Merge branch 'dev' into dependabot/maven/org.apache.avro-avro-1.12.0

Author: sneha-d-desai

.github/workflows/deploy-opensearch-dev.yaml .github/workflows/deploy-opensearch-prod.yaml

@@ -1,4 +1,4 @@
-name: Deploy opensearch til Dev
+name: Deploy opensearch til Prod
 on:
   workflow_dispatch:
 
@@ -13,5 +13,5 @@ jobs:
       - uses: actions/checkout@v4
       - uses: nais/deploy/actions/deploy@v2
         env:
-          CLUSTER: dev-gcp
-          RESOURCE: ".nais/application/opensearch-dev.yaml"
+          CLUSTER: prod-gcp
+          RESOURCE: ".nais/application/gcp/opensearch-prod.yaml"

.github/workflows/main-gcp.yml

@@ -0,0 +1,103 @@
+name: Build, push and deploy GCP
+on: push
+env:
+  IMAGE_TAG: ${{ github.sha }}
+  PRINT_PAYLOAD: true
+permissions:
+  packages: write
+  contents: write
+  id-token: write
+jobs:
+  test:
+    name: Run tests
+    runs-on: ubuntu-latest
+    if: github.ref != 'refs/heads/flytte-til-gcp'
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Java
+        uses: actions/setup-java@v4
+        with:
+          java-version: 21
+          distribution: 'temurin'
+          cache: 'maven'
+
+      - name: Run maven tests
+        env:
+          MAVEN_OPTS: -Xss1024M -Xmx2048M
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: mvn -B verify
+
+  build-and-push:
+    name: Build and push
+    runs-on: ubuntu-latest
+    if: github.ref == 'refs/heads/dev' || github.ref == 'refs/heads/flytte-til-gcp'
+    outputs:
+      image: ${{ steps.docker-build-push.outputs.image }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Java
+        uses: actions/setup-java@v4
+        with:
+          java-version: 21
+          distribution: 'temurin'
+          cache: 'maven'
+
+      - name: Build maven artifacts
+        run: mvn -Dgithub.token=${{ secrets.GITHUB_TOKEN }} -B package -D skipTests
+
+      - name: Build and push Docker image
+        uses: nais/docker-build-push@v0
+        id: docker-build-push
+        with:
+          team: obo
+          identity_provider: ${{ secrets.NAIS_WORKLOAD_IDENTITY_PROVIDER }}
+          project_id: ${{ vars.NAIS_MANAGEMENT_PROJECT_ID }}
+
+  deploy-dev:
+    name: Deploy application to dev gcp
+    if: github.ref == 'refs/heads/dev' || github.ref == 'refs/heads/flytte-til-gcp'
+    needs: build-and-push
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Deploy application
+        uses: nais/deploy/actions/deploy@v2
+        env:
+          CLUSTER: dev-gcp
+          RESOURCE: .nais/application/gcp/application-config-dev.yaml
+          VAR: image=${{ needs.build-and-push.outputs.image }}
+
+  deploy-prod:
+    name: Deploy application to prod gcp
+    if: github.ref == 'refs/heads/flytte-til-gcp'
+    needs: build-and-push
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Deploy application
+        uses: nais/deploy/actions/deploy@v2
+        env:
+          CLUSTER: prod-gcp
+          RESOURCE: .nais/application/gcp/application-config-prod.yaml
+          VAR: image=${{ needs.build-and-push.outputs.image }}
+
+  release-prod:
+    name: Create prod release
+    needs: deploy-prod
+    runs-on: ubuntu-latest
+    steps:
+      - name: Create release
+        uses: softprops/action-gh-release@v2
+        with:
+          name: Release to prod
+          target_commitish: master
+          tag_name: release/prod@${{ env.IMAGE_TAG }}
+          prerelease: false

