster-config/monitoring.tf index 3cf624e8e..7aa2856c8 100644 --- a/terraform/gitops/k8s-cluster-config/monitoring.tf +++ b/terraform/gitops/k8s-cluster-config/monitoring.tf @@ -38,9 +38,11 @@ module "generate_monitoring_files" { loki_ingester_retention_period = try(var.common_var_map.loki_ingester_retention_period, local.loki_ingester_retention_period) prometheus_retention_period = try(var.common_var_map.prometheus_retention_period, local.prometheus_retention_period) alertmanager_enabled = try(var.common_var_map.alertmanager_enabled, false) + minio_credentials_secret_name = "minio_credentials_secret" minio_api_url = var.minio_api_url - minio_loki_bucket = var.minio_loki_bucket - minio_loki_user = var.minio_loki_user + minio_loki_bucket = local.minio_loki_bucket + minio_loki_user_key = "${var.cluster_name}/minio_loki_username" + minio_loki_password_key = "${var.cluster_name}/minio_loki_password" } file_list = [for f in fileset(local.monitoring_template_path, "**/*.tpl") : trimsuffix(f, ".tpl") if !can(regex(local.monitoring_app_file, f))] template_path = local.monitoring_template_path 
diff --git a/terraform/gitops/k8s-cluster-config/stored-params.tf b/terraform/gitops/k8s-cluster-config/stored-params.tf index 68bcac5ce..a280556d0 100644 --- a/terraform/gitops/k8s-cluster-config/stored-params.tf +++ b/terraform/gitops/k8s-cluster-config/stored-params.tf @@ -58,12 +58,7 @@ data "gitlab_project_variable" "external_stateful_resource_instance_address" { data "gitlab_project_variable" "minio_loki_bucket" { project = var.current_gitlab_project_id - key = var.properties_key_map["minio_loki_bucket"] -} - -data "gitlab_project_variable" "minio_loki_user" { - project = var.current_gitlab_project_id - key = var.properties_key_map["minio_loki_user"] + key = "minio_loki_bucket" } data "vault_generic_secret" "external_stateful_resource_password" { diff --git a/terraform/gitops/k8s-cluster-config/variables.tf b/terraform/gitops/k8s-cluster-config/variables.tf index ac8a446b7..2399cbb5a 100644 --- a/terraform/gitops/k8s-cluster-config/variables.tf +++ b/terraform/gitops/k8s-cluster-config/variables.tf @@ -97,24 +97,9 @@ variable "dns_provider" { description = "provider for ext dns" } -variable "minio_loki_user" { - description = "minio username for loki" -} - -variable "minio_loki_bucket" { - description = "minio bucket name for loki" -} - -variable "minio_longhorn_user" { - description = "minio username for longhorn" -} - -variable "minio_longhorn_bucket" { - description = "minio bucket name for longhorn" -} - variable "minio_api_url" { - description = "Url for minio api access" + type = string + description = "minio_api_url" } locals { @@ -132,4 +117,5 @@ locals { external_dns_credentials_id_provider_key = var.secrets_key_map["external_dns_cred_id_key"] longhorn_backups_credentials_secret_provider_key = var.secrets_key_map["longhorn_backups_cred_secret_key"] longhorn_backups_credentials_id_provider_key = var.secrets_key_map["longhorn_backups_cred_id_key"] + minio_loki_bucket = data.gitlab_project_variable.minio_loki_bucket } 
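Review bot: In the variables.tf hunk, `description = "minio_api_url"` only repeats the variable name and replaces the earlier "Url for minio api access", while the terragrunt hunk of this same commit drops the `http://` prefix from the value, so the expected format is now undocumented; suggest `description = "MinIO S3 API endpoint as host:port, without a URL scheme (consumers add their own)"`. Adding `type = string` is the right move. The `locals` block the last hunk extends starts outside the hunk.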
diff --git a/terraform/k8s/gitops-build/terragrunt.hcl b/terraform/k8s/gitops-build/terragrunt.hcl index 301dd3c94..d501a4249 100644 --- a/terraform/k8s/gitops-build/terragrunt.hcl +++ b/terraform/k8s/gitops-build/terragrunt.hcl @@ -78,7 +78,7 @@ inputs = { kv_path = local.KV_SECRET_PATH transit_vault_key_name = local.TRANSIT_VAULT_UNSEAL_KEY_NAME transit_vault_url = "http://${dependency.k8s_deploy.outputs.haproxy_server_fqdn}:8200" - minio_api_url = "http://${dependency.k8s_deploy.outputs.haproxy_server_fqdn}:9002" + minio_api_url = "${dependency.k8s_deploy.outputs.haproxy_server_fqdn}:9002" private_network_cidr = dependency.k8s_deploy.outputs.private_network_cidr dns_provider = dependency.k8s_deploy.outputs.dns_provider rbac_api_resources_file = local.common_vars.mojaloop_enabled ? find_in_parent_folders("${get_env("CONFIG_PATH")}/mojaloop-rbac-api-resources.yaml") : "" From e895c9c52d51ef7ef3fffad24ef9b6a13e722ebd Mon Sep 17 00:00:00 2001 From: Sijo George Date: Mon, 25 Mar 2024 22:00:26 +0530 Subject: [PATCH 057/201] Adding to kustmz --- .../templates/monitoring/install/kustomization.yaml.tpl | 1 + ...ult-minio-ext-secret.yaml => vault-minio-ext-secret.yaml.tpl} | 0 2 files changed, 1 insertion(+) rename terraform/gitops/generate-files/templates/monitoring/install/{vault-minio-ext-secret.yaml => vault-minio-ext-secret.yaml.tpl} (100%) diff --git a/terraform/gitops/generate-files/templates/monitoring/install/kustomization.yaml.tpl b/terraform/gitops/generate-files/templates/monitoring/install/kustomization.yaml.tpl index eaed261cf..c23037e27 100644 --- a/terraform/gitops/generate-files/templates/monitoring/install/kustomization.yaml.tpl +++ b/terraform/gitops/generate-files/templates/monitoring/install/kustomization.yaml.tpl 
@@ -4,6 +4,7 @@ resources: - https://raw.githubusercontent.com/grafana/grafana-operator/v5.6.0/deploy/kustomize/base/crds.yaml - vault-secret.yaml - istio-gateway.yaml + - vault-minio-ext-secret.yaml helmCharts: - name: prometheus-operator-crds releaseName: prometheus-operator-crds diff --git a/terraform/gitops/generate-files/templates/monitoring/install/vault-minio-ext-secret.yaml b/terraform/gitops/generate-files/templates/monitoring/install/vault-minio-ext-secret.yaml.tpl similarity index 100% rename from terraform/gitops/generate-files/templates/monitoring/install/vault-minio-ext-secret.yaml rename to terraform/gitops/generate-files/templates/monitoring/install/vault-minio-ext-secret.yaml.tpl From 4c25254f522158087209f6dec27d1c2b414b7647 Mon Sep 17 00:00:00 2001 From: Sijo George Date: Tue, 26 Mar 2024 13:58:55 +0530 Subject: [PATCH 058/201] passing external_secret_sync_wave --- terraform/gitops/k8s-cluster-config/monitoring.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/terraform/gitops/k8s-cluster-config/monitoring.tf b/terraform/gitops/k8s-cluster-config/monitoring.tf index 7aa2856c8..fdf1d0d6b 100644 --- a/terraform/gitops/k8s-cluster-config/monitoring.tf +++ b/terraform/gitops/k8s-cluster-config/monitoring.tf @@ -43,6 +43,7 @@ module "generate_monitoring_files" { minio_loki_bucket = local.minio_loki_bucket minio_loki_user_key = "${var.cluster_name}/minio_loki_username" minio_loki_password_key = "${var.cluster_name}/minio_loki_password" + external_secret_sync_wave = var.external_secret_sync_wave } file_list = [for f in fileset(local.monitoring_template_path, "**/*.tpl") : trimsuffix(f, ".tpl") if !can(regex(local.monitoring_app_file, f))] template_path = local.monitoring_template_path From e961258847322fe60f914309856da8bf95481334 Mon Sep 17 00:00:00 2001 
From: Sijo George Date: Tue, 26 Mar 2024 15:02:09 +0530 Subject: [PATCH 059/201] correcting the secret name --- .../monitoring/install/vault-minio-ext-secret.yaml.tpl | 2 +- terraform/gitops/k8s-cluster-config/monitoring.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/gitops/generate-files/templates/monitoring/install/vault-minio-ext-secret.yaml.tpl b/terraform/gitops/generate-files/templates/monitoring/install/vault-minio-ext-secret.yaml.tpl index 65146a5a4..a311f59dc 100644 --- a/terraform/gitops/generate-files/templates/monitoring/install/vault-minio-ext-secret.yaml.tpl +++ b/terraform/gitops/generate-files/templates/monitoring/install/vault-minio-ext-secret.yaml.tpl @@ -1,7 +1,7 @@ apiVersion: external-secrets.io/v1beta1 kind: ExternalSecret metadata: - name: minio_credentials_ext_secret + name: ${minio_credentials_secret_name} annotations: argocd.argoproj.io/sync-wave: "${external_secret_sync_wave}" spec: diff --git a/terraform/gitops/k8s-cluster-config/monitoring.tf b/terraform/gitops/k8s-cluster-config/monitoring.tf index fdf1d0d6b..57b3ef72b 100644 --- a/terraform/gitops/k8s-cluster-config/monitoring.tf +++ b/terraform/gitops/k8s-cluster-config/monitoring.tf @@ -38,7 +38,7 @@ module "generate_monitoring_files" { loki_ingester_retention_period = try(var.common_var_map.loki_ingester_retention_period, local.loki_ingester_retention_period) prometheus_retention_period = try(var.common_var_map.prometheus_retention_period, local.prometheus_retention_period) alertmanager_enabled = try(var.common_var_map.alertmanager_enabled, false) - minio_credentials_secret_name = "minio_credentials_secret" + minio_credentials_secret_name = "minio-credentials-secret" minio_api_url = var.minio_api_url minio_loki_bucket = local.minio_loki_bucket minio_loki_user_key = "${var.cluster_name}/minio_loki_username" From 3def5e389969cc076ff8275c2b96666d3ded8d7d Mon Sep 17 00:00:00 2001 
From: Sijo George Date: Tue, 26 Mar 2024 15:38:44 +0530 Subject: [PATCH 060/201] Adding converstion and decoding strategy --- .../monitoring/install/vault-minio-ext-secret.yaml.tpl | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/terraform/gitops/generate-files/templates/monitoring/install/vault-minio-ext-secret.yaml.tpl b/terraform/gitops/generate-files/templates/monitoring/install/vault-minio-ext-secret.yaml.tpl index a311f59dc..b5509fb95 100644 --- a/terraform/gitops/generate-files/templates/monitoring/install/vault-minio-ext-secret.yaml.tpl +++ b/terraform/gitops/generate-files/templates/monitoring/install/vault-minio-ext-secret.yaml.tpl @@ -18,9 +18,13 @@ spec: data: - secretKey: MINIO_LOKI_USERNAME remoteRef: + conversionStrategy: Default + decodingStrategy: None key: ${minio_loki_user_key} property: value - secretKey: MINIO_LOKI_PASSWORD remoteRef: + conversionStrategy: Default + decodingStrategy: None key: ${minio_loki_password_key} - property: value \ No newline at end of file + property: value \ No newline at end of file From b1c724c49ec944a196cc8261442ba24e2040ed56 Mon Sep 17 00:00:00 2001 From: Sijo George Date: Tue, 26 Mar 2024 16:40:57 +0530 Subject: [PATCH 061/201] Adding minio config in loki values --- .../monitoring/install/values-loki.yaml.tpl | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/terraform/gitops/generate-files/templates/monitoring/install/values-loki.yaml.tpl b/terraform/gitops/generate-files/templates/monitoring/install/values-loki.yaml.tpl index 35e1f87a0..8dbd59377 100644 --- a/terraform/gitops/generate-files/templates/monitoring/install/values-loki.yaml.tpl +++ b/terraform/gitops/generate-files/templates/monitoring/install/values-loki.yaml.tpl 
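Review bot: `conversionStrategy: Default` and `decodingStrategy: None` are External Secrets' default values for `remoteRef`, so this hunk does not change how the two keys are fetched; if a decoding problem prompted the commit, the cause is elsewhere (the Vault KV path in `key:` and the `property: value` selector are the things to check). If the lines are kept for explicitness, a comment such as `# ESO defaults, spelled out: raw value, no base64 decoding` above the first `remoteRef:` records why. The file still ends without a trailing newline.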
@@ -1,11 +1,25 @@ loki: overrideConfiguration: + # TODO: remove retention_period because it should be controlled by object store (minio) policies limits_config: retention_period: ${loki_ingester_retention_period} + storage_config: + boltdb_shipper: + shared_store: s3 + aws: + s3forcepathstyle: true + endpoint: ${minio_api_url} + insecure: true + access_key_id: $${MINIO_LOKI_USERNAME} + secret_access_key: $${MINIO_LOKI_PASSWORD} + bucketnames: ${minio_loki_bucket} ingester: persistence: size: ${loki_ingester_pvc_size} storageClass: ${storage_class_name} + extraArgs: ["-config.expand-env"] + extraEnvVarsSecret: ${minio_credentials_secret_name} + promtail: tolerations: - operator: "Exists" \ No newline at end of file From a45729556416b065bc3d9bb81401f4b596706cb7 Mon Sep 17 00:00:00 2001 From: Sijo George Date: Tue, 26 Mar 2024 16:56:28 +0530 Subject: [PATCH 062/201] debug --- terraform/gitops/k8s-cluster-config/monitoring.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/gitops/k8s-cluster-config/monitoring.tf b/terraform/gitops/k8s-cluster-config/monitoring.tf index 57b3ef72b..3fe0d8122 100644 --- a/terraform/gitops/k8s-cluster-config/monitoring.tf +++ b/terraform/gitops/k8s-cluster-config/monitoring.tf @@ -40,7 +40,7 @@ module "generate_monitoring_files" { alertmanager_enabled = try(var.common_var_map.alertmanager_enabled, false) minio_credentials_secret_name = "minio-credentials-secret" minio_api_url = var.minio_api_url - minio_loki_bucket = local.minio_loki_bucket + minio_loki_bucket = "${local.minio_loki_bucket}" minio_loki_user_key = "${var.cluster_name}/minio_loki_username" minio_loki_password_key = "${var.cluster_name}/minio_loki_password" external_secret_sync_wave = var.external_secret_sync_wave From ee94634b056cae3407b680825d1e164fc0f41624 Mon Sep 17 00:00:00 2001 
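Review bot: `insecure: true` in `storage_config.aws` makes Loki send every chunk and index upload to `${minio_api_url}` over plaintext HTTP, so log content crosses the network unencrypted (requests are still SigV4-signed, so the secret key itself is not exposed); whether the HAProxy-fronted MinIO port can serve TLS is not visible from here, so at minimum document the decision with `# insecure: plaintext S3 to the HAProxy-fronted MinIO endpoint; turn off once it serves TLS`. Passing the credentials as `$${MINIO_LOKI_USERNAME}` / `$${MINIO_LOKI_PASSWORD}` with `-config.expand-env` keeps them out of the generated values file, which is the right shape, but it depends on the chart honoring `extraEnvVarsSecret` — if it does not, the literal `${MINIO_LOKI_USERNAME}` string becomes the access key, so a rendered-output check is worth doing.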
From: Sijo George Date: Tue, 26 Mar 2024 17:01:25 +0530 Subject: [PATCH 063/201] fixing the retrval --- terraform/gitops/k8s-cluster-config/monitoring.tf | 2 +- terraform/gitops/k8s-cluster-config/variables.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/gitops/k8s-cluster-config/monitoring.tf b/terraform/gitops/k8s-cluster-config/monitoring.tf index 3fe0d8122..57b3ef72b 100644 --- a/terraform/gitops/k8s-cluster-config/monitoring.tf +++ b/terraform/gitops/k8s-cluster-config/monitoring.tf @@ -40,7 +40,7 @@ module "generate_monitoring_files" { alertmanager_enabled = try(var.common_var_map.alertmanager_enabled, false) minio_credentials_secret_name = "minio-credentials-secret" minio_api_url = var.minio_api_url - minio_loki_bucket = "${local.minio_loki_bucket}" + minio_loki_bucket = local.minio_loki_bucket minio_loki_user_key = "${var.cluster_name}/minio_loki_username" minio_loki_password_key = "${var.cluster_name}/minio_loki_password" external_secret_sync_wave = var.external_secret_sync_wave diff --git a/terraform/gitops/k8s-cluster-config/variables.tf b/terraform/gitops/k8s-cluster-config/variables.tf index 2399cbb5a..ff785d7e4 100644 --- a/terraform/gitops/k8s-cluster-config/variables.tf +++ b/terraform/gitops/k8s-cluster-config/variables.tf @@ -117,5 +117,5 @@ locals { external_dns_credentials_id_provider_key = var.secrets_key_map["external_dns_cred_id_key"] longhorn_backups_credentials_secret_provider_key = var.secrets_key_map["longhorn_backups_cred_secret_key"] longhorn_backups_credentials_id_provider_key = var.secrets_key_map["longhorn_backups_cred_id_key"] - minio_loki_bucket = data.gitlab_project_variable.minio_loki_bucket + minio_loki_bucket = data.gitlab_project_variable.minio_loki_bucket.value } From b8ed2b9fad14e33b0641e2d079eb273b496b5653 Mon Sep 17 00:00:00 2001 
From: Sijo George Date: Tue, 26 Mar 2024 17:26:27 +0530 Subject: [PATCH 064/201] Correcting the minio api port --- terraform/k8s/gitops-build/terragrunt.hcl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/k8s/gitops-build/terragrunt.hcl b/terraform/k8s/gitops-build/terragrunt.hcl index d501a4249..726aa13f5 100644 --- a/terraform/k8s/gitops-build/terragrunt.hcl +++ b/terraform/k8s/gitops-build/terragrunt.hcl @@ -78,7 +78,7 @@ inputs = { kv_path = local.KV_SECRET_PATH transit_vault_key_name = local.TRANSIT_VAULT_UNSEAL_KEY_NAME transit_vault_url = "http://${dependency.k8s_deploy.outputs.haproxy_server_fqdn}:8200" - minio_api_url = "${dependency.k8s_deploy.outputs.haproxy_server_fqdn}:9002" + minio_api_url = "${dependency.k8s_deploy.outputs.haproxy_server_fqdn}:9000" private_network_cidr = dependency.k8s_deploy.outputs.private_network_cidr dns_provider = dependency.k8s_deploy.outputs.dns_provider rbac_api_resources_file = local.common_vars.mojaloop_enabled ? find_in_parent_folders("${get_env("CONFIG_PATH")}/mojaloop-rbac-api-resources.yaml") : "" From cf1af8542e1088193494c7c6901bef4de05615cc Mon Sep 17 00:00:00 2001 From: Sijo George Date: Tue, 26 Mar 2024 20:13:34 +0530 Subject: [PATCH 065/201] adding policy attachemnt --- .../control-center-post-config/minio.tf | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/terraform/config-params/control-center-post-config/minio.tf b/terraform/config-params/control-center-post-config/minio.tf index 98f60a911..9c85834cc 100644 --- a/terraform/config-params/control-center-post-config/minio.tf +++ b/terraform/config-params/control-center-post-config/minio.tf 
@@ -40,6 +40,12 @@ resource "minio_iam_policy" "loki-iam-policy" { EOF } +resource "minio_iam_user_policy_attachment" "loki-policy-attachment" { + for_each = var.env_map + user_name = minio_iam_user.loki-user[each.key].id + policy_name = minio_iam_policy.loki-iam-policy[each.key].id +} + resource "vault_kv_secret_v2" "minio-loki-password" { for_each = var.env_map mount = vault_mount.kv_secret.path @@ -115,6 +121,12 @@ resource "minio_iam_policy" "longhorn-iam-policy" { EOF } +resource "minio_iam_user_policy_attachment" "longhorn-policy-attachment" { + for_each = var.env_map + user_name = minio_iam_user.longhorn-user[each.key].id + policy_name = minio_iam_policy.longhorn-iam-policy[each.key].id +} + resource "vault_kv_secret_v2" "minio-longhorn-secret" { for_each = var.env_map mount = vault_mount.kv_secret.path From df67e87300842bfe10ecadafa2e72a859a1d2389 Mon Sep 17 00:00:00 2001 From: Sijo George Date: Wed, 27 Mar 2024 14:22:13 +0530 Subject: [PATCH 066/201] removing taint --- .../generate-files/templates/storage/chart/values.yaml.tpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/gitops/generate-files/templates/storage/chart/values.yaml.tpl b/terraform/gitops/generate-files/templates/storage/chart/values.yaml.tpl index 51d2c2655..9787d134d 100644 --- a/terraform/gitops/generate-files/templates/storage/chart/values.yaml.tpl +++ b/terraform/gitops/generate-files/templates/storage/chart/values.yaml.tpl @@ -17,7 +17,7 @@ longhorn: replicaAutoBalance: disabled autoDeletePodWhenVolumeDetachedUnexpectedly: true replicaReplenishmentWaitInterval: 360 - taintToleration: ":" + taintToleration: ~ enablePSP: false %{ if k8s_cluster_type == "microk8s" ~} From 2d1f612bdb1d9964926da371208cdb759c1d37b3 Mon Sep 17 00:00:00 2001 
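Review bot: `taintToleration: ~` works (it renders as null) but `~` is the least readable spelling of null; `taintToleration: null` says the same thing to anyone reading the generated values and matches the explicit style of the neighbouring `enablePSP: false`. The commit message and the previous `":"` value suggest the setting was never a real toleration; if the key is meant to be unset, dropping it altogether is clearer still.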
From: Sijo George Date: Wed, 27 Mar 2024 14:39:23 +0530 Subject: [PATCH 067/201] adding changes for longhorn backup --- .../storage/external-secrets/longhorn-extsecret.yaml.tpl | 3 +++ terraform/gitops/k8s-cluster-config/storage-config.tf | 1 + terraform/gitops/k8s-cluster-config/variables.tf | 6 +++--- 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/terraform/gitops/generate-files/templates/storage/external-secrets/longhorn-extsecret.yaml.tpl b/terraform/gitops/generate-files/templates/storage/external-secrets/longhorn-extsecret.yaml.tpl index 12cf516be..59adc83f9 100644 --- a/terraform/gitops/generate-files/templates/storage/external-secrets/longhorn-extsecret.yaml.tpl +++ b/terraform/gitops/generate-files/templates/storage/external-secrets/longhorn-extsecret.yaml.tpl @@ -14,6 +14,9 @@ spec: target: name: ${longhorn_credentials_secret} # Name for the secret to be created on the cluster creationPolicy: Owner + template: + data: + AWS_ENDPOINTS: ${minio_api_url} data: - secretKey: AWS_SECRET_ACCESS_KEY # TODO: max provider agnostic diff --git a/terraform/gitops/k8s-cluster-config/storage-config.tf b/terraform/gitops/k8s-cluster-config/storage-config.tf index 1495acec3..ec478673d 100644 --- a/terraform/gitops/k8s-cluster-config/storage-config.tf +++ b/terraform/gitops/k8s-cluster-config/storage-config.tf @@ -11,6 +11,7 @@ module "generate_storage_files" { replica_count = var.longhorn_replica_count longhorn_backups_credentials_id_provider_key = "${var.cluster_name}/${local.longhorn_backups_credentials_id_provider_key}" longhorn_backups_credentials_secret_provider_key = "${var.cluster_name}/${local.longhorn_backups_credentials_secret_provider_key}" + minio_api_url = "http://${var.minio_api_url}" gitlab_project_url = var.gitlab_project_url longhorn_namespace = var.longhorn_namespace external_secret_sync_wave = var.external_secret_sync_wave 
diff --git a/terraform/gitops/k8s-cluster-config/variables.tf b/terraform/gitops/k8s-cluster-config/variables.tf index ff785d7e4..592cebbe3 100644 --- a/terraform/gitops/k8s-cluster-config/variables.tf +++ b/terraform/gitops/k8s-cluster-config/variables.tf @@ -106,7 +106,7 @@ locals { cloud_region = data.gitlab_project_variable.cloud_region.value k8s_cluster_type = data.gitlab_project_variable.k8s_cluster_type.value cloud_platform = data.gitlab_project_variable.cloud_platform.value - longhorn_backups_bucket_name = data.gitlab_project_variable.longhorn_backups_bucket_name.value + longhorn_backups_bucket_name = data.gitlab_project_variable.minio_longhorn_bucket.value cert_manager_credentials_client_id_name = data.gitlab_project_variable.cert_manager_credentials_client_id_name.value cert_manager_credentials_client_secret_name = data.gitlab_project_variable.cert_manager_credentials_client_secret_name.value external_dns_credentials_client_secret_name = data.gitlab_project_variable.external_dns_credentials_client_secret_name.value @@ -115,7 +115,7 @@ locals { cert_manager_credentials_id_provider_key = var.secrets_key_map["external_dns_cred_id_key"] external_dns_credentials_secret_provider_key = var.secrets_key_map["external_dns_cred_secret_key"] external_dns_credentials_id_provider_key = var.secrets_key_map["external_dns_cred_id_key"] - longhorn_backups_credentials_secret_provider_key = var.secrets_key_map["longhorn_backups_cred_secret_key"] - longhorn_backups_credentials_id_provider_key = var.secrets_key_map["longhorn_backups_cred_id_key"] + longhorn_backups_credentials_secret_provider_key = "minio_longhorn_password" + longhorn_backups_credentials_id_provider_key = "minio_longhorn_username" minio_loki_bucket = data.gitlab_project_variable.minio_loki_bucket.value } From bb5ca5799542055472eedc4bbb1ca461d86d89c9 Mon Sep 17 00:00:00 2001 
From: Sijo George
Date: Wed, 27 Mar 2024 15:36:55 +0530
Subject: [PATCH 068/201] adding data resource for longhorn bucket
---
 terraform/gitops/k8s-cluster-config/stored-params.tf | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/terraform/gitops/k8s-cluster-config/stored-params.tf b/terraform/gitops/k8s-cluster-config/stored-params.tf
index a280556d0..89606ffec 100644
--- a/terraform/gitops/k8s-cluster-config/stored-params.tf
+++ b/terraform/gitops/k8s-cluster-config/stored-params.tf
@@ -61,6 +61,11 @@ data "gitlab_project_variable" "minio_loki_bucket" {
 key = "minio_loki_bucket"
 }
 
+data "gitlab_project_variable" "minio_longhorn_bucket" {
+ project = var.current_gitlab_project_id
+ key = "minio_longhorn_bucket"
+}
+
 data "vault_generic_secret" "external_stateful_resource_password" {
 for_each = local.managed_stateful_resources
 path = "${var.kv_path}/${var.cluster_name}/${each.value.external_resource_config.password_key_name}"
From 2537e119e236c0b034bb05593f58450ec0009acb Mon Sep 17 00:00:00 2001
From: Sijo George
Date: Wed, 27 Mar 2024 16:18:42 +0530
Subject: [PATCH 069/201] correcting longhorn config
---
 .../storage/external-secrets/longhorn-extsecret.yaml.tpl | 2 ++
 terraform/gitops/k8s-cluster-config/storage-config.tf | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/terraform/gitops/generate-files/templates/storage/external-secrets/longhorn-extsecret.yaml.tpl b/terraform/gitops/generate-files/templates/storage/external-secrets/longhorn-extsecret.yaml.tpl
index 59adc83f9..10ee70ca8 100644
--- a/terraform/gitops/generate-files/templates/storage/external-secrets/longhorn-extsecret.yaml.tpl
+++ b/terraform/gitops/generate-files/templates/storage/external-secrets/longhorn-extsecret.yaml.tpl
@@ -17,6 +17,8 @@ spec:
 template:
 data:
 AWS_ENDPOINTS: ${minio_api_url}
+ AWS_SECRET_ACCESS_KEY: "{{ .AWS_SECRET_ACCESS_KEY | toString }}"
+ AWS_ACCESS_KEY_ID: "{{ .AWS_ACCESS_KEY_ID | toString }}"
 data:
 - secretKey: AWS_SECRET_ACCESS_KEY # TODO: max provider agnostic
diff --git a/terraform/gitops/k8s-cluster-config/storage-config.tf b/terraform/gitops/k8s-cluster-config/storage-config.tf
index ec478673d..136839244 100644
--- a/terraform/gitops/k8s-cluster-config/storage-config.tf
+++ b/terraform/gitops/k8s-cluster-config/storage-config.tf
@@ -11,7 +11,7 @@ module "generate_storage_files" {
 replica_count = var.longhorn_replica_count
 longhorn_backups_credentials_id_provider_key = "${var.cluster_name}/${local.longhorn_backups_credentials_id_provider_key}"
 longhorn_backups_credentials_secret_provider_key = "${var.cluster_name}/${local.longhorn_backups_credentials_secret_provider_key}"
- minio_api_url = "http://${var.minio_api_url}"
+ minio_api_url = ${var.minio_api_url}
 gitlab_project_url = var.gitlab_project_url
 longhorn_namespace = var.longhorn_namespace
 external_secret_sync_wave = var.external_secret_sync_wave
From ae34c42c570703b3caaa340b2367e6263453bfaf Mon Sep 17 00:00:00 2001
From: Sijo George Date: Wed, 27 Mar 2024 16:42:23 +0530 Subject: [PATCH 070/201] commenting out longhorn s3 backups
---
 terraform/aws/post-config-k8s/longhorn_backups.tf | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/terraform/aws/post-config-k8s/longhorn_backups.tf b/terraform/aws/post-config-k8s/longhorn_backups.tf
index 57b9d70c9..1f6d511b3 100644
--- a/terraform/aws/post-config-k8s/longhorn_backups.tf
+++ b/terraform/aws/post-config-k8s/longhorn_backups.tf
@@ -1,3 +1,4 @@
+/*
 resource "aws_s3_bucket" "longhorn_backups" {
 bucket = "${local.base_domain}-lhbck"
 force_destroy = var.longhorn_backup_s3_destroy
@@ -51,3 +52,4 @@ resource "aws_iam_user_policy" "longhorn_backups" {
 }
 EOF
 }
+*/
\ No newline at end of file
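Review bot: `AWS_ENDPOINTS: ${minio_api_url}` on the context line is an unquoted templatefile substitution, while the two added keys show the quoting the rest of this `template.data` block uses; writing it as `AWS_ENDPOINTS: "${minio_api_url}"` keeps the rendered value a YAML string whatever the variable expands to (empty, a bare host:port, or a URL with a scheme). The `| toString` pipelines on the two added keys look right for an ExternalSecret template, assuming the `data:` section that starts at the bottom of the hunk still maps both keys from the provider. The `spec:` block starts and ends outside the hunk.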
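Review bot: Wrapping `aws_s3_bucket.longhorn_backups` and `aws_iam_user_policy.longhorn_backups` in `/* … */` makes the next apply plan their destruction, not just stop managing them, and with `force_destroy = var.longhorn_backup_s3_destroy` visible in the first hunk that plan either fails on a non-empty bucket or deletes every existing backup in it, depending on that flag. If the bucket and its contents are meant to survive the move to MinIO, remove the resources from state (`terraform state rm`) before applying, and delete the file rather than leaving the whole module as a block comment; if the destruction is intended, a one-line comment above `+/*` saying so would record that decision. The second hunk also leaves the file without a trailing newline. Both resources run beyond the hunks shown.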
From 40eac46578563d558aa093271892175fc281dd21 Mon Sep 17 00:00:00 2001
From: Sijo George Date: Wed, 27 Mar 2024 17:01:06 +0530 Subject: [PATCH 071/201] adding lifecycle rule
---
 .../control-center-post-config/minio.tf | 18 ++++++++++++++++++
 .../control-center-post-config/variables.tf | 10 ++++++++++
 .../control-center-post-config/terragrunt.hcl | 2 ++
 terraform/control-center/init/environment.yaml | 2 ++
 4 files changed, 32 insertions(+)
diff --git a/terraform/config-params/control-center-post-config/minio.tf b/terraform/config-params/control-center-post-config/minio.tf
index 9c85834cc..0054507e9 100644
--- a/terraform/config-params/control-center-post-config/minio.tf
+++ b/terraform/config-params/control-center-post-config/minio.tf
@@ -4,6 +4,15 @@ resource "minio_s3_bucket" "loki-s3-bucket" {
 bucket = "${each.key}-loki"
 }
+resource "minio_ilm_policy" "loki-bucket-lifecycle-rules" {
+ for_each = var.env_map
+ bucket = minio_s3_bucket.loki-s3-bucket[each.key].bucket
+ rule {
+ id = "expire ${each.key}-loki"
+ expiration = var.loki_data_expiry
+ }
+}
+
 resource "random_password" "minio_loki_password" {
 for_each = var.env_map
 length = 20
@@ -85,6 +94,15 @@ resource "minio_s3_bucket" "longhorn-s3-bucket" {
 bucket = "${each.key}-longhorn-backup"
 }
+resource "minio_ilm_policy" "longhorn-bucket-lifecycle-rules" {
+ for_each = var.env_map
+ bucket = minio_s3_bucket.longhorn-s3-bucket[each.key].bucket
+ rule {
+ id = "expire ${each.key}-longhorn"
+ expiration = var.longhorn_backup_data_expiry
+ }
+}
+
 resource "random_password" "minio_longhorn_password" {
 for_each = var.env_map
 length = 20
diff --git a/terraform/config-params/control-center-post-config/variables.tf b/terraform/config-params/control-center-post-config/variables.tf
index 46a1e9658..7669ca9ca 100644
--- a/terraform/config-params/control-center-post-config/variables.tf
+++ b/terraform/config-params/control-center-post-config/variables.tf
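Review bot: `expiration = var.longhorn_backup_data_expiry` in the second minio.tf hunk expires Longhorn backup objects purely by age, and Longhorn backups share deduplicated block objects between incremental backups, so an object-age rule can delete blocks that a newer, not-yet-expired backup still references and leave restores failing. Longhorn's own retention (the RecurringJob `retain` count) prunes whole backups consistently and is the safer place for this policy; if the MinIO rule is kept, a comment on the rule such as `# NOTE: age-based expiry; must not be shorter than the Longhorn retain window` should record the dependency. The Loki rule in the first hunk has the same shape; whether Loki tolerates chunks disappearing under its index depends on its retention settings, which are not visible here. Both new resources are complete within their hunks.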
@@ -69,4 +69,14 @@ variable "netmaker_host_name" {
 variable "netmaker_version" {
 description = "netmaker version"
+}
+
+variable "loki_data_expiry" {
+ description = "number of days to expire minio loki bucket data"
+ default = "7d"
+}
+
+variable "longhorn_backup_data_expiry" {
+ description = "number of days to expire minio longhorn bucket data"
+ default = "7d"
 }
\ No newline at end of file
diff --git a/terraform/control-center/init/control-center-post-config/terragrunt.hcl b/terraform/control-center/init/control-center-post-config/terragrunt.hcl
index 89ccde759..26faecfe6 100644
--- a/terraform/control-center/init/control-center-post-config/terragrunt.hcl
+++ b/terraform/control-center/init/control-center-post-config/terragrunt.hcl
@@ -72,6 +72,8 @@ inputs = {
 netmaker_version = local.env_vars.netmaker_version
 gitlab_admin_rbac_group = local.env_vars.gitlab_admin_rbac_group
 gitlab_readonly_rbac_group = local.env_vars.gitlab_readonly_rbac_group
+ loki_data_expiry = local.env_vars.loki_data_expiry
+ longhorn_backup_data_expiry = local.env_vars.longhorn_backup_data_expiry
 }
 locals {
diff --git a/terraform/control-center/init/environment.yaml b/terraform/control-center/init/environment.yaml
index fafcbc87f..d5d9f95c6 100644
--- a/terraform/control-center/init/environment.yaml
+++ b/terraform/control-center/init/environment.yaml
@@ -14,6 +14,8 @@ netmaker_version: 0.18.7
 letsencrypt_email: test@mojalabs.io
 delete_storage_on_term: true
 docker_server_extra_vol_size: 100
+loki_data_expiry: 1d
+longhorn_backup_data_expiry: 1d
 envs:
 - env: dev
 domain: labsk8s604.mojaloop.live
From cb86a9605efbbc14c849d28eb4ea4c4dfacab58f Mon Sep 17 00:00:00 2001
From: Sijo George Date: Wed, 27 Mar 2024 17:25:48 +0530 Subject: [PATCH 072/201] correcting the variable reference
---
 terraform/gitops/k8s-cluster-config/storage-config.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
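Review bot: `variable "loki_data_expiry"` and `variable "longhorn_backup_data_expiry"` declare no `type`, and their descriptions say "number of days" while the default `"7d"` and the `1d` set in the environment.yaml hunk of this commit are duration strings; adding `type = string` and rewording to `description = "retention period for the minio loki bucket data, e.g. \"7d\""` makes the accepted format explicit. The `1d` in environment.yaml also means Longhorn backups are expired after one day, leaving at most one day of recovery points for the environment that file drives, which is worth confirming as intended. The terragrunt.hcl hunk passes both values through correctly, and the file still ends without a trailing newline.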
diff --git a/terraform/gitops/k8s-cluster-config/storage-config.tf b/terraform/gitops/k8s-cluster-config/storage-config.tf
index 136839244..2e54f987c 100644
--- a/terraform/gitops/k8s-cluster-config/storage-config.tf
+++ b/terraform/gitops/k8s-cluster-config/storage-config.tf
@@ -11,7 +11,7 @@ module "generate_storage_files" {
 replica_count = var.longhorn_replica_count
 longhorn_backups_credentials_id_provider_key = "${var.cluster_name}/${local.longhorn_backups_credentials_id_provider_key}"
 longhorn_backups_credentials_secret_provider_key = "${var.cluster_name}/${local.longhorn_backups_credentials_secret_provider_key}"
- minio_api_url = ${var.minio_api_url}
+ minio_api_url = var.minio_api_url
 gitlab_project_url = var.gitlab_project_url
 longhorn_namespace = var.longhorn_namespace
 external_secret_sync_wave = var.external_secret_sync_wave
From fba04d262676f9b1ea9f57a525a8f7c6cc4694fe Mon Sep 17 00:00:00 2001
From: Sijo George Date: Wed, 27 Mar 2024 17:40:13 +0530 Subject: [PATCH 073/201] Removing longhorn old refs
---
 terraform/aws/post-config-k8s/outputs.tf | 12 ++++++------
 terraform/bare-metal/base-k8s/outputs.tf | 12 ++++++------
 terraform/gitops/k8s-cluster-config/stored-params.tf | 8 ++++----
 terraform/k8s/gitops-build/terragrunt.hcl | 6 +++---
 4 files changed, 19 insertions(+), 19 deletions(-)
diff --git a/terraform/aws/post-config-k8s/outputs.tf b/terraform/aws/post-config-k8s/outputs.tf
index 0ad98cd37..6d16ed535 100644
--- a/terraform/aws/post-config-k8s/outputs.tf
+++ b/terraform/aws/post-config-k8s/outputs.tf
@@ -3,14 +3,14 @@ output "secrets_var_map" {
 value = {
 route53_external_dns_access_key = aws_iam_access_key.route53-external-dns.id
 route53_external_dns_secret_key = aws_iam_access_key.route53-external-dns.secret
- longhorn_backups_access_key = aws_iam_access_key.longhorn_backups.id
- longhorn_backups_secret_key = aws_iam_access_key.longhorn_backups.secret
+# longhorn_backups_access_key = aws_iam_access_key.longhorn_backups.id
+# longhorn_backups_secret_key = aws_iam_access_key.longhorn_backups.secret
 }
 }
 output "properties_var_map" {
 value = {
- longhorn_backups_bucket_name = aws_s3_bucket.longhorn_backups.bucket
+# longhorn_backups_bucket_name = aws_s3_bucket.longhorn_backups.bucket
 external_dns_credentials_client_id_name = "AWS_ACCESS_KEY_ID"
 external_dns_credentials_client_secret_name = "AWS_SECRET_ACCESS_KEY"
 cert_manager_credentials_client_id_name = "AWS_ACCESS_KEY_ID"
@@ -22,14 +22,14 @@ output "post_config_secrets_key_map" {
 value = {
 external_dns_cred_id_key = "route53_external_dns_access_key"
 external_dns_cred_secret_key = "route53_external_dns_secret_key"
- longhorn_backups_cred_id_key = "longhorn_backups_access_key"
- longhorn_backups_cred_secret_key = "longhorn_backups_secret_key"
+# longhorn_backups_cred_id_key = "longhorn_backups_access_key"
+# longhorn_backups_cred_secret_key = "longhorn_backups_secret_key"
 }
 }
 output "post_config_properties_key_map" {
 value = {
- longhorn_backups_bucket_name_key = "longhorn_backups_bucket_name"
+# longhorn_backups_bucket_name_key = "longhorn_backups_bucket_name"
 external_dns_credentials_client_id_name_key = "external_dns_credentials_client_id_name"
 external_dns_credentials_client_secret_name_key = "external_dns_credentials_client_secret_name"
 cert_manager_credentials_client_id_name_key = "cert_manager_credentials_client_id_name"
diff --git a/terraform/bare-metal/base-k8s/outputs.tf b/terraform/bare-metal/base-k8s/outputs.tf
index 4fbad7082..b491848f8 100644
--- a/terraform/bare-metal/base-k8s/outputs.tf
+++ b/terraform/bare-metal/base-k8s/outputs.tf
@@ -170,13 +170,13 @@ locals {
 secrets_var_map = {
 route53_external_dns_access_key = var.app_var_map.route53_external_dns_access_key
 route53_external_dns_secret_key = var.app_var_map.route53_external_dns_secret_key
- longhorn_backups_access_key = var.app_var_map.longhorn_backups_access_key
- longhorn_backups_secret_key = var.app_var_map.longhorn_backups_secret_key
+# longhorn_backups_access_key = var.app_var_map.longhorn_backups_access_key
+# longhorn_backups_secret_key = var.app_var_map.longhorn_backups_secret_key
 }
 properties_var_map = {
- longhorn_backups_bucket_name = var.app_var_map.longhorn_backups_bucket_name
+# longhorn_backups_bucket_name = var.app_var_map.longhorn_backups_bucket_name
 external_dns_credentials_client_id_name = var.app_var_map.external_dns_credentials_client_id_name
 external_dns_credentials_client_secret_name = var.app_var_map.external_dns_credentials_client_secret_name
 cert_manager_credentials_client_id_name = var.app_var_map.cert_manager_credentials_client_id_name
@@ -186,12 +186,12 @@ locals {
 post_config_secrets_key_map = {
 external_dns_cred_id_key = "route53_external_dns_access_key"
 external_dns_cred_secret_key = "route53_external_dns_secret_key"
- longhorn_backups_cred_id_key = "longhorn_backups_access_key"
- longhorn_backups_cred_secret_key = "longhorn_backups_secret_key"
+# longhorn_backups_cred_id_key = "longhorn_backups_access_key"
+# longhorn_backups_cred_secret_key = "longhorn_backups_secret_key"
 }
 post_config_properties_key_map = {
- longhorn_backups_bucket_name_key = "longhorn_backups_bucket_name"
+# longhorn_backups_bucket_name_key = "longhorn_backups_bucket_name"
 external_dns_credentials_client_id_name_key = "external_dns_credentials_client_id_name"
 external_dns_credentials_client_secret_name_key = "external_dns_credentials_client_secret_name"
 cert_manager_credentials_client_id_name_key = "cert_manager_credentials_client_id_name"
diff --git a/terraform/gitops/k8s-cluster-config/stored-params.tf b/terraform/gitops/k8s-cluster-config/stored-params.tf
index 89606ffec..e4a7d8dcf 100644
--- a/terraform/gitops/k8s-cluster-config/stored-params.tf
+++ b/terraform/gitops/k8s-cluster-config/stored-params.tf
@@ -13,10 +13,10 @@ data "gitlab_project_variable" "cloud_region" {
 key = "CLOUD_REGION"
 }
-data "gitlab_project_variable" "longhorn_backups_bucket_name" {
- project = var.current_gitlab_project_id
- key = var.properties_key_map["longhorn_backups_bucket_name_key"]
-}
+#data "gitlab_project_variable" "longhorn_backups_bucket_name" {
+# project = var.current_gitlab_project_id
+# key = var.properties_key_map["longhorn_backups_bucket_name_key"]
+#}
 data "gitlab_project_variable" "cert_manager_credentials_client_secret_name" {
 project = var.current_gitlab_project_id
diff --git a/terraform/k8s/gitops-build/terragrunt.hcl b/terraform/k8s/gitops-build/terragrunt.hcl
index 726aa13f5..300074a2a 100644
--- a/terraform/k8s/gitops-build/terragrunt.hcl
+++ b/terraform/k8s/gitops-build/terragrunt.hcl
@@ -27,13 +27,13 @@ dependency "k8s_deploy" {
 target_group_external_https_port = 0
 target_group_external_http_port = 0
 properties_key_map = {
- longhorn_backups_bucket_name_key = "mock"
+# longhorn_backups_bucket_name_key = "mock"
 }
 secrets_key_map = {
 external_dns_cred_id_key = "mock"
 external_dns_cred_secret_key = "mock"
- longhorn_backups_cred_id_key = "mock"
- longhorn_backups_cred_secret_key = "mock"
+# longhorn_backups_cred_id_key = "mock"
+# longhorn_backups_cred_secret_key = "mock"
 }
 haproxy_server_fqdn = "null"
 private_network_cidr = ""
From d34be4dc4ae19d6282b656795f0f4199c2483263 Mon Sep 17 00:00:00 2001
From: Sijo George Date: Wed, 27 Mar 2024 19:01:17 +0530 Subject: [PATCH 074/201] removing commented lines
---
 terraform/aws/post-config-k8s/outputs.tf | 6 ------
 terraform/bare-metal/base-k8s/outputs.tf | 6 ------
 terraform/gitops/k8s-cluster-config/stored-params.tf | 4 ----
 terraform/k8s/gitops-build/terragrunt.hcl | 3 ---
 4 files changed, 19 deletions(-)
diff --git a/terraform/aws/post-config-k8s/outputs.tf b/terraform/aws/post-config-k8s/outputs.tf
index 6d16ed535..a67ae6d1a 100644
--- a/terraform/aws/post-config-k8s/outputs.tf
+++ b/terraform/aws/post-config-k8s/outputs.tf
@@ -3,14 +3,11 @@ output "secrets_var_map" {
 value = {
 route53_external_dns_access_key = aws_iam_access_key.route53-external-dns.id
 route53_external_dns_secret_key = aws_iam_access_key.route53-external-dns.secret
-# longhorn_backups_access_key = aws_iam_access_key.longhorn_backups.id
-# longhorn_backups_secret_key = aws_iam_access_key.longhorn_backups.secret
 }
 }
 output "properties_var_map" {
 value = {
-# longhorn_backups_bucket_name = aws_s3_bucket.longhorn_backups.bucket
 external_dns_credentials_client_id_name = "AWS_ACCESS_KEY_ID"
 external_dns_credentials_client_secret_name = "AWS_SECRET_ACCESS_KEY"
 cert_manager_credentials_client_id_name = "AWS_ACCESS_KEY_ID"
@@ -22,14 +19,11 @@ output "post_config_secrets_key_map" {
 value = {
 external_dns_cred_id_key = "route53_external_dns_access_key"
 external_dns_cred_secret_key = "route53_external_dns_secret_key"
-# longhorn_backups_cred_id_key = "longhorn_backups_access_key"
-# longhorn_backups_cred_secret_key = "longhorn_backups_secret_key"
 }
 }
 output "post_config_properties_key_map" {
 value = {
-# longhorn_backups_bucket_name_key = "longhorn_backups_bucket_name"
 external_dns_credentials_client_id_name_key = "external_dns_credentials_client_id_name"
 external_dns_credentials_client_secret_name_key = "external_dns_credentials_client_secret_name"
 cert_manager_credentials_client_id_name_key = "cert_manager_credentials_client_id_name"
diff --git a/terraform/bare-metal/base-k8s/outputs.tf b/terraform/bare-metal/base-k8s/outputs.tf
index b491848f8..59d5d1400 100644
--- a/terraform/bare-metal/base-k8s/outputs.tf
+++ b/terraform/bare-metal/base-k8s/outputs.tf
@@ -170,13 +170,10 @@ locals {
 secrets_var_map = {
 route53_external_dns_access_key = var.app_var_map.route53_external_dns_access_key
 route53_external_dns_secret_key = var.app_var_map.route53_external_dns_secret_key
-# longhorn_backups_access_key = var.app_var_map.longhorn_backups_access_key
-# longhorn_backups_secret_key = var.app_var_map.longhorn_backups_secret_key
 }
 properties_var_map = {
-# longhorn_backups_bucket_name = var.app_var_map.longhorn_backups_bucket_name
 external_dns_credentials_client_id_name = var.app_var_map.external_dns_credentials_client_id_name
 external_dns_credentials_client_secret_name = var.app_var_map.external_dns_credentials_client_secret_name
 cert_manager_credentials_client_id_name = var.app_var_map.cert_manager_credentials_client_id_name
@@ -186,12 +183,9 @@ locals {
 post_config_secrets_key_map = {
 external_dns_cred_id_key = "route53_external_dns_access_key"
 external_dns_cred_secret_key = "route53_external_dns_secret_key"
-# longhorn_backups_cred_id_key = "longhorn_backups_access_key"
-# longhorn_backups_cred_secret_key = "longhorn_backups_secret_key"
 }
 post_config_properties_key_map = {
-# longhorn_backups_bucket_name_key = "longhorn_backups_bucket_name"
 external_dns_credentials_client_id_name_key = "external_dns_credentials_client_id_name"
 external_dns_credentials_client_secret_name_key = "external_dns_credentials_client_secret_name"
 cert_manager_credentials_client_id_name_key = "cert_manager_credentials_client_id_name"
diff --git a/terraform/gitops/k8s-cluster-config/stored-params.tf b/terraform/gitops/k8s-cluster-config/stored-params.tf
index e4a7d8dcf..83a94a3fe 100644
--- a/terraform/gitops/k8s-cluster-config/stored-params.tf
+++ b/terraform/gitops/k8s-cluster-config/stored-params.tf
@@ -13,10 +13,6 @@ data "gitlab_project_variable" "cloud_region" {
 key = "CLOUD_REGION"
 }
-#data "gitlab_project_variable" "longhorn_backups_bucket_name" {
-# project = var.current_gitlab_project_id
-# key = var.properties_key_map["longhorn_backups_bucket_name_key"]
-#}
 data "gitlab_project_variable" "cert_manager_credentials_client_secret_name" {
 project = var.current_gitlab_project_id
diff --git a/terraform/k8s/gitops-build/terragrunt.hcl b/terraform/k8s/gitops-build/terragrunt.hcl
index 300074a2a..08d247ed4 100644
--- a/terraform/k8s/gitops-build/terragrunt.hcl
+++ b/terraform/k8s/gitops-build/terragrunt.hcl
@@ -27,13 +27,10 @@ dependency "k8s_deploy" {
 target_group_external_https_port = 0
 target_group_external_http_port = 0
 properties_key_map = {
-# longhorn_backups_bucket_name_key = "mock"
 }
 secrets_key_map = {
 external_dns_cred_id_key = "mock"
 external_dns_cred_secret_key = "mock"
-# longhorn_backups_cred_id_key = "mock"
-# longhorn_backups_cred_secret_key = "mock"
 }
 haproxy_server_fqdn = "null"
 private_network_cidr = ""
From 2615bf11914338339883e3fb6f2cc1f222125ccb Mon Sep 17 00:00:00 2001
From: David Fry Date: Thu, 28 Mar 2024 07:47:36 +0000 Subject: [PATCH 075/201] fix typo on internal/external
---
 terraform/gitops/k8s-cluster-config/app-deploy.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/terraform/gitops/k8s-cluster-config/app-deploy.tf b/terraform/gitops/k8s-cluster-config/app-deploy.tf
index b6b92c296..03d4ce4ae 100644
--- a/terraform/gitops/k8s-cluster-config/app-deploy.tf
+++ b/terraform/gitops/k8s-cluster-config/app-deploy.tf
@@ -319,8 +319,8 @@ locals {
 local.mojaloop_wildcard_gateway == "external" ? [local.ttk_frontend_public_fqdn, local.ttk_backend_public_fqdn] : [],
 local.mcm_wildcard_gateway == "external" ? [local.mcm_public_fqdn] : [])
- vnext_internal_gateway_hosts = local.mojaloop_wildcard_gateway == "internal" ? [local.vnext_admin_ui_fqdn] : []
- vnext_external_gateway_hosts = local.mojaloop_wildcard_gateway == "external" ? [local.vnext_admin_ui_fqdn] : []
+ vnext_internal_gateway_hosts = local.vnext_wildcard_gateway == "internal" ? [local.vnext_admin_ui_fqdn] : []
+ vnext_external_gateway_hosts = local.vnext_wildcard_gateway == "external" ? [local.vnext_admin_ui_fqdn] : []
 portal_fqdns = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => "portal-${pm4ml.pm4ml}.${var.public_subdomain}" }
 admin_portal_fqdns = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => "admin-portal-${pm4ml.pm4ml}.${var.public_subdomain}" }
From 38b7fffd13a0597f97c39313a2a7b8423f4f82a9 Mon Sep 17 00:00:00 2001
From: Sijo George Date: Thu, 28 Mar 2024 13:25:36 +0530 Subject: [PATCH 076/201] change in policy
---
 terraform/config-params/control-center-post-config/minio.tf | 2 --
 1 file changed, 2 deletions(-)
diff --git a/terraform/config-params/control-center-post-config/minio.tf b/terraform/config-params/control-center-post-config/minio.tf
index 0054507e9..543318d73 100644
--- a/terraform/config-params/control-center-post-config/minio.tf
+++ b/terraform/config-params/control-center-post-config/minio.tf
@@ -41,7 +41,6 @@ resource "minio_iam_policy" "loki-iam-policy" {
 "Sid":"AccessEnvLokiBucket",
 "Effect": "Allow",
 "Action": ["*"],
- "Principal":"*",
 "Resource": ["${minio_s3_bucket.loki-s3-bucket[each.key].arn}"]
 }
 ]
@@ -131,7 +130,6 @@ resource "minio_iam_policy" "longhorn-iam-policy" {
 "Sid":"AccessEnvlonghornBucket",
 "Effect": "Allow",
 "Action": ["*"],
- "Principal":"*",
 "Resource": ["${minio_s3_bucket.longhorn-s3-bucket[each.key].arn}"]
 }
 ]
From 1488f24a8ec7d18fbd10ecb11b602129643787c0 Mon Sep 17 00:00:00 2001
From: Sijo George Date: Thu, 28 Mar 2024 13:49:07 +0530 Subject: [PATCH 077/201] change in policy
---
 terraform/config-params/control-center-post-config/minio.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/terraform/config-params/control-center-post-config/minio.tf b/terraform/config-params/control-center-post-config/minio.tf
index 543318d73..361c8dee2 100644
--- a/terraform/config-params/control-center-post-config/minio.tf
+++ b/terraform/config-params/control-center-post-config/minio.tf
@@ -40,7 +40,7 @@ resource "minio_iam_policy" "loki-iam-policy" {
 {
 "Sid":"AccessEnvLokiBucket",
 "Effect": "Allow",
- "Action": ["*"],
+ "Action": "s3:*",
 "Resource": ["${minio_s3_bucket.loki-s3-bucket[each.key].arn}"]
 }
 ]
@@ -129,7 +129,7 @@ resource "minio_iam_policy" "longhorn-iam-policy" {
 {
 "Sid":"AccessEnvlonghornBucket",
 "Effect": "Allow",
- "Action": ["*"],
+ "Action": "s3:*",
 "Resource": ["${minio_s3_bucket.longhorn-s3-bucket[each.key].arn}"]
 }
 ]
From b8498132d45efdc7e660d08f164a17135d7a6b65 Mon Sep 17 00:00:00 2001
From: Sijo George Date: Thu, 28 Mar 2024 14:07:02 +0530 Subject: [PATCH 078/201] adding changes in permission
---
 .../config-params/control-center-post-config/minio.tf | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/terraform/config-params/control-center-post-config/minio.tf b/terraform/config-params/control-center-post-config/minio.tf
index 361c8dee2..c03dc7664 100644
--- a/terraform/config-params/control-center-post-config/minio.tf
+++ b/terraform/config-params/control-center-post-config/minio.tf
@@ -41,7 +41,9 @@ resource "minio_iam_policy" "loki-iam-policy" {
 "Sid":"AccessEnvLokiBucket",
 "Effect": "Allow",
 "Action": "s3:*",
- "Resource": ["${minio_s3_bucket.loki-s3-bucket[each.key].arn}"]
+ "Resource": ["${minio_s3_bucket.loki-s3-bucket[each.key].arn}",
+ "${minio_s3_bucket.loki-s3-bucket[each.key].arn}/*"
+ ]
 }
 ]
 }
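Review bot: `"Action": "s3:*"` still grants the per-environment Loki credential every bucket-level administrative action, for example `s3:DeleteBucket` and `s3:PutLifecycleConfiguration`, so the lifecycle rule that PATCH 071 manages from Terraform can be altered or removed by the workload credential itself. The same applies to the longhorn policy hunk of this commit and to both hunks of PATCH 078, which correctly add the `/*` object resource but keep the wildcard action. Restricting the list to what the consumer needs, typically `"Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket"]`, keeps each credential at least privilege; a comment above the statement naming which actions the consumer was verified to use would make later widening deliberate. Each `minio_iam_policy` resource starts outside its hunk.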
@@ -130,7 +132,9 @@ resource "minio_iam_policy" "longhorn-iam-policy" {
 "Sid":"AccessEnvlonghornBucket",
 "Effect": "Allow",
 "Action": "s3:*",
- "Resource": ["${minio_s3_bucket.longhorn-s3-bucket[each.key].arn}"]
+ "Resource": ["${minio_s3_bucket.longhorn-s3-bucket[each.key].arn}",
+ "${minio_s3_bucket.longhorn-s3-bucket[each.key].arn}/*"
+ ]
 }
 ]
 }
From 68747ad08005460b14206431a574584592c8ce4d Mon Sep 17 00:00:00 2001
From: Aaron Reynoza Date: Thu, 28 Mar 2024 17:37:59 -0600 Subject: [PATCH 079/201] add more values pt-1
---
 .../stateful-resources/values-mysql.yaml.tpl | 62 +++++++++----------
 .../mojaloop-stateful-resources.json | 10 +++
 2 files changed, 41 insertions(+), 31 deletions(-)
diff --git a/terraform/gitops/generate-files/templates/stateful-resources/values-mysql.yaml.tpl b/terraform/gitops/generate-files/templates/stateful-resources/values-mysql.yaml.tpl
index 2a58e66d2..c131f01de 100644
--- a/terraform/gitops/generate-files/templates/stateful-resources/values-mysql.yaml.tpl
+++ b/terraform/gitops/generate-files/templates/stateful-resources/values-mysql.yaml.tpl
@@ -136,18 +136,18 @@ primary:
 ##
 configuration: |-
 [mysqld]
- default_authentication_plugin=mysql_native_password
+ default_authentication_plugin=${resource.local_resource_config.mysql_data.default_authentication_plugin}
 skip-name-resolve
 explicit_defaults_for_timestamp
- basedir=/opt/bitnami/mysql
- plugin_dir=/opt/bitnami/mysql/lib/plugin
- port=3306
- socket=/opt/bitnami/mysql/tmp/mysql.sock
- datadir=/bitnami/mysql/data
- tmpdir=/opt/bitnami/mysql/tmp
- max_allowed_packet=16M
- bind-address=*
- pid-file=/opt/bitnami/mysql/tmp/mysqld.pid
+ basedir=${resource.local_resource_config.mysql_data.basedir}
+ plugin_dir=${resource.local_resource_config.mysql_data.plugin_dir}
+ port=${resource.local_resource_config.mysql_data.port}
+ socket=${resource.local_resource_config.mysql_data.socket}
+ datadir=${resource.local_resource_config.mysql_data.datadir}
+ tmpdir=${resource.local_resource_config.mysql_data.tmpdir}
+ max_allowed_packet=${resource.local_resource_config.mysql_data.max_allowed_packet}
+ bind-address=${resource.local_resource_config.mysql_data.bind-address}
+ pid-file=${resource.local_resource_config.mysql_data.pid-file}
 log-error=/opt/bitnami/mysql/logs/mysqld.log
 character-set-server=UTF8
 collation-server=utf8_general_ci
@@ -160,15 +160,15 @@ primary:
 innodb_buffer_pool_size=2147483648
 [client]
- port=3306
- socket=/opt/bitnami/mysql/tmp/mysql.sock
+ port=${resource.local_resource_config.mysql_data.port}
+ socket=${resource.local_resource_config.mysql_data.socket}
 default-character-set=UTF8
- plugin_dir=/opt/bitnami/mysql/lib/plugin
+ plugin_dir=${resource.local_resource_config.mysql_data.plugin_dir}
 [manager]
- port=3306
- socket=/opt/bitnami/mysql/tmp/mysql.sock
- pid-file=/opt/bitnami/mysql/tmp/mysqld.pid
+ port=${resource.local_resource_config.mysql_data.port}
+ socket=${resource.local_resource_config.mysql_data.socket}
+ pid-file=${resource.local_resource_config.mysql_data.pid-file}
 ## @param primary.existingConfigmap Name of existing ConfigMap with MySQL Primary configuration.
 ## NOTE: When it's set the 'configuration' parameter is ignored
 ##
@@ -445,18 +445,18 @@ secondary:
 ##
 configuration: |-
 [mysqld]
- default_authentication_plugin=mysql_native_password
+ default_authentication_plugin=${resource.local_resource_config.mysql_data.default_authentication_plugin}
 skip-name-resolve
 explicit_defaults_for_timestamp
 basedir=/opt/bitnami/mysql
- plugin_dir=/opt/bitnami/mysql/lib/plugin
- port=3306
- socket=/opt/bitnami/mysql/tmp/mysql.sock
- datadir=/bitnami/mysql/data
- tmpdir=/opt/bitnami/mysql/tmp
- max_allowed_packet=16M
- bind-address=*
- pid-file=/opt/bitnami/mysql/tmp/mysqld.pid
+ plugin_dir=${resource.local_resource_config.mysql_data.plugin_dir}
+ port=${resource.local_resource_config.mysql_data.port}
+ socket=${resource.local_resource_config.mysql_data.socket}
+ datadir=${resource.local_resource_config.mysql_data.datadir}
+ tmpdir=${resource.local_resource_config.mysql_data.tmpdir}
+ max_allowed_packet=${resource.local_resource_config.mysql_data.max_allowed_packet}
+ bind-address=${resource.local_resource_config.mysql_data.bind-address}
+ pid-file=${resource.local_resource_config.mysql_data.pid-file}
 log-error=/opt/bitnami/mysql/logs/mysqld.log
 character-set-server=UTF8
 collation-server=utf8_general_ci
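Review bot: `basedir=/opt/bitnami/mysql` is left hard-coded in the secondary `[mysqld]` section while the primary hunk at the same position templates it as `basedir=${resource.local_resource_config.mysql_data.basedir}`; the two sections otherwise change in lockstep, so this looks like an omission and the line should read `basedir=${resource.local_resource_config.mysql_data.basedir}` so primary and secondary cannot drift when the JSON value changes. The `configuration: |-` block scalar starts and ends outside the hunk.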
@@ -467,15 +467,15 @@ secondary:
 innodb_use_native_aio=0
 [client]
- port=3306
- socket=/opt/bitnami/mysql/tmp/mysql.sock
+ port=${resource.local_resource_config.mysql_data.port}
+ socket=${resource.local_resource_config.mysql_data.socket}
 default-character-set=UTF8
- plugin_dir=/opt/bitnami/mysql/lib/plugin
+ plugin_dir=${resource.local_resource_config.mysql_data.plugin_dir}
 [manager]
- port=3306
- socket=/opt/bitnami/mysql/tmp/mysql.sock
- pid-file=/opt/bitnami/mysql/tmp/mysqld.pid
+ port=${resource.local_resource_config.mysql_data.port}
+ socket=${resource.local_resource_config.mysql_data.socket}
+ pid-file=${resource.local_resource_config.mysql_data.pid-file}
 ## @param secondary.existingConfigmap Name of existing ConfigMap with MySQL Secondary configuration.
 ## NOTE: When it's set the 'configuration' parameter is ignored
 ##
diff --git a/terraform/k8s/default-config/mojaloop-stateful-resources.json b/terraform/k8s/default-config/mojaloop-stateful-resources.json
index ef6b96e4c..6940a4cbd 100644
--- a/terraform/k8s/default-config/mojaloop-stateful-resources.json
+++ b/terraform/k8s/default-config/mojaloop-stateful-resources.json
@@ -351,6 +351,16 @@
 "general_log": 1,
 "slow_query_log": 1,
 "root_password": "",
+ "default_authentication_plugin": "mysql_native_password",
+ "basedir": "/opt/bitnami/mysql",
+ "plugin_dir": "/opt/bitnami/mysql/lib/plugin",
+ "socket": "/opt/bitnami/mysql/tmp/mysql.sock",
+ "datadir": "/bitnami/mysql/data",
+ "tmpdir": "/opt/bitnami/mysql/tmp",
+ "max_allowed_packet": "16M",
+ "bind-address": "*",
+ "pid-file": "/opt/bitnami/mysql/tmp/mysqld.pid",
+ "port": 3306,
 "user": "central_ledger",
 "user_password": "",
 "database_name": "central_ledger",
From c26911b1bd001cb483f7a9d168c7f2f4b4705644 Mon Sep 17 00:00:00 2001
From: David Fry Date: Tue, 2 Apr 2024 09:34:19 +0100 Subject: [PATCH 080/201] bump to latest chart version
---
 terraform/k8s/default-config/vnext-vars.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
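Review bot: The ten new keys are added only to the one resource entry visible in the JSON hunk (the `central_ledger` database), but `values-mysql.yaml.tpl` now dereferences `mysql_data.basedir`, `mysql_data.port` and the rest for every MySQL resource it renders, so any other MySQL entry in this file that lacks them would fail at templatefile rendering instead of falling back to the former literal values; presumably there are other entries, so they need the same keys or the template needs defaults. `"port": 3306` is the only non-string value in the new group and is only ever interpolated into text, so `"port": "3306"` would keep the group uniformly typed. The enclosing JSON object starts and ends outside the hunk.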
diff --git a/terraform/k8s/default-config/vnext-vars.yaml b/terraform/k8s/default-config/vnext-vars.yaml
index be2b3c5f0..c0b763d04 100644
--- a/terraform/k8s/default-config/vnext-vars.yaml
+++ b/terraform/k8s/default-config/vnext-vars.yaml
@@ -1,4 +1,4 @@
-vnext_chart_version: v0.0.9
+vnext_chart_version: v0.1.0
 mcm_chart_version: 0.7.7
 mcm_ingress_internal_lb: false
 vnext_ingress_internal_lb: true
From 564b7aaaa172b51d78a20c0a089837b4341996b8 Mon Sep 17 00:00:00 2001
From: David Fry Date: Thu, 4 Apr 2024 12:51:35 +0100 Subject: [PATCH 081/201] revert output change to use old secret for migration
---
 terraform/aws/control-center-infra/outputs.tf | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/terraform/aws/control-center-infra/outputs.tf b/terraform/aws/control-center-infra/outputs.tf
index 53eb9d817..fd3a2bdac 100644
--- a/terraform/aws/control-center-infra/outputs.tf
+++ b/terraform/aws/control-center-infra/outputs.tf
@@ -16,7 +16,7 @@ output "gitlab_s3_access_secret" {
 output "minio_root_password" {
 sensitive = true
- value = random_password.minio_root_password.result
+ value = random_password.admin_s3_access_secret.result
 }
 output "minio_root_user" {
@@ -72,7 +72,7 @@ output "minio_fqdn" {
 }
 output "minio_server_url" {
- value = "${aws_route53_record.minio_server_private.fqdn}:${var.minio_listening_port}"
+ value = "${aws_route53_record.minio_server_private.fqdn}:${var.minio_listening_port}"
 }
 output "tenant_vault_listening_port" {
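Review bot: `value = random_password.admin_s3_access_secret.result` makes the MinIO root password identical to the admin S3 access secret, so the root credential now reaches every consumer of that secret, and the same aliasing is repeated in the `docker_hosts_var_maps` hunk on the next line. The commit title frames this as a migration step; a comment on the output such as `# migration: root password temporarily aliased to admin_s3_access_secret; switch back to random_password.minio_root_password once hosts are re-provisioned` would record the intended end state, and `random_password.minio_root_password` is presumably still declared and should be either reinstated or removed when the migration ends. The `minio_server_url` hunk changes only indentation.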
@@ -128,7 +128,7 @@ output "docker_hosts_var_maps" { minio_server_host = aws_route53_record.minio_server_private.fqdn minio_listening_port = var.minio_listening_port minio_root_user = var.minio_root_user - minio_root_password = random_password.minio_root_password.result + minio_root_password = random_password.admin_s3_access_secret.result gitlab_minio_user = var.gitlab_minio_user gitlab_minio_secret = random_password.gitlab_s3_access_secret.result nexus_admin_password = random_password.nexus_admin_password.result From 4c88ebdadfa7e6c7dd5959906ce8d0ecbc848380 Mon Sep 17 00:00:00 2001 From: David Fry Date: Thu, 4 Apr 2024 14:47:53 +0100 Subject: [PATCH 082/201] add http for non ssl url --- .../storage/external-secrets/longhorn-extsecret.yaml.tpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/gitops/generate-files/templates/storage/external-secrets/longhorn-extsecret.yaml.tpl b/terraform/gitops/generate-files/templates/storage/external-secrets/longhorn-extsecret.yaml.tpl index 10ee70ca8..7661c5791 100644 --- a/terraform/gitops/generate-files/templates/storage/external-secrets/longhorn-extsecret.yaml.tpl +++ b/terraform/gitops/generate-files/templates/storage/external-secrets/longhorn-extsecret.yaml.tpl @@ -16,7 +16,7 @@ spec: creationPolicy: Owner template: data: - AWS_ENDPOINTS: ${minio_api_url} + AWS_ENDPOINTS: http://${minio_api_url}/ AWS_SECRET_ACCESS_KEY: "{{ .AWS_SECRET_ACCESS_KEY | toString }}" AWS_ACCESS_KEY_ID: "{{ .AWS_ACCESS_KEY_ID | toString }}" From 009dbfaef713bb082b12a6c9ce512bfaf58da7e7 Mon Sep 17 00:00:00 2001 From: Muzammil Date: Thu, 4 Apr 2024 19:36:06 +0500 Subject: [PATCH 083/201] Add multi-line config in promtail configuration (#206) --- .../monitoring/install/values-loki.yaml.tpl | 88 +++++++++++++++++++ 1 file changed, 88 insertions(+) 
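Review bot: `AWS_ENDPOINTS: http://${minio_api_url}/` hard-codes the plaintext scheme into the template, so a TLS-fronted MinIO can no longer be used without editing the template, and Longhorn backup traffic to this endpoint travels unencrypted. If the endpoint is only reachable on the cluster or private network that may be acceptable, but state it next to the line: `# MinIO API reached over plain HTTP on the private network; if TLS is enabled, carry the scheme in minio_api_url instead`. Alternatively keep the scheme in the variable itself so the template stays scheme-agnostic.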
diff --git a/terraform/gitops/generate-files/templates/monitoring/install/values-loki.yaml.tpl b/terraform/gitops/generate-files/templates/monitoring/install/values-loki.yaml.tpl index 8dbd59377..81b1140cf 100644 --- a/terraform/gitops/generate-files/templates/monitoring/install/values-loki.yaml.tpl +++ b/terraform/gitops/generate-files/templates/monitoring/install/values-loki.yaml.tpl 
@@ -21,5 +21,93 @@ ingester: extraEnvVarsSecret: ${minio_credentials_secret_name} promtail: + # reference: https://github.com/bitnami/charts/blob/5f843aec99a13573f67e59b5e3193916ca01f308/bitnami/grafana-loki/values.yaml#L4440 + # only multiline stage has been added in pipeline_stages + configuration: | + server: + log_level: {{ .Values.promtail.logLevel }} + http_listen_port: {{ .Values.promtail.containerPorts.http }} + + clients: + - url: http://{{ include "grafana-loki.gateway.fullname" . }}:{{ .Values.gateway.service.ports.http }}/loki/api/v1/push + {{- if .Values.gateway.auth.enabled }} + basic_auth: + # The username to use for basic auth + username: {{ .Values.gateway.auth.username }} + password_file: /bitnami/promtail/conf/secrets/password + {{- end }} + positions: + filename: /run/promtail/positions.yaml + + scrape_configs: + # See also https://github.com/grafana/loki/blob/master/production/ksonnet/promtail/scrape_config.libsonnet for reference + - job_name: kubernetes-pods + pipeline_stages: + - cri: {} + - multiline: + firstline: '^\d{4}-\d{2}-\d{2}T\d{1,2}:\d{2}:\d{2}\.\d{3}' + max_wait_time: 3s + max_lines: 128 + kubernetes_sd_configs: + - role: pod + relabel_configs: + - source_labels: + - __meta_kubernetes_pod_controller_name + regex: ([0-9a-z-.]+?)(-[0-9a-f]{8,10})? 
+ action: replace + target_label: __tmp_controller_name + - source_labels: + - __meta_kubernetes_pod_label_app_kubernetes_io_name + - __meta_kubernetes_pod_label_app + - __tmp_controller_name + - __meta_kubernetes_pod_name + regex: ^;*([^;]+)(;.*)?$ + action: replace + target_label: app + - source_labels: + - __meta_kubernetes_pod_label_app_kubernetes_io_component + - __meta_kubernetes_pod_label_component + regex: ^;*([^;]+)(;.*)?$ + action: replace + target_label: component + - action: replace + source_labels: + - __meta_kubernetes_pod_node_name + target_label: node_name + - action: replace + source_labels: + - __meta_kubernetes_namespace + target_label: namespace + - action: replace + replacement: $1 + separator: / + source_labels: + - namespace + - app + target_label: job + - action: replace + source_labels: + - __meta_kubernetes_pod_name + target_label: pod + - action: replace + source_labels: + - __meta_kubernetes_pod_container_name + target_label: container + - action: replace + replacement: /var/log/pods/*$1/*.log + separator: / + source_labels: + - __meta_kubernetes_pod_uid + - __meta_kubernetes_pod_container_name + target_label: __path__ + - action: replace + regex: true/(.*) + replacement: /var/log/pods/*$1/*.log + separator: / + source_labels: + - __meta_kubernetes_pod_annotationpresent_kubernetes_io_config_hash + - __meta_kubernetes_pod_annotation_kubernetes_io_config_hash + - __meta_kubernetes_pod_container_name + target_label: __path__ tolerations: - operator: "Exists" \ No newline at end of file From 1e63f2528a4fa0c0b89705de8f338fcdbff051fd Mon Sep 17 00:00:00 2001 From: Aaron Reynoza Date: Thu, 4 Apr 2024 08:55:17 -0600 Subject: [PATCH 084/201] add more dynamic variables for mysql --- .../stateful-resources/values-mysql.yaml.tpl | 16 ++-- .../mojaloop-stateful-resources.json | 77 ++++++++++++++++++- 2 files changed, 84 insertions(+), 9 deletions(-) 
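Review bot: The `multiline` stage's `firstline` regex `'^\d{4}-\d{2}-\d{2}T\d{1,2}:\d{2}:\d{2}\.\d{3}'` only recognises lines that begin with a millisecond-precision ISO-8601 timestamp, so pods whose lines start differently (JSON logs, klog-style prefixes, `YYYY-MM-DD HH:MM:SS` with a space) will have consecutive lines glued into one entry until `max_lines: 128` or `max_wait_time: 3s` is reached, which delays and reshapes log-based alerting for those workloads. The header comment should state this assumption, e.g. `# multiline: assumes lines start with an ISO-8601 ms timestamp (YYYY-MM-DDTHH:MM:SS.mmm); other formats are merged up to 128 lines / 3s`. Pinning the copied upstream config to one bitnami commit is good; also note the chart version it corresponds to so the copy can be re-synced on chart upgrades.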
diff --git a/terraform/gitops/generate-files/templates/stateful-resources/values-mysql.yaml.tpl b/terraform/gitops/generate-files/templates/stateful-resources/values-mysql.yaml.tpl index c131f01de..67e37cad3 100644 --- a/terraform/gitops/generate-files/templates/stateful-resources/values-mysql.yaml.tpl +++ b/terraform/gitops/generate-files/templates/stateful-resources/values-mysql.yaml.tpl @@ -148,16 +148,16 @@ primary: max_allowed_packet=${resource.local_resource_config.mysql_data.max_allowed_packet} bind-address=${resource.local_resource_config.mysql_data.bind-address} pid-file=${resource.local_resource_config.mysql_data.pid-file} - log-error=/opt/bitnami/mysql/logs/mysqld.log - character-set-server=UTF8 - collation-server=utf8_general_ci + log-error=${resource.local_resource_config.mysql_data.log-error} + character-set-server=${resource.local_resource_config.mysql_data.character-set-server} + collation-server=${resource.local_resource_config.mysql_data.collation-server} general_log=${resource.local_resource_config.mysql_data.general_log} slow_query_log=${resource.local_resource_config.mysql_data.slow_query_log} slow_query_log_file=/opt/bitnami/mysql/logs/mysqld.log - long_query_time=10.0 - innodb_use_native_aio=0 - max_connections=2000 - innodb_buffer_pool_size=2147483648 + long_query_time=${resource.local_resource_config.mysql_data.long_query_time} + innodb_use_native_aio=${resource.local_resource_config.mysql_data.innodb_use_native_aio} + max_connections=${resource.local_resource_config.mysql_data.max_connections} + innodb_buffer_pool_size=${resource.local_resource_config.mysql_data.innodb_buffer_pool_size} [client] port=${resource.local_resource_config.mysql_data.port} @@ -1119,4 +1119,4 @@ metrics: ## message: 'MariaDB instance {{`{{`}} $labels.instance {{`}}`}} is down' ## summary: MariaDB instance is down ## - rules: [] + rules: [] \ No newline at end of file 
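Review bot: `slow_query_log_file=/opt/bitnami/mysql/logs/mysqld.log` is left hard-coded between the newly templated `log-error` and `long_query_time` lines, so the one log path still fixed is also the same file as `log-error`, mixing slow-query entries into the error log. If that is deliberate it deserves a comment; otherwise template it like its neighbours, `slow_query_log_file=${resource.local_resource_config.mysql_data.slow_query_log_file}`, with a matching key in mojaloop-stateful-resources.json. The identical hunk appears again in the duplicate commit (#207). The second hunk of this file only removes the trailing newline after `rules: []`; keep the file newline-terminated.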
diff --git a/terraform/k8s/default-config/mojaloop-stateful-resources.json b/terraform/k8s/default-config/mojaloop-stateful-resources.json index 6940a4cbd..b08d9602d 100644 --- a/terraform/k8s/default-config/mojaloop-stateful-resources.json +++ b/terraform/k8s/default-config/mojaloop-stateful-resources.json @@ -71,6 +71,23 @@ ], "mysql_data": { "is_legacy": false, + "default_authentication_plugin": "mysql_native_password", + "basedir": "/opt/bitnami/mysql", + "plugin_dir": "/opt/bitnami/mysql/lib/plugin", + "socket": "/opt/bitnami/mysql/tmp/mysql.sock", + "datadir": "/bitnami/mysql/data", + "tmpdir": "/opt/bitnami/mysql/tmp", + "max_allowed_packet": "16M", + "bind-address": "*", + "pid-file": "/opt/bitnami/mysql/tmp/mysqld.pid", + "log-error": "/opt/bitnami/mysql/logs/mysqld.log", + "character-set-server": "UTF8", + "collation-server": "utf8_general_ci", + "long_query_time": 10.0, + "innodb_use_native_aio": 0, + "max_connections": 2000, + "innodb_buffer_pool_size": 2147483648, + "port": 3306, "existing_secret": "mysql-auth-svc-secret", "general_log": 1, "slow_query_log": 1, @@ -123,6 +140,23 @@ ], "mysql_data": { "is_legacy": false, + "default_authentication_plugin": "mysql_native_password", + "basedir": "/opt/bitnami/mysql", + "plugin_dir": "/opt/bitnami/mysql/lib/plugin", + "socket": "/opt/bitnami/mysql/tmp/mysql.sock", + "datadir": "/bitnami/mysql/data", + "tmpdir": "/opt/bitnami/mysql/tmp", + "max_allowed_packet": "16M", + "bind-address": "*", + "pid-file": "/opt/bitnami/mysql/tmp/mysqld.pid", + "log-error": "/opt/bitnami/mysql/logs/mysqld.log", + "character-set-server": "UTF8", + "collation-server": "utf8_general_ci", + "long_query_time": 10.0, + "innodb_use_native_aio": 0, + "max_connections": 2000, + "innodb_buffer_pool_size": 2147483648, + "port": 3306, "existing_secret": "mysql-consent-oracle-secret", "general_log": 1, "slow_query_log": 1, 
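Review bot: The same 17-key block (`default_authentication_plugin` through `port`) is pasted verbatim into four `mysql_data` objects in this file's hunks and partially into the fifth, so any future change to `max_connections` or `innodb_buffer_pool_size` has to be repeated five times and the copies will drift. These values read as defaults rather than per-database choices, so consider keeping only overrides in the JSON and resolving defaults in the template, e.g. `max_connections=${try(resource.local_resource_config.mysql_data.max_connections, 2000)}`, or merging a shared default object with `merge()` in Terraform before rendering. JSON cannot hold comments, so the meaning of values such as `"innodb_buffer_pool_size": 2147483648` (2 GiB) should be documented in the consuming values-mysql.yaml.tpl.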
@@ -175,6 +209,23 @@ ], "mysql_data": { "is_legacy": false, + "default_authentication_plugin": "mysql_native_password", + "basedir": "/opt/bitnami/mysql", + "plugin_dir": "/opt/bitnami/mysql/lib/plugin", + "socket": "/opt/bitnami/mysql/tmp/mysql.sock", + "datadir": "/bitnami/mysql/data", + "tmpdir": "/opt/bitnami/mysql/tmp", + "max_allowed_packet": "16M", + "bind-address": "*", + "pid-file": "/opt/bitnami/mysql/tmp/mysqld.pid", + "log-error": "/opt/bitnami/mysql/logs/mysqld.log", + "character-set-server": "UTF8", + "collation-server": "utf8_general_ci", + "long_query_time": 10.0, + "innodb_use_native_aio": 0, + "max_connections": 2000, + "innodb_buffer_pool_size": 2147483648, + "port": 3306, "existing_secret": "mcm-db-secret", "general_log": 1, "slow_query_log": 1, @@ -227,6 +278,23 @@ ], "mysql_data": { "is_legacy": false, + "default_authentication_plugin": "mysql_native_password", + "basedir": "/opt/bitnami/mysql", + "plugin_dir": "/opt/bitnami/mysql/lib/plugin", + "socket": "/opt/bitnami/mysql/tmp/mysql.sock", + "datadir": "/bitnami/mysql/data", + "tmpdir": "/opt/bitnami/mysql/tmp", + "max_allowed_packet": "16M", + "bind-address": "*", + "pid-file": "/opt/bitnami/mysql/tmp/mysqld.pid", + "log-error": "/opt/bitnami/mysql/logs/mysqld.log", + "character-set-server": "UTF8", + "collation-server": "utf8_general_ci", + "long_query_time": 10.0, + "innodb_use_native_aio": 0, + "max_connections": 2000, + "innodb_buffer_pool_size": 2147483648, + "port": 3306, "existing_secret": "mysql-account-lookup-secret", "general_log": 1, "slow_query_log": 1, @@ -360,6 +428,13 @@ "max_allowed_packet": "16M", "bind-address": "*", "pid-file": "/opt/bitnami/mysql/tmp/mysqld.pid", + "log-error": "/opt/bitnami/mysql/logs/mysqld.log", + "character-set-server": "UTF8", + "collation-server": "utf8_general_ci", + "long_query_time": 10.0, + "innodb_use_native_aio": 0, + "max_connections": 2000, + "innodb_buffer_pool_size": 2147483648, "port": 3306, "user": "central_ledger", "user_password": "", 
@@ -956,4 +1031,4 @@ }, "external_resource_config": {} } -] \ No newline at end of file +] From f4ec746eef1a4418c8267eec751c0bf4dd7184e6 Mon Sep 17 00:00:00 2001 From: Muzammil Date: Thu, 4 Apr 2024 20:10:20 +0500 Subject: [PATCH 085/201] IPROD-525: Display offending processes (cpu+memory) on performance-troubleshooting-dashboard (#204) * Add process-exporter * add prometheus_process_exporter_version * turn off service monitor * enable service monitor again * added process-exporter-service monitor * add a recording rule * add tpl to rules file * update performance-troubleshooting url * add instance_nodename:node_memory_MemTotal_bytes * use v16.0.0-snapshot.6 tag for dashboards * fix dashboard-performance-troubleshooting url * update kafka-topic-overview * update dashboard urls * add node-exporter relabellings * remove recording rules * add comment in process exporter service monitor * upgrade performance troublesshoting dashboard to v16.1.0-snapshot.7 * rm resources folder --------- Co-authored-by: David Fry Co-authored-by: David Fry --- .../templates/mojaloop/grafana.yaml.tpl | 2 +- .../monitoring/install/kustomization.yaml.tpl | 7 +++++ .../process-exporter-service-monitor.yaml.tpl | 19 ++++++++++++ .../install/values-process-exporter.yaml.tpl | 6 ++++ .../install/values-prom-operator.yaml.tpl | 4 +++ .../post-config/dashboards/default.yaml.tpl | 15 ++++++++++ .../post-config/monitoring-crs.yaml.tpl | 4 +-- .../gitops/k8s-cluster-config/monitoring.tf | 30 ++++++++++--------- terraform/k8s/default-config/common-vars.yaml | 1 + 9 files changed, 71 insertions(+), 17 deletions(-) create mode 100644 terraform/gitops/generate-files/templates/monitoring/install/process-exporter-service-monitor.yaml.tpl create mode 100644 terraform/gitops/generate-files/templates/monitoring/install/values-process-exporter.yaml.tpl create mode 100644 terraform/gitops/generate-files/templates/monitoring/post-config/dashboards/default.yaml.tpl 
diff --git a/terraform/gitops/generate-files/templates/mojaloop/grafana.yaml.tpl b/terraform/gitops/generate-files/templates/mojaloop/grafana.yaml.tpl index 96c8021b4..6670ad313 100644 --- a/terraform/gitops/generate-files/templates/mojaloop/grafana.yaml.tpl +++ b/terraform/gitops/generate-files/templates/mojaloop/grafana.yaml.tpl @@ -126,5 +126,5 @@ spec: datasources: - inputName: "DS_PROMETHEUS" datasourceName: "Prometheus" - url: "https://raw.githubusercontent.com/mojaloop/helm/v16.0.0-snapshot.5/monitoring/dashboards/mojaloop/dashboard-performance-troubleshooting.json" + url: "https://raw.githubusercontent.com/mojaloop/helm/v16.1.0-snapshot.7/monitoring/dashboards/mojaloop/dashboard-performance-troubleshooting.json" --- diff --git a/terraform/gitops/generate-files/templates/monitoring/install/kustomization.yaml.tpl b/terraform/gitops/generate-files/templates/monitoring/install/kustomization.yaml.tpl index c23037e27..bc97d4d1e 100644 --- a/terraform/gitops/generate-files/templates/monitoring/install/kustomization.yaml.tpl +++ b/terraform/gitops/generate-files/templates/monitoring/install/kustomization.yaml.tpl @@ -4,6 +4,7 @@ resources: - https://raw.githubusercontent.com/grafana/grafana-operator/v5.6.0/deploy/kustomize/base/crds.yaml - vault-secret.yaml - istio-gateway.yaml + - process-exporter-service-monitor.yaml - vault-minio-ext-secret.yaml helmCharts: - name: prometheus-operator-crds @@ -34,3 +35,9 @@ helmCharts: repo: oci://registry-1.docker.io/bitnamicharts valuesFile: values-tempo.yaml namespace: ${monitoring_namespace} +- name: prometheus-process-exporter + releaseName: process-exporter + version: ${prometheus_process_exporter_version} + repo: https://raw.githubusercontent.com/mumoshu/prometheus-process-exporter/master/docs + valuesFile: values-process-exporter.yaml + namespace: ${monitoring_namespace} 
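Review bot: The new `helmCharts` entry pulls `prometheus-process-exporter` from `https://raw.githubusercontent.com/mumoshu/prometheus-process-exporter/master/docs`, a Helm repo index served from the `master` branch of a personal GitHub repository; `version: ${prometheus_process_exporter_version}` pins the version string, but the index and the tarball it points to can change or disappear under that same version, and nothing verifies provenance. The file already consumes charts from `oci://registry-1.docker.io/bitnamicharts`, so mirroring this chart into a controlled registry, or at least pinning the URL to a commit SHA instead of `master`, would put it on equal footing. A comment above the entry noting why this chart was chosen and that its ServiceMonitor is replaced by the custom `process-exporter-service-monitor.yaml` would help the next maintainer.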
diff --git a/terraform/gitops/generate-files/templates/monitoring/install/process-exporter-service-monitor.yaml.tpl b/terraform/gitops/generate-files/templates/monitoring/install/process-exporter-service-monitor.yaml.tpl new file mode 100644 index 000000000..7791dc422 --- /dev/null +++ b/terraform/gitops/generate-files/templates/monitoring/install/process-exporter-service-monitor.yaml.tpl @@ -0,0 +1,19 @@ +# NOTE: service monitor in helm char does not allow adding relabelings, therefore we have to maintain custom service-monitor +# https://github.com/mumoshu/prometheus-process-exporter/blob/master/charts/prometheus-process-exporter/templates/servicemonitor.yaml +# Request to fix in upstream: https://github.com/mumoshu/prometheus-process-exporter/issues/23 +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: process-exporter-servicemonitor + annotations: + app.kubernetes.io/description: "Enables monitoring of prometheus-process-exporter" +spec: + selector: + matchLabels: + app: prometheus-process-exporter + endpoints: + - port: metrics + path: /metrics + relabelings: + - sourceLabels: [__meta_kubernetes_pod_node_name] + targetLabel: nodename \ No newline at end of file diff --git a/terraform/gitops/generate-files/templates/monitoring/install/values-process-exporter.yaml.tpl b/terraform/gitops/generate-files/templates/monitoring/install/values-process-exporter.yaml.tpl new file mode 100644 index 000000000..200964707 --- /dev/null +++ b/terraform/gitops/generate-files/templates/monitoring/install/values-process-exporter.yaml.tpl @@ -0,0 +1,6 @@ +rbac: + create: false +groups: + - name: "{{.ExeFull}}" + cmdline: + - '.+' \ No newline at end of file diff --git a/terraform/gitops/generate-files/templates/monitoring/install/values-prom-operator.yaml.tpl b/terraform/gitops/generate-files/templates/monitoring/install/values-prom-operator.yaml.tpl index f16ad81ba..b859c707f 100644 
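Review bot: `values-process-exporter.yaml.tpl` defines a single group named `"{{.ExeFull}}"` matching `cmdline: '.+'`, so every process on every node becomes its own label value keyed by full executable path; that is unbounded series cardinality for Prometheus and exposes the complete inventory of host and container binaries to anyone with dashboard or PromQL access. If the dashboard only needs the Mojaloop workloads, narrow the `cmdline` regex or name groups by `{{.ExeBase}}`, and record the decision in a comment above `groups:`. `rbac: create: false` means the chart creates no RBAC objects, so a comment should name the existing ServiceAccount/ClusterRole the exporter relies on. In the new ServiceMonitor the header comment's `helm char` should read `helm chart`, and both new files lack a trailing newline.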
--- a/terraform/gitops/generate-files/templates/monitoring/install/values-prom-operator.yaml.tpl +++ b/terraform/gitops/generate-files/templates/monitoring/install/values-prom-operator.yaml.tpl @@ -28,5 +28,9 @@ commonLabels: commonAnnotations: build: argocd node-exporter: + serviceMonitor: + relabelings: + - sourceLabels: [__meta_kubernetes_pod_node_name] + targetLabel: nodename tolerations: - operator: "Exists" \ No newline at end of file diff --git a/terraform/gitops/generate-files/templates/monitoring/post-config/dashboards/default.yaml.tpl b/terraform/gitops/generate-files/templates/monitoring/post-config/dashboards/default.yaml.tpl new file mode 100644 index 000000000..e77a03ed2 --- /dev/null +++ b/terraform/gitops/generate-files/templates/monitoring/post-config/dashboards/default.yaml.tpl @@ -0,0 +1,15 @@ +apiVersion: grafana.integreatly.org/v1beta1 +kind: GrafanaDashboard +metadata: + name: process-exporter +spec: + folder: default + datasources: + - inputName: "DS_PROMETHEUS" + datasourceName: "Prometheus" + instanceSelector: + matchLabels: + dashboards: "grafana" + grafanaCom: + id: 249 + revision: 2 \ No newline at end of file diff --git a/terraform/gitops/generate-files/templates/monitoring/post-config/monitoring-crs.yaml.tpl b/terraform/gitops/generate-files/templates/monitoring/post-config/monitoring-crs.yaml.tpl index d5a9d4eda..ae8ea04d9 100644 --- a/terraform/gitops/generate-files/templates/monitoring/post-config/monitoring-crs.yaml.tpl +++ b/terraform/gitops/generate-files/templates/monitoring/post-config/monitoring-crs.yaml.tpl 
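Review bot: `dashboards/default.yaml.tpl` loads its dashboard via `grafanaCom: id: 249 revision: 2`, which makes the Grafana operator fetch dashboard JSON from grafana.com at reconcile time; the other dashboards in this commit (grafana.yaml.tpl, monitoring-crs.yaml.tpl) are fetched from pinned tags of the mojaloop/helm repository, so this introduces a second external source with a different trust model. Pinning `revision` helps, but consider vendoring the JSON alongside the others, and add a comment stating what dashboard 249 is and why it is sourced from grafana.com. The new `node-exporter.serviceMonitor.relabelings` block mirrors the `nodename` relabeling in the custom process-exporter ServiceMonitor; a comment cross-referencing the two would stop one being changed without the other.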
@@ -155,7 +155,7 @@ spec: instanceSelector: matchLabels: dashboards: "grafana" - url: "https://raw.githubusercontent.com/mojaloop/helm/v16.1.0-snapshot.0/monitoring/dashboards/messaging/dashboard-kafka-topic-overview.json" + url: "https://raw.githubusercontent.com/mojaloop/helm/v16.1.0-snapshot.6/monitoring/dashboards/messaging/dashboard-kafka-topic-overview.json" --- apiVersion: grafana.integreatly.org/v1beta1 kind: GrafanaDashboard @@ -169,5 +169,5 @@ spec: instanceSelector: matchLabels: dashboards: "grafana" - url: "https://raw.githubusercontent.com/mojaloop/helm/v16.1.0-snapshot.0/monitoring/dashboards/messaging/dashboard-kafka-cluster-overview.json" + url: "https://raw.githubusercontent.com/mojaloop/helm/v16.1.0-snapshot.6/monitoring/dashboards/messaging/dashboard-kafka-cluster-overview.json" --- \ No newline at end of file diff --git a/terraform/gitops/k8s-cluster-config/monitoring.tf b/terraform/gitops/k8s-cluster-config/monitoring.tf index 57b3ef72b..a882ad71a 100644 --- a/terraform/gitops/k8s-cluster-config/monitoring.tf +++ b/terraform/gitops/k8s-cluster-config/monitoring.tf @@ -5,6 +5,7 @@ module "generate_monitoring_files" { loki_chart_version = try(var.common_var_map.loki_chart_version, local.loki_chart_version) prometheus_operator_version = try(var.common_var_map.prometheus_operator_version, local.prometheus_operator_version) prometheus_operator_release_name = local.prometheus_operator_release_name + prometheus_process_exporter_version = try(var.common_var_map.prometheus_process_exporter_version, local.prometheus_process_exporter_version) loki_release_name = local.loki_release_name grafana_operator_version = try(var.common_var_map.grafana_operator_version, local.grafana_operator_version) grafana_version = try(var.common_var_map.grafana_version, local.grafana_version) 
@@ -98,18 +99,19 @@ variable "monitoring_namespace" { } locals { - grafana_wildcard_gateway = var.grafana_ingress_internal_lb ? "internal" : "external" - loki_release_name = "loki" - prometheus_operator_release_name = "prom" - loki_chart_version = "2.13.0" - prometheus_operator_version = "8.22.8" - tempo_chart_version = "2.6.0" - grafana_version = "10.2.3" - grafana_operator_version = "3.5.11" - monitoring_template_path = "${path.module}/../generate-files/templates/monitoring" - monitoring_app_file = "monitoring-app.yaml" - loki_ingester_pvc_size = "50Gi" - prometheus_pvc_size = "50Gi" - loki_ingester_retention_period = "72h" - prometheus_retention_period = "10d" + grafana_wildcard_gateway = var.grafana_ingress_internal_lb ? "internal" : "external" + loki_release_name = "loki" + prometheus_operator_release_name = "prom" + loki_chart_version = "2.13.0" + prometheus_operator_version = "8.22.8" + prometheus_process_exporter_version = "0.4.2" + tempo_chart_version = "2.6.0" + grafana_version = "10.2.3" + grafana_operator_version = "3.5.11" + monitoring_template_path = "${path.module}/../generate-files/templates/monitoring" + monitoring_app_file = "monitoring-app.yaml" + loki_ingester_pvc_size = "50Gi" + prometheus_pvc_size = "50Gi" + loki_ingester_retention_period = "72h" + prometheus_retention_period = "10d" } diff --git a/terraform/k8s/default-config/common-vars.yaml b/terraform/k8s/default-config/common-vars.yaml index e464dfff6..715b769be 100644 --- a/terraform/k8s/default-config/common-vars.yaml +++ b/terraform/k8s/default-config/common-vars.yaml @@ -19,6 +19,7 @@ mojaloop_enabled: true pm4ml_enabled: false vnext_enabled: false prometheus_operator_version: 8.22.8 +prometheus_process_exporter_version: 0.4.2 grafana_operator_version: 3.5.11 grafana_version: 10.2.3 tempo_chart_version: 2.6.0 From 87b8e1d0f75c2a07f122750ee2a8124f03f8b58e Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Aar=C3=B3n=20Reynoza?= Date: Thu, 4 Apr 2024 09:11:06 -0600 Subject: [PATCH 086/201] add more dynamic variables for mysql (#207) --- .../stateful-resources/values-mysql.yaml.tpl | 16 ++-- .../mojaloop-stateful-resources.json | 77 ++++++++++++++++++- 2 files changed, 84 insertions(+), 9 deletions(-) diff --git a/terraform/gitops/generate-files/templates/stateful-resources/values-mysql.yaml.tpl b/terraform/gitops/generate-files/templates/stateful-resources/values-mysql.yaml.tpl index c131f01de..67e37cad3 100644 --- a/terraform/gitops/generate-files/templates/stateful-resources/values-mysql.yaml.tpl +++ b/terraform/gitops/generate-files/templates/stateful-resources/values-mysql.yaml.tpl 
@@ -148,16 +148,16 @@ primary: max_allowed_packet=${resource.local_resource_config.mysql_data.max_allowed_packet} bind-address=${resource.local_resource_config.mysql_data.bind-address} pid-file=${resource.local_resource_config.mysql_data.pid-file} - log-error=/opt/bitnami/mysql/logs/mysqld.log - character-set-server=UTF8 - collation-server=utf8_general_ci + log-error=${resource.local_resource_config.mysql_data.log-error} + character-set-server=${resource.local_resource_config.mysql_data.character-set-server} + collation-server=${resource.local_resource_config.mysql_data.collation-server} general_log=${resource.local_resource_config.mysql_data.general_log} slow_query_log=${resource.local_resource_config.mysql_data.slow_query_log} slow_query_log_file=/opt/bitnami/mysql/logs/mysqld.log - long_query_time=10.0 - innodb_use_native_aio=0 - max_connections=2000 - innodb_buffer_pool_size=2147483648 + long_query_time=${resource.local_resource_config.mysql_data.long_query_time} + innodb_use_native_aio=${resource.local_resource_config.mysql_data.innodb_use_native_aio} + max_connections=${resource.local_resource_config.mysql_data.max_connections} + innodb_buffer_pool_size=${resource.local_resource_config.mysql_data.innodb_buffer_pool_size} [client] port=${resource.local_resource_config.mysql_data.port} @@ -1119,4 +1119,4 @@ metrics: ## message: 'MariaDB instance {{`{{`}} $labels.instance {{`}}`}} is down' ## summary: MariaDB instance is down ## - rules: [] + rules: [] \ No newline at end of file diff --git a/terraform/k8s/default-config/mojaloop-stateful-resources.json b/terraform/k8s/default-config/mojaloop-stateful-resources.json index 6940a4cbd..b08d9602d 100644 --- a/terraform/k8s/default-config/mojaloop-stateful-resources.json +++ b/terraform/k8s/default-config/mojaloop-stateful-resources.json 
@@ -71,6 +71,23 @@ ], "mysql_data": { "is_legacy": false, + "default_authentication_plugin": "mysql_native_password", + "basedir": "/opt/bitnami/mysql", + "plugin_dir": "/opt/bitnami/mysql/lib/plugin", + "socket": "/opt/bitnami/mysql/tmp/mysql.sock", + "datadir": "/bitnami/mysql/data", + "tmpdir": "/opt/bitnami/mysql/tmp", + "max_allowed_packet": "16M", + "bind-address": "*", + "pid-file": "/opt/bitnami/mysql/tmp/mysqld.pid", + "log-error": "/opt/bitnami/mysql/logs/mysqld.log", + "character-set-server": "UTF8", + "collation-server": "utf8_general_ci", + "long_query_time": 10.0, + "innodb_use_native_aio": 0, + "max_connections": 2000, + "innodb_buffer_pool_size": 2147483648, + "port": 3306, "existing_secret": "mysql-auth-svc-secret", "general_log": 1, "slow_query_log": 1, @@ -123,6 +140,23 @@ ], "mysql_data": { "is_legacy": false, + "default_authentication_plugin": "mysql_native_password", + "basedir": "/opt/bitnami/mysql", + "plugin_dir": "/opt/bitnami/mysql/lib/plugin", + "socket": "/opt/bitnami/mysql/tmp/mysql.sock", + "datadir": "/bitnami/mysql/data", + "tmpdir": "/opt/bitnami/mysql/tmp", + "max_allowed_packet": "16M", + "bind-address": "*", + "pid-file": "/opt/bitnami/mysql/tmp/mysqld.pid", + "log-error": "/opt/bitnami/mysql/logs/mysqld.log", + "character-set-server": "UTF8", + "collation-server": "utf8_general_ci", + "long_query_time": 10.0, + "innodb_use_native_aio": 0, + "max_connections": 2000, + "innodb_buffer_pool_size": 2147483648, + "port": 3306, "existing_secret": "mysql-consent-oracle-secret", "general_log": 1, "slow_query_log": 1, 
@@ -175,6 +209,23 @@ ], "mysql_data": { "is_legacy": false, + "default_authentication_plugin": "mysql_native_password", + "basedir": "/opt/bitnami/mysql", + "plugin_dir": "/opt/bitnami/mysql/lib/plugin", + "socket": "/opt/bitnami/mysql/tmp/mysql.sock", + "datadir": "/bitnami/mysql/data", + "tmpdir": "/opt/bitnami/mysql/tmp", + "max_allowed_packet": "16M", + "bind-address": "*", + "pid-file": "/opt/bitnami/mysql/tmp/mysqld.pid", + "log-error": "/opt/bitnami/mysql/logs/mysqld.log", + "character-set-server": "UTF8", + "collation-server": "utf8_general_ci", + "long_query_time": 10.0, + "innodb_use_native_aio": 0, + "max_connections": 2000, + "innodb_buffer_pool_size": 2147483648, + "port": 3306, "existing_secret": "mcm-db-secret", "general_log": 1, "slow_query_log": 1, @@ -227,6 +278,23 @@ ], "mysql_data": { "is_legacy": false, + "default_authentication_plugin": "mysql_native_password", + "basedir": "/opt/bitnami/mysql", + "plugin_dir": "/opt/bitnami/mysql/lib/plugin", + "socket": "/opt/bitnami/mysql/tmp/mysql.sock", + "datadir": "/bitnami/mysql/data", + "tmpdir": "/opt/bitnami/mysql/tmp", + "max_allowed_packet": "16M", + "bind-address": "*", + "pid-file": "/opt/bitnami/mysql/tmp/mysqld.pid", + "log-error": "/opt/bitnami/mysql/logs/mysqld.log", + "character-set-server": "UTF8", + "collation-server": "utf8_general_ci", + "long_query_time": 10.0, + "innodb_use_native_aio": 0, + "max_connections": 2000, + "innodb_buffer_pool_size": 2147483648, + "port": 3306, "existing_secret": "mysql-account-lookup-secret", "general_log": 1, "slow_query_log": 1, @@ -360,6 +428,13 @@ "max_allowed_packet": "16M", "bind-address": "*", "pid-file": "/opt/bitnami/mysql/tmp/mysqld.pid", + "log-error": "/opt/bitnami/mysql/logs/mysqld.log", + "character-set-server": "UTF8", + "collation-server": "utf8_general_ci", + "long_query_time": 10.0, + "innodb_use_native_aio": 0, + "max_connections": 2000, + "innodb_buffer_pool_size": 2147483648, "port": 3306, "user": "central_ledger", "user_password": "", 
@@ -956,4 +1031,4 @@ }, "external_resource_config": {} } -] \ No newline at end of file +] From 007050049d2ed0b05dd344073819aff4ee2bd8a1 Mon Sep 17 00:00:00 2001 From: vijayg10 <33152110+vijayg10@users.noreply.github.com> Date: Thu, 4 Apr 2024 20:43:08 +0530 Subject: [PATCH 087/201] feat: standardise poc demos changes (#205) * fix: pm4ml vs paths * fix: indent in mojaloop tolerations * feat: added vs for payment token adapter in pm4ml * feat: added core connector customization logic to pm4ml --- .../mojaloop/values-mojaloop.yaml.tpl | 2 +- .../templates/pm4ml/istio-gateway.yaml.tpl | 41 ++++++++++++++++--- .../templates/pm4ml/values-pm4ml.yaml.tpl | 18 ++++++-- .../gitops/k8s-cluster-config/app-deploy.tf | 4 +- terraform/gitops/pm4ml/pm4ml.tf | 14 +++---- terraform/k8s/default-config/pm4ml-vars.yaml | 7 +++- 6 files changed, 66 insertions(+), 20 deletions(-) diff --git a/terraform/gitops/generate-files/templates/mojaloop/values-mojaloop.yaml.tpl b/terraform/gitops/generate-files/templates/mojaloop/values-mojaloop.yaml.tpl index 68341f48f..a2ef93091 100644 --- a/terraform/gitops/generate-files/templates/mojaloop/values-mojaloop.yaml.tpl +++ b/terraform/gitops/generate-files/templates/mojaloop/values-mojaloop.yaml.tpl @@ -116,7 +116,7 @@ CONFIG: tolerations: &MOJALOOP_TOLERATIONS ${indent(4, mojaloop_tolerations)} %{ else ~} - tolerations: &MOJALOOP_TOLERATIONS [] + tolerations: &MOJALOOP_TOLERATIONS [] %{ endif ~} global: diff --git a/terraform/gitops/generate-files/templates/pm4ml/istio-gateway.yaml.tpl b/terraform/gitops/generate-files/templates/pm4ml/istio-gateway.yaml.tpl index 07a526546..af240707e 100644 --- a/terraform/gitops/generate-files/templates/pm4ml/istio-gateway.yaml.tpl +++ b/terraform/gitops/generate-files/templates/pm4ml/istio-gateway.yaml.tpl @@ -282,7 +282,9 @@ spec: - name: "sim-backend" match: - uri: - prefix: /sim-backend-test(/|$)(.*) + prefix: /sim-backend-test/ + rewrite: + uri: / route: - destination: host: sim-backend 
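Review bot: Istio `prefix` matching is a literal string comparison, so the replaced `prefix: /sim-backend-test(/|$)(.*)` could never have matched a request; the new `prefix: /sim-backend-test/` with `rewrite: uri: /` is the correct form. With the trailing slash, however, a request for the bare path `/sim-backend-test` no longer matches this route; if clients use it, add a second matcher `- uri: exact: /sim-backend-test`. The same applies to the four sibling routes fixed in the next line's hunks. The values-mojaloop.yaml.tpl hunk is indentation-only.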
@@ -291,7 +293,9 @@ spec: - name: "mojaloop-core-connector" match: - uri: - prefix: /cc-send(/|$)(.*) + prefix: /cc-send/ + rewrite: + uri: / route: - destination: host: ${pm4ml_release_name}-mojaloop-core-connector @@ -300,7 +304,9 @@ spec: - name: "mlcon-outbound" match: - uri: - prefix: /mlcon-outbound(/|$)(.*) + prefix: /mlcon-outbound/ + rewrite: + uri: / route: - destination: host: ${pm4ml_release_name}-sdk-scheme-adapter-api-svc @@ -309,7 +315,9 @@ spec: - name: "mlcon-sdktest" match: - uri: - prefix: /mlcon-sdktest(/|$)(.*) + prefix: /mlcon-sdktest/ + rewrite: + uri: / route: - destination: host: ${pm4ml_release_name}-sdk-scheme-adapter-api-svc @@ -318,7 +326,9 @@ spec: - name: "mgmt-api" match: - uri: - prefix: /mgmt-api(/|$)(.*) + prefix: /mgmt-api/ + rewrite: + uri: / route: - destination: host: ${pm4ml_release_name}-management-api @@ -381,5 +391,26 @@ spec: host: ${pm4ml_release_name}-ttk-backend port: number: 4040 + +--- + +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: ${pm4ml_release_name}-portal-pta-vs +spec: + gateways: + - ${istio_internal_gateway_namespace}/${istio_internal_wildcard_gateway_name} + hosts: + - '${pta_portal_fqdn}' + http: + - match: + - uri: + prefix: / + route: + - destination: + host: ${pm4ml_release_name}-mojaloop-payment-token-adapter + port: + number: 3000 --- %{ endif ~} \ No newline at end of file diff --git a/terraform/gitops/generate-files/templates/pm4ml/values-pm4ml.yaml.tpl b/terraform/gitops/generate-files/templates/pm4ml/values-pm4ml.yaml.tpl index 26af30a7b..a9f736700 100644 --- a/terraform/gitops/generate-files/templates/pm4ml/values-pm4ml.yaml.tpl +++ b/terraform/gitops/generate-files/templates/pm4ml/values-pm4ml.yaml.tpl @@ -110,8 +110,6 @@ prometheus: scheme-adapter: sdk-scheme-adapter-api-svc: - image: - tag: v23.1.2-snapshot.2 %{ if enable_sdk_bulk_transaction_support ~} kafka: &kafkaConfig host: ${kafka_host} 
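Review bot: Removing the explicit `image.tag: v23.1.2-snapshot.2` for `sdk-scheme-adapter-api-svc` means the deployed image now follows the pinned pm4ml chart's default; that is arguably better than a floating snapshot tag, but the commit description does not mention it and a reader cannot tell whether it was an intentional un-pin or lost in a merge. Say so in the description or with a comment such as `# image tag intentionally inherited from the chart default`. The new `${pm4ml_release_name}-portal-pta-vs` VirtualService routes `prefix: /` on the internal gateway to the payment-token-adapter on port 3000; as a new entry point, it should be confirmed to sit behind the same TLS and authentication policy as the other internal virtual services, and a comment naming that policy would document it.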
@@ -133,8 +131,15 @@ scheme-adapter: "test": "test" } env: + LOG_LEVEL: error DFSP_ID: *dfspId CACHE_URL: redis://${redis_host}:${redis_port} + AUTO_ACCEPT_QUOTES: false + AUTO_ACCEPT_PARTY: false + AUTO_ACCEPT_R2P_PARTY: false + AUTO_ACCEPT_R2P_BUSINESS_QUOTES: false + AUTO_ACCEPT_R2P_DEVICE_OTP: false + AUTO_ACCEPT_PARTICIPANTS_PUT: false JWS_SIGN: true VALIDATE_INBOUND_JWS: true PEER_ENDPOINT: "${pm4ml_external_switch_fqdn}" @@ -146,16 +151,22 @@ scheme-adapter: OAUTH_CLIENT_SECRET_KEY: "${pm4ml_external_switch_client_secret_key}" OAUTH_CLIENT_SECRET_NAME: "${pm4ml_external_switch_client_secret}" RESERVE_NOTIFICATION: ${pm4ml_reserve_notification} -%{ if use_ttk_as_backend_simulator ~} +%{ if core_connector_selected == "ttk" ~} BACKEND_ENDPOINT: "${pm4ml_release_name}-ttk-backend:4040" %{ else ~} +%{ if core_connector_selected == "cc" ~} BACKEND_ENDPOINT: "${pm4ml_release_name}-mojaloop-core-connector:3003" +%{ else ~} + BACKEND_ENDPOINT: "${custom_core_connector_endpoint}" +%{ endif ~} %{ endif ~} MGMT_API_WS_URL: "${pm4ml_release_name}-management-api" %{ if enable_sdk_bulk_transaction_support ~} ENABLE_BACKEND_EVENT_HANDLER: true ENABLE_FSPIOP_EVENT_HANDLER: true REQUEST_PROCESSING_TIMEOUT_SECONDS: 30 +%{ else ~} + REQUEST_PROCESSING_TIMEOUT_SECONDS: 10 %{ endif ~} %{ if enable_sdk_bulk_transaction_support ~} @@ -202,6 +213,7 @@ ttk: "CALLBACK_ENDPOINT": "http://${pm4ml_release_name}-sdk-scheme-adapter-api-svc:4001", "SEND_CALLBACK_ENABLE": true, "DEFAULT_ENVIRONMENT_FILE_NAME": "pm4ml-default-environment.json", + "DEFAULT_REQUEST_TIMEOUT": 15000, "FSPID": *dfspId } diff --git a/terraform/gitops/k8s-cluster-config/app-deploy.tf b/terraform/gitops/k8s-cluster-config/app-deploy.tf index 03d4ce4ae..032616a4c 100644 --- a/terraform/gitops/k8s-cluster-config/app-deploy.tf +++ b/terraform/gitops/k8s-cluster-config/app-deploy.tf 
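Review bot: In the `%{ if core_connector_selected == "ttk" ~}` / `== "cc"` chain, any other value — including a typo such as `"tkk"` — silently takes the last branch and sets `BACKEND_ENDPOINT` to `${custom_core_connector_endpoint}`, whose default in pm4ml-vars.yaml is the core-connector service, so a misconfiguration is only discovered when traffic flows. Make the last branch explicit with `%{ if core_connector_selected == "custom" ~}` and/or validate the selector where it enters Terraform so an unknown value fails the render instead of picking a backend. The `AUTO_ACCEPT_*: false` block is the conservative default and deserves a one-line comment saying it is deliberate, e.g. `# fail closed: every auto-accept path is opt-in per deployment`.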
@@ -108,6 +108,7 @@ module "pm4ml" { mojaloop_connnector_fqdns = local.mojaloop_connnector_fqdns ttk_backend_fqdns = local.pm4ml_ttk_backend_fqdns ttk_frontend_fqdns = local.pm4ml_ttk_frontend_fqdns + pta_portal_fqdns = local.pm4ml_pta_portal_fqdns test_fqdns = local.test_fqdns vault_root_ca_name = "pki-${var.cluster_name}" app_var_map = local.pm4ml_var_map @@ -329,6 +330,7 @@ locals { test_fqdns = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => "test-${pm4ml.pm4ml}.${var.public_subdomain}" } pm4ml_ttk_frontend_fqdns = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => "ttkfront-${pm4ml.pm4ml}.${var.public_subdomain}" } pm4ml_ttk_backend_fqdns = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => "ttkback-${pm4ml.pm4ml}.${var.public_subdomain}" } + pm4ml_pta_portal_fqdns = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => "pta-portal-${pm4ml.pm4ml}.${var.public_subdomain}" } pm4ml_internal_wildcard_admin_portal_hosts = [for pm4ml in local.pm4ml_var_map : local.admin_portal_fqdns[pm4ml.pm4ml] if local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "internal"] pm4ml_external_wildcard_admin_portal_hosts = [for pm4ml in local.pm4ml_var_map : local.admin_portal_fqdns[pm4ml.pm4ml] if local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "external"] 
@@ -337,7 +339,7 @@ locals { pm4ml_internal_wildcard_exp_hosts = [for pm4ml in local.pm4ml_var_map : local.experience_api_fqdns[pm4ml.pm4ml] if local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "internal"] pm4ml_external_wildcard_exp_hosts = [for pm4ml in local.pm4ml_var_map : local.experience_api_fqdns[pm4ml.pm4ml] if local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "external"] - pm4ml_internal_gateway_hosts = concat(local.pm4ml_internal_wildcard_admin_portal_hosts, local.pm4ml_internal_wildcard_portal_hosts, local.pm4ml_internal_wildcard_exp_hosts, values(local.pm4ml_ttk_frontend_fqdns), values(local.pm4ml_ttk_backend_fqdns), values(local.test_fqdns)) + pm4ml_internal_gateway_hosts = concat(local.pm4ml_internal_wildcard_admin_portal_hosts, local.pm4ml_internal_wildcard_portal_hosts, local.pm4ml_internal_wildcard_exp_hosts, values(local.pm4ml_ttk_frontend_fqdns), values(local.pm4ml_ttk_backend_fqdns), values(local.test_fqdns), values(local.pm4ml_pta_portal_fqdns)) pm4ml_external_gateway_hosts = concat(local.pm4ml_external_wildcard_admin_portal_hosts, local.pm4ml_external_wildcard_portal_hosts, local.pm4ml_external_wildcard_exp_hosts) keycloak_realm_env_secret_map = merge( diff --git a/terraform/gitops/pm4ml/pm4ml.tf b/terraform/gitops/pm4ml/pm4ml.tf index 8701c3787..bd642a7da 100644 --- a/terraform/gitops/pm4ml/pm4ml.tf +++ b/terraform/gitops/pm4ml/pm4ml.tf @@ -67,9 +67,11 @@ module "generate_pm4ml_files" { kafka_host = "kafka" kafka_port = "9092" ttk_enabled = each.value.pm4ml_ttk_enabled - use_ttk_as_backend_simulator = each.value.use_ttk_as_backend_simulator + core_connector_selected = each.value.core_connector_selected + custom_core_connector_endpoint = each.value.custom_core_connector_endpoint ttk_backend_fqdn = var.ttk_backend_fqdns[each.key] ttk_frontend_fqdn = var.ttk_frontend_fqdns[each.key] + pta_portal_fqdn = var.pta_portal_fqdns[each.key] test_fqdn = var.test_fqdns[each.key] ory_namespace = var.ory_namespace ory_stack_enabled = var.ory_stack_enabled 
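Review bot: `custom_core_connector_endpoint = each.value.custom_core_connector_endpoint` is an unconditional attribute lookup, so a pm4ml var map that omits the key fails at plan time even when `core_connector_selected` is `ttk` or `cc` — which contradicts the "only required if … custom" comment added to pm4ml-vars.yaml in the next hunk (assuming `pm4ml_var_map` is decoded from YAML as the default config suggests). `custom_core_connector_endpoint = try(each.value.custom_core_connector_endpoint, "")` makes it genuinely optional; `core_connector_selected` can stay a hard lookup since it is always required. The enclosing `module "generate_pm4ml_files"` block starts and ends outside the hunk.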
@@ -136,7 +138,9 @@ variable "ttk_backend_fqdns" { variable "ttk_frontend_fqdns" { description = "fqdns for pm4ml ttk front" } - +variable "pta_portal_fqdns" { + description = "fqdns for pm4ml payment token adapter portal" +} variable "pm4ml_vault_k8s_role_name" { description = "vault k8s role name for pm4ml" type = string @@ -208,12 +212,6 @@ variable "pm4ml_external_switch_client_secret" { default = "pm4ml-external-switch-client-secret" } -variable "use_ttk_as_backend_simulator" { - type = bool - description = "use_ttk_as_backend_simulator" - default = false -} - variable "enable_sdk_bulk_transaction_support" { type = bool description = "enable_sdk_bulk_transaction_support" diff --git a/terraform/k8s/default-config/pm4ml-vars.yaml b/terraform/k8s/default-config/pm4ml-vars.yaml index 6101e6753..718676be1 100644 --- a/terraform/k8s/default-config/pm4ml-vars.yaml +++ b/terraform/k8s/default-config/pm4ml-vars.yaml @@ -1,6 +1,6 @@ pm4ml: pm4mltest pm4ml_enabled: true -pm4ml_chart_version: 9.0.11 +pm4ml_chart_version: 9.1.4 pm4ml_external_mcm_public_fqdn: mcm.dev.labsk8s601.mojaloop.live pm4ml_ingress_internal_lb: false pm4ml_external_switch_client_id: dfsp-jwt @@ -11,7 +11,10 @@ pm4ml_external_switch_fqdn: extapi.dev.labsk8s601.mojaloop.live pm4ml_dfsp_id: pm4mltest pm4ml_ttk_enabled: true enable_sdk_bulk_transaction_support: false -use_ttk_as_backend_simulator: true +## core_connector_selected can be one of the following values: "ttk", "cc", "custom" +core_connector_selected: ttk +## custom_core_connector_endpoint is only required if core_connector_selected is set to "custom" +custom_core_connector_endpoint: 'pm4mltest-mojaloop-core-connector:3003' pm4ml_reserve_notification: false core_connector_config: {} payment_token_adapter_config: {} From e37e09581781079cc1b8ec366dfa5f7770e0b0e9 Mon Sep 17 00:00:00 2001 
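Review bot: `variable "pta_portal_fqdns"` declares no `type`, although it is indexed as `var.pta_portal_fqdns[each.key]` in the module call above; `type = map(string)` would reject a wrong shape at plan time with a clear message instead of an indexing error. The sibling `ttk_*_fqdns` variables have the same omission, so this is consistent with them rather than new, but the new declaration is the natural place to start. The blank line that separated the variable blocks was also dropped, which is the only other change in this hunk.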
From: David Fry Date: Fri, 5 Apr 2024 16:40:24 +0200 Subject: [PATCH 088/201] https://github.com/argoproj/argo-cd/issues/11074 (#208) --- .../templates/monitoring/monitoring-install.yaml.tpl | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/terraform/gitops/generate-files/templates/monitoring/monitoring-install.yaml.tpl b/terraform/gitops/generate-files/templates/monitoring/monitoring-install.yaml.tpl index 5846b179e..ea4a6ad8b 100644 --- a/terraform/gitops/generate-files/templates/monitoring/monitoring-install.yaml.tpl +++ b/terraform/gitops/generate-files/templates/monitoring/monitoring-install.yaml.tpl @@ -17,6 +17,10 @@ spec: server: https://kubernetes.default.svc project: default ignoreDifferences: + - group: monitoring.coreos.com + kind: ServiceMonitor + jqPathExpressions: + - .spec.endpoints[]?.relabelings[]?.action - group: redhatcop.redhat.io kind: VaultSecret jqPathExpressions: From d322d62fb1510ef28f221c45784ef3254b5a0fd9 Mon Sep 17 00:00:00 2001 From: David Fry Date: Mon, 8 Apr 2024 12:20:25 +0200 Subject: [PATCH 089/201] set version tags in default cluster config (#209) --- terraform/k8s/default-config/cluster-config.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/k8s/default-config/cluster-config.yaml b/terraform/k8s/default-config/cluster-config.yaml index 79823e5e1..019fa85d7 100644 --- a/terraform/k8s/default-config/cluster-config.yaml +++ b/terraform/k8s/default-config/cluster-config.yaml @@ -7,8 +7,8 @@ cloud_platform_client_secret_name: AWS_SECRET_ACCESS_KEY k8s_cluster_module: base-k8s cloud_region: eu-west-1 k8s_cluster_type: microk8s -ansible_collection_tag: v5.0.0 -iac_terraform_modules_tag: v5.0.0 +ansible_collection_tag: v5.1.0 +iac_terraform_modules_tag: v5.1.0 letsencrypt_email: test@mojalabs.io dns_zone_force_destroy: true longhorn_backup_object_store_destroy: true From b918ac2d2c6b03faeacf90abd4a8adf5aadc56db Mon Sep 17 00:00:00 2001 
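Review bot: The new `ignoreDifferences` entry silences every diff on `.spec.endpoints[]?.relabelings[]?.action` for all ServiceMonitors, so a manual edit of a relabeling action in the cluster will no longer show as drift or be reverted on sync; the reason survives only in the commit subject, not in the file. Add a comment above the entry, e.g. `# ignore relabelings[].action: the defaulted value shows as permanent drift, see argoproj/argo-cd#11074`, so the trade-off is visible to whoever next tightens drift detection. The enclosing `spec:` block continues outside the hunk.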
From: Muzammil Date: Tue, 9 Apr 2024 11:50:06 +0500 Subject: [PATCH 090/201] [IPROD-563] Make loki run on monitoring nodes (#210) * add monitoring workload label * add node affinities for different components * added a comment --- .../monitoring/install/values-loki.yaml.tpl | 54 +++++++++++++++++++ .../k8s/default-config/cluster-config.yaml | 1 + 2 files changed, 55 insertions(+) diff --git a/terraform/gitops/generate-files/templates/monitoring/install/values-loki.yaml.tpl b/terraform/gitops/generate-files/templates/monitoring/install/values-loki.yaml.tpl index 81b1140cf..531f0d5bd 100644 --- a/terraform/gitops/generate-files/templates/monitoring/install/values-loki.yaml.tpl +++ b/terraform/gitops/generate-files/templates/monitoring/install/values-loki.yaml.tpl 
@@ -13,12 +13,66 @@ loki: access_key_id: $${MINIO_LOKI_USERNAME} secret_access_key: $${MINIO_LOKI_PASSWORD} bucketnames: ${minio_loki_bucket} + +# NOTE: make sure all components which are running have node affinity enabled for monitoring nodes ingester: persistence: size: ${loki_ingester_pvc_size} storageClass: ${storage_class_name} extraArgs: ["-config.expand-env"] extraEnvVarsSecret: ${minio_credentials_secret_name} + nodeAffinityPreset: + type: hard + key: workload-class.mojaloop.io/MONITORING + values: ["enabled"] +compactor: + nodeAffinityPreset: + type: hard + key: workload-class.mojaloop.io/MONITORING + values: ["enabled"] +distributor: + nodeAffinityPreset: + type: hard + key: workload-class.mojaloop.io/MONITORING + values: ["enabled"] +gateway: + nodeAffinityPreset: + type: hard + key: workload-class.mojaloop.io/MONITORING + values: ["enabled"] +querier: + nodeAffinityPreset: + type: hard + key: workload-class.mojaloop.io/MONITORING + values: ["enabled"] +queryFrontend: + nodeAffinityPreset: + type: hard + key: workload-class.mojaloop.io/MONITORING + values: ["enabled"] + +memcachedchunks: + nodeAffinityPreset: + type: hard + key: workload-class.mojaloop.io/MONITORING + values: ["enabled"] +memcachedfrontend: + nodeAffinityPreset: + type: hard + key: workload-class.mojaloop.io/MONITORING + values: ["enabled"] +memcachedindexqueries: + nodeAffinityPreset: + type: hard + key: workload-class.mojaloop.io/MONITORING + values: ["enabled"] +memcachedindexwrites: + nodeAffinityPreset: + type: hard + key: workload-class.mojaloop.io/MONITORING + values: ["enabled"] + + promtail: # reference: https://github.com/bitnami/charts/blob/5f843aec99a13573f67e59b5e3193916ca01f308/bitnami/grafana-loki/values.yaml#L4440 diff --git a/terraform/k8s/default-config/cluster-config.yaml b/terraform/k8s/default-config/cluster-config.yaml index 019fa85d7..a41fcf63b 100644 --- a/terraform/k8s/default-config/cluster-config.yaml +++ b/terraform/k8s/default-config/cluster-config.yaml 
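Review bot: Every `nodeAffinityPreset` here is `type: hard` on the literal key `workload-class.mojaloop.io/MONITORING`, repeated ten times; on a cluster whose nodes do not carry that label (the next hunk adds it only to the default cluster-config) each of these Loki components stays Pending with no fallback, and a typo in any one copy does the same for that component. Rendering the key from a single template variable, e.g. `key: ${monitoring_workload_class_label}` (name constructed), shared with the tempo, prom-operator and grafana-operator values in PATCH 091, removes the drift risk. If the monitoring nodes are also tainted, a matching toleration is needed as well — not visible here. The `# NOTE:` comment should also say whether `promtail` is intentionally left without an affinity.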
@@ -31,6 +31,7 @@ nodes: workload-class.mojaloop.io/KAFKA-DATA-PLANE: "enabled" workload-class.mojaloop.io/RDBMS-CENTRAL-LEDGER-LIVE: "enabled" workload-class.mojaloop.io/RDBMS-ALS-LIVE: "enabled" + workload-class.mojaloop.io/MONITORING: "enabled" vpc_cidr: "10.106.0.0/23" enable_k6s_test_harness: false k6s_docker_server_instance_type: "m5.large" From 5046d89e595297f0077c8b2df09298fa03722f44 Mon Sep 17 00:00:00 2001 From: Muzammil Date: Tue, 9 Apr 2024 18:58:24 +0500 Subject: [PATCH 091/201] IPROD-563: Run Prometheus, Grafana and Tempo on monitoring nodes only (#212) * set node affinities for tempo * add node affinities for prometheus and related services * move grafana to monitoring nodes as well * enable updating version tags for prometheus and grafana CRDs --- .../monitoring/install/kustomization.yaml.tpl | 4 +- .../install/values-grafana-operator.yaml.tpl | 5 +++ .../install/values-prom-operator.yaml.tpl | 23 ++++++++++- .../monitoring/install/values-tempo.yaml.tpl | 41 ++++++++++++++++++- .../post-config/monitoring-crs.yaml.tpl | 8 ++++ .../gitops/k8s-cluster-config/monitoring.tf | 5 ++- terraform/k8s/default-config/common-vars.yaml | 2 + 7 files changed, 83 insertions(+), 5 deletions(-) diff --git a/terraform/gitops/generate-files/templates/monitoring/install/kustomization.yaml.tpl b/terraform/gitops/generate-files/templates/monitoring/install/kustomization.yaml.tpl index bc97d4d1e..6ad60ec07 100644 --- a/terraform/gitops/generate-files/templates/monitoring/install/kustomization.yaml.tpl +++ b/terraform/gitops/generate-files/templates/monitoring/install/kustomization.yaml.tpl 
@@ -1,7 +1,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - https://raw.githubusercontent.com/grafana/grafana-operator/v5.6.0/deploy/kustomize/base/crds.yaml + - https://raw.githubusercontent.com/grafana/grafana-operator/${grafana_crd_version_tag}/deploy/kustomize/base/crds.yaml - vault-secret.yaml - istio-gateway.yaml - process-exporter-service-monitor.yaml @@ -9,7 +9,7 @@ resources: helmCharts: - name: prometheus-operator-crds releaseName: prometheus-operator-crds - version: 8.0.1 + version: ${prometheus_crd_version} repo: https://prometheus-community.github.io/helm-charts/ - name: kube-prometheus releaseName: ${prometheus_operator_release_name} diff --git a/terraform/gitops/generate-files/templates/monitoring/install/values-grafana-operator.yaml.tpl b/terraform/gitops/generate-files/templates/monitoring/install/values-grafana-operator.yaml.tpl index 6650ddbd3..043ea2bf8 100644 --- a/terraform/gitops/generate-files/templates/monitoring/install/values-grafana-operator.yaml.tpl +++ b/terraform/gitops/generate-files/templates/monitoring/install/values-grafana-operator.yaml.tpl @@ -1,2 +1,7 @@ grafana: enabled: false +operator: + nodeAffinityPreset: + type: hard + key: workload-class.mojaloop.io/MONITORING + values: ["enabled"] \ No newline at end of file diff --git a/terraform/gitops/generate-files/templates/monitoring/install/values-prom-operator.yaml.tpl b/terraform/gitops/generate-files/templates/monitoring/install/values-prom-operator.yaml.tpl index b859c707f..e6a484c63 100644 --- a/terraform/gitops/generate-files/templates/monitoring/install/values-prom-operator.yaml.tpl +++ b/terraform/gitops/generate-files/templates/monitoring/install/values-prom-operator.yaml.tpl 
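Review bot: `${grafana_crd_version_tag}` is spliced into a raw.githubusercontent.com URL that kustomize fetches at build time, so the CRDs installed are whatever that git tag points to at that moment; a tag is mutable, unlike a commit SHA, and nothing here verifies the fetched content. Now that the value is a variable, document next to it in common-vars.yaml that it may hold a full commit SHA (or vendor the CRD file into the repo) so the supply-chain pin can be tightened without touching the template. Separately, `values-grafana-operator.yaml.tpl` still ends without a trailing newline after this hunk.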
@@ -7,12 +7,25 @@ alertmanager: enabled: true storageClass: ${storage_class_name} size: 10Gi + nodeAffinityPreset: + type: hard + key: workload-class.mojaloop.io/MONITORING + values: ["enabled"] prometheus: persistence: enabled: true storageClass: ${storage_class_name} size: ${prometheus_pvc_size} retention: ${prometheus_retention_period} + nodeAffinityPreset: + type: hard + key: workload-class.mojaloop.io/MONITORING + values: ["enabled"] +operator: + nodeAffinityPreset: + type: hard + key: workload-class.mojaloop.io/MONITORING + values: ["enabled"] kubelet: serviceMonitor: relabelings: @@ -23,14 +36,22 @@ kubelet: targetLabel: kubernetes_io_hostname replacement: $${1} action: replace + commonLabels: build: argocd commonAnnotations: build: argocd + node-exporter: serviceMonitor: relabelings: - sourceLabels: [__meta_kubernetes_pod_node_name] targetLabel: nodename tolerations: - - operator: "Exists" \ No newline at end of file + - operator: "Exists" +blackboxExporter: + enabled: false + nodeAffinityPreset: + type: hard + key: workload-class.mojaloop.io/MONITORING + values: ["enabled"] \ No newline at end of file diff --git a/terraform/gitops/generate-files/templates/monitoring/install/values-tempo.yaml.tpl b/terraform/gitops/generate-files/templates/monitoring/install/values-tempo.yaml.tpl index 13a794a46..108667750 100644 --- a/terraform/gitops/generate-files/templates/monitoring/install/values-tempo.yaml.tpl +++ b/terraform/gitops/generate-files/templates/monitoring/install/values-tempo.yaml.tpl 
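Review bot: `blackboxExporter` is introduced with `enabled: false` and a hard `nodeAffinityPreset` in the same hunk, so the affinity is dead configuration until someone flips `enabled`, and a reader cannot tell whether the intent is "disabled for now" or "never". A one-line comment resolves it: `# disabled; affinity kept so that enabling it later lands on monitoring nodes`. The file still lacks a trailing newline after this hunk, and `node-exporter` deliberately has no affinity — worth a matching comment if that is because it must run on every node.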
@@ -1 +1,40 @@ -#none \ No newline at end of file +compactor: + nodeAffinityPreset: + type: hard + key: workload-class.mojaloop.io/MONITORING + values: ["enabled"] +distributor: + nodeAffinityPreset: + type: hard + key: workload-class.mojaloop.io/MONITORING + values: ["enabled"] +ingester: + nodeAffinityPreset: + type: hard + key: workload-class.mojaloop.io/MONITORING + values: ["enabled"] +metricsGenerator: + nodeAffinityPreset: + type: hard + key: workload-class.mojaloop.io/MONITORING + values: ["enabled"] +querier: + nodeAffinityPreset: + type: hard + key: workload-class.mojaloop.io/MONITORING + values: ["enabled"] +queryFrontend: + nodeAffinityPreset: + type: hard + key: workload-class.mojaloop.io/MONITORING + values: ["enabled"] +vulture: + nodeAffinityPreset: + type: hard + key: workload-class.mojaloop.io/MONITORING + values: ["enabled"] +memcached: + nodeAffinityPreset: + type: hard + key: workload-class.mojaloop.io/MONITORING + values: ["enabled"] diff --git a/terraform/gitops/generate-files/templates/monitoring/post-config/monitoring-crs.yaml.tpl b/terraform/gitops/generate-files/templates/monitoring/post-config/monitoring-crs.yaml.tpl index ae8ea04d9..2a6450fc4 100644 --- a/terraform/gitops/generate-files/templates/monitoring/post-config/monitoring-crs.yaml.tpl +++ b/terraform/gitops/generate-files/templates/monitoring/post-config/monitoring-crs.yaml.tpl @@ -23,6 +23,14 @@ spec: secretKeyRef: key: ${admin_secret_pw_key} name: ${admin_secret} + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: 'workload-class.mojaloop.io/MONITORING' + operator: In + values: ['enabled'] config: unified_alerting: enabled: "false" diff --git a/terraform/gitops/k8s-cluster-config/monitoring.tf b/terraform/gitops/k8s-cluster-config/monitoring.tf index a882ad71a..189f6b548 100644 --- a/terraform/gitops/k8s-cluster-config/monitoring.tf +++ b/terraform/gitops/k8s-cluster-config/monitoring.tf 
@@ -1,7 +1,8 @@ module "generate_monitoring_files" { source = "../generate-files" var_map = { - grafana_chart_repo = var.grafana_chart_repo + grafana_crd_version_tag = try(var.common_var_map.grafana_crd_version_tag, local.grafana_crd_version_tag) + prometheus_crd_version = try(var.common_var_map.prometheus_crd_version, local.prometheus_crd_version) loki_chart_version = try(var.common_var_map.loki_chart_version, local.loki_chart_version) prometheus_operator_version = try(var.common_var_map.prometheus_operator_version, local.prometheus_operator_version) prometheus_operator_release_name = local.prometheus_operator_release_name @@ -99,6 +100,8 @@ variable "monitoring_namespace" { } locals { + grafana_crd_version_tag = "v5.6.0" + prometheus_crd_version = "8.0.1" grafana_wildcard_gateway = var.grafana_ingress_internal_lb ? "internal" : "external" loki_release_name = "loki" prometheus_operator_release_name = "prom" diff --git a/terraform/k8s/default-config/common-vars.yaml b/terraform/k8s/default-config/common-vars.yaml index 715b769be..0920e05bc 100644 --- a/terraform/k8s/default-config/common-vars.yaml +++ b/terraform/k8s/default-config/common-vars.yaml @@ -18,6 +18,8 @@ mcm_enabled: true mojaloop_enabled: true pm4ml_enabled: false vnext_enabled: false +grafana_crd_version_tag: v5.6.0 +prometheus_crd_version: 8.0.1 prometheus_operator_version: 8.22.8 prometheus_process_exporter_version: 0.4.2 grafana_operator_version: 3.5.11 From d4a48a5c94dab32672b228be4c328a872f38372e Mon Sep 17 00:00:00 2001 From: Sijo George <87609749+sijo5722-2021@users.noreply.github.com> Date: Wed, 10 Apr 2024 19:03:59 +0530 Subject: [PATCH 092/201] Polling freq and backup job freq (#213) --- .../generate-files/templates/storage/chart/values.yaml.tpl | 1 + .../templates/storage/custom-resources/longhorn-job.yaml.tpl | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) 
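Review bot: `grafana_chart_repo = var.grafana_chart_repo` is dropped from `var_map` without a visible removal of the `grafana_chart_repo` variable or of any `${grafana_chart_repo}` reference in the monitoring templates; if a template still uses it the render fails with an unknown-variable error, and if none does the variable declaration is now dead — neither case is visible here, so please confirm. The fallback locals `grafana_crd_version_tag = "v5.6.0"` and `prometheus_crd_version = "8.0.1"` duplicate the values added to common-vars.yaml; a comment such as `# defaults only; common-vars.yaml overrides via try()` keeps the two from drifting unnoticed. The `module "generate_monitoring_files"` and `locals` blocks both continue outside their hunks.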
diff --git a/terraform/gitops/generate-files/templates/storage/chart/values.yaml.tpl b/terraform/gitops/generate-files/templates/storage/chart/values.yaml.tpl index 9787d134d..774cc9325 100644 --- a/terraform/gitops/generate-files/templates/storage/chart/values.yaml.tpl +++ b/terraform/gitops/generate-files/templates/storage/chart/values.yaml.tpl @@ -17,6 +17,7 @@ longhorn: replicaAutoBalance: disabled autoDeletePodWhenVolumeDetachedUnexpectedly: true replicaReplenishmentWaitInterval: 360 + backupstorePollInterval: 0 taintToleration: ~ enablePSP: false diff --git a/terraform/gitops/generate-files/templates/storage/custom-resources/longhorn-job.yaml.tpl b/terraform/gitops/generate-files/templates/storage/custom-resources/longhorn-job.yaml.tpl index 3e402c45b..d6d39256d 100644 --- a/terraform/gitops/generate-files/templates/storage/custom-resources/longhorn-job.yaml.tpl +++ b/terraform/gitops/generate-files/templates/storage/custom-resources/longhorn-job.yaml.tpl @@ -5,7 +5,7 @@ metadata: annotations: argocd.argoproj.io/sync-wave: "${longhorn_job_sync_wave}" spec: - cron: "0 * * * *" + cron: "0 */12 * * *" task: "backup" groups: - default From f32846038c3cee93a76bc643a5909bc66e8c31d3 Mon Sep 17 00:00:00 2001 From: Aaron Reynoza Date: Wed, 10 Apr 2024 11:53:43 -0600 Subject: [PATCH 093/201] disable default logs for mysql --- .../mojaloop-stateful-resources.json | 20 +++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/terraform/k8s/default-config/mojaloop-stateful-resources.json b/terraform/k8s/default-config/mojaloop-stateful-resources.json index b08d9602d..3b06ffeeb 100644 --- a/terraform/k8s/default-config/mojaloop-stateful-resources.json +++ b/terraform/k8s/default-config/mojaloop-stateful-resources.json 
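Review bot: The recurring backup moves from hourly to `cron: "0 */12 * * *"`, which changes the achievable restore point from about one hour to up to twelve hours of data loss, and `backupstorePollInterval: 0` — if I read the Longhorn setting correctly — stops the backup store from being polled at all; neither consequence is recorded in the files. Add a comment on each, e.g. `# recurring backup every 12h: restores may lose up to 12h of data` above `cron:` and `# 0 disables backup-store polling; backups are driven by the recurring job only` above `backupstorePollInterval:`, so the RPO is explicit for whoever plans restore drills.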
@@ -89,8 +89,8 @@ "innodb_buffer_pool_size": 2147483648, "port": 3306, "existing_secret": "mysql-auth-svc-secret", - "general_log": 1, - "slow_query_log": 1, + "general_log": 0, + "slow_query_log": 0, "root_password": "", "user": "auth-svc", "user_password": "", @@ -158,8 +158,8 @@ "innodb_buffer_pool_size": 2147483648, "port": 3306, "existing_secret": "mysql-consent-oracle-secret", - "general_log": 1, - "slow_query_log": 1, + "general_log": 0, + "slow_query_log": 0, "root_password": "", "user": "consent-oracle", "user_password": "", @@ -227,8 +227,8 @@ "innodb_buffer_pool_size": 2147483648, "port": 3306, "existing_secret": "mcm-db-secret", - "general_log": 1, - "slow_query_log": 1, + "general_log": 0, + "slow_query_log": 0, "root_password": "", "user": "devdat1asql1", "user_password": "", @@ -296,8 +296,8 @@ "innodb_buffer_pool_size": 2147483648, "port": 3306, "existing_secret": "mysql-account-lookup-secret", - "general_log": 1, - "slow_query_log": 1, + "general_log": 0, + "slow_query_log": 0, "root_password": "", "user": "account_lookup", "user_password": "", @@ -416,8 +416,8 @@ "mysql_data": { "is_legacy": false, "existing_secret": "mysql-central-ledger-secret", - "general_log": 1, - "slow_query_log": 1, + "general_log": 0, + "slow_query_log": 0, "root_password": "", "default_authentication_plugin": "mysql_native_password", "basedir": "/opt/bitnami/mysql", From 7b20032706f0ee313c557b6be078e23365f916bc Mon Sep 17 00:00:00 2001 
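Review bot: Setting `"general_log": 0` on all five MySQL instances removes the only statement-level record of what was executed against the auth, consent, MCM, account-lookup and central-ledger databases; that is a defensible performance and disk trade-off, but it also removes a forensic source, and the commit does not name a replacement. `"slow_query_log"` is cheap compared with the general log and is normally kept on, so consider leaving it at `1` with an explicit `long_query_time` threshold. If statement-level visibility is needed for detection or audit, a dedicated MySQL audit plugin is the better fit than re-enabling the general log; either way the decision belongs in the ops runbook since this JSON cannot carry a comment. The same change is repeated in the four following hunks of this file.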
From: Muzammil Date: Thu, 4 Apr 2024 20:10:20 +0500 Subject: [PATCH 094/201] IPROD-525: Display offending processes (cpu+memory) on performance-troubleshooting-dashboard (#204) * Add process-exporter * add prometheus_process_exporter_version * turn off service monitor * enable service monitor again * added process-exporter-service monitor * add a recording rule * add tpl to rules file * update performance-troubleshooting url * add instance_nodename:node_memory_MemTotal_bytes * use v16.0.0-snapshot.6 tag for dashboards * fix dashboard-performance-troubleshooting url * update kafka-topic-overview * update dashboard urls * add node-exporter relabellings * remove recording rules * add comment in process exporter service monitor * upgrade performance troublesshoting dashboard to v16.1.0-snapshot.7 * rm resources folder --------- Co-authored-by: David Fry Co-authored-by: David Fry --- .../templates/mojaloop/grafana.yaml.tpl | 2 +- .../monitoring/install/kustomization.yaml.tpl | 7 +++++ .../process-exporter-service-monitor.yaml.tpl | 19 ++++++++++++ .../install/values-process-exporter.yaml.tpl | 6 ++++ .../install/values-prom-operator.yaml.tpl | 4 +++ .../post-config/dashboards/default.yaml.tpl | 15 ++++++++++ .../post-config/monitoring-crs.yaml.tpl | 4 +-- .../gitops/k8s-cluster-config/monitoring.tf | 30 ++++++++++--------- terraform/k8s/default-config/common-vars.yaml | 1 + 9 files changed, 71 insertions(+), 17 deletions(-) create mode 100644 terraform/gitops/generate-files/templates/monitoring/install/process-exporter-service-monitor.yaml.tpl create mode 100644 terraform/gitops/generate-files/templates/monitoring/install/values-process-exporter.yaml.tpl create mode 100644 terraform/gitops/generate-files/templates/monitoring/post-config/dashboards/default.yaml.tpl diff --git a/terraform/gitops/generate-files/templates/mojaloop/grafana.yaml.tpl b/terraform/gitops/generate-files/templates/mojaloop/grafana.yaml.tpl index 96c8021b4..6670ad313 100644 
--- a/terraform/gitops/generate-files/templates/mojaloop/grafana.yaml.tpl +++ b/terraform/gitops/generate-files/templates/mojaloop/grafana.yaml.tpl @@ -126,5 +126,5 @@ spec: datasources: - inputName: "DS_PROMETHEUS" datasourceName: "Prometheus" - url: "https://raw.githubusercontent.com/mojaloop/helm/v16.0.0-snapshot.5/monitoring/dashboards/mojaloop/dashboard-performance-troubleshooting.json" + url: "https://raw.githubusercontent.com/mojaloop/helm/v16.1.0-snapshot.7/monitoring/dashboards/mojaloop/dashboard-performance-troubleshooting.json" --- diff --git a/terraform/gitops/generate-files/templates/monitoring/install/kustomization.yaml.tpl b/terraform/gitops/generate-files/templates/monitoring/install/kustomization.yaml.tpl index c23037e27..bc97d4d1e 100644 --- a/terraform/gitops/generate-files/templates/monitoring/install/kustomization.yaml.tpl +++ b/terraform/gitops/generate-files/templates/monitoring/install/kustomization.yaml.tpl @@ -4,6 +4,7 @@ resources: - https://raw.githubusercontent.com/grafana/grafana-operator/v5.6.0/deploy/kustomize/base/crds.yaml - vault-secret.yaml - istio-gateway.yaml + - process-exporter-service-monitor.yaml - vault-minio-ext-secret.yaml helmCharts: - name: prometheus-operator-crds @@ -34,3 +35,9 @@ helmCharts: repo: oci://registry-1.docker.io/bitnamicharts valuesFile: values-tempo.yaml namespace: ${monitoring_namespace} +- name: prometheus-process-exporter + releaseName: process-exporter + version: ${prometheus_process_exporter_version} + repo: https://raw.githubusercontent.com/mumoshu/prometheus-process-exporter/master/docs + valuesFile: values-process-exporter.yaml + namespace: ${monitoring_namespace} diff --git a/terraform/gitops/generate-files/templates/monitoring/install/process-exporter-service-monitor.yaml.tpl b/terraform/gitops/generate-files/templates/monitoring/install/process-exporter-service-monitor.yaml.tpl new file mode 100644 index 000000000..7791dc422 --- /dev/null 
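Review bot: The new helm chart entry pulls its repository index from `https://raw.githubusercontent.com/mumoshu/prometheus-process-exporter/master/docs`, i.e. a moving `master` branch of a third-party personal repository; `version: ${prometheus_process_exporter_version}` pins the chart version, but the index and the tarball it resolves to can change under that version and nothing here checks a digest. Mirror the chart into a registry the project controls, or at least pin the URL to a commit SHA instead of `master` and record the expected chart digest next to the version in common-vars.yaml. The `helmCharts:` list starts outside this hunk.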
+++ b/terraform/gitops/generate-files/templates/monitoring/install/process-exporter-service-monitor.yaml.tpl @@ -0,0 +1,19 @@ +# NOTE: service monitor in helm char does not allow adding relabelings, therefore we have to maintain custom service-monitor +# https://github.com/mumoshu/prometheus-process-exporter/blob/master/charts/prometheus-process-exporter/templates/servicemonitor.yaml +# Request to fix in upstream: https://github.com/mumoshu/prometheus-process-exporter/issues/23 +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: process-exporter-servicemonitor + annotations: + app.kubernetes.io/description: "Enables monitoring of prometheus-process-exporter" +spec: + selector: + matchLabels: + app: prometheus-process-exporter + endpoints: + - port: metrics + path: /metrics + relabelings: + - sourceLabels: [__meta_kubernetes_pod_node_name] + targetLabel: nodename \ No newline at end of file diff --git a/terraform/gitops/generate-files/templates/monitoring/install/values-process-exporter.yaml.tpl b/terraform/gitops/generate-files/templates/monitoring/install/values-process-exporter.yaml.tpl new file mode 100644 index 000000000..200964707 --- /dev/null +++ b/terraform/gitops/generate-files/templates/monitoring/install/values-process-exporter.yaml.tpl @@ -0,0 +1,6 @@ +rbac: + create: false +groups: + - name: "{{.ExeFull}}" + cmdline: + - '.+' \ No newline at end of file diff --git a/terraform/gitops/generate-files/templates/monitoring/install/values-prom-operator.yaml.tpl b/terraform/gitops/generate-files/templates/monitoring/install/values-prom-operator.yaml.tpl index f16ad81ba..b859c707f 100644 --- a/terraform/gitops/generate-files/templates/monitoring/install/values-prom-operator.yaml.tpl +++ b/terraform/gitops/generate-files/templates/monitoring/install/values-prom-operator.yaml.tpl 
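Review bot: The header comment has a typo, `helm char` should read `helm chart`. More substantively, in values-process-exporter.yaml.tpl the group `name: "{{.ExeFull}}"` with `cmdline: - '.+'` creates one metric group per distinct executable path on every node, so series cardinality grows with whatever runs on the hosts and the full paths of all host processes become visible to anyone who can query Prometheus; if the dashboard only needs the Mojaloop, Kafka and database processes, narrow the `cmdline` pattern to those. The ServiceMonitor's `matchLabels: app: prometheus-process-exporter` must match the label the chart puts on its Service — not visible here — so verify the target actually appears in Prometheus. Both new files end without a trailing newline.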
@@ -28,5 +28,9 @@ commonLabels: commonAnnotations: build: argocd node-exporter: + serviceMonitor: + relabelings: + - sourceLabels: [__meta_kubernetes_pod_node_name] + targetLabel: nodename tolerations: - operator: "Exists" \ No newline at end of file diff --git a/terraform/gitops/generate-files/templates/monitoring/post-config/dashboards/default.yaml.tpl b/terraform/gitops/generate-files/templates/monitoring/post-config/dashboards/default.yaml.tpl new file mode 100644 index 000000000..e77a03ed2 --- /dev/null +++ b/terraform/gitops/generate-files/templates/monitoring/post-config/dashboards/default.yaml.tpl @@ -0,0 +1,15 @@ +apiVersion: grafana.integreatly.org/v1beta1 +kind: GrafanaDashboard +metadata: + name: process-exporter +spec: + folder: default + datasources: + - inputName: "DS_PROMETHEUS" + datasourceName: "Prometheus" + instanceSelector: + matchLabels: + dashboards: "grafana" + grafanaCom: + id: 249 + revision: 2 \ No newline at end of file diff --git a/terraform/gitops/generate-files/templates/monitoring/post-config/monitoring-crs.yaml.tpl b/terraform/gitops/generate-files/templates/monitoring/post-config/monitoring-crs.yaml.tpl index d5a9d4eda..ae8ea04d9 100644 --- a/terraform/gitops/generate-files/templates/monitoring/post-config/monitoring-crs.yaml.tpl +++ b/terraform/gitops/generate-files/templates/monitoring/post-config/monitoring-crs.yaml.tpl @@ -155,7 +155,7 @@ spec: instanceSelector: matchLabels: dashboards: "grafana" - url: "https://raw.githubusercontent.com/mojaloop/helm/v16.1.0-snapshot.0/monitoring/dashboards/messaging/dashboard-kafka-topic-overview.json" + url: "https://raw.githubusercontent.com/mojaloop/helm/v16.1.0-snapshot.6/monitoring/dashboards/messaging/dashboard-kafka-topic-overview.json" --- apiVersion: grafana.integreatly.org/v1beta1 kind: GrafanaDashboard 
@@ -169,5 +169,5 @@ spec: instanceSelector: matchLabels: dashboards: "grafana" - url: "https://raw.githubusercontent.com/mojaloop/helm/v16.1.0-snapshot.0/monitoring/dashboards/messaging/dashboard-kafka-cluster-overview.json" + url: "https://raw.githubusercontent.com/mojaloop/helm/v16.1.0-snapshot.6/monitoring/dashboards/messaging/dashboard-kafka-cluster-overview.json" --- \ No newline at end of file diff --git a/terraform/gitops/k8s-cluster-config/monitoring.tf b/terraform/gitops/k8s-cluster-config/monitoring.tf index 57b3ef72b..a882ad71a 100644 --- a/terraform/gitops/k8s-cluster-config/monitoring.tf +++ b/terraform/gitops/k8s-cluster-config/monitoring.tf @@ -5,6 +5,7 @@ module "generate_monitoring_files" { loki_chart_version = try(var.common_var_map.loki_chart_version, local.loki_chart_version) prometheus_operator_version = try(var.common_var_map.prometheus_operator_version, local.prometheus_operator_version) prometheus_operator_release_name = local.prometheus_operator_release_name + prometheus_process_exporter_version = try(var.common_var_map.prometheus_process_exporter_version, local.prometheus_process_exporter_version) loki_release_name = local.loki_release_name grafana_operator_version = try(var.common_var_map.grafana_operator_version, local.grafana_operator_version) grafana_version = try(var.common_var_map.grafana_version, local.grafana_version) 
@@ -98,18 +99,19 @@ variable "monitoring_namespace" { } locals { - grafana_wildcard_gateway = var.grafana_ingress_internal_lb ? "internal" : "external" - loki_release_name = "loki" - prometheus_operator_release_name = "prom" - loki_chart_version = "2.13.0" - prometheus_operator_version = "8.22.8" - tempo_chart_version = "2.6.0" - grafana_version = "10.2.3" - grafana_operator_version = "3.5.11" - monitoring_template_path = "${path.module}/../generate-files/templates/monitoring" - monitoring_app_file = "monitoring-app.yaml" - loki_ingester_pvc_size = "50Gi" - prometheus_pvc_size = "50Gi" - loki_ingester_retention_period = "72h" - prometheus_retention_period = "10d" + grafana_wildcard_gateway = var.grafana_ingress_internal_lb ? "internal" : "external" + loki_release_name = "loki" + prometheus_operator_release_name = "prom" + loki_chart_version = "2.13.0" + prometheus_operator_version = "8.22.8" + prometheus_process_exporter_version = "0.4.2" + tempo_chart_version = "2.6.0" + grafana_version = "10.2.3" + grafana_operator_version = "3.5.11" + monitoring_template_path = "${path.module}/../generate-files/templates/monitoring" + monitoring_app_file = "monitoring-app.yaml" + loki_ingester_pvc_size = "50Gi" + prometheus_pvc_size = "50Gi" + loki_ingester_retention_period = "72h" + prometheus_retention_period = "10d" } diff --git a/terraform/k8s/default-config/common-vars.yaml b/terraform/k8s/default-config/common-vars.yaml index e464dfff6..715b769be 100644 --- a/terraform/k8s/default-config/common-vars.yaml +++ b/terraform/k8s/default-config/common-vars.yaml @@ -19,6 +19,7 @@ mojaloop_enabled: true pm4ml_enabled: false vnext_enabled: false prometheus_operator_version: 8.22.8 +prometheus_process_exporter_version: 0.4.2 grafana_operator_version: 3.5.11 grafana_version: 10.2.3 tempo_chart_version: 2.6.0 From 609923cd11e7a99af71fd92d19dbc2e0ae4e3447 Mon Sep 17 00:00:00 2001 
From: vijayg10 <33152110+vijayg10@users.noreply.github.com> Date: Thu, 4 Apr 2024 20:43:08 +0530 Subject: [PATCH 095/201] feat: standardise poc demos changes (#205) * fix: pm4ml vs paths * fix: indent in mojaloop tolerations * feat: added vs for payment token adapter in pm4ml * feat: added core connector customization logic to pm4ml --- .../mojaloop/values-mojaloop.yaml.tpl | 2 +- .../templates/pm4ml/istio-gateway.yaml.tpl | 41 ++++++++++++++++--- .../templates/pm4ml/values-pm4ml.yaml.tpl | 18 ++++++-- .../gitops/k8s-cluster-config/app-deploy.tf | 4 +- terraform/gitops/pm4ml/pm4ml.tf | 14 +++---- terraform/k8s/default-config/pm4ml-vars.yaml | 7 +++- 6 files changed, 66 insertions(+), 20 deletions(-) diff --git a/terraform/gitops/generate-files/templates/mojaloop/values-mojaloop.yaml.tpl b/terraform/gitops/generate-files/templates/mojaloop/values-mojaloop.yaml.tpl index 68341f48f..a2ef93091 100644 --- a/terraform/gitops/generate-files/templates/mojaloop/values-mojaloop.yaml.tpl +++ b/terraform/gitops/generate-files/templates/mojaloop/values-mojaloop.yaml.tpl @@ -116,7 +116,7 @@ CONFIG: tolerations: &MOJALOOP_TOLERATIONS ${indent(4, mojaloop_tolerations)} %{ else ~} - tolerations: &MOJALOOP_TOLERATIONS [] + tolerations: &MOJALOOP_TOLERATIONS [] %{ endif ~} global: diff --git a/terraform/gitops/generate-files/templates/pm4ml/istio-gateway.yaml.tpl b/terraform/gitops/generate-files/templates/pm4ml/istio-gateway.yaml.tpl index 07a526546..af240707e 100644 --- a/terraform/gitops/generate-files/templates/pm4ml/istio-gateway.yaml.tpl +++ b/terraform/gitops/generate-files/templates/pm4ml/istio-gateway.yaml.tpl @@ -282,7 +282,9 @@ spec: - name: "sim-backend" match: - uri: - prefix: /sim-backend-test(/|$)(.*) + prefix: /sim-backend-test/ + rewrite: + uri: / route: - destination: host: sim-backend 
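Review bot: `prefix: /sim-backend-test/` no longer matches a request for the bare path `/sim-backend-test` (no trailing slash), which the old `(/|$)` spelling was presumably meant to accept; because Istio's `prefix` is a literal string match the old rule most likely never matched at all, so the change is a fix, but clients hitting the bare path now need either a redirect or a second match entry such as `- uri: { exact: /sim-backend-test }` with the same `rewrite`. The same applies to the four sibling routes changed on the next line (cc-send, mlcon-outbound, mlcon-sdktest, mgmt-api). A one-line comment on the first route, `# prefix must end with "/" so rewrite.uri "/" strips it cleanly; bare path is not matched`, would stop the pattern from being "corrected" back.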
@@ -291,7 +293,9 @@ spec: - name: "mojaloop-core-connector" match: - uri: - prefix: /cc-send(/|$)(.*) + prefix: /cc-send/ + rewrite: + uri: / route: - destination: host: ${pm4ml_release_name}-mojaloop-core-connector @@ -300,7 +304,9 @@ spec: - name: "mlcon-outbound" match: - uri: - prefix: /mlcon-outbound(/|$)(.*) + prefix: /mlcon-outbound/ + rewrite: + uri: / route: - destination: host: ${pm4ml_release_name}-sdk-scheme-adapter-api-svc @@ -309,7 +315,9 @@ spec: - name: "mlcon-sdktest" match: - uri: - prefix: /mlcon-sdktest(/|$)(.*) + prefix: /mlcon-sdktest/ + rewrite: + uri: / route: - destination: host: ${pm4ml_release_name}-sdk-scheme-adapter-api-svc @@ -318,7 +326,9 @@ spec: - name: "mgmt-api" match: - uri: - prefix: /mgmt-api(/|$)(.*) + prefix: /mgmt-api/ + rewrite: + uri: / route: - destination: host: ${pm4ml_release_name}-management-api @@ -381,5 +391,26 @@ spec: host: ${pm4ml_release_name}-ttk-backend port: number: 4040 + +--- + +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: ${pm4ml_release_name}-portal-pta-vs +spec: + gateways: + - ${istio_internal_gateway_namespace}/${istio_internal_wildcard_gateway_name} + hosts: + - '${pta_portal_fqdn}' + http: + - match: + - uri: + prefix: / + route: + - destination: + host: ${pm4ml_release_name}-mojaloop-payment-token-adapter + port: + number: 3000 --- %{ endif ~} \ No newline at end of file diff --git a/terraform/gitops/generate-files/templates/pm4ml/values-pm4ml.yaml.tpl b/terraform/gitops/generate-files/templates/pm4ml/values-pm4ml.yaml.tpl index 26af30a7b..a9f736700 100644 --- a/terraform/gitops/generate-files/templates/pm4ml/values-pm4ml.yaml.tpl +++ b/terraform/gitops/generate-files/templates/pm4ml/values-pm4ml.yaml.tpl @@ -110,8 +110,6 @@ prometheus: scheme-adapter: sdk-scheme-adapter-api-svc: - image: - tag: v23.1.2-snapshot.2 %{ if enable_sdk_bulk_transaction_support ~} kafka: &kafkaConfig host: ${kafka_host} 
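Review bot: The new `${pm4ml_release_name}-portal-pta-vs` VirtualService is inserted just before a `%{ endif ~}` whose opening `%{ if` is outside the hunk, so it is rendered only under whatever condition wraps the preceding TTK resources; if that condition is the TTK toggle, the payment-token-adapter route silently disappears when TTK is disabled while `pta_portal_fqdns` is still added unconditionally to `pm4ml_internal_gateway_hosts` in app-deploy.tf later on this page. Either move the new document outside that conditional or apply the same condition to the host list, and state the dependency in a comment on the document: `# rendered under the same condition as the TTK resources above — keep in step with pm4ml_internal_gateway_hosts`. Quoting the templated host (`'${pta_portal_fqdn}'`) is the safe form and is worth keeping.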
@@ -133,8 +131,15 @@ scheme-adapter: "test": "test" } env: + LOG_LEVEL: error DFSP_ID: *dfspId CACHE_URL: redis://${redis_host}:${redis_port} + AUTO_ACCEPT_QUOTES: false + AUTO_ACCEPT_PARTY: false + AUTO_ACCEPT_R2P_PARTY: false + AUTO_ACCEPT_R2P_BUSINESS_QUOTES: false + AUTO_ACCEPT_R2P_DEVICE_OTP: false + AUTO_ACCEPT_PARTICIPANTS_PUT: false JWS_SIGN: true VALIDATE_INBOUND_JWS: true PEER_ENDPOINT: "${pm4ml_external_switch_fqdn}" @@ -146,16 +151,22 @@ scheme-adapter: OAUTH_CLIENT_SECRET_KEY: "${pm4ml_external_switch_client_secret_key}" OAUTH_CLIENT_SECRET_NAME: "${pm4ml_external_switch_client_secret}" RESERVE_NOTIFICATION: ${pm4ml_reserve_notification} -%{ if use_ttk_as_backend_simulator ~} +%{ if core_connector_selected == "ttk" ~} BACKEND_ENDPOINT: "${pm4ml_release_name}-ttk-backend:4040" %{ else ~} +%{ if core_connector_selected == "cc" ~} BACKEND_ENDPOINT: "${pm4ml_release_name}-mojaloop-core-connector:3003" +%{ else ~} + BACKEND_ENDPOINT: "${custom_core_connector_endpoint}" +%{ endif ~} %{ endif ~} MGMT_API_WS_URL: "${pm4ml_release_name}-management-api" %{ if enable_sdk_bulk_transaction_support ~} ENABLE_BACKEND_EVENT_HANDLER: true ENABLE_FSPIOP_EVENT_HANDLER: true REQUEST_PROCESSING_TIMEOUT_SECONDS: 30 +%{ else ~} + REQUEST_PROCESSING_TIMEOUT_SECONDS: 10 %{ endif ~} %{ if enable_sdk_bulk_transaction_support ~} @@ -202,6 +213,7 @@ ttk: "CALLBACK_ENDPOINT": "http://${pm4ml_release_name}-sdk-scheme-adapter-api-svc:4001", "SEND_CALLBACK_ENABLE": true, "DEFAULT_ENVIRONMENT_FILE_NAME": "pm4ml-default-environment.json", + "DEFAULT_REQUEST_TIMEOUT": 15000, "FSPID": *dfspId } diff --git a/terraform/gitops/k8s-cluster-config/app-deploy.tf b/terraform/gitops/k8s-cluster-config/app-deploy.tf index 03d4ce4ae..032616a4c 100644 --- a/terraform/gitops/k8s-cluster-config/app-deploy.tf +++ b/terraform/gitops/k8s-cluster-config/app-deploy.tf 
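Review bot: The new `AUTO_ACCEPT_*` entries and `LOG_LEVEL` are written as bare YAML scalars under `env`, matching the existing `JWS_SIGN: true` and `VALIDATE_INBOUND_JWS: true` in the same map, so the style is consistent; whether a bare `false` survives as the string Kubernetes requires for an env value depends on the chart quoting it when rendering, which this hunk cannot show — worth confirming against the chart, or writing `"false"` as the hardened default. A short comment above the block would also help, since these flags decide whether quotes, parties and participant updates are accepted without an operator decision: `# all auto-accept paths off by default; the backend must confirm explicitly`.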
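Review bot: The nested conditional treats every value of `core_connector_selected` other than `"ttk"` and `"cc"` as "custom", so a typo such as `TTK` or `ttk ` silently points `BACKEND_ENDPOINT` at `${custom_core_connector_endpoint}` (which pm4ml-vars.yaml on this page defaults to the core-connector address) with no error at plan or render time. Make the third branch explicit, `%{ if core_connector_selected == "custom" ~}`, and add a comment on the fall-through, e.g. `# any other value is a configuration error`, or validate the value where `app_var_map` is built. The enclosing `env` map starts outside the hunk.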
@@ -108,6 +108,7 @@ module "pm4ml" { mojaloop_connnector_fqdns = local.mojaloop_connnector_fqdns ttk_backend_fqdns = local.pm4ml_ttk_backend_fqdns ttk_frontend_fqdns = local.pm4ml_ttk_frontend_fqdns + pta_portal_fqdns = local.pm4ml_pta_portal_fqdns test_fqdns = local.test_fqdns vault_root_ca_name = "pki-${var.cluster_name}" app_var_map = local.pm4ml_var_map @@ -329,6 +330,7 @@ locals { test_fqdns = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => "test-${pm4ml.pm4ml}.${var.public_subdomain}" } pm4ml_ttk_frontend_fqdns = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => "ttkfront-${pm4ml.pm4ml}.${var.public_subdomain}" } pm4ml_ttk_backend_fqdns = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => "ttkback-${pm4ml.pm4ml}.${var.public_subdomain}" } + pm4ml_pta_portal_fqdns = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => "pta-portal-${pm4ml.pm4ml}.${var.public_subdomain}" } pm4ml_internal_wildcard_admin_portal_hosts = [for pm4ml in local.pm4ml_var_map : local.admin_portal_fqdns[pm4ml.pm4ml] if local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "internal"] pm4ml_external_wildcard_admin_portal_hosts = [for pm4ml in local.pm4ml_var_map : local.admin_portal_fqdns[pm4ml.pm4ml] if local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "external"] 
@@ -337,7 +339,7 @@ locals { pm4ml_internal_wildcard_exp_hosts = [for pm4ml in local.pm4ml_var_map : local.experience_api_fqdns[pm4ml.pm4ml] if local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "internal"] pm4ml_external_wildcard_exp_hosts = [for pm4ml in local.pm4ml_var_map : local.experience_api_fqdns[pm4ml.pm4ml] if local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "external"] - pm4ml_internal_gateway_hosts = concat(local.pm4ml_internal_wildcard_admin_portal_hosts, local.pm4ml_internal_wildcard_portal_hosts, local.pm4ml_internal_wildcard_exp_hosts, values(local.pm4ml_ttk_frontend_fqdns), values(local.pm4ml_ttk_backend_fqdns), values(local.test_fqdns)) + pm4ml_internal_gateway_hosts = concat(local.pm4ml_internal_wildcard_admin_portal_hosts, local.pm4ml_internal_wildcard_portal_hosts, local.pm4ml_internal_wildcard_exp_hosts, values(local.pm4ml_ttk_frontend_fqdns), values(local.pm4ml_ttk_backend_fqdns), values(local.test_fqdns), values(local.pm4ml_pta_portal_fqdns)) pm4ml_external_gateway_hosts = concat(local.pm4ml_external_wildcard_admin_portal_hosts, local.pm4ml_external_wildcard_portal_hosts, local.pm4ml_external_wildcard_exp_hosts) keycloak_realm_env_secret_map = merge( diff --git a/terraform/gitops/pm4ml/pm4ml.tf b/terraform/gitops/pm4ml/pm4ml.tf index 8701c3787..bd642a7da 100644 --- a/terraform/gitops/pm4ml/pm4ml.tf +++ b/terraform/gitops/pm4ml/pm4ml.tf @@ -67,9 +67,11 @@ module "generate_pm4ml_files" { kafka_host = "kafka" kafka_port = "9092" ttk_enabled = each.value.pm4ml_ttk_enabled - use_ttk_as_backend_simulator = each.value.use_ttk_as_backend_simulator + core_connector_selected = each.value.core_connector_selected + custom_core_connector_endpoint = each.value.custom_core_connector_endpoint ttk_backend_fqdn = var.ttk_backend_fqdns[each.key] ttk_frontend_fqdn = var.ttk_frontend_fqdns[each.key] + pta_portal_fqdn = var.pta_portal_fqdns[each.key] test_fqdn = var.test_fqdns[each.key] ory_namespace = var.ory_namespace ory_stack_enabled = var.ory_stack_enabled 
@@ -136,7 +138,9 @@ variable "ttk_backend_fqdns" { variable "ttk_frontend_fqdns" { description = "fqdns for pm4ml ttk front" } - +variable "pta_portal_fqdns" { + description = "fqdns for pm4ml payment token adapter portal" +} variable "pm4ml_vault_k8s_role_name" { description = "vault k8s role name for pm4ml" type = string @@ -208,12 +212,6 @@ variable "pm4ml_external_switch_client_secret" { default = "pm4ml-external-switch-client-secret" } -variable "use_ttk_as_backend_simulator" { - type = bool - description = "use_ttk_as_backend_simulator" - default = false -} - variable "enable_sdk_bulk_transaction_support" { type = bool description = "enable_sdk_bulk_transaction_support" diff --git a/terraform/k8s/default-config/pm4ml-vars.yaml b/terraform/k8s/default-config/pm4ml-vars.yaml index 6101e6753..718676be1 100644 --- a/terraform/k8s/default-config/pm4ml-vars.yaml +++ b/terraform/k8s/default-config/pm4ml-vars.yaml @@ -1,6 +1,6 @@ pm4ml: pm4mltest pm4ml_enabled: true -pm4ml_chart_version: 9.0.11 +pm4ml_chart_version: 9.1.4 pm4ml_external_mcm_public_fqdn: mcm.dev.labsk8s601.mojaloop.live pm4ml_ingress_internal_lb: false pm4ml_external_switch_client_id: dfsp-jwt @@ -11,7 +11,10 @@ pm4ml_external_switch_fqdn: extapi.dev.labsk8s601.mojaloop.live pm4ml_dfsp_id: pm4mltest pm4ml_ttk_enabled: true enable_sdk_bulk_transaction_support: false -use_ttk_as_backend_simulator: true +## core_connector_selected can be one of the following values: "ttk", "cc", "custom" +core_connector_selected: ttk +## custom_core_connector_endpoint is only required if core_connector_selected is set to "custom" +custom_core_connector_endpoint: 'pm4mltest-mojaloop-core-connector:3003' pm4ml_reserve_notification: false core_connector_config: {} payment_token_adapter_config: {} From 231c583d7a53539d74756bf9abb29d5f2dfb8191 Mon Sep 17 00:00:00 2001 
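Review bot: `variable "pta_portal_fqdns"` is declared without a `type`, unlike the neighbouring `pm4ml_vault_k8s_role_name` (`type = string`); it is consumed as `var.pta_portal_fqdns[each.key]` in the module call, so `type = map(string)` documents the contract and fails fast when the wrong shape is passed. The removed blank line also leaves this declaration glued to `variable "ttk_frontend_fqdns"` while the rest of the file separates declarations with one blank line.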
From: David Fry Date: Fri, 5 Apr 2024 16:40:24 +0200 Subject: [PATCH 096/201] https://github.com/argoproj/argo-cd/issues/11074 (#208) --- .../templates/monitoring/monitoring-install.yaml.tpl | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/terraform/gitops/generate-files/templates/monitoring/monitoring-install.yaml.tpl b/terraform/gitops/generate-files/templates/monitoring/monitoring-install.yaml.tpl index 5846b179e..ea4a6ad8b 100644 --- a/terraform/gitops/generate-files/templates/monitoring/monitoring-install.yaml.tpl +++ b/terraform/gitops/generate-files/templates/monitoring/monitoring-install.yaml.tpl @@ -17,6 +17,10 @@ spec: server: https://kubernetes.default.svc project: default ignoreDifferences: + - group: monitoring.coreos.com + kind: ServiceMonitor + jqPathExpressions: + - .spec.endpoints[]?.relabelings[]?.action - group: redhatcop.redhat.io kind: VaultSecret jqPathExpressions: From ab8c816ad9d76d8ef7347590223f9583c34fb081 Mon Sep 17 00:00:00 2001 From: David Fry Date: Mon, 8 Apr 2024 12:20:25 +0200 Subject: [PATCH 097/201] set version tags in default cluster config (#209) --- terraform/k8s/default-config/cluster-config.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/k8s/default-config/cluster-config.yaml b/terraform/k8s/default-config/cluster-config.yaml index 79823e5e1..019fa85d7 100644 --- a/terraform/k8s/default-config/cluster-config.yaml +++ b/terraform/k8s/default-config/cluster-config.yaml @@ -7,8 +7,8 @@ cloud_platform_client_secret_name: AWS_SECRET_ACCESS_KEY k8s_cluster_module: base-k8s cloud_region: eu-west-1 k8s_cluster_type: microk8s -ansible_collection_tag: v5.0.0 -iac_terraform_modules_tag: v5.0.0 +ansible_collection_tag: v5.1.0 +iac_terraform_modules_tag: v5.1.0 letsencrypt_email: test@mojalabs.io dns_zone_force_destroy: true longhorn_backup_object_store_destroy: true From d790e9370eaaf7592260df7636feae9159d0938a Mon Sep 17 00:00:00 2001 
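Review bot: The new `ignoreDifferences` entry applies to every ServiceMonitor in the application, so an intentional change to a relabeling `action` in git will no longer show as OutOfSync for any of them; if the drift comes from the single node-exporter ServiceMonitor (the relabeling added earlier on this page without an explicit `action`), scoping the entry with `name:` to that object, or writing `action: replace` in the chart values instead, keeps drift detection intact for the rest. A comment naming the cause would also help, e.g. `# operator defaults relabelings[].action to "replace"; see argo-cd issue in the commit title`.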
From: Muzammil Date: Tue, 9 Apr 2024 11:50:06 +0500 Subject: [PATCH 098/201] [IPROD-563] Make loki run on monitoring nodes (#210) * add monitoring workload label * add node affinities for different components * added a comment --- .../monitoring/install/values-loki.yaml.tpl | 54 +++++++++++++++++++ .../k8s/default-config/cluster-config.yaml | 1 + 2 files changed, 55 insertions(+) diff --git a/terraform/gitops/generate-files/templates/monitoring/install/values-loki.yaml.tpl b/terraform/gitops/generate-files/templates/monitoring/install/values-loki.yaml.tpl index 81b1140cf..531f0d5bd 100644 --- a/terraform/gitops/generate-files/templates/monitoring/install/values-loki.yaml.tpl +++ b/terraform/gitops/generate-files/templates/monitoring/install/values-loki.yaml.tpl 
@@ -13,12 +13,66 @@ loki: access_key_id: $${MINIO_LOKI_USERNAME} secret_access_key: $${MINIO_LOKI_PASSWORD} bucketnames: ${minio_loki_bucket} + +# NOTE: make sure all components which are running have node affinity enabled for monitoring nodes ingester: persistence: size: ${loki_ingester_pvc_size} storageClass: ${storage_class_name} extraArgs: ["-config.expand-env"] extraEnvVarsSecret: ${minio_credentials_secret_name} + nodeAffinityPreset: + type: hard + key: workload-class.mojaloop.io/MONITORING + values: ["enabled"] +compactor: + nodeAffinityPreset: + type: hard + key: workload-class.mojaloop.io/MONITORING + values: ["enabled"] +distributor: + nodeAffinityPreset: + type: hard + key: workload-class.mojaloop.io/MONITORING + values: ["enabled"] +gateway: + nodeAffinityPreset: + type: hard + key: workload-class.mojaloop.io/MONITORING + values: ["enabled"] +querier: + nodeAffinityPreset: + type: hard + key: workload-class.mojaloop.io/MONITORING + values: ["enabled"] +queryFrontend: + nodeAffinityPreset: + type: hard + key: workload-class.mojaloop.io/MONITORING + values: ["enabled"] + +memcachedchunks: + nodeAffinityPreset: + type: hard + key: workload-class.mojaloop.io/MONITORING + values: ["enabled"] +memcachedfrontend: + nodeAffinityPreset: + type: hard + key: workload-class.mojaloop.io/MONITORING + values: ["enabled"] +memcachedindexqueries: + nodeAffinityPreset: + type: hard + key: workload-class.mojaloop.io/MONITORING + values: ["enabled"] +memcachedindexwrites: + nodeAffinityPreset: + type: hard + key: workload-class.mojaloop.io/MONITORING + values: ["enabled"] + + promtail: # reference: https://github.com/bitnami/charts/blob/5f843aec99a13573f67e59b5e3193916ca01f308/bitnami/grafana-loki/values.yaml#L4440 diff --git a/terraform/k8s/default-config/cluster-config.yaml b/terraform/k8s/default-config/cluster-config.yaml index 019fa85d7..a41fcf63b 100644 --- a/terraform/k8s/default-config/cluster-config.yaml +++ b/terraform/k8s/default-config/cluster-config.yaml 
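Review bot: The `# NOTE:` line asks that every running component carry the monitoring-node affinity, but the hunk only covers ingester, compactor, distributor, gateway, querier, queryFrontend and the four memcached instances; where the chart exposes further optional components (for example `ruler`, `tableManager`, `indexGateway` or `queryScheduler`) and they are enabled, they would still schedule on workload nodes. `promtail` is correctly left out, as it runs as a DaemonSet. A `hard` preset also means Pending pods whenever no node carries `workload-class.mojaloop.io/MONITORING`; the label is added to cluster-config.yaml in the same commit, so a comment recording that dependency here (`# requires nodes labelled workload-class.mojaloop.io/MONITORING=enabled, see cluster-config.yaml`) would save the next operator a search.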
@@ -31,6 +31,7 @@ nodes: workload-class.mojaloop.io/KAFKA-DATA-PLANE: "enabled" workload-class.mojaloop.io/RDBMS-CENTRAL-LEDGER-LIVE: "enabled" workload-class.mojaloop.io/RDBMS-ALS-LIVE: "enabled" + workload-class.mojaloop.io/MONITORING: "enabled" vpc_cidr: "10.106.0.0/23" enable_k6s_test_harness: false k6s_docker_server_instance_type: "m5.large" From 18891bf938f92dbaf2f0451cf53011e83ee252f8 Mon Sep 17 00:00:00 2001 From: Muzammil Date: Tue, 9 Apr 2024 18:58:24 +0500 Subject: [PATCH 099/201] IPROD-563: Run Prometheus, Grafana and Tempo on monitoring nodes only (#212) * set node affinities for tempo * add node affinities for prometheus and related services * move grafana to monitoring nodes as well * enable updating version tags for prometheus and grafana CRDs --- .../monitoring/install/kustomization.yaml.tpl | 4 +- .../install/values-grafana-operator.yaml.tpl | 5 +++ .../install/values-prom-operator.yaml.tpl | 23 ++++++++++- .../monitoring/install/values-tempo.yaml.tpl | 41 ++++++++++++++++++- .../post-config/monitoring-crs.yaml.tpl | 8 ++++ .../gitops/k8s-cluster-config/monitoring.tf | 5 ++- terraform/k8s/default-config/common-vars.yaml | 2 + 7 files changed, 83 insertions(+), 5 deletions(-) diff --git a/terraform/gitops/generate-files/templates/monitoring/install/kustomization.yaml.tpl b/terraform/gitops/generate-files/templates/monitoring/install/kustomization.yaml.tpl index bc97d4d1e..6ad60ec07 100644 --- a/terraform/gitops/generate-files/templates/monitoring/install/kustomization.yaml.tpl +++ b/terraform/gitops/generate-files/templates/monitoring/install/kustomization.yaml.tpl 
@@ -1,7 +1,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - https://raw.githubusercontent.com/grafana/grafana-operator/v5.6.0/deploy/kustomize/base/crds.yaml + - https://raw.githubusercontent.com/grafana/grafana-operator/${grafana_crd_version_tag}/deploy/kustomize/base/crds.yaml - vault-secret.yaml - istio-gateway.yaml - process-exporter-service-monitor.yaml @@ -9,7 +9,7 @@ resources: helmCharts: - name: prometheus-operator-crds releaseName: prometheus-operator-crds - version: 8.0.1 + version: ${prometheus_crd_version} repo: https://prometheus-community.github.io/helm-charts/ - name: kube-prometheus releaseName: ${prometheus_operator_release_name} diff --git a/terraform/gitops/generate-files/templates/monitoring/install/values-grafana-operator.yaml.tpl b/terraform/gitops/generate-files/templates/monitoring/install/values-grafana-operator.yaml.tpl index 6650ddbd3..043ea2bf8 100644 --- a/terraform/gitops/generate-files/templates/monitoring/install/values-grafana-operator.yaml.tpl +++ b/terraform/gitops/generate-files/templates/monitoring/install/values-grafana-operator.yaml.tpl @@ -1,2 +1,7 @@ grafana: enabled: false +operator: + nodeAffinityPreset: + type: hard + key: workload-class.mojaloop.io/MONITORING + values: ["enabled"] \ No newline at end of file diff --git a/terraform/gitops/generate-files/templates/monitoring/install/values-prom-operator.yaml.tpl b/terraform/gitops/generate-files/templates/monitoring/install/values-prom-operator.yaml.tpl index b859c707f..e6a484c63 100644 --- a/terraform/gitops/generate-files/templates/monitoring/install/values-prom-operator.yaml.tpl +++ b/terraform/gitops/generate-files/templates/monitoring/install/values-prom-operator.yaml.tpl 
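Review bot: `version: ${prometheus_crd_version}` is interpolated as a plain scalar, so the value is re-parsed by YAML after rendering; `8.0.1` survives as a string, but a two-component value such as `8.10` supplied through common-vars would be read as the float `8.1`. Quote it, `version: "${prometheus_crd_version}"`, and likewise keep the version in common-vars.yaml quoted so the string reaches kustomize unchanged. The `${grafana_crd_version_tag}` interpolation is safe as it sits inside a longer URL.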
@@ -7,12 +7,25 @@ alertmanager: enabled: true storageClass: ${storage_class_name} size: 10Gi + nodeAffinityPreset: + type: hard + key: workload-class.mojaloop.io/MONITORING + values: ["enabled"] prometheus: persistence: enabled: true storageClass: ${storage_class_name} size: ${prometheus_pvc_size} retention: ${prometheus_retention_period} + nodeAffinityPreset: + type: hard + key: workload-class.mojaloop.io/MONITORING + values: ["enabled"] +operator: + nodeAffinityPreset: + type: hard + key: workload-class.mojaloop.io/MONITORING + values: ["enabled"] kubelet: serviceMonitor: relabelings: @@ -23,14 +36,22 @@ kubelet: targetLabel: kubernetes_io_hostname replacement: $${1} action: replace + commonLabels: build: argocd commonAnnotations: build: argocd + node-exporter: serviceMonitor: relabelings: - sourceLabels: [__meta_kubernetes_pod_node_name] targetLabel: nodename tolerations: - - operator: "Exists" \ No newline at end of file + - operator: "Exists" +blackboxExporter: + enabled: false + nodeAffinityPreset: + type: hard + key: workload-class.mojaloop.io/MONITORING + values: ["enabled"] \ No newline at end of file diff --git a/terraform/gitops/generate-files/templates/monitoring/install/values-tempo.yaml.tpl b/terraform/gitops/generate-files/templates/monitoring/install/values-tempo.yaml.tpl index 13a794a46..108667750 100644 --- a/terraform/gitops/generate-files/templates/monitoring/install/values-tempo.yaml.tpl +++ b/terraform/gitops/generate-files/templates/monitoring/install/values-tempo.yaml.tpl 
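Review bot: alertmanager, prometheus, operator and the disabled blackboxExporter receive the monitoring-node preset, but the chart's `kube-state-metrics` component (a Deployment, unlike the DaemonSet `node-exporter`) is not touched in this hunk and would still land on workload nodes if it is enabled, which runs against the commit's stated intent. Setting `nodeAffinityPreset` under `blackboxExporter` while `enabled: false` is harmless but reads as dead configuration; a comment such as `# preset kept so enabling the exporter later keeps it on monitoring nodes` would make the intent explicit.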
@@ -1 +1,40 @@ -#none \ No newline at end of file +compactor: + nodeAffinityPreset: + type: hard + key: workload-class.mojaloop.io/MONITORING + values: ["enabled"] +distributor: + nodeAffinityPreset: + type: hard + key: workload-class.mojaloop.io/MONITORING + values: ["enabled"] +ingester: + nodeAffinityPreset: + type: hard + key: workload-class.mojaloop.io/MONITORING + values: ["enabled"] +metricsGenerator: + nodeAffinityPreset: + type: hard + key: workload-class.mojaloop.io/MONITORING + values: ["enabled"] +querier: + nodeAffinityPreset: + type: hard + key: workload-class.mojaloop.io/MONITORING + values: ["enabled"] +queryFrontend: + nodeAffinityPreset: + type: hard + key: workload-class.mojaloop.io/MONITORING + values: ["enabled"] +vulture: + nodeAffinityPreset: + type: hard + key: workload-class.mojaloop.io/MONITORING + values: ["enabled"] +memcached: + nodeAffinityPreset: + type: hard + key: workload-class.mojaloop.io/MONITORING + values: ["enabled"] diff --git a/terraform/gitops/generate-files/templates/monitoring/post-config/monitoring-crs.yaml.tpl b/terraform/gitops/generate-files/templates/monitoring/post-config/monitoring-crs.yaml.tpl index ae8ea04d9..2a6450fc4 100644 --- a/terraform/gitops/generate-files/templates/monitoring/post-config/monitoring-crs.yaml.tpl +++ b/terraform/gitops/generate-files/templates/monitoring/post-config/monitoring-crs.yaml.tpl @@ -23,6 +23,14 @@ spec: secretKeyRef: key: ${admin_secret_pw_key} name: ${admin_secret} + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: 'workload-class.mojaloop.io/MONITORING' + operator: In + values: ['enabled'] config: unified_alerting: enabled: "false" diff --git a/terraform/gitops/k8s-cluster-config/monitoring.tf b/terraform/gitops/k8s-cluster-config/monitoring.tf index a882ad71a..189f6b548 100644 --- a/terraform/gitops/k8s-cluster-config/monitoring.tf +++ b/terraform/gitops/k8s-cluster-config/monitoring.tf 
@@ -1,7 +1,8 @@ module "generate_monitoring_files" { source = "../generate-files" var_map = { - grafana_chart_repo = var.grafana_chart_repo + grafana_crd_version_tag = try(var.common_var_map.grafana_crd_version_tag, local.grafana_crd_version_tag) + prometheus_crd_version = try(var.common_var_map.prometheus_crd_version, local.prometheus_crd_version) loki_chart_version = try(var.common_var_map.loki_chart_version, local.loki_chart_version) prometheus_operator_version = try(var.common_var_map.prometheus_operator_version, local.prometheus_operator_version) prometheus_operator_release_name = local.prometheus_operator_release_name @@ -99,6 +100,8 @@ variable "monitoring_namespace" { } locals { + grafana_crd_version_tag = "v5.6.0" + prometheus_crd_version = "8.0.1" grafana_wildcard_gateway = var.grafana_ingress_internal_lb ? "internal" : "external" loki_release_name = "loki" prometheus_operator_release_name = "prom" diff --git a/terraform/k8s/default-config/common-vars.yaml b/terraform/k8s/default-config/common-vars.yaml index 715b769be..0920e05bc 100644 --- a/terraform/k8s/default-config/common-vars.yaml +++ b/terraform/k8s/default-config/common-vars.yaml @@ -18,6 +18,8 @@ mcm_enabled: true mojaloop_enabled: true pm4ml_enabled: false vnext_enabled: false +grafana_crd_version_tag: v5.6.0 +prometheus_crd_version: 8.0.1 prometheus_operator_version: 8.22.8 prometheus_process_exporter_version: 0.4.2 grafana_operator_version: 3.5.11 From e7a34bf824ac467ee3c697dc40eadf8532cbd364 Mon Sep 17 00:00:00 2001 From: Sijo George <87609749+sijo5722-2021@users.noreply.github.com> Date: Wed, 10 Apr 2024 19:03:59 +0530 Subject: [PATCH 100/201] Polling freq and backup job freq (#213) --- .../generate-files/templates/storage/chart/values.yaml.tpl | 1 + .../templates/storage/custom-resources/longhorn-job.yaml.tpl | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) 
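Review bot: The first hunk drops `grafana_chart_repo = var.grafana_chart_repo` from `var_map`, while this commit's diffstat for monitoring.tf (4 insertions, 1 deletion) shows the `variable "grafana_chart_repo"` declaration was not removed; if any monitoring template still references `grafana_chart_repo` the render now fails on an unknown variable, and if none does the input is dead and should go in the same change. A comment on the two new keys would also help future upgrades: `# CRD versions are pinned separately from the operator chart versions; bump them together`. In the common-vars.yaml hunk at the end of this line, `prometheus_crd_version: 8.0.1` parses as a string only because it has two dots — a value like `8.10` would become the float 8.1 — so quoting it (`"8.0.1"`) is the defensive form.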
diff --git a/terraform/gitops/generate-files/templates/storage/chart/values.yaml.tpl b/terraform/gitops/generate-files/templates/storage/chart/values.yaml.tpl index 9787d134d..774cc9325 100644 --- a/terraform/gitops/generate-files/templates/storage/chart/values.yaml.tpl +++ b/terraform/gitops/generate-files/templates/storage/chart/values.yaml.tpl @@ -17,6 +17,7 @@ longhorn: replicaAutoBalance: disabled autoDeletePodWhenVolumeDetachedUnexpectedly: true replicaReplenishmentWaitInterval: 360 + backupstorePollInterval: 0 taintToleration: ~ enablePSP: false diff --git a/terraform/gitops/generate-files/templates/storage/custom-resources/longhorn-job.yaml.tpl b/terraform/gitops/generate-files/templates/storage/custom-resources/longhorn-job.yaml.tpl index 3e402c45b..d6d39256d 100644 --- a/terraform/gitops/generate-files/templates/storage/custom-resources/longhorn-job.yaml.tpl +++ b/terraform/gitops/generate-files/templates/storage/custom-resources/longhorn-job.yaml.tpl @@ -5,7 +5,7 @@ metadata: annotations: argocd.argoproj.io/sync-wave: "${longhorn_job_sync_wave}" spec: - cron: "0 * * * *" + cron: "0 */12 * * *" task: "backup" groups: - default From 6a59a229018fc48c001ea7ce3fc64ce4a10abd01 Mon Sep 17 00:00:00 2001 From: David Fry Date: Thu, 11 Apr 2024 11:21:06 +0100 Subject: [PATCH 101/201] set min and max block duration to 30m --- .../monitoring/install/values-prom-operator.yaml.tpl | 9 ++++++++- terraform/gitops/k8s-cluster-config/monitoring.tf | 4 ++++ 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/terraform/gitops/generate-files/templates/monitoring/install/values-prom-operator.yaml.tpl b/terraform/gitops/generate-files/templates/monitoring/install/values-prom-operator.yaml.tpl index e6a484c63..0ce8a3294 100644 --- a/terraform/gitops/generate-files/templates/monitoring/install/values-prom-operator.yaml.tpl +++ b/terraform/gitops/generate-files/templates/monitoring/install/values-prom-operator.yaml.tpl 
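Review bot: `backupstorePollInterval: 0` disables Longhorn's periodic scan of the backup target rather than merely lowering its frequency, so backups written by another cluster or present on a re-attached target are not listed until the setting is changed; if that is intended, say so next to it: `# 0 disables backupstore polling; backups from other clusters will not be discovered`. In the RecurringJob hunk, moving the cron from hourly to `0 */12 * * *` widens the worst-case data-loss window for every volume in the `default` group from about one hour to twelve; record that decision on the resource, e.g. `# RPO ~12h for the default group`, so it is revisited consciously rather than inherited.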
@@ -20,7 +20,14 @@ prometheus: nodeAffinityPreset: type: hard key: workload-class.mojaloop.io/MONITORING - values: ["enabled"] + values: ["enabled"] + # setting these to prevent oom issue https://github.com/prometheus/prometheus/issues/6934#issuecomment-1099293120 + disableCompaction: false #this is the default anyway + additionalArgs: + - name: storage.tsdb.min-block-duration + value: ${prom_tsdb_min_block_duration} + - name: storage.tsdb.max-block-duration + value: ${prom_tsdb_max_block_duration} operator: nodeAffinityPreset: type: hard diff --git a/terraform/gitops/k8s-cluster-config/monitoring.tf b/terraform/gitops/k8s-cluster-config/monitoring.tf index 189f6b548..f7b958e1d 100644 --- a/terraform/gitops/k8s-cluster-config/monitoring.tf +++ b/terraform/gitops/k8s-cluster-config/monitoring.tf @@ -46,6 +46,8 @@ module "generate_monitoring_files" { minio_loki_user_key = "${var.cluster_name}/minio_loki_username" minio_loki_password_key = "${var.cluster_name}/minio_loki_password" external_secret_sync_wave = var.external_secret_sync_wave + prom_tsdb_max_block_duration = try(var.common_var_map.loki_ingester_pvc_size, local.prom_tsdb_max_block_duration) + prom_tsdb_min_block_duration = try(var.common_var_map.loki_ingester_pvc_size, local.prom_tsdb_min_block_duration) } file_list = [for f in fileset(local.monitoring_template_path, "**/*.tpl") : trimsuffix(f, ".tpl") if !can(regex(local.monitoring_app_file, f))] template_path = local.monitoring_template_path @@ -117,4 +119,6 @@ locals { prometheus_pvc_size = "50Gi" loki_ingester_retention_period = "72h" prometheus_retention_period = "10d" + prom_tsdb_min_block_duration = "30m" + prom_tsdb_max_block_duration = "30m" } From fecff9b40fb089da03b3cb96a2f671edf71d2e3b Mon Sep 17 00:00:00 2001 From: David Fry Date: Thu, 11 Apr 2024 20:19:58 +0100 Subject: [PATCH 102/201] fix typo --- terraform/gitops/k8s-cluster-config/monitoring.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
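Review bot: The two templated `value: ${prom_tsdb_min_block_duration}` / `value: ${prom_tsdb_max_block_duration}` scalars under `additionalArgs` are unquoted; `30m` happens to parse as a string, but any bare-number override supplied through `common_var_map` would render as a YAML integer and be rejected where a container argument string is expected. Quote them as `value: "${prom_tsdb_min_block_duration}"` and `value: "${prom_tsdb_max_block_duration}"`. The inline comment `disableCompaction: false #this is the default anyway` should use yamllint spacing, `disableCompaction: false  # this is the default anyway`, and since the min/max defaults are equal by design it is worth saying in the preceding comment that the two durations must match for the linked workaround to apply. The enclosing `prometheus:` mapping starts before and ends after this hunk.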
diff --git a/terraform/gitops/k8s-cluster-config/monitoring.tf b/terraform/gitops/k8s-cluster-config/monitoring.tf index f7b958e1d..b60747562 100644 --- a/terraform/gitops/k8s-cluster-config/monitoring.tf +++ b/terraform/gitops/k8s-cluster-config/monitoring.tf @@ -46,8 +46,8 @@ module "generate_monitoring_files" { minio_loki_user_key = "${var.cluster_name}/minio_loki_username" minio_loki_password_key = "${var.cluster_name}/minio_loki_password" external_secret_sync_wave = var.external_secret_sync_wave - prom_tsdb_max_block_duration = try(var.common_var_map.loki_ingester_pvc_size, local.prom_tsdb_max_block_duration) - prom_tsdb_min_block_duration = try(var.common_var_map.loki_ingester_pvc_size, local.prom_tsdb_min_block_duration) + prom_tsdb_max_block_duration = try(var.common_var_map.prom_tsdb_max_block_duration, local.prom_tsdb_max_block_duration) + prom_tsdb_min_block_duration = try(var.common_var_map.prom_tsdb_min_block_duration, local.prom_tsdb_min_block_duration) } file_list = [for f in fileset(local.monitoring_template_path, "**/*.tpl") : trimsuffix(f, ".tpl") if !can(regex(local.monitoring_app_file, f))] template_path = local.monitoring_template_path From 4bbc2a00b3d6fa6637dd9d902090accad14a533b Mon Sep 17 00:00:00 2001 From: David Fry Date: Mon, 15 Apr 2024 23:05:52 +0200 Subject: [PATCH 103/201] clean up and making aws objects' name unique (#211) --- terraform/aws/base-k8s/infra.tf | 13 ++--- terraform/aws/base-k8s/variables.tf | 6 -- terraform/aws/eks/infra.tf | 13 ++--- terraform/aws/eks/variables.tf | 10 +--- terraform/aws/post-config-k8s/ext-dns.tf | 8 +-- .../aws/post-config-k8s/longhorn_backups.tf | 55 ------------------- terraform/aws/post-config-k8s/variables.tf | 14 ++--- 7 files changed, 22 insertions(+), 97 deletions(-) delete mode 100644 terraform/aws/post-config-k8s/longhorn_backups.tf diff --git a/terraform/aws/base-k8s/infra.tf b/terraform/aws/base-k8s/infra.tf index b08414725..ff375eb95 100644 --- a/terraform/aws/base-k8s/infra.tf 
+++ b/terraform/aws/base-k8s/infra.tf @@ -21,13 +21,12 @@ module "base_infra" { } module "post_config" { - source = "../post-config-k8s" - name = var.cluster_name - domain = var.domain - tags = var.tags - private_zone_id = module.base_infra.private_zone.id - public_zone_id = module.base_infra.public_zone.id - longhorn_backup_s3_destroy = var.longhorn_backup_object_store_destroy + source = "../post-config-k8s" + name = var.cluster_name + domain = var.domain + tags = var.tags + private_zone_id = module.base_infra.private_zone.id + public_zone_id = module.base_infra.public_zone.id } module "k6s_test_harness" { diff --git a/terraform/aws/base-k8s/variables.tf b/terraform/aws/base-k8s/variables.tf index ae278bc2c..723a8bb69 100644 --- a/terraform/aws/base-k8s/variables.tf +++ b/terraform/aws/base-k8s/variables.tf @@ -78,12 +78,6 @@ variable "dns_zone_force_destroy" { default = false } -variable "longhorn_backup_object_store_destroy" { - description = "destroy object store backup on destroy of env" - type = bool - default = false -} - variable "os_user_name" { default = "ubuntu" type = string diff --git a/terraform/aws/eks/infra.tf b/terraform/aws/eks/infra.tf index 76989e3ca..d5a98371d 100644 --- a/terraform/aws/eks/infra.tf +++ b/terraform/aws/eks/infra.tf @@ -21,13 +21,12 @@ module "base_infra" { } module "post_config" { - source = "../post-config-k8s" - name = var.cluster_name - domain = var.domain - tags = var.tags - private_zone_id = module.base_infra.private_zone.id - public_zone_id = module.base_infra.public_zone.id - longhorn_backup_s3_destroy = var.longhorn_backup_object_store_destroy + source = "../post-config-k8s" + name = var.cluster_name + domain = var.domain + tags = var.tags + private_zone_id = module.base_infra.private_zone.id + public_zone_id = module.base_infra.public_zone.id } module "k6s_test_harness" { diff --git a/terraform/aws/eks/variables.tf b/terraform/aws/eks/variables.tf index 4f03b74d5..83dd8cd8a 100644 --- a/terraform/aws/eks/variables.tf 
+++ b/terraform/aws/eks/variables.tf @@ -111,12 +111,6 @@ variable "dns_zone_force_destroy" { default = false } -variable "longhorn_backup_object_store_destroy" { - description = "destroy object store backup on destroy of env" - type = bool - default = false -} - variable "os_user_name" { default = "ubuntu" type = string @@ -195,8 +189,8 @@ variable "master_node_supports_traffic" { } variable "dns_provider" { - type = string - default = "aws" + type = string + default = "aws" description = "which dns provider to use, defaults to cloud provider" } diff --git a/terraform/aws/post-config-k8s/ext-dns.tf b/terraform/aws/post-config-k8s/ext-dns.tf index 672b9e876..b39643676 100644 --- a/terraform/aws/post-config-k8s/ext-dns.tf +++ b/terraform/aws/post-config-k8s/ext-dns.tf @@ -1,14 +1,14 @@ # IAM user with permissions to be able to update route53 records, for use with external-dns resource "aws_iam_user" "route53-external-dns" { - name = "${var.name}-external-dns" - tags = merge({ Name = "${var.name}-route53-external-dns" }, var.tags) + name = "${local.base_domain}-external-dns" + tags = merge({ Name = "${local.base_domain}-route53-external-dns" }, var.tags) } resource "aws_iam_access_key" "route53-external-dns" { user = aws_iam_user.route53-external-dns.name } # IAM Policy to allow external-dns user to update the given zone and cert-manager to create validation records resource "aws_iam_user_policy" "route53-external-dns" { - name = "${var.name}-external-dns" + name = "${local.base_domain}-external-dns" user = aws_iam_user.route53-external-dns.name policy = < Date: Tue, 16 Apr 2024 13:54:57 +0500 Subject: [PATCH 104/201] Enabled s3 read for loki-querier (#218) * Enabled s3 read for loki-querier * give minio credentials to compactor as well --- .../monitoring/install/values-loki.yaml.tpl | 14 ++++++++++++++ 1 file changed, 14 insertions(+) 
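Review bot: Switching the IAM user and policy names in ext-dns.tf to `${local.base_domain}-external-dns` ties an IAM resource name to a DNS name; IAM user and inline policy names are capped at 64 characters, so a long base domain will fail to apply, and nothing visible in the hunk bounds the length. If `local.base_domain` is defined in a part of the commit not shown here, a `validation` block on the source variable, or a `substr(...)` when composing `name`, would make the constraint explicit. The `policy = <<EOF` heredoc and the rest of the hunk are cut off by the extraction, so the policy document itself could not be reviewed.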
diff --git a/terraform/gitops/generate-files/templates/monitoring/install/values-loki.yaml.tpl b/terraform/gitops/generate-files/templates/monitoring/install/values-loki.yaml.tpl index 531f0d5bd..808fd9d8c 100644 --- a/terraform/gitops/generate-files/templates/monitoring/install/values-loki.yaml.tpl +++ b/terraform/gitops/generate-files/templates/monitoring/install/values-loki.yaml.tpl @@ -3,6 +3,15 @@ loki: # TODO: remove retention_period because it should be controlled by object store (minio) policies limits_config: retention_period: ${loki_ingester_retention_period} + schema_config: + configs: + - from: 2020-10-24 + store: boltdb-shipper + object_store: s3 + schema: v11 + index: + prefix: index_ + period: 24h storage_config: boltdb_shipper: shared_store: s3 @@ -26,6 +35,9 @@ ingester: key: workload-class.mojaloop.io/MONITORING values: ["enabled"] compactor: + # https://grafana.com/docs/loki/latest/operations/storage/boltdb-shipper/#compactor + extraArgs: ["-config.expand-env"] + extraEnvVarsSecret: minio-credentials-secret nodeAffinityPreset: type: hard key: workload-class.mojaloop.io/MONITORING @@ -41,6 +53,8 @@ gateway: key: workload-class.mojaloop.io/MONITORING values: ["enabled"] querier: + extraArgs: ["-config.expand-env"] + extraEnvVarsSecret: minio-credentials-secret nodeAffinityPreset: type: hard key: workload-class.mojaloop.io/MONITORING From d716b907b12a600994c6e0c862ce5fc62dbfed2f Mon Sep 17 00:00:00 2001 
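Review bot: The `querier:` stanza gets `extraEnvVarsSecret: minio-credentials-secret` with no explanation, while the `compactor:` stanza at least links the boltdb-shipper docs; a short comment such as `# object-store credentials are read from the environment via -config.expand-env for S3 index/chunk reads` would tell the next reader why a query-path component now carries write-capable storage credentials. Both stanzas rely on `-config.expand-env`, which only matters if the `storage_config` block (outside this hunk) references `${...}` environment variables — worth confirming against the rendered config. In the new `schema_config`, `from: 2020-10-24` is a plain scalar that YAML 1.1 parsers type as a timestamp; quoting it, `from: "2020-10-24"`, is the defensive form.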
From: David Fry Date: Tue, 16 Apr 2024 10:55:55 +0200 Subject: [PATCH 105/201] addon module support (#216) * ffirst draft * cleanup of optional tg module support add addons boilerplate * cleanup inputs * refactor stateful svcs * rename common st resources * fix vars for module calls * fix missing ref * fix app name and check length > 0 * fix typo --- .../bootstrap/.gitlab/ci/Dockerfile | 2 +- .../ci-templates/k8s-cluster/.gitlab-ci.yml | 7 +- .../k8s-cluster/.gitlab/ci/Dockerfile | 2 +- .../.gitlab/scripts/config-merge.sh | 2 +- .../templates/mojaloop/kustomization.yaml.tpl | 2 + .../mojaloop/values-mojaloop-addons.yaml.tpl | 1 + .../common-stateful-resources-config.tf | 35 + .../gitops/k8s-cluster-config/keycloak.tf | 22 +- terraform/gitops/k8s-cluster-config/ory.tf | 28 +- .../gitops/k8s-cluster-config/outputs.tf | 12 + .../k8s-cluster-config/stored-params.tf | 13 - terraform/gitops/mojaloop/mcm.tf | 14 +- terraform/gitops/mojaloop/mojaloop.tf | 147 +- terraform/gitops/mojaloop/outputs.tf | 12 + terraform/gitops/mojaloop/providers.tf | 9 +- .../mojaloop/stateful-resources-config.tf | 129 +- terraform/gitops/pm4ml/providers.tf | 10 - .../gitops/stateful-resources/outputs.tf | 7 + .../stateful-resources-config.tf | 56 +- .../app/stateful-resources-app.yaml.tpl | 33 + .../external-name-services.yaml.tpl | 11 + .../stateful-resources/managed-crs.yaml.tpl | 26 + .../stateful-resources/namespace.yaml.tpl | 7 + .../stateful-resources-kustomization.yaml.tpl | 21 + .../stateful-resources/values-kafka.yaml.tpl | 1015 ++++++++++ .../values-mongodb.yaml.tpl | 83 + .../stateful-resources/values-mysql.yaml.tpl | 1122 +++++++++++ .../stateful-resources/values-pgsql.yaml.tpl | 1426 ++++++++++++++ .../stateful-resources/values-redis.yaml.tpl | 1667 +++++++++++++++++ .../stateful-resources/vault-crs.yaml.tpl | 85 + terraform/gitops/vnext/mcm.tf | 14 +- terraform/gitops/vnext/providers.tf | 9 +- .../gitops/vnext/stateful-resources-config.tf | 125 +- terraform/gitops/vnext/vnext.tf 
| 24 +- .../k8s/addons-gitops-build/terragrunt.hcl | 86 + terraform/k8s/default-config/addons-vars.yaml | 4 + .../k8s/default-config/cluster-config.yaml | 2 + terraform/k8s/k8s-store-config/terragrunt.hcl | 1 + .../deploy-managed-svcs/outputs.tf | 36 - 39 files changed, 5896 insertions(+), 411 deletions(-) create mode 100644 terraform/gitops/generate-files/templates/mojaloop/values-mojaloop-addons.yaml.tpl create mode 100644 terraform/gitops/k8s-cluster-config/common-stateful-resources-config.tf create mode 100644 terraform/gitops/mojaloop/outputs.tf delete mode 100644 terraform/gitops/pm4ml/providers.tf create mode 100644 terraform/gitops/stateful-resources/outputs.tf rename terraform/gitops/{k8s-cluster-config => stateful-resources}/stateful-resources-config.tf (78%) create mode 100644 terraform/gitops/stateful-resources/templates/stateful-resources/app/stateful-resources-app.yaml.tpl create mode 100644 terraform/gitops/stateful-resources/templates/stateful-resources/external-name-services.yaml.tpl create mode 100644 terraform/gitops/stateful-resources/templates/stateful-resources/managed-crs.yaml.tpl create mode 100644 terraform/gitops/stateful-resources/templates/stateful-resources/namespace.yaml.tpl create mode 100644 terraform/gitops/stateful-resources/templates/stateful-resources/stateful-resources-kustomization.yaml.tpl create mode 100644 terraform/gitops/stateful-resources/templates/stateful-resources/values-kafka.yaml.tpl create mode 100644 terraform/gitops/stateful-resources/templates/stateful-resources/values-mongodb.yaml.tpl create mode 100644 terraform/gitops/stateful-resources/templates/stateful-resources/values-mysql.yaml.tpl create mode 100644 terraform/gitops/stateful-resources/templates/stateful-resources/values-pgsql.yaml.tpl create mode 100644 terraform/gitops/stateful-resources/templates/stateful-resources/values-redis.yaml.tpl create mode 100644 terraform/gitops/stateful-resources/templates/stateful-resources/vault-crs.yaml.tpl create mode 
100644 terraform/k8s/addons-gitops-build/terragrunt.hcl create mode 100644 terraform/k8s/default-config/addons-vars.yaml delete mode 100644 terraform/none/support-svcs/deploy-managed-svcs/outputs.tf diff --git a/terraform/gitlab/ci-templates/bootstrap/.gitlab/ci/Dockerfile b/terraform/gitlab/ci-templates/bootstrap/.gitlab/ci/Dockerfile index 968a97d73..3e4a5cf94 100644 --- a/terraform/gitlab/ci-templates/bootstrap/.gitlab/ci/Dockerfile +++ b/terraform/gitlab/ci-templates/bootstrap/.gitlab/ci/Dockerfile @@ -1,4 +1,4 @@ -FROM ghcr.io/mojaloop/control-center-util:0.9.3 +FROM ghcr.io/mojaloop/control-center-util:5.0.1 ARG GITLAB_TF_REPO_VERSION=1.0.0 RUN curl -sL https://gitlab.com/gitlab-org/terraform-images/-/raw/v${GITLAB_TF_REPO_VERSION}/src/bin/gitlab-terraform.sh -o /usr/bin/gitlab-terraform \ && chmod +x /usr/bin/gitlab-terraform \ No newline at end of file diff --git a/terraform/gitlab/ci-templates/k8s-cluster/.gitlab-ci.yml b/terraform/gitlab/ci-templates/k8s-cluster/.gitlab-ci.yml index fc2b3d7d8..c40a03920 100644 --- a/terraform/gitlab/ci-templates/k8s-cluster/.gitlab-ci.yml +++ b/terraform/gitlab/ci-templates/k8s-cluster/.gitlab-ci.yml @@ -56,7 +56,7 @@ cache: - source $(which gitlab-terraform) - .gitlab/scripts/config-merge.sh - yq eval '.' $CONFIG_PATH/cluster-config.yaml -o=json > cluster-config.json - - for var in $(jq -r 'to_entries[] | "\(.key)=\(.value)\n"' ./cluster-config.json); do export $var; done + - for var in $(jq -r 'to_entries[] | "\(.key)=\(.value)\n"' ./cluster-config.json); do export $var; done - export VAULT_TOKEN="$(vault write -field=token auth/${VAULT_AUTH_PATH}/login role=$VAULT_AUTH_ROLE jwt=$VAULT_ID_TOKEN)" - export ENV_VAULT_TOKEN="$(vault kv get -field=value ${KV_SECRET_PATH}/${CI_PROJECT_NAME}/env_token)" - export NETMAKER_OPS_TOKEN="$(vault kv get -field=value ${KV_SECRET_PATH}/${CI_PROJECT_NAME}/netmaker_ops_token)" 
@@ -70,6 +70,9 @@ cache: - if [ "$PRIVATE_REPO_USER" == "nullvalue" ]; then git config --global credential.helper 'store --file ~/.gitcredentials.store'; fi - git config --global advice.detachedHead false - source set-ansible-destroy-preq-vars.sh + - export TERRAGRUNT_EXCLUDE_DIR="/dev/null" + - if [ "$managed_svc_enabled" == "false" ]; then export TERRAGRUNT_EXCLUDE_DIR="${TERRAGRUNT_EXCLUDE_DIR},${TF_ROOT}/managed-services,${TF_ROOT}/ansible-managed-svcs-deploy"; fi + - if [ "$addons_module_enabled" == "false" ]; then export TERRAGRUNT_EXCLUDE_DIR="${TERRAGRUNT_EXCLUDE_DIR},$TF_ROOT/addons-gitops-build"; fi - set prepare:image: @@ -123,7 +126,7 @@ init: - terragrunt run-all init -input=false -reconfigure artifacts: paths: - - $CONFIG_PATH/*.yaml + - $CONFIG_PATH/*.yaml - $CONFIG_PATH/*.yml - $CONFIG_PATH/*.json diff --git a/terraform/gitlab/ci-templates/k8s-cluster/.gitlab/ci/Dockerfile b/terraform/gitlab/ci-templates/k8s-cluster/.gitlab/ci/Dockerfile index 5baf0efb4..3e4a5cf94 100644 --- a/terraform/gitlab/ci-templates/k8s-cluster/.gitlab/ci/Dockerfile +++ b/terraform/gitlab/ci-templates/k8s-cluster/.gitlab/ci/Dockerfile @@ -1,4 +1,4 @@ -FROM ghcr.io/mojaloop/control-center-util:0.9.4 +FROM ghcr.io/mojaloop/control-center-util:5.0.1 ARG GITLAB_TF_REPO_VERSION=1.0.0 RUN curl -sL https://gitlab.com/gitlab-org/terraform-images/-/raw/v${GITLAB_TF_REPO_VERSION}/src/bin/gitlab-terraform.sh -o /usr/bin/gitlab-terraform \ && chmod +x /usr/bin/gitlab-terraform \ No newline at end of file diff --git a/terraform/gitlab/ci-templates/k8s-cluster/.gitlab/scripts/config-merge.sh b/terraform/gitlab/ci-templates/k8s-cluster/.gitlab/scripts/config-merge.sh index 4c66d2cea..ca7117f2b 100755 --- a/terraform/gitlab/ci-templates/k8s-cluster/.gitlab/scripts/config-merge.sh +++ b/terraform/gitlab/ci-templates/k8s-cluster/.gitlab/scripts/config-merge.sh 
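Review bot: The new guards `if [ "$managed_svc_enabled" == "false" ]` and `if [ "$addons_module_enabled" == "false" ]` only exclude a module when the flag is explicitly the string `false`; if the key is absent from cluster-config.json the variable is empty, the test is false, and the module directory is included by default, which is the permissive outcome for a flag that gates extra infrastructure. Make the default explicit, e.g. `if [ "${addons_module_enabled:-false}" == "false" ]; then ...`, unless cluster-config.yaml (changed in this commit, not visible here) is guaranteed to set both keys. The second line also mixes `$TF_ROOT/addons-gitops-build` with the `${TF_ROOT}/...` form used on the line above; pick one.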
@@ -1,5 +1,5 @@ mkdir -p $CONFIG_PATH -for configFile in {'aws-vars.yaml','cluster-config.yaml','common-vars.yaml','mojaloop-rbac-permissions.yaml','mojaloop-vars.yaml','pm4ml-vars.yaml','bare-metal-vars.yaml','pm4ml-rbac-permissions.yaml','mojaloop-stateful-resources.json','common-stateful-resources.json','mojaloop-rbac-api-resources.yaml','vnext-vars.yaml','vnext-stateful-resources.json'}; +for configFile in {'aws-vars.yaml','cluster-config.yaml','common-vars.yaml','mojaloop-rbac-permissions.yaml','mojaloop-vars.yaml','pm4ml-vars.yaml','bare-metal-vars.yaml','pm4ml-rbac-permissions.yaml','mojaloop-stateful-resources.json','common-stateful-resources.json','mojaloop-rbac-api-resources.yaml','vnext-vars.yaml','vnext-stateful-resources.json','addons-vars.yaml'}; do echo $configFile python3 .gitlab/scripts/dictmerge.py default-config/$configFile custom-config/$configFile $CONFIG_PATH; diff --git a/terraform/gitops/generate-files/templates/mojaloop/kustomization.yaml.tpl b/terraform/gitops/generate-files/templates/mojaloop/kustomization.yaml.tpl index 59dea85b6..1f073aa27 100644 --- a/terraform/gitops/generate-files/templates/mojaloop/kustomization.yaml.tpl +++ b/terraform/gitops/generate-files/templates/mojaloop/kustomization.yaml.tpl @@ -15,6 +15,8 @@ helmCharts: repo: ${mojaloop_chart_repo} valuesFile: values-mojaloop.yaml namespace: ${mojaloop_namespace} + additionalValuesFiles: + - values-mojaloop-addons.yaml - name: finance-portal releaseName: ${finance_portal_release_name} version: ${finance_portal_chart_version} diff --git a/terraform/gitops/generate-files/templates/mojaloop/values-mojaloop-addons.yaml.tpl b/terraform/gitops/generate-files/templates/mojaloop/values-mojaloop-addons.yaml.tpl new file mode 100644 index 000000000..42d51bf36 --- /dev/null +++ b/terraform/gitops/generate-files/templates/mojaloop/values-mojaloop-addons.yaml.tpl @@ -0,0 +1 @@ +#placeholder file for addons \ No newline at end of file 
diff --git a/terraform/gitops/k8s-cluster-config/common-stateful-resources-config.tf b/terraform/gitops/k8s-cluster-config/common-stateful-resources-config.tf
new file mode 100644
index 000000000..0e8c58b47
--- /dev/null
+++ b/terraform/gitops/k8s-cluster-config/common-stateful-resources-config.tf
@@ -0,0 +1,35 @@
+module "common_stateful_resources" {
+ source = "../stateful-resources"
+ stateful_resources_name = "common"
+ cluster_name = var.cluster_name
+ output_dir = var.output_dir
+ gitlab_project_url = var.gitlab_project_url
+ gitlab_server_url = var.gitlab_server_url
+ current_gitlab_project_id = var.current_gitlab_project_id
+ stateful_resources_config_file = var.stateful_resources_config_file
+ stateful_resources_namespace = var.stateful_resources_namespace
+ create_stateful_resources_ns = true
+ kv_path = var.kv_path
+ external_stateful_resource_instance_addresses = length(data.gitlab_project_variable.external_stateful_resource_instance_address) > 0 ? data.gitlab_project_variable.external_stateful_resource_instance_address.*.value : []
+}
+
+variable "stateful_resources_config_file" {
+ type = string
+}
+variable "stateful_resources_namespace" {
+ type = string
+ default = "stateful-resources"
+}
+
+
+data "gitlab_project_variable" "external_stateful_resource_instance_address" {
+ for_each = local.managed_stateful_resources
+ project = var.current_gitlab_project_id
+ key = each.value.external_resource_config.instance_address_key_name
+}
+
+locals {
+ stateful_resources = jsondecode(file(var.stateful_resources_config_file))
+ enabled_stateful_resources = { for stateful_resource in local.stateful_resources : stateful_resource.resource_name => stateful_resource if stateful_resource.enabled }
+ managed_stateful_resources = { for managed_resource in local.enabled_stateful_resources : managed_resource.resource_name => managed_resource if managed_resource.external_service }
+}
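Review bot: `external_stateful_resource_instance_addresses` applies the attribute splat `.*.value` to `data.gitlab_project_variable.external_stateful_resource_instance_address`, but that data source is declared with `for_each` and so evaluates to a map of instances, not a list; Terraform's splat operators are defined for lists, sets and tuples, and on a map this is likely to fail at plan time or wrap the whole map as a single element. The conventional form is `values(data.gitlab_project_variable.external_stateful_resource_instance_address)[*].value`, which is already an empty list when no managed resources exist, so the `length(...) > 0 ? ... : []` guard becomes unnecessary. The same data source was removed from stored-params.tf in this commit; how the previous consumer indexed it is not visible here, so confirm with a plan against a config that has at least one `external_service` resource.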
diff --git a/terraform/gitops/k8s-cluster-config/keycloak.tf b/terraform/gitops/k8s-cluster-config/keycloak.tf index 3795e151d..9eb38ee92 100644 --- a/terraform/gitops/k8s-cluster-config/keycloak.tf +++ b/terraform/gitops/k8s-cluster-config/keycloak.tf 
@@ -5,11 +5,11 @@ module "generate_keycloak_files" { keycloak_operator_version = var.common_var_map.keycloak_operator_version keycloak_namespace = var.keycloak_namespace gitlab_project_url = var.gitlab_project_url - keycloak_postgres_database = local.stateful_resources[local.keycloak_postgres_resource_index].logical_service_config.database_name - keycloak_postgres_user = local.stateful_resources[local.keycloak_postgres_resource_index].logical_service_config.username - keycloak_postgres_host = "${local.stateful_resources[local.keycloak_postgres_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local" - keycloak_postgres_password_secret = local.stateful_resources[local.keycloak_postgres_resource_index].logical_service_config.user_password_secret - keycloak_postgres_port = local.stateful_resources[local.keycloak_postgres_resource_index].logical_service_config.logical_service_port + keycloak_postgres_database = module.common_stateful_resources.stateful_resources[local.keycloak_postgres_resource_index].logical_service_config.database_name + keycloak_postgres_user = module.common_stateful_resources.stateful_resources[local.keycloak_postgres_resource_index].logical_service_config.username + keycloak_postgres_host = "${module.common_stateful_resources.stateful_resources[local.keycloak_postgres_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local" + keycloak_postgres_password_secret = module.common_stateful_resources.stateful_resources[local.keycloak_postgres_resource_index].logical_service_config.user_password_secret + keycloak_postgres_port = module.common_stateful_resources.stateful_resources[local.keycloak_postgres_resource_index].logical_service_config.logical_service_port keycloak_postgres_password_secret_key = "password" keycloak_fqdn = local.keycloak_fqdn keycloak_admin_fqdn = local.keycloak_admin_fqdn 
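Review bot: Each of the five `keycloak_postgres_*` arguments repeats the full `module.common_stateful_resources.stateful_resources[local.keycloak_postgres_resource_index]` path, which pushes the lines well past readable width and means a future change to the lookup has to be applied five times. Add `keycloak_db = module.common_stateful_resources.stateful_resources[local.keycloak_postgres_resource_index]` to the existing `locals` block that defines `keycloak_postgres_resource_index` and reference it as `keycloak_postgres_database = local.keycloak_db.logical_service_config.database_name` and so on. The same pattern recurs for `keto_postgres_*` and `kratos_postgres_*` in the ory.tf hunk and for `db_*` in the mcm.tf hunk, where `mcm_db` / `keto_db` / `kratos_db` locals would do the same job. The `module "generate_keycloak_files"` block starts before and ends after this hunk.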
@@ -30,7 +30,7 @@ module "generate_keycloak_files" { ref_secrets_path = local.keycloak_secrets_path ory_stack_enabled = var.ory_stack_enabled } -file_list = [for f in fileset(local.keycloak_template_path, "**/*.tpl") : trimsuffix(f, ".tpl") if !can(regex(local.keycloak_app_file, f))] + file_list = [for f in fileset(local.keycloak_template_path, "**/*.tpl") : trimsuffix(f, ".tpl") if !can(regex(local.keycloak_app_file, f))] template_path = local.keycloak_template_path output_path = "${var.output_dir}/keycloak" app_file = local.keycloak_app_file @@ -38,8 +38,8 @@ file_list = [for f in fileset(local.keycloak_template_path, "**/*.tpl") : } locals { - keycloak_template_path = "${path.module}/../generate-files/templates/keycloak" - keycloak_app_file = "keycloak-app.yaml" + keycloak_template_path = "${path.module}/../generate-files/templates/keycloak" + keycloak_app_file = "keycloak-app.yaml" } variable "keycloak_ingress_internal_lb" { @@ -49,8 +49,8 @@ variable "keycloak_ingress_internal_lb" { } variable "keycloak_name" { - default = "switch-keycloak" - type = string + default = "switch-keycloak" + type = string description = "name of keycloak instance" } @@ -79,7 +79,7 @@ variable "keycloak_dfsp_realm_name" { } locals { - keycloak_postgres_resource_index = index(local.stateful_resources.*.resource_name, "keycloak-db") + keycloak_postgres_resource_index = index(module.common_stateful_resources.stateful_resources.*.resource_name, "keycloak-db") keycloak_wildcard_gateway = var.keycloak_ingress_internal_lb ? "internal" : "external" keycloak_fqdn = "keycloak.${var.public_subdomain}" keycloak_admin_fqdn = "admin-keycloak.${var.public_subdomain}" diff --git a/terraform/gitops/k8s-cluster-config/ory.tf b/terraform/gitops/k8s-cluster-config/ory.tf index f4f59541a..125d496b2 100644 --- a/terraform/gitops/k8s-cluster-config/ory.tf +++ b/terraform/gitops/k8s-cluster-config/ory.tf 
@@ -12,19 +12,19 @@ module "generate_ory_files" { auth_fqdn = local.auth_fqdn public_subdomain = var.public_subdomain bof_managed_portal_fqdns = local.bof_managed_portal_fqdns - keto_postgres_database = local.stateful_resources[local.keto_postgres_resource_index].logical_service_config.database_name - keto_postgres_user = local.stateful_resources[local.keto_postgres_resource_index].logical_service_config.username - keto_postgres_host = "${local.stateful_resources[local.keto_postgres_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local" - keto_postgres_password_secret = local.stateful_resources[local.keto_postgres_resource_index].logical_service_config.user_password_secret - keto_postgres_port = local.stateful_resources[local.keto_postgres_resource_index].logical_service_config.logical_service_port - keto_postgres_secret_path = "${local.stateful_resources[local.keto_postgres_resource_index].local_resource_config.generate_secret_vault_base_path}/${local.stateful_resources[local.keto_postgres_resource_index].resource_name}/${local.stateful_resources[local.keto_postgres_resource_index].local_resource_config.generate_secret_name}-password" + keto_postgres_database = module.common_stateful_resources.stateful_resources[local.keto_postgres_resource_index].logical_service_config.database_name + keto_postgres_user = module.common_stateful_resources.stateful_resources[local.keto_postgres_resource_index].logical_service_config.username + keto_postgres_host = "${module.common_stateful_resources.stateful_resources[local.keto_postgres_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local" + keto_postgres_password_secret = module.common_stateful_resources.stateful_resources[local.keto_postgres_resource_index].logical_service_config.user_password_secret + keto_postgres_port = 
module.common_stateful_resources.stateful_resources[local.keto_postgres_resource_index].logical_service_config.logical_service_port + keto_postgres_secret_path = "${module.common_stateful_resources.stateful_resources[local.keto_postgres_resource_index].local_resource_config.generate_secret_vault_base_path}/${module.common_stateful_resources.stateful_resources[local.keto_postgres_resource_index].resource_name}/${module.common_stateful_resources.stateful_resources[local.keto_postgres_resource_index].local_resource_config.generate_secret_name}-password" keto_postgres_password_secret_key = "password" - kratos_postgres_database = local.stateful_resources[local.kratos_postgres_resource_index].logical_service_config.database_name - kratos_postgres_user = local.stateful_resources[local.kratos_postgres_resource_index].logical_service_config.username - kratos_postgres_host = "${local.stateful_resources[local.kratos_postgres_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local" - kratos_postgres_password_secret = local.stateful_resources[local.kratos_postgres_resource_index].logical_service_config.user_password_secret - kratos_postgres_port = local.stateful_resources[local.kratos_postgres_resource_index].logical_service_config.logical_service_port - kratos_postgres_secret_path = "${local.stateful_resources[local.kratos_postgres_resource_index].local_resource_config.generate_secret_vault_base_path}/${local.stateful_resources[local.kratos_postgres_resource_index].resource_name}/${local.stateful_resources[local.kratos_postgres_resource_index].local_resource_config.generate_secret_name}-password" + kratos_postgres_database = module.common_stateful_resources.stateful_resources[local.kratos_postgres_resource_index].logical_service_config.database_name + kratos_postgres_user = module.common_stateful_resources.stateful_resources[local.kratos_postgres_resource_index].logical_service_config.username + kratos_postgres_host = 
"${module.common_stateful_resources.stateful_resources[local.kratos_postgres_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local" + kratos_postgres_password_secret = module.common_stateful_resources.stateful_resources[local.kratos_postgres_resource_index].logical_service_config.user_password_secret + kratos_postgres_port = module.common_stateful_resources.stateful_resources[local.kratos_postgres_resource_index].logical_service_config.logical_service_port + kratos_postgres_secret_path = "${module.common_stateful_resources.stateful_resources[local.kratos_postgres_resource_index].local_resource_config.generate_secret_vault_base_path}/${module.common_stateful_resources.stateful_resources[local.kratos_postgres_resource_index].resource_name}/${module.common_stateful_resources.stateful_resources[local.kratos_postgres_resource_index].local_resource_config.generate_secret_name}-password" kratos_postgres_password_secret_key = "password" hubop_oidc_client_secret_secret_name = join("$", ["", "{${replace(var.hubop_oidc_client_secret_secret, "-", "_")}}"]) hubop_oidc_client_secret_secret = var.hubop_oidc_client_secret_secret @@ -118,8 +118,8 @@ variable "rbac_permissions_file" { locals { ory_template_path = "${path.module}/../generate-files/templates/ory" ory_app_file = "ory-app.yaml" - kratos_postgres_resource_index = index(local.stateful_resources.*.resource_name, "kratos-db") - keto_postgres_resource_index = index(local.stateful_resources.*.resource_name, "keto-db") + kratos_postgres_resource_index = index(module.common_stateful_resources.stateful_resources.*.resource_name, "kratos-db") + keto_postgres_resource_index = index(module.common_stateful_resources.stateful_resources.*.resource_name, "keto-db") oathkeeper_auth_url = "oathkeeper-api.${var.ory_namespace}.svc.cluster.local" oathkeeper_auth_provider_name = "ory-authz" bof_release_name = "bof" 
diff --git a/terraform/gitops/k8s-cluster-config/outputs.tf b/terraform/gitops/k8s-cluster-config/outputs.tf index e69de29bb..e5edafdd9 100644 --- a/terraform/gitops/k8s-cluster-config/outputs.tf +++ b/terraform/gitops/k8s-cluster-config/outputs.tf @@ -0,0 +1,12 @@ +output "mojaloop_output_path" { + value = var.common_var_map.mojaloop_enabled ? module.mojaloop[0].mojaloop_output_path : "" +} +output "mojaloop_sync_wave" { + value = var.common_var_map.mojaloop_enabled ? module.mojaloop[0].mojaloop_sync_wave : 0 +} +output "mojaloop_kafka_host" { + value = var.common_var_map.mojaloop_enabled ? module.mojaloop[0].mojaloop_kafka_host : "" +} +output "mojaloop_kafka_port" { + value = var.common_var_map.mojaloop_enabled ? module.mojaloop[0].mojaloop_kafka_port : "" +} diff --git a/terraform/gitops/k8s-cluster-config/stored-params.tf b/terraform/gitops/k8s-cluster-config/stored-params.tf index 83a94a3fe..0823695a0 100644 --- a/terraform/gitops/k8s-cluster-config/stored-params.tf +++ b/terraform/gitops/k8s-cluster-config/stored-params.tf @@ -44,14 +44,6 @@ data "vault_generic_secret" "grafana_oauth_client_secret" { path = "${var.kv_path}/${var.cluster_name}/${var.grafana_oidc_client_secret_secret_key}" } -# need to grab managed external service endpoints and passwords - -data "gitlab_project_variable" "external_stateful_resource_instance_address" { - for_each = local.managed_stateful_resources - project = var.current_gitlab_project_id - key = each.value.external_resource_config.instance_address_key_name -} - data "gitlab_project_variable" "minio_loki_bucket" { project = var.current_gitlab_project_id key = "minio_loki_bucket" 
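Review bot: In the new outputs.tf, `mojaloop_kafka_port` falls back to `""` while `mojaloop_sync_wave` falls back to `0`; if `module.mojaloop[0].mojaloop_kafka_port` is numeric, the conditional unifies both arms to string, so downstream callers receive a string port when Mojaloop is enabled and an empty string when it is not, which is an easy way to produce an unusable `host:port`. Unless the port is already a string in the module, use a fallback of the same type, or `null`, so consumers can test for absence instead of a sentinel. Whether the four outputs are consumed by the new addons-gitops-build module is not visible in this chunk, so treat the type concern as something to confirm against that caller.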
@@ -61,8 +53,3 @@ data "gitlab_project_variable" "minio_longhorn_bucket" { project = var.current_gitlab_project_id key = "minio_longhorn_bucket" } - -data "vault_generic_secret" "external_stateful_resource_password" { - for_each = local.managed_stateful_resources - path = "${var.kv_path}/${var.cluster_name}/${each.value.external_resource_config.password_key_name}" -} \ No newline at end of file diff --git a/terraform/gitops/mojaloop/mcm.tf b/terraform/gitops/mojaloop/mcm.tf index a548a84c9..8e43f53fa 100644 --- a/terraform/gitops/mojaloop/mcm.tf +++ b/terraform/gitops/mojaloop/mcm.tf 
@@ -2,12 +2,12 @@ module "generate_mcm_files" { source = "../generate-files" var_map = { mcm_enabled = var.mcm_enabled - db_password_secret = local.stateful_resources[local.mcm_resource_index].logical_service_config.user_password_secret - db_password_secret_key = local.stateful_resources[local.mcm_resource_index].logical_service_config.user_password_secret_key - db_user = local.stateful_resources[local.mcm_resource_index].logical_service_config.username - db_schema = local.stateful_resources[local.mcm_resource_index].logical_service_config.database_name - db_port = local.stateful_resources[local.mcm_resource_index].logical_service_config.logical_service_port - db_host = "${local.stateful_resources[local.mcm_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local" + db_password_secret = module.mojaloop_stateful_resources.stateful_resources[local.mcm_resource_index].logical_service_config.user_password_secret + db_password_secret_key = module.mojaloop_stateful_resources.stateful_resources[local.mcm_resource_index].logical_service_config.user_password_secret_key + db_user = module.mojaloop_stateful_resources.stateful_resources[local.mcm_resource_index].logical_service_config.username + db_schema = module.mojaloop_stateful_resources.stateful_resources[local.mcm_resource_index].logical_service_config.database_name + db_port = module.mojaloop_stateful_resources.stateful_resources[local.mcm_resource_index].logical_service_config.logical_service_port + db_host = "${module.mojaloop_stateful_resources.stateful_resources[local.mcm_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local" mcm_public_fqdn = var.mcm_public_fqdn env_name = var.cluster_name env_cn = var.public_subdomain 
@@ -214,7 +214,7 @@ variable "mcm_public_fqdn" { locals { mcm_template_path = "${path.module}/../generate-files/templates/mcm" mcm_app_file = "mcm-app.yaml" - mcm_resource_index = index(local.stateful_resources.*.resource_name, "mcm-db") + mcm_resource_index = index(module.mojaloop_stateful_resources.stateful_resources.*.resource_name, "mcm-db") mcm_wildcard_gateway = var.mcm_ingress_internal_lb ? "internal" : "external" dfsp_client_cert_bundle = "${local.onboarding_secret_path}_pm4mls" dfsp_internal_whitelist_secret = "${local.whitelist_secret_path}_pm4mls" diff --git a/terraform/gitops/mojaloop/mojaloop.tf b/terraform/gitops/mojaloop/mojaloop.tf index 397454b86..e33c2d6e3 100644 --- a/terraform/gitops/mojaloop/mojaloop.tf +++ b/terraform/gitops/mojaloop/mojaloop.tf 
@@ -43,57 +43,57 @@ module "generate_mojaloop_files" { keycloak_realm_name = var.keycloak_hubop_realm_name ttk_frontend_public_fqdn = var.ttk_frontend_public_fqdn ttk_backend_public_fqdn = var.ttk_backend_public_fqdn - kafka_host = "${local.stateful_resources[local.mojaloop_kafka_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local" - kafka_port = local.stateful_resources[local.mojaloop_kafka_resource_index].logical_service_config.logical_service_port - account_lookup_db_existing_secret = local.stateful_resources[local.ml_als_resource_index].logical_service_config.user_password_secret - account_lookup_db_user = local.stateful_resources[local.ml_als_resource_index].logical_service_config.username - account_lookup_db_host = "${local.stateful_resources[local.ml_als_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local" - account_lookup_db_port = local.stateful_resources[local.ml_als_resource_index].logical_service_config.logical_service_port - account_lookup_db_database = local.stateful_resources[local.ml_als_resource_index].logical_service_config.database_name - central_ledger_db_existing_secret = local.stateful_resources[local.ml_cl_resource_index].logical_service_config.user_password_secret - central_ledger_db_user = local.stateful_resources[local.ml_cl_resource_index].logical_service_config.username - central_ledger_db_host = "${local.stateful_resources[local.ml_cl_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local" - central_ledger_db_port = local.stateful_resources[local.ml_cl_resource_index].logical_service_config.logical_service_port - central_ledger_db_database = local.stateful_resources[local.ml_cl_resource_index].logical_service_config.database_name - central_settlement_db_existing_secret = 
local.stateful_resources[local.ml_cl_resource_index].logical_service_config.user_password_secret - central_settlement_db_user = local.stateful_resources[local.ml_cl_resource_index].logical_service_config.username - central_settlement_db_host = "${local.stateful_resources[local.ml_cl_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local" - central_settlement_db_port = local.stateful_resources[local.ml_cl_resource_index].logical_service_config.logical_service_port - central_settlement_db_database = local.stateful_resources[local.ml_cl_resource_index].logical_service_config.database_name - quoting_db_existing_secret = local.stateful_resources[local.ml_cl_resource_index].logical_service_config.user_password_secret - quoting_db_user = local.stateful_resources[local.ml_cl_resource_index].logical_service_config.username - quoting_db_host = "${local.stateful_resources[local.ml_cl_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local" - quoting_db_port = local.stateful_resources[local.ml_cl_resource_index].logical_service_config.logical_service_port - quoting_db_database = local.stateful_resources[local.ml_cl_resource_index].logical_service_config.database_name - cep_mongodb_database = local.stateful_resources[local.cep_mongodb_resource_index].logical_service_config.database_name - cep_mongodb_user = local.stateful_resources[local.cep_mongodb_resource_index].logical_service_config.username - cep_mongodb_host = "${local.stateful_resources[local.cep_mongodb_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local" - cep_mongodb_existing_secret = local.stateful_resources[local.cep_mongodb_resource_index].logical_service_config.user_password_secret - cep_mongodb_port = local.stateful_resources[local.cep_mongodb_resource_index].logical_service_config.logical_service_port - cl_mongodb_database = 
local.stateful_resources[local.bulk_mongodb_resource_index].logical_service_config.database_name - cl_mongodb_user = local.stateful_resources[local.bulk_mongodb_resource_index].logical_service_config.username - cl_mongodb_host = "${local.stateful_resources[local.bulk_mongodb_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local" - cl_mongodb_existing_secret = local.stateful_resources[local.bulk_mongodb_resource_index].logical_service_config.user_password_secret - cl_mongodb_port = local.stateful_resources[local.bulk_mongodb_resource_index].logical_service_config.logical_service_port - ttk_mongodb_database = local.stateful_resources[local.ttk_mongodb_resource_index].logical_service_config.database_name - ttk_mongodb_user = local.stateful_resources[local.ttk_mongodb_resource_index].logical_service_config.username - ttk_mongodb_host = "${local.stateful_resources[local.ttk_mongodb_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local" - ttk_mongodb_existing_secret = local.stateful_resources[local.ttk_mongodb_resource_index].logical_service_config.user_password_secret - ttk_mongodb_port = local.stateful_resources[local.ttk_mongodb_resource_index].logical_service_config.logical_service_port - third_party_consent_db_existing_secret = local.stateful_resources[local.third_party_consent_oracle_db_resource_index].logical_service_config.user_password_secret - third_party_consent_db_user = local.stateful_resources[local.third_party_consent_oracle_db_resource_index].logical_service_config.username - third_party_consent_db_host = "${local.stateful_resources[local.third_party_consent_oracle_db_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local" - third_party_consent_db_port = local.stateful_resources[local.third_party_consent_oracle_db_resource_index].logical_service_config.logical_service_port - 
third_party_consent_db_database = local.stateful_resources[local.third_party_consent_oracle_db_resource_index].logical_service_config.database_name - third_party_auth_db_existing_secret = local.stateful_resources[local.third_party_auth_db_resource_index].logical_service_config.user_password_secret - third_party_auth_db_user = local.stateful_resources[local.third_party_auth_db_resource_index].logical_service_config.username - third_party_auth_db_host = "${local.stateful_resources[local.third_party_auth_db_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local" - third_party_auth_db_port = local.stateful_resources[local.third_party_auth_db_resource_index].logical_service_config.logical_service_port - third_party_auth_db_database = local.stateful_resources[local.third_party_auth_db_resource_index].logical_service_config.database_name - third_party_auth_redis_host = "${local.stateful_resources[local.third_party_redis_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local" - third_party_auth_redis_port = local.stateful_resources[local.third_party_redis_resource_index].logical_service_config.logical_service_port - ttksims_redis_host = "${local.stateful_resources[local.ttk_redis_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local" - ttksims_redis_port = local.stateful_resources[local.ttk_redis_resource_index].logical_service_config.logical_service_port + kafka_host = "${module.mojaloop_stateful_resources.stateful_resources[local.mojaloop_kafka_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local" + kafka_port = module.mojaloop_stateful_resources.stateful_resources[local.mojaloop_kafka_resource_index].logical_service_config.logical_service_port + account_lookup_db_existing_secret = 
module.mojaloop_stateful_resources.stateful_resources[local.ml_als_resource_index].logical_service_config.user_password_secret + account_lookup_db_user = module.mojaloop_stateful_resources.stateful_resources[local.ml_als_resource_index].logical_service_config.username + account_lookup_db_host = "${module.mojaloop_stateful_resources.stateful_resources[local.ml_als_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local" + account_lookup_db_port = module.mojaloop_stateful_resources.stateful_resources[local.ml_als_resource_index].logical_service_config.logical_service_port + account_lookup_db_database = module.mojaloop_stateful_resources.stateful_resources[local.ml_als_resource_index].logical_service_config.database_name + central_ledger_db_existing_secret = module.mojaloop_stateful_resources.stateful_resources[local.ml_cl_resource_index].logical_service_config.user_password_secret + central_ledger_db_user = module.mojaloop_stateful_resources.stateful_resources[local.ml_cl_resource_index].logical_service_config.username + central_ledger_db_host = "${module.mojaloop_stateful_resources.stateful_resources[local.ml_cl_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local" + central_ledger_db_port = module.mojaloop_stateful_resources.stateful_resources[local.ml_cl_resource_index].logical_service_config.logical_service_port + central_ledger_db_database = module.mojaloop_stateful_resources.stateful_resources[local.ml_cl_resource_index].logical_service_config.database_name + central_settlement_db_existing_secret = module.mojaloop_stateful_resources.stateful_resources[local.ml_cl_resource_index].logical_service_config.user_password_secret + central_settlement_db_user = module.mojaloop_stateful_resources.stateful_resources[local.ml_cl_resource_index].logical_service_config.username + central_settlement_db_host = 
"${module.mojaloop_stateful_resources.stateful_resources[local.ml_cl_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local" + central_settlement_db_port = module.mojaloop_stateful_resources.stateful_resources[local.ml_cl_resource_index].logical_service_config.logical_service_port + central_settlement_db_database = module.mojaloop_stateful_resources.stateful_resources[local.ml_cl_resource_index].logical_service_config.database_name + quoting_db_existing_secret = module.mojaloop_stateful_resources.stateful_resources[local.ml_cl_resource_index].logical_service_config.user_password_secret + quoting_db_user = module.mojaloop_stateful_resources.stateful_resources[local.ml_cl_resource_index].logical_service_config.username + quoting_db_host = "${module.mojaloop_stateful_resources.stateful_resources[local.ml_cl_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local" + quoting_db_port = module.mojaloop_stateful_resources.stateful_resources[local.ml_cl_resource_index].logical_service_config.logical_service_port + quoting_db_database = module.mojaloop_stateful_resources.stateful_resources[local.ml_cl_resource_index].logical_service_config.database_name + cep_mongodb_database = module.mojaloop_stateful_resources.stateful_resources[local.cep_mongodb_resource_index].logical_service_config.database_name + cep_mongodb_user = module.mojaloop_stateful_resources.stateful_resources[local.cep_mongodb_resource_index].logical_service_config.username + cep_mongodb_host = "${module.mojaloop_stateful_resources.stateful_resources[local.cep_mongodb_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local" + cep_mongodb_existing_secret = module.mojaloop_stateful_resources.stateful_resources[local.cep_mongodb_resource_index].logical_service_config.user_password_secret + cep_mongodb_port = 
module.mojaloop_stateful_resources.stateful_resources[local.cep_mongodb_resource_index].logical_service_config.logical_service_port + cl_mongodb_database = module.mojaloop_stateful_resources.stateful_resources[local.bulk_mongodb_resource_index].logical_service_config.database_name + cl_mongodb_user = module.mojaloop_stateful_resources.stateful_resources[local.bulk_mongodb_resource_index].logical_service_config.username + cl_mongodb_host = "${module.mojaloop_stateful_resources.stateful_resources[local.bulk_mongodb_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local" + cl_mongodb_existing_secret = module.mojaloop_stateful_resources.stateful_resources[local.bulk_mongodb_resource_index].logical_service_config.user_password_secret + cl_mongodb_port = module.mojaloop_stateful_resources.stateful_resources[local.bulk_mongodb_resource_index].logical_service_config.logical_service_port + ttk_mongodb_database = module.mojaloop_stateful_resources.stateful_resources[local.ttk_mongodb_resource_index].logical_service_config.database_name + ttk_mongodb_user = module.mojaloop_stateful_resources.stateful_resources[local.ttk_mongodb_resource_index].logical_service_config.username + ttk_mongodb_host = "${module.mojaloop_stateful_resources.stateful_resources[local.ttk_mongodb_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local" + ttk_mongodb_existing_secret = module.mojaloop_stateful_resources.stateful_resources[local.ttk_mongodb_resource_index].logical_service_config.user_password_secret + ttk_mongodb_port = module.mojaloop_stateful_resources.stateful_resources[local.ttk_mongodb_resource_index].logical_service_config.logical_service_port + third_party_consent_db_existing_secret = module.mojaloop_stateful_resources.stateful_resources[local.third_party_consent_oracle_db_resource_index].logical_service_config.user_password_secret + third_party_consent_db_user = 
module.mojaloop_stateful_resources.stateful_resources[local.third_party_consent_oracle_db_resource_index].logical_service_config.username + third_party_consent_db_host = "${module.mojaloop_stateful_resources.stateful_resources[local.third_party_consent_oracle_db_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local" + third_party_consent_db_port = module.mojaloop_stateful_resources.stateful_resources[local.third_party_consent_oracle_db_resource_index].logical_service_config.logical_service_port + third_party_consent_db_database = module.mojaloop_stateful_resources.stateful_resources[local.third_party_consent_oracle_db_resource_index].logical_service_config.database_name + third_party_auth_db_existing_secret = module.mojaloop_stateful_resources.stateful_resources[local.third_party_auth_db_resource_index].logical_service_config.user_password_secret + third_party_auth_db_user = module.mojaloop_stateful_resources.stateful_resources[local.third_party_auth_db_resource_index].logical_service_config.username + third_party_auth_db_host = "${module.mojaloop_stateful_resources.stateful_resources[local.third_party_auth_db_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local" + third_party_auth_db_port = module.mojaloop_stateful_resources.stateful_resources[local.third_party_auth_db_resource_index].logical_service_config.logical_service_port + third_party_auth_db_database = module.mojaloop_stateful_resources.stateful_resources[local.third_party_auth_db_resource_index].logical_service_config.database_name + third_party_auth_redis_host = "${module.mojaloop_stateful_resources.stateful_resources[local.third_party_redis_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local" + third_party_auth_redis_port = 
module.mojaloop_stateful_resources.stateful_resources[local.third_party_redis_resource_index].logical_service_config.logical_service_port + ttksims_redis_host = "${module.mojaloop_stateful_resources.stateful_resources[local.ttk_redis_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local" + ttksims_redis_port = module.mojaloop_stateful_resources.stateful_resources[local.ttk_redis_resource_index].logical_service_config.logical_service_port account_lookup_service_replica_count = try(var.app_var_map.account_lookup_service_replica_count, 1) account_lookup_service_admin_replica_count = try(var.app_var_map.account_lookup_service_admin_replica_count, 1) quoting_service_replica_count = try(var.app_var_map.quoting_service_replica_count, 1) 
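Review bot: The new side repeats the prefix `module.mojaloop_stateful_resources.stateful_resources` on every assignment in this hunk, and the same mechanical rewrite is replicated in the `@@ -152` hunk below, in mcm.tf (`@@ -2` and `@@ -214`) and in the ory `@@ -118` hunk above. Since this commit deletes the old `stateful_resources` local from stateful-resources-config.tf in the same module, re-declaring it as `stateful_resources = module.mojaloop_stateful_resources.stateful_resources` in `locals` would have kept every existing `local.stateful_resources[...]` reference valid, reduced the diff to a few lines and left one place to change if the module output is renamed again (the ory and mcm files may need the analogous local against their own module). The `module "generate_mojaloop_files"` block starts before this hunk and continues after it.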
@@ -152,17 +152,17 @@ module "generate_mojaloop_files" { central_admin_host = "${var.mojaloop_release_name}-centralledger-service" central_settlements_host = "${var.mojaloop_release_name}-centralsettlement-service" account_lookup_service_host = "${var.mojaloop_release_name}-account-lookup-service" - reporting_db_secret_name = local.stateful_resources[local.ml_cl_resource_index].logical_service_config.user_password_secret - reporting_db_user = local.stateful_resources[local.ml_cl_resource_index].logical_service_config.username - reporting_db_host = "${local.stateful_resources[local.ml_cl_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local" - reporting_db_port = local.stateful_resources[local.ml_cl_resource_index].logical_service_config.logical_service_port - reporting_db_database = local.stateful_resources[local.ml_cl_resource_index].logical_service_config.database_name + reporting_db_secret_name = module.mojaloop_stateful_resources.stateful_resources[local.ml_cl_resource_index].logical_service_config.user_password_secret + reporting_db_user = module.mojaloop_stateful_resources.stateful_resources[local.ml_cl_resource_index].logical_service_config.username + reporting_db_host = "${module.mojaloop_stateful_resources.stateful_resources[local.ml_cl_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local" + reporting_db_port = module.mojaloop_stateful_resources.stateful_resources[local.ml_cl_resource_index].logical_service_config.logical_service_port + reporting_db_database = module.mojaloop_stateful_resources.stateful_resources[local.ml_cl_resource_index].logical_service_config.database_name reporting_db_secret_key = "mysql-password" - reporting_events_mongodb_database = local.stateful_resources[local.reporting_events_mongodb_resource_index].logical_service_config.database_name - reporting_events_mongodb_user = 
local.stateful_resources[local.reporting_events_mongodb_resource_index].logical_service_config.username - reporting_events_mongodb_host = "${local.stateful_resources[local.reporting_events_mongodb_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local" - reporting_events_mongodb_existing_secret = local.stateful_resources[local.reporting_events_mongodb_resource_index].logical_service_config.user_password_secret - reporting_events_mongodb_port = local.stateful_resources[local.reporting_events_mongodb_resource_index].logical_service_config.logical_service_port + reporting_events_mongodb_database = module.mojaloop_stateful_resources.stateful_resources[local.reporting_events_mongodb_resource_index].logical_service_config.database_name + reporting_events_mongodb_user = module.mojaloop_stateful_resources.stateful_resources[local.reporting_events_mongodb_resource_index].logical_service_config.username + reporting_events_mongodb_host = "${module.mojaloop_stateful_resources.stateful_resources[local.reporting_events_mongodb_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local" + reporting_events_mongodb_existing_secret = module.mojaloop_stateful_resources.stateful_resources[local.reporting_events_mongodb_resource_index].logical_service_config.user_password_secret + reporting_events_mongodb_port = module.mojaloop_stateful_resources.stateful_resources[local.reporting_events_mongodb_resource_index].logical_service_config.logical_service_port keto_read_url = "http://keto-read.${var.ory_namespace}.svc.cluster.local:80" keto_write_url = "http://keto-write.${var.ory_namespace}.svc.cluster.local:80" kratos_service_name = "kratos-public.${var.ory_namespace}.svc.cluster.local" 
@@ -190,7 +190,7 @@ module "generate_mojaloop_files" { } file_list = [for f in fileset(local.mojaloop_template_path, "**/*.tpl") : trimsuffix(f, ".tpl") if !can(regex(local.mojaloop_app_file, f))] template_path = local.mojaloop_template_path - output_path = "${var.output_dir}/mojaloop" + output_path = local.output_path app_file = local.mojaloop_app_file app_output_path = "${var.output_dir}/app-yamls" } 
@@ -199,17 +199,18 @@ module "generate_mojaloop_files" { locals { mojaloop_template_path = "${path.module}/../generate-files/templates/mojaloop" mojaloop_app_file = "mojaloop-app.yaml" - ml_als_resource_index = index(local.stateful_resources.*.resource_name, "account-lookup-db") - ml_cl_resource_index = index(local.stateful_resources.*.resource_name, "central-ledger-db") - bulk_mongodb_resource_index = index(local.stateful_resources.*.resource_name, "bulk-mongodb") - ttk_mongodb_resource_index = index(local.stateful_resources.*.resource_name, "ttk-mongodb") - cep_mongodb_resource_index = index(local.stateful_resources.*.resource_name, "cep-mongodb") - mojaloop_kafka_resource_index = index(local.stateful_resources.*.resource_name, "mojaloop-kafka") - third_party_redis_resource_index = index(local.stateful_resources.*.resource_name, "thirdparty-auth-svc-redis") - third_party_auth_db_resource_index = index(local.stateful_resources.*.resource_name, "thirdparty-auth-svc-db") - third_party_consent_oracle_db_resource_index = index(local.stateful_resources.*.resource_name, "mysql-consent-oracle-db") - ttk_redis_resource_index = index(local.stateful_resources.*.resource_name, "ttk-redis") - reporting_events_mongodb_resource_index = index(local.stateful_resources.*.resource_name, "reporting-events-mongodb") + output_path = "${var.output_dir}/mojaloop" + ml_als_resource_index = index(module.mojaloop_stateful_resources.stateful_resources.*.resource_name, "account-lookup-db") + ml_cl_resource_index = index(module.mojaloop_stateful_resources.stateful_resources.*.resource_name, "central-ledger-db") + bulk_mongodb_resource_index = index(module.mojaloop_stateful_resources.stateful_resources.*.resource_name, "bulk-mongodb") + ttk_mongodb_resource_index = index(module.mojaloop_stateful_resources.stateful_resources.*.resource_name, "ttk-mongodb") + cep_mongodb_resource_index = index(module.mojaloop_stateful_resources.stateful_resources.*.resource_name, "cep-mongodb") + 
mojaloop_kafka_resource_index = index(module.mojaloop_stateful_resources.stateful_resources.*.resource_name, "mojaloop-kafka") + third_party_redis_resource_index = index(module.mojaloop_stateful_resources.stateful_resources.*.resource_name, "thirdparty-auth-svc-redis") + third_party_auth_db_resource_index = index(module.mojaloop_stateful_resources.stateful_resources.*.resource_name, "thirdparty-auth-svc-db") + third_party_consent_oracle_db_resource_index = index(module.mojaloop_stateful_resources.stateful_resources.*.resource_name, "mysql-consent-oracle-db") + ttk_redis_resource_index = index(module.mojaloop_stateful_resources.stateful_resources.*.resource_name, "ttk-redis") + reporting_events_mongodb_resource_index = index(module.mojaloop_stateful_resources.stateful_resources.*.resource_name, "reporting-events-mongodb") mojaloop_wildcard_gateway = var.mojaloop_ingress_internal_lb ? "internal" : "external" apiResources = yamldecode(file(var.rbac_api_resources_file)) jws_key_secret = "switch-jws" diff --git a/terraform/gitops/mojaloop/outputs.tf b/terraform/gitops/mojaloop/outputs.tf new file mode 100644 index 000000000..5cf85c8bb --- /dev/null +++ b/terraform/gitops/mojaloop/outputs.tf @@ -0,0 +1,12 @@ +output "mojaloop_output_path" { + value = local.output_path +} +output "mojaloop_sync_wave" { + value = var.mojaloop_sync_wave +} +output "mojaloop_kafka_host" { + value = "${module.mojaloop_stateful_resources.stateful_resources[local.mojaloop_kafka_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local" +} +output "mojaloop_kafka_port" { + value = module.mojaloop_stateful_resources.stateful_resources[local.mojaloop_kafka_resource_index].logical_service_config.logical_service_port +} diff --git a/terraform/gitops/mojaloop/providers.tf b/terraform/gitops/mojaloop/providers.tf index 963a4388c..0bf3cf34b 100644 --- a/terraform/gitops/mojaloop/providers.tf +++ b/terraform/gitops/mojaloop/providers.tf 
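Review bot: `mojaloop_kafka_host` in the new mojaloop/outputs.tf rebuilds the same `"${...logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local"` string that `kafka_host` in the `generate_mojaloop_files` var_map builds, so the two can silently drift; compute it once as a local (e.g. `mojaloop_kafka_host = "${module.mojaloop_stateful_resources.stateful_resources[local.mojaloop_kafka_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local"`) and reference it from both. In the `@@ -199` locals hunk the new `output_path` is the only entry without the `mojaloop_` prefix used by its siblings `mojaloop_template_path` and `mojaloop_app_file`; `mojaloop_output_path` would match them and the output that exposes it. The four new outputs also lack a `description`.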
@@ -1,10 +1,9 @@ -terraform { - +terraform { + required_providers { gitlab = { - source = "gitlabhq/gitlab" + source = "gitlabhq/gitlab" version = "~> 16.0" } - vault = "~> 3.16" } -} \ No newline at end of file +} diff --git a/terraform/gitops/mojaloop/stateful-resources-config.tf b/terraform/gitops/mojaloop/stateful-resources-config.tf index e89bda2ab..f767dc554 100644 --- a/terraform/gitops/mojaloop/stateful-resources-config.tf +++ b/terraform/gitops/mojaloop/stateful-resources-config.tf 
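Review bot: Removing `vault = "~> 3.16"` leaves this module with no version constraint for the Vault provider; that is fine if no `vault_*` resource or data source remains in terraform/gitops/mojaloop after this refactor (the locals that read `data.vault_generic_secret.external_stateful_resource_password` are deleted in the same commit), but if any does, Terraform will resolve an implicit, unpinned `hashicorp/vault`, which I would confirm with a search of the module before merging. The `source = "gitlabhq/gitlab"` and `terraform {` lines appear to change only in whitespace, so the hunk reads as larger than its one real change.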
@@ -1,116 +1,35 @@ -resource "local_file" "chart_values" { - for_each = { for stateful_resource in local.local_stateful_resources : stateful_resource.resource_name => stateful_resource } - - content = templatefile("${local.stateful_resources_template_path}/${each.value.local_resource_config.resource_helm_values_ref}", { - resource = each.value - }) - filename = "${local.stateful_resources_output_path}/values-${each.value.local_resource_config.resource_helm_chart}-${each.value.resource_name}.yaml" -} - -resource "local_file" "vault_crs" { - for_each = { for stateful_resource in local.local_stateful_resources : stateful_resource.resource_name => stateful_resource } - - content = templatefile("${local.stateful_resources_template_path}/vault-crs.yaml.tpl", { - resource = each.value - }) - filename = "${local.stateful_resources_output_path}/vault-crs-${each.value.resource_name}.yaml" -} - -resource "local_file" "managed_crs" { - for_each = local.managed_resource_password_map - - content = templatefile("${local.stateful_resources_template_path}/managed-crs.yaml.tpl", { - password_map = each.value - }) - filename = "${local.stateful_resources_output_path}/managed-crs-${each.key}.yaml" -} - -resource "local_file" "external_name_services" { - content = templatefile("${local.stateful_resources_template_path}/external-name-services.yaml.tpl", - { config = local.external_name_map - stateful_resources_namespace = var.stateful_resources_namespace - }) - filename = "${local.stateful_resources_output_path}/external-name-services.yaml" -} - -resource "local_file" "kustomization" { - content = templatefile("${local.stateful_resources_template_path}/stateful-resources-kustomization.yaml.tpl", - { local_stateful_resources = local.local_stateful_resources - managed_stateful_resources = local.managed_stateful_resources - }) - filename = "${local.stateful_resources_output_path}/kustomization.yaml" -} - -resource "local_file" "namespace" { - content = 
templatefile("${local.stateful_resources_template_path}/namespace.yaml.tpl", - { - all_ns = distinct(concat(local.all_logical_extra_namespaces, local.all_local_namespaces, local.all_local_extra_namespaces)) - }) - filename = "${local.stateful_resources_output_path}/namespace.yaml" -} - -resource "local_file" "stateful-resources-app-file" { - content = templatefile("${local.stateful_resources_template_path}/app/${local.stateful_resources_app_file}.tpl", local.stateful_resources_vars) - filename = "${local.app_stateful_resources_output_path}/${local.stateful_resources_name}-${local.stateful_resources_app_file}" -} - -locals { - stateful_resources_name = "mojaloop" - stateful_resources_template_path = "${path.module}/../generate-files/templates/stateful-resources" - stateful_resources_output_path = "${var.output_dir}/${local.stateful_resources_name}-stateful-resources" - stateful_resources_app_file = "stateful-resources-app.yaml" - app_stateful_resources_output_path = "${var.output_dir}/app-yamls" - stateful_resources = jsondecode(file(var.stateful_resources_config_file)) - enabled_stateful_resources = { for stateful_resource in local.stateful_resources : stateful_resource.resource_name => stateful_resource if stateful_resource.enabled } - managed_stateful_resources = { for managed_resource in local.enabled_stateful_resources : managed_resource.resource_name => managed_resource if managed_resource.external_service } - local_stateful_resources = { for local_stateful_resource in local.enabled_stateful_resources : local_stateful_resource.resource_name => local_stateful_resource if !local_stateful_resource.external_service } - local_external_name_map = { for stateful_resource in local.local_stateful_resources : stateful_resource.logical_service_config.logical_service_name => stateful_resource.local_resource_config.override_service_name != null ? 
"${stateful_resource.local_resource_config.override_service_name}.${stateful_resource.local_resource_config.resource_namespace}.svc.cluster.local" : "${stateful_resource.resource_name}.${stateful_resource.local_resource_config.resource_namespace}.svc.cluster.local" } - managed_external_name_map = { for index, stateful_resource in local.managed_stateful_resources : stateful_resource.logical_service_config.logical_service_name => data.gitlab_project_variable.external_stateful_resource_instance_address[index].value } - external_name_map = merge(local.local_external_name_map, local.managed_external_name_map) - managed_resource_password_map = { for index, stateful_resource in local.managed_stateful_resources : stateful_resource.resource_name => { - password = data.vault_generic_secret.external_stateful_resource_password[index].data.value - namespaces = stateful_resource.logical_service_config.secret_extra_namespaces - secret_name = stateful_resource.logical_service_config.user_password_secret - secret_key = stateful_resource.logical_service_config.user_password_secret_key - } - } - - stateful_resources_vars = { - stateful_resources_namespace = var.stateful_resources_namespace - gitlab_project_url = var.gitlab_project_url - stateful_resources_sync_wave = var.stateful_resources_sync_wave - stateful_resources_name = local.stateful_resources_name - } - all_logical_extra_namespaces = flatten([for stateful_resource in local.enabled_stateful_resources : stateful_resource.logical_service_config.secret_extra_namespaces]) - all_local_extra_namespaces = flatten([for stateful_resource in local.local_stateful_resources : stateful_resource.local_resource_config.generate_secret_extra_namespaces]) - all_local_namespaces = distinct([for stateful_resource in local.local_stateful_resources : stateful_resource.local_resource_config.resource_namespace]) +module "mojaloop_stateful_resources" { + source = "../stateful-resources" + stateful_resources_name = "mojaloop" + cluster_name = 
var.cluster_name + output_dir = var.output_dir + gitlab_project_url = var.gitlab_project_url + gitlab_server_url = var.gitlab_server_url + current_gitlab_project_id = var.current_gitlab_project_id + stateful_resources_config_file = var.stateful_resources_config_file + stateful_resources_namespace = var.stateful_resources_namespace + create_stateful_resources_ns = false + kv_path = var.kv_path + external_stateful_resource_instance_addresses = length(data.gitlab_project_variable.external_stateful_resource_instance_address) > 0 ? data.gitlab_project_variable.external_stateful_resource_instance_address.*.value : [] } variable "stateful_resources_config_file" { - default = "../config/stateful-resources.json" - type = string - description = "where to pull stateful resources config" + type = string } - variable "stateful_resources_namespace" { - type = string - description = "stateful_resources_namespace" - default = "stateful-resources" + type = string + default = "stateful-resources" } -variable "stateful_resources_sync_wave" { - type = string - description = "stateful_resources_sync_wave, wait for vault config operator" - default = "-5" -} -data "vault_generic_secret" "external_stateful_resource_password" { +data "gitlab_project_variable" "external_stateful_resource_instance_address" { for_each = local.managed_stateful_resources - path = "${var.kv_path}/${var.cluster_name}/${each.value.external_resource_config.password_key_name}" + project = var.current_gitlab_project_id + key = each.value.external_resource_config.instance_address_key_name } -data "gitlab_project_variable" "external_stateful_resource_instance_address" { - for_each = local.managed_stateful_resources - project = var.current_gitlab_project_id - key = each.value.external_resource_config.instance_address_key_name -} \ No newline at end of file +locals { + stateful_resources = jsondecode(file(var.stateful_resources_config_file)) + enabled_stateful_resources = { for stateful_resource in 
local.stateful_resources : stateful_resource.resource_name => stateful_resource if stateful_resource.enabled } + managed_stateful_resources = { for managed_resource in local.enabled_stateful_resources : managed_resource.resource_name => managed_resource if managed_resource.external_service } +} diff --git a/terraform/gitops/pm4ml/providers.tf b/terraform/gitops/pm4ml/providers.tf deleted file mode 100644 index 963a4388c..000000000 --- a/terraform/gitops/pm4ml/providers.tf +++ /dev/null @@ -1,10 +0,0 @@ -terraform { - - required_providers { - gitlab = { - source = "gitlabhq/gitlab" - version = "~> 16.0" - } - vault = "~> 3.16" - } -} \ No newline at end of file diff --git a/terraform/gitops/stateful-resources/outputs.tf b/terraform/gitops/stateful-resources/outputs.tf new file mode 100644 index 000000000..6d7d96769 --- /dev/null +++ b/terraform/gitops/stateful-resources/outputs.tf @@ -0,0 +1,7 @@ +output "stateful_resources" { + value = local.stateful_resources +} + +output "managed_stateful_resources" { + value = local.managed_stateful_resources +} diff --git a/terraform/gitops/k8s-cluster-config/stateful-resources-config.tf b/terraform/gitops/stateful-resources/stateful-resources-config.tf similarity index 78% rename from terraform/gitops/k8s-cluster-config/stateful-resources-config.tf rename to terraform/gitops/stateful-resources/stateful-resources-config.tf index 1a03d6dff..e477ec3f8 100644 --- a/terraform/gitops/k8s-cluster-config/stateful-resources-config.tf +++ b/terraform/gitops/stateful-resources/stateful-resources-config.tf 
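Review bot: The value handed to `external_stateful_resource_instance_addresses` drops the keys the module needs: `data.gitlab_project_variable.external_stateful_resource_instance_address` is declared with `for_each = local.managed_stateful_resources`, so it is a map keyed by `resource_name`, and the `.*.value` splat (defined for lists and tuples rather than maps) flattens it into a positional list. The module side indexes that list with the same map key (its `for index, ...` over `local.managed_stateful_resources`), so a managed resource would not find its address. Passing the map through preserves the association and makes the `length(...) > 0` guard unnecessary: `external_stateful_resource_instance_addresses = { for k, v in data.gitlab_project_variable.external_stateful_resource_instance_address : k => v.value }`, with the module variable typed `map(string)`. Moving the Vault read out of this Terraform module is the right direction, since the database password no longer lands in Terraform state or the generated files; `kv_path` is passed here but its declaration is outside this hunk, so I cannot confirm it exists in this module.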
@@ -44,7 +44,7 @@ resource "local_file" "kustomization" {
 resource "local_file" "namespace" {
   content = templatefile("${local.stateful_resources_template_path}/namespace.yaml.tpl",
     {
-      all_ns = distinct(concat([var.stateful_resources_namespace], local.all_logical_extra_namespaces, local.all_local_namespaces, local.all_local_extra_namespaces))
+      all_ns = distinct(concat(var.create_stateful_resources_ns ? [var.stateful_resources_namespace] : [], local.all_logical_extra_namespaces, local.all_local_namespaces, local.all_local_extra_namespaces))
     })
   filename = "${local.stateful_resources_output_path}/namespace.yaml"
 }
@@ -55,8 +55,8 @@ resource "local_file" "stateful-resources-app-file" {
 }
 
 locals {
-  stateful_resources_name = "common"
-  stateful_resources_template_path = "${path.module}/../generate-files/templates/stateful-resources"
+  stateful_resources_name = var.stateful_resources_name
+  stateful_resources_template_path = "${path.module}/templates/stateful-resources"
   stateful_resources_output_path = "${var.output_dir}/${local.stateful_resources_name}-stateful-resources"
   stateful_resources_app_file = "stateful-resources-app.yaml"
   app_stateful_resources_output_path = "${var.output_dir}/app-yamls"
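Review bot: With `create_stateful_resources_ns` defaulting to `false`, `namespace.yaml` no longer declares `var.stateful_resources_namespace`, yet the ExternalName services rendered by this same module are placed in that namespace, so an instance that does not own the namespace depends on some other app (presumably the one rendered with the removed default `stateful_resources_name = "common"`) having created it first. Nothing visible here checks that ordering. At minimum the variable should state the contract: `description = "Create the stateful-resources namespace as part of this app; when false it must already exist (created by the instance that owns it)"`. If the ordering matters for sync, a sync-wave on the owning app or a `precondition` on the namespace resource would make the assumption explicit rather than implicit.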
@@ -65,10 +65,10 @@ locals {
   managed_stateful_resources = { for managed_resource in local.enabled_stateful_resources : managed_resource.resource_name => managed_resource if managed_resource.external_service }
   local_stateful_resources = { for local_stateful_resource in local.enabled_stateful_resources : local_stateful_resource.resource_name => local_stateful_resource if !local_stateful_resource.external_service }
   local_external_name_map = { for stateful_resource in local.local_stateful_resources : stateful_resource.logical_service_config.logical_service_name => stateful_resource.local_resource_config.override_service_name != null ? "${stateful_resource.local_resource_config.override_service_name}.${stateful_resource.local_resource_config.resource_namespace}.svc.cluster.local" : "${stateful_resource.resource_name}.${stateful_resource.local_resource_config.resource_namespace}.svc.cluster.local" }
-  managed_external_name_map = { for index, stateful_resource in local.managed_stateful_resources : stateful_resource.logical_service_config.logical_service_name => data.gitlab_project_variable.external_stateful_resource_instance_address[index].value }
+  managed_external_name_map = { for index, stateful_resource in local.managed_stateful_resources : stateful_resource.logical_service_config.logical_service_name => var.external_stateful_resource_instance_addresses[index] }
   external_name_map = merge(local.local_external_name_map, local.managed_external_name_map)
   managed_resource_password_map = { for index, stateful_resource in local.managed_stateful_resources : stateful_resource.resource_name => {
-    password = data.vault_generic_secret.external_stateful_resource_password[index].data.value
+    vault_path = "${var.kv_path}/${var.cluster_name}/${stateful_resource.external_resource_config.password_key_name}"
     namespaces = stateful_resource.logical_service_config.secret_extra_namespaces
     secret_name = stateful_resource.logical_service_config.user_password_secret
     secret_key = stateful_resource.logical_service_config.user_password_secret_key
@@ -86,6 +86,42 @@ locals {
   all_local_namespaces = distinct([for stateful_resource in local.local_stateful_resources : stateful_resource.local_resource_config.resource_namespace])
 }
 
+variable "external_stateful_resource_instance_addresses" {
+  type = list(string)
+  default = []
+}
+
+variable "create_stateful_resources_ns" {
+  type = bool
+  description = "whether to create st res ns"
+  default = false
+}
+
+variable "gitlab_project_url" {
+  type = string
+  description = "gitlab_project_url"
+}
+
+variable "cluster_name" {
+  description = "Cluster name, lower case and without spaces. This will be used to set tags and name resources"
+  type = string
+}
+
+variable "gitlab_server_url" {
+  type = string
+  description = "gitlab_server_url"
+}
+
+variable "current_gitlab_project_id" {
+  type = string
+  description = "current_gitlab_project_id"
+}
+
+variable "kv_path" {
+  description = "path for tenant kv engine"
+  default = "secret"
+}
+
 variable "stateful_resources_config_file" {
   default = "../config/stateful-resources.json"
   type = string
@@ -98,6 +134,16 @@ variable "stateful_resources_namespace" {
   default = "stateful-resources"
 }
 
+variable "stateful_resources_name" {
+  type = string
+  description = "stateful_resources_name"
+}
+
+variable "output_dir" {
+  type = string
+  description = "output_dir"
+}
+
 variable "stateful_resources_sync_wave" {
   type = string
   description = "stateful_resources_sync_wave, wait for vault config operator"
diff --git a/terraform/gitops/stateful-resources/templates/stateful-resources/app/stateful-resources-app.yaml.tpl b/terraform/gitops/stateful-resources/templates/stateful-resources/app/stateful-resources-app.yaml.tpl
new file mode 100644
index 000000000..d19adca76
--- /dev/null
+++ b/terraform/gitops/stateful-resources/templates/stateful-resources/app/stateful-resources-app.yaml.tpl
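Review bot: `var.external_stateful_resource_instance_addresses[index]` indexes a `list(string)` with a string: `index` is the key of `local.managed_stateful_resources`, which is built as a map keyed by `resource_name` in the locals above, so for any enabled external resource this look-up fails instead of returning the address. Declaring the variable as a map keyed by resource name keeps the existing index expression correct: `type = map(string)` and `default = {}`. Replacing `password = data.vault_generic_secret...` with a `vault_path` string is a good change, since the password no longer passes through Terraform state or the rendered files. Separately, `kv_path` is the only new variable without a `type`; add `type = string` so a caller cannot feed a non-string value into the Vault path.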
@@ -0,0 +1,33 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  annotations:
+    argocd.argoproj.io/sync-wave: "${stateful_resources_sync_wave}"
+  name: "${stateful_resources_name}-stateful-resources-app"
+  namespace: argocd
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  source:
+    path: apps/${stateful_resources_name}-stateful-resources
+    repoURL: "${gitlab_project_url}"
+    targetRevision: HEAD
+  destination:
+    namespace: argocd
+    server: https://kubernetes.default.svc
+  project: default
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+      allowEmpty: true
+    retry:
+      limit: 10
+      backoff:
+        duration: 5s
+        maxDuration: 5m0s
+        factor: 2
+    syncOptions:
+      - CreateNamespace=true
+      - PrunePropagationPolicy=background
+      - PruneLast=true
\ No newline at end of file
diff --git a/terraform/gitops/stateful-resources/templates/stateful-resources/external-name-services.yaml.tpl b/terraform/gitops/stateful-resources/templates/stateful-resources/external-name-services.yaml.tpl
new file mode 100644
index 000000000..605c7ef59
--- /dev/null
+++ b/terraform/gitops/stateful-resources/templates/stateful-resources/external-name-services.yaml.tpl
@@ -0,0 +1,11 @@
+%{ for logical_service_name, external_name in config ~}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: ${logical_service_name}
+  namespace: ${stateful_resources_namespace}
+spec:
+  type: ExternalName
+  externalName: ${external_name}
+%{ endfor ~}
\ No newline at end of file
diff --git a/terraform/gitops/stateful-resources/templates/stateful-resources/managed-crs.yaml.tpl b/terraform/gitops/stateful-resources/templates/stateful-resources/managed-crs.yaml.tpl
new file mode 100644
index 000000000..d5657f0b5
--- /dev/null
+++ b/terraform/gitops/stateful-resources/templates/stateful-resources/managed-crs.yaml.tpl
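Review bot: `allowEmpty: true` together with `prune: true`, `selfHeal: true` and `PruneLast=true` lets a sync that renders zero manifests delete every resource this Application owns, and because `namespace.yaml` is among those manifests that includes the namespaces themselves and therefore every stateful workload and PersistentVolumeClaim inside them. A generation run that commits an empty `apps/<name>-stateful-resources` directory is enough to trigger it. For an app that owns databases I would set `allowEmpty: false` with a comment explaining why: `# never prune to empty: this app owns namespaces holding stateful data`. `project: default` and `targetRevision: HEAD` also leave the app without source/destination restrictions or a pinned revision; a dedicated AppProject whose `sourceRepos` and `destinations` are limited to this repo and cluster would be the least-privilege choice.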
@@ -0,0 +1,26 @@
+%{ for ns in password_map.namespaces ~}
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: ${password_map.secret_name}
+  namespace: ${ns}
+  annotations:
+    argocd.argoproj.io/sync-wave: "-11"
+spec:
+  refreshInterval: 1h
+
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: tenant-vault-secret-store
+
+  target:
+    name: ${password_map.secret_name} # Name for the secret to be created on the cluster
+    creationPolicy: Owner
+
+  data:
+    - secretKey: ${password_map.secret_key}
+      remoteRef:
+        key: ${password_map.vault_path}
+        property: value
+%{ endfor ~}
\ No newline at end of file
diff --git a/terraform/gitops/stateful-resources/templates/stateful-resources/namespace.yaml.tpl b/terraform/gitops/stateful-resources/templates/stateful-resources/namespace.yaml.tpl
new file mode 100644
index 000000000..8ce1b0502
--- /dev/null
+++ b/terraform/gitops/stateful-resources/templates/stateful-resources/namespace.yaml.tpl
@@ -0,0 +1,7 @@
+%{ for ns in all_ns ~}
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: ${ns}
+---
+%{ endfor ~}
\ No newline at end of file
diff --git a/terraform/gitops/stateful-resources/templates/stateful-resources/stateful-resources-kustomization.yaml.tpl b/terraform/gitops/stateful-resources/templates/stateful-resources/stateful-resources-kustomization.yaml.tpl
new file mode 100644
index 000000000..0e09f5fb0
--- /dev/null
+++ b/terraform/gitops/stateful-resources/templates/stateful-resources/stateful-resources-kustomization.yaml.tpl
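Review bot: `remoteRef.key: ${password_map.vault_path}` is built as `${kv_path}/${cluster_name}/${password_key_name}` with `kv_path` defaulting to `secret`, but the External Secrets Vault provider resolves the key relative to the mount path configured on the referenced store, so if `tenant-vault-secret-store` already carries `path: secret` the mount would appear twice and the look-up would fail; the store definition is not in this diff, so this needs checking against it. A comment above the key would spare the next reader the same investigation: `# key is relative to the KV mount configured on tenant-vault-secret-store; kv_path must match that mount`. `refreshInterval: 1h` also means a rotated database password takes up to an hour to reach the Secret, which is worth stating next to it. Finally, the templated scalars `name: ${password_map.secret_name}` and `namespace: ${ns}` are unquoted; quoting them (`name: "${password_map.secret_name}"`) keeps an empty or YAML-special value from rendering as `null` or a non-string.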
@@ -0,0 +1,21 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- external-name-services.yaml
+- namespace.yaml
+%{ for stateful_resource in local_stateful_resources ~}
+- vault-crs-${stateful_resource.resource_name}.yaml
+%{ endfor ~}
+%{ for stateful_resource in managed_stateful_resources ~}
+- managed-crs-${stateful_resource.resource_name}.yaml
+%{ endfor ~}
+helmCharts:
+%{ for stateful_resource in local_stateful_resources ~}
+- name: ${stateful_resource.local_resource_config.resource_helm_chart}
+  namespace: ${stateful_resource.local_resource_config.resource_namespace}
+  releaseName: ${stateful_resource.local_resource_config.resource_helm_chart}-${stateful_resource.resource_name}
+  version: ${stateful_resource.local_resource_config.resource_helm_chart_version}
+  repo: ${stateful_resource.local_resource_config.resource_helm_repo}
+  valuesFile: values-${stateful_resource.local_resource_config.resource_helm_chart}-${stateful_resource.resource_name}.yaml
+%{ endfor ~}
\ No newline at end of file
diff --git a/terraform/gitops/stateful-resources/templates/stateful-resources/values-kafka.yaml.tpl b/terraform/gitops/stateful-resources/templates/stateful-resources/values-kafka.yaml.tpl
new file mode 100644
index 000000000..4a68be5f0
--- /dev/null
+++ b/terraform/gitops/stateful-resources/templates/stateful-resources/values-kafka.yaml.tpl
@@ -0,0 +1,1015 @@ +# Copyright VMware, Inc. +# SPDX-License-Identifier: APACHE-2.0 + +## @section Global parameters +## Global Docker image parameters +## Please, note that this will override the image parameters, including dependencies, configured to use the global value +## Current available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass +## + +## @param global.imageRegistry Global Docker image registry +## @param global.imagePullSecrets Global Docker registry secret names as an array +## @param global.storageClass Global StorageClass for Persistent Volume(s) +## +global: + storageClass: ${resource.local_resource_config.kafka_data.storage_class_name} + +## @section Common parameters +## + + +fullnameOverride: ${resource.resource_name} +## @param clusterDomain Default Kubernetes cluster domain +## + +## @section Kafka parameters +## + +## Bitnami Kafka image version +## ref: https://hub.docker.com/r/bitnami/kafka/tags/ +## @param image.registry [default: REGISTRY_NAME] Kafka image registry +## @param image.repository [default: REPOSITORY_NAME/kafka] Kafka image repository +## @skip image.tag Kafka image tag (immutable tags are recommended) +## @param image.digest Kafka image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag +## @param image.pullPolicy Kafka image pull policy +## @param image.pullSecrets Specify docker-registry secret names as an array +## @param image.debug Specify if debug values should be set +## +## @param extraInit Additional content for the kafka init script, rendered as a template. +## +extraInit: "" +## @param config Configuration file for Kafka, rendered as a template. Auto-generated based on chart values when not specified. +## @param existingConfigmap ConfigMap with Kafka Configuration +## NOTE: This will override the configuration based on values, please act carefully +## If both are set, the existingConfigMap will be used. 
+## +config: "" +existingConfigmap: "" +## @param extraConfig Additional configuration to be appended at the end of the generated Kafka configuration file. +## +extraConfig: "" +## @param secretConfig Additional configuration to be appended at the end of the generated Kafka configuration file. +## This value will be stored in a secret. +## +secretConfig: "" +## @param existingSecretConfig Secret with additonal configuration that will be appended to the end of the generated Kafka configuration file +## The key for the configuration should be: server-secret.properties +## NOTE: This will override secretConfig value +## +existingSecretConfig: "" +## @param log4j An optional log4j.properties file to overwrite the default of the Kafka brokers +## An optional log4j.properties file to overwrite the default of the Kafka brokers +## ref: https://github.com/apache/kafka/blob/trunk/config/log4j.properties +## +log4j: "" +## @param existingLog4jConfigMap The name of an existing ConfigMap containing a log4j.properties file +## The name of an existing ConfigMap containing a log4j.properties file +## NOTE: this will override `log4j` +## +existingLog4jConfigMap: "" +## @param heapOpts Kafka Java Heap size +## +heapOpts: -Xmx1024m -Xms1024m +## @param interBrokerProtocolVersion Override the setting 'inter.broker.protocol.version' during the ZK migration. +## Ref. https://docs.confluent.io/platform/current/installation/migrate-zk-kraft.html +## +interBrokerProtocolVersion: "" +## Kafka listeners configuration +## +listeners: + ## @param listeners.client.name Name for the Kafka client listener + ## @param listeners.client.containerPort Port for the Kafka client listener + ## @param listeners.client.protocol Security protocol for the Kafka client listener. Allowed values are 'PLAINTEXT', 'SASL_PLAINTEXT', 'SASL_SSL' and 'SSL' + ## @param listeners.client.sslClientAuth Optional. If SASL_SSL is enabled, configure mTLS TLS authentication type. 
If SSL protocol is enabled, overrides tls.authType for this listener. Allowed values are 'none', 'requested' and 'required' + client: + containerPort: ${resource.local_resource_config.kafka_data.service_port} + protocol: PLAINTEXT + name: CLIENT + sslClientAuth: "" + ## @param listeners.controller.name Name for the Kafka controller listener + ## @param listeners.controller.containerPort Port for the Kafka controller listener + ## @param listeners.controller.protocol Security protocol for the Kafka controller listener. Allowed values are 'PLAINTEXT', 'SASL_PLAINTEXT', 'SASL_SSL' and 'SSL' + ## @param listeners.controller.sslClientAuth Optional. If SASL_SSL is enabled, configure mTLS TLS authentication type. If SSL protocol is enabled, overrides tls.authType for this listener. Allowed values are 'none', 'requested' and 'required' + ## Ref: https://cwiki.apache.org/confluence/display/KAFKA/KIP-684+-+Support+mutual+TLS+authentication+on+SASL_SSL+listeners + controller: + name: CONTROLLER + containerPort: 9093 + protocol: SASL_PLAINTEXT + sslClientAuth: "" + ## @param listeners.interbroker.name Name for the Kafka inter-broker listener + ## @param listeners.interbroker.containerPort Port for the Kafka inter-broker listener + ## @param listeners.interbroker.protocol Security protocol for the Kafka inter-broker listener. Allowed values are 'PLAINTEXT', 'SASL_PLAINTEXT', 'SASL_SSL' and 'SSL' + ## @param listeners.interbroker.sslClientAuth Optional. If SASL_SSL is enabled, configure mTLS TLS authentication type. If SSL protocol is enabled, overrides tls.authType for this listener. Allowed values are 'none', 'requested' and 'required' + interbroker: + containerPort: 9094 + protocol: SASL_PLAINTEXT + name: INTERNAL + sslClientAuth: "" + ## @param listeners.external.containerPort Port for the Kafka external listener + ## @param listeners.external.protocol Security protocol for the Kafka external listener. . 
Allowed values are 'PLAINTEXT', 'SASL_PLAINTEXT', 'SASL_SSL' and 'SSL' + ## @param listeners.external.name Name for the Kafka external listener + ## @param listeners.external.sslClientAuth Optional. If SASL_SSL is enabled, configure mTLS TLS authentication type. If SSL protocol is enabled, overrides tls.sslClientAuth for this listener. Allowed values are 'none', 'requested' and 'required' + external: + containerPort: 9095 + protocol: SASL_PLAINTEXT + name: EXTERNAL + sslClientAuth: "" + ## @param listeners.extraListeners Array of listener objects to be appended to already existing listeners + ## E.g. + ## extraListeners: + ## - name: CUSTOM + ## containerPort: 9097 + ## protocol: SASL_PLAINTEXT + ## sslClientAuth: "" + ## + extraListeners: [] + ## NOTE: If set, below values will override configuration set using the above values (extraListeners.*, controller.*, interbroker.*, client.* and external.*) + ## @param listeners.overrideListeners Overrides the Kafka 'listeners' configuration setting. + ## @param listeners.advertisedListeners Overrides the Kafka 'advertised.listener' configuration setting. + ## @param listeners.securityProtocolMap Overrides the Kafka 'security.protocol.map' configuration setting. + overrideListeners: "" + advertisedListeners: "" + securityProtocolMap: "" + +## @section Controller-eligible statefulset parameters +## +controller: + ## @param controller.replicaCount Number of Kafka controller-eligible nodes + ## Ignore this section if running in Zookeeper mode. + ## + replicaCount: ${resource.local_resource_config.kafka_data.replica_count} + ## @param controller.controllerOnly If set to true, controller nodes will be deployed as dedicated controllers, instead of controller+broker processes. + ## + controllerOnly: false + ## @param controller.minId Minimal node.id values for controller-eligible nodes. Do not change after first initialization. + ## Broker-only id increment their ID starting at this minimal value. 
+ ## We recommend setting this this value high enough, as IDs under this value will be used by controller-elegible nodes + ## + minId: 0 + ## @param controller.zookeeperMigrationMode Set to true to deploy cluster controller quorum + ## This allows configuring both kraft and zookeeper modes simultaneously in order to perform the migration of the Kafka metadata. + ## Ref. https://docs.confluent.io/platform/current/installation/migrate-zk-kraft.html + ## + zookeeperMigrationMode: false + ## @param controller.config Configuration file for Kafka controller-eligible nodes, rendered as a template. Auto-generated based on chart values when not specified. + ## @param controller.existingConfigmap ConfigMap with Kafka Configuration for controller-eligible nodes. + ## NOTE: This will override the configuration based on values, please act carefully + ## If both are set, the existingConfigMap will be used. + ## + config: "" + existingConfigmap: "" + ## @param controller.extraConfig Additional configuration to be appended at the end of the generated Kafka controller-eligible nodes configuration file. + ## +%{ if resource.local_resource_config.kafka_data.replica_count == 1 ~} + extraConfig: |- + offsets.topic.replication.factor=1 + default.replication.factor=1 + transaction.state.log.replication.factor=1 +%{ else ~} + extraConfig: "" +%{ endif ~} + ## @param controller.secretConfig Additional configuration to be appended at the end of the generated Kafka controller-eligible nodes configuration file. + ## This value will be stored in a secret. 
+ ## + secretConfig: "" + ## @param controller.existingSecretConfig Secret with additonal configuration that will be appended to the end of the generated Kafka controller-eligible nodes configuration file + ## The key for the configuration should be: server-secret.properties + ## NOTE: This will override controller.secretConfig value + ## + existingSecretConfig: "" + ## @param controller.heapOpts Kafka Java Heap size for controller-eligible nodes + ## + heapOpts: -Xmx1024m -Xms1024m + ## @param controller.command Override Kafka container command + ## + command: [] + ## @param controller.args Override Kafka container arguments + ## + args: [] + ## @param controller.extraEnvVars Extra environment variables to add to Kafka pods + ## ref: https://github.com/bitnami/containers/tree/main/bitnami/kafka#configuration + ## e.g: + ## extraEnvVars: + ## - name: KAFKA_CFG_BACKGROUND_THREADS + ## value: "10" + ## + extraEnvVars: [] + ## @param controller.extraEnvVarsCM ConfigMap with extra environment variables + ## + extraEnvVarsCM: "" + ## @param controller.extraEnvVarsSecret Secret with extra environment variables + ## + extraEnvVarsSecret: "" + ## @param controller.extraContainerPorts Kafka controller-eligible extra containerPorts. 
+ ## + extraContainerPorts: [] + ## Configure extra options for Kafka containers' liveness, readiness and startup probes + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes + ## @param controller.livenessProbe.enabled Enable livenessProbe on Kafka containers + ## @param controller.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe + ## @param controller.livenessProbe.periodSeconds Period seconds for livenessProbe + ## @param controller.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe + ## @param controller.livenessProbe.failureThreshold Failure threshold for livenessProbe + ## @param controller.livenessProbe.successThreshold Success threshold for livenessProbe + ## + livenessProbe: + enabled: true + initialDelaySeconds: 10 + timeoutSeconds: 5 + failureThreshold: 3 + periodSeconds: 10 + successThreshold: 1 + ## @param controller.readinessProbe.enabled Enable readinessProbe on Kafka containers + ## @param controller.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe + ## @param controller.readinessProbe.periodSeconds Period seconds for readinessProbe + ## @param controller.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe + ## @param controller.readinessProbe.failureThreshold Failure threshold for readinessProbe + ## @param controller.readinessProbe.successThreshold Success threshold for readinessProbe + ## + readinessProbe: + enabled: true + initialDelaySeconds: 5 + failureThreshold: 6 + timeoutSeconds: 5 + periodSeconds: 10 + successThreshold: 1 + ## @param controller.startupProbe.enabled Enable startupProbe on Kafka containers + ## @param controller.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe + ## @param controller.startupProbe.periodSeconds Period seconds for startupProbe + ## @param controller.startupProbe.timeoutSeconds Timeout seconds for startupProbe + ## @param 
controller.startupProbe.failureThreshold Failure threshold for startupProbe + ## @param controller.startupProbe.successThreshold Success threshold for startupProbe + ## + startupProbe: + enabled: false + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 15 + successThreshold: 1 + ## @param controller.customLivenessProbe Custom livenessProbe that overrides the default one + ## + customLivenessProbe: {} + ## @param controller.customReadinessProbe Custom readinessProbe that overrides the default one + ## + customReadinessProbe: {} + ## @param controller.customStartupProbe Custom startupProbe that overrides the default one + ## + customStartupProbe: {} + ## @param controller.lifecycleHooks lifecycleHooks for the Kafka container to automate configuration before or after startup + ## + lifecycleHooks: {} + ## Kafka init container resource requests and limits + ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## @param controller.initContainerResources.limits The resources limits for the init container + ## @param controller.initContainerResources.requests The requested resources for the init container + ## + initContainerResources: + limits: {} + requests: {} + ## Kafka resource requests and limits + ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## @param controller.resources.limits The resources limits for the container + ## @param controller.resources.requests The requested resources for the container + ## + resources: + limits: {} + requests: {} + ## Kafka pods' Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + ## @param controller.podSecurityContext.enabled Enable security context for the pods + ## @param controller.podSecurityContext.fsGroup Set Kafka pod's Security Context fsGroup + ## @param controller.podSecurityContext.seccompProfile.type Set Kafka pods's Security Context seccomp profile + ## + 
podSecurityContext: + enabled: true + fsGroup: 1001 + seccompProfile: + type: "RuntimeDefault" + ## Kafka containers' Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + ## @param controller.containerSecurityContext.enabled Enable Kafka containers' Security Context + ## @param controller.containerSecurityContext.runAsUser Set Kafka containers' Security Context runAsUser + ## @param controller.containerSecurityContext.runAsNonRoot Set Kafka containers' Security Context runAsNonRoot + ## @param controller.containerSecurityContext.allowPrivilegeEscalation Force the child process to be run as non-privileged + ## @param controller.containerSecurityContext.readOnlyRootFilesystem Allows the pod to mount the RootFS as ReadOnly only + ## @param controller.containerSecurityContext.capabilities.drop Set Kafka containers' server Security Context capabilities to be dropped + ## e.g: + ## containerSecurityContext: + ## enabled: true + ## capabilities: + ## drop: ["NET_RAW"] + ## readOnlyRootFilesystem: true + ## + containerSecurityContext: + enabled: true + runAsUser: 1001 + runAsNonRoot: true + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: + drop: ["ALL"] + ## @param controller.hostAliases Kafka pods host aliases + ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ + ## + hostAliases: [] + ## @param controller.hostNetwork Specify if host network should be enabled for Kafka pods + ## + hostNetwork: false + ## @param controller.hostIPC Specify if host IPC should be enabled for Kafka pods + ## + hostIPC: false + ## @param controller.podLabels Extra labels for Kafka pods + ## Ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + ## + podLabels: {} + ## @param controller.podAnnotations Extra annotations for Kafka pods + ## ref: 
https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + ## + podAnnotations: {} + ## @param controller.podAffinityPreset Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAffinityPreset: "" + ## @param controller.podAntiAffinityPreset Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` + ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAntiAffinityPreset: soft + ## Node affinity preset + ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity + ## + +%{ if resource.local_resource_config.kafka_data.dataplane_affinity_definition != null ~} + nodeAffinityPreset: + ## @param controller.nodeAffinityPreset.type Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` + ## + type: ${resource.local_resource_config.kafka_data.dataplane_affinity_definition.type} + ## @param controller.nodeAffinityPreset.key Node label key to match Ignored if `affinity` is set. + ## E.g. + ## key: "kubernetes.io/e2e-az-name" + ## + key: ${resource.local_resource_config.kafka_data.dataplane_affinity_definition.key} + ## @param controller.nodeAffinityPreset.values Node label values to match. Ignored if `affinity` is set. + ## E.g. 
+ ## values: + ## - e2e-az1 + ## - e2e-az2 + ## + values: + ${indent(6, yamlencode(resource.local_resource_config.kafka_data.dataplane_affinity_definition.values))} + ## @param controller.affinity Affinity for pod assignment + ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it's set + ## +%{ else ~} + affinity: {} +%{ endif ~} + + ## @param controller.nodeSelector Node labels for pod assignment + ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: {} + ## @param controller.tolerations Tolerations for pod assignment + ## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + ## + tolerations: [] + ## @param controller.topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template + ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods + ## + topologySpreadConstraints: [] + ## @param controller.terminationGracePeriodSeconds Seconds the pod needs to gracefully terminate + ## ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#hook-handler-execution + ## + terminationGracePeriodSeconds: "" + ## @param controller.podManagementPolicy StatefulSet controller supports relax its ordering guarantees while preserving its uniqueness and identity guarantees. 
There are two valid pod management policies: OrderedReady and Parallel + ## ref: https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#pod-management-policy + ## + podManagementPolicy: Parallel + ## @param controller.minReadySeconds How many seconds a pod needs to be ready before killing the next, during update + ## + minReadySeconds: 0 + ## @param controller.priorityClassName Name of the existing priority class to be used by kafka pods + ## Ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ + ## + priorityClassName: "" + ## @param controller.runtimeClassName Name of the runtime class to be used by pod(s) + ## ref: https://kubernetes.io/docs/concepts/containers/runtime-class/ + ## + runtimeClassName: "" + ## @param controller.enableServiceLinks Whether information about services should be injected into pod's environment variable + ## The environment variables injected by service links are not used, but can lead to slow kafka boot times or slow running of the scripts when there are many services in the current namespace. + ## If you experience slow pod startups or slow running of the scripts you probably want to set this to `false`. 
+ ## + enableServiceLinks: true + ## @param controller.schedulerName Name of the k8s scheduler (other than default) + ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ + ## + schedulerName: "" + ## @param controller.updateStrategy.type Kafka statefulset strategy type + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies + ## + updateStrategy: + type: RollingUpdate + ## @param controller.extraVolumes Optionally specify extra list of additional volumes for the Kafka pod(s) + ## e.g: + ## extraVolumes: + ## - name: kafka-jaas + ## secret: + ## secretName: kafka-jaas + ## + extraVolumes: [] + ## @param controller.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the Kafka container(s) + ## extraVolumeMounts: + ## - name: kafka-jaas + ## mountPath: /bitnami/kafka/config/kafka_jaas.conf + ## subPath: kafka_jaas.conf + ## + extraVolumeMounts: [] + ## @param controller.sidecars Add additional sidecar containers to the Kafka pod(s) + ## e.g: + ## sidecars: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## ports: + ## - name: portname + ## containerPort: 1234 + ## + sidecars: [] + ## @param controller.initContainers Add additional Add init containers to the Kafka pod(s) + ## e.g: + ## initContainers: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## ports: + ## - name: portname + ## containerPort: 1234 + ## + initContainers: [] + ## Kafka Pod Disruption Budget + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ + ## @param controller.pdb.create Deploy a pdb object for the Kafka pod + ## @param controller.pdb.minAvailable Maximum number/percentage of unavailable Kafka replicas + ## @param controller.pdb.maxUnavailable Maximum number/percentage of unavailable Kafka replicas + ## + pdb: + create: false + minAvailable: "" + maxUnavailable: 1 + ## Enable persistence using 
Persistent Volume Claims + ## ref: https://kubernetes.io/docs/user-guide/persistent-volumes/ + ## + persistence: + ## @param controller.persistence.enabled Enable Kafka data persistence using PVC, note that ZooKeeper persistence is unaffected + ## + enabled: true + ## @param controller.persistence.existingClaim A manually managed Persistent Volume and Claim + ## If defined, PVC must be created manually before volume will be bound + ## The value is evaluated as a template + ## + existingClaim: "" + ## @param controller.persistence.storageClass PVC Storage Class for Kafka data volume + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. + ## + storageClass: ${resource.local_resource_config.kafka_data.storage_class_name} + ## @param controller.persistence.accessModes Persistent Volume Access Modes + ## + accessModes: + - ReadWriteOnce + ## @param controller.persistence.size PVC Storage Request for Kafka data volume + ## + size: ${resource.local_resource_config.kafka_data.storage_size} + ## @param controller.persistence.annotations Annotations for the PVC + ## + annotations: {} + ## @param controller.persistence.labels Labels for the PVC + ## + labels: {} + ## @param controller.persistence.selector Selector to match an existing Persistent Volume for Kafka data PVC. 
If set, the PVC can't have a PV dynamically provisioned for it + ## selector: + ## matchLabels: + ## app: my-app + ## + selector: {} + ## @param controller.persistence.mountPath Mount path of the Kafka data volume + ## + mountPath: /bitnami/kafka + ## Log Persistence parameters + ## + logPersistence: + ## @param controller.logPersistence.enabled Enable Kafka logs persistence using PVC, note that ZooKeeper persistence is unaffected + ## + enabled: false + ## @param controller.logPersistence.existingClaim A manually managed Persistent Volume and Claim + ## If defined, PVC must be created manually before volume will be bound + ## The value is evaluated as a template + ## + existingClaim: "" + ## @param controller.logPersistence.storageClass PVC Storage Class for Kafka logs volume + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. + ## + storageClass: "" + ## @param controller.logPersistence.accessModes Persistent Volume Access Modes + ## + accessModes: + - ReadWriteOnce + ## @param controller.logPersistence.size PVC Storage Request for Kafka logs volume + ## + size: 8Gi + ## @param controller.logPersistence.annotations Annotations for the PVC + ## + annotations: {} + ## @param controller.logPersistence.selector Selector to match an existing Persistent Volume for Kafka log data PVC. If set, the PVC can't have a PV dynamically provisioned for it + ## selector: + ## matchLabels: + ## app: my-app + ## + selector: {} + ## @param controller.logPersistence.mountPath Mount path of the Kafka logs volume + ## + mountPath: /opt/bitnami/kafka/logs + +## @section Broker-only statefulset parameters +## +broker: + ## @param broker.replicaCount Number of Kafka broker-only nodes + ## + replicaCount: 0 + ## @param broker.minId Minimal node.id values for broker-only nodes. 
Do not change after first initialization. + ## Broker-only id increment their ID starting at this minimal value. + ## We recommend setting this this value high enough, as IDs under this value will be used by controller-eligible nodes + ## + ## + minId: 100 + ## @param broker.zookeeperMigrationMode Set to true to deploy cluster controller quorum + ## This allows configuring both kraft and zookeeper modes simultaneously in order to perform the migration of the Kafka metadata. + ## Ref. https://docs.confluent.io/platform/current/installation/migrate-zk-kraft.html + ## + zookeeperMigrationMode: false + ## @param broker.config Configuration file for Kafka broker-only nodes, rendered as a template. Auto-generated based on chart values when not specified. + ## @param broker.existingConfigmap ConfigMap with Kafka Configuration for broker-only nodes. + ## NOTE: This will override the configuration based on values, please act carefully + ## If both are set, the existingConfigMap will be used. + ## + config: "" + existingConfigmap: "" + ## @param broker.extraConfig Additional configuration to be appended at the end of the generated Kafka broker-only nodes configuration file. + ## + extraConfig: ' + min.insync.replicas=1 + unclean.leader.election.enable=true + ' + ## @param broker.secretConfig Additional configuration to be appended at the end of the generated Kafka broker-only nodes configuration file. + ## This value will be stored in a secret. 
+ ## + secretConfig: "" + ## @param broker.existingSecretConfig Secret with additonal configuration that will be appended to the end of the generated Kafka broker-only nodes configuration file + ## The key for the configuration should be: server-secret.properties + ## NOTE: This will override broker.secretConfig value + ## + existingSecretConfig: "" + ## @param broker.heapOpts Kafka Java Heap size for broker-only nodes + ## + heapOpts: -Xmx1024m -Xms1024m + ## @param broker.command Override Kafka container command + ## + command: [] + ## @param broker.args Override Kafka container arguments + ## + args: [] + ## @param broker.extraEnvVars Extra environment variables to add to Kafka pods + ## ref: https://github.com/bitnami/containers/tree/main/bitnami/kafka#configuration + ## e.g: + ## extraEnvVars: + ## - name: KAFKA_CFG_BACKGROUND_THREADS + ## value: "10" + ## + extraEnvVars: [] + ## @param broker.extraEnvVarsCM ConfigMap with extra environment variables + ## + extraEnvVarsCM: "" + ## @param broker.extraEnvVarsSecret Secret with extra environment variables + ## + extraEnvVarsSecret: "" + ## @param broker.extraContainerPorts Kafka broker-only extra containerPorts. 
+ ## + extraContainerPorts: [] + ## Configure extra options for Kafka containers' liveness, readiness and startup probes + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes + ## @param broker.livenessProbe.enabled Enable livenessProbe on Kafka containers + ## @param broker.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe + ## @param broker.livenessProbe.periodSeconds Period seconds for livenessProbe + ## @param broker.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe + ## @param broker.livenessProbe.failureThreshold Failure threshold for livenessProbe + ## @param broker.livenessProbe.successThreshold Success threshold for livenessProbe + ## + livenessProbe: + enabled: true + initialDelaySeconds: 10 + timeoutSeconds: 5 + failureThreshold: 3 + periodSeconds: 10 + successThreshold: 1 + ## @param broker.readinessProbe.enabled Enable readinessProbe on Kafka containers + ## @param broker.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe + ## @param broker.readinessProbe.periodSeconds Period seconds for readinessProbe + ## @param broker.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe + ## @param broker.readinessProbe.failureThreshold Failure threshold for readinessProbe + ## @param broker.readinessProbe.successThreshold Success threshold for readinessProbe + ## + readinessProbe: + enabled: true + initialDelaySeconds: 5 + failureThreshold: 6 + timeoutSeconds: 5 + periodSeconds: 10 + successThreshold: 1 + ## @param broker.startupProbe.enabled Enable startupProbe on Kafka containers + ## @param broker.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe + ## @param broker.startupProbe.periodSeconds Period seconds for startupProbe + ## @param broker.startupProbe.timeoutSeconds Timeout seconds for startupProbe + ## @param broker.startupProbe.failureThreshold Failure threshold for startupProbe + ## 
@param broker.startupProbe.successThreshold Success threshold for startupProbe + ## + startupProbe: + enabled: false + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 15 + successThreshold: 1 + ## @param broker.customLivenessProbe Custom livenessProbe that overrides the default one + ## + customLivenessProbe: {} + ## @param broker.customReadinessProbe Custom readinessProbe that overrides the default one + ## + customReadinessProbe: {} + ## @param broker.customStartupProbe Custom startupProbe that overrides the default one + ## + customStartupProbe: {} + ## @param broker.lifecycleHooks lifecycleHooks for the Kafka container to automate configuration before or after startup + ## + lifecycleHooks: {} + ## Kafka init container resource requests and limits + ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## @param broker.initContainerResources.limits The resources limits for the container + ## @param broker.initContainerResources.requests The requested resources for the container + ## + initContainerResources: + limits: {} + requests: {} + ## Kafka resource requests and limits + ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## @param broker.resources.limits The resources limits for the container + ## @param broker.resources.requests The requested resources for the container + ## + resources: + limits: {} + requests: {} + ## Kafka pods' Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + ## @param broker.podSecurityContext.enabled Enable security context for the pods + ## @param broker.podSecurityContext.fsGroup Set Kafka pod's Security Context fsGroup + ## @param broker.podSecurityContext.seccompProfile.type Set Kafka pod's Security Context seccomp profile + ## + podSecurityContext: + enabled: true + fsGroup: 1001 + seccompProfile: + type: "RuntimeDefault" + ## Kafka containers' Security Context + ## ref: 
https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + ## @param broker.containerSecurityContext.enabled Enable Kafka containers' Security Context + ## @param broker.containerSecurityContext.runAsUser Set Kafka containers' Security Context runAsUser + ## @param broker.containerSecurityContext.runAsNonRoot Set Kafka containers' Security Context runAsNonRoot + ## @param broker.containerSecurityContext.allowPrivilegeEscalation Force the child process to be run as non-privileged + ## @param broker.containerSecurityContext.readOnlyRootFilesystem Allows the pod to mount the RootFS as ReadOnly only + ## @param broker.containerSecurityContext.capabilities.drop Set Kafka containers' server Security Context capabilities to be dropped + ## e.g: + ## containerSecurityContext: + ## enabled: true + ## capabilities: + ## drop: ["NET_RAW"] + ## readOnlyRootFilesystem: true + ## + containerSecurityContext: + enabled: true + runAsUser: 1001 + runAsNonRoot: true + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: + drop: ["ALL"] + ## @param broker.hostAliases Kafka pods host aliases + ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ + ## + hostAliases: [] + ## @param broker.hostNetwork Specify if host network should be enabled for Kafka pods + ## + hostNetwork: false + ## @param broker.hostIPC Specify if host IPC should be enabled for Kafka pods + ## + hostIPC: false + ## @param broker.podLabels Extra labels for Kafka pods + ## Ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + ## + podLabels: {} + ## @param broker.podAnnotations Extra annotations for Kafka pods + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + ## + podAnnotations: {} + ## @param broker.podAffinityPreset Pod affinity preset. Ignored if `affinity` is set. 
Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAffinityPreset: "" + ## @param broker.podAntiAffinityPreset Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard` + ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAntiAffinityPreset: soft + ## Node affinity preset + ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity + ## + nodeAffinityPreset: + ## @param broker.nodeAffinityPreset.type Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` + ## + type: "" + ## @param broker.nodeAffinityPreset.key Node label key to match Ignored if `affinity` is set. + ## E.g. + ## key: "kubernetes.io/e2e-az-name" + ## + key: "" + ## @param broker.nodeAffinityPreset.values Node label values to match. Ignored if `affinity` is set. + ## E.g. 
+ ## values: + ## - e2e-az1 + ## - e2e-az2 + ## + values: [] + ## @param broker.affinity Affinity for pod assignment + ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it's set + ## +%{ if resource.local_resource_config.kafka_data.dataplane_affinity_definition != null ~} + affinity: + ${indent(4, yamlencode(resource.local_resource_config.kafka_data.dataplane_affinity_definition))} +%{ else ~} + affinity: {} +%{ endif ~} + ## @param broker.nodeSelector Node labels for pod assignment + ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: {} + ## @param broker.tolerations Tolerations for pod assignment + ## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + ## + tolerations: [] + ## @param broker.topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template + ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods + ## + topologySpreadConstraints: [] + ## @param broker.terminationGracePeriodSeconds Seconds the pod needs to gracefully terminate + ## ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#hook-handler-execution + ## + terminationGracePeriodSeconds: "" + ## @param broker.podManagementPolicy StatefulSet controller supports relax its ordering guarantees while preserving its uniqueness and identity guarantees. 
There are two valid pod management policies: OrderedReady and Parallel + ## ref: https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#pod-management-policy + ## + podManagementPolicy: Parallel + ## @param broker.minReadySeconds How many seconds a pod needs to be ready before killing the next, during update + ## + minReadySeconds: 0 + ## @param broker.priorityClassName Name of the existing priority class to be used by kafka pods + ## Ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ + ## + priorityClassName: "" + ## @param broker.runtimeClassName Name of the runtime class to be used by pod(s) + ## ref: https://kubernetes.io/docs/concepts/containers/runtime-class/ + ## + runtimeClassName: "" + ## @param broker.enableServiceLinks Whether information about services should be injected into pod's environment variable + ## The environment variables injected by service links are not used, but can lead to slow kafka boot times or slow running of the scripts when there are many services in the current namespace. + ## If you experience slow pod startups or slow running of the scripts you probably want to set this to `false`. 
+ ## + enableServiceLinks: true + ## @param broker.schedulerName Name of the k8s scheduler (other than default) + ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ + ## + schedulerName: "" + ## @param broker.updateStrategy.type Kafka statefulset strategy type + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies + ## + updateStrategy: + type: RollingUpdate + ## @param broker.extraVolumes Optionally specify extra list of additional volumes for the Kafka pod(s) + ## e.g: + ## extraVolumes: + ## - name: kafka-jaas + ## secret: + ## secretName: kafka-jaas + ## + extraVolumes: [] + ## @param broker.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the Kafka container(s) + ## extraVolumeMounts: + ## - name: kafka-jaas + ## mountPath: /bitnami/kafka/config/kafka_jaas.conf + ## subPath: kafka_jaas.conf + ## + extraVolumeMounts: [] + ## @param broker.sidecars Add additional sidecar containers to the Kafka pod(s) + ## e.g: + ## sidecars: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## ports: + ## - name: portname + ## containerPort: 1234 + ## + sidecars: [] + ## @param broker.initContainers Add additional Add init containers to the Kafka pod(s) + ## e.g: + ## initContainers: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## ports: + ## - name: portname + ## containerPort: 1234 + ## + initContainers: [] + ## Kafka Pod Disruption Budget + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ + ## @param broker.pdb.create Deploy a pdb object for the Kafka pod + ## @param broker.pdb.minAvailable Maximum number/percentage of unavailable Kafka replicas + ## @param broker.pdb.maxUnavailable Maximum number/percentage of unavailable Kafka replicas + ## + pdb: + create: false + minAvailable: "" + maxUnavailable: 1 + ## Enable persistence using Persistent Volume Claims + ## ref: 
https://kubernetes.io/docs/user-guide/persistent-volumes/ + ## + persistence: + ## @param broker.persistence.enabled Enable Kafka data persistence using PVC, note that ZooKeeper persistence is unaffected + ## + enabled: true + ## @param broker.persistence.existingClaim A manually managed Persistent Volume and Claim + ## If defined, PVC must be created manually before volume will be bound + ## The value is evaluated as a template + ## + existingClaim: "" + ## @param broker.persistence.storageClass PVC Storage Class for Kafka data volume + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. + ## + storageClass: ${resource.local_resource_config.kafka_data.storage_class_name} + ## @param broker.persistence.accessModes Persistent Volume Access Modes + ## + accessModes: + - ReadWriteOnce + ## @param broker.persistence.size PVC Storage Request for Kafka data volume + ## + size: ${resource.local_resource_config.kafka_data.storage_size} + ## @param broker.persistence.annotations Annotations for the PVC + ## + annotations: {} + ## @param broker.persistence.labels Labels for the PVC + ## + labels: {} + ## @param broker.persistence.selector Selector to match an existing Persistent Volume for Kafka data PVC. 
If set, the PVC can't have a PV dynamically provisioned for it + ## selector: + ## matchLabels: + ## app: my-app + ## + selector: {} + ## @param broker.persistence.mountPath Mount path of the Kafka data volume + ## + mountPath: /bitnami/kafka + ## Log Persistence parameters + ## + logPersistence: + ## @param broker.logPersistence.enabled Enable Kafka logs persistence using PVC, note that ZooKeeper persistence is unaffected + ## + enabled: false + ## @param broker.logPersistence.existingClaim A manually managed Persistent Volume and Claim + ## If defined, PVC must be created manually before volume will be bound + ## The value is evaluated as a template + ## + existingClaim: "" + ## @param broker.logPersistence.storageClass PVC Storage Class for Kafka logs volume + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. + ## + storageClass: "" + ## @param broker.logPersistence.accessModes Persistent Volume Access Modes + ## + accessModes: + - ReadWriteOnce + ## @param broker.logPersistence.size PVC Storage Request for Kafka logs volume + ## + size: 8Gi + ## @param broker.logPersistence.annotations Annotations for the PVC + ## + annotations: {} + ## @param broker.logPersistence.selector Selector to match an existing Persistent Volume for Kafka log data PVC. 
If set, the PVC can't have a PV dynamically provisioned for it + ## selector: + ## matchLabels: + ## app: my-app + ## + selector: {} + ## @param broker.logPersistence.mountPath Mount path of the Kafka logs volume + ## + mountPath: /opt/bitnami/kafka/logs + + +## @section Traffic Exposure parameters +## + + +## @section Metrics parameters +## + +## Prometheus Exporters / Metrics +## +metrics: + ## Prometheus Kafka exporter: exposes complimentary metrics to JMX exporter + ## + kafka: + ## @param metrics.kafka.enabled Whether or not to create a standalone Kafka exporter to expose Kafka metrics + ## + enabled: true + jmx: + ## @param metrics.jmx.enabled Whether or not to expose JMX metrics to Prometheus + ## + enabled: true + serviceMonitor: + ## @param metrics.serviceMonitor.enabled if `true`, creates a Prometheus Operator ServiceMonitor (requires `metrics.kafka.enabled` or `metrics.jmx.enabled` to be `true`) + ## + enabled: true + +## @section Kafka provisioning parameters +## + +## Kafka provisioning +## +provisioning: + ## @param provisioning.enabled Enable kafka provisioning Job + ## + enabled: ${resource.local_resource_config.kafka_provisioning.enabled} + ## @param provisioning.numPartitions Default number of partitions for topics when unspecified + ## + numPartitions: 1 + ## @param provisioning.replicationFactor Default replication factor for topics when unspecified + ## + replicationFactor: 1 + ## @param provisioning.topics Kafka topics to provision + ## - name: topic-name + ## partitions: 1 + ## replicationFactor: 1 + ## ## https://kafka.apache.org/documentation/#topicconfigs + ## config: + ## max.message.bytes: 64000 + ## flush.messages: 1 + ## + topics: + ${indent(4, yamlencode(resource.local_resource_config.kafka_provisioning.topics))} + ## @param provisioning.nodeSelector Node labels for pod assignment + ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: {} + ## @param provisioning.tolerations Tolerations for pod assignment 
+ ## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + ## + +## @section KRaft chart parameters + +## KRaft configuration +## Kafka mode without Zookeeper. Kafka nodes can work as controllers in this mode. +## +kraft: + ## @param kraft.enabled Switch to enable or disable the KRaft mode for Kafka + ## + enabled: true + +zookeeper: + ## @param zookeeper.enabled Switch to enable or disable the ZooKeeper helm chart. Must be false if you use KRaft mode. + ## + enabled: false + ## @param zookeeper.replicaCount Number of ZooKeeper nodes + ## + +extraEnvVars: + - name: GC_LOG_ENABLED + value: 'true' diff --git a/terraform/gitops/stateful-resources/templates/stateful-resources/values-mongodb.yaml.tpl b/terraform/gitops/stateful-resources/templates/stateful-resources/values-mongodb.yaml.tpl new file mode 100644 index 000000000..2a9ea6cd2 --- /dev/null +++ b/terraform/gitops/stateful-resources/templates/stateful-resources/values-mongodb.yaml.tpl 
@@ -0,0 +1,83 @@ +## @section Global parameters +## Global Docker image parameters +## Please, note that this will override the image parameters, including dependencies, configured to use the global value +## Current available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass +## + +## @param global.imageRegistry Global Docker image registry +## @param global.imagePullSecrets Global Docker registry secret names as an array +## @param global.storageClass Global StorageClass for Persistent Volume(s) +## @param global.namespaceOverride Override the namespace for resource deployed by the chart, but can itself be overridden by the local namespaceOverride +## +global: + storageClass: ${resource.local_resource_config.mongodb_data.storage_class_name} + + +## @section Common parameters +## + +## @param nameOverride String to partially override mongodb.fullname template (will maintain the release name) +## +nameOverride: ${resource.resource_name} +## @param fullnameOverride String to fully override mongodb.fullname template +## +fullnameOverride: "" + +## @param architecture MongoDB(®) architecture (`standalone` or `replicaset`) +## +architecture: standalone +## @param useStatefulSet Set to true to use a StatefulSet instead of a Deployment (only when `architecture=standalone`) +## +useStatefulSet: false +## MongoDB(®) Authentication parameters +## +auth: + ## @param auth.enabled Enable authentication + ## ref: https://docs.mongodb.com/manual/tutorial/enable-authentication/ + ## + enabled: true + ## @param auth.rootUser MongoDB(®) root user + ## + rootUser: root + ## MongoDB(®) custom users and databases + ## ref: https://github.com/bitnami/bitnami-docker-mongodb/blob/master/README.md#creating-users-and-databases-on-first-run + ## @param auth.usernames List of custom users to be created during the initialization + ## @param auth.passwords List of passwords for the custom users set at `auth.usernames` + ## @param auth.databases List of custom 
databases to be created during the initialization + ## + usernames: [] + passwords: [] + databases: [] + ## @param auth.username DEPRECATED: use `auth.usernames` instead + ## @param auth.password DEPRECATED: use `auth.passwords` instead + ## @param auth.database DEPRECATED: use `auth.databases` instead + database: ${resource.local_resource_config.mongodb_data.database_name} + username: ${resource.local_resource_config.mongodb_data.user} + ## @param auth.replicaSetKey Key used for authentication in the replicaset (only when `architecture=replicaset`) + ## + replicaSetKey: "" + ## @param auth.existingSecret Existing secret with MongoDB(®) credentials (keys: `mongodb-password`, `mongodb-root-password`, ` mongodb-replica-set-key`) + ## NOTE: When it's set the previous parameters are ignored. + ## + existingSecret: "${resource.local_resource_config.mongodb_data.existing_secret}" + +persistence: + ## @param persistence.enabled Enable MongoDB(®) data persistence using PVC + ## + enabled: true + size: ${resource.local_resource_config.mongodb_data.storage_size} +service: + ports: + mongodb: ${resource.local_resource_config.mongodb_data.service_port} +volumePermissions: + ## @param volumePermissions.enabled Enable init container that changes the owner and group of the persistent volume(s) mountpoint to `runAsUser:fsGroup` + ## + enabled: true + +metrics: + ## @param metrics.enabled Enable using a sidecar Prometheus exporter + ## + enabled: true + serviceMonitor: + ## @param metrics.serviceMonitor.enabled Create ServiceMonitor Resource for scraping metrics using Prometheus Operator + enabled: true diff --git a/terraform/gitops/stateful-resources/templates/stateful-resources/values-mysql.yaml.tpl b/terraform/gitops/stateful-resources/templates/stateful-resources/values-mysql.yaml.tpl new file mode 100644 index 000000000..67e37cad3 --- /dev/null +++ b/terraform/gitops/stateful-resources/templates/stateful-resources/values-mysql.yaml.tpl 
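Review bot: The application user is wired through the keys the hunk's own comments mark DEPRECATED (`username:` and `database:` under `auth`) while the replacement lists `usernames: []` / `databases: []` are left empty, so depending on the pinned Bitnami chart version the custom user may not be created at all and whatever consumes this database would end up falling back to the `root` credentials. Move the values to the list form, e.g. `usernames: ["${resource.local_resource_config.mongodb_data.user}"]` and `databases: ["${resource.local_resource_config.mongodb_data.database_name}"]`, quoted so an empty Terraform value cannot render as a bare null. Two things to confirm against the chart actually deployed: the password key read from `existingSecret` has changed name across chart versions (the comment copied here says `mongodb-password`, newer charts read `mongodb-passwords`), and with `passwords: []` there is no password source for the custom user if `existing_secret` renders empty. `volumePermissions.enabled: true` also adds an init container that, in the Bitnami charts, typically runs as root to chown the PVC; leave it off unless the storage class genuinely needs it, since it widens pod privilege and is rejected under restricted Pod Security admission.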
@@ -0,0 +1,1122 @@ +## @section Global parameters +## Global Docker image parameters +## Please, note that this will override the image parameters, including dependencies, configured to use the global value +## Current available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass +## + +## @param global.imageRegistry Global Docker image registry +## @param global.imagePullSecrets Global Docker registry secret names as an array +## @param global.storageClass Global StorageClass for Persistent Volume(s) +## +global: + imageRegistry: "" + ## E.g. + ## imagePullSecrets: + ## - myRegistryKeySecretName + ## + imagePullSecrets: [] + storageClass: "" + +## @section Common parameters +## + +## @param kubeVersion Force target Kubernetes version (using Helm capabilities if not set) +## +kubeVersion: "" +## @param nameOverride String to partially override common.names.fullname template (will maintain the release name) +## +nameOverride: ${resource.resource_name} +## @param fullnameOverride String to fully override common.names.fullname template +## +fullnameOverride: "" + +## @param serviceBindings.enabled Create secret for service binding (Experimental) +## Ref: https://servicebinding.io/service-provider/ + + +## Enable diagnostic mode in the deployment +## +diagnosticMode: + ## @param diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden) + ## + enabled: false + ## @param diagnosticMode.command Command to override all containers in the deployment + ## + command: + - sleep + ## @param diagnosticMode.args Args to override all containers in the deployment + ## + args: + - infinity + +## @section MySQL common parameters +## + +## Bitnami MySQL image +## ref: https://hub.docker.com/r/bitnami/mysql/tags/ +## @param image.registry MySQL image registry +## @param image.repository MySQL image repository +## @param image.tag MySQL image tag (immutable tags are recommended) +## @param image.digest 
MySQL image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag +## @param image.pullPolicy MySQL image pull policy +## @param image.pullSecrets Specify docker-registry secret names as an array +## @param image.debug Specify if debug logs should be enabled +## +image: + ## Specify a imagePullPolicy + ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace) + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## Example: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## Set to true if you would like to see extra information on logs + ## It turns BASH and/or NAMI debugging in the image + ## + debug: false +## @param architecture MySQL architecture (`standalone` or `replication`) +## +architecture: ${resource.local_resource_config.mysql_data.architecture} +## MySQL Authentication parameters +## +auth: + ## @param auth.rootPassword Password for the `root` user. 
Ignored if existing secret is provided + ## ref: https://github.com/bitnami/containers/tree/main/bitnami/mysql#setting-the-root-password-on-first-run + ## + rootPassword: "${resource.local_resource_config.mysql_data.root_password}" + ## @param auth.database Name for a custom database to create + ## ref: https://github.com/bitnami/containers/tree/main/bitnami/mysql#creating-a-database-on-first-run + ## + database: ${resource.local_resource_config.mysql_data.database_name} + ## @param auth.username Name for a custom user to create + ## ref: https://github.com/bitnami/containers/tree/main/bitnami/mysql#creating-a-database-user-on-first-run + ## + username: ${resource.local_resource_config.mysql_data.user} + ## @param auth.replicationUser MySQL replication user + ## ref: https://github.com/bitnami/bitnami-docker-mysql#setting-up-a-replication-cluster + ## + password: "${resource.local_resource_config.mysql_data.user_password}" + ## @param auth.replicationUser MySQL replication user + ## ref: https://github.com/bitnami/containers/tree/main/bitnami/mysql#setting-up-a-replication-cluster + ## + replicationUser: replicator + ## @param auth.replicationPassword MySQL replication user password. Ignored if existing secret is provided + ## + replicationPassword: "${resource.local_resource_config.mysql_data.root_password}" + + existingSecret: "${resource.local_resource_config.mysql_data.existing_secret}" + +## @section MySQL Primary parameters +## + +primary: + ## @param primary.name Name of the primary database (eg primary, master, leader, ...) 
+ ## + name: primary + ## @param primary.command Override default container command on MySQL Primary container(s) (useful when using custom images) + ## + command: [] + ## @param primary.args Override default container args on MySQL Primary container(s) (useful when using custom images) + ## + args: [] + ## @param primary.lifecycleHooks for the MySQL Primary container(s) to automate configuration before or after startup + ## + lifecycleHooks: {} + ## @param primary.hostAliases Deployment pod host aliases + ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ + ## + hostAliases: [] + ## @param primary.configuration [string] Configure MySQL Primary with a custom my.cnf file + ## ref: https://mysql.com/kb/en/mysql/configuring-mysql-with-mycnf/#example-of-configuration-file + ## + configuration: |- + [mysqld] + default_authentication_plugin=${resource.local_resource_config.mysql_data.default_authentication_plugin} + skip-name-resolve + explicit_defaults_for_timestamp + basedir=${resource.local_resource_config.mysql_data.basedir} + plugin_dir=${resource.local_resource_config.mysql_data.plugin_dir} + port=${resource.local_resource_config.mysql_data.port} + socket=${resource.local_resource_config.mysql_data.socket} + datadir=${resource.local_resource_config.mysql_data.datadir} + tmpdir=${resource.local_resource_config.mysql_data.tmpdir} + max_allowed_packet=${resource.local_resource_config.mysql_data.max_allowed_packet} + bind-address=${resource.local_resource_config.mysql_data.bind-address} + pid-file=${resource.local_resource_config.mysql_data.pid-file} + log-error=${resource.local_resource_config.mysql_data.log-error} + character-set-server=${resource.local_resource_config.mysql_data.character-set-server} + collation-server=${resource.local_resource_config.mysql_data.collation-server} + general_log=${resource.local_resource_config.mysql_data.general_log} + 
slow_query_log=${resource.local_resource_config.mysql_data.slow_query_log} + slow_query_log_file=/opt/bitnami/mysql/logs/mysqld.log + long_query_time=${resource.local_resource_config.mysql_data.long_query_time} + innodb_use_native_aio=${resource.local_resource_config.mysql_data.innodb_use_native_aio} + max_connections=${resource.local_resource_config.mysql_data.max_connections} + innodb_buffer_pool_size=${resource.local_resource_config.mysql_data.innodb_buffer_pool_size} + + [client] + port=${resource.local_resource_config.mysql_data.port} + socket=${resource.local_resource_config.mysql_data.socket} + default-character-set=UTF8 + plugin_dir=${resource.local_resource_config.mysql_data.plugin_dir} + + [manager] + port=${resource.local_resource_config.mysql_data.port} + socket=${resource.local_resource_config.mysql_data.socket} + pid-file=${resource.local_resource_config.mysql_data.pid-file} + ## @param primary.existingConfigmap Name of existing ConfigMap with MySQL Primary configuration. + ## NOTE: When it's set the 'configuration' parameter is ignored + ## + existingConfigmap: "" + ## @param primary.updateStrategy.type Update strategy type for the MySQL primary statefulset + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies + ## + updateStrategy: + type: RollingUpdate + ## @param primary.podAnnotations Additional pod annotations for MySQL primary pods + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + ## + podAnnotations: {} + ## @param primary.podAffinityPreset MySQL primary pod affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAffinityPreset: "" + ## @param primary.podAntiAffinityPreset MySQL primary pod anti-affinity preset. Ignored if `primary.affinity` is set. 
Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAntiAffinityPreset: soft + ## MySQL Primary node affinity preset + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity + ## + nodeAffinityPreset: + ## @param primary.nodeAffinityPreset.type MySQL primary node affinity preset type. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` + ## + type: "" + ## @param primary.nodeAffinityPreset.key MySQL primary node label key to match Ignored if `primary.affinity` is set. + ## E.g. + ## key: "kubernetes.io/e2e-az-name" + ## + key: "" + ## @param primary.nodeAffinityPreset.values MySQL primary node label values to match. Ignored if `primary.affinity` is set. + ## E.g. + ## values: + ## - e2e-az1 + ## - e2e-az2 + ## + values: [] + ## @param primary.affinity Affinity for MySQL primary pods assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it's set + ## +%{ if resource.local_resource_config.mysql_data.affinity_definition != null ~} + affinity: + ${indent(4, yamlencode(resource.local_resource_config.mysql_data.affinity_definition))} +%{ else ~} + affinity: {} +%{ endif ~} + ## @param primary.nodeSelector Node labels for MySQL primary pods assignment + ## ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: {} + ## @param primary.tolerations Tolerations for MySQL primary pods assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + ## + tolerations: [] + ## @param primary.priorityClassName MySQL primary pods' priorityClassName + ## + priorityClassName: "" + ## @param primary.runtimeClassName MySQL primary pods' runtimeClassName + ## + runtimeClassName: "" + ## @param 
primary.schedulerName Name of the k8s scheduler (other than default) + ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ + ## + schedulerName: "" + ## @param primary.terminationGracePeriodSeconds In seconds, time the given to the MySQL primary pod needs to terminate gracefully + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods + ## + terminationGracePeriodSeconds: "" + ## @param primary.topologySpreadConstraints Topology Spread Constraints for pod assignment + ## https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + ## The value is evaluated as a template + ## + topologySpreadConstraints: [] + ## @param primary.podManagementPolicy podManagementPolicy to manage scaling operation of MySQL primary pods + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#pod-management-policies + ## + podManagementPolicy: "" + ## MySQL primary Pod security context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + ## @param primary.podSecurityContext.enabled Enable security context for MySQL primary pods + ## @param primary.podSecurityContext.fsGroup Group ID for the mounted volumes' filesystem + ## + podSecurityContext: + enabled: true + fsGroup: 1001 + ## MySQL primary container security context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + ## @param primary.containerSecurityContext.enabled MySQL primary container securityContext + ## @param primary.containerSecurityContext.runAsUser User ID for the MySQL primary container + ## @param primary.containerSecurityContext.runAsNonRoot Set MySQL primary container's Security Context runAsNonRoot + ## + containerSecurityContext: + enabled: true + runAsUser: 1001 + runAsNonRoot: true + ## MySQL primary container's resource requests and limits + ## ref: 
https://kubernetes.io/docs/user-guide/compute-resources/ + ## We usually recommend not to specify default resources and to leave this as a conscious + ## choice for the user. This also increases chances charts run on environments with little + ## resources, such as Minikube. If you do want to specify resources, uncomment the following + ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. + ## @param primary.resources.limits The resources limits for MySQL primary containers + ## @param primary.resources.requests The requested resources for MySQL primary containers + ## + resources: + ## Example: + ## limits: + ## cpu: 250m + ## memory: 256Mi + ## + limits: {} + ## Examples: + ## requests: + ## cpu: 250m + ## memory: 256Mi + ## + requests: {} + ## Configure extra options for liveness probe + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes + ## @param primary.livenessProbe.enabled Enable livenessProbe + ## @param primary.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe + ## @param primary.livenessProbe.periodSeconds Period seconds for livenessProbe + ## @param primary.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe + ## @param primary.livenessProbe.failureThreshold Failure threshold for livenessProbe + ## @param primary.livenessProbe.successThreshold Success threshold for livenessProbe + ## + livenessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 3 + successThreshold: 1 + ## Configure extra options for readiness probe + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes + ## @param primary.readinessProbe.enabled Enable readinessProbe + ## @param primary.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe + ## @param primary.readinessProbe.periodSeconds Period seconds for 
readinessProbe + ## @param primary.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe + ## @param primary.readinessProbe.failureThreshold Failure threshold for readinessProbe + ## @param primary.readinessProbe.successThreshold Success threshold for readinessProbe + ## + readinessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 3 + successThreshold: 1 + ## Configure extra options for startupProbe probe + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes + ## @param primary.startupProbe.enabled Enable startupProbe + ## @param primary.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe + ## @param primary.startupProbe.periodSeconds Period seconds for startupProbe + ## @param primary.startupProbe.timeoutSeconds Timeout seconds for startupProbe + ## @param primary.startupProbe.failureThreshold Failure threshold for startupProbe + ## @param primary.startupProbe.successThreshold Success threshold for startupProbe + ## + startupProbe: + enabled: true + initialDelaySeconds: 15 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 10 + successThreshold: 1 + ## @param primary.customLivenessProbe Override default liveness probe for MySQL primary containers + ## + customLivenessProbe: {} + ## @param primary.customReadinessProbe Override default readiness probe for MySQL primary containers + ## + customReadinessProbe: {} + ## @param primary.customStartupProbe Override default startup probe for MySQL primary containers + ## + customStartupProbe: {} + ## @param primary.extraFlags MySQL primary additional command line flags + ## Can be used to specify command line flags, for example: + ## E.g. + ## extraFlags: "--max-connect-errors=1000 --max_connections=155" + ## + extraFlags: "" + ## @param primary.extraEnvVars Extra environment variables to be set on MySQL primary containers + ## E.g. 
+ ## extraEnvVars: + ## - name: TZ + ## value: "Europe/Paris" + ## + extraEnvVars: [] + ## @param primary.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for MySQL primary containers + ## + extraEnvVarsCM: "" + ## @param primary.extraEnvVarsSecret Name of existing Secret containing extra env vars for MySQL primary containers + ## + extraEnvVarsSecret: "" + ## @param primary.extraPorts Extra ports to expose + ## + extraPorts: [] + ## Enable persistence using Persistent Volume Claims + ## ref: https://kubernetes.io/docs/user-guide/persistent-volumes/ + ## + persistence: + ## @param primary.persistence.enabled Enable persistence on MySQL primary replicas using a `PersistentVolumeClaim`. If false, use emptyDir + ## + enabled: true + ## @param primary.persistence.existingClaim Name of an existing `PersistentVolumeClaim` for MySQL primary replicas + ## NOTE: When it's set the rest of persistence parameters are ignored + ## + existingClaim: "" + ## @param primary.persistence.subPath The name of a volume's sub path to mount for persistence + ## + subPath: "" + ## @param primary.persistence.storageClass MySQL primary persistent volume storage Class + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. 
(gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + storageClass: ${resource.local_resource_config.mysql_data.storage_class_name} + ## @param primary.persistence.annotations [object] MySQL primary persistent volume claim annotations + ## + annotations: {} + ## @param primary.persistence.accessModes MySQL primary persistent volume access Modes + ## + accessModes: + - ReadWriteOnce + ## @param primary.persistence.size MySQL primary persistent volume size + ## + size: ${resource.local_resource_config.mysql_data.storage_size} + ## @param primary.persistence.selector [object] Selector to match an existing Persistent Volume + ## selector: + ## matchLabels: + ## app: my-app + ## + selector: {} + ## @param primary.extraVolumes Optionally specify extra list of additional volumes to the MySQL Primary pod(s) + ## + extraVolumes: [] + ## @param primary.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the MySQL Primary container(s) + ## + extraVolumeMounts: [] + ## @param primary.initContainers Add additional init containers for the MySQL Primary pod(s) + ## + initContainers: [] + ## @param primary.sidecars Add additional sidecar containers for the MySQL Primary pod(s) + ## + sidecars: [] + ## MySQL Primary Service parameters + ## + service: + ## @param primary.service.type MySQL Primary K8s service type + ## + type: ClusterIP + ## @param primary.service.ports.mysql MySQL Primary K8s service port + ## + ports: + mysql: ${resource.local_resource_config.mysql_data.service_port} +## @section MySQL Secondary parameters +## + +secondary: + ## @param secondary.name Name of the secondary database (eg secondary, slave, ...) 
+ ## + name: secondary + ## @param secondary.replicaCount Number of MySQL secondary replicas + ## + replicaCount: ${resource.local_resource_config.mysql_data.replica_count} + + ## @param secondary.configuration [string] Configure MySQL Secondary with a custom my.cnf file + ## ref: https://mysql.com/kb/en/mysql/configuring-mysql-with-mycnf/#example-of-configuration-file + ## + configuration: |- + [mysqld] + default_authentication_plugin=${resource.local_resource_config.mysql_data.default_authentication_plugin} + skip-name-resolve + explicit_defaults_for_timestamp + basedir=/opt/bitnami/mysql + plugin_dir=${resource.local_resource_config.mysql_data.plugin_dir} + port=${resource.local_resource_config.mysql_data.port} + socket=${resource.local_resource_config.mysql_data.socket} + datadir=${resource.local_resource_config.mysql_data.datadir} + tmpdir=${resource.local_resource_config.mysql_data.tmpdir} + max_allowed_packet=${resource.local_resource_config.mysql_data.max_allowed_packet} + bind-address=${resource.local_resource_config.mysql_data.bind-address} + pid-file=${resource.local_resource_config.mysql_data.pid-file} + log-error=/opt/bitnami/mysql/logs/mysqld.log + character-set-server=UTF8 + collation-server=utf8_general_ci + general_log=${resource.local_resource_config.mysql_data.general_log} + slow_query_log=${resource.local_resource_config.mysql_data.slow_query_log} + slow_query_log_file=/opt/bitnami/mysql/logs/mysqld.log + long_query_time=10.0 + innodb_use_native_aio=0 + + [client] + port=${resource.local_resource_config.mysql_data.port} + socket=${resource.local_resource_config.mysql_data.socket} + default-character-set=UTF8 + plugin_dir=${resource.local_resource_config.mysql_data.plugin_dir} + + [manager] + port=${resource.local_resource_config.mysql_data.port} + socket=${resource.local_resource_config.mysql_data.socket} + pid-file=${resource.local_resource_config.mysql_data.pid-file} + ## @param secondary.existingConfigmap Name of existing ConfigMap with MySQL 
Secondary configuration. + ## NOTE: When it's set the 'configuration' parameter is ignored + ## + existingConfigmap: "" + ## @param secondary.updateStrategy.type Update strategy type for the MySQL secondary statefulset + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies + ## + updateStrategy: + type: RollingUpdate + ## @param secondary.podAnnotations Additional pod annotations for MySQL secondary pods + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + ## + podAnnotations: {} + ## @param secondary.podAffinityPreset MySQL secondary pod affinity preset. Ignored if `secondary.affinity` is set. Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAffinityPreset: "" + ## @param secondary.podAntiAffinityPreset MySQL secondary pod anti-affinity preset. Ignored if `secondary.affinity` is set. Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## Allowed values: soft, hard + ## + podAntiAffinityPreset: soft + ## MySQL Secondary node affinity preset + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity + ## + nodeAffinityPreset: + ## @param secondary.nodeAffinityPreset.type MySQL secondary node affinity preset type. Ignored if `secondary.affinity` is set. Allowed values: `soft` or `hard` + ## + type: "" + ## @param secondary.nodeAffinityPreset.key MySQL secondary node label key to match Ignored if `secondary.affinity` is set. + ## E.g. + ## key: "kubernetes.io/e2e-az-name" + ## + key: "" + ## @param secondary.nodeAffinityPreset.values MySQL secondary node label values to match. Ignored if `secondary.affinity` is set. + ## E.g. 
+ ## values: + ## - e2e-az1 + ## - e2e-az2 + ## + values: [] + ## @param secondary.affinity Affinity for MySQL secondary pods assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it's set + ## +%{ if resource.local_resource_config.mysql_data.affinity_definition != null ~} + affinity: + ${indent(4, yamlencode(resource.local_resource_config.mysql_data.affinity_definition))} +%{ else ~} + affinity: {} +%{ endif ~} + ## @param secondary.nodeSelector Node labels for MySQL secondary pods assignment + ## ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: {} + ## @param secondary.tolerations Tolerations for MySQL secondary pods assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + ## + tolerations: [] + ## @param secondary.priorityClassName MySQL secondary pods' priorityClassName + ## + priorityClassName: "" + ## @param secondary.runtimeClassName MySQL secondary pods' runtimeClassName + ## + runtimeClassName: "" + ## @param secondary.schedulerName Name of the k8s scheduler (other than default) + ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ + ## + schedulerName: "" + ## @param secondary.terminationGracePeriodSeconds In seconds, time the given to the MySQL secondary pod needs to terminate gracefully + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods + ## + terminationGracePeriodSeconds: "" + ## @param secondary.topologySpreadConstraints Topology Spread Constraints for pod assignment + ## https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + ## The value is evaluated as a template + ## + topologySpreadConstraints: [] + ## @param secondary.podManagementPolicy podManagementPolicy to manage scaling operation of MySQL secondary pods + ## ref: 
https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#pod-management-policies + ## + podManagementPolicy: "" + ## MySQL secondary Pod security context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + ## @param secondary.podSecurityContext.enabled Enable security context for MySQL secondary pods + ## @param secondary.podSecurityContext.fsGroup Group ID for the mounted volumes' filesystem + ## + podSecurityContext: + enabled: true + fsGroup: 1001 + ## MySQL secondary container security context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + ## @param secondary.containerSecurityContext.enabled MySQL secondary container securityContext + ## @param secondary.containerSecurityContext.runAsUser User ID for the MySQL secondary container + ## @param secondary.containerSecurityContext.runAsNonRoot Set MySQL secondary container's Security Context runAsNonRoot + ## + containerSecurityContext: + enabled: true + runAsUser: 1001 + runAsNonRoot: true + ## MySQL secondary container's resource requests and limits + ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## We usually recommend not to specify default resources and to leave this as a conscious + ## choice for the user. This also increases chances charts run on environments with little + ## resources, such as Minikube. If you do want to specify resources, uncomment the following + ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. 
+ ## @param secondary.resources.limits The resources limits for MySQL secondary containers + ## @param secondary.resources.requests The requested resources for MySQL secondary containers + ## + resources: + ## Example: + ## limits: + ## cpu: 250m + ## memory: 256Mi + ## + limits: {} + ## Examples: + ## requests: + ## cpu: 250m + ## memory: 256Mi + ## + requests: {} + ## Configure extra options for liveness probe + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes + ## @param secondary.livenessProbe.enabled Enable livenessProbe + ## @param secondary.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe + ## @param secondary.livenessProbe.periodSeconds Period seconds for livenessProbe + ## @param secondary.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe + ## @param secondary.livenessProbe.failureThreshold Failure threshold for livenessProbe + ## @param secondary.livenessProbe.successThreshold Success threshold for livenessProbe + ## + livenessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 3 + successThreshold: 1 + ## Configure extra options for readiness probe + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes + ## @param secondary.readinessProbe.enabled Enable readinessProbe + ## @param secondary.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe + ## @param secondary.readinessProbe.periodSeconds Period seconds for readinessProbe + ## @param secondary.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe + ## @param secondary.readinessProbe.failureThreshold Failure threshold for readinessProbe + ## @param secondary.readinessProbe.successThreshold Success threshold for readinessProbe + ## + readinessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 1 + 
failureThreshold: 3 + successThreshold: 1 + ## Configure extra options for startupProbe probe + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes + ## @param secondary.startupProbe.enabled Enable startupProbe + ## @param secondary.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe + ## @param secondary.startupProbe.periodSeconds Period seconds for startupProbe + ## @param secondary.startupProbe.timeoutSeconds Timeout seconds for startupProbe + ## @param secondary.startupProbe.failureThreshold Failure threshold for startupProbe + ## @param secondary.startupProbe.successThreshold Success threshold for startupProbe + ## + startupProbe: + enabled: true + initialDelaySeconds: 15 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 15 + successThreshold: 1 + ## @param secondary.customLivenessProbe Override default liveness probe for MySQL secondary containers + ## + customLivenessProbe: {} + ## @param secondary.customReadinessProbe Override default readiness probe for MySQL secondary containers + ## + customReadinessProbe: {} + ## @param secondary.customStartupProbe Override default startup probe for MySQL secondary containers + ## + customStartupProbe: {} + ## @param secondary.extraFlags MySQL secondary additional command line flags + ## Can be used to specify command line flags, for example: + ## E.g. + ## extraFlags: "--max-connect-errors=1000 --max_connections=155" + ## + extraFlags: "" + ## @param secondary.extraEnvVars An array to add extra environment variables on MySQL secondary containers + ## E.g. 
+ ## extraEnvVars:
+ ## - name: TZ
+ ## value: "Europe/Paris"
+ ##
+ extraEnvVars: []
+ ## @param secondary.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for MySQL secondary containers
+ ##
+ extraEnvVarsCM: ""
+ ## @param secondary.extraEnvVarsSecret Name of existing Secret containing extra env vars for MySQL secondary containers
+ ##
+ extraEnvVarsSecret: ""
+ ## @param secondary.extraPorts Extra ports to expose
+ ##
+ extraPorts: []
+ ## Enable persistence using Persistent Volume Claims
+ ## ref: https://kubernetes.io/docs/user-guide/persistent-volumes/
+ ##
+ persistence:
+ ## @param secondary.persistence.enabled Enable persistence on MySQL secondary replicas using a `PersistentVolumeClaim`
+ ##
+ enabled: true
+ ## @param secondary.persistence.existingClaim Name of an existing `PersistentVolumeClaim` for MySQL secondary replicas
+ ## NOTE: When it's set the rest of persistence parameters are ignored
+ ##
+ existingClaim: ""
+ ## @param secondary.persistence.subPath The name of a volume's sub path to mount for persistence
+ ##
+ subPath: ""
+ ## @param secondary.persistence.storageClass MySQL secondary persistent volume storage Class
+ ## If defined, storageClassName:
+ ## If set to "-", storageClassName: "", which disables dynamic provisioning
+ ## If undefined (the default) or set to null, no storageClassName spec is
+ ## set, choosing the default provisioner. (gp2 on AWS, standard on
+ ## GKE, AWS & OpenStack)
+ ##
+ storageClass: ${resource.local_resource_config.mysql_data.storage_class_name}
+ ## @param secondary.persistence.annotations [object] MySQL secondary persistent volume claim annotations
+ ##
+ annotations: {}
+ ## @param secondary.persistence.accessModes MySQL secondary persistent volume access Modes
+ ##
+ accessModes:
+ - ReadWriteOnce
+ ## @param secondary.persistence.size MySQL secondary persistent volume size
+ ##
+ size: ${resource.local_resource_config.mysql_data.storage_size}
+ ## @param secondary.persistence.selector [object] Selector to match an existing Persistent Volume
+ ## selector:
+ ## matchLabels:
+ ## app: my-app
+ ##
+ selector: {}
+ ## @param secondary.extraVolumes Optionally specify extra list of additional volumes to the MySQL secondary pod(s)
+ ##
+ extraVolumes: []
+ ## @param secondary.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the MySQL secondary container(s)
+ ##
+ extraVolumeMounts: []
+ ## @param secondary.initContainers Add additional init containers for the MySQL secondary pod(s)
+ ##
+ initContainers: []
+ ## @param secondary.sidecars Add additional sidecar containers for the MySQL secondary pod(s)
+ ##
+ sidecars: []
+ ## MySQL Secondary Service parameters
+ ##
+ service:
+ ## @param secondary.service.type MySQL secondary Kubernetes service type
+ ##
+ type: ClusterIP
+ ## @param secondary.service.ports.mysql MySQL secondary Kubernetes service port
+ ##
+ ports:
+ mysql: 3306
+ ## @param secondary.service.nodePorts.mysql MySQL secondary Kubernetes service node port
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
+ ##
+ nodePorts:
+ mysql: ""
+ ## @param secondary.service.clusterIP MySQL secondary Kubernetes service clusterIP IP
+ ## e.g:
+ ## clusterIP: None
+ ##
+ clusterIP: ""
+ ## @param secondary.service.loadBalancerIP MySQL secondary loadBalancerIP if service type is `LoadBalancer`
+ ## Set the LoadBalancer service type to internal only
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
+ ##
+ loadBalancerIP: ""
+ ## @param secondary.service.externalTrafficPolicy Enable client source IP preservation
+ ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
+ ##
+ externalTrafficPolicy: Cluster
+ ## @param secondary.service.loadBalancerSourceRanges Addresses that are allowed when MySQL secondary service is LoadBalancer
+ ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
+ ## E.g.
+ ## loadBalancerSourceRanges:
+ ## - 10.10.10.0/24
+ ##
+ loadBalancerSourceRanges: []
+ ## @param secondary.service.extraPorts Extra ports to expose (normally used with the `sidecar` value)
+ ##
+ extraPorts: []
+ ## @param secondary.service.annotations Additional custom annotations for MySQL secondary service
+ ##
+ annotations: {}
+ ## @param secondary.service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP"
+ ## If "ClientIP", consecutive client requests will be directed to the same Pod
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies
+ ##
+ sessionAffinity: None
+ ## @param secondary.service.sessionAffinityConfig Additional settings for the sessionAffinity
+ ## sessionAffinityConfig:
+ ## clientIP:
+ ## timeoutSeconds: 300
+ ##
+ sessionAffinityConfig: {}
+ ## Headless service properties
+ ##
+ headless:
+ ## @param secondary.service.headless.annotations Additional custom annotations for headless MySQL secondary service.
+ ##
+ annotations: {}
+
+ ## MySQL secondary Pod Disruption Budget configuration
+ ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
+ ##
+ pdb:
+ ## @param secondary.pdb.create Enable/disable a Pod Disruption Budget creation for MySQL secondary pods
+ ##
+ create: false
+ ## @param secondary.pdb.minAvailable Minimum number/percentage of MySQL secondary pods that should remain scheduled
+ ##
+ minAvailable: 1
+ ## @param secondary.pdb.maxUnavailable Maximum number/percentage of MySQL secondary pods that may be made unavailable
+ ##
+ maxUnavailable: ""
+ ## @param secondary.podLabels Additional pod labels for MySQL secondary pods
+ ##
+ podLabels: {}
+
+## @section RBAC parameters
+##
+
+## MySQL pods ServiceAccount
+## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
+##
+serviceAccount:
+ ## @param serviceAccount.create Enable the creation of a ServiceAccount for MySQL pods
+ ##
+ create: true
+ ## @param serviceAccount.name Name of the created ServiceAccount
+ ## If not set and create is true, a name is generated using the mysql.fullname template
+ ##
+ name: ""
+ ## @param serviceAccount.annotations Annotations for MySQL Service Account
+ ##
+ annotations: {}
+ ## @param serviceAccount.automountServiceAccountToken Automount service account token for the server service account
+ ##
+ automountServiceAccountToken: true
+
+## Role Based Access
+## ref: https://kubernetes.io/docs/admin/authorization/rbac/
+##
+rbac:
+ ## @param rbac.create Whether to create & use RBAC resources or not
+ ##
+ create: false
+ ## @param rbac.rules Custom RBAC rules to set
+ ## e.g:
+ ## rules:
+ ## - apiGroups:
+ ## - ""
+ ## resources:
+ ## - pods
+ ## verbs:
+ ## - get
+ ## - list
+ ##
+ rules: []
+
+## @section Network Policy
+##
+
+## MySQL Nework Policy configuration
+##
+networkPolicy:
+ ## @param networkPolicy.enabled Enable creation of NetworkPolicy resources
+ ##
+ enabled: false
+ ## @param networkPolicy.allowExternal The Policy model to apply.
+ ## When set to false, only pods with the correct
+ ## client label will have network access to the port MySQL is listening
+ ## on. When true, MySQL will accept connections from any source
+ ## (with the correct destination port).
+ ##
+ allowExternal: true
+ ## @param networkPolicy.explicitNamespacesSelector A Kubernetes LabelSelector to explicitly select namespaces from which ingress traffic could be allowed to MySQL
+ ## If explicitNamespacesSelector is missing or set to {}, only client Pods that are in the networkPolicy's namespace
+ ## and that match other criteria, the ones that have the good label, can reach the DB.
+ ## But sometimes, we want the DB to be accessible to clients from other namespaces, in this case, we can use this
+ ## LabelSelector to select these namespaces, note that the networkPolicy's namespace should also be explicitly added.
+ ##
+ ## Example:
+ ## explicitNamespacesSelector:
+ ## matchLabels:
+ ## role: frontend
+ ## matchExpressions:
+ ## - {key: role, operator: In, values: [frontend]}
+ ##
+ explicitNamespacesSelector: {}
+
+## @section Volume Permissions parameters
+##
+
+volumePermissions:
+ ## @param volumePermissions.enabled Enable init container that changes the owner and group of the persistent volume(s) mountpoint to `runAsUser:fsGroup`
+ ##
+ enabled: true
+ ## @param volumePermissions.image.registry Init container volume-permissions image registry
+ ## @param volumePermissions.image.repository Init container volume-permissions image repository
+ ## @param volumePermissions.image.tag Init container volume-permissions image tag (immutable tags are recommended)
+ ## @param volumePermissions.image.digest Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
+ ## @param volumePermissions.image.pullPolicy Init container volume-permissions image pull policy
+ ## @param volumePermissions.image.pullSecrets Specify docker-registry secret names as an array
+ ##
+ image:
+ pullPolicy: IfNotPresent
+ ## Optionally specify an array of imagePullSecrets.
+ ## Secrets must be manually created in the namespace.
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+ ## e.g:
+ ## pullSecrets:
+ ## - myRegistryKeySecretName
+ ##
+ pullSecrets: []
+ ## @param volumePermissions.resources Init container volume-permissions resources
+ ##
+ resources: {}
+
+## @section Metrics parameters
+##
+
+## Mysqld Prometheus exporter parameters
+##
+metrics:
+ ## @param metrics.enabled Start a side-car prometheus exporter
+ ##
+ enabled: true
+ ## @param metrics.image.registry Exporter image registry
+ ## @param metrics.image.repository Exporter image repository
+ ## @param metrics.image.tag Exporter image tag (immutable tags are recommended)
+ ## @param metrics.image.digest Exporter image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
+ ## @param metrics.image.pullPolicy Exporter image pull policy
+ ## @param metrics.image.pullSecrets Specify docker-registry secret names as an array
+ ##
+ image:
+ pullPolicy: IfNotPresent
+ ## Optionally specify an array of imagePullSecrets.
+ ## Secrets must be manually created in the namespace.
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+ ## e.g:
+ ## pullSecrets:
+ ## - myRegistryKeySecretName
+ ##
+ pullSecrets: []
+ ## MySQL metrics container security context
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
+ ## @param metrics.containerSecurityContext.enabled MySQL metrics container securityContext
+ ## @param metrics.containerSecurityContext.runAsUser User ID for the MySQL metrics container
+ ## @param metrics.containerSecurityContext.runAsNonRoot Set MySQL metrics container's Security Context runAsNonRoot
+ ##
+ containerSecurityContext:
+ enabled: true
+ runAsUser: 1001
+ runAsNonRoot: true
+ ## MySQL Prometheus exporter service parameters
+ ## Mysqld Prometheus exporter liveness and readiness probes
+ ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes
+ ## @param metrics.service.type Kubernetes service type for MySQL Prometheus Exporter
+ ## @param metrics.service.port MySQL Prometheus Exporter service port
+ ## @param metrics.service.annotations [object] Prometheus exporter service annotations
+ ##
+ service:
+ type: ClusterIP
+ port: 9104
+ annotations:
+ prometheus.io/scrape: "true"
+ prometheus.io/port: "{{ .Values.metrics.service.port }}"
+ ## @param metrics.extraArgs.primary Extra args to be passed to mysqld_exporter on Primary pods
+ ## @param metrics.extraArgs.secondary Extra args to be passed to mysqld_exporter on Secondary pods
+ ## ref: https://github.com/prometheus/mysqld_exporter/
+ ## E.g.
+ ## - --collect.auto_increment.columns
+ ## - --collect.binlog_size
+ ## - --collect.engine_innodb_status
+ ## - --collect.engine_tokudb_status
+ ## - --collect.global_status
+ ## - --collect.global_variables
+ ## - --collect.info_schema.clientstats
+ ## - --collect.info_schema.innodb_metrics
+ ## - --collect.info_schema.innodb_tablespaces
+ ## - --collect.info_schema.innodb_cmp
+ ## - --collect.info_schema.innodb_cmpmem
+ ## - --collect.info_schema.processlist
+ ## - --collect.info_schema.processlist.min_time
+ ## - --collect.info_schema.query_response_time
+ ## - --collect.info_schema.tables
+ ## - --collect.info_schema.tables.databases
+ ## - --collect.info_schema.tablestats
+ ## - --collect.info_schema.userstats
+ ## - --collect.perf_schema.eventsstatements
+ ## - --collect.perf_schema.eventsstatements.digest_text_limit
+ ## - --collect.perf_schema.eventsstatements.limit
+ ## - --collect.perf_schema.eventsstatements.timelimit
+ ## - --collect.perf_schema.eventswaits
+ ## - --collect.perf_schema.file_events
+ ## - --collect.perf_schema.file_instances
+ ## - --collect.perf_schema.indexiowaits
+ ## - --collect.perf_schema.tableiowaits
+ ## - --collect.perf_schema.tablelocks
+ ## - --collect.perf_schema.replication_group_member_stats
+ ## - --collect.slave_status
+ ## - --collect.slave_hosts
+ ## - --collect.heartbeat
+ ## - --collect.heartbeat.database
+ ## - --collect.heartbeat.table
+ ##
+ extraArgs:
+ primary: []
+ secondary: []
+ ## Mysqld Prometheus exporter resource requests and limits
+ ## ref: https://kubernetes.io/docs/user-guide/compute-resources/
+ ## We usually recommend not to specify default resources and to leave this as a conscious
+ ## choice for the user. This also increases chances charts run on environments with little
+ ## resources, such as Minikube. If you do want to specify resources, uncomment the following
+ ## lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+ ## @param metrics.resources.limits The resources limits for MySQL prometheus exporter containers
+ ## @param metrics.resources.requests The requested resources for MySQL prometheus exporter containers
+ ##
+ resources:
+ ## Example:
+ ## limits:
+ ## cpu: 100m
+ ## memory: 256Mi
+ ##
+ limits: {}
+ ## Examples:
+ ## requests:
+ ## cpu: 100m
+ ## memory: 256Mi
+ ##
+ requests: {}
+ ## Mysqld Prometheus exporter liveness probe
+ ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes
+ ## @param metrics.livenessProbe.enabled Enable livenessProbe
+ ## @param metrics.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
+ ## @param metrics.livenessProbe.periodSeconds Period seconds for livenessProbe
+ ## @param metrics.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
+ ## @param metrics.livenessProbe.failureThreshold Failure threshold for livenessProbe
+ ## @param metrics.livenessProbe.successThreshold Success threshold for livenessProbe
+ ##
+ livenessProbe:
+ enabled: true
+ initialDelaySeconds: 120
+ periodSeconds: 10
+ timeoutSeconds: 1
+ successThreshold: 1
+ failureThreshold: 3
+ ## Mysqld Prometheus exporter readiness probe
+ ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes
+ ## @param metrics.readinessProbe.enabled Enable readinessProbe
+ ## @param metrics.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
+ ## @param metrics.readinessProbe.periodSeconds Period seconds for readinessProbe
+ ## @param metrics.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
+ ## @param metrics.readinessProbe.failureThreshold Failure threshold for readinessProbe
+ ## @param metrics.readinessProbe.successThreshold Success threshold for readinessProbe
+ ##
+ readinessProbe:
+ enabled: true
+ initialDelaySeconds: 30
+ periodSeconds: 10
+ timeoutSeconds: 1
+ successThreshold: 1
+ failureThreshold: 3
+ ## Prometheus Service Monitor
+ ## ref: https://github.com/coreos/prometheus-operator
+ ##
+ serviceMonitor:
+ ## @param metrics.serviceMonitor.enabled Create ServiceMonitor Resource for scraping metrics using PrometheusOperator
+ ##
+ enabled: true
+ ## @param metrics.serviceMonitor.namespace Specify the namespace in which the serviceMonitor resource will be created
+ ##
+ namespace: ""
+ ## @param metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in prometheus.
+ ##
+ jobLabel: ""
+ ## @param metrics.serviceMonitor.interval Specify the interval at which metrics should be scraped
+ ##
+ interval: 30s
+ ## @param metrics.serviceMonitor.scrapeTimeout Specify the timeout after which the scrape is ended
+ ## e.g:
+ ## scrapeTimeout: 30s
+ ##
+ scrapeTimeout: ""
+ ## @param metrics.serviceMonitor.relabelings RelabelConfigs to apply to samples before scraping
+ ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig
+ ##
+ relabelings: []
+ ## @param metrics.serviceMonitor.metricRelabelings MetricRelabelConfigs to apply to samples before ingestion
+ ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig
+ ##
+ metricRelabelings: []
+ ## @param metrics.serviceMonitor.selector ServiceMonitor selector labels
+ ## ref: https://github.com/bitnami/charts/tree/main/bitnami/prometheus-operator#prometheus-configuration
+ ##
+ ## selector:
+ ## prometheus: my-prometheus
+ ##
+ selector: {}
+ ## @param metrics.serviceMonitor.honorLabels Specify honorLabels parameter to add the scrape endpoint
+ ##
+ honorLabels: false
+ ## @param metrics.serviceMonitor.labels Used to pass Labels that are used by the Prometheus installed in your cluster to select Service Monitors to work with
+ ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#prometheusspec
+ ##
+ labels: {}
+ ## @param metrics.serviceMonitor.annotations ServiceMonitor annotations
+ ##
+ annotations: {}
+
+ ## Prometheus Operator prometheusRule configuration
+ ##
+ prometheusRule:
+ ## @param metrics.prometheusRule.enabled Creates a Prometheus Operator prometheusRule (also requires `metrics.enabled` to be `true` and `metrics.prometheusRule.rules`)
+ ##
+ enabled: false
+ ## @param metrics.prometheusRule.namespace Namespace for the prometheusRule Resource (defaults to the Release Namespace)
+ ##
+ namespace: ""
+ ## @param metrics.prometheusRule.additionalLabels Additional labels that can be used so prometheusRule will be discovered by Prometheus
+ ##
+ additionalLabels: {}
+ ## @param metrics.prometheusRule.rules Prometheus Rule definitions
+ ## - alert: Mysql-Down
+ ## expr: absent(up{job="mysql"} == 1)
+ ## for: 5m
+ ## labels:
+ ## severity: warning
+ ## service: mariadb
+ ## annotations:
+ ## message: 'MariaDB instance {{`{{`}} $labels.instance {{`}}`}} is down'
+ ## summary: MariaDB instance is down
+ ##
+ rules: []
\ No newline at end of file
diff --git a/terraform/gitops/stateful-resources/templates/stateful-resources/values-pgsql.yaml.tpl b/terraform/gitops/stateful-resources/templates/stateful-resources/values-pgsql.yaml.tpl
new file mode 100644
index 000000000..2300b8cdb
--- /dev/null
+++ b/terraform/gitops/stateful-resources/templates/stateful-resources/values-pgsql.yaml.tpl
@@ -0,0 +1,1426 @@
+# Copyright VMware, Inc.
+# SPDX-License-Identifier: APACHE-2.0
+
+## @section Global parameters
+## Please, note that this will override the parameters, including dependencies, configured to use the global value
+##
+global:
+ ## @param global.imageRegistry Global Docker image registry
+ ##
+ imageRegistry: ""
+ ## @param global.imagePullSecrets Global Docker registry secret names as an array
+ ## e.g.
+ ## imagePullSecrets:
+ ## - myRegistryKeySecretName
+ ##
+ imagePullSecrets: []
+ ## @param global.storageClass Global StorageClass for Persistent Volume(s)
+ ##
+ storageClass: ${resource.local_resource_config.pgsql_data.storage_class_name}
+
+ postgresql:
+ ## @param global.postgresql.auth.postgresPassword Password for the "postgres" admin user (overrides `auth.postgresPassword`)
+ ## @param global.postgresql.auth.username Name for a custom user to create (overrides `auth.username`)
+ ## @param global.postgresql.auth.password Password for the custom user to create (overrides `auth.password`)
+ ## @param global.postgresql.auth.database Name for a custom database to create (overrides `auth.database`)
+ ## @param global.postgresql.auth.existingSecret Name of existing secret to use for PostgreSQL credentials (overrides `auth.existingSecret`).
+ ## @param global.postgresql.auth.secretKeys.adminPasswordKey Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.adminPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set.
+ ## @param global.postgresql.auth.secretKeys.userPasswordKey Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.userPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set.
+ ## @param global.postgresql.auth.secretKeys.replicationPasswordKey Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.replicationPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set.
+ ##
+ auth:
+ postgresPassword: "${resource.local_resource_config.pgsql_data.root_password}"
+ username: ${resource.local_resource_config.pgsql_data.user}
+ password: "${resource.local_resource_config.pgsql_data.user_password}"
+ database: ${resource.local_resource_config.pgsql_data.database_name}
+ existingSecret: "${resource.local_resource_config.pgsql_data.existing_secret}"
+ secretKeys:
+ adminPasswordKey: postgres-password
+ userPasswordKey: password
+ replicationPasswordKey: replication-password
+ ## @param global.postgresql.service.ports.postgresql PostgreSQL service port (overrides `service.ports.postgresql`)
+ ##
+ service:
+ ports:
+ postgresql: ${resource.local_resource_config.pgsql_data.service_port}
+
+## @section Common parameters
+##
+
+## @param kubeVersion Override Kubernetes version
+##
+kubeVersion: ""
+## @param nameOverride String to partially override common.names.fullname template (will maintain the release name)
+##
+nameOverride: ${resource.resource_name}
+## @param fullnameOverride String to fully override common.names.fullname template
+##
+fullnameOverride: ""
+## @param clusterDomain Kubernetes Cluster Domain
+##
+clusterDomain: cluster.local
+## @param extraDeploy Array of extra objects to deploy with the release (evaluated as a template)
+##
+extraDeploy: []
+## @param commonLabels Add labels to all the deployed resources
+##
+commonLabels: {}
+## @param commonAnnotations Add annotations to all the deployed resources
+##
+commonAnnotations: {}
+## Enable diagnostic mode in the statefulset
+##
+diagnosticMode:
+ ## @param diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden)
+ ##
+ enabled: false
+ ## @param diagnosticMode.command Command to override all containers in the statefulset
+ ##
+ command:
+ - sleep
+ ## @param diagnosticMode.args Args to override all containers in the statefulset
+ ##
+ args:
+ - infinity
+
+## @section PostgreSQL common parameters
+##
+
+## Bitnami PostgreSQL image version
+## ref: https://hub.docker.com/r/bitnami/postgresql/tags/
+## @param image.registry PostgreSQL image registry
+## @param image.repository PostgreSQL image repository
+## @param image.tag PostgreSQL image tag (immutable tags are recommended)
+## @param image.digest PostgreSQL image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
+## @param image.pullPolicy PostgreSQL image pull policy
+## @param image.pullSecrets Specify image pull secrets
+## @param image.debug Specify if debug values should be set
+##
+image:
+ registry: docker.io
+ repository: bitnami/postgresql
+ digest: ""
+ ## Specify a imagePullPolicy
+ ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
+ ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images
+ ##
+ pullPolicy: IfNotPresent
+ ## Optionally specify an array of imagePullSecrets.
+ ## Secrets must be manually created in the namespace.
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+ ## Example:
+ ## pullSecrets:
+ ## - myRegistryKeySecretName
+ ##
+ pullSecrets: []
+ ## Set to true if you would like to see extra information on logs
+ ##
+ debug: false
+## Authentication parameters
+## ref: https://github.com/bitnami/containers/tree/main/bitnami/postgresql#setting-the-root-password-on-first-run
+## ref: https://github.com/bitnami/containers/tree/main/bitnami/postgresql#creating-a-database-on-first-run
+## ref: https://github.com/bitnami/containers/tree/main/bitnami/postgresql#creating-a-database-user-on-first-run
+##
+auth:
+ ## @param auth.enablePostgresUser Assign a password to the "postgres" admin user. Otherwise, remote access will be blocked for this user
+ ##
+ enablePostgresUser: true
+ ## @param auth.postgresPassword Password for the "postgres" admin user. Ignored if `auth.existingSecret` is provided
+ ##
+ postgresPassword: ""
+ ## @param auth.username Name for a custom user to create
+ ##
+ username: ""
+ ## @param auth.password Password for the custom user to create. Ignored if `auth.existingSecret` is provided
+ ##
+ password: ""
+ ## @param auth.database Name for a custom database to create
+ ##
+ database: ""
+ ## @param auth.replicationUsername Name of the replication user
+ ##
+ replicationUsername: repl_user
+ ## @param auth.replicationPassword Password for the replication user. Ignored if `auth.existingSecret` is provided
+ ##
+ replicationPassword: "${resource.local_resource_config.pgsql_data.root_password}"
+ ## @param auth.existingSecret Name of existing secret to use for PostgreSQL credentials. `auth.postgresPassword`, `auth.password`, and `auth.replicationPassword` will be ignored and picked up from this secret. The secret might also contains the key `ldap-password` if LDAP is enabled. `ldap.bind_password` will be ignored and picked from this secret in this case.
+ ##
+ existingSecret: ""
+ ## @param auth.secretKeys.adminPasswordKey Name of key in existing secret to use for PostgreSQL credentials. Only used when `auth.existingSecret` is set.
+ ## @param auth.secretKeys.userPasswordKey Name of key in existing secret to use for PostgreSQL credentials. Only used when `auth.existingSecret` is set.
+ ## @param auth.secretKeys.replicationPasswordKey Name of key in existing secret to use for PostgreSQL credentials. Only used when `auth.existingSecret` is set.
+ ##
+ secretKeys:
+ adminPasswordKey: postgres-password
+ userPasswordKey: password
+ replicationPasswordKey: replication-password
+ ## @param auth.usePasswordFiles Mount credentials as a files instead of using an environment variable
+ ##
+ usePasswordFiles: false
+## @param architecture PostgreSQL architecture (`standalone` or `replication`)
+##
+architecture: ${resource.local_resource_config.pgsql_data.architecture}
+## Replication configuration
+## Ignored if `architecture` is `standalone`
+##
+replication:
+ ## @param replication.synchronousCommit Set synchronous commit mode. Allowed values: `on`, `remote_apply`, `remote_write`, `local` and `off`
+ ## @param replication.numSynchronousReplicas Number of replicas that will have synchronous replication. Note: Cannot be greater than `readReplicas.replicaCount`.
+ ## ref: https://www.postgresql.org/docs/current/runtime-config-wal.html#GUC-SYNCHRONOUS-COMMIT
+ ##
+ synchronousCommit: "off"
+ numSynchronousReplicas: ${resource.local_resource_config.pgsql_data.replica_count}
+ ## @param replication.applicationName Cluster application name. Useful for advanced replication settings
+ ##
+ applicationName: my_application
+## @param containerPorts.postgresql PostgreSQL container port
+##
+containerPorts:
+ postgresql: 5432
+## Audit settings
+## https://github.com/bitnami/containers/tree/main/bitnami/postgresql#auditing
+## @param audit.logHostname Log client hostnames
+## @param audit.logConnections Add client log-in operations to the log file
+## @param audit.logDisconnections Add client log-outs operations to the log file
+## @param audit.pgAuditLog Add operations to log using the pgAudit extension
+## @param audit.pgAuditLogCatalog Log catalog using pgAudit
+## @param audit.clientMinMessages Message log level to share with the user
+## @param audit.logLinePrefix Template for log line prefix (default if not set)
+## @param audit.logTimezone Timezone for the log timestamps
+##
+audit:
+ logHostname: false
+ logConnections: false
+ logDisconnections: false
+ pgAuditLog: ""
+ pgAuditLogCatalog: "off"
+ clientMinMessages: error
+ logLinePrefix: ""
+ logTimezone: ""
+## LDAP configuration
+## @param ldap.enabled Enable LDAP support
+## DEPRECATED ldap.url It will removed in a future, please use 'ldap.uri' instead
+## @param ldap.server IP address or name of the LDAP server.
+## @param ldap.port Port number on the LDAP server to connect to
+## @param ldap.prefix String to prepend to the user name when forming the DN to bind
+## @param ldap.suffix String to append to the user name when forming the DN to bind
+## DEPRECATED ldap.baseDN It will removed in a future, please use 'ldap.basedn' instead
+## DEPRECATED ldap.bindDN It will removed in a future, please use 'ldap.binddn' instead
+## DEPRECATED ldap.bind_password It will removed in a future, please use 'ldap.bindpw' instead
+## @param ldap.basedn Root DN to begin the search for the user in
+## @param ldap.binddn DN of user to bind to LDAP
+## @param ldap.bindpw Password for the user to bind to LDAP
+## DEPRECATED ldap.search_attr It will removed in a future, please use 'ldap.searchAttribute' instead
+## DEPRECATED ldap.search_filter It will removed in a future, please use 'ldap.searchFilter' instead
+## @param ldap.searchAttribute Attribute to match against the user name in the search
+## @param ldap.searchFilter The search filter to use when doing search+bind authentication
+## @param ldap.scheme Set to `ldaps` to use LDAPS
+## DEPRECATED ldap.tls as string is deprecated,please use 'ldap.tls.enabled' instead
+## @param ldap.tls.enabled Se to true to enable TLS encryption
+##
+ldap:
+ enabled: false
+ server: ""
+ port: ""
+ prefix: ""
+ suffix: ""
+ basedn: ""
+ binddn: ""
+ bindpw: ""
+ searchAttribute: ""
+ searchFilter: ""
+ scheme: ""
+ tls:
+ enabled: false
+ ## @param ldap.uri LDAP URL beginning in the form `ldap[s]://host[:port]/basedn`. If provided, all the other LDAP parameters will be ignored.
+ ## Ref: https://www.postgresql.org/docs/current/auth-ldap.html
+ ##
+ uri: ""
+## @param postgresqlDataDir PostgreSQL data dir folder
+##
+postgresqlDataDir: /bitnami/postgresql/data
+## @param postgresqlSharedPreloadLibraries Shared preload libraries (comma-separated list)
+##
+postgresqlSharedPreloadLibraries: "pgaudit"
+## Start PostgreSQL pod(s) without limitations on shm memory.
+## By default docker and containerd (and possibly other container runtimes) limit `/dev/shm` to `64M`
+## ref: https://github.com/docker-library/postgres/issues/416
+## ref: https://github.com/containerd/containerd/issues/3654
+##
+shmVolume:
+ ## @param shmVolume.enabled Enable emptyDir volume for /dev/shm for PostgreSQL pod(s)
+ ##
+ enabled: true
+ ## @param shmVolume.sizeLimit Set this to enable a size limit on the shm tmpfs
+ ## Note: the size of the tmpfs counts against container's memory limit
+ ## e.g:
+ ## sizeLimit: 1Gi
+ ##
+ sizeLimit: ""
+## TLS configuration
+##
+tls:
+ ## @param tls.enabled Enable TLS traffic support
+ ##
+ enabled: false
+ ## @param tls.autoGenerated Generate automatically self-signed TLS certificates
+ ##
+ autoGenerated: false
+ ## @param tls.preferServerCiphers Whether to use the server's TLS cipher preferences rather than the client's
+ ##
+ preferServerCiphers: true
+ ## @param tls.certificatesSecret Name of an existing secret that contains the certificates
+ ##
+ certificatesSecret: ""
+ ## @param tls.certFilename Certificate filename
+ ##
+ certFilename: ""
+ ## @param tls.certKeyFilename Certificate key filename
+ ##
+ certKeyFilename: ""
+ ## @param tls.certCAFilename CA Certificate filename
+ ## If provided, PostgreSQL will authenticate TLS/SSL clients by requesting them a certificate
+ ## ref: https://www.postgresql.org/docs/9.6/auth-methods.html
+ ##
+ certCAFilename: ""
+ ## @param tls.crlFilename File containing a Certificate Revocation List
+ ##
+ crlFilename: ""
+
+## @section PostgreSQL Primary parameters
+##
+primary:
+ ## @param primary.name Name of the primary database (eg primary, master, leader, ...)
+ ##
+ name: primary
+ ## @param primary.configuration PostgreSQL Primary main configuration to be injected as ConfigMap
+ ## ref: https://www.postgresql.org/docs/current/static/runtime-config.html
+ ##
+ configuration: ""
+ ## @param primary.pgHbaConfiguration PostgreSQL Primary client authentication configuration
+ ## ref: https://www.postgresql.org/docs/current/static/auth-pg-hba-conf.html
+ ## e.g:#
+ ## pgHbaConfiguration: |-
+ ## local all all trust
+ ## host all all localhost trust
+ ## host mydatabase mysuser 192.168.0.0/24 md5
+ ##
+ pgHbaConfiguration: ""
+ ## @param primary.existingConfigmap Name of an existing ConfigMap with PostgreSQL Primary configuration
+ ## NOTE: `primary.configuration` and `primary.pgHbaConfiguration` will be ignored
+ ##
+ existingConfigmap: ""
+ ## @param primary.extendedConfiguration Extended PostgreSQL Primary configuration (appended to main or default configuration)
+ ## ref: https://github.com/bitnami/containers/tree/main/bitnami/postgresql#allow-settings-to-be-loaded-from-files-other-than-the-default-postgresqlconf
+ ##
+ extendedConfiguration: ""
+ ## @param primary.existingExtendedConfigmap Name of an existing ConfigMap with PostgreSQL Primary extended configuration
+ ## NOTE: `primary.extendedConfiguration` will be ignored
+ ##
+ existingExtendedConfigmap: ""
+ ## Initdb configuration
+ ## ref: https://github.com/bitnami/containers/tree/main/bitnami/postgresql#specifying-initdb-arguments
+ ##
+ initdb:
+ ## @param primary.initdb.args PostgreSQL initdb extra arguments
+ ##
+ args: ""
+ ## @param primary.initdb.postgresqlWalDir Specify a custom location for the PostgreSQL transaction log
+ ##
+ postgresqlWalDir: ""
+ ## @param primary.initdb.scripts Dictionary of initdb scripts
+ ## Specify dictionary of scripts to be run at first boot
+ ## e.g:
+ ## scripts:
+ ## my_init_script.sh: |
+ ## #!/bin/sh
+ ## echo "Do something."
+ ## + scripts: {} + ## @param primary.initdb.scriptsConfigMap ConfigMap with scripts to be run at first boot + ## NOTE: This will override `primary.initdb.scripts` + ## + scriptsConfigMap: "" + ## @param primary.initdb.scriptsSecret Secret with scripts to be run at first boot (in case it contains sensitive information) + ## NOTE: This can work along `primary.initdb.scripts` or `primary.initdb.scriptsConfigMap` + ## + scriptsSecret: "" + ## @param primary.initdb.user Specify the PostgreSQL username to execute the initdb scripts + ## + user: "" + ## @param primary.initdb.password Specify the PostgreSQL password to execute the initdb scripts + ## + password: "" + ## Configure current cluster's primary server to be the standby server in other cluster. + ## This will allow cross cluster replication and provide cross cluster high availability. + ## You will need to configure pgHbaConfiguration if you want to enable this feature with local cluster replication enabled. + ## @param primary.standby.enabled Whether to enable current cluster's primary as standby server of another cluster or not + ## @param primary.standby.primaryHost The Host of replication primary in the other cluster + ## @param primary.standby.primaryPort The Port of replication primary in the other cluster + ## + standby: + enabled: false + primaryHost: "" + primaryPort: "" + ## @param primary.extraEnvVars Array with extra environment variables to add to PostgreSQL Primary nodes + ## e.g: + ## extraEnvVars: + ## - name: FOO + ## value: "bar" + ## + extraEnvVars: [] + ## @param primary.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for PostgreSQL Primary nodes + ## + extraEnvVarsCM: "" + ## @param primary.extraEnvVarsSecret Name of existing Secret containing extra env vars for PostgreSQL Primary nodes + ## + extraEnvVarsSecret: "" + ## @param primary.command Override default container command (useful when using custom images) + ## + command: [] + ## @param primary.args Override default 
container args (useful when using custom images) + ## + args: [] + ## Configure extra options for PostgreSQL Primary containers' liveness, readiness and startup probes + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes + ## @param primary.livenessProbe.enabled Enable livenessProbe on PostgreSQL Primary containers + ## @param primary.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe + ## @param primary.livenessProbe.periodSeconds Period seconds for livenessProbe + ## @param primary.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe + ## @param primary.livenessProbe.failureThreshold Failure threshold for livenessProbe + ## @param primary.livenessProbe.successThreshold Success threshold for livenessProbe + ## + livenessProbe: + enabled: true + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + ## @param primary.readinessProbe.enabled Enable readinessProbe on PostgreSQL Primary containers + ## @param primary.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe + ## @param primary.readinessProbe.periodSeconds Period seconds for readinessProbe + ## @param primary.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe + ## @param primary.readinessProbe.failureThreshold Failure threshold for readinessProbe + ## @param primary.readinessProbe.successThreshold Success threshold for readinessProbe + ## + readinessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + ## @param primary.startupProbe.enabled Enable startupProbe on PostgreSQL Primary containers + ## @param primary.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe + ## @param primary.startupProbe.periodSeconds Period seconds for startupProbe + ## @param primary.startupProbe.timeoutSeconds Timeout seconds for 
startupProbe + ## @param primary.startupProbe.failureThreshold Failure threshold for startupProbe + ## @param primary.startupProbe.successThreshold Success threshold for startupProbe + ## + startupProbe: + enabled: false + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 15 + successThreshold: 1 + ## @param primary.customLivenessProbe Custom livenessProbe that overrides the default one + ## + customLivenessProbe: {} + ## @param primary.customReadinessProbe Custom readinessProbe that overrides the default one + ## + customReadinessProbe: {} + ## @param primary.customStartupProbe Custom startupProbe that overrides the default one + ## + customStartupProbe: {} + ## @param primary.lifecycleHooks for the PostgreSQL Primary container to automate configuration before or after startup + ## + lifecycleHooks: {} + ## PostgreSQL Primary resource requests and limits + ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## @param primary.resources.limits The resources limits for the PostgreSQL Primary containers + ## @param primary.resources.requests.memory The requested memory for the PostgreSQL Primary containers + ## @param primary.resources.requests.cpu The requested cpu for the PostgreSQL Primary containers + ## + resources: + limits: {} + requests: + memory: 256Mi + cpu: 250m + ## Pod Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + ## @param primary.podSecurityContext.enabled Enable security context + ## @param primary.podSecurityContext.fsGroup Group ID for the pod + ## + podSecurityContext: + enabled: true + fsGroup: 1001 + ## Container Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + ## @param primary.containerSecurityContext.enabled Enable container security context + ## @param primary.containerSecurityContext.runAsUser User ID for the container + ## + containerSecurityContext: + enabled: true + runAsUser: 
1001 + ## @param primary.hostAliases PostgreSQL primary pods host aliases + ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ + ## + hostAliases: [] + ## @param primary.hostNetwork Specify if host network should be enabled for PostgreSQL pod (postgresql primary) + ## + hostNetwork: false + ## @param primary.hostIPC Specify if host IPC should be enabled for PostgreSQL pod (postgresql primary) + ## + hostIPC: false + ## @param primary.labels Map of labels to add to the statefulset (postgresql primary) + ## + labels: {} + ## @param primary.annotations Annotations for PostgreSQL primary pods + ## + annotations: {} + ## @param primary.podLabels Map of labels to add to the pods (postgresql primary) + ## + podLabels: {} + ## @param primary.podAnnotations Map of annotations to add to the pods (postgresql primary) + ## + podAnnotations: {} + ## @param primary.podAffinityPreset PostgreSQL primary pod affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAffinityPreset: "" + ## @param primary.podAntiAffinityPreset PostgreSQL primary pod anti-affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAntiAffinityPreset: soft + ## PostgreSQL Primary node affinity preset + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity + ## + nodeAffinityPreset: + ## @param primary.nodeAffinityPreset.type PostgreSQL primary node affinity preset type. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` + ## + type: "" + ## @param primary.nodeAffinityPreset.key PostgreSQL primary node label key to match Ignored if `primary.affinity` is set. + ## E.g. 
+ ## key: "kubernetes.io/e2e-az-name" + ## + key: "" + ## @param primary.nodeAffinityPreset.values PostgreSQL primary node label values to match. Ignored if `primary.affinity` is set. + ## E.g. + ## values: + ## - e2e-az1 + ## - e2e-az2 + ## + values: [] + ## @param primary.affinity Affinity for PostgreSQL primary pods assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## Note: primary.podAffinityPreset, primary.podAntiAffinityPreset, and primary.nodeAffinityPreset will be ignored when it's set + ## + affinity: {} + ## @param primary.nodeSelector Node labels for PostgreSQL primary pods assignment + ## ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: {} + ## @param primary.tolerations Tolerations for PostgreSQL primary pods assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + ## + tolerations: [] + ## @param primary.topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template + ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods + ## + topologySpreadConstraints: [] + ## @param primary.priorityClassName Priority Class to use for each pod (postgresql primary) + ## + priorityClassName: "" + ## @param primary.schedulerName Use an alternate scheduler, e.g. "stork". 
+ ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ + ## + schedulerName: "" + ## @param primary.terminationGracePeriodSeconds Seconds PostgreSQL primary pod needs to terminate gracefully + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods + ## + terminationGracePeriodSeconds: "" + ## @param primary.updateStrategy.type PostgreSQL Primary statefulset strategy type + ## @param primary.updateStrategy.rollingUpdate PostgreSQL Primary statefulset rolling update configuration parameters + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies + ## + updateStrategy: + type: RollingUpdate + rollingUpdate: {} + ## @param primary.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the PostgreSQL Primary container(s) + ## + extraVolumeMounts: [] + ## @param primary.extraVolumes Optionally specify extra list of additional volumes for the PostgreSQL Primary pod(s) + ## + extraVolumes: [] + ## @param primary.sidecars Add additional sidecar containers to the PostgreSQL Primary pod(s) + ## For example: + ## sidecars: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## ports: + ## - name: portname + ## containerPort: 1234 + ## + sidecars: [] + ## @param primary.initContainers Add additional init containers to the PostgreSQL Primary pod(s) + ## Example + ## + ## initContainers: + ## - name: do-something + ## image: busybox + ## command: ['do', 'something'] + ## + initContainers: [] + ## @param primary.extraPodSpec Optionally specify extra PodSpec for the PostgreSQL Primary pod(s) + ## + extraPodSpec: {} + ## PostgreSQL Primary service configuration + ## + service: + ## @param primary.service.type Kubernetes Service type + ## + type: ClusterIP + ## @param primary.service.ports.postgresql PostgreSQL service port + ## + ports: + postgresql: 5432 + ## Node ports to expose + ## NOTE: choose port between 
<30000-32767> + ## @param primary.service.nodePorts.postgresql Node port for PostgreSQL + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + ## + nodePorts: + postgresql: "" + ## @param primary.service.clusterIP Static clusterIP or None for headless services + ## e.g: + ## clusterIP: None + ## + clusterIP: "" + ## @param primary.service.annotations Annotations for PostgreSQL primary service + ## + annotations: {} + ## @param primary.service.loadBalancerIP Load balancer IP if service type is `LoadBalancer` + ## Set the LoadBalancer service type to internal only + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer + ## + loadBalancerIP: "" + ## @param primary.service.externalTrafficPolicy Enable client source IP preservation + ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + ## + externalTrafficPolicy: Cluster + ## @param primary.service.loadBalancerSourceRanges Addresses that are allowed when service is LoadBalancer + ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## + ## loadBalancerSourceRanges: + ## - 10.10.10.0/24 + ## + loadBalancerSourceRanges: [] + ## @param primary.service.extraPorts Extra ports to expose in the PostgreSQL primary service + ## + extraPorts: [] + ## @param primary.service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP" + ## If "ClientIP", consecutive client requests will be directed to the same Pod + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies + ## + sessionAffinity: None + ## @param primary.service.sessionAffinityConfig Additional settings for the sessionAffinity + ## sessionAffinityConfig: + ## clientIP: + ## timeoutSeconds: 300 + ## + sessionAffinityConfig: {} + ## Headless service 
properties + ## + headless: + ## @param primary.service.headless.annotations Additional custom annotations for headless PostgreSQL primary service + ## + annotations: {} + ## PostgreSQL Primary persistence configuration + ## + persistence: + ## @param primary.persistence.enabled Enable PostgreSQL Primary data persistence using PVC + ## + enabled: true + ## @param primary.persistence.existingClaim Name of an existing PVC to use + ## + existingClaim: "" + ## @param primary.persistence.mountPath The path the volume will be mounted at + ## Note: useful when using custom PostgreSQL images + ## + mountPath: /bitnami/postgresql + ## @param primary.persistence.subPath The subdirectory of the volume to mount to + ## Useful in dev environments and one PV for multiple services + ## + subPath: "" + ## @param primary.persistence.storageClass PVC Storage Class for PostgreSQL Primary data volume + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. 
(gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + storageClass: "" + ## @param primary.persistence.accessModes PVC Access Mode for PostgreSQL volume + ## + accessModes: + - ReadWriteOnce + ## @param primary.persistence.size PVC Storage Request for PostgreSQL volume + ## + size: ${resource.local_resource_config.pgsql_data.storage_size} + ## @param primary.persistence.annotations Annotations for the PVC + ## + annotations: {} + ## @param primary.persistence.labels Labels for the PVC + ## + labels: {} + ## @param primary.persistence.selector Selector to match an existing Persistent Volume (this value is evaluated as a template) + ## selector: + ## matchLabels: + ## app: my-app + ## + selector: {} + ## @param primary.persistence.dataSource Custom PVC data source + ## + dataSource: {} + +## @section PostgreSQL read only replica parameters (only used when `architecture` is set to `replication`) +## +readReplicas: + ## @param readReplicas.name Name of the read replicas database (eg secondary, slave, ...) 
+ ## + name: read + ## @param readReplicas.replicaCount Number of PostgreSQL read only replicas + ## + replicaCount: ${resource.local_resource_config.pgsql_data.replica_count} + ## @param readReplicas.extendedConfiguration Extended PostgreSQL read only replicas configuration (appended to main or default configuration) + ## ref: https://github.com/bitnami/containers/tree/main/bitnami/postgresql#allow-settings-to-be-loaded-from-files-other-than-the-default-postgresqlconf + ## + extendedConfiguration: "" + ## @param readReplicas.extraEnvVars Array with extra environment variables to add to PostgreSQL read only nodes + ## e.g: + ## extraEnvVars: + ## - name: FOO + ## value: "bar" + ## + extraEnvVars: [] + ## @param readReplicas.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for PostgreSQL read only nodes + ## + extraEnvVarsCM: "" + ## @param readReplicas.extraEnvVarsSecret Name of existing Secret containing extra env vars for PostgreSQL read only nodes + ## + extraEnvVarsSecret: "" + ## @param readReplicas.command Override default container command (useful when using custom images) + ## + command: [] + ## @param readReplicas.args Override default container args (useful when using custom images) + ## + args: [] + ## Configure extra options for PostgreSQL read only containers' liveness, readiness and startup probes + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes + ## @param readReplicas.livenessProbe.enabled Enable livenessProbe on PostgreSQL read only containers + ## @param readReplicas.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe + ## @param readReplicas.livenessProbe.periodSeconds Period seconds for livenessProbe + ## @param readReplicas.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe + ## @param readReplicas.livenessProbe.failureThreshold Failure threshold for livenessProbe + ## @param 
readReplicas.livenessProbe.successThreshold Success threshold for livenessProbe + ## + livenessProbe: + enabled: true + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + ## @param readReplicas.readinessProbe.enabled Enable readinessProbe on PostgreSQL read only containers + ## @param readReplicas.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe + ## @param readReplicas.readinessProbe.periodSeconds Period seconds for readinessProbe + ## @param readReplicas.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe + ## @param readReplicas.readinessProbe.failureThreshold Failure threshold for readinessProbe + ## @param readReplicas.readinessProbe.successThreshold Success threshold for readinessProbe + ## + readinessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + ## @param readReplicas.startupProbe.enabled Enable startupProbe on PostgreSQL read only containers + ## @param readReplicas.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe + ## @param readReplicas.startupProbe.periodSeconds Period seconds for startupProbe + ## @param readReplicas.startupProbe.timeoutSeconds Timeout seconds for startupProbe + ## @param readReplicas.startupProbe.failureThreshold Failure threshold for startupProbe + ## @param readReplicas.startupProbe.successThreshold Success threshold for startupProbe + ## + startupProbe: + enabled: false + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 15 + successThreshold: 1 + ## @param readReplicas.customLivenessProbe Custom livenessProbe that overrides the default one + ## + customLivenessProbe: {} + ## @param readReplicas.customReadinessProbe Custom readinessProbe that overrides the default one + ## + customReadinessProbe: {} + ## @param readReplicas.customStartupProbe Custom startupProbe that overrides the default one 
+ ## + customStartupProbe: {} + ## @param readReplicas.lifecycleHooks for the PostgreSQL read only container to automate configuration before or after startup + ## + lifecycleHooks: {} + ## PostgreSQL read only resource requests and limits + ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## @param readReplicas.resources.limits The resources limits for the PostgreSQL read only containers + ## @param readReplicas.resources.requests.memory The requested memory for the PostgreSQL read only containers + ## @param readReplicas.resources.requests.cpu The requested cpu for the PostgreSQL read only containers + ## + resources: + limits: {} + requests: + memory: 256Mi + cpu: 250m + ## Pod Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + ## @param readReplicas.podSecurityContext.enabled Enable security context + ## @param readReplicas.podSecurityContext.fsGroup Group ID for the pod + ## + podSecurityContext: + enabled: true + fsGroup: 1001 + ## Container Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + ## @param readReplicas.containerSecurityContext.enabled Enable container security context + ## @param readReplicas.containerSecurityContext.runAsUser User ID for the container + ## + containerSecurityContext: + enabled: true + runAsUser: 1001 + ## @param readReplicas.hostAliases PostgreSQL read only pods host aliases + ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ + ## + hostAliases: [] + ## @param readReplicas.hostNetwork Specify if host network should be enabled for PostgreSQL pod (PostgreSQL read only) + ## + hostNetwork: false + ## @param readReplicas.hostIPC Specify if host IPC should be enabled for PostgreSQL pod (postgresql primary) + ## + hostIPC: false + ## @param readReplicas.labels Map of labels to add to the statefulset (PostgreSQL read only) + ## + labels: {} + ## @param 
readReplicas.annotations Annotations for PostgreSQL read only pods + ## + annotations: {} + ## @param readReplicas.podLabels Map of labels to add to the pods (PostgreSQL read only) + ## + podLabels: {} + ## @param readReplicas.podAnnotations Map of annotations to add to the pods (PostgreSQL read only) + ## + podAnnotations: {} + ## @param readReplicas.podAffinityPreset PostgreSQL read only pod affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAffinityPreset: "" + ## @param readReplicas.podAntiAffinityPreset PostgreSQL read only pod anti-affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAntiAffinityPreset: soft + ## PostgreSQL read only node affinity preset + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity + ## + nodeAffinityPreset: + ## @param readReplicas.nodeAffinityPreset.type PostgreSQL read only node affinity preset type. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` + ## + type: "" + ## @param readReplicas.nodeAffinityPreset.key PostgreSQL read only node label key to match Ignored if `primary.affinity` is set. + ## E.g. + ## key: "kubernetes.io/e2e-az-name" + ## + key: "" + ## @param readReplicas.nodeAffinityPreset.values PostgreSQL read only node label values to match. Ignored if `primary.affinity` is set. + ## E.g. 
+ ## values: + ## - e2e-az1 + ## - e2e-az2 + ## + values: [] + ## @param readReplicas.affinity Affinity for PostgreSQL read only pods assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## Note: primary.podAffinityPreset, primary.podAntiAffinityPreset, and primary.nodeAffinityPreset will be ignored when it's set + ## + affinity: {} + ## @param readReplicas.nodeSelector Node labels for PostgreSQL read only pods assignment + ## ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: {} + ## @param readReplicas.tolerations Tolerations for PostgreSQL read only pods assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + ## + tolerations: [] + ## @param readReplicas.topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template + ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods + ## + topologySpreadConstraints: [] + ## @param readReplicas.priorityClassName Priority Class to use for each pod (PostgreSQL read only) + ## + priorityClassName: "" + ## @param readReplicas.schedulerName Use an alternate scheduler, e.g. "stork". 
+ ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ + ## + schedulerName: "" + ## @param readReplicas.terminationGracePeriodSeconds Seconds PostgreSQL read only pod needs to terminate gracefully + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods + ## + terminationGracePeriodSeconds: "" + ## @param readReplicas.updateStrategy.type PostgreSQL read only statefulset strategy type + ## @param readReplicas.updateStrategy.rollingUpdate PostgreSQL read only statefulset rolling update configuration parameters + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies + ## + updateStrategy: + type: RollingUpdate + rollingUpdate: {} + ## @param readReplicas.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the PostgreSQL read only container(s) + ## + extraVolumeMounts: [] + ## @param readReplicas.extraVolumes Optionally specify extra list of additional volumes for the PostgreSQL read only pod(s) + ## + extraVolumes: [] + ## @param readReplicas.sidecars Add additional sidecar containers to the PostgreSQL read only pod(s) + ## For example: + ## sidecars: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## ports: + ## - name: portname + ## containerPort: 1234 + ## + sidecars: [] + ## @param readReplicas.initContainers Add additional init containers to the PostgreSQL read only pod(s) + ## Example + ## + ## initContainers: + ## - name: do-something + ## image: busybox + ## command: ['do', 'something'] + ## + initContainers: [] + ## @param readReplicas.extraPodSpec Optionally specify extra PodSpec for the PostgreSQL read only pod(s) + ## + extraPodSpec: {} + ## PostgreSQL read only service configuration + ## + service: + ## @param readReplicas.service.type Kubernetes Service type + ## + type: ClusterIP + ## @param readReplicas.service.ports.postgresql PostgreSQL service port + ## + ports: + postgresql: 
5432 + ## Node ports to expose + ## NOTE: choose port between <30000-32767> + ## @param readReplicas.service.nodePorts.postgresql Node port for PostgreSQL + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + ## + nodePorts: + postgresql: "" + ## @param readReplicas.service.clusterIP Static clusterIP or None for headless services + ## e.g: + ## clusterIP: None + ## + clusterIP: "" + ## @param readReplicas.service.annotations Annotations for PostgreSQL read only service + ## + annotations: {} + ## @param readReplicas.service.loadBalancerIP Load balancer IP if service type is `LoadBalancer` + ## Set the LoadBalancer service type to internal only + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer + ## + loadBalancerIP: "" + ## @param readReplicas.service.externalTrafficPolicy Enable client source IP preservation + ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + ## + externalTrafficPolicy: Cluster + ## @param readReplicas.service.loadBalancerSourceRanges Addresses that are allowed when service is LoadBalancer + ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## + ## loadBalancerSourceRanges: + ## - 10.10.10.0/24 + ## + loadBalancerSourceRanges: [] + ## @param readReplicas.service.extraPorts Extra ports to expose in the PostgreSQL read only service + ## + extraPorts: [] + ## @param readReplicas.service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP" + ## If "ClientIP", consecutive client requests will be directed to the same Pod + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies + ## + sessionAffinity: None + ## @param readReplicas.service.sessionAffinityConfig Additional settings for the sessionAffinity + ## 
sessionAffinityConfig: + ## clientIP: + ## timeoutSeconds: 300 + ## + sessionAffinityConfig: {} + ## Headless service properties + ## + headless: + ## @param readReplicas.service.headless.annotations Additional custom annotations for headless PostgreSQL read only service + ## + annotations: {} + ## PostgreSQL read only persistence configuration + ## + persistence: + ## @param readReplicas.persistence.enabled Enable PostgreSQL read only data persistence using PVC + ## + enabled: true + ## @param readReplicas.persistence.existingClaim Name of an existing PVC to use + ## + existingClaim: "" + ## @param readReplicas.persistence.mountPath The path the volume will be mounted at + ## Note: useful when using custom PostgreSQL images + ## + mountPath: /bitnami/postgresql + ## @param readReplicas.persistence.subPath The subdirectory of the volume to mount to + ## Useful in dev environments and one PV for multiple services + ## + subPath: "" + ## @param readReplicas.persistence.storageClass PVC Storage Class for PostgreSQL read only data volume + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. 
(gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + storageClass: "" + ## @param readReplicas.persistence.accessModes PVC Access Mode for PostgreSQL volume + ## + accessModes: + - ReadWriteOnce + ## @param readReplicas.persistence.size PVC Storage Request for PostgreSQL volume + ## + size: ${resource.local_resource_config.pgsql_data.storage_size} + ## @param readReplicas.persistence.annotations Annotations for the PVC + ## + annotations: {} + ## @param readReplicas.persistence.labels Labels for the PVC + ## + labels: {} + ## @param readReplicas.persistence.selector Selector to match an existing Persistent Volume (this value is evaluated as a template) + ## selector: + ## matchLabels: + ## app: my-app + ## + selector: {} + ## @param readReplicas.persistence.dataSource Custom PVC data source + ## + dataSource: {} + +## @section NetworkPolicy parameters +## + +## Add networkpolicies +## +networkPolicy: + ## @param networkPolicy.enabled Enable network policies + ## + enabled: false + ## @param networkPolicy.metrics.enabled Enable network policies for metrics (prometheus) + ## @param networkPolicy.metrics.namespaceSelector [object] Monitoring namespace selector labels. These labels will be used to identify the prometheus' namespace. + ## @param networkPolicy.metrics.podSelector [object] Monitoring pod selector labels. These labels will be used to identify the Prometheus pods. + ## + metrics: + enabled: false + ## e.g: + ## namespaceSelector: + ## label: monitoring + ## + namespaceSelector: {} + ## e.g: + ## podSelector: + ## label: monitoring + ## + podSelector: {} + ## Ingress Rules + ## + ingressRules: + ## @param networkPolicy.ingressRules.primaryAccessOnlyFrom.enabled Enable ingress rule that makes PostgreSQL primary node only accessible from a particular origin. + ## @param networkPolicy.ingressRules.primaryAccessOnlyFrom.namespaceSelector [object] Namespace selector label that is allowed to access the PostgreSQL primary node. 
This label will be used to identified the allowed namespace(s). + ## @param networkPolicy.ingressRules.primaryAccessOnlyFrom.podSelector [object] Pods selector label that is allowed to access the PostgreSQL primary node. This label will be used to identified the allowed pod(s). + ## @param networkPolicy.ingressRules.primaryAccessOnlyFrom.customRules Custom network policy for the PostgreSQL primary node. + ## + primaryAccessOnlyFrom: + enabled: false + ## e.g: + ## namespaceSelector: + ## label: ingress + ## + namespaceSelector: {} + ## e.g: + ## podSelector: + ## label: access + ## + podSelector: {} + ## custom ingress rules + ## e.g: + ## customRules: + ## - from: + ## - namespaceSelector: + ## matchLabels: + ## label: example + ## + customRules: [] + ## @param networkPolicy.ingressRules.readReplicasAccessOnlyFrom.enabled Enable ingress rule that makes PostgreSQL read-only nodes only accessible from a particular origin. + ## @param networkPolicy.ingressRules.readReplicasAccessOnlyFrom.namespaceSelector [object] Namespace selector label that is allowed to access the PostgreSQL read-only nodes. This label will be used to identified the allowed namespace(s). + ## @param networkPolicy.ingressRules.readReplicasAccessOnlyFrom.podSelector [object] Pods selector label that is allowed to access the PostgreSQL read-only nodes. This label will be used to identified the allowed pod(s). + ## @param networkPolicy.ingressRules.readReplicasAccessOnlyFrom.customRules Custom network policy for the PostgreSQL read-only nodes. 
+ ##
+ readReplicasAccessOnlyFrom:
+ enabled: false
+ ## e.g:
+ ## namespaceSelector:
+ ## label: ingress
+ ##
+ namespaceSelector: {}
+ ## e.g:
+ ## podSelector:
+ ## label: access
+ ##
+ podSelector: {}
+ ## custom ingress rules
+ ## e.g:
+ ## CustomRules:
+ ## - from:
+ ## - namespaceSelector:
+ ## matchLabels:
+ ## label: example
+ ##
+ customRules: []
+ ## @param networkPolicy.egressRules.denyConnectionsToExternal Enable egress rule that denies outgoing traffic outside the cluster, except for DNS (port 53).
+ ## @param networkPolicy.egressRules.customRules Custom network policy rule
+ ##
+ egressRules:
+ # Deny connections to external. This is not compatible with an external database.
+ denyConnectionsToExternal: false
+ ## Additional custom egress rules
+ ## e.g:
+ ## customRules:
+ ## - to:
+ ## - namespaceSelector:
+ ## matchLabels:
+ ## label: example
+ ##
+ customRules: []
+
+## @section Volume Permissions parameters
+##
+
+## Init containers parameters:
+## volumePermissions: Change the owner and group of the persistent volume(s) mountpoint(s) to 'runAsUser:fsGroup' on each node
+##
+volumePermissions:
+ ## @param volumePermissions.enabled Enable init container that changes the owner and group of the persistent volume
+ ##
+ enabled: false
+ ## @param volumePermissions.image.registry Init container volume-permissions image registry
+ ## @param volumePermissions.image.repository Init container volume-permissions image repository
+ ## @param volumePermissions.image.tag Init container volume-permissions image tag (immutable tags are recommended)
+ ## @param volumePermissions.image.digest Init container volume-permissions image digest in the way sha256:aa....
Please note this parameter, if set, will override the tag
+ ## @param volumePermissions.image.pullPolicy Init container volume-permissions image pull policy
+ ## @param volumePermissions.image.pullSecrets Init container volume-permissions image pull secrets
+ ##
+ image:
+ registry: docker.io
+ repository: bitnami/os-shell
+ digest: ""
+ pullPolicy: IfNotPresent
+ ## Optionally specify an array of imagePullSecrets.
+ ## Secrets must be manually created in the namespace.
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+ ## Example:
+ ## pullSecrets:
+ ## - myRegistryKeySecretName
+ ##
+ pullSecrets: []
+ ## Init container resource requests and limits
+ ## ref: https://kubernetes.io/docs/user-guide/compute-resources/
+ ## @param volumePermissions.resources.limits Init container volume-permissions resource limits
+ ## @param volumePermissions.resources.requests Init container volume-permissions resource requests
+ ##
+ resources:
+ limits: {}
+ requests: {}
+ ## Init container' Security Context
+ ## Note: the chown of the data folder is done to containerSecurityContext.runAsUser
+ ## and not the below volumePermissions.containerSecurityContext.runAsUser
+ ## @param volumePermissions.containerSecurityContext.runAsUser User ID for the init container
+ ##
+ containerSecurityContext:
+ runAsUser: 0
+
+## @section Other Parameters
+##
+
+## @param serviceBindings.enabled Create secret for service binding (Experimental)
+## Ref: https://servicebinding.io/service-provider/
+##
+serviceBindings:
+ enabled: false
+
+## Service account for PostgreSQL to use.
+## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
+##
+serviceAccount:
+ ## @param serviceAccount.create Enable creation of ServiceAccount for PostgreSQL pod
+ ##
+ create: false
+ ## @param serviceAccount.name The name of the ServiceAccount to use.
+ ## If not set and create is true, a name is generated using the common.names.fullname template
+ ##
+ name: ""
+ ## @param serviceAccount.automountServiceAccountToken Allows auto mount of ServiceAccountToken on the serviceAccount created
+ ## Can be set to false if pods using this serviceAccount do not need to use K8s API
+ ##
+ automountServiceAccountToken: true
+ ## @param serviceAccount.annotations Additional custom annotations for the ServiceAccount
+ ##
+ annotations: {}
+## Creates role for ServiceAccount
+## @param rbac.create Create Role and RoleBinding (required for PSP to work)
+##
+rbac:
+ create: false
+ ## @param rbac.rules Custom RBAC rules to set
+ ## e.g:
+ ## rules:
+ ## - apiGroups:
+ ## - ""
+ ## resources:
+ ## - pods
+ ## verbs:
+ ## - get
+ ## - list
+ ##
+ rules: []
+## Pod Security Policy
+## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/
+## @param psp.create Whether to create a PodSecurityPolicy. WARNING: PodSecurityPolicy is deprecated in Kubernetes v1.21 or later, unavailable in v1.25 or later
+##
+psp:
+ create: false
+
+## @section Metrics Parameters
+##
+
+metrics:
+ ## @param metrics.enabled Start a prometheus exporter
+ ##
+ enabled: false
+ ## @param metrics.image.registry PostgreSQL Prometheus Exporter image registry
+ ## @param metrics.image.repository PostgreSQL Prometheus Exporter image repository
+ ## @param metrics.image.tag PostgreSQL Prometheus Exporter image tag (immutable tags are recommended)
+ ## @param metrics.image.digest PostgreSQL image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
+ ## @param metrics.image.pullPolicy PostgreSQL Prometheus Exporter image pull policy
+ ## @param metrics.image.pullSecrets Specify image pull secrets
+ ##
+ image:
+ registry: docker.io
+ repository: bitnami/postgres-exporter
+ digest: ""
+ pullPolicy: IfNotPresent
+ ## Optionally specify an array of imagePullSecrets.
+ ## Secrets must be manually created in the namespace.
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+ ## Example:
+ ## pullSecrets:
+ ## - myRegistryKeySecretName
+ ##
+ pullSecrets: []
+ ## @param metrics.customMetrics Define additional custom metrics
+ ## ref: https://github.com/wrouesnel/postgres_exporter#adding-new-metrics-via-a-config-file
+ ## customMetrics:
+ ## pg_database:
+ ## query: "SELECT d.datname AS name, CASE WHEN pg_catalog.has_database_privilege(d.datname, 'CONNECT') THEN pg_catalog.pg_database_size(d.datname) ELSE 0 END AS size_bytes FROM pg_catalog.pg_database d where datname not in ('template0', 'template1', 'postgres')"
+ ## metrics:
+ ## - name:
+ ## usage: "LABEL"
+ ## description: "Name of the database"
+ ## - size_bytes:
+ ## usage: "GAUGE"
+ ## description: "Size of the database in bytes"
+ ##
+ customMetrics: {}
+ ## @param metrics.extraEnvVars Extra environment variables to add to PostgreSQL Prometheus exporter
+ ## see: https://github.com/wrouesnel/postgres_exporter#environment-variables
+ ## For example:
+ ## extraEnvVars:
+ ## - name: PG_EXPORTER_DISABLE_DEFAULT_METRICS
+ ## value: "true"
+ ##
+ extraEnvVars: []
+ ## PostgreSQL Prometheus exporter containers' Security Context
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
+ ## @param metrics.containerSecurityContext.enabled Enable PostgreSQL Prometheus exporter containers' Security Context
+ ## @param metrics.containerSecurityContext.runAsUser Set PostgreSQL Prometheus exporter containers' Security Context runAsUser
+ ## @param metrics.containerSecurityContext.runAsNonRoot Set PostgreSQL Prometheus exporter containers' Security Context runAsNonRoot
+ ##
+ containerSecurityContext:
+ enabled: true
+ runAsUser: 1001
+ runAsNonRoot: true
+ ## Configure extra options for PostgreSQL Prometheus exporter containers' liveness, readiness and startup probes
+ ##
ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes
+ ## @param metrics.livenessProbe.enabled Enable livenessProbe on PostgreSQL Prometheus exporter containers
+ ## @param metrics.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
+ ## @param metrics.livenessProbe.periodSeconds Period seconds for livenessProbe
+ ## @param metrics.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
+ ## @param metrics.livenessProbe.failureThreshold Failure threshold for livenessProbe
+ ## @param metrics.livenessProbe.successThreshold Success threshold for livenessProbe
+ ##
+ livenessProbe:
+ enabled: true
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ timeoutSeconds: 5
+ failureThreshold: 6
+ successThreshold: 1
+ ## @param metrics.readinessProbe.enabled Enable readinessProbe on PostgreSQL Prometheus exporter containers
+ ## @param metrics.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
+ ## @param metrics.readinessProbe.periodSeconds Period seconds for readinessProbe
+ ## @param metrics.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
+ ## @param metrics.readinessProbe.failureThreshold Failure threshold for readinessProbe
+ ## @param metrics.readinessProbe.successThreshold Success threshold for readinessProbe
+ ##
+ readinessProbe:
+ enabled: true
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ timeoutSeconds: 5
+ failureThreshold: 6
+ successThreshold: 1
+ ## @param metrics.startupProbe.enabled Enable startupProbe on PostgreSQL Prometheus exporter containers
+ ## @param metrics.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
+ ## @param metrics.startupProbe.periodSeconds Period seconds for startupProbe
+ ## @param metrics.startupProbe.timeoutSeconds Timeout seconds for startupProbe
+ ## @param metrics.startupProbe.failureThreshold Failure threshold for startupProbe
+ ## @param
metrics.startupProbe.successThreshold Success threshold for startupProbe
+ ##
+ startupProbe:
+ enabled: false
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ timeoutSeconds: 1
+ failureThreshold: 15
+ successThreshold: 1
+ ## @param metrics.customLivenessProbe Custom livenessProbe that overrides the default one
+ ##
+ customLivenessProbe: {}
+ ## @param metrics.customReadinessProbe Custom readinessProbe that overrides the default one
+ ##
+ customReadinessProbe: {}
+ ## @param metrics.customStartupProbe Custom startupProbe that overrides the default one
+ ##
+ customStartupProbe: {}
+ ## @param metrics.containerPorts.metrics PostgreSQL Prometheus exporter metrics container port
+ ##
+ containerPorts:
+ metrics: 9187
+ ## PostgreSQL Prometheus exporter resource requests and limits
+ ## ref: https://kubernetes.io/docs/user-guide/compute-resources/
+ ## @param metrics.resources.limits The resources limits for the PostgreSQL Prometheus exporter container
+ ## @param metrics.resources.requests The requested resources for the PostgreSQL Prometheus exporter container
+ ##
+ resources:
+ limits: {}
+ requests: {}
+ ## Service configuration
+ ##
+ service:
+ ## @param metrics.service.ports.metrics PostgreSQL Prometheus Exporter service port
+ ##
+ ports:
+ metrics: 9187
+ ## @param metrics.service.clusterIP Static clusterIP or None for headless services
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address
+ ##
+ clusterIP: ""
+ ## @param metrics.service.sessionAffinity Control where client requests go, to the same pod or round-robin
+ ## Values: ClientIP or None
+ ## ref: https://kubernetes.io/docs/user-guide/services/
+ ##
+ sessionAffinity: None
+ ## @param metrics.service.annotations [object] Annotations for Prometheus to auto-discover the metrics endpoint
+ ##
+ annotations:
+ prometheus.io/scrape: "true"
+ prometheus.io/port: "{{ .Values.metrics.service.ports.metrics }}"
+ ## Prometheus Operator ServiceMonitor
configuration
+ ##
+ serviceMonitor:
+ ## @param metrics.serviceMonitor.enabled Create ServiceMonitor Resource for scraping metrics using Prometheus Operator
+ ##
+ enabled: false
+ ## @param metrics.serviceMonitor.namespace Namespace for the ServiceMonitor Resource (defaults to the Release Namespace)
+ ##
+ namespace: ""
+ ## @param metrics.serviceMonitor.interval Interval at which metrics should be scraped.
+ ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
+ ##
+ interval: ""
+ ## @param metrics.serviceMonitor.scrapeTimeout Timeout after which the scrape is ended
+ ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
+ ##
+ scrapeTimeout: ""
+ ## @param metrics.serviceMonitor.labels Additional labels that can be used so ServiceMonitor will be discovered by Prometheus
+ ##
+ labels: {}
+ ## @param metrics.serviceMonitor.selector Prometheus instance selector labels
+ ## ref: https://github.com/bitnami/charts/tree/main/bitnami/prometheus-operator#prometheus-configuration
+ ##
+ selector: {}
+ ## @param metrics.serviceMonitor.relabelings RelabelConfigs to apply to samples before scraping
+ ##
+ relabelings: []
+ ## @param metrics.serviceMonitor.metricRelabelings MetricRelabelConfigs to apply to samples before ingestion
+ ##
+ metricRelabelings: []
+ ## @param metrics.serviceMonitor.honorLabels Specify honorLabels parameter to add the scrape endpoint
+ ##
+ honorLabels: false
+ ## @param metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in prometheus.
+ ##
+ jobLabel: ""
+ ## Custom PrometheusRule to be defined
+ ## The value is evaluated as a template, so, for example, the value can depend on .Release or .Chart
+ ## ref: https://github.com/coreos/prometheus-operator#customresourcedefinitions
+ ##
+ prometheusRule:
+ ## @param metrics.prometheusRule.enabled Create a PrometheusRule for Prometheus Operator
+ ##
+ enabled: false
+ ## @param metrics.prometheusRule.namespace Namespace for the PrometheusRule Resource (defaults to the Release Namespace)
+ ##
+ namespace: ""
+ ## @param metrics.prometheusRule.labels Additional labels that can be used so PrometheusRule will be discovered by Prometheus
+ ##
+ labels: {}
+ ## @param metrics.prometheusRule.rules PrometheusRule definitions
+ ## Make sure to constraint the rules to the current postgresql service.
+ ## rules:
+ ## - alert: HugeReplicationLag
+ ## expr: pg_replication_lag{service="{{ printf "%s-metrics" (include "common.names.fullname" .) }}"} / 3600 > 1
+ ## for: 1m
+ ## labels:
+ ## severity: critical
+ ## annotations:
+ ## description: replication for {{ include "common.names.fullname" . }} PostgreSQL is lagging by {{ "{{ $value }}" }} hour(s).
+ ## summary: PostgreSQL replication is lagging by {{ "{{ $value }}" }} hour(s).
+ ##
+ rules: []
diff --git a/terraform/gitops/stateful-resources/templates/stateful-resources/values-redis.yaml.tpl b/terraform/gitops/stateful-resources/templates/stateful-resources/values-redis.yaml.tpl
new file mode 100644
index 000000000..d9ec07b5f
--- /dev/null
+++ b/terraform/gitops/stateful-resources/templates/stateful-resources/values-redis.yaml.tpl
@@ -0,0 +1,1667 @@
+## @section Global parameters
+## Global Docker image parameters
+## Please, note that this will override the image parameters, including dependencies, configured to use the global value
+## Current available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass
+##
+
+## @param global.imageRegistry Global Docker image registry
+## @param global.imagePullSecrets Global Docker registry secret names as an array
+## @param global.storageClass Global StorageClass for Persistent Volume(s)
+## @param global.redis.password Global Redis® password (overrides `auth.password`)
+##
+global:
+ imageRegistry: ""
+ ## E.g.
+ ## imagePullSecrets:
+ ## - myRegistryKeySecretName
+ ##
+ imagePullSecrets: []
+ storageClass: ${resource.local_resource_config.redis_data.storage_class_name}
+
+## @section Common parameters
+##
+
+## @param kubeVersion Override Kubernetes version
+##
+kubeVersion: ""
+## @param nameOverride String to partially override common.names.fullname
+##
+nameOverride: ${resource.resource_name}
+## @param fullnameOverride String to fully override common.names.fullname
+##
+fullnameOverride: ""
+## @param commonLabels Labels to add to all deployed objects
+##
+commonLabels: {}
+## @param commonAnnotations Annotations to add to all deployed objects
+##
+commonAnnotations: {}
+## @param secretAnnotations Annotations to add to secret
+##
+secretAnnotations: {}
+## @param clusterDomain Kubernetes cluster domain name
+##
+clusterDomain: cluster.local
+## @param extraDeploy Array of extra objects to deploy with the release
+##
+extraDeploy: []
+
+## Enable diagnostic mode in the deployment
+##
+diagnosticMode:
+ ## @param diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden)
+ ##
+ enabled: false
+ ## @param diagnosticMode.command Command to override all containers in the deployment
+ ##
+ command:
+ - sleep
+ ## @param diagnosticMode.args Args to override all containers
in the deployment
+ ##
+ args:
+ - infinity
+
+## @section Redis® Image parameters
+##
+
+## Bitnami Redis® image
+## ref: https://hub.docker.com/r/bitnami/redis/tags/
+## @param image.registry Redis® image registry
+## @param image.repository Redis® image repository
+## @param image.tag Redis® image tag (immutable tags are recommended)
+## @param image.digest Redis® image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
+## @param image.pullPolicy Redis® image pull policy
+## @param image.pullSecrets Redis® image pull secrets
+## @param image.debug Enable image debug mode
+##
+image:
+ registry: docker.io
+ repository: bitnami/redis
+ tag: 7.0.5-debian-11-r7
+ digest: ""
+ ## Specify a imagePullPolicy
+ ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
+ ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images
+ ##
+ pullPolicy: IfNotPresent
+ ## Optionally specify an array of imagePullSecrets.
+ ## Secrets must be manually created in the namespace.
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+ ## e.g:
+ ## pullSecrets:
+ ## - myRegistryKeySecretName
+ ##
+ pullSecrets: []
+ ## Enable debug mode
+ ##
+ debug: false
+
+## @section Redis® common configuration parameters
+## https://github.com/bitnami/containers/tree/main/bitnami/redis#configuration
+##
+
+## @param architecture Redis® architecture.
Allowed values: `standalone` or `replication`
+##
+architecture: ${resource.local_resource_config.redis_data.architecture}
+## Redis® Authentication parameters
+## ref: https://github.com/bitnami/containers/tree/main/bitnami/redis#setting-the-server-password-on-first-run
+##
+auth:
+ ## @param auth.enabled Enable password authentication
+ ## set to false until 3rd party supports auth
+ enabled: false
+ ## @param auth.sentinel Enable password authentication on sentinels too
+ ##
+ sentinel: true
+
+ ## @param auth.existingSecret The name of an existing secret with Redis® credentials
+ ## NOTE: When it's set, the previous `auth.password` parameter is ignored
+ ##
+ existingSecret: "${resource.local_resource_config.redis_data.existing_secret}"
+ ## @param auth.existingSecretPasswordKey Password key to be retrieved from existing secret
+ ## NOTE: ignored unless `auth.existingSecret` parameter is set
+ ##
+ existingSecretPasswordKey: "${resource.local_resource_config.redis_data.existing_secret_key}"
+ ## @param auth.usePasswordFiles Mount credentials as files instead of using an environment variable
+ ##
+ usePasswordFiles: false
+
+## @param commonConfiguration [string] Common configuration to be added into the ConfigMap
+## ref: https://redis.io/topics/config
+##
+commonConfiguration: |-
+ # Enable AOF https://redis.io/topics/persistence#append-only-file
+ appendonly yes
+ # Disable RDB persistence, AOF persistence already enabled.
+ save ""
+## @param existingConfigmap The name of an existing ConfigMap with your custom configuration for Redis® nodes
+##
+existingConfigmap: ""
+
+## @section Redis® master configuration parameters
+##
+
+master:
+ ## @param master.count Number of Redis® master instances to deploy (experimental, requires additional configuration)
+ ##
+ count: 1
+ ## @param master.configuration Configuration for Redis® master nodes
+ ## ref: https://redis.io/topics/config
+ ##
+ configuration: ""
+ ## @param master.disableCommands Array with Redis® commands to disable on master nodes
+ ## Commands will be completely disabled by renaming each to an empty string.
+ ## ref: https://redis.io/topics/security#disabling-of-specific-commands
+ ##
+ disableCommands:
+ - FLUSHDB
+ - FLUSHALL
+ ## @param master.command Override default container command (useful when using custom images)
+ ##
+ command: []
+ ## @param master.args Override default container args (useful when using custom images)
+ ##
+ args: []
+ ## @param master.preExecCmds Additional commands to run prior to starting Redis® master
+ ##
+ preExecCmds: []
+ ## @param master.extraFlags Array with additional command line flags for Redis® master
+ ## e.g:
+ ## extraFlags:
+ ## - "--maxmemory-policy volatile-ttl"
+ ## - "--repl-backlog-size 1024mb"
+ ##
+ extraFlags: []
+ ## @param master.extraEnvVars Array with extra environment variables to add to Redis® master nodes
+ ## e.g:
+ ## extraEnvVars:
+ ## - name: FOO
+ ## value: "bar"
+ ##
+ extraEnvVars: []
+ ## @param master.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for Redis® master nodes
+ ##
+ extraEnvVarsCM: ""
+ ## @param master.extraEnvVarsSecret Name of existing Secret containing extra env vars for Redis® master nodes
+ ##
+ extraEnvVarsSecret: ""
+ ## @param master.containerPorts.redis Container port to open on Redis® master nodes
+ ##
+ containerPorts:
+ redis: 6379
+ ## Configure extra options for Redis® containers' liveness and readiness
probes
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
+ ## @param master.startupProbe.enabled Enable startupProbe on Redis® master nodes
+ ## @param master.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
+ ## @param master.startupProbe.periodSeconds Period seconds for startupProbe
+ ## @param master.startupProbe.timeoutSeconds Timeout seconds for startupProbe
+ ## @param master.startupProbe.failureThreshold Failure threshold for startupProbe
+ ## @param master.startupProbe.successThreshold Success threshold for startupProbe
+ ##
+ startupProbe:
+ enabled: false
+ initialDelaySeconds: 20
+ periodSeconds: 5
+ timeoutSeconds: 5
+ successThreshold: 1
+ failureThreshold: 5
+ ## @param master.livenessProbe.enabled Enable livenessProbe on Redis® master nodes
+ ## @param master.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
+ ## @param master.livenessProbe.periodSeconds Period seconds for livenessProbe
+ ## @param master.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
+ ## @param master.livenessProbe.failureThreshold Failure threshold for livenessProbe
+ ## @param master.livenessProbe.successThreshold Success threshold for livenessProbe
+ ##
+ livenessProbe:
+ enabled: true
+ initialDelaySeconds: 20
+ periodSeconds: 5
+ timeoutSeconds: 5
+ successThreshold: 1
+ failureThreshold: 5
+ ## @param master.readinessProbe.enabled Enable readinessProbe on Redis® master nodes
+ ## @param master.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
+ ## @param master.readinessProbe.periodSeconds Period seconds for readinessProbe
+ ## @param master.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
+ ## @param master.readinessProbe.failureThreshold Failure threshold for readinessProbe
+ ## @param master.readinessProbe.successThreshold Success threshold for readinessProbe
+ ##
+ readinessProbe:
+ enabled: true
+
initialDelaySeconds: 20
+ periodSeconds: 5
+ timeoutSeconds: 1
+ successThreshold: 1
+ failureThreshold: 5
+ ## @param master.customStartupProbe Custom startupProbe that overrides the default one
+ ##
+ customStartupProbe: {}
+ ## @param master.customLivenessProbe Custom livenessProbe that overrides the default one
+ ##
+ customLivenessProbe: {}
+ ## @param master.customReadinessProbe Custom readinessProbe that overrides the default one
+ ##
+ customReadinessProbe: {}
+ ## Redis® master resource requests and limits
+ ## ref: https://kubernetes.io/docs/user-guide/compute-resources/
+ ## @param master.resources.limits The resources limits for the Redis® master containers
+ ## @param master.resources.requests The requested resources for the Redis® master containers
+ ##
+ resources:
+ limits: {}
+ requests: {}
+ ## Configure Pods Security Context
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
+ ## @param master.podSecurityContext.enabled Enabled Redis® master pods' Security Context
+ ## @param master.podSecurityContext.fsGroup Set Redis® master pod's Security Context fsGroup
+ ##
+ podSecurityContext:
+ enabled: true
+ fsGroup: 1001
+ ## Configure Container Security Context
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
+ ## @param master.containerSecurityContext.enabled Enabled Redis® master containers' Security Context
+ ## @param master.containerSecurityContext.runAsUser Set Redis® master containers' Security Context runAsUser
+ ##
+ containerSecurityContext:
+ enabled: true
+ runAsUser: 1001
+ ## @param master.kind Use either Deployment or StatefulSet (default)
+ ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/
+ ##
+ kind: StatefulSet
+ ## @param master.schedulerName Alternate scheduler for Redis® master pods
+ ## ref:
https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
+ ##
+ schedulerName: ""
+ ## @param master.updateStrategy.type Redis® master statefulset strategy type
+ ## @skip master.updateStrategy.rollingUpdate
+ ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies
+ ##
+ updateStrategy:
+ ## StrategyType
+ ## Can be set to RollingUpdate or OnDelete
+ ##
+ type: RollingUpdate
+ rollingUpdate: {}
+ ## @param master.priorityClassName Redis® master pods' priorityClassName
+ ##
+ priorityClassName: ""
+ ## @param master.hostAliases Redis® master pods host aliases
+ ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
+ ##
+ hostAliases: []
+ ## @param master.podLabels Extra labels for Redis® master pods
+ ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+ ##
+ podLabels: {}
+ ## @param master.podAnnotations Annotations for Redis® master pods
+ ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+ ##
+ podAnnotations: {}
+ ## @param master.shareProcessNamespace Share a single process namespace between all of the containers in Redis® master pods
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/share-process-namespace/
+ ##
+ shareProcessNamespace: false
+ ## @param master.podAffinityPreset Pod affinity preset. Ignored if `master.affinity` is set. Allowed values: `soft` or `hard`
+ ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
+ ##
+ podAffinityPreset: ""
+ ## @param master.podAntiAffinityPreset Pod anti-affinity preset. Ignored if `master.affinity` is set.
Allowed values: `soft` or `hard`
+ ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
+ ##
+ podAntiAffinityPreset: soft
+ ## Node master.affinity preset
+ ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
+ ##
+ nodeAffinityPreset:
+ ## @param master.nodeAffinityPreset.type Node affinity preset type. Ignored if `master.affinity` is set. Allowed values: `soft` or `hard`
+ ##
+ type: ""
+ ## @param master.nodeAffinityPreset.key Node label key to match. Ignored if `master.affinity` is set
+ ##
+ key: ""
+ ## @param master.nodeAffinityPreset.values Node label values to match. Ignored if `master.affinity` is set
+ ## E.g.
+ ## values:
+ ## - e2e-az1
+ ## - e2e-az2
+ ##
+ values: []
+ ## @param master.affinity Affinity for Redis® master pods assignment
+ ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
+ ## NOTE: `master.podAffinityPreset`, `master.podAntiAffinityPreset`, and `master.nodeAffinityPreset` will be ignored when it's set
+ ##
+ affinity: {}
+ ## @param master.nodeSelector Node labels for Redis® master pods assignment
+ ## ref: https://kubernetes.io/docs/user-guide/node-selection/
+ ##
+ nodeSelector: {}
+ ## @param master.tolerations Tolerations for Redis® master pods assignment
+ ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+ ##
+ tolerations: []
+ ## @param master.topologySpreadConstraints Spread Constraints for Redis® master pod assignment
+ ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
+ ## E.g.
+ ## topologySpreadConstraints:
+ ## - maxSkew: 1
+ ## topologyKey: node
+ ## whenUnsatisfiable: DoNotSchedule
+ ##
+ topologySpreadConstraints: []
+ ## @param master.dnsPolicy DNS Policy for Redis® master pod
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/
+ ## E.g.
+ ## dnsPolicy: ClusterFirst
+ dnsPolicy: ""
+ ## @param master.dnsConfig DNS Configuration for Redis® master pod
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/
+ ## E.g.
+ ## dnsConfig:
+ ## options:
+ ## - name: ndots
+ ## value: "4"
+ ## - name: single-request-reopen
+ dnsConfig: {}
+ ## @param master.lifecycleHooks for the Redis® master container(s) to automate configuration before or after startup
+ ##
+ lifecycleHooks: {}
+ ## @param master.extraVolumes Optionally specify extra list of additional volumes for the Redis® master pod(s)
+ ##
+ extraVolumes: []
+ ## @param master.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the Redis® master container(s)
+ ##
+ extraVolumeMounts: []
+ ## @param master.sidecars Add additional sidecar containers to the Redis® master pod(s)
+ ## e.g:
+ ## sidecars:
+ ## - name: your-image-name
+ ## image: your-image
+ ## imagePullPolicy: Always
+ ## ports:
+ ## - name: portname
+ ## containerPort: 1234
+ ##
+ sidecars: []
+ ## @param master.initContainers Add additional init containers to the Redis® master pod(s)
+ ## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
+ ## e.g:
+ ## initContainers:
+ ## - name: your-image-name
+ ## image: your-image
+ ## imagePullPolicy: Always
+ ## command: ['sh', '-c', 'echo "hello world"']
+ ##
+ initContainers: []
+ ## Persistence parameters
+ ## ref: https://kubernetes.io/docs/user-guide/persistent-volumes/
+ ##
+ persistence:
+ ## @param master.persistence.enabled Enable persistence on Redis® master nodes using Persistent Volume Claims
+ ##
+ enabled: true
+ ## @param master.persistence.medium Provide a medium for `emptyDir` volumes.
+ ##
+ medium: ""
+ ## @param master.persistence.sizeLimit Set this to enable a size limit for `emptyDir` volumes.
+ ##
+ sizeLimit: ""
+ ## @param master.persistence.path The path the volume will be mounted at on Redis® master containers
+ ## NOTE: Useful when using different Redis® images
+ ##
+ path: /data
+ ## @param master.persistence.subPath The subdirectory of the volume to mount on Redis® master containers
+ ## NOTE: Useful in dev environments
+ ##
+ subPath: ""
+ ## @param master.persistence.storageClass Persistent Volume storage class
+ ## If defined, storageClassName:
+ ## If set to "-", storageClassName: "", which disables dynamic provisioning
+ ## If undefined (the default) or set to null, no storageClassName spec is set, choosing the default provisioner
+ ##
+ storageClass: ""
+ ## @param master.persistence.accessModes Persistent Volume access modes
+ ##
+ accessModes:
+ - ReadWriteOnce
+ ## @param master.persistence.size Persistent Volume size
+ ##
+ size: ${resource.local_resource_config.redis_data.storage_size}
+ ## @param master.persistence.annotations Additional custom annotations for the PVC
+ ##
+ annotations: {}
+ ## @param master.persistence.selector Additional labels to match for the PVC
+ ## e.g:
+ ## selector:
+ ## matchLabels:
+ ## app: my-app
+ ##
+ selector: {}
+ ## @param master.persistence.dataSource Custom PVC data source
+ ##
+ dataSource: {}
+ ## @param master.persistence.existingClaim Use a existing PVC which must be created manually before bound
+ ## NOTE: requires master.persistence.enabled: true
+ ##
+ existingClaim: ""
+ ## Redis® master service parameters
+ ##
+ service:
+ ## @param master.service.type Redis® master service type
+ ##
+ type: ClusterIP
+ ## @param master.service.ports.redis Redis® master service port
+ ##
+ ports:
+ redis: ${resource.local_resource_config.redis_data.service_port}
+ ## @param master.service.nodePorts.redis Node port for Redis® master
+ ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
+ ## NOTE: choose port between <30000-32767>
+ ##
+ nodePorts:
+ redis: ""
+ ## @param
master.service.externalTrafficPolicy Redis® master service external traffic policy + ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + ## + externalTrafficPolicy: Cluster + ## @param master.service.extraPorts Extra ports to expose (normally used with the `sidecar` value) + ## + extraPorts: [] + ## @param master.service.internalTrafficPolicy Redis® master service internal traffic policy (requires Kubernetes v1.22 or greater to be usable) + ## ref: https://kubernetes.io/docs/concepts/services-networking/service-traffic-policy/ + ## + internalTrafficPolicy: Cluster + ## @param master.service.clusterIP Redis® master service Cluster IP + ## + clusterIP: "" + ## @param master.service.loadBalancerIP Redis® master service Load Balancer IP + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer + ## + loadBalancerIP: "" + ## @param master.service.loadBalancerSourceRanges Redis® master service Load Balancer sources + ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## e.g. 
+ ## loadBalancerSourceRanges: + ## - 10.10.10.0/24 + ## + loadBalancerSourceRanges: [] + ## @param master.service.annotations Additional custom annotations for Redis® master service + ## + annotations: {} + ## @param master.service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP" + ## If "ClientIP", consecutive client requests will be directed to the same Pod + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies + ## + sessionAffinity: None + ## @param master.service.sessionAffinityConfig Additional settings for the sessionAffinity + ## sessionAffinityConfig: + ## clientIP: + ## timeoutSeconds: 300 + ## + sessionAffinityConfig: {} + ## @param master.terminationGracePeriodSeconds Integer setting the termination grace period for the redis-master pods + ## + terminationGracePeriodSeconds: 30 + ## ServiceAccount configuration + ## + serviceAccount: + ## @param master.serviceAccount.create Specifies whether a ServiceAccount should be created + ## + create: false + ## @param master.serviceAccount.name The name of the ServiceAccount to use. 
+ ## If not set and create is true, a name is generated using the common.names.fullname template + ## + name: "" + ## @param master.serviceAccount.automountServiceAccountToken Whether to auto mount the service account token + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server + ## + automountServiceAccountToken: true + ## @param master.serviceAccount.annotations Additional custom annotations for the ServiceAccount + ## + annotations: {} + +## @section Redis® replicas configuration parameters +## + +replica: + ## @param replica.replicaCount Number of Redis® replicas to deploy + ## + replicaCount: ${resource.local_resource_config.redis_data.replica_count} + ## @param replica.configuration Configuration for Redis® replicas nodes + ## ref: https://redis.io/topics/config + ## + configuration: "" + ## @param replica.disableCommands Array with Redis® commands to disable on replicas nodes + ## Commands will be completely disabled by renaming each to an empty string. 
+ ## ref: https://redis.io/topics/security#disabling-of-specific-commands + ## + disableCommands: + - FLUSHDB + - FLUSHALL + ## @param replica.command Override default container command (useful when using custom images) + ## + command: [] + ## @param replica.args Override default container args (useful when using custom images) + ## + args: [] + ## @param replica.preExecCmds Additional commands to run prior to starting Redis® replicas + ## + preExecCmds: [] + ## @param replica.extraFlags Array with additional command line flags for Redis® replicas + ## e.g: + ## extraFlags: + ## - "--maxmemory-policy volatile-ttl" + ## - "--repl-backlog-size 1024mb" + ## + extraFlags: [] + ## @param replica.extraEnvVars Array with extra environment variables to add to Redis® replicas nodes + ## e.g: + ## extraEnvVars: + ## - name: FOO + ## value: "bar" + ## + extraEnvVars: [] + ## @param replica.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for Redis® replicas nodes + ## + extraEnvVarsCM: "" + ## @param replica.extraEnvVarsSecret Name of existing Secret containing extra env vars for Redis® replicas nodes + ## + extraEnvVarsSecret: "" + ## @param replica.externalMaster.enabled Use external master for bootstrapping + ## @param replica.externalMaster.host External master host to bootstrap from + ## @param replica.externalMaster.port Port for Redis service external master host + ## + externalMaster: + enabled: false + host: "" + port: 6379 + ## @param replica.containerPorts.redis Container port to open on Redis® replicas nodes + ## + containerPorts: + redis: 6379 + ## Configure extra options for Redis® containers' liveness and readiness probes + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes + ## @param replica.startupProbe.enabled Enable startupProbe on Redis® replicas nodes + ## @param replica.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe + ## @param 
replica.startupProbe.periodSeconds Period seconds for startupProbe + ## @param replica.startupProbe.timeoutSeconds Timeout seconds for startupProbe + ## @param replica.startupProbe.failureThreshold Failure threshold for startupProbe + ## @param replica.startupProbe.successThreshold Success threshold for startupProbe + ## + startupProbe: + enabled: true + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 22 + ## @param replica.livenessProbe.enabled Enable livenessProbe on Redis® replicas nodes + ## @param replica.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe + ## @param replica.livenessProbe.periodSeconds Period seconds for livenessProbe + ## @param replica.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe + ## @param replica.livenessProbe.failureThreshold Failure threshold for livenessProbe + ## @param replica.livenessProbe.successThreshold Success threshold for livenessProbe + ## + livenessProbe: + enabled: true + initialDelaySeconds: 20 + periodSeconds: 5 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 5 + ## @param replica.readinessProbe.enabled Enable readinessProbe on Redis® replicas nodes + ## @param replica.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe + ## @param replica.readinessProbe.periodSeconds Period seconds for readinessProbe + ## @param replica.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe + ## @param replica.readinessProbe.failureThreshold Failure threshold for readinessProbe + ## @param replica.readinessProbe.successThreshold Success threshold for readinessProbe + ## + readinessProbe: + enabled: true + initialDelaySeconds: 20 + periodSeconds: 5 + timeoutSeconds: 1 + successThreshold: 1 + failureThreshold: 5 + ## @param replica.customStartupProbe Custom startupProbe that overrides the default one + ## + customStartupProbe: {} + ## @param replica.customLivenessProbe Custom livenessProbe that 
overrides the default one + ## + customLivenessProbe: {} + ## @param replica.customReadinessProbe Custom readinessProbe that overrides the default one + ## + customReadinessProbe: {} + ## Redis® replicas resource requests and limits + ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## @param replica.resources.limits The resources limits for the Redis® replicas containers + ## @param replica.resources.requests The requested resources for the Redis® replicas containers + ## + resources: + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + limits: {} + # cpu: 250m + # memory: 256Mi + requests: {} + # cpu: 250m + # memory: 256Mi + ## Configure Pods Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + ## @param replica.podSecurityContext.enabled Enabled Redis® replicas pods' Security Context + ## @param replica.podSecurityContext.fsGroup Set Redis® replicas pod's Security Context fsGroup + ## + podSecurityContext: + enabled: true + fsGroup: 1001 + ## Configure Container Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + ## @param replica.containerSecurityContext.enabled Enabled Redis® replicas containers' Security Context + ## @param replica.containerSecurityContext.runAsUser Set Redis® replicas containers' Security Context runAsUser + ## + containerSecurityContext: + enabled: true + runAsUser: 1001 + ## @param replica.schedulerName Alternate scheduler for Redis® replicas pods + ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ + ## + 
schedulerName: "" + ## @param replica.updateStrategy.type Redis® replicas statefulset strategy type + ## @skip replica.updateStrategy.rollingUpdate + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies + ## + updateStrategy: + ## StrategyType + ## Can be set to RollingUpdate or OnDelete + ## + type: RollingUpdate + rollingUpdate: {} + ## @param replica.priorityClassName Redis® replicas pods' priorityClassName + ## + priorityClassName: "" + ## @param replica.podManagementPolicy podManagementPolicy to manage scaling operation of %%MAIN_CONTAINER_NAME%% pods + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#pod-management-policies + ## + podManagementPolicy: "" + ## @param replica.hostAliases Redis® replicas pods host aliases + ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ + ## + hostAliases: [] + ## @param replica.podLabels Extra labels for Redis® replicas pods + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + ## + podLabels: {} + ## @param replica.podAnnotations Annotations for Redis® replicas pods + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + ## + podAnnotations: {} + ## @param replica.shareProcessNamespace Share a single process namespace between all of the containers in Redis® replicas pods + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/share-process-namespace/ + ## + shareProcessNamespace: false + ## @param replica.podAffinityPreset Pod affinity preset. Ignored if `replica.affinity` is set. Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAffinityPreset: "" + ## @param replica.podAntiAffinityPreset Pod anti-affinity preset. Ignored if `replica.affinity` is set. 
Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAntiAffinityPreset: soft + ## Node affinity preset + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity + ## + nodeAffinityPreset: + ## @param replica.nodeAffinityPreset.type Node affinity preset type. Ignored if `replica.affinity` is set. Allowed values: `soft` or `hard` + ## + type: "" + ## @param replica.nodeAffinityPreset.key Node label key to match. Ignored if `replica.affinity` is set + ## + key: "" + ## @param replica.nodeAffinityPreset.values Node label values to match. Ignored if `replica.affinity` is set + ## E.g. + ## values: + ## - e2e-az1 + ## - e2e-az2 + ## + values: [] + ## @param replica.affinity Affinity for Redis® replicas pods assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## NOTE: `replica.podAffinityPreset`, `replica.podAntiAffinityPreset`, and `replica.nodeAffinityPreset` will be ignored when it's set + ## + affinity: {} + ## @param replica.nodeSelector Node labels for Redis® replicas pods assignment + ## ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: {} + ## @param replica.tolerations Tolerations for Redis® replicas pods assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + ## + tolerations: [] + ## @param replica.topologySpreadConstraints Spread Constraints for Redis® replicas pod assignment + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + ## E.g. + ## topologySpreadConstraints: + ## - maxSkew: 1 + ## topologyKey: node + ## whenUnsatisfiable: DoNotSchedule + ## + topologySpreadConstraints: [] + ## @param replica.dnsPolicy DNS Policy for Redis® replica pods + ## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/ + ## E.g. 
+ ## dnsPolicy: ClusterFirst + dnsPolicy: "" + ## @param replica.dnsConfig DNS Configuration for Redis® replica pods + ## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/ + ## E.g. + ## dnsConfig: + ## options: + ## - name: ndots + ## value: "4" + ## - name: single-request-reopen + dnsConfig: {} + ## @param replica.lifecycleHooks for the Redis® replica container(s) to automate configuration before or after startup + ## + lifecycleHooks: {} + ## @param replica.extraVolumes Optionally specify extra list of additional volumes for the Redis® replicas pod(s) + ## + extraVolumes: [] + ## @param replica.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the Redis® replicas container(s) + ## + extraVolumeMounts: [] + ## @param replica.sidecars Add additional sidecar containers to the Redis® replicas pod(s) + ## e.g: + ## sidecars: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## ports: + ## - name: portname + ## containerPort: 1234 + ## + sidecars: [] + ## @param replica.initContainers Add additional init containers to the Redis® replicas pod(s) + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ + ## e.g: + ## initContainers: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## command: ['sh', '-c', 'echo "hello world"'] + ## + initContainers: [] + ## Persistence Parameters + ## ref: https://kubernetes.io/docs/user-guide/persistent-volumes/ + ## + persistence: + ## @param replica.persistence.enabled Enable persistence on Redis® replicas nodes using Persistent Volume Claims + ## + enabled: true + ## @param replica.persistence.medium Provide a medium for `emptyDir` volumes. + ## + medium: "" + ## @param replica.persistence.sizeLimit Set this to enable a size limit for `emptyDir` volumes. 
+ ## + sizeLimit: "" + ## @param replica.persistence.path The path the volume will be mounted at on Redis® replicas containers + ## NOTE: Useful when using different Redis® images + ## + path: /data + ## @param replica.persistence.subPath The subdirectory of the volume to mount on Redis® replicas containers + ## NOTE: Useful in dev environments + ## + subPath: "" + ## @param replica.persistence.storageClass Persistent Volume storage class + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is set, choosing the default provisioner + ## + storageClass: "" + ## @param replica.persistence.accessModes Persistent Volume access modes + ## + accessModes: + - ReadWriteOnce + ## @param replica.persistence.size Persistent Volume size + ## + size: 8Gi + ## @param replica.persistence.annotations Additional custom annotations for the PVC + ## + annotations: {} + ## @param replica.persistence.selector Additional labels to match for the PVC + ## e.g: + ## selector: + ## matchLabels: + ## app: my-app + ## + selector: {} + ## @param replica.persistence.dataSource Custom PVC data source + ## + dataSource: {} + ## @param replica.persistence.existingClaim Use a existing PVC which must be created manually before bound + ## NOTE: requires replica.persistence.enabled: true + ## + existingClaim: "" + ## Redis® replicas service parameters + ## + service: + ## @param replica.service.type Redis® replicas service type + ## + type: ClusterIP + ## @param replica.service.ports.redis Redis® replicas service port + ## + ports: + redis: 6379 + ## @param replica.service.nodePorts.redis Node port for Redis® replicas + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + ## NOTE: choose port between <30000-32767> + ## + nodePorts: + redis: "" + ## @param replica.service.externalTrafficPolicy Redis® replicas service external traffic 
policy + ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + ## + externalTrafficPolicy: Cluster + ## @param replica.service.internalTrafficPolicy Redis® replicas service internal traffic policy (requires Kubernetes v1.22 or greater to be usable) + ## ref: https://kubernetes.io/docs/concepts/services-networking/service-traffic-policy/ + ## + internalTrafficPolicy: Cluster + ## @param replica.service.extraPorts Extra ports to expose (normally used with the `sidecar` value) + ## + extraPorts: [] + ## @param replica.service.clusterIP Redis® replicas service Cluster IP + ## + clusterIP: "" + ## @param replica.service.loadBalancerIP Redis® replicas service Load Balancer IP + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer + ## + loadBalancerIP: "" + ## @param replica.service.loadBalancerSourceRanges Redis® replicas service Load Balancer sources + ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## e.g. 
+ ## loadBalancerSourceRanges: + ## - 10.10.10.0/24 + ## + loadBalancerSourceRanges: [] + ## @param replica.service.annotations Additional custom annotations for Redis® replicas service + ## + annotations: {} + ## @param replica.service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP" + ## If "ClientIP", consecutive client requests will be directed to the same Pod + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies + ## + sessionAffinity: None + ## @param replica.service.sessionAffinityConfig Additional settings for the sessionAffinity + ## sessionAffinityConfig: + ## clientIP: + ## timeoutSeconds: 300 + ## + sessionAffinityConfig: {} + ## @param replica.terminationGracePeriodSeconds Integer setting the termination grace period for the redis-replicas pods + ## + terminationGracePeriodSeconds: 30 + ## Autoscaling configuration + ## + autoscaling: + ## @param replica.autoscaling.enabled Enable replica autoscaling settings + ## + enabled: false + ## @param replica.autoscaling.minReplicas Minimum replicas for the pod autoscaling + ## + minReplicas: 1 + ## @param replica.autoscaling.maxReplicas Maximum replicas for the pod autoscaling + ## + maxReplicas: 11 + ## @param replica.autoscaling.targetCPU Percentage of CPU to consider when autoscaling + ## + targetCPU: "" + ## @param replica.autoscaling.targetMemory Percentage of Memory to consider when autoscaling + ## + targetMemory: "" + ## ServiceAccount configuration + ## + serviceAccount: + ## @param replica.serviceAccount.create Specifies whether a ServiceAccount should be created + ## + create: false + ## @param replica.serviceAccount.name The name of the ServiceAccount to use. 
+ ## If not set and create is true, a name is generated using the common.names.fullname template + ## + name: "" + ## @param replica.serviceAccount.automountServiceAccountToken Whether to auto mount the service account token + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server + ## + automountServiceAccountToken: true + ## @param replica.serviceAccount.annotations Additional custom annotations for the ServiceAccount + ## + annotations: {} +## @section Redis® Sentinel configuration parameters +## + +sentinel: + ## @param sentinel.enabled Use Redis® Sentinel on Redis® pods. + ## IMPORTANT: this will disable the master and replicas services and + ## create a single Redis® service exposing both the Redis and Sentinel ports + ## + enabled: false + ## Bitnami Redis® Sentinel image version + ## ref: https://hub.docker.com/r/bitnami/redis-sentinel/tags/ + ## @param sentinel.image.registry Redis® Sentinel image registry + ## @param sentinel.image.repository Redis® Sentinel image repository + ## @param sentinel.image.tag Redis® Sentinel image tag (immutable tags are recommended) + ## @param sentinel.image.digest Redis® Sentinel image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag + ## @param sentinel.image.pullPolicy Redis® Sentinel image pull policy + ## @param sentinel.image.pullSecrets Redis® Sentinel image pull secrets + ## @param sentinel.image.debug Enable image debug mode + ## + image: + registry: docker.io + repository: bitnami/redis-sentinel + tag: 7.0.5-debian-11-r6 + digest: "" + ## Specify a imagePullPolicy + ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. 
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## e.g: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## Enable debug mode + ## + debug: false + ## @param sentinel.masterSet Master set name + ## + masterSet: mymaster + ## @param sentinel.quorum Sentinel Quorum + ## + quorum: 2 + ## @param sentinel.getMasterTimeout Amount of time to allow before get_sentinel_master_info() times out. + ## NOTE: This is directly related to the startupProbes which are configured to run every 10 seconds for a total of 22 failures. If adjusting this value, also adjust the startupProbes. + getMasterTimeout: 220 + ## @param sentinel.automateClusterRecovery Automate cluster recovery in cases where the last replica is not considered a good replica and Sentinel won't automatically failover to it. + ## This also prevents any new replica from starting until the last remaining replica is elected as master to guarantee that it is the one to be elected by Sentinel, and not a newly started replica with no data. + ## NOTE: This feature requires a "downAfterMilliseconds" value less or equal to 2000. 
+ ## + automateClusterRecovery: false + ## Sentinel timing restrictions + ## @param sentinel.downAfterMilliseconds Timeout for detecting a Redis® node is down + ## @param sentinel.failoverTimeout Timeout for performing a election failover + ## + downAfterMilliseconds: 60000 + failoverTimeout: 180000 + ## @param sentinel.parallelSyncs Number of replicas that can be reconfigured in parallel to use the new master after a failover + ## + parallelSyncs: 1 + ## @param sentinel.configuration Configuration for Redis® Sentinel nodes + ## ref: https://redis.io/topics/sentinel + ## + configuration: "" + ## @param sentinel.command Override default container command (useful when using custom images) + ## + command: [] + ## @param sentinel.args Override default container args (useful when using custom images) + ## + args: [] + ## @param sentinel.preExecCmds Additional commands to run prior to starting Redis® Sentinel + ## + preExecCmds: [] + ## @param sentinel.extraEnvVars Array with extra environment variables to add to Redis® Sentinel nodes + ## e.g: + ## extraEnvVars: + ## - name: FOO + ## value: "bar" + ## + extraEnvVars: [] + ## @param sentinel.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for Redis® Sentinel nodes + ## + extraEnvVarsCM: "" + ## @param sentinel.extraEnvVarsSecret Name of existing Secret containing extra env vars for Redis® Sentinel nodes + ## + extraEnvVarsSecret: "" + ## @param sentinel.externalMaster.enabled Use external master for bootstrapping + ## @param sentinel.externalMaster.host External master host to bootstrap from + ## @param sentinel.externalMaster.port Port for Redis service external master host + ## + externalMaster: + enabled: false + host: "" + port: 6379 + ## @param sentinel.containerPorts.sentinel Container port to open on Redis® Sentinel nodes + ## + containerPorts: + sentinel: 26379 + ## Configure extra options for Redis® containers' liveness and readiness probes + ## ref: 
https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes + ## @param sentinel.startupProbe.enabled Enable startupProbe on Redis® Sentinel nodes + ## @param sentinel.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe + ## @param sentinel.startupProbe.periodSeconds Period seconds for startupProbe + ## @param sentinel.startupProbe.timeoutSeconds Timeout seconds for startupProbe + ## @param sentinel.startupProbe.failureThreshold Failure threshold for startupProbe + ## @param sentinel.startupProbe.successThreshold Success threshold for startupProbe + ## + startupProbe: + enabled: true + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 22 + ## @param sentinel.livenessProbe.enabled Enable livenessProbe on Redis® Sentinel nodes + ## @param sentinel.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe + ## @param sentinel.livenessProbe.periodSeconds Period seconds for livenessProbe + ## @param sentinel.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe + ## @param sentinel.livenessProbe.failureThreshold Failure threshold for livenessProbe + ## @param sentinel.livenessProbe.successThreshold Success threshold for livenessProbe + ## + livenessProbe: + enabled: true + initialDelaySeconds: 20 + periodSeconds: 5 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 5 + ## @param sentinel.readinessProbe.enabled Enable readinessProbe on Redis® Sentinel nodes + ## @param sentinel.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe + ## @param sentinel.readinessProbe.periodSeconds Period seconds for readinessProbe + ## @param sentinel.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe + ## @param sentinel.readinessProbe.failureThreshold Failure threshold for readinessProbe + ## @param sentinel.readinessProbe.successThreshold Success threshold for readinessProbe + ## + 
readinessProbe: + enabled: true + initialDelaySeconds: 20 + periodSeconds: 5 + timeoutSeconds: 1 + successThreshold: 1 + failureThreshold: 5 + ## @param sentinel.customStartupProbe Custom startupProbe that overrides the default one + ## + customStartupProbe: {} + ## @param sentinel.customLivenessProbe Custom livenessProbe that overrides the default one + ## + customLivenessProbe: {} + ## @param sentinel.customReadinessProbe Custom readinessProbe that overrides the default one + ## + customReadinessProbe: {} + ## Persistence parameters + ## ref: https://kubernetes.io/docs/user-guide/persistent-volumes/ + ## + persistence: + ## @param sentinel.persistence.enabled Enable persistence on Redis® sentinel nodes using Persistent Volume Claims (Experimental) + ## + enabled: false + ## @param sentinel.persistence.storageClass Persistent Volume storage class + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is set, choosing the default provisioner + ## + storageClass: "" + ## @param sentinel.persistence.accessModes Persistent Volume access modes + ## + accessModes: + - ReadWriteOnce + ## @param sentinel.persistence.size Persistent Volume size + ## + size: 100Mi + ## @param sentinel.persistence.annotations Additional custom annotations for the PVC + ## + annotations: {} + ## @param sentinel.persistence.selector Additional labels to match for the PVC + ## e.g: + ## selector: + ## matchLabels: + ## app: my-app + ## + selector: {} + ## @param sentinel.persistence.dataSource Custom PVC data source + ## + dataSource: {} + ## @param sentinel.persistence.medium Provide a medium for `emptyDir` volumes. 
+ ## + medium: "" + ## Redis® Sentinel resource requests and limits + ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## @param sentinel.resources.limits The resources limits for the Redis® Sentinel containers + ## @param sentinel.resources.requests The requested resources for the Redis® Sentinel containers + ## + resources: + limits: {} + requests: {} + ## Configure Container Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + ## @param sentinel.containerSecurityContext.enabled Enabled Redis® Sentinel containers' Security Context + ## @param sentinel.containerSecurityContext.runAsUser Set Redis® Sentinel containers' Security Context runAsUser + ## + containerSecurityContext: + enabled: true + runAsUser: 1001 + ## @param sentinel.lifecycleHooks for the Redis® sentinel container(s) to automate configuration before or after startup + ## + lifecycleHooks: {} + ## @param sentinel.extraVolumes Optionally specify extra list of additional volumes for the Redis® Sentinel + ## + extraVolumes: [] + ## @param sentinel.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the Redis® Sentinel container(s) + ## + extraVolumeMounts: [] + ## Redis® Sentinel service parameters + ## + service: + ## @param sentinel.service.type Redis® Sentinel service type + ## + type: ClusterIP + ## @param sentinel.service.ports.redis Redis® service port for Redis® + ## @param sentinel.service.ports.sentinel Redis® service port for Redis® Sentinel + ## + ports: + redis: 6379 + sentinel: 26379 + ## @param sentinel.service.nodePorts.redis Node port for Redis® + ## @param sentinel.service.nodePorts.sentinel Node port for Sentinel + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + ## NOTE: choose port between <30000-32767> + ## NOTE: By leaving these values blank, they will be generated by ports-configmap + ## If setting manually, 
please leave at least replica.replicaCount + 1 in between sentinel.service.nodePorts.redis and sentinel.service.nodePorts.sentinel to take into account the ports that will be created while incrementing that base port + ## + nodePorts: + redis: "" + sentinel: "" + ## @param sentinel.service.externalTrafficPolicy Redis® Sentinel service external traffic policy + ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + ## + externalTrafficPolicy: Cluster + ## @param sentinel.service.extraPorts Extra ports to expose (normally used with the `sidecar` value) + ## + extraPorts: [] + ## @param sentinel.service.clusterIP Redis® Sentinel service Cluster IP + ## + clusterIP: "" + ## @param sentinel.service.loadBalancerIP Redis® Sentinel service Load Balancer IP + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer + ## + loadBalancerIP: "" + ## @param sentinel.service.loadBalancerSourceRanges Redis® Sentinel service Load Balancer sources + ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## e.g. 
+ ## loadBalancerSourceRanges: + ## - 10.10.10.0/24 + ## + loadBalancerSourceRanges: [] + ## @param sentinel.service.annotations Additional custom annotations for Redis® Sentinel service + ## + annotations: {} + ## @param sentinel.service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP" + ## If "ClientIP", consecutive client requests will be directed to the same Pod + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies + ## + sessionAffinity: None + ## @param sentinel.service.sessionAffinityConfig Additional settings for the sessionAffinity + ## sessionAffinityConfig: + ## clientIP: + ## timeoutSeconds: 300 + ## + sessionAffinityConfig: {} + ## @param sentinel.terminationGracePeriodSeconds Integer setting the termination grace period for the redis-node pods + ## + terminationGracePeriodSeconds: 30 + +## @section Other Parameters +## + +## Network Policy configuration +## ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ +## +networkPolicy: + ## @param networkPolicy.enabled Enable creation of NetworkPolicy resources + ## + enabled: false + ## @param networkPolicy.allowExternal Don't require client label for connections + ## When set to false, only pods with the correct client label will have network access to the ports + ## Redis® is listening on. When true, Redis® will accept connections from any source + ## (with the correct destination port). 
+ ## + allowExternal: true + ## @param networkPolicy.extraIngress Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraIngress: + ## - ports: + ## - port: 1234 + ## from: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + ## + extraIngress: [] + ## @param networkPolicy.extraEgress Add extra egress rules to the NetworkPolicy + ## e.g: + ## extraEgress: + ## - ports: + ## - port: 1234 + ## to: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + ## + extraEgress: [] + ## @param networkPolicy.ingressNSMatchLabels Labels to match to allow traffic from other namespaces + ## @param networkPolicy.ingressNSPodMatchLabels Pod labels to match to allow traffic from other namespaces + ## + ingressNSMatchLabels: {} + ingressNSPodMatchLabels: {} +## PodSecurityPolicy configuration +## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/ +## +podSecurityPolicy: + ## @param podSecurityPolicy.create Whether to create a PodSecurityPolicy. WARNING: PodSecurityPolicy is deprecated in Kubernetes v1.21 or later, unavailable in v1.25 or later + ## + create: false + ## @param podSecurityPolicy.enabled Enable PodSecurityPolicy's RBAC rules + ## + enabled: false +## RBAC configuration +## +rbac: + ## @param rbac.create Specifies whether RBAC resources should be created + ## + create: false + ## @param rbac.rules Custom RBAC rules to set + ## e.g: + ## rules: + ## - apiGroups: + ## - "" + ## resources: + ## - pods + ## verbs: + ## - get + ## - list + ## + rules: [] +## ServiceAccount configuration +## +serviceAccount: + ## @param serviceAccount.create Specifies whether a ServiceAccount should be created + ## + create: true + ## @param serviceAccount.name The name of the ServiceAccount to use. 
+ ## If not set and create is true, a name is generated using the common.names.fullname template + ## + name: "" + ## @param serviceAccount.automountServiceAccountToken Whether to auto mount the service account token + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server + ## + automountServiceAccountToken: true + ## @param serviceAccount.annotations Additional custom annotations for the ServiceAccount + ## + annotations: {} +## Redis® Pod Disruption Budget configuration +## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ +## +pdb: + ## @param pdb.create Specifies whether a PodDisruptionBudget should be created + ## + create: false + ## @param pdb.minAvailable Min number of pods that must still be available after the eviction + ## + minAvailable: 1 + ## @param pdb.maxUnavailable Max number of pods that can be unavailable after the eviction + ## + maxUnavailable: "" +## TLS configuration +## +tls: + ## @param tls.enabled Enable TLS traffic + ## + enabled: false + ## @param tls.authClients Require clients to authenticate + ## + authClients: true + ## @param tls.autoGenerated Enable autogenerated certificates + ## + autoGenerated: false + ## @param tls.existingSecret The name of the existing secret that contains the TLS certificates + ## + existingSecret: "" + ## @param tls.certificatesSecret DEPRECATED. Use existingSecret instead. 
+ ## + certificatesSecret: "" + ## @param tls.certFilename Certificate filename + ## + certFilename: "" + ## @param tls.certKeyFilename Certificate Key filename + ## + certKeyFilename: "" + ## @param tls.certCAFilename CA Certificate filename + ## + certCAFilename: "" + ## @param tls.dhParamsFilename File containing DH params (in order to support DH based ciphers) + ## + dhParamsFilename: "" + +## @section Metrics Parameters +## + +metrics: + ## @param metrics.enabled Start a sidecar prometheus exporter to expose Redis® metrics + ## + enabled: true + ## Bitnami Redis® Exporter image + ## ref: https://hub.docker.com/r/bitnami/redis-exporter/tags/ + ## @param metrics.image.registry Redis® Exporter image registry + ## @param metrics.image.repository Redis® Exporter image repository + ## @param metrics.image.tag Redis® Exporter image tag (immutable tags are recommended) + ## @param metrics.image.digest Redis® Exporter image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag + ## @param metrics.image.pullPolicy Redis® Exporter image pull policy + ## @param metrics.image.pullSecrets Redis® Exporter image pull secrets + ## + image: + registry: docker.io + repository: bitnami/redis-exporter + tag: 1.44.0-debian-11-r16 + digest: "" + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. 
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## e.g: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## @param metrics.command Override default metrics container init command (useful when using custom images) + ## + command: [] + ## @param metrics.redisTargetHost A way to specify an alternative Redis® hostname + ## Useful for certificate CN/SAN matching + ## + redisTargetHost: "localhost" + ## @param metrics.extraArgs Extra arguments for Redis® exporter, for example: + ## e.g.: + ## extraArgs: + ## check-keys: myKey,myOtherKey + ## + extraArgs: {} + ## @param metrics.extraEnvVars Array with extra environment variables to add to Redis® exporter + ## e.g: + ## extraEnvVars: + ## - name: FOO + ## value: "bar" + ## + extraEnvVars: [] + ## Configure Container Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod + ## @param metrics.containerSecurityContext.enabled Enabled Redis® exporter containers' Security Context + ## @param metrics.containerSecurityContext.runAsUser Set Redis® exporter containers' Security Context runAsUser + ## + containerSecurityContext: + enabled: true + runAsUser: 1001 + ## @param metrics.extraVolumes Optionally specify extra list of additional volumes for the Redis® metrics sidecar + ## + extraVolumes: [] + ## @param metrics.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the Redis® metrics sidecar + ## + extraVolumeMounts: [] + ## Redis® exporter resource requests and limits + ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## @param metrics.resources.limits The resources limits for the Redis® exporter container + ## @param metrics.resources.requests The requested resources for the Redis® exporter container + ## + resources: + limits: {} + requests: {} + ## @param metrics.podLabels Extra labels for Redis® exporter pods + ## ref: 
https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + ## + podLabels: {} + ## @param metrics.podAnnotations [object] Annotations for Redis® exporter pods + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + ## + podAnnotations: + prometheus.io/scrape: "true" + prometheus.io/port: "9121" + ## Redis® exporter service parameters + ## + service: + ## @param metrics.service.type Redis® exporter service type + ## + type: ClusterIP + ## @param metrics.service.port Redis® exporter service port + ## + port: 9121 + ## @param metrics.service.externalTrafficPolicy Redis® exporter service external traffic policy + ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + ## + externalTrafficPolicy: Cluster + ## @param metrics.service.extraPorts Extra ports to expose (normally used with the `sidecar` value) + ## + extraPorts: [] + ## @param metrics.service.loadBalancerIP Redis® exporter service Load Balancer IP + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer + ## + loadBalancerIP: "" + ## @param metrics.service.loadBalancerSourceRanges Redis® exporter service Load Balancer sources + ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## e.g. 
+ ## loadBalancerSourceRanges: + ## - 10.10.10.0/24 + ## + loadBalancerSourceRanges: [] + ## @param metrics.service.annotations Additional custom annotations for Redis® exporter service + ## + annotations: {} + ## Prometheus Service Monitor + ## ref: https://github.com/coreos/prometheus-operator + ## https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint + ## + serviceMonitor: + ## @param metrics.serviceMonitor.enabled Create ServiceMonitor resource(s) for scraping metrics using PrometheusOperator + ## + enabled: true + ## @param metrics.serviceMonitor.namespace The namespace in which the ServiceMonitor will be created + ## + namespace: "" + ## @param metrics.serviceMonitor.interval The interval at which metrics should be scraped + ## + interval: 30s + ## @param metrics.serviceMonitor.scrapeTimeout The timeout after which the scrape is ended + ## + scrapeTimeout: "" + ## @param metrics.serviceMonitor.relabellings Metrics RelabelConfigs to apply to samples before scraping. + ## + relabellings: [] + ## @param metrics.serviceMonitor.metricRelabelings Metrics RelabelConfigs to apply to samples before ingestion. 
+ ## + metricRelabelings: [] + ## @param metrics.serviceMonitor.honorLabels Specify honorLabels parameter to add the scrape endpoint + ## + honorLabels: false + ## @param metrics.serviceMonitor.additionalLabels Additional labels that can be used so ServiceMonitor resource(s) can be discovered by Prometheus + ## + additionalLabels: {} + ## @param metrics.serviceMonitor.podTargetLabels Labels from the Kubernetes pod to be transferred to the created metrics + ## + podTargetLabels: [] + ## Custom PrometheusRule to be defined + ## ref: https://github.com/coreos/prometheus-operator#customresourcedefinitions + ## + prometheusRule: + ## @param metrics.prometheusRule.enabled Create a custom prometheusRule Resource for scraping metrics using PrometheusOperator + ## + enabled: false + ## @param metrics.prometheusRule.namespace The namespace in which the prometheusRule will be created + ## + namespace: "" + ## @param metrics.prometheusRule.additionalLabels Additional labels for the prometheusRule + ## + additionalLabels: {} + ## @param metrics.prometheusRule.rules Custom Prometheus rules + ## e.g: + ## rules: + ## - alert: RedisDown + ## expr: redis_up{service="{{ template "common.names.fullname" . }}-metrics"} == 0 + ## for: 2m + ## labels: + ## severity: error + ## annotations: + ## summary: Redis® instance {{ "{{ $labels.instance }}" }} down + ## description: Redis® instance {{ "{{ $labels.instance }}" }} is down + ## - alert: RedisMemoryHigh + ## expr: > + ## redis_memory_used_bytes{service="{{ template "common.names.fullname" . }}-metrics"} * 100 + ## / + ## redis_memory_max_bytes{service="{{ template "common.names.fullname" . }}-metrics"} + ## > 90 + ## for: 2m + ## labels: + ## severity: error + ## annotations: + ## summary: Redis® instance {{ "{{ $labels.instance }}" }} is using too much memory + ## description: | + ## Redis® instance {{ "{{ $labels.instance }}" }} is using {{ "{{ $value }}" }}% of its available memory. 
+ ## - alert: RedisKeyEviction + ## expr: | + ## increase(redis_evicted_keys_total{service="{{ template "common.names.fullname" . }}-metrics"}[5m]) > 0 + ## for: 1s + ## labels: + ## severity: error + ## annotations: + ## summary: Redis® instance {{ "{{ $labels.instance }}" }} has evicted keys + ## description: | + ## Redis® instance {{ "{{ $labels.instance }}" }} has evicted {{ "{{ $value }}" }} keys in the last 5 minutes. + ## + rules: [] + +## @section Init Container Parameters +## + +## 'volumePermissions' init container parameters +## Changes the owner and group of the persistent volume mount point to runAsUser:fsGroup values +## based on the *podSecurityContext/*containerSecurityContext parameters +## +volumePermissions: + ## @param volumePermissions.enabled Enable init container that changes the owner/group of the PV mount point to `runAsUser:fsGroup` + ## + enabled: false + ## Bitnami Shell image + ## ref: https://hub.docker.com/r/bitnami/bitnami-shell/tags/ + ## @param volumePermissions.image.registry Bitnami Shell image registry + ## @param volumePermissions.image.repository Bitnami Shell image repository + ## @param volumePermissions.image.tag Bitnami Shell image tag (immutable tags are recommended) + ## @param volumePermissions.image.digest Bitnami Shell image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag + ## @param volumePermissions.image.pullPolicy Bitnami Shell image pull policy + ## @param volumePermissions.image.pullSecrets Bitnami Shell image pull secrets + ## + image: + registry: docker.io + repository: bitnami/bitnami-shell + tag: 11-debian-11-r40 + digest: "" + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. 
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## e.g: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## Init container's resource requests and limits + ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## @param volumePermissions.resources.limits The resources limits for the init container + ## @param volumePermissions.resources.requests The requested resources for the init container + ## + resources: + limits: {} + requests: {} + ## Init container Container Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + ## @param volumePermissions.containerSecurityContext.runAsUser Set init container's Security Context runAsUser + ## NOTE: when runAsUser is set to special value "auto", init container will try to chown the + ## data folder to auto-determined user&group, using commands: `id -u`:`id -G | cut -d" " -f2` + ## "auto" is especially useful for OpenShift which has scc with dynamic user ids (and 0 is not allowed) + ## + containerSecurityContext: + runAsUser: 0 + +## init-sysctl container parameters +## used to perform sysctl operation to modify Kernel settings (needed sometimes to avoid warnings) +## +sysctl: + ## @param sysctl.enabled Enable init container to modify Kernel settings + ## + enabled: false + ## Bitnami Shell image + ## ref: https://hub.docker.com/r/bitnami/bitnami-shell/tags/ + ## @param sysctl.image.registry Bitnami Shell image registry + ## @param sysctl.image.repository Bitnami Shell image repository + ## @param sysctl.image.tag Bitnami Shell image tag (immutable tags are recommended) + ## @param sysctl.image.digest Bitnami Shell image digest in the way sha256:aa.... 
Please note this parameter, if set, will override the tag + ## @param sysctl.image.pullPolicy Bitnami Shell image pull policy + ## @param sysctl.image.pullSecrets Bitnami Shell image pull secrets + ## + image: + registry: docker.io + repository: bitnami/bitnami-shell + tag: 11-debian-11-r40 + digest: "" + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## e.g: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## @param sysctl.command Override default init-sysctl container command (useful when using custom images) + ## + command: [] + ## @param sysctl.mountHostSys Mount the host `/sys` folder to `/host-sys` + ## + mountHostSys: false + ## Init container's resource requests and limits + ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## @param sysctl.resources.limits The resources limits for the init container + ## @param sysctl.resources.requests The requested resources for the init container + ## + resources: + limits: {} + requests: {} + +## @section useExternalDNS Parameters +## +## @param useExternalDNS.enabled Enable various syntax that would enable external-dns to work. Note this requires a working installation of `external-dns` to be usable. +## @param useExternalDNS.additionalAnnotations Extra annotations to be utilized when `external-dns` is enabled. +## @param useExternalDNS.annotationKey The annotation key utilized when `external-dns` is enabled. Setting this to `false` will disable annotations. +## @param useExternalDNS.suffix The DNS suffix utilized when `external-dns` is enabled. Note that we prepend the suffix with the full name of the release. 
+## +useExternalDNS: + enabled: false + suffix: "" + annotationKey: external-dns.alpha.kubernetes.io/ + additionalAnnotations: {} + +volumePermissions: + ## @param volumePermissions.enabled Enable init container that changes the owner and group of the persistent volume(s) mountpoint to `runAsUser:fsGroup` + ## + enabled: true diff --git a/terraform/gitops/stateful-resources/templates/stateful-resources/vault-crs.yaml.tpl b/terraform/gitops/stateful-resources/templates/stateful-resources/vault-crs.yaml.tpl new file mode 100644 index 000000000..44f1a482b --- /dev/null +++ b/terraform/gitops/stateful-resources/templates/stateful-resources/vault-crs.yaml.tpl 
@@ -0,0 +1,85 @@
+%{ if resource.local_resource_config.generate_secret_name != null ~}
+apiVersion: redhatcop.redhat.io/v1alpha1
+kind: PasswordPolicy
+metadata:
+ name: ${resource.resource_type}-${resource.resource_name}-policy
+ namespace: ${resource.local_resource_config.resource_namespace}
+ annotations:
+ argocd.argoproj.io/sync-wave: "-3"
+spec:
+ # Add fields here
+ authentication:
+ path: kubernetes
+ role: policy-admin
+ serviceAccount:
+ name: default
+ passwordPolicy: |
+ length = 20
+ rule "charset" {
+ charset = "abcdefghijklmnopqrstuvwxyz"
+ min-chars = 1
+ }
+ rule "charset" {
+ charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
+ min-chars = 1
+ }
+ rule "charset" {
+ charset = "0123456789"
+ min-chars = 1
+ }
+ rule "charset" {
+ charset = "${try(resource.local_resource_config.generate_secret_special_chars, "!@#$%^&*")}"
+ min-chars = 1
+ }
+---
+%{ for key in resource.local_resource_config.generate_secret_keys ~}
+apiVersion: redhatcop.redhat.io/v1alpha1
+kind: RandomSecret
+metadata:
+ name: ${resource.local_resource_config.generate_secret_name}-${key}
+ namespace: ${resource.local_resource_config.resource_namespace}
+ annotations:
+ argocd.argoproj.io/sync-wave: "-3"
+spec:
+ authentication:
+ path: kubernetes
+ role: policy-admin
+ serviceAccount:
+ name: default
+ isKVSecretsEngineV2: false
+ path: ${resource.local_resource_config.generate_secret_vault_base_path}/${resource.resource_name}
+ secretKey: password
+ secretFormat:
+ passwordPolicyName: ${resource.resource_type}-${resource.resource_name}-policy
+---
+%{ endfor ~}
+%{ for ns in concat([resource.local_resource_config.resource_namespace], resource.local_resource_config.generate_secret_extra_namespaces) ~}
+apiVersion: redhatcop.redhat.io/v1alpha1
+kind: VaultSecret
+metadata:
+ name: ${resource.local_resource_config.generate_secret_name}
+ namespace: ${ns}
+ annotations:
+ argocd.argoproj.io/sync-wave: "-3"
+spec:
+ refreshPeriod: 1m0s
+ vaultSecretDefinitions:
+%{ for key in resource.local_resource_config.generate_secret_keys ~}
+ - authentication:
+ path: kubernetes
+ role: policy-admin
+ serviceAccount:
+ name: default
+ name: dynamicsecret_${replace(key, "-", "_")}
+ path: ${resource.local_resource_config.generate_secret_vault_base_path}/${resource.resource_name}/${resource.local_resource_config.generate_secret_name}-${key}
+%{ endfor ~}
+ output:
+ name: ${resource.local_resource_config.generate_secret_name}
+ stringData:
+%{ for key in resource.local_resource_config.generate_secret_keys ~}
+ ${key}: '{{ .dynamicsecret_${replace(key, "-", "_")}.password }}'
+%{ endfor ~}
+ type: Opaque
+---
+%{ endfor ~}
+%{ endif ~}
\ No newline at end of file
diff --git a/terraform/gitops/vnext/mcm.tf b/terraform/gitops/vnext/mcm.tf
index 25006b35e..e11a6954f 100644
--- a/terraform/gitops/vnext/mcm.tf
+++ b/terraform/gitops/vnext/mcm.tf
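Review bot: Every Vault authentication stanza in this template binds to the namespace's `default` ServiceAccount (`serviceAccount:` / `name: default` under the PasswordPolicy, each RandomSecret and every VaultSecret definition), and the VaultSecret is additionally emitted into each namespace in `generate_secret_extra_namespaces`, so the `policy-admin` Kubernetes auth role ends up trusting the default ServiceAccount of every one of those namespaces and any workload there that runs under the default ServiceAccount holds a Vault identity with that role. A dedicated ServiceAccount per namespace, supplied from the resource config instead of the literal `default`, keeps the role's bound ServiceAccount list to the operator's own identity and is the least-privilege shape for this. Separately, the fourth `rule "charset"` interpolates `generate_secret_special_chars` straight into an HCL double-quoted string inside the `passwordPolicy: |` block, so a configured value containing `"` or `\` produces an invalid policy; either document that restriction next to the `try(...)` or escape the value before interpolation. The `\ No newline at end of file` marker shows the template is missing its trailing newline.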
@@ -2,12 +2,12 @@ module "generate_mcm_files" {
 source = "../generate-files"
 var_map = {
 mcm_enabled = var.mcm_enabled
- db_password_secret = local.stateful_resources[local.mcm_resource_index].logical_service_config.user_password_secret
- db_password_secret_key = local.stateful_resources[local.mcm_resource_index].logical_service_config.user_password_secret_key
- db_user = local.stateful_resources[local.mcm_resource_index].logical_service_config.username
- db_schema = local.stateful_resources[local.mcm_resource_index].logical_service_config.database_name
- db_port = local.stateful_resources[local.mcm_resource_index].logical_service_config.logical_service_port
- db_host = "${local.stateful_resources[local.mcm_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local"
+ db_password_secret = module.vnext_stateful_resources.stateful_resources[local.mcm_resource_index].logical_service_config.user_password_secret
+ db_password_secret_key = module.vnext_stateful_resources.stateful_resources[local.mcm_resource_index].logical_service_config.user_password_secret_key
+ db_user = module.vnext_stateful_resources.stateful_resources[local.mcm_resource_index].logical_service_config.username
+ db_schema = module.vnext_stateful_resources.stateful_resources[local.mcm_resource_index].logical_service_config.database_name
+ db_port = module.vnext_stateful_resources.stateful_resources[local.mcm_resource_index].logical_service_config.logical_service_port
+ db_host = "${module.vnext_stateful_resources.stateful_resources[local.mcm_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local"
 mcm_public_fqdn = var.mcm_public_fqdn
 env_name = var.cluster_name
 env_cn = var.public_subdomain
@@ -214,7 +214,7 @@ variable "mcm_public_fqdn" {
 locals {
 mcm_template_path = "${path.module}/../generate-files/templates/mcm"
 mcm_app_file = "mcm-app.yaml"
- mcm_resource_index = index(local.stateful_resources.*.resource_name, "mcm-db")
+ mcm_resource_index = index(module.vnext_stateful_resources.stateful_resources.*.resource_name, "mcm-db")
 mcm_wildcard_gateway = var.mcm_ingress_internal_lb ? "internal" : "external"
 dfsp_client_cert_bundle = "${local.onboarding_secret_path}_pm4mls"
 dfsp_internal_whitelist_secret = "${local.whitelist_secret_path}_pm4mls"
diff --git a/terraform/gitops/vnext/providers.tf b/terraform/gitops/vnext/providers.tf
index 963a4388c..0bf3cf34b 100644
--- a/terraform/gitops/vnext/providers.tf
+++ b/terraform/gitops/vnext/providers.tf
@@ -1,10 +1,9 @@
-terraform {
-
+terraform {
+
 required_providers {
 gitlab = {
- source = "gitlabhq/gitlab"
+ source = "gitlabhq/gitlab"
 version = "~> 16.0"
 }
- vault = "~> 3.16"
 }
-}
\ No newline at end of file
+}
diff --git a/terraform/gitops/vnext/stateful-resources-config.tf b/terraform/gitops/vnext/stateful-resources-config.tf
index ed842987a..a07ca2c8a 100644
--- a/terraform/gitops/vnext/stateful-resources-config.tf
+++ b/terraform/gitops/vnext/stateful-resources-config.tf
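Review bot: Removing `vault = "~> 3.16"` from `required_providers` leaves the Vault provider with no version constraint in this root module, while the tree presumably still depends on it: the `data "vault_generic_secret"` block deleted in the stateful-resources-config.tf hunk below is replaced by the new `../stateful-resources` module rather than by dropping Vault access altogether. If that module declares its own `required_providers` entry for `hashicorp/vault` the root constraint is merely redundant; if it does not, Terraform infers `hashicorp/vault` unconstrained and the lockfile becomes the only pin. Keeping `vault = { source = "hashicorp/vault", version = "~> 3.16" }` here, in block form instead of the legacy bare-string constraint, makes the intended version explicit either way. The re-added `terraform {` and `source = "gitlabhq/gitlab"` lines appear to differ from the removed ones only in whitespace, which is worth a mention in the commit message so the churn is not mistaken for a semantic change.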
@@ -1,116 +1,35 @@
-resource "local_file" "chart_values" {
- for_each = { for stateful_resource in local.local_stateful_resources : stateful_resource.resource_name => stateful_resource }
-
- content = templatefile("${local.stateful_resources_template_path}/${each.value.local_resource_config.resource_helm_values_ref}", {
- resource = each.value
- })
- filename = "${local.stateful_resources_output_path}/values-${each.value.local_resource_config.resource_helm_chart}-${each.value.resource_name}.yaml"
-}
-
-resource "local_file" "vault_crs" {
- for_each = { for stateful_resource in local.local_stateful_resources : stateful_resource.resource_name => stateful_resource }
-
- content = templatefile("${local.stateful_resources_template_path}/vault-crs.yaml.tpl", {
- resource = each.value
- })
- filename = "${local.stateful_resources_output_path}/vault-crs-${each.value.resource_name}.yaml"
-}
-
-resource "local_file" "managed_crs" {
- for_each = local.managed_resource_password_map
-
- content = templatefile("${local.stateful_resources_template_path}/managed-crs.yaml.tpl", {
- password_map = each.value
- })
- filename = "${local.stateful_resources_output_path}/managed-crs-${each.key}.yaml"
-}
-
-resource "local_file" "external_name_services" {
- content = templatefile("${local.stateful_resources_template_path}/external-name-services.yaml.tpl",
- { config = local.external_name_map
- stateful_resources_namespace = var.stateful_resources_namespace
- })
- filename = "${local.stateful_resources_output_path}/external-name-services.yaml"
-}
-
-resource "local_file" "kustomization" {
- content = templatefile("${local.stateful_resources_template_path}/stateful-resources-kustomization.yaml.tpl",
- { local_stateful_resources = local.local_stateful_resources
- managed_stateful_resources = local.managed_stateful_resources
- })
- filename = "${local.stateful_resources_output_path}/kustomization.yaml"
-}
-
-resource "local_file" "namespace" {
- content = templatefile("${local.stateful_resources_template_path}/namespace.yaml.tpl",
- {
- all_ns = distinct(concat(local.all_logical_extra_namespaces, local.all_local_namespaces, local.all_local_extra_namespaces))
- })
- filename = "${local.stateful_resources_output_path}/namespace.yaml"
-}
-
-resource "local_file" "stateful-resources-app-file" {
- content = templatefile("${local.stateful_resources_template_path}/app/${local.stateful_resources_app_file}.tpl", local.stateful_resources_vars)
- filename = "${local.app_stateful_resources_output_path}/${local.stateful_resources_name}-${local.stateful_resources_app_file}"
-}
-
-locals {
- stateful_resources_name = "vnext"
- stateful_resources_template_path = "${path.module}/../generate-files/templates/stateful-resources"
- stateful_resources_output_path = "${var.output_dir}/${local.stateful_resources_name}-stateful-resources"
- stateful_resources_app_file = "stateful-resources-app.yaml"
- app_stateful_resources_output_path = "${var.output_dir}/app-yamls"
- stateful_resources = jsondecode(file(var.stateful_resources_config_file))
- enabled_stateful_resources = { for stateful_resource in local.stateful_resources : stateful_resource.resource_name => stateful_resource if stateful_resource.enabled }
- managed_stateful_resources = { for managed_resource in local.enabled_stateful_resources : managed_resource.resource_name => managed_resource if managed_resource.external_service }
- local_stateful_resources = { for local_stateful_resource in local.enabled_stateful_resources : local_stateful_resource.resource_name => local_stateful_resource if !local_stateful_resource.external_service }
- local_external_name_map = { for stateful_resource in local.local_stateful_resources : stateful_resource.logical_service_config.logical_service_name => stateful_resource.local_resource_config.override_service_name != null ? "${stateful_resource.local_resource_config.override_service_name}.${stateful_resource.local_resource_config.resource_namespace}.svc.cluster.local" : "${stateful_resource.resource_name}.${stateful_resource.local_resource_config.resource_namespace}.svc.cluster.local" }
- managed_external_name_map = { for index, stateful_resource in local.managed_stateful_resources : stateful_resource.logical_service_config.logical_service_name => data.gitlab_project_variable.external_stateful_resource_instance_address[index].value }
- external_name_map = merge(local.local_external_name_map, local.managed_external_name_map)
- managed_resource_password_map = { for index, stateful_resource in local.managed_stateful_resources : stateful_resource.resource_name => {
- password = data.vault_generic_secret.external_stateful_resource_password[index].data.value
- namespaces = stateful_resource.logical_service_config.secret_extra_namespaces
- secret_name = stateful_resource.logical_service_config.user_password_secret
- secret_key = stateful_resource.logical_service_config.user_password_secret_key
- }
- }
-
- stateful_resources_vars = {
- stateful_resources_namespace = var.stateful_resources_namespace
- gitlab_project_url = var.gitlab_project_url
- stateful_resources_sync_wave = var.stateful_resources_sync_wave
- stateful_resources_name = local.stateful_resources_name
- }
- all_logical_extra_namespaces = flatten([for stateful_resource in local.enabled_stateful_resources : stateful_resource.logical_service_config.secret_extra_namespaces])
- all_local_extra_namespaces = flatten([for stateful_resource in local.local_stateful_resources : stateful_resource.local_resource_config.generate_secret_extra_namespaces])
- all_local_namespaces = distinct([for stateful_resource in local.local_stateful_resources : stateful_resource.local_resource_config.resource_namespace])
+module "vnext_stateful_resources" {
+ source = "../stateful-resources"
+ stateful_resources_name = "vnext"
+ cluster_name = var.cluster_name
+ output_dir = var.output_dir
+ gitlab_project_url = var.gitlab_project_url
+ gitlab_server_url = var.gitlab_server_url
+ current_gitlab_project_id = var.current_gitlab_project_id
+ stateful_resources_config_file = var.stateful_resources_config_file
+ stateful_resources_namespace = var.stateful_resources_namespace
+ create_stateful_resources_ns = false
+ kv_path = var.kv_path
+ external_stateful_resource_instance_addresses = length(data.gitlab_project_variable.external_stateful_resource_instance_address) > 0 ? data.gitlab_project_variable.external_stateful_resource_instance_address.*.value : []
 }
 variable "stateful_resources_config_file" {
- default = "../config/stateful-resources.json"
- type = string
- description = "where to pull stateful resources config"
+ type = string
 }
-
 variable "stateful_resources_namespace" {
- type = string
- description = "stateful_resources_namespace"
- default = "stateful-resources"
+ type = string
+ default = "stateful-resources"
 }
-variable "stateful_resources_sync_wave" {
- type = string
- description = "stateful_resources_sync_wave, wait for vault config operator"
- default = "-5"
-}
-
-data "vault_generic_secret" "external_stateful_resource_password" {
- for_each = local.managed_stateful_resources
- path = "${var.kv_path}/${var.cluster_name}/${each.value.external_resource_config.password_key_name}"
-}
 data "gitlab_project_variable" "external_stateful_resource_instance_address" {
 for_each = local.managed_stateful_resources
 project = var.current_gitlab_project_id
 key = each.value.external_resource_config.instance_address_key_name
 }
+
+locals {
+ stateful_resources = jsondecode(file(var.stateful_resources_config_file))
+ enabled_stateful_resources = { for stateful_resource in local.stateful_resources : stateful_resource.resource_name => stateful_resource if stateful_resource.enabled }
+ managed_stateful_resources = { for managed_resource in local.enabled_stateful_resources : managed_resource.resource_name => managed_resource if managed_resource.external_service }
+}
diff --git a/terraform/gitops/vnext/vnext.tf b/terraform/gitops/vnext/vnext.tf
index dae710352..d5fc1526d 100644
--- a/terraform/gitops/vnext/vnext.tf
+++ b/terraform/gitops/vnext/vnext.tf
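Review bot: `external_stateful_resource_instance_addresses` applies a splat (`.*.value`) to `data.gitlab_project_variable.external_stateful_resource_instance_address`, which the unchanged `for_each = local.managed_stateful_resources` in this hunk makes a map rather than a list; Terraform does not iterate a map with a splat (the whole map is treated as one object), so this expression should fail to evaluate whenever there is at least one managed resource. A for expression, `external_stateful_resource_instance_addresses = [for v in data.gitlab_project_variable.external_stateful_resource_instance_address : v.value]`, does what was intended and already yields `[]` for an empty map, which makes the `length(...) > 0` guard unnecessary. Either way the module receives a bare list in lexical order of the `resource_name` keys with the per-resource association lost; if `../stateful-resources` pairs addresses with managed resources positionally that ordering has to match on both sides, and passing a map keyed by `resource_name` would make the pairing explicit. The rewritten `variable` blocks also drop their `description` attributes and the `stateful_resources_config_file` default, which is fine if deliberate but a one-line `description` on each keeps the module's inputs self-documenting.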
@@ -24,21 +24,21 @@ module "generate_vnext_files" { keycloak_realm_name = var.keycloak_hubop_realm_name ttk_frontend_public_fqdn = var.ttk_frontend_public_fqdn ttk_backend_public_fqdn = var.ttk_backend_public_fqdn - kafka_host = "${local.stateful_resources[local.vnext_kafka_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local" - kafka_port = local.stateful_resources[local.vnext_kafka_resource_index].logical_service_config.logical_service_port - redis_host = "${local.stateful_resources[local.vnext_redis_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local" - redis_port = local.stateful_resources[local.vnext_redis_resource_index].logical_service_config.logical_service_port + kafka_host = "${module.vnext_stateful_resources.stateful_resources[local.vnext_kafka_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local" + kafka_port = module.vnext_stateful_resources.stateful_resources[local.vnext_kafka_resource_index].logical_service_config.logical_service_port + redis_host = "${module.vnext_stateful_resources.stateful_resources[local.vnext_redis_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local" + redis_port = module.vnext_stateful_resources.stateful_resources[local.vnext_redis_resource_index].logical_service_config.logical_service_port enable_istio_injection = try(var.app_var_map.enable_istio_injection, false) bof_release_name = var.bof_release_name ory_namespace = var.ory_namespace bof_role_perm_operator_host = "${var.bof_release_name}-security-role-perm-operator-svc.${var.ory_namespace}.svc.cluster.local" auth_fqdn = var.auth_fqdn - vnext_mongodb_database = local.stateful_resources[local.vnext_mongodb_resource_index].logical_service_config.database_name + vnext_mongodb_database = 
module.vnext_stateful_resources.stateful_resources[local.vnext_mongodb_resource_index].logical_service_config.database_name vnext_mongodb_user = "root" - vnext_mongodb_host = "${local.stateful_resources[local.vnext_mongodb_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local" - vnext_mongodb_existing_secret = local.stateful_resources[local.vnext_mongodb_resource_index].logical_service_config.user_password_secret - vnext_mongodb_port = local.stateful_resources[local.vnext_mongodb_resource_index].logical_service_config.logical_service_port - vnext_mongo_secret_path = "${local.stateful_resources[local.vnext_mongodb_resource_index].local_resource_config.generate_secret_vault_base_path}/${local.stateful_resources[local.vnext_mongodb_resource_index].resource_name}/${local.stateful_resources[local.vnext_mongodb_resource_index].local_resource_config.generate_secret_name}-mongodb-root-password" + vnext_mongodb_host = "${module.vnext_stateful_resources.stateful_resources[local.vnext_mongodb_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local" + vnext_mongodb_existing_secret = module.vnext_stateful_resources.stateful_resources[local.vnext_mongodb_resource_index].logical_service_config.user_password_secret + vnext_mongodb_port = module.vnext_stateful_resources.stateful_resources[local.vnext_mongodb_resource_index].logical_service_config.logical_service_port + vnext_mongo_secret_path = "${module.vnext_stateful_resources.stateful_resources[local.vnext_mongodb_resource_index].local_resource_config.generate_secret_vault_base_path}/${module.vnext_stateful_resources.stateful_resources[local.vnext_mongodb_resource_index].resource_name}/${module.vnext_stateful_resources.stateful_resources[local.vnext_mongodb_resource_index].local_resource_config.generate_secret_name}-mongodb-root-password" vnext_mongodb_resource_name = "vnext-mongodb" vnext_mongo_url_secret_name 
= "vnext-mongodb-url" ## this goes away as well keto_read_url = "http://keto-read.${var.ory_namespace}.svc.cluster.local:80" @@ -76,9 +76,9 @@ module "generate_vnext_files" { locals { vnext_template_path = "${path.module}/../generate-files/templates/vnext" vnext_app_file = "vnext-app.yaml" - vnext_kafka_resource_index = index(local.stateful_resources.*.resource_name, "vnext-kafka") - vnext_redis_resource_index = index(local.stateful_resources.*.resource_name, "vnext-redis") - vnext_mongodb_resource_index = index(local.stateful_resources.*.resource_name, "vnext-mongodb") + vnext_kafka_resource_index = index(module.vnext_stateful_resources.stateful_resources.*.resource_name, "vnext-kafka") + vnext_redis_resource_index = index(module.vnext_stateful_resources.stateful_resources.*.resource_name, "vnext-redis") + vnext_mongodb_resource_index = index(module.vnext_stateful_resources.stateful_resources.*.resource_name, "vnext-mongodb") vnext_wildcard_gateway = var.vnext_ingress_internal_lb ? "internal" : "external" apiResources = yamldecode(file(var.rbac_api_resources_file)) jws_key_secret = "switch-jws" diff --git a/terraform/k8s/addons-gitops-build/terragrunt.hcl b/terraform/k8s/addons-gitops-build/terragrunt.hcl new file mode 100644 index 000000000..738610df7 --- /dev/null +++ b/terraform/k8s/addons-gitops-build/terragrunt.hcl 
@@ -0,0 +1,86 @@ +terraform { + source = "git::https://github.com/${get_env("addons_github_org")}/${get_env("addons_github_repo")}.git//${get_env("addons_github_module_path")}?ref=${get_env("addons_github_module_tag")}" +} + + +include "root" { + path = find_in_parent_folders() +} + +dependency "gitops_build" { + config_path = "../gitops-build" + mock_outputs = { + mojaloop_sync_wave = 0 + mojaloop_output_path = "" + } +} + + +inputs = { + tags = local.tags + common_var_map = local.common_vars + app_var_map = local.addons_vars + output_dir = local.GITOPS_BUILD_OUTPUT_DIR + gitlab_project_url = local.GITLAB_PROJECT_URL + cluster_name = local.CLUSTER_NAME + addons_sync_wave = (dependency.gitops_build.outputs.mojaloop_sync_wave - 1) + mojaloop_app_output_path = dependency.gitops_build.outputs.mojaloop_output_path + stateful_resources_config_file = find_in_parent_folders("${get_env("CONFIG_PATH")}/addons-stateful-resources.json") +} + +locals { + env_vars = yamldecode(file("${find_in_parent_folders("${get_env("CONFIG_PATH")}/cluster-config.yaml")}")) + tags = local.env_vars.tags + gitlab_readonly_rbac_group = get_env("GITLAB_READONLY_RBAC_GROUP") + gitlab_admin_rbac_group = get_env("GITLAB_ADMIN_RBAC_GROUP") + common_vars = yamldecode(file("${find_in_parent_folders("${get_env("CONFIG_PATH")}/common-vars.yaml")}")) + pm4ml_vars = yamldecode(file("${find_in_parent_folders("${get_env("CONFIG_PATH")}/pm4ml-vars.yaml")}")) + mojaloop_vars = yamldecode(file("${find_in_parent_folders("${get_env("CONFIG_PATH")}/mojaloop-vars.yaml")}")) + vnext_vars = yamldecode(file("${find_in_parent_folders("${get_env("CONFIG_PATH")}/vnext-vars.yaml")}")) + addons_vars = yamldecode(file("${find_in_parent_folders("${get_env("CONFIG_PATH")}/addons-vars.yaml")}")) + GITLAB_SERVER_URL = get_env("GITLAB_SERVER_URL") + GITOPS_BUILD_OUTPUT_DIR = get_env("GITOPS_BUILD_OUTPUT_DIR") + CLUSTER_NAME = get_env("cluster_name") + CLUSTER_DOMAIN = get_env("domain") + GITLAB_PROJECT_URL = 
get_env("GITLAB_PROJECT_URL") + GITLAB_CURRENT_PROJECT_ID = get_env("GITLAB_CURRENT_PROJECT_ID") + GITLAB_CURRENT_GROUP_NAME = get_env("GITLAB_CURRENT_GROUP_NAME") + GITLAB_API_URL = get_env("GITLAB_API_URL") + CLOUD_REGION = get_env("cloud_region") + ENABLE_VAULT_OIDC = get_env("ENABLE_VAULT_OIDC") + ENABLE_GRAFANA_OIDC = get_env("ENABLE_GRAFANA_OIDC") + LETSENCRYPT_EMAIL = get_env("letsencrypt_email") + GITLAB_TOKEN = get_env("GITLAB_CI_PAT") + ENV_VAULT_TOKEN = get_env("ENV_VAULT_TOKEN") + KV_SECRET_PATH = get_env("KV_SECRET_PATH") + VAULT_GITLAB_ROOT_TOKEN = get_env("VAULT_GITLAB_ROOT_TOKEN") + TRANSIT_VAULT_UNSEAL_KEY_NAME = get_env("TRANSIT_VAULT_UNSEAL_KEY_NAME") + VAULT_SERVER_URL = get_env("VAULT_SERVER_URL") +} + +generate "required_providers_override" { + path = "required_providers_override.tf" + + if_exists = "overwrite_terragrunt" + + contents = < Date: Thu, 18 Apr 2024 14:17:05 +0500 Subject: [PATCH 106/201] Enable log deletion using compactor (#220) * enable deletion using compactor * add commit * move comment message * update compactor/shared_store * parametrize loki_retention_enabled --- .../templates/monitoring/install/values-loki.yaml.tpl | 6 +++++- terraform/gitops/k8s-cluster-config/monitoring.tf | 2 ++ terraform/k8s/default-config/common-vars.yaml | 1 + 3 files changed, 8 insertions(+), 1 deletion(-) diff --git a/terraform/gitops/generate-files/templates/monitoring/install/values-loki.yaml.tpl b/terraform/gitops/generate-files/templates/monitoring/install/values-loki.yaml.tpl index 808fd9d8c..a09bbd04b 100644 --- a/terraform/gitops/generate-files/templates/monitoring/install/values-loki.yaml.tpl +++ b/terraform/gitops/generate-files/templates/monitoring/install/values-loki.yaml.tpl 
@@ -1,6 +1,9 @@ loki: overrideConfiguration: - # TODO: remove retention_period because it should be controlled by object store (minio) policies + # https://grafana.com/docs/loki/latest/operations/storage/retention/ + compactor: + retention_enabled: true # enable deletion using compactor + shared_store: s3 limits_config: retention_period: ${loki_ingester_retention_period} schema_config: @@ -16,6 +19,7 @@ loki: boltdb_shipper: shared_store: s3 aws: + # s3 is alias for aws s3forcepathstyle: true endpoint: ${minio_api_url} insecure: true diff --git a/terraform/gitops/k8s-cluster-config/monitoring.tf b/terraform/gitops/k8s-cluster-config/monitoring.tf index b60747562..6c3c34dcb 100644 --- a/terraform/gitops/k8s-cluster-config/monitoring.tf +++ b/terraform/gitops/k8s-cluster-config/monitoring.tf @@ -37,6 +37,7 @@ module "generate_monitoring_files" { grafana_wildcard_gateway = local.grafana_wildcard_gateway loki_ingester_pvc_size = try(var.common_var_map.loki_ingester_pvc_size, local.loki_ingester_pvc_size) prometheus_pvc_size = try(var.common_var_map.prometheus_pvc_size, local.prometheus_pvc_size) + loki_retention_enabled = try(var.common_var_map.loki_retention_enabled, local.loki_retention_enabled) loki_ingester_retention_period = try(var.common_var_map.loki_ingester_retention_period, local.loki_ingester_retention_period) prometheus_retention_period = try(var.common_var_map.prometheus_retention_period, local.prometheus_retention_period) alertmanager_enabled = try(var.common_var_map.alertmanager_enabled, false) @@ -117,6 +118,7 @@ locals { monitoring_app_file = "monitoring-app.yaml" loki_ingester_pvc_size = "50Gi" prometheus_pvc_size = "50Gi" + loki_retention_enabled = true loki_ingester_retention_period = "72h" prometheus_retention_period = "10d" prom_tsdb_min_block_duration = "30m" diff --git a/terraform/k8s/default-config/common-vars.yaml b/terraform/k8s/default-config/common-vars.yaml index 0920e05bc..0911c01ad 100644 
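Review bot: `retention_enabled: true` under `compactor` is hard-coded even though this same commit plumbs `loki_retention_enabled` through monitoring.tf (the two hunks further along this line) and common-vars.yaml; the template never references the variable, so the option the commit message says it parametrizes cannot actually be switched off from configuration. Change the line to `retention_enabled: ${loki_retention_enabled}`. Because the compactor now deletes chunks from the s3 store once they exceed `retention_period`, the comment replacing the old TODO should say so explicitly, e.g. `# retention_period is now enforced by the compactor: chunks older than it are deleted from the object store`, so the value is reviewed as a data-loss setting rather than a query window.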
--- a/terraform/k8s/default-config/common-vars.yaml
+++ b/terraform/k8s/default-config/common-vars.yaml
@@ -29,6 +29,7 @@ loki_chart_version: 2.13.0
 ory_stack_enabled: true
 loki_ingester_pvc_size: 50Gi
 prometheus_pvc_size: 50Gi
+loki_retention_enabled: true
 loki_ingester_retention_period: 72h
 prometheus_retention_period: 10d
 istio_egress_gateway_max_replicas: 5
From b52ad0982cfd1e354bf8178436e191a3ece557d2 Mon Sep 17 00:00:00 2001
From: Sijo George <87609749+sijo5722-2021@users.noreply.github.com> Date: Thu, 18 Apr 2024 14:55:13 +0530 Subject: [PATCH 107/201] Feature/refactor istio gw for using 2 separate domains (#219) * Initial commit for istio gw private and public zone * adding the var map changes * commiting unsaved :( * another one * changing internal domain * including new files in kustom.yaml * some cleaning * Change in gitlab app for argocd oidc * correcting locals * correcting the local var * changes for monitoring and vault * Adding missed save * fixing typo * file name change * Keycloak changes * resolving commit - adding missing vars in var map * resolving commit - Changes for ttk * finance portal changes * fixing the missing var * adding missing var * adding vnext * correcting the ref * resolving commit - changes for mcm * resolving commit - mcm changes in vnext * additional changes for mcm in vnext * validating conditional stmt in for expressino * adding merge changes * additional changes for pm4ml * removal of ory_stack_enabled flag * correction * Fix * fix for the access of internal_interop_switch_fqdn * control center change for callbackurl and short private subdomain * Code to get the inputs * correcting the input * fix typo * Getting the internal lb flag for argocd, vault and grafana * adding try * Correction in kuztomize file * fix for vault and argocd oidc * Correction in grafana oidc --- terraform/aws/base-infra/route53.tf | 3 +- terraform/aws/base-infra/variables.tf | 6 + .../control-center-post-config/gitlab.tf | 30 ++--- .../control-center-post-config/variables.tf | 5 + .../control-center-post-config/terragrunt.hcl | 10 +- .../control-center/init/environment.yaml | 12 +- .../external-dns/chart/values.yaml.tpl | 1 - .../istio/istio-gateways/argocd-vs.yaml.tpl | 6 +- .../istio/istio-gateways/gateways.yaml.tpl | 10 +- .../istio-gateways/kustomization.yaml.tpl | 3 +- ...l => lets-wildcard-cert-external.yaml.tpl} | 2 +- .../lets-wildcard-cert-internal.yaml.tpl | 22 ++++ 
.../istio-main/values-istio-istiod.yaml.tpl | 2 - .../post-config/keycloak-ingress.yaml.tpl | 19 +-- .../templates/mcm/istio-gateway.yaml.tpl | 45 +------ .../templates/mcm/keycloak-realm-cr.yaml.tpl | 2 +- .../templates/mcm/rbac.yaml.tpl | 4 +- .../templates/mcm/values-mcm.yaml.tpl | 14 +- .../templates/mojaloop/istio-config.yaml.tpl | 26 ++-- .../mojaloop/values-mojaloop.yaml.tpl | 22 ++-- ...tio-gateway.yaml.tpl => istio-vs.yaml.tpl} | 8 +- .../monitoring/install/kustomization.yaml.tpl | 2 +- .../post-config/alertmanager-config.yaml.tpl | 2 +- .../post-config/monitoring-crs.yaml.tpl | 4 +- .../templates/ory/app/ory-app.yaml.tpl | 4 +- .../templates/pm4ml/istio-gateway.yaml.tpl | 66 ++-------- .../templates/pm4ml/values-pm4ml.yaml.tpl | 2 - .../vault/charts/vault/values.yaml.tpl | 4 +- ...tio-gateway.yaml.tpl => istio-vs.yaml.tpl} | 8 +- .../templates/vault/post-config.yaml.tpl | 4 +- .../templates/vnext/istio-config.yaml.tpl | 26 +--- .../templates/vnext/values-ttk.yaml.tpl | 2 +- .../gitops/k8s-cluster-config/app-deploy.tf | 120 ++++++++++-------- .../gitops/k8s-cluster-config/ingress.tf | 6 +- terraform/gitops/k8s-cluster-config/istio.tf | 34 ++--- .../gitops/k8s-cluster-config/keycloak.tf | 60 +++++---- .../gitops/k8s-cluster-config/monitoring.tf | 15 ++- .../gitops/k8s-cluster-config/nginx-jwt.tf | 2 +- terraform/gitops/k8s-cluster-config/ory.tf | 6 - .../gitops/k8s-cluster-config/variables.tf | 12 ++ terraform/gitops/k8s-cluster-config/vault.tf | 24 ++-- terraform/gitops/mojaloop/mcm.tf | 29 ++++- terraform/gitops/mojaloop/mojaloop.tf | 44 +++++-- terraform/gitops/pm4ml/pm4ml.tf | 22 +++- terraform/gitops/vnext/mcm.tf | 29 ++++- terraform/gitops/vnext/vnext.tf | 37 ++++-- .../k8s/ansible-k8s-deploy/terragrunt.hcl | 1 + terraform/k8s/default-config/common-vars.yaml | 1 - .../k8s/default-config/mojaloop-vars.yaml | 1 + terraform/k8s/gitops-build/terragrunt.hcl | 6 + 50 files changed, 441 insertions(+), 384 deletions(-) rename 
terraform/gitops/generate-files/templates/istio/istio-gateways/{lets-wildcard-cert.yaml.tpl => lets-wildcard-cert-external.yaml.tpl} (96%) create mode 100644 terraform/gitops/generate-files/templates/istio/istio-gateways/lets-wildcard-cert-internal.yaml.tpl rename terraform/gitops/generate-files/templates/monitoring/install/{istio-gateway.yaml.tpl => istio-vs.yaml.tpl} (56%) rename terraform/gitops/generate-files/templates/vault/{istio-gateway.yaml.tpl => istio-vs.yaml.tpl} (60%) diff --git a/terraform/aws/base-infra/route53.tf b/terraform/aws/base-infra/route53.tf index 2b3814a0f..f7ad4abd5 100644 --- a/terraform/aws/base-infra/route53.tf +++ b/terraform/aws/base-infra/route53.tf @@ -1,8 +1,7 @@ resource "aws_route53_zone" "private" { force_destroy = var.route53_zone_force_destroy count = (var.configure_route_53 && var.create_private_zone) ? 1 : 0 - name = "${local.cluster_domain}.internal." - + name = "${var.private_subdomain_string}.${local.cluster_domain}." vpc { vpc_id = module.vpc.vpc_id } diff --git a/terraform/aws/base-infra/variables.tf b/terraform/aws/base-infra/variables.tf index bb933ae33..0bee6ada0 100644 --- a/terraform/aws/base-infra/variables.tf +++ b/terraform/aws/base-infra/variables.tf @@ -94,6 +94,12 @@ variable "create_haproxy_dns_record" { description = "whether to create public dns record for private ip of bastion for haproxy" } +variable "private_subdomain_string" { + type = string + default = "int" +} + + ### # Local copies of variables to allow for parsing ### diff --git a/terraform/config-params/control-center-post-config/gitlab.tf b/terraform/config-params/control-center-post-config/gitlab.tf index d2c8664cb..1e8e5fc36 100644 --- a/terraform/config-params/control-center-post-config/gitlab.tf +++ b/terraform/config-params/control-center-post-config/gitlab.tf 
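Review bot: `private_subdomain_string` in base-infra/variables.tf is added without a `description`, and its default `"int"` differs from the `"internal"` default the same commit gives the identically named variable in control-center-post-config/variables.tf (L496, whose description also has the typos "distiguish" and "publci"); the terragrunt local on L497 hard-wires `"int"`. The private Route 53 zone name and the OIDC redirect hosts are both derived from this value, so if either module is ever run at its default the zone and the registered callback URLs stop agreeing. Align both defaults and add `description = "Label of the private subdomain, prefixed to the cluster domain (e.g. int.<domain>) for the private zone and internal hostnames"`. The route53.tf hunk earlier on this line also renames the private zone from `<domain>.internal.` to `<label>.<domain>.`, which most likely forces replacement of the existing zone on apply; that deserves a sentence in the commit message.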
@@ -173,7 +173,7 @@ resource "gitlab_group_access_token" "gitlab_ci_pat" { resource "vault_kv_secret_v2" "vault_oauth_client_id" { for_each = { - for key, env in var.env_map : key => env if env.enable_vault_oauth_to_gitlab + for key, env in var.env_map : key => env if env.vault_oidc_domain != "" } mount = vault_mount.kv_secret.path name = "${each.key}/vault_oauth_client_id" @@ -187,7 +187,7 @@ resource "vault_kv_secret_v2" "vault_oauth_client_id" { resource "vault_kv_secret_v2" "vault_oauth_client_secret" { for_each = { - for key, env in var.env_map : key => env if env.enable_vault_oauth_to_gitlab + for key, env in var.env_map : key => env if env.vault_oidc_domain != "" } mount = vault_mount.kv_secret.path name = "${each.key}/vault_oauth_client_secret" @@ -201,7 +201,7 @@ resource "vault_kv_secret_v2" "vault_oauth_client_secret" { resource "gitlab_project_variable" "enable_vault_oidc" { for_each = { - for key, env in var.env_map : key => env if env.enable_vault_oauth_to_gitlab + for key, env in var.env_map : key => env if env.vault_oidc_domain != "" } project = gitlab_project.envs[each.key].id key = "ENABLE_VAULT_OIDC" 
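Review bot: The `for_each` filters now test `env.vault_oidc_domain != ""` (and the grafana/argocd equivalents in the hunks through L496), so an environment that omits the key is only treated as disabled because the terragrunt caller normalises it with `try(val["vault_oidc_domain"], "")` on L497; gitlab.tf itself would fail on an unknown attribute if `var.env_map` were assembled without the key. Make that contract visible with a comment above the first filter, `# an empty *_oidc_domain disables the integration; callers must pass "" rather than omit the key`, or declare the three keys `optional(string, "")` in the `env_map` type. Since `redirect_url` now embeds the per-environment `*_oidc_domain` and GitLab validates the OAuth callback against this registered value, a mismatch between it and the hostname actually served shows up as a failed login rather than a weakened one, which is worth one line in the description.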
@@ -212,17 +212,17 @@ resource "gitlab_project_variable" "enable_vault_oidc" { resource "gitlab_application" "vault_oidc" { for_each = { - for key, env in var.env_map : key => env if env.enable_vault_oauth_to_gitlab + for key, env in var.env_map : key => env if env.vault_oidc_domain != "" } confidential = true scopes = ["openid"] name = "${each.key}_vault_oidc" - redirect_url = "https://vault.${each.key}.${each.value["domain"]}/ui/vault/auth/oidc/oidc/callback" + redirect_url = "https://vault.${each.value["vault_oidc_domain"]}.${each.value["domain"]}/ui/vault/auth/oidc/oidc/callback" } resource "vault_kv_secret_v2" "grafana_oauth_client_id" { for_each = { - for key, env in var.env_map : key => env if env.enable_grafana_oauth_to_gitlab + for key, env in var.env_map : key => env if env.grafana_oidc_domain != "" } mount = vault_mount.kv_secret.path name = "${each.key}/grafana_oauth_client_id" @@ -236,7 +236,7 @@ resource "vault_kv_secret_v2" "grafana_oauth_client_id" { resource "vault_kv_secret_v2" "grafana_oauth_client_secret" { for_each = { - for key, env in var.env_map : key => env if env.enable_grafana_oauth_to_gitlab + for key, env in var.env_map : key => env if env.grafana_oidc_domain != "" } mount = vault_mount.kv_secret.path name = "${each.key}/grafana_oauth_client_secret" @@ -250,7 +250,7 @@ resource "vault_kv_secret_v2" "grafana_oauth_client_secret" { resource "gitlab_project_variable" "enable_grafana_oauth" { for_each = { - for key, env in var.env_map : key => env if env.enable_grafana_oauth_to_gitlab + for key, env in var.env_map : key => env if env.grafana_oidc_domain != "" } project = gitlab_project.envs[each.key].id key = "ENABLE_GRAFANA_OIDC" 
@@ -261,17 +261,17 @@ resource "gitlab_project_variable" "enable_grafana_oauth" { resource "gitlab_application" "grafana_oidc" { for_each = { - for key, env in var.env_map : key => env if env.enable_grafana_oauth_to_gitlab + for key, env in var.env_map : key => env if env.grafana_oidc_domain != "" } confidential = true scopes = ["read_api"] name = "${each.key}_grafana_oidc" - redirect_url = "https://grafana.${each.key}.${each.value["domain"]}/login/gitlab" + redirect_url = "https://grafana.${each.value["grafana_oidc_domain"]}.${each.value["domain"]}/login/gitlab" } resource "vault_kv_secret_v2" "argocd_oauth_client_id" { for_each = { - for key, env in var.env_map : key => env if env.enable_argocd_oauth_to_gitlab + for key, env in var.env_map : key => env if env.argocd_oidc_domain != "" } mount = vault_mount.kv_secret.path name = "${each.key}/argocd_oauth_client_id" @@ -285,7 +285,7 @@ resource "vault_kv_secret_v2" "argocd_oauth_client_id" { resource "vault_kv_secret_v2" "argocd_oauth_client_secret" { for_each = { - for key, env in var.env_map : key => env if env.enable_argocd_oauth_to_gitlab + for key, env in var.env_map : key => env if env.argocd_oidc_domain != "" } mount = vault_mount.kv_secret.path name = "${each.key}/argocd_oauth_client_secret" @@ -299,7 +299,7 @@ resource "vault_kv_secret_v2" "argocd_oauth_client_secret" { resource "gitlab_project_variable" "enable_argocd_oauth" { for_each = { - for key, env in var.env_map : key => env if env.enable_argocd_oauth_to_gitlab + for key, env in var.env_map : key => env if env.argocd_oidc_domain != "" } project = gitlab_project.envs[each.key].id key = "ENABLE_ARGOCD_OIDC" 
@@ -310,10 +310,10 @@ resource "gitlab_project_variable" "enable_argocd_oauth" { resource "gitlab_application" "argocd_oidc" { for_each = { - for key, env in var.env_map : key => env if env.enable_argocd_oauth_to_gitlab + for key, env in var.env_map : key => env if env.argocd_oidc_domain != "" } confidential = true scopes = ["openid", "read_api", "profile", "email"] name = "${each.key}_argocd_oidc" - redirect_url = "https://argocd.${each.key}.${each.value["domain"]}/auth/callback" + redirect_url = "https://argocd.${each.value["argocd_oidc_domain"]}.${each.value["domain"]}/auth/callback" } diff --git a/terraform/config-params/control-center-post-config/variables.tf b/terraform/config-params/control-center-post-config/variables.tf index 7669ca9ca..9542fdb84 100644 --- a/terraform/config-params/control-center-post-config/variables.tf +++ b/terraform/config-params/control-center-post-config/variables.tf @@ -79,4 +79,9 @@ variable "loki_data_expiry" { variable "longhorn_backup_data_expiry" { description = "number of days to expire minio longhorn bucket data" default = "7d" +} + +variable "private_subdomain_string" { + description = "the string in the internal subdomain to distiguish with publci subdomain" + default = "internal" } \ No newline at end of file diff --git a/terraform/control-center/init/control-center-post-config/terragrunt.hcl b/terraform/control-center/init/control-center-post-config/terragrunt.hcl index 26faecfe6..f5e28ad83 100644 --- a/terraform/control-center/init/control-center-post-config/terragrunt.hcl +++ b/terraform/control-center/init/control-center-post-config/terragrunt.hcl @@ -74,6 +74,7 @@ inputs = { gitlab_readonly_rbac_group = local.env_vars.gitlab_readonly_rbac_group loki_data_expiry = local.env_vars.loki_data_expiry longhorn_backup_data_expiry = local.env_vars.longhorn_backup_data_expiry + private_subdomain_string = local.private_subdomain_string } locals { 
@@ -85,12 +86,13 @@ locals { ) env_map = { for val in local.env_vars.envs : val["env"] => { - domain = val["domain"] - enable_vault_oauth_to_gitlab = val["enable_vault_oauth_to_gitlab"] - enable_grafana_oauth_to_gitlab = val["enable_grafana_oauth_to_gitlab"] - enable_argocd_oauth_to_gitlab = val["enable_argocd_oauth_to_gitlab"] + domain = val["domain"] + vault_oidc_domain = try(val["vault_oidc_domain"],"") + grafana_oidc_domain = try(val["grafana_oidc_domain"],"") + argocd_oidc_domain = try(val["argocd_oidc_domain"],"") } } + private_subdomain_string = "int" } include "root" { diff --git a/terraform/control-center/init/environment.yaml b/terraform/control-center/init/environment.yaml index d5d9f95c6..457ebe13a 100644 --- a/terraform/control-center/init/environment.yaml +++ b/terraform/control-center/init/environment.yaml @@ -19,14 +19,14 @@ longhorn_backup_data_expiry: 1d envs: - env: dev domain: labsk8s604.mojaloop.live - enable_vault_oauth_to_gitlab: true - enable_grafana_oauth_to_gitlab: true - enable_argocd_oauth_to_gitlab: false + vault_oidc_domain: int.dev + grafana_oidc_domain: int.dev + argocd_oidc_domain: int.dev - env: test domain: labsk8s604.mojaloop.live - enable_vault_oauth_to_gitlab: true - enable_grafana_oauth_to_gitlab: true - enable_argocd_oauth_to_gitlab: false + vault_oidc_domain: int.test + grafana_oidc_domain: int.test + argocd_oidc_domain: int.test tags: { "Origin": "Terraform", diff --git a/terraform/gitops/generate-files/templates/external-dns/chart/values.yaml.tpl b/terraform/gitops/generate-files/templates/external-dns/chart/values.yaml.tpl index 82bfc9c4d..60cf48ff8 100644 --- a/terraform/gitops/generate-files/templates/external-dns/chart/values.yaml.tpl +++ b/terraform/gitops/generate-files/templates/external-dns/chart/values.yaml.tpl @@ -23,5 +23,4 @@ external-dns: sources: - service - ingress - - istio-gateway - istio-virtualservice \ No newline at end of file 
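Review bot: In environment.yaml both envs previously had `enable_argocd_oauth_to_gitlab: false`, but the replacement `argocd_oidc_domain: int.dev` / `int.test` is non-empty, which under the new `!= ""` filters in gitlab.tf (L493-L496) now creates the ArgoCD OAuth application, its Vault secrets and the `ENABLE_ARGOCD_OIDC` project variable for both environments — a change in what is enabled, not just a rename. If that is intended, state it in the commit message; if not, leave the `argocd_oidc_domain` keys out, since the `try(..., "")` in the terragrunt hunk at the start of this line already defaults them to disabled.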
diff --git a/terraform/gitops/generate-files/templates/istio/istio-gateways/argocd-vs.yaml.tpl b/terraform/gitops/generate-files/templates/istio/istio-gateways/argocd-vs.yaml.tpl index d54faad19..231d394b9 100644 --- a/terraform/gitops/generate-files/templates/istio/istio-gateways/argocd-vs.yaml.tpl +++ b/terraform/gitops/generate-files/templates/istio/istio-gateways/argocd-vs.yaml.tpl @@ -11,7 +11,11 @@ spec: - ${istio_internal_gateway_namespace}/${istio_internal_wildcard_gateway_name} %{ endif ~} hosts: - - '${argocd_fqdn}' +%{ if argocd_wildcard_gateway == "external" ~} + - '${argocd_public_fqdn}' +%{ else ~} + - '${argocd_private_fqdn}' +%{ endif ~} http: - match: - uri: diff --git a/terraform/gitops/generate-files/templates/istio/istio-gateways/gateways.yaml.tpl b/terraform/gitops/generate-files/templates/istio/istio-gateways/gateways.yaml.tpl index 7e9e78449..dc326c7f2 100644 --- a/terraform/gitops/generate-files/templates/istio/istio-gateways/gateways.yaml.tpl +++ b/terraform/gitops/generate-files/templates/istio/istio-gateways/gateways.yaml.tpl @@ -10,15 +10,13 @@ spec: istio: ${istio_internal_gateway_name} servers: - hosts: -%{ for host in internal_gateway_hosts ~} - - '${host}' -%{ endfor ~} + - '*.${private_subdomain}' port: name: https number: 443 protocol: HTTPS tls: - credentialName: ${default_ssl_certificate} + credentialName: ${default_internal_ssl_certificate} mode: SIMPLE --- apiVersion: networking.istio.io/v1alpha3 @@ -33,9 +31,7 @@ spec: istio: ${istio_external_gateway_name} servers: - hosts: -%{ for host in external_gateway_hosts ~} - - '${host}' -%{ endfor ~} + - '*.${public_subdomain}' port: name: https number: 443 diff --git a/terraform/gitops/generate-files/templates/istio/istio-gateways/kustomization.yaml.tpl b/terraform/gitops/generate-files/templates/istio/istio-gateways/kustomization.yaml.tpl index 6cd10867b..3e0848cf2 100644 --- a/terraform/gitops/generate-files/templates/istio/istio-gateways/kustomization.yaml.tpl 
+++ b/terraform/gitops/generate-files/templates/istio/istio-gateways/kustomization.yaml.tpl @@ -2,7 +2,8 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - namespace.yaml - - lets-wildcard-cert.yaml + - lets-wildcard-cert-external.yaml + - lets-wildcard-cert-internal.yaml - proxy-protocol.yaml - gateways.yaml - argocd-vs.yaml diff --git a/terraform/gitops/generate-files/templates/istio/istio-gateways/lets-wildcard-cert.yaml.tpl b/terraform/gitops/generate-files/templates/istio/istio-gateways/lets-wildcard-cert-external.yaml.tpl similarity index 96% rename from terraform/gitops/generate-files/templates/istio/istio-gateways/lets-wildcard-cert.yaml.tpl rename to terraform/gitops/generate-files/templates/istio/istio-gateways/lets-wildcard-cert-external.yaml.tpl index 2e84c1b73..a1c5f5967 100644 --- a/terraform/gitops/generate-files/templates/istio/istio-gateways/lets-wildcard-cert.yaml.tpl +++ b/terraform/gitops/generate-files/templates/istio/istio-gateways/lets-wildcard-cert-external.yaml.tpl @@ -1,7 +1,7 @@ apiVersion: cert-manager.io/v1 kind: Certificate metadata: - name: wildcard-cert-internal + name: wildcard-cert-external namespace: ${istio_namespace} annotations: argocd.argoproj.io/sync-wave: "${wildcare_certificate_wave}" diff --git a/terraform/gitops/generate-files/templates/istio/istio-gateways/lets-wildcard-cert-internal.yaml.tpl b/terraform/gitops/generate-files/templates/istio/istio-gateways/lets-wildcard-cert-internal.yaml.tpl new file mode 100644 index 000000000..008da7e46 --- /dev/null +++ b/terraform/gitops/generate-files/templates/istio/istio-gateways/lets-wildcard-cert-internal.yaml.tpl 
@@ -0,0 +1,22 @@ +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: wildcard-cert-internal + namespace: ${istio_namespace} + annotations: + argocd.argoproj.io/sync-wave: "${wildcare_certificate_wave}" +spec: + secretName: ${default_internal_ssl_certificate} + issuerRef: + name: letsencrypt + kind: ClusterIssuer + commonName: ${private_subdomain} + dnsNames: + - "${private_subdomain}" + - "*.${private_subdomain}" + secretTemplate: + annotations: + reflector.v1.k8s.emberstack.com/reflection-allowed: "true" + reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "keycloak, ${istio_external_gateway_namespace}, ${istio_internal_gateway_namespace}" # Control destination namespaces + reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true" # Auto create reflection for matching namespaces + reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "keycloak, ${istio_external_gateway_namespace}, ${istio_internal_gateway_namespace}" # Control auto-reflection namespaces \ No newline at end of file diff --git a/terraform/gitops/generate-files/templates/istio/istio-main/values-istio-istiod.yaml.tpl b/terraform/gitops/generate-files/templates/istio/istio-main/values-istio-istiod.yaml.tpl index 8741fcc70..b98c95c30 100644 --- a/terraform/gitops/generate-files/templates/istio/istio-main/values-istio-istiod.yaml.tpl +++ b/terraform/gitops/generate-files/templates/istio/istio-main/values-istio-istiod.yaml.tpl @@ -193,7 +193,6 @@ meshConfig: ISTIO_META_DNS_CAPTURE: "true" # Enable automatic address allocation, optional ISTIO_META_DNS_AUTO_ALLOCATE: "true" -%{ if ory_stack_enabled ~} extensionProviders: - name: ${oathkeeper_auth_provider_name} envoyExtAuthzHttp: @@ -204,7 +203,6 @@ meshConfig: statusOnError: "500" pathPrefix: /decisions includeRequestHeadersInCheck: ["authorization", "cookie"] -%{ endif ~} global: # Used to locate istiod. istioNamespace: ${istio_namespace} 
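Review bot: The internal wildcard certificate's TLS secret, private key included, is reflected into `keycloak`, `${istio_external_gateway_namespace}` and `${istio_internal_gateway_namespace}`, yet gateways.yaml.tpl on L498 binds `${default_internal_ssl_certificate}` only to the internal gateway, and the external gateway's server block only lists `'*.${public_subdomain}'` hosts; copying the internal key into the external gateway namespace gives it a reader with no visible consumer. Trim both `reflection-allowed-namespaces` and `reflection-auto-namespaces` to the namespaces that mount the secret, `"keycloak, ${istio_internal_gateway_namespace}"`, unless keycloak-ingress is meant to serve private-subdomain hosts from the external gateway, in which case a comment saying so belongs next to the annotation. The file is also missing its trailing newline.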
diff --git a/terraform/gitops/generate-files/templates/keycloak/post-config/keycloak-ingress.yaml.tpl b/terraform/gitops/generate-files/templates/keycloak/post-config/keycloak-ingress.yaml.tpl index 90d111870..784a601c9 100644 --- a/terraform/gitops/generate-files/templates/keycloak/post-config/keycloak-ingress.yaml.tpl +++ b/terraform/gitops/generate-files/templates/keycloak/post-config/keycloak-ingress.yaml.tpl @@ -57,7 +57,7 @@ metadata: name: keycloak-ext-vs spec: gateways: - - ${istio_external_gateway_namespace}/${istio_external_wildcard_gateway_name} + - ${keycloak_istio_gateway_namespace}/${keycloak_istio_wildcard_gateway_name} hosts: - '${keycloak_fqdn}' http: @@ -76,7 +76,7 @@ metadata: name: keycloak-admin-vs spec: gateways: - - ${istio_internal_gateway_namespace}/${istio_internal_wildcard_gateway_name} + - ${keycloak_admin_istio_gateway_namespace}/${keycloak_admin_istio_wildcard_gateway_name} hosts: - '${keycloak_admin_fqdn}' http: @@ -99,19 +99,4 @@ spec: trafficPolicy: tls: mode: SIMPLE ---- -%{ if !ory_stack_enabled ~} -apiVersion: security.istio.io/v1beta1 -kind: RequestAuthentication -metadata: - name: keycloak-master-jwt - namespace: ${istio_external_gateway_namespace} -spec: - selector: - matchLabels: - istio: ${istio_external_gateway_name} - jwtRules: - - issuer: "https://${keycloak_fqdn}/realms/master" - jwksUri: "https://${keycloak_fqdn}/realms/master/protocol/openid-connect/certs" -%{ endif ~} %{ endif ~} \ No newline at end of file diff --git a/terraform/gitops/generate-files/templates/mcm/istio-gateway.yaml.tpl b/terraform/gitops/generate-files/templates/mcm/istio-gateway.yaml.tpl index 0fe396057..2281073d9 100644 --- a/terraform/gitops/generate-files/templates/mcm/istio-gateway.yaml.tpl +++ b/terraform/gitops/generate-files/templates/mcm/istio-gateway.yaml.tpl 
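Review bot: `keycloak-admin-vs` was pinned to the internal gateway and is now routed through `${keycloak_admin_istio_gateway_namespace}/${keycloak_admin_istio_wildcard_gateway_name}`, so whether the admin console stays off the public gateway now depends entirely on how keycloak.tf sets those two values, which is outside this hunk. Keep the invariant visible with a comment in the template, `# admin console: keep on the internal gateway unless external exposure is deliberate`, and have keycloak.tf default these to the internal gateway values. The last hunk also drops the `keycloak-master-jwt` RequestAuthentication, which validated master-realm JWTs at the external gateway in the non-ory case; with `ory_stack_enabled` removed elsewhere in the commit that branch is dead, but the commit should confirm that the oathkeeper provider now fronts the same master-realm paths.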
@@ -5,13 +5,9 @@ metadata: name: mcm-vs spec: gateways: -%{ if mcm_wildcard_gateway == "external" ~} - - ${istio_external_gateway_namespace}/${istio_external_wildcard_gateway_name} -%{ else ~} - - ${istio_internal_gateway_namespace}/${istio_internal_wildcard_gateway_name} -%{ endif ~} + - ${mcm_istio_gateway_namespace}/${mcm_istio_wildcard_gateway_name} hosts: - - '${mcm_public_fqdn}' + - '${mcm_fqdn}' http: - name: "api" match: @@ -64,52 +60,21 @@ spec: host: mcm-connection-manager-ui port: number: 8080 -%{ if mcm_wildcard_gateway == "external" ~} --- apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: mcm-jwt - namespace: ${istio_external_gateway_namespace} + namespace: ${mcm_istio_gateway_namespace} spec: selector: matchLabels: - app: ${istio_external_gateway_name} -%{ if ory_stack_enabled ~} + app: ${mcm_istio_gateway_name} action: CUSTOM provider: name: ${oathkeeper_auth_provider_name} -%{ else ~} - action: DENY -%{ endif ~} rules: - to: - operation: paths: ["/api/*", "/pm4mlapi/*"] - hosts: ["${mcm_public_fqdn}", "${mcm_public_fqdn}:*"] -%{ if !ory_stack_enabled ~} - from: - - source: - notRequestPrincipals: ["https://${keycloak_fqdn}/realms/${keycloak_dfsp_realm_name}/*"] -%{ endif ~} -%{ if !ory_stack_enabled ~} ---- -apiVersion: security.istio.io/v1beta1 -kind: RequestAuthentication -metadata: - name: keycloak-${keycloak_dfsp_realm_name}-jwt - namespace: ${istio_external_gateway_namespace} -spec: - selector: - matchLabels: - istio: ${istio_external_gateway_name} - jwtRules: - - issuer: "https://${keycloak_fqdn}/realms/${keycloak_dfsp_realm_name}" - jwksUri: "https://${keycloak_fqdn}/realms/${keycloak_dfsp_realm_name}/protocol/openid-connect/certs" - fromHeaders: - - name: Authorization - prefix: "Bearer " - - name: Cookie - prefix: "MCM_SESSION" -%{ endif ~} -%{ endif ~} \ No newline at end of file + hosts: ["${mcm_fqdn}", "${mcm_fqdn}:*"] \ No newline at end of file 
diff --git a/terraform/gitops/generate-files/templates/mcm/keycloak-realm-cr.yaml.tpl b/terraform/gitops/generate-files/templates/mcm/keycloak-realm-cr.yaml.tpl index 9eb0a591c..615420f5b 100644 --- a/terraform/gitops/generate-files/templates/mcm/keycloak-realm-cr.yaml.tpl +++ b/terraform/gitops/generate-files/templates/mcm/keycloak-realm-cr.yaml.tpl @@ -365,7 +365,7 @@ spec: clientAuthenticatorType: client-secret secret: ${mcm_oidc_client_secret_secret_name} redirectUris: - - https://${mcm_public_fqdn}/login-callback + - https://${mcm_fqdn}/login-callback webOrigins: - /* notBefore: 0 diff --git a/terraform/gitops/generate-files/templates/mcm/rbac.yaml.tpl b/terraform/gitops/generate-files/templates/mcm/rbac.yaml.tpl index 84252e2b5..562afbb6c 100644 --- a/terraform/gitops/generate-files/templates/mcm/rbac.yaml.tpl +++ b/terraform/gitops/generate-files/templates/mcm/rbac.yaml.tpl @@ -5,7 +5,7 @@ metadata: namespace: ${mcm_namespace} spec: match: - url: ://${mcm_public_fqdn}/api/<.*> + url: ://${mcm_fqdn}/api/<.*> methods: - POST - GET @@ -35,7 +35,7 @@ metadata: namespace: ${mcm_namespace} spec: match: - url: ://${mcm_public_fqdn}/pm4mlapi/<.*> + url: ://${mcm_fqdn}/pm4mlapi/<.*> methods: - POST - GET diff --git a/terraform/gitops/generate-files/templates/mcm/values-mcm.yaml.tpl b/terraform/gitops/generate-files/templates/mcm/values-mcm.yaml.tpl index eaaba1780..1528c9d48 100644 --- a/terraform/gitops/generate-files/templates/mcm/values-mcm.yaml.tpl +++ b/terraform/gitops/generate-files/templates/mcm/values-mcm.yaml.tpl @@ -10,7 +10,7 @@ api: image: name: ghcr.io/pm4ml/connection-manager-api version: v1.9.8-snapshot.0 - url: https://${mcm_public_fqdn} + url: https://${mcm_fqdn} extraTLS: rootCert: enabled: false 
@@ -64,18 +64,12 @@ api: vault.hashicorp.com/agent-limits-mem: "" #this disables limit, TODO: need to tune this proxy.istio.io/config: '{ "holdApplicationUntilProxyStarts": true }' ui: -%{ if ory_stack_enabled ~} - checkSessionUrl: https://${mcm_public_fqdn}/kratos/sessions/whoami + checkSessionUrl: https://${mcm_fqdn}/kratos/sessions/whoami loginUrl: https://${auth_fqdn}/kratos/self-service/login/browser loginProvider: keycloak logoutUrl: /kratos/self-service/logout/browser?return_to=https%3A%2F%2F${keycloak_fqdn}%2Frealms%2F${keycloak_hubop_realm_name}%2Fprotocol%2Fopenid-connect%2Flogout -%{ endif ~} oauth: -%{ if ory_stack_enabled ~} enabled: true -%{ else ~} - enabled: false -%{ endif ~} hubOidcProviderUrl: "https://${keycloak_fqdn}/realms/${keycloak_dfsp_realm_name}/protocol/openid-connect" clientId: ${oauth_key} clientSecretName: ${oauth_secret_secret} @@ -88,10 +82,10 @@ ingress: enabled: true %{ endif ~} className: ${ingress_class} - host: ${mcm_public_fqdn} + host: ${mcm_fqdn} tls: - hosts: - - "*.${mcm_public_fqdn}" + - "*.${mcm_fqdn}" annotations: nginx.ingress.kubernetes.io/ssl-redirect: "false" nginx.ingress.kubernetes.io/whitelist-source-range: "0.0.0.0/0" diff --git a/terraform/gitops/generate-files/templates/mojaloop/istio-config.yaml.tpl b/terraform/gitops/generate-files/templates/mojaloop/istio-config.yaml.tpl index c34f646d1..64432b604 100644 --- a/terraform/gitops/generate-files/templates/mojaloop/istio-config.yaml.tpl +++ b/terraform/gitops/generate-files/templates/mojaloop/istio-config.yaml.tpl @@ -28,7 +28,7 @@ spec: selector: matchLabels: app: ${istio_external_gateway_name} -%{ if ory_stack_enabled ~} +%{ if fspiop_use_ory_for_auth ~} action: CUSTOM provider: name: ${oathkeeper_auth_provider_name} 
@@ -39,7 +39,7 @@ spec: - when: - key: connection.sni values: ["${interop_switch_fqdn}", "${interop_switch_fqdn}:*"] -%{ if !ory_stack_enabled ~} +%{ if !fspiop_use_ory_for_auth ~} from: - source: notRequestPrincipals: ["https://${keycloak_fqdn}/realms/${keycloak_dfsp_realm_name}/*"] @@ -243,13 +243,9 @@ metadata: name: mojaloop-ttkfront-vs spec: gateways: -%{ if mojaloop_wildcard_gateway == "external" ~} - - ${istio_external_gateway_namespace}/${istio_external_wildcard_gateway_name} -%{ else ~} - - ${istio_internal_gateway_namespace}/${istio_internal_wildcard_gateway_name} -%{ endif ~} + - ${ttk_istio_gateway_namespace}/${ttk_istio_wildcard_gateway_name} hosts: - - '${ttk_frontend_public_fqdn}' + - '${ttk_frontend_fqdn}' http: - match: - uri: @@ -266,13 +262,9 @@ metadata: name: mojaloop-ttkback-vs spec: gateways: -%{ if mojaloop_wildcard_gateway == "external" ~} - - ${istio_external_gateway_namespace}/${istio_external_wildcard_gateway_name} -%{ else ~} - - ${istio_internal_gateway_namespace}/${istio_internal_wildcard_gateway_name} -%{ endif ~} + - ${ttk_istio_gateway_namespace}/${ttk_istio_wildcard_gateway_name} hosts: - - '${ttk_backend_public_fqdn}' + - '${ttk_backend_fqdn}' http: - name: api match: @@ -311,7 +303,7 @@ metadata: name: finance-portal-vs spec: gateways: - - ${istio_external_gateway_namespace}/${istio_external_wildcard_gateway_name} + - ${portal_istio_gateway_namespace}/${portal_istio_wildcard_gateway_name} hosts: - '${portal_fqdn}' http: @@ -462,11 +454,11 @@ apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: finance-portal-auth - namespace: ${istio_external_gateway_namespace} + namespace: ${portal_istio_gateway_namespace} spec: selector: matchLabels: - app: ${istio_external_gateway_name} + app: ${portal_istio_gateway_name} action: CUSTOM provider: name: ${oathkeeper_auth_provider_name} 
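Review bot: The `%{ if !fspiop_use_ory_for_auth ~}` branch keeps `notRequestPrincipals: ["https://${keycloak_fqdn}/realms/${keycloak_dfsp_realm_name}/*"]`, but the only RequestAuthentication for that realm on the external gateway visible in this commit, `keycloak-${keycloak_dfsp_realm_name}-jwt` in mcm/istio-gateway.yaml.tpl, is deleted. Without a RequestAuthentication Istio attaches no request principal to any request, so with the Ory switch off this DENY rule matches every FSPIOP request on the external gateway rather than only those without a valid DFSP token — a fail-closed outage, not a bypass, but an outage. Unless an equivalent RequestAuthentication exists elsewhere in istio-config.yaml.tpl outside these hunks, it should be re-added under the same `%{ if !fspiop_use_ory_for_auth ~}` guard; the vnext istio-config hunks later in this diff have the same dependency. The AuthorizationPolicy this `from` belongs to starts above the hunk.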
diff --git a/terraform/gitops/generate-files/templates/mojaloop/values-mojaloop.yaml.tpl b/terraform/gitops/generate-files/templates/mojaloop/values-mojaloop.yaml.tpl index a2ef93091..d6d02b4bb 100644 --- a/terraform/gitops/generate-files/templates/mojaloop/values-mojaloop.yaml.tpl +++ b/terraform/gitops/generate-files/templates/mojaloop/values-mojaloop.yaml.tpl @@ -1067,9 +1067,9 @@ ml-testing-toolkit: className: *INGRESS_CLASS hosts: specApi: - host: ${ttk_backend_public_fqdn} + host: ${ttk_backend_fqdn} adminApi: - host: ${ttk_backend_public_fqdn} + host: ${ttk_backend_fqdn} parameters: &simNames simNamePayerfsp: 'payerfsp' simNamePayeefsp: 'payeefsp' @@ -1158,11 +1158,11 @@ ml-testing-toolkit: className: *INGRESS_CLASS hosts: ui: - host: ${ttk_frontend_public_fqdn} + host: ${ttk_frontend_fqdn} port: 6060 paths: ['/'] config: - API_BASE_URL: https://${ttk_backend_public_fqdn} + API_BASE_URL: https://${ttk_backend_fqdn} ml-ttk-test-setup: tests: @@ -1171,7 +1171,7 @@ ml-ttk-test-setup: testSuiteName: Provisioning environmentName: ${ingress_subdomain} saveReport: true - saveReportBaseUrl: http://${ttk_backend_public_fqdn} + saveReportBaseUrl: http://${ttk_backend_fqdn} parameters: <<: *simNames testCaseEnvironmentFile: *ttkInputValues @@ -1194,7 +1194,7 @@ ml-ttk-test-val-gp: testSuiteName: GP Tests environmentName: ${ingress_subdomain} saveReport: true - saveReportBaseUrl: http://${ttk_backend_public_fqdn} + saveReportBaseUrl: http://${ttk_backend_fqdn} parameters: <<: *simNames testCaseEnvironmentFile: *ttkInputValues @@ -1216,7 +1216,7 @@ ml-ttk-test-val-bulk: testSuiteName: Bulk Tests environmentName: ${ingress_subdomain} saveReport: true - saveReportBaseUrl: http://${ttk_backend_public_fqdn} + saveReportBaseUrl: http://${ttk_backend_fqdn} parameters: <<: *simNames testCaseEnvironmentFile: *ttkInputValues 
@@ -1228,7 +1228,7 @@ ml-ttk-test-setup-tp: testSuiteName: Third Party Provisioning Tests environmentName: ${ingress_subdomain} saveReport: true - saveReportBaseUrl: http://${ttk_backend_public_fqdn} + saveReportBaseUrl: http://${ttk_backend_fqdn} parameters: <<: *simNames testCaseEnvironmentFile: *ttkInputValues @@ -1240,7 +1240,7 @@ ml-ttk-test-val-tp: testSuiteName: Third Party Validation Tests environmentName: ${ingress_subdomain} saveReport: true - saveReportBaseUrl: http://${ttk_backend_public_fqdn} + saveReportBaseUrl: http://${ttk_backend_fqdn} parameters: <<: *simNames testCaseEnvironmentFile: *ttkInputValues @@ -1252,7 +1252,7 @@ ml-ttk-test-setup-sdk-bulk: testSuiteName: SDK Bulk Provisioning Tests environmentName: ${ingress_subdomain} saveReport: true - saveReportBaseUrl: http://${ttk_backend_public_fqdn} + saveReportBaseUrl: http://${ttk_backend_fqdn} parameters: <<: *simNames testCaseEnvironmentFile: *ttkInputValues @@ -1288,7 +1288,7 @@ ml-ttk-test-cleanup: testSuiteName: Post Cleanup environmentName: ${ingress_subdomain} saveReport: true - saveReportBaseUrl: http://${ttk_backend_public_fqdn} + saveReportBaseUrl: http://${ttk_backend_fqdn} parameters: <<: *simNames testCaseEnvironmentFile: *ttkInputValues diff --git a/terraform/gitops/generate-files/templates/monitoring/install/istio-gateway.yaml.tpl b/terraform/gitops/generate-files/templates/monitoring/install/istio-vs.yaml.tpl similarity index 56% rename from terraform/gitops/generate-files/templates/monitoring/install/istio-gateway.yaml.tpl rename to terraform/gitops/generate-files/templates/monitoring/install/istio-vs.yaml.tpl index 74e10d523..312a0280b 100644 --- a/terraform/gitops/generate-files/templates/monitoring/install/istio-gateway.yaml.tpl +++ b/terraform/gitops/generate-files/templates/monitoring/install/istio-vs.yaml.tpl 
@@ -5,13 +5,9 @@ metadata: name: grafana-vs spec: gateways: -%{ if grafana_wildcard_gateway == "external" ~} - - ${istio_external_gateway_namespace}/${istio_external_wildcard_gateway_name} -%{ else ~} - - ${istio_internal_gateway_namespace}/${istio_internal_wildcard_gateway_name} -%{ endif ~} + - ${grafana_istio_gateway_namespace}/${grafana_istio_wildcard_gateway_name} hosts: - - 'grafana.${public_subdomain}' + - ${grafana_fqdn} http: - match: - uri: diff --git a/terraform/gitops/generate-files/templates/monitoring/install/kustomization.yaml.tpl b/terraform/gitops/generate-files/templates/monitoring/install/kustomization.yaml.tpl index 6ad60ec07..fb742e0da 100644 --- a/terraform/gitops/generate-files/templates/monitoring/install/kustomization.yaml.tpl +++ b/terraform/gitops/generate-files/templates/monitoring/install/kustomization.yaml.tpl @@ -3,7 +3,7 @@ kind: Kustomization resources: - https://raw.githubusercontent.com/grafana/grafana-operator/${grafana_crd_version_tag}/deploy/kustomize/base/crds.yaml - vault-secret.yaml - - istio-gateway.yaml + - istio-vs.yaml - process-exporter-service-monitor.yaml - vault-minio-ext-secret.yaml helmCharts: diff --git a/terraform/gitops/generate-files/templates/monitoring/post-config/alertmanager-config.yaml.tpl b/terraform/gitops/generate-files/templates/monitoring/post-config/alertmanager-config.yaml.tpl index 2c145a2f7..9f126a90e 100644 --- a/terraform/gitops/generate-files/templates/monitoring/post-config/alertmanager-config.yaml.tpl +++ b/terraform/gitops/generate-files/templates/monitoring/post-config/alertmanager-config.yaml.tpl @@ -19,7 +19,7 @@ spec: - apiKey: name: alertmanager-jira-secret key: data - tags: ${public_subdomain} + tags: ${grafana_subdomain} --- apiVersion: external-secrets.io/v1beta1 
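Review bot: `- ${grafana_fqdn}` is emitted as a plain scalar where the line it replaces and every other VirtualService host in this commit use a single-quoted value; a rendered value that begins with a YAML indicator or looks like a non-string would change type silently. `- '${grafana_fqdn}'` keeps the file consistent with the rest of the templates. The same applies to `- ${vault_fqdn}` in vault/istio-vs.yaml.tpl further down.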
diff --git a/terraform/gitops/generate-files/templates/monitoring/post-config/monitoring-crs.yaml.tpl b/terraform/gitops/generate-files/templates/monitoring/post-config/monitoring-crs.yaml.tpl index 2a6450fc4..5c4d3824b 100644 --- a/terraform/gitops/generate-files/templates/monitoring/post-config/monitoring-crs.yaml.tpl +++ b/terraform/gitops/generate-files/templates/monitoring/post-config/monitoring-crs.yaml.tpl @@ -37,8 +37,8 @@ spec: alerting: enabled: "true" server: - domain: "${public_subdomain}" - root_url: https://grafana.${public_subdomain} + domain: "${grafana_subdomain}" + root_url: https://grafana.${grafana_subdomain} auth.gitlab: enabled: "${enable_oidc}" allow_sign_up: "true" diff --git a/terraform/gitops/generate-files/templates/ory/app/ory-app.yaml.tpl b/terraform/gitops/generate-files/templates/ory/app/ory-app.yaml.tpl index 49e5c2fef..8b279f657 100644 --- a/terraform/gitops/generate-files/templates/ory/app/ory-app.yaml.tpl +++ b/terraform/gitops/generate-files/templates/ory/app/ory-app.yaml.tpl @@ -1,4 +1,3 @@ -%{ if ory_stack_enabled ~} apiVersion: argoproj.io/v1alpha1 kind: Application metadata: @@ -30,5 +29,4 @@ spec: syncOptions: - CreateNamespace=true - PrunePropagationPolicy=background - - PruneLast=true -%{ endif ~} \ No newline at end of file + - PruneLast=true \ No newline at end of file diff --git a/terraform/gitops/generate-files/templates/pm4ml/istio-gateway.yaml.tpl b/terraform/gitops/generate-files/templates/pm4ml/istio-gateway.yaml.tpl index af240707e..ac4cb00e9 100644 --- a/terraform/gitops/generate-files/templates/pm4ml/istio-gateway.yaml.tpl +++ b/terraform/gitops/generate-files/templates/pm4ml/istio-gateway.yaml.tpl 
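Review bot: `root_url: https://grafana.${grafana_subdomain}` re-derives the Grafana host from the subdomain while the VirtualService in istio-vs.yaml.tpl now routes `${grafana_fqdn}`; if that local is ever not exactly `grafana.<grafana_subdomain>` the redirect URI Grafana sends to the OIDC provider will not match the host users actually reach and logins break. Using the same source of truth, `root_url: https://${grafana_fqdn}`, removes the coupling; `domain: "${grafana_subdomain}"` can stay if the cookie scope is meant to be the subdomain.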
@@ -5,11 +5,7 @@ metadata: name: ${pm4ml_release_name}-ui-vs spec: gateways: -%{ if pm4ml_wildcard_gateway == "external" ~} - - ${istio_external_gateway_namespace}/${istio_external_wildcard_gateway_name} -%{ else ~} - - ${istio_internal_gateway_namespace}/${istio_internal_wildcard_gateway_name} -%{ endif ~} + - ${pm4ml_istio_gateway_namespace}/${pm4ml_istio_wildcard_gateway_name} hosts: - '${portal_fqdn}' http: @@ -51,11 +47,7 @@ metadata: name: ${admin_portal_release_name}-admin-ui-vs spec: gateways: -%{ if pm4ml_wildcard_gateway == "external" ~} - - ${istio_external_gateway_namespace}/${istio_external_wildcard_gateway_name} -%{ else ~} - - ${istio_internal_gateway_namespace}/${istio_internal_wildcard_gateway_name} -%{ endif ~} + - ${pm4ml_istio_gateway_namespace}/${pm4ml_istio_wildcard_gateway_name} hosts: - '${admin_portal_fqdn}' http: @@ -119,11 +111,11 @@ apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: ${admin_portal_release_name}-auth - namespace: ${istio_external_gateway_namespace} + namespace: ${pm4ml_istio_gateway_namespace} spec: selector: matchLabels: - app: ${istio_external_gateway_name} + app: ${pm4ml_istio_gateway_name} action: CUSTOM provider: name: ${oathkeeper_auth_provider_name} @@ -138,11 +130,11 @@ apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: ${pm4ml_release_name}-exp-auth - namespace: ${istio_external_gateway_namespace} + namespace: ${pm4ml_istio_gateway_namespace} spec: selector: matchLabels: - app: ${istio_external_gateway_name} + app: ${pm4ml_istio_gateway_name} action: CUSTOM provider: name: ${oathkeeper_auth_provider_name} 
@@ -159,11 +151,7 @@ metadata: name: ${pm4ml_release_name}-experience-vs spec: gateways: -%{ if pm4ml_wildcard_gateway == "external" ~} - - ${istio_external_gateway_namespace}/${istio_external_wildcard_gateway_name} -%{ else ~} - - ${istio_internal_gateway_namespace}/${istio_internal_wildcard_gateway_name} -%{ endif ~} + - ${pm4ml_istio_gateway_namespace}/${pm4ml_istio_wildcard_gateway_name} hosts: - '${experience_api_fqdn}' http: @@ -181,7 +169,7 @@ spec: add: access-control-allow-origin: "https://${portal_fqdn}" access-control-allow-credentials: "true" -%{ if pm4ml_wildcard_gateway == "external" ~} + --- apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy @@ -192,41 +180,14 @@ spec: selector: matchLabels: app: ${istio_external_gateway_name} -%{ if ory_stack_enabled ~} action: CUSTOM provider: name: ${oathkeeper_auth_provider_name} -%{ else ~} - action: DENY -%{ endif ~} rules: - to: - operation: paths: ["/api/*"] hosts: ["${portal_fqdn}", "${portal_fqdn}:*"] -%{ if !ory_stack_enabled ~} - from: - - source: - notRequestPrincipals: ["https://${keycloak_fqdn}/realms/${keycloak_pm4ml_realm_name}/*"] -%{ endif ~} -%{ if !ory_stack_enabled ~} ---- -apiVersion: security.istio.io/v1beta1 -kind: RequestAuthentication -metadata: - name: keycloak-${keycloak_pm4ml_realm_name}-jwt - namespace: ${istio_external_gateway_namespace} -spec: - selector: - matchLabels: - istio: ${istio_external_gateway_name} - jwtRules: - - issuer: "https://${keycloak_fqdn}/realms/${keycloak_pm4ml_realm_name}" - jwksUri: "https://${keycloak_fqdn}/realms/${keycloak_pm4ml_realm_name}/protocol/openid-connect/certs" - fromHeaders: - - name: Authorization - prefix: "Bearer " -%{ endif ~} --- apiVersion: networking.istio.io/v1alpha3 kind: Gateway @@ -275,7 +236,7 @@ metadata: name: ${pm4ml_release_name}-test-vs spec: gateways: - - istio-ingress-int/internal-wildcard-gateway + - ${pm4ml_istio_gateway_namespace}/${pm4ml_istio_wildcard_gateway_name} hosts: - '${test_fqdn}' http: 
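Review bot: The AuthorizationPolicy whose selector opens the `@@ -192` hunk still targets `app: ${istio_external_gateway_name}`, while `${pm4ml_release_name}-ui-vs` now binds to `${pm4ml_istio_gateway_namespace}/${pm4ml_istio_wildcard_gateway_name}`, and the `@@ -181` hunk removed the `%{ if pm4ml_wildcard_gateway == "external" ~}` guard that used to keep the two in step. When pm4ml is placed on the internal gateway the policy is rendered but selects the external gateway pods, so `/api/*` on `${portal_fqdn}` reaches the backend with no oathkeeper check at all. The two policies earlier in this file were switched to `${pm4ml_istio_gateway_name}` / `${pm4ml_istio_gateway_namespace}`; this one needs `app: ${pm4ml_istio_gateway_name}` here and the matching namespace in its metadata, which sits above the hunk.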
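Review bot: `${pm4ml_release_name}-test-vs` in the `@@ -275` hunk was hard-wired to `istio-ingress-int/internal-wildcard-gateway` and now follows `${pm4ml_istio_gateway_namespace}/${pm4ml_istio_wildcard_gateway_name}`, so with `pm4ml_ingress_internal_lb` false the test endpoint on `${test_fqdn}` moves to the public gateway; the ttkfront, ttkback and portal-pta VirtualServices in the next set of hunks change in the same way from the explicit internal gateway. None of those hosts has an AuthorizationPolicy visible in this diff, so this is an exposure change rather than a pure variable rename. If they are meant to stay private regardless of where the portal lives, keep `- ${istio_internal_gateway_namespace}/${istio_internal_wildcard_gateway_name}` for them, or state in the commit message that they are intended to follow the portal.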
@@ -341,7 +302,7 @@ metadata: name: ${pm4ml_release_name}-ttkfront-vs spec: gateways: - - ${istio_internal_gateway_namespace}/${istio_internal_wildcard_gateway_name} + - ${pm4ml_istio_gateway_namespace}/${pm4ml_istio_wildcard_gateway_name} hosts: - '${ttk_frontend_fqdn}' http: @@ -360,7 +321,7 @@ metadata: name: ${pm4ml_release_name}-ttkback-vs spec: gateways: - - ${istio_internal_gateway_namespace}/${istio_internal_wildcard_gateway_name} + - ${pm4ml_istio_gateway_namespace}/${pm4ml_istio_wildcard_gateway_name} hosts: - '${ttk_backend_fqdn}' http: @@ -400,7 +361,7 @@ metadata: name: ${pm4ml_release_name}-portal-pta-vs spec: gateways: - - ${istio_internal_gateway_namespace}/${istio_internal_wildcard_gateway_name} + - ${pm4ml_istio_gateway_namespace}/${pm4ml_istio_wildcard_gateway_name} hosts: - '${pta_portal_fqdn}' http: @@ -412,5 +373,4 @@ spec: host: ${pm4ml_release_name}-mojaloop-payment-token-adapter port: number: 3000 ---- -%{ endif ~} \ No newline at end of file +--- \ No newline at end of file diff --git a/terraform/gitops/generate-files/templates/pm4ml/values-pm4ml.yaml.tpl b/terraform/gitops/generate-files/templates/pm4ml/values-pm4ml.yaml.tpl index a9f736700..bf69ded35 100644 --- a/terraform/gitops/generate-files/templates/pm4ml/values-pm4ml.yaml.tpl +++ b/terraform/gitops/generate-files/templates/pm4ml/values-pm4ml.yaml.tpl @@ -21,12 +21,10 @@ frontend: enabled: false env: API_BASE_URL: "https://${experience_api_fqdn}" -%{ if ory_stack_enabled ~} CHECK_SESSION_URL: https://${portal_fqdn}/kratos/sessions/whoami LOGIN_URL: https://${auth_fqdn}/kratos/self-service/login/browser LOGOUT_URL: /kratos/self-service/logout/browser?return_to=https%3A%2F%2F${keycloak_fqdn}%2Frealms%2F${keycloak_pm4ml_realm_name}%2Fprotocol%2Fopenid-connect%2Flogout LOGIN_PROVIDER: ${keycloak_pm4ml_realm_name} -%{ endif ~} experience-api: image: 
diff --git a/terraform/gitops/generate-files/templates/vault/charts/vault/values.yaml.tpl b/terraform/gitops/generate-files/templates/vault/charts/vault/values.yaml.tpl index eb6f43aa1..d3d8a1067 100644 --- a/terraform/gitops/generate-files/templates/vault/charts/vault/values.yaml.tpl +++ b/terraform/gitops/generate-files/templates/vault/charts/vault/values.yaml.tpl @@ -88,10 +88,10 @@ vault: %{ endif ~} ingressClassName: ${ingress_class} hosts: - - host: vault.${public_subdomain} + - host: ${vault_fqdn} tls: - hosts: - - "*.${public_subdomain}" + - "*.${vault_subdomain}" ui: enabled: true diff --git a/terraform/gitops/generate-files/templates/vault/istio-gateway.yaml.tpl b/terraform/gitops/generate-files/templates/vault/istio-vs.yaml.tpl similarity index 60% rename from terraform/gitops/generate-files/templates/vault/istio-gateway.yaml.tpl rename to terraform/gitops/generate-files/templates/vault/istio-vs.yaml.tpl index 61c7d0f5e..7858ee532 100644 --- a/terraform/gitops/generate-files/templates/vault/istio-gateway.yaml.tpl +++ b/terraform/gitops/generate-files/templates/vault/istio-vs.yaml.tpl @@ -7,13 +7,9 @@ metadata: argocd.argoproj.io/sync-wave: "${vault_sync_wave}" spec: gateways: -%{ if vault_wildcard_gateway == "external" ~} - - ${istio_external_gateway_namespace}/${istio_external_wildcard_gateway_name} -%{ else ~} - - ${istio_internal_gateway_namespace}/${istio_internal_wildcard_gateway_name} -%{ endif ~} + - ${vault_istio_gateway_namespace}/${vault_istio_wildcard_gateway_name} hosts: - - 'vault.${public_subdomain}' + - ${vault_fqdn} http: - match: - uri: diff --git a/terraform/gitops/generate-files/templates/vault/post-config.yaml.tpl b/terraform/gitops/generate-files/templates/vault/post-config.yaml.tpl index 1ef11a51e..c36468168 100644 --- a/terraform/gitops/generate-files/templates/vault/post-config.yaml.tpl +++ b/terraform/gitops/generate-files/templates/vault/post-config.yaml.tpl 
@@ -73,7 +73,7 @@ data: { "user_claim": "sub", "bound_audiences": "$${OIDC_CLIENT_ID}", - "allowed_redirect_uris": ["https://vault.${public_subdomain}/ui/vault/auth/oidc/oidc/callback"], + "allowed_redirect_uris": ["https://${vault_fqdn}/ui/vault/auth/oidc/oidc/callback"], "role_type": "oidc", "token_policies": "vault-admin", "ttl": "1h", @@ -85,7 +85,7 @@ data: { "user_claim": "sub", "bound_audiences": "$${OIDC_CLIENT_ID}", - "allowed_redirect_uris": ["https://vault.${public_subdomain}/ui/vault/auth/oidc/oidc/callback"], + "allowed_redirect_uris": ["https://${vault_fqdn}/ui/vault/auth/oidc/oidc/callback"], "role_type": "oidc", "token_policies": "read-secrets", "ttl": "1h", diff --git a/terraform/gitops/generate-files/templates/vnext/istio-config.yaml.tpl b/terraform/gitops/generate-files/templates/vnext/istio-config.yaml.tpl index 2131d61a8..27946e161 100644 --- a/terraform/gitops/generate-files/templates/vnext/istio-config.yaml.tpl +++ b/terraform/gitops/generate-files/templates/vnext/istio-config.yaml.tpl @@ -27,7 +27,7 @@ spec: selector: matchLabels: app: ${istio_external_gateway_name} -%{ if ory_stack_enabled ~} +%{ if fspiop_use_ory_for_auth ~} action: CUSTOM provider: name: ${oathkeeper_auth_provider_name} @@ -38,7 +38,7 @@ spec: - when: - key: connection.sni values: ["${interop_switch_fqdn}", "${interop_switch_fqdn}:*"] -%{ if !ory_stack_enabled ~} +%{ if !fspiop_use_ory_for_auth ~} from: - source: notRequestPrincipals: ["https://${keycloak_fqdn}/realms/${keycloak_dfsp_realm_name}/*"] @@ -202,13 +202,9 @@ metadata: name: vnext-ttkfront-vs spec: gateways: -%{ if vnext_wildcard_gateway == "external" ~} - - ${istio_external_gateway_namespace}/${istio_external_wildcard_gateway_name} -%{ else ~} - - ${istio_internal_gateway_namespace}/${istio_internal_wildcard_gateway_name} -%{ endif ~} + - ${ttk_istio_gateway_namespace}/${ttk_istio_wildcard_gateway_name} hosts: - - '${ttk_frontend_public_fqdn}' + - '${ttk_frontend_fqdn}' http: - match: - uri: 
@@ -225,13 +221,9 @@ metadata: name: vnext-ttkback-vs spec: gateways: -%{ if vnext_wildcard_gateway == "external" ~} - - ${istio_external_gateway_namespace}/${istio_external_wildcard_gateway_name} -%{ else ~} - - ${istio_internal_gateway_namespace}/${istio_internal_wildcard_gateway_name} -%{ endif ~} + - ${ttk_istio_gateway_namespace}/${ttk_istio_wildcard_gateway_name} hosts: - - '${ttk_backend_public_fqdn}' + - '${ttk_backend_fqdn}' http: - name: api match: @@ -267,11 +259,7 @@ metadata: name: vnext-admin-ui spec: gateways: -%{ if vnext_wildcard_gateway == "external" ~} - - ${istio_external_gateway_namespace}/${istio_external_wildcard_gateway_name} -%{ else ~} - - ${istio_internal_gateway_namespace}/${istio_internal_wildcard_gateway_name} -%{ endif ~} + - ${vnext_istio_gateway_namespace}/${vnext_istio_wildcard_gateway_name} hosts: - '${vnext_admin_ui_fqdn}' http: diff --git a/terraform/gitops/generate-files/templates/vnext/values-ttk.yaml.tpl b/terraform/gitops/generate-files/templates/vnext/values-ttk.yaml.tpl index e7a72b315..28ca4be1d 100644 --- a/terraform/gitops/generate-files/templates/vnext/values-ttk.yaml.tpl +++ b/terraform/gitops/generate-files/templates/vnext/values-ttk.yaml.tpl @@ -5,4 +5,4 @@ ml-testing-toolkit-frontend: ingress: enabled: false config: - API_BASE_URL: https://${ttk_backend_public_fqdn} \ No newline at end of file + API_BASE_URL: https://${ttk_backend_fqdn} \ No newline at end of file diff --git a/terraform/gitops/k8s-cluster-config/app-deploy.tf b/terraform/gitops/k8s-cluster-config/app-deploy.tf index 032616a4c..52353b988 100644 --- a/terraform/gitops/k8s-cluster-config/app-deploy.tf +++ b/terraform/gitops/k8s-cluster-config/app-deploy.tf 
@@ -33,9 +33,10 @@ module "mojaloop" { vault_secret_key = var.vault_secret_key role_assign_svc_secret = var.role_assign_svc_secret role_assign_svc_user = var.role_assign_svc_user - mcm_public_fqdn = local.mcm_public_fqdn - ttk_backend_public_fqdn = local.ttk_backend_public_fqdn - ttk_frontend_public_fqdn = local.ttk_frontend_public_fqdn + ttk_backend_fqdn = local.ttk_backend_fqdn + ttk_frontend_fqdn = local.ttk_frontend_fqdn + ttk_istio_gateway_namespace = local.ttk_istio_gateway_namespace + ttk_istio_wildcard_gateway_name = local.ttk_istio_wildcard_gateway_name istio_external_gateway_name = var.istio_external_gateway_name istio_internal_gateway_name = var.istio_internal_gateway_name istio_external_wildcard_gateway_name = local.istio_external_wildcard_gateway_name @@ -56,11 +57,18 @@ module "mojaloop" { auth_fqdn = local.auth_fqdn ory_namespace = var.ory_namespace finance_portal_fqdn = local.finance_portal_fqdn + portal_istio_gateway_namespace = local.portal_istio_gateway_namespace + portal_istio_wildcard_gateway_name = local.portal_istio_wildcard_gateway_name + portal_istio_gateway_name = local.portal_istio_gateway_name bof_release_name = local.bof_release_name - ory_stack_enabled = var.ory_stack_enabled oathkeeper_auth_provider_name = local.oathkeeper_auth_provider_name keycloak_hubop_realm_name = var.keycloak_hubop_realm_name rbac_api_resources_file = var.rbac_api_resources_file + mcm_fqdn = local.mcm_fqdn + mcm_istio_gateway_namespace = local.mcm_istio_gateway_namespace + mcm_istio_wildcard_gateway_name = local.mcm_istio_wildcard_gateway_name + mcm_istio_gateway_name = local.mcm_istio_gateway_name + fspiop_use_ory_for_auth = var.app_var_map.fspiop_use_ory_for_auth } module "pm4ml" { 
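Review bot: `fspiop_use_ory_for_auth = var.app_var_map.fspiop_use_ory_for_auth` reads a new attribute from `app_var_map`, whose `variable "app_var_map"` declaration is not in this diff; if its type or default does not gain the attribute, plan fails on the missing attribute, and if the type is loose and a caller omits the key the module receives `null`, which the templates then feed into `%{ if fspiop_use_ory_for_auth ~}`. Give the attribute an explicit `bool` type and a default in the variable so the auth mode selected by an omitted key is deliberate. The same line is added to the vnext module in a later hunk.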
@@ -101,7 +109,6 @@ module "pm4ml" { local_vault_kv_root_path = local.local_vault_kv_root_path portal_fqdns = local.portal_fqdns admin_portal_fqdns = local.admin_portal_fqdns - ory_stack_enabled = var.ory_stack_enabled auth_fqdn = local.auth_fqdn oathkeeper_auth_provider_name = local.oathkeeper_auth_provider_name experience_api_fqdns = local.experience_api_fqdns @@ -117,6 +124,9 @@ module "pm4ml" { role_assign_svc_secret_prefix = "role-assign-svc-secret-" portal_admin_user = var.portal_admin_user portal_admin_secret_prefix = "portal-admin-secret-" + pm4ml_istio_gateway_namespaces = local.pm4ml_istio_gateway_namespaces + pm4ml_istio_wildcard_gateway_names = local.pm4ml_istio_wildcard_gateway_names + pm4ml_istio_gateway_names = local.pm4ml_istio_gateway_names } module "vnext" { @@ -154,9 +164,14 @@ module "vnext" { vault_secret_key = var.vault_secret_key role_assign_svc_secret = var.role_assign_svc_secret role_assign_svc_user = var.role_assign_svc_user - mcm_public_fqdn = local.mcm_public_fqdn - ttk_backend_public_fqdn = local.ttk_backend_public_fqdn - ttk_frontend_public_fqdn = local.ttk_frontend_public_fqdn + mcm_fqdn = local.mcm_fqdn + mcm_istio_gateway_namespace = local.mcm_istio_gateway_namespace + mcm_istio_wildcard_gateway_name = local.mcm_istio_wildcard_gateway_name + mcm_istio_gateway_name = local.mcm_istio_gateway_name + ttk_backend_fqdn = local.ttk_backend_fqdn + ttk_frontend_fqdn = local.ttk_frontend_fqdn + ttk_istio_wildcard_gateway_name = local.ttk_istio_wildcard_gateway_name + ttk_istio_gateway_namespace = local.ttk_istio_gateway_namespace istio_external_gateway_name = var.istio_external_gateway_name istio_internal_gateway_name = var.istio_internal_gateway_name istio_external_wildcard_gateway_name = local.istio_external_wildcard_gateway_name 
@@ -176,11 +191,13 @@ module "vnext" { ory_namespace = var.ory_namespace finance_portal_fqdn = local.finance_portal_fqdn bof_release_name = local.bof_release_name - ory_stack_enabled = var.ory_stack_enabled oathkeeper_auth_provider_name = local.oathkeeper_auth_provider_name keycloak_hubop_realm_name = var.keycloak_hubop_realm_name rbac_api_resources_file = var.rbac_api_resources_file vnext_admin_ui_fqdn = local.vnext_admin_ui_fqdn + vnext_istio_gateway_namespace = local.vnext_istio_gateway_namespace + vnext_istio_wildcard_gateway_name = local.vnext_istio_wildcard_gateway_name + fspiop_use_ory_for_auth = var.app_var_map.fspiop_use_ory_for_auth } variable "app_var_map" { @@ -276,11 +293,13 @@ variable "argocd_namespace" { description = "namespace argocd is deployed to" } +variable "finanace_portal_ingress_internal_lb" { + default = false + description = "whether argocd should only be available on private network" +} + locals { - argocd_wildcard_gateway = var.argocd_ingress_internal_lb ? "internal" : "external" - mojaloop_wildcard_gateway = var.app_var_map.mojaloop_ingress_internal_lb ? "internal" : "external" - vnext_wildcard_gateway = var.app_var_map.vnext_ingress_internal_lb ? "internal" : "external" - mcm_wildcard_gateway = var.app_var_map.mcm_ingress_internal_lb ? "internal" : "external" + pm4ml_var_map = { for pm4ml in var.app_var_map.pm4mls : pm4ml.pm4ml => pm4ml } 
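Review bot: `variable "finanace_portal_ingress_internal_lb"` misspells "finance", and its description, `whether argocd should only be available on private network`, is copied from the argocd variable; both become part of the module's public interface and the typo is then repeated in `finance_portal_wildcard_gateway`. Suggest `variable "finance_portal_ingress_internal_lb"` with `description = "whether the finance portal should only be reachable on the private network"`. The other per-application toggles live under `var.app_var_map.*_ingress_internal_lb`, so this one is the odd top-level variable, and with `default = false` the finance portal lands on the external gateway unless an operator opts in.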
@@ -301,36 +320,45 @@ locals { pm4ml_wildcard_gateways = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => pm4ml.pm4ml_ingress_internal_lb ? "internal" : "external" } - mcm_public_fqdn = "mcm.${var.public_subdomain}" + mcm_wildcard_gateway = var.app_var_map.mcm_ingress_internal_lb ? "internal" : "external" + mcm_fqdn = local.mcm_wildcard_gateway == "external" ? "mcm.${var.public_subdomain}" : "mcm.${var.private_subdomain}" + mcm_istio_gateway_namespace = local.mcm_wildcard_gateway == "external" ? var.istio_external_gateway_namespace : var.istio_internal_gateway_namespace + mcm_istio_wildcard_gateway_name = local.mcm_wildcard_gateway == "external" ? local.istio_external_wildcard_gateway_name : local.istio_internal_wildcard_gateway_name + mcm_istio_gateway_name = local.mcm_wildcard_gateway == "external" ? var.istio_external_gateway_name : var.istio_internal_gateway_name + auth_fqdn = "auth.${var.public_subdomain}" - vault_public_fqdn = "vault.${var.public_subdomain}" - grafana_public_fqdn = "grafana.${var.public_subdomain}" external_interop_switch_fqdn = "extapi.${var.public_subdomain}" - internal_interop_switch_fqdn = "intapi.${var.public_subdomain}" - ttk_frontend_public_fqdn = "ttkfrontend.${var.public_subdomain}" - ttk_backend_public_fqdn = "ttkbackend.${var.public_subdomain}" - finance_portal_fqdn = "finance-portal.${var.public_subdomain}" - argocd_fqdn = "argocd.${var.public_subdomain}" - vnext_admin_ui_fqdn = "vnext-admin.${var.public_subdomain}" + internal_interop_switch_fqdn = "intapi.${var.private_subdomain}" + + mojaloop_wildcard_gateway = var.app_var_map.mojaloop_ingress_internal_lb ? "internal" : "external" + ttk_frontend_fqdn = local.mojaloop_wildcard_gateway == "external" ? "ttkfrontend.${var.public_subdomain}" : "ttkfrontend.${var.private_subdomain}" + ttk_backend_fqdn = local.mojaloop_wildcard_gateway == "external" ? 
"ttkbackend.${var.public_subdomain}" : "ttkbackend.${var.private_subdomain}" + ttk_istio_wildcard_gateway_name = local.mojaloop_wildcard_gateway == "external" ? local.istio_external_wildcard_gateway_name : local.istio_internal_wildcard_gateway_name + ttk_istio_gateway_namespace = local.mojaloop_wildcard_gateway == "external" ? var.istio_external_gateway_namespace : var.istio_internal_gateway_namespace + + finance_portal_wildcard_gateway = var.finanace_portal_ingress_internal_lb ? "internal" : "external" + finance_portal_fqdn = local.finance_portal_wildcard_gateway == "external" ? "finance-portal.${var.public_subdomain}" : "finance-portal.${var.private_subdomain}" + portal_istio_gateway_namespace = local.finance_portal_wildcard_gateway == "external" ? var.istio_external_gateway_namespace : var.istio_internal_gateway_namespace + portal_istio_wildcard_gateway_name = local.finance_portal_wildcard_gateway == "external" ? local.istio_external_wildcard_gateway_name : local.istio_internal_wildcard_gateway_name + portal_istio_gateway_name = local.finance_portal_wildcard_gateway == "external" ? var.istio_external_gateway_name : var.istio_internal_gateway_name - mojaloop_internal_gateway_hosts = concat([local.internal_interop_switch_fqdn], - local.mojaloop_wildcard_gateway == "internal" ? [local.ttk_frontend_public_fqdn, local.ttk_backend_public_fqdn] : [], - local.mcm_wildcard_gateway == "internal" ? [local.mcm_public_fqdn] : []) - mojaloop_external_gateway_hosts = concat( - local.mojaloop_wildcard_gateway == "external" ? [local.ttk_frontend_public_fqdn, local.ttk_backend_public_fqdn] : [], - local.mcm_wildcard_gateway == "external" ? [local.mcm_public_fqdn] : []) + vnext_wildcard_gateway = var.app_var_map.vnext_ingress_internal_lb ? "internal" : "external" + vnext_admin_ui_fqdn = local.vnext_wildcard_gateway == "external" ? 
"vnext-admin.${var.public_subdomain}" : "vnext-admin.${var.private_subdomain}" + vnext_istio_gateway_namespace = local.vnext_wildcard_gateway == "external" ? var.istio_external_gateway_namespace : var.istio_internal_gateway_namespace + vnext_istio_wildcard_gateway_name = local.vnext_wildcard_gateway == "external" ? local.istio_external_wildcard_gateway_name : local.istio_internal_wildcard_gateway_name - vnext_internal_gateway_hosts = local.vnext_wildcard_gateway == "internal" ? [local.vnext_admin_ui_fqdn] : [] - vnext_external_gateway_hosts = local.vnext_wildcard_gateway == "external" ? [local.vnext_admin_ui_fqdn] : [] + portal_fqdns = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "external" ? "portal-${pm4ml.pm4ml}.${var.public_subdomain}" : "portal-${pm4ml.pm4ml}.${var.private_subdomain}" } + admin_portal_fqdns = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "external" ? "admin-portal-${pm4ml.pm4ml}.${var.public_subdomain}" : "admin-portal-${pm4ml.pm4ml}.${var.private_subdomain}"} + experience_api_fqdns = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "external" ? "exp-${pm4ml.pm4ml}.${var.public_subdomain}" : "exp-${pm4ml.pm4ml}.${var.private_subdomain}"} + mojaloop_connnector_fqdns = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "external" ? "conn-${pm4ml.pm4ml}.${var.public_subdomain}" : "conn-${pm4ml.pm4ml}.${var.private_subdomain}" } + test_fqdns = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "external" ? "test-${pm4ml.pm4ml}.${var.public_subdomain}" : "test-${pm4ml.pm4ml}.${var.private_subdomain}" } + pm4ml_ttk_frontend_fqdns = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "external" ? 
"ttkfront-${pm4ml.pm4ml}.${var.public_subdomain}" : "ttkfront-${pm4ml.pm4ml}.${var.private_subdomain}" } + pm4ml_ttk_backend_fqdns = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "external" ? "ttkback-${pm4ml.pm4ml}.${var.public_subdomain}" : "ttkback-${pm4ml.pm4ml}.${var.private_subdomain}"} + pm4ml_pta_portal_fqdns = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "external" ? "pta-portal-${pm4ml.pm4ml}.${var.public_subdomain}" : "pta-portal-${pm4ml.pm4ml}.${var.private_subdomain}"} - portal_fqdns = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => "portal-${pm4ml.pm4ml}.${var.public_subdomain}" } - admin_portal_fqdns = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => "admin-portal-${pm4ml.pm4ml}.${var.public_subdomain}" } - experience_api_fqdns = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => "exp-${pm4ml.pm4ml}.${var.public_subdomain}" } - mojaloop_connnector_fqdns = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => "conn-${pm4ml.pm4ml}.${var.public_subdomain}" } - test_fqdns = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => "test-${pm4ml.pm4ml}.${var.public_subdomain}" } - pm4ml_ttk_frontend_fqdns = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => "ttkfront-${pm4ml.pm4ml}.${var.public_subdomain}" } - pm4ml_ttk_backend_fqdns = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => "ttkback-${pm4ml.pm4ml}.${var.public_subdomain}" } - pm4ml_pta_portal_fqdns = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => "pta-portal-${pm4ml.pm4ml}.${var.public_subdomain}" } + pm4ml_istio_gateway_namespaces = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "external" ? var.istio_external_gateway_namespace : var.istio_internal_gateway_namespace } + pm4ml_istio_wildcard_gateway_names = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "external" ? 
local.istio_external_wildcard_gateway_name : local.istio_internal_wildcard_gateway_name } + pm4ml_istio_gateway_names = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "external" ? var.istio_external_gateway_name : var.istio_internal_gateway_name } pm4ml_internal_wildcard_admin_portal_hosts = [for pm4ml in local.pm4ml_var_map : local.admin_portal_fqdns[pm4ml.pm4ml] if local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "internal"] pm4ml_external_wildcard_admin_portal_hosts = [for pm4ml in local.pm4ml_var_map : local.admin_portal_fqdns[pm4ml.pm4ml] if local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "external"] 
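Review bot: `auth_fqdn = "auth.${var.public_subdomain}"` is the one host in this locals hunk that does not follow an `*_ingress_internal_lb` toggle, so the Ory auth endpoint remains on the external gateway even when keycloak, the finance portal and every pm4ml portal are moved to the private subdomain by this change. That was true before the patch too, but now that every other service carries its own `*_istio_gateway_namespace`/`*_istio_wildcard_gateway_name` pair the asymmetry is an exposure decision and should be recorded, e.g. `# NOTE: auth is published on the external gateway regardless of the other *_ingress_internal_lb toggles`, or the host given the same wildcard-gateway triple if an all-internal deployment is a supported target. The `*_internal_gateway_hosts`/`*_external_gateway_hosts` aggregates are also removed here, so the central host-to-gateway list this file used to compute no longer exists; whether the gateway templates now serve a subdomain wildcard is not visible in this diff and is worth confirming. The `locals` block this hunk belongs to starts before and ends after the hunk.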
@@ -351,19 +379,5 @@ locals { } ) - internal_gateway_hosts = concat([local.keycloak_admin_fqdn], - local.argocd_wildcard_gateway == "internal" ? [local.argocd_fqdn] : [], - local.vault_wildcard_gateway == "internal" ? [local.vault_public_fqdn] : [], - local.grafana_wildcard_gateway == "internal" ? [local.grafana_public_fqdn] : [], - (var.common_var_map.mojaloop_enabled || var.common_var_map.vnext_enabled) ? local.mojaloop_internal_gateway_hosts : [], - var.common_var_map.pm4ml_enabled ? local.pm4ml_internal_gateway_hosts : [], - var.common_var_map.vnext_enabled ? local.vnext_internal_gateway_hosts : []) - external_gateway_hosts = concat([local.keycloak_fqdn, local.auth_fqdn, local.finance_portal_fqdn], - local.argocd_wildcard_gateway == "external" ? [local.argocd_fqdn] : [], - local.vault_wildcard_gateway == "external" ? [local.vault_public_fqdn] : [], - local.grafana_wildcard_gateway == "external" ? [local.grafana_public_fqdn] : [], - (var.common_var_map.mojaloop_enabled || var.common_var_map.vnext_enabled) ? local.mojaloop_external_gateway_hosts : [], - var.common_var_map.pm4ml_enabled ? local.pm4ml_external_gateway_hosts : [], - var.common_var_map.vnext_enabled ? local.vnext_external_gateway_hosts : []) - bof_managed_portal_fqdns = (var.common_var_map.mojaloop_enabled || var.common_var_map.vnext_enabled) ? [local.finance_portal_fqdn, local.mcm_public_fqdn] : concat(local.pm4ml_external_wildcard_portal_hosts, local.pm4ml_internal_wildcard_portal_hosts, local.pm4ml_internal_wildcard_admin_portal_hosts, local.pm4ml_external_wildcard_admin_portal_hosts) + bof_managed_portal_fqdns = (var.common_var_map.mojaloop_enabled || var.common_var_map.vnext_enabled) ? [local.finance_portal_fqdn, local.mcm_fqdn] : concat(local.pm4ml_external_wildcard_portal_hosts, local.pm4ml_internal_wildcard_portal_hosts, local.pm4ml_internal_wildcard_admin_portal_hosts, local.pm4ml_external_wildcard_admin_portal_hosts) } 
diff --git a/terraform/gitops/k8s-cluster-config/ingress.tf b/terraform/gitops/k8s-cluster-config/ingress.tf
index e5bb92e27..ec5df99d6 100644
--- a/terraform/gitops/k8s-cluster-config/ingress.tf
+++ b/terraform/gitops/k8s-cluster-config/ingress.tf
@@ -51,11 +51,7 @@ variable "ingress_sync_wave" {
 description = "ingress_sync_wave"
 default = "-7"
 }
-variable "default_ssl_certificate" {
- type = string
- description = "default_ssl_certificate"
- default = "default-lets-enc"
-}
+
 variable "wildcare_certificate_wave" {
 type = string
 description = "nginx_internal_namespace"
diff --git a/terraform/gitops/k8s-cluster-config/istio.tf b/terraform/gitops/k8s-cluster-config/istio.tf
index 2b9b2f763..e72b40613 100644
--- a/terraform/gitops/k8s-cluster-config/istio.tf
+++ b/terraform/gitops/k8s-cluster-config/istio.tf
@@ -14,7 +14,7 @@ module "generate_istio_files" {
 istio_internal_wildcard_gateway_name = local.istio_internal_wildcard_gateway_name
 istio_egress_gateway_namespace = local.istio_egress_gateway_namespace
 istio_egress_gateway_name = local.istio_egress_gateway_name
- istio_egress_gateway_max_replicas = try(var.common_var_map.istio_egress_gateway_max_replicas,var.istio_egress_gateway_max_replicas)
+ istio_egress_gateway_max_replicas = try(var.common_var_map.istio_egress_gateway_max_replicas, var.istio_egress_gateway_max_replicas)
 external_ingress_https_port = var.external_ingress_https_port
 external_ingress_http_port = var.external_ingress_http_port
 external_ingress_health_port = var.external_ingress_health_port
@@ -24,20 +24,20 @@ module "generate_istio_files" { istio_external_gateway_name = var.istio_external_gateway_name istio_internal_gateway_name = var.istio_internal_gateway_name default_ssl_certificate = var.default_ssl_certificate + default_internal_ssl_certificate = var.default_internal_ssl_certificate wildcare_certificate_wave = var.wildcare_certificate_wave public_subdomain = var.public_subdomain + private_subdomain = var.private_subdomain istio_gateways_sync_wave = var.istio_gateways_sync_wave kiali_chart_version = var.kiali_chart_version kiali_chart_repo = var.kiali_chart_repo internal_load_balancer_dns = var.internal_load_balancer_dns external_load_balancer_dns = var.external_load_balancer_dns - internal_gateway_hosts = local.internal_gateway_hosts - external_gateway_hosts = local.external_gateway_hosts - ory_stack_enabled = var.ory_stack_enabled - oathkeeper_auth_url = var.ory_stack_enabled ? local.oathkeeper_auth_url : "" - oathkeeper_auth_provider_name = var.ory_stack_enabled ? local.oathkeeper_auth_provider_name : "" + oathkeeper_auth_url = local.oathkeeper_auth_url + oathkeeper_auth_provider_name = local.oathkeeper_auth_provider_name argocd_wildcard_gateway = local.argocd_wildcard_gateway - argocd_fqdn = local.argocd_fqdn + argocd_public_fqdn = local.argocd_public_fqdn + argocd_private_fqdn = local.argocd_private_fqdn argocd_namespace = var.argocd_namespace } 
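Review bot: `internal_gateway_hosts` and `external_gateway_hosts` are dropped from the istio var_map in this hunk with no replacement input, while `default_internal_ssl_certificate` and `private_subdomain` are added. The templates are not in this diff, but that combination suggests the two Gateways now serve `*.${public_subdomain}` / `*.${private_subdomain}` rather than the explicit host list this module used to compute, in which case any VirtualService permitted to bind the wildcard gateway can claim any name under that subdomain and the hostname allow-list that lived here is replaced by Istio's gateway binding alone. If that is the intended design, record it next to the new inputs: `# gateways serve subdomain wildcards; per-app exposure is controlled by the *_istio_wildcard_gateway_name each app binds`; if not, the host lists should be re-derived from the new per-app locals rather than removed. The `module "generate_istio_files"` block starts before this hunk.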
@@ -49,8 +49,15 @@ module "generate_istio_files" { } locals { - istio_template_path = "${path.module}/../generate-files/templates/istio" - istio_app_file = "istio-app.yaml" + istio_template_path = "${path.module}/../generate-files/templates/istio" + istio_app_file = "istio-app.yaml" + argocd_wildcard_gateway = var.argocd_ingress_internal_lb ? "internal" : "external" + argocd_public_fqdn = "argocd.${var.public_subdomain}" + argocd_private_fqdn = "argocd.${var.private_subdomain}" + istio_internal_wildcard_gateway_name = "internal-wildcard-gateway" + istio_external_wildcard_gateway_name = "external-wildcard-gateway" + istio_egress_gateway_name = "callback-egress-gateway" + istio_egress_gateway_namespace = "egress-gateway" } @@ -129,12 +136,5 @@ variable "istio_create_ingress_gateways" { variable "istio_egress_gateway_max_replicas" { type = number description = "istio_egress_gateway_max_replicas" - default = 5 -} - -locals { - istio_internal_wildcard_gateway_name = "internal-wildcard-gateway" - istio_external_wildcard_gateway_name = "external-wildcard-gateway" - istio_egress_gateway_name = "callback-egress-gateway" - istio_egress_gateway_namespace = "egress-gateway" + default = 5 } diff --git a/terraform/gitops/k8s-cluster-config/keycloak.tf b/terraform/gitops/k8s-cluster-config/keycloak.tf index 9eb38ee92..707c3b156 100644 --- a/terraform/gitops/k8s-cluster-config/keycloak.tf +++ b/terraform/gitops/k8s-cluster-config/keycloak.tf 
@@ -11,24 +11,28 @@ module "generate_keycloak_files" { keycloak_postgres_password_secret = module.common_stateful_resources.stateful_resources[local.keycloak_postgres_resource_index].logical_service_config.user_password_secret keycloak_postgres_port = module.common_stateful_resources.stateful_resources[local.keycloak_postgres_resource_index].logical_service_config.logical_service_port keycloak_postgres_password_secret_key = "password" - keycloak_fqdn = local.keycloak_fqdn - keycloak_admin_fqdn = local.keycloak_admin_fqdn - keycloak_dfsp_realm_name = var.keycloak_dfsp_realm_name - keycloak_sync_wave = var.keycloak_sync_wave - keycloak_post_config_sync_wave = var.keycloak_post_config_sync_wave - ingress_class = var.keycloak_ingress_internal_lb ? var.internal_ingress_class_name : var.external_ingress_class_name - istio_internal_wildcard_gateway_name = local.istio_internal_wildcard_gateway_name - istio_internal_gateway_namespace = var.istio_internal_gateway_namespace - istio_external_wildcard_gateway_name = local.istio_external_wildcard_gateway_name - istio_external_gateway_namespace = var.istio_external_gateway_namespace - istio_external_gateway_name = var.istio_external_gateway_name - keycloak_wildcard_gateway = local.keycloak_wildcard_gateway - external_ingress_class_name = var.external_ingress_class_name - keycloak_tls_secretname = var.default_ssl_certificate - istio_create_ingress_gateways = var.istio_create_ingress_gateways - ref_secrets = local.keycloak_realm_env_secret_map - ref_secrets_path = local.keycloak_secrets_path - ory_stack_enabled = var.ory_stack_enabled + keycloak_fqdn = local.keycloak_fqdn + keycloak_istio_wildcard_gateway_name = local.keycloak_istio_wildcard_gateway_name + keycloak_istio_gateway_name = local.keycloak_istio_gateway_name + keycloak_istio_gateway_namespace = local.keycloak_istio_gateway_namespace + keycloak_admin_fqdn = local.keycloak_admin_fqdn + keycloak_admin_istio_gateway_namespace = local.keycloak_admin_istio_gateway_namespace + 
keycloak_admin_istio_wildcard_gateway_name = local.keycloak_admin_istio_wildcard_gateway_name + keycloak_dfsp_realm_name = var.keycloak_dfsp_realm_name + keycloak_sync_wave = var.keycloak_sync_wave + keycloak_post_config_sync_wave = var.keycloak_post_config_sync_wave + ingress_class = var.keycloak_ingress_internal_lb ? var.internal_ingress_class_name : var.external_ingress_class_name + #istio_internal_wildcard_gateway_name = local.istio_internal_wildcard_gateway_name + #istio_internal_gateway_namespace = var.istio_internal_gateway_namespace + #istio_external_wildcard_gateway_name = local.istio_external_wildcard_gateway_name + #istio_external_gateway_namespace = var.istio_external_gateway_namespace + #istio_external_gateway_name = var.istio_external_gateway_name + #keycloak_wildcard_gateway = local.keycloak_wildcard_gateway + external_ingress_class_name = var.external_ingress_class_name + keycloak_tls_secretname = var.default_ssl_certificate + istio_create_ingress_gateways = var.istio_create_ingress_gateways + ref_secrets = local.keycloak_realm_env_secret_map + ref_secrets_path = local.keycloak_secrets_path } file_list = [for f in fileset(local.keycloak_template_path, "**/*.tpl") : trimsuffix(f, ".tpl") if !can(regex(local.keycloak_app_file, f))] template_path = local.keycloak_template_path @@ -48,6 +52,12 @@ variable "keycloak_ingress_internal_lb" { default = false } +variable "keycloak_admin_ingress_internal_lb" { + type = bool + description = "keycloak_admin_ingress_internal_lb" + default = true +} + variable "keycloak_name" { default = "switch-keycloak" type = string 
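Review bot: `keycloak_tls_secretname = var.default_ssl_certificate` is still unconditional in this hunk, but `keycloak_fqdn` now resolves to `keycloak.${var.private_subdomain}` when `keycloak_ingress_internal_lb` is set (the `@@ -80` locals hunk of this file), so an internal keycloak is served with the external certificate — a name mismatch at best, and the public-domain key mounted into the internal gateway at worst. Assuming the two new secrets hold the public and private wildcard certificates, as their names suggest, the secret should follow the gateway: `keycloak_tls_secretname = local.keycloak_wildcard_gateway == "external" ? var.default_ssl_certificate : var.default_internal_ssl_certificate`; and since the admin host has its own toggle, the template presumably needs a separate admin secret name as well. The six `#istio_…`/`#keycloak_wildcard_gateway` lines should be deleted rather than kept as comments inside the var_map. The `module "generate_keycloak_files"` block starts before this hunk.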
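Review bot: The new `variable "keycloak_admin_ingress_internal_lb"` in the `@@ -48` hunk has a description that merely repeats its name, yet its `default = true` is the one place in this commit where a console is private by default and an operator flipping it should understand what they are exposing. Write it out: `description = "publish the keycloak admin console only via the internal istio gateway on private_subdomain; defaults to true so the admin console is not reachable from the public gateway"`.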
@@ -80,8 +90,14 @@ variable "keycloak_dfsp_realm_name" { locals { keycloak_postgres_resource_index = index(module.common_stateful_resources.stateful_resources.*.resource_name, "keycloak-db") - keycloak_wildcard_gateway = var.keycloak_ingress_internal_lb ? "internal" : "external" - keycloak_fqdn = "keycloak.${var.public_subdomain}" - keycloak_admin_fqdn = "admin-keycloak.${var.public_subdomain}" - keycloak_secrets_path = "/secret/keycloak" + keycloak_wildcard_gateway = var.keycloak_ingress_internal_lb ? "internal" : "external" + keycloak_admin_wildcard_gateway = var.keycloak_admin_ingress_internal_lb ? "internal" : "external" + keycloak_fqdn = local.keycloak_wildcard_gateway == "external" ? "keycloak.${var.public_subdomain}" : "keycloak.${var.private_subdomain}" + keycloak_istio_wildcard_gateway_name = local.keycloak_wildcard_gateway == "external" ? local.istio_external_wildcard_gateway_name : local.istio_internal_wildcard_gateway_name + keycloak_istio_gateway_namespace = local.keycloak_wildcard_gateway == "external" ? var.istio_external_gateway_namespace : var.istio_internal_gateway_namespace + keycloak_admin_fqdn = local.keycloak_admin_wildcard_gateway == "external" ? "admin-keycloak.${var.public_subdomain}" : "admin-keycloak.${var.private_subdomain}" + keycloak_admin_istio_wildcard_gateway_name = local.keycloak_admin_wildcard_gateway == "external" ? local.istio_external_wildcard_gateway_name : local.istio_internal_wildcard_gateway_name + keycloak_admin_istio_gateway_namespace = local.keycloak_admin_wildcard_gateway == "external" ? var.istio_external_gateway_namespace : var.istio_internal_gateway_namespace + keycloak_istio_gateway_name = local.keycloak_wildcard_gateway == "external" ? var.istio_external_gateway_name : var.istio_internal_gateway_name + keycloak_secrets_path = "/secret/keycloak" } diff --git a/terraform/gitops/k8s-cluster-config/monitoring.tf b/terraform/gitops/k8s-cluster-config/monitoring.tf index 6c3c34dcb..af537da7b 100644 
--- a/terraform/gitops/k8s-cluster-config/monitoring.tf
+++ b/terraform/gitops/k8s-cluster-config/monitoring.tf
@@ -30,11 +30,6 @@ module "generate_monitoring_files" {
 monitoring_post_config_sync_wave = var.monitoring_post_config_sync_wave
 ingress_class = var.grafana_ingress_internal_lb ? var.internal_ingress_class_name : var.external_ingress_class_name
 istio_create_ingress_gateways = var.istio_create_ingress_gateways
- istio_internal_wildcard_gateway_name = local.istio_internal_wildcard_gateway_name
- istio_internal_gateway_namespace = var.istio_internal_gateway_namespace
- istio_external_wildcard_gateway_name = local.istio_external_wildcard_gateway_name
- istio_external_gateway_namespace = var.istio_external_gateway_namespace
- grafana_wildcard_gateway = local.grafana_wildcard_gateway
 loki_ingester_pvc_size = try(var.common_var_map.loki_ingester_pvc_size, local.loki_ingester_pvc_size)
 prometheus_pvc_size = try(var.common_var_map.prometheus_pvc_size, local.prometheus_pvc_size)
 loki_retention_enabled = try(var.common_var_map.loki_retention_enabled, local.loki_retention_enabled)
@@ -49,6 +44,10 @@ module "generate_monitoring_files" {
 external_secret_sync_wave = var.external_secret_sync_wave
 prom_tsdb_max_block_duration = try(var.common_var_map.prom_tsdb_max_block_duration, local.prom_tsdb_max_block_duration)
 prom_tsdb_min_block_duration = try(var.common_var_map.prom_tsdb_min_block_duration, local.prom_tsdb_min_block_duration)
+ grafana_subdomain = local.grafana_subdomain
+ grafana_fqdn = local.grafana_fqdn
+ grafana_istio_gateway_namespace = local.grafana_istio_gateway_namespace
+ grafana_istio_wildcard_gateway_name = local.vault_istio_wildcard_gateway_name
 }
 file_list = [for f in fileset(local.monitoring_template_path, "**/*.tpl") : trimsuffix(f, ".tpl") if !can(regex(local.monitoring_app_file, f))]
 template_path = local.monitoring_template_path
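Review bot: `grafana_istio_wildcard_gateway_name = local.vault_istio_wildcard_gateway_name` in the `@@ -49` hunk binds grafana's route to whichever gateway vault is configured for, not grafana's own; the line above it correctly uses `local.grafana_istio_gateway_namespace`, and `local.grafana_istio_wildcard_gateway_name` is defined in the locals hunk of this same file, so this reads as a copy-paste slip. Whenever `vault_ingress_internal_lb` and `grafana_ingress_internal_lb` differ, grafana's VirtualService names a gateway from the other namespace, so it is either unreachable or — depending on how the template combines namespace and name — published on the gateway the operator did not choose. Change it to `grafana_istio_wildcard_gateway_name = local.grafana_istio_wildcard_gateway_name`.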
@@ -123,4 +122,10 @@ locals {
 prometheus_retention_period = "10d"
 prom_tsdb_min_block_duration = "30m"
 prom_tsdb_max_block_duration = "30m"
+ grafana_public_fqdn = "grafana.${var.public_subdomain}"
+ grafana_private_fqdn = "grafana.${var.private_subdomain}"
+ grafana_subdomain = local.grafana_wildcard_gateway == "external" ? var.public_subdomain : var.private_subdomain
+ grafana_fqdn = local.grafana_wildcard_gateway == "external" ? "grafana.${var.public_subdomain}" : "grafana.${var.private_subdomain}"
+ grafana_istio_gateway_namespace = local.grafana_wildcard_gateway == "external" ? var.istio_external_gateway_namespace : var.istio_internal_gateway_namespace
+ grafana_istio_wildcard_gateway_name = local.grafana_wildcard_gateway == "external" ? local.istio_external_wildcard_gateway_name : local.istio_internal_wildcard_gateway_name
 }
diff --git a/terraform/gitops/k8s-cluster-config/nginx-jwt.tf b/terraform/gitops/k8s-cluster-config/nginx-jwt.tf
index a65a54421..aeec32da3 100644
--- a/terraform/gitops/k8s-cluster-config/nginx-jwt.tf
+++ b/terraform/gitops/k8s-cluster-config/nginx-jwt.tf
@@ -2,7 +2,7 @@ module "generate_nginx_jwt_files" {
 source = "../generate-files"
 var_map = {
 gitlab_project_url = var.gitlab_project_url
- keycloak_fqdn = "keycloak.${var.public_subdomain}"
+ keycloak_fqdn = local.keycloak_fqdn
 keycloak_dfsp_realm_name = var.keycloak_dfsp_realm_name
 nginx_jwt_sync_wave = var.nginx_jwt_sync_wave
 nginx_jwt_helm_chart_repo = var.nginx_jwt_helm_chart_repo
diff --git a/terraform/gitops/k8s-cluster-config/ory.tf b/terraform/gitops/k8s-cluster-config/ory.tf
index 125d496b2..e98058d84 100644
--- a/terraform/gitops/k8s-cluster-config/ory.tf
+++ b/terraform/gitops/k8s-cluster-config/ory.tf
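Review bot: `grafana_public_fqdn` and `grafana_private_fqdn` are introduced in the `@@ -123` hunk but never used — `grafana_fqdn` two lines later re-derives the same two strings inline — so the two spellings of the host can drift apart without anyone noticing. Either drop the two unused locals or build on them: `grafana_fqdn = local.grafana_wildcard_gateway == "external" ? local.grafana_public_fqdn : local.grafana_private_fqdn`. The `locals` block starts before this hunk.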
@@ -3,7 +3,6 @@ module "generate_ory_files" { var_map = { gitlab_project_url = var.gitlab_project_url ory_sync_wave = var.ory_sync_wave - ory_stack_enabled = try(var.common_var_map.ory_stack_enabled, var.ory_stack_enabled) oathkeeper_chart_version = try(var.common_var_map.oathkeeper_chart_version, var.oathkeeper_chart_version) kratos_chart_version = try(var.common_var_map.kratos_chart_version, var.kratos_chart_version) keto_chart_version = try(var.common_var_map.keto_chart_version, var.keto_chart_version) @@ -54,11 +53,6 @@ module "generate_ory_files" { app_output_path = "${var.output_dir}/app-yamls" } -variable "ory_stack_enabled" { - description = "whether ory_stack app is enabled or not" - type = bool - default = true -} variable "ory_sync_wave" { type = string description = "ory_sync_wave" diff --git a/terraform/gitops/k8s-cluster-config/variables.tf b/terraform/gitops/k8s-cluster-config/variables.tf index 592cebbe3..2730b1888 100644 --- a/terraform/gitops/k8s-cluster-config/variables.tf +++ b/terraform/gitops/k8s-cluster-config/variables.tf @@ -102,6 +102,18 @@ variable "minio_api_url" { description = "minio_api_url" } +variable "default_ssl_certificate" { + type = string + description = "default_ssl_certificate" + default = "lets-enc-external-tls" +} + +variable "default_internal_ssl_certificate" { + type = string + description = "default_internal_ssl_certificate" + default = "lets-enc-internal-tls" +} + locals { cloud_region = data.gitlab_project_variable.cloud_region.value k8s_cluster_type = data.gitlab_project_variable.k8s_cluster_type.value diff --git a/terraform/gitops/k8s-cluster-config/vault.tf b/terraform/gitops/k8s-cluster-config/vault.tf index c2f910a04..7d5c33a18 100644 --- a/terraform/gitops/k8s-cluster-config/vault.tf +++ b/terraform/gitops/k8s-cluster-config/vault.tf 
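Review bot: The two certificate variables added to variables.tf in the `@@ -102` hunk have descriptions that only repeat their names, and `default_ssl_certificate` silently changes its default from `default-lets-enc` (the declaration removed from ingress.tf in this commit) to `lets-enc-external-tls`, so an environment that relied on the old default will point its external gateway at a Secret that may not exist. Say what the value is and which gateway consumes it, e.g. `description = "name of the TLS Secret holding the wildcard certificate for public_subdomain, served by the external istio gateway (previously defaulted to default-lets-enc)"`, with the private-subdomain equivalent for `default_internal_ssl_certificate`. A `validation` block asserting the two names differ would also catch the copy-paste case where the public certificate ends up on the internal gateway.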
@@ -25,11 +25,6 @@ module "generate_vault_files" { vault_k8s_auth_path = var.vault_k8s_auth_path public_subdomain = var.public_subdomain ingress_class = var.vault_ingress_internal_lb ? var.internal_ingress_class_name : var.external_ingress_class_name - istio_internal_wildcard_gateway_name = local.istio_internal_wildcard_gateway_name - istio_internal_gateway_namespace = var.istio_internal_gateway_namespace - istio_external_wildcard_gateway_name = local.istio_external_wildcard_gateway_name - istio_external_gateway_namespace = var.istio_external_gateway_namespace - vault_wildcard_gateway = local.vault_wildcard_gateway istio_create_ingress_gateways = var.istio_create_ingress_gateways consul_namespace = var.consul_namespace gitlab_server_url = var.gitlab_server_url @@ -40,6 +35,10 @@ module "generate_vault_files" { transit_vault_url = var.transit_vault_url transit_vault_key_name = var.transit_vault_key_name local_vault_kv_root_path = local.local_vault_kv_root_path + vault_subdomain = local.vault_subdomain + vault_fqdn = local.vault_fqdn + vault_istio_gateway_namespace = local.vault_istio_gateway_namespace + vault_istio_wildcard_gateway_name = local.vault_istio_wildcard_gateway_name } file_list = [for f in fileset(local.vault_template_path, "**/*.tpl") : trimsuffix(f, ".tpl") if !can(regex(local.vault_app_file, f))] 
@@ -50,8 +49,14 @@ module "generate_vault_files" { } locals { - vault_template_path = "${path.module}/../generate-files/templates/vault" - vault_app_file = "vault-app.yaml" + vault_wildcard_gateway = var.vault_ingress_internal_lb ? "internal" : "external" + local_vault_kv_root_path = "secret" + vault_template_path = "${path.module}/../generate-files/templates/vault" + vault_app_file = "vault-app.yaml" + vault_subdomain = local.vault_wildcard_gateway == "external" ? var.public_subdomain : var.private_subdomain + vault_fqdn = local.vault_wildcard_gateway == "external" ? "vault.${var.public_subdomain}" : "vault.${var.private_subdomain}" + vault_istio_gateway_namespace = local.vault_wildcard_gateway == "external" ? var.istio_external_gateway_namespace : var.istio_internal_gateway_namespace + vault_istio_wildcard_gateway_name = local.vault_wildcard_gateway == "external" ? local.istio_external_wildcard_gateway_name : local.istio_internal_wildcard_gateway_name } variable "vault_sync_wave" { @@ -144,8 +149,3 @@ variable "enable_vault_oidc" { type = bool default = false } - -locals { - vault_wildcard_gateway = var.vault_ingress_internal_lb ? "internal" : "external" - local_vault_kv_root_path = "secret" -} diff --git a/terraform/gitops/mojaloop/mcm.tf b/terraform/gitops/mojaloop/mcm.tf index 8e43f53fa..9c080e551 100644 --- a/terraform/gitops/mojaloop/mcm.tf +++ b/terraform/gitops/mojaloop/mcm.tf 
@@ -8,7 +8,11 @@ module "generate_mcm_files" { db_schema = module.mojaloop_stateful_resources.stateful_resources[local.mcm_resource_index].logical_service_config.database_name db_port = module.mojaloop_stateful_resources.stateful_resources[local.mcm_resource_index].logical_service_config.logical_service_port db_host = "${module.mojaloop_stateful_resources.stateful_resources[local.mcm_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local" - mcm_public_fqdn = var.mcm_public_fqdn + mcm_fqdn = var.mcm_fqdn + mcm_istio_gateway_namespace = var.mcm_istio_gateway_namespace + mcm_istio_wildcard_gateway_name = var.mcm_istio_wildcard_gateway_name + mcm_istio_gateway_name = var.mcm_istio_gateway_name + fspiop_use_ory_for_auth = var.fspiop_use_ory_for_auth env_name = var.cluster_name env_cn = var.public_subdomain env_o = "Mojaloop" @@ -77,7 +81,6 @@ module "generate_mcm_files" { mojaloop_namespace = var.mojaloop_namespace mojaloop_release_name = var.mojaloop_release_name onboarding_collection_tag = var.app_var_map.onboarding_collection_tag - ory_stack_enabled = var.ory_stack_enabled oathkeeper_auth_provider_name = var.oathkeeper_auth_provider_name auth_fqdn = var.auth_fqdn kratos_service_name = "kratos-public.${var.ory_namespace}.svc.cluster.local" @@ -206,11 +209,31 @@ variable "keycloak_namespace" { type = string description = "namespace of keycloak in which to create realm" } -variable "mcm_public_fqdn" { + +variable "mcm_fqdn" { type = string description = "hostname for mcm" } +variable "mcm_istio_wildcard_gateway_name" { + type = string + default = "" +} + +variable "mcm_istio_gateway_namespace" { + type = string + default = "" +} + +variable "mcm_istio_gateway_name" { + type = string + default = "" +} + +variable "fspiop_use_ory_for_auth" { + type = bool +} + locals { mcm_template_path = "${path.module}/../generate-files/templates/mcm" mcm_app_file = "mcm-app.yaml" 
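Review bot: The three `mcm_istio_*` variables in the `@@ -206` hunk default to `""`, and `fspiop_use_ory_for_auth` is declared as a bare `bool` with no description; an empty gateway name or namespace is never a usable value, so a caller that forgets to wire them gets a rendered VirtualService with an empty gateway reference instead of a plan-time error. The root module sets all three unconditionally in this commit, so the defaults buy nothing — drop them (leave `type = string` only) or add `validation { condition = length(var.mcm_istio_gateway_name) > 0 }` and the two siblings. For the auth toggle, document what `false` selects for the FSPIOP API; I cannot tell from this diff (presumably the keycloak/nginx-jwt path), so confirm against the mcm templates before writing it.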
diff --git a/terraform/gitops/mojaloop/mojaloop.tf b/terraform/gitops/mojaloop/mojaloop.tf
index e33c2d6e3..363cf0c3b 100644
--- a/terraform/gitops/mojaloop/mojaloop.tf
+++ b/terraform/gitops/mojaloop/mojaloop.tf
@@ -41,8 +41,10 @@ module "generate_mojaloop_files" {
 mojaloop_wildcard_gateway = local.mojaloop_wildcard_gateway
 keycloak_fqdn = var.keycloak_fqdn
 keycloak_realm_name = var.keycloak_hubop_realm_name
- ttk_frontend_public_fqdn = var.ttk_frontend_public_fqdn
- ttk_backend_public_fqdn = var.ttk_backend_public_fqdn
+ ttk_frontend_fqdn = var.ttk_frontend_fqdn
+ ttk_backend_fqdn = var.ttk_backend_fqdn
+ ttk_istio_gateway_namespace = var.ttk_istio_gateway_namespace
+ ttk_istio_wildcard_gateway_name = var.ttk_istio_wildcard_gateway_name
 kafka_host = "${module.mojaloop_stateful_resources.stateful_resources[local.mojaloop_kafka_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local"
 kafka_port = module.mojaloop_stateful_resources.stateful_resources[local.mojaloop_kafka_resource_index].logical_service_config.logical_service_port
 account_lookup_db_existing_secret = module.mojaloop_stateful_resources.stateful_resources[local.ml_als_resource_index].logical_service_config.user_password_secret
@@ -167,9 +169,11 @@ module "generate_mojaloop_files" { keto_write_url = "http://keto-write.${var.ory_namespace}.svc.cluster.local:80" kratos_service_name = "kratos-public.${var.ory_namespace}.svc.cluster.local" portal_fqdn = var.finance_portal_fqdn + portal_istio_gateway_namespace = var.portal_istio_gateway_namespace + portal_istio_wildcard_gateway_name = var.portal_istio_wildcard_gateway_name + portal_istio_gateway_name = var.portal_istio_gateway_name finance_portal_release_name = "fin-portal" finance_portal_chart_version = try(var.app_var_map.finance_portal_chart_version, var.finance_portal_chart_version) - ory_stack_enabled = var.ory_stack_enabled oathkeeper_auth_provider_name = var.oathkeeper_auth_provider_name vault_secret_key = var.vault_secret_key role_assign_svc_secret = var.role_assign_svc_secret @@ -187,6 +191,7 @@ module "generate_mojaloop_files" { jws_rotation_period_hours = try(var.app_var_map.jws_rotation_period_hours, var.jws_rotation_period_hours) mcm_hub_jws_endpoint = "http://mcm-connection-manager-api.${var.mcm_namespace}.svc.cluster.local:3001/api/hub/jwscerts" ttk_gp_testcase_labels = try(var.app_var_map.ttk_gp_testcase_labels, var.ttk_gp_testcase_labels) + fspiop_use_ory_for_auth = var.fspiop_use_ory_for_auth } file_list = [for f in fileset(local.mojaloop_template_path, "**/*.tpl") : trimsuffix(f, ".tpl") if !can(regex(local.mojaloop_app_file, f))] template_path = local.mojaloop_template_path @@ -322,10 +327,10 @@ variable "quoting_service_simple_routing_mode_enabled" { default = false } -variable "ttk_frontend_public_fqdn" { +variable "ttk_frontend_fqdn" { type = string } -variable "ttk_backend_public_fqdn" { +variable "ttk_backend_fqdn" { type = string } @@ -343,9 +348,7 @@ variable "finance_portal_fqdn" { variable "bof_release_name" { type = string } -variable "ory_stack_enabled" { - type = bool -} + variable "oathkeeper_auth_provider_name" { type = string } 
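Review bot: `fspiop_use_ory_for_auth = var.fspiop_use_ory_for_auth` is added to the var_map in the `@@ -187` hunk, but no `variable "fspiop_use_ory_for_auth"` declaration appears in the visible mojaloop.tf hunks (the `@@ -393` hunk below adds only the ttk/portal gateway variables), whereas mcm.tf declares it explicitly in this same commit. If it is not declared elsewhere in the file, `terraform validate` fails on the reference; if it is, that declaration deserves a description, since the flag switches the authentication mechanism in front of the FSPIOP API. The `@@ -343` hunk also leaves a stray `+` blank line where `variable "ory_stack_enabled"` was removed. The `module "generate_mojaloop_files"` block starts before this hunk.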
@@ -393,3 +396,28 @@ variable "ttk_gp_testcase_labels" { type = string default = "p2p" } + +variable "ttk_istio_wildcard_gateway_name" { + type = string + default = "" +} + +variable "ttk_istio_gateway_namespace" { + type = string + default = "" +} + +variable "portal_istio_wildcard_gateway_name" { + type = string + default = "" +} + +variable "portal_istio_gateway_namespace" { + type = string + default = "" +} + +variable "portal_istio_gateway_name" { + type = string + default = "" +} diff --git a/terraform/gitops/pm4ml/pm4ml.tf b/terraform/gitops/pm4ml/pm4ml.tf index bd642a7da..1b45f031b 100644 --- a/terraform/gitops/pm4ml/pm4ml.tf +++ b/terraform/gitops/pm4ml/pm4ml.tf @@ -74,7 +74,6 @@ module "generate_pm4ml_files" { pta_portal_fqdn = var.pta_portal_fqdns[each.key] test_fqdn = var.test_fqdns[each.key] ory_namespace = var.ory_namespace - ory_stack_enabled = var.ory_stack_enabled oathkeeper_auth_provider_name = var.oathkeeper_auth_provider_name istio_create_ingress_gateways = var.istio_create_ingress_gateways bof_release_name = var.bof_release_name @@ -88,6 +87,10 @@ module "generate_pm4ml_files" { pm4ml_reserve_notification = each.value.pm4ml_reserve_notification core_connector_config = each.value.core_connector_config payment_token_adapter_config = each.value.payment_token_adapter_config + pm4ml_istio_gateway_namespace = var.pm4ml_istio_gateway_namespaces[each.key] + pm4ml_istio_wildcard_gateway_name = var.pm4ml_istio_wildcard_gateway_names[each.key] + pm4ml_istio_gateway_name = var.pm4ml_istio_gateway_names[each.key] + } file_list = [for f in fileset(local.pm4ml_template_path, "**/*.tpl") : trimsuffix(f, ".tpl") if !can(regex(local.pm4ml_app_file, f))] @@ -116,9 +119,7 @@ variable "admin_portal_fqdns" { variable "auth_fqdn" { type = string } -variable "ory_stack_enabled" { - type = bool -} + variable "oathkeeper_auth_provider_name" { type = string } 
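Review bot: The five new `*_istio_*` variables in the mojaloop.tf @@ -393 hunk default to `""` and carry no `description`, and an empty gateway name or namespace is not something a VirtualService can meaningfully bind to, so a caller that forgets to set them gets a broken gateway reference at apply time instead of a plan-time error. Either drop the defaults so the inputs are required, or add a `validation` block such as `condition = var.ttk_istio_gateway_namespace != ""` with an error message. In the pm4ml.tf @@ -88 hunk, `var.pm4ml_istio_gateway_namespaces[each.key]` fails the plan for any pm4ml key missing from the map; if that is intended it is fine, otherwise `lookup(var.pm4ml_istio_gateway_namespaces, each.key, "")` gives the same empty-string fallback the other modules use.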
@@ -239,6 +240,19 @@ variable "role_assign_svc_secret_prefix" { variable "portal_admin_secret_prefix" { type = string } + +variable "pm4ml_istio_gateway_namespaces" { + description = "fqdns for pm4ml portal" +} + +variable "pm4ml_istio_wildcard_gateway_names" { + description = "fqdns for pm4ml portal" +} + +variable "pm4ml_istio_gateway_names" { + description = "fqdns for pm4ml portal" +} + locals { nat_cidr_list = join(", ", [for ip in var.nat_public_ips : format("%s/32", ip)]) } diff --git a/terraform/gitops/vnext/mcm.tf b/terraform/gitops/vnext/mcm.tf index e11a6954f..34db4050f 100644 --- a/terraform/gitops/vnext/mcm.tf +++ b/terraform/gitops/vnext/mcm.tf @@ -8,7 +8,11 @@ module "generate_mcm_files" { db_schema = module.vnext_stateful_resources.stateful_resources[local.mcm_resource_index].logical_service_config.database_name db_port = module.vnext_stateful_resources.stateful_resources[local.mcm_resource_index].logical_service_config.logical_service_port db_host = "${module.vnext_stateful_resources.stateful_resources[local.mcm_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local" - mcm_public_fqdn = var.mcm_public_fqdn + mcm_fqdn = var.mcm_fqdn + mcm_istio_gateway_namespace = var.mcm_istio_gateway_namespace + mcm_istio_wildcard_gateway_name = var.mcm_istio_wildcard_gateway_name + mcm_istio_gateway_name = var.mcm_istio_gateway_name + fspiop_use_ory_for_auth = var.fspiop_use_ory_for_auth env_name = var.cluster_name env_cn = var.public_subdomain env_o = "Mojaloop" @@ -77,7 +81,6 @@ module "generate_mcm_files" { mojaloop_namespace = var.vnext_namespace mojaloop_release_name = var.vnext_release_name onboarding_collection_tag = var.app_var_map.onboarding_collection_tag - ory_stack_enabled = var.ory_stack_enabled oathkeeper_auth_provider_name = var.oathkeeper_auth_provider_name auth_fqdn = var.auth_fqdn kratos_service_name = "kratos-public.${var.ory_namespace}.svc.cluster.local" 
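Review bot: The three new variables in the pm4ml.tf @@ -239 hunk all carry the copy-pasted description `"fqdns for pm4ml portal"`, which is wrong for each of them, and none declares a `type`, so Terraform accepts any value where a map of strings keyed by pm4ml name is presumably expected given the `[each.key]` indexing in the @@ -88 hunk. Suggest `type = map(string)` with `description = "Istio gateway namespace per pm4ml deployment, keyed by pm4ml name"` and the corresponding wording for the wildcard-gateway and gateway-name maps. In the mcm.tf @@ -8 hunk `fspiop_use_ory_for_auth` is passed to the MCM module alongside the gateway inputs, but nothing in the diff says what MCM does when it is false; a one-line comment there would save the next reader a trip through the templates.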
@@ -206,11 +209,31 @@ variable "keycloak_namespace" { type = string description = "namespace of keycloak in which to create realm" } -variable "mcm_public_fqdn" { + +variable "mcm_fqdn" { type = string description = "hostname for mcm" } +variable "mcm_istio_wildcard_gateway_name" { + type = string + default = "" +} + +variable "mcm_istio_gateway_namespace" { + type = string + default = "" +} + +variable "mcm_istio_gateway_name" { + type = string + default = "" +} + +variable "fspiop_use_ory_for_auth" { + type = bool +} + locals { mcm_template_path = "${path.module}/../generate-files/templates/mcm" mcm_app_file = "mcm-app.yaml" diff --git a/terraform/gitops/vnext/vnext.tf b/terraform/gitops/vnext/vnext.tf index d5fc1526d..0ed75320f 100644 --- a/terraform/gitops/vnext/vnext.tf +++ b/terraform/gitops/vnext/vnext.tf @@ -22,8 +22,10 @@ module "generate_vnext_files" { vnext_wildcard_gateway = local.vnext_wildcard_gateway keycloak_fqdn = var.keycloak_fqdn keycloak_realm_name = var.keycloak_hubop_realm_name - ttk_frontend_public_fqdn = var.ttk_frontend_public_fqdn - ttk_backend_public_fqdn = var.ttk_backend_public_fqdn + ttk_frontend_fqdn = var.ttk_frontend_fqdn + ttk_backend_fqdn = var.ttk_backend_fqdn + ttk_istio_wildcard_gateway_name = var.ttk_istio_wildcard_gateway_name + ttk_istio_gateway_namespace = var.ttk_istio_gateway_namespace kafka_host = "${module.vnext_stateful_resources.stateful_resources[local.vnext_kafka_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local" kafka_port = module.vnext_stateful_resources.stateful_resources[local.vnext_kafka_resource_index].logical_service_config.logical_service_port redis_host = "${module.vnext_stateful_resources.stateful_resources[local.vnext_redis_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local" 
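Review bot: `variable "fspiop_use_ory_for_auth"` in the mcm.tf @@ -206 hunk is a `bool` with neither a `description` nor a default, although the four other variables added in the same hunk all default to `""`; a flag that selects whether FSPIOP traffic is authorised through the Ory stack deserves a sentence on what happens when it is false. Something like `description = "When true, FSPIOP API requests are authorised through Ory (oathkeeper); when false, <alternative path, not visible in this diff>"` with the placeholder filled in by the author. The empty-string defaults on `mcm_istio_*` have the same weakness as the mojaloop.tf ones: an empty gateway name or namespace is never a valid binding, so a required input or a `validation` block would fail fast instead of rendering a broken reference.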
@@ -47,7 +49,6 @@ module "generate_vnext_files" { portal_fqdn = var.finance_portal_fqdn finance_portal_release_name = "fin-portal" finance_portal_chart_version = try(var.app_var_map.finance_portal_chart_version, var.finance_portal_chart_version) - ory_stack_enabled = var.ory_stack_enabled oathkeeper_auth_provider_name = var.oathkeeper_auth_provider_name vault_secret_key = var.vault_secret_key role_assign_svc_secret = var.role_assign_svc_secret @@ -64,6 +65,8 @@ module "generate_vnext_files" { jws_rotation_period_hours = try(var.app_var_map.jws_rotation_period_hours, var.jws_rotation_period_hours) mcm_hub_jws_endpoint = "http://mcm-connection-manager-api.${var.mcm_namespace}.svc.cluster.local:3001/api/hub/jwscerts" vnext_admin_ui_fqdn = var.vnext_admin_ui_fqdn + vnext_istio_gateway_namespace = var.vnext_istio_gateway_namespace + vnext_istio_wildcard_gateway_name = var.vnext_istio_wildcard_gateway_name } file_list = [for f in fileset(local.vnext_template_path, "**/*.tpl") : trimsuffix(f, ".tpl") if !can(regex(local.vnext_app_file, f))] template_path = local.vnext_template_path @@ -132,10 +135,10 @@ variable "vnext_sync_wave" { default = "0" } -variable "ttk_frontend_public_fqdn" { +variable "ttk_frontend_fqdn" { type = string } -variable "ttk_backend_public_fqdn" { +variable "ttk_backend_fqdn" { type = string } @@ -157,9 +160,7 @@ variable "finance_portal_fqdn" { variable "bof_release_name" { type = string } -variable "ory_stack_enabled" { - type = bool -} + variable "oathkeeper_auth_provider_name" { type = string } @@ -202,3 +203,23 @@ variable "ttk_gp_testcase_labels" { type = string default = "p2p" } + +variable "ttk_istio_wildcard_gateway_name" { + type = string + default = "" +} + +variable "ttk_istio_gateway_namespace" { + type = string + default = "" +} + +variable "vnext_istio_wildcard_gateway_name" { + type = string + default = "" +} + +variable "vnext_istio_gateway_namespace" { + type = string + default = "" +} \ No newline at end of file 
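Review bot: The @@ -202 hunk appends four `variable` blocks ending with `\ No newline at end of file`, so the next addition to vnext.tf will show up as a spurious change to the closing `}`; add the trailing newline. As in mojaloop.tf and mcm.tf, the new `ttk_istio_*` and `vnext_istio_*` variables default to `""` with no `description`. The @@ -47 hunk also stops passing `ory_stack_enabled` to the vnext file generator, so confirm the templates it renders no longer reference that name, because `templatefile` fails on a template variable that is missing from its vars map.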
diff --git a/terraform/k8s/ansible-k8s-deploy/terragrunt.hcl b/terraform/k8s/ansible-k8s-deploy/terragrunt.hcl index 6b92a061f..7fd769542 100644 --- a/terraform/k8s/ansible-k8s-deploy/terragrunt.hcl +++ b/terraform/k8s/ansible-k8s-deploy/terragrunt.hcl @@ -99,6 +99,7 @@ locals { cluster_name = get_env("cluster_name") netmaker_env_network_name = get_env("cluster_name") cluster_domain = "${get_env("cluster_name")}.${get_env("domain")}" + argocd_domain = "${get_env("argocd_oidc_domain")}.${get_env("domain")}" oidc_admin_group = get_env("gitlab_admin_rbac_group") eks_aws_secret_access_key = (local.K8S_CLUSTER_TYPE == "eks") ? get_env("AWS_SECRET_ACCESS_KEY") : "" eks_aws_access_key_id = (local.K8S_CLUSTER_TYPE == "eks") ? get_env("AWS_ACCESS_KEY_ID") : "" diff --git a/terraform/k8s/default-config/common-vars.yaml b/terraform/k8s/default-config/common-vars.yaml index 0911c01ad..38fc61351 100644 --- a/terraform/k8s/default-config/common-vars.yaml +++ b/terraform/k8s/default-config/common-vars.yaml @@ -26,7 +26,6 @@ grafana_operator_version: 3.5.11 grafana_version: 10.2.3 tempo_chart_version: 2.6.0 loki_chart_version: 2.13.0 -ory_stack_enabled: true loki_ingester_pvc_size: 50Gi prometheus_pvc_size: 50Gi loki_retention_enabled: true diff --git a/terraform/k8s/default-config/mojaloop-vars.yaml b/terraform/k8s/default-config/mojaloop-vars.yaml index 906f596c0..d1f38bf19 100644 --- a/terraform/k8s/default-config/mojaloop-vars.yaml +++ b/terraform/k8s/default-config/mojaloop-vars.yaml @@ -47,6 +47,7 @@ account_lookup_service_monitoring_prefix: "moja_als_" ttk_gp_testcase_labels: "p2p" jws_rotation_period_hours: 672 jws_rotation_renew_before_hours: 1 +fspiop_use_ory_for_auth: false mojaloop_tolerations: - key: "moja-enabled" operator: "Equal" diff --git a/terraform/k8s/gitops-build/terragrunt.hcl b/terraform/k8s/gitops-build/terragrunt.hcl index 4fcf4610a..c6cad625d 100644 --- a/terraform/k8s/gitops-build/terragrunt.hcl +++ b/terraform/k8s/gitops-build/terragrunt.hcl 
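Review bot: `argocd_domain = "${get_env("argocd_oidc_domain")}.${get_env("domain")}"` in the ansible-k8s-deploy hunk calls `get_env` without a default, so Terragrunt fails when `argocd_oidc_domain` is unset, whereas the gitops-build hunk in this same commit treats that variable as optional via `try(get_env("argocd_oidc_domain"),"int.")`; pick one contract for the variable, and if it is optional here too use `try(get_env("argocd_oidc_domain"), "")` and handle the empty case. In mojaloop-vars.yaml the new `fspiop_use_ory_for_auth: false` means every environment that does not override it presumably authenticates FSPIOP calls outside the Ory stack; a comment above the key stating what does authenticate them in that case would make the default reviewable.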
@@ -81,6 +81,9 @@ inputs = { dns_provider = dependency.k8s_deploy.outputs.dns_provider rbac_api_resources_file = (local.common_vars.mojaloop_enabled || local.common_vars.vnext_enabled) ? find_in_parent_folders("${get_env("CONFIG_PATH")}/mojaloop-rbac-api-resources.yaml") : "" rbac_permissions_file = (local.common_vars.mojaloop_enabled || local.common_vars.vnext_enabled) ? find_in_parent_folders("${get_env("CONFIG_PATH")}/mojaloop-rbac-permissions.yaml") : find_in_parent_folders("${get_env("CONFIG_PATH")}/pm4ml-rbac-permissions.yaml") + argocd_ingress_internal_lb = local.argocd_ingress_internal_lb + grafana_ingress_internal_lb = local.grafana_ingress_internal_lb + vault_ingress_internal_lb = local.vault_ingress_internal_lb } locals { @@ -110,6 +113,9 @@ locals { VAULT_GITLAB_ROOT_TOKEN = get_env("VAULT_GITLAB_ROOT_TOKEN") TRANSIT_VAULT_UNSEAL_KEY_NAME = get_env("TRANSIT_VAULT_UNSEAL_KEY_NAME") VAULT_SERVER_URL = get_env("VAULT_SERVER_URL") + argocd_ingress_internal_lb = strcontains(try(get_env("argocd_oidc_domain"),"int."),"int.")? true : false + grafana_ingress_internal_lb = strcontains(try(get_env("grafana_oidc_domain"),"int."),"int.")? true : false + vault_ingress_internal_lb = strcontains(try(get_env("vault_oidc_domain"),"int."),"int.")? true : false } generate "required_providers_override" { From 9ef8980900160ac2fade6457934544e1f3ec51d5 Mon Sep 17 00:00:00 2001 From: David Fry Date: Thu, 18 Apr 2024 11:30:45 +0200 Subject: [PATCH 108/201] fix for 1.6.1 chart, add flag for backup job (#223) --- .../generate-files/templates/storage/chart/values.yaml.tpl | 3 +++ .../templates/storage/custom-resources/longhorn-job.yaml.tpl | 4 +++- terraform/gitops/k8s-cluster-config/storage-config.tf | 5 +++-- terraform/k8s/default-config/common-vars.yaml | 3 ++- 4 files changed, 11 insertions(+), 4 deletions(-) 
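Review bot: `argocd_ingress_internal_lb = strcontains(try(get_env("argocd_oidc_domain"),"int."),"int.")? true : false` decides whether ArgoCD, Grafana and Vault are published on the internal or the external load balancer by a substring match on the OIDC hostname, so a domain meant to be internal that does not happen to contain `int.` lands on the external LB, and a domain merely containing the substring (a constructed example: `print.example.org`) is treated as internal. A naming convention is a weak place to hang an exposure decision; an explicit `*_ingress_internal_lb` input, or at least an anchored check such as `startswith(try(get_env("argocd_oidc_domain"), "int."), "int.")`, would be safer, and `? true : false` is redundant because `strcontains` already returns a bool. Note also that the fallback here is `"int."` while a later commit in this series reads the same env vars with a `""` fallback, so an unset variable is read as internal in one place and as OIDC-disabled in another.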
diff --git a/terraform/gitops/generate-files/templates/storage/chart/values.yaml.tpl b/terraform/gitops/generate-files/templates/storage/chart/values.yaml.tpl index 774cc9325..9dfc38bec 100644 --- a/terraform/gitops/generate-files/templates/storage/chart/values.yaml.tpl +++ b/terraform/gitops/generate-files/templates/storage/chart/values.yaml.tpl @@ -1,4 +1,7 @@ longhorn: + preUpgradeChecker: + # -- Setting that allows Longhorn to perform pre-upgrade checks. Disable this setting when installing Longhorn using Argo CD or other GitOps solutions. + jobEnabled: false longhornManager: tolerations: - operator: "Exists" diff --git a/terraform/gitops/generate-files/templates/storage/custom-resources/longhorn-job.yaml.tpl b/terraform/gitops/generate-files/templates/storage/custom-resources/longhorn-job.yaml.tpl index d6d39256d..5745415cf 100644 --- a/terraform/gitops/generate-files/templates/storage/custom-resources/longhorn-job.yaml.tpl +++ b/terraform/gitops/generate-files/templates/storage/custom-resources/longhorn-job.yaml.tpl @@ -1,3 +1,4 @@ +%{ if longhorn_backup_job_enabled ~} apiVersion: longhorn.io/v1beta1 kind: RecurringJob metadata: @@ -10,4 +11,5 @@ spec: groups: - default retain: 2 - concurrency: 2 \ No newline at end of file + concurrency: 2 +%{ endif ~} \ No newline at end of file diff --git a/terraform/gitops/k8s-cluster-config/storage-config.tf b/terraform/gitops/k8s-cluster-config/storage-config.tf index 2e54f987c..cfc36c58e 100644 --- a/terraform/gitops/k8s-cluster-config/storage-config.tf +++ b/terraform/gitops/k8s-cluster-config/storage-config.tf 
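Review bot: Wrapping the whole of longhorn-job.yaml.tpl in `%{ if longhorn_backup_job_enabled ~} … %{ endif ~}` renders an empty file when the flag is false, and that file is still produced from `file_list` into the GitOps output; whether Argo CD or a kustomization ignores an empty manifest or rejects it depends on how custom-resources are consumed, which this diff does not show, so please confirm on a cluster with the flag off. The `preUpgradeChecker.jobEnabled: false` in values.yaml.tpl is the documented requirement for GitOps-driven installs, but it also removes the automated check that would flag an unsupported version jump, so the 1.4.4 → 1.6.1 move in common-vars.yaml needs to be checked against Longhorn's upgrade matrix by hand. The `%{ endif ~}` line is also missing a trailing newline, which the `\ No newline at end of file` marker shows.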
@@ -17,6 +17,7 @@ module "generate_storage_files" { external_secret_sync_wave = var.external_secret_sync_wave longhorn_job_sync_wave = var.longhorn_job_sync_wave storage_sync_wave = var.storage_sync_wave + longhorn_backup_job_enabled = try(var.common_var_map.longhorn_backup_job_enabled, false) } file_list = [for f in fileset(local.storage_template_path, "**/*.tpl") : trimsuffix(f, ".tpl") if !can(regex(local.storage_app_file, f))] template_path = local.storage_template_path @@ -26,8 +27,8 @@ module "generate_storage_files" { } locals { - storage_template_path = "${path.module}/../generate-files/templates/storage" - storage_app_file = "storage-app.yaml" + storage_template_path = "${path.module}/../generate-files/templates/storage" + storage_app_file = "storage-app.yaml" } variable "longhorn_chart_repo" { diff --git a/terraform/k8s/default-config/common-vars.yaml b/terraform/k8s/default-config/common-vars.yaml index 38fc61351..11ba4b20c 100644 --- a/terraform/k8s/default-config/common-vars.yaml +++ b/terraform/k8s/default-config/common-vars.yaml @@ -4,7 +4,7 @@ gitlab_provider_version: "~> 16.0" vault_provider_version: "~> 3.16" cert_manager_chart_version: 1.12.2 consul_chart_version: 1.4.0 -longhorn_chart_version: 1.4.4 +longhorn_chart_version: 1.6.1 external_dns_chart_version: 6.24.1 vault_chart_version: 0.24.1 vault_config_operator_helm_chart_version: 0.8.16 @@ -34,3 +34,4 @@ prometheus_retention_period: 10d istio_egress_gateway_max_replicas: 5 microk8s_version: 1.29/stable alertmanager_enabled: false +longhorn_backup_job_enabled: true From 803503a65fb4d158eaab89349d4acb1cdeb57a50 Mon Sep 17 00:00:00 2001 
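Review bot: `longhorn_chart_version: 1.6.1` moves existing clusters from 1.4.4 across two Longhorn minor lines in one step, and as far as I recall Longhorn only supports upgrading from the immediately preceding minor release; with the pre-upgrade checker disabled in the same commit nothing will stop an unsupported jump, so confirm the path (possibly via an intermediate 1.5.x) before this reaches a cluster holding data. The Terraform side falls back to `try(var.common_var_map.longhorn_backup_job_enabled, false)` while common-vars.yaml ships `longhorn_backup_job_enabled: true`, so the effective default depends on whether a config file omits the key; a comment on the yaml line such as `# omitting this key disables the recurring backup job` would keep that from surprising anyone.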
From: David Fry Date: Thu, 18 Apr 2024 11:32:41 +0200 Subject: [PATCH 109/201] cleanup (#222) --- .../gitops/k8s-cluster-config/outputs.tf | 3 +++ .../k8s/addons-gitops-build/terragrunt.hcl | 22 +++++++++++++++++++ .../addons-stateful-resources.json | 1 + 3 files changed, 26 insertions(+) create mode 100644 terraform/k8s/default-config/addons-stateful-resources.json diff --git a/terraform/gitops/k8s-cluster-config/outputs.tf b/terraform/gitops/k8s-cluster-config/outputs.tf index e5edafdd9..df6c0ba8a 100644 --- a/terraform/gitops/k8s-cluster-config/outputs.tf +++ b/terraform/gitops/k8s-cluster-config/outputs.tf @@ -10,3 +10,6 @@ output "mojaloop_kafka_host" { output "mojaloop_kafka_port" { value = var.common_var_map.mojaloop_enabled ? module.mojaloop[0].mojaloop_kafka_port : "" } +output "storage_class_name" { + value = var.storage_class_name +} diff --git a/terraform/k8s/addons-gitops-build/terragrunt.hcl b/terraform/k8s/addons-gitops-build/terragrunt.hcl index 738610df7..9afaff4b1 100644 --- a/terraform/k8s/addons-gitops-build/terragrunt.hcl +++ b/terraform/k8s/addons-gitops-build/terragrunt.hcl @@ -7,12 +7,30 @@ include "root" { path = find_in_parent_folders() } +dependency "k8s_deploy" { + config_path = "../k8s-deploy" + mock_outputs = { + internal_load_balancer_dns = "" + external_load_balancer_dns = "" + private_subdomain = "" + public_subdomain = "" + external_interop_switch_fqdn = "" + internal_interop_switch_fqdn = "" + } + mock_outputs_allowed_terraform_commands = ["init", "validate", "plan", "show"] + mock_outputs_merge_strategy_with_state = "shallow" +} + dependency "gitops_build" { config_path = "../gitops-build" mock_outputs = { mojaloop_sync_wave = 0 mojaloop_output_path = "" + mojaloop_kafka_port = 0 + mojaloop_kafka_host = "" + storage_class_name = "" } + mock_outputs_allowed_terraform_commands = ["init", "validate", "plan", "show"] } 
@@ -23,8 +41,12 @@ inputs = { output_dir = local.GITOPS_BUILD_OUTPUT_DIR gitlab_project_url = local.GITLAB_PROJECT_URL cluster_name = local.CLUSTER_NAME + external_load_balancer_dns = dependency.k8s_deploy.outputs.external_load_balancer_dns addons_sync_wave = (dependency.gitops_build.outputs.mojaloop_sync_wave - 1) mojaloop_app_output_path = dependency.gitops_build.outputs.mojaloop_output_path + mojaloop_kafka_host = dependency.gitops_build.outputs.mojaloop_kafka_host + mojaloop_kafka_port = dependency.gitops_build.outputs.mojaloop_kafka_port + storage_class_name = dependency.gitops_build.outputs.storage_class_name stateful_resources_config_file = find_in_parent_folders("${get_env("CONFIG_PATH")}/addons-stateful-resources.json") } diff --git a/terraform/k8s/default-config/addons-stateful-resources.json b/terraform/k8s/default-config/addons-stateful-resources.json new file mode 100644 index 000000000..0637a088a --- /dev/null +++ b/terraform/k8s/default-config/addons-stateful-resources.json @@ -0,0 +1 @@ +[] \ No newline at end of file From e89c13b17956cdbfa56fb2a394fe946a1c424047 Mon Sep 17 00:00:00 2001 From: Sijo George <87609749+sijo5722-2021@users.noreply.github.com> Date: Thu, 18 Apr 2024 16:17:11 +0530 Subject: [PATCH 110/201] Fix/refactor igw (#228) * fixing grafna oidc * fixing non existing index --- terraform/gitops/k8s-cluster-config/monitoring.tf | 4 ++-- terraform/gitops/k8s-cluster-config/stored-params.tf | 2 ++ terraform/k8s/gitops-build/terragrunt.hcl | 4 ++-- 3 files changed, 6 insertions(+), 4 deletions(-) diff --git a/terraform/gitops/k8s-cluster-config/monitoring.tf b/terraform/gitops/k8s-cluster-config/monitoring.tf index af537da7b..0fb478c4d 100644 --- a/terraform/gitops/k8s-cluster-config/monitoring.tf +++ b/terraform/gitops/k8s-cluster-config/monitoring.tf 
@@ -15,8 +15,8 @@ module "generate_monitoring_files" {
 gitlab_server_url = var.gitlab_server_url
 gitlab_project_url = var.gitlab_project_url
 public_subdomain = var.public_subdomain
- client_id = data.vault_generic_secret.grafana_oauth_client_id.data.value
- client_secret = data.vault_generic_secret.grafana_oauth_client_secret.data.value
+ client_id = try(data.vault_generic_secret.grafana_oauth_client_id[0].data.value,"")
+ client_secret = try(data.vault_generic_secret.grafana_oauth_client_secret[0].data.value,"")
 enable_oidc = var.enable_grafana_oidc
 storage_class_name = var.storage_class_name
 groups = var.gitlab_admin_group_name
diff --git a/terraform/gitops/k8s-cluster-config/stored-params.tf b/terraform/gitops/k8s-cluster-config/stored-params.tf
index 0823695a0..8b7a76358 100644
--- a/terraform/gitops/k8s-cluster-config/stored-params.tf
+++ b/terraform/gitops/k8s-cluster-config/stored-params.tf
@@ -37,10 +37,12 @@ data "gitlab_project_variable" "external_dns_credentials_client_id_name" {
 # need to get these by hand because loki doesnt support k8s secret env vars.
 data "vault_generic_secret" "grafana_oauth_client_id" {
+ count = var.enable_grafana_oidc ? 1 : 0
 path = "${var.kv_path}/${var.cluster_name}/${var.grafana_oidc_client_id_secret_key}"
 }
 data "vault_generic_secret" "grafana_oauth_client_secret" {
+ count = var.enable_grafana_oidc ? 1 : 0
 path = "${var.kv_path}/${var.cluster_name}/${var.grafana_oidc_client_secret_secret_key}"
 }
diff --git a/terraform/k8s/gitops-build/terragrunt.hcl b/terraform/k8s/gitops-build/terragrunt.hcl
index c6cad625d..0d02611e3 100644
--- a/terraform/k8s/gitops-build/terragrunt.hcl
+++ b/terraform/k8s/gitops-build/terragrunt.hcl
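Review bot: `client_secret = try(data.vault_generic_secret.grafana_oauth_client_secret[0].data.value,"")` masks more than the `count = 0` case: `try` also swallows a wrong `kv_path`, a missing key under `data`, or a Vault policy that denies the read, so a misconfigured environment would render Grafana with OIDC enabled and an empty client secret instead of failing the plan. Since the data sources are now gated on `var.enable_grafana_oidc`, state the same condition directly and keep real errors loud: `client_id = var.enable_grafana_oidc ? data.vault_generic_secret.grafana_oauth_client_id[0].data.value : ""` and likewise for `client_secret`. The `count` guards in the stored-params.tf hunk are the right change; only the consumer side needs tightening.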
@@ -104,8 +104,8 @@ locals {
 GITLAB_CURRENT_GROUP_NAME = get_env("GITLAB_CURRENT_GROUP_NAME")
 GITLAB_API_URL = get_env("GITLAB_API_URL")
 CLOUD_REGION = get_env("cloud_region")
- ENABLE_VAULT_OIDC = get_env("ENABLE_VAULT_OIDC")
- ENABLE_GRAFANA_OIDC = get_env("ENABLE_GRAFANA_OIDC")
+ ENABLE_VAULT_OIDC = try(get_env("vault_oidc_domain"),"") == "" ? false : true
+ ENABLE_GRAFANA_OIDC = try(get_env("grafana_oidc_domain"),"") == "" ? false : true
 LETSENCRYPT_EMAIL = get_env("letsencrypt_email")
 GITLAB_TOKEN = get_env("GITLAB_CI_PAT")
 ENV_VAULT_TOKEN = get_env("ENV_VAULT_TOKEN")
From 1b54a10f902db07c8163a281ab67fb066b5befd6 Mon Sep 17 00:00:00 2001
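Review bot: `ENABLE_VAULT_OIDC = try(get_env("vault_oidc_domain"),"") == "" ? false : true` replaces an explicit `ENABLE_VAULT_OIDC` environment flag with an inference from whether a domain is set, so an environment that still exports `ENABLE_VAULT_OIDC=false` while `vault_oidc_domain` is populated now gets OIDC turned on without anyone having asked for it (and likewise for Grafana); the commit should say so, or the old flag should still win when present. The expression reads more simply as `try(get_env("vault_oidc_domain"), "") != ""`. The `""` fallback here also differs from the `"int."` fallback the `*_ingress_internal_lb` locals added earlier in this series use for the same env vars, so an unset variable means "OIDC off" in one place and "internal LB" in the other.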
From: Sijo George <87609749+sijo5722-2021@users.noreply.github.com> Date: Fri, 19 Apr 2024 21:03:00 +0530 Subject: [PATCH 111/201] Draft - Refactoring app-deploy.tf (#229) * update configs for performance * update configs for performance * first draft patch kustomization * cleanup naming * add istio log config * rm values from default * app-deploy refactoring * fix: scale account lookup service * Removing unwanted variable assignements * Removing unwanted variable definition * Inclding variable finanace_portal_ingress_internal_lb in vnext * removing fin portal fqdn * Removing fin_portal assignment in vnext * Removing the var definition * Removing the var definition from mojaloop * Moving pm4ml_keycloak_realm_env_secret_map * Removing local var definition from app deploy * Removing duplicate pm4ml_var_map * Fixing variable issues * removing the first two from allowedurllist * rm interop vars not needed anymore * Removing the commented line * cleanup internal/external lb vars --------- Co-authored-by: Kalin Krustev Co-authored-by: David Fry Co-authored-by: David Fry --- .../istio-main/values-istio-istiod.yaml.tpl | 4 +- .../templates/mojaloop/kustomization.yaml.tpl | 1 + .../values-mojaloop-override.yaml.tpl | 1 + .../mojaloop/values-mojaloop.yaml.tpl | 54 ----- .../templates/ory/values-kratos.yaml.tpl | 7 +- .../gitops/k8s-cluster-config/app-deploy.tf | 130 +---------- terraform/gitops/k8s-cluster-config/istio.tf | 5 + .../gitops/k8s-cluster-config/keycloak.tf | 20 ++ terraform/gitops/k8s-cluster-config/ory.tf | 8 +- terraform/gitops/mojaloop/mcm.tf | 49 ++-- terraform/gitops/mojaloop/mojaloop.tf | 95 ++++---- terraform/gitops/mojaloop/variables.tf | 9 - terraform/gitops/mojaloop/vault-pki-setup.tf | 5 +- terraform/gitops/pm4ml/pm4ml.tf | 87 +++---- terraform/gitops/pm4ml/variables.tf | 14 +- terraform/gitops/pm4ml/vault-pki-setup.tf | 7 +- terraform/gitops/vnext/mcm.tf | 46 ++-- terraform/gitops/vnext/variables.tf | 8 - terraform/gitops/vnext/vault-pki-setup.tf | 1 
- terraform/gitops/vnext/vnext.tf | 86 +++---- terraform/k8s/default-config/common-vars.yaml | 1 + .../mojaloop-values-override.yaml | 216 ++++++++++++++++++ .../k8s/default-config/mojaloop-vars.yaml | 28 --- terraform/k8s/gitops-build/terragrunt.hcl | 4 +- 24 files changed, 406 insertions(+), 480 deletions(-) create mode 100644 terraform/gitops/generate-files/templates/mojaloop/values-mojaloop-override.yaml.tpl create mode 100644 terraform/k8s/default-config/mojaloop-values-override.yaml diff --git a/terraform/gitops/generate-files/templates/istio/istio-main/values-istio-istiod.yaml.tpl b/terraform/gitops/generate-files/templates/istio/istio-main/values-istio-istiod.yaml.tpl index b98c95c30..987206643 100644 --- a/terraform/gitops/generate-files/templates/istio/istio-main/values-istio-istiod.yaml.tpl +++ b/terraform/gitops/generate-files/templates/istio/istio-main/values-istio-istiod.yaml.tpl @@ -309,7 +309,7 @@ global: # Per Component log level for proxy, applies to gateways and sidecars. If a component level is # not set, then the global "logLevel" will be used. - componentLogLevel: "misc:debug" + componentLogLevel: "misc:${istio_proxy_log_level}" # If set, newly injected sidecars will have core dumps enabled. enableCoreDump: false @@ -332,7 +332,7 @@ global: # Log level for proxy, applies to gateways and sidecars. # Expected values are: trace|debug|info|warning|error|critical|off - logLevel: debug + logLevel: ${istio_proxy_log_level} #If set to true, istio-proxy container will have privileged securityContext privileged: false diff --git a/terraform/gitops/generate-files/templates/mojaloop/kustomization.yaml.tpl b/terraform/gitops/generate-files/templates/mojaloop/kustomization.yaml.tpl index 1f073aa27..480bf6371 100644 --- a/terraform/gitops/generate-files/templates/mojaloop/kustomization.yaml.tpl +++ b/terraform/gitops/generate-files/templates/mojaloop/kustomization.yaml.tpl 
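Review bot: `logLevel: ${istio_proxy_log_level}` in the @@ -332 hunk is an unquoted template substitution, while the @@ -309 hunk quotes its counterpart as `"misc:${istio_proxy_log_level}"`; if `istio_proxy_log_level` ever renders empty the unquoted form becomes YAML `null`, and the documented value `off` would be read as a boolean by a YAML 1.1 loader. Quote it: `logLevel: "${istio_proxy_log_level}"`. A `validation` block on the Terraform variable restricting it to the set named in the surrounding comment (`trace|debug|info|warning|error|critical|off`) would catch typos before they reach the mesh.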
@@ -16,6 +16,7 @@ helmCharts: valuesFile: values-mojaloop.yaml namespace: ${mojaloop_namespace} additionalValuesFiles: + - values-mojaloop-override.yaml - values-mojaloop-addons.yaml - name: finance-portal releaseName: ${finance_portal_release_name} diff --git a/terraform/gitops/generate-files/templates/mojaloop/values-mojaloop-override.yaml.tpl b/terraform/gitops/generate-files/templates/mojaloop/values-mojaloop-override.yaml.tpl new file mode 100644 index 000000000..42d51bf36 --- /dev/null +++ b/terraform/gitops/generate-files/templates/mojaloop/values-mojaloop-override.yaml.tpl @@ -0,0 +1 @@ +#placeholder file for addons \ No newline at end of file diff --git a/terraform/gitops/generate-files/templates/mojaloop/values-mojaloop.yaml.tpl b/terraform/gitops/generate-files/templates/mojaloop/values-mojaloop.yaml.tpl index d6d02b4bb..5ed656c12 100644 --- a/terraform/gitops/generate-files/templates/mojaloop/values-mojaloop.yaml.tpl +++ b/terraform/gitops/generate-files/templates/mojaloop/values-mojaloop.yaml.tpl @@ -372,15 +372,6 @@ centralledger: config: prefix: *CL_MONITORING_PREFIX centralledger-handler-transfer-prepare: - readinessProbe: - initialDelaySeconds: 5 - livenessProbe: - initialDelaySeconds: 10 - sidecar: - readinessProbe: - initialDelaySeconds: 5 - livenessProbe: - initialDelaySeconds: 10 %{ if central_ledger_handler_transfer_prepare_affinity != null ~} affinity: ${indent(8, central_ledger_handler_transfer_prepare_affinity)} @@ -411,15 +402,6 @@ centralledger: config: prefix: *CL_MONITORING_PREFIX centralledger-handler-transfer-position: - readinessProbe: - initialDelaySeconds: 5 - livenessProbe: - initialDelaySeconds: 10 - sidecar: - readinessProbe: - initialDelaySeconds: 5 - livenessProbe: - initialDelaySeconds: 10 %{ if central_ledger_handler_transfer_position_affinity != null ~} affinity: ${indent(8, central_ledger_handler_transfer_position_affinity)} 
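Review bot: `values-mojaloop-override.yaml` is inserted before `values-mojaloop-addons.yaml` in `additionalValuesFiles`, and as I understand kustomize's helmCharts handling these are passed to Helm in order with later files winning, so anything in the addons file overrides the override file; if the override is meant to be the final word, list it last. The new placeholder template contains only `#placeholder file for addons`, so until real content lands the ordering is harmless either way, which makes now the cheap moment to fix it.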
@@ -450,15 +432,6 @@ centralledger: prefix: *CL_MONITORING_PREFIX centralledger-handler-transfer-position-batch: enabled: *CL_BATCH_PROCESSING_ENABLED - readinessProbe: - initialDelaySeconds: 5 - livenessProbe: - initialDelaySeconds: 10 - sidecar: - readinessProbe: - initialDelaySeconds: 5 - livenessProbe: - initialDelaySeconds: 10 %{ if central_ledger_handler_transfer_position_batch_affinity != null ~} affinity: ${indent(8, central_ledger_handler_transfer_position_batch_affinity)} @@ -490,15 +463,6 @@ centralledger: config: prefix: *CL_MONITORING_PREFIX centralledger-handler-transfer-get: - readinessProbe: - initialDelaySeconds: 5 - livenessProbe: - initialDelaySeconds: 10 - sidecar: - readinessProbe: - initialDelaySeconds: 5 - livenessProbe: - initialDelaySeconds: 10 %{ if central_ledger_handler_transfer_get_affinity != null ~} affinity: ${indent(8, central_ledger_handler_transfer_get_affinity)} @@ -528,15 +492,6 @@ centralledger: config: prefix: *CL_MONITORING_PREFIX centralledger-handler-transfer-fulfil: - readinessProbe: - initialDelaySeconds: 5 - livenessProbe: - initialDelaySeconds: 10 - sidecar: - readinessProbe: - initialDelaySeconds: 5 - livenessProbe: - initialDelaySeconds: 10 %{ if central_ledger_handler_transfer_fulfil_affinity != null ~} affinity: ${indent(8, central_ledger_handler_transfer_fulfil_affinity)} @@ -567,15 +522,6 @@ centralledger: config: prefix: *CL_MONITORING_PREFIX centralledger-handler-timeout: - readinessProbe: - initialDelaySeconds: 5 - livenessProbe: - initialDelaySeconds: 10 - sidecar: - readinessProbe: - initialDelaySeconds: 5 - livenessProbe: - initialDelaySeconds: 10 tolerations: *MOJALOOP_TOLERATIONS config: kafka_host: *KAFKA_HOST diff --git a/terraform/gitops/generate-files/templates/ory/values-kratos.yaml.tpl b/terraform/gitops/generate-files/templates/ory/values-kratos.yaml.tpl index 5e4c67e85..c6a91834d 100644 --- a/terraform/gitops/generate-files/templates/ory/values-kratos.yaml.tpl 
+++ b/terraform/gitops/generate-files/templates/ory/values-kratos.yaml.tpl @@ -86,11 +86,8 @@ kratos: selfservice: default_browser_return_url: https://${auth_fqdn}/ui/welcome allowed_return_urls: - - https://${auth_fqdn}/ui - - https://${keycloak_fqdn} -%{ for fqdnItem in bof_managed_portal_fqdns ~} - - https://${fqdnItem} -%{ endfor ~} + - https://*.${private_subdomain} + - https://*.${public_subdomain} methods: password: diff --git a/terraform/gitops/k8s-cluster-config/app-deploy.tf b/terraform/gitops/k8s-cluster-config/app-deploy.tf index 52353b988..68819afb2 100644 --- a/terraform/gitops/k8s-cluster-config/app-deploy.tf +++ b/terraform/gitops/k8s-cluster-config/app-deploy.tf @@ -6,8 +6,6 @@ module "mojaloop" { external_load_balancer_dns = var.external_load_balancer_dns private_subdomain = var.private_subdomain public_subdomain = var.public_subdomain - external_interop_switch_fqdn = local.external_interop_switch_fqdn - internal_interop_switch_fqdn = local.internal_interop_switch_fqdn secrets_key_map = var.secrets_key_map properties_key_map = var.properties_key_map output_dir = var.output_dir @@ -33,10 +31,6 @@ module "mojaloop" { vault_secret_key = var.vault_secret_key role_assign_svc_secret = var.role_assign_svc_secret role_assign_svc_user = var.role_assign_svc_user - ttk_backend_fqdn = local.ttk_backend_fqdn - ttk_frontend_fqdn = local.ttk_frontend_fqdn - ttk_istio_gateway_namespace = local.ttk_istio_gateway_namespace - ttk_istio_wildcard_gateway_name = local.ttk_istio_wildcard_gateway_name istio_external_gateway_name = var.istio_external_gateway_name istio_internal_gateway_name = var.istio_internal_gateway_name istio_external_wildcard_gateway_name = local.istio_external_wildcard_gateway_name 
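Review bot: Replacing the explicit `allowed_return_urls` entries with `https://*.${private_subdomain}` and `https://*.${public_subdomain}` turns a per-host allowlist into a trust grant for every current and future hostname under both subdomains; this list is what keeps a login or recovery flow from sending the browser to an arbitrary location afterwards, so any workload that can obtain a hostname there, or a dangling DNS record, becomes an acceptable post-login redirect target. If the wildcard is needed because pm4ml portal names are not known here, keep the explicit `https://${auth_fqdn}/ui` entry alongside it and document why the whole subdomains are trusted, and confirm the deployed Kratos version accepts glob hosts in this setting, since a version that does not may reject the configuration at startup. The removed `bof_managed_portal_fqdns` loop also leaves that template variable unused unless the Terraform side drops it.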
@@ -49,21 +43,16 @@ module "mojaloop" { mojaloop_enabled = var.common_var_map.mojaloop_enabled bulk_enabled = var.app_var_map.bulk_enabled third_party_enabled = var.app_var_map.third_party_enabled - mojaloop_ingress_internal_lb = var.app_var_map.mojaloop_ingress_internal_lb - mcm_ingress_internal_lb = var.app_var_map.mcm_ingress_internal_lb stateful_resources_config_file = var.mojaloop_stateful_resources_config_file local_vault_kv_root_path = local.local_vault_kv_root_path app_var_map = var.app_var_map auth_fqdn = local.auth_fqdn ory_namespace = var.ory_namespace - finance_portal_fqdn = local.finance_portal_fqdn - portal_istio_gateway_namespace = local.portal_istio_gateway_namespace - portal_istio_wildcard_gateway_name = local.portal_istio_wildcard_gateway_name - portal_istio_gateway_name = local.portal_istio_gateway_name bof_release_name = local.bof_release_name oathkeeper_auth_provider_name = local.oathkeeper_auth_provider_name keycloak_hubop_realm_name = var.keycloak_hubop_realm_name rbac_api_resources_file = var.rbac_api_resources_file + mojaloop_values_override_file = var.mojaloop_values_override_file mcm_fqdn = local.mcm_fqdn mcm_istio_gateway_namespace = local.mcm_istio_gateway_namespace mcm_istio_wildcard_gateway_name = local.mcm_istio_wildcard_gateway_name @@ -79,8 +68,6 @@ module "pm4ml" { external_load_balancer_dns = var.external_load_balancer_dns private_subdomain = var.private_subdomain public_subdomain = var.public_subdomain - external_interop_switch_fqdn = local.external_interop_switch_fqdn - internal_interop_switch_fqdn = local.internal_interop_switch_fqdn secrets_key_map = var.secrets_key_map properties_key_map = var.properties_key_map output_dir = var.output_dir 
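Review bot: The @@ -49 hunk stops passing `mojaloop_ingress_internal_lb` and `mcm_ingress_internal_lb` to the mojaloop module, so whether the Mojaloop and MCM ingress land on the internal or the external load balancer now depends on whatever the module's own declarations do, which this diff does not show (the diffstat lists deletions in mojaloop/variables.tf). A silent flip from internal to external exposure is the kind of regression worth one sentence in the commit message and a look at the rendered Gateway in `terraform plan` output before merge. The added `mojaloop_values_override_file = var.mojaloop_values_override_file` has no matching `variable` block in any hunk shown here; confirm it is declared elsewhere in k8s-cluster-config.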
@@ -107,16 +94,8 @@ module "pm4ml" { istio_external_wildcard_gateway_name = local.istio_external_wildcard_gateway_name istio_internal_wildcard_gateway_name = local.istio_internal_wildcard_gateway_name local_vault_kv_root_path = local.local_vault_kv_root_path - portal_fqdns = local.portal_fqdns - admin_portal_fqdns = local.admin_portal_fqdns auth_fqdn = local.auth_fqdn oathkeeper_auth_provider_name = local.oathkeeper_auth_provider_name - experience_api_fqdns = local.experience_api_fqdns - mojaloop_connnector_fqdns = local.mojaloop_connnector_fqdns - ttk_backend_fqdns = local.pm4ml_ttk_backend_fqdns - ttk_frontend_fqdns = local.pm4ml_ttk_frontend_fqdns - pta_portal_fqdns = local.pm4ml_pta_portal_fqdns - test_fqdns = local.test_fqdns vault_root_ca_name = "pki-${var.cluster_name}" app_var_map = local.pm4ml_var_map bof_release_name = local.bof_release_name @@ -124,9 +103,6 @@ module "pm4ml" { role_assign_svc_secret_prefix = "role-assign-svc-secret-" portal_admin_user = var.portal_admin_user portal_admin_secret_prefix = "portal-admin-secret-" - pm4ml_istio_gateway_namespaces = local.pm4ml_istio_gateway_namespaces - pm4ml_istio_wildcard_gateway_names = local.pm4ml_istio_wildcard_gateway_names - pm4ml_istio_gateway_names = local.pm4ml_istio_gateway_names } module "vnext" { @@ -137,8 +113,6 @@ module "vnext" { external_load_balancer_dns = var.external_load_balancer_dns private_subdomain = var.private_subdomain public_subdomain = var.public_subdomain - external_interop_switch_fqdn = local.external_interop_switch_fqdn - internal_interop_switch_fqdn = local.internal_interop_switch_fqdn secrets_key_map = var.secrets_key_map properties_key_map = var.properties_key_map output_dir = var.output_dir 
@@ -164,14 +138,6 @@ module "vnext" { vault_secret_key = var.vault_secret_key role_assign_svc_secret = var.role_assign_svc_secret role_assign_svc_user = var.role_assign_svc_user - mcm_fqdn = local.mcm_fqdn - mcm_istio_gateway_namespace = local.mcm_istio_gateway_namespace - mcm_istio_wildcard_gateway_name = local.mcm_istio_wildcard_gateway_name - mcm_istio_gateway_name = local.mcm_istio_gateway_name - ttk_backend_fqdn = local.ttk_backend_fqdn - ttk_frontend_fqdn = local.ttk_frontend_fqdn - ttk_istio_wildcard_gateway_name = local.ttk_istio_wildcard_gateway_name - ttk_istio_gateway_namespace = local.ttk_istio_gateway_namespace istio_external_gateway_name = var.istio_external_gateway_name istio_internal_gateway_name = var.istio_internal_gateway_name istio_external_wildcard_gateway_name = local.istio_external_wildcard_gateway_name 
@@ -182,22 +148,16 @@ module "vnext" { mcm_enabled = var.common_var_map.mcm_enabled mcm_chart_version = var.app_var_map.mcm_chart_version vnext_enabled = var.common_var_map.vnext_enabled - vnext_ingress_internal_lb = var.app_var_map.vnext_ingress_internal_lb - mcm_ingress_internal_lb = var.app_var_map.mcm_ingress_internal_lb stateful_resources_config_file = var.vnext_stateful_resources_config_file local_vault_kv_root_path = local.local_vault_kv_root_path app_var_map = var.app_var_map auth_fqdn = local.auth_fqdn ory_namespace = var.ory_namespace - finance_portal_fqdn = local.finance_portal_fqdn bof_release_name = local.bof_release_name oathkeeper_auth_provider_name = local.oathkeeper_auth_provider_name keycloak_hubop_realm_name = var.keycloak_hubop_realm_name rbac_api_resources_file = var.rbac_api_resources_file - vnext_admin_ui_fqdn = local.vnext_admin_ui_fqdn - vnext_istio_gateway_namespace = local.vnext_istio_gateway_namespace - vnext_istio_wildcard_gateway_name = local.vnext_istio_wildcard_gateway_name - fspiop_use_ory_for_auth = var.app_var_map.fspiop_use_ory_for_auth + fspiop_use_ory_for_auth = var.app_var_map.fspiop_use_ory_for_auth } variable "app_var_map" { @@ -283,6 +243,10 @@ variable "rbac_api_resources_file" { type = string } +variable "mojaloop_values_override_file" { + type = string +} + variable "argocd_ingress_internal_lb" { default = true description = "whether argocd should only be available on private network" 
@@ -293,91 +257,11 @@ variable "argocd_namespace" { description = "namespace argocd is deployed to" } -variable "finanace_portal_ingress_internal_lb" { - default = false - description = "whether argocd should only be available on private network" -} - locals { + auth_fqdn = "auth.${var.public_subdomain}" pm4ml_var_map = { for pm4ml in var.app_var_map.pm4mls : pm4ml.pm4ml => pm4ml } - oidc_providers = var.common_var_map.pm4ml_enabled ? [for pm4ml in var.app_var_map.pm4mls : { - realm = "${var.keycloak_pm4ml_realm_name}-${pm4ml.pm4ml}" - client_id = "${var.pm4ml_oidc_client_id_prefix}-${pm4ml.pm4ml}" - secret_name = "${var.pm4ml_oidc_client_secret_secret}-${pm4ml.pm4ml}" - }] : [] - mojaloop_keycloak_realm_env_secret_map = { - "${var.mcm_oidc_client_secret_secret}" = var.mcm_oidc_client_secret_secret_key - "${var.jwt_client_secret_secret}" = var.jwt_client_secret_secret_key - } - pm4ml_keycloak_realm_env_secret_map = merge( - { for key, pm4ml in local.pm4ml_var_map : "${var.pm4ml_oidc_client_secret_secret}-${key}" => var.vault_secret_key }, - { for key, pm4ml in local.pm4ml_var_map : "portal-admin-secret-${key}" => var.vault_secret_key }, - { for key, pm4ml in local.pm4ml_var_map : "role-assign-svc-secret-${key}" => var.vault_secret_key } - ) - - pm4ml_wildcard_gateways = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => pm4ml.pm4ml_ingress_internal_lb ? "internal" : "external" } - - mcm_wildcard_gateway = var.app_var_map.mcm_ingress_internal_lb ? "internal" : "external" - mcm_fqdn = local.mcm_wildcard_gateway == "external" ? "mcm.${var.public_subdomain}" : "mcm.${var.private_subdomain}" - mcm_istio_gateway_namespace = local.mcm_wildcard_gateway == "external" ? var.istio_external_gateway_namespace : var.istio_internal_gateway_namespace - mcm_istio_wildcard_gateway_name = local.mcm_wildcard_gateway == "external" ? 
local.istio_external_wildcard_gateway_name : local.istio_internal_wildcard_gateway_name - mcm_istio_gateway_name = local.mcm_wildcard_gateway == "external" ? var.istio_external_gateway_name : var.istio_internal_gateway_name - - auth_fqdn = "auth.${var.public_subdomain}" - external_interop_switch_fqdn = "extapi.${var.public_subdomain}" - internal_interop_switch_fqdn = "intapi.${var.private_subdomain}" - - mojaloop_wildcard_gateway = var.app_var_map.mojaloop_ingress_internal_lb ? "internal" : "external" - ttk_frontend_fqdn = local.mojaloop_wildcard_gateway == "external" ? "ttkfrontend.${var.public_subdomain}" : "ttkfrontend.${var.private_subdomain}" - ttk_backend_fqdn = local.mojaloop_wildcard_gateway == "external" ? "ttkbackend.${var.public_subdomain}" : "ttkbackend.${var.private_subdomain}" - ttk_istio_wildcard_gateway_name = local.mojaloop_wildcard_gateway == "external" ? local.istio_external_wildcard_gateway_name : local.istio_internal_wildcard_gateway_name - ttk_istio_gateway_namespace = local.mojaloop_wildcard_gateway == "external" ? var.istio_external_gateway_namespace : var.istio_internal_gateway_namespace - - finance_portal_wildcard_gateway = var.finanace_portal_ingress_internal_lb ? "internal" : "external" - finance_portal_fqdn = local.finance_portal_wildcard_gateway == "external" ? "finance-portal.${var.public_subdomain}" : "finance-portal.${var.private_subdomain}" - portal_istio_gateway_namespace = local.finance_portal_wildcard_gateway == "external" ? var.istio_external_gateway_namespace : var.istio_internal_gateway_namespace - portal_istio_wildcard_gateway_name = local.finance_portal_wildcard_gateway == "external" ? local.istio_external_wildcard_gateway_name : local.istio_internal_wildcard_gateway_name - portal_istio_gateway_name = local.finance_portal_wildcard_gateway == "external" ? var.istio_external_gateway_name : var.istio_internal_gateway_name - - vnext_wildcard_gateway = var.app_var_map.vnext_ingress_internal_lb ? 
"internal" : "external" - vnext_admin_ui_fqdn = local.vnext_wildcard_gateway == "external" ? "vnext-admin.${var.public_subdomain}" : "vnext-admin.${var.private_subdomain}" - vnext_istio_gateway_namespace = local.vnext_wildcard_gateway == "external" ? var.istio_external_gateway_namespace : var.istio_internal_gateway_namespace - vnext_istio_wildcard_gateway_name = local.vnext_wildcard_gateway == "external" ? local.istio_external_wildcard_gateway_name : local.istio_internal_wildcard_gateway_name - - portal_fqdns = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "external" ? "portal-${pm4ml.pm4ml}.${var.public_subdomain}" : "portal-${pm4ml.pm4ml}.${var.private_subdomain}" } - admin_portal_fqdns = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "external" ? "admin-portal-${pm4ml.pm4ml}.${var.public_subdomain}" : "admin-portal-${pm4ml.pm4ml}.${var.private_subdomain}"} - experience_api_fqdns = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "external" ? "exp-${pm4ml.pm4ml}.${var.public_subdomain}" : "exp-${pm4ml.pm4ml}.${var.private_subdomain}"} - mojaloop_connnector_fqdns = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "external" ? "conn-${pm4ml.pm4ml}.${var.public_subdomain}" : "conn-${pm4ml.pm4ml}.${var.private_subdomain}" } - test_fqdns = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "external" ? "test-${pm4ml.pm4ml}.${var.public_subdomain}" : "test-${pm4ml.pm4ml}.${var.private_subdomain}" } - pm4ml_ttk_frontend_fqdns = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "external" ? 
"ttkfront-${pm4ml.pm4ml}.${var.public_subdomain}" : "ttkfront-${pm4ml.pm4ml}.${var.private_subdomain}" } - pm4ml_ttk_backend_fqdns = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "external" ? "ttkback-${pm4ml.pm4ml}.${var.public_subdomain}" : "ttkback-${pm4ml.pm4ml}.${var.private_subdomain}"} - pm4ml_pta_portal_fqdns = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "external" ? "pta-portal-${pm4ml.pm4ml}.${var.public_subdomain}" : "pta-portal-${pm4ml.pm4ml}.${var.private_subdomain}"} - - pm4ml_istio_gateway_namespaces = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "external" ? var.istio_external_gateway_namespace : var.istio_internal_gateway_namespace } - pm4ml_istio_wildcard_gateway_names = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "external" ? local.istio_external_wildcard_gateway_name : local.istio_internal_wildcard_gateway_name } - pm4ml_istio_gateway_names = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "external" ? 
var.istio_external_gateway_name : var.istio_internal_gateway_name } - - pm4ml_internal_wildcard_admin_portal_hosts = [for pm4ml in local.pm4ml_var_map : local.admin_portal_fqdns[pm4ml.pm4ml] if local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "internal"] - pm4ml_external_wildcard_admin_portal_hosts = [for pm4ml in local.pm4ml_var_map : local.admin_portal_fqdns[pm4ml.pm4ml] if local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "external"] - pm4ml_internal_wildcard_portal_hosts = [for pm4ml in local.pm4ml_var_map : local.portal_fqdns[pm4ml.pm4ml] if local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "internal"] - pm4ml_external_wildcard_portal_hosts = [for pm4ml in local.pm4ml_var_map : local.portal_fqdns[pm4ml.pm4ml] if local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "external"] - pm4ml_internal_wildcard_exp_hosts = [for pm4ml in local.pm4ml_var_map : local.experience_api_fqdns[pm4ml.pm4ml] if local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "internal"] - pm4ml_external_wildcard_exp_hosts = [for pm4ml in local.pm4ml_var_map : local.experience_api_fqdns[pm4ml.pm4ml] if local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "external"] - - pm4ml_internal_gateway_hosts = concat(local.pm4ml_internal_wildcard_admin_portal_hosts, local.pm4ml_internal_wildcard_portal_hosts, local.pm4ml_internal_wildcard_exp_hosts, values(local.pm4ml_ttk_frontend_fqdns), values(local.pm4ml_ttk_backend_fqdns), values(local.test_fqdns), values(local.pm4ml_pta_portal_fqdns)) - pm4ml_external_gateway_hosts = concat(local.pm4ml_external_wildcard_admin_portal_hosts, local.pm4ml_external_wildcard_portal_hosts, local.pm4ml_external_wildcard_exp_hosts) - - keycloak_realm_env_secret_map = merge( - (var.common_var_map.mojaloop_enabled || var.common_var_map.vnext_enabled) ? 
local.mojaloop_keycloak_realm_env_secret_map : local.pm4ml_keycloak_realm_env_secret_map,
- {
- "${var.hubop_oidc_client_secret_secret}" = var.vault_secret_key
- "${var.role_assign_svc_secret}" = var.vault_secret_key
- "${var.portal_admin_secret}" = var.vault_secret_key
- }
- )
- bof_managed_portal_fqdns = (var.common_var_map.mojaloop_enabled || var.common_var_map.vnext_enabled) ? [local.finance_portal_fqdn, local.mcm_fqdn] : concat(local.pm4ml_external_wildcard_portal_hosts, local.pm4ml_internal_wildcard_portal_hosts, local.pm4ml_internal_wildcard_admin_portal_hosts, local.pm4ml_external_wildcard_admin_portal_hosts)
 }
diff --git a/terraform/gitops/k8s-cluster-config/istio.tf
index e72b40613..7f83693d2 100644
--- a/terraform/gitops/k8s-cluster-config/istio.tf
+++ b/terraform/gitops/k8s-cluster-config/istio.tf
@@ -39,6 +39,7 @@ module "generate_istio_files" {
 argocd_public_fqdn = local.argocd_public_fqdn
 argocd_private_fqdn = local.argocd_private_fqdn
 argocd_namespace = var.argocd_namespace
+ istio_proxy_log_level = try(var.common_var_map.istio_proxy_log_level, local.istio_proxy_log_level)
 }
 file_list = [for f in fileset(local.istio_template_path, "**/*.tpl") : trimsuffix(f, ".tpl") if !can(regex(local.istio_app_file, f))]
@@ -49,6 +50,10 @@ module "generate_istio_files" {
 }

 locals {
+
+ istio_template_path = "${path.module}/../generate-files/templates/istio"
+ istio_app_file = "istio-app.yaml"
+ istio_proxy_log_level = "warn"
 istio_template_path = "${path.module}/../generate-files/templates/istio"
 istio_app_file = "istio-app.yaml"
 argocd_wildcard_gateway = var.argocd_ingress_internal_lb ? "internal" : "external"
diff --git a/terraform/gitops/k8s-cluster-config/keycloak.tf
index 707c3b156..d9e6e5c03 100644
--- a/terraform/gitops/k8s-cluster-config/keycloak.tf
+++ b/terraform/gitops/k8s-cluster-config/keycloak.tf
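Review bot: The second istio.tf hunk re-adds `istio_template_path` and `istio_app_file` inside `locals` while the original definitions of both names remain two lines below as context, and Terraform rejects an attribute assigned twice in the same block, so this file will not pass `terraform validate` as committed. The only genuinely new local is the log level; the hunk should reduce to `+  istio_proxy_log_level = "warn"` with the two duplicate lines dropped. In the first hunk, `try(var.common_var_map.istio_proxy_log_level, local.istio_proxy_log_level)` also masks a mistyped key by silently falling back to `warn`, which is tolerable for a log level but deserves a short comment saying the fallback is intentional.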
@@ -100,4 +100,24 @@ locals {
 keycloak_admin_istio_gateway_namespace = local.keycloak_admin_wildcard_gateway == "external" ? var.istio_external_gateway_namespace : var.istio_internal_gateway_namespace
 keycloak_istio_gateway_name = local.keycloak_wildcard_gateway == "external" ? var.istio_external_gateway_name : var.istio_internal_gateway_name
 keycloak_secrets_path = "/secret/keycloak"
+
+ mojaloop_keycloak_realm_env_secret_map = {
+ "${var.mcm_oidc_client_secret_secret}" = var.mcm_oidc_client_secret_secret_key
+ "${var.jwt_client_secret_secret}" = var.jwt_client_secret_secret_key
+ }
+
+ pm4ml_keycloak_realm_env_secret_map = merge(
+ { for key, pm4ml in local.pm4ml_var_map : "${var.pm4ml_oidc_client_secret_secret}-${key}" => var.vault_secret_key },
+ { for key, pm4ml in local.pm4ml_var_map : "portal-admin-secret-${key}" => var.vault_secret_key },
+ { for key, pm4ml in local.pm4ml_var_map : "role-assign-svc-secret-${key}" => var.vault_secret_key }
+ )
+
+ keycloak_realm_env_secret_map = merge(
+ (var.common_var_map.mojaloop_enabled || var.common_var_map.vnext_enabled) ? local.mojaloop_keycloak_realm_env_secret_map : local.pm4ml_keycloak_realm_env_secret_map,
+ {
+ "${var.hubop_oidc_client_secret_secret}" = var.vault_secret_key
+ "${var.role_assign_svc_secret}" = var.vault_secret_key
+ "${var.portal_admin_secret}" = var.vault_secret_key
+ }
+ )
 }
diff --git a/terraform/gitops/k8s-cluster-config/ory.tf
index e98058d84..144bb4f5c 100644
--- a/terraform/gitops/k8s-cluster-config/ory.tf
+++ b/terraform/gitops/k8s-cluster-config/ory.tf
@@ -10,7 +10,7 @@ module "generate_ory_files" {
 ory_namespace = var.ory_namespace
 auth_fqdn = local.auth_fqdn
 public_subdomain = var.public_subdomain
- bof_managed_portal_fqdns = local.bof_managed_portal_fqdns
+ private_subdomain = var.private_subdomain
 keto_postgres_database = module.common_stateful_resources.stateful_resources[local.keto_postgres_resource_index].logical_service_config.database_name
 keto_postgres_user = module.common_stateful_resources.stateful_resources[local.keto_postgres_resource_index].logical_service_config.username
 keto_postgres_host = "${module.common_stateful_resources.stateful_resources[local.keto_postgres_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local"
@@ -120,4 +120,10 @@ locals {
 rolesPermissions = yamldecode(file(var.rbac_permissions_file))
 mojaloopRoles = local.rolesPermissions["roles"]
 permissionExclusions = local.rolesPermissions["permission-exclusions"]
+
+ oidc_providers = var.common_var_map.pm4ml_enabled ? [for pm4ml in var.app_var_map.pm4mls : {
+ realm = "${var.keycloak_pm4ml_realm_name}-${pm4ml.pm4ml}"
+ client_id = "${var.pm4ml_oidc_client_id_prefix}-${pm4ml.pm4ml}"
+ secret_name = "${var.pm4ml_oidc_client_secret_secret}-${pm4ml.pm4ml}"
+ }] : []
 }
diff --git a/terraform/gitops/mojaloop/mcm.tf
index 9c080e551..bf44dc7a1 100644
--- a/terraform/gitops/mojaloop/mcm.tf
+++ b/terraform/gitops/mojaloop/mcm.tf
@@ -8,11 +8,11 @@ module "generate_mcm_files" {
 db_schema = module.mojaloop_stateful_resources.stateful_resources[local.mcm_resource_index].logical_service_config.database_name
 db_port = module.mojaloop_stateful_resources.stateful_resources[local.mcm_resource_index].logical_service_config.logical_service_port
 db_host = "${module.mojaloop_stateful_resources.stateful_resources[local.mcm_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local"
- mcm_fqdn = var.mcm_fqdn
- mcm_istio_gateway_namespace = var.mcm_istio_gateway_namespace
- mcm_istio_wildcard_gateway_name = var.mcm_istio_wildcard_gateway_name
- mcm_istio_gateway_name = var.mcm_istio_gateway_name
- fspiop_use_ory_for_auth = var.fspiop_use_ory_for_auth
+ mcm_fqdn = local.mcm_fqdn
+ mcm_istio_gateway_namespace = local.mcm_istio_gateway_namespace
+ mcm_istio_wildcard_gateway_name = local.mcm_istio_wildcard_gateway_name
+ mcm_istio_gateway_name = local.mcm_istio_gateway_name
+ fspiop_use_ory_for_auth = var.fspiop_use_ory_for_auth
 env_name = var.cluster_name
 env_cn = var.public_subdomain
 env_o = "Mojaloop"
@@ -34,7 +34,7 @@ module "generate_mcm_files" {
 public_subdomain = var.public_subdomain
 enable_oidc = var.enable_mcm_oidc
 mcm_sync_wave = var.mcm_sync_wave
- ingress_class = var.mcm_ingress_internal_lb ? var.internal_ingress_class_name : var.external_ingress_class_name
+ ingress_class = try(var.app_var_map.mcm_ingress_internal_lb, false) ? var.internal_ingress_class_name : var.external_ingress_class_name
 istio_create_ingress_gateways = var.istio_create_ingress_gateways
 pki_path = var.vault_root_ca_name
 dfsp_client_cert_bundle = local.dfsp_client_cert_bundle
@@ -60,7 +60,7 @@ module "generate_mcm_files" {
 mcm_wildcard_gateway = local.mcm_wildcard_gateway
 istio_external_gateway_name = var.istio_external_gateway_name
 private_network_cidr = var.private_network_cidr
- interop_switch_fqdn = var.external_interop_switch_fqdn
+ interop_switch_fqdn = local.external_interop_switch_fqdn
 keycloak_fqdn = var.keycloak_fqdn
 keycloak_dfsp_realm_name = var.keycloak_dfsp_realm_name
 keycloak_hubop_realm_name = var.keycloak_hubop_realm_name
@@ -77,7 +77,7 @@ module "generate_mcm_files" {
 internal_load_balancer_dns = var.internal_load_balancer_dns
 external_load_balancer_dns = var.external_load_balancer_dns
 istio_internal_gateway_name = var.istio_internal_gateway_name
- int_interop_switch_fqdn = var.internal_interop_switch_fqdn
+ int_interop_switch_fqdn = local.internal_interop_switch_fqdn
 mojaloop_namespace = var.mojaloop_namespace
 mojaloop_release_name = var.mojaloop_release_name
 onboarding_collection_tag = var.app_var_map.onboarding_collection_tag
@@ -99,11 +99,7 @@ variable "mcm_enabled" {
 type = bool
 default = true
 }
-variable "mcm_ingress_internal_lb" {
- type = bool
- description = "mcm_ingress_internal_lb"
- default = false
-}
+
 variable "enable_mcm_oidc" {
 type = bool
 default = false
@@ -210,26 +206,6 @@ variable "keycloak_namespace" {
 description = "namespace of keycloak in which to create realm"
 }

-variable "mcm_fqdn" {
- type = string
- description = "hostname for mcm"
-}
-
-variable "mcm_istio_wildcard_gateway_name" {
- type = string
- default = ""
-}
-
-variable "mcm_istio_gateway_namespace" {
- type = string
- default = ""
-}
-
-variable "mcm_istio_gateway_name" {
- type = string
- default = ""
-}
-
 variable "fspiop_use_ory_for_auth" {
 type = bool
 }
@@ -238,8 +214,13 @@ locals {
 mcm_template_path = "${path.module}/../generate-files/templates/mcm"
 mcm_app_file = "mcm-app.yaml"
 mcm_resource_index = index(module.mojaloop_stateful_resources.stateful_resources.*.resource_name, "mcm-db")
- mcm_wildcard_gateway = var.mcm_ingress_internal_lb ? "internal" : "external"
+ mcm_wildcard_gateway = try(var.app_var_map.mcm_ingress_internal_lb, false) ? "internal" : "external"
 dfsp_client_cert_bundle = "${local.onboarding_secret_path}_pm4mls"
 dfsp_internal_whitelist_secret = "${local.whitelist_secret_path}_pm4mls"
 dfsp_external_whitelist_secret = "${local.whitelist_secret_path}_fsps"
+
+ mcm_fqdn = local.mcm_wildcard_gateway == "external" ? "mcm.${var.public_subdomain}" : "mcm.${var.private_subdomain}"
+ mcm_istio_gateway_namespace = local.mcm_wildcard_gateway == "external" ? var.istio_external_gateway_namespace : var.istio_internal_gateway_namespace
+ mcm_istio_wildcard_gateway_name = local.mcm_wildcard_gateway == "external" ? var.istio_external_wildcard_gateway_name : var.istio_internal_wildcard_gateway_name
+ mcm_istio_gateway_name = local.mcm_wildcard_gateway == "external" ? var.istio_external_gateway_name : var.istio_internal_gateway_name
 }
diff --git a/terraform/gitops/mojaloop/mojaloop.tf
index 363cf0c3b..d34760296 100644
--- a/terraform/gitops/mojaloop/mojaloop.tf
+++ b/terraform/gitops/mojaloop/mojaloop.tf
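Review bot: `mcm_wildcard_gateway = try(var.app_var_map.mcm_ingress_internal_lb, false)` makes the external gateway the fallback whenever the key is absent from `app_var_map`, and because `try()` returns the fallback on any evaluation error a mistyped key such as `mcm_ingress_internal_lb_` silently publishes the connection manager on `mcm.${var.public_subdomain}`. It preserves the default of the variable removed above, but it is the opposite of the `true` (internal) fallback this patch chooses for `mojaloop_ingress_internal_lb` and `finance_portal_ingress_internal_lb` in mojaloop.tf, and MCM fronts DFSP onboarding and certificate management. Flip the fallback to `true` so a missing key fails closed, or read the key without `try()` so a missing value is a plan error rather than a public exposure; the identical expression on the `ingress_class` line in the earlier hunk should change with it. A one-line comment above the local stating which way the default errs would make the choice visible to operators.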
@@ -25,12 +25,12 @@ module "generate_mojaloop_files" {
 central_ledger_handler_transfer_position_batch_consume_timeout_ms = try(var.app_var_map.central_ledger_handler_transfer_position_batch_consume_timeout_ms, 10)
 central_ledger_cache_enabled = try(var.app_var_map.central_ledger_cache_enabled, true)
 central_ledger_cache_expires_in_ms = try(var.app_var_map.central_ledger_cache_expires_in_ms, 1000)
- interop_switch_fqdn = var.external_interop_switch_fqdn
- int_interop_switch_fqdn = var.internal_interop_switch_fqdn
+ interop_switch_fqdn = local.external_interop_switch_fqdn
+ int_interop_switch_fqdn = local.internal_interop_switch_fqdn
 external_ingress_class_name = var.external_ingress_class_name
 vault_certman_secretname = var.vault_certman_secretname
 nginx_jwt_namespace = var.nginx_jwt_namespace
- ingress_class_name = var.mojaloop_ingress_internal_lb ? var.internal_ingress_class_name : var.external_ingress_class_name
+ ingress_class_name = try(var.app_var_map.mojaloop_ingress_internal_lb, true) ? var.internal_ingress_class_name : var.external_ingress_class_name
 istio_create_ingress_gateways = var.istio_create_ingress_gateways
 istio_external_gateway_name = var.istio_external_gateway_name
 external_load_balancer_dns = var.external_load_balancer_dns
@@ -41,10 +41,10 @@ module "generate_mojaloop_files" {
 mojaloop_wildcard_gateway = local.mojaloop_wildcard_gateway
 keycloak_fqdn = var.keycloak_fqdn
 keycloak_realm_name = var.keycloak_hubop_realm_name
- ttk_frontend_fqdn = var.ttk_frontend_fqdn
- ttk_backend_fqdn = var.ttk_backend_fqdn
- ttk_istio_gateway_namespace = var.ttk_istio_gateway_namespace
- ttk_istio_wildcard_gateway_name = var.ttk_istio_wildcard_gateway_name
+ ttk_frontend_fqdn = local.ttk_frontend_fqdn
+ ttk_backend_fqdn = local.ttk_backend_fqdn
+ ttk_istio_gateway_namespace = local.ttk_istio_gateway_namespace
+ ttk_istio_wildcard_gateway_name = local.ttk_istio_wildcard_gateway_name
 kafka_host = "${module.mojaloop_stateful_resources.stateful_resources[local.mojaloop_kafka_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local"
 kafka_port = module.mojaloop_stateful_resources.stateful_resources[local.mojaloop_kafka_resource_index].logical_service_config.logical_service_port
 account_lookup_db_existing_secret = module.mojaloop_stateful_resources.stateful_resources[local.ml_als_resource_index].logical_service_config.user_password_secret
@@ -113,7 +113,7 @@ module "generate_mojaloop_files" {
 central_settlement_handler_deferredsettlement_replica_count = try(var.app_var_map.central_settlement_handler_deferredsettlement_replica_count, 1)
 central_settlement_handler_grosssettlement_replica_count = try(var.app_var_map.central_settlement_handler_grosssettlement_replica_count, 1)
 central_settlement_handler_rules_replica_count = try(var.app_var_map.central_settlement_handler_rules_replica_count, 1)
- trasaction_requests_service_replica_count = try(var.app_var_map.trasaction_requests_service_replica_count, 1)
+ transaction_requests_service_replica_count = try(var.app_var_map.transaction_requests_service_replica_count, 1)
 auth_service_replica_count = try(var.app_var_map.auth_service_replica_count, 1)
 consent_oracle_replica_count = try(var.app_var_map.consent_oracle_replica_count, 1)
 tp_api_svc_replica_count = try(var.app_var_map.tp_api_svc_replica_count, 1)
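Review bot: Renaming the looked-up key to `var.app_var_map.transaction_requests_service_replica_count` silently discards any value an environment already sets under the old misspelled key, because the `try()` fallback turns the now-unmatched `trasaction_requests_service_replica_count` into a replica count of `1` with no warning. Accept both spellings for a transition period, `try(var.app_var_map.transaction_requests_service_replica_count, var.app_var_map.trasaction_requests_service_replica_count, 1)`, with a comment marking the second lookup as deprecated, and call the rename out in the commit description. The template that consumes the renamed `transaction_requests_service_replica_count` input is not in this chunk and must be updated in step.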
@@ -141,7 +141,7 @@ module "generate_mojaloop_files" {
 central_settlement_handler_deferredsettlement_affinity = try(yamlencode(var.app_var_map.workload_definitions.central_settlement.affinity_definition), null)
 central_settlement_handler_grosssettlement_affinity = try(yamlencode(var.app_var_map.workload_definitions.central_settlement.affinity_definition), null)
 central_settlement_handler_rules_affinity = try(yamlencode(var.app_var_map.workload_definitions.central_settlement.affinity_definition), null)
- trasaction_requests_service_affinity = try(yamlencode(var.app_var_map.workload_definitions.core_api_adapters.affinity_definition), null)
+ transaction_requests_service_affinity = try(yamlencode(var.app_var_map.workload_definitions.core_api_adapters.affinity_definition), null)
 central_ledger_monitoring_prefix = try(var.app_var_map.central_ledger_monitoring_prefix, "moja_cl_")
 quoting_service_monitoring_prefix = try(var.app_var_map.quoting_service_monitoring_prefix, "moja_qs_")
 ml_api_adapter_monitoring_prefix = try(var.app_var_map.ml_api_adapter_monitoring_prefix, "moja_ml_")
@@ -168,10 +168,10 @@ module "generate_mojaloop_files" {
 keto_read_url = "http://keto-read.${var.ory_namespace}.svc.cluster.local:80"
 keto_write_url = "http://keto-write.${var.ory_namespace}.svc.cluster.local:80"
 kratos_service_name = "kratos-public.${var.ory_namespace}.svc.cluster.local"
- portal_fqdn = var.finance_portal_fqdn
- portal_istio_gateway_namespace = var.portal_istio_gateway_namespace
- portal_istio_wildcard_gateway_name = var.portal_istio_wildcard_gateway_name
- portal_istio_gateway_name = var.portal_istio_gateway_name
+ portal_fqdn = local.finance_portal_fqdn
+ portal_istio_gateway_namespace = local.portal_istio_gateway_namespace
+ portal_istio_wildcard_gateway_name = local.portal_istio_wildcard_gateway_name
+ portal_istio_gateway_name = local.portal_istio_gateway_name
 finance_portal_release_name = "fin-portal"
 finance_portal_chart_version = try(var.app_var_map.finance_portal_chart_version, var.finance_portal_chart_version)
 oathkeeper_auth_provider_name = var.oathkeeper_auth_provider_name
@@ -191,7 +191,9 @@ module "generate_mojaloop_files" {
 jws_rotation_period_hours = try(var.app_var_map.jws_rotation_period_hours, var.jws_rotation_period_hours)
 mcm_hub_jws_endpoint = "http://mcm-connection-manager-api.${var.mcm_namespace}.svc.cluster.local:3001/api/hub/jwscerts"
 ttk_gp_testcase_labels = try(var.app_var_map.ttk_gp_testcase_labels, var.ttk_gp_testcase_labels)
+ override_values_file_exists = local.override_values_file_exists
 fspiop_use_ory_for_auth = var.fspiop_use_ory_for_auth
+
 }
 file_list = [for f in fileset(local.mojaloop_template_path, "**/*.tpl") : trimsuffix(f, ".tpl") if !can(regex(local.mojaloop_app_file, f))]
 template_path = local.mojaloop_template_path
@@ -200,8 +202,29 @@ module "generate_mojaloop_files" { app_output_path = "${var.output_dir}/app-yamls" } +resource "local_file" "mojaloop_values_override" { + count = local.override_values_file_exists ? 1 : 0 + content = file(var.mojaloop_values_override_file) + filename = "${local.output_path}/values-mojaloop-override.yaml" + depends_on = [module.generate_mojaloop_files] +} locals { + mojaloop_wildcard_gateway = try(var.app_var_map.mojaloop_ingress_internal_lb, true) ? "internal" : "external" + ttk_frontend_fqdn = local.mojaloop_wildcard_gateway == "external" ? "ttkfrontend.${var.public_subdomain}" : "ttkfrontend.${var.private_subdomain}" + ttk_backend_fqdn = local.mojaloop_wildcard_gateway == "external" ? "ttkbackend.${var.public_subdomain}" : "ttkbackend.${var.private_subdomain}" + ttk_istio_wildcard_gateway_name = local.mojaloop_wildcard_gateway == "external" ? var.istio_external_wildcard_gateway_name : var.istio_internal_wildcard_gateway_name + ttk_istio_gateway_namespace = local.mojaloop_wildcard_gateway == "external" ? var.istio_external_gateway_namespace : var.istio_internal_gateway_namespace + + finance_portal_wildcard_gateway = try(var.app_var_map.finance_portal_ingress_internal_lb, true) ? "internal" : "external" + finance_portal_fqdn = local.finance_portal_wildcard_gateway == "external" ? "finance-portal.${var.public_subdomain}" : "finance-portal.${var.private_subdomain}" + portal_istio_gateway_namespace = local.finance_portal_wildcard_gateway == "external" ? var.istio_external_gateway_namespace : var.istio_internal_gateway_namespace + portal_istio_wildcard_gateway_name = local.finance_portal_wildcard_gateway == "external" ? var.istio_external_wildcard_gateway_name : var.istio_internal_wildcard_gateway_name + portal_istio_gateway_name = local.finance_portal_wildcard_gateway == "external" ? 
var.istio_external_gateway_name : var.istio_internal_gateway_name + + external_interop_switch_fqdn = "extapi.${var.public_subdomain}" + internal_interop_switch_fqdn = "intapi.${var.private_subdomain}" + mojaloop_template_path = "${path.module}/../generate-files/templates/mojaloop" mojaloop_app_file = "mojaloop-app.yaml" output_path = "${var.output_dir}/mojaloop" @@ -216,9 +239,9 @@ locals { third_party_consent_oracle_db_resource_index = index(module.mojaloop_stateful_resources.stateful_resources.*.resource_name, "mysql-consent-oracle-db") ttk_redis_resource_index = index(module.mojaloop_stateful_resources.stateful_resources.*.resource_name, "ttk-redis") reporting_events_mongodb_resource_index = index(module.mojaloop_stateful_resources.stateful_resources.*.resource_name, "reporting-events-mongodb") - mojaloop_wildcard_gateway = var.mojaloop_ingress_internal_lb ? "internal" : "external" apiResources = yamldecode(file(var.rbac_api_resources_file)) jws_key_secret = "switch-jws" + override_values_file_exists = fileexists(var.mojaloop_values_override_file) } variable "app_var_map" { @@ -230,12 +253,6 @@ variable "mojaloop_enabled" { default = true } -variable "mojaloop_ingress_internal_lb" { - type = bool - description = "mojaloop_ingress_internal_lb" - default = true -} - variable "mojaloop_chart_repo" { description = "repo for mojaloop charts" type = string @@ -327,12 +344,6 @@ variable "quoting_service_simple_routing_mode_enabled" { default = false } -variable "ttk_frontend_fqdn" { - type = string -} -variable "ttk_backend_fqdn" { - type = string -} variable "auth_fqdn" { type = string @@ -341,9 +352,6 @@ variable "ory_namespace" { type = string } -variable "finance_portal_fqdn" { - type = string -} variable "bof_release_name" { type = string @@ -372,6 +380,10 @@ variable "rbac_api_resources_file" { type = string } +variable "mojaloop_values_override_file" { + type = string +} + variable "reporting_templates_chart_version" { type = string default = "1.1.7" 
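Review bot: `resource "local_file" "mojaloop_values_override"` sets no `file_permission`, and the hashicorp/local provider defaults it to `0777`, so the copied override values are written into the GitOps output tree world-writable and executable; add `file_permission = "0644"` (and `directory_permission = "0755"` if the resource is what creates `local.output_path`). Separately, `finance_portal_wildcard_gateway = try(var.app_var_map.finance_portal_ingress_internal_lb, true)` inverts the default of the `finanace_portal_ingress_internal_lb = false` variable removed from app-deploy.tf earlier in this patch, which moves `finance_portal_fqdn` from the public to the private subdomain for every environment that never set the key — a sensible hardening, but a silent host change that should be named in the commit description and explained in a comment above the local, e.g. `# defaults to internal: the finance portal is an operator tool and is not internet-reachable unless explicitly enabled`. The `locals` block this hunk edits continues below the hunk.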
@@ -396,28 +408,3 @@ variable "ttk_gp_testcase_labels" { type = string default = "p2p" } - -variable "ttk_istio_wildcard_gateway_name" { - type = string - default = "" -} - -variable "ttk_istio_gateway_namespace" { - type = string - default = "" -} - -variable "portal_istio_wildcard_gateway_name" { - type = string - default = "" -} - -variable "portal_istio_gateway_namespace" { - type = string - default = "" -} - -variable "portal_istio_gateway_name" { - type = string - default = "" -} diff --git a/terraform/gitops/mojaloop/variables.tf b/terraform/gitops/mojaloop/variables.tf index 8a00055c3..3b9f90bce 100644 --- a/terraform/gitops/mojaloop/variables.tf +++ b/terraform/gitops/mojaloop/variables.tf @@ -81,15 +81,6 @@ variable "kv_path" { description = "path for kv engine" default = "secret" } - -variable "external_interop_switch_fqdn" { - description = "fqdn for interop ext" -} - -variable "internal_interop_switch_fqdn" { - description = "fqdn for interop int" -} - variable "internal_ingress_class_name" { type = string description = "nginx_internal_namespace" diff --git a/terraform/gitops/mojaloop/vault-pki-setup.tf b/terraform/gitops/mojaloop/vault-pki-setup.tf index cc79f4825..f27754b11 100644 --- a/terraform/gitops/mojaloop/vault-pki-setup.tf +++ b/terraform/gitops/mojaloop/vault-pki-setup.tf @@ -9,7 +9,6 @@ module "generate_vault_pki_setup_files" { cert_manager_service_account_name = var.cert_manager_service_account_name gitlab_project_url = var.gitlab_project_url cert_manager_cluster_issuer_role_name = var.cert_manager_cluster_issuer_role_name - interop_switch_fqdn = var.external_interop_switch_fqdn vault_root_ca_name = var.vault_root_ca_name pki_server_cert_role = var.pki_server_cert_role pki_client_cert_role = var.pki_client_cert_role 
@@ -25,8 +24,8 @@ module "generate_vault_pki_setup_files" { } locals { - vault_pki_template_path = "${path.module}/../generate-files/templates/vault-pki-setup" - vault_pki_app_file = "vault-pki-app.yaml" + vault_pki_template_path = "${path.module}/../generate-files/templates/vault-pki-setup" + vault_pki_app_file = "vault-pki-app.yaml" } diff --git a/terraform/gitops/pm4ml/pm4ml.tf b/terraform/gitops/pm4ml/pm4ml.tf index 1b45f031b..4ce1b99df 100644 --- a/terraform/gitops/pm4ml/pm4ml.tf +++ b/terraform/gitops/pm4ml/pm4ml.tf @@ -17,10 +17,10 @@ module "generate_pm4ml_files" { pm4ml_wildcard_gateway = each.value.pm4ml_ingress_internal_lb ? "internal" : "external" keycloak_fqdn = var.keycloak_fqdn keycloak_pm4ml_realm_name = "${var.keycloak_pm4ml_realm_name}-${each.key}" - experience_api_fqdn = var.experience_api_fqdns[each.key] + experience_api_fqdn = local.experience_api_fqdns[each.key] kratos_service_name = "kratos-public.${var.ory_namespace}.svc.cluster.local" - portal_fqdn = var.portal_fqdns[each.key] - admin_portal_fqdn = var.admin_portal_fqdns[each.key] + portal_fqdn = local.portal_fqdns[each.key] + admin_portal_fqdn = local.admin_portal_fqdns[each.key] auth_fqdn = var.auth_fqdn admin_portal_release_name = "admin-portal-${each.key}" admin_portal_chart_version = try(var.app_var_map.admin_portal_chart_version, var.admin_portal_chart_version) 
@@ -39,9 +39,9 @@ module "generate_pm4ml_files" {
 keto_read_url = "http://keto-read.${var.ory_namespace}.svc.cluster.local:80"
 keto_write_url = "http://keto-write.${var.ory_namespace}.svc.cluster.local:80"
 pm4ml_secret_path = "${var.local_vault_kv_root_path}/${each.key}"
- callback_url = "https://${var.mojaloop_connnector_fqdns[each.key]}"
- mojaloop_connnector_fqdn = var.mojaloop_connnector_fqdns[each.key]
- callback_fqdn = var.mojaloop_connnector_fqdns[each.key]
+ callback_url = "https://${local.mojaloop_connnector_fqdns[each.key]}"
+ mojaloop_connnector_fqdn = local.mojaloop_connnector_fqdns[each.key]
+ callback_fqdn = local.mojaloop_connnector_fqdns[each.key]
 redis_port = "6379"
 redis_host = "redis-master"
 redis_replica_count = "1"
@@ -69,10 +69,10 @@ module "generate_pm4ml_files" {
 ttk_enabled = each.value.pm4ml_ttk_enabled
 core_connector_selected = each.value.core_connector_selected
 custom_core_connector_endpoint = each.value.custom_core_connector_endpoint
- ttk_backend_fqdn = var.ttk_backend_fqdns[each.key]
- ttk_frontend_fqdn = var.ttk_frontend_fqdns[each.key]
- pta_portal_fqdn = var.pta_portal_fqdns[each.key]
- test_fqdn = var.test_fqdns[each.key]
+ ttk_backend_fqdn = local.pm4ml_ttk_frontend_fqdns[each.key]
+ ttk_frontend_fqdn = local.pm4ml_ttk_frontend_fqdns[each.key]
+ pta_portal_fqdn = local.pm4ml_pta_portal_fqdns[each.key]
+ test_fqdn = local.test_fqdns[each.key]
 ory_namespace = var.ory_namespace
 oathkeeper_auth_provider_name = var.oathkeeper_auth_provider_name
 istio_create_ingress_gateways = var.istio_create_ingress_gateways
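Review bot: `ttk_backend_fqdn = local.pm4ml_ttk_frontend_fqdns[each.key]` in hunk `@@ -69,10 +69,10 @@` points the TTK backend at the frontend hostname (`ttkfront-…`), while the `pm4ml_ttk_backend_fqdns` map added in the locals hunk (`@@ -104,18 +104,37 @@`) is never referenced anywhere in this patch. It should read `ttk_backend_fqdn = local.pm4ml_ttk_backend_fqdns[each.key]`; as written the backend's gateway and ingress entries presumably collide with the frontend's, and the `ttkback-…` hosts are never routed. The enclosing module block starts and ends outside this hunk.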
@@ -87,9 +87,9 @@ module "generate_pm4ml_files" { pm4ml_reserve_notification = each.value.pm4ml_reserve_notification core_connector_config = each.value.core_connector_config payment_token_adapter_config = each.value.payment_token_adapter_config - pm4ml_istio_gateway_namespace = var.pm4ml_istio_gateway_namespaces[each.key] - pm4ml_istio_wildcard_gateway_name = var.pm4ml_istio_wildcard_gateway_names[each.key] - pm4ml_istio_gateway_name = var.pm4ml_istio_gateway_names[each.key] + pm4ml_istio_gateway_namespace = local.pm4ml_istio_gateway_namespaces[each.key] + pm4ml_istio_wildcard_gateway_name = local.pm4ml_istio_wildcard_gateway_names[each.key] + pm4ml_istio_gateway_name = local.pm4ml_istio_gateway_names[each.key] } 
@@ -104,18 +104,37 @@ module "generate_pm4ml_files" { locals { pm4ml_template_path = "${path.module}/../generate-files/templates/pm4ml" pm4ml_app_file = "pm4ml-app.yaml" + + pm4ml_var_map = var.app_var_map + + pm4ml_wildcard_gateways = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => pm4ml.pm4ml_ingress_internal_lb ? "internal" : "external" } + + portal_fqdns = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "external" ? "portal-${pm4ml.pm4ml}.${var.public_subdomain}" : "portal-${pm4ml.pm4ml}.${var.private_subdomain}" } + admin_portal_fqdns = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "external" ? "admin-portal-${pm4ml.pm4ml}.${var.public_subdomain}" : "admin-portal-${pm4ml.pm4ml}.${var.private_subdomain}"} + experience_api_fqdns = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "external" ? "exp-${pm4ml.pm4ml}.${var.public_subdomain}" : "exp-${pm4ml.pm4ml}.${var.private_subdomain}"} + mojaloop_connnector_fqdns = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "external" ? "conn-${pm4ml.pm4ml}.${var.public_subdomain}" : "conn-${pm4ml.pm4ml}.${var.private_subdomain}" } + test_fqdns = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "external" ? "test-${pm4ml.pm4ml}.${var.public_subdomain}" : "test-${pm4ml.pm4ml}.${var.private_subdomain}" } + pm4ml_ttk_frontend_fqdns = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "external" ? "ttkfront-${pm4ml.pm4ml}.${var.public_subdomain}" : "ttkfront-${pm4ml.pm4ml}.${var.private_subdomain}" } + pm4ml_ttk_backend_fqdns = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "external" ? 
"ttkback-${pm4ml.pm4ml}.${var.public_subdomain}" : "ttkback-${pm4ml.pm4ml}.${var.private_subdomain}"} + pm4ml_pta_portal_fqdns = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "external" ? "pta-portal-${pm4ml.pm4ml}.${var.public_subdomain}" : "pta-portal-${pm4ml.pm4ml}.${var.private_subdomain}"} + + pm4ml_istio_gateway_namespaces = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "external" ? var.istio_external_gateway_namespace : var.istio_internal_gateway_namespace } + pm4ml_istio_wildcard_gateway_names = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "external" ? var.istio_external_wildcard_gateway_name : var.istio_internal_wildcard_gateway_name } + pm4ml_istio_gateway_names = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "external" ? var.istio_external_gateway_name : var.istio_internal_gateway_name } + + pm4ml_internal_wildcard_admin_portal_hosts = [for pm4ml in local.pm4ml_var_map : local.admin_portal_fqdns[pm4ml.pm4ml] if local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "internal"] + pm4ml_external_wildcard_admin_portal_hosts = [for pm4ml in local.pm4ml_var_map : local.admin_portal_fqdns[pm4ml.pm4ml] if local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "external"] + pm4ml_internal_wildcard_portal_hosts = [for pm4ml in local.pm4ml_var_map : local.portal_fqdns[pm4ml.pm4ml] if local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "internal"] + pm4ml_external_wildcard_portal_hosts = [for pm4ml in local.pm4ml_var_map : local.portal_fqdns[pm4ml.pm4ml] if local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "external"] + pm4ml_internal_wildcard_exp_hosts = [for pm4ml in local.pm4ml_var_map : local.experience_api_fqdns[pm4ml.pm4ml] if local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "internal"] + pm4ml_external_wildcard_exp_hosts = [for pm4ml in local.pm4ml_var_map : 
local.experience_api_fqdns[pm4ml.pm4ml] if local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "external"] } variable "app_var_map" { type = any } -variable "portal_fqdns" { - description = "fqdns for pm4ml portal" -} -variable "admin_portal_fqdns" { - description = "fqdns for pm4ml admin portal" -} + variable "auth_fqdn" { type = string } @@ -123,25 +142,7 @@ variable "auth_fqdn" { variable "oathkeeper_auth_provider_name" { type = string } -variable "experience_api_fqdns" { - description = "fqdns for pm4ml experience api" -} -variable "mojaloop_connnector_fqdns" { - description = "fqdns for pm4ml connector" -} -variable "test_fqdns" { - description = "fqdns for pm4ml test" -} -variable "ttk_backend_fqdns" { - description = "fqdns for pm4ml ttk back" -} -variable "ttk_frontend_fqdns" { - description = "fqdns for pm4ml ttk front" -} -variable "pta_portal_fqdns" { - description = "fqdns for pm4ml payment token adapter portal" -} variable "pm4ml_vault_k8s_role_name" { description = "vault k8s role name for pm4ml" type = string @@ -241,18 +242,6 @@ variable "portal_admin_secret_prefix" { type = string } -variable "pm4ml_istio_gateway_namespaces" { - description = "fqdns for pm4ml portal" -} - -variable "pm4ml_istio_wildcard_gateway_names" { - description = "fqdns for pm4ml portal" -} - -variable "pm4ml_istio_gateway_names" { - description = "fqdns for pm4ml portal" -} - locals { nat_cidr_list = join(", ", [for ip in var.nat_public_ips : format("%s/32", ip)]) } diff --git a/terraform/gitops/pm4ml/variables.tf b/terraform/gitops/pm4ml/variables.tf index 114d760c5..eb933542d 100644 --- a/terraform/gitops/pm4ml/variables.tf +++ b/terraform/gitops/pm4ml/variables.tf @@ -20,7 +20,7 @@ variable "gitlab_project_url" { } variable "nat_public_ips" { - type = list + type = list(any) description = "nat_public_ips" } variable "internal_load_balancer_dns" { 
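Review bot: Each of the eight `*_fqdns` maps in hunk `@@ -104,18 +104,37 @@` repeats the same `== "external" ? var.public_subdomain : var.private_subdomain` choice, so the decision of which DNS zone a pm4ml host is published in is spelled out eight times and can drift between maps. Computing one `pm4ml_subdomains` map and deriving every hostname from it keeps the internal/external decision in a single place; the resulting keys and values are identical to the current ones. `pm4ml_wildcard_gateways` also reads `pm4ml.pm4ml_ingress_internal_lb` without the `try(..., true)` fallback this patch uses for `mojaloop_ingress_internal_lb`, so a pm4ml entry missing the key fails the plan instead of defaulting to internal — presumably deliberate, but worth a one-line comment. The locals block starts and ends inside the hunk.
```hcl
# … unchanged: pm4ml_template_path, pm4ml_app_file, pm4ml_var_map, pm4ml_wildcard_gateways …
# one decision per pm4ml: which DNS zone its hosts live in
pm4ml_subdomains = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "external" ? var.public_subdomain : var.private_subdomain }

portal_fqdns              = { for name, sub in local.pm4ml_subdomains : name => "portal-${name}.${sub}" }
admin_portal_fqdns        = { for name, sub in local.pm4ml_subdomains : name => "admin-portal-${name}.${sub}" }
experience_api_fqdns      = { for name, sub in local.pm4ml_subdomains : name => "exp-${name}.${sub}" }
mojaloop_connnector_fqdns = { for name, sub in local.pm4ml_subdomains : name => "conn-${name}.${sub}" }
test_fqdns                = { for name, sub in local.pm4ml_subdomains : name => "test-${name}.${sub}" }
pm4ml_ttk_frontend_fqdns  = { for name, sub in local.pm4ml_subdomains : name => "ttkfront-${name}.${sub}" }
pm4ml_ttk_backend_fqdns   = { for name, sub in local.pm4ml_subdomains : name => "ttkback-${name}.${sub}" }
pm4ml_pta_portal_fqdns    = { for name, sub in local.pm4ml_subdomains : name => "pta-portal-${name}.${sub}" }
# … unchanged: pm4ml_istio_* maps and *_wildcard_*_hosts lists …
```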
@@ -82,14 +82,6 @@ variable "kv_path" { default = "secret" } -variable "external_interop_switch_fqdn" { - description = "fqdn for interop ext" -} - -variable "internal_interop_switch_fqdn" { - description = "fqdn for interop int" -} - variable "internal_ingress_class_name" { type = string description = "nginx_internal_namespace" @@ -153,11 +145,11 @@ variable "vault_namespace" { description = "vault_namespace" } variable "cert_manager_namespace" { - type = string + type = string description = "cert_manager_namespace" } variable "vault_certman_secretname" { description = "secret name to create for tls offloading via certmanager" type = string default = "vault-tls-cert" -} \ No newline at end of file +} diff --git a/terraform/gitops/pm4ml/vault-pki-setup.tf b/terraform/gitops/pm4ml/vault-pki-setup.tf index 458965e68..9708709fd 100644 --- a/terraform/gitops/pm4ml/vault-pki-setup.tf +++ b/terraform/gitops/pm4ml/vault-pki-setup.tf @@ -8,7 +8,6 @@ module "generate_vault_pki_setup_files" { cert_manager_service_account_name = var.cert_manager_service_account_name gitlab_project_url = var.gitlab_project_url cert_manager_cluster_issuer_role_name = var.cert_manager_cluster_issuer_role_name - interop_switch_fqdn = var.external_interop_switch_fqdn vault_root_ca_name = var.vault_root_ca_name pki_server_cert_role = var.pki_server_cert_role pki_client_cert_role = var.pki_client_cert_role @@ -24,8 +23,8 @@ module "generate_vault_pki_setup_files" { } locals { - vault_pki_template_path = "${path.module}/../generate-files/templates/vault-pki-setup" - vault_pki_app_file = "vault-pki-app.yaml" + vault_pki_template_path = "${path.module}/../generate-files/templates/vault-pki-setup" + vault_pki_app_file = "vault-pki-app.yaml" } @@ -77,4 +76,4 @@ variable "vault_pki_sync_wave" { variable "local_vault_kv_root_path" { description = "vault kv secret root" type = string -} \ No newline at end of file +} 
diff --git a/terraform/gitops/vnext/mcm.tf b/terraform/gitops/vnext/mcm.tf
index 34db4050f..d8876fc3d 100644
--- a/terraform/gitops/vnext/mcm.tf
+++ b/terraform/gitops/vnext/mcm.tf
@@ -8,10 +8,10 @@ module "generate_mcm_files" {
 db_schema = module.vnext_stateful_resources.stateful_resources[local.mcm_resource_index].logical_service_config.database_name
 db_port = module.vnext_stateful_resources.stateful_resources[local.mcm_resource_index].logical_service_config.logical_service_port
 db_host = "${module.vnext_stateful_resources.stateful_resources[local.mcm_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local"
- mcm_fqdn = var.mcm_fqdn
- mcm_istio_gateway_namespace = var.mcm_istio_gateway_namespace
- mcm_istio_wildcard_gateway_name = var.mcm_istio_wildcard_gateway_name
- mcm_istio_gateway_name = var.mcm_istio_gateway_name
+ mcm_fqdn = local.mcm_fqdn
+ mcm_istio_gateway_namespace = local.mcm_istio_gateway_namespace
+ mcm_istio_wildcard_gateway_name = local.mcm_istio_wildcard_gateway_name
+ mcm_istio_gateway_name = local.mcm_istio_gateway_name
 fspiop_use_ory_for_auth = var.fspiop_use_ory_for_auth
 env_name = var.cluster_name
 env_cn = var.public_subdomain
@@ -34,7 +34,7 @@ module "generate_mcm_files" {
 public_subdomain = var.public_subdomain
 enable_oidc = var.enable_mcm_oidc
 mcm_sync_wave = var.mcm_sync_wave
- ingress_class = var.mcm_ingress_internal_lb ? var.internal_ingress_class_name : var.external_ingress_class_name
+ ingress_class = try(var.app_var_map.mcm_ingress_internal_lb, false) ? var.internal_ingress_class_name : var.external_ingress_class_name
 istio_create_ingress_gateways = var.istio_create_ingress_gateways
 pki_path = var.vault_root_ca_name
 dfsp_client_cert_bundle = local.dfsp_client_cert_bundle
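Review bot: `ingress_class = try(var.app_var_map.mcm_ingress_internal_lb, false) ? …` in hunk `@@ -34,7 +34,7 @@` evaluates the same fallback that `mcm_wildcard_gateway` in the locals hunk (`@@ -238,8 +213,13 @@`) evaluates again, and that fallback decides whether MCM is published on the internal or the external ingress. Deriving it from the local, `ingress_class = local.mcm_wildcard_gateway == "internal" ? var.internal_ingress_class_name : var.external_ingress_class_name`, guarantees the ingress class and the Istio gateway selection can never disagree if one default is later edited. The `false` default (external exposure when the key is absent) matches the removed `mcm_ingress_internal_lb` variable, while `mojaloop_ingress_internal_lb` and `vnext_ingress_internal_lb` default to `true` elsewhere in this patch; a comment on the local such as `# mcm is published on the external ingress unless app_var_map sets mcm_ingress_internal_lb` would make that asymmetry explicit. The module block starts and ends outside the hunk.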
@@ -60,7 +60,7 @@ module "generate_mcm_files" { mcm_wildcard_gateway = local.mcm_wildcard_gateway istio_external_gateway_name = var.istio_external_gateway_name private_network_cidr = var.private_network_cidr - interop_switch_fqdn = var.external_interop_switch_fqdn + interop_switch_fqdn = local.external_interop_switch_fqdn keycloak_fqdn = var.keycloak_fqdn keycloak_dfsp_realm_name = var.keycloak_dfsp_realm_name keycloak_hubop_realm_name = var.keycloak_hubop_realm_name @@ -77,7 +77,7 @@ module "generate_mcm_files" { internal_load_balancer_dns = var.internal_load_balancer_dns external_load_balancer_dns = var.external_load_balancer_dns istio_internal_gateway_name = var.istio_internal_gateway_name - int_interop_switch_fqdn = var.internal_interop_switch_fqdn + int_interop_switch_fqdn = local.internal_interop_switch_fqdn mojaloop_namespace = var.vnext_namespace mojaloop_release_name = var.vnext_release_name onboarding_collection_tag = var.app_var_map.onboarding_collection_tag @@ -99,11 +99,6 @@ variable "mcm_enabled" { type = bool default = true } -variable "mcm_ingress_internal_lb" { - type = bool - description = "mcm_ingress_internal_lb" - default = false -} variable "enable_mcm_oidc" { type = bool default = false @@ -210,26 +205,6 @@ variable "keycloak_namespace" { description = "namespace of keycloak in which to create realm" } -variable "mcm_fqdn" { - type = string - description = "hostname for mcm" -} - -variable "mcm_istio_wildcard_gateway_name" { - type = string - default = "" -} - -variable "mcm_istio_gateway_namespace" { - type = string - default = "" -} - -variable "mcm_istio_gateway_name" { - type = string - default = "" -} - variable "fspiop_use_ory_for_auth" { type = bool } 
@@ -238,8 +213,13 @@ locals { mcm_template_path = "${path.module}/../generate-files/templates/mcm" mcm_app_file = "mcm-app.yaml" mcm_resource_index = index(module.vnext_stateful_resources.stateful_resources.*.resource_name, "mcm-db") - mcm_wildcard_gateway = var.mcm_ingress_internal_lb ? "internal" : "external" + mcm_wildcard_gateway = try(var.app_var_map.mcm_ingress_internal_lb, false) ? "internal" : "external" dfsp_client_cert_bundle = "${local.onboarding_secret_path}_pm4mls" dfsp_internal_whitelist_secret = "${local.whitelist_secret_path}_pm4mls" dfsp_external_whitelist_secret = "${local.whitelist_secret_path}_fsps" + + mcm_fqdn = local.mcm_wildcard_gateway == "external" ? "mcm.${var.public_subdomain}" : "mcm.${var.private_subdomain}" + mcm_istio_gateway_namespace = local.mcm_wildcard_gateway == "external" ? var.istio_external_gateway_namespace : var.istio_internal_gateway_namespace + mcm_istio_wildcard_gateway_name = local.mcm_wildcard_gateway == "external" ? var.istio_external_wildcard_gateway_name : var.istio_internal_wildcard_gateway_name + mcm_istio_gateway_name = local.mcm_wildcard_gateway == "external" ? var.istio_external_gateway_name : var.istio_internal_gateway_name } diff --git a/terraform/gitops/vnext/variables.tf b/terraform/gitops/vnext/variables.tf index 8a00055c3..dc4e5bbec 100644 --- a/terraform/gitops/vnext/variables.tf +++ b/terraform/gitops/vnext/variables.tf @@ -82,14 +82,6 @@ variable "kv_path" { default = "secret" } -variable "external_interop_switch_fqdn" { - description = "fqdn for interop ext" -} - -variable "internal_interop_switch_fqdn" { - description = "fqdn for interop int" -} - variable "internal_ingress_class_name" { type = string description = "nginx_internal_namespace" diff --git a/terraform/gitops/vnext/vault-pki-setup.tf b/terraform/gitops/vnext/vault-pki-setup.tf index 6bfc8c0da..f27754b11 100644 --- a/terraform/gitops/vnext/vault-pki-setup.tf +++ b/terraform/gitops/vnext/vault-pki-setup.tf 
@@ -9,7 +9,6 @@ module "generate_vault_pki_setup_files" {
 cert_manager_service_account_name = var.cert_manager_service_account_name
 gitlab_project_url = var.gitlab_project_url
 cert_manager_cluster_issuer_role_name = var.cert_manager_cluster_issuer_role_name
- interop_switch_fqdn = var.external_interop_switch_fqdn
 vault_root_ca_name = var.vault_root_ca_name
 pki_server_cert_role = var.pki_server_cert_role
 pki_client_cert_role = var.pki_client_cert_role
diff --git a/terraform/gitops/vnext/vnext.tf b/terraform/gitops/vnext/vnext.tf
index 0ed75320f..ebc65134d 100644
--- a/terraform/gitops/vnext/vnext.tf
+++ b/terraform/gitops/vnext/vnext.tf
@@ -7,8 +7,8 @@ module "generate_vnext_files" {
 vnext_chart_version = try(var.app_var_map.vnext_chart_version, var.vnext_chart_version)
 vnext_release_name = var.vnext_release_name
 vnext_namespace = var.vnext_namespace
- interop_switch_fqdn = var.external_interop_switch_fqdn
- int_interop_switch_fqdn = var.internal_interop_switch_fqdn
+ interop_switch_fqdn = local.external_interop_switch_fqdn
+ int_interop_switch_fqdn = local.internal_interop_switch_fqdn
 storage_class_name = var.storage_class_name
 vnext_sync_wave = var.vnext_sync_wave
 vault_certman_secretname = var.vault_certman_secretname
@@ -22,10 +22,10 @@ module "generate_vnext_files" {
 vnext_wildcard_gateway = local.vnext_wildcard_gateway
 keycloak_fqdn = var.keycloak_fqdn
 keycloak_realm_name = var.keycloak_hubop_realm_name
- ttk_frontend_fqdn = var.ttk_frontend_fqdn
- ttk_backend_fqdn = var.ttk_backend_fqdn
- ttk_istio_wildcard_gateway_name = var.ttk_istio_wildcard_gateway_name
- ttk_istio_gateway_namespace = var.ttk_istio_gateway_namespace
+ ttk_frontend_fqdn = local.ttk_frontend_fqdn
+ ttk_backend_fqdn = local.ttk_backend_fqdn
+ ttk_istio_wildcard_gateway_name = local.ttk_istio_wildcard_gateway_name
+ ttk_istio_gateway_namespace = local.ttk_istio_gateway_namespace
 kafka_host = "${module.vnext_stateful_resources.stateful_resources[local.vnext_kafka_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local"
 kafka_port = module.vnext_stateful_resources.stateful_resources[local.vnext_kafka_resource_index].logical_service_config.logical_service_port
 redis_host = "${module.vnext_stateful_resources.stateful_resources[local.vnext_redis_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local"
@@ -46,7 +46,6 @@ module "generate_vnext_files" {
 keto_read_url = "http://keto-read.${var.ory_namespace}.svc.cluster.local:80"
 keto_write_url = "http://keto-write.${var.ory_namespace}.svc.cluster.local:80"
 kratos_service_name = "kratos-public.${var.ory_namespace}.svc.cluster.local"
- portal_fqdn = var.finance_portal_fqdn
 finance_portal_release_name = "fin-portal"
 finance_portal_chart_version = try(var.app_var_map.finance_portal_chart_version, var.finance_portal_chart_version)
 oathkeeper_auth_provider_name = var.oathkeeper_auth_provider_name
@@ -64,9 +63,9 @@ module "generate_vnext_files" {
 jws_rotation_renew_before_hours = try(var.app_var_map.jws_rotation_renew_before_hours, var.jws_rotation_renew_before_hours)
 jws_rotation_period_hours = try(var.app_var_map.jws_rotation_period_hours, var.jws_rotation_period_hours)
 mcm_hub_jws_endpoint = "http://mcm-connection-manager-api.${var.mcm_namespace}.svc.cluster.local:3001/api/hub/jwscerts"
- vnext_admin_ui_fqdn = var.vnext_admin_ui_fqdn
- vnext_istio_gateway_namespace = var.vnext_istio_gateway_namespace
- vnext_istio_wildcard_gateway_name = var.vnext_istio_wildcard_gateway_name
+ vnext_admin_ui_fqdn = local.vnext_admin_ui_fqdn
+ vnext_istio_gateway_namespace = local.vnext_istio_gateway_namespace
+ vnext_istio_wildcard_gateway_name = local.vnext_istio_wildcard_gateway_name
 }
 file_list = [for f in fileset(local.vnext_template_path, "**/*.tpl") : trimsuffix(f, ".tpl") if !can(regex(local.vnext_app_file, f))]
 template_path = local.vnext_template_path
@@ -77,14 +76,24 @@ module "generate_vnext_files" { locals { - vnext_template_path = "${path.module}/../generate-files/templates/vnext" - vnext_app_file = "vnext-app.yaml" - vnext_kafka_resource_index = index(module.vnext_stateful_resources.stateful_resources.*.resource_name, "vnext-kafka") - vnext_redis_resource_index = index(module.vnext_stateful_resources.stateful_resources.*.resource_name, "vnext-redis") - vnext_mongodb_resource_index = index(module.vnext_stateful_resources.stateful_resources.*.resource_name, "vnext-mongodb") - vnext_wildcard_gateway = var.vnext_ingress_internal_lb ? "internal" : "external" - apiResources = yamldecode(file(var.rbac_api_resources_file)) - jws_key_secret = "switch-jws" + vnext_wildcard_gateway = try(var.app_var_map.vnext_ingress_internal_lb, true) ? "internal" : "external" + vnext_admin_ui_fqdn = local.vnext_wildcard_gateway == "external" ? "vnext-admin.${var.public_subdomain}" : "vnext-admin.${var.private_subdomain}" + vnext_istio_gateway_namespace = local.vnext_wildcard_gateway == "external" ? var.istio_external_gateway_namespace : var.istio_internal_gateway_namespace + vnext_istio_wildcard_gateway_name = local.vnext_wildcard_gateway == "external" ? var.istio_external_wildcard_gateway_name : var.istio_internal_wildcard_gateway_name + + ttk_frontend_fqdn = local.vnext_wildcard_gateway == "external" ? "ttkfrontend.${var.public_subdomain}" : "ttkfrontend.${var.private_subdomain}" + ttk_backend_fqdn = local.vnext_wildcard_gateway == "external" ? "ttkbackend.${var.public_subdomain}" : "ttkbackend.${var.private_subdomain}" + ttk_istio_wildcard_gateway_name = local.vnext_wildcard_gateway == "external" ? var.istio_external_wildcard_gateway_name : var.istio_internal_wildcard_gateway_name + ttk_istio_gateway_namespace = local.vnext_wildcard_gateway == "external" ? 
var.istio_external_gateway_namespace : var.istio_internal_gateway_namespace + external_interop_switch_fqdn = "extapi.${var.public_subdomain}" + internal_interop_switch_fqdn = "intapi.${var.private_subdomain}" + vnext_template_path = "${path.module}/../generate-files/templates/vnext" + vnext_app_file = "vnext-app.yaml" + vnext_kafka_resource_index = index(module.vnext_stateful_resources.stateful_resources.*.resource_name, "vnext-kafka") + vnext_redis_resource_index = index(module.vnext_stateful_resources.stateful_resources.*.resource_name, "vnext-redis") + vnext_mongodb_resource_index = index(module.vnext_stateful_resources.stateful_resources.*.resource_name, "vnext-mongodb") + apiResources = yamldecode(file(var.rbac_api_resources_file)) + jws_key_secret = "switch-jws" } variable "app_var_map" { @@ -96,12 +105,6 @@ variable "vnext_enabled" { default = true } -variable "vnext_ingress_internal_lb" { - type = bool - description = "vnext_ingress_internal_lb" - default = true -} - variable "vnext_chart_repo" { description = "repo for vnext charts" type = string @@ -135,17 +138,6 @@ variable "vnext_sync_wave" { default = "0" } -variable "ttk_frontend_fqdn" { - type = string -} -variable "ttk_backend_fqdn" { - type = string -} - -variable "vnext_admin_ui_fqdn" { - type = string -} - variable "auth_fqdn" { type = string } @@ -153,10 +145,6 @@ variable "ory_namespace" { type = string } -variable "finance_portal_fqdn" { - type = string -} - variable "bof_release_name" { type = string } @@ -203,23 +191,3 @@ variable "ttk_gp_testcase_labels" { type = string default = "p2p" } - -variable "ttk_istio_wildcard_gateway_name" { - type = string - default = "" -} - -variable "ttk_istio_gateway_namespace" { - type = string - default = "" -} - -variable "vnext_istio_wildcard_gateway_name" { - type = string - default = "" -} - -variable "vnext_istio_gateway_namespace" { - type = string - default = "" -} \ No newline at end of file 
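Review bot: The `ttk_frontend_fqdn`, `ttk_backend_fqdn`, `external_interop_switch_fqdn` and `internal_interop_switch_fqdn` locals added in hunk `@@ -77,14 +76,24 @@` are hard-coded to the same hostnames (`ttkfrontend.*`, `ttkbackend.*`, `extapi.*`, `intapi.*`) that the mojaloop module's locals hunk (`@@ -200,8 +202,29 @@`) in this patch also produces, whereas the variables they replace were supplied from outside and could be kept distinct per module. If both modules are ever enabled against one cluster they would presumably claim the same hosts on the same wildcard gateway; if only one of the two is expected per cluster, record that with `# hostnames are shared with the mojaloop module; only one of the two is deployed per cluster` above the block. The TTK gateway selection now also follows `vnext_wildcard_gateway` rather than the removed `ttk_istio_*` variables, which is a behaviour change rather than a pure refactor. The locals block starts and ends inside the hunk.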
diff --git a/terraform/k8s/default-config/common-vars.yaml b/terraform/k8s/default-config/common-vars.yaml
index 11ba4b20c..ec6c54b67 100644
--- a/terraform/k8s/default-config/common-vars.yaml
+++ b/terraform/k8s/default-config/common-vars.yaml
@@ -34,4 +34,5 @@ prometheus_retention_period: 10d
 istio_egress_gateway_max_replicas: 5
 microk8s_version: 1.29/stable
 alertmanager_enabled: false
+istio_proxy_log_level: warn
 longhorn_backup_job_enabled: true
diff --git a/terraform/k8s/default-config/mojaloop-values-override.yaml b/terraform/k8s/default-config/mojaloop-values-override.yaml
new file mode 100644
index 000000000..b25990de3
--- /dev/null
+++ b/terraform/k8s/default-config/mojaloop-values-override.yaml
@@ -0,0 +1,216 @@ +account-lookup-service: + account-lookup-service: + replicaCount: 12 + config: + event_log_filter: "" + readinessProbe: + initialDelaySeconds: 5 + livenessProbe: + initialDelaySeconds: 5 + sidecar: + readinessProbe: + initialDelaySeconds: 5 + livenessProbe: + initialDelaySeconds: 5 + account-lookup-service-admin: + replicaCount: 1 +quoting-service: + quoting-service: + replicaCount: 4 + config: + event_log_filter: "" + readinessProbe: + initialDelaySeconds: 5 + livenessProbe: + initialDelaySeconds: 5 + sidecar: + readinessProbe: + initialDelaySeconds: 5 + livenessProbe: + initialDelaySeconds: 5 + quoting-service-handler: + replicaCount: 12 + config: + event_log_filter: "" + readinessProbe: + initialDelaySeconds: 5 + livenessProbe: + initialDelaySeconds: 5 + sidecar: + readinessProbe: + initialDelaySeconds: 5 + livenessProbe: + initialDelaySeconds: 5 +ml-api-adapter: + ml-api-adapter-service: + replicaCount: 4 + config: + event_log_filter: "" + ml-api-adapter-handler-notification: + replicaCount: 12 + config: + event_log_filter: "" +centralledger: + centralledger-service: + replicaCount: 8 + config: + event_log_filter: "" + readinessProbe: + initialDelaySeconds: 5 + livenessProbe: + initialDelaySeconds: 5 + sidecar: + readinessProbe: + initialDelaySeconds: 5 + livenessProbe: + initialDelaySeconds: 5 + centralledger-handler-transfer-prepare: + replicaCount: 12 + config: + event_log_filter: "" + readinessProbe: + initialDelaySeconds: 5 + livenessProbe: + initialDelaySeconds: 5 + sidecar: + readinessProbe: + initialDelaySeconds: 5 + livenessProbe: + initialDelaySeconds: 5 + centralledger-handler-transfer-position: + replicaCount: 8 + config: + event_log_filter: "" + readinessProbe: + initialDelaySeconds: 5 + livenessProbe: + initialDelaySeconds: 5 + sidecar: + readinessProbe: + initialDelaySeconds: 5 + livenessProbe: + initialDelaySeconds: 5 + centralledger-handler-transfer-position-batch: + replicaCount: 12 + config: + event_log_filter: "" + 
readinessProbe: + initialDelaySeconds: 5 + livenessProbe: + initialDelaySeconds: 5 + sidecar: + readinessProbe: + initialDelaySeconds: 5 + livenessProbe: + initialDelaySeconds: 5 + centralledger-handler-transfer-get: + replicaCount: 1 + config: + event_log_filter: "" + readinessProbe: + initialDelaySeconds: 5 + livenessProbe: + initialDelaySeconds: 5 + sidecar: + readinessProbe: + initialDelaySeconds: 5 + livenessProbe: + initialDelaySeconds: 5 + centralledger-handler-transfer-fulfil: + replicaCount: 12 + config: + event_log_filter: "" + readinessProbe: + initialDelaySeconds: 5 + livenessProbe: + initialDelaySeconds: 5 + sidecar: + readinessProbe: + initialDelaySeconds: 5 + livenessProbe: + initialDelaySeconds: 5 + centralledger-handler-timeout: + config: + event_log_filter: "" + readinessProbe: + initialDelaySeconds: 5 + livenessProbe: + initialDelaySeconds: 5 + sidecar: + readinessProbe: + initialDelaySeconds: 5 + livenessProbe: + initialDelaySeconds: 5 + centralledger-handler-admin-transfer: + replicaCount: 1 + readinessProbe: + initialDelaySeconds: 5 + livenessProbe: + initialDelaySeconds: 5 + sidecar: + readinessProbe: + initialDelaySeconds: 5 + livenessProbe: + initialDelaySeconds: 5 +centralsettlement: + centralsettlement-service: + replicaCount: 1 + config: + event_log_filter: "" + centralsettlement-handler-deferredsettlement: + replicaCount: 1 + config: + event_log_filter: "" + centralsettlement-handler-grosssettlement: + replicaCount: 1 + config: + event_log_filter: "" + centralsettlement-handler-rules: + replicaCount: 1 + config: + event_log_filter: "" +transaction-requests-service: + replicaCount: 4 + readinessProbe: + initialDelaySeconds: 5 + livenessProbe: + initialDelaySeconds: 5 + sidecar: + readinessProbe: + initialDelaySeconds: 5 + livenessProbe: + initialDelaySeconds: 5 +thirdparty: + auth-svc: + replicaCount: 1 + consent-oracle: + replicaCount: 1 + tp-api-svc: + replicaCount: 1 +mojaloop-bulk: + bulk-api-adapter: + bulk-api-adapter-service: + 
replicaCount: 1 + config: + event_log_filter: "" + bulk-api-adapter-handler-notification: + replicaCount: 1 + config: + event_log_filter: "" + bulk-centralledger: + cl-handler-bulk-transfer-prepare: + replicaCount: 1 + config: + event_log_filter: "" + cl-handler-bulk-transfer-fulfil: + replicaCount: 1 + config: + event_log_filter: "" + cl-handler-bulk-transfer-processing: + replicaCount: 1 + config: + event_log_filter: "" + cl-handler-bulk-transfer-get: + replicaCount: 1 + config: + event_log_filter: "" diff --git a/terraform/k8s/default-config/mojaloop-vars.yaml b/terraform/k8s/default-config/mojaloop-vars.yaml index d1f38bf19..bd62df7e4 100644 --- a/terraform/k8s/default-config/mojaloop-vars.yaml +++ b/terraform/k8s/default-config/mojaloop-vars.yaml 
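Review bot: Every component in the new `mojaloop-values-override.yaml` sets `livenessProbe.initialDelaySeconds: 5`, the same value as its readiness probe, so the kubelet starts judging liveness at the same moment it starts judging readiness. A handler that is still initialising when the liveness window closes (after `failureThreshold` failed probes) is restarted, and a restart loop on the `centralledger-handler-transfer-*` handlers would present as an outage rather than a slow start; keep the liveness delay above the readiness delay, or document why 5 seconds is known to be sufficient for these images. The file also has no header comment; `# Performance-profile overrides layered on top of the generated values-mojaloop.yaml; located via CONFIG_PATH by gitops-build/terragrunt.hcl` at the top would say where it is consumed. What `event_log_filter: ""` switches off cannot be inferred from this patch, so a one-line comment on its first occurrence would help the next reader.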
@@ -4,34 +4,6 @@ mcm_chart_version: 0.7.7
 mojaloop_chart_version: 16.0.0
 mcm_ingress_internal_lb: false
 mojaloop_ingress_internal_lb: true
-#replica counts
-account_lookup_service_replica_count: 1
-account_lookup_service_admin_replica_count: 1
-quoting_service_replica_count: 1
-quoting_service_handler_replica_count: 1
-ml_api_adapter_service_replica_count: 1
-ml_api_adapter_handler_notifications_replica_count: 1
-central_ledger_service_replica_count: 1
-central_ledger_handler_transfer_prepare_replica_count: 1
-central_ledger_handler_transfer_position_replica_count: 1
-central_ledger_handler_transfer_position_batch_replica_count: 1
-central_ledger_handler_transfer_get_replica_count: 1
-central_ledger_handler_transfer_fulfil_replica_count: 1
-central_ledger_handler_admin_transfer_replica_count: 1
-central_settlement_service_replica_count: 1
-central_settlement_handler_deferredsettlement_replica_count: 1
-central_settlement_handler_grosssettlement_replica_count: 1
-central_settlement_handler_rules_replica_count: 1
-trasaction_requests_service_replica_count: 1
-auth_service_replica_count: 1
-consent_oracle_replica_count: 1
-tp_api_svc_replica_count: 1
-bulk_api-adapter_service_replica_count: 1
-bulk_api_adapter_handler_notification_replica_count: 1
-cl_handler_bulk_transfer_prepare_replica_count: 1
-cl_handler_bulk_transfer_fulfil_replica_count: 1
-cl_handler_bulk_transfer_processing_replica_count: 1
-cl_handler_bulk_transfer_get_replica_count: 1
 onboarding_collection_tag: 15.2.0
 grafana_dashboard_tag: 15.2.0
 enable_istio_injection: true
diff --git a/terraform/k8s/gitops-build/terragrunt.hcl b/terraform/k8s/gitops-build/terragrunt.hcl
index 0d02611e3..0d23bbdad 100644
--- a/terraform/k8s/gitops-build/terragrunt.hcl
+++ b/terraform/k8s/gitops-build/terragrunt.hcl
@@ -2,7 +2,6 @@ terraform { source = "git::https://github.com/mojaloop/iac-modules.git//terraform/gitops/k8s-cluster-config?ref=${get_env("iac_terraform_modules_tag")}" } - include "root" { path = find_in_parent_folders() } @@ -15,7 +14,7 @@ dependency "k8s_store_config" { dependency "k8s_deploy" { config_path = "../k8s-deploy" mock_outputs = { - nat_public_ips = [""] + nat_public_ips = [""] internal_load_balancer_dns = "" external_load_balancer_dns = "" private_subdomain = "" @@ -63,6 +62,7 @@ inputs = { stateful_resources_config_file = find_in_parent_folders("${get_env("CONFIG_PATH")}/common-stateful-resources.json") mojaloop_stateful_resources_config_file = find_in_parent_folders("${get_env("CONFIG_PATH")}/mojaloop-stateful-resources.json") vnext_stateful_resources_config_file = find_in_parent_folders("${get_env("CONFIG_PATH")}/vnext-stateful-resources.json") + mojaloop_values_override_file = find_in_parent_folders("${get_env("CONFIG_PATH")}/mojaloop-values-override.yaml", "mojaloop-values-override.yaml") current_gitlab_project_id = local.GITLAB_CURRENT_PROJECT_ID gitlab_group_name = local.GITLAB_CURRENT_GROUP_NAME gitlab_api_url = local.GITLAB_API_URL From 2d8a758d688594ff41ff5deebcd2599d125d3e48 Mon Sep 17 00:00:00 2001 
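Review bot: The second argument to `find_in_parent_folders` in the `inputs` hunk is a fallback value, not a second search path — when no `mojaloop-values-override.yaml` exists above `CONFIG_PATH`, `mojaloop_values_override_file` becomes the bare string `mojaloop-values-override.yaml`, which the module will resolve against its own working directory. If the module reads it with `file()`/`yamldecode(file(...))` (not visible here), every environment that has not created an override fails at plan time with a misleading "file not found" on that relative name. Either guard the read in the module with `fileexists(var.mojaloop_values_override_file)` or fall back to a path that always exists, such as the default-config copy that the diffstat of the next patch shows at `terraform/k8s/default-config/mojaloop-values-override.yaml`. Note that the revert in patch 113 below removes this input again, so whichever form survives should carry the guard.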
From: David Fry Date: Fri, 19 Apr 2024 17:34:03 +0200 Subject: [PATCH 112/201] first draft override kustomization (#225) * update configs for performance * update configs for performance * first draft patch kustomization * cleanup naming * add istio log config * rm values from default * fix: scale account lookup service * rebase kustomization refactor for mojaloop (#233) * Fix/refactor igw (#228) * fixing grafna oidc * fixing non existing index * app-deploy refactoring * Removing unwanted variable assignements * Removing unwanted variable definition * Inclding variable finanace_portal_ingress_internal_lb in vnext * removing fin portal fqdn * Removing fin_portal assignment in vnext * Removing the var definition * Removing the var definition from mojaloop * Moving pm4ml_keycloak_realm_env_secret_map * Removing local var definition from app deploy * Removing duplicate pm4ml_var_map * Fixing variable issues * removing the first two from allowedurllist * rm interop vars not needed anymore * Removing the commented line * cleanup internal/external lb vars --------- Co-authored-by: Sijo George <87609749+sijo5722-2021@users.noreply.github.com> Co-authored-by: Sijo George --------- Co-authored-by: Kalin Krustev Co-authored-by: Sijo George <87609749+sijo5722-2021@users.noreply.github.com> Co-authored-by: Sijo George From 8e4997ef7493e06006795dbb23b8bb4affd5b76c Mon Sep 17 00:00:00 2001 
From: David Fry Date: Fri, 19 Apr 2024 17:46:53 +0100 Subject: [PATCH 113/201] Revert "Draft - Refactoring app-deploy.tf (#229)" This reverts commit 1b54a10f902db07c8163a281ab67fb066b5befd6. --- .../istio-main/values-istio-istiod.yaml.tpl | 4 +- .../templates/mojaloop/kustomization.yaml.tpl | 1 - .../values-mojaloop-override.yaml.tpl | 1 - .../mojaloop/values-mojaloop.yaml.tpl | 54 +++++ .../templates/ory/values-kratos.yaml.tpl | 7 +- .../gitops/k8s-cluster-config/app-deploy.tf | 130 ++++++++++- terraform/gitops/k8s-cluster-config/istio.tf | 5 - .../gitops/k8s-cluster-config/keycloak.tf | 20 -- terraform/gitops/k8s-cluster-config/ory.tf | 8 +- terraform/gitops/mojaloop/mcm.tf | 49 ++-- terraform/gitops/mojaloop/mojaloop.tf | 95 ++++---- terraform/gitops/mojaloop/variables.tf | 9 + terraform/gitops/mojaloop/vault-pki-setup.tf | 5 +- terraform/gitops/pm4ml/pm4ml.tf | 87 ++++--- terraform/gitops/pm4ml/variables.tf | 14 +- terraform/gitops/pm4ml/vault-pki-setup.tf | 7 +- terraform/gitops/vnext/mcm.tf | 46 ++-- terraform/gitops/vnext/variables.tf | 8 + terraform/gitops/vnext/vault-pki-setup.tf | 1 + terraform/gitops/vnext/vnext.tf | 86 ++++--- terraform/k8s/default-config/common-vars.yaml | 1 - .../mojaloop-values-override.yaml | 216 ------------------ .../k8s/default-config/mojaloop-vars.yaml | 28 +++ terraform/k8s/gitops-build/terragrunt.hcl | 4 +- 24 files changed, 480 insertions(+), 406 deletions(-) delete mode 100644 terraform/gitops/generate-files/templates/mojaloop/values-mojaloop-override.yaml.tpl delete mode 100644 terraform/k8s/default-config/mojaloop-values-override.yaml diff --git a/terraform/gitops/generate-files/templates/istio/istio-main/values-istio-istiod.yaml.tpl b/terraform/gitops/generate-files/templates/istio/istio-main/values-istio-istiod.yaml.tpl index 987206643..b98c95c30 100644 --- a/terraform/gitops/generate-files/templates/istio/istio-main/values-istio-istiod.yaml.tpl 
+++ b/terraform/gitops/generate-files/templates/istio/istio-main/values-istio-istiod.yaml.tpl @@ -309,7 +309,7 @@ global: # Per Component log level for proxy, applies to gateways and sidecars. If a component level is # not set, then the global "logLevel" will be used. - componentLogLevel: "misc:${istio_proxy_log_level}" + componentLogLevel: "misc:debug" # If set, newly injected sidecars will have core dumps enabled. enableCoreDump: false @@ -332,7 +332,7 @@ global: # Log level for proxy, applies to gateways and sidecars. # Expected values are: trace|debug|info|warning|error|critical|off - logLevel: ${istio_proxy_log_level} + logLevel: debug #If set to true, istio-proxy container will have privileged securityContext privileged: false diff --git a/terraform/gitops/generate-files/templates/mojaloop/kustomization.yaml.tpl b/terraform/gitops/generate-files/templates/mojaloop/kustomization.yaml.tpl index 480bf6371..1f073aa27 100644 --- a/terraform/gitops/generate-files/templates/mojaloop/kustomization.yaml.tpl +++ b/terraform/gitops/generate-files/templates/mojaloop/kustomization.yaml.tpl @@ -16,7 +16,6 @@ helmCharts: valuesFile: values-mojaloop.yaml namespace: ${mojaloop_namespace} additionalValuesFiles: - - values-mojaloop-override.yaml - values-mojaloop-addons.yaml - name: finance-portal releaseName: ${finance_portal_release_name} diff --git a/terraform/gitops/generate-files/templates/mojaloop/values-mojaloop-override.yaml.tpl b/terraform/gitops/generate-files/templates/mojaloop/values-mojaloop-override.yaml.tpl deleted file mode 100644 index 42d51bf36..000000000 --- a/terraform/gitops/generate-files/templates/mojaloop/values-mojaloop-override.yaml.tpl +++ /dev/null @@ -1 +0,0 @@ -#placeholder file for addons \ No newline at end of file diff --git a/terraform/gitops/generate-files/templates/mojaloop/values-mojaloop.yaml.tpl b/terraform/gitops/generate-files/templates/mojaloop/values-mojaloop.yaml.tpl index 5ed656c12..d6d02b4bb 100644 
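Review bot: Restoring `componentLogLevel: "misc:debug"` and `logLevel: debug` hardcodes debug-level Envoy logging for every sidecar and ingress gateway in the mesh, and the istio.tf hunk later in this patch removes the `istio_proxy_log_level` variable (local default `warn`) that was the only knob to turn it down per environment. At debug level Envoy's HTTP and connection loggers typically dump per-request headers, so for a payments switch the FSPIOP signature/authorization headers and transaction metadata of every hop end up in the log pipeline, on top of the throughput and log-volume cost. Keep the level templated and default it to Istio's own shipped values: `componentLogLevel: "misc:${istio_proxy_log_level}"` and `logLevel: ${istio_proxy_log_level}` with the default set to `warning`, raising it per environment only while debugging. Since this is a revert it is reinstating earlier state rather than introducing the setting, but the earlier state is the problem.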
--- a/terraform/gitops/generate-files/templates/mojaloop/values-mojaloop.yaml.tpl +++ b/terraform/gitops/generate-files/templates/mojaloop/values-mojaloop.yaml.tpl @@ -372,6 +372,15 @@ centralledger: config: prefix: *CL_MONITORING_PREFIX centralledger-handler-transfer-prepare: + readinessProbe: + initialDelaySeconds: 5 + livenessProbe: + initialDelaySeconds: 10 + sidecar: + readinessProbe: + initialDelaySeconds: 5 + livenessProbe: + initialDelaySeconds: 10 %{ if central_ledger_handler_transfer_prepare_affinity != null ~} affinity: ${indent(8, central_ledger_handler_transfer_prepare_affinity)} @@ -402,6 +411,15 @@ centralledger: config: prefix: *CL_MONITORING_PREFIX centralledger-handler-transfer-position: + readinessProbe: + initialDelaySeconds: 5 + livenessProbe: + initialDelaySeconds: 10 + sidecar: + readinessProbe: + initialDelaySeconds: 5 + livenessProbe: + initialDelaySeconds: 10 %{ if central_ledger_handler_transfer_position_affinity != null ~} affinity: ${indent(8, central_ledger_handler_transfer_position_affinity)} @@ -432,6 +450,15 @@ centralledger: prefix: *CL_MONITORING_PREFIX centralledger-handler-transfer-position-batch: enabled: *CL_BATCH_PROCESSING_ENABLED + readinessProbe: + initialDelaySeconds: 5 + livenessProbe: + initialDelaySeconds: 10 + sidecar: + readinessProbe: + initialDelaySeconds: 5 + livenessProbe: + initialDelaySeconds: 10 %{ if central_ledger_handler_transfer_position_batch_affinity != null ~} affinity: ${indent(8, central_ledger_handler_transfer_position_batch_affinity)} @@ -463,6 +490,15 @@ centralledger: config: prefix: *CL_MONITORING_PREFIX centralledger-handler-transfer-get: + readinessProbe: + initialDelaySeconds: 5 + livenessProbe: + initialDelaySeconds: 10 + sidecar: + readinessProbe: + initialDelaySeconds: 5 + livenessProbe: + initialDelaySeconds: 10 %{ if central_ledger_handler_transfer_get_affinity != null ~} affinity: ${indent(8, central_ledger_handler_transfer_get_affinity)} 
@@ -492,6 +528,15 @@ centralledger: config: prefix: *CL_MONITORING_PREFIX centralledger-handler-transfer-fulfil: + readinessProbe: + initialDelaySeconds: 5 + livenessProbe: + initialDelaySeconds: 10 + sidecar: + readinessProbe: + initialDelaySeconds: 5 + livenessProbe: + initialDelaySeconds: 10 %{ if central_ledger_handler_transfer_fulfil_affinity != null ~} affinity: ${indent(8, central_ledger_handler_transfer_fulfil_affinity)} @@ -522,6 +567,15 @@ centralledger: config: prefix: *CL_MONITORING_PREFIX centralledger-handler-timeout: + readinessProbe: + initialDelaySeconds: 5 + livenessProbe: + initialDelaySeconds: 10 + sidecar: + readinessProbe: + initialDelaySeconds: 5 + livenessProbe: + initialDelaySeconds: 10 tolerations: *MOJALOOP_TOLERATIONS config: kafka_host: *KAFKA_HOST diff --git a/terraform/gitops/generate-files/templates/ory/values-kratos.yaml.tpl b/terraform/gitops/generate-files/templates/ory/values-kratos.yaml.tpl index c6a91834d..5e4c67e85 100644 --- a/terraform/gitops/generate-files/templates/ory/values-kratos.yaml.tpl +++ b/terraform/gitops/generate-files/templates/ory/values-kratos.yaml.tpl @@ -86,8 +86,11 @@ kratos: selfservice: default_browser_return_url: https://${auth_fqdn}/ui/welcome allowed_return_urls: - - https://*.${private_subdomain} - - https://*.${public_subdomain} + - https://${auth_fqdn}/ui + - https://${keycloak_fqdn} +%{ for fqdnItem in bof_managed_portal_fqdns ~} + - https://${fqdnItem} +%{ endfor ~} methods: password: diff --git a/terraform/gitops/k8s-cluster-config/app-deploy.tf b/terraform/gitops/k8s-cluster-config/app-deploy.tf index 68819afb2..52353b988 100644 --- a/terraform/gitops/k8s-cluster-config/app-deploy.tf +++ b/terraform/gitops/k8s-cluster-config/app-deploy.tf 
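Review bot: The same nine-line probe stanza is pasted verbatim into six handlers (transfer-prepare, transfer-position, transfer-position-batch, transfer-get, transfer-fulfil, timeout), which is how the copies will drift the next time one of them is tuned. This values file already relies on YAML anchors (`*CL_MONITORING_PREFIX`, `*MOJALOOP_TOLERATIONS`, `*KAFKA_HOST`), so the tooling evidently expands them; anchor the two probe maps on the first handler and alias them everywhere else, as sketched below. Separately, a 10 s liveness `initialDelaySeconds` means a handler that is slow to reach Kafka can be killed before it finishes starting — I cannot see the chart's `failureThreshold`/`periodSeconds` defaults from here — and if that matters a `startupProbe` is the idiomatic guard that leaves liveness aggressive once the pod is up. The `centralledger-handler-timeout` block continues past the end of the hunk.
```yaml
      centralledger-handler-transfer-prepare:
        readinessProbe: &CL_HANDLER_READINESS_PROBE
          initialDelaySeconds: 5
        livenessProbe: &CL_HANDLER_LIVENESS_PROBE
          initialDelaySeconds: 10
        sidecar:
          readinessProbe: *CL_HANDLER_READINESS_PROBE
          livenessProbe: *CL_HANDLER_LIVENESS_PROBE
      # … unchanged: affinity / tolerations / config for this handler, and the other four handlers aliased the same way …
      centralledger-handler-timeout:
        readinessProbe: *CL_HANDLER_READINESS_PROBE
        livenessProbe: *CL_HANDLER_LIVENESS_PROBE
        sidecar:
          readinessProbe: *CL_HANDLER_READINESS_PROBE
          livenessProbe: *CL_HANDLER_LIVENESS_PROBE
```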
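Review bot: The explicit `allowed_return_urls` list in the kratos values hunk is the right call, but nothing records why, and the wildcard entries it replaces (`https://*.${public_subdomain}`) are exactly what a future maintainer will reach for when a new portal fails its post-login redirect. A comment above the list would prevent that, e.g. `# Deliberately an explicit allow-list: a wildcard over the public subdomain would let any host under it (including a dangling or taken-over one) receive post-login redirects; new portals go into bof_managed_portal_fqdns in app-deploy.tf.` As far as I recall Kratos matches these entries by scheme, host and path prefix, so `https://${auth_fqdn}/ui` covers `default_browser_return_url`; worth confirming against the Kratos version deployed.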
@@ -6,6 +6,8 @@ module "mojaloop" { external_load_balancer_dns = var.external_load_balancer_dns private_subdomain = var.private_subdomain public_subdomain = var.public_subdomain + external_interop_switch_fqdn = local.external_interop_switch_fqdn + internal_interop_switch_fqdn = local.internal_interop_switch_fqdn secrets_key_map = var.secrets_key_map properties_key_map = var.properties_key_map output_dir = var.output_dir @@ -31,6 +33,10 @@ module "mojaloop" { vault_secret_key = var.vault_secret_key role_assign_svc_secret = var.role_assign_svc_secret role_assign_svc_user = var.role_assign_svc_user + ttk_backend_fqdn = local.ttk_backend_fqdn + ttk_frontend_fqdn = local.ttk_frontend_fqdn + ttk_istio_gateway_namespace = local.ttk_istio_gateway_namespace + ttk_istio_wildcard_gateway_name = local.ttk_istio_wildcard_gateway_name istio_external_gateway_name = var.istio_external_gateway_name istio_internal_gateway_name = var.istio_internal_gateway_name istio_external_wildcard_gateway_name = local.istio_external_wildcard_gateway_name 
@@ -43,16 +49,21 @@ module "mojaloop" { mojaloop_enabled = var.common_var_map.mojaloop_enabled bulk_enabled = var.app_var_map.bulk_enabled third_party_enabled = var.app_var_map.third_party_enabled + mojaloop_ingress_internal_lb = var.app_var_map.mojaloop_ingress_internal_lb + mcm_ingress_internal_lb = var.app_var_map.mcm_ingress_internal_lb stateful_resources_config_file = var.mojaloop_stateful_resources_config_file local_vault_kv_root_path = local.local_vault_kv_root_path app_var_map = var.app_var_map auth_fqdn = local.auth_fqdn ory_namespace = var.ory_namespace + finance_portal_fqdn = local.finance_portal_fqdn + portal_istio_gateway_namespace = local.portal_istio_gateway_namespace + portal_istio_wildcard_gateway_name = local.portal_istio_wildcard_gateway_name + portal_istio_gateway_name = local.portal_istio_gateway_name bof_release_name = local.bof_release_name oathkeeper_auth_provider_name = local.oathkeeper_auth_provider_name keycloak_hubop_realm_name = var.keycloak_hubop_realm_name rbac_api_resources_file = var.rbac_api_resources_file - mojaloop_values_override_file = var.mojaloop_values_override_file mcm_fqdn = local.mcm_fqdn mcm_istio_gateway_namespace = local.mcm_istio_gateway_namespace mcm_istio_wildcard_gateway_name = local.mcm_istio_wildcard_gateway_name @@ -68,6 +79,8 @@ module "pm4ml" { external_load_balancer_dns = var.external_load_balancer_dns private_subdomain = var.private_subdomain public_subdomain = var.public_subdomain + external_interop_switch_fqdn = local.external_interop_switch_fqdn + internal_interop_switch_fqdn = local.internal_interop_switch_fqdn secrets_key_map = var.secrets_key_map properties_key_map = var.properties_key_map output_dir = var.output_dir 
@@ -94,8 +107,16 @@ module "pm4ml" { istio_external_wildcard_gateway_name = local.istio_external_wildcard_gateway_name istio_internal_wildcard_gateway_name = local.istio_internal_wildcard_gateway_name local_vault_kv_root_path = local.local_vault_kv_root_path + portal_fqdns = local.portal_fqdns + admin_portal_fqdns = local.admin_portal_fqdns auth_fqdn = local.auth_fqdn oathkeeper_auth_provider_name = local.oathkeeper_auth_provider_name + experience_api_fqdns = local.experience_api_fqdns + mojaloop_connnector_fqdns = local.mojaloop_connnector_fqdns + ttk_backend_fqdns = local.pm4ml_ttk_backend_fqdns + ttk_frontend_fqdns = local.pm4ml_ttk_frontend_fqdns + pta_portal_fqdns = local.pm4ml_pta_portal_fqdns + test_fqdns = local.test_fqdns vault_root_ca_name = "pki-${var.cluster_name}" app_var_map = local.pm4ml_var_map bof_release_name = local.bof_release_name @@ -103,6 +124,9 @@ module "pm4ml" { role_assign_svc_secret_prefix = "role-assign-svc-secret-" portal_admin_user = var.portal_admin_user portal_admin_secret_prefix = "portal-admin-secret-" + pm4ml_istio_gateway_namespaces = local.pm4ml_istio_gateway_namespaces + pm4ml_istio_wildcard_gateway_names = local.pm4ml_istio_wildcard_gateway_names + pm4ml_istio_gateway_names = local.pm4ml_istio_gateway_names } module "vnext" { @@ -113,6 +137,8 @@ module "vnext" { external_load_balancer_dns = var.external_load_balancer_dns private_subdomain = var.private_subdomain public_subdomain = var.public_subdomain + external_interop_switch_fqdn = local.external_interop_switch_fqdn + internal_interop_switch_fqdn = local.internal_interop_switch_fqdn secrets_key_map = var.secrets_key_map properties_key_map = var.properties_key_map output_dir = var.output_dir 
@@ -138,6 +164,14 @@ module "vnext" { vault_secret_key = var.vault_secret_key role_assign_svc_secret = var.role_assign_svc_secret role_assign_svc_user = var.role_assign_svc_user + mcm_fqdn = local.mcm_fqdn + mcm_istio_gateway_namespace = local.mcm_istio_gateway_namespace + mcm_istio_wildcard_gateway_name = local.mcm_istio_wildcard_gateway_name + mcm_istio_gateway_name = local.mcm_istio_gateway_name + ttk_backend_fqdn = local.ttk_backend_fqdn + ttk_frontend_fqdn = local.ttk_frontend_fqdn + ttk_istio_wildcard_gateway_name = local.ttk_istio_wildcard_gateway_name + ttk_istio_gateway_namespace = local.ttk_istio_gateway_namespace istio_external_gateway_name = var.istio_external_gateway_name istio_internal_gateway_name = var.istio_internal_gateway_name istio_external_wildcard_gateway_name = local.istio_external_wildcard_gateway_name 
@@ -148,16 +182,22 @@ module "vnext" { mcm_enabled = var.common_var_map.mcm_enabled mcm_chart_version = var.app_var_map.mcm_chart_version vnext_enabled = var.common_var_map.vnext_enabled + vnext_ingress_internal_lb = var.app_var_map.vnext_ingress_internal_lb + mcm_ingress_internal_lb = var.app_var_map.mcm_ingress_internal_lb stateful_resources_config_file = var.vnext_stateful_resources_config_file local_vault_kv_root_path = local.local_vault_kv_root_path app_var_map = var.app_var_map auth_fqdn = local.auth_fqdn ory_namespace = var.ory_namespace + finance_portal_fqdn = local.finance_portal_fqdn bof_release_name = local.bof_release_name oathkeeper_auth_provider_name = local.oathkeeper_auth_provider_name keycloak_hubop_realm_name = var.keycloak_hubop_realm_name rbac_api_resources_file = var.rbac_api_resources_file - fspiop_use_ory_for_auth = var.app_var_map.fspiop_use_ory_for_auth + vnext_admin_ui_fqdn = local.vnext_admin_ui_fqdn + vnext_istio_gateway_namespace = local.vnext_istio_gateway_namespace + vnext_istio_wildcard_gateway_name = local.vnext_istio_wildcard_gateway_name + fspiop_use_ory_for_auth = var.app_var_map.fspiop_use_ory_for_auth } variable "app_var_map" { @@ -243,10 +283,6 @@ variable "rbac_api_resources_file" { type = string } -variable "mojaloop_values_override_file" { - type = string -} - variable "argocd_ingress_internal_lb" { default = true description = "whether argocd should only be available on private network" 
@@ -257,11 +293,91 @@ variable "argocd_namespace" { description = "namespace argocd is deployed to" } +variable "finanace_portal_ingress_internal_lb" { + default = false + description = "whether argocd should only be available on private network" +} + locals { - auth_fqdn = "auth.${var.public_subdomain}" pm4ml_var_map = { for pm4ml in var.app_var_map.pm4mls : pm4ml.pm4ml => pm4ml } + oidc_providers = var.common_var_map.pm4ml_enabled ? [for pm4ml in var.app_var_map.pm4mls : { + realm = "${var.keycloak_pm4ml_realm_name}-${pm4ml.pm4ml}" + client_id = "${var.pm4ml_oidc_client_id_prefix}-${pm4ml.pm4ml}" + secret_name = "${var.pm4ml_oidc_client_secret_secret}-${pm4ml.pm4ml}" + }] : [] + mojaloop_keycloak_realm_env_secret_map = { + "${var.mcm_oidc_client_secret_secret}" = var.mcm_oidc_client_secret_secret_key + "${var.jwt_client_secret_secret}" = var.jwt_client_secret_secret_key + } + pm4ml_keycloak_realm_env_secret_map = merge( + { for key, pm4ml in local.pm4ml_var_map : "${var.pm4ml_oidc_client_secret_secret}-${key}" => var.vault_secret_key }, + { for key, pm4ml in local.pm4ml_var_map : "portal-admin-secret-${key}" => var.vault_secret_key }, + { for key, pm4ml in local.pm4ml_var_map : "role-assign-svc-secret-${key}" => var.vault_secret_key } + ) + + pm4ml_wildcard_gateways = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => pm4ml.pm4ml_ingress_internal_lb ? "internal" : "external" } + + mcm_wildcard_gateway = var.app_var_map.mcm_ingress_internal_lb ? "internal" : "external" + mcm_fqdn = local.mcm_wildcard_gateway == "external" ? "mcm.${var.public_subdomain}" : "mcm.${var.private_subdomain}" + mcm_istio_gateway_namespace = local.mcm_wildcard_gateway == "external" ? var.istio_external_gateway_namespace : var.istio_internal_gateway_namespace + mcm_istio_wildcard_gateway_name = local.mcm_wildcard_gateway == "external" ? 
local.istio_external_wildcard_gateway_name : local.istio_internal_wildcard_gateway_name + mcm_istio_gateway_name = local.mcm_wildcard_gateway == "external" ? var.istio_external_gateway_name : var.istio_internal_gateway_name + + auth_fqdn = "auth.${var.public_subdomain}" + external_interop_switch_fqdn = "extapi.${var.public_subdomain}" + internal_interop_switch_fqdn = "intapi.${var.private_subdomain}" + + mojaloop_wildcard_gateway = var.app_var_map.mojaloop_ingress_internal_lb ? "internal" : "external" + ttk_frontend_fqdn = local.mojaloop_wildcard_gateway == "external" ? "ttkfrontend.${var.public_subdomain}" : "ttkfrontend.${var.private_subdomain}" + ttk_backend_fqdn = local.mojaloop_wildcard_gateway == "external" ? "ttkbackend.${var.public_subdomain}" : "ttkbackend.${var.private_subdomain}" + ttk_istio_wildcard_gateway_name = local.mojaloop_wildcard_gateway == "external" ? local.istio_external_wildcard_gateway_name : local.istio_internal_wildcard_gateway_name + ttk_istio_gateway_namespace = local.mojaloop_wildcard_gateway == "external" ? var.istio_external_gateway_namespace : var.istio_internal_gateway_namespace + + finance_portal_wildcard_gateway = var.finanace_portal_ingress_internal_lb ? "internal" : "external" + finance_portal_fqdn = local.finance_portal_wildcard_gateway == "external" ? "finance-portal.${var.public_subdomain}" : "finance-portal.${var.private_subdomain}" + portal_istio_gateway_namespace = local.finance_portal_wildcard_gateway == "external" ? var.istio_external_gateway_namespace : var.istio_internal_gateway_namespace + portal_istio_wildcard_gateway_name = local.finance_portal_wildcard_gateway == "external" ? local.istio_external_wildcard_gateway_name : local.istio_internal_wildcard_gateway_name + portal_istio_gateway_name = local.finance_portal_wildcard_gateway == "external" ? var.istio_external_gateway_name : var.istio_internal_gateway_name + + vnext_wildcard_gateway = var.app_var_map.vnext_ingress_internal_lb ? 
"internal" : "external" + vnext_admin_ui_fqdn = local.vnext_wildcard_gateway == "external" ? "vnext-admin.${var.public_subdomain}" : "vnext-admin.${var.private_subdomain}" + vnext_istio_gateway_namespace = local.vnext_wildcard_gateway == "external" ? var.istio_external_gateway_namespace : var.istio_internal_gateway_namespace + vnext_istio_wildcard_gateway_name = local.vnext_wildcard_gateway == "external" ? local.istio_external_wildcard_gateway_name : local.istio_internal_wildcard_gateway_name + + portal_fqdns = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "external" ? "portal-${pm4ml.pm4ml}.${var.public_subdomain}" : "portal-${pm4ml.pm4ml}.${var.private_subdomain}" } + admin_portal_fqdns = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "external" ? "admin-portal-${pm4ml.pm4ml}.${var.public_subdomain}" : "admin-portal-${pm4ml.pm4ml}.${var.private_subdomain}"} + experience_api_fqdns = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "external" ? "exp-${pm4ml.pm4ml}.${var.public_subdomain}" : "exp-${pm4ml.pm4ml}.${var.private_subdomain}"} + mojaloop_connnector_fqdns = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "external" ? "conn-${pm4ml.pm4ml}.${var.public_subdomain}" : "conn-${pm4ml.pm4ml}.${var.private_subdomain}" } + test_fqdns = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "external" ? "test-${pm4ml.pm4ml}.${var.public_subdomain}" : "test-${pm4ml.pm4ml}.${var.private_subdomain}" } + pm4ml_ttk_frontend_fqdns = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "external" ? 
"ttkfront-${pm4ml.pm4ml}.${var.public_subdomain}" : "ttkfront-${pm4ml.pm4ml}.${var.private_subdomain}" } + pm4ml_ttk_backend_fqdns = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "external" ? "ttkback-${pm4ml.pm4ml}.${var.public_subdomain}" : "ttkback-${pm4ml.pm4ml}.${var.private_subdomain}"} + pm4ml_pta_portal_fqdns = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "external" ? "pta-portal-${pm4ml.pm4ml}.${var.public_subdomain}" : "pta-portal-${pm4ml.pm4ml}.${var.private_subdomain}"} + + pm4ml_istio_gateway_namespaces = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "external" ? var.istio_external_gateway_namespace : var.istio_internal_gateway_namespace } + pm4ml_istio_wildcard_gateway_names = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "external" ? local.istio_external_wildcard_gateway_name : local.istio_internal_wildcard_gateway_name } + pm4ml_istio_gateway_names = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "external" ? 
var.istio_external_gateway_name : var.istio_internal_gateway_name } + + pm4ml_internal_wildcard_admin_portal_hosts = [for pm4ml in local.pm4ml_var_map : local.admin_portal_fqdns[pm4ml.pm4ml] if local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "internal"] + pm4ml_external_wildcard_admin_portal_hosts = [for pm4ml in local.pm4ml_var_map : local.admin_portal_fqdns[pm4ml.pm4ml] if local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "external"] + pm4ml_internal_wildcard_portal_hosts = [for pm4ml in local.pm4ml_var_map : local.portal_fqdns[pm4ml.pm4ml] if local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "internal"] + pm4ml_external_wildcard_portal_hosts = [for pm4ml in local.pm4ml_var_map : local.portal_fqdns[pm4ml.pm4ml] if local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "external"] + pm4ml_internal_wildcard_exp_hosts = [for pm4ml in local.pm4ml_var_map : local.experience_api_fqdns[pm4ml.pm4ml] if local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "internal"] + pm4ml_external_wildcard_exp_hosts = [for pm4ml in local.pm4ml_var_map : local.experience_api_fqdns[pm4ml.pm4ml] if local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "external"] + + pm4ml_internal_gateway_hosts = concat(local.pm4ml_internal_wildcard_admin_portal_hosts, local.pm4ml_internal_wildcard_portal_hosts, local.pm4ml_internal_wildcard_exp_hosts, values(local.pm4ml_ttk_frontend_fqdns), values(local.pm4ml_ttk_backend_fqdns), values(local.test_fqdns), values(local.pm4ml_pta_portal_fqdns)) + pm4ml_external_gateway_hosts = concat(local.pm4ml_external_wildcard_admin_portal_hosts, local.pm4ml_external_wildcard_portal_hosts, local.pm4ml_external_wildcard_exp_hosts) + + keycloak_realm_env_secret_map = merge( + (var.common_var_map.mojaloop_enabled || var.common_var_map.vnext_enabled) ? 
local.mojaloop_keycloak_realm_env_secret_map : local.pm4ml_keycloak_realm_env_secret_map, + { + "${var.hubop_oidc_client_secret_secret}" = var.vault_secret_key + "${var.role_assign_svc_secret}" = var.vault_secret_key + "${var.portal_admin_secret}" = var.vault_secret_key + } + ) + bof_managed_portal_fqdns = (var.common_var_map.mojaloop_enabled || var.common_var_map.vnext_enabled) ? [local.finance_portal_fqdn, local.mcm_fqdn] : concat(local.pm4ml_external_wildcard_portal_hosts, local.pm4ml_internal_wildcard_portal_hosts, local.pm4ml_internal_wildcard_admin_portal_hosts, local.pm4ml_external_wildcard_admin_portal_hosts) } diff --git a/terraform/gitops/k8s-cluster-config/istio.tf b/terraform/gitops/k8s-cluster-config/istio.tf index 7f83693d2..e72b40613 100644 --- a/terraform/gitops/k8s-cluster-config/istio.tf +++ b/terraform/gitops/k8s-cluster-config/istio.tf @@ -39,7 +39,6 @@ module "generate_istio_files" { argocd_public_fqdn = local.argocd_public_fqdn argocd_private_fqdn = local.argocd_private_fqdn argocd_namespace = var.argocd_namespace - istio_proxy_log_level = try(var.common_var_map.istio_proxy_log_level, local.istio_proxy_log_level) } file_list = [for f in fileset(local.istio_template_path, "**/*.tpl") : trimsuffix(f, ".tpl") if !can(regex(local.istio_app_file, f))] @@ -50,10 +49,6 @@ module "generate_istio_files" { } locals { - - istio_template_path = "${path.module}/../generate-files/templates/istio" - istio_app_file = "istio-app.yaml" - istio_proxy_log_level = "warn" istio_template_path = "${path.module}/../generate-files/templates/istio" istio_app_file = "istio-app.yaml" argocd_wildcard_gateway = var.argocd_ingress_internal_lb ? "internal" : "external" diff --git a/terraform/gitops/k8s-cluster-config/keycloak.tf b/terraform/gitops/k8s-cluster-config/keycloak.tf index d9e6e5c03..707c3b156 100644 --- a/terraform/gitops/k8s-cluster-config/keycloak.tf +++ b/terraform/gitops/k8s-cluster-config/keycloak.tf 
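Review bot: The new `finanace_portal_ingress_internal_lb` variable carries the description copied from `argocd_ingress_internal_lb` ("whether argocd should only be available on private network"), and its `default = false` routes the finance portal — a hub-operator admin surface — to the external gateway on the public subdomain via `finance_portal_fqdn` in the same hunk. Being a revert this restores earlier state, but the default deserves a deliberate choice: `default = true` so the portal is private unless an environment opts out, or no default so each environment must decide. At minimum fix the text: `description = "whether the finance portal should only be reachable through the internal (private network) gateway"`. The misspelled name is referenced consistently in the locals (`var.finanace_portal_ingress_internal_lb`), so correcting it is a separate, interface-changing change.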
@@ -100,24 +100,4 @@ locals { keycloak_admin_istio_gateway_namespace = local.keycloak_admin_wildcard_gateway == "external" ? var.istio_external_gateway_namespace : var.istio_internal_gateway_namespace keycloak_istio_gateway_name = local.keycloak_wildcard_gateway == "external" ? var.istio_external_gateway_name : var.istio_internal_gateway_name keycloak_secrets_path = "/secret/keycloak" - - mojaloop_keycloak_realm_env_secret_map = { - "${var.mcm_oidc_client_secret_secret}" = var.mcm_oidc_client_secret_secret_key - "${var.jwt_client_secret_secret}" = var.jwt_client_secret_secret_key - } - - pm4ml_keycloak_realm_env_secret_map = merge( - { for key, pm4ml in local.pm4ml_var_map : "${var.pm4ml_oidc_client_secret_secret}-${key}" => var.vault_secret_key }, - { for key, pm4ml in local.pm4ml_var_map : "portal-admin-secret-${key}" => var.vault_secret_key }, - { for key, pm4ml in local.pm4ml_var_map : "role-assign-svc-secret-${key}" => var.vault_secret_key } - ) - - keycloak_realm_env_secret_map = merge( - (var.common_var_map.mojaloop_enabled || var.common_var_map.vnext_enabled) ? local.mojaloop_keycloak_realm_env_secret_map : local.pm4ml_keycloak_realm_env_secret_map, - { - "${var.hubop_oidc_client_secret_secret}" = var.vault_secret_key - "${var.role_assign_svc_secret}" = var.vault_secret_key - "${var.portal_admin_secret}" = var.vault_secret_key - } - ) } diff --git a/terraform/gitops/k8s-cluster-config/ory.tf b/terraform/gitops/k8s-cluster-config/ory.tf index 144bb4f5c..e98058d84 100644 --- a/terraform/gitops/k8s-cluster-config/ory.tf +++ b/terraform/gitops/k8s-cluster-config/ory.tf 
@@ -10,7 +10,7 @@ module "generate_ory_files" { ory_namespace = var.ory_namespace auth_fqdn = local.auth_fqdn public_subdomain = var.public_subdomain - private_subdomain = var.private_subdomain + bof_managed_portal_fqdns = local.bof_managed_portal_fqdns keto_postgres_database = module.common_stateful_resources.stateful_resources[local.keto_postgres_resource_index].logical_service_config.database_name keto_postgres_user = module.common_stateful_resources.stateful_resources[local.keto_postgres_resource_index].logical_service_config.username keto_postgres_host = "${module.common_stateful_resources.stateful_resources[local.keto_postgres_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local" @@ -120,10 +120,4 @@ locals { rolesPermissions = yamldecode(file(var.rbac_permissions_file)) mojaloopRoles = local.rolesPermissions["roles"] permissionExclusions = local.rolesPermissions["permission-exclusions"] - - oidc_providers = var.common_var_map.pm4ml_enabled ? [for pm4ml in var.app_var_map.pm4mls : { - realm = "${var.keycloak_pm4ml_realm_name}-${pm4ml.pm4ml}" - client_id = "${var.pm4ml_oidc_client_id_prefix}-${pm4ml.pm4ml}" - secret_name = "${var.pm4ml_oidc_client_secret_secret}-${pm4ml.pm4ml}" - }] : [] } diff --git a/terraform/gitops/mojaloop/mcm.tf b/terraform/gitops/mojaloop/mcm.tf index bf44dc7a1..9c080e551 100644 --- a/terraform/gitops/mojaloop/mcm.tf +++ b/terraform/gitops/mojaloop/mcm.tf 
@@ -8,11 +8,11 @@ module "generate_mcm_files" { db_schema = module.mojaloop_stateful_resources.stateful_resources[local.mcm_resource_index].logical_service_config.database_name db_port = module.mojaloop_stateful_resources.stateful_resources[local.mcm_resource_index].logical_service_config.logical_service_port db_host = "${module.mojaloop_stateful_resources.stateful_resources[local.mcm_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local" - mcm_fqdn = local.mcm_fqdn - mcm_istio_gateway_namespace = local.mcm_istio_gateway_namespace - mcm_istio_wildcard_gateway_name = local.mcm_istio_wildcard_gateway_name - mcm_istio_gateway_name = local.mcm_istio_gateway_name - fspiop_use_ory_for_auth = var.fspiop_use_ory_for_auth + mcm_fqdn = var.mcm_fqdn + mcm_istio_gateway_namespace = var.mcm_istio_gateway_namespace + mcm_istio_wildcard_gateway_name = var.mcm_istio_wildcard_gateway_name + mcm_istio_gateway_name = var.mcm_istio_gateway_name + fspiop_use_ory_for_auth = var.fspiop_use_ory_for_auth env_name = var.cluster_name env_cn = var.public_subdomain env_o = "Mojaloop" @@ -34,7 +34,7 @@ module "generate_mcm_files" { public_subdomain = var.public_subdomain enable_oidc = var.enable_mcm_oidc mcm_sync_wave = var.mcm_sync_wave - ingress_class = try(var.app_var_map.mcm_ingress_internal_lb, false) ? var.internal_ingress_class_name : var.external_ingress_class_name + ingress_class = var.mcm_ingress_internal_lb ? var.internal_ingress_class_name : var.external_ingress_class_name istio_create_ingress_gateways = var.istio_create_ingress_gateways pki_path = var.vault_root_ca_name dfsp_client_cert_bundle = local.dfsp_client_cert_bundle 
@@ -60,7 +60,7 @@ module "generate_mcm_files" {
   mcm_wildcard_gateway = local.mcm_wildcard_gateway
   istio_external_gateway_name = var.istio_external_gateway_name
   private_network_cidr = var.private_network_cidr
-  interop_switch_fqdn = local.external_interop_switch_fqdn
+  interop_switch_fqdn = var.external_interop_switch_fqdn
   keycloak_fqdn = var.keycloak_fqdn
   keycloak_dfsp_realm_name = var.keycloak_dfsp_realm_name
   keycloak_hubop_realm_name = var.keycloak_hubop_realm_name
@@ -77,7 +77,7 @@ module "generate_mcm_files" {
   internal_load_balancer_dns = var.internal_load_balancer_dns
   external_load_balancer_dns = var.external_load_balancer_dns
   istio_internal_gateway_name = var.istio_internal_gateway_name
-  int_interop_switch_fqdn = local.internal_interop_switch_fqdn
+  int_interop_switch_fqdn = var.internal_interop_switch_fqdn
   mojaloop_namespace = var.mojaloop_namespace
   mojaloop_release_name = var.mojaloop_release_name
   onboarding_collection_tag = var.app_var_map.onboarding_collection_tag
@@ -99,7 +99,11 @@ variable "mcm_enabled" {
   type = bool
   default = true
 }
-
+variable "mcm_ingress_internal_lb" {
+  type = bool
+  description = "mcm_ingress_internal_lb"
+  default = false
+}
 variable "enable_mcm_oidc" {
   type = bool
   default = false
@@ -206,6 +210,26 @@ variable "keycloak_namespace" {
   description = "namespace of keycloak in which to create realm"
 }
 
+variable "mcm_fqdn" {
+  type = string
+  description = "hostname for mcm"
+}
+
+variable "mcm_istio_wildcard_gateway_name" {
+  type = string
+  default = ""
+}
+
+variable "mcm_istio_gateway_namespace" {
+  type = string
+  default = ""
+}
+
+variable "mcm_istio_gateway_name" {
+  type = string
+  default = ""
+}
+
 variable "fspiop_use_ory_for_auth" {
   type = bool
 }
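Review bot: The three new Istio gateway variables `mcm_istio_wildcard_gateway_name`, `mcm_istio_gateway_namespace` and `mcm_istio_gateway_name` default to `""`, so a caller that forgets to wire them no longer gets a plan-time error but renders MCM gateway resources with empty names and namespaces, whereas the locals this commit removes always derived them from the internal/external choice. Drop the defaults so the values are required, or add a `validation { condition = length(var.mcm_istio_gateway_name) > 0 ... }` block, and give each a description. `mcm_ingress_internal_lb`'s description only repeats its name; `description = "Expose MCM via the internal load balancer (true) or the external one (false)"` tells the operator what the flag does. The same applies to the identical hunks in terraform/gitops/vnext/mcm.tf.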
@@ -214,13 +238,8 @@ locals {
   mcm_template_path = "${path.module}/../generate-files/templates/mcm"
   mcm_app_file = "mcm-app.yaml"
   mcm_resource_index = index(module.mojaloop_stateful_resources.stateful_resources.*.resource_name, "mcm-db")
-  mcm_wildcard_gateway = try(var.app_var_map.mcm_ingress_internal_lb, false) ? "internal" : "external"
+  mcm_wildcard_gateway = var.mcm_ingress_internal_lb ? "internal" : "external"
   dfsp_client_cert_bundle = "${local.onboarding_secret_path}_pm4mls"
   dfsp_internal_whitelist_secret = "${local.whitelist_secret_path}_pm4mls"
   dfsp_external_whitelist_secret = "${local.whitelist_secret_path}_fsps"
-
-  mcm_fqdn = local.mcm_wildcard_gateway == "external" ? "mcm.${var.public_subdomain}" : "mcm.${var.private_subdomain}"
-  mcm_istio_gateway_namespace = local.mcm_wildcard_gateway == "external" ? var.istio_external_gateway_namespace : var.istio_internal_gateway_namespace
-  mcm_istio_wildcard_gateway_name = local.mcm_wildcard_gateway == "external" ? var.istio_external_wildcard_gateway_name : var.istio_internal_wildcard_gateway_name
-  mcm_istio_gateway_name = local.mcm_wildcard_gateway == "external" ? var.istio_external_gateway_name : var.istio_internal_gateway_name
 }
diff --git a/terraform/gitops/mojaloop/mojaloop.tf b/terraform/gitops/mojaloop/mojaloop.tf
index d34760296..363cf0c3b 100644
--- a/terraform/gitops/mojaloop/mojaloop.tf
+++ b/terraform/gitops/mojaloop/mojaloop.tf
@@ -25,12 +25,12 @@ module "generate_mojaloop_files" {
   central_ledger_handler_transfer_position_batch_consume_timeout_ms = try(var.app_var_map.central_ledger_handler_transfer_position_batch_consume_timeout_ms, 10)
   central_ledger_cache_enabled = try(var.app_var_map.central_ledger_cache_enabled, true)
   central_ledger_cache_expires_in_ms = try(var.app_var_map.central_ledger_cache_expires_in_ms, 1000)
-  interop_switch_fqdn = local.external_interop_switch_fqdn
-  int_interop_switch_fqdn = local.internal_interop_switch_fqdn
+  interop_switch_fqdn = var.external_interop_switch_fqdn
+  int_interop_switch_fqdn = var.internal_interop_switch_fqdn
   external_ingress_class_name = var.external_ingress_class_name
   vault_certman_secretname = var.vault_certman_secretname
   nginx_jwt_namespace = var.nginx_jwt_namespace
-  ingress_class_name = try(var.app_var_map.mojaloop_ingress_internal_lb, true) ? var.internal_ingress_class_name : var.external_ingress_class_name
+  ingress_class_name = var.mojaloop_ingress_internal_lb ? var.internal_ingress_class_name : var.external_ingress_class_name
   istio_create_ingress_gateways = var.istio_create_ingress_gateways
   istio_external_gateway_name = var.istio_external_gateway_name
   external_load_balancer_dns = var.external_load_balancer_dns
@@ -41,10 +41,10 @@ module "generate_mojaloop_files" {
   mojaloop_wildcard_gateway = local.mojaloop_wildcard_gateway
   keycloak_fqdn = var.keycloak_fqdn
   keycloak_realm_name = var.keycloak_hubop_realm_name
-  ttk_frontend_fqdn = local.ttk_frontend_fqdn
-  ttk_backend_fqdn = local.ttk_backend_fqdn
-  ttk_istio_gateway_namespace = local.ttk_istio_gateway_namespace
-  ttk_istio_wildcard_gateway_name = local.ttk_istio_wildcard_gateway_name
+  ttk_frontend_fqdn = var.ttk_frontend_fqdn
+  ttk_backend_fqdn = var.ttk_backend_fqdn
+  ttk_istio_gateway_namespace = var.ttk_istio_gateway_namespace
+  ttk_istio_wildcard_gateway_name = var.ttk_istio_wildcard_gateway_name
   kafka_host = "${module.mojaloop_stateful_resources.stateful_resources[local.mojaloop_kafka_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local"
   kafka_port = module.mojaloop_stateful_resources.stateful_resources[local.mojaloop_kafka_resource_index].logical_service_config.logical_service_port
   account_lookup_db_existing_secret = module.mojaloop_stateful_resources.stateful_resources[local.ml_als_resource_index].logical_service_config.user_password_secret
@@ -113,7 +113,7 @@ module "generate_mojaloop_files" {
   central_settlement_handler_deferredsettlement_replica_count = try(var.app_var_map.central_settlement_handler_deferredsettlement_replica_count, 1)
   central_settlement_handler_grosssettlement_replica_count = try(var.app_var_map.central_settlement_handler_grosssettlement_replica_count, 1)
   central_settlement_handler_rules_replica_count = try(var.app_var_map.central_settlement_handler_rules_replica_count, 1)
-  transaction_requests_service_replica_count = try(var.app_var_map.transaction_requests_service_replica_count, 1)
+  trasaction_requests_service_replica_count = try(var.app_var_map.trasaction_requests_service_replica_count, 1)
   auth_service_replica_count = try(var.app_var_map.auth_service_replica_count, 1)
   consent_oracle_replica_count = try(var.app_var_map.consent_oracle_replica_count, 1)
   tp_api_svc_replica_count = try(var.app_var_map.tp_api_svc_replica_count, 1)
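Review bot: The rename to `trasaction_requests_service_replica_count` introduces a misspelling into both the module argument and the `app_var_map` key, and the affinity hunk on the next line does the same with `trasaction_requests_service_affinity`; because both lookups are wrapped in `try(...)`, an environment that still sets the correctly spelled `transaction_requests_service_replica_count` now silently falls back to 1 replica (and `null` affinity) with no diagnostic. If the template on the receiving side was changed to the misspelled argument name, fix the template instead; at minimum keep reading the operator-facing key as `try(var.app_var_map.transaction_requests_service_replica_count, 1)` so existing configuration keeps working. The enclosing `module "generate_mojaloop_files"` block starts and ends outside the hunk.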
@@ -141,7 +141,7 @@ module "generate_mojaloop_files" {
   central_settlement_handler_deferredsettlement_affinity = try(yamlencode(var.app_var_map.workload_definitions.central_settlement.affinity_definition), null)
   central_settlement_handler_grosssettlement_affinity = try(yamlencode(var.app_var_map.workload_definitions.central_settlement.affinity_definition), null)
   central_settlement_handler_rules_affinity = try(yamlencode(var.app_var_map.workload_definitions.central_settlement.affinity_definition), null)
-  transaction_requests_service_affinity = try(yamlencode(var.app_var_map.workload_definitions.core_api_adapters.affinity_definition), null)
+  trasaction_requests_service_affinity = try(yamlencode(var.app_var_map.workload_definitions.core_api_adapters.affinity_definition), null)
   central_ledger_monitoring_prefix = try(var.app_var_map.central_ledger_monitoring_prefix, "moja_cl_")
   quoting_service_monitoring_prefix = try(var.app_var_map.quoting_service_monitoring_prefix, "moja_qs_")
   ml_api_adapter_monitoring_prefix = try(var.app_var_map.ml_api_adapter_monitoring_prefix, "moja_ml_")
@@ -168,10 +168,10 @@ module "generate_mojaloop_files" {
     keto_read_url = "http://keto-read.${var.ory_namespace}.svc.cluster.local:80"
     keto_write_url = "http://keto-write.${var.ory_namespace}.svc.cluster.local:80"
     kratos_service_name = "kratos-public.${var.ory_namespace}.svc.cluster.local"
-    portal_fqdn = local.finance_portal_fqdn
-    portal_istio_gateway_namespace = local.portal_istio_gateway_namespace
-    portal_istio_wildcard_gateway_name = local.portal_istio_wildcard_gateway_name
-    portal_istio_gateway_name = local.portal_istio_gateway_name
+    portal_fqdn = var.finance_portal_fqdn
+    portal_istio_gateway_namespace = var.portal_istio_gateway_namespace
+    portal_istio_wildcard_gateway_name = var.portal_istio_wildcard_gateway_name
+    portal_istio_gateway_name = var.portal_istio_gateway_name
     finance_portal_release_name = "fin-portal"
     finance_portal_chart_version = try(var.app_var_map.finance_portal_chart_version, var.finance_portal_chart_version)
     oathkeeper_auth_provider_name = var.oathkeeper_auth_provider_name
@@ -191,9 +191,7 @@ module "generate_mojaloop_files" {
     jws_rotation_period_hours = try(var.app_var_map.jws_rotation_period_hours, var.jws_rotation_period_hours)
     mcm_hub_jws_endpoint = "http://mcm-connection-manager-api.${var.mcm_namespace}.svc.cluster.local:3001/api/hub/jwscerts"
     ttk_gp_testcase_labels = try(var.app_var_map.ttk_gp_testcase_labels, var.ttk_gp_testcase_labels)
-    override_values_file_exists = local.override_values_file_exists
     fspiop_use_ory_for_auth = var.fspiop_use_ory_for_auth
-
   }
   file_list = [for f in fileset(local.mojaloop_template_path, "**/*.tpl") : trimsuffix(f, ".tpl") if !can(regex(local.mojaloop_app_file, f))]
   template_path = local.mojaloop_template_path
@@ -202,29 +200,8 @@ module "generate_mojaloop_files" { app_output_path = "${var.output_dir}/app-yamls" } -resource "local_file" "mojaloop_values_override" { - count = local.override_values_file_exists ? 1 : 0 - content = file(var.mojaloop_values_override_file) - filename = "${local.output_path}/values-mojaloop-override.yaml" - depends_on = [module.generate_mojaloop_files] -} locals { - mojaloop_wildcard_gateway = try(var.app_var_map.mojaloop_ingress_internal_lb, true) ? "internal" : "external" - ttk_frontend_fqdn = local.mojaloop_wildcard_gateway == "external" ? "ttkfrontend.${var.public_subdomain}" : "ttkfrontend.${var.private_subdomain}" - ttk_backend_fqdn = local.mojaloop_wildcard_gateway == "external" ? "ttkbackend.${var.public_subdomain}" : "ttkbackend.${var.private_subdomain}" - ttk_istio_wildcard_gateway_name = local.mojaloop_wildcard_gateway == "external" ? var.istio_external_wildcard_gateway_name : var.istio_internal_wildcard_gateway_name - ttk_istio_gateway_namespace = local.mojaloop_wildcard_gateway == "external" ? var.istio_external_gateway_namespace : var.istio_internal_gateway_namespace - - finance_portal_wildcard_gateway = try(var.app_var_map.finance_portal_ingress_internal_lb, true) ? "internal" : "external" - finance_portal_fqdn = local.finance_portal_wildcard_gateway == "external" ? "finance-portal.${var.public_subdomain}" : "finance-portal.${var.private_subdomain}" - portal_istio_gateway_namespace = local.finance_portal_wildcard_gateway == "external" ? var.istio_external_gateway_namespace : var.istio_internal_gateway_namespace - portal_istio_wildcard_gateway_name = local.finance_portal_wildcard_gateway == "external" ? var.istio_external_wildcard_gateway_name : var.istio_internal_wildcard_gateway_name - portal_istio_gateway_name = local.finance_portal_wildcard_gateway == "external" ? 
var.istio_external_gateway_name : var.istio_internal_gateway_name - - external_interop_switch_fqdn = "extapi.${var.public_subdomain}" - internal_interop_switch_fqdn = "intapi.${var.private_subdomain}" - mojaloop_template_path = "${path.module}/../generate-files/templates/mojaloop" mojaloop_app_file = "mojaloop-app.yaml" output_path = "${var.output_dir}/mojaloop" @@ -239,9 +216,9 @@ locals { third_party_consent_oracle_db_resource_index = index(module.mojaloop_stateful_resources.stateful_resources.*.resource_name, "mysql-consent-oracle-db") ttk_redis_resource_index = index(module.mojaloop_stateful_resources.stateful_resources.*.resource_name, "ttk-redis") reporting_events_mongodb_resource_index = index(module.mojaloop_stateful_resources.stateful_resources.*.resource_name, "reporting-events-mongodb") + mojaloop_wildcard_gateway = var.mojaloop_ingress_internal_lb ? "internal" : "external" apiResources = yamldecode(file(var.rbac_api_resources_file)) jws_key_secret = "switch-jws" - override_values_file_exists = fileexists(var.mojaloop_values_override_file) } variable "app_var_map" { @@ -253,6 +230,12 @@ variable "mojaloop_enabled" { default = true } +variable "mojaloop_ingress_internal_lb" { + type = bool + description = "mojaloop_ingress_internal_lb" + default = true +} + variable "mojaloop_chart_repo" { description = "repo for mojaloop charts" type = string @@ -344,6 +327,12 @@ variable "quoting_service_simple_routing_mode_enabled" { default = false } +variable "ttk_frontend_fqdn" { + type = string +} +variable "ttk_backend_fqdn" { + type = string +} variable "auth_fqdn" { type = string @@ -352,6 +341,9 @@ variable "ory_namespace" { type = string } +variable "finance_portal_fqdn" { + type = string +} variable "bof_release_name" { type = string @@ -380,10 +372,6 @@ variable "rbac_api_resources_file" { type = string } -variable "mojaloop_values_override_file" { - type = string -} - variable "reporting_templates_chart_version" { type = string default = "1.1.7" 
@@ -408,3 +396,28 @@ variable "ttk_gp_testcase_labels" {
   type = string
   default = "p2p"
 }
+
+variable "ttk_istio_wildcard_gateway_name" {
+  type = string
+  default = ""
+}
+
+variable "ttk_istio_gateway_namespace" {
+  type = string
+  default = ""
+}
+
+variable "portal_istio_wildcard_gateway_name" {
+  type = string
+  default = ""
+}
+
+variable "portal_istio_gateway_namespace" {
+  type = string
+  default = ""
+}
+
+variable "portal_istio_gateway_name" {
+  type = string
+  default = ""
+}
diff --git a/terraform/gitops/mojaloop/variables.tf b/terraform/gitops/mojaloop/variables.tf
index 3b9f90bce..8a00055c3 100644
--- a/terraform/gitops/mojaloop/variables.tf
+++ b/terraform/gitops/mojaloop/variables.tf
@@ -81,6 +81,15 @@ variable "kv_path" {
   description = "path for kv engine"
   default = "secret"
 }
+
+variable "external_interop_switch_fqdn" {
+  description = "fqdn for interop ext"
+}
+
+variable "internal_interop_switch_fqdn" {
+  description = "fqdn for interop int"
+}
+
 variable "internal_ingress_class_name" {
   type = string
   description = "nginx_internal_namespace"
diff --git a/terraform/gitops/mojaloop/vault-pki-setup.tf b/terraform/gitops/mojaloop/vault-pki-setup.tf
index f27754b11..cc79f4825 100644
--- a/terraform/gitops/mojaloop/vault-pki-setup.tf
+++ b/terraform/gitops/mojaloop/vault-pki-setup.tf
@@ -9,6 +9,7 @@ module "generate_vault_pki_setup_files" {
   cert_manager_service_account_name = var.cert_manager_service_account_name
   gitlab_project_url = var.gitlab_project_url
   cert_manager_cluster_issuer_role_name = var.cert_manager_cluster_issuer_role_name
+  interop_switch_fqdn = var.external_interop_switch_fqdn
   vault_root_ca_name = var.vault_root_ca_name
   pki_server_cert_role = var.pki_server_cert_role
   pki_client_cert_role = var.pki_client_cert_role
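Review bot: `external_interop_switch_fqdn` and `internal_interop_switch_fqdn` in the variables.tf hunk are declared without a `type`, so they accept any value; both are used as hostnames, and the vault-pki-setup hunk on the same line now feeds the external one into the PKI module, where — judging by the module name — a wrong or mis-shaped value would only surface after certificates are generated. Add `type = string` to each (the same untyped declarations appear in terraform/gitops/pm4ml/variables.tf and terraform/gitops/vnext/variables.tf), and consider a `validation` block that rejects an empty string. The five `*_istio_*` variables added in the first hunk default to `""` with no description, which turns a missing wiring into empty gateway names instead of a plan-time error; leave them required or document when an empty value is acceptable.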
@@ -24,8 +25,8 @@ module "generate_vault_pki_setup_files" { } locals { - vault_pki_template_path = "${path.module}/../generate-files/templates/vault-pki-setup" - vault_pki_app_file = "vault-pki-app.yaml" + vault_pki_template_path = "${path.module}/../generate-files/templates/vault-pki-setup" + vault_pki_app_file = "vault-pki-app.yaml" } diff --git a/terraform/gitops/pm4ml/pm4ml.tf b/terraform/gitops/pm4ml/pm4ml.tf index 4ce1b99df..1b45f031b 100644 --- a/terraform/gitops/pm4ml/pm4ml.tf +++ b/terraform/gitops/pm4ml/pm4ml.tf @@ -17,10 +17,10 @@ module "generate_pm4ml_files" { pm4ml_wildcard_gateway = each.value.pm4ml_ingress_internal_lb ? "internal" : "external" keycloak_fqdn = var.keycloak_fqdn keycloak_pm4ml_realm_name = "${var.keycloak_pm4ml_realm_name}-${each.key}" - experience_api_fqdn = local.experience_api_fqdns[each.key] + experience_api_fqdn = var.experience_api_fqdns[each.key] kratos_service_name = "kratos-public.${var.ory_namespace}.svc.cluster.local" - portal_fqdn = local.portal_fqdns[each.key] - admin_portal_fqdn = local.admin_portal_fqdns[each.key] + portal_fqdn = var.portal_fqdns[each.key] + admin_portal_fqdn = var.admin_portal_fqdns[each.key] auth_fqdn = var.auth_fqdn admin_portal_release_name = "admin-portal-${each.key}" admin_portal_chart_version = try(var.app_var_map.admin_portal_chart_version, var.admin_portal_chart_version) 
@@ -39,9 +39,9 @@ module "generate_pm4ml_files" {
   keto_read_url = "http://keto-read.${var.ory_namespace}.svc.cluster.local:80"
   keto_write_url = "http://keto-write.${var.ory_namespace}.svc.cluster.local:80"
   pm4ml_secret_path = "${var.local_vault_kv_root_path}/${each.key}"
-  callback_url = "https://${local.mojaloop_connnector_fqdns[each.key]}"
-  mojaloop_connnector_fqdn = local.mojaloop_connnector_fqdns[each.key]
-  callback_fqdn = local.mojaloop_connnector_fqdns[each.key]
+  callback_url = "https://${var.mojaloop_connnector_fqdns[each.key]}"
+  mojaloop_connnector_fqdn = var.mojaloop_connnector_fqdns[each.key]
+  callback_fqdn = var.mojaloop_connnector_fqdns[each.key]
   redis_port = "6379"
   redis_host = "redis-master"
   redis_replica_count = "1"
@@ -69,10 +69,10 @@ module "generate_pm4ml_files" {
   ttk_enabled = each.value.pm4ml_ttk_enabled
   core_connector_selected = each.value.core_connector_selected
   custom_core_connector_endpoint = each.value.custom_core_connector_endpoint
-  ttk_backend_fqdn = local.pm4ml_ttk_frontend_fqdns[each.key]
-  ttk_frontend_fqdn = local.pm4ml_ttk_frontend_fqdns[each.key]
-  pta_portal_fqdn = local.pm4ml_pta_portal_fqdns[each.key]
-  test_fqdn = local.test_fqdns[each.key]
+  ttk_backend_fqdn = var.ttk_backend_fqdns[each.key]
+  ttk_frontend_fqdn = var.ttk_frontend_fqdns[each.key]
+  pta_portal_fqdn = var.pta_portal_fqdns[each.key]
+  test_fqdn = var.test_fqdns[each.key]
   ory_namespace = var.ory_namespace
   oathkeeper_auth_provider_name = var.oathkeeper_auth_provider_name
   istio_create_ingress_gateways = var.istio_create_ingress_gateways
@@ -87,9 +87,9 @@ module "generate_pm4ml_files" { pm4ml_reserve_notification = each.value.pm4ml_reserve_notification core_connector_config = each.value.core_connector_config payment_token_adapter_config = each.value.payment_token_adapter_config - pm4ml_istio_gateway_namespace = local.pm4ml_istio_gateway_namespaces[each.key] - pm4ml_istio_wildcard_gateway_name = local.pm4ml_istio_wildcard_gateway_names[each.key] - pm4ml_istio_gateway_name = local.pm4ml_istio_gateway_names[each.key] + pm4ml_istio_gateway_namespace = var.pm4ml_istio_gateway_namespaces[each.key] + pm4ml_istio_wildcard_gateway_name = var.pm4ml_istio_wildcard_gateway_names[each.key] + pm4ml_istio_gateway_name = var.pm4ml_istio_gateway_names[each.key] } 
@@ -104,37 +104,18 @@ module "generate_pm4ml_files" { locals { pm4ml_template_path = "${path.module}/../generate-files/templates/pm4ml" pm4ml_app_file = "pm4ml-app.yaml" - - pm4ml_var_map = var.app_var_map - - pm4ml_wildcard_gateways = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => pm4ml.pm4ml_ingress_internal_lb ? "internal" : "external" } - - portal_fqdns = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "external" ? "portal-${pm4ml.pm4ml}.${var.public_subdomain}" : "portal-${pm4ml.pm4ml}.${var.private_subdomain}" } - admin_portal_fqdns = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "external" ? "admin-portal-${pm4ml.pm4ml}.${var.public_subdomain}" : "admin-portal-${pm4ml.pm4ml}.${var.private_subdomain}"} - experience_api_fqdns = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "external" ? "exp-${pm4ml.pm4ml}.${var.public_subdomain}" : "exp-${pm4ml.pm4ml}.${var.private_subdomain}"} - mojaloop_connnector_fqdns = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "external" ? "conn-${pm4ml.pm4ml}.${var.public_subdomain}" : "conn-${pm4ml.pm4ml}.${var.private_subdomain}" } - test_fqdns = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "external" ? "test-${pm4ml.pm4ml}.${var.public_subdomain}" : "test-${pm4ml.pm4ml}.${var.private_subdomain}" } - pm4ml_ttk_frontend_fqdns = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "external" ? "ttkfront-${pm4ml.pm4ml}.${var.public_subdomain}" : "ttkfront-${pm4ml.pm4ml}.${var.private_subdomain}" } - pm4ml_ttk_backend_fqdns = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "external" ? 
"ttkback-${pm4ml.pm4ml}.${var.public_subdomain}" : "ttkback-${pm4ml.pm4ml}.${var.private_subdomain}"} - pm4ml_pta_portal_fqdns = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "external" ? "pta-portal-${pm4ml.pm4ml}.${var.public_subdomain}" : "pta-portal-${pm4ml.pm4ml}.${var.private_subdomain}"} - - pm4ml_istio_gateway_namespaces = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "external" ? var.istio_external_gateway_namespace : var.istio_internal_gateway_namespace } - pm4ml_istio_wildcard_gateway_names = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "external" ? var.istio_external_wildcard_gateway_name : var.istio_internal_wildcard_gateway_name } - pm4ml_istio_gateway_names = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "external" ? var.istio_external_gateway_name : var.istio_internal_gateway_name } - - pm4ml_internal_wildcard_admin_portal_hosts = [for pm4ml in local.pm4ml_var_map : local.admin_portal_fqdns[pm4ml.pm4ml] if local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "internal"] - pm4ml_external_wildcard_admin_portal_hosts = [for pm4ml in local.pm4ml_var_map : local.admin_portal_fqdns[pm4ml.pm4ml] if local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "external"] - pm4ml_internal_wildcard_portal_hosts = [for pm4ml in local.pm4ml_var_map : local.portal_fqdns[pm4ml.pm4ml] if local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "internal"] - pm4ml_external_wildcard_portal_hosts = [for pm4ml in local.pm4ml_var_map : local.portal_fqdns[pm4ml.pm4ml] if local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "external"] - pm4ml_internal_wildcard_exp_hosts = [for pm4ml in local.pm4ml_var_map : local.experience_api_fqdns[pm4ml.pm4ml] if local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "internal"] - pm4ml_external_wildcard_exp_hosts = [for pm4ml in local.pm4ml_var_map : 
local.experience_api_fqdns[pm4ml.pm4ml] if local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "external"] } variable "app_var_map" { type = any } - +variable "portal_fqdns" { + description = "fqdns for pm4ml portal" +} +variable "admin_portal_fqdns" { + description = "fqdns for pm4ml admin portal" +} variable "auth_fqdn" { type = string } @@ -142,7 +123,25 @@ variable "auth_fqdn" { variable "oathkeeper_auth_provider_name" { type = string } +variable "experience_api_fqdns" { + description = "fqdns for pm4ml experience api" +} +variable "mojaloop_connnector_fqdns" { + description = "fqdns for pm4ml connector" +} +variable "test_fqdns" { + description = "fqdns for pm4ml test" +} +variable "ttk_backend_fqdns" { + description = "fqdns for pm4ml ttk back" +} +variable "ttk_frontend_fqdns" { + description = "fqdns for pm4ml ttk front" +} +variable "pta_portal_fqdns" { + description = "fqdns for pm4ml payment token adapter portal" +} variable "pm4ml_vault_k8s_role_name" { description = "vault k8s role name for pm4ml" type = string @@ -242,6 +241,18 @@ variable "portal_admin_secret_prefix" { type = string } +variable "pm4ml_istio_gateway_namespaces" { + description = "fqdns for pm4ml portal" +} + +variable "pm4ml_istio_wildcard_gateway_names" { + description = "fqdns for pm4ml portal" +} + +variable "pm4ml_istio_gateway_names" { + description = "fqdns for pm4ml portal" +} + locals { nat_cidr_list = join(", ", [for ip in var.nat_public_ips : format("%s/32", ip)]) } diff --git a/terraform/gitops/pm4ml/variables.tf b/terraform/gitops/pm4ml/variables.tf index eb933542d..114d760c5 100644 --- a/terraform/gitops/pm4ml/variables.tf +++ b/terraform/gitops/pm4ml/variables.tf @@ -20,7 +20,7 @@ variable "gitlab_project_url" { } variable "nat_public_ips" { - type = list(any) + type = list description = "nat_public_ips" } variable "internal_load_balancer_dns" { 
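Review bot: `type = list(any)` → `type = list` on `nat_public_ips` in the pm4ml/variables.tf hunk is a regression: the bare `list` keyword is the legacy pre-0.12 constraint that Terraform reports as deprecated, and it drops the element type; keep `list(any)`, or tighten to `list(string)` since the values are formatted with `%s/32`. In the same line, the three new `pm4ml_istio_gateway_namespaces` / `pm4ml_istio_wildcard_gateway_names` / `pm4ml_istio_gateway_names` variables all carry the copy-pasted description `"fqdns for pm4ml portal"`, which is wrong for all of them, and none of the new per-pm4ml map variables (`portal_fqdns`, `admin_portal_fqdns`, `experience_api_fqdns`, and the rest) declares a `type`; `type = map(string)` with an accurate description would reject a mis-shaped value at plan time rather than at the `[each.key]` lookup. The locals hunk that removes the derived maps begins two lines earlier and is cut by the chunk boundary.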
@@ -82,6 +82,14 @@ variable "kv_path" { default = "secret" } +variable "external_interop_switch_fqdn" { + description = "fqdn for interop ext" +} + +variable "internal_interop_switch_fqdn" { + description = "fqdn for interop int" +} + variable "internal_ingress_class_name" { type = string description = "nginx_internal_namespace" @@ -145,11 +153,11 @@ variable "vault_namespace" { description = "vault_namespace" } variable "cert_manager_namespace" { - type = string + type = string description = "cert_manager_namespace" } variable "vault_certman_secretname" { description = "secret name to create for tls offloading via certmanager" type = string default = "vault-tls-cert" -} +} \ No newline at end of file diff --git a/terraform/gitops/pm4ml/vault-pki-setup.tf b/terraform/gitops/pm4ml/vault-pki-setup.tf index 9708709fd..458965e68 100644 --- a/terraform/gitops/pm4ml/vault-pki-setup.tf +++ b/terraform/gitops/pm4ml/vault-pki-setup.tf @@ -8,6 +8,7 @@ module "generate_vault_pki_setup_files" { cert_manager_service_account_name = var.cert_manager_service_account_name gitlab_project_url = var.gitlab_project_url cert_manager_cluster_issuer_role_name = var.cert_manager_cluster_issuer_role_name + interop_switch_fqdn = var.external_interop_switch_fqdn vault_root_ca_name = var.vault_root_ca_name pki_server_cert_role = var.pki_server_cert_role pki_client_cert_role = var.pki_client_cert_role @@ -23,8 +24,8 @@ module "generate_vault_pki_setup_files" { } locals { - vault_pki_template_path = "${path.module}/../generate-files/templates/vault-pki-setup" - vault_pki_app_file = "vault-pki-app.yaml" + vault_pki_template_path = "${path.module}/../generate-files/templates/vault-pki-setup" + vault_pki_app_file = "vault-pki-app.yaml" } @@ -76,4 +77,4 @@ variable "vault_pki_sync_wave" { variable "local_vault_kv_root_path" { description = "vault kv secret root" type = string -} +} \ No newline at end of file 
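Review bot: The `-}` / `+}` hunks on pm4ml/variables.tf and pm4ml/vault-pki-setup.tf change nothing but strip the file's trailing newline, as the `\ No newline at end of file` markers show; that is a formatting regression that `terraform fmt` will undo on the next touch and that will appear as noise in every later diff of those files. Restore the final newline before merging. The `cert_manager_namespace` hunk likewise appears to change only the alignment whitespace of `type = string`.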
diff --git a/terraform/gitops/vnext/mcm.tf b/terraform/gitops/vnext/mcm.tf
index d8876fc3d..34db4050f 100644
--- a/terraform/gitops/vnext/mcm.tf
+++ b/terraform/gitops/vnext/mcm.tf
@@ -8,10 +8,10 @@ module "generate_mcm_files" {
   db_schema = module.vnext_stateful_resources.stateful_resources[local.mcm_resource_index].logical_service_config.database_name
   db_port = module.vnext_stateful_resources.stateful_resources[local.mcm_resource_index].logical_service_config.logical_service_port
   db_host = "${module.vnext_stateful_resources.stateful_resources[local.mcm_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local"
-  mcm_fqdn = local.mcm_fqdn
-  mcm_istio_gateway_namespace = local.mcm_istio_gateway_namespace
-  mcm_istio_wildcard_gateway_name = local.mcm_istio_wildcard_gateway_name
-  mcm_istio_gateway_name = local.mcm_istio_gateway_name
+  mcm_fqdn = var.mcm_fqdn
+  mcm_istio_gateway_namespace = var.mcm_istio_gateway_namespace
+  mcm_istio_wildcard_gateway_name = var.mcm_istio_wildcard_gateway_name
+  mcm_istio_gateway_name = var.mcm_istio_gateway_name
   fspiop_use_ory_for_auth = var.fspiop_use_ory_for_auth
   env_name = var.cluster_name
   env_cn = var.public_subdomain
@@ -34,7 +34,7 @@ module "generate_mcm_files" {
   public_subdomain = var.public_subdomain
   enable_oidc = var.enable_mcm_oidc
   mcm_sync_wave = var.mcm_sync_wave
-  ingress_class = try(var.app_var_map.mcm_ingress_internal_lb, false) ? var.internal_ingress_class_name : var.external_ingress_class_name
+  ingress_class = var.mcm_ingress_internal_lb ? var.internal_ingress_class_name : var.external_ingress_class_name
   istio_create_ingress_gateways = var.istio_create_ingress_gateways
   pki_path = var.vault_root_ca_name
   dfsp_client_cert_bundle = local.dfsp_client_cert_bundle
@@ -60,7 +60,7 @@ module "generate_mcm_files" {
   mcm_wildcard_gateway = local.mcm_wildcard_gateway
   istio_external_gateway_name = var.istio_external_gateway_name
   private_network_cidr = var.private_network_cidr
-  interop_switch_fqdn = local.external_interop_switch_fqdn
+  interop_switch_fqdn = var.external_interop_switch_fqdn
   keycloak_fqdn = var.keycloak_fqdn
   keycloak_dfsp_realm_name = var.keycloak_dfsp_realm_name
   keycloak_hubop_realm_name = var.keycloak_hubop_realm_name
@@ -77,7 +77,7 @@ module "generate_mcm_files" {
   internal_load_balancer_dns = var.internal_load_balancer_dns
   external_load_balancer_dns = var.external_load_balancer_dns
   istio_internal_gateway_name = var.istio_internal_gateway_name
-  int_interop_switch_fqdn = local.internal_interop_switch_fqdn
+  int_interop_switch_fqdn = var.internal_interop_switch_fqdn
   mojaloop_namespace = var.vnext_namespace
   mojaloop_release_name = var.vnext_release_name
   onboarding_collection_tag = var.app_var_map.onboarding_collection_tag
@@ -99,6 +99,11 @@ variable "mcm_enabled" {
   type = bool
   default = true
 }
+variable "mcm_ingress_internal_lb" {
+  type = bool
+  description = "mcm_ingress_internal_lb"
+  default = false
+}
 variable "enable_mcm_oidc" {
   type = bool
   default = false
@@ -205,6 +210,26 @@ variable "keycloak_namespace" {
   description = "namespace of keycloak in which to create realm"
 }
 
+variable "mcm_fqdn" {
+  type = string
+  description = "hostname for mcm"
+}
+
+variable "mcm_istio_wildcard_gateway_name" {
+  type = string
+  default = ""
+}
+
+variable "mcm_istio_gateway_namespace" {
+  type = string
+  default = ""
+}
+
+variable "mcm_istio_gateway_name" {
+  type = string
+  default = ""
+}
+
 variable "fspiop_use_ory_for_auth" {
   type = bool
 }
@@ -213,13 +238,8 @@ locals {
   mcm_template_path = "${path.module}/../generate-files/templates/mcm"
   mcm_app_file = "mcm-app.yaml"
   mcm_resource_index = index(module.vnext_stateful_resources.stateful_resources.*.resource_name, "mcm-db")
-  mcm_wildcard_gateway = try(var.app_var_map.mcm_ingress_internal_lb, false) ? "internal" : "external"
+  mcm_wildcard_gateway = var.mcm_ingress_internal_lb ? "internal" : "external"
   dfsp_client_cert_bundle = "${local.onboarding_secret_path}_pm4mls"
   dfsp_internal_whitelist_secret = "${local.whitelist_secret_path}_pm4mls"
   dfsp_external_whitelist_secret = "${local.whitelist_secret_path}_fsps"
-
-  mcm_fqdn = local.mcm_wildcard_gateway == "external" ? "mcm.${var.public_subdomain}" : "mcm.${var.private_subdomain}"
-  mcm_istio_gateway_namespace = local.mcm_wildcard_gateway == "external" ? var.istio_external_gateway_namespace : var.istio_internal_gateway_namespace
-  mcm_istio_wildcard_gateway_name = local.mcm_wildcard_gateway == "external" ? var.istio_external_wildcard_gateway_name : var.istio_internal_wildcard_gateway_name
-  mcm_istio_gateway_name = local.mcm_wildcard_gateway == "external" ? var.istio_external_gateway_name : var.istio_internal_gateway_name
 }
diff --git a/terraform/gitops/vnext/variables.tf b/terraform/gitops/vnext/variables.tf
index dc4e5bbec..8a00055c3 100644
--- a/terraform/gitops/vnext/variables.tf
+++ b/terraform/gitops/vnext/variables.tf
@@ -82,6 +82,14 @@ variable "kv_path" {
   default = "secret"
 }
 
+variable "external_interop_switch_fqdn" {
+  description = "fqdn for interop ext"
+}
+
+variable "internal_interop_switch_fqdn" {
+  description = "fqdn for interop int"
+}
+
 variable "internal_ingress_class_name" {
   type = string
   description = "nginx_internal_namespace"
diff --git a/terraform/gitops/vnext/vault-pki-setup.tf b/terraform/gitops/vnext/vault-pki-setup.tf
index f27754b11..6bfc8c0da 100644
--- a/terraform/gitops/vnext/vault-pki-setup.tf
+++ b/terraform/gitops/vnext/vault-pki-setup.tf
@@ -9,6 +9,7 @@ module "generate_vault_pki_setup_files" {
   cert_manager_service_account_name = var.cert_manager_service_account_name
   gitlab_project_url = var.gitlab_project_url
   cert_manager_cluster_issuer_role_name = var.cert_manager_cluster_issuer_role_name
+  interop_switch_fqdn = var.external_interop_switch_fqdn
   vault_root_ca_name = var.vault_root_ca_name
   pki_server_cert_role = var.pki_server_cert_role
   pki_client_cert_role = var.pki_client_cert_role
diff --git a/terraform/gitops/vnext/vnext.tf b/terraform/gitops/vnext/vnext.tf
index ebc65134d..0ed75320f 100644
--- a/terraform/gitops/vnext/vnext.tf
+++ b/terraform/gitops/vnext/vnext.tf
@@ -7,8 +7,8 @@ module "generate_vnext_files" {
   vnext_chart_version = try(var.app_var_map.vnext_chart_version, var.vnext_chart_version)
   vnext_release_name = var.vnext_release_name
   vnext_namespace = var.vnext_namespace
-  interop_switch_fqdn = local.external_interop_switch_fqdn
-  int_interop_switch_fqdn = local.internal_interop_switch_fqdn
+  interop_switch_fqdn = var.external_interop_switch_fqdn
+  int_interop_switch_fqdn = var.internal_interop_switch_fqdn
   storage_class_name = var.storage_class_name
   vnext_sync_wave = var.vnext_sync_wave
   vault_certman_secretname = var.vault_certman_secretname
@@ -22,10 +22,10 @@ module "generate_vnext_files" {
 vnext_wildcard_gateway = local.vnext_wildcard_gateway
 keycloak_fqdn = var.keycloak_fqdn
 keycloak_realm_name = var.keycloak_hubop_realm_name
- ttk_frontend_fqdn = local.ttk_frontend_fqdn
- ttk_backend_fqdn = local.ttk_backend_fqdn
- ttk_istio_wildcard_gateway_name = local.ttk_istio_wildcard_gateway_name
- ttk_istio_gateway_namespace = local.ttk_istio_gateway_namespace
+ ttk_frontend_fqdn = var.ttk_frontend_fqdn
+ ttk_backend_fqdn = var.ttk_backend_fqdn
+ ttk_istio_wildcard_gateway_name = var.ttk_istio_wildcard_gateway_name
+ ttk_istio_gateway_namespace = var.ttk_istio_gateway_namespace
 kafka_host = "${module.vnext_stateful_resources.stateful_resources[local.vnext_kafka_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local"
 kafka_port = module.vnext_stateful_resources.stateful_resources[local.vnext_kafka_resource_index].logical_service_config.logical_service_port
 redis_host = "${module.vnext_stateful_resources.stateful_resources[local.vnext_redis_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local"
@@ -46,6 +46,7 @@ module "generate_vnext_files" {
 keto_read_url = "http://keto-read.${var.ory_namespace}.svc.cluster.local:80"
 keto_write_url = "http://keto-write.${var.ory_namespace}.svc.cluster.local:80"
 kratos_service_name = "kratos-public.${var.ory_namespace}.svc.cluster.local"
+ portal_fqdn = var.finance_portal_fqdn
 finance_portal_release_name = "fin-portal"
 finance_portal_chart_version = try(var.app_var_map.finance_portal_chart_version, var.finance_portal_chart_version)
 oathkeeper_auth_provider_name = var.oathkeeper_auth_provider_name
@@ -63,9 +64,9 @@ module "generate_vnext_files" {
 jws_rotation_renew_before_hours = try(var.app_var_map.jws_rotation_renew_before_hours, var.jws_rotation_renew_before_hours)
 jws_rotation_period_hours = try(var.app_var_map.jws_rotation_period_hours, var.jws_rotation_period_hours)
 mcm_hub_jws_endpoint = "http://mcm-connection-manager-api.${var.mcm_namespace}.svc.cluster.local:3001/api/hub/jwscerts"
- vnext_admin_ui_fqdn = local.vnext_admin_ui_fqdn
- vnext_istio_gateway_namespace = local.vnext_istio_gateway_namespace
- vnext_istio_wildcard_gateway_name = local.vnext_istio_wildcard_gateway_name
+ vnext_admin_ui_fqdn = var.vnext_admin_ui_fqdn
+ vnext_istio_gateway_namespace = var.vnext_istio_gateway_namespace
+ vnext_istio_wildcard_gateway_name = var.vnext_istio_wildcard_gateway_name
 }
 file_list = [for f in fileset(local.vnext_template_path, "**/*.tpl") : trimsuffix(f, ".tpl") if !can(regex(local.vnext_app_file, f))]
 template_path = local.vnext_template_path
@@ -76,24 +77,14 @@ module "generate_vnext_files" {
 locals {
- vnext_wildcard_gateway = try(var.app_var_map.vnext_ingress_internal_lb, true) ? "internal" : "external"
- vnext_admin_ui_fqdn = local.vnext_wildcard_gateway == "external" ? "vnext-admin.${var.public_subdomain}" : "vnext-admin.${var.private_subdomain}"
- vnext_istio_gateway_namespace = local.vnext_wildcard_gateway == "external" ? var.istio_external_gateway_namespace : var.istio_internal_gateway_namespace
- vnext_istio_wildcard_gateway_name = local.vnext_wildcard_gateway == "external" ? var.istio_external_wildcard_gateway_name : var.istio_internal_wildcard_gateway_name
-
- ttk_frontend_fqdn = local.vnext_wildcard_gateway == "external" ? "ttkfrontend.${var.public_subdomain}" : "ttkfrontend.${var.private_subdomain}"
- ttk_backend_fqdn = local.vnext_wildcard_gateway == "external" ? "ttkbackend.${var.public_subdomain}" : "ttkbackend.${var.private_subdomain}"
- ttk_istio_wildcard_gateway_name = local.vnext_wildcard_gateway == "external" ? var.istio_external_wildcard_gateway_name : var.istio_internal_wildcard_gateway_name
- ttk_istio_gateway_namespace = local.vnext_wildcard_gateway == "external" ? var.istio_external_gateway_namespace : var.istio_internal_gateway_namespace
- external_interop_switch_fqdn = "extapi.${var.public_subdomain}"
- internal_interop_switch_fqdn = "intapi.${var.private_subdomain}"
- vnext_template_path = "${path.module}/../generate-files/templates/vnext"
- vnext_app_file = "vnext-app.yaml"
- vnext_kafka_resource_index = index(module.vnext_stateful_resources.stateful_resources.*.resource_name, "vnext-kafka")
- vnext_redis_resource_index = index(module.vnext_stateful_resources.stateful_resources.*.resource_name, "vnext-redis")
- vnext_mongodb_resource_index = index(module.vnext_stateful_resources.stateful_resources.*.resource_name, "vnext-mongodb")
- apiResources = yamldecode(file(var.rbac_api_resources_file))
- jws_key_secret = "switch-jws"
+ vnext_template_path = "${path.module}/../generate-files/templates/vnext"
+ vnext_app_file = "vnext-app.yaml"
+ vnext_kafka_resource_index = index(module.vnext_stateful_resources.stateful_resources.*.resource_name, "vnext-kafka")
+ vnext_redis_resource_index = index(module.vnext_stateful_resources.stateful_resources.*.resource_name, "vnext-redis")
+ vnext_mongodb_resource_index = index(module.vnext_stateful_resources.stateful_resources.*.resource_name, "vnext-mongodb")
+ vnext_wildcard_gateway = var.vnext_ingress_internal_lb ? "internal" : "external"
+ apiResources = yamldecode(file(var.rbac_api_resources_file))
+ jws_key_secret = "switch-jws"
 }
 variable "app_var_map" {
@@ -105,6 +96,12 @@ variable "vnext_enabled" {
 default = true
 }
+variable "vnext_ingress_internal_lb" {
+ type = bool
+ description = "vnext_ingress_internal_lb"
+ default = true
+}
+
 variable "vnext_chart_repo" {
 description = "repo for vnext charts"
 type = string
@@ -138,6 +135,17 @@ variable "vnext_sync_wave" {
 default = "0"
 }
+variable "ttk_frontend_fqdn" {
+ type = string
+}
+variable "ttk_backend_fqdn" {
+ type = string
+}
+
+variable "vnext_admin_ui_fqdn" {
+ type = string
+}
+
 variable "auth_fqdn" {
 type = string
 }
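Review bot: The new `ttk_frontend_fqdn`, `ttk_backend_fqdn` and `vnext_admin_ui_fqdn` variables carry no description, and `vnext_ingress_internal_lb` describes itself only by repeating its name; the locals they replace (removed at the top of this hunk) tied each FQDN to `vnext_wildcard_gateway` and the matching subdomain, whereas now nothing connects a caller-supplied FQDN to the gateway it will presumably be published on. Say so where the caller will read it, e.g. `description = "FQDN for the vNext admin UI; must be under the subdomain served by the gateway selected via vnext_ingress_internal_lb"`, and give `vnext_ingress_internal_lb` a description that states the effect (`"publish vNext on the internal (private) Istio gateway instead of the external one"`). The `ttk_frontend_fqdn` and `ttk_backend_fqdn` blocks are also not separated by a blank line, unlike every neighbouring `variable` block.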
@@ -145,6 +153,10 @@ variable "ory_namespace" {
 type = string
 }
+variable "finance_portal_fqdn" {
+ type = string
+}
+
 variable "bof_release_name" {
 type = string
 }
@@ -191,3 +203,23 @@ variable "ttk_gp_testcase_labels" {
 type = string
 default = "p2p"
 }
+
+variable "ttk_istio_wildcard_gateway_name" {
+ type = string
+ default = ""
+}
+
+variable "ttk_istio_gateway_namespace" {
+ type = string
+ default = ""
+}
+
+variable "vnext_istio_wildcard_gateway_name" {
+ type = string
+ default = ""
+}
+
+variable "vnext_istio_gateway_namespace" {
+ type = string
+ default = ""
+}
\ No newline at end of file
diff --git a/terraform/k8s/default-config/common-vars.yaml b/terraform/k8s/default-config/common-vars.yaml
index ec6c54b67..11ba4b20c 100644
--- a/terraform/k8s/default-config/common-vars.yaml
+++ b/terraform/k8s/default-config/common-vars.yaml
@@ -34,5 +34,4 @@ prometheus_retention_period: 10d
 istio_egress_gateway_max_replicas: 5
 microk8s_version: 1.29/stable
 alertmanager_enabled: false
-istio_proxy_log_level: warn
 longhorn_backup_job_enabled: true
diff --git a/terraform/k8s/default-config/mojaloop-values-override.yaml b/terraform/k8s/default-config/mojaloop-values-override.yaml
deleted file mode 100644
index b25990de3..000000000
--- a/terraform/k8s/default-config/mojaloop-values-override.yaml
+++ /dev/null
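Review bot: The four `ttk_istio_*` / `vnext_istio_*` variables added at `@@ -191,3 +203,23 @@` default to `""`, so a caller that omits them gets an empty gateway name or namespace rendered into the templates instead of a plan-time error; the locals they replace (removed earlier in this file at `@@ -76,24 +77,14 @@`) always resolved to one of the real gateway values. Drop the defaults so Terraform requires the inputs, or add a `validation` block per variable asserting `length(var.ttk_istio_wildcard_gateway_name) > 0` with an error message naming the variable. A description on each would also help, since "wildcard gateway name" and "gateway namespace" are only meaningful to someone who knows the Istio layout. The file now ends without a trailing newline after the last `}`.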
@@ -1,216 +0,0 @@ -account-lookup-service: - account-lookup-service: - replicaCount: 12 - config: - event_log_filter: "" - readinessProbe: - initialDelaySeconds: 5 - livenessProbe: - initialDelaySeconds: 5 - sidecar: - readinessProbe: - initialDelaySeconds: 5 - livenessProbe: - initialDelaySeconds: 5 - account-lookup-service-admin: - replicaCount: 1 -quoting-service: - quoting-service: - replicaCount: 4 - config: - event_log_filter: "" - readinessProbe: - initialDelaySeconds: 5 - livenessProbe: - initialDelaySeconds: 5 - sidecar: - readinessProbe: - initialDelaySeconds: 5 - livenessProbe: - initialDelaySeconds: 5 - quoting-service-handler: - replicaCount: 12 - config: - event_log_filter: "" - readinessProbe: - initialDelaySeconds: 5 - livenessProbe: - initialDelaySeconds: 5 - sidecar: - readinessProbe: - initialDelaySeconds: 5 - livenessProbe: - initialDelaySeconds: 5 -ml-api-adapter: - ml-api-adapter-service: - replicaCount: 4 - config: - event_log_filter: "" - ml-api-adapter-handler-notification: - replicaCount: 12 - config: - event_log_filter: "" -centralledger: - centralledger-service: - replicaCount: 8 - config: - event_log_filter: "" - readinessProbe: - initialDelaySeconds: 5 - livenessProbe: - initialDelaySeconds: 5 - sidecar: - readinessProbe: - initialDelaySeconds: 5 - livenessProbe: - initialDelaySeconds: 5 - centralledger-handler-transfer-prepare: - replicaCount: 12 - config: - event_log_filter: "" - readinessProbe: - initialDelaySeconds: 5 - livenessProbe: - initialDelaySeconds: 5 - sidecar: - readinessProbe: - initialDelaySeconds: 5 - livenessProbe: - initialDelaySeconds: 5 - centralledger-handler-transfer-position: - replicaCount: 8 - config: - event_log_filter: "" - readinessProbe: - initialDelaySeconds: 5 - livenessProbe: - initialDelaySeconds: 5 - sidecar: - readinessProbe: - initialDelaySeconds: 5 - livenessProbe: - initialDelaySeconds: 5 - centralledger-handler-transfer-position-batch: - replicaCount: 12 - config: - event_log_filter: "" - 
readinessProbe: - initialDelaySeconds: 5 - livenessProbe: - initialDelaySeconds: 5 - sidecar: - readinessProbe: - initialDelaySeconds: 5 - livenessProbe: - initialDelaySeconds: 5 - centralledger-handler-transfer-get: - replicaCount: 1 - config: - event_log_filter: "" - readinessProbe: - initialDelaySeconds: 5 - livenessProbe: - initialDelaySeconds: 5 - sidecar: - readinessProbe: - initialDelaySeconds: 5 - livenessProbe: - initialDelaySeconds: 5 - centralledger-handler-transfer-fulfil: - replicaCount: 12 - config: - event_log_filter: "" - readinessProbe: - initialDelaySeconds: 5 - livenessProbe: - initialDelaySeconds: 5 - sidecar: - readinessProbe: - initialDelaySeconds: 5 - livenessProbe: - initialDelaySeconds: 5 - centralledger-handler-timeout: - config: - event_log_filter: "" - readinessProbe: - initialDelaySeconds: 5 - livenessProbe: - initialDelaySeconds: 5 - sidecar: - readinessProbe: - initialDelaySeconds: 5 - livenessProbe: - initialDelaySeconds: 5 - centralledger-handler-admin-transfer: - replicaCount: 1 - readinessProbe: - initialDelaySeconds: 5 - livenessProbe: - initialDelaySeconds: 5 - sidecar: - readinessProbe: - initialDelaySeconds: 5 - livenessProbe: - initialDelaySeconds: 5 -centralsettlement: - centralsettlement-service: - replicaCount: 1 - config: - event_log_filter: "" - centralsettlement-handler-deferredsettlement: - replicaCount: 1 - config: - event_log_filter: "" - centralsettlement-handler-grosssettlement: - replicaCount: 1 - config: - event_log_filter: "" - centralsettlement-handler-rules: - replicaCount: 1 - config: - event_log_filter: "" -transaction-requests-service: - replicaCount: 4 - readinessProbe: - initialDelaySeconds: 5 - livenessProbe: - initialDelaySeconds: 5 - sidecar: - readinessProbe: - initialDelaySeconds: 5 - livenessProbe: - initialDelaySeconds: 5 -thirdparty: - auth-svc: - replicaCount: 1 - consent-oracle: - replicaCount: 1 - tp-api-svc: - replicaCount: 1 -mojaloop-bulk: - bulk-api-adapter: - bulk-api-adapter-service: - 
replicaCount: 1 - config: - event_log_filter: "" - bulk-api-adapter-handler-notification: - replicaCount: 1 - config: - event_log_filter: "" - bulk-centralledger: - cl-handler-bulk-transfer-prepare: - replicaCount: 1 - config: - event_log_filter: "" - cl-handler-bulk-transfer-fulfil: - replicaCount: 1 - config: - event_log_filter: "" - cl-handler-bulk-transfer-processing: - replicaCount: 1 - config: - event_log_filter: "" - cl-handler-bulk-transfer-get: - replicaCount: 1 - config: - event_log_filter: "" diff --git a/terraform/k8s/default-config/mojaloop-vars.yaml b/terraform/k8s/default-config/mojaloop-vars.yaml index bd62df7e4..d1f38bf19 100644 --- a/terraform/k8s/default-config/mojaloop-vars.yaml +++ b/terraform/k8s/default-config/mojaloop-vars.yaml 
@@ -4,6 +4,34 @@ mcm_chart_version: 0.7.7
 mojaloop_chart_version: 16.0.0
 mcm_ingress_internal_lb: false
 mojaloop_ingress_internal_lb: true
+#replica counts
+account_lookup_service_replica_count: 1
+account_lookup_service_admin_replica_count: 1
+quoting_service_replica_count: 1
+quoting_service_handler_replica_count: 1
+ml_api_adapter_service_replica_count: 1
+ml_api_adapter_handler_notifications_replica_count: 1
+central_ledger_service_replica_count: 1
+central_ledger_handler_transfer_prepare_replica_count: 1
+central_ledger_handler_transfer_position_replica_count: 1
+central_ledger_handler_transfer_position_batch_replica_count: 1
+central_ledger_handler_transfer_get_replica_count: 1
+central_ledger_handler_transfer_fulfil_replica_count: 1
+central_ledger_handler_admin_transfer_replica_count: 1
+central_settlement_service_replica_count: 1
+central_settlement_handler_deferredsettlement_replica_count: 1
+central_settlement_handler_grosssettlement_replica_count: 1
+central_settlement_handler_rules_replica_count: 1
+trasaction_requests_service_replica_count: 1
+auth_service_replica_count: 1
+consent_oracle_replica_count: 1
+tp_api_svc_replica_count: 1
+bulk_api-adapter_service_replica_count: 1
+bulk_api_adapter_handler_notification_replica_count: 1
+cl_handler_bulk_transfer_prepare_replica_count: 1
+cl_handler_bulk_transfer_fulfil_replica_count: 1
+cl_handler_bulk_transfer_processing_replica_count: 1
+cl_handler_bulk_transfer_get_replica_count: 1
 onboarding_collection_tag: 15.2.0
 grafana_dashboard_tag: 15.2.0
 enable_istio_injection: true
diff --git a/terraform/k8s/gitops-build/terragrunt.hcl b/terraform/k8s/gitops-build/terragrunt.hcl
index 0d23bbdad..0d02611e3 100644
--- a/terraform/k8s/gitops-build/terragrunt.hcl
+++ b/terraform/k8s/gitops-build/terragrunt.hcl
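Review bot: Two of the new keys break the naming pattern the other twenty-five follow: `trasaction_requests_service_replica_count` is missing the `n` of "transaction", and `bulk_api-adapter_service_replica_count` has a hyphen where every other key uses underscores. The template that consumes these values is not in this diff; if it looks up `transaction_requests_service_replica_count` and `bulk_api_adapter_service_replica_count`, both settings are silently ignored and the chart's own replica default applies, which is exactly the kind of drift a defaults file is meant to prevent. Rename both, and give the header comment the conventional space: `# replica counts`.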
@@ -2,6 +2,7 @@ terraform {
 source = "git::https://github.com/mojaloop/iac-modules.git//terraform/gitops/k8s-cluster-config?ref=${get_env("iac_terraform_modules_tag")}"
 }
+
 include "root" {
 path = find_in_parent_folders()
 }
@@ -14,7 +15,7 @@ dependency "k8s_store_config" {
 dependency "k8s_deploy" {
 config_path = "../k8s-deploy"
 mock_outputs = {
- nat_public_ips = [""]
+ nat_public_ips = [""]
 internal_load_balancer_dns = ""
 external_load_balancer_dns = ""
 private_subdomain = ""
@@ -62,7 +63,6 @@ inputs = {
 stateful_resources_config_file = find_in_parent_folders("${get_env("CONFIG_PATH")}/common-stateful-resources.json")
 mojaloop_stateful_resources_config_file = find_in_parent_folders("${get_env("CONFIG_PATH")}/mojaloop-stateful-resources.json")
 vnext_stateful_resources_config_file = find_in_parent_folders("${get_env("CONFIG_PATH")}/vnext-stateful-resources.json")
- mojaloop_values_override_file = find_in_parent_folders("${get_env("CONFIG_PATH")}/mojaloop-values-override.yaml", "mojaloop-values-override.yaml")
 current_gitlab_project_id = local.GITLAB_CURRENT_PROJECT_ID
 gitlab_group_name = local.GITLAB_CURRENT_GROUP_NAME
 gitlab_api_url = local.GITLAB_API_URL
From 22927550457e083c7a228afde605a3b7aee7886d Mon Sep 17 00:00:00 2001
From: David Fry Date: Fri, 19 Apr 2024 19:07:01 +0200 Subject: [PATCH 114/201] New PR Feature/refactor appdeploy (#236) * update configs for performance * update configs for performance * first draft patch kustomization * cleanup naming * add istio log config * rm values from default * app-deploy refactoring * fix: scale account lookup service * Removing unwanted variable assignments * Removing unwanted variable definition * Including variable finanace_portal_ingress_internal_lb in vnext * removing fin portal fqdn * Removing fin_portal assignment in vnext * Removing the var definition * Removing the var definition from mojaloop * Moving pm4ml_keycloak_realm_env_secret_map * Removing local var definition from app deploy * Removing duplicate pm4ml_var_map * Fixing variable issues * removing the first two from allowedurllist * rm interop vars not needed anymore * Removing the commented line * cleanup internal/external lb vars * rm bad merge * add mojaloop-values-override.yaml --------- Co-authored-by: Kalin Krustev Co-authored-by: Sijo George Co-authored-by: Sijo George <87609749+sijo5722-2021@users.noreply.github.com> --- .../.gitlab/scripts/config-merge.sh | 2 +- .../istio-main/values-istio-istiod.yaml.tpl | 4 +- .../templates/mojaloop/kustomization.yaml.tpl | 1 + .../values-mojaloop-override.yaml.tpl | 1 + .../mojaloop/values-mojaloop.yaml.tpl | 54 ----- .../templates/ory/values-kratos.yaml.tpl | 7 +- .../gitops/k8s-cluster-config/app-deploy.tf | 134 +---------- terraform/gitops/k8s-cluster-config/istio.tf | 3 + .../gitops/k8s-cluster-config/keycloak.tf | 20 ++ terraform/gitops/k8s-cluster-config/ory.tf | 8 +- terraform/gitops/mojaloop/mcm.tf | 49 ++-- terraform/gitops/mojaloop/mojaloop.tf | 95 ++++---- terraform/gitops/mojaloop/variables.tf | 9 - terraform/gitops/mojaloop/vault-pki-setup.tf | 5 +- terraform/gitops/pm4ml/pm4ml.tf | 87 +++---- terraform/gitops/pm4ml/variables.tf | 14 +- terraform/gitops/pm4ml/vault-pki-setup.tf | 7 +- terraform/gitops/vnext/mcm.tf | 
46 ++-- terraform/gitops/vnext/variables.tf | 8 - terraform/gitops/vnext/vault-pki-setup.tf | 1 - terraform/gitops/vnext/vnext.tf | 86 +++---- terraform/k8s/default-config/common-vars.yaml | 1 + .../mojaloop-values-override.yaml | 216 ++++++++++++++++++ .../k8s/default-config/mojaloop-vars.yaml | 28 --- terraform/k8s/gitops-build/terragrunt.hcl | 4 +- 25 files changed, 405 insertions(+), 485 deletions(-) create mode 100644 terraform/gitops/generate-files/templates/mojaloop/values-mojaloop-override.yaml.tpl create mode 100644 terraform/k8s/default-config/mojaloop-values-override.yaml
diff --git a/terraform/gitlab/ci-templates/k8s-cluster/.gitlab/scripts/config-merge.sh b/terraform/gitlab/ci-templates/k8s-cluster/.gitlab/scripts/config-merge.sh
index ca7117f2b..ead45e9fd 100755
--- a/terraform/gitlab/ci-templates/k8s-cluster/.gitlab/scripts/config-merge.sh
+++ b/terraform/gitlab/ci-templates/k8s-cluster/.gitlab/scripts/config-merge.sh
@@ -1,5 +1,5 @@
 mkdir -p $CONFIG_PATH
-for configFile in {'aws-vars.yaml','cluster-config.yaml','common-vars.yaml','mojaloop-rbac-permissions.yaml','mojaloop-vars.yaml','pm4ml-vars.yaml','bare-metal-vars.yaml','pm4ml-rbac-permissions.yaml','mojaloop-stateful-resources.json','common-stateful-resources.json','mojaloop-rbac-api-resources.yaml','vnext-vars.yaml','vnext-stateful-resources.json','addons-vars.yaml'};
+for configFile in {'aws-vars.yaml','cluster-config.yaml','common-vars.yaml','mojaloop-rbac-permissions.yaml','mojaloop-vars.yaml','pm4ml-vars.yaml','bare-metal-vars.yaml','pm4ml-rbac-permissions.yaml','mojaloop-stateful-resources.json','common-stateful-resources.json','mojaloop-rbac-api-resources.yaml','vnext-vars.yaml','vnext-stateful-resources.json','addons-vars.yaml','mojaloop-values-override.yaml'};
 do
 echo $configFile
 python3 .gitlab/scripts/dictmerge.py default-config/$configFile custom-config/$configFile $CONFIG_PATH;
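Review bot: The new entry is appended to a single brace-expansion list that now runs to fifteen quoted names on one line, so the actual change is hard to pick out in review and the next addition will be just as opaque; a one-name-per-line array keeps future diffs to a single added line. While touching the loop, the body (context lines here, unchanged by the commit) expands `$configFile` and `$CONFIG_PATH` unquoted — none of the current names contain whitespace, but quoting costs nothing and removes a class of surprises if `CONFIG_PATH` ever does. The `done` that closes the loop is outside this hunk.

```shell
config_files=(
  'aws-vars.yaml'
  # … unchanged: the other twelve existing entries, one per line …
  'addons-vars.yaml'
  'mojaloop-values-override.yaml'
)
for configFile in "${config_files[@]}";
do
  echo "$configFile"
  python3 .gitlab/scripts/dictmerge.py "default-config/$configFile" "custom-config/$configFile" "$CONFIG_PATH";
```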
diff --git a/terraform/gitops/generate-files/templates/istio/istio-main/values-istio-istiod.yaml.tpl b/terraform/gitops/generate-files/templates/istio/istio-main/values-istio-istiod.yaml.tpl
index b98c95c30..987206643 100644
--- a/terraform/gitops/generate-files/templates/istio/istio-main/values-istio-istiod.yaml.tpl
+++ b/terraform/gitops/generate-files/templates/istio/istio-main/values-istio-istiod.yaml.tpl
@@ -309,7 +309,7 @@ global:
 # Per Component log level for proxy, applies to gateways and sidecars. If a component level is
 # not set, then the global "logLevel" will be used.
- componentLogLevel: "misc:debug"
+ componentLogLevel: "misc:${istio_proxy_log_level}"
 # If set, newly injected sidecars will have core dumps enabled.
 enableCoreDump: false
@@ -332,7 +332,7 @@ global:
 # Log level for proxy, applies to gateways and sidecars.
 # Expected values are: trace|debug|info|warning|error|critical|off
- logLevel: debug
+ logLevel: ${istio_proxy_log_level}
 #If set to true, istio-proxy container will have privileged securityContext
 privileged: false
diff --git a/terraform/gitops/generate-files/templates/mojaloop/kustomization.yaml.tpl b/terraform/gitops/generate-files/templates/mojaloop/kustomization.yaml.tpl
index 1f073aa27..480bf6371 100644
--- a/terraform/gitops/generate-files/templates/mojaloop/kustomization.yaml.tpl
+++ b/terraform/gitops/generate-files/templates/mojaloop/kustomization.yaml.tpl
@@ -16,6 +16,7 @@ helmCharts:
 valuesFile: values-mojaloop.yaml
 namespace: ${mojaloop_namespace}
 additionalValuesFiles:
+ - values-mojaloop-override.yaml
 - values-mojaloop-addons.yaml
 - name: finance-portal
 releaseName: ${finance_portal_release_name}
diff --git a/terraform/gitops/generate-files/templates/mojaloop/values-mojaloop-override.yaml.tpl b/terraform/gitops/generate-files/templates/mojaloop/values-mojaloop-override.yaml.tpl
new file mode 100644
index 000000000..42d51bf36
--- /dev/null
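Review bot: `logLevel: ${istio_proxy_log_level}` in the second istiod hunk (`@@ -332,7 +332,7 @@`) is an unquoted templated scalar, and the comment directly above it lists `off` as a valid value; under the YAML 1.1 rules most Helm/Go loaders apply, `logLevel: off` parses as the boolean `false` rather than the string `off`, and an unset or empty variable leaves `logLevel:` as null. The `componentLogLevel` line in the first hunk is already quoted, so match it: `logLevel: "${istio_proxy_log_level}"`. Since `templatefile` does no value checking, a `validation` block on the `istio_proxy_log_level` variable restricted to `trace|debug|info|warning|error|critical|off` would turn a typo into a plan-time error instead of a sidecar that fails to start.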
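Review bot: `values-mojaloop-override.yaml` is inserted before `values-mojaloop-addons.yaml` in `additionalValuesFiles`; as far as I know kustomize hands these to Helm in list order and the last values file wins, so the addons file can still override anything the override file sets. If "override" is meant to have the final say — this commit moves the probe and replica settings out of values-mojaloop.yaml.tpl into it — put it last; if the addons are intended to win, a comment on the list would save the next reader the same question: `# order matters: later files override earlier ones`.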
+++ b/terraform/gitops/generate-files/templates/mojaloop/values-mojaloop-override.yaml.tpl
@@ -0,0 +1 @@
+#placeholder file for addons
\ No newline at end of file
diff --git a/terraform/gitops/generate-files/templates/mojaloop/values-mojaloop.yaml.tpl b/terraform/gitops/generate-files/templates/mojaloop/values-mojaloop.yaml.tpl
index d6d02b4bb..5ed656c12 100644
--- a/terraform/gitops/generate-files/templates/mojaloop/values-mojaloop.yaml.tpl
+++ b/terraform/gitops/generate-files/templates/mojaloop/values-mojaloop.yaml.tpl
@@ -372,15 +372,6 @@ centralledger:
 config:
 prefix: *CL_MONITORING_PREFIX
 centralledger-handler-transfer-prepare:
- readinessProbe:
- initialDelaySeconds: 5
- livenessProbe:
- initialDelaySeconds: 10
- sidecar:
- readinessProbe:
- initialDelaySeconds: 5
- livenessProbe:
- initialDelaySeconds: 10
 %{ if central_ledger_handler_transfer_prepare_affinity != null ~}
 affinity:
 ${indent(8, central_ledger_handler_transfer_prepare_affinity)}
@@ -411,15 +402,6 @@ centralledger:
 config:
 prefix: *CL_MONITORING_PREFIX
 centralledger-handler-transfer-position:
- readinessProbe:
- initialDelaySeconds: 5
- livenessProbe:
- initialDelaySeconds: 10
- sidecar:
- readinessProbe:
- initialDelaySeconds: 5
- livenessProbe:
- initialDelaySeconds: 10
 %{ if central_ledger_handler_transfer_position_affinity != null ~}
 affinity:
 ${indent(8, central_ledger_handler_transfer_position_affinity)}
@@ -450,15 +432,6 @@ centralledger:
 prefix: *CL_MONITORING_PREFIX
 centralledger-handler-transfer-position-batch:
 enabled: *CL_BATCH_PROCESSING_ENABLED
- readinessProbe:
- initialDelaySeconds: 5
- livenessProbe:
- initialDelaySeconds: 10
- sidecar:
- readinessProbe:
- initialDelaySeconds: 5
- livenessProbe:
- initialDelaySeconds: 10
 %{ if central_ledger_handler_transfer_position_batch_affinity != null ~}
 affinity:
 ${indent(8, central_ledger_handler_transfer_position_batch_affinity)}
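Review bot: The only line of the new `values-mojaloop-override.yaml.tpl` calls it a "placeholder file for addons", but the addons file is the separate `values-mojaloop-addons.yaml` listed beside it in the kustomization hunk; this template is the override file, whose real content presumably arrives through the `mojaloop_values_override_file` input added to the mojaloop module in this commit. Name what it is, with the conventional comment spacing and a trailing newline so the next edit does not show up as a changed line: `# placeholder for the mojaloop values override; content is supplied via mojaloop_values_override_file`.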
@@ -490,15 +463,6 @@ centralledger:
 config:
 prefix: *CL_MONITORING_PREFIX
 centralledger-handler-transfer-get:
- readinessProbe:
- initialDelaySeconds: 5
- livenessProbe:
- initialDelaySeconds: 10
- sidecar:
- readinessProbe:
- initialDelaySeconds: 5
- livenessProbe:
- initialDelaySeconds: 10
 %{ if central_ledger_handler_transfer_get_affinity != null ~}
 affinity:
 ${indent(8, central_ledger_handler_transfer_get_affinity)}
@@ -528,15 +492,6 @@ centralledger:
 config:
 prefix: *CL_MONITORING_PREFIX
 centralledger-handler-transfer-fulfil:
- readinessProbe:
- initialDelaySeconds: 5
- livenessProbe:
- initialDelaySeconds: 10
- sidecar:
- readinessProbe:
- initialDelaySeconds: 5
- livenessProbe:
- initialDelaySeconds: 10
 %{ if central_ledger_handler_transfer_fulfil_affinity != null ~}
 affinity:
 ${indent(8, central_ledger_handler_transfer_fulfil_affinity)}
@@ -567,15 +522,6 @@ centralledger:
 config:
 prefix: *CL_MONITORING_PREFIX
 centralledger-handler-timeout:
- readinessProbe:
- initialDelaySeconds: 5
- livenessProbe:
- initialDelaySeconds: 10
- sidecar:
- readinessProbe:
- initialDelaySeconds: 5
- livenessProbe:
- initialDelaySeconds: 10
 tolerations: *MOJALOOP_TOLERATIONS
 config:
 kafka_host: *KAFKA_HOST
diff --git a/terraform/gitops/generate-files/templates/ory/values-kratos.yaml.tpl b/terraform/gitops/generate-files/templates/ory/values-kratos.yaml.tpl
index 5e4c67e85..c6a91834d 100644
--- a/terraform/gitops/generate-files/templates/ory/values-kratos.yaml.tpl
+++ b/terraform/gitops/generate-files/templates/ory/values-kratos.yaml.tpl
@@ -86,11 +86,8 @@ kratos:
 selfservice:
 default_browser_return_url: https://${auth_fqdn}/ui/welcome
 allowed_return_urls:
- - https://${auth_fqdn}/ui
- - https://${keycloak_fqdn}
-%{ for fqdnItem in bof_managed_portal_fqdns ~}
- - https://${fqdnItem}
-%{ endfor ~}
+ - https://*.${private_subdomain}
+ - https://*.${public_subdomain}
 methods:
 password:
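Review bot: `allowed_return_urls` goes from an explicit list (the auth UI, Keycloak, and each `bof_managed_portal_fqdns` entry) to the wildcards `https://*.${private_subdomain}` and `https://*.${public_subdomain}`, so every hostname under either subdomain — including ones that exist only in DNS or belong to services outside the portal set — becomes an acceptable post-login redirect target, which widens the open-redirect surface this allowlist exists to limit. If the wildcard is needed because the portal FQDNs are no longer passed in (the template loop over `bof_managed_portal_fqdns` is removed here), consider keeping the two explicit entries alongside it or narrowing the pattern to the portal hosts, and leave a comment stating why a subdomain-wide allowlist is acceptable for this deployment. Whether Kratos accepts glob patterns in this field depends on the deployed version, so confirm it against that version's config schema; a rejected pattern fails the whole configuration rather than a single entry.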
diff --git a/terraform/gitops/k8s-cluster-config/app-deploy.tf b/terraform/gitops/k8s-cluster-config/app-deploy.tf
index 52353b988..654aecce2 100644
--- a/terraform/gitops/k8s-cluster-config/app-deploy.tf
+++ b/terraform/gitops/k8s-cluster-config/app-deploy.tf
@@ -6,8 +6,6 @@ module "mojaloop" {
 external_load_balancer_dns = var.external_load_balancer_dns
 private_subdomain = var.private_subdomain
 public_subdomain = var.public_subdomain
- external_interop_switch_fqdn = local.external_interop_switch_fqdn
- internal_interop_switch_fqdn = local.internal_interop_switch_fqdn
 secrets_key_map = var.secrets_key_map
 properties_key_map = var.properties_key_map
 output_dir = var.output_dir
@@ -33,10 +31,6 @@ module "mojaloop" {
 vault_secret_key = var.vault_secret_key
 role_assign_svc_secret = var.role_assign_svc_secret
 role_assign_svc_user = var.role_assign_svc_user
- ttk_backend_fqdn = local.ttk_backend_fqdn
- ttk_frontend_fqdn = local.ttk_frontend_fqdn
- ttk_istio_gateway_namespace = local.ttk_istio_gateway_namespace
- ttk_istio_wildcard_gateway_name = local.ttk_istio_wildcard_gateway_name
 istio_external_gateway_name = var.istio_external_gateway_name
 istio_internal_gateway_name = var.istio_internal_gateway_name
 istio_external_wildcard_gateway_name = local.istio_external_wildcard_gateway_name
@@ -49,25 +43,16 @@ module "mojaloop" {
 mojaloop_enabled = var.common_var_map.mojaloop_enabled
 bulk_enabled = var.app_var_map.bulk_enabled
 third_party_enabled = var.app_var_map.third_party_enabled
- mojaloop_ingress_internal_lb = var.app_var_map.mojaloop_ingress_internal_lb
- mcm_ingress_internal_lb = var.app_var_map.mcm_ingress_internal_lb
 stateful_resources_config_file = var.mojaloop_stateful_resources_config_file
 local_vault_kv_root_path = local.local_vault_kv_root_path
 app_var_map = var.app_var_map
 auth_fqdn = local.auth_fqdn
 ory_namespace = var.ory_namespace
- finance_portal_fqdn = local.finance_portal_fqdn
- portal_istio_gateway_namespace = local.portal_istio_gateway_namespace
- portal_istio_wildcard_gateway_name = local.portal_istio_wildcard_gateway_name
- portal_istio_gateway_name = local.portal_istio_gateway_name
 bof_release_name = local.bof_release_name
 oathkeeper_auth_provider_name = local.oathkeeper_auth_provider_name
 keycloak_hubop_realm_name = var.keycloak_hubop_realm_name
 rbac_api_resources_file = var.rbac_api_resources_file
- mcm_fqdn = local.mcm_fqdn
- mcm_istio_gateway_namespace = local.mcm_istio_gateway_namespace
- mcm_istio_wildcard_gateway_name = local.mcm_istio_wildcard_gateway_name
- mcm_istio_gateway_name = local.mcm_istio_gateway_name
+ mojaloop_values_override_file = var.mojaloop_values_override_file
 fspiop_use_ory_for_auth = var.app_var_map.fspiop_use_ory_for_auth
 }
@@ -79,8 +64,6 @@ module "pm4ml" {
 external_load_balancer_dns = var.external_load_balancer_dns
 private_subdomain = var.private_subdomain
 public_subdomain = var.public_subdomain
- external_interop_switch_fqdn = local.external_interop_switch_fqdn
- internal_interop_switch_fqdn = local.internal_interop_switch_fqdn
 secrets_key_map = var.secrets_key_map
 properties_key_map = var.properties_key_map
 output_dir = var.output_dir
@@ -107,16 +90,8 @@ module "pm4ml" {
 istio_external_wildcard_gateway_name = local.istio_external_wildcard_gateway_name
 istio_internal_wildcard_gateway_name = local.istio_internal_wildcard_gateway_name
 local_vault_kv_root_path = local.local_vault_kv_root_path
- portal_fqdns = local.portal_fqdns
- admin_portal_fqdns = local.admin_portal_fqdns
 auth_fqdn = local.auth_fqdn
 oathkeeper_auth_provider_name = local.oathkeeper_auth_provider_name
- experience_api_fqdns = local.experience_api_fqdns
- mojaloop_connnector_fqdns = local.mojaloop_connnector_fqdns
- ttk_backend_fqdns = local.pm4ml_ttk_backend_fqdns
- ttk_frontend_fqdns = local.pm4ml_ttk_frontend_fqdns
- pta_portal_fqdns = local.pm4ml_pta_portal_fqdns
- test_fqdns = local.test_fqdns
 vault_root_ca_name = "pki-${var.cluster_name}"
 app_var_map = local.pm4ml_var_map
 bof_release_name = local.bof_release_name
@@ -124,9 +99,6 @@ module "pm4ml" {
 role_assign_svc_secret_prefix = "role-assign-svc-secret-"
 portal_admin_user = var.portal_admin_user
 portal_admin_secret_prefix = "portal-admin-secret-"
- pm4ml_istio_gateway_namespaces = local.pm4ml_istio_gateway_namespaces
- pm4ml_istio_wildcard_gateway_names = local.pm4ml_istio_wildcard_gateway_names
- pm4ml_istio_gateway_names = local.pm4ml_istio_gateway_names
 }
 module "vnext" {
@@ -137,8 +109,6 @@ module "vnext" {
 external_load_balancer_dns = var.external_load_balancer_dns
 private_subdomain = var.private_subdomain
 public_subdomain = var.public_subdomain
- external_interop_switch_fqdn = local.external_interop_switch_fqdn
- internal_interop_switch_fqdn = local.internal_interop_switch_fqdn
 secrets_key_map = var.secrets_key_map
 properties_key_map = var.properties_key_map
 output_dir = var.output_dir
@@ -164,14 +134,6 @@ module "vnext" {
 vault_secret_key = var.vault_secret_key
 role_assign_svc_secret = var.role_assign_svc_secret
 role_assign_svc_user = var.role_assign_svc_user
- mcm_fqdn = local.mcm_fqdn
- mcm_istio_gateway_namespace = local.mcm_istio_gateway_namespace
- mcm_istio_wildcard_gateway_name = local.mcm_istio_wildcard_gateway_name
- mcm_istio_gateway_name = local.mcm_istio_gateway_name
- ttk_backend_fqdn = local.ttk_backend_fqdn
- ttk_frontend_fqdn = local.ttk_frontend_fqdn
- ttk_istio_wildcard_gateway_name = local.ttk_istio_wildcard_gateway_name
- ttk_istio_gateway_namespace = local.ttk_istio_gateway_namespace
 istio_external_gateway_name = var.istio_external_gateway_name
 istio_internal_gateway_name = var.istio_internal_gateway_name
 istio_external_wildcard_gateway_name = local.istio_external_wildcard_gateway_name
@@ -182,22 +144,16 @@ module "vnext" {
 mcm_enabled = var.common_var_map.mcm_enabled
 mcm_chart_version = var.app_var_map.mcm_chart_version
 vnext_enabled = var.common_var_map.vnext_enabled
- vnext_ingress_internal_lb = var.app_var_map.vnext_ingress_internal_lb
- mcm_ingress_internal_lb = var.app_var_map.mcm_ingress_internal_lb
 stateful_resources_config_file = var.vnext_stateful_resources_config_file
 local_vault_kv_root_path = local.local_vault_kv_root_path
 app_var_map = var.app_var_map
 auth_fqdn = local.auth_fqdn
 ory_namespace = var.ory_namespace
- finance_portal_fqdn = local.finance_portal_fqdn
 bof_release_name = local.bof_release_name
 oathkeeper_auth_provider_name = local.oathkeeper_auth_provider_name
 keycloak_hubop_realm_name = var.keycloak_hubop_realm_name
 rbac_api_resources_file = var.rbac_api_resources_file
- vnext_admin_ui_fqdn = local.vnext_admin_ui_fqdn
- vnext_istio_gateway_namespace = local.vnext_istio_gateway_namespace
- vnext_istio_wildcard_gateway_name = local.vnext_istio_wildcard_gateway_name
- fspiop_use_ory_for_auth = var.app_var_map.fspiop_use_ory_for_auth
+ fspiop_use_ory_for_auth = var.app_var_map.fspiop_use_ory_for_auth
 }
 variable "app_var_map" {
@@ -283,6 +239,10 @@ variable "rbac_api_resources_file" {
 type = string
 }
+variable "mojaloop_values_override_file" {
+ type = string
+}
+
 variable "argocd_ingress_internal_lb" {
 default = true
 description = "whether argocd should only be available on private network"
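Review bot: `variable "mojaloop_values_override_file"` (hunk `@@ -283,6 +239,10 @@`) has a `type` but no `description`, unlike `argocd_ingress_internal_lb` directly below it, and since the value is a file path that is passed straight into the mojaloop module (`mojaloop_values_override_file = var.mojaloop_values_override_file` in the first hunk of this file section) a reader has no way to tell what file is expected or who produces it. Something like `description = "path to the merged mojaloop-values-override.yaml produced by the CI config-merge step"` would do, assuming that is indeed where it comes from. If the module reads it with `file()`, a `validation` block using `fileexists(var.mojaloop_values_override_file)` gives a clearer plan-time error than the generic file-not-found from inside the module.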
@@ -293,91 +253,11 @@ variable "argocd_namespace" {
 description = "namespace argocd is deployed to"
 }
-variable "finanace_portal_ingress_internal_lb" {
- default = false
- description = "whether argocd should only be available on private network"
-}
-
 locals {
+ auth_fqdn = "auth.${var.public_subdomain}"
 pm4ml_var_map = { for pm4ml in var.app_var_map.pm4mls : pm4ml.pm4ml => pm4ml }
- oidc_providers = var.common_var_map.pm4ml_enabled ? [for pm4ml in var.app_var_map.pm4mls : {
- realm = "${var.keycloak_pm4ml_realm_name}-${pm4ml.pm4ml}"
- client_id = "${var.pm4ml_oidc_client_id_prefix}-${pm4ml.pm4ml}"
- secret_name = "${var.pm4ml_oidc_client_secret_secret}-${pm4ml.pm4ml}"
- }] : []
- mojaloop_keycloak_realm_env_secret_map = {
- "${var.mcm_oidc_client_secret_secret}" = var.mcm_oidc_client_secret_secret_key
- "${var.jwt_client_secret_secret}" = var.jwt_client_secret_secret_key
- }
- pm4ml_keycloak_realm_env_secret_map = merge(
- { for key, pm4ml in local.pm4ml_var_map : "${var.pm4ml_oidc_client_secret_secret}-${key}" => var.vault_secret_key },
- { for key, pm4ml in local.pm4ml_var_map : "portal-admin-secret-${key}" => var.vault_secret_key },
- { for key, pm4ml in local.pm4ml_var_map : "role-assign-svc-secret-${key}" => var.vault_secret_key }
- )
-
- pm4ml_wildcard_gateways = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => pm4ml.pm4ml_ingress_internal_lb ? "internal" : "external" }
-
- mcm_wildcard_gateway = var.app_var_map.mcm_ingress_internal_lb ? "internal" : "external"
- mcm_fqdn = local.mcm_wildcard_gateway == "external" ? "mcm.${var.public_subdomain}" : "mcm.${var.private_subdomain}"
- mcm_istio_gateway_namespace = local.mcm_wildcard_gateway == "external" ? var.istio_external_gateway_namespace : var.istio_internal_gateway_namespace
- mcm_istio_wildcard_gateway_name = local.mcm_wildcard_gateway == "external" ? 
local.istio_external_wildcard_gateway_name : local.istio_internal_wildcard_gateway_name
- mcm_istio_gateway_name = local.mcm_wildcard_gateway == "external" ? var.istio_external_gateway_name : var.istio_internal_gateway_name
-
- auth_fqdn = "auth.${var.public_subdomain}"
- external_interop_switch_fqdn = "extapi.${var.public_subdomain}"
- internal_interop_switch_fqdn = "intapi.${var.private_subdomain}"
-
- mojaloop_wildcard_gateway = var.app_var_map.mojaloop_ingress_internal_lb ? "internal" : "external"
- ttk_frontend_fqdn = local.mojaloop_wildcard_gateway == "external" ? "ttkfrontend.${var.public_subdomain}" : "ttkfrontend.${var.private_subdomain}"
- ttk_backend_fqdn = local.mojaloop_wildcard_gateway == "external" ? "ttkbackend.${var.public_subdomain}" : "ttkbackend.${var.private_subdomain}"
- ttk_istio_wildcard_gateway_name = local.mojaloop_wildcard_gateway == "external" ? local.istio_external_wildcard_gateway_name : local.istio_internal_wildcard_gateway_name
- ttk_istio_gateway_namespace = local.mojaloop_wildcard_gateway == "external" ? var.istio_external_gateway_namespace : var.istio_internal_gateway_namespace
-
- finance_portal_wildcard_gateway = var.finanace_portal_ingress_internal_lb ? "internal" : "external"
- finance_portal_fqdn = local.finance_portal_wildcard_gateway == "external" ? "finance-portal.${var.public_subdomain}" : "finance-portal.${var.private_subdomain}"
- portal_istio_gateway_namespace = local.finance_portal_wildcard_gateway == "external" ? var.istio_external_gateway_namespace : var.istio_internal_gateway_namespace
- portal_istio_wildcard_gateway_name = local.finance_portal_wildcard_gateway == "external" ? local.istio_external_wildcard_gateway_name : local.istio_internal_wildcard_gateway_name
- portal_istio_gateway_name = local.finance_portal_wildcard_gateway == "external" ? var.istio_external_gateway_name : var.istio_internal_gateway_name
-
- vnext_wildcard_gateway = var.app_var_map.vnext_ingress_internal_lb ? 
"internal" : "external" - vnext_admin_ui_fqdn = local.vnext_wildcard_gateway == "external" ? "vnext-admin.${var.public_subdomain}" : "vnext-admin.${var.private_subdomain}" - vnext_istio_gateway_namespace = local.vnext_wildcard_gateway == "external" ? var.istio_external_gateway_namespace : var.istio_internal_gateway_namespace - vnext_istio_wildcard_gateway_name = local.vnext_wildcard_gateway == "external" ? local.istio_external_wildcard_gateway_name : local.istio_internal_wildcard_gateway_name - - portal_fqdns = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "external" ? "portal-${pm4ml.pm4ml}.${var.public_subdomain}" : "portal-${pm4ml.pm4ml}.${var.private_subdomain}" } - admin_portal_fqdns = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "external" ? "admin-portal-${pm4ml.pm4ml}.${var.public_subdomain}" : "admin-portal-${pm4ml.pm4ml}.${var.private_subdomain}"} - experience_api_fqdns = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "external" ? "exp-${pm4ml.pm4ml}.${var.public_subdomain}" : "exp-${pm4ml.pm4ml}.${var.private_subdomain}"} - mojaloop_connnector_fqdns = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "external" ? "conn-${pm4ml.pm4ml}.${var.public_subdomain}" : "conn-${pm4ml.pm4ml}.${var.private_subdomain}" } - test_fqdns = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "external" ? "test-${pm4ml.pm4ml}.${var.public_subdomain}" : "test-${pm4ml.pm4ml}.${var.private_subdomain}" } - pm4ml_ttk_frontend_fqdns = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "external" ? 
"ttkfront-${pm4ml.pm4ml}.${var.public_subdomain}" : "ttkfront-${pm4ml.pm4ml}.${var.private_subdomain}" } - pm4ml_ttk_backend_fqdns = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "external" ? "ttkback-${pm4ml.pm4ml}.${var.public_subdomain}" : "ttkback-${pm4ml.pm4ml}.${var.private_subdomain}"} - pm4ml_pta_portal_fqdns = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "external" ? "pta-portal-${pm4ml.pm4ml}.${var.public_subdomain}" : "pta-portal-${pm4ml.pm4ml}.${var.private_subdomain}"} - - pm4ml_istio_gateway_namespaces = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "external" ? var.istio_external_gateway_namespace : var.istio_internal_gateway_namespace } - pm4ml_istio_wildcard_gateway_names = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "external" ? local.istio_external_wildcard_gateway_name : local.istio_internal_wildcard_gateway_name } - pm4ml_istio_gateway_names = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "external" ? 
var.istio_external_gateway_name : var.istio_internal_gateway_name }
-
- pm4ml_internal_wildcard_admin_portal_hosts = [for pm4ml in local.pm4ml_var_map : local.admin_portal_fqdns[pm4ml.pm4ml] if local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "internal"]
- pm4ml_external_wildcard_admin_portal_hosts = [for pm4ml in local.pm4ml_var_map : local.admin_portal_fqdns[pm4ml.pm4ml] if local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "external"]
- pm4ml_internal_wildcard_portal_hosts = [for pm4ml in local.pm4ml_var_map : local.portal_fqdns[pm4ml.pm4ml] if local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "internal"]
- pm4ml_external_wildcard_portal_hosts = [for pm4ml in local.pm4ml_var_map : local.portal_fqdns[pm4ml.pm4ml] if local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "external"]
- pm4ml_internal_wildcard_exp_hosts = [for pm4ml in local.pm4ml_var_map : local.experience_api_fqdns[pm4ml.pm4ml] if local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "internal"]
- pm4ml_external_wildcard_exp_hosts = [for pm4ml in local.pm4ml_var_map : local.experience_api_fqdns[pm4ml.pm4ml] if local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "external"]
-
- pm4ml_internal_gateway_hosts = concat(local.pm4ml_internal_wildcard_admin_portal_hosts, local.pm4ml_internal_wildcard_portal_hosts, local.pm4ml_internal_wildcard_exp_hosts, values(local.pm4ml_ttk_frontend_fqdns), values(local.pm4ml_ttk_backend_fqdns), values(local.test_fqdns), values(local.pm4ml_pta_portal_fqdns))
- pm4ml_external_gateway_hosts = concat(local.pm4ml_external_wildcard_admin_portal_hosts, local.pm4ml_external_wildcard_portal_hosts, local.pm4ml_external_wildcard_exp_hosts)
-
- keycloak_realm_env_secret_map = merge(
- (var.common_var_map.mojaloop_enabled || var.common_var_map.vnext_enabled) ? 
local.mojaloop_keycloak_realm_env_secret_map : local.pm4ml_keycloak_realm_env_secret_map,
- {
- "${var.hubop_oidc_client_secret_secret}" = var.vault_secret_key
- "${var.role_assign_svc_secret}" = var.vault_secret_key
- "${var.portal_admin_secret}" = var.vault_secret_key
- }
- )
- bof_managed_portal_fqdns = (var.common_var_map.mojaloop_enabled || var.common_var_map.vnext_enabled) ? [local.finance_portal_fqdn, local.mcm_fqdn] : concat(local.pm4ml_external_wildcard_portal_hosts, local.pm4ml_internal_wildcard_portal_hosts, local.pm4ml_internal_wildcard_admin_portal_hosts, local.pm4ml_external_wildcard_admin_portal_hosts)
 }
diff --git a/terraform/gitops/k8s-cluster-config/istio.tf b/terraform/gitops/k8s-cluster-config/istio.tf
index e72b40613..27d62b099 100644
--- a/terraform/gitops/k8s-cluster-config/istio.tf
+++ b/terraform/gitops/k8s-cluster-config/istio.tf
@@ -39,6 +39,7 @@ module "generate_istio_files" {
 argocd_public_fqdn = local.argocd_public_fqdn
 argocd_private_fqdn = local.argocd_private_fqdn
 argocd_namespace = var.argocd_namespace
+ istio_proxy_log_level = try(var.common_var_map.istio_proxy_log_level, local.istio_proxy_log_level)
 }
 file_list = [for f in fileset(local.istio_template_path, "**/*.tpl") : trimsuffix(f, ".tpl") if !can(regex(local.istio_app_file, f))]
@@ -49,8 +50,10 @@ module "generate_istio_files" {
 }
 locals {
+ istio_template_path = "${path.module}/../generate-files/templates/istio"
 istio_app_file = "istio-app.yaml"
+ istio_proxy_log_level = "warn"
 argocd_wildcard_gateway = var.argocd_ingress_internal_lb ? "internal" : "external"
 argocd_public_fqdn = "argocd.${var.public_subdomain}"
 argocd_private_fqdn = "argocd.${var.private_subdomain}"
diff --git a/terraform/gitops/k8s-cluster-config/keycloak.tf b/terraform/gitops/k8s-cluster-config/keycloak.tf
index 707c3b156..d9e6e5c03 100644
--- a/terraform/gitops/k8s-cluster-config/keycloak.tf
+++ b/terraform/gitops/k8s-cluster-config/keycloak.tf 
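Review bot: `istio_proxy_log_level` is now read straight from `common_var_map` with no validation, so a mistyped level only surfaces once the proxy configuration is rendered, and the new fallback `istio_proxy_log_level = "warn"` in `locals` carries no comment saying what consumes it. The template that uses the value is outside this diff, so I can only infer it feeds the sidecar/mesh proxy settings; if so, a `validation` block or a `contains()` precondition against the level names the proxy documents would turn the typo into a plan-time error. I would also add above the local: `# istio-proxy (Envoy) log level; debug/trace are very verbose and can put request-level detail into proxy logs, so keep "warn" outside of troubleshooting`. Both the `module` block and the `locals` block continue outside the hunk.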
@@ -100,4 +100,24 @@ locals {
 keycloak_admin_istio_gateway_namespace = local.keycloak_admin_wildcard_gateway == "external" ? var.istio_external_gateway_namespace : var.istio_internal_gateway_namespace
 keycloak_istio_gateway_name = local.keycloak_wildcard_gateway == "external" ? var.istio_external_gateway_name : var.istio_internal_gateway_name
 keycloak_secrets_path = "/secret/keycloak"
+
+ mojaloop_keycloak_realm_env_secret_map = {
+ "${var.mcm_oidc_client_secret_secret}" = var.mcm_oidc_client_secret_secret_key
+ "${var.jwt_client_secret_secret}" = var.jwt_client_secret_secret_key
+ }
+
+ pm4ml_keycloak_realm_env_secret_map = merge(
+ { for key, pm4ml in local.pm4ml_var_map : "${var.pm4ml_oidc_client_secret_secret}-${key}" => var.vault_secret_key },
+ { for key, pm4ml in local.pm4ml_var_map : "portal-admin-secret-${key}" => var.vault_secret_key },
+ { for key, pm4ml in local.pm4ml_var_map : "role-assign-svc-secret-${key}" => var.vault_secret_key }
+ )
+
+ keycloak_realm_env_secret_map = merge(
+ (var.common_var_map.mojaloop_enabled || var.common_var_map.vnext_enabled) ? local.mojaloop_keycloak_realm_env_secret_map : local.pm4ml_keycloak_realm_env_secret_map,
+ {
+ "${var.hubop_oidc_client_secret_secret}" = var.vault_secret_key
+ "${var.role_assign_svc_secret}" = var.vault_secret_key
+ "${var.portal_admin_secret}" = var.vault_secret_key
+ }
+ )
 }
diff --git a/terraform/gitops/k8s-cluster-config/ory.tf b/terraform/gitops/k8s-cluster-config/ory.tf
index e98058d84..144bb4f5c 100644
--- a/terraform/gitops/k8s-cluster-config/ory.tf
+++ b/terraform/gitops/k8s-cluster-config/ory.tf 
@@ -10,7 +10,7 @@ module "generate_ory_files" {
 ory_namespace = var.ory_namespace
 auth_fqdn = local.auth_fqdn
 public_subdomain = var.public_subdomain
- bof_managed_portal_fqdns = local.bof_managed_portal_fqdns
+ private_subdomain = var.private_subdomain
 keto_postgres_database = module.common_stateful_resources.stateful_resources[local.keto_postgres_resource_index].logical_service_config.database_name
 keto_postgres_user = module.common_stateful_resources.stateful_resources[local.keto_postgres_resource_index].logical_service_config.username
 keto_postgres_host = "${module.common_stateful_resources.stateful_resources[local.keto_postgres_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local"
@@ -120,4 +120,10 @@ locals {
 rolesPermissions = yamldecode(file(var.rbac_permissions_file))
 mojaloopRoles = local.rolesPermissions["roles"]
 permissionExclusions = local.rolesPermissions["permission-exclusions"]
+
+ oidc_providers = var.common_var_map.pm4ml_enabled ? [for pm4ml in var.app_var_map.pm4mls : {
+ realm = "${var.keycloak_pm4ml_realm_name}-${pm4ml.pm4ml}"
+ client_id = "${var.pm4ml_oidc_client_id_prefix}-${pm4ml.pm4ml}"
+ secret_name = "${var.pm4ml_oidc_client_secret_secret}-${pm4ml.pm4ml}"
+ }] : []
 }
diff --git a/terraform/gitops/mojaloop/mcm.tf b/terraform/gitops/mojaloop/mcm.tf
index 9c080e551..bf44dc7a1 100644
--- a/terraform/gitops/mojaloop/mcm.tf
+++ b/terraform/gitops/mojaloop/mcm.tf 
@@ -8,11 +8,11 @@ module "generate_mcm_files" {
 db_schema = module.mojaloop_stateful_resources.stateful_resources[local.mcm_resource_index].logical_service_config.database_name
 db_port = module.mojaloop_stateful_resources.stateful_resources[local.mcm_resource_index].logical_service_config.logical_service_port
 db_host = "${module.mojaloop_stateful_resources.stateful_resources[local.mcm_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local"
- mcm_fqdn = var.mcm_fqdn
- mcm_istio_gateway_namespace = var.mcm_istio_gateway_namespace
- mcm_istio_wildcard_gateway_name = var.mcm_istio_wildcard_gateway_name
- mcm_istio_gateway_name = var.mcm_istio_gateway_name
- fspiop_use_ory_for_auth = var.fspiop_use_ory_for_auth
+ mcm_fqdn = local.mcm_fqdn
+ mcm_istio_gateway_namespace = local.mcm_istio_gateway_namespace
+ mcm_istio_wildcard_gateway_name = local.mcm_istio_wildcard_gateway_name
+ mcm_istio_gateway_name = local.mcm_istio_gateway_name
+ fspiop_use_ory_for_auth = var.fspiop_use_ory_for_auth
 env_name = var.cluster_name
 env_cn = var.public_subdomain
 env_o = "Mojaloop"
@@ -34,7 +34,7 @@ module "generate_mcm_files" {
 public_subdomain = var.public_subdomain
 enable_oidc = var.enable_mcm_oidc
 mcm_sync_wave = var.mcm_sync_wave
- ingress_class = var.mcm_ingress_internal_lb ? var.internal_ingress_class_name : var.external_ingress_class_name
+ ingress_class = try(var.app_var_map.mcm_ingress_internal_lb, false) ? var.internal_ingress_class_name : var.external_ingress_class_name
 istio_create_ingress_gateways = var.istio_create_ingress_gateways
 pki_path = var.vault_root_ca_name
 dfsp_client_cert_bundle = local.dfsp_client_cert_bundle 
@@ -60,7 +60,7 @@ module "generate_mcm_files" {
 mcm_wildcard_gateway = local.mcm_wildcard_gateway
 istio_external_gateway_name = var.istio_external_gateway_name
 private_network_cidr = var.private_network_cidr
- interop_switch_fqdn = var.external_interop_switch_fqdn
+ interop_switch_fqdn = local.external_interop_switch_fqdn
 keycloak_fqdn = var.keycloak_fqdn
 keycloak_dfsp_realm_name = var.keycloak_dfsp_realm_name
 keycloak_hubop_realm_name = var.keycloak_hubop_realm_name
@@ -77,7 +77,7 @@ module "generate_mcm_files" {
 internal_load_balancer_dns = var.internal_load_balancer_dns
 external_load_balancer_dns = var.external_load_balancer_dns
 istio_internal_gateway_name = var.istio_internal_gateway_name
- int_interop_switch_fqdn = var.internal_interop_switch_fqdn
+ int_interop_switch_fqdn = local.internal_interop_switch_fqdn
 mojaloop_namespace = var.mojaloop_namespace
 mojaloop_release_name = var.mojaloop_release_name
 onboarding_collection_tag = var.app_var_map.onboarding_collection_tag
@@ -99,11 +99,7 @@ variable "mcm_enabled" {
 type = bool
 default = true
 }
-variable "mcm_ingress_internal_lb" {
- type = bool
- description = "mcm_ingress_internal_lb"
- default = false
-}
+
 variable "enable_mcm_oidc" {
 type = bool
 default = false
@@ -210,26 +206,6 @@ variable "keycloak_namespace" {
 description = "namespace of keycloak in which to create realm"
 }
-variable "mcm_fqdn" {
- type = string
- description = "hostname for mcm"
-}
-
-variable "mcm_istio_wildcard_gateway_name" {
- type = string
- default = ""
-}
-
-variable "mcm_istio_gateway_namespace" {
- type = string
- default = ""
-}
-
-variable "mcm_istio_gateway_name" {
- type = string
- default = ""
-}
-
 variable "fspiop_use_ory_for_auth" {
 type = bool
 } 
@@ -238,8 +214,13 @@ locals {
 mcm_template_path = "${path.module}/../generate-files/templates/mcm"
 mcm_app_file = "mcm-app.yaml"
 mcm_resource_index = index(module.mojaloop_stateful_resources.stateful_resources.*.resource_name, "mcm-db")
- mcm_wildcard_gateway = var.mcm_ingress_internal_lb ? "internal" : "external"
+ mcm_wildcard_gateway = try(var.app_var_map.mcm_ingress_internal_lb, false) ? "internal" : "external"
 dfsp_client_cert_bundle = "${local.onboarding_secret_path}_pm4mls"
 dfsp_internal_whitelist_secret = "${local.whitelist_secret_path}_pm4mls"
 dfsp_external_whitelist_secret = "${local.whitelist_secret_path}_fsps"
+
+ mcm_fqdn = local.mcm_wildcard_gateway == "external" ? "mcm.${var.public_subdomain}" : "mcm.${var.private_subdomain}"
+ mcm_istio_gateway_namespace = local.mcm_wildcard_gateway == "external" ? var.istio_external_gateway_namespace : var.istio_internal_gateway_namespace
+ mcm_istio_wildcard_gateway_name = local.mcm_wildcard_gateway == "external" ? var.istio_external_wildcard_gateway_name : var.istio_internal_wildcard_gateway_name
+ mcm_istio_gateway_name = local.mcm_wildcard_gateway == "external" ? var.istio_external_gateway_name : var.istio_internal_gateway_name
 }
diff --git a/terraform/gitops/mojaloop/mojaloop.tf b/terraform/gitops/mojaloop/mojaloop.tf
index 363cf0c3b..d34760296 100644
--- a/terraform/gitops/mojaloop/mojaloop.tf
+++ b/terraform/gitops/mojaloop/mojaloop.tf 
@@ -25,12 +25,12 @@ module "generate_mojaloop_files" {
 central_ledger_handler_transfer_position_batch_consume_timeout_ms = try(var.app_var_map.central_ledger_handler_transfer_position_batch_consume_timeout_ms, 10)
 central_ledger_cache_enabled = try(var.app_var_map.central_ledger_cache_enabled, true)
 central_ledger_cache_expires_in_ms = try(var.app_var_map.central_ledger_cache_expires_in_ms, 1000)
- interop_switch_fqdn = var.external_interop_switch_fqdn
- int_interop_switch_fqdn = var.internal_interop_switch_fqdn
+ interop_switch_fqdn = local.external_interop_switch_fqdn
+ int_interop_switch_fqdn = local.internal_interop_switch_fqdn
 external_ingress_class_name = var.external_ingress_class_name
 vault_certman_secretname = var.vault_certman_secretname
 nginx_jwt_namespace = var.nginx_jwt_namespace
- ingress_class_name = var.mojaloop_ingress_internal_lb ? var.internal_ingress_class_name : var.external_ingress_class_name
+ ingress_class_name = try(var.app_var_map.mojaloop_ingress_internal_lb, true) ? var.internal_ingress_class_name : var.external_ingress_class_name
 istio_create_ingress_gateways = var.istio_create_ingress_gateways
 istio_external_gateway_name = var.istio_external_gateway_name
 external_load_balancer_dns = var.external_load_balancer_dns 
@@ -41,10 +41,10 @@ module "generate_mojaloop_files" {
 mojaloop_wildcard_gateway = local.mojaloop_wildcard_gateway
 keycloak_fqdn = var.keycloak_fqdn
 keycloak_realm_name = var.keycloak_hubop_realm_name
- ttk_frontend_fqdn = var.ttk_frontend_fqdn
- ttk_backend_fqdn = var.ttk_backend_fqdn
- ttk_istio_gateway_namespace = var.ttk_istio_gateway_namespace
- ttk_istio_wildcard_gateway_name = var.ttk_istio_wildcard_gateway_name
+ ttk_frontend_fqdn = local.ttk_frontend_fqdn
+ ttk_backend_fqdn = local.ttk_backend_fqdn
+ ttk_istio_gateway_namespace = local.ttk_istio_gateway_namespace
+ ttk_istio_wildcard_gateway_name = local.ttk_istio_wildcard_gateway_name
 kafka_host = "${module.mojaloop_stateful_resources.stateful_resources[local.mojaloop_kafka_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local"
 kafka_port = module.mojaloop_stateful_resources.stateful_resources[local.mojaloop_kafka_resource_index].logical_service_config.logical_service_port
 account_lookup_db_existing_secret = module.mojaloop_stateful_resources.stateful_resources[local.ml_als_resource_index].logical_service_config.user_password_secret 
@@ -113,7 +113,7 @@ module "generate_mojaloop_files" {
 central_settlement_handler_deferredsettlement_replica_count = try(var.app_var_map.central_settlement_handler_deferredsettlement_replica_count, 1)
 central_settlement_handler_grosssettlement_replica_count = try(var.app_var_map.central_settlement_handler_grosssettlement_replica_count, 1)
 central_settlement_handler_rules_replica_count = try(var.app_var_map.central_settlement_handler_rules_replica_count, 1)
- trasaction_requests_service_replica_count = try(var.app_var_map.trasaction_requests_service_replica_count, 1)
+ transaction_requests_service_replica_count = try(var.app_var_map.transaction_requests_service_replica_count, 1)
 auth_service_replica_count = try(var.app_var_map.auth_service_replica_count, 1)
 consent_oracle_replica_count = try(var.app_var_map.consent_oracle_replica_count, 1)
 tp_api_svc_replica_count = try(var.app_var_map.tp_api_svc_replica_count, 1) 
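Review bot: Renaming the `app_var_map` key from the misspelled `trasaction_requests_service_replica_count` to `transaction_requests_service_replica_count` silently drops the setting for any environment whose var map still uses the old spelling, because `try()` falls back to `1` instead of failing. Unless every caller's var map is updated in the same change (not visible here), a transition that honours both spellings avoids an unnoticed scale-down: `transaction_requests_service_replica_count = try(var.app_var_map.transaction_requests_service_replica_count, var.app_var_map.trasaction_requests_service_replica_count, 1)`. The same rename of the module input presumably has a matching rename in the consuming template, which this diff does not show. The `module "generate_mojaloop_files"` block starts and ends outside the hunk.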
@@ -141,7 +141,7 @@ module "generate_mojaloop_files" {
 central_settlement_handler_deferredsettlement_affinity = try(yamlencode(var.app_var_map.workload_definitions.central_settlement.affinity_definition), null)
 central_settlement_handler_grosssettlement_affinity = try(yamlencode(var.app_var_map.workload_definitions.central_settlement.affinity_definition), null)
 central_settlement_handler_rules_affinity = try(yamlencode(var.app_var_map.workload_definitions.central_settlement.affinity_definition), null)
- trasaction_requests_service_affinity = try(yamlencode(var.app_var_map.workload_definitions.core_api_adapters.affinity_definition), null)
+ transaction_requests_service_affinity = try(yamlencode(var.app_var_map.workload_definitions.core_api_adapters.affinity_definition), null)
 central_ledger_monitoring_prefix = try(var.app_var_map.central_ledger_monitoring_prefix, "moja_cl_")
 quoting_service_monitoring_prefix = try(var.app_var_map.quoting_service_monitoring_prefix, "moja_qs_")
 ml_api_adapter_monitoring_prefix = try(var.app_var_map.ml_api_adapter_monitoring_prefix, "moja_ml_") 
@@ -168,10 +168,10 @@ module "generate_mojaloop_files" {
 keto_read_url = "http://keto-read.${var.ory_namespace}.svc.cluster.local:80"
 keto_write_url = "http://keto-write.${var.ory_namespace}.svc.cluster.local:80"
 kratos_service_name = "kratos-public.${var.ory_namespace}.svc.cluster.local"
- portal_fqdn = var.finance_portal_fqdn
- portal_istio_gateway_namespace = var.portal_istio_gateway_namespace
- portal_istio_wildcard_gateway_name = var.portal_istio_wildcard_gateway_name
- portal_istio_gateway_name = var.portal_istio_gateway_name
+ portal_fqdn = local.finance_portal_fqdn
+ portal_istio_gateway_namespace = local.portal_istio_gateway_namespace
+ portal_istio_wildcard_gateway_name = local.portal_istio_wildcard_gateway_name
+ portal_istio_gateway_name = local.portal_istio_gateway_name
 finance_portal_release_name = "fin-portal"
 finance_portal_chart_version = try(var.app_var_map.finance_portal_chart_version, var.finance_portal_chart_version)
 oathkeeper_auth_provider_name = var.oathkeeper_auth_provider_name
@@ -191,7 +191,9 @@ module "generate_mojaloop_files" {
 jws_rotation_period_hours = try(var.app_var_map.jws_rotation_period_hours, var.jws_rotation_period_hours)
 mcm_hub_jws_endpoint = "http://mcm-connection-manager-api.${var.mcm_namespace}.svc.cluster.local:3001/api/hub/jwscerts"
 ttk_gp_testcase_labels = try(var.app_var_map.ttk_gp_testcase_labels, var.ttk_gp_testcase_labels)
+ override_values_file_exists = local.override_values_file_exists
 fspiop_use_ory_for_auth = var.fspiop_use_ory_for_auth
+
 }
 file_list = [for f in fileset(local.mojaloop_template_path, "**/*.tpl") : trimsuffix(f, ".tpl") if !can(regex(local.mojaloop_app_file, f))]
 template_path = local.mojaloop_template_path 
@@ -200,8 +202,29 @@ module "generate_mojaloop_files" {
 app_output_path = "${var.output_dir}/app-yamls"
 }
+resource "local_file" "mojaloop_values_override" {
+ count = local.override_values_file_exists ? 1 : 0
+ content = file(var.mojaloop_values_override_file)
+ filename = "${local.output_path}/values-mojaloop-override.yaml"
+ depends_on = [module.generate_mojaloop_files]
+}
 locals {
+ mojaloop_wildcard_gateway = try(var.app_var_map.mojaloop_ingress_internal_lb, true) ? "internal" : "external"
+ ttk_frontend_fqdn = local.mojaloop_wildcard_gateway == "external" ? "ttkfrontend.${var.public_subdomain}" : "ttkfrontend.${var.private_subdomain}"
+ ttk_backend_fqdn = local.mojaloop_wildcard_gateway == "external" ? "ttkbackend.${var.public_subdomain}" : "ttkbackend.${var.private_subdomain}"
+ ttk_istio_wildcard_gateway_name = local.mojaloop_wildcard_gateway == "external" ? var.istio_external_wildcard_gateway_name : var.istio_internal_wildcard_gateway_name
+ ttk_istio_gateway_namespace = local.mojaloop_wildcard_gateway == "external" ? var.istio_external_gateway_namespace : var.istio_internal_gateway_namespace
+
+ finance_portal_wildcard_gateway = try(var.app_var_map.finance_portal_ingress_internal_lb, true) ? "internal" : "external"
+ finance_portal_fqdn = local.finance_portal_wildcard_gateway == "external" ? "finance-portal.${var.public_subdomain}" : "finance-portal.${var.private_subdomain}"
+ portal_istio_gateway_namespace = local.finance_portal_wildcard_gateway == "external" ? var.istio_external_gateway_namespace : var.istio_internal_gateway_namespace
+ portal_istio_wildcard_gateway_name = local.finance_portal_wildcard_gateway == "external" ? var.istio_external_wildcard_gateway_name : var.istio_internal_wildcard_gateway_name
+ portal_istio_gateway_name = local.finance_portal_wildcard_gateway == "external" ? 
var.istio_external_gateway_name : var.istio_internal_gateway_name
+
+ external_interop_switch_fqdn = "extapi.${var.public_subdomain}"
+ internal_interop_switch_fqdn = "intapi.${var.private_subdomain}"
+
 mojaloop_template_path = "${path.module}/../generate-files/templates/mojaloop"
 mojaloop_app_file = "mojaloop-app.yaml"
 output_path = "${var.output_dir}/mojaloop"
@@ -216,9 +239,9 @@ locals {
 third_party_consent_oracle_db_resource_index = index(module.mojaloop_stateful_resources.stateful_resources.*.resource_name, "mysql-consent-oracle-db")
 ttk_redis_resource_index = index(module.mojaloop_stateful_resources.stateful_resources.*.resource_name, "ttk-redis")
 reporting_events_mongodb_resource_index = index(module.mojaloop_stateful_resources.stateful_resources.*.resource_name, "reporting-events-mongodb")
- mojaloop_wildcard_gateway = var.mojaloop_ingress_internal_lb ? "internal" : "external"
 apiResources = yamldecode(file(var.rbac_api_resources_file))
 jws_key_secret = "switch-jws"
+ override_values_file_exists = fileexists(var.mojaloop_values_override_file)
 }
 variable "app_var_map" {
@@ -230,12 +253,6 @@ variable "mojaloop_enabled" {
 default = true
 }
-variable "mojaloop_ingress_internal_lb" {
- type = bool
- description = "mojaloop_ingress_internal_lb"
- default = true
-}
-
 variable "mojaloop_chart_repo" {
 description = "repo for mojaloop charts"
 type = string
@@ -327,12 +344,6 @@ variable "quoting_service_simple_routing_mode_enabled" {
 default = false
 }
-variable "ttk_frontend_fqdn" {
- type = string
-}
-variable "ttk_backend_fqdn" {
- type = string
-}
 variable "auth_fqdn" {
 type = string
@@ -341,9 +352,6 @@ variable "ory_namespace" {
 type = string
 }
-variable "finance_portal_fqdn" {
- type = string
-}
 variable "bof_release_name" {
 type = string
@@ -372,6 +380,10 @@ variable "rbac_api_resources_file" {
 type = string
 }
+variable "mojaloop_values_override_file" {
+ type = string
+}
+
 variable "reporting_templates_chart_version" {
 type = string
 default = "1.1.7" 
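Review bot: The finance portal's default placement flips in the new `locals`: `finance_portal_wildcard_gateway = try(var.app_var_map.finance_portal_ingress_internal_lb, true)` defaults to the internal gateway and private-subdomain FQDN, whereas the removed root variable (`finanace_portal_ingress_internal_lb`, `default = false` in the earlier hunk of this file set) put it on the external gateway. Moving to internal-by-default is the safer direction, but for any environment that never set the old variable the portal's hostname, gateway and therefore its DNS/TLS expectations change without the commit message saying so, and the old variable name (with its typo) no longer has any effect, so operators who did set it need to move to the new `app_var_map` key. A one-line comment above the local would make the intent explicit: `# internal by default; set app_var_map.finance_portal_ingress_internal_lb = false to expose the portal on the external gateway (previous default was external)`. The `locals` block continues outside the hunk.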
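Review bot: `override_values_file_exists = fileexists(var.mojaloop_values_override_file)` makes a mistyped or unreadable override path indistinguishable from "no override": the `local_file` resource is simply not created and the deployment proceeds on default values with no signal, which matters if the override is what carries an environment's hardening settings. Treating the empty string as the explicit opt-out and failing otherwise is clearer, e.g. a `validation` block on `variable "mojaloop_values_override_file"` with `condition = var.mojaloop_values_override_file == "" || fileexists(var.mojaloop_values_override_file)` and a message naming the missing file. The new `mojaloop_values_override_file` variable declared in this hunk, and its twin in the earlier hunk at L659, also lack a `description`; something like `description = "optional path to a values file copied verbatim into the generated mojaloop output as values-mojaloop-override.yaml; empty disables"` would do. The `locals` block starts outside the hunk.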
@@ -396,28 +408,3 @@ variable "ttk_gp_testcase_labels" {
 type = string
 default = "p2p"
 }
-
-variable "ttk_istio_wildcard_gateway_name" {
- type = string
- default = ""
-}
-
-variable "ttk_istio_gateway_namespace" {
- type = string
- default = ""
-}
-
-variable "portal_istio_wildcard_gateway_name" {
- type = string
- default = ""
-}
-
-variable "portal_istio_gateway_namespace" {
- type = string
- default = ""
-}
-
-variable "portal_istio_gateway_name" {
- type = string
- default = ""
-}
diff --git a/terraform/gitops/mojaloop/variables.tf b/terraform/gitops/mojaloop/variables.tf
index 8a00055c3..3b9f90bce 100644
--- a/terraform/gitops/mojaloop/variables.tf
+++ b/terraform/gitops/mojaloop/variables.tf
@@ -81,15 +81,6 @@ variable "kv_path" {
 description = "path for kv engine"
 default = "secret"
 }
-
-variable "external_interop_switch_fqdn" {
- description = "fqdn for interop ext"
-}
-
-variable "internal_interop_switch_fqdn" {
- description = "fqdn for interop int"
-}
-
 variable "internal_ingress_class_name" {
 type = string
 description = "nginx_internal_namespace"
diff --git a/terraform/gitops/mojaloop/vault-pki-setup.tf b/terraform/gitops/mojaloop/vault-pki-setup.tf
index cc79f4825..f27754b11 100644
--- a/terraform/gitops/mojaloop/vault-pki-setup.tf
+++ b/terraform/gitops/mojaloop/vault-pki-setup.tf
@@ -9,7 +9,6 @@ module "generate_vault_pki_setup_files" {
 cert_manager_service_account_name = var.cert_manager_service_account_name
 gitlab_project_url = var.gitlab_project_url
 cert_manager_cluster_issuer_role_name = var.cert_manager_cluster_issuer_role_name
- interop_switch_fqdn = var.external_interop_switch_fqdn
 vault_root_ca_name = var.vault_root_ca_name
 pki_server_cert_role = var.pki_server_cert_role
 pki_client_cert_role = var.pki_client_cert_role 
@@ -25,8 +24,8 @@ module "generate_vault_pki_setup_files" {
 }
 locals {
- vault_pki_template_path = "${path.module}/../generate-files/templates/vault-pki-setup"
- vault_pki_app_file = "vault-pki-app.yaml"
+ vault_pki_template_path = "${path.module}/../generate-files/templates/vault-pki-setup"
+ vault_pki_app_file = "vault-pki-app.yaml"
 }
diff --git a/terraform/gitops/pm4ml/pm4ml.tf b/terraform/gitops/pm4ml/pm4ml.tf
index 1b45f031b..4ce1b99df 100644
--- a/terraform/gitops/pm4ml/pm4ml.tf
+++ b/terraform/gitops/pm4ml/pm4ml.tf
@@ -17,10 +17,10 @@ module "generate_pm4ml_files" {
 pm4ml_wildcard_gateway = each.value.pm4ml_ingress_internal_lb ? "internal" : "external"
 keycloak_fqdn = var.keycloak_fqdn
 keycloak_pm4ml_realm_name = "${var.keycloak_pm4ml_realm_name}-${each.key}"
- experience_api_fqdn = var.experience_api_fqdns[each.key]
+ experience_api_fqdn = local.experience_api_fqdns[each.key]
 kratos_service_name = "kratos-public.${var.ory_namespace}.svc.cluster.local"
- portal_fqdn = var.portal_fqdns[each.key]
- admin_portal_fqdn = var.admin_portal_fqdns[each.key]
+ portal_fqdn = local.portal_fqdns[each.key]
+ admin_portal_fqdn = local.admin_portal_fqdns[each.key]
 auth_fqdn = var.auth_fqdn
 admin_portal_release_name = "admin-portal-${each.key}"
 admin_portal_chart_version = try(var.app_var_map.admin_portal_chart_version, var.admin_portal_chart_version) 
@@ -39,9 +39,9 @@ module "generate_pm4ml_files" {
 keto_read_url = "http://keto-read.${var.ory_namespace}.svc.cluster.local:80"
 keto_write_url = "http://keto-write.${var.ory_namespace}.svc.cluster.local:80"
 pm4ml_secret_path = "${var.local_vault_kv_root_path}/${each.key}"
- callback_url = "https://${var.mojaloop_connnector_fqdns[each.key]}"
- mojaloop_connnector_fqdn = var.mojaloop_connnector_fqdns[each.key]
- callback_fqdn = var.mojaloop_connnector_fqdns[each.key]
+ callback_url = "https://${local.mojaloop_connnector_fqdns[each.key]}"
+ mojaloop_connnector_fqdn = local.mojaloop_connnector_fqdns[each.key]
+ callback_fqdn = local.mojaloop_connnector_fqdns[each.key]
 redis_port = "6379"
 redis_host = "redis-master"
 redis_replica_count = "1"
@@ -69,10 +69,10 @@ module "generate_pm4ml_files" {
 ttk_enabled = each.value.pm4ml_ttk_enabled
 core_connector_selected = each.value.core_connector_selected
 custom_core_connector_endpoint = each.value.custom_core_connector_endpoint
- ttk_backend_fqdn = var.ttk_backend_fqdns[each.key]
- ttk_frontend_fqdn = var.ttk_frontend_fqdns[each.key]
- pta_portal_fqdn = var.pta_portal_fqdns[each.key]
- test_fqdn = var.test_fqdns[each.key]
+ ttk_backend_fqdn = local.pm4ml_ttk_frontend_fqdns[each.key]
+ ttk_frontend_fqdn = local.pm4ml_ttk_frontend_fqdns[each.key]
+ pta_portal_fqdn = local.pm4ml_pta_portal_fqdns[each.key]
+ test_fqdn = local.test_fqdns[each.key]
 ory_namespace = var.ory_namespace
 oathkeeper_auth_provider_name = var.oathkeeper_auth_provider_name
 istio_create_ingress_gateways = var.istio_create_ingress_gateways 
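Review bot: In the `@@ -69,10 +69,10 @@` hunk the TTK backend is wired to the frontend hostname map: `ttk_backend_fqdn = local.pm4ml_ttk_frontend_fqdns[each.key]`, while the new `locals` in the following hunk do define a separate `pm4ml_ttk_backend_fqdns` (the `ttkback-…` names) that nothing here uses. As written, backend and frontend receive the same `ttkfront-…` FQDN per pm4ml, so whatever gateway/route the templates generate for the backend would collide with or shadow the frontend's. The fix is one line: `ttk_backend_fqdn = local.pm4ml_ttk_backend_fqdns[each.key]`. Separately, these locals are built from `pm4ml_var_map = var.app_var_map` in the trailing hunk, whereas the parent module's map was keyed from `var.app_var_map.pm4mls`, so it is worth confirming that this module's `app_var_map` input is the per-pm4ml map the `for` expressions expect. The `module "generate_pm4ml_files"` block starts and ends outside both hunks.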
@@ -87,9 +87,9 @@ module "generate_pm4ml_files" { pm4ml_reserve_notification = each.value.pm4ml_reserve_notification core_connector_config = each.value.core_connector_config payment_token_adapter_config = each.value.payment_token_adapter_config - pm4ml_istio_gateway_namespace = var.pm4ml_istio_gateway_namespaces[each.key] - pm4ml_istio_wildcard_gateway_name = var.pm4ml_istio_wildcard_gateway_names[each.key] - pm4ml_istio_gateway_name = var.pm4ml_istio_gateway_names[each.key] + pm4ml_istio_gateway_namespace = local.pm4ml_istio_gateway_namespaces[each.key] + pm4ml_istio_wildcard_gateway_name = local.pm4ml_istio_wildcard_gateway_names[each.key] + pm4ml_istio_gateway_name = local.pm4ml_istio_gateway_names[each.key] } 
@@ -104,18 +104,37 @@ module "generate_pm4ml_files" { locals { pm4ml_template_path = "${path.module}/../generate-files/templates/pm4ml" pm4ml_app_file = "pm4ml-app.yaml" + + pm4ml_var_map = var.app_var_map + + pm4ml_wildcard_gateways = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => pm4ml.pm4ml_ingress_internal_lb ? "internal" : "external" } + + portal_fqdns = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "external" ? "portal-${pm4ml.pm4ml}.${var.public_subdomain}" : "portal-${pm4ml.pm4ml}.${var.private_subdomain}" } + admin_portal_fqdns = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "external" ? "admin-portal-${pm4ml.pm4ml}.${var.public_subdomain}" : "admin-portal-${pm4ml.pm4ml}.${var.private_subdomain}"} + experience_api_fqdns = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "external" ? "exp-${pm4ml.pm4ml}.${var.public_subdomain}" : "exp-${pm4ml.pm4ml}.${var.private_subdomain}"} + mojaloop_connnector_fqdns = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "external" ? "conn-${pm4ml.pm4ml}.${var.public_subdomain}" : "conn-${pm4ml.pm4ml}.${var.private_subdomain}" } + test_fqdns = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "external" ? "test-${pm4ml.pm4ml}.${var.public_subdomain}" : "test-${pm4ml.pm4ml}.${var.private_subdomain}" } + pm4ml_ttk_frontend_fqdns = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "external" ? "ttkfront-${pm4ml.pm4ml}.${var.public_subdomain}" : "ttkfront-${pm4ml.pm4ml}.${var.private_subdomain}" } + pm4ml_ttk_backend_fqdns = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "external" ? 
"ttkback-${pm4ml.pm4ml}.${var.public_subdomain}" : "ttkback-${pm4ml.pm4ml}.${var.private_subdomain}"} + pm4ml_pta_portal_fqdns = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "external" ? "pta-portal-${pm4ml.pm4ml}.${var.public_subdomain}" : "pta-portal-${pm4ml.pm4ml}.${var.private_subdomain}"} + + pm4ml_istio_gateway_namespaces = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "external" ? var.istio_external_gateway_namespace : var.istio_internal_gateway_namespace } + pm4ml_istio_wildcard_gateway_names = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "external" ? var.istio_external_wildcard_gateway_name : var.istio_internal_wildcard_gateway_name } + pm4ml_istio_gateway_names = { for pm4ml in local.pm4ml_var_map : pm4ml.pm4ml => local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "external" ? var.istio_external_gateway_name : var.istio_internal_gateway_name } + + pm4ml_internal_wildcard_admin_portal_hosts = [for pm4ml in local.pm4ml_var_map : local.admin_portal_fqdns[pm4ml.pm4ml] if local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "internal"] + pm4ml_external_wildcard_admin_portal_hosts = [for pm4ml in local.pm4ml_var_map : local.admin_portal_fqdns[pm4ml.pm4ml] if local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "external"] + pm4ml_internal_wildcard_portal_hosts = [for pm4ml in local.pm4ml_var_map : local.portal_fqdns[pm4ml.pm4ml] if local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "internal"] + pm4ml_external_wildcard_portal_hosts = [for pm4ml in local.pm4ml_var_map : local.portal_fqdns[pm4ml.pm4ml] if local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "external"] + pm4ml_internal_wildcard_exp_hosts = [for pm4ml in local.pm4ml_var_map : local.experience_api_fqdns[pm4ml.pm4ml] if local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "internal"] + pm4ml_external_wildcard_exp_hosts = [for pm4ml in local.pm4ml_var_map : 
local.experience_api_fqdns[pm4ml.pm4ml] if local.pm4ml_wildcard_gateways[pm4ml.pm4ml] == "external"] } variable "app_var_map" { type = any } -variable "portal_fqdns" { - description = "fqdns for pm4ml portal" -} -variable "admin_portal_fqdns" { - description = "fqdns for pm4ml admin portal" -} + variable "auth_fqdn" { type = string } @@ -123,25 +142,7 @@ variable "auth_fqdn" { variable "oathkeeper_auth_provider_name" { type = string } -variable "experience_api_fqdns" { - description = "fqdns for pm4ml experience api" -} -variable "mojaloop_connnector_fqdns" { - description = "fqdns for pm4ml connector" -} -variable "test_fqdns" { - description = "fqdns for pm4ml test" -} -variable "ttk_backend_fqdns" { - description = "fqdns for pm4ml ttk back" -} -variable "ttk_frontend_fqdns" { - description = "fqdns for pm4ml ttk front" -} -variable "pta_portal_fqdns" { - description = "fqdns for pm4ml payment token adapter portal" -} variable "pm4ml_vault_k8s_role_name" { description = "vault k8s role name for pm4ml" type = string @@ -241,18 +242,6 @@ variable "portal_admin_secret_prefix" { type = string } -variable "pm4ml_istio_gateway_namespaces" { - description = "fqdns for pm4ml portal" -} - -variable "pm4ml_istio_wildcard_gateway_names" { - description = "fqdns for pm4ml portal" -} - -variable "pm4ml_istio_gateway_names" { - description = "fqdns for pm4ml portal" -} - locals { nat_cidr_list = join(", ", [for ip in var.nat_public_ips : format("%s/32", ip)]) } diff --git a/terraform/gitops/pm4ml/variables.tf b/terraform/gitops/pm4ml/variables.tf index 114d760c5..eb933542d 100644 --- a/terraform/gitops/pm4ml/variables.tf +++ b/terraform/gitops/pm4ml/variables.tf @@ -20,7 +20,7 @@ variable "gitlab_project_url" { } variable "nat_public_ips" { - type = list + type = list(any) description = "nat_public_ips" } variable "internal_load_balancer_dns" { 
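Review bot: The new `locals` hunk dereferences `pm4ml.pm4ml` and `pm4ml.pm4ml_ingress_internal_lb` on every element of `var.app_var_map`, which is declared `type = any`, and that boolean is what decides whether each portal, connector and test host lands on `var.public_subdomain` or `var.private_subdomain`. A missing or mistyped flag does fail at plan time, but with a generic attribute error rather than one that names the exposure decision; declaring `app_var_map` as a typed collection of objects with `pm4ml = string` and `pm4ml_ingress_internal_lb = bool`, or adding a `validation` block, would make that failure self-explanatory. The maps are keyed by `pm4ml.pm4ml` while the module call looks them up with `each.key`; presumably `for_each` iterates the same map so the two agree, but a one-line comment stating that assumption above `pm4ml_var_map = var.app_var_map` would help, e.g. `# keyed by the pm4ml name; must match the for_each key used in module "generate_pm4ml_files"`.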
@@ -82,14 +82,6 @@ variable "kv_path" { default = "secret" } -variable "external_interop_switch_fqdn" { - description = "fqdn for interop ext" -} - -variable "internal_interop_switch_fqdn" { - description = "fqdn for interop int" -} - variable "internal_ingress_class_name" { type = string description = "nginx_internal_namespace" @@ -153,11 +145,11 @@ variable "vault_namespace" { description = "vault_namespace" } variable "cert_manager_namespace" { - type = string + type = string description = "cert_manager_namespace" } variable "vault_certman_secretname" { description = "secret name to create for tls offloading via certmanager" type = string default = "vault-tls-cert" -} \ No newline at end of file +} diff --git a/terraform/gitops/pm4ml/vault-pki-setup.tf b/terraform/gitops/pm4ml/vault-pki-setup.tf index 458965e68..9708709fd 100644 --- a/terraform/gitops/pm4ml/vault-pki-setup.tf +++ b/terraform/gitops/pm4ml/vault-pki-setup.tf @@ -8,7 +8,6 @@ module "generate_vault_pki_setup_files" { cert_manager_service_account_name = var.cert_manager_service_account_name gitlab_project_url = var.gitlab_project_url cert_manager_cluster_issuer_role_name = var.cert_manager_cluster_issuer_role_name - interop_switch_fqdn = var.external_interop_switch_fqdn vault_root_ca_name = var.vault_root_ca_name pki_server_cert_role = var.pki_server_cert_role pki_client_cert_role = var.pki_client_cert_role @@ -24,8 +23,8 @@ module "generate_vault_pki_setup_files" { } locals { - vault_pki_template_path = "${path.module}/../generate-files/templates/vault-pki-setup" - vault_pki_app_file = "vault-pki-app.yaml" + vault_pki_template_path = "${path.module}/../generate-files/templates/vault-pki-setup" + vault_pki_app_file = "vault-pki-app.yaml" } @@ -77,4 +76,4 @@ variable "vault_pki_sync_wave" { variable "local_vault_kv_root_path" { description = "vault kv secret root" type = string -} \ No newline at end of file +} 
diff --git a/terraform/gitops/vnext/mcm.tf b/terraform/gitops/vnext/mcm.tf index 34db4050f..d8876fc3d 100644 --- a/terraform/gitops/vnext/mcm.tf +++ b/terraform/gitops/vnext/mcm.tf @@ -8,10 +8,10 @@ module "generate_mcm_files" { db_schema = module.vnext_stateful_resources.stateful_resources[local.mcm_resource_index].logical_service_config.database_name db_port = module.vnext_stateful_resources.stateful_resources[local.mcm_resource_index].logical_service_config.logical_service_port db_host = "${module.vnext_stateful_resources.stateful_resources[local.mcm_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local" - mcm_fqdn = var.mcm_fqdn - mcm_istio_gateway_namespace = var.mcm_istio_gateway_namespace - mcm_istio_wildcard_gateway_name = var.mcm_istio_wildcard_gateway_name - mcm_istio_gateway_name = var.mcm_istio_gateway_name + mcm_fqdn = local.mcm_fqdn + mcm_istio_gateway_namespace = local.mcm_istio_gateway_namespace + mcm_istio_wildcard_gateway_name = local.mcm_istio_wildcard_gateway_name + mcm_istio_gateway_name = local.mcm_istio_gateway_name fspiop_use_ory_for_auth = var.fspiop_use_ory_for_auth env_name = var.cluster_name env_cn = var.public_subdomain @@ -34,7 +34,7 @@ module "generate_mcm_files" { public_subdomain = var.public_subdomain enable_oidc = var.enable_mcm_oidc mcm_sync_wave = var.mcm_sync_wave - ingress_class = var.mcm_ingress_internal_lb ? var.internal_ingress_class_name : var.external_ingress_class_name + ingress_class = try(var.app_var_map.mcm_ingress_internal_lb, false) ? var.internal_ingress_class_name : var.external_ingress_class_name istio_create_ingress_gateways = var.istio_create_ingress_gateways pki_path = var.vault_root_ca_name dfsp_client_cert_bundle = local.dfsp_client_cert_bundle 
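Review bot: The `ingress_class` line in the `@@ -34,7 +34,7 @@` hunk falls back to `false` when `mcm_ingress_internal_lb` is absent from `app_var_map`, so a missing or misspelled key silently selects the external ingress class instead of failing; the same `try(..., false)` is repeated for `mcm_wildcard_gateway` in the `@@ -238,8 +213,13 @@` hunk, so the two decisions can drift if only one is edited. The default config in `mojaloop-vars.yaml` does set `mcm_ingress_internal_lb: false`, so this mirrors the deleted variable's default, but the fail-open direction deserves a deliberate choice — the vnext equivalent in `vnext.tf` defaults to `true` (internal). Suggest computing it once in `locals`, `mcm_ingress_internal_lb = try(var.app_var_map.mcm_ingress_internal_lb, false)`, using `local.mcm_ingress_internal_lb` in both places, and adding a comment that an unset flag means externally exposed. The enclosing `module "generate_mcm_files"` block starts and ends outside this hunk.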
@@ -60,7 +60,7 @@ module "generate_mcm_files" { mcm_wildcard_gateway = local.mcm_wildcard_gateway istio_external_gateway_name = var.istio_external_gateway_name private_network_cidr = var.private_network_cidr - interop_switch_fqdn = var.external_interop_switch_fqdn + interop_switch_fqdn = local.external_interop_switch_fqdn keycloak_fqdn = var.keycloak_fqdn keycloak_dfsp_realm_name = var.keycloak_dfsp_realm_name keycloak_hubop_realm_name = var.keycloak_hubop_realm_name @@ -77,7 +77,7 @@ module "generate_mcm_files" { internal_load_balancer_dns = var.internal_load_balancer_dns external_load_balancer_dns = var.external_load_balancer_dns istio_internal_gateway_name = var.istio_internal_gateway_name - int_interop_switch_fqdn = var.internal_interop_switch_fqdn + int_interop_switch_fqdn = local.internal_interop_switch_fqdn mojaloop_namespace = var.vnext_namespace mojaloop_release_name = var.vnext_release_name onboarding_collection_tag = var.app_var_map.onboarding_collection_tag @@ -99,11 +99,6 @@ variable "mcm_enabled" { type = bool default = true } -variable "mcm_ingress_internal_lb" { - type = bool - description = "mcm_ingress_internal_lb" - default = false -} variable "enable_mcm_oidc" { type = bool default = false @@ -210,26 +205,6 @@ variable "keycloak_namespace" { description = "namespace of keycloak in which to create realm" } -variable "mcm_fqdn" { - type = string - description = "hostname for mcm" -} - -variable "mcm_istio_wildcard_gateway_name" { - type = string - default = "" -} - -variable "mcm_istio_gateway_namespace" { - type = string - default = "" -} - -variable "mcm_istio_gateway_name" { - type = string - default = "" -} - variable "fspiop_use_ory_for_auth" { type = bool } 
@@ -238,8 +213,13 @@ locals { mcm_template_path = "${path.module}/../generate-files/templates/mcm" mcm_app_file = "mcm-app.yaml" mcm_resource_index = index(module.vnext_stateful_resources.stateful_resources.*.resource_name, "mcm-db") - mcm_wildcard_gateway = var.mcm_ingress_internal_lb ? "internal" : "external" + mcm_wildcard_gateway = try(var.app_var_map.mcm_ingress_internal_lb, false) ? "internal" : "external" dfsp_client_cert_bundle = "${local.onboarding_secret_path}_pm4mls" dfsp_internal_whitelist_secret = "${local.whitelist_secret_path}_pm4mls" dfsp_external_whitelist_secret = "${local.whitelist_secret_path}_fsps" + + mcm_fqdn = local.mcm_wildcard_gateway == "external" ? "mcm.${var.public_subdomain}" : "mcm.${var.private_subdomain}" + mcm_istio_gateway_namespace = local.mcm_wildcard_gateway == "external" ? var.istio_external_gateway_namespace : var.istio_internal_gateway_namespace + mcm_istio_wildcard_gateway_name = local.mcm_wildcard_gateway == "external" ? var.istio_external_wildcard_gateway_name : var.istio_internal_wildcard_gateway_name + mcm_istio_gateway_name = local.mcm_wildcard_gateway == "external" ? var.istio_external_gateway_name : var.istio_internal_gateway_name } diff --git a/terraform/gitops/vnext/variables.tf b/terraform/gitops/vnext/variables.tf index 8a00055c3..dc4e5bbec 100644 --- a/terraform/gitops/vnext/variables.tf +++ b/terraform/gitops/vnext/variables.tf @@ -82,14 +82,6 @@ variable "kv_path" { default = "secret" } -variable "external_interop_switch_fqdn" { - description = "fqdn for interop ext" -} - -variable "internal_interop_switch_fqdn" { - description = "fqdn for interop int" -} - variable "internal_ingress_class_name" { type = string description = "nginx_internal_namespace" diff --git a/terraform/gitops/vnext/vault-pki-setup.tf b/terraform/gitops/vnext/vault-pki-setup.tf index 6bfc8c0da..f27754b11 100644 --- a/terraform/gitops/vnext/vault-pki-setup.tf +++ b/terraform/gitops/vnext/vault-pki-setup.tf 
@@ -9,7 +9,6 @@ module "generate_vault_pki_setup_files" { cert_manager_service_account_name = var.cert_manager_service_account_name gitlab_project_url = var.gitlab_project_url cert_manager_cluster_issuer_role_name = var.cert_manager_cluster_issuer_role_name - interop_switch_fqdn = var.external_interop_switch_fqdn vault_root_ca_name = var.vault_root_ca_name pki_server_cert_role = var.pki_server_cert_role pki_client_cert_role = var.pki_client_cert_role diff --git a/terraform/gitops/vnext/vnext.tf b/terraform/gitops/vnext/vnext.tf index 0ed75320f..ebc65134d 100644 --- a/terraform/gitops/vnext/vnext.tf +++ b/terraform/gitops/vnext/vnext.tf @@ -7,8 +7,8 @@ module "generate_vnext_files" { vnext_chart_version = try(var.app_var_map.vnext_chart_version, var.vnext_chart_version) vnext_release_name = var.vnext_release_name vnext_namespace = var.vnext_namespace - interop_switch_fqdn = var.external_interop_switch_fqdn - int_interop_switch_fqdn = var.internal_interop_switch_fqdn + interop_switch_fqdn = local.external_interop_switch_fqdn + int_interop_switch_fqdn = local.internal_interop_switch_fqdn storage_class_name = var.storage_class_name vnext_sync_wave = var.vnext_sync_wave vault_certman_secretname = var.vault_certman_secretname 
@@ -22,10 +22,10 @@ module "generate_vnext_files" { vnext_wildcard_gateway = local.vnext_wildcard_gateway keycloak_fqdn = var.keycloak_fqdn keycloak_realm_name = var.keycloak_hubop_realm_name - ttk_frontend_fqdn = var.ttk_frontend_fqdn - ttk_backend_fqdn = var.ttk_backend_fqdn - ttk_istio_wildcard_gateway_name = var.ttk_istio_wildcard_gateway_name - ttk_istio_gateway_namespace = var.ttk_istio_gateway_namespace + ttk_frontend_fqdn = local.ttk_frontend_fqdn + ttk_backend_fqdn = local.ttk_backend_fqdn + ttk_istio_wildcard_gateway_name = local.ttk_istio_wildcard_gateway_name + ttk_istio_gateway_namespace = local.ttk_istio_gateway_namespace kafka_host = "${module.vnext_stateful_resources.stateful_resources[local.vnext_kafka_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local" kafka_port = module.vnext_stateful_resources.stateful_resources[local.vnext_kafka_resource_index].logical_service_config.logical_service_port redis_host = "${module.vnext_stateful_resources.stateful_resources[local.vnext_redis_resource_index].logical_service_config.logical_service_name}.${var.stateful_resources_namespace}.svc.cluster.local" @@ -46,7 +46,6 @@ module "generate_vnext_files" { keto_read_url = "http://keto-read.${var.ory_namespace}.svc.cluster.local:80" keto_write_url = "http://keto-write.${var.ory_namespace}.svc.cluster.local:80" kratos_service_name = "kratos-public.${var.ory_namespace}.svc.cluster.local" - portal_fqdn = var.finance_portal_fqdn finance_portal_release_name = "fin-portal" finance_portal_chart_version = try(var.app_var_map.finance_portal_chart_version, var.finance_portal_chart_version) oathkeeper_auth_provider_name = var.oathkeeper_auth_provider_name 
@@ -64,9 +63,9 @@ module "generate_vnext_files" { jws_rotation_renew_before_hours = try(var.app_var_map.jws_rotation_renew_before_hours, var.jws_rotation_renew_before_hours) jws_rotation_period_hours = try(var.app_var_map.jws_rotation_period_hours, var.jws_rotation_period_hours) mcm_hub_jws_endpoint = "http://mcm-connection-manager-api.${var.mcm_namespace}.svc.cluster.local:3001/api/hub/jwscerts" - vnext_admin_ui_fqdn = var.vnext_admin_ui_fqdn - vnext_istio_gateway_namespace = var.vnext_istio_gateway_namespace - vnext_istio_wildcard_gateway_name = var.vnext_istio_wildcard_gateway_name + vnext_admin_ui_fqdn = local.vnext_admin_ui_fqdn + vnext_istio_gateway_namespace = local.vnext_istio_gateway_namespace + vnext_istio_wildcard_gateway_name = local.vnext_istio_wildcard_gateway_name } file_list = [for f in fileset(local.vnext_template_path, "**/*.tpl") : trimsuffix(f, ".tpl") if !can(regex(local.vnext_app_file, f))] template_path = local.vnext_template_path 
@@ -77,14 +76,24 @@ module "generate_vnext_files" { locals { - vnext_template_path = "${path.module}/../generate-files/templates/vnext" - vnext_app_file = "vnext-app.yaml" - vnext_kafka_resource_index = index(module.vnext_stateful_resources.stateful_resources.*.resource_name, "vnext-kafka") - vnext_redis_resource_index = index(module.vnext_stateful_resources.stateful_resources.*.resource_name, "vnext-redis") - vnext_mongodb_resource_index = index(module.vnext_stateful_resources.stateful_resources.*.resource_name, "vnext-mongodb") - vnext_wildcard_gateway = var.vnext_ingress_internal_lb ? "internal" : "external" - apiResources = yamldecode(file(var.rbac_api_resources_file)) - jws_key_secret = "switch-jws" + vnext_wildcard_gateway = try(var.app_var_map.vnext_ingress_internal_lb, true) ? "internal" : "external" + vnext_admin_ui_fqdn = local.vnext_wildcard_gateway == "external" ? "vnext-admin.${var.public_subdomain}" : "vnext-admin.${var.private_subdomain}" + vnext_istio_gateway_namespace = local.vnext_wildcard_gateway == "external" ? var.istio_external_gateway_namespace : var.istio_internal_gateway_namespace + vnext_istio_wildcard_gateway_name = local.vnext_wildcard_gateway == "external" ? var.istio_external_wildcard_gateway_name : var.istio_internal_wildcard_gateway_name + + ttk_frontend_fqdn = local.vnext_wildcard_gateway == "external" ? "ttkfrontend.${var.public_subdomain}" : "ttkfrontend.${var.private_subdomain}" + ttk_backend_fqdn = local.vnext_wildcard_gateway == "external" ? "ttkbackend.${var.public_subdomain}" : "ttkbackend.${var.private_subdomain}" + ttk_istio_wildcard_gateway_name = local.vnext_wildcard_gateway == "external" ? var.istio_external_wildcard_gateway_name : var.istio_internal_wildcard_gateway_name + ttk_istio_gateway_namespace = local.vnext_wildcard_gateway == "external" ? 
var.istio_external_gateway_namespace : var.istio_internal_gateway_namespace + external_interop_switch_fqdn = "extapi.${var.public_subdomain}" + internal_interop_switch_fqdn = "intapi.${var.private_subdomain}" + vnext_template_path = "${path.module}/../generate-files/templates/vnext" + vnext_app_file = "vnext-app.yaml" + vnext_kafka_resource_index = index(module.vnext_stateful_resources.stateful_resources.*.resource_name, "vnext-kafka") + vnext_redis_resource_index = index(module.vnext_stateful_resources.stateful_resources.*.resource_name, "vnext-redis") + vnext_mongodb_resource_index = index(module.vnext_stateful_resources.stateful_resources.*.resource_name, "vnext-mongodb") + apiResources = yamldecode(file(var.rbac_api_resources_file)) + jws_key_secret = "switch-jws" } variable "app_var_map" { @@ -96,12 +105,6 @@ variable "vnext_enabled" { default = true } -variable "vnext_ingress_internal_lb" { - type = bool - description = "vnext_ingress_internal_lb" - default = true -} - variable "vnext_chart_repo" { description = "repo for vnext charts" type = string @@ -135,17 +138,6 @@ variable "vnext_sync_wave" { default = "0" } -variable "ttk_frontend_fqdn" { - type = string -} -variable "ttk_backend_fqdn" { - type = string -} - -variable "vnext_admin_ui_fqdn" { - type = string -} - variable "auth_fqdn" { type = string } @@ -153,10 +145,6 @@ variable "ory_namespace" { type = string } -variable "finance_portal_fqdn" { - type = string -} - variable "bof_release_name" { type = string } @@ -203,23 +191,3 @@ variable "ttk_gp_testcase_labels" { type = string default = "p2p" } - -variable "ttk_istio_wildcard_gateway_name" { - type = string - default = "" -} - -variable "ttk_istio_gateway_namespace" { - type = string - default = "" -} - -variable "vnext_istio_wildcard_gateway_name" { - type = string - default = "" -} - -variable "vnext_istio_gateway_namespace" { - type = string - default = "" -} \ No newline at end of file 
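Review bot: In the `locals` hunk of `vnext.tf`, `ttk_istio_wildcard_gateway_name` and `ttk_istio_gateway_namespace` repeat the exact conditional already evaluated for `vnext_istio_wildcard_gateway_name` and `vnext_istio_gateway_namespace`, so the TTK gateway selection can silently diverge from vnext's if only one copy is edited later. Both are driven by `local.vnext_wildcard_gateway`, so the TTK entries can simply alias the vnext ones: `ttk_istio_wildcard_gateway_name = local.vnext_istio_wildcard_gateway_name` and `ttk_istio_gateway_namespace = local.vnext_istio_gateway_namespace`. The `extapi.`/`intapi.` interop switch hostnames also replace the deleted `external_interop_switch_fqdn`/`internal_interop_switch_fqdn` variables with fixed values; a comment such as `# interop switch hostnames are fixed by convention; DNS/TLS config referencing them must use the same names` would tell the next reader that these are no longer operator-configurable.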
diff --git a/terraform/k8s/default-config/common-vars.yaml b/terraform/k8s/default-config/common-vars.yaml index 11ba4b20c..ec6c54b67 100644 --- a/terraform/k8s/default-config/common-vars.yaml +++ b/terraform/k8s/default-config/common-vars.yaml @@ -34,4 +34,5 @@ prometheus_retention_period: 10d istio_egress_gateway_max_replicas: 5 microk8s_version: 1.29/stable alertmanager_enabled: false +istio_proxy_log_level: warn longhorn_backup_job_enabled: true diff --git a/terraform/k8s/default-config/mojaloop-values-override.yaml b/terraform/k8s/default-config/mojaloop-values-override.yaml new file mode 100644 index 000000000..b25990de3 --- /dev/null +++ b/terraform/k8s/default-config/mojaloop-values-override.yaml 
@@ -0,0 +1,216 @@ +account-lookup-service: + account-lookup-service: + replicaCount: 12 + config: + event_log_filter: "" + readinessProbe: + initialDelaySeconds: 5 + livenessProbe: + initialDelaySeconds: 5 + sidecar: + readinessProbe: + initialDelaySeconds: 5 + livenessProbe: + initialDelaySeconds: 5 + account-lookup-service-admin: + replicaCount: 1 +quoting-service: + quoting-service: + replicaCount: 4 + config: + event_log_filter: "" + readinessProbe: + initialDelaySeconds: 5 + livenessProbe: + initialDelaySeconds: 5 + sidecar: + readinessProbe: + initialDelaySeconds: 5 + livenessProbe: + initialDelaySeconds: 5 + quoting-service-handler: + replicaCount: 12 + config: + event_log_filter: "" + readinessProbe: + initialDelaySeconds: 5 + livenessProbe: + initialDelaySeconds: 5 + sidecar: + readinessProbe: + initialDelaySeconds: 5 + livenessProbe: + initialDelaySeconds: 5 +ml-api-adapter: + ml-api-adapter-service: + replicaCount: 4 + config: + event_log_filter: "" + ml-api-adapter-handler-notification: + replicaCount: 12 + config: + event_log_filter: "" +centralledger: + centralledger-service: + replicaCount: 8 + config: + event_log_filter: "" + readinessProbe: + initialDelaySeconds: 5 + livenessProbe: + initialDelaySeconds: 5 + sidecar: + readinessProbe: + initialDelaySeconds: 5 + livenessProbe: + initialDelaySeconds: 5 + centralledger-handler-transfer-prepare: + replicaCount: 12 + config: + event_log_filter: "" + readinessProbe: + initialDelaySeconds: 5 + livenessProbe: + initialDelaySeconds: 5 + sidecar: + readinessProbe: + initialDelaySeconds: 5 + livenessProbe: + initialDelaySeconds: 5 + centralledger-handler-transfer-position: + replicaCount: 8 + config: + event_log_filter: "" + readinessProbe: + initialDelaySeconds: 5 + livenessProbe: + initialDelaySeconds: 5 + sidecar: + readinessProbe: + initialDelaySeconds: 5 + livenessProbe: + initialDelaySeconds: 5 + centralledger-handler-transfer-position-batch: + replicaCount: 12 + config: + event_log_filter: "" + 
readinessProbe: + initialDelaySeconds: 5 + livenessProbe: + initialDelaySeconds: 5 + sidecar: + readinessProbe: + initialDelaySeconds: 5 + livenessProbe: + initialDelaySeconds: 5 + centralledger-handler-transfer-get: + replicaCount: 1 + config: + event_log_filter: "" + readinessProbe: + initialDelaySeconds: 5 + livenessProbe: + initialDelaySeconds: 5 + sidecar: + readinessProbe: + initialDelaySeconds: 5 + livenessProbe: + initialDelaySeconds: 5 + centralledger-handler-transfer-fulfil: + replicaCount: 12 + config: + event_log_filter: "" + readinessProbe: + initialDelaySeconds: 5 + livenessProbe: + initialDelaySeconds: 5 + sidecar: + readinessProbe: + initialDelaySeconds: 5 + livenessProbe: + initialDelaySeconds: 5 + centralledger-handler-timeout: + config: + event_log_filter: "" + readinessProbe: + initialDelaySeconds: 5 + livenessProbe: + initialDelaySeconds: 5 + sidecar: + readinessProbe: + initialDelaySeconds: 5 + livenessProbe: + initialDelaySeconds: 5 + centralledger-handler-admin-transfer: + replicaCount: 1 + readinessProbe: + initialDelaySeconds: 5 + livenessProbe: + initialDelaySeconds: 5 + sidecar: + readinessProbe: + initialDelaySeconds: 5 + livenessProbe: + initialDelaySeconds: 5 +centralsettlement: + centralsettlement-service: + replicaCount: 1 + config: + event_log_filter: "" + centralsettlement-handler-deferredsettlement: + replicaCount: 1 + config: + event_log_filter: "" + centralsettlement-handler-grosssettlement: + replicaCount: 1 + config: + event_log_filter: "" + centralsettlement-handler-rules: + replicaCount: 1 + config: + event_log_filter: "" +transaction-requests-service: + replicaCount: 4 + readinessProbe: + initialDelaySeconds: 5 + livenessProbe: + initialDelaySeconds: 5 + sidecar: + readinessProbe: + initialDelaySeconds: 5 + livenessProbe: + initialDelaySeconds: 5 +thirdparty: + auth-svc: + replicaCount: 1 + consent-oracle: + replicaCount: 1 + tp-api-svc: + replicaCount: 1 +mojaloop-bulk: + bulk-api-adapter: + bulk-api-adapter-service: + 
replicaCount: 1 + config: + event_log_filter: "" + bulk-api-adapter-handler-notification: + replicaCount: 1 + config: + event_log_filter: "" + bulk-centralledger: + cl-handler-bulk-transfer-prepare: + replicaCount: 1 + config: + event_log_filter: "" + cl-handler-bulk-transfer-fulfil: + replicaCount: 1 + config: + event_log_filter: "" + cl-handler-bulk-transfer-processing: + replicaCount: 1 + config: + event_log_filter: "" + cl-handler-bulk-transfer-get: + replicaCount: 1 + config: + event_log_filter: "" diff --git a/terraform/k8s/default-config/mojaloop-vars.yaml b/terraform/k8s/default-config/mojaloop-vars.yaml index d1f38bf19..bd62df7e4 100644 --- a/terraform/k8s/default-config/mojaloop-vars.yaml +++ b/terraform/k8s/default-config/mojaloop-vars.yaml 
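Review bot: The new `mojaloop-values-override.yaml` carries no header comment explaining its role, although the same commit deletes the per-service `*_replica_count` keys from `mojaloop-vars.yaml` and wires this file in through `mojaloop_values_override_file` in `terragrunt.hcl`, which suggests it is their replacement. If that reading is right, two lines at the top — `# Per-service overrides (replica counts, probe delays) applied on top of the generated mojaloop values.` and `# Replaces the former *_replica_count keys in mojaloop-vars.yaml.` — would spare the next reader the archaeology. A `---` document-start marker would also bring the file in line with yamllint defaults.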
@@ -4,34 +4,6 @@ mcm_chart_version: 0.7.7 mojaloop_chart_version: 16.0.0 mcm_ingress_internal_lb: false mojaloop_ingress_internal_lb: true -#replica counts -account_lookup_service_replica_count: 1 -account_lookup_service_admin_replica_count: 1 -quoting_service_replica_count: 1 -quoting_service_handler_replica_count: 1 -ml_api_adapter_service_replica_count: 1 -ml_api_adapter_handler_notifications_replica_count: 1 -central_ledger_service_replica_count: 1 -central_ledger_handler_transfer_prepare_replica_count: 1 -central_ledger_handler_transfer_position_replica_count: 1 -central_ledger_handler_transfer_position_batch_replica_count: 1 -central_ledger_handler_transfer_get_replica_count: 1 -central_ledger_handler_transfer_fulfil_replica_count: 1 -central_ledger_handler_admin_transfer_replica_count: 1 -central_settlement_service_replica_count: 1 -central_settlement_handler_deferredsettlement_replica_count: 1 -central_settlement_handler_grosssettlement_replica_count: 1 -central_settlement_handler_rules_replica_count: 1 -trasaction_requests_service_replica_count: 1 -auth_service_replica_count: 1 -consent_oracle_replica_count: 1 -tp_api_svc_replica_count: 1 -bulk_api-adapter_service_replica_count: 1 -bulk_api_adapter_handler_notification_replica_count: 1 -cl_handler_bulk_transfer_prepare_replica_count: 1 -cl_handler_bulk_transfer_fulfil_replica_count: 1 -cl_handler_bulk_transfer_processing_replica_count: 1 -cl_handler_bulk_transfer_get_replica_count: 1 onboarding_collection_tag: 15.2.0 grafana_dashboard_tag: 15.2.0 enable_istio_injection: true diff --git a/terraform/k8s/gitops-build/terragrunt.hcl b/terraform/k8s/gitops-build/terragrunt.hcl index 0d02611e3..0d23bbdad 100644 --- a/terraform/k8s/gitops-build/terragrunt.hcl +++ b/terraform/k8s/gitops-build/terragrunt.hcl 
@@ -2,7 +2,6 @@ terraform { source = "git::https://github.com/mojaloop/iac-modules.git//terraform/gitops/k8s-cluster-config?ref=${get_env("iac_terraform_modules_tag")}" } - include "root" { path = find_in_parent_folders() } @@ -15,7 +14,7 @@ dependency "k8s_store_config" { dependency "k8s_deploy" { config_path = "../k8s-deploy" mock_outputs = { - nat_public_ips = [""] + nat_public_ips = [""] internal_load_balancer_dns = "" external_load_balancer_dns = "" private_subdomain = "" @@ -63,6 +62,7 @@ inputs = { stateful_resources_config_file = find_in_parent_folders("${get_env("CONFIG_PATH")}/common-stateful-resources.json") mojaloop_stateful_resources_config_file = find_in_parent_folders("${get_env("CONFIG_PATH")}/mojaloop-stateful-resources.json") vnext_stateful_resources_config_file = find_in_parent_folders("${get_env("CONFIG_PATH")}/vnext-stateful-resources.json") + mojaloop_values_override_file = find_in_parent_folders("${get_env("CONFIG_PATH")}/mojaloop-values-override.yaml", "mojaloop-values-override.yaml") current_gitlab_project_id = local.GITLAB_CURRENT_PROJECT_ID gitlab_group_name = local.GITLAB_CURRENT_GROUP_NAME gitlab_api_url = local.GITLAB_API_URL From 057b713b795e8b9c026078bea788befd377546a4 Mon Sep 17 00:00:00 2001 From: David Fry Date: Fri, 19 Apr 2024 19:19:01 +0200 Subject: [PATCH 115/201] update versions (#237) --- terraform/k8s/default-config/cluster-config.yaml | 4 ++-- terraform/k8s/default-config/mojaloop-vars.yaml | 1 + 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/terraform/k8s/default-config/cluster-config.yaml b/terraform/k8s/default-config/cluster-config.yaml index 35eb780d0..0c1bb0ff6 100644 --- a/terraform/k8s/default-config/cluster-config.yaml +++ b/terraform/k8s/default-config/cluster-config.yaml 
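Review bot: The new `mojaloop_values_override_file` input passes a fallback second argument to `find_in_parent_folders`, so when `${CONFIG_PATH}/mojaloop-values-override.yaml` is not found the input becomes the bare relative string `mojaloop-values-override.yaml` rather than an error, unlike the three `*_config_file` inputs directly above it, which have no fallback. Whether the consuming module treats a non-existent path as "no overrides" or fails at apply time is outside this hunk. If the file is meant to be optional, say so, e.g. `# optional; the fallback is a non-existent relative path the module must tolerate`; otherwise drop the fallback for consistency with the neighbouring inputs.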
@@ -7,8 +7,8 @@ cloud_platform_client_secret_name: AWS_SECRET_ACCESS_KEY k8s_cluster_module: base-k8s cloud_region: eu-west-1 k8s_cluster_type: microk8s -ansible_collection_tag: v5.1.0 -iac_terraform_modules_tag: v5.1.0 +ansible_collection_tag: v5.2.0 +iac_terraform_modules_tag: v5.2.0 letsencrypt_email: test@mojalabs.io dns_zone_force_destroy: true longhorn_backup_object_store_destroy: true diff --git a/terraform/k8s/default-config/mojaloop-vars.yaml b/terraform/k8s/default-config/mojaloop-vars.yaml index bd62df7e4..aad03e24c 100644 --- a/terraform/k8s/default-config/mojaloop-vars.yaml +++ b/terraform/k8s/default-config/mojaloop-vars.yaml @@ -4,6 +4,7 @@ mcm_chart_version: 0.7.7 mojaloop_chart_version: 16.0.0 mcm_ingress_internal_lb: false mojaloop_ingress_internal_lb: true +finance_portal_ingress_internal_lb: true onboarding_collection_tag: 15.2.0 grafana_dashboard_tag: 15.2.0 enable_istio_injection: true From 4cd584450990dddbdd392fc6cbcb4c129af07e1d Mon Sep 17 00:00:00 2001 From: Sijo George <87609749+sijo5722-2021@users.noreply.github.com> Date: Mon, 22 Apr 2024 16:25:05 +0530 Subject: [PATCH 116/201] Fixing typo (#238) --- .../templates/mojaloop/values-mojaloop.yaml.tpl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/gitops/generate-files/templates/mojaloop/values-mojaloop.yaml.tpl b/terraform/gitops/generate-files/templates/mojaloop/values-mojaloop.yaml.tpl index 5ed656c12..60e0c5034 100644 --- a/terraform/gitops/generate-files/templates/mojaloop/values-mojaloop.yaml.tpl +++ b/terraform/gitops/generate-files/templates/mojaloop/values-mojaloop.yaml.tpl 
@@ -654,9 +654,9 @@ centralsettlement: transaction-requests-service: podLabels: sidecar.istio.io/inject: "${enable_istio_injection}" -%{ if trasaction_requests_service_affinity != null ~} +%{ if transaction_requests_service_affinity != null ~} affinity: - ${indent(8, trasaction_requests_service_affinity)} + ${indent(8, transaction_requests_service_affinity)} %{ endif ~} tolerations: *MOJALOOP_TOLERATIONS replicaCount: ${trasaction_requests_service_replica_count} From 711706ae488445246ac79e602381b0b5ad219e7f Mon Sep 17 00:00:00 2001 From: Sijo George <87609749+sijo5722-2021@users.noreply.github.com> Date: Mon, 22 Apr 2024 16:31:09 +0530 Subject: [PATCH 117/201] Fix typo (#239) --- .../generate-files/templates/mojaloop/values-mojaloop.yaml.tpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/gitops/generate-files/templates/mojaloop/values-mojaloop.yaml.tpl b/terraform/gitops/generate-files/templates/mojaloop/values-mojaloop.yaml.tpl index 60e0c5034..aa8659887 100644 --- a/terraform/gitops/generate-files/templates/mojaloop/values-mojaloop.yaml.tpl +++ b/terraform/gitops/generate-files/templates/mojaloop/values-mojaloop.yaml.tpl @@ -659,7 +659,7 @@ transaction-requests-service: ${indent(8, transaction_requests_service_affinity)} %{ endif ~} tolerations: *MOJALOOP_TOLERATIONS - replicaCount: ${trasaction_requests_service_replica_count} + replicaCount: ${transaction_requests_service_replica_count} ingress: %{ if istio_create_ingress_gateways ~} enabled: false From 0036059ffa67e3613d06519fd15a86d6060f3be7 Mon Sep 17 00:00:00 2001 From: muzammil360 Date: Fri, 19 Apr 2024 16:13:38 +0500 Subject: [PATCH 118/201] make tempo buckets in minio --- .../control-center-post-config/minio-tempo.tf | 92 +++++++++++++++++++ .../control-center-post-config/variables.tf | 5 + 2 files changed, 97 insertions(+) create mode 100644 terraform/config-params/control-center-post-config/minio-tempo.tf 
diff --git a/terraform/config-params/control-center-post-config/minio-tempo.tf b/terraform/config-params/control-center-post-config/minio-tempo.tf new file mode 100644 index 000000000..fd6269b5e --- /dev/null +++ b/terraform/config-params/control-center-post-config/minio-tempo.tf @@ -0,0 +1,92 @@ +resource "minio_s3_bucket" "tempo-s3-bucket" { + for_each = var.env_map + bucket = "${each.key}-tempo" +} + +resource "minio_ilm_policy" "tempo-bucket-lifecycle-rules" { + for_each = var.env_map + bucket = minio_s3_bucket.tempo-s3-bucket[each.key].bucket + rule { + id = "expire-${tempo_data_expiry_days}" + expiration = var.tempo_data_expiry_days + } +} + +resource "random_password" "minio_tempo_password" { + for_each = var.env_map + length = 20 + special = false +} + +resource "minio_iam_user" "tempo-user" { + for_each = var.env_map + name = "${each.key}-tempo-user" + secret = random_password.minio_tempo_password[each.key].result + force_destroy = true + tags = { + env = each.key + purpose = "access tempo data" + } +} + +resource "minio_iam_policy" "tempo-iam-policy" { + for_each = var.env_map + name = "${each.key}-tempo-policy" + policy = < Date: Fri, 19 Apr 2024 16:36:53 +0500 Subject: [PATCH 119/201] add tempo_data_expiry_days in terragrunt configs --- .../init/control-center-post-config/terragrunt.hcl | 3 ++- terraform/control-center/init/environment.yaml | 1 + 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/terraform/control-center/init/control-center-post-config/terragrunt.hcl b/terraform/control-center/init/control-center-post-config/terragrunt.hcl index f5e28ad83..33866a6ab 100644 --- a/terraform/control-center/init/control-center-post-config/terragrunt.hcl +++ b/terraform/control-center/init/control-center-post-config/terragrunt.hcl 
@@ -73,8 +73,9 @@ inputs = { gitlab_admin_rbac_group = local.env_vars.gitlab_admin_rbac_group gitlab_readonly_rbac_group = local.env_vars.gitlab_readonly_rbac_group loki_data_expiry = local.env_vars.loki_data_expiry + tempo_data_expiry_days = local.env_vars.tempo_data_expiry_days longhorn_backup_data_expiry = local.env_vars.longhorn_backup_data_expiry - private_subdomain_string = local.private_subdomain_string + private_subdomain_string = local.private_subdomain_string } locals { diff --git a/terraform/control-center/init/environment.yaml b/terraform/control-center/init/environment.yaml index 457ebe13a..1a537e0aa 100644 --- a/terraform/control-center/init/environment.yaml +++ b/terraform/control-center/init/environment.yaml @@ -15,6 +15,7 @@ letsencrypt_email: test@mojalabs.io delete_storage_on_term: true docker_server_extra_vol_size: 100 loki_data_expiry: 1d +tempo_data_expiry_days: 7d longhorn_backup_data_expiry: 1d envs: - env: dev From 8802f8ee80a5fd6ed6513628e58cfb4005c482c4 Mon Sep 17 00:00:00 2001 From: muzammil360 Date: Mon, 22 Apr 2024 14:19:51 +0500 Subject: [PATCH 120/201] add minio_tempo_bucket variable to gitlab --- terraform/gitops/k8s-cluster-config/stored-params.tf | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/terraform/gitops/k8s-cluster-config/stored-params.tf b/terraform/gitops/k8s-cluster-config/stored-params.tf index 8b7a76358..25247bb5e 100644 --- a/terraform/gitops/k8s-cluster-config/stored-params.tf +++ b/terraform/gitops/k8s-cluster-config/stored-params.tf @@ -51,6 +51,11 @@ data "gitlab_project_variable" "minio_loki_bucket" { key = "minio_loki_bucket" } +data "gitlab_project_variable" "minio_tempo_bucket" { + project = var.current_gitlab_project_id + key = "minio_tempo_bucket" +} + data "gitlab_project_variable" "minio_longhorn_bucket" { project = var.current_gitlab_project_id key = "minio_longhorn_bucket" From 03dece9e2e2510082edb9dbeacdd8aa4db04941f Mon Sep 17 00:00:00 2001 
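Review bot: The new key `tempo_data_expiry_days` is named as a plain day count, but its value `7d` carries a unit suffix like the neighbouring `loki_data_expiry` and `longhorn_backup_data_expiry` keys, so the name and the format disagree. The value is passed straight through terragrunt into `var.tempo_data_expiry_days`, where it is used both as the MinIO ILM expiration and inside the rule id, so a reader who later "fixes" it to a bare integer would change the rule id as well. Either rename it to `tempo_data_expiry` for consistency with its siblings, or state the format on the line: `# duration with unit suffix (e.g. 7d); passed verbatim to the MinIO ILM expiration rule`.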
From: muzammil360 Date: Mon, 22 Apr 2024 14:22:06 +0500 Subject: [PATCH 121/201] move all the resources to a single file --- .../control-center-post-config/minio-tempo.tf | 92 ------------------ .../control-center-post-config/minio.tf | 94 +++++++++++++++++++ 2 files changed, 94 insertions(+), 92 deletions(-) delete mode 100644 terraform/config-params/control-center-post-config/minio-tempo.tf diff --git a/terraform/config-params/control-center-post-config/minio-tempo.tf b/terraform/config-params/control-center-post-config/minio-tempo.tf deleted file mode 100644 index fd6269b5e..000000000 --- a/terraform/config-params/control-center-post-config/minio-tempo.tf +++ /dev/null @@ -1,92 +0,0 @@ -resource "minio_s3_bucket" "tempo-s3-bucket" { - for_each = var.env_map - bucket = "${each.key}-tempo" -} - -resource "minio_ilm_policy" "tempo-bucket-lifecycle-rules" { - for_each = var.env_map - bucket = minio_s3_bucket.tempo-s3-bucket[each.key].bucket - rule { - id = "expire-${tempo_data_expiry_days}" - expiration = var.tempo_data_expiry_days - } -} - -resource "random_password" "minio_tempo_password" { - for_each = var.env_map - length = 20 - special = false -} - -resource "minio_iam_user" "tempo-user" { - for_each = var.env_map - name = "${each.key}-tempo-user" - secret = random_password.minio_tempo_password[each.key].result - force_destroy = true - tags = { - env = each.key - purpose = "access tempo data" - } -} - -resource "minio_iam_policy" "tempo-iam-policy" { - for_each = var.env_map - name = "${each.key}-tempo-policy" - policy = < Date: Tue, 23 Apr 2024 14:06:47 +0500 Subject: [PATCH 122/201] fix the variable --- terraform/config-params/control-center-post-config/minio.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/config-params/control-center-post-config/minio.tf b/terraform/config-params/control-center-post-config/minio.tf index 56b9624f9..9c9fa53ba 100644 --- a/terraform/config-params/control-center-post-config/minio.tf 
+++ b/terraform/config-params/control-center-post-config/minio.tf @@ -99,7 +99,7 @@ resource "minio_ilm_policy" "tempo-bucket-lifecycle-rules" { for_each = var.env_map bucket = minio_s3_bucket.tempo-s3-bucket[each.key].bucket rule { - id = "expire-${tempo_data_expiry_days}" + id = "expire-${var.tempo_data_expiry_days}" expiration = var.tempo_data_expiry_days } } From 8995d3023697e1c5dd091a6fe2e1fde70bcc0017 Mon Sep 17 00:00:00 2001 From: Muzammil Date: Tue, 23 Apr 2024 12:17:14 +0500 Subject: [PATCH 123/201] Increase loki and longhorn data TTL to 7 days in minio --- terraform/control-center/init/environment.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/control-center/init/environment.yaml b/terraform/control-center/init/environment.yaml index 1a537e0aa..7552840e3 100644 --- a/terraform/control-center/init/environment.yaml +++ b/terraform/control-center/init/environment.yaml @@ -14,9 +14,9 @@ netmaker_version: 0.18.7 letsencrypt_email: test@mojalabs.io delete_storage_on_term: true docker_server_extra_vol_size: 100 -loki_data_expiry: 1d +loki_data_expiry: 7d tempo_data_expiry_days: 7d -longhorn_backup_data_expiry: 1d +longhorn_backup_data_expiry: 7d envs: - env: dev domain: labsk8s604.mojaloop.live From 918eed2d11b1de20886255f8377f28237c21eb75 Mon Sep 17 00:00:00 2001 From: Muzammil Date: Tue, 23 Apr 2024 14:25:01 +0500 Subject: [PATCH 124/201] use 1d for longhorn data --- terraform/control-center/init/environment.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/control-center/init/environment.yaml b/terraform/control-center/init/environment.yaml index 7552840e3..7169a321c 100644 --- a/terraform/control-center/init/environment.yaml +++ b/terraform/control-center/init/environment.yaml 
@@ -16,7 +16,7 @@ delete_storage_on_term: true docker_server_extra_vol_size: 100 loki_data_expiry: 7d tempo_data_expiry_days: 7d -longhorn_backup_data_expiry: 7d +longhorn_backup_data_expiry: 1d envs: - env: dev domain: labsk8s604.mojaloop.live From 25d50ce5623ee4f66e556b965e332fa79e54bedb Mon Sep 17 00:00:00 2001 From: Vijay Date: Tue, 23 Apr 2024 18:40:38 +0530 Subject: [PATCH 125/201] fix: admin portal name limit --- terraform/gitops/pm4ml/pm4ml.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/gitops/pm4ml/pm4ml.tf b/terraform/gitops/pm4ml/pm4ml.tf index 4ce1b99df..694ae3632 100644 --- a/terraform/gitops/pm4ml/pm4ml.tf +++ b/terraform/gitops/pm4ml/pm4ml.tf @@ -22,7 +22,7 @@ module "generate_pm4ml_files" { portal_fqdn = local.portal_fqdns[each.key] admin_portal_fqdn = local.admin_portal_fqdns[each.key] auth_fqdn = var.auth_fqdn - admin_portal_release_name = "admin-portal-${each.key}" + admin_portal_release_name = "admin-portal" admin_portal_chart_version = try(var.app_var_map.admin_portal_chart_version, var.admin_portal_chart_version) dfsp_id = each.value.pm4ml_dfsp_id pm4ml_service_account_name = "${var.pm4ml_service_account_name}-${each.key}" From 3991841b9edbeefac8a853710b5a9d6c669a6fed Mon Sep 17 00:00:00 2001 From: Sijo George <87609749+sijo5722-2021@users.noreply.github.com> Date: Wed, 24 Apr 2024 19:17:07 +0530 Subject: [PATCH 126/201] Fix for auth and wrong backend (#246) --- .../generate-files/templates/pm4ml/istio-gateway.yaml.tpl | 2 +- terraform/gitops/pm4ml/pm4ml.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/gitops/generate-files/templates/pm4ml/istio-gateway.yaml.tpl b/terraform/gitops/generate-files/templates/pm4ml/istio-gateway.yaml.tpl index ac4cb00e9..8fbb9db39 100644 --- a/terraform/gitops/generate-files/templates/pm4ml/istio-gateway.yaml.tpl +++ b/terraform/gitops/generate-files/templates/pm4ml/istio-gateway.yaml.tpl 
@@ -110,7 +110,7 @@ spec: apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: - name: ${admin_portal_release_name}-auth + name: ${admin_portal_release_name}-${pm4ml_release_name}-auth namespace: ${pm4ml_istio_gateway_namespace} spec: selector: diff --git a/terraform/gitops/pm4ml/pm4ml.tf b/terraform/gitops/pm4ml/pm4ml.tf index 694ae3632..29e1f0f12 100644 --- a/terraform/gitops/pm4ml/pm4ml.tf +++ b/terraform/gitops/pm4ml/pm4ml.tf @@ -69,7 +69,7 @@ module "generate_pm4ml_files" { ttk_enabled = each.value.pm4ml_ttk_enabled core_connector_selected = each.value.core_connector_selected custom_core_connector_endpoint = each.value.custom_core_connector_endpoint - ttk_backend_fqdn = local.pm4ml_ttk_frontend_fqdns[each.key] + ttk_backend_fqdn = local.pm4ml_ttk_backend_fqdns[each.key] ttk_frontend_fqdn = local.pm4ml_ttk_frontend_fqdns[each.key] pta_portal_fqdn = local.pm4ml_pta_portal_fqdns[each.key] test_fqdn = local.test_fqdns[each.key] From 91f1219a366ef8e3922325708b511752100cc7f5 Mon Sep 17 00:00:00 2001 From: Sijo George <87609749+sijo5722-2021@users.noreply.github.com> Date: Thu, 25 Apr 2024 18:23:22 +0530 Subject: [PATCH 127/201] Correcting the default values (#247) --- terraform/k8s/default-config/mojaloop-vars.yaml | 2 +- terraform/k8s/default-config/pm4ml-vars.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/k8s/default-config/mojaloop-vars.yaml b/terraform/k8s/default-config/mojaloop-vars.yaml index aad03e24c..c9c41706f 100644 --- a/terraform/k8s/default-config/mojaloop-vars.yaml +++ b/terraform/k8s/default-config/mojaloop-vars.yaml @@ -20,7 +20,7 @@ account_lookup_service_monitoring_prefix: "moja_als_" ttk_gp_testcase_labels: "p2p" jws_rotation_period_hours: 672 jws_rotation_renew_before_hours: 1 -fspiop_use_ory_for_auth: false +fspiop_use_ory_for_auth: true mojaloop_tolerations: - key: "moja-enabled" operator: "Equal" 
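Review bot: Suffixing the AuthorizationPolicy name with `${pm4ml_release_name}` avoids the collision introduced when `admin_portal_release_name` was fixed to the constant `admin-portal` for every pm4ml instance, but only this one object is renamed. Any other resources in this template that are named from `${admin_portal_release_name}` alone and live in the shared `${pm4ml_istio_gateway_namespace}` — not visible from this hunk — would still overwrite each other across instances, which is worth checking. A comment on the name such as `# suffixed with the pm4ml release so per-instance policies do not collide in the shared gateway namespace` would record why the two names are combined.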
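Review bot: Flipping the default of `fspiop_use_ory_for_auth` to `true` means every deployment that does not override it now takes the Ory-backed auth path; that is the safer default, but an environment that has not provisioned the matching Ory configuration would presumably start rejecting FSPIOP calls rather than running as before. A comment on the key, e.g. `# default on: FSPIOP API calls are authorised through Ory; set to false only for environments that deliberately run without it`, would document the intent, and the commit message's "correcting the default values" undersells a behaviour change that deserves a release-note entry.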
diff --git a/terraform/k8s/default-config/pm4ml-vars.yaml b/terraform/k8s/default-config/pm4ml-vars.yaml index 718676be1..0b7ebb661 100644 --- a/terraform/k8s/default-config/pm4ml-vars.yaml +++ b/terraform/k8s/default-config/pm4ml-vars.yaml @@ -1,6 +1,6 @@ pm4ml: pm4mltest pm4ml_enabled: true -pm4ml_chart_version: 9.1.4 +pm4ml_chart_version: 9.1.5 pm4ml_external_mcm_public_fqdn: mcm.dev.labsk8s601.mojaloop.live pm4ml_ingress_internal_lb: false pm4ml_external_switch_client_id: dfsp-jwt From a018534f5bfa50d6b36a44bfa0560d76c7e500c5 Mon Sep 17 00:00:00 2001 From: David Fry Date: Thu, 25 Apr 2024 19:33:44 +0200 Subject: [PATCH 128/201] fine tune addons module config (#240) --- terraform/gitlab/ci-templates/k8s-cluster/.gitlab-ci.yml | 6 ++++-- .../k8s-cluster/.gitlab/scripts/config-merge.sh | 2 +- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/terraform/gitlab/ci-templates/k8s-cluster/.gitlab-ci.yml b/terraform/gitlab/ci-templates/k8s-cluster/.gitlab-ci.yml index c40a03920..c70841682 100644 --- a/terraform/gitlab/ci-templates/k8s-cluster/.gitlab-ci.yml +++ b/terraform/gitlab/ci-templates/k8s-cluster/.gitlab-ci.yml @@ -56,7 +56,9 @@ cache: - source $(which gitlab-terraform) - .gitlab/scripts/config-merge.sh - yq eval '.' $CONFIG_PATH/cluster-config.yaml -o=json > cluster-config.json + - yq eval '.' $CONFIG_PATH/addons-vars.yaml -o=json > addons-vars.yaml - for var in $(jq -r 'to_entries[] | "\(.key)=\(.value)\n"' ./cluster-config.json); do export $var; done + - for var in $(jq -r 'to_entries[] | "\(.key)=\(.value)\n"' ./addons-vars.yaml); do export $var; done - export VAULT_TOKEN="$(vault write -field=token auth/${VAULT_AUTH_PATH}/login role=$VAULT_AUTH_ROLE jwt=$VAULT_ID_TOKEN)" - export ENV_VAULT_TOKEN="$(vault kv get -field=value ${KV_SECRET_PATH}/${CI_PROJECT_NAME}/env_token)" - export NETMAKER_OPS_TOKEN="$(vault kv get -field=value ${KV_SECRET_PATH}/${CI_PROJECT_NAME}/netmaker_ops_token)" 
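Review bot: The added `yq` line writes JSON into a file named `addons-vars.yaml`, whereas the line above it writes `cluster-config.json`; the mismatched extension is harmless to `jq` but misleading, and should `$CONFIG_PATH` ever resolve to the working directory the command would overwrite its own input. `- yq eval '.' $CONFIG_PATH/addons-vars.yaml -o=json > addons-vars.json` together with `./addons-vars.json` in the `jq` line keeps the two steps symmetric. The copied `for var in $(jq …); do export $var; done` loop also word-splits unquoted values, so an addons value containing whitespace would be exported truncated; that is pre-existing in the line above, but the new line inherits it.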
@@ -66,8 +68,8 @@ cache: - export VAULT_GITLAB_ROOT_TOKEN="$(vault kv get -field=value ${KV_SECRET_PATH}/tenancy/vault_root_token)" - export METMAKER_MASTER_KEY="$(vault kv get -field=value ${KV_SECRET_PATH}/tenancy/netmaker_master_key)" - source setcivars.sh - - if [ "$PRIVATE_REPO_USER" == "nullvalue" ]; then echo "https://${PRIVATE_REPO_USER}:${PRIVATE_REPO_TOKEN}@${PRIVATE_REPO}" > ~/.gitcredentials.store; fi - - if [ "$PRIVATE_REPO_USER" == "nullvalue" ]; then git config --global credential.helper 'store --file ~/.gitcredentials.store'; fi + - echo "https://${PRIVATE_REPO_USER}:${PRIVATE_REPO_TOKEN}@${PRIVATE_REPO}" > ~/.gitcredentials.store + - git config --global credential.helper 'store --file ~/.gitcredentials.store' - git config --global advice.detachedHead false - source set-ansible-destroy-preq-vars.sh - export TERRAGRUNT_EXCLUDE_DIR="/dev/null" diff --git a/terraform/gitlab/ci-templates/k8s-cluster/.gitlab/scripts/config-merge.sh b/terraform/gitlab/ci-templates/k8s-cluster/.gitlab/scripts/config-merge.sh index ead45e9fd..e2d58e7b8 100755 --- a/terraform/gitlab/ci-templates/k8s-cluster/.gitlab/scripts/config-merge.sh +++ b/terraform/gitlab/ci-templates/k8s-cluster/.gitlab/scripts/config-merge.sh 
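Review bot: Removing the guard makes the job write `https://${PRIVATE_REPO_USER}:${PRIVATE_REPO_TOKEN}@${PRIVATE_REPO}` to `~/.gitcredentials.store` on every run, so the token now lands in a plain-text file created with the default umask even when the variables are empty and the resulting `https://:@` entry is useless. The old `== "nullvalue"` test reads as inverted, so dropping it fixes a real bug, but a sane guard keeps that fix without exposing the token when it is not needed: `- if [ -n "$PRIVATE_REPO_TOKEN" ]; then (umask 077; echo "https://${PRIVATE_REPO_USER}:${PRIVATE_REPO_TOKEN}@${PRIVATE_REPO}" > ~/.gitcredentials.store); fi` and `- if [ -n "$PRIVATE_REPO_TOKEN" ]; then git config --global credential.helper 'store --file ~/.gitcredentials.store'; fi`. Consider also deleting the file in an `after_script` so it does not outlive the job on a persistent runner.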
@@ -1,5 +1,5 @@
 mkdir -p $CONFIG_PATH
-for configFile in {'aws-vars.yaml','cluster-config.yaml','common-vars.yaml','mojaloop-rbac-permissions.yaml','mojaloop-vars.yaml','pm4ml-vars.yaml','bare-metal-vars.yaml','pm4ml-rbac-permissions.yaml','mojaloop-stateful-resources.json','common-stateful-resources.json','mojaloop-rbac-api-resources.yaml','vnext-vars.yaml','vnext-stateful-resources.json','addons-vars.yaml','mojaloop-values-override.yaml'};
+for configFile in {'aws-vars.yaml','cluster-config.yaml','common-vars.yaml','mojaloop-rbac-permissions.yaml','mojaloop-vars.yaml','pm4ml-vars.yaml','bare-metal-vars.yaml','pm4ml-rbac-permissions.yaml','mojaloop-stateful-resources.json','common-stateful-resources.json','mojaloop-rbac-api-resources.yaml','vnext-vars.yaml','vnext-stateful-resources.json','addons-vars.yaml','addons-stateful-resources.json','mojaloop-values-override.yaml'};
 do
 echo $configFile
 python3 .gitlab/scripts/dictmerge.py default-config/$configFile custom-config/$configFile $CONFIG_PATH;
From 2c276f308c71b538841ede01532ef8c7d4086c95 Mon Sep 17 00:00:00 2001
From: Muzammil
Date: Thu, 25 Apr 2024 22:34:01 +0500
Subject: [PATCH 129/201] reduce loki_ingester_pvc_size to 10Gi (#245)
---
 terraform/gitops/k8s-cluster-config/monitoring.tf | 2 +-
 terraform/k8s/default-config/common-vars.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/terraform/gitops/k8s-cluster-config/monitoring.tf b/terraform/gitops/k8s-cluster-config/monitoring.tf
index 0fb478c4d..fd40137c3 100644
--- a/terraform/gitops/k8s-cluster-config/monitoring.tf
+++ b/terraform/gitops/k8s-cluster-config/monitoring.tf
@@ -115,7 +115,7 @@ locals {
 grafana_operator_version = "3.5.11"
 monitoring_template_path = "${path.module}/../generate-files/templates/monitoring"
 monitoring_app_file = "monitoring-app.yaml"
- loki_ingester_pvc_size = "50Gi"
+ loki_ingester_pvc_size = "10Gi"
 prometheus_pvc_size = "50Gi"
 loki_retention_enabled = true
 loki_ingester_retention_period = "72h"
diff --git a/terraform/k8s/default-config/common-vars.yaml b/terraform/k8s/default-config/common-vars.yaml index ec6c54b67..5645f723a 100644 --- a/terraform/k8s/default-config/common-vars.yaml +++ b/terraform/k8s/default-config/common-vars.yaml @@ -26,7 +26,7 @@ grafana_operator_version: 3.5.11 grafana_version: 10.2.3 tempo_chart_version: 2.6.0 loki_chart_version: 2.13.0 -loki_ingester_pvc_size: 50Gi +loki_ingester_pvc_size: 10Gi prometheus_pvc_size: 50Gi loki_retention_enabled: true loki_ingester_retention_period: 72h From ead675f138e14228e6adb64c0a64652f2346b2dc Mon Sep 17 00:00:00 2001 From: Muzammil Date: Fri, 26 Apr 2024 15:05:07 +0500 Subject: [PATCH 130/201] renamed minio_credentials_secret_name to minio_loki_credentials_secret_name (#244) * updated references to minio_loki_credentials_secret_name * updated value of minio_loki_credentials_secret_name --- .../templates/monitoring/install/values-loki.yaml.tpl | 6 +++--- .../monitoring/install/vault-minio-ext-secret.yaml.tpl | 4 ++-- terraform/gitops/k8s-cluster-config/monitoring.tf | 2 +- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/terraform/gitops/generate-files/templates/monitoring/install/values-loki.yaml.tpl b/terraform/gitops/generate-files/templates/monitoring/install/values-loki.yaml.tpl index a09bbd04b..61bd57fef 100644 --- a/terraform/gitops/generate-files/templates/monitoring/install/values-loki.yaml.tpl +++ b/terraform/gitops/generate-files/templates/monitoring/install/values-loki.yaml.tpl @@ -33,7 +33,7 @@ ingester: size: ${loki_ingester_pvc_size} storageClass: ${storage_class_name} extraArgs: ["-config.expand-env"] - extraEnvVarsSecret: ${minio_credentials_secret_name} + extraEnvVarsSecret: ${minio_loki_credentials_secret_name} nodeAffinityPreset: type: hard key: workload-class.mojaloop.io/MONITORING 
@@ -41,7 +41,7 @@ ingester: compactor: # https://grafana.com/docs/loki/latest/operations/storage/boltdb-shipper/#compactor extraArgs: ["-config.expand-env"] - extraEnvVarsSecret: minio-credentials-secret + extraEnvVarsSecret: ${minio_loki_credentials_secret_name} nodeAffinityPreset: type: hard key: workload-class.mojaloop.io/MONITORING @@ -58,7 +58,7 @@ gateway: values: ["enabled"] querier: extraArgs: ["-config.expand-env"] - extraEnvVarsSecret: minio-credentials-secret + extraEnvVarsSecret: ${minio_loki_credentials_secret_name} nodeAffinityPreset: type: hard key: workload-class.mojaloop.io/MONITORING diff --git a/terraform/gitops/generate-files/templates/monitoring/install/vault-minio-ext-secret.yaml.tpl b/terraform/gitops/generate-files/templates/monitoring/install/vault-minio-ext-secret.yaml.tpl index b5509fb95..152a60b93 100644 --- a/terraform/gitops/generate-files/templates/monitoring/install/vault-minio-ext-secret.yaml.tpl +++ b/terraform/gitops/generate-files/templates/monitoring/install/vault-minio-ext-secret.yaml.tpl @@ -1,7 +1,7 @@ apiVersion: external-secrets.io/v1beta1 kind: ExternalSecret metadata: - name: ${minio_credentials_secret_name} + name: ${minio_loki_credentials_secret_name} annotations: argocd.argoproj.io/sync-wave: "${external_secret_sync_wave}" spec: @@ -12,7 +12,7 @@ spec: name: tenant-vault-secret-store target: - name: ${minio_credentials_secret_name} # Name for the secret to be created on the cluster + name: ${minio_loki_credentials_secret_name} # Name for the secret to be created on the cluster creationPolicy: Owner data: diff --git a/terraform/gitops/k8s-cluster-config/monitoring.tf b/terraform/gitops/k8s-cluster-config/monitoring.tf index fd40137c3..87f053ab4 100644 --- a/terraform/gitops/k8s-cluster-config/monitoring.tf +++ b/terraform/gitops/k8s-cluster-config/monitoring.tf 
@@ -36,7 +36,7 @@ module "generate_monitoring_files" { loki_ingester_retention_period = try(var.common_var_map.loki_ingester_retention_period, local.loki_ingester_retention_period) prometheus_retention_period = try(var.common_var_map.prometheus_retention_period, local.prometheus_retention_period) alertmanager_enabled = try(var.common_var_map.alertmanager_enabled, false) - minio_credentials_secret_name = "minio-credentials-secret" + minio_loki_credentials_secret_name = "minio-loki-credentials-secret" minio_api_url = var.minio_api_url minio_loki_bucket = local.minio_loki_bucket minio_loki_user_key = "${var.cluster_name}/minio_loki_username" From a33da608eb41ea3e20fd0ec83f7684184b396a72 Mon Sep 17 00:00:00 2001 From: Muzammil Date: Fri, 26 Apr 2024 15:12:17 +0500 Subject: [PATCH 131/201] IPROD-565: Setup tempo to use minio (#232) * enable env variable expansion in config * update tempo chart version * add minio_tempo_credentials_secret_name * update * minio tempo credentials secert * added tempo datasource * replace extraArgs with args * remove extra args * upadte config * fix bugs * added extraEnvVarsSecret to remaining services * switch to s3 * add tempo retension period * use hours instead of days * get minio_tempo_bucket from gitlab * use minio api url * use minio_tempo_credentials_secret_name variable * refactor --------- Co-authored-by: David Fry --- .../monitoring/install/values-tempo.yaml.tpl | 111 ++++++++++++++++++ .../install/vault-minio-ext-secret.yaml.tpl | 35 +++++- .../post-config/monitoring-crs.yaml.tpl | 20 ++++ .../gitops/k8s-cluster-config/monitoring.tf | 102 ++++++++-------- .../gitops/k8s-cluster-config/variables.tf | 1 + terraform/k8s/default-config/common-vars.yaml | 3 +- 6 files changed, 222 insertions(+), 50 deletions(-) diff --git a/terraform/gitops/generate-files/templates/monitoring/install/values-tempo.yaml.tpl b/terraform/gitops/generate-files/templates/monitoring/install/values-tempo.yaml.tpl index 108667750..2ee6eb906 100644 
--- a/terraform/gitops/generate-files/templates/monitoring/install/values-tempo.yaml.tpl +++ b/terraform/gitops/generate-files/templates/monitoring/install/values-tempo.yaml.tpl 
@@ -1,29 +1,140 @@ +tempo: + # source: https://github.com/bitnami/charts/blob/a3c7c6e5bc685b2587a6302770e20c6890ebd72d/bitnami/grafana-tempo/values.yaml#L136C3-L231C48 + configuration: | + multitenancy_enabled: false + cache: + caches: + - memcached: + host: {{ include "grafana-tempo.memcached.url" . }} + service: memcache + timeout: 500ms + consistent_hash: true + roles: + - bloom + - trace-id-index + compactor: + compaction: + block_retention: ${tempo_retention_period} + ring: + kvstore: + store: memberlist + distributor: + ring: + kvstore: + store: memberlist + receivers: + {{- if or (.Values.tempo.traces.jaeger.thriftCompact) (.Values.tempo.traces.jaeger.thriftBinary) (.Values.tempo.traces.jaeger.thriftHttp) (.Values.tempo.traces.jaeger.grpc) }} + jaeger: + protocols: + {{- if .Values.tempo.traces.jaeger.thriftCompact }} + thrift_compact: + endpoint: 0.0.0.0:6831 + {{- end }} + {{- if .Values.tempo.traces.jaeger.thriftBinary }} + thrift_binary: + endpoint: 0.0.0.0:6832 + {{- end }} + {{- if .Values.tempo.traces.jaeger.thriftHttp }} + thrift_http: + endpoint: 0.0.0.0:14268 + {{- end }} + {{- if .Values.tempo.traces.jaeger.grpc }} + grpc: + endpoint: 0.0.0.0:14250 + {{- end }} + {{- end }} + {{- if .Values.tempo.traces.zipkin }} + zipkin: + endpoint: 0.0.0.0:9411 + {{- end }} + {{- if or (.Values.tempo.traces.otlp.http) (.Values.tempo.traces.otlp.grpc) }} + otlp: + protocols: + {{- if .Values.tempo.traces.otlp.http }} + http: + endpoint: 0.0.0.0:55681 + {{- end }} + {{- if .Values.tempo.traces.otlp.grpc }} + grpc: + endpoint: 0.0.0.0:4317 + {{- end }} + {{- end }} + {{- if .Values.tempo.traces.opencensus }} + opencensus: + endpoint: 0.0.0.0:55678 + {{- end }} + querier: + frontend_worker: + frontend_address: {{ include "grafana-tempo.query-frontend.fullname" . 
}}-headless:{{ .Values.queryFrontend.service.ports.grpc }} + ingester: + lifecycler: + ring: + replication_factor: 1 + kvstore: + store: memberlist + tokens_file_path: {{ .Values.tempo.dataDir }}/tokens.json + metrics_generator: + ring: + kvstore: + store: memberlist + storage: + path: {{ .Values.tempo.dataDir }}/wal + remote_write: {{ include "common.tplvalues.render" (dict "value" .Values.metricsGenerator.remoteWrite "context" $) | nindent 6 }} + memberlist: + abort_if_cluster_join_fails: false + join_members: + - {{ include "grafana-tempo.gossip-ring.fullname" . }} + overrides: + per_tenant_override_config: /bitnami/grafana-tempo/conf/overrides.yaml + server: + http_listen_port: {{ .Values.tempo.containerPorts.web }} + storage: + trace: + backend: s3 + blocklist_poll: 5m + local: + path: {{ .Values.tempo.dataDir }}/traces + wal: + path: {{ .Values.tempo.dataDir }}/wal + s3: + forcepathstyle: true + endpoint: ${minio_api_url} + insecure: true + bucket: ${minio_tempo_bucket} + + compactor: + extraEnvVarsSecret: ${minio_tempo_credentials_secret_name} nodeAffinityPreset: type: hard key: workload-class.mojaloop.io/MONITORING values: ["enabled"] distributor: + extraEnvVarsSecret: ${minio_tempo_credentials_secret_name} nodeAffinityPreset: type: hard key: workload-class.mojaloop.io/MONITORING values: ["enabled"] ingester: + extraEnvVarsSecret: ${minio_tempo_credentials_secret_name} nodeAffinityPreset: type: hard key: workload-class.mojaloop.io/MONITORING values: ["enabled"] metricsGenerator: + extraEnvVarsSecret: ${minio_tempo_credentials_secret_name} nodeAffinityPreset: type: hard key: workload-class.mojaloop.io/MONITORING values: ["enabled"] querier: + extraEnvVarsSecret: ${minio_tempo_credentials_secret_name} nodeAffinityPreset: type: hard key: workload-class.mojaloop.io/MONITORING values: ["enabled"] queryFrontend: + extraEnvVarsSecret: ${minio_tempo_credentials_secret_name} nodeAffinityPreset: type: hard key: workload-class.mojaloop.io/MONITORING 
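Review bot: `insecure: true` in the new `s3:` stanza makes Tempo talk to `${minio_api_url}` over plain HTTP, so the MinIO credentials and all trace data cross the network unencrypted; that may be acceptable on a cluster-internal path, but nothing here records the assumption. A comment such as `# insecure: MinIO is reached over the cluster-internal network only; revisit if minio_api_url is ever external` (or a template variable in place of the literal) would make it explicit. Separately, the stanza sets no `access_key`/`secret_key` and relies on the `MINIO_ACCESS_KEY`/`MINIO_SECRET_KEY` variables injected through `extraEnvVarsSecret` being picked up by the S3 client's fallback credential chain; I believe that works, but it is entirely implicit, so a comment on the `compactor.extraEnvVarsSecret` line like `# credentials come from MINIO_ACCESS_KEY/MINIO_SECRET_KEY via the S3 client's environment credential chain` would save the next reader the lookup.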
diff --git a/terraform/gitops/generate-files/templates/monitoring/install/vault-minio-ext-secret.yaml.tpl b/terraform/gitops/generate-files/templates/monitoring/install/vault-minio-ext-secret.yaml.tpl index 152a60b93..5244ac963 100644 --- a/terraform/gitops/generate-files/templates/monitoring/install/vault-minio-ext-secret.yaml.tpl +++ b/terraform/gitops/generate-files/templates/monitoring/install/vault-minio-ext-secret.yaml.tpl @@ -27,4 +27,37 @@ spec: conversionStrategy: Default decodingStrategy: None key: ${minio_loki_password_key} - property: value \ No newline at end of file + property: value + +--- +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: ${minio_tempo_credentials_secret_name} + annotations: + argocd.argoproj.io/sync-wave: "${external_secret_sync_wave}" +spec: + refreshInterval: 1h + + secretStoreRef: + kind: ClusterSecretStore + name: tenant-vault-secret-store + + target: + name: ${minio_tempo_credentials_secret_name} # Name for the secret to be created on the cluster + creationPolicy: Owner + + data: + # https://grafana.com/docs/tempo/latest/configuration/hosted-storage/s3/#amazon-s3-permissions + - secretKey: MINIO_ACCESS_KEY + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: ${minio_tempo_user_key} + property: value + - secretKey: MINIO_SECRET_KEY + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: ${minio_tempo_password_key} + property: value \ No newline at end of file diff --git a/terraform/gitops/generate-files/templates/monitoring/post-config/monitoring-crs.yaml.tpl b/terraform/gitops/generate-files/templates/monitoring/post-config/monitoring-crs.yaml.tpl index 5c4d3824b..7cb2be9e7 100644 --- a/terraform/gitops/generate-files/templates/monitoring/post-config/monitoring-crs.yaml.tpl +++ b/terraform/gitops/generate-files/templates/monitoring/post-config/monitoring-crs.yaml.tpl 
@@ -88,6 +88,26 @@ spec: editable: true --- apiVersion: grafana.integreatly.org/v1beta1 +kind: GrafanaDatasource +metadata: + name: tempo +spec: + instanceSelector: + matchLabels: + dashboards: "grafana" + datasource: + name: Tempo + type: tempo + access: proxy + url: http://tempo-grafana-tempo-query-frontend:3200 + jsonData: + httpHeaderName1: 'X-Scope-OrgID' + secureJsonData: + httpHeaderValue1: 'single-tenant' + isDefault: false + editable: true +--- +apiVersion: grafana.integreatly.org/v1beta1 kind: GrafanaFolder metadata: name: default diff --git a/terraform/gitops/k8s-cluster-config/monitoring.tf b/terraform/gitops/k8s-cluster-config/monitoring.tf index 87f053ab4..9592af7a6 100644 --- a/terraform/gitops/k8s-cluster-config/monitoring.tf +++ b/terraform/gitops/k8s-cluster-config/monitoring.tf 
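Review bot: The datasource `url` is the hard-coded service name `http://tempo-grafana-tempo-query-frontend:3200`, while the secret name, bucket and endpoint elsewhere in this commit are template variables; the name appears to be derived from the Helm release name plus the chart's component naming, so renaming the release would silently break the datasource. Either derive the host from the release name or note the coupling: `# host follows <release>-grafana-tempo-query-frontend from the chart; keep in sync with the tempo release name`. With `multitenancy_enabled: false` in values-tempo the `X-Scope-OrgID` header is presumably ignored, so a one-line comment on why it is set would also help.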
@@ -1,53 +1,58 @@ module "generate_monitoring_files" { source = "../generate-files" var_map = { - grafana_crd_version_tag = try(var.common_var_map.grafana_crd_version_tag, local.grafana_crd_version_tag) - prometheus_crd_version = try(var.common_var_map.prometheus_crd_version, local.prometheus_crd_version) - loki_chart_version = try(var.common_var_map.loki_chart_version, local.loki_chart_version) - prometheus_operator_version = try(var.common_var_map.prometheus_operator_version, local.prometheus_operator_version) - prometheus_operator_release_name = local.prometheus_operator_release_name - prometheus_process_exporter_version = try(var.common_var_map.prometheus_process_exporter_version, local.prometheus_process_exporter_version) - loki_release_name = local.loki_release_name - grafana_operator_version = try(var.common_var_map.grafana_operator_version, local.grafana_operator_version) - grafana_version = try(var.common_var_map.grafana_version, local.grafana_version) - tempo_chart_version = try(var.common_var_map.tempo_chart_version, local.tempo_chart_version) - monitoring_namespace = var.monitoring_namespace - gitlab_server_url = var.gitlab_server_url - gitlab_project_url = var.gitlab_project_url - public_subdomain = var.public_subdomain - client_id = try(data.vault_generic_secret.grafana_oauth_client_id[0].data.value,"") - client_secret = try(data.vault_generic_secret.grafana_oauth_client_secret[0].data.value,"") - enable_oidc = var.enable_grafana_oidc - storage_class_name = var.storage_class_name - groups = var.gitlab_admin_group_name - prom-mojaloop-url = "http://prometheus-operated:9090" - admin_secret_pw_key = "admin-pw" - admin_secret_user_key = "admin-user" - admin_secret = "grafana-admin-secret" - admin_user_name = "grafana-admin" - alertmanager_jira_secret_ref = "${var.cluster_name}/jira-prometheus-integration-secret-key" - monitoring_sync_wave = var.monitoring_sync_wave - monitoring_post_config_sync_wave = var.monitoring_post_config_sync_wave - ingress_class = 
var.grafana_ingress_internal_lb ? var.internal_ingress_class_name : var.external_ingress_class_name - istio_create_ingress_gateways = var.istio_create_ingress_gateways - loki_ingester_pvc_size = try(var.common_var_map.loki_ingester_pvc_size, local.loki_ingester_pvc_size) - prometheus_pvc_size = try(var.common_var_map.prometheus_pvc_size, local.prometheus_pvc_size) - loki_retention_enabled = try(var.common_var_map.loki_retention_enabled, local.loki_retention_enabled) - loki_ingester_retention_period = try(var.common_var_map.loki_ingester_retention_period, local.loki_ingester_retention_period) - prometheus_retention_period = try(var.common_var_map.prometheus_retention_period, local.prometheus_retention_period) - alertmanager_enabled = try(var.common_var_map.alertmanager_enabled, false) - minio_loki_credentials_secret_name = "minio-loki-credentials-secret" - minio_api_url = var.minio_api_url - minio_loki_bucket = local.minio_loki_bucket - minio_loki_user_key = "${var.cluster_name}/minio_loki_username" - minio_loki_password_key = "${var.cluster_name}/minio_loki_password" - external_secret_sync_wave = var.external_secret_sync_wave - prom_tsdb_max_block_duration = try(var.common_var_map.prom_tsdb_max_block_duration, local.prom_tsdb_max_block_duration) - prom_tsdb_min_block_duration = try(var.common_var_map.prom_tsdb_min_block_duration, local.prom_tsdb_min_block_duration) - grafana_subdomain = local.grafana_subdomain - grafana_fqdn = local.grafana_fqdn - grafana_istio_gateway_namespace = local.grafana_istio_gateway_namespace - grafana_istio_wildcard_gateway_name = local.vault_istio_wildcard_gateway_name + grafana_crd_version_tag = try(var.common_var_map.grafana_crd_version_tag, local.grafana_crd_version_tag) + prometheus_crd_version = try(var.common_var_map.prometheus_crd_version, local.prometheus_crd_version) + loki_chart_version = try(var.common_var_map.loki_chart_version, local.loki_chart_version) + prometheus_operator_version = 
try(var.common_var_map.prometheus_operator_version, local.prometheus_operator_version) + prometheus_operator_release_name = local.prometheus_operator_release_name + prometheus_process_exporter_version = try(var.common_var_map.prometheus_process_exporter_version, local.prometheus_process_exporter_version) + loki_release_name = local.loki_release_name + grafana_operator_version = try(var.common_var_map.grafana_operator_version, local.grafana_operator_version) + grafana_version = try(var.common_var_map.grafana_version, local.grafana_version) + tempo_chart_version = try(var.common_var_map.tempo_chart_version, local.tempo_chart_version) + monitoring_namespace = var.monitoring_namespace + gitlab_server_url = var.gitlab_server_url + gitlab_project_url = var.gitlab_project_url + public_subdomain = var.public_subdomain + client_id = try(data.vault_generic_secret.grafana_oauth_client_id[0].data.value, "") + client_secret = try(data.vault_generic_secret.grafana_oauth_client_secret[0].data.value, "") + enable_oidc = var.enable_grafana_oidc + storage_class_name = var.storage_class_name + groups = var.gitlab_admin_group_name + prom-mojaloop-url = "http://prometheus-operated:9090" + admin_secret_pw_key = "admin-pw" + admin_secret_user_key = "admin-user" + admin_secret = "grafana-admin-secret" + admin_user_name = "grafana-admin" + alertmanager_jira_secret_ref = "${var.cluster_name}/jira-prometheus-integration-secret-key" + monitoring_sync_wave = var.monitoring_sync_wave + monitoring_post_config_sync_wave = var.monitoring_post_config_sync_wave + ingress_class = var.grafana_ingress_internal_lb ? 
var.internal_ingress_class_name : var.external_ingress_class_name + istio_create_ingress_gateways = var.istio_create_ingress_gateways + loki_ingester_pvc_size = try(var.common_var_map.loki_ingester_pvc_size, local.loki_ingester_pvc_size) + prometheus_pvc_size = try(var.common_var_map.prometheus_pvc_size, local.prometheus_pvc_size) + loki_retention_enabled = try(var.common_var_map.loki_retention_enabled, local.loki_retention_enabled) + loki_ingester_retention_period = try(var.common_var_map.loki_ingester_retention_period, local.loki_ingester_retention_period) + prometheus_retention_period = try(var.common_var_map.prometheus_retention_period, local.prometheus_retention_period) + alertmanager_enabled = try(var.common_var_map.alertmanager_enabled, false) + minio_credentials_secret_name = "minio-credentials-secret" # TODO: update to minio_loki_credentials_secret_name + minio_api_url = var.minio_api_url + minio_loki_bucket = local.minio_loki_bucket + minio_loki_user_key = "${var.cluster_name}/minio_loki_username" + minio_loki_password_key = "${var.cluster_name}/minio_loki_password" + minio_tempo_credentials_secret_name = "minio-tempo-credentials-secret" + minio_tempo_user_key = "${var.cluster_name}/minio_tempo_username" + minio_tempo_password_key = "${var.cluster_name}/minio_tempo_password" + minio_tempo_bucket = local.minio_tempo_bucket + tempo_retention_period = try(var.common_var_map.tempo_retention_period, local.tempo_retention_period) + external_secret_sync_wave = var.external_secret_sync_wave + prom_tsdb_max_block_duration = try(var.common_var_map.prom_tsdb_max_block_duration, local.prom_tsdb_max_block_duration) + prom_tsdb_min_block_duration = try(var.common_var_map.prom_tsdb_min_block_duration, local.prom_tsdb_min_block_duration) + grafana_subdomain = local.grafana_subdomain + grafana_fqdn = local.grafana_fqdn + grafana_istio_gateway_namespace = local.grafana_istio_gateway_namespace + grafana_istio_wildcard_gateway_name = local.vault_istio_wildcard_gateway_name } 
file_list = [for f in fileset(local.monitoring_template_path, "**/*.tpl") : trimsuffix(f, ".tpl") if !can(regex(local.monitoring_app_file, f))] template_path = local.monitoring_template_path @@ -110,7 +115,7 @@ locals { loki_chart_version = "2.13.0" prometheus_operator_version = "8.22.8" prometheus_process_exporter_version = "0.4.2" - tempo_chart_version = "2.6.0" + tempo_chart_version = "3.1.0" grafana_version = "10.2.3" grafana_operator_version = "3.5.11" monitoring_template_path = "${path.module}/../generate-files/templates/monitoring" @@ -120,6 +125,7 @@ locals { loki_retention_enabled = true loki_ingester_retention_period = "72h" prometheus_retention_period = "10d" + tempo_retention_period = "72h" prom_tsdb_min_block_duration = "30m" prom_tsdb_max_block_duration = "30m" grafana_public_fqdn = "grafana.${var.public_subdomain}" diff --git a/terraform/gitops/k8s-cluster-config/variables.tf b/terraform/gitops/k8s-cluster-config/variables.tf index 2730b1888..a0667dc74 100644 --- a/terraform/gitops/k8s-cluster-config/variables.tf +++ b/terraform/gitops/k8s-cluster-config/variables.tf @@ -130,4 +130,5 @@ locals { longhorn_backups_credentials_secret_provider_key = "minio_longhorn_password" longhorn_backups_credentials_id_provider_key = "minio_longhorn_username" minio_loki_bucket = data.gitlab_project_variable.minio_loki_bucket.value + minio_tempo_bucket = data.gitlab_project_variable.minio_tempo_bucket.value } diff --git a/terraform/k8s/default-config/common-vars.yaml b/terraform/k8s/default-config/common-vars.yaml index 5645f723a..18e056074 100644 --- a/terraform/k8s/default-config/common-vars.yaml +++ b/terraform/k8s/default-config/common-vars.yaml 
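Review bot: `client_secret = try(data.vault_generic_secret.grafana_oauth_client_secret[0].data.value, "")` (only re-aligned in this hunk) hands the Grafana OAuth client secret to the file-generating module as an ordinary template variable, so it is rendered into the generated Grafana manifests; if those files are committed to the GitOps project (`gitlab_project_url` in the same map suggests they are), the secret lands in git in cleartext. The MinIO credentials in this very map already use the Vault-path plus ExternalSecret pattern (`minio_loki_user_key`, `minio_tempo_user_key` are paths, not values) and the OAuth secret should follow it. The `try(..., "")` additionally turns a failed Vault read into an empty client secret when OIDC is enabled; assuming the data source's `count` follows `var.enable_grafana_oidc`, `client_secret = var.enable_grafana_oidc ? data.vault_generic_secret.grafana_oauth_client_secret[0].data.value : ""` would fail the plan instead. The `module "generate_monitoring_files"` block continues past the end of this hunk.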
@@ -24,13 +24,14 @@ prometheus_operator_version: 8.22.8 prometheus_process_exporter_version: 0.4.2 grafana_operator_version: 3.5.11 grafana_version: 10.2.3 -tempo_chart_version: 2.6.0 +tempo_chart_version: 3.1.0 loki_chart_version: 2.13.0 loki_ingester_pvc_size: 10Gi prometheus_pvc_size: 50Gi loki_retention_enabled: true loki_ingester_retention_period: 72h prometheus_retention_period: 10d +tempo_retention_period: 72h istio_egress_gateway_max_replicas: 5 microk8s_version: 1.29/stable alertmanager_enabled: false From 232f46f592926ce6ddf214e886b0e874e4900d06 Mon Sep 17 00:00:00 2001 From: David Fry Date: Fri, 26 Apr 2024 19:20:19 +0200 Subject: [PATCH 132/201] typo on minio_loki_credentials_secret_name (#248) --- terraform/gitops/k8s-cluster-config/monitoring.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/gitops/k8s-cluster-config/monitoring.tf b/terraform/gitops/k8s-cluster-config/monitoring.tf index 9592af7a6..371892ae3 100644 --- a/terraform/gitops/k8s-cluster-config/monitoring.tf +++ b/terraform/gitops/k8s-cluster-config/monitoring.tf @@ -36,7 +36,7 @@ module "generate_monitoring_files" { loki_ingester_retention_period = try(var.common_var_map.loki_ingester_retention_period, local.loki_ingester_retention_period) prometheus_retention_period = try(var.common_var_map.prometheus_retention_period, local.prometheus_retention_period) alertmanager_enabled = try(var.common_var_map.alertmanager_enabled, false) - minio_credentials_secret_name = "minio-credentials-secret" # TODO: update to minio_loki_credentials_secret_name + minio_loki_credentials_secret_name = "minio-loki-credentials-secret" minio_api_url = var.minio_api_url minio_loki_bucket = local.minio_loki_bucket minio_loki_user_key = "${var.cluster_name}/minio_loki_username" From 54f22314038f91c5d508194354f3683944b030e0 Mon Sep 17 00:00:00 2001 
From: David Fry Date: Mon, 29 Apr 2024 13:29:42 +0200 Subject: [PATCH 133/201] rm consul inject (#249) --- .../gitops/generate-files/templates/consul/values.yaml.tpl | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/terraform/gitops/generate-files/templates/consul/values.yaml.tpl b/terraform/gitops/generate-files/templates/consul/values.yaml.tpl index 0857a8ede..540be2f3c 100644 --- a/terraform/gitops/generate-files/templates/consul/values.yaml.tpl +++ b/terraform/gitops/generate-files/templates/consul/values.yaml.tpl @@ -8,4 +8,6 @@ consul: enabled: true storage: ${storage_size} replicas: ${consul_replicas} - storageClass: ${storage_class_name} \ No newline at end of file + storageClass: ${storage_class_name} + connectInject: + enabled: false \ No newline at end of file From da009b595132851267d738cf68fa66ae52ff405d Mon Sep 17 00:00:00 2001 From: Muzammil Date: Tue, 30 Apr 2024 11:50:27 +0500 Subject: [PATCH 134/201] Increase resource limits for tempo (#250) --- .../templates/monitoring/install/values-tempo.yaml.tpl | 2 ++ 1 file changed, 2 insertions(+) diff --git a/terraform/gitops/generate-files/templates/monitoring/install/values-tempo.yaml.tpl b/terraform/gitops/generate-files/templates/monitoring/install/values-tempo.yaml.tpl index 2ee6eb906..69f4d278c 100644 --- a/terraform/gitops/generate-files/templates/monitoring/install/values-tempo.yaml.tpl +++ b/terraform/gitops/generate-files/templates/monitoring/install/values-tempo.yaml.tpl @@ -116,6 +116,7 @@ distributor: key: workload-class.mojaloop.io/MONITORING values: ["enabled"] ingester: + resourcesPreset: small extraEnvVarsSecret: ${minio_tempo_credentials_secret_name} nodeAffinityPreset: type: hard @@ -128,6 +129,7 @@ metricsGenerator: key: workload-class.mojaloop.io/MONITORING values: ["enabled"] querier: + resourcesPreset: small extraEnvVarsSecret: ${minio_tempo_credentials_secret_name} nodeAffinityPreset: type: hard From a44db1c5def48398fd1f60e32306271b76ee0a44 Mon Sep 17 00:00:00 2001 
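Review bot: `connectInject.enabled: false` switches off Consul's sidecar injection, and with it any Connect-level mTLS between services, but neither the hunk nor the one-line commit message says why; the rest of this page deploys Istio (`istio_create_ingress_gateways`, Istio gateways in monitoring.tf), so presumably Consul is only the KV/service registry here and a second sidecar per pod is unwanted, but that is inference. Record it on the line: `enabled: false  # Istio is the mesh; Consul is used as KV/registry only — avoid a second sidecar`. The file also still ends without a trailing newline.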
From: vijayg10 <33152110+vijayg10@users.noreply.github.com> Date: Thu, 2 May 2024 17:57:57 +0530 Subject: [PATCH 135/201] feat: exposed ttk test cases tag and added ttk test cases labels (#252) --- .../mojaloop/values-mojaloop.yaml.tpl | 65 +++++++++++++++++++ terraform/gitops/mojaloop/mojaloop.tf | 1 + .../k8s/default-config/mojaloop-vars.yaml | 1 + 3 files changed, 67 insertions(+) diff --git a/terraform/gitops/generate-files/templates/mojaloop/values-mojaloop.yaml.tpl b/terraform/gitops/generate-files/templates/mojaloop/values-mojaloop.yaml.tpl index aa8659887..8a191793f 100644 --- a/terraform/gitops/generate-files/templates/mojaloop/values-mojaloop.yaml.tpl +++ b/terraform/gitops/generate-files/templates/mojaloop/values-mojaloop.yaml.tpl 
@@ -105,6 +105,19 @@ CONFIG: cl_monitoring_prefix: &CL_MONITORING_PREFIX "${central_ledger_monitoring_prefix}" als_monitoring_prefix: &ALS_MONITORING_PREFIX "${account_lookup_service_monitoring_prefix}" + ## TESTS + testCasesZipUrl: &TEST_CASES_ZIP_URL https://github.com/mojaloop/testing-toolkit-test-cases/archive/v${ttk_testcases_tag}.zip + test_cases_path_setup: &TEST_CASES_PATH_SETUP testing-toolkit-test-cases-${ttk_testcases_tag}/collections/hub/provisioning + test_cases_path_gp: &TEST_CASES_PATH_GP testing-toolkit-test-cases-${ttk_testcases_tag}/collections/hub/golden_path + test_cases_path_bulk: &TEST_CASES_PATH_BULK testing-toolkit-test-cases-${ttk_testcases_tag}/collections/hub/other_tests/bulk_transfers + test_cases_path_tp_setup: &TEST_CASES_PATH_TP_SETUP testing-toolkit-test-cases-${ttk_testcases_tag}/collections/hub/provisioning_thirdparty + test_cases_path_tp_val: &TEST_CASES_PATH_TP_VAL testing-toolkit-test-cases-${ttk_testcases_tag}/collections/hub/thirdparty + test_cases_path_sdk_bulk_setup: &TEST_CASES_PATH_SDK_BULK_SETUP testing-toolkit-test-cases-${ttk_testcases_tag}/collections/hub/provisioning_sdkbulk + test_cases_path_sdk_bulk_val: &TEST_CASES_PATH_SDK_BULK_VAL testing-toolkit-test-cases-${ttk_testcases_tag}/collections/hub/sdk_scheme_adapter/bulk/basic + test_cases_path_sdk_r2p_val: &TEST_CASES_PATH_SDK_R2P_VAL testing-toolkit-test-cases-${ttk_testcases_tag}/collections/hub/sdk_scheme_adapter/request-to-pay/basic + test_cases_path_cleanup: &TEST_CASES_PATH_CLEANUP testing-toolkit-test-cases-${ttk_testcases_tag}/collections/hub/cleanup + + ingress_class: &INGRESS_CLASS "${ingress_class_name}" ## Endpiont Security 
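Review bot: `testCasesZipUrl` fetches `https://github.com/mojaloop/testing-toolkit-test-cases/archive/v${ttk_testcases_tag}.zip` at test time by git tag with no checksum or commit pin, and the suites it unpacks include hub provisioning and cleanup, so a moved tag or a compromised upstream repo would run attacker-chosen test cases with whatever access the TTK has to the hub. Pin to a commit SHA (`archive/<sha>.zip`) or verify a digest before the run, and at least mark the risk on `testCasesZipUrl`: `# fetched unverified at test time; git tags are mutable — pin to a commit SHA for production-like environments`. The `## Endpiont Security` heading in the trailing context carries a pre-existing typo.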
@@ -1016,6 +1029,40 @@ ml-testing-toolkit: host: ${ttk_backend_fqdn} adminApi: host: ${ttk_backend_fqdn} + config_files: + user_config.json: + LABELS: [ + { + "name": "p2p", + "description": "tests related to p2p transfer", + "color": "red" + }, + { + "name": "settlements", + "description": "tests related to settlements", + "color": "green" + }, + { + "name": "quotes", + "description": "tests related to quoting service", + "color": "blue" + }, + { + "name": "basic-func-tests", + "description": "for testing basic functionality", + "color": "orange" + }, + { + "name": "prod-tests", + "description": "tests related to production environment", + "color": "black" + }, + { + "name": "min-func-tests", + "description": "minimal functional tests", + "color": "yellow" + } + ] parameters: &simNames simNamePayerfsp: 'payerfsp' simNamePayeefsp: 'payeefsp' @@ -1114,6 +1161,8 @@ ml-ttk-test-setup: tests: enabled: true config: + testCasesZipUrl: *TEST_CASES_ZIP_URL + testCasesPathInZip: *TEST_CASES_PATH_SETUP testSuiteName: Provisioning environmentName: ${ingress_subdomain} saveReport: true @@ -1137,6 +1186,8 @@ ml-ttk-test-val-gp: tests: enabled: true config: + testCasesZipUrl: *TEST_CASES_ZIP_URL + testCasesPathInZip: *TEST_CASES_PATH_GP testSuiteName: GP Tests environmentName: ${ingress_subdomain} saveReport: true @@ -1159,6 +1210,8 @@ ml-ttk-test-val-bulk: tests: enabled: true config: + testCasesZipUrl: *TEST_CASES_ZIP_URL + testCasesPathInZip: *TEST_CASES_PATH_BULK testSuiteName: Bulk Tests environmentName: ${ingress_subdomain} saveReport: true @@ -1171,6 +1224,8 @@ ml-ttk-test-setup-tp: tests: enabled: true config: + testCasesZipUrl: *TEST_CASES_ZIP_URL + testCasesPathInZip: *TEST_CASES_PATH_TP_SETUP testSuiteName: Third Party Provisioning Tests environmentName: ${ingress_subdomain} saveReport: true 
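Review bot: The `LABELS` value under `user_config.json` is written as a multi-line JSON flow sequence inside YAML, which is valid but diffs poorly and mixes quoting styles with the rest of `values-mojaloop.yaml.tpl`; the same data as a block sequence (`- name: p2p` / `  description: tests related to p2p transfer` / `  color: red`) reads like the surrounding file. Whether the chart merges this map into its default `user_config.json` or replaces the file wholesale is not visible here; if it replaces, the other user-config keys would be dropped, so a one-line comment stating which applies would help the next editor.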
@@ -1183,6 +1238,8 @@ ml-ttk-test-val-tp: tests: enabled: true config: + testCasesZipUrl: *TEST_CASES_ZIP_URL + testCasesPathInZip: *TEST_CASES_PATH_TP_VAL testSuiteName: Third Party Validation Tests environmentName: ${ingress_subdomain} saveReport: true @@ -1195,6 +1252,8 @@ ml-ttk-test-setup-sdk-bulk: tests: enabled: true config: + testCasesZipUrl: *TEST_CASES_ZIP_URL + testCasesPathInZip: *TEST_CASES_PATH_SDK_BULK_SETUP testSuiteName: SDK Bulk Provisioning Tests environmentName: ${ingress_subdomain} saveReport: true @@ -1207,6 +1266,8 @@ ml-ttk-test-val-sdk-bulk: tests: enabled: true config: + testCasesZipUrl: *TEST_CASES_ZIP_URL + testCasesPathInZip: *TEST_CASES_PATH_SDK_BULK_VAL testSuiteName: SDK Bulk Validation Tests environmentName: ${ingress_subdomain} saveReport: true @@ -1219,6 +1280,8 @@ ml-ttk-test-val-sdk-r2p: tests: enabled: true config: + testCasesZipUrl: *TEST_CASES_ZIP_URL + testCasesPathInZip: *TEST_CASES_PATH_SDK_R2P_VAL testSuiteName: SDK Request To Pay Tests environmentName: ${ingress_subdomain} saveReport: true @@ -1231,6 +1294,8 @@ ml-ttk-test-cleanup: tests: enabled: true config: + testCasesZipUrl: *TEST_CASES_ZIP_URL + testCasesPathInZip: *TEST_CASES_PATH_CLEANUP testSuiteName: Post Cleanup environmentName: ${ingress_subdomain} saveReport: true diff --git a/terraform/gitops/mojaloop/mojaloop.tf b/terraform/gitops/mojaloop/mojaloop.tf index d34760296..4155579fa 100644 --- a/terraform/gitops/mojaloop/mojaloop.tf +++ b/terraform/gitops/mojaloop/mojaloop.tf @@ -11,6 +11,7 @@ module "generate_mojaloop_files" { mojaloop_sync_wave = var.mojaloop_sync_wave mojaloop_test_sync_wave = var.mojaloop_test_sync_wave internal_ttk_enabled = var.internal_ttk_enabled + ttk_testcases_tag = try(var.app_var_map.ttk_testcases_tag, var.mojaloop_chart_version) ttk_test_currency1 = var.ttk_test_currency1 ttk_test_currency2 = var.ttk_test_currency2 ttk_test_currency3 = var.ttk_test_currency3 
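Review bot: `ttk_testcases_tag = try(var.app_var_map.ttk_testcases_tag, var.mojaloop_chart_version)` silently falls back to the chart version, which only works while the test-cases repository tags track the Helm chart versions (the `mojaloop-vars.yaml` hunk below sets both to 16.0.0), and `try()` also hides a misspelt key in `app_var_map`. A comment on the line would save the next reader a lookup: `# defaults to the chart version: testing-toolkit-test-cases tags are kept in step with mojaloop chart releases — verify when bumping either`. The `module "generate_mojaloop_files"` block continues outside the hunk.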
diff --git a/terraform/k8s/default-config/mojaloop-vars.yaml b/terraform/k8s/default-config/mojaloop-vars.yaml index c9c41706f..75e064fed 100644 --- a/terraform/k8s/default-config/mojaloop-vars.yaml +++ b/terraform/k8s/default-config/mojaloop-vars.yaml @@ -2,6 +2,7 @@ bulk_enabled: false third_party_enabled: false mcm_chart_version: 0.7.7 mojaloop_chart_version: 16.0.0 +ttk_testcases_tag: 16.0.0 mcm_ingress_internal_lb: false mojaloop_ingress_internal_lb: true finance_portal_ingress_internal_lb: true From 9432e9a8c57a23acfef87182450b7fe72887949a Mon Sep 17 00:00:00 2001 From: Sijo George <87609749+sijo5722-2021@users.noreply.github.com> Date: Thu, 2 May 2024 20:32:04 +0530 Subject: [PATCH 136/201] Verify IAC deployment using eks (#255) * Moving to a compatible version * adding vpc cni specific version * Upgrading to new version * addnig vpc cni service account role * private zone change * ns record * Changes for public_int_domain * fixing zone * fixing zone * temprly setting the flag to true * removing ns record * try using defaults from self managed * rm configmap * cleanup and add ns record * fix typo on ns * fix output for eks module for int domain * add zone for int to post config * missed local var * add prefix delegation and sgs * just use primary * adding try for taints and labels * adding try for node pool ref * Fixing null nodepool * correcting the condition * use latest cni * revert * go back to latest cni addon --------- Co-authored-by: David Fry --- terraform/aws/base-infra/data.tf | 15 ++++++--- terraform/aws/base-infra/outputs.tf | 6 +++- terraform/aws/base-infra/route53.tf | 41 +++++++++++++++++-------- terraform/aws/base-infra/variables.tf | 1 + terraform/aws/base-k8s/infra.tf | 2 +- terraform/aws/base-k8s/outputs.tf | 2 +- terraform/aws/eks/infra.tf | 25 ++++++++++++++- terraform/aws/eks/outputs.tf | 2 +- terraform/aws/eks/variables.tf | 2 +- terraform/k8s/k8s-deploy/terragrunt.hcl | 3 +- 10 files changed, 75 insertions(+), 24 deletions(-) 
diff --git a/terraform/aws/base-infra/data.tf b/terraform/aws/base-infra/data.tf index cda6ec52d..1c1c6cd49 100644 --- a/terraform/aws/base-infra/data.tf +++ b/terraform/aws/base-infra/data.tf @@ -1,23 +1,28 @@ data "aws_route53_zone" "public" { count = (var.create_public_zone || !var.configure_route_53) ? 0 : 1 - name = "${local.cluster_domain}." + name = "${local.cluster_domain}." +} + +data "aws_route53_zone" "public_int" { + count = (var.create_public_zone || !var.configure_route_53) ? 0 : 1 + name = "${var.private_subdomain_string}.${local.cluster_domain}." } data "aws_route53_zone" "private" { count = (var.create_private_zone || !var.configure_route_53) ? 0 : 1 - name = "${local.cluster_domain}.internal." + name = "${local.cluster_domain}.internal." } data "aws_route53_zone" "cluster_parent" { count = (var.manage_parent_domain || !var.configure_route_53) ? 0 : 1 - name = "${local.cluster_parent_domain}." + name = "${local.cluster_parent_domain}." } data "aws_route53_zone" "cluster_parent_parent" { count = (var.manage_parent_domain && var.manage_parent_domain_ns && var.configure_route_53) ? 1 : 0 - name = "${local.cluster_parent_parent_domain}." + name = "${local.cluster_parent_parent_domain}." } data "aws_availability_zones" "available" { state = "available" -} \ No newline at end of file +} diff --git a/terraform/aws/base-infra/outputs.tf b/terraform/aws/base-infra/outputs.tf index 94cc97702..9ff8d4134 100644 --- a/terraform/aws/base-infra/outputs.tf +++ b/terraform/aws/base-infra/outputs.tf @@ -22,6 +22,10 @@ output "private_zone" { value = local.private_zone } +output "public_int_zone" { + value = local.public_int_zone +} + output "public_zone" { value = local.public_zone } @@ -62,4 +66,4 @@ output "key_pair_name" { output "haproxy_server_fqdn" { description = "haproxy server Hostname" value = var.create_haproxy_dns_record ? aws_route53_record.haproxy_server_private[0].fqdn : "" -} \ No newline at end of file +} 
diff --git a/terraform/aws/base-infra/route53.tf b/terraform/aws/base-infra/route53.tf index f7ad4abd5..efd469fe2 100644 --- a/terraform/aws/base-infra/route53.tf +++ b/terraform/aws/base-infra/route53.tf @@ -1,7 +1,8 @@ resource "aws_route53_zone" "private" { force_destroy = var.route53_zone_force_destroy - count = (var.configure_route_53 && var.create_private_zone) ? 1 : 0 - name = "${var.private_subdomain_string}.${local.cluster_domain}." + count = (var.configure_route_53 && var.create_private_zone) ? 1 : 0 + name = "${local.cluster_domain}.internal." + vpc { vpc_id = module.vpc.vpc_id } @@ -10,13 +11,20 @@ resource "aws_route53_zone" "private" { resource "aws_route53_zone" "public" { force_destroy = var.route53_zone_force_destroy - count = (var.configure_route_53 && var.create_public_zone) ? 1 : 0 - name = "${local.cluster_domain}." - tags = merge({ Name = "${local.cluster_domain}-public" }, local.common_tags) + count = (var.configure_route_53 && var.create_public_zone) ? 1 : 0 + name = "${local.cluster_domain}." + tags = merge({ Name = "${local.cluster_domain}-public" }, local.common_tags) +} + +resource "aws_route53_zone" "public_int" { + force_destroy = var.route53_zone_force_destroy + count = (var.configure_route_53 && var.create_public_zone) ? 1 : 0 + name = "${var.private_subdomain_string}.${local.cluster_domain}." + tags = merge({ Name = "${local.cluster_domain}-public-int" }, local.common_tags) } resource "aws_route53_record" "public_ns" { - count = (var.configure_route_53 && var.create_public_zone) ? 1 : 0 + count = (var.configure_route_53 && var.create_public_zone) ? 1 : 0 zone_id = local.cluster_parent_zone_id name = local.cluster_domain type = "NS" 
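Review bot: Changing `aws_route53_zone.private`'s `name` from `${var.private_subdomain_string}.${local.cluster_domain}.` to `${local.cluster_domain}.internal.` forces replacement of the hosted zone, and with `force_destroy = var.route53_zone_force_destroy` the old zone and every record in it are deleted on the next apply, so an existing cluster loses its internal DNS until records are re-created. If this is meant for fresh deployments only, say so; either way a note on `name` such as `# NOTE: renaming the zone replaces it — records in the old zone are destroyed` is warranted.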
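Review bot: `aws_route53_zone.public_int` has no `vpc` block, so `${var.private_subdomain_string}.${local.cluster_domain}.` becomes a public hosted zone, and `base-k8s/infra.tf` in this same patch feeds its id to `post_config` as `private_zone_id`; whatever post_config publishes for the "private" subdomain (records not visible here) then resolves from the internet, and if those are private-subnet addresses or internal LB names it leaks the internal topology. Either keep the zone VPC-associated (`vpc { vpc_id = module.vpc.vpc_id }`) or document on the resource that the internal names are deliberately public-resolvable (e.g. an internal LB reachable only over VPN). The `-public-int` tag at least makes the exposure visible in the console.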
@@ -24,15 +32,24 @@ resource "aws_route53_record" "public_ns" { records = aws_route53_zone.public[0].name_servers } +resource "aws_route53_record" "public_int_ns" { + count = (var.configure_route_53 && var.create_public_zone) ? 1 : 0 + zone_id = aws_route53_zone.public[0].zone_id + name = "${var.private_subdomain_string}.${local.cluster_domain}" + type = "NS" + ttl = "30" + records = aws_route53_zone.public_int[0].name_servers +} + resource "aws_route53_zone" "cluster_parent" { force_destroy = var.route53_zone_force_destroy - count = (var.configure_route_53 && var.manage_parent_domain) ? 1 : 0 - name = "${local.cluster_parent_domain}." - tags = merge({ Name = "${local.cluster_domain}-cluster-parent" }, local.common_tags) + count = (var.configure_route_53 && var.manage_parent_domain) ? 1 : 0 + name = "${local.cluster_parent_domain}." + tags = merge({ Name = "${local.cluster_domain}-cluster-parent" }, local.common_tags) } resource "aws_route53_record" "cluster_ns" { - count = (var.configure_route_53 && var.manage_parent_domain && var.manage_parent_domain_ns) ? 1 : 0 + count = (var.configure_route_53 && var.manage_parent_domain && var.manage_parent_domain_ns) ? 1 : 0 zone_id = data.aws_route53_zone.cluster_parent_parent[0].zone_id name = local.cluster_parent_domain type = "NS" @@ -41,10 +58,10 @@ resource "aws_route53_record" "cluster_ns" { } resource "aws_route53_record" "haproxy_server_private" { - count = (var.configure_route_53 && var.create_haproxy_dns_record) ? 1 : 0 + count = (var.configure_route_53 && var.create_haproxy_dns_record) ? 1 : 0 zone_id = local.public_zone.id name = "haproxy" type = "A" ttl = "300" records = [aws_instance.bastion.private_ip] -} \ No newline at end of file +} diff --git a/terraform/aws/base-infra/variables.tf b/terraform/aws/base-infra/variables.tf index 0bee6ada0..5a6532911 100644 --- a/terraform/aws/base-infra/variables.tf +++ b/terraform/aws/base-infra/variables.tf 
@@ -113,6 +113,7 @@ locals { azs = slice(data.aws_availability_zones.available.names, 0, var.az_count) public_zone = var.configure_route_53 ? (var.create_public_zone ? aws_route53_zone.public[0] : data.aws_route53_zone.public[0]) : null private_zone = var.configure_route_53 ? (var.create_private_zone ? aws_route53_zone.private[0] : data.aws_route53_zone.private[0]) : null + public_int_zone = var.configure_route_53 ? (var.create_public_zone ? aws_route53_zone.public_int[0] : data.aws_route53_zone.public_int[0]) : null cluster_parent_zone_id = var.configure_route_53 ? (var.manage_parent_domain ? aws_route53_zone.cluster_parent[0].zone_id : data.aws_route53_zone.cluster_parent[0].zone_id) : null cluster_parent_parent_zone_id = var.configure_route_53 ? ((var.manage_parent_domain && var.manage_parent_domain_ns) ? data.aws_route53_zone.cluster_parent_parent[0].zone_id : null) : null ssh_keys = [] diff --git a/terraform/aws/base-k8s/infra.tf b/terraform/aws/base-k8s/infra.tf index ff375eb95..99112894a 100644 --- a/terraform/aws/base-k8s/infra.tf +++ b/terraform/aws/base-k8s/infra.tf @@ -25,7 +25,7 @@ module "post_config" { name = var.cluster_name domain = var.domain tags = var.tags - private_zone_id = module.base_infra.private_zone.id + private_zone_id = module.base_infra.public_int_zone.id public_zone_id = module.base_infra.public_zone.id } diff --git a/terraform/aws/base-k8s/outputs.tf b/terraform/aws/base-k8s/outputs.tf index 8989f1559..7c2fd3b18 100644 --- a/terraform/aws/base-k8s/outputs.tf +++ b/terraform/aws/base-k8s/outputs.tf @@ -12,7 +12,7 @@ output "external_load_balancer_dns" { } output "private_subdomain" { - value = module.base_infra.private_zone.name + value = module.base_infra.public_int_zone.name } output "public_subdomain" { diff --git a/terraform/aws/eks/infra.tf b/terraform/aws/eks/infra.tf index d5a98371d..356c74130 100644 --- a/terraform/aws/eks/infra.tf +++ b/terraform/aws/eks/infra.tf 
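Review bot: `private_zone_id = module.base_infra.public_int_zone.id` passes a public hosted zone into an input still named `private_zone_id`, and the `private_subdomain` output in the next hunk does the same, so readers of `post_config` will assume VPC-private records where they are in fact internet-resolvable. Rename the input/output (`internal_zone_id`, `internal_subdomain`) or add at the call site: `# "private" subdomain is now a public zone (public_int) — records published here are internet-resolvable`. As far as this patch shows, the VPC-private `aws_route53_zone.private` (`*.internal.`) is no longer consumed by base-k8s or eks.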
@@ -46,7 +46,9 @@ module "k6s_test_harness" { } module "eks" { - source = "terraform-aws-modules/eks/aws" + source = "terraform-aws-modules/eks/aws" + version = "~> 19.21" + enable_irsa = true cluster_name = local.eks_name cluster_version = var.kubernetes_version @@ -62,6 +64,9 @@ module "eks" { # See README for further details before_compute = true most_recent = true # To ensure access to the latest settings provided + #addon_version = "v1.18.0-eksbuild.1" #https://docs.aws.amazon.com/eks/latest/userguide/managing-vpc-cni.html#vpc-add-on-self-managed-update + resolve_conflicts = "OVERWRITE" + service_account_role_arn = module.vpc_cni_irsa.iam_role_arn configuration_values = jsonencode({ env = { # Reference docs https://docs.aws.amazon.com/eks/latest/userguide/cni-increase-ip-addresses.html @@ -135,6 +140,7 @@ locals { launch_template_use_name_prefix = false iam_role_name = "${local.eks_name}-${node_pool_key}" iam_role_use_name_prefix = false + iam_role_attach_cni_policy = true bootstrap_extra_args = "--use-max-pods false --kubelet-extra-args '--max-pods=110 --node-labels=${join(",", local.node_labels[node_pool_key].extra_args)} --register-with-taints=${join(",", local.node_taints[node_pool_key].extra_args)}'" post_bootstrap_user_data = <<-EOT yum install iscsi-initiator-utils -y && sudo systemctl enable iscsid && sudo systemctl start iscsid @@ -172,6 +178,23 @@ locals { } } +module "vpc_cni_irsa" { + source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks" + version = "~> 5.39" + role_name = "AmazonEKSVPCCNIRole" + attach_vpc_cni_policy = true + vpc_cni_enable_ipv4 = true + + oidc_providers = { + main = { + provider_arn = module.eks.oidc_provider_arn + namespace_service_accounts = ["kube-system:aws-node"] + } + } + + tags = var.tags +} + data "aws_ami" "eks_default" { most_recent = true owners = ["amazon"] diff --git a/terraform/aws/eks/outputs.tf b/terraform/aws/eks/outputs.tf index 5506ee66e..e56c94d5e 100644 
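Review bot: `iam_role_attach_cni_policy = true` attaches the VPC CNI policy to every node-pool IAM role even though the same patch moves the CNI addon onto an IRSA role (`service_account_role_arn = module.vpc_cni_irsa.iam_role_arn`); the point of IRSA for `aws-node` is to take that policy off the node role so other pods cannot obtain it through the instance metadata service, so the two settings work against each other. With IRSA in place this should read `iam_role_attach_cni_policy = false`, or carry a comment if it is kept as a bootstrap fallback. Commit 140 below mentions "reverting irsa", so check which of the two is the intended end state. The node-pool `locals` block continues outside this hunk.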
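Review bot: `role_name = "AmazonEKSVPCCNIRole"` in `module "vpc_cni_irsa"` is a fixed, account-global IAM role name, so a second cluster built from this module in the same AWS account fails on role creation, and nothing ties the role to the cluster it trusts except its policy body; derive it from the cluster instead, `role_name = "${local.eks_name}-vpc-cni-irsa"`, and consider `role_name_prefix` if re-creation churn is expected. `data "aws_ami" "eks_default"` in the trailing context is cut off by the hunk edge.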
--- a/terraform/aws/eks/outputs.tf +++ b/terraform/aws/eks/outputs.tf @@ -12,7 +12,7 @@ output "external_load_balancer_dns" { } output "private_subdomain" { - value = module.base_infra.private_zone.name + value = module.base_infra.public_int_zone.name } output "public_subdomain" { diff --git a/terraform/aws/eks/variables.tf b/terraform/aws/eks/variables.tf index 83dd8cd8a..6572ad9f7 100644 --- a/terraform/aws/eks/variables.tf +++ b/terraform/aws/eks/variables.tf @@ -15,7 +15,7 @@ variable "domain" { variable "kubernetes_version" { description = "version of k8s" type = string - default = "1.27" + default = "1.29" } variable "ext_interop_switch_subdomain" { description = "subdomain for interop ext" diff --git a/terraform/k8s/k8s-deploy/terragrunt.hcl b/terraform/k8s/k8s-deploy/terragrunt.hcl index 33dcd9a2a..c69395f26 100644 --- a/terraform/k8s/k8s-deploy/terragrunt.hcl +++ b/terraform/k8s/k8s-deploy/terragrunt.hcl @@ -14,7 +14,7 @@ inputs = { domain = local.CLUSTER_DOMAIN dns_zone_force_destroy = local.env_vars.dns_zone_force_destroy longhorn_backup_object_store_destroy = local.env_vars.longhorn_backup_object_store_destroy - node_pools = local.env_vars.nodes + node_pools = local.enabled_node_pools enable_k6s_test_harness = local.env_vars.enable_k6s_test_harness k6s_docker_server_instance_type = local.env_vars.k6s_docker_server_instance_type vpc_cidr = local.env_vars.vpc_cidr @@ -32,6 +32,7 @@ locals { cloud_platform_vars = yamldecode( file("${find_in_parent_folders("${get_env("CONFIG_PATH")}/${get_env("cloud_platform")}-vars.yaml")}") ) + enabled_node_pools = [for node in local.env_vars.nodes : node if node != null] total_agent_count = try(sum([for node in local.env_vars.nodes : node.node_count if !node.master]), 0) total_master_count = try(sum([for node in local.env_vars.nodes : node.node_count if node.master]), 0) tags = local.env_vars.tags From 9563f1310e8b246b7799a602a462e037bc6c27f9 Mon Sep 17 00:00:00 2001 
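Review bot: `enabled_node_pools` filters `null` entries out of `node_pools`, but `total_agent_count` and `total_master_count` two lines below still iterate `local.env_vars.nodes`; a `null` entry makes `node.node_count` error and the surrounding `try(..., 0)` then silently reports 0 for the whole cluster instead of the real count. Sum over the filtered list in both: `total_agent_count = try(sum([for node in local.enabled_node_pools : node.node_count if !node.master]), 0)` and likewise for `total_master_count`. The `locals` block continues outside the hunk.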
From: Muzammil Date: Fri, 3 May 2024 17:14:00 +0500 Subject: [PATCH 137/201] increase resouce limit for tempo services (#259) --- .../templates/monitoring/install/values-tempo.yaml.tpl | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/terraform/gitops/generate-files/templates/monitoring/install/values-tempo.yaml.tpl b/terraform/gitops/generate-files/templates/monitoring/install/values-tempo.yaml.tpl index 69f4d278c..3b245bcb5 100644 --- a/terraform/gitops/generate-files/templates/monitoring/install/values-tempo.yaml.tpl +++ b/terraform/gitops/generate-files/templates/monitoring/install/values-tempo.yaml.tpl @@ -104,6 +104,7 @@ tempo: compactor: + resourcesPreset: large extraEnvVarsSecret: ${minio_tempo_credentials_secret_name} nodeAffinityPreset: type: hard @@ -116,7 +117,7 @@ distributor: key: workload-class.mojaloop.io/MONITORING values: ["enabled"] ingester: - resourcesPreset: small + resourcesPreset: large extraEnvVarsSecret: ${minio_tempo_credentials_secret_name} nodeAffinityPreset: type: hard From b049f2dcbf6ce88bf7405cc469eb0f0a60ab6e6c Mon Sep 17 00:00:00 2001 From: Muzammil Date: Fri, 3 May 2024 18:15:10 +0500 Subject: [PATCH 138/201] IPROD-668: Update command and args of loki memcached (#254) * update command and args of loki memcached * add comments --- .../monitoring/install/values-loki.yaml.tpl | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/terraform/gitops/generate-files/templates/monitoring/install/values-loki.yaml.tpl b/terraform/gitops/generate-files/templates/monitoring/install/values-loki.yaml.tpl index 61bd57fef..694baefc8 100644 --- a/terraform/gitops/generate-files/templates/monitoring/install/values-loki.yaml.tpl +++ b/terraform/gitops/generate-files/templates/monitoring/install/values-loki.yaml.tpl 
@@ -70,6 +70,18 @@ queryFrontend: values: ["enabled"] memcachedchunks: + resourcesPreset: medium # https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl + command: + - "/opt/bitnami/scripts/memcached/entrypoint.sh" + - "/opt/bitnami/scripts/memcached/run.sh" + args: + # medium profile memory-limit: 1536Mi. Setting value slightly below that. + # See https://github.com/memcached/memcached/wiki/ConfiguringServer#commandline-arguments + # We only updated memory-limit and max-item-size + # We did not add extended params related to external store because as of now, we keep all our cache in memory. + # We did not change "aggressive" configs for memcache client in loki since memcache is completely RAM backed as of now. + - "--memory-limit=1400" # max memory limit for all cached items in mega bytes + - "--max-item-size=2m" # max memory limit for a single item nodeAffinityPreset: type: hard key: workload-class.mojaloop.io/MONITORING From d2568e40aaa2cb95cdc3b3c9bb41a9dfa8800435 Mon Sep 17 00:00:00 2001 From: Muzammil Date: Fri, 3 May 2024 18:30:35 +0500 Subject: [PATCH 139/201] enable metrics for memcachedChunks (#260) * enable metrics for memcachedChunks * added memcached exporter dashboard * update command and args of loki memcached * add comments * enable service monitor for memcache exporter --- .../monitoring/install/values-loki.yaml.tpl | 4 ++++ .../post-config/dashboards/default.yaml.tpl | 20 ++++++++++++++++++- 2 files changed, 23 insertions(+), 1 deletion(-) diff --git a/terraform/gitops/generate-files/templates/monitoring/install/values-loki.yaml.tpl b/terraform/gitops/generate-files/templates/monitoring/install/values-loki.yaml.tpl index 694baefc8..37745ad97 100644 --- a/terraform/gitops/generate-files/templates/monitoring/install/values-loki.yaml.tpl +++ b/terraform/gitops/generate-files/templates/monitoring/install/values-loki.yaml.tpl 
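Review bot: `--memory-limit=1400` leaves only about 136Mi of the medium preset's 1536Mi container limit for everything memcached allocates outside the item cache (hash table, connection buffers, slab overhead), so the pod can still be OOM-killed under load; the comment calls this "slightly below" but does not justify the margin, and a lower value or a wider gap should be stated with its reasoning. Overriding `command` with `/opt/bitnami/scripts/memcached/entrypoint.sh` and `run.sh` also most likely replaces whatever default `args` the chart would have passed and ties the values to the image's script layout, so a comment naming the chart version these paths were taken from (next to the existing `_resources.tpl` link) would make the upgrade risk visible.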
@@ -70,6 +70,10 @@ queryFrontend: values: ["enabled"] memcachedchunks: + metrics: + enabled: true + serviceMonitor: + enabled: true resourcesPreset: medium # https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl command: - "/opt/bitnami/scripts/memcached/entrypoint.sh" diff --git a/terraform/gitops/generate-files/templates/monitoring/post-config/dashboards/default.yaml.tpl b/terraform/gitops/generate-files/templates/monitoring/post-config/dashboards/default.yaml.tpl index e77a03ed2..55a9ff1c2 100644 --- a/terraform/gitops/generate-files/templates/monitoring/post-config/dashboards/default.yaml.tpl +++ b/terraform/gitops/generate-files/templates/monitoring/post-config/dashboards/default.yaml.tpl @@ -12,4 +12,22 @@ spec: dashboards: "grafana" grafanaCom: id: 249 - revision: 2 \ No newline at end of file + revision: 2 + +--- + +apiVersion: grafana.integreatly.org/v1beta1 +kind: GrafanaDashboard +metadata: + name: memcached-exporter +spec: + folder: default + datasources: + - inputName: "DS_PROMETHEUS" + datasourceName: "Prometheus" + instanceSelector: + matchLabels: + dashboards: "grafana" + grafanaCom: + id: 11527 + revision: 1 \ No newline at end of file From 35a6487d17d4b8aef0830081d9d75fb99ed1c07e Mon Sep 17 00:00:00 2001 From: Sijo George <87609749+sijo5722-2021@users.noreply.github.com> Date: Fri, 3 May 2024 19:39:09 +0530 Subject: [PATCH 140/201] Fix/node pool map (#261) * node pool map change * fix post config domain and asg/sgs * reverting irsa * setting longhorn_backup_job_enabled: false --------- Co-authored-by: David Fry --- terraform/aws/eks/infra.tf | 35 ++++++------------- terraform/k8s/default-config/common-vars.yaml | 2 +- terraform/k8s/k8s-deploy/terragrunt.hcl | 2 +- 3 files changed, 13 insertions(+), 26 deletions(-) diff --git a/terraform/aws/eks/infra.tf b/terraform/aws/eks/infra.tf index 356c74130..539c8538e 100644 --- a/terraform/aws/eks/infra.tf +++ b/terraform/aws/eks/infra.tf 
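Review bot: The new `memcached-exporter` dashboard document still ends without a trailing newline (the `\ No newline at end of file` marker survives on the new side), which is why this commit had to rewrite the unchanged `revision: 2` line and why the next addition will do the same; end the file with a newline. Pinning grafana.com dashboard `11527` to `revision: 1` is the right call, but it is still fetched from a third party at reconcile time rather than vendored, so a comment on the `grafanaCom` block such as `# revision pinned on purpose; bump deliberately after reviewing the upstream JSON` keeps that dependency explicit.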
@@ -25,7 +25,7 @@ module "post_config" { name = var.cluster_name domain = var.domain tags = var.tags - private_zone_id = module.base_infra.private_zone.id + private_zone_id = module.base_infra.public_int_zone.id public_zone_id = module.base_infra.public_zone.id } @@ -64,9 +64,6 @@ module "eks" { # See README for further details before_compute = true most_recent = true # To ensure access to the latest settings provided - #addon_version = "v1.18.0-eksbuild.1" #https://docs.aws.amazon.com/eks/latest/userguide/managing-vpc-cni.html#vpc-add-on-self-managed-update - resolve_conflicts = "OVERWRITE" - service_account_role_arn = module.vpc_cni_irsa.iam_role_arn configuration_values = jsonencode({ env = { # Reference docs https://docs.aws.amazon.com/eks/latest/userguide/cni-increase-ip-addresses.html @@ -90,6 +87,10 @@ module "eks" { # Self Managed Node Group(s) self_managed_node_group_defaults = { update_launch_template_default_version = true + autoscaling_group_tags = { + "k8s.io/cluster-autoscaler/enabled" : true, + "k8s.io/cluster-autoscaler/${local.eks_name}" : "owned", + } } self_managed_node_groups = local.self_managed_node_groups tags = var.tags 
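Review bot: Dropping `service_account_role_arn = module.vpc_cni_irsa.iam_role_arn` from the vpc-cni addon (with `module "vpc_cni_irsa"` removed in a later hunk of this file) means the `aws-node` daemonset now obtains its EC2 networking permissions from the node instance role instead of a dedicated IRSA role; that role is reachable by any pod on the node through the instance metadata service unless IMDS access is restricted, so the CNI's permissions become available to every workload. The commit description only says "reverting irsa", so a comment such as `# CNI runs on the node role (IRSA reverted, see #261); restore IRSA or enforce IMDSv2 with hop limit 1 on nodes` would record the trade-off and the compensating control. The `iam_role_attach_cni_policy = true` removal in the `locals` hunk should also be checked against the module's default so the node role does not silently lose the CNI policy it now needs.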
@@ -140,12 +141,14 @@ locals { launch_template_use_name_prefix = false iam_role_name = "${local.eks_name}-${node_pool_key}" iam_role_use_name_prefix = false - iam_role_attach_cni_policy = true - bootstrap_extra_args = "--use-max-pods false --kubelet-extra-args '--max-pods=110 --node-labels=${join(",", local.node_labels[node_pool_key].extra_args)} --register-with-taints=${join(",", local.node_taints[node_pool_key].extra_args)}'" - post_bootstrap_user_data = <<-EOT + vpc_security_group_ids = [ + module.eks.cluster_primary_security_group_id + ] + bootstrap_extra_args = "--use-max-pods false --kubelet-extra-args '--max-pods=110 --node-labels=${join(",", local.node_labels[node_pool_key].extra_args)} --register-with-taints=${join(",", local.node_taints[node_pool_key].extra_args)}'" + post_bootstrap_user_data = <<-EOT yum install iscsi-initiator-utils -y && sudo systemctl enable iscsid && sudo systemctl start iscsid EOT - ebs_optimized = true + ebs_optimized = true block_device_mappings = { xvda = { device_name = "/dev/xvda" @@ -178,22 +181,6 @@ locals { } } -module "vpc_cni_irsa" { - source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks" - version = "~> 5.39" - role_name = "AmazonEKSVPCCNIRole" - attach_vpc_cni_policy = true - vpc_cni_enable_ipv4 = true - - oidc_providers = { - main = { - provider_arn = module.eks.oidc_provider_arn - namespace_service_accounts = ["kube-system:aws-node"] - } - } - - tags = var.tags -} data "aws_ami" "eks_default" { most_recent = true diff --git a/terraform/k8s/default-config/common-vars.yaml b/terraform/k8s/default-config/common-vars.yaml index 18e056074..06591f743 100644 --- a/terraform/k8s/default-config/common-vars.yaml +++ b/terraform/k8s/default-config/common-vars.yaml @@ -36,4 +36,4 @@ istio_egress_gateway_max_replicas: 5 microk8s_version: 1.29/stable alertmanager_enabled: false istio_proxy_log_level: warn -longhorn_backup_job_enabled: true +longhorn_backup_job_enabled: false 
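Review bot: `longhorn_backup_job_enabled: false` switches volume backups off in the shared default config, so every environment that does not override the key silently loses its backup job; the commit description lists the setting but gives no reason. If this is a workaround for a failing job, a comment next to the key such as `# temporarily disabled: <reason>; re-enable once backups are verified` plus a tracking item would stop it from becoming the permanent default. Backups are the recovery path for data loss and destructive incidents, so the default in a common vars file should be the safe one.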
diff --git a/terraform/k8s/k8s-deploy/terragrunt.hcl b/terraform/k8s/k8s-deploy/terragrunt.hcl index c69395f26..66f1f09c1 100644 --- a/terraform/k8s/k8s-deploy/terragrunt.hcl +++ b/terraform/k8s/k8s-deploy/terragrunt.hcl @@ -32,7 +32,7 @@ locals { cloud_platform_vars = yamldecode( file("${find_in_parent_folders("${get_env("CONFIG_PATH")}/${get_env("cloud_platform")}-vars.yaml")}") ) - enabled_node_pools = [for node in local.env_vars.nodes : node if node != null] + enabled_node_pools = {for node_key, node in local.env_vars.nodes : node_key => node if node != null} total_agent_count = try(sum([for node in local.env_vars.nodes : node.node_count if !node.master]), 0) total_master_count = try(sum([for node in local.env_vars.nodes : node.node_count if node.master]), 0) tags = local.env_vars.tags From a5c599d1f06b77522428333094bf5f22a3052743 Mon Sep 17 00:00:00 2001 From: Muzammil Date: Tue, 7 May 2024 13:06:49 +0500 Subject: [PATCH 141/201] expose minio-loki-credentails to queryfrontend and distributor (#263) --- .../templates/monitoring/install/values-loki.yaml.tpl | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/terraform/gitops/generate-files/templates/monitoring/install/values-loki.yaml.tpl b/terraform/gitops/generate-files/templates/monitoring/install/values-loki.yaml.tpl index 37745ad97..5e9176912 100644 --- a/terraform/gitops/generate-files/templates/monitoring/install/values-loki.yaml.tpl +++ b/terraform/gitops/generate-files/templates/monitoring/install/values-loki.yaml.tpl @@ -47,6 +47,8 @@ compactor: key: workload-class.mojaloop.io/MONITORING values: ["enabled"] distributor: + extraArgs: ["-config.expand-env"] + extraEnvVarsSecret: ${minio_loki_credentials_secret_name} nodeAffinityPreset: type: hard key: workload-class.mojaloop.io/MONITORING 
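Review bot: `enabled_node_pools` now filters out null pools, but `total_agent_count` and `total_master_count` on the next two lines still iterate `local.env_vars.nodes`, so a null entry makes `node.master` fail and the surrounding `try(...)` collapses the whole count to 0 instead of counting the remaining pools. Iterate the filtered map there as well, `total_agent_count = try(sum([for node in local.enabled_node_pools : node.node_count if !node.master]), 0)` and likewise for masters, so the counts agree with what is passed as `node_pools`. The `locals` block continues outside the hunk.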
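Review bot: `extraEnvVarsSecret: ${minio_loki_credentials_secret_name}` now places the object-store credentials in the distributor, and the following `queryFrontend` hunk and the later `queryScheduler` hunk do the same; these components do not normally access object storage directly, so if the secret is only needed so that `-config.expand-env` can resolve `${...}` placeholders in the shared config, that should be stated, because a reader will otherwise assume these pods talk to MinIO. Every pod that carries the credentials is one more place they can be read from (exec, environment dump, crash output), so the set of holders should stay as small as the config allows. A one-line comment such as `# credentials needed only so -config.expand-env can render the shared storage config` would make the intent reviewable.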
@@ -64,6 +66,8 @@ querier: key: workload-class.mojaloop.io/MONITORING values: ["enabled"] queryFrontend: + extraArgs: ["-config.expand-env"] + extraEnvVarsSecret: ${minio_loki_credentials_secret_name} nodeAffinityPreset: type: hard key: workload-class.mojaloop.io/MONITORING From b8c5a3e1a964f885feeeccfc597f1833810df05f Mon Sep 17 00:00:00 2001 From: Sijo George Date: Wed, 8 May 2024 18:56:18 +0530 Subject: [PATCH 142/201] Upgrading netmaker version --- terraform/control-center/init/environment.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/control-center/init/environment.yaml b/terraform/control-center/init/environment.yaml index 7169a321c..25ff5bc95 100644 --- a/terraform/control-center/init/environment.yaml +++ b/terraform/control-center/init/environment.yaml @@ -10,7 +10,7 @@ smtp_server_enable: false gitlab_version: 16.0.5 gitlab_runner_version: 16.0.2 iac_group_name: iac_admin -netmaker_version: 0.18.7 +netmaker_version: 0.24.0 letsencrypt_email: test@mojalabs.io delete_storage_on_term: true docker_server_extra_vol_size: 100 From e2225672b489af6bf5ce4fce985498aacef61dd4 Mon Sep 17 00:00:00 2001 From: Muzammil Date: Thu, 9 May 2024 11:23:56 +0500 Subject: [PATCH 143/201] All mojaloop grafana dashboards use same git tag (#262) --- .../gitops/generate-files/templates/mojaloop/grafana.yaml.tpl | 4 ++-- terraform/k8s/default-config/mojaloop-vars.yaml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/terraform/gitops/generate-files/templates/mojaloop/grafana.yaml.tpl b/terraform/gitops/generate-files/templates/mojaloop/grafana.yaml.tpl index 6670ad313..34ac16dc4 100644 --- a/terraform/gitops/generate-files/templates/mojaloop/grafana.yaml.tpl +++ b/terraform/gitops/generate-files/templates/mojaloop/grafana.yaml.tpl 
@@ -111,7 +111,7 @@ spec: datasources: - inputName: "DS_PROMETHEUS" datasourceName: "Prometheus" - url: "https://raw.githubusercontent.com/mojaloop/ml-core-test-harness/v1.2.4-snapshot.0/docker/grafana/provisioning/dashboards/mojaloop/dashboard-quoting-service.json" + url: "https://raw.githubusercontent.com/mojaloop/helm/v${grafana_dashboard_tag}/monitoring/dashboards/mojaloop/dashboard-quoting-service.json" --- apiVersion: grafana.integreatly.org/v1beta1 kind: GrafanaDashboard @@ -126,5 +126,5 @@ spec: datasources: - inputName: "DS_PROMETHEUS" datasourceName: "Prometheus" - url: "https://raw.githubusercontent.com/mojaloop/helm/v16.1.0-snapshot.7/monitoring/dashboards/mojaloop/dashboard-performance-troubleshooting.json" + url: "https://raw.githubusercontent.com/mojaloop/helm/v${grafana_dashboard_tag}/monitoring/dashboards/mojaloop/dashboard-performance-troubleshooting.json" --- diff --git a/terraform/k8s/default-config/mojaloop-vars.yaml b/terraform/k8s/default-config/mojaloop-vars.yaml index 75e064fed..f91275a81 100644 --- a/terraform/k8s/default-config/mojaloop-vars.yaml +++ b/terraform/k8s/default-config/mojaloop-vars.yaml @@ -7,7 +7,7 @@ mcm_ingress_internal_lb: false mojaloop_ingress_internal_lb: true finance_portal_ingress_internal_lb: true onboarding_collection_tag: 15.2.0 -grafana_dashboard_tag: 15.2.0 +grafana_dashboard_tag: 16.1.1-snapshot.2 # TODO: update once v16.1.x is published enable_istio_injection: true central_ledger_handler_transfer_position_batch_processing_enabled: false central_ledger_handler_transfer_position_batch_size: 100 From d2dfe345ca83bf7aa7d851de5e9509ce227622cd Mon Sep 17 00:00:00 2001 From: Sijo George Date: Thu, 9 May 2024 12:10:07 +0530 Subject: [PATCH 144/201] Correcting the instance class for mysql rds --- terraform/k8s/default-config/mojaloop-stateful-resources.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
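Review bot: Both dashboard `url` values now resolve through `v${grafana_dashboard_tag}` in the mojaloop/helm repository, which unifies the source but pins to a git tag rather than a commit; tags can be moved, so the JSON a cluster loads is not guaranteed to be the content that was reviewed. If dashboard JSON is treated as trusted input, pin to a commit SHA or vendor the files; otherwise a comment on the `url` stating that tag-level pinning is accepted keeps the choice explicit. The `grafana_dashboard_tag: 16.1.1-snapshot.2` default in the mojaloop-vars hunk already carries a `# TODO`, and its snapshot name suggests environments meant for production should override it until the release tag exists.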
diff --git a/terraform/k8s/default-config/mojaloop-stateful-resources.json b/terraform/k8s/default-config/mojaloop-stateful-resources.json index 3b06ffeeb..1084250b8 100644 --- a/terraform/k8s/default-config/mojaloop-stateful-resources.json +++ b/terraform/k8s/default-config/mojaloop-stateful-resources.json @@ -338,7 +338,7 @@ "engine": "mysql", "engine_version": "5.7", "family": "mysql5.7", - "instance_class": "db.t2.micro", + "instance_class": "db.m5.large", "maintenance_window": "Sun:04:00-Sun:06:00", "major_engine_version": "5.7", "monitoring_interval": "30", @@ -475,7 +475,7 @@ "engine": "mysql", "engine_version": "5.7", "family": "mysql5.7", - "instance_class": "db.t2.micro", + "instance_class": "db.m5.large", "maintenance_window": "Sun:04:00-Sun:06:00", "major_engine_version": "5.7", "monitoring_interval": "30", From e33291d24bc91c7aed1f87f648df4585ba8e6878 Mon Sep 17 00:00:00 2001 From: Sijo George Date: Thu, 9 May 2024 12:41:08 +0530 Subject: [PATCH 145/201] Bringing managed services changes --- terraform/aws/support-svcs/deploy-managed-svcs/deploy.tf | 2 +- terraform/aws/support-svcs/deploy-managed-svcs/outputs.tf | 2 +- terraform/aws/support-svcs/deploy-msk/outputs.tf | 7 +++---- .../k8s-cluster-config/common-stateful-resources-config.tf | 3 ++- terraform/gitops/mojaloop/stateful-resources-config.tf | 3 ++- .../gitops/stateful-resources/stateful-resources-config.tf | 3 +-- 6 files changed, 10 insertions(+), 10 deletions(-) diff --git a/terraform/aws/support-svcs/deploy-managed-svcs/deploy.tf b/terraform/aws/support-svcs/deploy-managed-svcs/deploy.tf index df5396d76..49ee788f4 100644 --- a/terraform/aws/support-svcs/deploy-managed-svcs/deploy.tf +++ b/terraform/aws/support-svcs/deploy-managed-svcs/deploy.tf 
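Review bot: Raising `instance_class` to `db.m5.large` in both RDS entries is a sizing change only; the surrounding `"engine_version": "5.7"` / `"family": "mysql5.7"` context means these instances keep running a MySQL major version that, as far as I know, is past community end-of-life, and the commit does not touch it. If the engine upgrade is out of scope here, a note in the accompanying documentation (JSON has no comment syntax) stating that 5.7 is intentionally retained and tracked would keep the exposure visible rather than implicit in a default config.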
@@ -14,7 +14,7 @@ module "deploy_msk" { deployment_name = var.deployment_name tags = var.tags msk_services = local.msk_services - security_group_id = aws_security_group.managed_svcs[0].id + security_group_id = aws_security_group.managed_svcs.*.id private_subnets = module.base_infra[0].private_subnets } diff --git a/terraform/aws/support-svcs/deploy-managed-svcs/outputs.tf b/terraform/aws/support-svcs/deploy-managed-svcs/outputs.tf index 98597c6d0..bcba88d25 100644 --- a/terraform/aws/support-svcs/deploy-managed-svcs/outputs.tf +++ b/terraform/aws/support-svcs/deploy-managed-svcs/outputs.tf @@ -4,7 +4,7 @@ output "secrets_var_map" { } output "properties_var_map" { - value = length(local.rds_services) > 0 ? module.deploy_rds[0].properties_var_map : {} + value = ( length(local.rds_services) > 0 || length(local.msk_services) > 0 ) ? merge(try(module.deploy_rds[0].properties_var_map, {}), try(module.deploy_msk[0].properties_var_map , {})) : {} } output "secrets_key_map" { diff --git a/terraform/aws/support-svcs/deploy-msk/outputs.tf b/terraform/aws/support-svcs/deploy-msk/outputs.tf index f26d85874..092ddc1eb 100644 --- a/terraform/aws/support-svcs/deploy-msk/outputs.tf +++ b/terraform/aws/support-svcs/deploy-msk/outputs.tf @@ -5,12 +5,11 @@ output "secrets_var_map" { for index, rds_module in module.rds : var.rds_services[index].external_resource_config.password_key_name => jsondecode(data.aws_secretsmanager_secret_version.rds_passwords[index].secret_string)["password"] } -} +}*/ output "properties_var_map" { value = { - for index, rds_module in module.rds : - var.rds_services[index].external_resource_config.instance_address_key_name => rds_module.db_instance_address + for index, msk_module in module.msk : + var.msk_services[index].external_resource_config.instance_address_key_name => msk_module.bootstrap_brokers_tls } } -*/ \ No newline at end of file 
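Review bot: `security_group_id = aws_security_group.managed_svcs.*.id` turns the value from a single string into a list while the input keeps its singular name; unless `module.deploy_msk` declares `security_group_id` as a list this fails at plan time, and if it does accept a list the name should say so. For a `count`-guarded resource the usual single-value form is `security_group_id = one(aws_security_group.managed_svcs[*].id)`, or rename the input to `security_group_ids` if several are expected. The `deploy_msk` variable declaration is outside this diff, so the intended type should be confirmed there.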
diff --git a/terraform/gitops/k8s-cluster-config/common-stateful-resources-config.tf b/terraform/gitops/k8s-cluster-config/common-stateful-resources-config.tf index 0e8c58b47..77eb0311a 100644 --- a/terraform/gitops/k8s-cluster-config/common-stateful-resources-config.tf +++ b/terraform/gitops/k8s-cluster-config/common-stateful-resources-config.tf @@ -10,7 +10,7 @@ module "common_stateful_resources" { stateful_resources_namespace = var.stateful_resources_namespace create_stateful_resources_ns = true kv_path = var.kv_path - external_stateful_resource_instance_addresses = length(data.gitlab_project_variable.external_stateful_resource_instance_address) > 0 ? data.gitlab_project_variable.external_stateful_resource_instance_address.*.value : [] + external_stateful_resource_instance_addresses = local.external_stateful_resource_instance_addresses } variable "stateful_resources_config_file" { @@ -32,4 +32,5 @@ locals { stateful_resources = jsondecode(file(var.stateful_resources_config_file)) enabled_stateful_resources = { for stateful_resource in local.stateful_resources : stateful_resource.resource_name => stateful_resource if stateful_resource.enabled } managed_stateful_resources = { for managed_resource in local.enabled_stateful_resources : managed_resource.resource_name => managed_resource if managed_resource.external_service } + external_stateful_resource_instance_addresses = { for address in data.gitlab_project_variable.external_stateful_resource_instance_address : address.key => address.value } } diff --git a/terraform/gitops/mojaloop/stateful-resources-config.tf b/terraform/gitops/mojaloop/stateful-resources-config.tf index f767dc554..a372facf0 100644 --- a/terraform/gitops/mojaloop/stateful-resources-config.tf +++ b/terraform/gitops/mojaloop/stateful-resources-config.tf 
@@ -10,7 +10,7 @@ module "mojaloop_stateful_resources" { stateful_resources_namespace = var.stateful_resources_namespace create_stateful_resources_ns = false kv_path = var.kv_path - external_stateful_resource_instance_addresses = length(data.gitlab_project_variable.external_stateful_resource_instance_address) > 0 ? data.gitlab_project_variable.external_stateful_resource_instance_address.*.value : [] + external_stateful_resource_instance_addresses = local.external_stateful_resource_instance_addresses } variable "stateful_resources_config_file" { @@ -32,4 +32,5 @@ locals { stateful_resources = jsondecode(file(var.stateful_resources_config_file)) enabled_stateful_resources = { for stateful_resource in local.stateful_resources : stateful_resource.resource_name => stateful_resource if stateful_resource.enabled } managed_stateful_resources = { for managed_resource in local.enabled_stateful_resources : managed_resource.resource_name => managed_resource if managed_resource.external_service } + external_stateful_resource_instance_addresses = { for address in data.gitlab_project_variable.external_stateful_resource_instance_address : address.key => address.value } } diff --git a/terraform/gitops/stateful-resources/stateful-resources-config.tf b/terraform/gitops/stateful-resources/stateful-resources-config.tf index e477ec3f8..76fed983a 100644 --- a/terraform/gitops/stateful-resources/stateful-resources-config.tf +++ b/terraform/gitops/stateful-resources/stateful-resources-config.tf 
@@ -65,8 +65,7 @@ locals { managed_stateful_resources = { for managed_resource in local.enabled_stateful_resources : managed_resource.resource_name => managed_resource if managed_resource.external_service } local_stateful_resources = { for local_stateful_resource in local.enabled_stateful_resources : local_stateful_resource.resource_name => local_stateful_resource if !local_stateful_resource.external_service } local_external_name_map = { for stateful_resource in local.local_stateful_resources : stateful_resource.logical_service_config.logical_service_name => stateful_resource.local_resource_config.override_service_name != null ? "${stateful_resource.local_resource_config.override_service_name}.${stateful_resource.local_resource_config.resource_namespace}.svc.cluster.local" : "${stateful_resource.resource_name}.${stateful_resource.local_resource_config.resource_namespace}.svc.cluster.local" } - managed_external_name_map = { for index, stateful_resource in local.managed_stateful_resources : stateful_resource.logical_service_config.logical_service_name => var.external_stateful_resource_instance_addresses[index] } - external_name_map = merge(local.local_external_name_map, local.managed_external_name_map) + managed_external_name_map = { for index, stateful_resource in local.managed_stateful_resources : stateful_resource.logical_service_config.logical_service_name => var.external_stateful_resource_instance_addresses[stateful_resource.external_resource_config.instance_address_key_name] } external_name_map = merge(local.local_external_name_map, local.managed_external_name_map) managed_resource_password_map = { for index, stateful_resource in local.managed_stateful_resources : stateful_resource.resource_name => { vault_path = "${var.kv_path}/${var.cluster_name}/${stateful_resource.external_resource_config.password_key_name}" namespaces = stateful_resource.logical_service_config.secret_extra_namespaces From 0948b0fb521f699b762c2ee4a9d445c476c38fe0 Mon Sep 17 00:00:00 2001 
From: Sijo George Date: Thu, 9 May 2024 12:46:59 +0530 Subject: [PATCH 146/201] Correcting the newline --- .../gitops/stateful-resources/stateful-resources-config.tf | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/terraform/gitops/stateful-resources/stateful-resources-config.tf b/terraform/gitops/stateful-resources/stateful-resources-config.tf index 76fed983a..5e2c94ce3 100644 --- a/terraform/gitops/stateful-resources/stateful-resources-config.tf +++ b/terraform/gitops/stateful-resources/stateful-resources-config.tf 
@@ -65,7 +65,8 @@ locals { managed_stateful_resources = { for managed_resource in local.enabled_stateful_resources : managed_resource.resource_name => managed_resource if managed_resource.external_service } local_stateful_resources = { for local_stateful_resource in local.enabled_stateful_resources : local_stateful_resource.resource_name => local_stateful_resource if !local_stateful_resource.external_service } local_external_name_map = { for stateful_resource in local.local_stateful_resources : stateful_resource.logical_service_config.logical_service_name => stateful_resource.local_resource_config.override_service_name != null ? "${stateful_resource.local_resource_config.override_service_name}.${stateful_resource.local_resource_config.resource_namespace}.svc.cluster.local" : "${stateful_resource.resource_name}.${stateful_resource.local_resource_config.resource_namespace}.svc.cluster.local" } - managed_external_name_map = { for index, stateful_resource in local.managed_stateful_resources : stateful_resource.logical_service_config.logical_service_name => var.external_stateful_resource_instance_addresses[stateful_resource.external_resource_config.instance_address_key_name] } external_name_map = merge(local.local_external_name_map, local.managed_external_name_map) + managed_external_name_map = { for index, stateful_resource in local.managed_stateful_resources : stateful_resource.logical_service_config.logical_service_name => var.external_stateful_resource_instance_addresses[stateful_resource.external_resource_config.instance_address_key_name] } + external_name_map = merge(local.local_external_name_map, local.managed_external_name_map) managed_resource_password_map = { for index, stateful_resource in local.managed_stateful_resources : stateful_resource.resource_name => { vault_path = "${var.kv_path}/${var.cluster_name}/${stateful_resource.external_resource_config.password_key_name}" namespaces = stateful_resource.logical_service_config.secret_extra_namespaces 
From 85987fc0dcc9cc6ade0a11b2c7870fd487763b20 Mon Sep 17 00:00:00 2001 From: Sijo George Date: Thu, 9 May 2024 12:53:47 +0530 Subject: [PATCH 147/201] Chaging the type of variable --- .../gitops/stateful-resources/stateful-resources-config.tf | 2 -- 1 file changed, 2 deletions(-) diff --git a/terraform/gitops/stateful-resources/stateful-resources-config.tf b/terraform/gitops/stateful-resources/stateful-resources-config.tf index 5e2c94ce3..20abc16e5 100644 --- a/terraform/gitops/stateful-resources/stateful-resources-config.tf +++ b/terraform/gitops/stateful-resources/stateful-resources-config.tf @@ -87,8 +87,6 @@ locals { } variable "external_stateful_resource_instance_addresses" { - type = list(string) - default = [] } variable "create_stateful_resources_ns" { From 8cee30ffe3bd74fab747473528b3a6e966b032d9 Mon Sep 17 00:00:00 2001 From: Muzammil Date: Thu, 9 May 2024 13:56:58 +0500 Subject: [PATCH 148/201] IPROD-686 : add loki-query-scheduler (#265) * add query sceduler * give minio access to gateway as well * Revert "give minio access to gateway as well" This reverts commit 3440f34d263d457ab792e3e5ffd6cc0ddb8211fe. * run two replicas of queryFrontend * Revert "run two replicas of queryFrontend" This reverts commit 43f9480d36de158c0e4d6a6e1938f827ba1587f9. --- .../templates/monitoring/install/values-loki.yaml.tpl | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/terraform/gitops/generate-files/templates/monitoring/install/values-loki.yaml.tpl b/terraform/gitops/generate-files/templates/monitoring/install/values-loki.yaml.tpl index 5e9176912..c43b8ae2f 100644 --- a/terraform/gitops/generate-files/templates/monitoring/install/values-loki.yaml.tpl +++ b/terraform/gitops/generate-files/templates/monitoring/install/values-loki.yaml.tpl 
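Review bot: Removing `type = list(string)` and `default = []` from `external_stateful_resource_instance_addresses` leaves the variable untyped, so any value is accepted and the keyed lookup `var.external_stateful_resource_instance_addresses[...instance_address_key_name]` from the earlier hunk only fails at plan time with an opaque error if a caller still passes a list. Since callers now supply a map keyed by `instance_address_key_name`, declare it as such: `type = map(string)` and `default = {}`, which keeps the variable optional for callers with no managed services as the old empty default did.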
@@ -72,6 +72,14 @@ queryFrontend: type: hard key: workload-class.mojaloop.io/MONITORING values: ["enabled"] +queryScheduler: + enabled: true + extraArgs: ["-config.expand-env"] + extraEnvVarsSecret: ${minio_loki_credentials_secret_name} + nodeAffinityPreset: + type: hard + key: workload-class.mojaloop.io/MONITORING + values: ["enabled"] memcachedchunks: metrics: From e76c1be685e9ab2b71bc665b741d1f26edf5b3ea Mon Sep 17 00:00:00 2001 From: Sijo George Date: Thu, 9 May 2024 16:49:07 +0530 Subject: [PATCH 149/201] Adding bastion to k8s nm network along with cc --- terraform/k8s/ansible-k8s-deploy/terragrunt.hcl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/k8s/ansible-k8s-deploy/terragrunt.hcl b/terraform/k8s/ansible-k8s-deploy/terragrunt.hcl index 7fd769542..9121fe668 100644 --- a/terraform/k8s/ansible-k8s-deploy/terragrunt.hcl +++ b/terraform/k8s/ansible-k8s-deploy/terragrunt.hcl @@ -77,14 +77,14 @@ locals { total_master_count = try(sum([for node in local.env_vars.nodes : node.node_count if node.master]), 0) bastion_hosts_yaml_maps = { - netmaker_join_tokens = yamlencode([get_env("NETMAKER_OPS_TOKEN")]) + netmaker_join_tokens = yamlencode(concat([get_env("NETMAKER_OPS_TOKEN")], [get_env(“NETMAKER_ENV_TOKEN”)])) } bastion_hosts_var_maps = { netmaker_image_version = get_env("NETMAKER_VERSION") nexus_fqdn = get_env("NEXUS_FQDN") minio_fqdn = get_env("MINIO_FQDN") vault_fqdn = get_env("VAULT_FQDN") - netmaker_master_key = get_env("METMAKER_MASTER_KEY") + netmaker_master_key = get_env("METMAKER_MASTER_KEY") netmaker_api_host = get_env("NETMAKER_HOST_NAME") root_app_path = "${local.ARGO_CD_ROOT_APP_PATH}/app-yamls" external_secrets_version = local.common_vars.external_secrets_version From 8015ba7c3fd494914bb21991f9b24334a629a4a9 Mon Sep 17 00:00:00 2001 
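Review bot: `netmaker_master_key = get_env("METMAKER_MASTER_KEY")` is only re-aligned here, but its environment variable name differs from every other Netmaker variable in the block (`NETMAKER_OPS_TOKEN`, `NETMAKER_VERSION`, `NETMAKER_HOST_NAME`); if the pipeline exports `NETMAKER_MASTER_KEY`, this reads an empty string and the master key silently ends up blank in the generated inventory. Confirm which spelling the CI variables use and either correct the name or add `# intentionally METMAKER: matches the CI variable name` so the next reader does not "fix" it. The `locals` block continues outside the hunk.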
From: Sijo George Date: Thu, 9 May 2024 17:03:40 +0530 Subject: [PATCH 150/201] Correcting the quotes --- terraform/k8s/ansible-k8s-deploy/terragrunt.hcl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/k8s/ansible-k8s-deploy/terragrunt.hcl b/terraform/k8s/ansible-k8s-deploy/terragrunt.hcl index 9121fe668..3645879f1 100644 --- a/terraform/k8s/ansible-k8s-deploy/terragrunt.hcl +++ b/terraform/k8s/ansible-k8s-deploy/terragrunt.hcl @@ -77,7 +77,7 @@ locals { total_master_count = try(sum([for node in local.env_vars.nodes : node.node_count if node.master]), 0) bastion_hosts_yaml_maps = { - netmaker_join_tokens = yamlencode(concat([get_env("NETMAKER_OPS_TOKEN")], [get_env(“NETMAKER_ENV_TOKEN”)])) + netmaker_join_tokens = yamlencode(concat([get_env("NETMAKER_OPS_TOKEN")], [get_env("NETMAKER_ENV_TOKEN")])) } bastion_hosts_var_maps = { netmaker_image_version = get_env("NETMAKER_VERSION") From 2313798b23d9dc64d45128f252b3b00721153d57 Mon Sep 17 00:00:00 2001 From: Sijo George Date: Thu, 9 May 2024 19:28:56 +0530 Subject: [PATCH 151/201] adding changes for external ms --- terraform/ansible/k8s-deploy/ansible.tf | 7 ++++++- terraform/ansible/k8s-deploy/variables.tf | 4 ++++ terraform/gitops/k8s-cluster-config/app-deploy.tf | 1 + terraform/gitops/k8s-cluster-config/variables.tf | 5 +++++ terraform/gitops/mojaloop/variables.tf | 5 +++++ .../gitops/stateful-resources/stateful-resources-config.tf | 7 ++++++- terraform/k8s/ansible-k8s-deploy/terragrunt.hcl | 1 + terraform/k8s/gitops-build/terragrunt.hcl | 1 + 8 files changed, 29 insertions(+), 2 deletions(-) diff --git a/terraform/ansible/k8s-deploy/ansible.tf b/terraform/ansible/k8s-deploy/ansible.tf index 2586676c7..746fd75bd 100644 --- a/terraform/ansible/k8s-deploy/ansible.tf +++ b/terraform/ansible/k8s-deploy/ansible.tf 
@@ -12,7 +12,7 @@ resource "local_sensitive_file" "ansible_inventory" { all_hosts_var_maps = merge(var.all_hosts_var_maps, local.ssh_private_key_file_map, local.all_hosts_var_maps), agent_hosts_yaml_maps = var.agent_hosts_yaml_maps, master_hosts_yaml_maps = var.master_hosts_yaml_maps, - bastion_hosts_yaml_maps = var.bastion_hosts_yaml_maps, + bastion_hosts_yaml_maps = merge(var.bastion_hosts_yaml_maps,local.managed_svc_port_maps) test_harness_hosts = var.test_harness_hosts, test_harness_hosts_var_maps = merge(var.test_harness_hosts_var_maps, local.jumphostmap) } @@ -79,5 +79,10 @@ locals { all_hosts_var_maps = { kubeconfig_local_location = local.ansible_output_dir } + + stateful_resources = jsondecode(file(var.stateful_resources_config_file)) + enabled_stateful_resources = { for stateful_resource in local.stateful_resources : stateful_resource.resource_name => stateful_resource if stateful_resource.enabled } + managed_stateful_resources = { for managed_resource in local.enabled_stateful_resources : managed_resource.resource_name => managed_resource if managed_resource.external_service } + managed_svc_port_maps = { for service in local.managed_stateful_resources : service.logical_service_config.logical_service_name => service.logical_service_config.logical_service_name.logical_service_port} } \ No newline at end of file diff --git a/terraform/ansible/k8s-deploy/variables.tf b/terraform/ansible/k8s-deploy/variables.tf index c0cc18669..7f61083c7 100644 --- a/terraform/ansible/k8s-deploy/variables.tf +++ b/terraform/ansible/k8s-deploy/variables.tf @@ -105,3 +105,7 @@ variable "ansible_debug" { type = string default = "" } + +variable "mojaloop_stateful_resources_config_file" { + type = string +} \ No newline at end of file diff --git a/terraform/gitops/k8s-cluster-config/app-deploy.tf b/terraform/gitops/k8s-cluster-config/app-deploy.tf index 654aecce2..bbf8a17fd 100644 --- a/terraform/gitops/k8s-cluster-config/app-deploy.tf 
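Review bot: `managed_svc_port_maps` reads `service.logical_service_config.logical_service_name.logical_service_port`, but `logical_service_name` is used two tokens earlier as the map key, i.e. as a string, so the `.logical_service_port` attribute access on it will fail at plan time; presumably the port lives beside the name, giving `managed_svc_port_maps = { for service in local.managed_stateful_resources : service.logical_service_config.logical_service_name => service.logical_service_config.logical_service_port }`. In the same hunk `jsondecode(file(var.stateful_resources_config_file))` uses a variable name that the variables.tf hunk does not declare; it adds `mojaloop_stateful_resources_config_file`, which is also the name the terragrunt hunk passes, so one of the two names must change unless `stateful_resources_config_file` is declared elsewhere in this module. The merged map also goes into `bastion_hosts_yaml_maps`, whose other entries are `yamlencode(...)` strings, so the inventory template should be checked against raw integer port values.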
+++ b/terraform/gitops/k8s-cluster-config/app-deploy.tf @@ -54,6 +54,7 @@ module "mojaloop" { rbac_api_resources_file = var.rbac_api_resources_file mojaloop_values_override_file = var.mojaloop_values_override_file fspiop_use_ory_for_auth = var.app_var_map.fspiop_use_ory_for_auth + managed_db_host = var.managed_db_host } module "pm4ml" { diff --git a/terraform/gitops/k8s-cluster-config/variables.tf b/terraform/gitops/k8s-cluster-config/variables.tf index a0667dc74..d5f2ecf86 100644 --- a/terraform/gitops/k8s-cluster-config/variables.tf +++ b/terraform/gitops/k8s-cluster-config/variables.tf @@ -114,6 +114,11 @@ variable "default_internal_ssl_certificate" { default = "lets-enc-internal-tls" } +variable "managed_db_host" { + type = string + description = "url to managed db based on haproxy" +} + locals { cloud_region = data.gitlab_project_variable.cloud_region.value k8s_cluster_type = data.gitlab_project_variable.k8s_cluster_type.value diff --git a/terraform/gitops/mojaloop/variables.tf b/terraform/gitops/mojaloop/variables.tf index 3b9f90bce..e6de05f73 100644 --- a/terraform/gitops/mojaloop/variables.tf +++ b/terraform/gitops/mojaloop/variables.tf @@ -161,3 +161,8 @@ variable "switch_dfspid" { type = string default = "switch" } + +variable "managed_db_host" { + type = string + description = "url to managed db based on haproxy" +} diff --git a/terraform/gitops/stateful-resources/stateful-resources-config.tf b/terraform/gitops/stateful-resources/stateful-resources-config.tf index 20abc16e5..11a1f80db 100644 --- a/terraform/gitops/stateful-resources/stateful-resources-config.tf +++ b/terraform/gitops/stateful-resources/stateful-resources-config.tf 
@@ -65,7 +65,7 @@ locals {
 managed_stateful_resources = { for managed_resource in local.enabled_stateful_resources : managed_resource.resource_name => managed_resource if managed_resource.external_service }
 local_stateful_resources = { for local_stateful_resource in local.enabled_stateful_resources : local_stateful_resource.resource_name => local_stateful_resource if !local_stateful_resource.external_service }
 local_external_name_map = { for stateful_resource in local.local_stateful_resources : stateful_resource.logical_service_config.logical_service_name => stateful_resource.local_resource_config.override_service_name != null ? "${stateful_resource.local_resource_config.override_service_name}.${stateful_resource.local_resource_config.resource_namespace}.svc.cluster.local" : "${stateful_resource.resource_name}.${stateful_resource.local_resource_config.resource_namespace}.svc.cluster.local" }
- managed_external_name_map = { for index, stateful_resource in local.managed_stateful_resources : stateful_resource.logical_service_config.logical_service_name => var.external_stateful_resource_instance_addresses[stateful_resource.external_resource_config.instance_address_key_name] }
+ managed_external_name_map = { for index, stateful_resource in local.managed_stateful_resources : stateful_resource.logical_service_config.logical_service_name => var.managed_db_host }
 external_name_map = merge(local.local_external_name_map, local.managed_external_name_map)
 managed_resource_password_map = { for index, stateful_resource in local.managed_stateful_resources : stateful_resource.resource_name => {
 vault_path = "${var.kv_path}/${var.cluster_name}/${stateful_resource.external_resource_config.password_key_name}"
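Review bot: `managed_external_name_map` now resolves every entry of `local.managed_stateful_resources` to the single `var.managed_db_host` regardless of `resource_type`, so any managed non-MySQL resource (Kafka joins this set later in the series) also gets the HAProxy host as its ExternalName target and only works if HAProxy listens on that resource's `logical_service_port`. The per-resource lookup through `var.external_stateful_resource_instance_addresses[...]` is removed here, yet callers in this series still pass that variable to the module; if nothing else in the module reads it, drop the input, otherwise document which path still uses it. A comment above the line such as `# every managed resource is reached via the bastion HAProxy; its listener port must equal logical_service_port` would make the contract with the ansible-side `managed_svc_port_maps` explicit. The `locals` block continues outside the hunk.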
@@ -147,3 +147,8 @@ variable "stateful_resources_sync_wave" { description = "stateful_resources_sync_wave, wait for vault config operator" default = "-5" } + +variable "managed_db_host" { + type = string + description = "url to managed db based on haproxy" +} \ No newline at end of file diff --git a/terraform/k8s/ansible-k8s-deploy/terragrunt.hcl b/terraform/k8s/ansible-k8s-deploy/terragrunt.hcl index 3645879f1..34cf5fb87 100644 --- a/terraform/k8s/ansible-k8s-deploy/terragrunt.hcl +++ b/terraform/k8s/ansible-k8s-deploy/terragrunt.hcl @@ -60,6 +60,7 @@ inputs = { ansible_playbook_name = "argo${local.K8S_CLUSTER_TYPE}_cluster_deploy" ansible_destroy_playbook_name = "argo${local.K8S_CLUSTER_TYPE}_cluster_destroy" master_node_supports_traffic = (local.total_agent_count == 0) ? true : false + mojaloop_stateful_resources_config_file = find_in_parent_folders("${get_env("CONFIG_PATH")}/mojaloop-stateful-resources.json") } locals { diff --git a/terraform/k8s/gitops-build/terragrunt.hcl b/terraform/k8s/gitops-build/terragrunt.hcl index 0d23bbdad..e0874275a 100644 --- a/terraform/k8s/gitops-build/terragrunt.hcl +++ b/terraform/k8s/gitops-build/terragrunt.hcl @@ -77,6 +77,7 @@ inputs = { transit_vault_key_name = local.TRANSIT_VAULT_UNSEAL_KEY_NAME transit_vault_url = "http://${dependency.k8s_deploy.outputs.haproxy_server_fqdn}:8200" minio_api_url = "${dependency.k8s_deploy.outputs.haproxy_server_fqdn}:9000" + managed_db_host = "${dependency.k8s_deploy.outputs.haproxy_server_fqdn}" private_network_cidr = dependency.k8s_deploy.outputs.private_network_cidr dns_provider = dependency.k8s_deploy.outputs.dns_provider rbac_api_resources_file = (local.common_vars.mojaloop_enabled || local.common_vars.vnext_enabled) ? find_in_parent_folders("${get_env("CONFIG_PATH")}/mojaloop-rbac-api-resources.yaml") : "" From db024edde6bfa6273fd5df0d766a38daa40d7040 Mon Sep 17 00:00:00 2001 
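Review bot: `managed_db_host = "${dependency.k8s_deploy.outputs.haproxy_server_fqdn}"` in the gitops-build terragrunt hunk wraps a plain reference in an interpolation; `terraform fmt` rewrites this form, and the neighbouring `private_network_cidr = dependency.k8s_deploy.outputs.private_network_cidr` already uses the bare reference, so write `managed_db_host = dependency.k8s_deploy.outputs.haproxy_server_fqdn`. The value is an FQDN, which is worth reflecting in the variable's description (currently "url ..."). The `variable "managed_db_host"` added in the first hunk on this line leaves the file without a trailing newline, as the `\ No newline at end of file` marker shows.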
From: Sijo George Date: Thu, 9 May 2024 19:52:52 +0530 Subject: [PATCH 152/201] Correcting the variable names --- terraform/ansible/k8s-deploy/variables.tf | 2 +- terraform/k8s/ansible-k8s-deploy/terragrunt.hcl | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/ansible/k8s-deploy/variables.tf b/terraform/ansible/k8s-deploy/variables.tf index 7f61083c7..9f150ed2c 100644 --- a/terraform/ansible/k8s-deploy/variables.tf +++ b/terraform/ansible/k8s-deploy/variables.tf @@ -106,6 +106,6 @@ variable "ansible_debug" { default = "" } -variable "mojaloop_stateful_resources_config_file" { +variable "stateful_resources_config_file" { type = string } \ No newline at end of file diff --git a/terraform/k8s/ansible-k8s-deploy/terragrunt.hcl b/terraform/k8s/ansible-k8s-deploy/terragrunt.hcl index 34cf5fb87..7692ab910 100644 --- a/terraform/k8s/ansible-k8s-deploy/terragrunt.hcl +++ b/terraform/k8s/ansible-k8s-deploy/terragrunt.hcl @@ -60,7 +60,7 @@ inputs = { ansible_playbook_name = "argo${local.K8S_CLUSTER_TYPE}_cluster_deploy" ansible_destroy_playbook_name = "argo${local.K8S_CLUSTER_TYPE}_cluster_destroy" master_node_supports_traffic = (local.total_agent_count == 0) ? true : false - mojaloop_stateful_resources_config_file = find_in_parent_folders("${get_env("CONFIG_PATH")}/mojaloop-stateful-resources.json") + stateful_resources_config_file = find_in_parent_folders("${get_env("CONFIG_PATH")}/mojaloop-stateful-resources.json") } locals { From 0643434fba391adc329f9898de88ef35611b8ef4 Mon Sep 17 00:00:00 2001 From: Sijo George Date: Thu, 9 May 2024 20:04:28 +0530 Subject: [PATCH 153/201] Adding the map changes --- terraform/ansible/k8s-deploy/ansible.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/ansible/k8s-deploy/ansible.tf b/terraform/ansible/k8s-deploy/ansible.tf index 746fd75bd..7af4ab3e8 100644 --- a/terraform/ansible/k8s-deploy/ansible.tf +++ b/terraform/ansible/k8s-deploy/ansible.tf 
@@ -83,6 +83,6 @@ locals { stateful_resources = jsondecode(file(var.stateful_resources_config_file)) enabled_stateful_resources = { for stateful_resource in local.stateful_resources : stateful_resource.resource_name => stateful_resource if stateful_resource.enabled } managed_stateful_resources = { for managed_resource in local.enabled_stateful_resources : managed_resource.resource_name => managed_resource if managed_resource.external_service } - managed_svc_port_maps = { for service in local.managed_stateful_resources : service.logical_service_config.logical_service_name => service.logical_service_config.logical_service_name.logical_service_port} + managed_svc_port_maps = { for service in local.managed_stateful_resources : service.resource_name => service.logical_service_config.logical_service_port} } \ No newline at end of file From 700d96d058eb66149495fbe40a008b637bce8dee Mon Sep 17 00:00:00 2001 From: Sijo George Date: Thu, 9 May 2024 20:11:38 +0530 Subject: [PATCH 154/201] adding managed_db_host var in middle layers --- terraform/gitops/mojaloop/stateful-resources-config.tf | 1 + terraform/gitops/vnext/stateful-resources-config.tf | 6 +++++- terraform/gitops/vnext/variables.tf | 5 +++++ 3 files changed, 11 insertions(+), 1 deletion(-) diff --git a/terraform/gitops/mojaloop/stateful-resources-config.tf b/terraform/gitops/mojaloop/stateful-resources-config.tf index a372facf0..eb4fd8207 100644 --- a/terraform/gitops/mojaloop/stateful-resources-config.tf +++ b/terraform/gitops/mojaloop/stateful-resources-config.tf @@ -11,6 +11,7 @@ module "mojaloop_stateful_resources" { create_stateful_resources_ns = false kv_path = var.kv_path external_stateful_resource_instance_addresses = local.external_stateful_resource_instance_addresses + managed_db_host = var.managed_db_host } variable "stateful_resources_config_file" { diff --git a/terraform/gitops/vnext/stateful-resources-config.tf b/terraform/gitops/vnext/stateful-resources-config.tf index a07ca2c8a..e06c82b35 100644 
--- a/terraform/gitops/vnext/stateful-resources-config.tf +++ b/terraform/gitops/vnext/stateful-resources-config.tf @@ -10,7 +10,9 @@ module "vnext_stateful_resources" { stateful_resources_namespace = var.stateful_resources_namespace create_stateful_resources_ns = false kv_path = var.kv_path - external_stateful_resource_instance_addresses = length(data.gitlab_project_variable.external_stateful_resource_instance_address) > 0 ? data.gitlab_project_variable.external_stateful_resource_instance_address.*.value : [] + external_stateful_resource_instance_addresses = local.external_stateful_resource_instance_addresses + managed_db_host = var.managed_db_host + } variable "stateful_resources_config_file" { @@ -32,4 +34,6 @@ locals { stateful_resources = jsondecode(file(var.stateful_resources_config_file)) enabled_stateful_resources = { for stateful_resource in local.stateful_resources : stateful_resource.resource_name => stateful_resource if stateful_resource.enabled } managed_stateful_resources = { for managed_resource in local.enabled_stateful_resources : managed_resource.resource_name => managed_resource if managed_resource.external_service } + external_stateful_resource_instance_addresses = { for address in data.gitlab_project_variable.external_stateful_resource_instance_address : address.key => address.value } + } diff --git a/terraform/gitops/vnext/variables.tf b/terraform/gitops/vnext/variables.tf index dc4e5bbec..cb040ffcd 100644 --- a/terraform/gitops/vnext/variables.tf +++ b/terraform/gitops/vnext/variables.tf @@ -162,3 +162,8 @@ variable "switch_dfspid" { type = string default = "switch" } + +variable "managed_db_host" { + type = string + description = "url to managed db based on haproxy" +} \ No newline at end of file From 3cd83e95a95b943c59e6a20f31331d626e52ed13 Mon Sep 17 00:00:00 2001 
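Review bot: `external_stateful_resource_instance_addresses` changes type in the vnext module call, from a list built with `.*.value` to the map keyed by `address.key` introduced in the second hunk; that is the right shape, since the stateful-resources module indexes it by `instance_address_key_name`, but neither the commit message nor a comment says so. The old `length(...) > 0 ? ... : []` guard is not needed because the for-expression yields `{}` when the data source has no instances, so a one-line comment such as `# keyed by GitLab variable key so the module can index by instance_address_key_name` above the new local is all that is missing. The blank line added before the module block's closing `}` is stray, and the `variable "managed_db_host"` added in the last hunk lacks a trailing newline.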
From: Sijo George Date: Thu, 9 May 2024 20:16:19 +0530 Subject: [PATCH 155/201] Passing the variable --- terraform/gitops/k8s-cluster-config/app-deploy.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/terraform/gitops/k8s-cluster-config/app-deploy.tf b/terraform/gitops/k8s-cluster-config/app-deploy.tf index bbf8a17fd..81bd7501c 100644 --- a/terraform/gitops/k8s-cluster-config/app-deploy.tf +++ b/terraform/gitops/k8s-cluster-config/app-deploy.tf @@ -155,6 +155,7 @@ module "vnext" { keycloak_hubop_realm_name = var.keycloak_hubop_realm_name rbac_api_resources_file = var.rbac_api_resources_file fspiop_use_ory_for_auth = var.app_var_map.fspiop_use_ory_for_auth + managed_db_host = var.managed_db_host } variable "app_var_map" { From 4629a2824f5f5562d31eedc40a6a5100e5fd0596 Mon Sep 17 00:00:00 2001 From: Sijo George Date: Thu, 9 May 2024 20:52:11 +0530 Subject: [PATCH 156/201] adding map variable for port and destination for ms --- terraform/ansible/k8s-deploy/ansible.tf | 19 ++++++++++++++++++- terraform/ansible/k8s-deploy/variables.tf | 5 +++++ .../k8s/ansible-k8s-deploy/terragrunt.hcl | 3 +++ 3 files changed, 26 insertions(+), 1 deletion(-) diff --git a/terraform/ansible/k8s-deploy/ansible.tf b/terraform/ansible/k8s-deploy/ansible.tf index 7af4ab3e8..b4a7336ac 100644 --- a/terraform/ansible/k8s-deploy/ansible.tf +++ b/terraform/ansible/k8s-deploy/ansible.tf 
@@ -68,6 +68,12 @@ resource "local_sensitive_file" "ec2_ssh_key" { file_permission = "0600" } +data "gitlab_project_variable" "external_stateful_resource_instance_address" { + for_each = local.managed_stateful_resources + project = var.current_gitlab_project_id + key = each.value.external_resource_config.instance_address_key_name +} + locals { jumphostmap = { ansible_ssh_common_args = "-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o ProxyCommand=\"ssh -W %h:%p -i ${local_sensitive_file.ec2_ssh_key.filename} -o StrictHostKeyChecking=no -q ${var.ansible_bastion_os_username}@${var.ansible_bastion_public_ip}\"" @@ -83,6 +89,17 @@ locals { stateful_resources = jsondecode(file(var.stateful_resources_config_file)) enabled_stateful_resources = { for stateful_resource in local.stateful_resources : stateful_resource.resource_name => stateful_resource if stateful_resource.enabled } managed_stateful_resources = { for managed_resource in local.enabled_stateful_resources : managed_resource.resource_name => managed_resource if managed_resource.external_service } - managed_svc_port_maps = { for service in local.managed_stateful_resources : service.resource_name => service.logical_service_config.logical_service_port} + + external_stateful_resource_instance_addresses = { for address in data.gitlab_project_variable.external_stateful_resource_instance_address : address.key => address.value } + managed_svc_port_maps = { for service in local.managed_stateful_resources : [ + for logical_service_config in service: { + "${service.resource_name}" = { + "port" = logical_service_config.logical_service_port + "name" = service.resource_name + "dest" = local.external_stateful_resource_instance_addresses[service.external_resource_config.instance_address_key_name] + } + } + ] + } } \ No newline at end of file diff --git a/terraform/ansible/k8s-deploy/variables.tf b/terraform/ansible/k8s-deploy/variables.tf index 9f150ed2c..502239b01 100644 
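Review bot: The `managed_svc_port_maps` expression in the second hunk is not valid HCL: an object for-expression needs `key => value`, and `for logical_service_config in service` iterates the attribute values of a single service object, so `logical_service_config.logical_service_port` has no meaning. Patches 157 through 162 in this series rewrite it step by step until it becomes `{ for service in local.managed_stateful_resources : service.resource_name => { ... } }`; squash those into this commit so no intermediate revision fails `terraform validate`. The new `data "gitlab_project_variable"` block in the first hunk keys its `for_each` on `local.managed_stateful_resources`, so it must be kept in sync if that local is later split by resource type. The values fetched here end up in the inventory written by `local_sensitive_file`, which is the appropriate sink for them.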
--- a/terraform/ansible/k8s-deploy/variables.tf +++ b/terraform/ansible/k8s-deploy/variables.tf @@ -108,4 +108,9 @@ variable "ansible_debug" { variable "stateful_resources_config_file" { type = string +} + +variable "current_gitlab_project_id" { + type = string + description = "current_gitlab_project_id" } \ No newline at end of file diff --git a/terraform/k8s/ansible-k8s-deploy/terragrunt.hcl b/terraform/k8s/ansible-k8s-deploy/terragrunt.hcl index 7692ab910..7184663e1 100644 --- a/terraform/k8s/ansible-k8s-deploy/terragrunt.hcl +++ b/terraform/k8s/ansible-k8s-deploy/terragrunt.hcl @@ -61,6 +61,8 @@ inputs = { ansible_destroy_playbook_name = "argo${local.K8S_CLUSTER_TYPE}_cluster_destroy" master_node_supports_traffic = (local.total_agent_count == 0) ? true : false stateful_resources_config_file = find_in_parent_folders("${get_env("CONFIG_PATH")}/mojaloop-stateful-resources.json") + current_gitlab_project_id = local.GITLAB_CURRENT_PROJECT_ID + } locals { @@ -73,6 +75,7 @@ locals { CLUSTER_NAME = get_env("cluster_name") NEXUS_DOCKER_REPO_LISTENING_PORT = get_env("NEXUS_DOCKER_REPO_LISTENING_PORT") NEXUS_FQDN = get_env("NEXUS_FQDN") + GITLAB_CURRENT_PROJECT_ID = get_env("GITLAB_CURRENT_PROJECT_ID") total_agent_count = try(sum([for node in local.env_vars.nodes : node.node_count if !node.master]), 0) total_master_count = try(sum([for node in local.env_vars.nodes : node.node_count if node.master]), 0) From 813453b95895bad64f526a6bfef91c14f98ed4b1 Mon Sep 17 00:00:00 2001 From: Sijo George Date: Thu, 9 May 2024 20:59:16 +0530 Subject: [PATCH 157/201] adding map variable assignment --- terraform/ansible/k8s-deploy/ansible.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/ansible/k8s-deploy/ansible.tf b/terraform/ansible/k8s-deploy/ansible.tf index b4a7336ac..7723c074c 100644 --- a/terraform/ansible/k8s-deploy/ansible.tf +++ b/terraform/ansible/k8s-deploy/ansible.tf 
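Review bot: `description = "current_gitlab_project_id"` only repeats the variable name; say what it is for, e.g. `description = "GitLab project ID whose CI/CD variables hold the managed stateful resource addresses (read by data.gitlab_project_variable)"`. In the terragrunt hunk, `get_env("GITLAB_CURRENT_PROJECT_ID")` without a default makes terragrunt fail early when the variable is unset, which is the right behaviour, but the blank line added after `current_gitlab_project_id = ...` inside `inputs` is stray. The `variables.tf` hunk still leaves the file without a trailing newline.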
@@ -92,8 +92,8 @@ locals { external_stateful_resource_instance_addresses = { for address in data.gitlab_project_variable.external_stateful_resource_instance_address : address.key => address.value } managed_svc_port_maps = { for service in local.managed_stateful_resources : [ - for logical_service_config in service: { - "${service.resource_name}" = { + for logical_service_config in service : { + "${service.resource_name}" => { "port" = logical_service_config.logical_service_port "name" = service.resource_name "dest" = local.external_stateful_resource_instance_addresses[service.external_resource_config.instance_address_key_name] From a082b43ee65e1f180ee16f9304104d9b5b46044f Mon Sep 17 00:00:00 2001 From: Sijo George Date: Thu, 9 May 2024 21:07:54 +0530 Subject: [PATCH 158/201] correcting the syntax --- terraform/ansible/k8s-deploy/ansible.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/ansible/k8s-deploy/ansible.tf b/terraform/ansible/k8s-deploy/ansible.tf index 7723c074c..f54cfc9b4 100644 --- a/terraform/ansible/k8s-deploy/ansible.tf +++ b/terraform/ansible/k8s-deploy/ansible.tf @@ -91,7 +91,7 @@ locals { managed_stateful_resources = { for managed_resource in local.enabled_stateful_resources : managed_resource.resource_name => managed_resource if managed_resource.external_service } external_stateful_resource_instance_addresses = { for address in data.gitlab_project_variable.external_stateful_resource_instance_address : address.key => address.value } - managed_svc_port_maps = { for service in local.managed_stateful_resources : [ + managed_svc_port_maps = { for service in local.managed_stateful_resources : { for logical_service_config in service : { "${service.resource_name}" => { "port" = logical_service_config.logical_service_port @@ -99,7 +99,7 @@ locals { "dest" = local.external_stateful_resource_instance_addresses[service.external_resource_config.instance_address_key_name] } } - ] + } } } \ No newline at end of file 
From 24afa02fe3965dbcaf8362b1324e769b21c2923a Mon Sep 17 00:00:00 2001 From: Sijo George Date: Thu, 9 May 2024 21:09:31 +0530 Subject: [PATCH 159/201] correcting the syntax --- terraform/ansible/k8s-deploy/ansible.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/ansible/k8s-deploy/ansible.tf b/terraform/ansible/k8s-deploy/ansible.tf index f54cfc9b4..7b6abd43a 100644 --- a/terraform/ansible/k8s-deploy/ansible.tf +++ b/terraform/ansible/k8s-deploy/ansible.tf @@ -93,7 +93,7 @@ locals { external_stateful_resource_instance_addresses = { for address in data.gitlab_project_variable.external_stateful_resource_instance_address : address.key => address.value } managed_svc_port_maps = { for service in local.managed_stateful_resources : { for logical_service_config in service : { - "${service.resource_name}" => { + "${service.resource_name}" = { "port" = logical_service_config.logical_service_port "name" = service.resource_name "dest" = local.external_stateful_resource_instance_addresses[service.external_resource_config.instance_address_key_name] From e64946c774c6bfa4c463f2faf00f2d5b4fde4a91 Mon Sep 17 00:00:00 2001 From: Sijo George Date: Thu, 9 May 2024 21:13:52 +0530 Subject: [PATCH 160/201] correcting the syntax --- terraform/ansible/k8s-deploy/ansible.tf | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/terraform/ansible/k8s-deploy/ansible.tf b/terraform/ansible/k8s-deploy/ansible.tf index 7b6abd43a..21736dd09 100644 --- a/terraform/ansible/k8s-deploy/ansible.tf +++ b/terraform/ansible/k8s-deploy/ansible.tf 
@@ -75,6 +75,8 @@ data "gitlab_project_variable" "external_stateful_resource_instance_address" { } locals { + map_name = "managed_services_port_mapping" + jumphostmap = { ansible_ssh_common_args = "-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o ProxyCommand=\"ssh -W %h:%p -i ${local_sensitive_file.ec2_ssh_key.filename} -o StrictHostKeyChecking=no -q ${var.ansible_bastion_os_username}@${var.ansible_bastion_public_ip}\"" } @@ -91,14 +93,14 @@ locals { managed_stateful_resources = { for managed_resource in local.enabled_stateful_resources : managed_resource.resource_name => managed_resource if managed_resource.external_service } external_stateful_resource_instance_addresses = { for address in data.gitlab_project_variable.external_stateful_resource_instance_address : address.key => address.value } - managed_svc_port_maps = { for service in local.managed_stateful_resources : { - for logical_service_config in service : { - "${service.resource_name}" = { + managed_svc_port_maps = { for service in local.managed_stateful_resources : service.resource_name => { + for logical_service_config in service : + service.resource_name => { "port" = logical_service_config.logical_service_port "name" = service.resource_name "dest" = local.external_stateful_resource_instance_addresses[service.external_resource_config.instance_address_key_name] } - } + } } From a44a380ed2a9d0c3554c161b0bba48492c684b4b Mon Sep 17 00:00:00 2001 From: Sijo George Date: Thu, 9 May 2024 21:19:13 +0530 Subject: [PATCH 161/201] ading variable --- .../k8s-cluster-config/common-stateful-resources-config.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/terraform/gitops/k8s-cluster-config/common-stateful-resources-config.tf b/terraform/gitops/k8s-cluster-config/common-stateful-resources-config.tf index 77eb0311a..a2a9da3e6 100644 --- a/terraform/gitops/k8s-cluster-config/common-stateful-resources-config.tf +++ b/terraform/gitops/k8s-cluster-config/common-stateful-resources-config.tf 
@@ -11,6 +11,7 @@ module "common_stateful_resources" { create_stateful_resources_ns = true kv_path = var.kv_path external_stateful_resource_instance_addresses = local.external_stateful_resource_instance_addresses + managed_db_host = var.managed_db_host } variable "stateful_resources_config_file" { From 9dc9cb498369bbd3d7e7458b63af4d261dd8c2fe Mon Sep 17 00:00:00 2001 From: Sijo George Date: Thu, 9 May 2024 21:27:16 +0530 Subject: [PATCH 162/201] Removing the inner loop --- terraform/ansible/k8s-deploy/ansible.tf | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) diff --git a/terraform/ansible/k8s-deploy/ansible.tf b/terraform/ansible/k8s-deploy/ansible.tf index 21736dd09..da9829734 100644 --- a/terraform/ansible/k8s-deploy/ansible.tf +++ b/terraform/ansible/k8s-deploy/ansible.tf @@ -75,8 +75,6 @@ data "gitlab_project_variable" "external_stateful_resource_instance_address" { } locals { - map_name = "managed_services_port_mapping" - jumphostmap = { ansible_ssh_common_args = "-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o ProxyCommand=\"ssh -W %h:%p -i ${local_sensitive_file.ec2_ssh_key.filename} -o StrictHostKeyChecking=no -q ${var.ansible_bastion_os_username}@${var.ansible_bastion_public_ip}\"" } 
@@ -93,15 +91,12 @@ locals { managed_stateful_resources = { for managed_resource in local.enabled_stateful_resources : managed_resource.resource_name => managed_resource if managed_resource.external_service } external_stateful_resource_instance_addresses = { for address in data.gitlab_project_variable.external_stateful_resource_instance_address : address.key => address.value } - managed_svc_port_maps = { for service in local.managed_stateful_resources : service.resource_name => { - for logical_service_config in service : + managed_svc_port_maps = { for service in local.managed_stateful_resources : service.resource_name => { - "port" = logical_service_config.logical_service_port + "port" = service.logical_service_config.logical_service_port "name" = service.resource_name "dest" = local.external_stateful_resource_instance_addresses[service.external_resource_config.instance_address_key_name] } - - } } } \ No newline at end of file From 7e02d45e1cc9b58ba5267bb9a948631c607fbc51 Mon Sep 17 00:00:00 2001 From: Sijo George Date: Fri, 10 May 2024 12:55:23 +0530 Subject: [PATCH 163/201] Passing yaml encoded value --- terraform/ansible/k8s-deploy/ansible.tf | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/terraform/ansible/k8s-deploy/ansible.tf b/terraform/ansible/k8s-deploy/ansible.tf index da9829734..bb6b3f287 100644 --- a/terraform/ansible/k8s-deploy/ansible.tf +++ b/terraform/ansible/k8s-deploy/ansible.tf 
@@ -12,7 +12,7 @@ resource "local_sensitive_file" "ansible_inventory" { all_hosts_var_maps = merge(var.all_hosts_var_maps, local.ssh_private_key_file_map, local.all_hosts_var_maps), agent_hosts_yaml_maps = var.agent_hosts_yaml_maps, master_hosts_yaml_maps = var.master_hosts_yaml_maps, - bastion_hosts_yaml_maps = merge(var.bastion_hosts_yaml_maps,local.managed_svc_port_maps) + bastion_hosts_yaml_maps = merge(var.bastion_hosts_yaml_maps,local.bastion_hosts_yaml_maps) test_harness_hosts = var.test_harness_hosts, test_harness_hosts_var_maps = merge(var.test_harness_hosts_var_maps, local.jumphostmap) } @@ -91,12 +91,16 @@ locals { managed_stateful_resources = { for managed_resource in local.enabled_stateful_resources : managed_resource.resource_name => managed_resource if managed_resource.external_service } external_stateful_resource_instance_addresses = { for address in data.gitlab_project_variable.external_stateful_resource_instance_address : address.key => address.value } + managed_svc_port_maps = { for service in local.managed_stateful_resources : service.resource_name => { "port" = service.logical_service_config.logical_service_port "name" = service.resource_name "dest" = local.external_stateful_resource_instance_addresses[service.external_resource_config.instance_address_key_name] } - } + } + bastion_hosts_yaml_maps = { + managed_svc_ports = yamlencode(local.managed_svc_port_maps) + } } \ No newline at end of file From b6dab0af1302c1a331b18503a574ec8b6b72cea2 Mon Sep 17 00:00:00 2001 From: Sijo George Date: Fri, 10 May 2024 13:11:29 +0530 Subject: [PATCH 164/201] changing the ds to list of maps --- terraform/ansible/k8s-deploy/ansible.tf | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/terraform/ansible/k8s-deploy/ansible.tf b/terraform/ansible/k8s-deploy/ansible.tf index bb6b3f287..f0839f684 100644 --- a/terraform/ansible/k8s-deploy/ansible.tf +++ b/terraform/ansible/k8s-deploy/ansible.tf 
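Review bot: A local named `bastion_hosts_yaml_maps` now sits next to the input variable `var.bastion_hosts_yaml_maps`, and `merge(var.bastion_hosts_yaml_maps,local.bastion_hosts_yaml_maps)` lets the local's `managed_svc_ports` key silently win over any caller-supplied key of the same name; a distinct name such as `managed_svc_yaml_maps` avoids both the shadowing and the ambiguity. The value is now a `yamlencode(...)` string rather than a map, so the inventory template must splice it with `indent()` (or the consumer must parse it) for the rendered YAML to stay valid; that side is outside this hunk, so please confirm it. `terraform fmt` also expects a space after the comma in the `merge()` call.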
@@ -92,14 +92,13 @@ locals { external_stateful_resource_instance_addresses = { for address in data.gitlab_project_variable.external_stateful_resource_instance_address : address.key => address.value } - managed_svc_port_maps = { for service in local.managed_stateful_resources : - service.resource_name => { + managed_svc_port_maps = [ for service in local.managed_stateful_resources : + { "port" = service.logical_service_config.logical_service_port "name" = service.resource_name "dest" = local.external_stateful_resource_instance_addresses[service.external_resource_config.instance_address_key_name] } - } - + ] bastion_hosts_yaml_maps = { managed_svc_ports = yamlencode(local.managed_svc_port_maps) } From 309d61f7b54ee3ec73be761c25f7a5a6e03d4df9 Mon Sep 17 00:00:00 2001 From: Sijo George Date: Fri, 10 May 2024 13:37:10 +0530 Subject: [PATCH 165/201] change in inventory map --- terraform/ansible/k8s-deploy/ansible.tf | 8 +++++--- .../k8s/default-config/mojaloop-stateful-resources.json | 2 ++ 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/terraform/ansible/k8s-deploy/ansible.tf b/terraform/ansible/k8s-deploy/ansible.tf index f0839f684..940e888b0 100644 --- a/terraform/ansible/k8s-deploy/ansible.tf +++ b/terraform/ansible/k8s-deploy/ansible.tf @@ -94,9 +94,11 @@ locals { managed_svc_port_maps = [ for service in local.managed_stateful_resources : { - "port" = service.logical_service_config.logical_service_port - "name" = service.resource_name - "dest" = local.external_stateful_resource_instance_addresses[service.external_resource_config.instance_address_key_name] + "local_listening_port" = service.logical_service_config.logical_service_port + "mode" = service.communication_mode + "name" = service.resource_name + "dest_fqdn" = local.external_stateful_resource_instance_addresses[service.external_resource_config.instance_address_key_name] + "dest_port" = service.external_resource_config.port } ] bastion_hosts_yaml_maps = { 
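Review bot: `service.communication_mode` and `service.external_resource_config.port` in the second hunk are direct attribute accesses, and Terraform raises an unsupported-attribute error if any enabled `external_service` entry in the JSON lacks them; the JSON hunk that follows adds `communication_mode` to only two entries, both currently `external_service: false`. For the mode a default is reasonable, `"mode" = try(service.communication_mode, "tcp")`, whereas a missing destination port should fail loudly, so document it next to the `jsondecode(...)` line: `# every external_service entry must carry communication_mode and external_resource_config.port`. The `managed_stateful_resources` filter used here does not distinguish resource types, so the same keys are required of every managed resource.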
diff --git a/terraform/k8s/default-config/mojaloop-stateful-resources.json b/terraform/k8s/default-config/mojaloop-stateful-resources.json index 1084250b8..3619bc0c6 100644 --- a/terraform/k8s/default-config/mojaloop-stateful-resources.json +++ b/terraform/k8s/default-config/mojaloop-stateful-resources.json @@ -247,6 +247,7 @@ "enabled": true, "resource_name": "account-lookup-db", "resource_type": "mysql", + "communication_mode": "tcp", "external_service": false, "logical_service_config": { "logical_service_port": 3306, @@ -384,6 +385,7 @@ "enabled": true, "resource_name": "central-ledger-db", "resource_type": "mysql", + "communication_mode": "tcp", "external_service": false, "logical_service_config": { "logical_service_port": 3306, From 9dcb1d688a6287e0809a54b172e8b2c9ff997117 Mon Sep 17 00:00:00 2001 From: Sijo George Date: Fri, 10 May 2024 18:00:59 +0530 Subject: [PATCH 166/201] Adding managed kafka --- terraform/ansible/k8s-deploy/ansible.tf | 22 ++++++++++++++++--- .../mojaloop-stateful-resources.json | 3 +++ 2 files changed, 22 insertions(+), 3 deletions(-) diff --git a/terraform/ansible/k8s-deploy/ansible.tf b/terraform/ansible/k8s-deploy/ansible.tf index 940e888b0..d260070bd 100644 --- a/terraform/ansible/k8s-deploy/ansible.tf +++ b/terraform/ansible/k8s-deploy/ansible.tf 
@@ -88,11 +88,15 @@ locals {
 stateful_resources = jsondecode(file(var.stateful_resources_config_file))
 enabled_stateful_resources = { for stateful_resource in local.stateful_resources : stateful_resource.resource_name => stateful_resource if stateful_resource.enabled }
- managed_stateful_resources = { for managed_resource in local.enabled_stateful_resources : managed_resource.resource_name => managed_resource if managed_resource.external_service }
+ managed_rds_stateful_resources = { for managed_resource in local.enabled_stateful_resources : managed_resource.resource_name => managed_resource if managed_resource.external_service && managed_service.resource_type == "mysql" }
+ managed_kafka_stateful_resources = { for managed_resource in local.enabled_stateful_resources : managed_resource.resource_name => managed_resource if managed_resource.external_service && managed_service.resource_type == "kafka" }
+
 external_stateful_resource_instance_addresses = { for address in data.gitlab_project_variable.external_stateful_resource_instance_address : address.key => address.value }
+ managed_kafka_brokers_list = { for service in local.managed_kafka_stateful_resources : service.resource_name => split(",",local.external_stateful_resource_instance_addresses[service.external_resource_config.instance_address_key_name]) }
+
- managed_svc_port_maps = [ for service in local.managed_stateful_resources :
+ managed_rds_svc_port_maps = [ for service in local.managed_rds_stateful_resources :
 {
 "local_listening_port" = service.logical_service_config.logical_service_port
 "mode" = service.communication_mode 
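Review bot: `managed_service.resource_type == "mysql"` (and the `"kafka"` filter on the next added line) refers to `managed_service`, which is not the loop variable; Terraform parses it as a reference to a resource of type `managed_service` and fails with an undeclared-resource error. The loop variable is `managed_resource`, so the filters should read `if managed_resource.external_service && managed_resource.resource_type == "mysql"` and `... == "kafka"`; the formatting commit at the end of this series (PATCH 167) carries the typo forward. This hunk also removes `local.managed_stateful_resources`, which the `data "gitlab_project_variable"` block added in PATCH 156 uses as its `for_each`; that block is not touched here, so unless it was updated elsewhere it needs `for_each = merge(local.managed_rds_stateful_resources, local.managed_kafka_stateful_resources)`. The `locals` block continues past the hunk.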
@@ -101,7 +105,19 @@ locals { "dest_port" = service.external_resource_config.port } ] + + managed_kafka_svc_maps = [ for service in local.managed_kafka_stateful_resources : + { + "local_listening_port" = service.logical_service_config.logical_service_port + "managed_kafka_brokers_list" = managed_kafka_brokers_list[service.resource_name] + "mode" = service.communication_mode + "name" = service.resource_name + "dest_port" = service.external_resource_config.port + } + + ] bastion_hosts_yaml_maps = { - managed_svc_ports = yamlencode(local.managed_svc_port_maps) + managed_rds_svc = yamlencode(local.managed_rds_svc_port_maps) + managed_kafka_svc = yamlencode(local.managed_kafka_svc_maps) } } \ No newline at end of file diff --git a/terraform/k8s/default-config/mojaloop-stateful-resources.json b/terraform/k8s/default-config/mojaloop-stateful-resources.json index 3619bc0c6..2fdc34b4e 100644 --- a/terraform/k8s/default-config/mojaloop-stateful-resources.json +++ b/terraform/k8s/default-config/mojaloop-stateful-resources.json @@ -655,6 +655,8 @@ "enabled": true, "resource_name": "mojaloop-kafka", "resource_type": "kafka", + "instance_address_key_name": "mojaloop-kafka-brokers", + "communication_mode": "http", "external_service": false, "logical_service_config": { "logical_service_port": 9092, @@ -909,6 +911,7 @@ }, "external_resource_config": { "name": "mks", + "port": 9092, "kafka_version": "3.4.0", "number_of_broker_nodes": 3, "enhanced_monitoring": "PER_TOPIC_PER_PARTITION", From 3b64439f0ebe55b5ec10e8c786cf317b98c9ffe3 Mon Sep 17 00:00:00 2001 From: Sijo George Date: Fri, 10 May 2024 18:07:09 +0530 Subject: [PATCH 167/201] Formatting ansible tf --- terraform/ansible/k8s-deploy/ansible.tf | 72 ++++++++++++------------- 1 file changed, 36 insertions(+), 36 deletions(-) diff --git a/terraform/ansible/k8s-deploy/ansible.tf b/terraform/ansible/k8s-deploy/ansible.tf index d260070bd..09b2e0a5f 100644 --- a/terraform/ansible/k8s-deploy/ansible.tf 
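Review bot: `"managed_kafka_brokers_list" = managed_kafka_brokers_list[service.resource_name]` is missing the `local.` prefix, so it is an undeclared reference; it should be `local.managed_kafka_brokers_list[service.resource_name]`. In the JSON hunk, `instance_address_key_name` for `mojaloop-kafka` is added at the resource's top level, but the HCL reads `service.external_resource_config.instance_address_key_name`; the partial `external_resource_config` shown in the second JSON hunk does not show that key, so if it is absent there the broker lookup fails with an unsupported-attribute error. `"communication_mode": "http"` for Kafka also looks wrong if this value ends up as an HAProxy `mode` directive, since Kafka's wire protocol is not HTTP and needs a `tcp` listener like the MySQL entries; please confirm how `mode` is consumed on the bastion before merging.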
+++ b/terraform/ansible/k8s-deploy/ansible.tf @@ -12,7 +12,7 @@ resource "local_sensitive_file" "ansible_inventory" { all_hosts_var_maps = merge(var.all_hosts_var_maps, local.ssh_private_key_file_map, local.all_hosts_var_maps), agent_hosts_yaml_maps = var.agent_hosts_yaml_maps, master_hosts_yaml_maps = var.master_hosts_yaml_maps, - bastion_hosts_yaml_maps = merge(var.bastion_hosts_yaml_maps,local.bastion_hosts_yaml_maps) + bastion_hosts_yaml_maps = merge(var.bastion_hosts_yaml_maps, local.bastion_hosts_yaml_maps) test_harness_hosts = var.test_harness_hosts, test_harness_hosts_var_maps = merge(var.test_harness_hosts_var_maps, local.jumphostmap) } @@ -36,7 +36,7 @@ resource "null_resource" "run_ansible" { EOT working_dir = path.module } - + depends_on = [ local_sensitive_file.ansible_inventory, local_sensitive_file.ec2_ssh_key @@ -53,12 +53,12 @@ resource "null_resource" "destroy_ansible_actions" { ansible-playbook "$destroy_ansible_playbook" -i "$destroy_ansible_inventory" EOT working_dir = path.module - } + } - depends_on = [ + depends_on = [ local_sensitive_file.ansible_inventory, local_sensitive_file.ec2_ssh_key, - ] + ] } 
@@ -85,39 +85,39 @@ locals { all_hosts_var_maps = { kubeconfig_local_location = local.ansible_output_dir } - - stateful_resources = jsondecode(file(var.stateful_resources_config_file)) - enabled_stateful_resources = { for stateful_resource in local.stateful_resources : stateful_resource.resource_name => stateful_resource if stateful_resource.enabled } - managed_rds_stateful_resources = { for managed_resource in local.enabled_stateful_resources : managed_resource.resource_name => managed_resource if managed_resource.external_service && managed_service.resource_type == "mysql" } - managed_kafka_stateful_resources = { for managed_resource in local.enabled_stateful_resources : managed_resource.resource_name => managed_resource if managed_resource.external_service && managed_service.resource_type == "kafka" } - + stateful_resources = jsondecode(file(var.stateful_resources_config_file)) + enabled_stateful_resources = { for stateful_resource in local.stateful_resources : stateful_resource.resource_name => stateful_resource if stateful_resource.enabled } + managed_rds_stateful_resources = { for managed_resource in local.enabled_stateful_resources : managed_resource.resource_name => managed_resource if managed_resource.external_service && managed_service.resource_type == "mysql" } + managed_kafka_stateful_resources = { for managed_resource in local.enabled_stateful_resources : managed_resource.resource_name => managed_resource if managed_resource.external_service && managed_service.resource_type == "kafka" } + + external_stateful_resource_instance_addresses = { for address in data.gitlab_project_variable.external_stateful_resource_instance_address : address.key => address.value } - managed_kafka_brokers_list = { for service in local.managed_kafka_stateful_resources : service.resource_name => split(",",local.external_stateful_resource_instance_addresses[service.external_resource_config.instance_address_key_name]) } - - - managed_rds_svc_port_maps = [ for service in 
local.managed_rds_stateful_resources : - { - "local_listening_port" = service.logical_service_config.logical_service_port - "mode" = service.communication_mode - "name" = service.resource_name - "dest_fqdn" = local.external_stateful_resource_instance_addresses[service.external_resource_config.instance_address_key_name] - "dest_port" = service.external_resource_config.port - } - ] - - managed_kafka_svc_maps = [ for service in local.managed_kafka_stateful_resources : - { - "local_listening_port" = service.logical_service_config.logical_service_port - "managed_kafka_brokers_list" = managed_kafka_brokers_list[service.resource_name] - "mode" = service.communication_mode - "name" = service.resource_name - "dest_port" = service.external_resource_config.port - } - - ] + managed_kafka_brokers_list = { for service in local.managed_kafka_stateful_resources : service.resource_name => split(",", local.external_stateful_resource_instance_addresses[service.external_resource_config.instance_address_key_name]) } + + + managed_rds_svc_port_maps = [for service in local.managed_rds_stateful_resources : + { + "local_listening_port" = service.logical_service_config.logical_service_port + "mode" = service.communication_mode + "name" = service.resource_name + "dest_fqdn" = local.external_stateful_resource_instance_addresses[service.external_resource_config.instance_address_key_name] + "dest_port" = service.external_resource_config.port + } + ] + + managed_kafka_svc_maps = [for service in local.managed_kafka_stateful_resources : + { + "local_listening_port" = service.logical_service_config.logical_service_port + "managed_kafka_brokers_list" = managed_kafka_brokers_list[service.resource_name] + "mode" = service.communication_mode + "name" = service.resource_name + "dest_port" = service.external_resource_config.port + } + + ] bastion_hosts_yaml_maps = { - managed_rds_svc = yamlencode(local.managed_rds_svc_port_maps) - managed_kafka_svc = yamlencode(local.managed_kafka_svc_maps) + 
managed_rds_svc = yamlencode(local.managed_rds_svc_port_maps) + managed_kafka_svc = yamlencode(local.managed_kafka_svc_maps) } } \ No newline at end of file From 1d06ef694395efe20f50fd1b54754d1138011310 Mon Sep 17 00:00:00 2001 From: Muzammil Date: Fri, 10 May 2024 17:46:51 +0500 Subject: [PATCH 168/201] IPROD-694: Enable loki metrics monitoring (#268) --- .../templates/monitoring/install/values-loki.yaml.tpl | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/terraform/gitops/generate-files/templates/monitoring/install/values-loki.yaml.tpl b/terraform/gitops/generate-files/templates/monitoring/install/values-loki.yaml.tpl index c43b8ae2f..e4da71be7 100644 --- a/terraform/gitops/generate-files/templates/monitoring/install/values-loki.yaml.tpl +++ b/terraform/gitops/generate-files/templates/monitoring/install/values-loki.yaml.tpl @@ -27,6 +27,12 @@ loki: secret_access_key: $${MINIO_LOKI_PASSWORD} bucketnames: ${minio_loki_bucket} +metrics: + enabled: true + serviceMonitor: + enabled: true + + # NOTE: make sure all components which are running have node affinity enabled for monitoring nodes ingester: persistence: From 87939c0eff5e32c289d4222dd203a822189d7caf Mon Sep 17 00:00:00 2001 From: Sijo George Date: Fri, 10 May 2024 18:52:12 +0530 Subject: [PATCH 169/201] Change in ref obj --- terraform/ansible/k8s-deploy/ansible.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/ansible/k8s-deploy/ansible.tf b/terraform/ansible/k8s-deploy/ansible.tf index 09b2e0a5f..da87a513f 100644 --- a/terraform/ansible/k8s-deploy/ansible.tf +++ b/terraform/ansible/k8s-deploy/ansible.tf 
@@ -88,8 +88,8 @@ locals { stateful_resources = jsondecode(file(var.stateful_resources_config_file)) enabled_stateful_resources = { for stateful_resource in local.stateful_resources : stateful_resource.resource_name => stateful_resource if stateful_resource.enabled } - managed_rds_stateful_resources = { for managed_resource in local.enabled_stateful_resources : managed_resource.resource_name => managed_resource if managed_resource.external_service && managed_service.resource_type == "mysql" } - managed_kafka_stateful_resources = { for managed_resource in local.enabled_stateful_resources : managed_resource.resource_name => managed_resource if managed_resource.external_service && managed_service.resource_type == "kafka" } + managed_rds_stateful_resources = { for managed_resource in local.enabled_stateful_resources : managed_resource.resource_name => managed_resource if managed_resource.external_service && managed_resource.resource_type == "mysql" } + managed_kafka_stateful_resources = { for managed_resource in local.enabled_stateful_resources : managed_resource.resource_name => managed_resource if managed_resource.external_service && managed_resource.resource_type == "kafka" } external_stateful_resource_instance_addresses = { for address in data.gitlab_project_variable.external_stateful_resource_instance_address : address.key => address.value } From 2fc9f33c8e37dc5c3bd1067015ca9406c68341f4 Mon Sep 17 00:00:00 2001 From: Sijo George Date: Fri, 10 May 2024 19:08:50 +0530 Subject: [PATCH 170/201] Separating msk and rds --- terraform/ansible/k8s-deploy/ansible.tf | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/terraform/ansible/k8s-deploy/ansible.tf b/terraform/ansible/k8s-deploy/ansible.tf index da87a513f..1e8fe1c22 100644 --- a/terraform/ansible/k8s-deploy/ansible.tf +++ b/terraform/ansible/k8s-deploy/ansible.tf 
@@ -68,12 +68,19 @@ resource "local_sensitive_file" "ec2_ssh_key" { file_permission = "0600" } -data "gitlab_project_variable" "external_stateful_resource_instance_address" { - for_each = local.managed_stateful_resources +data "gitlab_project_variable" "external_rds_stateful_resource_instance_address" { + for_each = local.managed_rds_stateful_resources project = var.current_gitlab_project_id key = each.value.external_resource_config.instance_address_key_name } +data "gitlab_project_variable" "external_kafka_stateful_resource_instance_address" { + for_each = local.managed_kafka_stateful_resources + project = var.current_gitlab_project_id + key = each.value.external_resource_config.instance_address_key_name +} + + locals { jumphostmap = { ansible_ssh_common_args = "-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o ProxyCommand=\"ssh -W %h:%p -i ${local_sensitive_file.ec2_ssh_key.filename} -o StrictHostKeyChecking=no -q ${var.ansible_bastion_os_username}@${var.ansible_bastion_public_ip}\"" 
@@ -92,8 +99,9 @@ locals { managed_kafka_stateful_resources = { for managed_resource in local.enabled_stateful_resources : managed_resource.resource_name => managed_resource if managed_resource.external_service && managed_resource.resource_type == "kafka" } - external_stateful_resource_instance_addresses = { for address in data.gitlab_project_variable.external_stateful_resource_instance_address : address.key => address.value } - managed_kafka_brokers_list = { for service in local.managed_kafka_stateful_resources : service.resource_name => split(",", local.external_stateful_resource_instance_addresses[service.external_resource_config.instance_address_key_name]) } + external_rds_stateful_resource_instance_addresses = { for address in data.gitlab_project_variable.external_rds_stateful_resource_instance_address : address.key => address.value } + + managed_kafka_brokers_list = { for service in local.managed_kafka_stateful_resources : service.resource_name => split(",", local.external_kafka_stateful_resource_instance_address[service.external_resource_config.instance_address_key_name]) } managed_rds_svc_port_maps = [for service in local.managed_rds_stateful_resources : @@ -101,7 +109,7 @@ locals { "local_listening_port" = service.logical_service_config.logical_service_port "mode" = service.communication_mode "name" = service.resource_name - "dest_fqdn" = local.external_stateful_resource_instance_addresses[service.external_resource_config.instance_address_key_name] + "dest_fqdn" = local.external_rds_stateful_resource_instance_addresses[service.external_resource_config.instance_address_key_name] "dest_port" = service.external_resource_config.port } ] 
@@ -109,7 +117,7 @@ locals { managed_kafka_svc_maps = [for service in local.managed_kafka_stateful_resources : { "local_listening_port" = service.logical_service_config.logical_service_port - "managed_kafka_brokers_list" = managed_kafka_brokers_list[service.resource_name] + "managed_kafka_brokers_list" = local.managed_kafka_brokers_list[service.resource_name] "mode" = service.communication_mode "name" = service.resource_name "dest_port" = service.external_resource_config.port From 5d67df86eeb1b69bef936482bfb672f6c3fe63f2 Mon Sep 17 00:00:00 2001 From: Sijo George Date: Fri, 10 May 2024 19:15:56 +0530 Subject: [PATCH 171/201] adding local external_kafka_stateful_resource_instance_addresses --- terraform/ansible/k8s-deploy/ansible.tf | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/terraform/ansible/k8s-deploy/ansible.tf b/terraform/ansible/k8s-deploy/ansible.tf index 1e8fe1c22..c23093dba 100644 --- a/terraform/ansible/k8s-deploy/ansible.tf +++ b/terraform/ansible/k8s-deploy/ansible.tf @@ -100,8 +100,10 @@ locals { external_rds_stateful_resource_instance_addresses = { for address in data.gitlab_project_variable.external_rds_stateful_resource_instance_address : address.key => address.value } + external_kafka_stateful_resource_instance_addresses = { for address in data.gitlab_project_variable.external_kafka_stateful_resource_instance_address : address.key => address.value } + - managed_kafka_brokers_list = { for service in local.managed_kafka_stateful_resources : service.resource_name => split(",", local.external_kafka_stateful_resource_instance_address[service.external_resource_config.instance_address_key_name]) } + managed_kafka_brokers_list = { for service in local.managed_kafka_stateful_resources : service.resource_name => split(",", local.external_kafka_stateful_resource_instance_addresses[service.external_resource_config.instance_address_key_name]) } managed_rds_svc_port_maps = [for service in local.managed_rds_stateful_resources : 
From 7d1d640ccd5b5f8451f7bed9c8f20b7f11d97d80 Mon Sep 17 00:00:00 2001
From: Sijo George
Date: Fri, 10 May 2024 19:52:46 +0530
Subject: [PATCH 172/201] Adding sg rule for kafka access
---
 .../deploy-managed-svcs/security-groups.tf | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/terraform/aws/support-svcs/deploy-managed-svcs/security-groups.tf b/terraform/aws/support-svcs/deploy-managed-svcs/security-groups.tf
index f2eedff00..53fc3f92e 100644
--- a/terraform/aws/support-svcs/deploy-managed-svcs/security-groups.tf
+++ b/terraform/aws/support-svcs/deploy-managed-svcs/security-groups.tf
@@ -20,6 +20,17 @@ resource "aws_security_group_rule" "mysql" {
 description = "mysql client access"
 }
+resource "aws_security_group_rule" "kafka" {
+ count = length(local.msk_services) > 0 ? 1 : 0
+ type = "ingress"
+ from_port = 9094
+ to_port = 9094
+ protocol = "tcp"
+ cidr_blocks = ["0.0.0.0/0"]
+ security_group_id = aws_security_group.managed_svcs[0].id
+ description = "kafka broker access"
+}
+
 resource "aws_security_group_rule" "egress_all" {
 count = length(local.external_services) > 0 ? 1 : 0
 type = "egress"
From 2b2ea6298282a5f57c3c0216be9abf3745d24af3 Mon Sep 17 00:00:00 2001
From: Muzammil
Date: Tue, 14 May 2024 11:12:28 +0500
Subject: [PATCH 173/201] IPROD-694: Add dashboards for monitoring loki (#269)
---
 .../monitoring/install/values-loki.yaml.tpl | 4 +-
 .../post-config/dashboards/loki.yaml.tpl | 42 +++++++++++++++++++
 .../post-config/monitoring-crs.yaml.tpl | 9 ++++
 .../service-monitors/loki.yaml.tpl | 23 ++++++++++
 .../gitops/k8s-cluster-config/monitoring.tf | 2 +
 terraform/k8s/default-config/common-vars.yaml | 1 +
 6 files changed, 80 insertions(+), 1 deletion(-)
 create mode 100644 terraform/gitops/generate-files/templates/monitoring/post-config/dashboards/loki.yaml.tpl
 create mode 100644 terraform/gitops/generate-files/templates/monitoring/post-config/service-monitors/loki.yaml.tpl
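Review bot: The new `kafka` rule opens broker port 9094 to `cidr_blocks = ["0.0.0.0/0"]`, which exposes the managed Kafka listener to every source that can reach the `managed_svcs` security group, while the only intended client shown on this page is the bastion proxy inside the VPC. Restrict the rule to the private network range (`cidr_blocks = [<vpc-cidr placeholder>]`) or, better, use `source_security_group_id` pointing at the bastion or cluster security group instead of a CIDR. Separately, the stateful-resources config earlier on this page declares `"port": 9092` for `mojaloop-kafka` whereas this rule opens only 9094; unless both listeners are meant to be used, one of the two will be unreachable, so align the port with the cluster's `encryption_in_transit_client_broker` mode.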
diff --git a/terraform/gitops/generate-files/templates/monitoring/install/values-loki.yaml.tpl b/terraform/gitops/generate-files/templates/monitoring/install/values-loki.yaml.tpl index e4da71be7..ec6852bc5 100644 --- a/terraform/gitops/generate-files/templates/monitoring/install/values-loki.yaml.tpl +++ b/terraform/gitops/generate-files/templates/monitoring/install/values-loki.yaml.tpl @@ -6,6 +6,8 @@ loki: shared_store: s3 limits_config: retention_period: ${loki_ingester_retention_period} + ingester: + max_chunk_age: ${loki_ingester_max_chunk_age} schema_config: configs: - from: 2020-10-24 @@ -30,7 +32,7 @@ loki: metrics: enabled: true serviceMonitor: - enabled: true + enabled: true # NOTE: make sure all components which are running have node affinity enabled for monitoring nodes diff --git a/terraform/gitops/generate-files/templates/monitoring/post-config/dashboards/loki.yaml.tpl b/terraform/gitops/generate-files/templates/monitoring/post-config/dashboards/loki.yaml.tpl new file mode 100644 index 000000000..1abd82f14 --- /dev/null +++ b/terraform/gitops/generate-files/templates/monitoring/post-config/dashboards/loki.yaml.tpl 
@@ -0,0 +1,42 @@ +apiVersion: grafana.integreatly.org/v1beta1 +kind: GrafanaDashboard +metadata: + name: loki-chunks +spec: + folder: monitoring + datasources: + - inputName: "DS_PROMETHEUS" + datasourceName: "Prometheus" + instanceSelector: + matchLabels: + dashboards: "grafana" + url: "https://raw.githubusercontent.com/grafana/loki/v3.0.0/production/helm/loki/src/dashboards/loki-chunks.json" +--- +apiVersion: grafana.integreatly.org/v1beta1 +kind: GrafanaDashboard +metadata: + name: loki-deletion +spec: + folder: monitoring + datasources: + - inputName: "DS_PROMETHEUS" + datasourceName: "Prometheus" + instanceSelector: + matchLabels: + dashboards: "grafana" + url: "https://raw.githubusercontent.com/grafana/loki/v3.0.0/production/helm/loki/src/dashboards/loki-deletion.json" +--- +apiVersion: grafana.integreatly.org/v1beta1 +kind: GrafanaDashboard +metadata: + name: loki-logs +spec: + folder: monitoring + datasources: + - inputName: "DS_PROMETHEUS" + datasourceName: "Prometheus" + instanceSelector: + matchLabels: + dashboards: "grafana" + url: "https://raw.githubusercontent.com/grafana/loki/v3.0.0/production/helm/loki/src/dashboards/loki-logs.json" +--- diff --git a/terraform/gitops/generate-files/templates/monitoring/post-config/monitoring-crs.yaml.tpl b/terraform/gitops/generate-files/templates/monitoring/post-config/monitoring-crs.yaml.tpl index 7cb2be9e7..bd6aff4af 100644 --- a/terraform/gitops/generate-files/templates/monitoring/post-config/monitoring-crs.yaml.tpl +++ b/terraform/gitops/generate-files/templates/monitoring/post-config/monitoring-crs.yaml.tpl @@ -117,6 +117,15 @@ spec: dashboards: "grafana" --- apiVersion: grafana.integreatly.org/v1beta1 +kind: GrafanaFolder +metadata: + name: monitoring +spec: + instanceSelector: + matchLabels: + dashboards: "grafana" +--- +apiVersion: grafana.integreatly.org/v1beta1 kind: GrafanaDashboard metadata: name: mysql 
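Review bot: Each `GrafanaDashboard` fetches its JSON at runtime from `raw.githubusercontent.com` at the `v3.0.0` tag, so dashboard content comes from outside the cluster on every reconcile and depends on GitHub reachability, and a git tag can be moved, so the content is not actually pinned. Pin the `url` to a commit SHA, or vendor the three JSON files into this repository and reference them from the CR, so the rendered dashboards are reproducible and reviewable. If the monitoring namespace has restricted egress, confirm the grafana-operator is allowed to reach that host; otherwise the dashboards will silently never appear.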
diff --git a/terraform/gitops/generate-files/templates/monitoring/post-config/service-monitors/loki.yaml.tpl b/terraform/gitops/generate-files/templates/monitoring/post-config/service-monitors/loki.yaml.tpl new file mode 100644 index 000000000..a72c8ce41 --- /dev/null +++ b/terraform/gitops/generate-files/templates/monitoring/post-config/service-monitors/loki.yaml.tpl @@ -0,0 +1,23 @@ +# WARNING: This service monitoring is added to make loki-chunks dashboard happy with job label. +# In the long run, we should fix the loki-chunk dashboard job label using mixins + +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: loki-ingester-custom-servicemonitor-temporary + annotations: + app.kubernetes.io/description: "Allows scraping loki metrics with custom job label to support hardcoded job value in dashboards." +spec: + namespaceSelector: + matchNames: [${monitoring_namespace}] + selector: + matchLabels: + app.kubernetes.io/part-of: grafana-loki + app.kubernetes.io/component: ingester + endpoints: + - port: http + relabelings: + - sourceLabels: [] + action: replace + targetLabel: job + replacement: ${monitoring_namespace}/loki-write diff --git a/terraform/gitops/k8s-cluster-config/monitoring.tf b/terraform/gitops/k8s-cluster-config/monitoring.tf index 371892ae3..cbb8aaa9f 100644 --- a/terraform/gitops/k8s-cluster-config/monitoring.tf +++ b/terraform/gitops/k8s-cluster-config/monitoring.tf 
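Review bot: The two templated scalars in the new ServiceMonitor are unquoted, `matchNames: [${monitoring_namespace}]` and `replacement: ${monitoring_namespace}/loki-write`, so an empty expansion becomes `[null]`/`null` and a value containing YAML specials would change the parse; write them as `matchNames: ["${monitoring_namespace}"]` and `replacement: "${monitoring_namespace}/loki-write"`. The header comment calls the object temporary; add a tracking reference (an issue id placeholder is fine) next to `loki-ingester-custom-servicemonitor-temporary` so the overriding `job` relabeling is not forgotten once the dashboard's job label is fixed upstream.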
@@ -34,6 +34,7 @@ module "generate_monitoring_files" { prometheus_pvc_size = try(var.common_var_map.prometheus_pvc_size, local.prometheus_pvc_size) loki_retention_enabled = try(var.common_var_map.loki_retention_enabled, local.loki_retention_enabled) loki_ingester_retention_period = try(var.common_var_map.loki_ingester_retention_period, local.loki_ingester_retention_period) + loki_ingester_max_chunk_age = try(var.common_var_map.loki_ingester_max_chunk_age, local.loki_ingester_max_chunk_age) prometheus_retention_period = try(var.common_var_map.prometheus_retention_period, local.prometheus_retention_period) alertmanager_enabled = try(var.common_var_map.alertmanager_enabled, false) minio_loki_credentials_secret_name = "minio-loki-credentials-secret" @@ -124,6 +125,7 @@ locals { prometheus_pvc_size = "50Gi" loki_retention_enabled = true loki_ingester_retention_period = "72h" + loki_ingester_max_chunk_age = "2h" prometheus_retention_period = "10d" tempo_retention_period = "72h" prom_tsdb_min_block_duration = "30m" diff --git a/terraform/k8s/default-config/common-vars.yaml b/terraform/k8s/default-config/common-vars.yaml index 06591f743..f982d59c6 100644 --- a/terraform/k8s/default-config/common-vars.yaml +++ b/terraform/k8s/default-config/common-vars.yaml @@ -30,6 +30,7 @@ loki_ingester_pvc_size: 10Gi prometheus_pvc_size: 50Gi loki_retention_enabled: true loki_ingester_retention_period: 72h +loki_ingester_max_chunk_age: 2h prometheus_retention_period: 10d tempo_retention_period: 72h istio_egress_gateway_max_replicas: 5 From 783da32c493c9ab7f1430f20b93e55ea5b1c6a5e Mon Sep 17 00:00:00 2001 
From: Kalin Krustev Date: Tue, 14 May 2024 12:50:46 +0300 Subject: [PATCH 174/201] feat: re-generate apps in branch pipeline (#257) * feat: re-generate apps in branch pipeline * remove unused property * small fixes * fix mocks * set defaults * set defaults --- .../ci-templates/k8s-cluster/.gitlab-ci.yml | 16 ++++++- .../k8s/ansible-k8s-deploy/terragrunt.hcl | 8 +++- .../terragrunt.hcl | 6 ++- terraform/k8s/gitops-build/terragrunt.hcl | 48 +++++++++++++------ terraform/k8s/k8s-deploy/terragrunt.hcl | 6 ++- terraform/k8s/k8s-store-config/terragrunt.hcl | 14 ++++-- terraform/k8s/managed-services/terragrunt.hcl | 6 ++- 7 files changed, 76 insertions(+), 28 deletions(-) diff --git a/terraform/gitlab/ci-templates/k8s-cluster/.gitlab-ci.yml b/terraform/gitlab/ci-templates/k8s-cluster/.gitlab-ci.yml index c70841682..ee5511fb4 100644 --- a/terraform/gitlab/ci-templates/k8s-cluster/.gitlab-ci.yml +++ b/terraform/gitlab/ci-templates/k8s-cluster/.gitlab-ci.yml @@ -12,7 +12,7 @@ workflow: # This comes from https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Workflows/MergeRequest-Pipelines.gitlab-ci.yml - if: $CI_MERGE_REQUEST_IID - if: $CI_COMMIT_TAG - - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH + - if: $CI_COMMIT_BRANCH stages: - prepare @@ -119,6 +119,8 @@ fmt: when: manual init: + rules: + - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH stage: init id_tokens: VAULT_ID_TOKEN: 
@@ -206,3 +208,15 @@ destroy: - terragrunt run-all destroy --terragrunt-non-interactive -input=false - .gitlab/scripts/cleanapps.sh $CI_PROJECT_PATH $CI_SERVER_HOST $CI_COMMIT_REF_NAME $GITOPS_BUILD_OUTPUT_DIR $GITLAB_CI_PAT $ARGO_CD_ROOT_APP_PATH when: manual + +apps: + stage: deploy + rules: + - if: $CI_COMMIT_BRANCH != $CI_DEFAULT_BRANCH && $CI_COMMIT_BRANCH + id_tokens: + VAULT_ID_TOKEN: + aud: $VAULT_SERVER_URL + script: + - !reference [.source, script] + - terragrunt run-all apply --terragrunt-non-interactive -input=false + - .gitlab/scripts/pushtorepo.sh $CI_PROJECT_PATH $CI_SERVER_HOST $CI_COMMIT_REF_NAME $GITOPS_BUILD_OUTPUT_DIR $GITLAB_CI_PAT $ARGO_CD_ROOT_APP_PATH \ No newline at end of file diff --git a/terraform/k8s/ansible-k8s-deploy/terragrunt.hcl b/terraform/k8s/ansible-k8s-deploy/terragrunt.hcl index 7fd769542..5d0feedce 100644 --- a/terraform/k8s/ansible-k8s-deploy/terragrunt.hcl +++ b/terraform/k8s/ansible-k8s-deploy/terragrunt.hcl @@ -22,7 +22,8 @@ dependency "k8s_deploy" { bastion_public_ip = "null" haproxy_server_fqdn = "null" } - mock_outputs_allowed_terraform_commands = ["init", "validate", "plan", "show"] + skip_outputs = local.skip_outputs + mock_outputs_allowed_terraform_commands = local.skip_outputs ? ["init", "validate", "plan", "show", "apply"] : ["init", "validate", "plan", "show"] mock_outputs_merge_strategy_with_state = "shallow" } @@ -40,7 +41,7 @@ inputs = { }) agent_hosts_var_maps = dependency.k8s_deploy.outputs.agent_hosts_var_maps master_hosts_var_maps = dependency.k8s_deploy.outputs.master_hosts_var_maps - all_hosts_var_maps = merge(dependency.k8s_deploy.outputs.all_hosts_var_maps, local.all_hosts_var_maps, + all_hosts_var_maps = merge(dependency.k8s_deploy.outputs.all_hosts_var_maps, local.all_hosts_var_maps, { registry_mirror_fqdn = dependency.k8s_deploy.outputs.haproxy_server_fqdn }, (local.K8S_CLUSTER_TYPE == "microk8s") ? { 
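Review bot: The new `apps` job runs automatically on every non-default branch (no `when: manual`), and together with the workflow rule change to `- if: $CI_COMMIT_BRANCH` in the earlier hunk this means any branch push now executes `terragrunt run-all apply` and a push using `$GITLAB_CI_PAT` under a Vault ID token. Gate it on protected branches, e.g. `- if: $CI_COMMIT_REF_PROTECTED == "true" && $CI_COMMIT_BRANCH != $CI_DEFAULT_BRANCH`, or add `when: manual`, and confirm the Vault role bound to `VAULT_ID_TOKEN` and the PAT scope are acceptable for unprotected branches. The `skip =` lines added in the following terragrunt hunks limit which units apply on a branch, but the gitops-build unit still writes to the GitOps repository. The file also ends without a trailing newline.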
@@ -63,6 +64,7 @@ inputs = { } locals { + skip_outputs = get_env("CI_COMMIT_BRANCH") != get_env("CI_DEFAULT_BRANCH") env_vars = yamldecode( file("${find_in_parent_folders("${get_env("CONFIG_PATH")}/cluster-config.yaml")}")) common_vars = yamldecode(file("${find_in_parent_folders("${get_env("CONFIG_PATH")}/common-vars.yaml")}")) @@ -118,3 +120,5 @@ locals { include "root" { path = find_in_parent_folders() } + +skip = get_env("CI_COMMIT_BRANCH") != get_env("CI_DEFAULT_BRANCH") diff --git a/terraform/k8s/ansible-managed-svcs-deploy/terragrunt.hcl b/terraform/k8s/ansible-managed-svcs-deploy/terragrunt.hcl index 98f8195c3..6910abc44 100644 --- a/terraform/k8s/ansible-managed-svcs-deploy/terragrunt.hcl +++ b/terraform/k8s/ansible-managed-svcs-deploy/terragrunt.hcl @@ -11,7 +11,8 @@ dependency "managed_services" { bastion_os_username = "null" bastion_public_ip = "null" } - mock_outputs_allowed_terraform_commands = ["init", "validate", "plan", "show"] + skip_outputs = local.skip_outputs + mock_outputs_allowed_terraform_commands = local.skip_outputs ? ["init", "validate", "plan", "show", "apply"] : ["init", "validate", "plan", "show"] mock_outputs_merge_strategy_with_state = "shallow" } @@ -29,6 +30,7 @@ inputs = { } locals { + skip_outputs = get_env("CI_COMMIT_BRANCH") != get_env("CI_DEFAULT_BRANCH") env_vars = yamldecode( file("${find_in_parent_folders("${get_env("CONFIG_PATH")}/cluster-config.yaml")}")) common_vars = yamldecode(file("${find_in_parent_folders("${get_env("CONFIG_PATH")}/common-vars.yaml")}")) @@ -47,3 +49,5 @@ locals { include "root" { path = find_in_parent_folders() } + +skip = get_env("CI_COMMIT_BRANCH") != get_env("CI_DEFAULT_BRANCH") diff --git a/terraform/k8s/gitops-build/terragrunt.hcl b/terraform/k8s/gitops-build/terragrunt.hcl index 0d23bbdad..bc22db62d 100644 --- a/terraform/k8s/gitops-build/terragrunt.hcl +++ b/terraform/k8s/gitops-build/terragrunt.hcl 
@@ -14,28 +14,32 @@ dependency "k8s_store_config" { dependency "k8s_deploy" { config_path = "../k8s-deploy" mock_outputs = { - nat_public_ips = [""] - internal_load_balancer_dns = "" - external_load_balancer_dns = "" - private_subdomain = "" - public_subdomain = "" + nat_public_ips = local.cloud_platform_vars.nat_public_ips + internal_load_balancer_dns = local.cloud_platform_vars.internal_load_balancer_dns + external_load_balancer_dns = local.cloud_platform_vars.external_load_balancer_dns + private_subdomain = local.cloud_platform_vars.private_subdomain + public_subdomain = local.cloud_platform_vars.public_subdomain external_interop_switch_fqdn = "" internal_interop_switch_fqdn = "" - target_group_internal_https_port = 0 - target_group_internal_http_port = 0 - target_group_external_https_port = 0 - target_group_external_http_port = 0 + target_group_internal_https_port = local.cloud_platform_vars.target_group_internal_https_port + target_group_internal_http_port = local.cloud_platform_vars.target_group_internal_http_port + target_group_external_https_port = local.cloud_platform_vars.target_group_external_https_port + target_group_external_http_port = local.cloud_platform_vars.target_group_external_http_port properties_key_map = { + external_dns_credentials_client_id_name_key = "external_dns_credentials_client_id_name" + external_dns_credentials_client_secret_name_key = "external_dns_credentials_client_secret_name" + cert_manager_credentials_client_id_name_key = "cert_manager_credentials_client_id_name" + cert_manager_credentials_client_secret_name_key = "cert_manager_credentials_client_secret_name" } secrets_key_map = { - external_dns_cred_id_key = "mock" - external_dns_cred_secret_key = "mock" + external_dns_cred_id_key = "route53_external_dns_access_key" + external_dns_cred_secret_key = "route53_external_dns_secret_key" } - haproxy_server_fqdn = "null" - private_network_cidr = "" - dns_provider = "" + haproxy_server_fqdn = 
local.cloud_platform_vars.haproxy_server_fqdn + private_network_cidr = local.cloud_platform_vars.private_network_cidr + dns_provider = "aws" } - mock_outputs_allowed_terraform_commands = ["init", "validate", "plan", "show"] + mock_outputs_allowed_terraform_commands = local.skip_outputs ? ["init", "validate", "plan", "show", "apply"] : ["init", "validate", "plan", "show"] mock_outputs_merge_strategy_with_state = "shallow" } @@ -87,6 +91,7 @@ inputs = { } locals { + skip_outputs = get_env("CI_COMMIT_BRANCH") != get_env("CI_DEFAULT_BRANCH") env_vars = yamldecode(file("${find_in_parent_folders("${get_env("CONFIG_PATH")}/cluster-config.yaml")}")) tags = local.env_vars.tags gitlab_readonly_rbac_group = get_env("GITLAB_READONLY_RBAC_GROUP") @@ -95,6 +100,19 @@ locals { pm4ml_vars = yamldecode(file("${find_in_parent_folders("${get_env("CONFIG_PATH")}/pm4ml-vars.yaml")}")) mojaloop_vars = yamldecode(file("${find_in_parent_folders("${get_env("CONFIG_PATH")}/mojaloop-vars.yaml")}")) vnext_vars = yamldecode(file("${find_in_parent_folders("${get_env("CONFIG_PATH")}/vnext-vars.yaml")}")) + cloud_platform_vars = merge({ + nat_public_ips = [""], + internal_load_balancer_dns = "", + external_load_balancer_dns = "", + private_subdomain = "int.${replace(get_env("cluster_name"), "-", "")}.${get_env("domain")}", + public_subdomain = "${replace(get_env("cluster_name"), "-", "")}.${get_env("domain")}", + target_group_internal_https_port = 31443, + target_group_internal_http_port = 31080, + target_group_external_https_port = 32443, + target_group_external_http_port = 32080, + haproxy_server_fqdn = "haproxy.${replace(get_env("cluster_name"), "-", "")}.${get_env("domain")}", + private_network_cidr = "${get_env("vpc_cidr")}" + }, yamldecode(file("${find_in_parent_folders("${get_env("CONFIG_PATH")}/${get_env("cloud_platform")}-vars.yaml")}"))) GITLAB_SERVER_URL = get_env("GITLAB_SERVER_URL") GITOPS_BUILD_OUTPUT_DIR = get_env("GITOPS_BUILD_OUTPUT_DIR") CLUSTER_NAME = get_env("cluster_name") 
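Review bot: `dns_provider = "aws"` is the one mock value left hard-coded while its neighbours now read from `local.cloud_platform_vars`, so a branch pipeline on a non-AWS `cloud_platform` would generate apps with the wrong DNS provider; `dns_provider = local.cloud_platform_vars.dns_provider`, with a default added to the merge in the later `locals` hunk, keeps the two in step. Since `mock_outputs_allowed_terraform_commands` now includes `apply` whenever `skip_outputs` is true, these mocks become the real inputs for branch builds, which is worth a one-line comment above `mock_outputs` such as `# On non-default branches k8s-deploy is skipped, so these values are what gets rendered`. The `dependency "k8s_deploy"` block begins in the previous line.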
diff --git a/terraform/k8s/k8s-deploy/terragrunt.hcl b/terraform/k8s/k8s-deploy/terragrunt.hcl index 66f1f09c1..9b9965d73 100644 --- a/terraform/k8s/k8s-deploy/terragrunt.hcl +++ b/terraform/k8s/k8s-deploy/terragrunt.hcl @@ -54,8 +54,8 @@ generate "required_providers_override" { if_exists = "overwrite_terragrunt" contents = < Date: Tue, 14 May 2024 20:28:34 +0530 Subject: [PATCH 175/201] including bootstrap_brokers_plaintext --- terraform/aws/support-svcs/deploy-msk/outputs.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/aws/support-svcs/deploy-msk/outputs.tf b/terraform/aws/support-svcs/deploy-msk/outputs.tf index 092ddc1eb..4abe45310 100644 --- a/terraform/aws/support-svcs/deploy-msk/outputs.tf +++ b/terraform/aws/support-svcs/deploy-msk/outputs.tf @@ -10,6 +10,6 @@ output "secrets_var_map" { output "properties_var_map" { value = { for index, msk_module in module.msk : - var.msk_services[index].external_resource_config.instance_address_key_name => msk_module.bootstrap_brokers_tls + var.msk_services[index].external_resource_config.instance_address_key_name => ( msk_module.encryption_in_transit_client_broker == "PLAINTEXT" ) ? msk_module.bootstrap_brokers_plaintext : msk_module.bootstrap_brokers_tls } } From d4fee60f8843445e2b9cbd792612c27b25be4403 Mon Sep 17 00:00:00 2001 From: Sijo George Date: Tue, 14 May 2024 20:36:31 +0530 Subject: [PATCH 176/201] chaing the expressin and instance type --- terraform/aws/base-infra/infra.tf | 2 +- terraform/aws/support-svcs/deploy-msk/outputs.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/aws/base-infra/infra.tf b/terraform/aws/base-infra/infra.tf index aa19d27bc..5745d1357 100644 --- a/terraform/aws/base-infra/infra.tf +++ b/terraform/aws/base-infra/infra.tf 
@@ -81,7 +81,7 @@ resource "aws_security_group_rule" "bastion_egress_all" { resource "aws_instance" "bastion" { ami = var.bastion_ami - instance_type = "t2.micro" + instance_type = "t2.medium" subnet_id = element(module.vpc.public_subnets, 0) user_data = templatefile("${path.module}/templates/bastion.user_data.tmpl", { ssh_keys = local.ssh_keys }) key_name = local.cluster_domain diff --git a/terraform/aws/support-svcs/deploy-msk/outputs.tf b/terraform/aws/support-svcs/deploy-msk/outputs.tf index 4abe45310..f9c2653ef 100644 --- a/terraform/aws/support-svcs/deploy-msk/outputs.tf +++ b/terraform/aws/support-svcs/deploy-msk/outputs.tf @@ -10,6 +10,6 @@ output "secrets_var_map" { output "properties_var_map" { value = { for index, msk_module in module.msk : - var.msk_services[index].external_resource_config.instance_address_key_name => ( msk_module.encryption_in_transit_client_broker == "PLAINTEXT" ) ? msk_module.bootstrap_brokers_plaintext : msk_module.bootstrap_brokers_tls + var.msk_services[index].external_resource_config.instance_address_key_name => ( var.msk_services[index].encryption_in_transit_client_broker == "PLAINTEXT" ) ? msk_module.bootstrap_brokers_plaintext : msk_module.bootstrap_brokers_tls } } From 7d653d7ce300a580084b6973f788950a8d355027 Mon Sep 17 00:00:00 2001 From: Sijo George Date: Tue, 14 May 2024 20:46:41 +0530 Subject: [PATCH 177/201] Correcting the expression --- terraform/aws/support-svcs/deploy-msk/outputs.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/aws/support-svcs/deploy-msk/outputs.tf b/terraform/aws/support-svcs/deploy-msk/outputs.tf index f9c2653ef..abd7cd988 100644 --- a/terraform/aws/support-svcs/deploy-msk/outputs.tf +++ b/terraform/aws/support-svcs/deploy-msk/outputs.tf 
@@ -10,6 +10,6 @@ output "secrets_var_map" { output "properties_var_map" { value = { for index, msk_module in module.msk : - var.msk_services[index].external_resource_config.instance_address_key_name => ( var.msk_services[index].encryption_in_transit_client_broker == "PLAINTEXT" ) ? msk_module.bootstrap_brokers_plaintext : msk_module.bootstrap_brokers_tls + var.msk_services[index].external_resource_config.instance_address_key_name => ( var.msk_services[index].external_resource_config.encryption_in_transit_client_broker == "PLAINTEXT" ) ? msk_module.bootstrap_brokers_plaintext : msk_module.bootstrap_brokers_tls } } From 45f7b3113e315ba30fc56022a1f365929334d2ae Mon Sep 17 00:00:00 2001 From: Sijo George Date: Tue, 14 May 2024 21:18:55 +0530 Subject: [PATCH 178/201] changing the out --- terraform/aws/support-svcs/deploy-msk/outputs.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/aws/support-svcs/deploy-msk/outputs.tf b/terraform/aws/support-svcs/deploy-msk/outputs.tf index abd7cd988..a04024408 100644 --- a/terraform/aws/support-svcs/deploy-msk/outputs.tf +++ b/terraform/aws/support-svcs/deploy-msk/outputs.tf @@ -10,6 +10,6 @@ output "secrets_var_map" { output "properties_var_map" { value = { for index, msk_module in module.msk : - var.msk_services[index].external_resource_config.instance_address_key_name => ( var.msk_services[index].external_resource_config.encryption_in_transit_client_broker == "PLAINTEXT" ) ? msk_module.bootstrap_brokers_plaintext : msk_module.bootstrap_brokers_tls + var.msk_services[index].external_resource_config.instance_address_key_name => ( var.msk_services[index].external_resource_config.encryption_in_transit_client_broker == "PLAINTEXT" ) ? msk_module.bootstrap_brokers : msk_module.bootstrap_brokers_tls } } From e5aa4d73f28913c24f84d7ba8419b13ae575a221 Mon Sep 17 00:00:00 2001 
From: Sijo George Date: Tue, 14 May 2024 21:29:22 +0530 Subject: [PATCH 179/201] Chaging the output --- terraform/aws/support-svcs/deploy-msk/outputs.tf | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/terraform/aws/support-svcs/deploy-msk/outputs.tf b/terraform/aws/support-svcs/deploy-msk/outputs.tf index a04024408..d970503c0 100644 --- a/terraform/aws/support-svcs/deploy-msk/outputs.tf +++ b/terraform/aws/support-svcs/deploy-msk/outputs.tf @@ -7,9 +7,11 @@ output "secrets_var_map" { } }*/ +#var.msk_services[index].external_resource_config.instance_address_key_name => ( var.msk_services[index].external_resource_config.encryption_in_transit_client_broker == "PLAINTEXT" ) ? msk_module.bootstrap_brokers : msk_module.bootstrap_brokers_tls + output "properties_var_map" { value = { for index, msk_module in module.msk : - var.msk_services[index].external_resource_config.instance_address_key_name => ( var.msk_services[index].external_resource_config.encryption_in_transit_client_broker == "PLAINTEXT" ) ? msk_module.bootstrap_brokers : msk_module.bootstrap_brokers_tls + var.msk_services[index].external_resource_config.instance_address_key_name => msk_module.bootstrap_brokers } } From cacc893592ba5e7de8f3603f393d1fa03f8c67a1 Mon Sep 17 00:00:00 2001 From: Sijo George Date: Tue, 14 May 2024 21:44:26 +0530 Subject: [PATCH 180/201] converting list to string --- terraform/aws/support-svcs/deploy-msk/outputs.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/aws/support-svcs/deploy-msk/outputs.tf b/terraform/aws/support-svcs/deploy-msk/outputs.tf index d970503c0..c4a3717cb 100644 --- a/terraform/aws/support-svcs/deploy-msk/outputs.tf +++ b/terraform/aws/support-svcs/deploy-msk/outputs.tf 
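Review bot: The added `#var.msk_services[index]...` line above `output "properties_var_map"` is the old conditional left behind as a comment, which will drift from the live expression; delete it, or replace it with a one-line note saying why the plaintext/TLS selection was dropped. With the conditional gone the map emits `msk_module.bootstrap_brokers` for every cluster regardless of `encryption_in_transit_client_broker`, so the address handed to clients no longer follows the configured listener type — if the module's `bootstrap_brokers` output aggregates several listener endpoints, consumers may be pointed at a listener they are not configured for, which is worth confirming against the module's outputs. The same expression was rewritten in [PATCH 175/201] through [PATCH 178/201] before arriving here, so one consolidated commit would have been easier to review.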
@@ -12,6 +12,6 @@ output "secrets_var_map" {
 output "properties_var_map" {
 value = {
 for index, msk_module in module.msk :
- var.msk_services[index].external_resource_config.instance_address_key_name => msk_module.bootstrap_brokers
+ var.msk_services[index].external_resource_config.instance_address_key_name => join(",", msk_module.bootstrap_brokers)
 }
 }
From e67cd18fa528305f7bf8aa6d02acd2fe9bce5586 Mon Sep 17 00:00:00 2001
From: Sijo George
Date: Wed, 15 May 2024 17:45:52 +0530
Subject: [PATCH 181/201] change the default protocol for msk
---
 terraform/k8s/default-config/mojaloop-stateful-resources.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/terraform/k8s/default-config/mojaloop-stateful-resources.json b/terraform/k8s/default-config/mojaloop-stateful-resources.json
index 2fdc34b4e..d7c88893b 100644
--- a/terraform/k8s/default-config/mojaloop-stateful-resources.json
+++ b/terraform/k8s/default-config/mojaloop-stateful-resources.json
@@ -656,7 +656,7 @@
 "resource_name": "mojaloop-kafka",
 "resource_type": "kafka",
 "instance_address_key_name": "mojaloop-kafka-brokers",
- "communication_mode": "http",
+ "communication_mode": "tcp",
 "external_service": false,
 "logical_service_config": {
 "logical_service_port": 9092,
From ff4abc7494aa2a07cd8eeb5064618646ec0cd952 Mon Sep 17 00:00:00 2001
From: Kalin Krustev Date: Wed, 15 May 2024 15:38:16 +0300 Subject: [PATCH 182/201] Finance portal override (#270) * allow overriding variables for finance portal * typo --- .../.gitlab/scripts/config-merge.sh | 2 +- .../templates/mojaloop/kustomization.yaml.tpl | 2 ++ .../values-finance-portal-override.yaml.tpl | 1 + .../gitops/k8s-cluster-config/app-deploy.tf | 5 +++++ terraform/gitops/mojaloop/mojaloop.tf | 21 +++++++++++++++---- .../finance-portal-values-override.yaml | 1 + terraform/k8s/gitops-build/terragrunt.hcl | 1 + 7 files changed, 28 insertions(+), 5 deletions(-) create mode 100644 terraform/gitops/generate-files/templates/mojaloop/values-finance-portal-override.yaml.tpl create mode 100644 terraform/k8s/default-config/finance-portal-values-override.yaml diff --git a/terraform/gitlab/ci-templates/k8s-cluster/.gitlab/scripts/config-merge.sh b/terraform/gitlab/ci-templates/k8s-cluster/.gitlab/scripts/config-merge.sh index e2d58e7b8..528ab2e9d 100755 --- a/terraform/gitlab/ci-templates/k8s-cluster/.gitlab/scripts/config-merge.sh +++ b/terraform/gitlab/ci-templates/k8s-cluster/.gitlab/scripts/config-merge.sh 
@@ -1,5 +1,5 @@ mkdir -p $CONFIG_PATH -for configFile in {'aws-vars.yaml','cluster-config.yaml','common-vars.yaml','mojaloop-rbac-permissions.yaml','mojaloop-vars.yaml','pm4ml-vars.yaml','bare-metal-vars.yaml','pm4ml-rbac-permissions.yaml','mojaloop-stateful-resources.json','common-stateful-resources.json','mojaloop-rbac-api-resources.yaml','vnext-vars.yaml','vnext-stateful-resources.json','addons-vars.yaml','addons-stateful-resources.json','mojaloop-values-override.yaml'}; +for configFile in {'aws-vars.yaml','cluster-config.yaml','common-vars.yaml','mojaloop-rbac-permissions.yaml','mojaloop-vars.yaml','pm4ml-vars.yaml','bare-metal-vars.yaml','pm4ml-rbac-permissions.yaml','mojaloop-stateful-resources.json','common-stateful-resources.json','mojaloop-rbac-api-resources.yaml','vnext-vars.yaml','vnext-stateful-resources.json','addons-vars.yaml','addons-stateful-resources.json','mojaloop-values-override.yaml','finance-portal-values-override.yaml'}; do echo $configFile python3 .gitlab/scripts/dictmerge.py default-config/$configFile custom-config/$configFile $CONFIG_PATH; diff --git a/terraform/gitops/generate-files/templates/mojaloop/kustomization.yaml.tpl b/terraform/gitops/generate-files/templates/mojaloop/kustomization.yaml.tpl index 480bf6371..774b96030 100644 --- a/terraform/gitops/generate-files/templates/mojaloop/kustomization.yaml.tpl +++ b/terraform/gitops/generate-files/templates/mojaloop/kustomization.yaml.tpl @@ -25,6 +25,8 @@ helmCharts: valuesFile: values-finance-portal.yaml namespace: ${mojaloop_namespace} includeCRDs: true + additionalValuesFiles: + - values-finance-portal-override.yaml - name: reporting-k8s-templates releaseName: reporting-templates version: ${reporting_templates_chart_version} diff --git a/terraform/gitops/generate-files/templates/mojaloop/values-finance-portal-override.yaml.tpl b/terraform/gitops/generate-files/templates/mojaloop/values-finance-portal-override.yaml.tpl new file mode 100644 index 000000000..4f0ba94e5 --- /dev/null 
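Review bot: The new file name is appended to a single-line brace list that is already hard to diff and review; an array written one entry per line (`config_files=( ... )`, iterated with `"${config_files[@]}"`) would make additions like this a one-line change. While here, `$configFile` and `$CONFIG_PATH` are expanded unquoted on the `python3` line, so a path containing whitespace splits into extra arguments; quote them as `"default-config/$configFile" "custom-config/$configFile" "$CONFIG_PATH"`. The loop's `do`/`done` extend past the hunk.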
+++ b/terraform/gitops/generate-files/templates/mojaloop/values-finance-portal-override.yaml.tpl @@ -0,0 +1 @@ +#placeholder file for overrides \ No newline at end of file diff --git a/terraform/gitops/k8s-cluster-config/app-deploy.tf b/terraform/gitops/k8s-cluster-config/app-deploy.tf index 654aecce2..78f9c5036 100644 --- a/terraform/gitops/k8s-cluster-config/app-deploy.tf +++ b/terraform/gitops/k8s-cluster-config/app-deploy.tf @@ -53,6 +53,7 @@ module "mojaloop" { keycloak_hubop_realm_name = var.keycloak_hubop_realm_name rbac_api_resources_file = var.rbac_api_resources_file mojaloop_values_override_file = var.mojaloop_values_override_file + finance_portal_values_override_file = var.finance_portal_values_override_file fspiop_use_ory_for_auth = var.app_var_map.fspiop_use_ory_for_auth } @@ -243,6 +244,10 @@ variable "mojaloop_values_override_file" { type = string } +variable "finance_portal_values_override_file" { + type = string +} + variable "argocd_ingress_internal_lb" { default = true description = "whether argocd should only be available on private network" diff --git a/terraform/gitops/mojaloop/mojaloop.tf b/terraform/gitops/mojaloop/mojaloop.tf index 4155579fa..5c8ad04ec 100644 --- a/terraform/gitops/mojaloop/mojaloop.tf +++ b/terraform/gitops/mojaloop/mojaloop.tf 
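Review bot: `values-finance-portal-override.yaml.tpl` consists of one comment line with no trailing newline, so the generated `values-finance-portal-override.yaml` parses as a YAML null document whenever no override file exists, and `kustomization.yaml.tpl` now lists that file under `additionalValuesFiles`. A later patch in this series ([PATCH 185/201], "use valid yaml in default") replaced the equivalent default-config placeholder with a real mapping after a merge failure, but this template keeps the null form. If the Helm path tolerates an empty values file this is harmless, but `{}` is unambiguous and survives a strict loader: `{}  # placeholder: overwritten when a finance portal override file is provided`.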
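Review bot: The new `variable "finance_portal_values_override_file"` block in app-deploy.tf declares only `type = string`; the sibling `mojaloop_values_override_file` it mirrors is equally bare, but a `description = "Path to a YAML file merged over values-finance-portal.yaml; optional, only used when the file exists"` would tell operators that the path is optional and how it is resolved. The same undocumented declaration is repeated in mojaloop.tf in the following hunks.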
@@ -192,8 +192,9 @@ module "generate_mojaloop_files" { jws_rotation_period_hours = try(var.app_var_map.jws_rotation_period_hours, var.jws_rotation_period_hours) mcm_hub_jws_endpoint = "http://mcm-connection-manager-api.${var.mcm_namespace}.svc.cluster.local:3001/api/hub/jwscerts" ttk_gp_testcase_labels = try(var.app_var_map.ttk_gp_testcase_labels, var.ttk_gp_testcase_labels) - override_values_file_exists = local.override_values_file_exists - fspiop_use_ory_for_auth = var.fspiop_use_ory_for_auth + mojaloop_override_values_file_exists = local.mojaloop_override_values_file_exists + finance_portal_override_values_file_exists = local.finance_portal_override_values_file_exists + fspiop_use_ory_for_auth = var.fspiop_use_ory_for_auth } file_list = [for f in fileset(local.mojaloop_template_path, "**/*.tpl") : trimsuffix(f, ".tpl") if !can(regex(local.mojaloop_app_file, f))] @@ -204,12 +205,19 @@ module "generate_mojaloop_files" { } resource "local_file" "mojaloop_values_override" { - count = local.override_values_file_exists ? 1 : 0 + count = local.mojaloop_override_values_file_exists ? 1 : 0 content = file(var.mojaloop_values_override_file) filename = "${local.output_path}/values-mojaloop-override.yaml" depends_on = [module.generate_mojaloop_files] } +resource "local_file" "finance_portal_values_override" { + count = local.finance_portal_override_values_file_exists ? 1 : 0 + content = file(var.finance_portal_values_override_file) + filename = "${local.output_path}/values-finance-portal-override.yaml" + depends_on = [module.generate_mojaloop_files] +} + locals { mojaloop_wildcard_gateway = try(var.app_var_map.mojaloop_ingress_internal_lb, true) ? "internal" : "external" ttk_frontend_fqdn = local.mojaloop_wildcard_gateway == "external" ? "ttkfrontend.${var.public_subdomain}" : "ttkfrontend.${var.private_subdomain}" 
@@ -242,7 +250,8 @@ locals { reporting_events_mongodb_resource_index = index(module.mojaloop_stateful_resources.stateful_resources.*.resource_name, "reporting-events-mongodb") apiResources = yamldecode(file(var.rbac_api_resources_file)) jws_key_secret = "switch-jws" - override_values_file_exists = fileexists(var.mojaloop_values_override_file) + mojaloop_override_values_file_exists = fileexists(var.mojaloop_values_override_file) + finance_portal_override_values_file_exists = fileexists(var.finance_portal_values_override_file) } variable "app_var_map" { @@ -385,6 +394,10 @@ variable "mojaloop_values_override_file" { type = string } +variable "finance_portal_values_override_file" { + type = string +} + variable "reporting_templates_chart_version" { type = string default = "1.1.7" diff --git a/terraform/k8s/default-config/finance-portal-values-override.yaml b/terraform/k8s/default-config/finance-portal-values-override.yaml new file mode 100644 index 000000000..42d51bf36 --- /dev/null +++ b/terraform/k8s/default-config/finance-portal-values-override.yaml @@ -0,0 +1 @@ +#placeholder file for addons \ No newline at end of file diff --git a/terraform/k8s/gitops-build/terragrunt.hcl b/terraform/k8s/gitops-build/terragrunt.hcl index bc22db62d..467717547 100644 --- a/terraform/k8s/gitops-build/terragrunt.hcl +++ b/terraform/k8s/gitops-build/terragrunt.hcl 
@@ -67,6 +67,7 @@ inputs = {
 mojaloop_stateful_resources_config_file = find_in_parent_folders("${get_env("CONFIG_PATH")}/mojaloop-stateful-resources.json")
 vnext_stateful_resources_config_file = find_in_parent_folders("${get_env("CONFIG_PATH")}/vnext-stateful-resources.json")
 mojaloop_values_override_file = find_in_parent_folders("${get_env("CONFIG_PATH")}/mojaloop-values-override.yaml", "mojaloop-values-override.yaml")
+ finance_portal_values_override_file = find_in_parent_folders("${get_env("CONFIG_PATH")}/finance-portal-values-override.yaml", "finance-portal-values-override.yaml")
 current_gitlab_project_id = local.GITLAB_CURRENT_PROJECT_ID
 gitlab_group_name = local.GITLAB_CURRENT_GROUP_NAME
 gitlab_api_url = local.GITLAB_API_URL
From 479b0a106ec69d6782f4b3da0df23330014dd272 Mon Sep 17 00:00:00 2001
From: Sijo George
Date: Wed, 15 May 2024 18:32:02 +0530
Subject: [PATCH 183/201] Default value to PLAINTEXT
---
 terraform/k8s/default-config/mojaloop-stateful-resources.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/terraform/k8s/default-config/mojaloop-stateful-resources.json b/terraform/k8s/default-config/mojaloop-stateful-resources.json
index d7c88893b..d7106e8e9 100644
--- a/terraform/k8s/default-config/mojaloop-stateful-resources.json
+++ b/terraform/k8s/default-config/mojaloop-stateful-resources.json
@@ -921,7 +921,7 @@
 }
 },
 "broker_node_instance_type": "kafka.t3.small",
- "encryption_in_transit_client_broker": "TLS",
+ "encryption_in_transit_client_broker": "PLAINTEXT",
 "encryption_in_transit_in_cluster": true,
 "configuration_name": "example-configuration",
 "configuration_description": "Example configuration",
From 0ff5921ca736584ae9a33815d167a4ff012b8abe Mon Sep 17 00:00:00 2001
From: Sijo George
Date: Wed, 15 May 2024 18:49:54 +0530
Subject: [PATCH 184/201] Setting the bastion instance type to t2.micro
---
 terraform/aws/base-infra/infra.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
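Review bot: Changing the default `encryption_in_transit_client_broker` to `"PLAINTEXT"` switches off TLS between Kafka clients and the MSK brokers for every environment that does not override this key, while `encryption_in_transit_in_cluster` on the next line stays `true`; that is a hardening regression in a default-config file and the subject line gives no rationale. If the motivation is that the consumers are not yet set up for the TLS listener (the [PATCH 180/201] output change above now hands them `bootstrap_brokers` unconditionally), `"TLS_PLAINTEXT"` keeps both listeners available during the transition. Otherwise leave `"TLS"` as the default and set PLAINTEXT only in a custom-config override, with the commit message naming which clients require it.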
diff --git a/terraform/aws/base-infra/infra.tf b/terraform/aws/base-infra/infra.tf index 5745d1357..aa19d27bc 100644 --- a/terraform/aws/base-infra/infra.tf +++ b/terraform/aws/base-infra/infra.tf @@ -81,7 +81,7 @@ resource "aws_security_group_rule" "bastion_egress_all" { resource "aws_instance" "bastion" { ami = var.bastion_ami - instance_type = "t2.medium" + instance_type = "t2.micro" subnet_id = element(module.vpc.public_subnets, 0) user_data = templatefile("${path.module}/templates/bastion.user_data.tmpl", { ssh_keys = local.ssh_keys }) key_name = local.cluster_domain From 93afde57c04d6ed206cb66a29b64fca739233eca Mon Sep 17 00:00:00 2001 From: David Fry Date: Wed, 15 May 2024 18:20:55 +0200 Subject: [PATCH 185/201] use valid yaml in default (#272) --- .../k8s/default-config/finance-portal-values-override.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/terraform/k8s/default-config/finance-portal-values-override.yaml b/terraform/k8s/default-config/finance-portal-values-override.yaml index 42d51bf36..9e7f25669 100644 --- a/terraform/k8s/default-config/finance-portal-values-override.yaml +++ b/terraform/k8s/default-config/finance-portal-values-override.yaml @@ -1 +1,2 @@ -#placeholder file for addons \ No newline at end of file +#placeholder to avoid merge failire +test: value From ad2354896498107042912356d39dee099acb41a9 Mon Sep 17 00:00:00 2001 From: Kalin Krustev Date: Tue, 28 May 2024 19:54:50 +0300 Subject: [PATCH 186/201] fix: optimize defaults (#278) * fix: optimize defaults * fix: optimize defaults --- .../mojaloop/values-finance-portal.yaml.tpl | 2 +- .../finance-portal-values-override.yaml | 4 +- .../mojaloop-stateful-resources.json | 84 ++++++++--- .../mojaloop-values-override.yaml | 140 +++++++++++++----- 4 files changed, 173 insertions(+), 57 deletions(-) 
diff --git a/terraform/gitops/generate-files/templates/mojaloop/values-finance-portal.yaml.tpl b/terraform/gitops/generate-files/templates/mojaloop/values-finance-portal.yaml.tpl index 6b19d36b7..b213ead96 100644 --- a/terraform/gitops/generate-files/templates/mojaloop/values-finance-portal.yaml.tpl +++ b/terraform/gitops/generate-files/templates/mojaloop/values-finance-portal.yaml.tpl @@ -107,7 +107,7 @@ reporting-events-processor-svc: kafka: host: ${kafka_host} port: ${kafka_port} - topicEvent: topic-event + topicEvent: topic-event-audit consumerGroup: reporting_events_processor_consumer_group clientId: reporting_events_processor_consumer diff --git a/terraform/k8s/default-config/finance-portal-values-override.yaml b/terraform/k8s/default-config/finance-portal-values-override.yaml index 9e7f25669..fd53abc69 100644 --- a/terraform/k8s/default-config/finance-portal-values-override.yaml +++ b/terraform/k8s/default-config/finance-portal-values-override.yaml @@ -1,2 +1,2 @@ -#placeholder to avoid merge failire -test: value +reporting-events-processor-svc: + replicaCount: 1 diff --git a/terraform/k8s/default-config/mojaloop-stateful-resources.json b/terraform/k8s/default-config/mojaloop-stateful-resources.json index d7106e8e9..4e63fb986 100644 --- a/terraform/k8s/default-config/mojaloop-stateful-resources.json +++ b/terraform/k8s/default-config/mojaloop-stateful-resources.json @@ -247,7 +247,7 @@ "enabled": true, "resource_name": "account-lookup-db", "resource_type": "mysql", - "communication_mode": "tcp", + "communication_mode": "tcp", "external_service": false, "logical_service_config": { "logical_service_port": 3306, @@ -385,7 +385,7 @@ "enabled": true, "resource_name": "central-ledger-db", "resource_type": "mysql", - "communication_mode": "tcp", + "communication_mode": "tcp", "external_service": false, "logical_service_config": { "logical_service_port": 3306, 
@@ -681,7 +681,51 @@ { "name": "topic-event", "partitions": 12, - "replicationFactor": 3, + "replicationFactor": 1, + "config": { + "cleanup.policy": "delete", + "retention.ms": "-1", + "segment.bytes": "52428800", + "retention.bytes": "262144000" + } + }, + { + "name": "topic-event-audit", + "partitions": 12, + "replicationFactor": 1, + "config": { + "cleanup.policy": "delete", + "retention.ms": "-1", + "segment.bytes": "52428800", + "retention.bytes": "262144000" + } + }, + { + "name": "topic-event-log", + "partitions": 12, + "replicationFactor": 1, + "config": { + "cleanup.policy": "delete", + "retention.ms": "-1", + "segment.bytes": "52428800", + "retention.bytes": "262144000" + } + }, + { + "name": "topic-event-trace", + "partitions": 12, + "replicationFactor": 1, + "config": { + "cleanup.policy": "delete", + "retention.ms": "-1", + "segment.bytes": "52428800", + "retention.bytes": "262144000" + } + }, + { + "name": "topic-deferredsettlement-close", + "partitions": 12, + "replicationFactor": 1, "config": { "cleanup.policy": "delete", "retention.ms": "-1", @@ -692,7 +736,7 @@ { "name": "topic-transfer-prepare", "partitions": 12, - "replicationFactor": 3, + "replicationFactor": 1, "config": { "cleanup.policy": "delete", "retention.ms": "-1", @@ -703,7 +747,7 @@ { "name": "topic-transfer-position", "partitions": 12, - "replicationFactor": 3, + "replicationFactor": 1, "config": { "cleanup.policy": "delete", "retention.ms": "-1", @@ -714,7 +758,7 @@ { "name": "topic-transfer-position-batch", "partitions": 12, - "replicationFactor": 3, + "replicationFactor": 1, "config": { "cleanup.policy": "delete", "retention.ms": "-1", @@ -725,7 +769,7 @@ { "name": "topic-transfer-fulfil", "partitions": 12, - "replicationFactor": 3, + "replicationFactor": 1, "config": { "cleanup.policy": "delete", "retention.ms": "-1", 
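Review bot: Every topic in this hunk — the existing `topic-event` and the new `topic-event-audit`, `topic-event-log`, `topic-event-trace` and `topic-deferredsettlement-close` entries — now defaults to `"replicationFactor": 1`, and the following hunks (through `topic-bulkquotes-get`) make the same change for the transfer, quote and bulk topics. With a single replica each partition lives on exactly one broker, so a broker restart makes it unavailable and a broker volume loss drops the messages on it; for `topic-transfer-prepare`, `topic-transfer-position` and `topic-transfer-fulfil` that is the ledger's in-flight work. If this default is meant for single-broker development clusters, say so in the commit message, or keep 3 here and lower it in a custom-config override; whether 3 is satisfiable depends on the broker count configured elsewhere in this file, which the hunk does not show.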
@@ -736,7 +780,7 @@ { "name": "topic-notification-event", "partitions": 12, - "replicationFactor": 3, + "replicationFactor": 1, "config": { "cleanup.policy": "delete", "retention.ms": "-1", @@ -747,7 +791,7 @@ { "name": "topic-transfer-get", "partitions": 12, - "replicationFactor": 3, + "replicationFactor": 1, "config": { "cleanup.policy": "delete", "retention.ms": "-1", @@ -758,7 +802,7 @@ { "name": "topic-admin-transfer", "partitions": 12, - "replicationFactor": 3, + "replicationFactor": 1, "config": { "cleanup.policy": "delete", "retention.ms": "-1", @@ -769,7 +813,7 @@ { "name": "topic-bulk-prepare", "partitions": 12, - "replicationFactor": 3, + "replicationFactor": 1, "config": { "cleanup.policy": "delete", "retention.ms": "-1", @@ -780,7 +824,7 @@ { "name": "topic-bulk-fulfil", "partitions": 12, - "replicationFactor": 3, + "replicationFactor": 1, "config": { "cleanup.policy": "delete", "retention.ms": "-1", @@ -791,7 +835,7 @@ { "name": "topic-bulk-processing", "partitions": 12, - "replicationFactor": 3, + "replicationFactor": 1, "config": { "cleanup.policy": "delete", "retention.ms": "-1", @@ -802,7 +846,7 @@ { "name": "topic-bulk-get", "partitions": 12, - "replicationFactor": 3, + "replicationFactor": 1, "config": { "cleanup.policy": "delete", "retention.ms": "-1", @@ -813,7 +857,7 @@ { "name": "topic-quotes-post", "partitions": 12, - "replicationFactor": 3, + "replicationFactor": 1, "config": { "cleanup.policy": "delete", "retention.ms": "-1", @@ -824,7 +868,7 @@ { "name": "topic-quotes-put", "partitions": 12, - "replicationFactor": 3, + "replicationFactor": 1, "config": { "cleanup.policy": "delete", "retention.ms": "-1", @@ -835,7 +879,7 @@ { "name": "topic-quotes-get", "partitions": 12, - "replicationFactor": 3, + "replicationFactor": 1, "config": { "cleanup.policy": "delete", "retention.ms": "-1", 
@@ -846,7 +890,7 @@ { "name": "topic-bulkquotes-post", "partitions": 12, - "replicationFactor": 3, + "replicationFactor": 1, "config": { "cleanup.policy": "delete", "retention.ms": "-1", @@ -857,7 +901,7 @@ { "name": "topic-bulkquotes-put", "partitions": 12, - "replicationFactor": 3, + "replicationFactor": 1, "config": { "cleanup.policy": "delete", "retention.ms": "-1", @@ -868,7 +912,7 @@ { "name": "topic-bulkquotes-get", "partitions": 12, - "replicationFactor": 3, + "replicationFactor": 1, "config": { "cleanup.policy": "delete", "retention.ms": "-1", diff --git a/terraform/k8s/default-config/mojaloop-values-override.yaml b/terraform/k8s/default-config/mojaloop-values-override.yaml index b25990de3..6a0327f2e 100644 --- a/terraform/k8s/default-config/mojaloop-values-override.yaml +++ b/terraform/k8s/default-config/mojaloop-values-override.yaml @@ -1,12 +1,16 @@ account-lookup-service: account-lookup-service: - replicaCount: 12 + replicaCount: 1 config: event_log_filter: "" - readinessProbe: - initialDelaySeconds: 5 + log_level: warn livenessProbe: initialDelaySeconds: 5 + timeoutSeconds: 2 + readinessProbe: + initialDelaySeconds: 5 + timeoutSeconds: 1 + periodSeconds: 1 sidecar: readinessProbe: initialDelaySeconds: 5 
@@ -16,26 +20,34 @@ account-lookup-service: replicaCount: 1 quoting-service: quoting-service: - replicaCount: 4 + replicaCount: 1 config: event_log_filter: "" - readinessProbe: - initialDelaySeconds: 5 + log_level: warn livenessProbe: initialDelaySeconds: 5 + timeoutSeconds: 2 + readinessProbe: + initialDelaySeconds: 5 + timeoutSeconds: 1 + periodSeconds: 1 sidecar: readinessProbe: initialDelaySeconds: 5 livenessProbe: initialDelaySeconds: 5 quoting-service-handler: - replicaCount: 12 + replicaCount: 1 config: event_log_filter: "" - readinessProbe: - initialDelaySeconds: 5 + log_level: warn livenessProbe: initialDelaySeconds: 5 + timeoutSeconds: 2 + readinessProbe: + initialDelaySeconds: 5 + timeoutSeconds: 1 + periodSeconds: 1 sidecar: readinessProbe: initialDelaySeconds: 5 
@@ -43,61 +55,103 @@ quoting-service: initialDelaySeconds: 5 ml-api-adapter: ml-api-adapter-service: - replicaCount: 4 + replicaCount: 1 config: event_log_filter: "" + log_level: warn + livenessProbe: + initialDelaySeconds: 5 + timeoutSeconds: 2 + readinessProbe: + initialDelaySeconds: 5 + timeoutSeconds: 1 + periodSeconds: 1 + sidecar: + readinessProbe: + initialDelaySeconds: 5 + livenessProbe: + initialDelaySeconds: 5 ml-api-adapter-handler-notification: - replicaCount: 12 + replicaCount: 1 config: event_log_filter: "" + log_level: warn + livenessProbe: + initialDelaySeconds: 5 + timeoutSeconds: 2 + readinessProbe: + initialDelaySeconds: 5 + timeoutSeconds: 1 + periodSeconds: 1 + sidecar: + readinessProbe: + initialDelaySeconds: 5 + livenessProbe: + initialDelaySeconds: 5 centralledger: centralledger-service: - replicaCount: 8 + replicaCount: 1 config: event_log_filter: "" - readinessProbe: - initialDelaySeconds: 5 + log_level: warn livenessProbe: initialDelaySeconds: 5 + timeoutSeconds: 2 + readinessProbe: + initialDelaySeconds: 5 + timeoutSeconds: 1 + periodSeconds: 1 sidecar: readinessProbe: initialDelaySeconds: 5 livenessProbe: initialDelaySeconds: 5 centralledger-handler-transfer-prepare: - replicaCount: 12 + replicaCount: 1 config: event_log_filter: "" - readinessProbe: - initialDelaySeconds: 5 + log_level: warn livenessProbe: initialDelaySeconds: 5 + timeoutSeconds: 2 + readinessProbe: + initialDelaySeconds: 5 + timeoutSeconds: 1 + periodSeconds: 1 sidecar: readinessProbe: initialDelaySeconds: 5 livenessProbe: initialDelaySeconds: 5 centralledger-handler-transfer-position: - replicaCount: 8 + replicaCount: 1 config: event_log_filter: "" - readinessProbe: - initialDelaySeconds: 5 + log_level: warn livenessProbe: initialDelaySeconds: 5 + timeoutSeconds: 2 + readinessProbe: + initialDelaySeconds: 5 + timeoutSeconds: 1 + periodSeconds: 1 sidecar: readinessProbe: initialDelaySeconds: 5 livenessProbe: initialDelaySeconds: 5 
centralledger-handler-transfer-position-batch: - replicaCount: 12 + replicaCount: 1 config: event_log_filter: "" - readinessProbe: - initialDelaySeconds: 5 + log_level: warn livenessProbe: initialDelaySeconds: 5 + timeoutSeconds: 2 + readinessProbe: + initialDelaySeconds: 5 + timeoutSeconds: 1 + periodSeconds: 1 sidecar: readinessProbe: initialDelaySeconds: 5 @@ -107,23 +161,31 @@ centralledger: replicaCount: 1 config: event_log_filter: "" - readinessProbe: - initialDelaySeconds: 5 + log_level: warn livenessProbe: initialDelaySeconds: 5 + timeoutSeconds: 2 + readinessProbe: + initialDelaySeconds: 5 + timeoutSeconds: 1 + periodSeconds: 1 sidecar: readinessProbe: initialDelaySeconds: 5 livenessProbe: initialDelaySeconds: 5 centralledger-handler-transfer-fulfil: - replicaCount: 12 + replicaCount: 1 config: event_log_filter: "" - readinessProbe: - initialDelaySeconds: 5 + log_level: warn livenessProbe: initialDelaySeconds: 5 + timeoutSeconds: 2 + readinessProbe: + initialDelaySeconds: 5 + timeoutSeconds: 1 + periodSeconds: 1 sidecar: readinessProbe: initialDelaySeconds: 5 @@ -132,10 +194,14 @@ centralledger: centralledger-handler-timeout: config: event_log_filter: "" - readinessProbe: - initialDelaySeconds: 5 + log_level: warn livenessProbe: initialDelaySeconds: 5 + timeoutSeconds: 2 + readinessProbe: + initialDelaySeconds: 5 + timeoutSeconds: 1 + periodSeconds: 1 sidecar: readinessProbe: initialDelaySeconds: 5 @@ -143,10 +209,13 @@ centralledger: initialDelaySeconds: 5 centralledger-handler-admin-transfer: replicaCount: 1 - readinessProbe: - initialDelaySeconds: 5 livenessProbe: initialDelaySeconds: 5 + timeoutSeconds: 2 + readinessProbe: + initialDelaySeconds: 5 + timeoutSeconds: 1 + periodSeconds: 1 sidecar: readinessProbe: initialDelaySeconds: 5 @@ -162,7 +231,7 @@ centralsettlement: config: event_log_filter: "" centralsettlement-handler-grosssettlement: - replicaCount: 1 + replicaCount: 0 config: event_log_filter: "" centralsettlement-handler-rules: 
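Review bot: `centralsettlement-handler-grosssettlement` moves from `replicaCount: 1` to `replicaCount: 0`, which disables the handler in the default override rather than tuning it, and nothing in the commit message says so. If that is intended, a comment keeps the next reader from "fixing" it: `replicaCount: 0  # gross-settlement handler is opt-in; raise in custom-config to enable`.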
@@ -170,11 +239,14 @@ centralsettlement: config: event_log_filter: "" transaction-requests-service: - replicaCount: 4 + replicaCount: 1 readinessProbe: initialDelaySeconds: 5 + timeoutSeconds: 2 livenessProbe: initialDelaySeconds: 5 + timeoutSeconds: 1 + periodSeconds: 1 sidecar: readinessProbe: initialDelaySeconds: 5 From 0fe6a711dff8eae03591a52defd57a26eaf78689 Mon Sep 17 00:00:00 2001 From: Muzammil Date: Tue, 28 May 2024 21:58:18 +0500 Subject: [PATCH 187/201] IPROD-545: Enable prometheus remote write and read (#275) * IPROD-545: Enable remote write on client prometheus * fix url address * extract configs in params * test disabling remote write * refactor * add remote read configs * added default values for central monitoring configs * remove a comment --- .../install/values-prom-operator.yaml.tpl | 20 +++++++++++++++++++ .../gitops/k8s-cluster-config/monitoring.tf | 11 ++++++++++ 2 files changed, 31 insertions(+) diff --git a/terraform/gitops/generate-files/templates/monitoring/install/values-prom-operator.yaml.tpl b/terraform/gitops/generate-files/templates/monitoring/install/values-prom-operator.yaml.tpl index 0ce8a3294..343b9cfd1 100644 --- a/terraform/gitops/generate-files/templates/monitoring/install/values-prom-operator.yaml.tpl +++ b/terraform/gitops/generate-files/templates/monitoring/install/values-prom-operator.yaml.tpl 
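Review bot: In `transaction-requests-service` the probe tuning is swapped relative to every other service in this file: here `readinessProbe` receives `timeoutSeconds: 2` and `livenessProbe` receives `timeoutSeconds: 1` plus `periodSeconds: 1`, whereas the preceding hunks give liveness `timeoutSeconds: 2` and readiness `timeoutSeconds: 1`/`periodSeconds: 1`. A liveness probe that must answer within one second every second restarts the pod after three slow responses (the default failureThreshold), which turns load into a self-inflicted outage; the readiness variant only withdraws the pod from the Service. Move `periodSeconds: 1` and `timeoutSeconds: 1` under `readinessProbe` and give `livenessProbe` `timeoutSeconds: 2` to match the rest of the file. The 1 s readiness timeout used everywhere else is itself aggressive for a Node service under GC pressure and may be worth raising to 2–3 s.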
@@ -28,6 +28,26 @@ prometheus: value: ${prom_tsdb_min_block_duration} - name: storage.tsdb.max-block-duration value: ${prom_tsdb_max_block_duration} + externalLabels: + cluster: ${cluster_label} + +%{if enable_central_observability_write ~} + remoteWrite: + - name: central-monitoring + url: ${central_observability_endpoint}/api/v1/push + headers: + X-Scope-OrgID: ${central_observability_tenant_id} +%{endif ~} + +%{if enable_central_observability_read ~} + remoteRead: + - name: central-monitoring + url: ${central_observability_endpoint}/api/v1/read + headers: + X-Scope-OrgID: ${central_observability_tenant_id} +%{endif ~} + + operator: nodeAffinityPreset: type: hard diff --git a/terraform/gitops/k8s-cluster-config/monitoring.tf b/terraform/gitops/k8s-cluster-config/monitoring.tf index cbb8aaa9f..547754dc5 100644 --- a/terraform/gitops/k8s-cluster-config/monitoring.tf +++ b/terraform/gitops/k8s-cluster-config/monitoring.tf 
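Review bot: The new `remoteWrite`/`remoteRead` entries ship this cluster's metrics to `${central_observability_endpoint}` with only an `X-Scope-OrgID` tenant header — no `basicAuth`, `authorization` or `tlsConfig` — and the default endpoint in monitoring.tf is plain `http://`. If the central stack relies on that header alone, any client that can reach it can write into or read the tenant, and the metrics travel unencrypted; reference credentials from a Secret via `basicAuth` (or `authorization`) and require an `https://` endpoint. Separately, `cluster: ${cluster_label}` and `X-Scope-OrgID: ${central_observability_tenant_id}` are unquoted templated scalars, so a numeric or boolean-looking cluster name or tenant id is retyped by the YAML parser; write them as `cluster: "${cluster_label}"` and `X-Scope-OrgID: "${central_observability_tenant_id}"`.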
@@ -54,6 +54,13 @@ module "generate_monitoring_files" {
 grafana_fqdn = local.grafana_fqdn
 grafana_istio_gateway_namespace = local.grafana_istio_gateway_namespace
 grafana_istio_wildcard_gateway_name = local.vault_istio_wildcard_gateway_name
+
+ # central observability configs
+ cluster_label = var.cluster_name # cluster identifier in central observability stack
+ enable_central_observability_write = try(var.common_var_map.enable_central_observability_write, local.enable_central_observability_write)
+ enable_central_observability_read = try(var.common_var_map.enable_central_observability_read, local.enable_central_observability_read)
+ central_observability_endpoint = try(var.common_var_map.central_observability_endpoint, local.central_observability_endpoint)
+ central_observability_tenant_id = try(var.common_var_map.central_observability_tenant_id, local.central_observability_tenant_id)
 }
 file_list = [for f in fileset(local.monitoring_template_path, "**/*.tpl") : trimsuffix(f, ".tpl") if !can(regex(local.monitoring_app_file, f))]
 template_path = local.monitoring_template_path
@@ -136,4 +143,8 @@ locals {
 grafana_fqdn = local.grafana_wildcard_gateway == "external" ? "grafana.${var.public_subdomain}" : "grafana.${var.private_subdomain}"
 grafana_istio_gateway_namespace = local.grafana_wildcard_gateway == "external" ? var.istio_external_gateway_namespace : var.istio_internal_gateway_namespace
 grafana_istio_wildcard_gateway_name = local.grafana_wildcard_gateway == "external" ? local.istio_external_wildcard_gateway_name : local.istio_internal_wildcard_gateway_name
+ enable_central_observability_write = false
+ enable_central_observability_read = false
+ central_observability_endpoint = "http://to-be-updated"
+ central_observability_tenant_id = "infitx"
 }
From b4a8efc74c8b9862a334161ea9630c1f50d0d9fd Mon Sep 17 00:00:00 2001
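Review bot: `central_observability_endpoint` defaults to the placeholder `"http://to-be-updated"` in the `locals` hunk, and the `module "generate_monitoring_files"` hunk passes it through `try()` with no validation, so enabling `enable_central_observability_write` or `enable_central_observability_read` in `common_var_map` without also supplying the endpoint renders a plaintext remote write/read to a non-existent host that fails only at runtime. Default the endpoint to `null` and add a `check` block (or a `validation` on the variable that carries it) that fails the plan when either flag is true and the endpoint is unset or not `https://`. The repo-wide default tenant id `"infitx"` deserves the same treatment, since a wrong `X-Scope-OrgID` presumably files one cluster's metrics under another tenant rather than failing loudly.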
From: Kevin Leyow
Date: Wed, 5 Jun 2024 12:05:35 -0500
Subject: [PATCH 188/201] chore: update versions
---
 .../generate-files/templates/mojaloop/values-mojaloop.yaml.tpl | 2 +-
 .../gitops/generate-files/templates/pm4ml/values-pm4ml.yaml.tpl | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/terraform/gitops/generate-files/templates/mojaloop/values-mojaloop.yaml.tpl b/terraform/gitops/generate-files/templates/mojaloop/values-mojaloop.yaml.tpl
index 62b6e0b41..f66315a1e 100644
--- a/terraform/gitops/generate-files/templates/mojaloop/values-mojaloop.yaml.tpl
+++ b/terraform/gitops/generate-files/templates/mojaloop/values-mojaloop.yaml.tpl
@@ -128,7 +128,7 @@ CONFIG:
 cl_image: &CL_IMAGE
 registry: docker.io
 repository: mojaloop/central-ledger
- tag: v17.7.0-snapshot.0
+ tag: v17.7.0-snapshot.4
 qs_image: &QS_IMAGE
 registry: docker.io
diff --git a/terraform/gitops/generate-files/templates/pm4ml/values-pm4ml.yaml.tpl b/terraform/gitops/generate-files/templates/pm4ml/values-pm4ml.yaml.tpl
index 5cd90c771..e10144f47 100644
--- a/terraform/gitops/generate-files/templates/pm4ml/values-pm4ml.yaml.tpl
+++ b/terraform/gitops/generate-files/templates/pm4ml/values-pm4ml.yaml.tpl
@@ -217,7 +217,7 @@ ttk:
 ml-testing-toolkit-backend:
 image:
 repository: mojaloop/ml-testing-toolkit
- tag: v17.1.1
+ tag: v17.2.0
 ingress:
 enabled: false
 nameOverride: ttk-backend
From fa553e352c4a3648bd0e54ad1e6c09a916f9a509 Mon Sep 17 00:00:00 2001
From: Kevin Leyow
Date: Wed, 5 Jun 2024 17:35:37 -0500
Subject: [PATCH 189/201] update
---
 .../generate-files/templates/mojaloop/values-mojaloop.yaml.tpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/terraform/gitops/generate-files/templates/mojaloop/values-mojaloop.yaml.tpl b/terraform/gitops/generate-files/templates/mojaloop/values-mojaloop.yaml.tpl
index f66315a1e..a60787ace 100644
--- a/terraform/gitops/generate-files/templates/mojaloop/values-mojaloop.yaml.tpl
+++ b/terraform/gitops/generate-files/templates/mojaloop/values-mojaloop.yaml.tpl
@@ -128,7 +128,7 @@ CONFIG:
 cl_image: &CL_IMAGE
 registry: docker.io
 repository: mojaloop/central-ledger
- tag: v17.7.0-snapshot.4
+ tag: v17.7.0-snapshot.8
 qs_image: &QS_IMAGE
 registry: docker.io
From 43f23f957b41b46ddf7c585b87a96e1334e6dcc2 Mon Sep 17 00:00:00 2001
From: Kevin Leyow
Date: Thu, 6 Jun 2024 14:36:28 -0500
Subject: [PATCH 190/201] revert ttk version
---
 .../gitops/generate-files/templates/pm4ml/values-pm4ml.yaml.tpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/terraform/gitops/generate-files/templates/pm4ml/values-pm4ml.yaml.tpl b/terraform/gitops/generate-files/templates/pm4ml/values-pm4ml.yaml.tpl
index f9300feac..9748e84d9 100644
--- a/terraform/gitops/generate-files/templates/pm4ml/values-pm4ml.yaml.tpl
+++ b/terraform/gitops/generate-files/templates/pm4ml/values-pm4ml.yaml.tpl
@@ -215,7 +215,7 @@ ttk:
 ml-testing-toolkit-backend:
 image:
 repository: mojaloop/ml-testing-toolkit
- tag: v17.2.0
+ tag: v17.1.1
 ingress:
 enabled: false
 nameOverride: ttk-backend
From 2490c88a0b14727d4815ddb987742be77a26617c Mon Sep 17 00:00:00 2001
From: Kevin Leyow
Date: Fri, 7 Jun 2024 09:59:15 -0500
Subject: [PATCH 191/201] update services
---
 .../templates/mojaloop/values-mojaloop.yaml.tpl | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/terraform/gitops/generate-files/templates/mojaloop/values-mojaloop.yaml.tpl b/terraform/gitops/generate-files/templates/mojaloop/values-mojaloop.yaml.tpl
index b80edb2e3..c52a4756b 100644
--- a/terraform/gitops/generate-files/templates/mojaloop/values-mojaloop.yaml.tpl
+++ b/terraform/gitops/generate-files/templates/mojaloop/values-mojaloop.yaml.tpl
@@ -136,12 +136,12 @@ CONFIG:
 ml_api_adapter_image: &ML_API_ADAPTER_IMAGE
 registry: docker.io
 repository: mojaloop/ml-api-adapter
- tag: v14.1.0-snapshot.5
+ tag: v14.1.0-snapshot.9
 cl_image: &CL_IMAGE
 registry: docker.io
 repository: mojaloop/central-ledger
- tag: v17.7.0-snapshot.8
+ tag: v17.7.0-snapshot.11
 qs_image: &QS_IMAGE
 registry: docker.io
From b3a3185a67b6b655de1bd3c4108379e816717acb Mon Sep 17 00:00:00 2001
From: Kevin Leyow
Date: Fri, 7 Jun 2024 11:04:59 -0500
Subject: [PATCH 192/201] update tkk
---
 .../gitops/generate-files/templates/pm4ml/values-pm4ml.yaml.tpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/terraform/gitops/generate-files/templates/pm4ml/values-pm4ml.yaml.tpl b/terraform/gitops/generate-files/templates/pm4ml/values-pm4ml.yaml.tpl
index 9748e84d9..f9300feac 100644
--- a/terraform/gitops/generate-files/templates/pm4ml/values-pm4ml.yaml.tpl
+++ b/terraform/gitops/generate-files/templates/pm4ml/values-pm4ml.yaml.tpl
@@ -215,7 +215,7 @@ ttk:
 ml-testing-toolkit-backend:
 image:
 repository: mojaloop/ml-testing-toolkit
- tag: v17.1.1
+ tag: v17.2.0
 ingress:
 enabled: false
 nameOverride: ttk-backend
From 55c3aacbf722d6015b3664bbc86e118ec61853ac Mon Sep 17 00:00:00 2001
From: Kevin Leyow
Date: Fri, 7 Jun 2024 18:46:55 -0500
Subject: [PATCH 193/201] bump
---
 .../generate-files/templates/mojaloop/values-mojaloop.yaml.tpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/terraform/gitops/generate-files/templates/mojaloop/values-mojaloop.yaml.tpl b/terraform/gitops/generate-files/templates/mojaloop/values-mojaloop.yaml.tpl
index c52a4756b..0a06d9602 100644
--- a/terraform/gitops/generate-files/templates/mojaloop/values-mojaloop.yaml.tpl
+++ b/terraform/gitops/generate-files/templates/mojaloop/values-mojaloop.yaml.tpl
@@ -146,7 +146,7 @@ CONFIG:
 qs_image: &QS_IMAGE
 registry: docker.io
 repository: mojaloop/quoting-service
- tag: v15.8.0-snapshot.15
+ tag: v15.8.0-snapshot.20
 %{ else ~}
 ml_api_adapter_image: &ML_API_ADAPTER_IMAGE {}
 cl_image: &CL_IMAGE {}
From 6eb17dbe1d79e19925a6f291d5f0a472ba90aaaa Mon Sep 17 00:00:00 2001
From: Kevin Leyow
Date: Fri, 7 Jun 2024 19:59:28 -0500
Subject: [PATCH 194/201] bump
---
 .../generate-files/templates/mojaloop/values-mojaloop.yaml.tpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/terraform/gitops/generate-files/templates/mojaloop/values-mojaloop.yaml.tpl b/terraform/gitops/generate-files/templates/mojaloop/values-mojaloop.yaml.tpl
index 0a06d9602..47ba43788 100644
--- a/terraform/gitops/generate-files/templates/mojaloop/values-mojaloop.yaml.tpl
+++ b/terraform/gitops/generate-files/templates/mojaloop/values-mojaloop.yaml.tpl
@@ -146,7 +146,7 @@ CONFIG:
 qs_image: &QS_IMAGE
 registry: docker.io
 repository: mojaloop/quoting-service
- tag: v15.8.0-snapshot.20
+ tag: v15.8.0-snapshot.21
 %{ else ~}
 ml_api_adapter_image: &ML_API_ADAPTER_IMAGE {}
 cl_image: &CL_IMAGE {}
From 9c28e967ea1c1b216e1ea47be63ce96636602773 Mon Sep 17 00:00:00 2001
From: Kevin Leyow
Date: Sun, 9 Jun 2024 14:07:41 -0500
Subject: [PATCH 195/201] update charts
---
 terraform/k8s/default-config/cluster-config.yaml | 2 +-
 terraform/k8s/default-config/mojaloop-vars.yaml | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/terraform/k8s/default-config/cluster-config.yaml b/terraform/k8s/default-config/cluster-config.yaml
index 0c1bb0ff6..29309f77f 100644
--- a/terraform/k8s/default-config/cluster-config.yaml
+++ b/terraform/k8s/default-config/cluster-config.yaml
@@ -8,7 +8,7 @@ k8s_cluster_module: base-k8s
 cloud_region: eu-west-1
 k8s_cluster_type: microk8s
 ansible_collection_tag: v5.2.0
-iac_terraform_modules_tag: v5.2.0
+iac_terraform_modules_tag: v5.3.0-fx8
 letsencrypt_email: test@mojalabs.io
 dns_zone_force_destroy: true
 longhorn_backup_object_store_destroy: true
diff --git a/terraform/k8s/default-config/mojaloop-vars.yaml b/terraform/k8s/default-config/mojaloop-vars.yaml
index f4a683d6a..2b6fdbe16 100644
--- a/terraform/k8s/default-config/mojaloop-vars.yaml
+++ b/terraform/k8s/default-config/mojaloop-vars.yaml
@@ -2,8 +2,8 @@ bulk_enabled: false
 mojaloop_fx_enabled: true
 third_party_enabled: false
 mcm_chart_version: 0.7.7
-mojaloop_chart_version: 16.1.0-17831.79a97d4
-ttk_testcases_tag: 16.0.0
+mojaloop_chart_version: 16.2.0-18217.8e42727
+ttk_testcases_tag: 16.1.0-fx-snapshot
 mcm_ingress_internal_lb: false
 mojaloop_ingress_internal_lb: true
 finance_portal_ingress_internal_lb: true
From f04e25affc9943093eaac49bc50e99b14b81f299 Mon Sep 17 00:00:00 2001
From: Kevin Leyow
Date: Mon, 10 Jun 2024 13:02:19 -0500
Subject: [PATCH 196/201] revert quoting
---
 .../generate-files/templates/mojaloop/values-mojaloop.yaml.tpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/terraform/gitops/generate-files/templates/mojaloop/values-mojaloop.yaml.tpl b/terraform/gitops/generate-files/templates/mojaloop/values-mojaloop.yaml.tpl
index 47ba43788..c52a4756b 100644
--- a/terraform/gitops/generate-files/templates/mojaloop/values-mojaloop.yaml.tpl
+++ b/terraform/gitops/generate-files/templates/mojaloop/values-mojaloop.yaml.tpl
@@ -146,7 +146,7 @@ CONFIG:
 qs_image: &QS_IMAGE
 registry: docker.io
 repository: mojaloop/quoting-service
- tag: v15.8.0-snapshot.21
+ tag: v15.8.0-snapshot.15
 %{ else ~}
 ml_api_adapter_image: &ML_API_ADAPTER_IMAGE {}
 cl_image: &CL_IMAGE {}
From 6af5397f4d922066c5a57067fe32d4a2a41e70fd Mon Sep 17 00:00:00 2001
From: Kevin Leyow
Date: Mon, 10 Jun 2024 14:58:14 -0500
Subject: [PATCH 197/201] downgrade
---
 .../templates/mojaloop/values-mojaloop.yaml.tpl | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/terraform/gitops/generate-files/templates/mojaloop/values-mojaloop.yaml.tpl b/terraform/gitops/generate-files/templates/mojaloop/values-mojaloop.yaml.tpl
index c52a4756b..aa177768b 100644
--- a/terraform/gitops/generate-files/templates/mojaloop/values-mojaloop.yaml.tpl
+++ b/terraform/gitops/generate-files/templates/mojaloop/values-mojaloop.yaml.tpl
@@ -136,12 +136,12 @@ CONFIG:
 ml_api_adapter_image: &ML_API_ADAPTER_IMAGE
 registry: docker.io
 repository: mojaloop/ml-api-adapter
- tag: v14.1.0-snapshot.9
+ tag: v14.1.0-snapshot.5
 cl_image: &CL_IMAGE
 registry: docker.io
 repository: mojaloop/central-ledger
- tag: v17.7.0-snapshot.11
+ tag: v17.6.2-snapshot.0
 qs_image: &QS_IMAGE
 registry: docker.io
From eb8dedd371bd7570ab2f429df7c2ebcff1251623 Mon Sep 17 00:00:00 2001
From: Kevin Leyow
Date: Mon, 10 Jun 2024 15:32:19 -0500
Subject: [PATCH 198/201] undo
---
 .../generate-files/templates/mojaloop/values-mojaloop.yaml.tpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/terraform/gitops/generate-files/templates/mojaloop/values-mojaloop.yaml.tpl b/terraform/gitops/generate-files/templates/mojaloop/values-mojaloop.yaml.tpl
index aa177768b..7d2d915de 100644
--- a/terraform/gitops/generate-files/templates/mojaloop/values-mojaloop.yaml.tpl
+++ b/terraform/gitops/generate-files/templates/mojaloop/values-mojaloop.yaml.tpl
@@ -141,7 +141,7 @@ CONFIG:
 cl_image: &CL_IMAGE
 registry: docker.io
 repository: mojaloop/central-ledger
- tag: v17.6.2-snapshot.0
+ tag: v17.7.0-snapshot.11
 qs_image: &QS_IMAGE
 registry: docker.io
From 6ef9a772cf4477650bbc7ccda1d185ba9e32b6d1 Mon Sep 17 00:00:00 2001
From: Kevin Leyow
Date: Mon, 10 Jun 2024 17:40:43 -0500
Subject: [PATCH 199/201] bump
---
 .../generate-files/templates/mojaloop/values-mojaloop.yaml.tpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/terraform/gitops/generate-files/templates/mojaloop/values-mojaloop.yaml.tpl b/terraform/gitops/generate-files/templates/mojaloop/values-mojaloop.yaml.tpl
index 7d2d915de..c52a4756b 100644
--- a/terraform/gitops/generate-files/templates/mojaloop/values-mojaloop.yaml.tpl
+++ b/terraform/gitops/generate-files/templates/mojaloop/values-mojaloop.yaml.tpl
@@ -136,7 +136,7 @@ CONFIG:
 ml_api_adapter_image: &ML_API_ADAPTER_IMAGE
 registry: docker.io
 repository: mojaloop/ml-api-adapter
- tag: v14.1.0-snapshot.5
+ tag: v14.1.0-snapshot.9
 cl_image: &CL_IMAGE
 registry: docker.io
From 4921d79c305ad4c2371ce7d4fb1b56c49237d373 Mon Sep 17 00:00:00 2001
From: Kevin Leyow
Date: Wed, 12 Jun 2024 09:30:52 -0500
Subject: [PATCH 200/201] bump services
---
 .../generate-files/templates/mojaloop/values-mojaloop.yaml.tpl | 2 +-
 terraform/k8s/default-config/mojaloop-vars.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/terraform/gitops/generate-files/templates/mojaloop/values-mojaloop.yaml.tpl b/terraform/gitops/generate-files/templates/mojaloop/values-mojaloop.yaml.tpl
index c52a4756b..47ba43788 100644
--- a/terraform/gitops/generate-files/templates/mojaloop/values-mojaloop.yaml.tpl
+++ b/terraform/gitops/generate-files/templates/mojaloop/values-mojaloop.yaml.tpl
@@ -146,7 +146,7 @@ CONFIG:
 qs_image: &QS_IMAGE
 registry: docker.io
 repository: mojaloop/quoting-service
- tag: v15.8.0-snapshot.15
+ tag: v15.8.0-snapshot.21
 %{ else ~}
 ml_api_adapter_image: &ML_API_ADAPTER_IMAGE {}
 cl_image: &CL_IMAGE {}
diff --git a/terraform/k8s/default-config/mojaloop-vars.yaml b/terraform/k8s/default-config/mojaloop-vars.yaml
index 2b6fdbe16..ff0a45a27 100644
--- a/terraform/k8s/default-config/mojaloop-vars.yaml
+++ b/terraform/k8s/default-config/mojaloop-vars.yaml
@@ -2,7 +2,7 @@ bulk_enabled: false
 mojaloop_fx_enabled: true
 third_party_enabled: false
 mcm_chart_version: 0.7.7
-mojaloop_chart_version: 16.2.0-18217.8e42727
+mojaloop_chart_version: 16.2.0-18225.553bc50
 ttk_testcases_tag: 16.1.0-fx-snapshot
 mcm_ingress_internal_lb: false
 mojaloop_ingress_internal_lb: true
From ca02c3d994f69a838596a416bd50d56d32b1c3e3 Mon Sep 17 00:00:00 2001
From: Kevin Leyow
Date: Wed, 12 Jun 2024 10:59:40 -0500
Subject: [PATCH 201/201] downgrade quoting
---
 .../generate-files/templates/mojaloop/values-mojaloop.yaml.tpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/terraform/gitops/generate-files/templates/mojaloop/values-mojaloop.yaml.tpl b/terraform/gitops/generate-files/templates/mojaloop/values-mojaloop.yaml.tpl
index 47ba43788..c52a4756b 100644
--- a/terraform/gitops/generate-files/templates/mojaloop/values-mojaloop.yaml.tpl
+++ b/terraform/gitops/generate-files/templates/mojaloop/values-mojaloop.yaml.tpl
@@ -146,7 +146,7 @@ CONFIG:
 qs_image: &QS_IMAGE
 registry: docker.io
 repository: mojaloop/quoting-service
- tag: v15.8.0-snapshot.21
+ tag: v15.8.0-snapshot.15
 %{ else ~}
 ml_api_adapter_image: &ML_API_ADAPTER_IMAGE {}
 cl_image: &CL_IMAGE {}