diff --git a/.env.c2 b/.env.c2
new file mode 100644
index 000000000..cf0cbd74f
--- /dev/null
+++ b/.env.c2
@@ -0,0 +1,3 @@
+export AZURE_CLIENT_ID=8186a108-135d-478e-af97-e200cb238757
+export OAUTH2_REDIS_QA_HOSTNAME=radix-c2-qa.redis.cache.windows.net
+export OAUTH2_REDIS_PROD_HOSTNAME=radix-c2-prod.redis.cache.windows.net
diff --git a/.env.dev b/.env.dev
new file mode 100644
index 000000000..3f2ac4373
--- /dev/null
+++ b/.env.dev
@@ -0,0 +1,3 @@
+export AZURE_CLIENT_ID=5687b237-eda3-4ec3-a2a1-023e85a2bd84
+export OAUTH2_REDIS_QA_HOSTNAME=radix-dev-qa.redis.cache.windows.net
+export OAUTH2_REDIS_PROD_HOSTNAME=radix-dev-prod.redis.cache.windows.net
diff --git a/.env.platform b/.env.platform
new file mode 100644
index 000000000..449f27353
--- /dev/null
+++ b/.env.platform
@@ -0,0 +1,3 @@
+export AZURE_CLIENT_ID=a593a59c-8f76-490e-937b-a90779039a90
+export OAUTH2_REDIS_QA_HOSTNAME=radix-platform-qa.redis.cache.windows.net
+export OAUTH2_REDIS_PROD_HOSTNAME=radix-platform-prod.redis.cache.windows.net
diff --git a/.env.playground b/.env.playground
new file mode 100644
index 000000000..517f3f811
--- /dev/null
+++ b/.env.playground
@@ -0,0 +1,3 @@
+export AZURE_CLIENT_ID=a593a59c-8f76-490e-937b-a90779039a90
+export OAUTH2_REDIS_QA_HOSTNAME=radix-playground-qa.redis.cache.windows.net
+export OAUTH2_REDIS_PROD_HOSTNAME=radix-playground-prod.redis.cache.windows.net
diff --git a/.github/workflows/radix-web-console-pr.yml b/.github/workflows/radix-web-console-pr.yml
index 39f231044..bad762390 100644
--- a/.github/workflows/radix-web-console-pr.yml
+++ b/.github/workflows/radix-web-console-pr.yml
@@ -11,7 +11,7 @@ jobs: - uses: actions/checkout@v4 - name: Build docker image env: - REF: ${{ github. sha }} + REF: ${{ github.sha }} run: docker build -t radix-web-console:${REF##*/} . test:
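Review bot: `.env.playground` exports the same `AZURE_CLIENT_ID` (`a593a59c-8f76-490e-937b-a90779039a90`) as `.env.platform`, so the playground and platform consoles presumably share one app registration and therefore one redirect-URI allow-list; if that is deliberate, a comment in both files saying so would stop the next reader treating it as a copy-paste slip, and if it is not, playground needs its own registration. These files are `source`d by the Makefile, so they are executed as bash rather than parsed as data — keep them to plain `export KEY=value` lines and review additions with that in mind. The values committed here are client identifiers and hostnames, not secrets, which is what makes checking them in acceptable; a client secret or Redis access key must never be added to these files. If the repository's `.gitignore` has a `.env*` pattern these files would not reach CI and `make verify-generate` would fail on a missing input — worth confirming.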
@@ -53,6 +53,13 @@ jobs: validate-radixconfig: name: Test RadixConfig runs-on: ubuntu-latest + strategy: + matrix: + env: + - dev + - c2 + - playground + - platform steps: - name: 'Fake TOKEN FOR RADIX CLI' run: echo "APP_SERVICE_ACCOUNT_TOKEN=dummy" >> $GITHUB_ENV @@ -60,4 +67,13 @@ jobs: - name: 'Validate' uses: equinor/radix-github-actions@v1 with: - args: validate radix-config --config-file radixconfig.yaml + args: validate radix-config --config-file radixconfig.${{matrix.env}}.yaml + + verify-code-generation: + name: Verify Code Generation + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - name: Verify Code Generation + run: | + make verify-generate diff --git a/Makefile b/Makefile index a7ff2cb55..8ce03d290 100644 --- a/Makefile +++ b/Makefile @@ -71,3 +71,17 @@ run-mac-rebuild: down: docker compose down +.PHONY: radixconfigs +radixconfigs: SHELL:=/bin/bash +radixconfigs: + source .env.dev; envsubst < radixconfig.tpl.yaml > radixconfig.dev.yaml + source .env.c2; envsubst < radixconfig.tpl.yaml > radixconfig.c2.yaml + source .env.platform; envsubst < radixconfig.tpl.yaml > radixconfig.platform.yaml + source .env.playground; envsubst < radixconfig.tpl.yaml > radixconfig.playground.yaml + +.PHONY: generate +generate: radixconfigs + +.PHONY: verify-generate +verify-generate: generate + git diff --exit-code diff --git a/docker-compose.yml b/docker-compose.yml index a4417ac0c..1d596e260 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -48,6 +48,8 @@ services: - radix ports: - "8080:8080" + depends_on: + - auth auth: image: quay.io/oauth2-proxy/oauth2-proxy:v7.7.1 
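Review bot: The new `verify-code-generation` job and the matrix `Validate` step pull `actions/checkout@v4` and `equinor/radix-github-actions@v1` by mutable tag; since these jobs gate merges, pin them to a full commit SHA with the tag kept as a trailing comment, e.g. `uses: actions/checkout@<commit-sha> # v4`, so a retargeted tag cannot change what runs in the PR pipeline. `make verify-generate` also relies on `envsubst` (gettext) being present on the runner image; an explicit install step or a `command -v envsubst` check makes that dependency visible instead of incidental. The matrix list `dev c2 playground platform` duplicates the environments hard-coded in the Makefile's `radixconfigs` recipe, so a comment in each pointing at the other (`# keep in sync with Makefile radixconfigs`) would help when an environment is added.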
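Review bot: Each line of the `radixconfigs` recipe chains `source .env.X; envsubst …` with `;`, so a missing or failing `.env.X` still runs `envsubst` and silently writes a radixconfig with an empty `clientId` and `rediss://:6380`; only CI's `git diff --exit-code` would notice, and a local `make generate` would not. `envsubst` without a variable list also replaces every `$VAR`/`${VAR}` in the template from the caller's environment, so any future `$` in the template, or an ambient variable, is substituted unnoticed — pass the explicit list. The four copies of the recipe can be one pattern rule whose target is the real output file, with the template and `.env.%` as prerequisites and an atomic write, and `radixconfigs` then depends on the generated files. `verify-generate`'s `git diff --exit-code` ignores untracked files, so a newly added environment whose generated file was never committed passes the check; a `git status --porcelain` test on the generated paths closes that gap.
```make
ENVS := dev c2 platform playground
RADIXCONFIGS := $(ENVS:%=radixconfig.%.yaml)

# One real file target per environment: fails fast if .env.<env> is missing or a
# variable is unset, and only substitutes the variables the template takes from it.
radixconfig.%.yaml: SHELL := /bin/bash
radixconfig.%.yaml: radixconfig.tpl.yaml .env.%
	set -euo pipefail; source .env.$*; \
	: "$${AZURE_CLIENT_ID:?}" "$${OAUTH2_REDIS_QA_HOSTNAME:?}" "$${OAUTH2_REDIS_PROD_HOSTNAME:?}"; \
	envsubst '$${AZURE_CLIENT_ID} $${OAUTH2_REDIS_QA_HOSTNAME} $${OAUTH2_REDIS_PROD_HOSTNAME}' < $< > $@.tmp && mv -f $@.tmp $@

.PHONY: radixconfigs
radixconfigs: $(RADIXCONFIGS)

# … unchanged: generate …

.PHONY: verify-generate
verify-generate: generate
	git diff --exit-code
	@test -z "$$(git status --porcelain -- $(RADIXCONFIGS))" || { git status --porcelain -- $(RADIXCONFIGS); echo "generated radixconfig not committed"; exit 1; }
```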
@@ -70,7 +72,7 @@ services: - OAUTH2_PROXY_PROVIDER=oidc - OAUTH2_PROXY_REDIRECT_URL=http://localhost:8000/oauth2/callback - OAUTH2_PROXY_REDIS_CONNECTION_URL=redis://auth-state:6379 - - OAUTH2_PROXY_SCOPE=openid profile offline_access ${API_RESOURCE_ID}/user.read email # offline_access scope needed to get refresh token: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow#successful-response-1 + - OAUTH2_PROXY_SCOPE=openid profile offline_access 6dae42f8-4368-4678-94ff-3960e28e3630/user.read email # offline_access scope needed to get refresh token: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow#successful-response-1 - OAUTH2_PROXY_SESSION_STORE_TYPE=redis - OAUTH2_PROXY_SKIP_PROVIDER_BUTTON=true - OAUTH2_PROXY_UPSTREAMS=http://proxy:8080 diff --git a/proxy/nginx.conf b/proxy/nginx.conf deleted file mode 100644 index 3245a81c8..000000000 --- a/proxy/nginx.conf +++ /dev/null 
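Review bot: The `OAUTH2_PROXY_SCOPE` line now hard-codes `6dae42f8-4368-4678-94ff-3960e28e3630/user.read` in place of `${API_RESOURCE_ID}`, and the same GUID is hard-coded again in the `scope:` of `radixconfig.tpl.yaml`; a bare GUID in a scope string tells the reader nothing about which resource the console is requesting a delegated token for. Add a comment naming it and pointing at the other copy, e.g. `# 6dae42f8-…: application ID of the API resource the console requests user.read on; keep in sync with scope in radixconfig.tpl.yaml` — what the GUID denotes is inferred from its use here and should be confirmed against the app registration. Dropping the variable also removes the local override for pointing a dev compose stack at a different API registration; if that is intended, the comment should say so.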
@@ -1,41 +0,0 @@ -events { - worker_connections 1024; -} -http { - include /etc/nginx/mime.types; - - server { - large_client_header_buffers 4 32k; # Required for OAuth2 Proxy - - listen 80; - root /app; - gzip on; - gzip_types text/css application/javascript image/svg+xml text/plain; - error_page 500 502 503 504 /50x.html; - - location /api/ { - proxy_pass https://server-radix-api-${RADIX_ENVIRONMENT}.${RADIX_CLUSTERNAME}.${RADIX_DNS_ZONE}; - proxy_set_header Authorization "Bearer $http_x_forwarded_access_token"; - proxy_set_header x-forwarded-access-token ""; - } - - location /uptime/ { - proxy_pass https://uptime.ext-mon.radix.equinor.com/; - } - - location /cost-api/ { - proxy_pass https://server-radix-cost-allocation-api-${RADIX_ENVIRONMENT}.${RADIX_CLUSTERNAME}.${RADIX_DNS_ZONE}/api/v1/; - proxy_set_header Authorization "Bearer $http_x_forwarded_access_token"; - proxy_set_header x-forwarded-access-token ""; - } - - location / { - try_files $uri /index.html; - } - - location = /50x.html { - sub_filter_once on; - sub_filter HTTP_STATUS_CODE $status; - } - } -} diff --git a/radixconfig.c2.yaml b/radixconfig.c2.yaml new file mode 100644 index 000000000..e0778952b --- /dev/null +++ b/radixconfig.c2.yaml 
@@ -0,0 +1,90 @@ +apiVersion: radix.equinor.com/v1 +kind: RadixApplication +metadata: + name: radix-web-console +spec: + build: + useBuildKit: true + environments: + - name: qa + build: + from: master + - name: prod + build: + from: release + components: + - name: web + readOnlyFileSystem: true + volumeMounts: + - name: tmp + path: /tmp + emptyDir: + sizeLimit: 1M + - name: nginxconfd + path: /etc/nginx/conf.d + emptyDir: + sizeLimit: 1M + - name: wwwconfig + path: /app/config + emptyDir: + sizeLimit: 1M + src: "." + ports: + - name: http + port: 8080 + publicPort: http + runtime: + architecture: arm64 + variables: + CLUSTER_EGRESS_IPS: undefined # Comma separated list of IPs of all Public IP Prefixes assigned to the ClusterType (production, playground, development) + CLUSTER_INGRESS_IPS: undefined # Comma separated list of IPs of all Public IP Prefixes assigned to the ClusterType (production, playground, development) + OAUTH2_AUTHORITY: "https://login.microsoftonline.com/3aa4a235-b6e2-48d5-9195-7fcf05b459b0" + SERVICENOW_PROXY_SCOPES: "1b4a22f1-d4a1-4b6a-81b2-fd936daf1786/Application.Read" # scopes must be seperated by comma + CLUSTER_OIDC_ISSUER_URL: "" + CMDB_CI_URL: "https://equinor.service-now.com/selfservice?id=form&table=cmdb_ci_business_app&sys_id={CIID}" + OAUTH2_CLIENT_ID: "8186a108-135d-478e-af97-e200cb238757" + authentication: + oauth2: + clientId: "8186a108-135d-478e-af97-e200cb238757" + scope: "openid profile offline_access 6dae42f8-4368-4678-94ff-3960e28e3630/user.read email" + setXAuthRequestHeaders: true + setAuthorizationHeader: true + sessionStoreType: redis + redisStore: + connectionUrl: rediss://radix-c2-qa.redis.cache.windows.net:6380 + environmentConfig: + - environment: qa + resources: + requests: + cpu: "20m" + memory: "50Mi" + limits: + cpu: "50m" + memory: "50Mi" + horizontalScaling: + maxReplicas: 1 + minReplicas: 0 + triggers: + - name: cron + cron: + timezone: Europe/Oslo + start: 0 7 * * 1-5 # 07:00 Monday - Friday + end: 0 17 * * 1-5 
# 17:00 Monday - Friday + desiredReplicas: 1 + - environment: prod + replicas: 2 + resources: + requests: + cpu: "50m" + memory: "50Mi" + limits: + cpu: "100m" + memory: "50Mi" + - environment: prod + resources: + requests: + cpu: "50m" + memory: "100Mi" + limits: + cpu: "100m" + memory: "100Mi" diff --git a/radixconfig.dev.yaml b/radixconfig.dev.yaml new file mode 100644 index 000000000..1a5bfbbda --- /dev/null +++ b/radixconfig.dev.yaml 
@@ -0,0 +1,90 @@ +apiVersion: radix.equinor.com/v1 +kind: RadixApplication +metadata: + name: radix-web-console +spec: + build: + useBuildKit: true + environments: + - name: qa + build: + from: master + - name: prod + build: + from: release + components: + - name: web + readOnlyFileSystem: true + volumeMounts: + - name: tmp + path: /tmp + emptyDir: + sizeLimit: 1M + - name: nginxconfd + path: /etc/nginx/conf.d + emptyDir: + sizeLimit: 1M + - name: wwwconfig + path: /app/config + emptyDir: + sizeLimit: 1M + src: "." + ports: + - name: http + port: 8080 + publicPort: http + runtime: + architecture: arm64 + variables: + CLUSTER_EGRESS_IPS: undefined # Comma separated list of IPs of all Public IP Prefixes assigned to the ClusterType (production, playground, development) + CLUSTER_INGRESS_IPS: undefined # Comma separated list of IPs of all Public IP Prefixes assigned to the ClusterType (production, playground, development) + OAUTH2_AUTHORITY: "https://login.microsoftonline.com/3aa4a235-b6e2-48d5-9195-7fcf05b459b0" + SERVICENOW_PROXY_SCOPES: "1b4a22f1-d4a1-4b6a-81b2-fd936daf1786/Application.Read" # scopes must be seperated by comma + CLUSTER_OIDC_ISSUER_URL: "" + CMDB_CI_URL: "https://equinor.service-now.com/selfservice?id=form&table=cmdb_ci_business_app&sys_id={CIID}" + OAUTH2_CLIENT_ID: "5687b237-eda3-4ec3-a2a1-023e85a2bd84" + authentication: + oauth2: + clientId: "5687b237-eda3-4ec3-a2a1-023e85a2bd84" + scope: "openid profile offline_access 6dae42f8-4368-4678-94ff-3960e28e3630/user.read email" + setXAuthRequestHeaders: true + setAuthorizationHeader: true + sessionStoreType: redis + redisStore: + connectionUrl: rediss://radix-dev-qa.redis.cache.windows.net:6380 + environmentConfig: + - environment: qa + resources: + requests: + cpu: "20m" + memory: "50Mi" + limits: + cpu: "50m" + memory: "50Mi" + horizontalScaling: + maxReplicas: 1 + minReplicas: 0 + triggers: + - name: cron + cron: + timezone: Europe/Oslo + start: 0 7 * * 1-5 # 07:00 Monday - Friday + end: 0 17 * * 
1-5 # 17:00 Monday - Friday + desiredReplicas: 1 + - environment: prod + replicas: 2 + resources: + requests: + cpu: "50m" + memory: "50Mi" + limits: + cpu: "100m" + memory: "50Mi" + - environment: prod + resources: + requests: + cpu: "50m" + memory: "100Mi" + limits: + cpu: "100m" + memory: "100Mi" diff --git a/radixconfig.platform.yaml b/radixconfig.platform.yaml new file mode 100644 index 000000000..2e24d93db --- /dev/null +++ b/radixconfig.platform.yaml 
@@ -0,0 +1,90 @@ +apiVersion: radix.equinor.com/v1 +kind: RadixApplication +metadata: + name: radix-web-console +spec: + build: + useBuildKit: true + environments: + - name: qa + build: + from: master + - name: prod + build: + from: release + components: + - name: web + readOnlyFileSystem: true + volumeMounts: + - name: tmp + path: /tmp + emptyDir: + sizeLimit: 1M + - name: nginxconfd + path: /etc/nginx/conf.d + emptyDir: + sizeLimit: 1M + - name: wwwconfig + path: /app/config + emptyDir: + sizeLimit: 1M + src: "." + ports: + - name: http + port: 8080 + publicPort: http + runtime: + architecture: arm64 + variables: + CLUSTER_EGRESS_IPS: undefined # Comma separated list of IPs of all Public IP Prefixes assigned to the ClusterType (production, playground, development) + CLUSTER_INGRESS_IPS: undefined # Comma separated list of IPs of all Public IP Prefixes assigned to the ClusterType (production, playground, development) + OAUTH2_AUTHORITY: "https://login.microsoftonline.com/3aa4a235-b6e2-48d5-9195-7fcf05b459b0" + SERVICENOW_PROXY_SCOPES: "1b4a22f1-d4a1-4b6a-81b2-fd936daf1786/Application.Read" # scopes must be seperated by comma + CLUSTER_OIDC_ISSUER_URL: "" + CMDB_CI_URL: "https://equinor.service-now.com/selfservice?id=form&table=cmdb_ci_business_app&sys_id={CIID}" + OAUTH2_CLIENT_ID: "a593a59c-8f76-490e-937b-a90779039a90" + authentication: + oauth2: + clientId: "a593a59c-8f76-490e-937b-a90779039a90" + scope: "openid profile offline_access 6dae42f8-4368-4678-94ff-3960e28e3630/user.read email" + setXAuthRequestHeaders: true + setAuthorizationHeader: true + sessionStoreType: redis + redisStore: + connectionUrl: rediss://radix-platform-qa.redis.cache.windows.net:6380 + environmentConfig: + - environment: qa + resources: + requests: + cpu: "20m" + memory: "50Mi" + limits: + cpu: "50m" + memory: "50Mi" + horizontalScaling: + maxReplicas: 1 + minReplicas: 0 + triggers: + - name: cron + cron: + timezone: Europe/Oslo + start: 0 7 * * 1-5 # 07:00 Monday - Friday + end: 0 17 * 
* 1-5 # 17:00 Monday - Friday + desiredReplicas: 1 + - environment: prod + replicas: 2 + resources: + requests: + cpu: "50m" + memory: "50Mi" + limits: + cpu: "100m" + memory: "50Mi" + - environment: prod + resources: + requests: + cpu: "50m" + memory: "100Mi" + limits: + cpu: "100m" + memory: "100Mi" diff --git a/radixconfig.playground.yaml b/radixconfig.playground.yaml new file mode 100644 index 000000000..fd10f2ed4 --- /dev/null +++ b/radixconfig.playground.yaml 
@@ -0,0 +1,90 @@ +apiVersion: radix.equinor.com/v1 +kind: RadixApplication +metadata: + name: radix-web-console +spec: + build: + useBuildKit: true + environments: + - name: qa + build: + from: master + - name: prod + build: + from: release + components: + - name: web + readOnlyFileSystem: true + volumeMounts: + - name: tmp + path: /tmp + emptyDir: + sizeLimit: 1M + - name: nginxconfd + path: /etc/nginx/conf.d + emptyDir: + sizeLimit: 1M + - name: wwwconfig + path: /app/config + emptyDir: + sizeLimit: 1M + src: "." + ports: + - name: http + port: 8080 + publicPort: http + runtime: + architecture: arm64 + variables: + CLUSTER_EGRESS_IPS: undefined # Comma separated list of IPs of all Public IP Prefixes assigned to the ClusterType (production, playground, development) + CLUSTER_INGRESS_IPS: undefined # Comma separated list of IPs of all Public IP Prefixes assigned to the ClusterType (production, playground, development) + OAUTH2_AUTHORITY: "https://login.microsoftonline.com/3aa4a235-b6e2-48d5-9195-7fcf05b459b0" + SERVICENOW_PROXY_SCOPES: "1b4a22f1-d4a1-4b6a-81b2-fd936daf1786/Application.Read" # scopes must be seperated by comma + CLUSTER_OIDC_ISSUER_URL: "" + CMDB_CI_URL: "https://equinor.service-now.com/selfservice?id=form&table=cmdb_ci_business_app&sys_id={CIID}" + OAUTH2_CLIENT_ID: "a593a59c-8f76-490e-937b-a90779039a90" + authentication: + oauth2: + clientId: "a593a59c-8f76-490e-937b-a90779039a90" + scope: "openid profile offline_access 6dae42f8-4368-4678-94ff-3960e28e3630/user.read email" + setXAuthRequestHeaders: true + setAuthorizationHeader: true + sessionStoreType: redis + redisStore: + connectionUrl: rediss://radix-playground-qa.redis.cache.windows.net:6380 + environmentConfig: + - environment: qa + resources: + requests: + cpu: "20m" + memory: "50Mi" + limits: + cpu: "50m" + memory: "50Mi" + horizontalScaling: + maxReplicas: 1 + minReplicas: 0 + triggers: + - name: cron + cron: + timezone: Europe/Oslo + start: 0 7 * * 1-5 # 07:00 Monday - Friday + end: 0 17 
* * 1-5 # 17:00 Monday - Friday + desiredReplicas: 1 + - environment: prod + replicas: 2 + resources: + requests: + cpu: "50m" + memory: "50Mi" + limits: + cpu: "100m" + memory: "50Mi" + - environment: prod + resources: + requests: + cpu: "50m" + memory: "100Mi" + limits: + cpu: "100m" + memory: "100Mi" diff --git a/radixconfig.tpl.yaml b/radixconfig.tpl.yaml new file mode 100644 index 000000000..d21b92915 --- /dev/null +++ b/radixconfig.tpl.yaml 
@@ -0,0 +1,90 @@
+apiVersion: radix.equinor.com/v1
+kind: RadixApplication
+metadata:
+ name: radix-web-console
+spec:
+ build:
+ useBuildKit: true
+ environments:
+ - name: qa
+ build:
+ from: master
+ - name: prod
+ build:
+ from: release
+ components:
+ - name: web
+ readOnlyFileSystem: true
+ volumeMounts:
+ - name: tmp
+ path: /tmp
+ emptyDir:
+ sizeLimit: 1M
+ - name: nginxconfd
+ path: /etc/nginx/conf.d
+ emptyDir:
+ sizeLimit: 1M
+ - name: wwwconfig
+ path: /app/config
+ emptyDir:
+ sizeLimit: 1M
+ src: "."
+ ports:
+ - name: http
+ port: 8080
+ publicPort: http
+ runtime:
+ architecture: arm64
+ variables:
+ CLUSTER_EGRESS_IPS: undefined # Comma separated list of IPs of all Public IP Prefixes assigned to the ClusterType (production, playground, development)
+ CLUSTER_INGRESS_IPS: undefined # Comma separated list of IPs of all Public IP Prefixes assigned to the ClusterType (production, playground, development)
+ OAUTH2_AUTHORITY: "https://login.microsoftonline.com/3aa4a235-b6e2-48d5-9195-7fcf05b459b0"
+ SERVICENOW_PROXY_SCOPES: "1b4a22f1-d4a1-4b6a-81b2-fd936daf1786/Application.Read" # scopes must be seperated by comma
+ CLUSTER_OIDC_ISSUER_URL: ""
+ CMDB_CI_URL: "https://equinor.service-now.com/selfservice?id=form&table=cmdb_ci_business_app&sys_id={CIID}"
+ OAUTH2_CLIENT_ID: "${AZURE_CLIENT_ID}"
+ authentication:
+ oauth2:
+ clientId: "${AZURE_CLIENT_ID}"
+ scope: "openid profile offline_access 6dae42f8-4368-4678-94ff-3960e28e3630/user.read email"
+ setXAuthRequestHeaders: true
+ setAuthorizationHeader: true
+ sessionStoreType: redis
+ redisStore:
+ connectionUrl: rediss://${OAUTH2_REDIS_QA_HOSTNAME}:6380
+ environmentConfig:
+ - environment: qa
+ resources:
+ requests:
+ cpu: "20m"
+ memory: "50Mi"
+ limits:
+ cpu: "50m"
+ memory: "50Mi"
+ horizontalScaling:
+ maxReplicas: 1
+ minReplicas: 0
+ triggers:
+ - name: cron
+ cron:
+ timezone: Europe/Oslo
+ start: 0 7 * * 1-5 # 07:00 Monday - Friday
+ end: 0 17 * * 1-5 # 17:00 Monday - Friday
+ desiredReplicas: 1
+ - environment: prod
+ replicas: 2
+ resources:
+ requests:
+ cpu: "50m"
+ memory: "50Mi"
+ limits:
+ cpu: "100m"
+ memory: "50Mi"
+ - environment: prod
+ resources:
+ requests:
+ cpu: "50m"
+ memory: "100Mi"
+ limits:
+ cpu: "100m"
+ memory: "100Mi"
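Review bot: The template references only `${OAUTH2_REDIS_QA_HOSTNAME}` (`connectionUrl: rediss://${OAUTH2_REDIS_QA_HOSTNAME}:6380`) and never `${OAUTH2_REDIS_PROD_HOSTNAME}`, although every `.env.*` exports it, so as generated the prod environment's oauth2 sessions are stored in the `*-qa` Redis together with qa's — a qa-tier store holding prod session state, where one compromise or flush affects both. If Radix allows `authentication.oauth2.redisStore` under `environmentConfig` (confirm against the schema), add to the prod entry `authentication: oauth2: redisStore: connectionUrl: rediss://${OAUTH2_REDIS_PROD_HOSTNAME}:6380`; otherwise drop the unused export so nobody assumes it is in effect. Separately, `environmentConfig` lists `- environment: prod` twice with conflicting memory settings (`50Mi` in the first entry, `100Mi` in the second); which one the operator applies is not defined by the file, so merge them into one entry and rely on the matrix `validate radix-config` job to reject duplicates if it can. Because `envsubst` expands every `$…` it sees, a header comment such as `# Template for radixconfig.<env>.yaml — regenerate with make generate; literal $ must be escaped` would save the next editor a silent substitution.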