.nais/application/gcp/application-config-dev.yaml

@@ -0,0 +1,136 @@
+# ref https://raw.githubusercontent.com/nais/naiserator/master/examples/nais-max.yaml
+apiVersion: "nais.io/v1alpha1"
+kind: "Application"
+metadata:
+  name: veilarbportefolje
+  namespace: obo
+  labels:
+    team: obo
+spec:
+  image: {{image}}
+  replicas:
+    min: 1
+    max: 3
+    cpuThresholdPercentage: 50
+  port: 8080
+  ingresses:
+    - https://veilarbportefolje.intern.dev.nav.no
+  webproxy: true
+  leaderElection: true
+  secureLogs:
+    enabled: true
+  kafka:
+    pool: nav-dev
+  envFrom:
+    - secret: veilarbportefolje-unleash-api-token
+  liveness:
+    path: veilarbportefolje/internal/isAlive
+    initialDelay: 60
+    timeout: 10
+  readiness:
+    path: veilarbportefolje/internal/isReady
+    initialDelay: 60
+    timeout: 10
+  prometheus:
+    enabled: true
+    path: veilarbportefolje/internal/prometheus
+  openSearch:
+    access: admin
+    instance: veilarbportefolje
+  gcp:
+    sqlInstances:
+      - type: POSTGRES_15
+        tier: db-f1-micro
+        databases:
+          - name: veilarbportefolje
+            envVarPrefix: DB
+  azure:
+    application:
+      allowAllUsers: true
+      enabled: true
+      claims:
+        extra:
+          - NAVident
+          - azp_name
+  accessPolicy:
+    inbound:
+      rules:
+        - application: veilarbportefoljeflatefs
+          namespace: obo
+          cluster: dev-gcp
+        - application: veilarbpersonflate
+          namespace: poao
+          cluster: dev-gcp
+        - application: pto-admin
+          namespace: pto
+          cluster: dev-fss
+        - application: azure-token-generator
+          namespace: aura
+          cluster: dev-gcp
+    outbound:
+      rules:
+        - application: kodeverk-api
+          namespace: team-rocket
+        - application: pdl-api
+          namespace: pdl
+          cluster: dev-fss
+        - application: veilarbvedtaksstotte
+          namespace: pto
+          cluster: dev-fss
+        - application: veilarbarena
+          namespace: pto
+          cluster: dev-fss
+        - application: veilarbveileder
+          namespace: pto
+          cluster: dev-fss
+        - application: poao-tilgang
+          namespace: poao
+      external:
+        - host: team-obo-unleash-api.nav.cloud.nais.io
+        - host: pdl-api.dev-fss-pub.nais.io
+        - host: veilarboppfolging.dev-fss-pub.nais.io
+        - host: veilarbvedtaksstotte.dev-fss-pub.nais.io
+        - host: veilarbveileder.dev-fss-pub.nais.io
+        - host: veilarbarena.dev-fss-pub.nais.io
+  resources:
+    limits:
+      cpu: "4"
+      memory: 8Gi
+    requests:
+      cpu: "1"
+      memory: 4Gi
+  env:
+    - name: JAVA_OPTS
+      value: "-Xms4098m -Xmx8096m --illegal-access=permit --add-opens=java.base/java.lang=ALL-UNNAMED"
+    - name: VEILARBOPPFOLGING_URL
+      value: "https://veilarboppfolging.dev-fss-pub.nais.io/veilarboppfolging"
+    - name: VEILARBOPPFOLGING_TOKEN_SCOPE
+      value: "api://dev-fss.pto.veilarboppfolging/.default"
+    - name: VEILARBVEDTAKSSTOTTE_URL
+      value: "https://veilarbvedtaksstotte.dev-fss-pub.nais.io/veilarbvedtaksstotte"
+    - name: VEILARBVEDTAKSSTOTTE_TOKEN_SCOPE
+      value: "api://dev-fss.pto.veilarbvedtaksstotte/.default"
+    - name: VEILARBVEILEDER_URL
+      value: "https://veilarbveileder.dev-fss-pub.nais.io/veilarbveileder"
+    - name: VEILARBVEILEDER_TOKEN_SCOPE
+      value: "api://dev-fss.pto.veilarbveileder/.default"
+    - name: VEILARBARENA_URL
+      value: "https://veilarbarena.dev-fss-pub.nais.io/veilarbarena"
+    - name: VEILARBARENA_TOKEN_SCOPE
+      value: "api://dev-fss.pto.veilarbarena/.default"
+    - name: PDL_URL
+      value: "https://pdl-api.dev-fss-pub.nais.io"
+    - name: PDL_TOKEN_SCOPE
+      value: "api://dev-fss.pdl.pdl-api/.default"
+    - name: POAO_TILGANG_URL
+      value: "http://poao-tilgang.poao"
+    - name: POAO_TILGANG_TOKEN_SCOPE
+      value: "api://dev-gcp.poao.poao-tilgang/.default"
+    - name: KODEVERK_URL
+      value: "https://kodeverk-api.intern.dev.nav.no"
+    - name: KODEVERK_SCOPE
+      value: "api://dev-gcp.team-rocket.kodeverk-api/.default"
+    - name: OPPSLAG_ARBEIDSSOEKERREGISTERET_URL
+      value: "http://paw-arbeidssoekerregisteret-api-oppslag.paw"
+    - name: OPPSLAG_ARBEIDSSOEKERREGISTERET_SCOPE
+      value: "api://dev-gcp.paw.paw-arbeidssoekerregisteret-api-oppslag/.default"

