Merge pull request #1150 from navikt/migrate_backend_gcp

ORG-291: Migrate Backend to GCP

.github/workflows/deploy-alerts.yaml

@@ -7,8 +7,8 @@ on:
       - '.github/workflows/deploy-alerts.yaml'
       - 'apps/frackend/nais/alerts-frackend-dev-gcp.yaml'
       - 'apps/frackend/nais/alerts-frackend-prod-gcp.yaml'
-      - 'apps/backend/nais/alerts-backend-dev-fss.yaml'
-      - 'apps/backend/nais/alerts-backend-prod-fss.yaml'
+      - 'apps/backend/nais/alerts-backend-dev-gcp.yaml'
+      - 'apps/backend/nais/alerts-backend-prod-gcp.yaml'
   workflow_dispatch:
 
 jobs:
@@ -22,16 +22,16 @@ jobs:
       - name: Deploy to dev
         uses: nais/deploy/actions/deploy@v1
         env:
-          APIKEY: ${{ secrets.NAIS_DEPLOY_APIKEY }}
-          CLUSTER: dev-fss
-          RESOURCE: apps/backend/nais/alerts-backend-dev-fss.yaml
+          APIKEY: ${{ secrets.NAIS_ORG_DEPLOY_APIKEY }}
+          CLUSTER: dev-gcp
+          RESOURCE: apps/backend/nais/alerts-backend-dev-gcp.yaml
 
       - name: Deploy to prod
         uses: nais/deploy/actions/deploy@v1
         env:
-          APIKEY: ${{ secrets.NAIS_DEPLOY_APIKEY }}
-          CLUSTER: prod-fss
-          RESOURCE: apps/backend/nais/alerts-backend-prod-fss.yaml
+          APIKEY: ${{ secrets.NAIS_ORG_DEPLOY_APIKEY }}
+          CLUSTER: prod-gcp
+          RESOURCE: apps/backend/nais/alerts-backend-prod-gcp.yaml
 
   apply-frackend-alerts:
     name: Apply frackend alerts

.github/workflows/deploy-backend.yaml

@@ -55,17 +55,16 @@ jobs:
           project_id: ${{ vars.NAIS_MANAGEMENT_PROJECT_ID }}
 
   deploy-preprod:
-    name: Backend - deploy Dev FSS
+    name: Backend - deploy Dev GCP
     needs: build
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
       - uses: nais/deploy/actions/deploy@v1
         env:
-          APIKEY: ${{ secrets.NAIS_DEPLOY_APIKEY }}
-          CLUSTER: dev-fss
-          RESOURCE: apps/backend/nais/backend-fss.yaml
-          VARS: apps/backend/nais/backend-dev-fss-vars.yaml
+          APIKEY: ${{ secrets.NAIS_ORG_DEPLOY_APIKEY  }}
+          CLUSTER: dev-gcp
+          RESOURCE: apps/backend/nais/backend-dev-gcp.yaml
           VAR: image=${{needs.build.outputs.image}}
 
   deploy-prod:
@@ -77,8 +76,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: nais/deploy/actions/deploy@v1
         env:
-          APIKEY: ${{ secrets.NAIS_DEPLOY_APIKEY }}
-          CLUSTER: prod-fss
-          RESOURCE: apps/backend/nais/backend-fss.yaml
-          VARS: apps/backend/nais/backend-prod-fss-vars.yaml
+          APIKEY: ${{ secrets.NAIS_ORG_DEPLOY_APIKEY  }}
+          CLUSTER: prod-gcp
+          RESOURCE: apps/backend/nais/backend-prod-fss-vars.yaml
           VAR: image=${{ needs.build.outputs.image }}

apps/backend/nais/alerts-backend-dev-gcp.yaml

@@ -0,0 +1,30 @@
+apiVersion: "monitoring.coreos.com/v1"
+kind: "PrometheusRule"
+metadata:
+  name: team-catalog-backend-alerts
+  namespace: org
+  labels:
+    team: org
+spec:
+  groups:
+    - name: team-catalog-backend_down
+      rules:
+        - alert: team-catalog-backend pod nede
+          expr: kube_deployment_status_replicas_unavailable{deployment="team-catalog-backend"} > 0
+          for: 3m
+          annotations:
+            action: "`kubectl describe pod {{ $labels.pod }}` for events, og `kubectl logs {{ $labels.pod }} -c {{ $labels.app }}` for logger"
+            summary: "{{ $labels.app }} er nede"
+          labels:
+            namespace: nom
+            severity: critical
+    - name: team-catalog-backend_high_failrate
+      rules:
+        - alert: team-catalog-backend høy feilrate i logger
+          expr: (100 * sum by (app, namespace) (rate(log_messages_errors{app="team-catalog-backend",namespace="org"}[3m])) / sum by (app, namespace) (rate(log_messages_total{app="team-catalog-backend",namespace="org"}[3m]))) > 10
+          for: 3m
+          annotations:
+            action: "Sjekk loggene til app {{ $labels.app }}, for å se hvorfor det er så mye feil"
+          labels:
+            namespace: nom
+            severity: warning

