Merge branch 'master' into feature/statisk-data-forvalter-kodeverk-proxy

Author: stigus

.github/workflows/app.altinn3-tilgang-service-prod.yml

@@ -0,0 +1,24 @@
+name: altinn3-tilgang-service-prod
+
+on:
+  push:
+    paths:
+      - "plugins/**"
+      - "libs/reactive-core/**"
+      - "libs/reactive-security/**"
+      - "apps/altinn3-tilgang-service/**"
+      - ".github/workflows/app.altinn3-tilgang-service.yml"
+
+jobs:
+  workflow:
+    uses: ./.github/workflows/common.workflow.backend.yml
+    with:
+      working-directory: "apps/altinn3-tilgang-service"
+      deploy-tag: "#deploy-altinn3-tilgang-service-prod"
+      nais-manifest: "config.prod.yml"
+      cluster: "prod-gcp"
+    permissions:
+      contents: read
+      id-token: write
+    secrets: inherit
+

.github/workflows/app.altinn3-tilgang-service.yml

@@ -0,0 +1,23 @@
+name: altinn3-tilgang-service
+
+on:
+  push:
+    paths:
+      - "plugins/**"
+      - "libs/reactive-core/**"
+      - "libs/reactive-security/**"
+      - "apps/altinn3-tilgang-service/**"
+      - ".github/workflows/app.altinn3-tilgang-service.yml"
+
+jobs:
+  workflow:
+    uses: ./.github/workflows/common.workflow.backend.yml
+    with:
+      working-directory: "apps/altinn3-tilgang-service"
+      deploy-tag: "#deploy-altinn3-tilgang-service"
+      nais-manifest: "config.dev.yml"
+    permissions:
+      contents: read
+      id-token: write
+    secrets: inherit
+

apps/adresse-service/src/main/resources/application-local.yml

@@ -0,0 +1,7 @@
+AZURE_APP_CLIENT_ID: ${sm://azure-app-client-id}
+AZURE_APP_CLIENT_SECRET: ${sm://azure-app-client-secret}
+TOKEN_X_CLIENT_ID: dev-gcp:dolly:testnav-adresse-service
+
+spring:
+  config:
+    import: "sm://"

apps/adresse-service/src/main/resources/application.yaml apps/adresse-service/src/main/resources/application.yml

@@ -0,0 +1,6 @@
+#!/usr/bin/env sh
+
+#
+# Converts NAIS provided key.pem to PKCS#8 PEM format, which can be used by R2dbc.
+#
+openssl pkey -in /var/run/secrets/nais.io/sqlcertificate/key.pem -out /tmp/pk8.pem

apps/altinn3-tilgang-service/99-dolly-convert-to-pk8.sh

@@ -0,0 +1,9 @@
+FROM ghcr.io/navikt/baseimages/temurin:21
+LABEL maintainer="Team Dolly"
+
+ENV JAVA_OPTS="--add-opens java.base/java.lang=ALL-UNNAMED"
+
+COPY 99-dolly-convert-to-pk8.sh /init-scripts/
+COPY /build/libs/app.jar /app/
+
+EXPOSE 8080

apps/altinn3-tilgang-service/Dockerfile

@@ -0,0 +1,17 @@
+## altinn3-tilgang-service
+
+Service som godkjenner tilganger for en spesifisert organisasjoner mot Dolly ved bruk av bankid.
+
+## Swagger
+
+Swagger finnes under [/swagger-ui.html](https://testnav-altinn3-tilgang-service.intern.dev.nav.no/swagger-ui.html)
+-endepunktet til applikasjonen.
+
+## Lokal kjøring
+
+Ha naisdevice kjørende og kjør Altinn3TilgangServiceApplicationStarter med følgende argumenter:
+
+``` 
+-Dspring.profiles.active=local
+-Dspring.cloud.vault.token=[vault-token]
+```

apps/altinn3-tilgang-service/README.md

@@ -0,0 +1,38 @@
+plugins {
+    id "dolly-apps"
+}
+
+sonarqube {
+    properties {
+        property "sonar.projectKey", "testnav-altinn3-tilgang-service"
+        property "sonar.projectName", "testnav-altinn3-tilgang-service"
+    }
+}
+
+dependencies {
+    implementation "com.google.cloud:spring-cloud-gcp-starter-secretmanager:$versions.gcpSecretManager"
+
+    implementation "no.nav.testnav.libs:reactive-core"
+    implementation "no.nav.testnav.libs:reactive-security"
+    implementation "no.nav.testnav.libs:vault"
+
+    implementation "org.springframework.boot:spring-boot-starter-data-r2dbc"
+    implementation "org.springframework.boot:spring-boot-starter-oauth2-resource-server"
+    implementation "org.springframework.boot:spring-boot-starter-security"
+
+    implementation "org.flywaydb:flyway-core"
+    implementation "org.flywaydb:flyway-database-postgresql"
+
+    runtimeOnly "org.postgresql:postgresql"
+    runtimeOnly "org.postgresql:r2dbc-postgresql"
+
+    implementation "ma.glasnost.orika:orika-core:$versions.orika"
+
+    implementation "io.micrometer:micrometer-registry-prometheus"
+    implementation "org.springdoc:springdoc-openapi-starter-webflux-ui:$versions.springdoc"
+    implementation "io.swagger.core.v3:swagger-annotations-jakarta:$versions.swagger"
+
+    implementation "io.r2dbc:r2dbc-h2"
+    testRuntimeOnly "com.h2database:h2"
+}
+

