migrere-gcp (#88)

* begynne migrere gcp

* todo

* todo

* todo

* todo

* begynne migrere gcp

* todo

* todo

* todo

* todo

* div

* div

* div

* fiks pdl

* fix prod nais file and main deploy

* add outbound to nais yml

* add outbound to nais yml

* add outbound to nais yml

* flytte til dab namespace

* flytte til dab namespace

* endring

* endring

* fjerne pto config

* fix pdl scope injection

* autoresise disk

* legg til workflow_dispatch også for prod

* korriger navn på jobb

* korriger navn på nais fil

* Korriger sti til image

* Korriger hostnavn

* La deploy til prod kun ha build som forutsetning

* korriger namespace inbound rules

* Bruk database som er dekket av GCPs SLA

* Revert read-only

---------

Co-authored-by: johannetronstad <[email protected]>
Co-authored-by: Mads Lee Giil <[email protected]>
Co-authored-by: Hans Petter Simonsen <[email protected]>

.github/workflows/deploy-feature-branch.yml

@@ -13,7 +13,7 @@ env:
   PRINT_PAYLOAD: true
 
 jobs:
-  test-build-and-push:
+  build:
     name: Test, build and push
     runs-on: ubuntu-latest
     permissions:
@@ -42,15 +42,15 @@ jobs:
 
   deploy-dev:
     name: Deploy application to dev
-    needs: test-build-and-push
+    needs: build
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
         uses: actions/checkout@v3
       - name: Deploy application
         uses: nais/deploy/actions/deploy@v1
         env:
-          APIKEY: ${{ secrets.NAIS_DEPLOY_APIKEY }}
-          CLUSTER: dev-fss
+          APIKEY: ${{ secrets.DAB_NAIS_DEPLOY_APIKEY }}
+          CLUSTER: dev-gcp
           RESOURCE: nais-dev.yaml
-          VAR: image=${{ needs.test-build-and-push.outputs.image }}
+          VAR: image=${{ needs.build.outputs.image }}

.github/workflows/deploy.yml

@@ -50,8 +50,8 @@ jobs:
       - name: Deploy application
         uses: nais/deploy/actions/deploy@v1
         env:
-          APIKEY: ${{ secrets.NAIS_DEPLOY_APIKEY }}
-          CLUSTER: dev-fss
+          APIKEY: ${{ secrets.DAB_NAIS_DEPLOY_APIKEY }}
+          CLUSTER: dev-gcp
           RESOURCE: nais-dev.yaml
           VAR: image=${{ needs.test-build-and-push.outputs.image }}
 
@@ -65,8 +65,8 @@ jobs:
       - name: Deploy application
         uses: nais/deploy/actions/deploy@v1
         env:
-          APIKEY: ${{ secrets.NAIS_DEPLOY_APIKEY }}
-          CLUSTER: prod-fss
+          APIKEY: ${{ secrets.DAB_NAIS_DEPLOY_APIKEY }}
+          CLUSTER: prod-gcp
           RESOURCE: nais.yaml
           VAR: image=${{ needs.test-build-and-push.outputs.image }}
 

nais-dev.yaml

@@ -2,18 +2,11 @@ kind: Application
 apiVersion: nais.io/v1alpha1
 metadata:
   name: veilarblest
-  namespace: pto
+  namespace: dab
   labels:
-    team: pto
+    team: dab
 spec:
   image: {{ image }}
-  ingresses:
-    - https://veilarblest-q1.nais.preprod.local
-    - https://app-q1.adeo.no/veilarblest
-    - https://app-q1.dev.adeo.no/veilarblest
-    - https://app.dev.adeo.no/veilarblest
-    - https://veilarblest.dev-fss-pub.nais.io
-  webproxy: true
   port: 8080
   prometheus:
     enabled: true
@@ -35,28 +28,24 @@ spec:
     requests:
       cpu: 200m
       memory: 768Mi
-  envFrom:
-    - configmap: pto-config
   kafka:
     pool: nav-dev
-  vault:
-    enabled: true
-    paths:
-      - kvPath: /serviceuser/data/dev/srvveilarblest
-        mountPath: /var/run/secrets/nais.io/service_user
-      - kvPath: /kv/preprod/fss/veilarblest/q1
-        mountPath: /var/run/secrets/nais.io/vault
   env:
-    - name: VEILARBLEST_DB_URL
-      value: jdbc:postgresql://B27DBVL003.preprod.local:5432/veilarblest-q1
-    - name: APP_ENVIRONMENT_NAME
-      value: q1
+    - name: PDL_URL
+      value: https://pdl-api.dev-fss-pub.nais.io
+    - name: PDL_SCOPE
+      value: api://dev-fss.pdl.pdl-api/.default
   tokenx:
     enabled: true
+  gcp:
+    sqlInstances:
+      - type: POSTGRES_15
+        databases:
+            - name: veilarblest
   azure:
     application:
       enabled: true
-      allowAllUsers: true #todo burde vi legge inn noen roller her?
+      allowAllUsers: true
       claims:
         extra:
           - "NAVident"
@@ -65,7 +54,8 @@ spec:
       rules:
         - application: veilarbpersonflate
           namespace: poao
-          cluster: dev-gcp
         - application: aktivitetsplan
           namespace: pto
-          cluster: dev-gcp
+    outbound:
+      external:
+        - host: pdl-api.dev-fss-pub.nais.io