apps/backend/nais/alerts-backend-prod-gcp.yaml

@@ -0,0 +1,30 @@
+apiVersion: "monitoring.coreos.com/v1"
+kind: "PrometheusRule"
+metadata:
+  name: team-catalog-backend-alerts
+  namespace: org
+  labels:
+    team: org
+spec:
+  groups:
+    - name: team-catalog-backend_down
+      rules:
+        - alert: team-catalog-backend applikasjon nede
+          expr: up{app="team-catalog-backend", job="kubernetes-pods"} == 0
+          for: 3m
+          annotations:
+            action: "`kubectl describe pod {{ $labels.pod }}` for events, og `kubectl logs {{ $labels.pod }} -c {{ $labels.app }}` for logger"
+            summary: "{{ $labels.app }} er nede"
+          labels:
+            namespace: nom
+            severity: critical
+    - name: team-catalog-backend_high_failrate
+      rules:
+        - alert: team-catalog-backend høy feilrate i logger
+          expr: (100 * sum by (app, namespace) (rate(log_messages_errors{app="team-catalog-backend",namespace="org"}[3m])) / sum by (app, namespace) (rate(log_messages_total{app="team-catalog-backend",namespace="org"}[3m]))) > 10
+          for: 3m
+          annotations:
+            action: "Sjekk loggene til app {{ $labels.app }}, for å se hvorfor det er så mye feil"
+          labels:
+            namespace: nom
+            severity: warning

apps/backend/nais/backend-dev-gcp.yaml

@@ -0,0 +1,112 @@
+apiVersion: "nais.io/v1alpha1"
+kind: "Application"
+metadata:
+  name: team-catalog-backend
+  namespace: org
+  labels:
+    team: org
+spec:
+  image: {{image}}
+  port: 8080
+  azure:
+    application:
+      enabled: true
+      allowAllUsers: true
+      claims:
+        extra:
+          - NAVident
+        groups:
+          - id: eedc0f72-585e-4814-94f4-25b43d9c8d1b
+      replyURLs:
+        - https://teamkatalog-api.intern.dev.nav.no/oauth2/callback
+        - https://teamkatalog.ekstern.dev.nav.no/oauth2/callback
+        - https://teamkatalogen.ekstern.dev.nav.no/oauth2/callback
+        - http://localhost:8080/oauth2/callback
+        - http://localhost:3000/oauth2/callback
+  accessPolicy:
+    inbound:
+      rules:
+        - application: team-catalog-frackend
+          namespace: org
+          cluster: dev-gcp
+        - application: nom-ui2
+          namespace: org
+          cluster: dev-gcp
+        - application: org-token-tool
+          namespace: org
+          cluster: dev-gcp
+        - application: behandlingskatalog-backend
+          namespace: teamdatajegerne
+          cluster: dev-gcp
+    outbound:
+      rules:
+        - application: nom-api
+          namespace: nom
+          cluster: dev-gcp
+      external:
+        - host: slack.com
+        - host: behandlingskatalog-backend.intern.dev.nav.no
+
+  ingresses:
+    - https://teamkatalog-api.intern.dev.nav.no
+  replicas:
+    min: 2
+    max: 2
+    cpuThresholdPercentage: 50
+  resources:
+    limits:
+      cpu: 1000m
+      memory: 2048Mi
+    requests:
+      memory: 1024Mi
+  liveness:
+    path: internal/isAlive
+    initialDelay: 10
+    periodSeconds: 5
+    failureThreshold: 30
+  readiness:
+    path: internal/isReady
+    initialDelay: 10
+    periodSeconds: 5
+    failureThreshold: 30
+  kafka:
+    pool: nav-dev
+  prometheus:
+    enabled: true
+    path: /internal/prometheus
+  envFrom:
+    - secret: teamcat-enckey
+    - secret: teamcat-mail-pwd
+    - secret: teamcat-slack-token
+    - secret: teamcat-nais-console-token
+    - secret: teamcat-srvteamcat
+  env:
+    - name: TEAM_CATALOG_ENVLEVEL
+      value: primary
+    - name: ENVIRONMENT_CLASS
+      value: preprod
+    - name: DEFAULT_PRODUCTAREA_UUID
+      value: "c5557f01-35c1-43fa-a0b4-2c35c50a9905"
+    - name: TEAM_CATALOG_SECURITY_REDIRECT_URIS
+      value: "https://teamkatalog-api.intern.dev.nav.no,http://localhost:3000"
+    - name: CLIENT_TEAM_NORA_URL
+      value: "https://nora.nais.adeo.no/api/v1"
+    - name: CLIENT_PROCESS_CAT_BASE_URL
+      value: "https://behandlingskatalog-backend.intern.dev.nav.no"
+    - name: CLIENT_NOM_GRAPHQL_URL
+      value: "http://nom-api.nom.svc.cluster.local/graphql"
+    - name: AZURE_CLIENT_GROUPS
+      value: "ceab8bf0-0771-4478-bc39-186629b8cc2b"
+    - name: AZURE_CLIENT_GROUPS_ADMIN
+      value: "eedc0f72-585e-4814-94f4-25b43d9c8d1b"
+    - name: AZURE_APP_MAIL_USER
+      value: "[email protected]"
+    - name: DEV_EMAIL_ALLOW_LIST
+      value: "[email protected]"
+
+  gcp:
+    sqlInstances:
+      - type: POSTGRES_14
+        databases:
+          - name: team-catalog
+            envVarPrefix: BACKEND_DB

