Merge pull request #231 from navikt/dev

Prodsetting: pub ingress og fjerning av pdl
navikt · Sep 23, 2022 · 7cefdaf · 7cefdaf
2 parents c62a7b4 + f1937eb
commit 7cefdaf
Show file tree

Hide file tree

Showing 8 changed files with 66 additions and 43 deletions.
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -2,7 +2,7 @@ name: Build, push and deploy
 on: push
 env:
   IMAGE_TAG: ${{ github.sha }}
-  IMAGE: docker.pkg.github.com/${{ github.repository }}/veilarbarena
+  IMAGE: ghcr.io/${{ github.repository }}/veilarbarena
   PRINT_PAYLOAD: true
 jobs:
   test:
@@ -11,13 +11,14 @@ jobs:
     if: github.ref != 'refs/heads/dev' && github.ref != 'refs/heads/master'
     steps:
       - name: Checkout
-        uses: actions/checkout@v1
+        uses: actions/checkout@v3
       - name: Set up JDK 11
-        uses: actions/setup-java@v1
+        uses: actions/setup-java@v3
         with:
           java-version: 11
+          distribution: 'temurin'
       - name: Set up cache
-        uses: actions/cache@v1
+        uses: actions/cache@v3
         with:
           path: ~/.m2/repository
           key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
@@ -31,26 +32,32 @@ jobs:
     if: github.ref == 'refs/heads/dev' || github.ref == 'refs/heads/master'
     steps:
       - name: Checkout
-        uses: actions/checkout@v1
+        uses: actions/checkout@v3
       - name: Set up JDK 11
-        uses: actions/setup-java@v1
+        uses: actions/setup-java@v3
         with:
           java-version: 11
+          distribution: 'temurin'
       - name: Set up cache
-        uses: actions/cache@v1
+        uses: actions/cache@v3
         with:
           path: ~/.m2/repository
           key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
           restore-keys: ${{ runner.os }}-maven-
       - name: Build maven artifacts
         run: mvn -B package
+      - name: Login to Docker
+        uses: docker/login-action@v1
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
       - name: Build and push Docker image
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          echo ${GITHUB_TOKEN} | docker login docker.pkg.github.com -u ${GITHUB_REPOSITORY} --password-stdin
-          docker build -t ${IMAGE}:${IMAGE_TAG} .
-          docker push ${IMAGE}:${IMAGE_TAG}
+        uses: docker/build-push-action@v2
+        with:
+          context: .
+          push: true
+          tags: ${{ env.IMAGE }}:${{ env.IMAGE_TAG }}
 
   deploy-dev:
     name: Deploy application to dev
@@ -59,7 +66,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v1
+        uses: actions/checkout@v3
       - name: Deploy application
         uses: nais/deploy/actions/deploy@v1
         env:
@@ -75,7 +82,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v1
+        uses: actions/checkout@v3
       - name: Deploy application
         uses: nais/deploy/actions/deploy@v1
         env:

diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,4 @@
-FROM docker.pkg.github.com/navikt/pus-nais-java-app/pus-nais-java-app:java11
+FROM ghcr.io/navikt/pus-nais-java-app/pus-nais-java-app:java11
 
 COPY init.sh /init-scripts/init.sh
 COPY /target/veilarbarena.jar app.jar
diff --git a/nais-dev.yaml b/nais-dev.yaml
@@ -6,8 +6,9 @@ metadata:
   labels:
     team: pto
 spec:
-  image: docker.pkg.github.com/navikt/veilarbarena/veilarbarena:{{version}}
+  image: ghcr.io/navikt/veilarbarena/veilarbarena:{{version}}
   ingresses:
+    - https://veilarbarena.dev-fss-pub.nais.io
     - https://veilarbarena-q1.nais.preprod.local
     - https://app-q1.adeo.no/veilarbarena
     - https://veilarbarena.dev.intern.nav.no
@@ -66,6 +67,9 @@ spec:
         - application: mulighetsrommet-api
           namespace: team-mulighetsrommet
           cluster: dev-gcp
+        - application: poao-tilgang
+          namespace: poao
+          cluster: dev-gcp
   vault:
     enabled: true
     paths:

