Merge remote-tracking branch 'origin/opa-gatekeeper'

# Conflicts:
#	clusters/flux-system/gotk-components.yaml

.github/workflows/tilt_extraction.yml

@@ -0,0 +1,84 @@
+name: Tilt Extraction
+
+on:
+  push:
+    paths:
+      - 'tilt.json'
+
+  # Allows you to run this workflow manually from the Actions tab
+  workflow_dispatch:
+
+jobs:
+  update-deployment:
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Check out repository
+      uses: actions/checkout@v2
+
+    - name: Set up JQ
+      run: sudo apt-get install jq
+
+    - name: Extract country and update deployment.yaml
+      run: |
+        # Extract country from tilt.json
+        COUNTRIES=$(jq -r '.dataDisclosed[]?.recipients[]?.country | select(.!=null)' tilt.json)
+        
+        # Print the extracted countries
+        echo "Extracted Countries: $COUNTRIES"
+        
+        # Check if there are any countries extracted
+        if [ -n "$COUNTRIES" ]; then
+            # Update deployment.yaml for each country
+            for COUNTRY in $COUNTRIES; do
+                LABEL="geo: $COUNTRY"
+
+                # Check and append the label with correct indentation under metadata/labels. Only does this at the first instance of labels and not for subsequent instances. 
+                # IMPORTANT: This assumes that the labels are indented with 4 spaces. If the indentation is different, this will not work.
+                # ALSO: This assumes that the labels are the first entry under metadata. If the labels are under some other section or not the first entry, this will not work. 
+
+                # Update the deployment.yaml files
+                for FILE in apps/catalogue/deployment.yaml apps/orders/deployment.yaml apps/payment/deployment.yaml apps/shipping/deployment.yaml; do
+                  awk -v label="$LABEL" 'BEGIN {append=0} /metadata:/ {print; getline; if ($1 == "labels:" && append == 0) {print; print "    " label; append=1; next}}1' $FILE > ${FILE}_temp && mv ${FILE}_temp $FILE
+                done
+            done
+        fi
+
+    - name: Extract category and update deployment.yaml
+      run: |
+        # Extract category from tilt.json
+        CATEGORIES=$(jq -r '.dataDisclosed[]?.recipients[]?.category | select(.!=null)' tilt.json)
+        
+        # Print the extracted categories
+        echo "Extracted Categories: $CATEGORIES"
+        
+        # Check if there are any categories extracted
+        if [ -n "$CATEGORIES" ]; then
+            # Update deployment.yaml for each category
+            for CATEGORY in $CATEGORIES; do
+                LABEL="serviceType: $CATEGORY"
+                # Check and append the label with correct indentation under metadata/labels. Only does this at the first instance of labels and not for subsequent instances. 
+                # IMPORTANT: This assumes that the labels are indented with 4 spaces. If the indentation is different, this will not work.
+                # ALSO: This assumes that the labels are the first entry under metadata. If the labels are under some other section or not the first entry, this will not work. 
+
+                # Update the deployment.yaml files
+                for FILE in apps/catalogue/deployment.yaml apps/orders/deployment.yaml apps/payment/deployment.yaml apps/shipping/deployment.yaml; do
+                  awk -v label="$LABEL" 'BEGIN {append=0} /metadata:/ {print; getline; if ($1 == "labels:" && append == 0) {print; print "    " label; append=1; next}}1' $FILE > ${FILE}_temp && mv ${FILE}_temp $FILE
+                done
+            done
+        fi
+
+    - name: Commit and push if changed
+      run: |
+        git config --local user.email "[email protected]"
+        git config --local user.name "GitHub Action"
+      
+        # Add every potentially modified deployment.yaml file
+        git add apps/catalogue/deployment.yaml
+        git add apps/orders/deployment.yaml
+        git add apps/payment/deployment.yaml
+        git add apps/shipping/deployment.yaml
+  
+        # Commit and push if there are any changes
+        git diff-index --quiet HEAD || git commit -m "Add tilt-labels to deployment files"
+        git push

apps/catalogue/canary.yaml

@@ -25,7 +25,7 @@ spec:
     trafficPolicy:
       tls:
         # use ISTIO_MUTUAL when mTLS is enabled
-        mode: ISTIO_MUTUAL
+        mode: DISABLE
   analysis:
     # schedule interval (default 60s)
     interval: 30s
@@ -38,12 +38,12 @@ spec:
     # promotion increment step (default 100)
     stepWeightPromotion: 100
 