.nais/application/gcp/application-config-prod.yaml

@@ -0,0 +1,131 @@
+# ref https://raw.githubusercontent.com/nais/naiserator/master/examples/nais-max.yaml
+apiVersion: "nais.io/v1alpha1"
+kind: "Application"
+metadata:
+  name: veilarbportefolje
+  namespace: obo
+  labels:
+    team: obo
+spec:
+  image: {{image}}
+  replicas:
+    min: 3
+    max: 3
+    cpuThresholdPercentage: 50
+  port: 8080
+  ingresses:
+    - https://veilarbportefolje.intern.nav.no
+  webproxy: true
+  leaderElection: true
+  secureLogs:
+    enabled: true
+  kafka:
+    pool: nav-prod
+  envFrom:
+    - secret: veilarbportefolje-unleash-api-token
+  liveness:
+    path: veilarbportefolje/internal/isAlive
+    initialDelay: 60
+    timeout: 10
+  readiness:
+    path: veilarbportefolje/internal/isReady
+    initialDelay: 60
+    timeout: 10
+  prometheus:
+    enabled: true
+    path: veilarbportefolje/internal/prometheus
+  openSearch:
+    access: admin
+    instance: veilarbportefolje
+  gcp:
+    sqlInstances:
+      - type: POSTGRES_15
+        tier: db-custom-1-4096
+        databases:
+          - name: veilarbportefolje
+            envVarPrefix: DB
+  azure:
+    application:
+      allowAllUsers: true
+      enabled: true
+      claims:
+        extra:
+          - NAVident
+          - azp_name
+  accessPolicy:
+    inbound:
+      rules:
+        - application: veilarbportefoljeflatefs
+          namespace: obo
+        - application: veilarbpersonflate
+          namespace: poao
+        - application: pto-admin
+          namespace: pto
+          cluster: prod-fss
+    outbound:
+      rules:
+        - application: kodeverk-api
+          namespace: team-rocket
+        - application: pdl-api
+          namespace: pdl
+          cluster: dev-fss
+        - application: veilarbvedtaksstotte
+          namespace: pto
+          cluster: dev-fss
+        - application: veilarbarena
+          namespace: pto
+          cluster: dev-fss
+        - application: veilarbveileder
+          namespace: pto
+          cluster: dev-fss
+        - application: poao-tilgang
+          namespace: poao
+      external:
+        - host: team-obo-unleash-api.nav.cloud.nais.io
+        - host: pdl-api.dev-fss-pub.nais.io
+        - host: veilarboppfolging.dev-fss-pub.nais.io
+        - host: veilarbvedtaksstotte.dev-fss-pub.nais.io
+        - host: veilarbveileder.dev-fss-pub.nais.io
+        - host: veilarbarena.dev-fss-pub.nais.io
+  resources:
+    limits:
+      cpu: "4"
+      memory: 10Gi
+    requests:
+      cpu: "1"
+      memory: 4Gi
+  env:
+    - name: JAVA_OPTS
+      value: "-Xms4096m -Xmx10144m --illegal-access=permit --add-opens=java.base/java.lang=ALL-UNNAMED"
+    - name: VEILARBOPPFOLGING_URL
+      value: "https://veilarboppfolging.prod-fss-pub.nais.io/veilarboppfolging"
+    - name: VEILARBOPPFOLGING_TOKEN_SCOPE
+      value: "api://prod-fss.pto.veilarboppfolging/.default"
+    - name: VEILARBVEDTAKSSTOTTE_URL
+      value: "https://veilarbvedtaksstotte.prod-fss-pub.nais.io/veilarbvedtaksstotte"
+    - name: VEILARBVEDTAKSSTOTTE_TOKEN_SCOPE
+      value: "api://prod-fss.pto.veilarbvedtaksstotte/.default"
+    - name: VEILARBVEILEDER_URL
+      value: "https://veilarbveileder.prod-fss-pub.nais.io/veilarbveileder"
+    - name: VEILARBVEILEDER_TOKEN_SCOPE
+      value: "api://prod-fss.pto.veilarbveileder/.default"
+    - name: VEILARBARENA_URL
+      value: "https://veilarbarena.prod-fss-pub.nais.io/veilarbarena"
+    - name: VEILARBARENA_TOKEN_SCOPE
+      value: "api://prod-fss.pto.veilarbarena/.default"
+    - name: PDL_URL
+      value: "https://pdl-api.prod-fss-pub.nais.io"
+    - name: PDL_TOKEN_SCOPE
+      value: "api://prod-fss.pdl.pdl-api/.default"
+    - name: POAO_TILGANG_URL
+      value: "http://poao-tilgang.poao"
+    - name: POAO_TILGANG_TOKEN_SCOPE
+      value: "api://prod-fss.poao.poao-tilgang/.default"
+    - name: KODEVERK_URL
+      value: "https://kodeverk-api.intern.nav.no"
+    - name: KODEVERK_SCOPE
+      value: "api://prod-gcp.team-rocket.kodeverk-api/.default"
+    - name: OPPSLAG_ARBEIDSSOEKERREGISTERET_URL
+      value: "http://paw-arbeidssoekerregisteret-api-oppslag.paw"
+    - name: OPPSLAG_ARBEIDSSOEKERREGISTERET_SCOPE
+      value: "api://prod-gcp.paw.paw-arbeidssoekerregisteret-api-oppslag/.default"