Legg til deploy og nais filer (#1)

Init

Author: MagnusTonnessen

.deploy/nais/nais-preprod.yaml

@@ -0,0 +1,73 @@
+apiVersion: "nais.io/v1alpha1"
+kind: "Application"
+metadata:
+  name: familie-ks-barnehagelister
+  namespace: teamfamilie
+  labels:
+    team: teamfamilie
+  annotations:
+    nais.io/restricted: "true"
+
+spec:
+  image: {{ image }}
+  port: 8096
+  liveness:
+    path: /internal/health/liveness
+    initialDelay: 30
+    failureThreshold: 10
+  readiness:
+    path: /internal/health/readiness
+    initialDelay: 30
+    failureThreshold: 10
+  prometheus:
+    enabled: true
+    path: /internal/prometheus
+  vault:
+    enabled: false
+  replicas:
+    min: 1
+    max: 2
+  resources:
+    limits:
+      memory: 2048Mi
+    requests:
+      memory: 1024Mi
+      cpu: 200m
+  secureLogs:
+    enabled: true
+  ingresses: # Optional. List of ingress URLs that will route HTTP traffic to the application.
+    - https://familie-ks-barnehagelister.intern.dev.nav.no
+    - https://familie-ks-barnehagelister.ekstern.dev.nav.no
+  maskinporten:
+    enabled: true
+    scopes:
+      exposes:
+        - name: "v1/kontantstotte/barnehagelister"
+          enabled: true
+          product: "familie"
+          allowedIntegrations:
+            - maskinporten
+          atMaxAge: 680
+          consumers:
+            - name: "NAV"
+              orgno: "889640782"
+      consumes:
+        - name: "nav:familie/v1/kontantstotte/barnehagelister"
+  accessPolicy:
+    outbound:
+      rules:
+        - application: familie-ks-sak
+          cluster: dev-gcp
+  observability:
+    logging:
+      destinations:
+        - id: loki
+        - id: elastic
+    autoInstrumentation:
+      enabled: true
+      runtime: java
+  env:
+    - name: SPRING_PROFILES_ACTIVE
+      value: preprod
+    - name: JAVA_OPTS
+      value: "-Xmx1g"

.deploy/nais/nais-prod.yaml

@@ -0,0 +1,73 @@
+apiVersion: "nais.io/v1alpha1"
+kind: "Application"
+metadata:
+  name: familie-ks-barnehagelister
+  namespace: teamfamilie
+  labels:
+    team: teamfamilie
+  annotations:
+    nais.io/restricted: "true"
+
+spec:
+  image: {{ image }}
+  port: 8096
+  liveness:
+    path: /internal/health/liveness
+    initialDelay: 30
+    failureThreshold: 10
+  readiness:
+    path: /internal/health/readiness
+    initialDelay: 30
+    failureThreshold: 10
+  prometheus:
+    enabled: true
+    path: /internal/prometheus
+  vault:
+    enabled: false
+  replicas:
+    min: 1
+    max: 2
+  resources:
+    limits:
+      memory: 2048Mi
+    requests:
+      memory: 1024Mi
+      cpu: 200m
+  secureLogs:
+    enabled: true
+  ingresses: # Optional. List of ingress URLs that will route HTTP traffic to the application.
+    - https://familie-ks-barnehagelister.intern.nav.no
+    - https://familie-ks-barnehagelister.nav.no
+  maskinporten:
+    enabled: true
+    scopes:
+      exposes:
+        - name: "v1/kontantstotte/barnehagelister"
+          enabled: true
+          product: "familie"
+          allowedIntegrations:
+            - maskinporten
+          atMaxAge: 680
+          consumers:
+            - name: "NAV"
+              orgno: "889640782"
+      consumes:
+        - name: "nav:familie/v1/kontantstotte/barnehagelister"
+  accessPolicy:
+    outbound:
+      rules:
+        - application: familie-ks-sak
+          cluster: prod-gcp
+  observability:
+    logging:
+      destinations:
+        - id: loki
+        - id: elastic
+    autoInstrumentation:
+      enabled: true
+      runtime: java
+  env:
+    - name: SPRING_PROFILES_ACTIVE
+      value: prod
+    - name: JAVA_OPTS
+      value: "-Xmx1g"

.github/workflows/CodeQl.yml

@@ -0,0 +1,51 @@
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ "main"]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ "main" ]
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'java' ]
+      
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v3
+      with:
+        languages: ${{ matrix.language }}
+
+    - uses: actions/setup-java@v4
+      with:
+        java-version: 21
+        distribution: 'temurin'
+        cache: 'maven'
+    
+    - name: Bygg med maven
+      env:
+        GITHUB_USERNAME: x-access-token
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      run: |
+        mvn -B --no-transfer-progress package --settings .m2/maven-settings.xml --file pom.xml
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v3
+      with:
+        category: "/language:${{matrix.language}}"