apps/altinn3-tilgang-service/build.gradle

@@ -0,0 +1,80 @@
+apiVersion: "nais.io/v1alpha1"
+kind: "Application"
+metadata:
+  name: testnav-altinn3-tilgang-service
+  namespace: dolly
+  labels:
+    team: dolly
+spec:
+  tokenx:
+    enabled: true
+  image: "{{image}}"
+  port: 8080
+  azure:
+    application:
+      enabled: true
+      tenant: nav.no
+      claims:
+        groups:
+          - id: 9c7efec1-1599-4216-a67e-6fd53a6a951c
+  maskinporten:
+    enabled: true
+    scopes:
+      consumes:
+        - name: altinn:resourceregistry/accesslist.read
+        - name: altinn:resourceregistry/accesslist.write
+  accessPolicy:
+    inbound:
+      rules:
+        - application: dolly-frontend
+        - application: dolly-frontend-dev
+        - application: dolly-frontend-dev-unstable
+        - application: dolly-idporten
+        - application: team-dolly-lokal-app
+        - application: testnav-oversikt-frontend
+    outbound:
+      external:
+        - host: platform.tt02.altinn.no
+        - host: data.brreg.no
+  liveness:
+    path: /internal/isAlive
+    initialDelay: 10
+    periodSeconds: 5
+    failureThreshold: 500
+  observability:
+    logging:
+      destinations:
+        - id: elastic
+    autoInstrumentation:
+      enabled: true
+      runtime: java
+  readiness:
+    path: /internal/isReady
+    initialDelay: 10
+    periodSeconds: 5
+    failureThreshold: 500
+  prometheus:
+    enabled: true
+    path: /internal/metrics
+  replicas:
+    min: 1
+    max: 1
+  resources:
+    requests:
+      cpu: 200m
+      memory: 1024Mi
+    limits:
+      memory: 2048Mi
+  env:
+    - name: SPRING_PROFILES_ACTIVE
+      value: dev
+  ingresses:
+    - "https://testnav-altinn3-tilgang-service.intern.dev.nav.no"
+  gcp:
+    sqlInstances:
+      - type: POSTGRES_16
+        tier: db-custom-1-3840
+        name: testnav-altinn3-tilgang
+        databases:
+          - name: testnav-altinn3-tilgang
+        autoBackupHour: 2

apps/altinn3-tilgang-service/config.dev.yml

@@ -0,0 +1,86 @@
+apiVersion: "nais.io/v1alpha1"
+kind: "Application"
+metadata:
+  name: testnav-altinn3-tilgang-service-prod
+  namespace: dolly
+  labels:
+    team: dolly
+spec:
+  tokenx:
+    enabled: true
+  image: "{{image}}"
+  port: 8080
+  azure:
+    application:
+      enabled: true
+      tenant: nav.no
+      claims:
+        groups:
+          - id: 9c7efec1-1599-4216-a67e-6fd53a6a951c
+  maskinporten:
+    enabled: true
+    scopes:
+      consumes:
+        - name: altinn:resourceregistry/accesslist.read
+        - name: altinn:resourceregistry/accesslist.write
+  accessPolicy:
+    inbound:
+      rules:
+        - application: dolly-frontend
+          cluster: dev-gcp
+        - application: dolly-frontend-dev
+          cluster: dev-gcp
+        - application: dolly-frontend-dev-unstable
+          cluster: dev-gcp
+        - application: dolly-idporten
+          cluster: dev-gcp
+        - application: team-dolly-lokal-app
+          cluster: dev-gcp
+        - application: testnav-oversikt-frontend
+          cluster: dev-gcp
+    outbound:
+      external:
+        - host: platform.altinn.no
+        - host: data.brreg.no
+  liveness:
+    path: /internal/isAlive
+    initialDelay: 10
+    periodSeconds: 5
+    failureThreshold: 500
+  observability:
+    logging:
+      destinations:
+        - id: elastic
+    autoInstrumentation:
+      enabled: true
+      runtime: java
+  readiness:
+    path: /internal/isReady
+    initialDelay: 10
+    periodSeconds: 5
+    failureThreshold: 500
+  prometheus:
+    enabled: true
+    path: /internal/metrics
+  replicas:
+    min: 1
+    max: 1
+  resources:
+    requests:
+      cpu: 200m
+      memory: 1024Mi
+    limits:
+      memory: 2048Mi
+  env:
+    - name: SPRING_PROFILES_ACTIVE
+      value: prod
+  ingresses:
+    - "https://testnav-altinn3-tilgang-service.nav.no"
+  gcp:
+    sqlInstances:
+      - type: POSTGRES_16
+        tier: db-custom-1-3840
+        name: testnav-altinn3-tilgang
+        databases:
+          - name: testnav-altinn3-tilgang
+        autoBackupHour: 2

apps/altinn3-tilgang-service/config.prod.yml

@@ -0,0 +1,5 @@
+distributionBase=GRADLE_USER_HOME
+distributionPath=wrapper/dists
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.7-bin.zip
+zipStoreBase=GRADLE_USER_HOME
+zipStorePath=wrapper/dists