apps/backend/nais/backend-prod-gcp.yaml

@@ -43,6 +43,10 @@ spec:
         - application: nom-api
           namespace: nom
           cluster: prod-gcp
+      external:
+        - host: slack.com
+        - host: behandlingskatalog-backend.intern.nav.no
+
   ingresses:
     - https://teamkatalog-api.intern.nav.no
   replicas:
@@ -90,7 +94,7 @@ spec:
     - name: CLIENT_PROCESS_CAT_BASE_URL
       value: "https://behandlingskatalog-backend.intern.nav.no"
     - name: CLIENT_NOM_GRAPHQL_URL
-      value: "https://nom-api.intern.nav.no/graphql"
+      value: "http://nom-api.nom.svc.cluster.local/graphql"
     - name: AZURE_CLIENT_GROUPS
       value: "2ee0ef50-718c-43d3-8c05-c839f2dc2490"
     - name: AZURE_CLIENT_GROUPS_ADMIN

apps/backend/src/main/java/no/nav/data/AppStarter.java

@@ -1,54 +1,17 @@
 package no.nav.data;
 
 import lombok.extern.slf4j.Slf4j;
-import no.nav.data.common.exceptions.TechnicalException;
 import org.springframework.boot.SpringApplication;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
 import org.springframework.boot.autoconfigure.security.servlet.UserDetailsServiceAutoConfiguration;
 import org.springframework.boot.context.properties.ConfigurationPropertiesScan;
 
-import java.io.IOException;
-import java.nio.file.Files;
-import java.nio.file.Path;
-import java.nio.file.Paths;
-import java.util.stream.Stream;
-
 @Slf4j
 @ConfigurationPropertiesScan
 @SpringBootApplication(exclude = {UserDetailsServiceAutoConfiguration.class})
 public class AppStarter {
 
     public static void main(String[] args) {
-        readAzureSecret();
         SpringApplication.run(AppStarter.class, args);
     }
-
-    private static void readAzureSecret() {
-        listSecretFiles();
-        fileToProp("/var/run/secrets/nais.io/srv/username", "SRV_USER");
-        fileToProp("/var/run/secrets/nais.io/srv/password", "SRV_PASSWORD");
-    }
-
-    private static void listSecretFiles() {
-        var base = Paths.get("/var/run/secrets/nais.io");
-        try (Stream<Path> paths = Files.walk(base)) {
-            paths.forEach(p -> log.info("Vault file: {}", p.toAbsolutePath()));
-        } catch (IOException e) {
-            log.error("couldnt list vault files", e);
-        }
-    }
-
-    private static void fileToProp(String file, String prop) {
-        Path path = Paths.get(file);
-        try {
-            if (Files.exists(path)) {
-                log.info("Reading property={} from={}", prop, file);
-                String content = Files.readString(path);
-                System.setProperty(prop, content);
-            }
-        } catch (Exception e) {
-            throw new TechnicalException("Couldn't read file " + file);
-        }
-    }
-
 }

apps/backend/src/main/java/no/nav/data/common/SchedulerConfig.java

@@ -16,8 +16,8 @@
 
 @Slf4j
 @Configuration
-@EnableScheduling
-@EnableSchedulerLock(defaultLockAtMostFor = "PT10M", defaultLockAtLeastFor = "PT59s")
+//@EnableScheduling
+//@EnableSchedulerLock(defaultLockAtMostFor = "PT10M", defaultLockAtLeastFor = "PT59s")
 public class SchedulerConfig implements SchedulingConfigurer {
 
     @Override