diff --git a/.github/workflows/tilgangskontroll.yaml b/.github/workflows/tilgangskontroll.yaml
new file mode 100644
index 00000000..176aa393
--- /dev/null
+++ b/.github/workflows/tilgangskontroll.yaml
@@ -0,0 +1,83 @@
+name: Tilgangskontroll
+
+on:
+ push:
+ branches:
+ - main
+ - dev/*
+ paths:
+ - 'apps/tilgangskontroll/**'
+ - 'lib/**'
+ - 'domain/**'
+ - '.github/workflows/tilgangskontroll.yaml'
+ - 'gradle/**'
+ - 'settings.gradle.kts'
+ - 'gradle.properties'
+ - 'gradlew'
+ - 'gradlew.bat'
+
+env:
+ IMAGE: europe-north1-docker.pkg.dev/${{ vars.NAIS_MANAGEMENT_PROJECT_ID }}/paw/paw-tilgangskontroll
+jobs:
+ build:
+ name: Build
+ runs-on: ubuntu-latest
+ timeout-minutes: 10
+ permissions:
+ contents: read
+ id-token: write
+ packages: write
+ outputs:
+ image: ${{ steps.docker-build-push.outputs.image }}
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ - name: Setup Java
+ uses: actions/setup-java@v4
+ with:
+ java-version: 21
+ distribution: temurin
+ cache: gradle
+ - name: Set module
+ run: echo "MODULE=tilgangskontroll" >> $GITHUB_ENV
+ - name: Set version
+ run: echo "VERSION=$(date +'%y.%m.%d').${{ github.run_number }}-${{ github.run_attempt }}" >> $GITHUB_ENV
+ - name: Login GAR
+ uses: nais/login@v0
+ with:
+ project_id: ${{ vars.NAIS_MANAGEMENT_PROJECT_ID }}
+ identity_provider: ${{ secrets.NAIS_WORKLOAD_IDENTITY_PROVIDER }}
+ team: paw
+ - name: Build and push image with Gradle
+ id: docker-build-push
+ working-directory: ./
+ run: |
+ echo "image=${{ env.IMAGE }}:${{ env.VERSION }}" >> $GITHUB_OUTPUT
+ echo -Pversion=${{ env.VERSION }} -Pimage=${{ env.IMAGE }} :apps:${{ env.MODULE }}:build :apps:${{ env.MODULE }}:jib
+ ./gradlew -Pversion=${{ env.VERSION }} -Pimage=${{ env.IMAGE }} :apps:${{ env.MODULE }}:build :apps:${{ env.MODULE }}:jib
+ echo "DIGEST=$(cat apps/${{ env.MODULE }}/build/jib-image.digest)" >> $GITHUB_ENV
+ env:
+ ORG_GRADLE_PROJECT_githubPassword: ${{ secrets.GITHUB_TOKEN }}
+ - name: Attest and sign image
+ uses: nais/attest-sign@v1.5.8
+ with:
+ image_ref: ${{ env.IMAGE }}@${{ env.DIGEST }}
+
+ deploy-dev:
+ if: github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/dev')
+ name: Deploy to dev-gcp
+ needs:
+ - build
+ permissions:
+ contents: read
+ id-token: write
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ - name: Deploy to GCP
+ uses: nais/deploy/actions/deploy@v2
+ env:
+ CLUSTER: dev-gcp
+ RESOURCE: apps/tilgangskontroll/nais/nais-dev.yaml
+ VAR: image=${{ needs.build.outputs.image }}
diff --git a/apps/tilgangskontroll/build.gradle.kts b/apps/tilgangskontroll/build.gradle.kts
index 73069db5..effd18b2 100644
--- a/apps/tilgangskontroll/build.gradle.kts
+++ b/apps/tilgangskontroll/build.gradle.kts
@@ -24,7 +24,7 @@ dependencies {
 implementation(libs.opentelemetry.annotations)
 implementation(libs.hoplite.core)
 implementation(libs.hoplite.toml)
- implementation(libs.nav.security.tokenValidationKtorV2)
+ implementation(libs.nav.security.tokenValidationKtorV3)
 implementation(libs.nav.security.tokenClientCore)
 implementation(libs.nav.common.tokenClient)
 implementation(libs.nav.common.auditLog)
diff --git a/apps/tilgangskontroll/nais/nais-dev.yaml b/apps/tilgangskontroll/nais/nais-dev.yaml
new file mode 100644
index 00000000..bd8c8b1a
--- /dev/null
+++ b/apps/tilgangskontroll/nais/nais-dev.yaml
@@ -0,0 +1,48 @@
+apiVersion: nais.io/v1alpha1
+kind: Application
+metadata:
+ name: paw-tilgangskontroll
+ namespace: paw
+ labels:
+ team: paw
+spec:
+ image: {{ image }}
+ port: 8080
+ resources:
+ limits:
+ memory: 128Mi
+ requests:
+ cpu: 10m
+ memory: 64Mi
+ tokenx:
+ enabled: true
+ azure:
+ application:
+ enabled: true
+ allowAllUsers: true
+ claims:
+ extra:
+ - NAVident
+ env:
+ replicas:
+ min: 1
+ max: 1
+ liveness:
+ path: /internal/isAlive
+ initialDelay: 10
+ readiness:
+ path: /internal/isReady
+ initialDelay: 10
+ prometheus:
+ enabled: true
+ path: /internal/metrics
+ observability:
+ autoInstrumentation:
+ enabled: true
+ runtime: java
+ accessPolicy:
+ inbound:
+ rules:
+ outbound:
+ rules:
+ external:
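Review bot: The `image` output consumed by deploy-dev is the mutable tag `${{ env.IMAGE }}:${{ env.VERSION }}`, and it is written to `$GITHUB_OUTPUT` before `./gradlew … :jib` has even run, while the attest-sign step signs the immutable `${{ env.IMAGE }}@${{ env.DIGEST }}` — so the reference that gets deployed is not the one that was attested. Move the output after the build and emit the digest form, `echo "image=${{ env.IMAGE }}@$(cat apps/${{ env.MODULE }}/build/jib-image.digest)" >> $GITHUB_OUTPUT`, assuming the NAIS deploy action accepts a digest reference (worth confirming before switching). Separately, every action here (`actions/checkout@v4`, `actions/setup-java@v4`, `nais/login@v0`, `nais/attest-sign@v1.5.8`, `nais/deploy/actions/deploy@v2`) is pinned to a mutable tag; pinning to a full commit SHA closes the window where a moved tag ships different code into a job that holds `id-token: write`. The build job's `packages: write` also looks wider than needed if `ORG_GRADLE_PROJECT_githubPassword` is only used to read dependencies, in which case `packages: read` suffices.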
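Review bot: `azure.application.allowAllUsers: true` lets every user in the tenant obtain a token for paw-tilgangskontroll, a broad default for a service whose name suggests it is the component deciding access. Unless every NAV user is meant to call it directly, set it to `false` and grant access through `azure.application.claims.groups` with the intended group IDs, or leave a comment stating why tenant-wide access is deliberate. With `accessPolicy.inbound.rules` empty and no `ingresses`, nothing can reach the app yet, so this commit is the right place to settle the intended audience before callers are added. The bare `env:` key under `spec` is empty and can be dropped until it carries values.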
diff --git a/apps/tilgangskontroll/nais/nais-prod.yaml b/apps/tilgangskontroll/nais/nais-prod.yaml
new file mode 100644
index 00000000..bd8c8b1a
--- /dev/null
+++ b/apps/tilgangskontroll/nais/nais-prod.yaml
@@ -0,0 +1,48 @@
+apiVersion: nais.io/v1alpha1
+kind: Application
+metadata:
+ name: paw-tilgangskontroll
+ namespace: paw
+ labels:
+ team: paw
+spec:
+ image: {{ image }}
+ port: 8080
+ resources:
+ limits:
+ memory: 128Mi
+ requests:
+ cpu: 10m
+ memory: 64Mi
+ tokenx:
+ enabled: true
+ azure:
+ application:
+ enabled: true
+ allowAllUsers: true
+ claims:
+ extra:
+ - NAVident
+ env:
+ replicas:
+ min: 1
+ max: 1
+ liveness:
+ path: /internal/isAlive
+ initialDelay: 10
+ readiness:
+ path: /internal/isReady
+ initialDelay: 10
+ prometheus:
+ enabled: true
+ path: /internal/metrics
+ observability:
+ autoInstrumentation:
+ enabled: true
+ runtime: java
+ accessPolicy:
+ inbound:
+ rules:
+ outbound:
+ rules:
+ external:
diff --git a/apps/tilgangskontroll/src/main/kotlin/no/nav/paw/tilgangskontroll/StartApp.kt b/apps/tilgangskontroll/src/main/kotlin/no/nav/paw/tilgangskontroll/StartApp.kt
index 9e206e1d..9a3e7b5a 100644
--- a/apps/tilgangskontroll/src/main/kotlin/no/nav/paw/tilgangskontroll/StartApp.kt
+++ b/apps/tilgangskontroll/src/main/kotlin/no/nav/paw/tilgangskontroll/StartApp.kt
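Review bot: nais-prod.yaml is byte-identical to nais-dev.yaml (both land at blob `bd8c8b1a`), so production inherits `allowAllUsers: true`, a single replica (`min: 1` / `max: 1`) and the 128Mi memory limit straight from the dev manifest. Production deserves its own values: at least `min: 2` under `replicas` so a single pod restart is not an outage, and an explicit decision on `allowAllUsers` rather than a copy of the dev setting. The workflow in this commit only deploys `nais-dev.yaml`, so nothing consumes this file yet; when a prod job is added it should pass the digest-pinned image reference that attest-sign signed, not a tag.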
@@ -1,5 +1,26 @@ package no.nav.paw.tilgangskontroll -fun main() { +import io.ktor.server.engine.embeddedServer +import io.ktor.server.netty.Netty +import io.ktor.server.response.respondText +import io.ktor.server.routing.get +import io.ktor.server.routing.routing +import io.micrometer.prometheusmetrics.PrometheusConfig +import io.micrometer.prometheusmetrics.PrometheusMeterRegistry +fun main() { + val prometheusMeterRegistry = PrometheusMeterRegistry(PrometheusConfig.DEFAULT) + embeddedServer(Netty, port = 8080) { + routing { + get("/internal/isAlive") { + call.respondText("ALIVE") + } + get("/internal/isReady") { + call.respondText("READY") + } + get("/internal/metrics") { + call.respondText(prometheusMeterRegistry.scrape()) + } + } + }.start(wait = true) } \ No newline at end of file
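Review bot: `prometheusMeterRegistry` is created but nothing is ever registered on it in this file — no `MicrometerMetrics` plugin is installed and no JVM or system binders are bound — so `/internal/metrics` scrapes an empty registry. Install the plugin before `routing`, `install(MicrometerMetrics) { registry = prometheusMeterRegistry }` (which needs the `io.ktor.server.metrics.micrometer.MicrometerMetrics` import and the ktor-server-metrics-micrometer artifact), or leave the endpoint out until it reports something. The manifest enables `azure` and `tokenx` and the build now pulls `tokenValidationKtorV3`, yet no `Authentication` is installed here; that is acceptable while only `/internal/*` routes exist, but any functional route must be added inside an `authenticate` block rather than alongside these three. `/internal/isReady` answers `READY` unconditionally, which is fine for a server with no dependencies yet but should be revisited once it has any.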