nais.yaml

@@ -2,16 +2,11 @@ kind: Application
 apiVersion: nais.io/v1alpha1
 metadata:
   name: veilarblest
-  namespace: pto
+  namespace: dab
   labels:
-    team: pto
+    team: dab
 spec:
   image: {{ image }}
-  ingresses:
-    - https://veilarblest.nais.adeo.no
-    - https://app.adeo.no/veilarblest
-    - https://veilarblest.prod-fss-pub.nais.io
-  webproxy: true
   port: 8080
   prometheus:
     enabled: true
@@ -35,24 +30,23 @@ spec:
     requests:
       cpu: "1"
       memory: 1024Mi
-  envFrom:
-    - configmap: pto-config
   kafka:
     pool: nav-prod
-  vault:
-    enabled: true
-    paths:
-      - kvPath: /serviceuser/data/prod/srvveilarblest
-        mountPath: /var/run/secrets/nais.io/service_user
-      - kvPath: /kv/prod/fss/veilarblest/default
-        mountPath: /var/run/secrets/nais.io/vault
   env:
-    - name: VEILARBLEST_DB_URL
-      value: jdbc:postgresql://fsspgdb.adeo.no:5432/veilarblest
-    - name: APP_ENVIRONMENT_NAME
-      value: p
+    - name: PDL_URL
+      value: https://pdl-api.prod-fss-pub.nais.io
+    - name: PDL_SCOPE
+      value: api://prod-fss.pdl.pdl-api/.default
   tokenx:
     enabled: true
+  gcp:
+    sqlInstances:
+      - type: POSTGRES_15
+        diskType: SSD
+        tier: db-custom-1-3840
+        diskAutoresize: true
+        databases:
+          - name: veilarblest
   azure:
     application:
       enabled: true
@@ -65,7 +59,8 @@ spec:
       rules:
         - application: veilarbpersonflate
           namespace: poao
-          cluster: prod-gcp
         - application: aktivitetsplan
           namespace: pto
-          cluster: prod-gcp
+    outbound:
+      external:
+        - host: pdl-api.prod-fss-pub.nais.io

pom.xml

@@ -6,7 +6,7 @@
     <parent>
         <groupId>org.springframework.boot</groupId>
         <artifactId>spring-boot-starter-parent</artifactId>
-        <version>3.0.3</version>
+        <version>3.2.0</version>
         <relativePath/>
     </parent>
 
@@ -229,7 +229,12 @@
         <dependency>
             <groupId>org.testcontainers</groupId>
             <artifactId>postgresql</artifactId>
-            <version>1.17.6</version>
+            <version>1.19.3</version>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-testcontainers</artifactId>
             <scope>test</scope>
         </dependency>
     </dependencies>

src/main/java/no/nav/veilarblest/config/ApplicationConfig.java

@@ -13,7 +13,7 @@
 import no.nav.common.token_client.builder.AzureAdTokenClientBuilder;
 import no.nav.common.token_client.client.AzureAdMachineToMachineTokenClient;
 import no.nav.common.token_client.client.MachineToMachineTokenClient;
-import no.nav.common.utils.Credentials;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.boot.context.properties.EnableConfigurationProperties;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
@@ -31,37 +31,25 @@
 @EnableScheduling
 @EnableConfigurationProperties({EnvironmentProperties.class})
 public class ApplicationConfig {
-    public static final String APPLICATION_NAME = "veilarblest";
-
     @Bean
     public AuthContextHolder authContextHolder() {
         return AuthContextHolderThreadLocal.instance();
     }
 
-    @Bean
-    @Profile("!local")
-    public Credentials serviceUserCredentials() {
-        return getCredentials("service_user");
-    }
 