diff --git a/nais-prod.yaml b/nais-prod.yaml
@@ -6,8 +6,9 @@ metadata:
   labels:
     team: pto
 spec:
-  image: docker.pkg.github.com/navikt/veilarbarena/veilarbarena:{{version}}
+  image: ghcr.io/navikt/veilarbarena/veilarbarena:{{version}}
   ingresses:
+    - https://veilarbarena.prod-fss-pub.nais.io
     - https://veilarbarena.nais.adeo.no
     - https://veilarbarena.intern.nav.no
   port: 8080
@@ -65,6 +66,9 @@ spec:
         - application: mulighetsrommet-api
           namespace: team-mulighetsrommet
           cluster: prod-gcp
+        - application: poao-tilgang
+          namespace: poao
+          cluster: prod-gcp
   vault:
     enabled: true
     paths:

diff --git a/pom.xml b/pom.xml
@@ -19,7 +19,7 @@
 
     <properties>
         <java.version>11</java.version>
-        <common.version>2.2022.09.02_11.04-2530dd139a0a</common.version>
+        <common.version>2.2022.09.15_07.46-e4fa96eb6813</common.version>
         <testcontainers.version>1.17.2</testcontainers.version>
         <tjenestespesifikasjoner.version>1.2019.09.25-00.21-49b69f0625e0</tjenestespesifikasjoner.version>
     </properties>
@@ -163,6 +163,11 @@
             <artifactId>sts</artifactId>
             <version>${common.version}</version>
         </dependency>
+        <dependency>
+            <groupId>no.nav.common</groupId>
+            <artifactId>token-client</artifactId>
+            <version>${common.version}</version>
+        </dependency>
         <dependency>
             <groupId>no.nav.common</groupId>
             <artifactId>auth</artifactId>

diff --git a/src/main/java/no/nav/veilarbarena/config/ApplicationConfig.java b/src/main/java/no/nav/veilarbarena/config/ApplicationConfig.java
@@ -16,8 +16,8 @@
 import no.nav.common.job.leader_election.LeaderElectionHttpClient;
 import no.nav.common.metrics.InfluxClient;
 import no.nav.common.metrics.MetricsClient;
-import no.nav.common.sts.NaisSystemUserTokenProvider;
-import no.nav.common.sts.SystemUserTokenProvider;
+import no.nav.common.token_client.builder.AzureAdTokenClientBuilder;
+import no.nav.common.token_client.client.AzureAdMachineToMachineTokenClient;
 import no.nav.common.utils.Credentials;
 import no.nav.common.utils.EnvironmentUtils;
 import no.nav.veilarbarena.client.ords.ArenaOrdsClient;
@@ -51,6 +51,13 @@ public Credentials serviceUserCredentials() {
         return getCredentials("service_user");
     }
 
+    @Bean
+    public AzureAdMachineToMachineTokenClient azureAdMachineToMachineTokenClient() {
+        return AzureAdTokenClientBuilder.builder()
+                .withNaisDefaults()
+                .buildMachineToMachineTokenClient();
+    }
+
     @Bean
     public UnleashClient unleashClient(EnvironmentProperties properties) {
         return new UnleashClientImpl(properties.getUnleashUrl(), APPLICATION_NAME);
@@ -66,24 +73,20 @@ public MetricsClient metricsClient() {
         return new InfluxClient();
     }
 
-    @Bean
-    public SystemUserTokenProvider systemUserTokenProvider(EnvironmentProperties properties, Credentials serviceUserCredentials) {
-        return new NaisSystemUserTokenProvider(properties.getNaisStsDiscoveryUrl(), serviceUserCredentials.username, serviceUserCredentials.password);
-    }
-
     @Bean
     public AuthContextHolder authContextHolder() {
         return AuthContextHolderThreadLocal.instance();
     }
 