-    alerts:
-      - name: "on-call Discord"
-        severity: info
-        providerRef:
-          name: on-call
-          namespace: flux-system
+#    alerts:
+#      - name: "on-call Discord"
+#        severity: info
+#        providerRef:
+#          name: on-call
+#          namespace: flux-system
     #Built in Flagger metrics
 #    webhooks:
       #gate waits for status code 200 from an url. If it gets 403, rollout

apps/catalogue/deployment.yaml

@@ -1,11 +1,13 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: catalogue
   labels:
+    cat-DB: "true"
+    geo-DE: "true"
     name: catalogue
     app: catalogue
     version: v1
+  name: catalogue
   namespace: sock-shop
 spec:
   replicas: 1
@@ -25,7 +27,8 @@ spec:
     spec:
       containers:
       - name: catalogue
-        image: europe-west3-docker.pkg.dev/toucan-378111/toucan/catalogue:latest
+#        image: europe-west3-docker.pkg.dev/toucan-378111/toucan/catalogue:latest
+        image: ghcr.io/siar-akbayin/catalogue:0.3.5
         command: ["/app"]
         args:
         - -port=8080
@@ -60,4 +63,4 @@ spec:
           initialDelaySeconds: 180
           periodSeconds: 3
       nodeSelector:
-        beta.kubernetes.io/os: linux
+        beta.kubernetes.io/os: linux

apps/catalogue/kustomization.yaml

@@ -4,4 +4,4 @@ resources:
   - deployment.yaml
   - canary.yaml
   - hpa.yaml
-  - destinationrule.yaml
+#  - destinationrule.yaml

apps/front-end/app/canary.yaml

@@ -31,7 +31,7 @@ spec:
     trafficPolicy:
       tls:
         # use ISTIO_MUTUAL when mTLS is enabled
-        mode: ISTIO_MUTUAL
+        mode: DISABLE
   analysis:
     # schedule interval (default 60s)
     interval: 30s
@@ -53,13 +53,13 @@ spec:
 #          cookie:
 #            regex: "^(.*?;)?(type=insider)(;.*)?$"
     # Istio Prometheus checks
-    alerts:
-      - name: "on-call Discord"
-        severity: info
-        providerRef:
-          name: on-call
-          namespace: flux-system
-    metrics:
+#    alerts:
+#      - name: "on-call Discord"
+#        severity: info
+#        providerRef:
+#          name: on-call
+#          namespace: flux-system
+#    metrics:
 #      - name: request-success-rate
 #        interval: 1m
 #        thresholdRange:
@@ -68,41 +68,41 @@ spec:
 #        interval: 1m
 #        thresholdRange:
 #          max: 1000
-      - name: error-rate
-        templateRef:
-          name: error-rate
-          namespace: istio-system
-        thresholdRange:
-          max: 10
-        interval: 30s
-      - name: latency
-        templateRef:
-          name: latency
-          namespace: istio-system
-        thresholdRange:
-          max: 500
-        interval: 30s
-      - name: gcp_location_not_europe
-        templateRef:
-          name: gcp_location_not_europe
-          namespace: istio-system
-        thresholdRange:
-          max: 1
-        interval: 60s
-      - name: destination-country-not-eu
-        templateRef:
-          name: destination-country-not-eu
-          namespace: istio-system
-        thresholdRange:
-          max: 1
-        interval: 60s
-      - name: hawk-unmapped-fields-ratio-front-end
-        templateRef:
-          name: hawk-unmapped-fields-ratio-front-end
-          namespace: hawk-ns
-        thresholdRange:
-          max: 0.5
-        interval: 60s
+#      - name: error-rate
+#        templateRef:
+#          name: error-rate
+#          namespace: istio-system
+#        thresholdRange:
+#          max: 10
+#        interval: 30s
+#      - name: latency
+#        templateRef:
+#          name: latency
+#          namespace: istio-system
+#        thresholdRange:
+#          max: 500
+#        interval: 30s
+#      - name: gcp_location_not_europe
+#        templateRef:
+#          name: gcp_location_not_europe
+#          namespace: istio-system
+#        thresholdRange:
+#          max: 1
+#        interval: 60s
+#      - name: destination-country-not-eu
+#        templateRef:
+#          name: destination-country-not-eu
+#          namespace: istio-system
+#        thresholdRange:
+#          max: 1
+#        interval: 60s
+#      - name: hawk-unmapped-fields-ratio-front-end
+#        templateRef:
+#          name: hawk-unmapped-fields-ratio-front-end
+#          namespace: hawk-ns
+#        thresholdRange:
+#          max: 0.5
+#        interval: 60s
 #    webhooks:
 #      - name: conformance-test
 #        type: pre-rollout
@@ -117,4 +117,4 @@ spec:
 #        url: http://flagger-loadtester.sock-shop/
 #        metadata:
 #          type: cmd
-#          cmd: "hey -z 1m -q 10 -c 2 http://frontend.sock-shop:8079/"
+#          cmd: "hey -z 1m -q 10 -c 2 http://frontend.sock-shop:8079/"

