From bb2d57c38c998896ed8ebfba7d3ac699a0007cac Mon Sep 17 00:00:00 2001 
From: Kuan Fan <31664961+kuanfandevops@users.noreply.github.com> Date: Thu, 6 Jul 2023 09:27:28 -0700 Subject: [PATCH] Build frontend and backend for Jan pipeline (#2421) --- .github/workflows/branch-build-template.yaml | 2 +- .github/workflows/branch-deploy-template.yaml | 107 ++++++++++++ .github/workflows/dev-jan-release.yaml | 57 +++--- charts/tfrs-apps/.helmignore | 23 +++ charts/tfrs-apps/Chart.yaml | 24 +++ .../tfrs-apps/charts/tfrs-backend/.helmignore | 23 +++ .../tfrs-apps/charts/tfrs-backend/Chart.yaml | 24 +++ .../tfrs-backend/templates/_helpers.tpl | 67 +++++++ .../templates/deployment-config.yaml | 164 ++++++++++++++++++ .../charts/tfrs-backend/templates/hpa.yaml | 32 ++++ .../charts/tfrs-backend/templates/route.yaml | 20 +++ .../tfrs-backend/templates/service.yaml | 15 ++ .../charts/tfrs-backend/values-dev-jan.yaml | 34 ++++ .../charts/tfrs-frontend/.helmignore | 23 +++ .../tfrs-apps/charts/tfrs-frontend/Chart.yaml | 24 +++ .../tfrs-frontend/templates/_helpers.tpl | 66 +++++++ .../tfrs-frontend/templates/configmap.yaml | 28 +++ .../templates/deployment-config.yaml | 96 ++++++++++ .../charts/tfrs-frontend/templates/hpa.yaml | 32 ++++ .../charts/tfrs-frontend/templates/route.yaml | 22 +++ .../tfrs-frontend/templates/service.yaml | 16 ++ .../charts/tfrs-frontend/values-dev-jan.yaml | 28 +++ openshift-v4/templates/knp/2a-apps-jan.yaml | 63 +++++++ openshift-v4/templates/knp/3a-spilo-jan.yaml | 98 +++++++++++ .../templates/knp/4a-clamav-rabbitmq.yaml | 102 +++++++++++ 25 files changed, 1156 insertions(+), 34 deletions(-) create mode 100644 .github/workflows/branch-deploy-template.yaml create mode 100644 charts/tfrs-apps/.helmignore create mode 100644 charts/tfrs-apps/Chart.yaml create mode 100644 charts/tfrs-apps/charts/tfrs-backend/.helmignore create mode 100644 charts/tfrs-apps/charts/tfrs-backend/Chart.yaml create mode 100644 charts/tfrs-apps/charts/tfrs-backend/templates/_helpers.tpl create mode 100644 
charts/tfrs-apps/charts/tfrs-backend/templates/deployment-config.yaml create mode 100644 charts/tfrs-apps/charts/tfrs-backend/templates/hpa.yaml create mode 100644 charts/tfrs-apps/charts/tfrs-backend/templates/route.yaml create mode 100644 charts/tfrs-apps/charts/tfrs-backend/templates/service.yaml create mode 100644 charts/tfrs-apps/charts/tfrs-backend/values-dev-jan.yaml create mode 100644 charts/tfrs-apps/charts/tfrs-frontend/.helmignore create mode 100644 charts/tfrs-apps/charts/tfrs-frontend/Chart.yaml create mode 100644 charts/tfrs-apps/charts/tfrs-frontend/templates/_helpers.tpl create mode 100644 charts/tfrs-apps/charts/tfrs-frontend/templates/configmap.yaml create mode 100644 charts/tfrs-apps/charts/tfrs-frontend/templates/deployment-config.yaml create mode 100644 charts/tfrs-apps/charts/tfrs-frontend/templates/hpa.yaml create mode 100644 charts/tfrs-apps/charts/tfrs-frontend/templates/route.yaml create mode 100644 charts/tfrs-apps/charts/tfrs-frontend/templates/service.yaml create mode 100644 charts/tfrs-apps/charts/tfrs-frontend/values-dev-jan.yaml create mode 100644 openshift-v4/templates/knp/2a-apps-jan.yaml create mode 100644 openshift-v4/templates/knp/3a-spilo-jan.yaml create mode 100644 openshift-v4/templates/knp/4a-clamav-rabbitmq.yaml diff --git a/.github/workflows/branch-build-template.yaml b/.github/workflows/branch-build-template.yaml index 5555b7d2e..1ed52e579 100644 --- a/.github/workflows/branch-build-template.yaml +++ b/.github/workflows/branch-build-template.yaml @@ -1,5 +1,5 @@ -name: PR Build Template +name: Branch Build Template on: workflow_call: diff --git a/.github/workflows/branch-deploy-template.yaml b/.github/workflows/branch-deploy-template.yaml new file mode 100644 index 000000000..fa5942a56 --- /dev/null +++ b/.github/workflows/branch-deploy-template.yaml 
@@ -0,0 +1,107 @@
+name: Branch Deploy Template
+
+on:
+ workflow_call:
+ inputs:
+ branch-name: # sample value: release-2.9.0 or main-release-jan-2024
+ required: true
+ type: string
+ # suffix is in format of -dev, -test, -dev-jan, test-jan, -dev-1923, dev-jan-1923
+ suffix:
+ required: true
+ type: string
+ # env-name is in format of dev, test
+ env-name:
+ required: true
+ type: string
+ # database-service-host-name sample tfrs-spilo, tfrs-spilo-jan, tfrs-spilo-dev-1988
+ database-service-host-name:
+ required: true
+ type: string
+ secrets:
+ tools-namespace:
+ required: true
+ namespace:
+ required: true
+ openshift-server:
+ required: true
+ openshift-token:
+ required: true
+
+jobs:
+
+ deploy:
+
+ name: Deploy tfrs
+ runs-on: ubuntu-latest
+ timeout-minutes: 60
+
+ steps:
+
+ - name: Check out repository
+ uses: actions/checkout@v3
+ with:
+ ref: ${{ inputs.branch-name }}
+
+ - name: Log in to Openshift
+ uses: redhat-actions/oc-login@v1.2
+ with:
+ openshift_server_url: ${{ secrets.openshift-server }}
+ openshift_token: ${{ secrets.openshift-token }}
+ insecure_skip_tls_verify: true
+ namespace: ${{ secrets.tools-namespace }}
+
+ - name: Tag Images from tools
+ run: |
+ oc tag ${{ secrets.tools-namespace }}/tfrs-frontend:build-${{ inputs.branch-name }} ${{ secrets.namespace }}/tfrs-frontend:${{ inputs.env-name }}-${{ inputs.branch-name }}
+ oc tag ${{ secrets.tools-namespace }}/tfrs-backend:build-${{ inputs.branch-name }} ${{ secrets.namespace }}/tfrs-backend:${{ inputs.env-name }}-${{ inputs.branch-name }}
+
+ - name: Deploy tfrs-frontend
+ shell: bash {0}
+ run: |
+ cd charts/tfrs-apps/charts/tfrs-frontend
+ helm status -n ${{ secrets.namespace }} tfrs-frontend${{ inputs.suffix }}
+ if [ $? -eq 0 ]; then
+ echo "tfrs-frontend${{ inputs.suffix }} release exists already"
+ helm upgrade \
+ --set frontendImageTagName=${{ inputs.env-name }}-${{ inputs.branch-name }} \
+ --set suffix=${{ inputs.suffix }} \
+ --set namespace=${{ secrets.namespace }} \
+ --set envName=${{ inputs.env-Name }} \
+ -n ${{ secrets.namespace }} -f ./values${{ inputs.suffix }}.yaml tfrs-frontend${{ inputs.suffix }} .
+ else
+ echo "tfrs-frontend${{ inputs.suffix }} release does not exist"
+ helm install \
+ --set frontendImageTagName=${{ inputs.env-name }}-${{ inputs.branch-name }} \
+ --set suffix=${{ inputs.suffix }} \
+ --set namespace=${{ secrets.namespace }} \
+ --set envName=${{ inputs.env-Name }} \
+ -n ${{ secrets.namespace }} -f ./values${{ inputs.suffix }}.yaml tfrs-frontend${{ inputs.suffix }} .
+ fi
+
+
+ - name: Deploy tfrs-backend
+ shell: bash {0}
+ run: |
+ cd charts/tfrs-apps/charts/tfrs-backend
+ helm status -n ${{ secrets.namespace }} tfrs-backend${{ inputs.suffix }}
+ if [ $? -eq 0 ]; then
+ echo "tfrs-backend${{ inputs.suffix }} release exists already"
+ helm upgrade \
+ --set backendImageTagName=${{ inputs.env-name }}-${{ inputs.branch-name }} \
+ --set suffix=${{ inputs.suffix }} \
+ --set namespace=${{ secrets.namespace }} \
+ --set envName=${{ inputs.env-Name }} \
+ --set databaseServiceHostName=${{ inputs.database-service-host-name }} \
+ -n ${{ secrets.namespace }} -f ./values${{ inputs.suffix }}.yaml tfrs-backend${{ inputs.suffix }} .
+ else
+ echo "tfrs-backend${{ inputs.suffix }} release does not exist"
+ helm install \
+ --set backendImageTagName=${{ inputs.env-name }}-${{ inputs.branch-name }} \
+ --set suffix=${{ inputs.suffix }} \
+ --set namespace=${{ secrets.namespace }} \
+ --set envName=${{ inputs.env-Name }} \
+ --set databaseServiceHostName=${{ inputs.database-service-host-name }} \
+ -n ${{ secrets.namespace }} -f ./values${{ inputs.suffix }}.yaml tfrs-backend${{ inputs.suffix }} .
+ fi
+
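Review bot: The `Log in to Openshift` step sets `insecure_skip_tls_verify: true`, so the `openshift-token` secret is presented to an API endpoint whose certificate is never validated; set it to `false`, supplying the cluster CA through the action's `certificate_authority_data` input if the cluster uses a private one. The `run:` blocks also expand `${{ inputs.branch-name }}`, `${{ inputs.suffix }}` and the namespace secrets straight into shell text, where a ref name containing shell metacharacters would be interpreted by the runner's shell; passing them through `env:` and quoting the variables avoids that, as sketched below for the tag step (the two helm steps need the same treatment). `${{ inputs.env-Name }}` in the `--set envName=` lines is spelled differently from the declared `env-name` input and should match it.

```yaml
      - name: Tag Images from tools
        env:
          TOOLS_NS: ${{ secrets.tools-namespace }}
          TARGET_NS: ${{ secrets.namespace }}
          ENV_NAME: ${{ inputs.env-name }}
          BRANCH: ${{ inputs.branch-name }}
        run: |
          oc tag "${TOOLS_NS}/tfrs-frontend:build-${BRANCH}" "${TARGET_NS}/tfrs-frontend:${ENV_NAME}-${BRANCH}"
          oc tag "${TOOLS_NS}/tfrs-backend:build-${BRANCH}" "${TARGET_NS}/tfrs-backend:${ENV_NAME}-${BRANCH}"
      # … unchanged: Deploy tfrs-frontend / Deploy tfrs-backend steps (apply the same env: pattern) …
```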
diff --git a/.github/workflows/dev-jan-release.yaml b/.github/workflows/dev-jan-release.yaml index ef0f0fce7..d2d47ba65 100644 --- a/.github/workflows/dev-jan-release.yaml +++ b/.github/workflows/dev-jan-release.yaml @@ -6,11 +6,12 @@ name: TFRS Dev Jan 2024 Release on: push: - branches: [ jan-pipelin ] - # paths: - # - frontend/** - # - backend/** - # workflow_dispatch: + branches: [ main-release-jan-2024 ] + paths: + - frontend/** + - backend/** + - security-scan/** + workflow_dispatch: concurrency: group: ${{ github.workflow }}-${{ github.ref }} @@ -65,7 +66,8 @@ jobs: LOG_LEVEL: WARN build: - # needs: [unit-test, lint] + name: Build + needs: [unit-test, lint] uses: ./.github/workflows/branch-build-template.yaml with: branch-name: ${{ github.ref_name }} 
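Review bot: Enabling `workflow_dispatch:` in the trigger hunk bypasses the restriction that `push.branches` provides. The `build` job takes `branch-name: ${{ github.ref_name }}`, so a manual run started from another ref that carries this file would, as far as these hunks show, build that ref and hand it to the deploy job with the OpenShift token. If only `main-release-jan-2024` is meant to reach the fixed `-dev-jan` release, guard the jobs with `if: github.ref_name == 'main-release-jan-2024'`. The same applies to the `deploy-on-dev` job added in the last hunk of this file.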
@@ -74,30 +76,19 @@ jobs: openshift-server: ${{ secrets.OPENSHIFT_SERVER }} openshift-token: ${{ secrets.OPENSHIFT_TOKEN }} - # deploy-on-dev: - - # name: Deploy TFRS on Dev - # runs-on: ubuntu-latest - # timeout-minutes: 240 - # needs: build - - # steps: - - # ## it will checkout to /home/runner/work/itvr/itvr - # - name: Check out repository - # uses: actions/checkout@v3 - - # - name: Log in to Openshift - # ##uses: redhat-actions/oc-login@v1 - # uses: smlgbl/oc-login@main - # with: - # openshift_server_url: ${{ secrets.OPENSHIFT_SERVER }} - # openshift_token: ${{ secrets.OPENSHIFT_TOKEN }} - # insecure_skip_tls_verify: true - # namespace: ${{ secrets.OPENSHIFT_NAMESPACE_PLATE }}-tools - - # - name: Run deploy - # run: | - # cd .pipeline - # npm install - # npm run deploy -- --pr=${{ env.PR_NUMBER }} --env=dev + # The suffix is -dev-jan, the deployment names are tfrs-backend-dev-jan, tfrs-frontend-dev-jan and etc.. + # The image tags are tfrs-backend:dev-main-release-jan-2024, tfrs-frontend:dev-main-release-jan-2024 and etc.. + deploy-on-dev: + name: Deploy on Dev + needs: build + uses: ./.github/workflows/branch-deploy-template.yaml + with: + branch-name: ${{ github.ref_name }} + suffix: -dev-jan + env-name: dev + database-service-host-name: tfrs-spilo-jan + secrets: + tools-namespace: ${{ secrets.OPENSHIFT_NAMESPACE_PLATE }}-tools + namespace: ${{ secrets.OPENSHIFT_NAMESPACE_PLATE }}-dev + openshift-server: ${{ secrets.OPENSHIFT_SERVER }} + openshift-token: ${{ secrets.OPENSHIFT_TOKEN }} diff --git a/charts/tfrs-apps/.helmignore b/charts/tfrs-apps/.helmignore new file mode 100644 index 000000000..0e8a0eb36 --- /dev/null +++ b/charts/tfrs-apps/.helmignore 
@@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/tfrs-apps/Chart.yaml b/charts/tfrs-apps/Chart.yaml new file mode 100644 index 000000000..0b9a41aee --- /dev/null +++ b/charts/tfrs-apps/Chart.yaml @@ -0,0 +1,24 @@ +apiVersion: v2 +name: tfrs-apps +description: A Helm chart for Kubernetes + +# A chart can be either an 'application' or a 'library' chart. +# +# Application charts are a collection of templates that can be packaged into versioned archives +# to be deployed. +# +# Library charts provide useful utilities or functions for the chart developer. They're included as +# a dependency of application charts to inject those utilities and functions into the rendering +# pipeline. Library charts do not define any templates and therefore cannot be deployed. +type: application + +# This is the chart version. This version number should be incremented each time you make changes +# to the chart and its templates, including the app version. +# Versions are expected to follow Semantic Versioning (https://semver.org/) +version: 1.0.0 + +# This is the version number of the application being deployed. This version number should be +# incremented each time you make changes to the application. Versions are not expected to +# follow Semantic Versioning. They should reflect the version the application is using. +# It is recommended to use it with quotes. +appVersion: "3.0.0" diff --git a/charts/tfrs-apps/charts/tfrs-backend/.helmignore b/charts/tfrs-apps/charts/tfrs-backend/.helmignore new file mode 100644 index 000000000..0e8a0eb36 --- /dev/null +++ b/charts/tfrs-apps/charts/tfrs-backend/.helmignore 
@@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/tfrs-apps/charts/tfrs-backend/Chart.yaml b/charts/tfrs-apps/charts/tfrs-backend/Chart.yaml new file mode 100644 index 000000000..3a573ec96 --- /dev/null +++ b/charts/tfrs-apps/charts/tfrs-backend/Chart.yaml @@ -0,0 +1,24 @@ +apiVersion: v2 +name: tfrs-backend +description: A Helm chart for Kubernetes + +# A chart can be either an 'application' or a 'library' chart. +# +# Application charts are a collection of templates that can be packaged into versioned archives +# to be deployed. +# +# Library charts provide useful utilities or functions for the chart developer. They're included as +# a dependency of application charts to inject those utilities and functions into the rendering +# pipeline. Library charts do not define any templates and therefore cannot be deployed. +type: application + +# This is the chart version. This version number should be incremented each time you make changes +# to the chart and its templates, including the app version. +# Versions are expected to follow Semantic Versioning (https://semver.org/) +version: 0.1.0 + +# This is the version number of the application being deployed. This version number should be +# incremented each time you make changes to the application. Versions are not expected to +# follow Semantic Versioning. They should reflect the version the application is using. +# It is recommended to use it with quotes. +appVersion: "3.0.0" diff --git a/charts/tfrs-apps/charts/tfrs-backend/templates/_helpers.tpl b/charts/tfrs-apps/charts/tfrs-backend/templates/_helpers.tpl new file mode 100644 index 000000000..1b1c0be19 
--- /dev/null +++ b/charts/tfrs-apps/charts/tfrs-backend/templates/_helpers.tpl 
@@ -0,0 +1,67 @@ +{{/* + +The labels for all components: + labels: + helm.sh/chart: tfrs-backend-1.0.0 + app.kubernetes.io/name: tfrs-backend + app.kubernetes.io/instance: tfrs-backend-dev or tfrs-backend-dev-jan + app.kubernetes.io/version: "3.0.0" + app.kubernetes.io/managed-by: Helm + +The selector lables: + selector: + app.kubernetes.io/name: tfrs-backend + app.kubernetes.io/instance: tfrs-backend-dev-1977 + +.Release.Name comes from command helm install + example: helm install tfrs-backend-dev ... or helm install tfrs-backend-dev-jan ... + +.Chart.Name come from the name attribute in Chart.yaml + +*/}} + +{{/* +Expand the name of the chart. If nameOverride is empty, use .Chart.Name. +Typically no need to assign value to nameOverride, +*/}} +{{- define "tfrs-backend.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +The .Release.Name is the first parameter of command helm install tfrs-backend-dev or tfrs-backend-dev-jan +*/}} +{{- define "tfrs-backend.fullname" -}} +{{- .Release.Name }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "tfrs-backend.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels: +app.kubernetes.io/managed-by would be Helm +*/}} +{{- define "tfrs-backend.labels" -}} +helm.sh/chart: {{ include "tfrs-backend.chart" . }} +{{ include "tfrs-backend.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "tfrs-backend.selectorLabels" -}} +app.kubernetes.io/name: {{ include "tfrs-backend.name" . 
}} +app.kubernetes.io/instance: {{ include "tfrs-backend.fullname" . }} +{{- end }} + diff --git a/charts/tfrs-apps/charts/tfrs-backend/templates/deployment-config.yaml b/charts/tfrs-apps/charts/tfrs-backend/templates/deployment-config.yaml new file mode 100644 index 000000000..fcc5feff2 --- /dev/null +++ b/charts/tfrs-apps/charts/tfrs-backend/templates/deployment-config.yaml 
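Review bot: The comment above `tfrs-backend.fullname` says the name is truncated at 63 characters, but the template body is just `{{- .Release.Name }}` with no `trunc`; either drop that sentence or state that the release name is used unchanged. The header comment's sample label `helm.sh/chart: tfrs-backend-1.0.0` also disagrees with `version: 0.1.0` in this chart's Chart.yaml, and "lables" should read "labels". The frontend `_helpers.tpl` carries the same three comments.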
@@ -0,0 +1,164 @@ +kind: DeploymentConfig +apiVersion: apps.openshift.io/v1 +metadata: + annotations: + description: Defines how to deploy the backend application + name: tfrs-backend{{ .Values.suffix }} + labels: + {{- include "tfrs-backend.labels" . | nindent 4 }} +spec: + strategy: + type: Recreate + recreateParams: + timeoutSeconds: 600 + mid: + failurePolicy: Abort + execNewPod: + command: + - /bin/sh + - '-c' + - python manage.py migrate; + containerName: tfrs-app + resources: {} + activeDeadlineSeconds: 21600 + triggers: + - type: ImageChange + imageChangeParams: + automatic: true + containerNames: + - tfrs-app + from: + kind: ImageStreamTag + namespace: {{ .Values.namespace }} + name: tfrs-backend:{{ .Values.backendImageTagName }} + - type: ConfigChange + replicas: {{ .Values.replicaCount }} + revisionHistoryLimit: 10 + test: false + selector: + {{- include "tfrs-backend.selectorLabels" . | nindent 4 }} + template: + metadata: + name: tfrs-backend-test + creationTimestamp: null + labels: + {{- include "tfrs-backend.labels" . 
| nindent 8 }} + spec: + containers: + - resources: +{{ toYaml .Values.resources | indent 12 }} + readinessProbe: + tcpSocket: + port: 8080 + initialDelaySeconds: 60 + timeoutSeconds: 3 + periodSeconds: 10 + successThreshold: 1 + failureThreshold: 10 + terminationMessagePath: /dev/termination-log + name: tfrs-app + livenessProbe: + tcpSocket: + port: 8080 + initialDelaySeconds: 90 + timeoutSeconds: 3 + periodSeconds: 10 + successThreshold: 1 + failureThreshold: 10 + env: + - name: EMAIL_FROM_ADDRESS + value: donotreply@gov.bc.ca + - name: EMAIL_SENDING_ENABLED + value: '{{ .Values.env.emailSendingEnabled }}' + - name: MINIO_BUCKET_NAME + value: tfrs + - name: SMTP_SERVER_HOST + value: apps.smtp.gov.bc.ca + - name: DJANGO_DEBUG + value: '{{ .Values.env.djangoDebug }}' + - name: SMTP_SERVER_PORT + value: '2500' + - name: DATABASE_SERVICE_NAME + value: {{ .Values.databaseServiceHostName }} + - name: DATABASE_ENGINE + value: postgresql + - name: DATABASE_NAME + valueFrom: + secretKeyRef: + name: tfrs-patroni-app + key: app-db-name + - name: DATABASE_USER + valueFrom: + secretKeyRef: + name: tfrs-patroni-app + key: app-db-username + - name: DATABASE_PASSWORD + valueFrom: + secretKeyRef: + name: tfrs-patroni-app + key: app-db-password + - name: POSTGRESQL_SERVICE_HOST + value: {{ .Values.databaseServiceHostName }}.{{ .Values.namespace }}.svc.cluster.local + - name: POSTGRESQL_SERVICE_PORT + value: '5432' + - name: RABBITMQ_USER + valueFrom: + secretKeyRef: + name: tfrs-rabbitmq-app + key: username + - name: RABBITMQ_VHOST + value: tfrs{{ .Values.suffix }}-vhost + - name: RABBITMQ_HOST + value: tfrs-rabbitmq.{{ .Values.namespace }}.svc.cluster.local + - name: RABBITMQ_PASSWORD + valueFrom: + secretKeyRef: + name: tfrs-rabbitmq-app + key: password + - name: RABBITMQ_PORT + value: '5672' + - name: MINIO_ENDPOINT + value: tfrs-minio-{{ .Values.envName }}.apps.silver.devops.gov.bc.ca:443 + - name: MINIO_USE_SSL + value: 'true' + - name: DOCUMENTS_API_ENABLED + value: '{{ 
.Values.env.documentsApiEnabled }}' + - name: MINIO_ACCESS_KEY + valueFrom: + secretKeyRef: + name: tfrs-minio-{{ .Values.envName }} + key: MINIO_ACCESS_KEY + - name: MINIO_SECRET_KEY + valueFrom: + secretKeyRef: + name: tfrs-minio-{{ .Values.envName }} + key: MINIO_SECRET_KEY + - name: FUEL_CODES_API_ENABLED + value: '{{ .Values.env.fuelCodesApiEnabled}}' + - name: CREDIT_CALCULATION_API_ENABLED + value: '{{ .Values.env.creditCalculationApiEnabled}}' + - name: COMPLIANCE_REPORTING_API_ENABLED + value: '{{ .Values.env.complianceReportingApiEnabled}}' + - name: EXCLUSION_REPORTS_API_ENABLED + value: '{{ .Values.env.exclusionReportsApiEnabled}}' + - name: DJANGO_SECRET_KEY + valueFrom: + secretKeyRef: + name: django-secret-key + key: DJANGO_SECRET_KEY + - name: APP_CONFIG + value: /opt/app-root/src/gunicorn.cfg.py + - name: KEYCLOAK_AUDIENCE + value: tfrs-on-gold-4308 + - name: WELL_KNOWN_ENDPOINT + value: https://{{ .Values.envName }}.loginproxy.gov.bc.ca/auth/realms/standard/.well-known/openid-configuration + ports: + - containerPort: 8080 + protocol: TCP + imagePullPolicy: IfNotPresent + terminationMessagePolicy: File + restartPolicy: Always + terminationGracePeriodSeconds: 30 + dnsPolicy: ClusterFirst + securityContext: {} + schedulerName: default-scheduler \ No newline at end of file diff --git a/charts/tfrs-apps/charts/tfrs-backend/templates/hpa.yaml b/charts/tfrs-apps/charts/tfrs-backend/templates/hpa.yaml new file mode 100644 index 000000000..0643f8a07 --- /dev/null +++ b/charts/tfrs-apps/charts/tfrs-backend/templates/hpa.yaml 
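Review bot: The pod template leaves `securityContext: {}` and never sets `automountServiceAccountToken`, so by default the `tfrs-app` container, which already holds the database, RabbitMQ, MinIO and Django secrets, also gets the namespace's service-account token mounted. If the backend does not call the cluster API, add `automountServiceAccountToken: false` under `template.spec`. Separately, `DATABASE_SERVICE_NAME`, `POSTGRESQL_SERVICE_HOST` and the `ImageStreamTag` `namespace`/`name` render `.Values` entries unquoted, so an empty or boolean-looking `--set` value changes the YAML type; `value: {{ .Values.databaseServiceHostName | quote }}` keeps them strings. `template.metadata.name: tfrs-backend-test` looks like a leftover from another environment.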
@@ -0,0 +1,32 @@ +{{- if .Values.autoscaling.enabled }} +apiVersion: autoscaling/v2beta2 +kind: HorizontalPodAutoscaler +metadata: + name: tfrs-backend{{ .Values.suffix }} + labels: + {{- include "tfrs-backend.labels" . | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps.openshift.io/v1 + kind: DeploymentConfig + name: tfrs-backend{{ .Values.suffix }} + minReplicas: {{ .Values.autoscaling.minReplicas }} + maxReplicas: {{ .Values.autoscaling.maxReplicas }} + metrics: + {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} + {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} +{{- end }} diff --git a/charts/tfrs-apps/charts/tfrs-backend/templates/route.yaml b/charts/tfrs-apps/charts/tfrs-backend/templates/route.yaml new file mode 100644 index 000000000..52105f810 --- /dev/null +++ b/charts/tfrs-apps/charts/tfrs-backend/templates/route.yaml @@ -0,0 +1,20 @@ +apiVersion: route.openshift.io/v1 +kind: Route +metadata: + name: tfrs-backend{{ .Values.suffix }} + annotations: + haproxy.router.openshift.io/timeout: 1200s + labels: + {{- include "tfrs-backend.labels" . | nindent 4 }} +spec: + host: tfrs-backend{{ .Values.suffix }}.apps.silver.devops.gov.bc.ca + port: + targetPort: web + tls: + insecureEdgeTerminationPolicy: Redirect + termination: edge + to: + kind: Service + name: tfrs-backend{{ .Values.suffix }} + weight: 100 + wildcardPolicy: None diff --git a/charts/tfrs-apps/charts/tfrs-backend/templates/service.yaml b/charts/tfrs-apps/charts/tfrs-backend/templates/service.yaml new file mode 100644 index 000000000..d5c5bc4df --- /dev/null +++ b/charts/tfrs-apps/charts/tfrs-backend/templates/service.yaml 
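Review bot: `apiVersion: autoscaling/v2beta2` is a deprecated HorizontalPodAutoscaler API that Kubernetes stopped serving in 1.26; `autoscaling/v2` accepts the same `metrics` layout and should be used if the target cluster offers it. With `autoscaling.enabled` true and neither utilization value set, the template also renders a bare `metrics:` key, so guard the key with the same conditions or require at least one target. The frontend `hpa.yaml` is identical and needs the same change.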
@@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Service +metadata: + name: tfrs-backend{{ .Values.suffix }} + labels: + {{- include "tfrs-backend.labels" . | nindent 4 }} +spec: + type: ClusterIP + ports: + - port: 8080 + targetPort: 8080 + protocol: TCP + name: web + selector: + {{- include "tfrs-backend.selectorLabels" . | nindent 4 }} diff --git a/charts/tfrs-apps/charts/tfrs-backend/values-dev-jan.yaml b/charts/tfrs-apps/charts/tfrs-backend/values-dev-jan.yaml new file mode 100644 index 000000000..d1508cea6 --- /dev/null +++ b/charts/tfrs-apps/charts/tfrs-backend/values-dev-jan.yaml @@ -0,0 +1,34 @@ +# Default values for itvr-backend. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +# backendImageTagName is not in this file, it comes as a argument from the helm command line +# helm template command +# helm template --set backendImageTagName=dev-main-release-jan-2024 -f ./values-dev-jan.yaml tfrs-backend-dev-jan . +# helm -n --set backendImageTagName=dev-main-release-jan-2024 -f ./values-dev-jan.yaml upgrade tfrs-backend-dev-jan . + +replicaCount: 1 + +resources: + limits: + cpu: 400m + memory: 1200Mi + requests: + cpu: 200m + memory: 600Mi + +autoscaling: + enabled: true + minReplicas: 1 + maxReplicas: 2 + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 90 + +env: + emailSendingEnabled: true + djangoDebug: true + documentsApiEnabled: true + fuelCodesApiEnabled: true + creditCalculationApiEnabled: true + complianceReportingApiEnabled: true + exclusionReportsApiEnabled: true diff --git a/charts/tfrs-apps/charts/tfrs-frontend/.helmignore b/charts/tfrs-apps/charts/tfrs-frontend/.helmignore new file mode 100644 index 000000000..0e8a0eb36 --- /dev/null +++ b/charts/tfrs-apps/charts/tfrs-frontend/.helmignore 
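Review bot: `djangoDebug: true` is rendered into `DJANGO_DEBUG` for a backend that this commit also publishes through a Route (`tfrs-backend{{ .Values.suffix }}.apps.silver.devops.gov.bc.ca`). Assuming the application maps that variable to Django's `DEBUG` setting, error pages would show stack traces and settings to anyone who can reach the host. Default it to `false` here and enable it only for short-lived troubleshooting. The header comment still says "Default values for itvr-backend", and the sample `helm -n --set …` command is missing the namespace argument after `-n`.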
@@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/tfrs-apps/charts/tfrs-frontend/Chart.yaml b/charts/tfrs-apps/charts/tfrs-frontend/Chart.yaml new file mode 100644 index 000000000..6dfef21e9 --- /dev/null +++ b/charts/tfrs-apps/charts/tfrs-frontend/Chart.yaml @@ -0,0 +1,24 @@ +apiVersion: v2 +name: tfrs-frontend +description: A Helm chart for Kubernetes + +# A chart can be either an 'application' or a 'library' chart. +# +# Application charts are a collection of templates that can be packaged into versioned archives +# to be deployed. +# +# Library charts provide useful utilities or functions for the chart developer. They're included as +# a dependency of application charts to inject those utilities and functions into the rendering +# pipeline. Library charts do not define any templates and therefore cannot be deployed. +type: application + +# This is the chart version. This version number should be incremented each time you make changes +# to the chart and its templates, including the app version. +# Versions are expected to follow Semantic Versioning (https://semver.org/) +version: 0.1.0 + +# This is the version number of the application being deployed. This version number should be +# incremented each time you make changes to the application. Versions are not expected to +# follow Semantic Versioning. They should reflect the version the application is using. +# It is recommended to use it with quotes. +appVersion: "3.0.0" diff --git a/charts/tfrs-apps/charts/tfrs-frontend/templates/_helpers.tpl b/charts/tfrs-apps/charts/tfrs-frontend/templates/_helpers.tpl new file mode 100644 index 000000000..a34119769 
--- /dev/null +++ b/charts/tfrs-apps/charts/tfrs-frontend/templates/_helpers.tpl 
@@ -0,0 +1,66 @@ +{{/* + +The labels for all components: + labels: + helm.sh/chart: tfrs-frontend-1.0.0 + app.kubernetes.io/name: tfrs-frontend + app.kubernetes.io/instance: tfrs-frontend-dev or tfrs-frontend-dev-jan + app.kubernetes.io/version: "3.0.0" + app.kubernetes.io/managed-by: Helm + +The selector lables: + selector: + app.kubernetes.io/name: tfrs-frontend + app.kubernetes.io/instance: tfrs-frontend-dev-1977 + +.Release.Name comes from command helm install + example: helm install tfrs-frontend-dev ... or helm install tfrs-frontend-dev-jan ... + +.Chart.Name come from the name attribute in Chart.yaml + +*/}} + +{{/* +Expand the name of the chart. If nameOverride is empty, use .Chart.Name. +Typically no need to assign value to nameOverride, +*/}} +{{- define "tfrs-frontend.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +The .Release.Name is the first parameter of command helm install tfrs-frontend-dev or tfrs-frontend-dev-jan +*/}} +{{- define "tfrs-frontend.fullname" -}} +{{- .Release.Name }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "tfrs-frontend.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels: +app.kubernetes.io/managed-by would be Helm +*/}} +{{- define "tfrs-frontend.labels" -}} +helm.sh/chart: {{ include "tfrs-frontend.chart" . }} +{{ include "tfrs-frontend.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "tfrs-frontend.selectorLabels" -}} +app.kubernetes.io/name: {{ include "tfrs-frontend.name" . 
}} +app.kubernetes.io/instance: {{ include "tfrs-frontend.fullname" . }} +{{- end }} diff --git a/charts/tfrs-apps/charts/tfrs-frontend/templates/configmap.yaml b/charts/tfrs-apps/charts/tfrs-frontend/templates/configmap.yaml new file mode 100644 index 000000000..8f3e92ee1 --- /dev/null +++ b/charts/tfrs-apps/charts/tfrs-frontend/templates/configmap.yaml @@ -0,0 +1,28 @@ +kind: ConfigMap +apiVersion: v1 +metadata: + name: tfrs-frontend{{ .Values.suffix }} + creationTimestamp: +data: + features.js: | + window.tfrs_config = { + "keycloak.realm": "standard", + "keycloak.client_id": "{{ .Values.configmap.keycloak.clientId }}", + "keycloak.auth_url": "https://{{ .Values.envName }}.loginproxy.gov.bc.ca/auth", + "keycloak.callback_url": "https://tfrs{{ .Values.suffix }}.apps.silver.devops.gov.bc.ca", + "keycloak.post_logout_url": "https://tfrs{{ .Values.suffix }}.apps.silver.devops.gov.bc.ca", + "keycloak.siteminder_logout_url": "{{ .Values.configmap.keycloak.siteminderLogoutUrl }}", + "debug.enabled": {{ .Values.configmap.debugEnabled }}, + "secure_document_upload.enabled": true, + "secure_document_upload.max_file_size": 50000000, + "fuel_codes.enabled": true, + "keycloak.custom_login": true, + "credit_transfer.enabled": true, + "compliance_reporting.enabled": true, + "compliance_reporting.starting_year": 2017, + "compliance_reporting.create_effective_date": "2019-01-01", + "credit_calculation_api.enabled": true, + "exclusion_reports.enabled": true, + "exclusion_reports.create_effective_date": "2019-01-01", + "api_base": "https://tfrs-backend{{ .Values.suffix }}.apps.silver.devops.gov.bc.ca/api" + }; \ No newline at end of file diff --git a/charts/tfrs-apps/charts/tfrs-frontend/templates/deployment-config.yaml b/charts/tfrs-apps/charts/tfrs-frontend/templates/deployment-config.yaml new file mode 100644 index 000000000..f494076d6 --- /dev/null +++ b/charts/tfrs-apps/charts/tfrs-frontend/templates/deployment-config.yaml 
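Review bot: The values in `features.js` are spliced into JavaScript string literals as raw text (`"{{ .Values.configmap.keycloak.clientId }}"`, `"{{ .Values.configmap.keycloak.siteminderLogoutUrl }}"`), so a quote or backslash in a value breaks or alters the script the browser loads. Rendering them as `{{ .Values.configmap.keycloak.clientId | toJson }}` without the surrounding quotes emits a properly escaped literal. The ConfigMap also has an empty `creationTimestamp:` and no `labels:` block, unlike the DeploymentConfig and HPA templates, which include `tfrs-frontend.labels`.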
@@ -0,0 +1,96 @@
+
+apiVersion: apps.openshift.io/v1
+kind: DeploymentConfig
+metadata:
+ name: tfrs-frontend{{ .Values.suffix }}
+ annotations:
+ description: Defines how to deploy the frontend application
+ creationTimestamp: null
+ labels:
+ {{- include "tfrs-frontend.labels" . | nindent 4 }}
+spec:
+ replicas: {{ .Values.replicaCount }}
+ revisionHistoryLimit: 10
+ automountServiceAccountToken: false
+ selector:
+ {{- include "tfrs-frontend.selectorLabels" . | nindent 4 }}
+ strategy:
+ activeDeadlineSeconds: 600
+ recreateParams:
+ timeoutSeconds: 300
+ resources: {}
+ type: Recreate
+ template:
+ metadata:
+ creationTimestamp: null
+ labels:
+ {{- include "tfrs-frontend.labels" . | nindent 8 }}
+ spec:
+ volumes:
+ - name: tfrs-frontend{{ .Values.suffix }}
+ configMap:
+ name: tfrs-frontend{{ .Values.suffix }}
+ containers:
+ - name: frontend
+ env: null
+ image:
+ imagePullPolicy: IfNotPresent
+ volumeMounts:
+ - name: tfrs-frontend{{ .Values.suffix }}
+ mountPath: /app/static/js/config
+ ports:
+ - containerPort: 8080
+ protocol: TCP
+ env:
+ - name: RABBITMQ_VHOST
+ value: tfrs{{ .Values.suffix }}-vhost
+ - name: RABBITMQ_USER
+ valueFrom:
+ secretKeyRef:
+ name: tfrs-rabbitmq-app
+ key: username
+ - name: RABBITMQ_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: tfrs-rabbitmq-app
+ key: password
+ - name: RABBITMQ_HOST
+ value: tfrs-rabbitmq.{{ .Values.namespace }}.svc.cluster.local
+ - name: RABBITMQ_PORT
+ value: '5672'
+ livenessProbe:
+ failureThreshold: 10
+ initialDelaySeconds: 30
+ periodSeconds: 10
+ successThreshold: 1
+ tcpSocket:
+ port: 8080
+ timeoutSeconds: 3
+ readinessProbe:
+ failureThreshold: 10
+ initialDelaySeconds: 20
+ periodSeconds: 10
+ successThreshold: 1
+ tcpSocket:
+ port: 8080
+ timeoutSeconds: 3
+ resources:
+{{ toYaml .Values.resources | indent 12 }}
+ terminationMessagePolicy: File
+ dnsPolicy: ClusterFirst
+ restartPolicy: Always
+ schedulerName: default-scheduler
+ securityContext: {}
+ terminationGracePeriodSeconds: 30
+ 
test: false
+ triggers:
+ - imageChangeParams:
+ automatic: true
+ containerNames:
+ - frontend
+ from:
+ kind: ImageStreamTag
+ name: tfrs-frontend:{{ .Values.frontendImageTagName }}
+ lastTriggeredImage:
+ type: ImageChange
+ - type: ConfigChange
diff --git a/charts/tfrs-apps/charts/tfrs-frontend/templates/hpa.yaml b/charts/tfrs-apps/charts/tfrs-frontend/templates/hpa.yaml
new file mode 100644
index 000000000..af2553cfd
--- /dev/null
+++ b/charts/tfrs-apps/charts/tfrs-frontend/templates/hpa.yaml
@@ -0,0 +1,32 @@
+{{- if .Values.autoscaling.enabled }}
+apiVersion: autoscaling/v2beta2
+kind: HorizontalPodAutoscaler
+metadata:
+ name: tfrs-frontend{{ .Values.suffix }}
+ labels:
+ {{- include "tfrs-frontend.labels" . | nindent 4 }}
+spec:
+ scaleTargetRef:
+ apiVersion: apps.openshift.io/v1
+ kind: DeploymentConfig
+ name: tfrs-frontend{{ .Values.suffix }}
+ minReplicas: {{ .Values.autoscaling.minReplicas }}
+ maxReplicas: {{ .Values.autoscaling.maxReplicas }}
+ metrics:
+ {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
+ - type: Resource
+ resource:
+ name: cpu
+ target:
+ type: Utilization
+ averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
+ {{- end }}
+ {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
+ - type: Resource
+ resource:
+ name: memory
+ target:
+ type: Utilization
+ averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
+ {{- end }}
+{{- end }}
diff --git a/charts/tfrs-apps/charts/tfrs-frontend/templates/route.yaml b/charts/tfrs-apps/charts/tfrs-frontend/templates/route.yaml
new file mode 100644
index 000000000..2bc10c2ef
--- /dev/null
+++ b/charts/tfrs-apps/charts/tfrs-frontend/templates/route.yaml
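Review bot: `automountServiceAccountToken: false` in templates/deployment-config.yaml sits between `revisionHistoryLimit` and `selector`, i.e. in the DeploymentConfig spec, but it is a pod-spec field, so where it is now it does not stop the service-account token from being mounted (the collapsed rendering hides the indentation, so this is judged from its position); it belongs under `spec.template.spec` next to `dnsPolicy`. The `frontend` container also receives `RABBITMQ_USER` and `RABBITMQ_PASSWORD` from the `tfrs-rabbitmq-app` secret, yet the RabbitMQ NetworkPolicy in this same commit admits no frontend pods; if the frontend does not talk to RabbitMQ, drop these variables so the credentials are not exposed to a web-facing pod. The container mapping declares `env` twice (`env: null` and the later list), a duplicate key that should be reduced to the list, and `securityContext: {}` leaves hardening to the cluster defaults.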
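Review bot: `apiVersion: autoscaling/v2beta2` in templates/hpa.yaml is a deprecated API that upstream Kubernetes removed in 1.26; `autoscaling/v2` takes the same `metrics` layout used here, so `apiVersion: autoscaling/v2` is a drop-in change if the target cluster serves it. When the autoscaler is enabled the DeploymentConfig still renders `replicas: {{ .Values.replicaCount }}`, so each upgrade resets the replica count the autoscaler chose; consider omitting `replicas` when `.Values.autoscaling.enabled` is true. If neither utilization target is set, `metrics:` renders with no entries.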
@@ -0,0 +1,22 @@
+{{- if .Values.route.createFrontendRoute }}
+apiVersion: route.openshift.io/v1
+kind: Route
+metadata:
+ name: tfrs-frontend{{ .Values.suffix }}
+ annotations:
+ haproxy.router.openshift.io/timeout: 1200s
+ labels:
+ {{- include "tfrs-frontend.labels" . | nindent 4 }}
+spec:
+ host: tfrs-frontend{{ .Values.suffix }}.apps.silver.devops.gov.bc.ca
+ port:
+ targetPort: web
+ tls:
+ insecureEdgeTerminationPolicy: Redirect
+ termination: edge
+ to:
+ kind: Service
+ name: tfrs-frontend{{ .Values.suffix }}
+ weight: 100
+ wildcardPolicy: None
+ {{- end }}
\ No newline at end of file
diff --git a/charts/tfrs-apps/charts/tfrs-frontend/templates/service.yaml b/charts/tfrs-apps/charts/tfrs-frontend/templates/service.yaml
new file mode 100644
index 000000000..3cd86a0a9
--- /dev/null
+++ b/charts/tfrs-apps/charts/tfrs-frontend/templates/service.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: tfrs-frontend{{ .Values.suffix }}
+ labels:
+ {{- include "tfrs-frontend.labels" . | nindent 4 }}
+spec:
+ type: ClusterIP
+ ports:
+ - port: 8080
+ targetPort: 8080
+ protocol: TCP
+ name: web
+ sessionAffinity: None
+ selector:
+ {{- include "tfrs-frontend.selectorLabels" . | nindent 4 }}
diff --git a/charts/tfrs-apps/charts/tfrs-frontend/values-dev-jan.yaml b/charts/tfrs-apps/charts/tfrs-frontend/values-dev-jan.yaml
new file mode 100644
index 000000000..882ab1112
--- /dev/null
+++ b/charts/tfrs-apps/charts/tfrs-frontend/values-dev-jan.yaml
@@ -0,0 +1,28 @@
+# Default values for tfrs-frontend.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+replicaCount: 1
+
+configmap:
+ keycloak:
+ clientId: tfrs-on-gold-4308
+ siteminderLogoutUrl: https://logontest7.gov.bc.ca/clp-cgi/logoff.cgi?retnow=1&returl=
+ debugEnabled: true
+
+resources:
+ limits:
+ cpu: 80m
+ memory: 120Mi
+ requests:
+ cpu: 40m
+ memory: 60Mi
+
+route:
+ createFrontendRoute: true
+
+autoscaling:
+ enabled: true
+ minReplicas: 1
+ maxReplicas: 2
+ targetCPUUtilizationPercentage: 80
diff --git a/openshift-v4/templates/knp/2a-apps-jan.yaml b/openshift-v4/templates/knp/2a-apps-jan.yaml
new file mode 100644
index 000000000..f24967bdf
--- /dev/null
+++ b/openshift-v4/templates/knp/2a-apps-jan.yaml
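Review bot: The templates in this chart read `.Values.suffix`, `.Values.envName`, `.Values.namespace` and `.Values.frontendImageTagName`, none of which is defined in values-dev-jan.yaml; presumably the workflow passes them with `--set`, but if one is missing Helm renders an empty string and the release silently takes names such as `tfrs-frontend` and an auth URL of `https://.loginproxy.gov.bc.ca/auth`. Guarding the uses with `required`, for example `{{ required "suffix is required" .Values.suffix }}`, makes that a render-time failure. `debugEnabled: true` is reasonable for dev, but a comment saying it must not be copied to test or prod values would help, and the first comment line should say these are the dev-jan overrides rather than the chart defaults.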
@@ -0,0 +1,63 @@
+---
+apiVersion: template.openshift.io/v1
+kind: Template
+labels:
+ template: tfrs-network-policy-jan
+metadata:
+ name: tfrs-network-policy-jan
+parameters:
+ - name: ENVIRONMENT
+ displayName: null
+ description: such as dev or test
+ required: true
+objects:
+ - apiVersion: networking.k8s.io/v1
+ kind: NetworkPolicy
+ metadata:
+ name: allow-tfrs-backend-accepts-frontend-${ENVIRONMENT}-jan
+ spec:
+ ## Allow backend to accept communication from frontend
+ podSelector:
+ matchLabels:
+ name: tfrs-backend-${ENVIRONMENT}-jan
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ name: tfrs-frontend-${ENVIRONMENT}-jan
+ ports:
+ - protocol: TCP
+ port: 8080
+ - apiVersion: networking.k8s.io/v1
+ kind: NetworkPolicy
+ metadata:
+ name: allow-tfrs-minio-accepts-${ENVIRONMENT}-jan
+ spec:
+ ## Allow minio to accept communications from scan coordinator
+ ## Allow minio to accept communications from celery
+ ## Allow minio to accept communications from backend
+ podSelector:
+ matchLabels:
+ name: tfrs-minio-${ENVIRONMENT}
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ name: tfrs-scan-coordinator-${ENVIRONMENT}-jan
+ ports:
+ - protocol: TCP
+ port: 9000
+ - from:
+ - podSelector:
+ matchLabels:
+ name: tfrs-celery-${ENVIRONMENT}-jan
+ ports:
+ - protocol: TCP
+ port: 9000
+ - from:
+ - podSelector:
+ matchLabels:
+ name: tfrs-backend-${ENVIRONMENT}-jan
+ ports:
+ - protocol: TCP
+ port: 9000
diff --git a/openshift-v4/templates/knp/3a-spilo-jan.yaml b/openshift-v4/templates/knp/3a-spilo-jan.yaml
new file mode 100644
index 000000000..4a03c4a81
--- /dev/null
+++ b/openshift-v4/templates/knp/3a-spilo-jan.yaml
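Review bot: The first policy in 2a-apps-jan.yaml admits traffic to the backend from pods labelled `name: tfrs-frontend-${ENVIRONMENT}-jan`, but the frontend pod template added in this commit carries only the `helm.sh/chart` and `app.kubernetes.io/*` labels from `tfrs-frontend.labels`, so unless a `name` label is added elsewhere this rule selects nothing. Either add the label to the pod template or select on `app.kubernetes.io/instance`. The minio policy targets `name: tfrs-minio-${ENVIRONMENT}` without the `-jan` suffix, which gives the jan pipeline's pods access to the shared environment's object store; a comment stating that this sharing is intended would make that explicit.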
@@ -0,0 +1,98 @@
+---
+apiVersion: template.openshift.io/v1
+kind: Template
+labels:
+ template: tfrs-spilo-network-policy-jan
+metadata:
+ name: tfrs-spilo-network-policy-jan
+parameters:
+ - name: ENVIRONMENT
+ displayName: null
+ description: such as dev or test
+ required: true
+objects:
+ - apiVersion: networking.k8s.io/v1
+ kind: NetworkPolicy
+ metadata:
+ name: allow-tfrs-spilo-accepts-${ENVIRONMENT}-jan
+ spec:
+ ## Allow tfrs-spilo to accept communications from backend
+ ## Allow tfrs-spilo to accept communications from backend-mid
+ ## Allow tfrs-spilo to accept communications from scan-handler
+ ## Allow tfrs-spilo to accept communications from schema-public
+ ## Allow tfrs-spilo to accept communications from schema-audit
+ ## Allow tfrs-spilo to accept communications from celery
+ ## Allow tfrs-spilo to accept communications from nagios
+ ## Allow tfrs-spilo to accept communications from backup-container
+ ## Allow tfrs-spilo to accept communications from metabase from cthub
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/instance: tfrs-spilo-jan
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ name: tfrs-backend-${ENVIRONMENT}-jan
+ ports:
+ - protocol: TCP
+ port: 5432
+ - from:
+ - podSelector:
+ matchLabels:
+ openshift.io/deployer-pod.type: hook-mid
+ ports:
+ - protocol: TCP
+ port: 5432
+ - from:
+ - podSelector:
+ matchLabels:
+ name: tfrs-scan-handler-${ENVIRONMENT}-jan
+ ports:
+ - protocol: TCP
+ port: 5432
+ - from:
+ - podSelector:
+ matchLabels:
+ name: tfrs-schema-spy-public-${ENVIRONMENT}-jan
+ ports:
+ - protocol: TCP
+ port: 5432
+ - from:
+ - podSelector:
+ matchLabels:
+ name: tfrs-schema-spy-audit-${ENVIRONMENT}-jan
+ ports:
+ - protocol: TCP
+ port: 5432
+ - from:
+ - podSelector:
+ matchLabels:
+ name: tfrs-celery-${ENVIRONMENT}-jan
+ ports:
+ - protocol: TCP
+ port: 5432
+ - from:
+ - podSelector:
+ matchLabels:
+ app: nagios
+ ports:
+ - protocol: TCP
+ port: 5432
+ - from:
+ - podSelector:
+ matchLabels:
+ name: 
patroni-backup-jan
+ ports:
+ - protocol: TCP
+ port: 5432
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ name: 30b186
+ environment: ${ENVIRONMENT}
+ - podSelector:
+ matchLabels:
+ app: metabase
+ ports:
+ - protocol: TCP
+ port: 5432
diff --git a/openshift-v4/templates/knp/4a-clamav-rabbitmq.yaml b/openshift-v4/templates/knp/4a-clamav-rabbitmq.yaml
new file mode 100644
index 000000000..797ffaf4d
--- /dev/null
+++ b/openshift-v4/templates/knp/4a-clamav-rabbitmq.yaml
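Review bot: In the last ingress rule of 3a-spilo-jan.yaml, `namespaceSelector` and `podSelector` are written as two separate `from` entries (each has its own `-`), and separate entries are OR-ed: the rule admits every pod in any namespace labelled `name: 30b186` with the matching `environment`, plus any pod labelled `app: metabase` in the local namespace, on the database port. The comment says the intent is metabase from cthub only, which needs both selectors in one entry, i.e. `podSelector:` as a sibling key of `namespaceSelector:` without a leading `-`. The `hook-mid` and `app: nagios` selectors are not scoped to the jan instance either, so any pod carrying those labels in the namespace reaches port 5432.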
@@ -0,0 +1,102 @@
+---
+apiVersion: template.openshift.io/v1
+kind: Template
+labels:
+ template: tfrs-network-policy-jan
+metadata:
+ name: tfrs-network-policy-jan
+parameters:
+ - name: ENVIRONMENT
+ displayName: null
+ description: such as dev or test
+ required: true
+objects:
+ - apiVersion: networking.k8s.io/v1
+ kind: NetworkPolicy
+ metadata:
+ name: allow-tfrs-rabbitmq-accepts-${ENVIRONMENT}-jan
+ spec:
+ ## Allow rabbitmq to accept communications from notification server
+ ## Allow rabbitmq to accept communications from backend
+ ## Allow rabbitmq to accept communications from scan handler
+ ## Allow rabbitmq to accept communications from scan coordinator
+ ## Allow rabbitmq to accept communications from celery
+ ## Allow rabbitmq to accept communications from other rabbitmq pods
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/instance: tfrs-rabbitmq
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ name: tfrs-notification-server-${ENVIRONMENT}-jan
+ ports:
+ - protocol: TCP
+ port: 5672
+ - from:
+ - podSelector:
+ matchLabels:
+ name: tfrs-backend-${ENVIRONMENT}-jan
+ ports:
+ - protocol: TCP
+ port: 5672
+ - from:
+ - podSelector:
+ matchLabels:
+ name: tfrs-scan-handler-${ENVIRONMENT}-jan
+ ports:
+ - protocol: TCP
+ port: 5672
+ - from:
+ - podSelector:
+ matchLabels:
+ name: tfrs-scan-coordinator-${ENVIRONMENT}-jan
+ ports:
+ - protocol: TCP
+ port: 5672
+ - from:
+ - podSelector:
+ matchLabels:
+ name: tfrs-celery-${ENVIRONMENT}-jan
+ ports:
+ - protocol: TCP
+ port: 5672
+ - from:
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/instance: tfrs-rabbitmq
+ ports:
+ - protocol: TCP
+ port: 5672
+ - protocol: TCP
+ port: 15672
+ - protocol: TCP
+ port: 25672
+ - protocol: TCP
+ port: 4369
+ - apiVersion: networking.k8s.io/v1
+ kind: NetworkPolicy
+ metadata:
+ name: allow-tfrs-clamav-accepts-${ENVIRONMENT}-jan
+ spec:
+ ## Allow clamav to accept communications from scan coordinator
+ ## Allow clamav to accept communications from backend
+ 
podSelector:
+ matchLabels:
+ app.kubernetes.io/instance: tfrs-clamav
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ name: tfrs-scan-coordinator-${ENVIRONMENT}-jan
+ ports:
+ - protocol: TCP
+ port: 3310
+ - from:
+ - podSelector:
+ matchLabels:
+ name: tfrs-backend-${ENVIRONMENT}-jan
+ ports:
+ - protocol: TCP
+ port: 3310
+
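Review bot: The template in 4a-clamav-rabbitmq.yaml reuses `name: tfrs-network-policy-jan` (and the same `template` label) already used by 2a-apps-jan.yaml in this commit; if the templates are ever loaded into the namespace rather than processed from file, the second replaces or collides with the first, so a distinct name such as `tfrs-clamav-rabbitmq-network-policy-jan` is safer. Both policies select `app.kubernetes.io/instance: tfrs-rabbitmq` and `tfrs-clamav` with no environment or `-jan` suffix while the policy names carry one, so the jan pipeline is being granted access to what look like shared instances; a comment saying so would prevent it being read as an oversight. The RabbitMQ self-rule also opens the management port 15672 between broker pods, which may not be needed for clustering.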