     @Bean
-    public AktorOppslagClient aktorOppslagClient(SystemUserTokenProvider systemUserTokenProvider) {
+    public AktorOppslagClient aktorOppslagClient(AzureAdMachineToMachineTokenClient tokenClient) {
+        String tokenScope = String.format("api://%s.pdl.pdl-api/.default",
+                isProduction() ? "prod-fss" : "dev-fss");
+
         AktorOppslagClient aktorOppslagClient = new PdlAktorOppslagClient(
                 internalDevOrProdPdlIngress(),
-                systemUserTokenProvider::getSystemUserToken,
-                systemUserTokenProvider::getSystemUserToken
+                () -> tokenClient.createMachineToMachineToken(tokenScope)
         );
-
         return new CachedAktorOppslagClient(aktorOppslagClient);
     }
 
@@ -136,7 +139,7 @@ private static String createArenaOrdsUrl() {
     private String internalDevOrProdPdlIngress() {
         return isProduction()
                 ? createProdInternalIngressUrl("pdl-api")
-                : createDevInternalIngressUrl("pdl-api-q1");
+                : createDevInternalIngressUrl("pdl-api");
     }
 
     private static boolean isProduction() {

diff --git a/src/main/java/no/nav/veilarbarena/scheduled/OppfolgingsbrukerEndretSchedule.java b/src/main/java/no/nav/veilarbarena/scheduled/OppfolgingsbrukerEndretSchedule.java
@@ -65,12 +65,16 @@ public OppfolgingsbrukerEndretSchedule(
 
     @Scheduled(fixedDelay = TEN_SECONDS, initialDelay = TEN_SECONDS)
     public void publiserBrukereSomErEndretPaKafka() {
-        if (leaderElectionClient.isLeader()) {
-            if (unleashService.erSkruAvPubliseringPaKafkaEnabled()) {
-                log.info("Publisering av brukere på kafka er skrudd av");
-            } else {
-                publisereArenaBrukerEndringer();
+        if (isProduction().orElseThrow()) {
+            if (leaderElectionClient.isLeader()) {
+                if (unleashService.erSkruAvPubliseringPaKafkaEnabled()) {
+                    log.info("Publisering av brukere på kafka er skrudd av");
+                } else {
+                    publisereArenaBrukerEndringer();
+                }
             }
+        } else {
+            log.info("Publisering av denne onPrem topicen er skrud av i dev. Vi anbefaler å migrere til v2 topicen som ligger på aiven.");
         }
     }
 
@@ -134,7 +138,7 @@ void publisereArenaBrukerEndringerV2() {
                             .ifPresent(this::publiserPaKafka);
                 } else {
                     log.info("Ignorerer rader som har et tidsstempel i som er eldre enn 1 måned");
-               }
+                }
                 oppdaterteBrukereRepository.slettOppdatering(brukerOppdatering);
             });
         }

diff --git a/src/main/java/no/nav/veilarbarena/service/AuthService.java b/src/main/java/no/nav/veilarbarena/service/AuthService.java
@@ -21,22 +21,18 @@ public class AuthService {
 
     private final AuthContextHolder authContextHolder;
 
-    private final AktorOppslagClient aktorOppslagClient;
-
     private final Pep veilarbPep;
 
     @Autowired
-    public AuthService(AuthContextHolder authContextHolder, AktorOppslagClient aktorOppslagClient, Pep veilarbPep) {
+    public AuthService(AuthContextHolder authContextHolder,  Pep veilarbPep) {
         this.authContextHolder = authContextHolder;
-        this.aktorOppslagClient = aktorOppslagClient;
         this.veilarbPep = veilarbPep;
     }
 
     public void sjekkTilgang(Fnr fnr) {
-        AktorId aktorId = aktorOppslagClient.hentAktorId(fnr);
         String innloggetBrukerToken = authContextHolder.requireIdTokenString();
 
-        if (!veilarbPep.harTilgangTilPerson(innloggetBrukerToken, ActionId.READ, aktorId)) {
+        if (!veilarbPep.harTilgangTilPerson(innloggetBrukerToken, ActionId.READ, fnr)) {
             throw new ResponseStatusException(HttpStatus.FORBIDDEN);
         }
     }