apps/front-end/app/deployment.yaml

@@ -6,6 +6,7 @@ metadata:
   labels:
     app: frontend
 spec:
+  replicas: 1
   progressDeadlineSeconds: 180
   strategy:
     rollingUpdate:
@@ -24,7 +25,8 @@ spec:
     spec:
       containers:
       - name: frontend
-        image: europe-west3-docker.pkg.dev/toucan-378111/toucan/front-end:1.0.0 # {"$imagepolicy": "flux-system:frontend"}
+        image: ghcr.io/siar-akbayin/front-end:0.3.12
+#        image: europe-west3-docker.pkg.dev/toucan-378111/toucan/front-end:1.0.0 # {"$imagepolicy": "flux-system:frontend"}
         imagePullPolicy: IfNotPresent
         resources:
           limits:

apps/front-end/app/kustomization.yaml

@@ -4,7 +4,7 @@ resources:
 - canary.yaml
 - deployment.yaml
 - hpa.yaml
-- destinationrule.yaml
+#- destinationrule.yaml
 #images:
 #- name: europe-west3-docker.pkg.dev/toucan-378111/toucan/front-end
 #  newName: europe-west3-docker.pkg.dev/toucan-378111/toucan/front-end

apps/orders/deployment.yaml

@@ -1,10 +1,12 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: orders
   labels:
+    cat-DB: "true"
+    geo-DE: "true"
     name: orders
     app: orders
+  name: orders
   namespace: sock-shop
 spec:
   selector:
@@ -21,7 +23,8 @@ spec:
     spec:
       containers:
       - name: orders
-        image: europe-west3-docker.pkg.dev/toucan-378111/toucan/orders:latest
+#        image: europe-west3-docker.pkg.dev/toucan-378111/toucan/orders:latest
+        image: ghcr.io/siar-akbayin/orders:0.4.7
         env:
          - name: JAVA_OPTS
            value: -Xms64m -Xmx128m -XX:+UseG1GC -Djava.security.egd=file:/dev/urandom -Dspring.zipkin.enabled=false

apps/payment/deployment.yaml

@@ -1,11 +1,13 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: payment
   labels:
+    cat-DB: "true"
+    geo-DE: "true"
     name: payment
     app: payment
     version: v1
+  name: payment
   namespace: sock-shop
 spec:
   selector:
@@ -24,7 +26,8 @@ spec:
     spec:
       containers:
       - name: payment
-        image: europe-west3-docker.pkg.dev/toucan-378111/toucan/payment:latest
+#        image: europe-west3-docker.pkg.dev/toucan-378111/toucan/payment:latest
+        image: ghcr.io/siar-akbayin/payment:0.4.3
         resources:
           limits:
             cpu: 200m

apps/shipping/deployment.yaml

@@ -1,11 +1,13 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: shipping
   labels:
+    cat-DB: "true"
+    geo-DE: "true"
     name: shipping
     app: shipping
     version: v1
+  name: shipping
   namespace: sock-shop
 spec:
   selector:
@@ -24,7 +26,8 @@ spec:
     spec:
       containers:
       - name: shipping
-        image: europe-west3-docker.pkg.dev/toucan-378111/toucan/shipping:latest
+#        image: europe-west3-docker.pkg.dev/toucan-378111/toucan/shipping:latest
+        image: ghcr.io/siar-akbayin/shipping:0.4.8
         env:
          - name: ZIPKIN
            value: zipkin.jaeger.svc.cluster.local

clusters/flux-system/gotk-sync.yaml

@@ -8,7 +8,7 @@ metadata:
 spec:
   interval: 10m0s
   ref:
-    branch: master
+    branch: opa-gatekeeper
   secretRef:
     name: flux-system
   url: https://github.com/PrivacyEngineering/hawk-release