.github/workflows/build-and-deploy-prod.yml

@@ -0,0 +1,46 @@
+name: Build-Deploy-Prod
+on:
+  push:
+    branches:
+      - 'main'
+env:
+  IMAGE: ghcr.io/navikt/familie-ks-barnehagelister:${{ github.sha }}
+  IMAGE_LATEST: ghcr.io/navikt/familie-ks-barnehagelister:latest
+jobs:
+  deploy:
+    name: Bygg app/image, push til github, deploy til dev-fss/prod-fss
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-java@v4
+        with:
+          java-version: 21
+          distribution: 'temurin'
+          cache: 'maven'
+      - name: Bygg med maven
+        env:
+          GITHUB_USERNAME: x-access-token
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          mvn -B --no-transfer-progress package --settings .m2/maven-settings.xml --file pom.xml
+
+      - uses: nais/docker-build-push@v0
+        id: docker-push
+        with:
+          team: teamfamilie
+          push_image: true
+          dockerfile: Dockerfile
+          docker_context: .
+          project_id: ${{ vars.NAIS_MANAGEMENT_PROJECT_ID }}
+          identity_provider: ${{ secrets.NAIS_WORKLOAD_IDENTITY_PROVIDER }}
+          byosbom: target/classes/META-INF/sbom/application.cdx.json
+
+      - name: Deploy til prod-gcp
+        uses: nais/deploy/actions/deploy@v2
+        env:
+          CLUSTER: prod-gcp
+          RESOURCE: .deploy/nais/nais-prod.yaml
+          IMAGE: ${{ steps.docker-push.outputs.image }}

.github/workflows/build-and-deploy.yml

@@ -0,0 +1,83 @@
+name: Build-Deploy-Preprod
+on:
+  pull_request:
+    types: [ opened, synchronize, reopened, ready_for_review ]
+  workflow_dispatch:
+env:
+  IMAGE: ghcr.io/navikt/familie-ks-barnehagelister:${{ github.sha }}
+jobs:
+  ktlint:
+    name: Ktlint
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - uses: actions/setup-java@v4
+        with:
+          java-version: 21
+          distribution: 'temurin'
+          cache: 'maven'
+      - name: Kjør ktlint
+        env:
+          GITHUB_USERNAME: x-access-token
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          mvn antrun:run@ktlint
+  deploy:
+    name: Bygg app/image, push til github, deploy til dev-fss/prod-fss
+    runs-on: ubuntu-latest
+    permissions:
+      packages: write
+      pull-requests: write
+      contents: read
+      id-token: write
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-java@v4
+        with:
+          java-version: 21
+          distribution: 'temurin'
+          cache: 'maven'
+      - name: Bygg med maven
+        env:
+          GITHUB_USERNAME: x-access-token
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          mvn -B --no-transfer-progress package --settings .m2/maven-settings.xml --file pom.xml
+
+      - uses: nais/docker-build-push@v0
+        id: docker-push
+        if: github.event.pull_request.user.login != 'dependabot[bot]'
+        with:
+          team: teamfamilie
+          push_image: true
+          dockerfile: Dockerfile
+          docker_context: .
+          project_id: ${{ vars.NAIS_MANAGEMENT_PROJECT_ID }}
+          identity_provider: ${{ secrets.NAIS_WORKLOAD_IDENTITY_PROVIDER }}
+          byosbom: target/classes/META-INF/sbom/application.cdx.json
+
+      - name: Deploy til dev-gcp
+        if: github.event.pull_request.user.login != 'dependabot[bot]'
+        uses: nais/deploy/actions/deploy@v2
+        env:
+          CLUSTER: dev-gcp
+          RESOURCE: .deploy/nais/nais-preprod.yaml
+          IMAGE: ${{ steps.docker-push.outputs.image }}
+
+      - name: Dependabot metadata
+        if: github.event.pull_request.user.login == 'dependabot[bot]'
+        id: metadata
+        uses: dependabot/fetch-metadata@v2
+        with:
+          github-token: "${{ secrets.GITHUB_TOKEN }}"
+
+      - name: Approve a PR
+        if: github.event.pull_request.user.login == 'dependabot[bot]'
+        run: gh pr review --approve "$PR_URL"
+        env:
+          PR_URL: ${{github.event.pull_request.html_url}}
+          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}

.gitignore

@@ -22,3 +22,6 @@
 # virtual machine crash logs, see http://www.java.com/en/download/help/error_hotspot.xml
 hs_err_pid*
 replay_pid*
+
+.idea
+target

.m2/maven-settings.xml

@@ -0,0 +1,14 @@
+<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0"
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0
+                      http://maven.apache.org/xsd/settings-1.0.0.xsd">
+
+  <servers>
+    <server>
+      <id>github</id>
+      <username>${GITHUB_USERNAME}</username>
+      <password>${GITHUB_TOKEN}</password>
+    </server>
+  </servers>
+
+</settings>

Dockerfile

@@ -0,0 +1,13 @@
+FROM busybox:1.36.1-uclibc as busybox
+
+# Final image
+FROM gcr.io/distroless/java21:nonroot
+COPY --from=busybox /bin/printenv /bin/printenv
+COPY --chown=nonroot:nonroot ./target/familie-ks-barnehagelister.jar /app/app.jar
+WORKDIR /app
+
+ENV APP_NAME=familie-ks-barnehagelister
+ENV TZ="Europe/Oslo"
+# TLS Config works around an issue in OpenJDK... See: https://github.com/kubernetes-client/java/issues/854
+ENTRYPOINT [ "java", "-Djdk.tls.client.protocols=TLSv1.2", "-jar", "/app/app.jar" ]
+