diff --git a/.github/workflows/sandbox.yml b/.github/workflows/sandbox.yml
index e95ba7f..12007e9 100644
--- a/.github/workflows/sandbox.yml
+++ b/.github/workflows/sandbox.yml
@@ -1,58 +1,143 @@ -name: Build, push, and deploy + +name: 'Build and deploy sandbox' on: push: branches: - sandbox + workflow_call: env: - docker_image: docker.pkg.github.com/${{ github.repository }}/navansatt:${{ github.sha }} + IMAGE_BASE: ghcr.io/${{ github.repository }} jobs: build: - name: Build and push Docker container + name: "Build Navansatt" permissions: contents: "read" checks: "write" id-token: "write" packages: "write" runs-on: ubuntu-latest + timeout-minutes: 30 + outputs: + version: ${{ steps.version.outputs.version }} + image: "${{ steps.login.outputs.registry }}/${{ github.repository }}/navansatt:${{ env.VERSION }}" + image-digest: "${{ steps.login.outputs.registry }}/${{ github.repository }}/navansatt:@${{ steps.build_push.outputs.digest }}" steps: - - uses: actions/checkout@v2 - - uses: actions/cache@v2 + - uses: actions/checkout@v4 with: - path: ~/.m2 - key: "${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}" + ref: 'sandbox' + - name: Set version + id: version + shell: bash + run: | + TIME=$(TZ="Europe/Oslo" date +%Y.%m.%d-%H.%M) + COMMIT=$(git rev-parse --short=12 HEAD) + export VERSION="$TIME-$COMMIT-sandbox" + echo "Building version $VERSION" + echo "VERSION=$VERSION" >> $GITHUB_ENV + echo "VERSION=$VERSION" >> $GITHUB_OUTPUT + + echo "::set-output name=yearweek::$(date +'%Y-%W')" + + - name: Cache local Maven repository + uses: actions/cache@v4 + with: + path: | + ~/.m2/repository/*/* + !~/.m2/repository/no/nav + key: ${{ runner.os }}-maven-${{ steps.version.outputs.yearweek }}-${{ hashFiles('**/pom.xml') }} restore-keys: | - ${{ runner.os }}-maven- - - uses: actions/setup-java@v1 + ${{ runner.os }}-maven-${{ steps.version.outputs.yearweek }}- + + - uses: actions/setup-java@v4 with: - java-version: 14 + distribution: 'temurin' + java-version: '17' + - uses: docker/setup-buildx-action@v3 + - name: Build shell: bash run: | + mvn versions:set -DnewVersion="$VERSION" -DgenerateBackupPoms=false -Pgithub-action --batch-mode 
-DprocessAllModules mvn clean install - - name: Build and publish Docker image + # mvn clean verify -Pgithub-action -Dmaven.wagon.http.retryHandler.count=3 -Dsurefire.rerunFailingTestsCount=2 -Dlogback.configurationFile="${GITHUB_WORKSPACE}/.github/logback-github.xml" --batch-mode --fail-at-end -T 1.5C env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: | - docker build --tag ${docker_image} . - docker login docker.pkg.github.com -u ${GITHUB_REPOSITORY} -p ${GITHUB_TOKEN} - docker push ${docker_image} + TZ: "Europe/Oslo" + + - name: Log in to the Container registry + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + - name: NAIS login + uses: nais/login@v0 + id: login + with: + project_id: ${{ vars.NAIS_MANAGEMENT_PROJECT_ID }} + identity_provider: ${{ secrets.NAIS_WORKLOAD_IDENTITY_PROVIDER }} + team: teampensjon + + - name: "Build and publish navansatt Docker image" + id: build_push + uses: docker/build-push-action@v6 + with: + context: . 
+ file: Dockerfile + tags: "${{ steps.login.outputs.registry }}/${{ github.repository }}/navansatt:${{ env.VERSION }},${{ steps.login.outputs.registry }}/${{ github.repository }}/navansatt:sandbox" + push: true + cache-from: | + "type=registry,ref=${{ steps.login.outputs.registry }}/${{ github.repository }}/navansatt:sandbox" + "type=registry,ref=${{ steps.login.outputs.registry }}/${{ github.repository }}/navansatt:main" + cache-to: type=inline deploy: - name: Deploy to NAIS + name: "Deploy" permissions: contents: "read" id-token: "write" - needs: build - if: github.ref == 'refs/heads/sandbox' runs-on: ubuntu-latest + needs: build steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v4 + with: + ref: 'sandbox' - uses: nais/deploy/actions/deploy@v2 - name: Dev deploy + name: "Deploy to NAIS" env: - CLUSTER: dev-fss RESOURCE: nais/nais-dev.yml - VAR: image=${{ env.docker_image }} + IMAGE: "${{ needs.build.outputs.image }}" + CLUSTER: dev-fss + TIMEOUT: 10m + + attest-sign: + permissions: + contents: read + id-token: write + needs: [build] + runs-on: 'ubuntu-latest' + steps: + - uses: actions/checkout@v4 + - name: NAIS login + uses: nais/login@v0 + id: login + with: + project_id: ${{ vars.NAIS_MANAGEMENT_PROJECT_ID }} + identity_provider: ${{ secrets.NAIS_WORKLOAD_IDENTITY_PROVIDER }} + team: teampensjon + - name: 'Generate SBOM' + uses: aquasecurity/trivy-action@0.28.0 + with: + scan-type: 'image' + format: 'cyclonedx' + output: 'trivy-results.cyclonedx' + image-ref: "${{ needs.build.outputs.image-digest }}" + - name: Attest and sign image + id: attest-sign + uses: nais/attest-sign@v1 + with: + image_ref: "${{ needs.build.outputs.image-digest }}" + sbom: "trivy-results.cyclonedx" diff --git a/nais/nais-dev.yml b/nais/nais-dev.yml index 4c1cca5..936d0c2 100644 --- a/nais/nais-dev.yml +++ b/nais/nais-dev.yml 
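Review bot: The `image-digest` job output is built as `navansatt:@${{ steps.build_push.outputs.digest }}`, which yields `name:@sha256:…`; an empty tag in front of `@` is not a valid image reference, so the trivy SBOM step and `nais/attest-sign` in the attest-sign job, which both consume this output, will not resolve the pushed image — drop the colon: `image-digest: "${{ steps.login.outputs.registry }}/${{ github.repository }}/navansatt@${{ steps.build_push.outputs.digest }}"`. In the `Set version` step, `::set-output name=yearweek::…` uses the deprecated workflow command while the two lines above it already write to `$GITHUB_OUTPUT`; use `echo "yearweek=$(date +'%Y-%W')" >> "$GITHUB_OUTPUT"` so the Maven cache key does not silently lose its week component once the legacy command is no longer honoured. The deploy job drops the `if: github.ref == 'refs/heads/sandbox'` guard in the same change that adds the `workflow_call` trigger; the checkout is pinned to `ref: 'sandbox'` so the deployed content is unaffected, but it is worth a comment on the job stating that any caller, on any branch, may now trigger a dev-fss deploy. The trivy action is pinned to an exact version while `nais/login@v0` and `nais/attest-sign@v1` float on major tags, so the supply-chain posture of the signing job is uneven; consider pinning these the same way.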
@@ -36,20 +36,40 @@ spec: rules: - application: pensjon-pen-q0 namespace: pensjon-q0 + cluster: dev-fss - application: pensjon-pen-q1 namespace: pensjon-q1 + cluster: dev-fss - application: pensjon-pen-q2 namespace: pensjon-q2 + cluster: dev-fss - application: pensjon-pen-q5 namespace: pensjon-q5 + cluster: dev-fss - application: pensjon-psak-q0 namespace: pensjon-q0 + cluster: dev-fss - application: pensjon-psak-q1 namespace: pensjon-q1 + cluster: dev-fss - application: pensjon-psak-q2 namespace: pensjon-q2 + cluster: dev-fss - application: pensjon-psak-q5 namespace: pensjon-q5 + cluster: dev-fss + - application: pensjon-psak-q0 + namespace: pensjon-q0 + cluster: dev-gcp + - application: pensjon-psak-q1 + namespace: pensjon-q1 + cluster: dev-gcp + - application: pensjon-psak-q2 + namespace: pensjon-q2 + cluster: dev-gcp + - application: pensjon-psak-q5 + namespace: pensjon-q5 + cluster: dev-gcp - application: etterlatte-brev-api namespace: etterlatte cluster: dev-gcp @@ -71,9 +91,6 @@ spec: - application: skribenten-backend-lokal namespace: pensjonsbrev cluster: dev-gcp - - application: pensjon-psak-q2 - namespace: pensjon-q2 - cluster: dev-gcp azure: application: enabled: true diff --git a/nais/nais-prod.yml b/nais/nais-prod.yml index f9ba32f..f44c908 100644 --- a/nais/nais-prod.yml +++ b/nais/nais-prod.yml @@ -37,6 +37,10 @@ spec: namespace: pensjondeployer - application: pensjon-psak namespace: pensjondeployer + cluster: prod-fss + - application: pensjon-psak + namespace: pensjondeployer + cluster: prod-gcp - application: etterlatte-brev-api namespace: etterlatte cluster: prod-gcp diff --git a/nais/nais-test.yml b/nais/nais-test.yml deleted file mode 100644 index 29dcb2b..0000000 --- a/nais/nais-test.yml +++ /dev/null 
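Review bot: The inbound rules now list pensjon-psak-q0/q1/q2/q5 twice, once with `cluster: dev-fss` and once with `cluster: dev-gcp`, and nothing in the file says why both clusters are allowed at the same time; the nais-prod.yml hunk does the same for `pensjon-psak` with prod-fss and prod-gcp. If this is a migration of psak to GCP, a comment above the dev-gcp block such as `# psak is being moved to GCP; remove the *-fss entries once the migration is complete` records that the doubled allowlist is temporary, so the inbound access policy does not stay wider than needed after the move. The second nais-dev hunk removes the older standalone `pensjon-psak-q2`/dev-gcp entry, so after this change each caller appears exactly once per cluster, which is consistent. The `rules:` list these hunks sit in has its parent key (presumably an access-policy inbound block) outside the hunk.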
@@ -1,53 +0,0 @@ -apiVersion: "nais.io/v1alpha1" -kind: "Application" -metadata: - name: "navansatt-t" - namespace: "teampensjon" - labels: - team: "teampensjon" -spec: - image: "{{{ image }}}" - port: 7000 - replicas: - min: 2 - max: 4 - liveness: - path: "/internal/isalive" - initialDelay: 3 - timeout: 1 - readiness: - path: "/internal/isready" - initialDelay: 3 - timeout: 1 - resources: - limits: - memory: "1024Mi" - requests: - memory: "512Mi" - prometheus: - enabled: true - path: "/internal/metrics" - ingresses: - - "https://navansatt-t.dev.adeo.no" - - "https://navansatt-t.dev.intern.nav.no" - azure: - application: - enabled: true - tenant: trygdeetaten.no - webproxy: true - env: - - name: "LDAP_URL" - value: "ldaps://ldapgw.test.local" - - name: "LDAP_BASE" - value: "dc=test,dc=local" - - name: "AXSYS_URL" - value: "https://axsys.dev.intern.nav.no" - - name: "NORG2_URL" - value: "https://norg2-t1.nais.preprod.local/norg2" - - name: "STS_WELL_KNOWN_URL" - value: "https://security-token-service-t4.nais.preprod.local/.well-known/openid-configuration" - vault: - enabled: true - paths: - - kvPath: "serviceuser/data/test/srvssolinux" - mountPath: "/secrets/ldap" diff --git a/src/main/kotlin/no/nav/navansatt/mainModule.kt b/src/main/kotlin/no/nav/navansatt/mainModule.kt index 1a7d9d3..2f5f193 100644 --- a/src/main/kotlin/no/nav/navansatt/mainModule.kt +++ b/src/main/kotlin/no/nav/navansatt/mainModule.kt @@ -58,10 +58,10 @@ fun Application.mainModule( install(CallLogging) { level = Level.INFO filter { call -> !call.request.path().matches(Regex(".*/isready|.*/isalive|.*/metrics")) } - callIdMdc("X-Correlation-ID") + callIdMdc("correlationId") } install(CallId) { - retrieveFromHeader("X-Correlation-ID") + retrieveFromHeader("correlationId") generate { UUID.randomUUID().toString() } } install(Locations)
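Review bot: `retrieveFromHeader("correlationId")` replaces `X-Correlation-ID` with no fallback, so any caller still sending the old header gets a freshly generated id and its requests can no longer be correlated with the upstream trace; the Ktor CallId plugin accepts several retrievers in order, so keeping `retrieveFromHeader("X-Correlation-ID")` as a second call beside the new one preserves compatibility during the switch. The value is taken straight from the request header and pushed into MDC through `callIdMdc("correlationId")`; unless a `verify { }` block exists elsewhere in this `install(CallId)` (the hunk shows none), a client-supplied header reaches the log lines unchecked, so add e.g. `verify { it.length <= 64 && it.all { c -> c.isLetterOrDigit() || c == '-' } }` to reject oversized ids and control characters. `Application.mainModule` starts before and ends after this hunk.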