     @Bean
     @Profile("!local")
     public AzureAdMachineToMachineTokenClient tokenClient() {
-        return AzureAdTokenClientBuilder.builder()
+        return AzureAdTokenClientBuilder
+                .builder()
                 .withNaisDefaults()
                 .buildMachineToMachineTokenClient();
     }
 
     @Bean
     @Profile("!local")
-    public AktorOppslagClient aktorregisterClient(MachineToMachineTokenClient tokenClient) {
-        String tokenScop = String.format("api://%s-fss.pdl.pdl-api/.default",
-                isProduction().orElse(false) ? "prod" : "dev"
-        );
-        return new CachedAktorOppslagClient(new PdlAktorOppslagClient(
-                createServiceUrl("pdl-api", "pdl", false),
-                () -> tokenClient.createMachineToMachineToken(tokenScop))
-        );
+    public AktorOppslagClient aktorregisterClient(MachineToMachineTokenClient tokenClient, @Value("${app.pdl.url}") String pdlUrl, @Value("${app.pdl.scope}") String pdlScope) {
+        return new CachedAktorOppslagClient(new PdlAktorOppslagClient(pdlUrl, () -> tokenClient.createMachineToMachineToken(pdlScope)));
     }
 
     @Bean

src/main/java/no/nav/veilarblest/config/DatabaseConfig.java

@@ -3,63 +3,44 @@
 import com.zaxxer.hikari.HikariConfig;
 import com.zaxxer.hikari.HikariDataSource;
 import lombok.SneakyThrows;
-import no.nav.vault.jdbc.hikaricp.HikariCPVaultUtil;
 import org.flywaydb.core.Flyway;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
-import org.springframework.context.annotation.Profile;
 import org.springframework.transaction.annotation.EnableTransactionManagement;
 
-import jakarta.annotation.PostConstruct;
 import javax.sql.DataSource;
 
-import static no.nav.veilarblest.config.ApplicationConfig.APPLICATION_NAME;
 
 @Configuration
 @EnableTransactionManagement
-@Profile("!local")
 public class DatabaseConfig {
 
-    private final EnvironmentProperties environmentProperties;
-
-    public DatabaseConfig(EnvironmentProperties environmentProperties) {
-        this.environmentProperties = environmentProperties;
-    }
-
     @Bean
-    public DataSource dataSource() {
-        return dataSource("user");
-    }
+    @SneakyThrows
+    public DataSource dataSource(
+            @Value("${db.host}") String host,
+            @Value("${db.port}") String port,
+            @Value("${db.database}") String database,
+            @Value("${db.username}") String username,
+            @Value("${db.password}") String password) {
 
 
-    @SneakyThrows
-    private HikariDataSource dataSource(String user) {
         HikariConfig config = new HikariConfig();
-        config.setJdbcUrl(environmentProperties.getDbUrl());
+        config.setJdbcUrl("jdbc:postgresql://" + host + ":" + port + "/" + database);
+        config.setUsername(username);
+        config.setPassword(password);
+
         config.setMaximumPoolSize(3);
         config.setMinimumIdle(1);
-        String mountPath = environmentProperties.getEnvironmentName().toLowerCase().equals("p")
-                ? "postgresql/prod-fss"
-                : "postgresql/preprod-fss";
-        return HikariCPVaultUtil.createHikariDataSourceWithVaultIntegration(config, mountPath, dbRole(user));
-    }
-
-    private String dbRole(String role) {
-        return environmentProperties.getEnvironmentName().toLowerCase().equals("p")
-                ? String.join("-", APPLICATION_NAME, role)
-                : String.join("-", APPLICATION_NAME, environmentProperties.getEnvironmentName(), role);
-    }
 
+        HikariDataSource dataSource = new HikariDataSource(config);
 
-    @PostConstruct
-    public void migrateDatabase() {
-        var dataSource = dataSource("admin");
         Flyway.configure()
                 .dataSource(dataSource)
-                .initSql(String.format("SET ROLE \"%s\"", dbRole("admin")))
                 .load()
                 .migrate();
-    }
-
 
+        return dataSource;
+    }
 }

src/main/java/no/nav/veilarblest/config/EnvironmentProperties.java

@@ -11,16 +11,6 @@ public class EnvironmentProperties {
 
     private String azureAdDiscoveryUrl;
 
-    private String azureAdLoginServiceClientId;
-
     private String azureAdClientId;
 
-    private String loginserviceIdportenDiscoveryUrl;
-
-    private String loginserviceIdportenAudience;
-
-    private String dbUrl;
-
-    private String environmentName;
-
 }